SANS NewsBites

Don’t Download Password Cracking Tools from Untrusted Sources; Make Sure GitHub Commit Identities Are Verified Before Trusting; Microsoft Exchange Outage: Did It Impact Your 2FA Approach?

July 19, 2022  |  Volume XXIV - Issue #55

Top of the News


2022-07-18

Maliciously Crafted Password Crackers Target Industrial Systems

Threat actors are using Programmable Logic Controller password cracking tools that contain trojans to infect industrial systems. Researchers from Dragos have analyzed a malicious password cracking tool that contains malware known as Sality, which corrals infected systems into being part of a botnet.

Editor's Note

Downloading a random password cracker or any piece of software for that matter, and using it in a production environment without verifying the source and integrity of said software is never a good idea.

Johannes Ullrich

Downloading password crackers from unvetted sources and running them in production on systems connected to the Internet are 3 very bad practices. Great write-up by Dragos.

Jorge Orchilles

In this case the password cracking tool doesn't crack the password; it exploits a vulnerability in the firmware which allows the password to be retrieved. While the software required a serial connection, Dragos researchers determined the exploit will also work over an Ethernet connection. A firmware update has been released by Automation Direct for this weakness. See CISA ICS Advisory 22-167-02 (https://www.cisa.gov/uscert/ics/advisories/icsa-22-167-02). The Dragos blog post includes other PLCs and HMIs for which the threat actor sells password "cracking."

Lee Neely

2022-07-15

Spoofed GitHub Commit Metadata Creates Potential for Software Supply Chain Attacks

Researchers from Checkmarx say that spoofed metadata could be used to trick developers into using repositories that contain malicious code. Developers need to be vigilant about verifying the identities associated with commits.

Editor's Note

Verifying if software is safe to use is hard. Between typosquatting and bad actors taking over legitimate repositories, it can be difficult to identify "trusted" components. Open source components included in your software should at least be run through a static code analysis tool to look for obvious issues. Even better: if your code analysis tool finds an issue, fix it and submit a pull request.

Johannes Ullrich

I stumbled upon this issue when committing to GitHub from a virtual machine that had the wrong date and time. As I investigated it, I was surprised to see this was expected behavior. I knew there had to be a way to abuse it somehow and the folks at Checkmarx have documented just that.

Jorge Orchilles

GitHub has features (like Vigilant mode) to make it easier for developers to detect spoofed identities; work with App Dev to get that made part of standard processes. The entire open source software/repository supply chain needs to raise the bar on security. The Linux Foundation “Open Source Software Security Mobilization Plan” detailed the critical areas; more funding for faster progress is needed.

John Pescatore

Attackers are manipulating data related to update activities as well as spoofing who they are to lead you to believe they are a highly trusted contributor who is actively maintaining their code. This can be partly mitigated by making sure that the commits come from someone whose identity has been verified by GitHub when those commits are being made. Don't wait for the 2023 deadline to enable 2FA on your GitHub accounts. If you digitally sign your code, the "vigilant mode" feature can be used to see the status of all code submitted under that name, aiding the discovery of malfeasance.

Lee Neely
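The notes above come down to one check a repository owner can automate: does each commit carry a good signature, and does any unsigned commit claim the name and email of a maintainer? The following script is an added example, not code from this newsletter, from SANS or from Checkmarx. It assumes the input is the output of the real git command given in its docstring (git's `%G?` placeholder is the signature status; `%x1f` inserts an ASCII unit separator between fields), and it uses a constructed three-commit sample log rather than a real repository. The "protected identities" list and the example addresses are assumptions for the illustration.

```python
"""Flag commits whose claimed identity cannot be trusted at face value.

Added example, not code from SANS NewsBites or from Checkmarx. It assumes
the input lines come from this git command (run in the repository):

    git log --format='%H%x1f%G?%x1f%an%x1f%ae%x1f%cn%x1f%ce%x1f%aI%x1f%cI'

%G? is git's signature status: G = good signature from a trusted key,
N = no signature, U = good signature from an untrusted key, B = bad,
X/Y = expired signature/key, R = revoked key, E = could not be checked
(for example, the signer's public key is not imported locally).
"""
from dataclasses import dataclass
from datetime import datetime

FIELD_SEP = "\x1f"  # produced by %x1f; cannot occur in names or email addresses


@dataclass
class Commit:
    sha: str
    sig_status: str
    author_name: str
    author_email: str
    committer_name: str
    committer_email: str
    author_date: datetime
    committer_date: datetime


def parse_log_line(line):
    """Split one %x1f-delimited git log line into a Commit."""
    fields = line.rstrip("\n").split(FIELD_SEP)
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    sha, sig, an, ae, cn, ce, ad, cd = fields
    # %aI / %cI are strict ISO 8601 with a UTC offset, which fromisoformat accepts.
    return Commit(sha, sig, an, ae, cn, ce,
                  datetime.fromisoformat(ad), datetime.fromisoformat(cd))


def audit_commit(commit, protected_emails):
    """Return the reasons this commit should not be trusted as shown in the UI.

    protected_emails (assumed policy input) lists identities such as
    maintainers whose commits must carry a good signature. git lets anyone
    set user.name / user.email to any value, so an unsigned commit that
    claims one of these addresses is exactly the spoofing pattern.
    """
    findings = []
    if commit.sig_status != "G":
        findings.append(f"signature status {commit.sig_status!r}; only 'G' is trusted")
    if commit.author_email.lower() in protected_emails and commit.sig_status != "G":
        findings.append(f"claims protected identity {commit.author_email} without a good signature")
    if commit.author_email.lower() != commit.committer_email.lower():
        # Legitimate after a rebase or cherry-pick, but the author shown in
        # the UI is then not the person who actually created the object.
        findings.append(f"author {commit.author_email} differs from committer {commit.committer_email}")
    if commit.author_date > commit.committer_date:
        # A commit cannot be authored after it was committed unless one of
        # the timestamps was set by hand (GIT_AUTHOR_DATE / GIT_COMMITTER_DATE).
        findings.append("author date is later than committer date; a timestamp was set manually")
    return findings


def audit_log(lines, protected_emails):
    """Map each commit SHA to its list of findings (empty list = nothing suspicious)."""
    protected = {e.lower() for e in protected_emails}
    return {c.sha: audit_commit(c, protected) for c in map(parse_log_line, lines)}


# Constructed sample log lines; the SHAs, names and addresses are made up.
SAMPLE_LOG = [
    # Signed commit by the real maintainer.
    FIELD_SEP.join(["a" * 40, "G", "Alice Maintainer", "alice@example.com",
                    "Alice Maintainer", "alice@example.com",
                    "2022-07-14T09:00:00+00:00", "2022-07-14T09:00:00+00:00"]),
    # Unsigned commit claiming Alice's identity with both dates pushed back to 2019.
    FIELD_SEP.join(["b" * 40, "N", "Alice Maintainer", "alice@example.com",
                    "Alice Maintainer", "alice@example.com",
                    "2019-03-01T12:00:00+00:00", "2019-03-01T12:00:00+00:00"]),
    # Unsigned commit "authored" by Alice but committed by someone else, with
    # an author date that is later than the committer date.
    FIELD_SEP.join(["c" * 40, "N", "Alice Maintainer", "alice@example.com",
                    "Mallory", "mallory@example.net",
                    "2022-07-16T12:00:00+00:00", "2022-07-15T08:00:00+00:00"]),
]

if __name__ == "__main__":
    for sha, findings in audit_log(SAMPLE_LOG, {"alice@example.com"}).items():
        print(sha[:12], "OK" if not findings else "; ".join(findings))
```

On a real repository, pipe the git command from the docstring into `audit_log`. The `%G?` status only reads `G` when the signer's public key is imported into gpg (or, for SSH-signed commits, listed in the file named by `gpg.ssh.allowedSignersFile`); otherwise every signed commit shows as `E`, so import the maintainers' keys before trusting the report. Note the limitation visible in the second sample commit: when both author and committer dates are set to the same fake value, the timestamps alone look consistent, and it is the missing signature that gives the spoof away.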

2022-07-18

Microsoft is Investigating Exchange and Outlook Outage

Microsoft is looking into an outage affecting Exchange Online and Outlook. The issue appears to have begun over the weekend. Outlook and Exchange Online users have been reporting that they have had difficulty logging in and sending email. Microsoft says they have identified and resolved the problem.

Editor's Note

Gee, I wonder how many phishing emails didn’t get delivered? On the serious side, 2FA approaches that rely on sending codes to email addresses are more vulnerable to delivery outages than those that use mobile devices and SMS messages or authenticator apps.

John Pescatore

Microsoft stated they found a section of network infrastructure performing below acceptable thresholds and rerouted that traffic, as well as restarted services to resolve the issues. In today's interconnected and interdependent systems required to deliver an online service like these, network performance dips can have a significant impact on service delivery, making it increasingly important to not only understand these relationships, but also to detect and react to issues rapidly.

Lee Neely

The Rest of the Week's News


2022-07-18

Remove Kaswara Modern WPBakery Page Builder Addons for WordPress Now

The Wordfence threat intelligence team has noted an uptick in attempts to exploit a vulnerability in Kaswara Modern WPBakery Page Builder Addons. The critical file upload flaw was disclosed earlier this year; no fix was released, and the plugin is no longer supported. The Wordfence team is urging WordPress users to remove Kaswara Modern WPBakery Page Builder Addons from their sites.

Editor's Note

Wordfence released updated firewall rules May 21st and April 21st for the free and Premium/Care/Response versions, respectively. At this point it is unlikely the weakness will be resolved, and Wordfence has seen about 444,000 attempted attacks a day, so it's time to remove and replace this plugin. Also check your site for the listed IOCs.

Lee Neely

2022-07-18

Juniper Patches Hundreds of Flaws in Multiple Products

Juniper Networks has released fixes for vulnerabilities in multiple products, including Junos Space, Contrail Networking, and NorthStar Controller. Several of the flaws are critical, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to urge admins to update without delay. Some of the flaws could be exploited to take control of vulnerable systems.

Editor's Note

The fixes include updates to the underlying CentOS 6.8 shipped with some products to CentOS 7.9. The update to Contrail Networking 21.4.0 addresses 166 vulnerabilities, while the update to Space network management 22.1R1 addresses 31. Several of these vulnerabilities have CVSS base scores of 9.6 or higher, so you'll want to go to the Juniper Security Advisory site and proactively search for your products. Note the CISA advisory (https://www.cisa.gov/uscert/ncas/current-activity/2022/07/14/juniper-networks-releases-security-updates-multiple-products-1) simply advises you to read the Juniper Security Advisory page and apply relevant updates.

Lee Neely

2022-07-18

Albania’s Online Government Services Hit with Cyberattack

Many Albanian government e-services are unavailable after suffering a cyberattack. The incident was detected on July 15. The government took its systems offline to deal with the attack, just months after moving government services online.

Editor's Note

While the Albanian government has assured citizens that their data is backed up, it's not clear that the root cause has been identified or remediated so those backups can be applied. Additionally, it's been noted these services were only recently moved online, so it's likely the full plans for redundancy and resiliency hadn't been implemented. In today's climate, you need to start with those defenses in place prior to going live, particularly if you're operating a government-affiliated service. You may also want to add practicing service restoration to your acceptance criteria for going live.

Lee Neely

2022-07-15

Former CIA Programmer Guilty of Leaking Vault 7 Data to WikiLeaks

Former CIA software engineer Joshua Adam Schulte has been convicted on charges related to his theft of national defense data and giving it to WikiLeaks. Known as Vault 7, the trove of data included cyber espionage tools the US government uses to infiltrate terrorist and foreign government networks. Schulte could face up to 80 years in prison.

Editor's Note

The release to WikiLeaks was allegedly motivated by an abject hatred for the CIA. With that level of access, Schulte would have not only had to obtain a security clearance, but also signed enough NDA documents assuring his fate in the event he violated them. Schulte also was found to have child exploitation material on his laptop, so he's going to be busy paying his debt to society for a very long time.

Lee Neely

2022-07-18

Attackers Targeting Elastix VoIP Systems to Install Web Shells

Researchers from Palo Alto Networks Unit 42 say that attackers are targeting Elastix VoIP telephony servers. The threat actors “implants a web shell to exfiltrate data by downloading and executing additional payloads inside the target's Digium phone software.” The researchers believe the attackers may be exploiting a critical remote code execution vulnerability in FreePBX with restapps installed; a fix has been available for that flaw since late 2021.

Editor's Note

Make sure you're running the updated FreePBX software, ingest the IOCs in the Unit 42 blog, and check for unexpected new root accounts or scheduled tasks.

Lee Neely

2022-07-19

Citizen Lab: Pegasus Used Against Thai Pro-Democracy Activists

A report published by researchers from the University of Toronto’s Citizen Lab and Digital Watch says that at least 30 Thai pro-democracy activists were targeted with NSO’s Pegasus Spyware. The infections occurred between October 2020 and November 2021. The attacks were revealed when Apple began sending notifications to iPhone users being targeted by the spyware.

Editor's Note

Make sure that your users are running the latest iOS versions, which close the attack vector used by Pegasus. If you have users who may be targeted, consider Apple's Lockdown Mode, which will be released with iOS 16 this fall.

Lee Neely

2022-07-18

Retbleed Vulnerability Fixed in Linux Kernel

The Retbleed speculative execution attack vulnerability has been fixed in the Linux kernel, according to Linus Torvalds. The release of Linux kernel version 5.19 has been delayed for a week due in part to the complexity of the Retbleed vulnerability, and in part to two other development trees that requested extensions.

Editor's Note

The btrfs file system and Intel GPU controller firmware branches also called for a delay. It is likely that version 5.20 of the kernel will be chosen as the next long-term support release.

Lee Neely

Internet Storm Center Tech Corner

Python: Files in Use By Another Process

https://isc.sans.edu/diary/Python%3A+Files+In+Use+By+Another+Process/28848


Adding Your Own Keywords to My PDF Tools

https://isc.sans.edu/diary/Adding+Your+Own+Keywords+To+My+PDF+Tools/28852


Tor Improvements

https://blog.torproject.org/new-release-tor-browser-115/


Trojan Horse Malware Password Cracker

https://www.dragos.com/blog/the-trojan-horse-malware-password-cracking-ecosystem-targeting-industrial-operators/


Juniper Junos Vulnerabilities

https://supportportal.juniper.net/s/global-search/%40uri?language=en_US#sort=date%20descending&f:ctype=[Security%20Advisories]

CVE-2022-33891 Apache Spark Shell Command Injection Vulnerability

https://securityonline.info/cve-2022-33891-apache-spark-shell-command-injection-vulnerability/


Google Removing App Permissions List for Data Safety

https://twitter.com/MishaalRahman/status/1547307555407421443


Google Play Malware

https://twitter.com/IngraoMaxime/status/1547164768401858560


Faking Github Metadata

https://checkmarx.com/blog/unverified-commits-are-you-unknowingly-trusting-attackers-code/