SANS NewsBites

Expedite Patching Vulnerable Atlassian Products; Check for Use of “Fleeceware” Apps Google Published in Google Play; Microsoft Releases Improved Default Office Macro Blocking

July 22, 2022  |  Volume XXIV - Issue #56

Top of the News


2022-07-21

Atlassian Security Updates Include Fix for Hard-Coded Password Issue

Atlassian’s security advisories for July 2022 include fixes for a hard-coded password vulnerability affecting the Questions for Confluence app for Confluence Server and Data Center. The app installs a user account, “disabledsystemuser,” that admins can use to migrate data to the Confluence Cloud. Atlassian notes that “a remote, unauthenticated attacker with knowledge of the hardcoded password could exploit this to log into Confluence and access any pages the confluence-users group has access to.” Users are urged to update to Questions for Confluence versions 2.7.38 and 3.0.5. Users can also disable or delete the account. A second advisory addresses multiple servlet filter vulnerabilities in eight of its products.

Editor's Note

Not just for the hardcoded password, these vulnerabilities are serious and need to be applied expeditiously. These Atlassian products are often central to organizations' software development process and a compromise could endanger this software.

Johannes Ullrich

When a physical substance (asbestos, lead, Red Dye #2, etc.) is found to be poisonous or dangerous, society can move pretty quickly to ban it. But, bad habits (eating too much fat/sugar/salt, leaving the keys in the ignition, buffer overflows in code, hard coded passwords in apps, etc.) are much harder to eliminate. Every modern app testing tool detects the worst software coding/app security mistakes – require all software suppliers to show evidence of having run such tools or to be part of programs such as Veracode Verified, where the app test software vendor does it for them.

John Pescatore

Atlassian included this account to aid cloud migration, and while considerate, including either hard coded credentials or authorization keys has repeatedly been found to be a source of exploitation. Make sure that your Atlassian products don't include the disabledsystemuser account, delete it if found, creating fresh credentials for migration only for the duration of the project if you elect to migrate. Add checking for (and removing) disabled accounts "out of the box" right next to changing default passwords in your software installation/update process.

Lee Neely
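One way to operationalize the check above (look for the disabledsystemuser account and whether it sits in confluence-users) is a small script against the Confluence Server REST API. This is an added example, not Atlassian code or anything from the advisory; it assumes the Confluence Server endpoints GET /rest/api/user?username=... (404 when the user does not exist) and GET /rest/api/user/memberof?username=... (JSON with a "results" list of groups), which you should confirm against your version's REST documentation. The base URL, environment variable names and sample response are constructed for the example.

```python
"""Check a Confluence Server / Data Center instance for the hard-coded
"disabledsystemuser" account installed by Questions for Confluence.

Added example, not Atlassian code. Assumes (verify for your version):
  GET /rest/api/user?username=<name>          -> 200 if exists, 404 if not
  GET /rest/api/user/memberof?username=<name> -> {"results": [{"name": ...}, ...]}
"""
import base64
import json
import os
import sys
import urllib.error
import urllib.request

HARDCODED_ACCOUNT = "disabledsystemuser"  # account name from the Atlassian advisory
SENSITIVE_GROUP = "confluence-users"      # group whose pages the advisory says it can read


def group_names(memberof_payload):
    """Extract group names from a /rest/api/user/memberof response body."""
    return [g.get("name", "") for g in memberof_payload.get("results", [])]


def assess(user_status, memberof_payload):
    """Turn the two API results into a finding dict.

    user_status: HTTP status of the user lookup (200 = exists, 404 = absent).
    memberof_payload: parsed JSON of the memberof call, or None if not made.
    """
    if user_status == 404:
        return {"present": False, "in_sensitive_group": False,
                "verdict": "not present: nothing to remove, still apply the app update"}
    if user_status != 200:
        return {"present": None, "in_sensitive_group": None,
                "verdict": f"inconclusive: user lookup returned HTTP {user_status}"}
    exposed = SENSITIVE_GROUP in group_names(memberof_payload or {})
    if exposed:
        verdict = f"PRESENT and a member of {SENSITIVE_GROUP}: delete or disable it, then update the app"
    else:
        verdict = f"present but not in {SENSITIVE_GROUP}: still delete or disable it, then update the app"
    return {"present": True, "in_sensitive_group": exposed, "verdict": verdict}


def _get(base_url, path, auth_header):
    """GET a REST path; return (status, parsed JSON or None on HTTP error)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": auth_header, "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as err:
        return err.code, None


def check_instance(base_url, admin_user, admin_password):
    """Run both lookups against a live instance with basic auth (admin rights needed)."""
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    auth = "Basic " + token
    status, _ = _get(base_url, f"/rest/api/user?username={HARDCODED_ACCOUNT}", auth)
    payload = None
    if status == 200:
        _, payload = _get(base_url, f"/rest/api/user/memberof?username={HARDCODED_ACCOUNT}", auth)
    return assess(status, payload)


# Constructed sample memberof response, used when no instance URL is given.
SAMPLE_MEMBEROF = {"results": [{"type": "group", "name": "confluence-users"}], "size": 1}

if __name__ == "__main__":
    if len(sys.argv) == 2:
        # usage: CONFLUENCE_USER=... CONFLUENCE_PASS=... python check_dsu.py https://confluence.example.internal
        result = check_instance(sys.argv[1], os.environ["CONFLUENCE_USER"], os.environ["CONFLUENCE_PASS"])
    else:
        result = assess(200, SAMPLE_MEMBEROF)  # offline demo on the constructed sample
    print(json.dumps(result, indent=2))
```

The verdict deliberately says "delete or disable, then update" in every present case: group membership only tells you how much the account can read today, not whether it should exist, and the advisory's fix is the app update plus removal of the account.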

2022-07-19

Google Pulls Spyware-Infested Apps from Play Store

Google has removed 60 Android apps from the Google Play Store after they were found to contain malware. The apps in question were being used to spread Joker, Facestealer, Coper, and Autolycos malware.

Editor's Note

Google seems to have been very slow to remove this “fleeceware” and has not made a public statement providing justification. I think something like 3700 apps per day are added to the 3.5M or so apps in Google play – human inspection isn’t really feasible to augment all the automated checks. The good news is Android and iOS do have what Windows and Linux lack – by default software whitelists (app stores) that greatly raise the bar against malware.

John Pescatore

These apps can either install premium dialers, such as Joker, which signs users up for expensive monthly subscription plans, or install malware. While there is some screening for malware when publishing content to the Google Play Store, the Joker-spreading apps keep being reintroduced as they are obfuscating their malicious activity by changing code, execution methods and payload retrieval processes/techniques. As always, beware of over-permissioned apps, only download apps from known developers and either your corporate or Google app stores. Play Protect will remove the malicious applications, but you need to check your device for premium subscriptions you didn't authorize and cancel them.

Lee Neely

2022-07-21

Microsoft Resumes Office Macro Blocking

Microsoft has resumed blocking Office macros by default. It introduced the feature earlier this year, but recently rolled it back due to customer response. Microsoft wrote, “Based on our review of customer feedback, we've made updates to both our end user and our admin documentation to make clearer what options you have for different scenarios.”

Editor's Note

For organizations who experienced issues with macro blocking when Microsoft first started doing it: You will still be able to set your own policies, and Microsoft updated its guidance. As long as you set a specific policy manually, this change will not override it.

Johannes Ullrich

If you'd already configured the "Block macros from running in Office files from the Internet" policy, the setting will control the disablement behavior. Consult the updated Microsoft guidance on how to enable macros from SharePoint or network shares to minimize impact; in general you want to disable macros by default.

Lee Neely

The Rest of the Week's News


2022-07-21

IoCs for Malware Targeting Ukrainian Networks

US Cyber Command (CYBERCOM) and Ukraine’s Security Service have jointly issued a list of 20 indicators of compromise (IoC) for attacks that have been targeting Ukrainian networks. In addition, Mandiant has published a related “blog to provide insight and context on a sampling of malicious activity targeting Ukrainian entities during the ongoing war.”

Editor's Note

While these attacks are targeting Ukrainian entities, we know that there can be collateral damage, so better safe than sorry: include the IOCs in your SIEM. Also include information from the Mandiant report on the GRIMPLANT and GRAPHSTEEL spear phishing campaign.

Lee Neely

2022-07-19

CISA Warns of Vulnerabilities in GPS Tracker

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory warning of multiple vulnerabilities in MiCODUS GPS tracker devices. The issues include use of hard-coded credentials, improper authentication, cross-site scripting, and authorization bypass through user-controlled keys. The vulnerabilities were discovered by researchers at BitSight.

Editor's Note

The vulnerable devices do not just allow for tracking of the vehicle, but could also be used to disable them. This could become a safety issue. The inaction of the vendor is appalling and should be taken as a clear sign to not procure any more of these products.

Johannes Ullrich

2022-07-21

NIST and Cloud Security Alliance Offer Guidance for Healthcare Sector

The US National Institute of Standards and Technology (NIST) has published an updated draft of its healthcare cybersecurity guidance, focusing on Health Insurance Portability and Accountability Act (HIPAA) compliance. NIST is accepting public comments through September 21, 2022. The Cloud Security Alliance (CSA) has published a document designed to help the healthcare sector address third-party vendor risk management.

Editor's Note

I’m not a big fan of 152 page documents that focus on how to comply with regulations vs. how to protect data/systems/services and demonstrate compliance as a byproduct of that. But, more than half of SP800-66 is reference documents and section 5 (which is still 47 pages long) is a good source of questions that need to be answered to secure public health information.

John Pescatore

The goal is to augment the guidance to include more resources to help those struggling to implement the necessary security posture for HIPAA compliance. If you're a practitioner in this space, provide feedback to increase the relevance of the guides and resources.

Lee Neely

2022-07-20

Magecart Skimming Attacks Targeting Online Restaurant Ordering Services

Magecart skimming campaigns have been targeting MenuDrive, Harbortouch, and InTouchPOS online restaurant ordering services. The campaigns were detected by researchers from Recorded Future’s Insikt Group; more than 50,000 payment card records from more than 300 restaurants have been compromised.

Editor's Note

Attackers seek to leverage our increased use of online ordering from restaurants. The attackers are targeting the POS, not the individual restaurants. As a subscriber to an online ordering service, verify that they are scanning server and browser components, verifying that they are following PCI-DSS requirements to both inventory all JavaScript and traffic in and out of their website. Ask for proof of activities related to detection of Magecart and other similar threats.

Lee Neely

2022-07-20

DoJ, FBI Recover Ransomware Payments Made by Healthcare Organizations

The US Department of Justice (DoJ) and the FBI have recovered half a million dollars in ransomware payments made to North Korean state-sponsored threat actors. The funds have been returned to two healthcare organizations. In addition, DoJ and the FBI were able to disrupt the threat actors’ operations.

Editor's Note

The hype around “cryptocurrency” and blockchain had reached unbelievable and really dangerous levels, so it is good to see criminal use of them be used by authorities to disrupt and catch criminals. Of course, many victims paid in crypto coins that in a few days were worth a small percentage of what was paid for them – kinda like recovering nickels when you lost $100 bills…

John Pescatore

This is why you want a relationship with the FBI before you need it. The cooperation from the Kansas-based facility allowed not only for the recovery of the ransom payment, but also the identification of a previously unidentified ransomware strain. Note that ransom payments for other victims were recovered, but without their reporting it's unlikely those funds will be properly restored.

Lee Neely

2022-07-21

Apple Releases Updates for Multiple Products

Apple has released updates for multiple products, including macOS Catalina, macOS Big Sur, macOS Monterey, iOS and iPadOS, watchOS, tvOS, and Safari. The updates address nearly 40 vulnerabilities, including a memory corruption flaw in WebRTC.

Editor's Note

The memory corruption flaw in WebRTC (CVE-2022-2294) is the same flaw Google disclosed as being actively exploited in Chrome browsers. Note the Safari update is included in the macOS 12.5 update, but must be installed separately on macOS 11.6 and 10.15. In addition to addressing vulnerabilities, iOS and iPadOS 15.6 include bug fixes and some new features such as being able to restart a live stream viewed with the TV app.

Lee Neely

2022-07-21

FCC Investigates Mobile Carriers’ Use of Geolocation Data

The US Federal Communications Commission (FCC) is investigating how mobile carriers use geolocation data. FCC chair Jessica Rosenworcel has sent letters of inquiry to 15 mobile providers, asking them to answer a series of questions about their geolocation data retention and data sharing policies.

Editor's Note

While the FCC fined the major carriers over $200M in 2020 around misuse of customers' location data, this issue has been a problem for more than a decade and the FCC has been slow to define user rights and carrier regulations around location data. If you have corporate wireless contracts with carriers, try to get questions around location data use and protection into RFPs – the market needs to feel demand around privacy.

John Pescatore

This follows up on the Feb. 2020 FCC proposed fine of $208 million after determining that Sprint, AT&T, Verizon and T-Mobile were selling access to customers' location information without ensuring that adequate protections were in place to prevent misuse of that information.

Lee Neely

2022-07-21

Candiru Spyware Exploited Chrome Vulnerability

A vulnerability in Chrome that was patched earlier this month was previously exploited by Candiru spyware. The flaw was reported to Google on July 1 by researchers from Avast, who discovered the issue while investigating a spyware attack.

Editor's Note

Web Real-Time Communications (WebRTC) provides a JavaScript interface to enable real-time voice, text and video communications between web browsers and devices. The WebRTC flaw, fixed July 4th, is being actively exploited. As such, you need to make sure that not only are your Chrome updates pushed out, but also that users are restarting the browser for the update to take effect. You can now push enterprise settings for Chrome browsers to both auto-update and force the relaunch in a defined period.

Lee Neely

2022-07-21

Missouri’s BJC Healthcare Settles Class Action Lawsuit

BJC Healthcare in Missouri has agreed to pay eligible class action members between $250 and $5,000 each, and to implement security improvements, including multi-factor authentication (MFA). BJC estimates the terms of the settlement will cost about $2.7 million.

Editor's Note

If you're impacted and seeking restitution, make sure you have a supporting paper trail to support your claims of expenses incurred. If you allow remote access to your email, enforce MFA, being careful to exclude SMS and phone-call verification methods. If you already have MFA, make sure it's phishing resistant; if not, create a plan to get there from here.

Lee Neely

Internet Storm Center Tech Corner

Beacon Request

https://isc.sans.edu/diary/Requests+For+beacon.http-get.+Help+Us+Figure+Out+What+They+Are+Looking+For/28856


Malicious Python Script Behaving Like a Rubber Ducky

https://isc.sans.edu/diary/Malicious+Python+Script+Behaving+Like+a+Rubber+Ducky/28860


Apple Patches Everything

https://isc.sans.edu/diary/Apple+Patches+Everything+Day/28862


Maldoc with non-ASCII VBA Identifiers

https://isc.sans.edu/diary/Maldoc%3A+non-ASCII+VBA+Identifiers/28866


Cisco Security Updates

https://tools.cisco.com/security/center/publicationListing.x?


Confluence Atlassian Hard Coded Password

https://confluence.atlassian.com/doc/questions-for-confluence-security-advisory-2022-07-20-1142446709.html


Windows RDP Brute Force Protection

https://twitter.com/dwizzzleMSFT/status/1549870156771340288


Microsoft resuming blocking macros

https://techcommunity.microsoft.com/t5/microsoft-365-blog/helping-users-stay-safe-blocking-internet-macros-by-default-in/ba-p/3071805


Outlook 365 Odd Suspicious Login Attempt Warnings

https://www.theregister.com/2022/07/21/outlook_sign_ins/


Zyxel Vulnerability

https://www.zyxel.com/support/Zyxel-security-advisory-authenticated-directory-traversal-vulnerabilities-of-firewalls.shtml


DNS over HTTP/3

https://security.googleblog.com/2022/07/dns-over-http3-in-android.html


Oracle July 2022 CPU

https://www.oracle.com/security-alerts/cpujul2022.html


CloudMensis MacOS Spyware

https://www.welivesecurity.com/2022/07/19/i-see-what-you-did-there-look-cloudmensis-macos-spyware/


GPS Tracker Vulnerabilities

https://www.bitsight.com/sites/default/files/2022-07/MiCODUS-GPS-Report-Final.pdf