SANS NewsBites

Check How Quickly You Would Notice Network Routing Problems; Google Extends Deadline for Stronger Cookie Privacy Controls; More Data Points of Benefits of Moving Away From Reusable Passwords

July 29, 2022  |  Volume XXIV - Issue #58

Top of the News


2022-07-27

Some of Apple’s Network Traffic was Routed Through Russian ISP

For a 12-hour stretch on July 26 and 27, Russia’s Rostelecom was announcing routes for portions of Apple’s network. It is not known if this was due to a border gateway protocol (BGP) misconfiguration or if it was a deliberate hijacking.

Editor's Note

Never ascribe to malice what can be explained by a simple typo. Rostelecom owns 37.70.96.0/19 and rerouted 17.70.96.0/19, which is owned by Apple. Note the simple swapped digit at the beginning? Still, it would be nice if Apple were able to roll out Route Origin Authorization, a feature that has made a real difference in keeping some of these BGP route hijacks from causing more damage. And most of these “hijacks” are simple configuration mistakes. Change control is for people who can't do incident response.

Johannes Ullrich

When you look at which groups have responsibility for availability and integrity of critical services, IT ops and Network ops really carry the bulk of the responsibility and authority, not security. But many of the tools and services that security uses will detect misconfigurations before IT/Network ops does. Integrated SOC/NOCs bring many benefits; the next best thing is common, or at least integrated, tools being used across the groups.

John Pescatore

Regardless of whether this rerouting was accidental or deliberate, this incident is another prime example of the importance of end-to-end encryption for all communications.

Brian Honan

While there is no official statement from them, Apple did take action by advertising more specific routes to services during the time their traffic was being routed to Russia, which is about the only recourse you have when this happens. It's unlikely we will learn if this was deliberate, accidental, or a trial balloon for future activities. Make sure that you and your network team have a plan for this scenario.

Lee Neely
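Two of the notes above point at concrete controls: Route Origin Authorization (so that a router doing origin validation rejects 17.70.96.0/19 when it arrives from the wrong AS) and the prefix holder's response of announcing more-specific routes. The following is an added example, not code from the newsletter or from any of the parties named in the story. It implements RFC 6811 route origin validation over a constructed ROA table, a small route-collector monitor, and a pre-announcement check that catches the one-digit typo the note describes. The ASNs are assumptions: AS64496 and AS64497 are documentation ASNs (RFC 5398) standing in for the prefix holder and the announcing ISP; only the two prefixes come from the note.

```python
"""RFC 6811 route origin validation plus a pre-announcement typo check.

Added example, not from the newsletter. ROA entries and ASNs are constructed:
AS64496 / AS64497 are documentation ASNs (RFC 5398) used as stand-ins.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: ipaddress.IPv4Network   # covered prefix
    max_length: int                 # longest prefix length the holder may originate
    origin_asn: int                 # authorised origin AS


@dataclass(frozen=True)
class Announcement:
    prefix: ipaddress.IPv4Network
    origin_asn: int


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(s, strict=True)


# Constructed ROA table: the holder of 17.70.96.0/19 (AS64496 here) authorises
# itself to originate that block and more-specifics down to /20.
ROAS = [Roa(net("17.70.96.0/19"), 20, 64496)]


def validate(ann: Announcement, roas=ROAS) -> str:
    """Classify an announcement as RFC 6811 'valid', 'invalid' or 'not-found'."""
    covering = [r for r in roas if ann.prefix.subnet_of(r.prefix)]
    if not covering:
        return "not-found"        # no ROA covers this prefix at all
    for r in covering:
        if r.origin_asn == ann.origin_asn and ann.prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"              # covered, but wrong origin or more specific than allowed


def one_char_off(a: str, b: str) -> bool:
    """True when two prefix strings differ in exactly one character."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def preflight(prefix: str, owned) -> str:
    """Sanity-check a prefix before it is configured for announcement.

    'ok'           -> inside a block we hold
    'typo-suspect' -> not ours, but one character away from a block we hold
    'not-owned'    -> not ours
    """
    candidate = net(prefix)
    if any(candidate.subnet_of(o) for o in owned):
        return "ok"
    if any(one_char_off(prefix, str(o)) for o in owned):
        return "typo-suspect"
    return "not-owned"


def monitor(observed, roas=ROAS):
    """Return (prefix, origin, status) for announcements a collector feed should alert on."""
    return [(str(a.prefix), a.origin_asn, validate(a, roas))
            for a in observed if validate(a, roas) == "invalid"]


if __name__ == "__main__":
    observed = [
        Announcement(net("17.70.96.0/19"), 64496),   # legitimate origin
        Announcement(net("17.70.96.0/19"), 64497),   # the mis-origination in the story
        Announcement(net("17.70.96.0/20"), 64496),   # holder's more-specific response
        Announcement(net("37.70.96.0/19"), 64497),   # the ISP's own block, no ROA in this table
    ]
    for a in observed:
        print(a.prefix, a.origin_asn, validate(a))
    print("alerts:", monitor(observed))
    # Run from the ISP's side: the typo'd prefix is one character from the block it holds.
    print(preflight("17.70.96.0/19", [net("37.70.96.0/19")]))
```

The more-specific /20 validates because it stays within the ROA's maxLength; a /21 from the same origin would be "invalid", which is why maxLength should be chosen with the prefix holder's own traffic-engineering needs in mind. The `preflight` check is the change-control side of the same problem: it runs before a prefix is committed to a router, not after a collector sees it.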

2022-07-27

Google Pushing Back Deadline to Deprecate Third-Party Cookies

Google now says it will support third-party cookies until the second half of 2024. Two years ago, the company said it would phase them out in 2022. Google says the decision was based on “feedback we’ve received is the need for more time to evaluate and test the new Privacy Sandbox technologies before deprecating third-party cookies in Chrome.”

Editor's Note

Latest Facebook financial numbers seem to indicate that the lack of the ability to track users has a material impact on the ad industrial complex. Google tried to replace cookies with FLoC (Federated Learning of Cohorts) but failed. Now they are trying “Topics” as a new tracking standard to balance privacy with Google's need to accurately target and track the impact of ads it sells. We will see if that works, or if third-party cookies will stick around for a few more years.

Johannes Ullrich

The good news is even the Facebooks of the world and most US politicians are largely past the “privacy-denial” stage. The underlying revenue model for the Internet has to change from tricking people into exposing their personal information and then selling it. When cable TV needed more revenue than it could get from subscription services, cable TV introduced ads. The internet started with ads, and quickly moved to the model of selling personal info to advertisers. However, many valuable services have found they can add subscription services for revenue and promise higher privacy as a large part of the consumer allure. It is very cool these days to see more software architects listing privacy as a key product requirement, and getting security involved vs. the other way around.

John Pescatore

Recall Google first tried their FLoC solution which went over like a lead balloon, then in January of 2022, they rolled out the Topics API, and now we have the Privacy Sandbox, which will be available in Chrome 104 Stable at the beginning of August. This gives you a little over a year to test and provide feedback.

Lee Neely

2022-07-27

Multi-Factor Authentication Thwarts Ransomware Actors

Authorities in the European Union (EU) say they have seen cases in which multi-factor authentication stopped ransomware groups from proceeding with their attacks. Marijn Schuurbiers, head of operations at Europol's European Cybercrime Centre (EC3), said, “In certain investigations, we saw [the attackers] trying to access companies – but as soon as they would hit two-factor authentication in this process, they would immediately drop this victim and go to the next.”

Editor's Note

In 2019, Microsoft published a study of 200M logins that showed even simple text message-based MFA prevented 99.9% of phishing attacks from succeeding. So, we really don’t need more evidence, but it is always good to highlight successes. But, just as “airplane successfully lands at airport, no drinks are even spilled” headlines wouldn’t get many clicks, the press has learned that any successful attack does. Always good in our field to highlight successes whenever possible.

John Pescatore

Is MFA perfect? No. Can it be bypassed? Yes. However, time and time again MFA has proven to be one of the single most effective controls people can enable to protect their digital lives and data. As a security awareness professional, if I could teach people only one single behavior to protect themselves, enabling MFA would most likely be it.

Lance Spitzner

While this anecdote highlights the importance of MFA in protecting against attacks, it also reflects the high number of targets available to criminals, such that they can readily drop one potential victim and move on to the next one with weaker security controls. It is analogous to the joke about not needing to outrun the bear but just needing to outrun the other potential victim. It's important that we continue to encourage organisations to adopt MFA where they can and that vendors, particularly cloud service providers, adopt MFA as a default setting.

Brian Honan

As the Palo Alto Unit 42 report shows, the number one thing to thwart attacks is MFA. Even if you have some form of MFA, make sure that you've chosen wisely, particularly if you have SMS- or phone-based MFA, which is an awesome step in the right direction, but you need to move to phishing-resistant forms of MFA.

Lee Neely

The Rest of the Week's News


2022-07-28

EPA Will Introduce Cybersecurity Into its Reviews of Critical Water Facilities

The US Environmental Protection Agency (EPA) will issue a new rule that will expand their reviews of critical water facilities to include cybersecurity. Deputy National Security Advisor for Cyber and Emerging Tech Anne Neuberger says the White House is working toward legislation that would give agencies like the EPA greater authority to impose cybersecurity requirements for organizations that operate elements of the country’s critical infrastructure.

Editor's Note

The US Government’s 2023 fiscal year starts on October 1 and here’s my wish for their New Year’s resolution: *All* government agency reviews of IT systems for any reason should include cybersecurity requirements in those reviews. All entities accepting federal funds related to anything that runs software (firmware has software, too) should be subject to those requirements.

John Pescatore

There is nothing like an external review to shine a light on anything swept under the rug. While these systems should already be secure, publishing a mandate and specific required standards to follow will empower staff seeking management support to better secure their operations. This also means when competing for this business, companies will have to factor in the cost of meeting these requirements commensurate with the criticality and sensitivity of the data and service provided. Such requirements, including review expectations, should be SOP on any contract. Make sure that you're regularly monitoring that your contracted/outsourced services are performing as expected.

Lee Neely

2022-07-27

Report: Chinese Threat Actors Attempted to Infiltrate US Federal Reserve for Years

A report from the US Senate Committee on Homeland Security and Governmental Affairs “reveals a sustained effort by China, over more than a decade, to gain influence over the Federal Reserve and a failure by the Federal Reserve to combat this threat effectively.”

Editor's Note

The Chinese are very patient; remember that they think about actions taking fifty or more years, while we in the US tend to think in four-year cycles, as in election cycles. They target acquisition of intellectual property. Consider not only background checks on employees, but also repeating those periodically to make sure employees have not been co-opted.

Lee Neely

2022-07-27

Unit 42: Vulnerability Disclosure to Exploit Time is Shrinking

According to a report from Palo Alto Networks Unit 42, the average time between a vulnerability being disclosed and its being exploited is shrinking. Attackers were detected scanning for vulnerabilities within 15 minutes of their disclosure. The report draws its data from 600 incident response cases.

Editor's Note

Nice attention-grabbing headline. And there is some truth to it. But the real answer, as so often, is: it depends. We had exploits being used against vulnerabilities within minutes of the vulnerability becoming known as far back as the "Witty Worm" (still one of my all-time favorites). But the real challenge nobody has a good answer for: How am I able to predict which vulnerabilities will be exploited quickly vs. which ones will never be exploited? Gazillions of sysadmin tears will be saved if someone can come up with an absolutely accurate way to tell which vulnerabilities are “patch now” vs. “don't bother.”

Johannes Ullrich

The top three contributors to attacker success are lack of MFA, lack of EDR, and lack of patch management. While you've focused on endpoint and OS patching roll-out, don't overlook the application layer on endpoints and servers. Ask when you can expect to MFA all externally facing services, then internal services - and don't forget MFA on the desktop.

Lee Neely

2022-07-28

Two People Arrested for Disabling Spain’s Radiation Alert Sensors

Two former Spanish government contract workers have been arrested for allegedly breaking into the country’s radioactivity alert system and disabling a third of its sensors. The pair allegedly deleted the alert system web app from the General Directorate of Civil Protection and Emergencies (DGPGE) control center, then hacked the sensors. The incident occurred in the spring of 2021.

Editor's Note

Spain has a network of 800 gamma radiation sensors designed to detect and alert on excessive radiation from one of their seven nuclear reactors. The attackers took down 300 of these sensors using illegitimate access to the DGPGE network. While the specifics of the attack vectors are unclear, you can mitigate some risks by making sure that you expeditiously disable/delete accounts for non-active employees, to include monitoring for re-activation or recreation. Also make sure any external entry points are not only implemented using current security guidance, but also require MFA. Don't forget about physical access scenarios.

Lee Neely
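The note above recommends disabling or deleting accounts of former staff and then monitoring for their re-activation or recreation. The following is an added example, not code from the newsletter or from any organisation named in the story, showing one way to implement that second half over an exported Windows Security audit log. The event IDs are the real ones (4725 account disabled, 4726 deleted, 4722 enabled, 4720 created); the CSV export format, the account names and the `provisioners` allow-list are constructed assumptions.

```python
"""Detect re-enabled or recreated offboarded accounts in a Windows Security log export.

Added example, not from the newsletter. Sample data is constructed; the CSV
column layout is an assumption about how the log was exported.
"""
import csv
import io
from datetime import datetime

# Windows Security audit event IDs (real values).
DISABLED, ENABLED, CREATED, DELETED = 4725, 4722, 4720, 4726

# Constructed sample export: when, which event, the account acted on, who did it.
SAMPLE_CSV = """\
time,event_id,target,subject
2021-03-01T09:00:00,4725,contractor1,hr-admin
2021-03-01T09:01:00,4726,contractor2,hr-admin
2021-03-15T23:40:00,4722,contractor1,svc-backup
2021-03-16T02:10:00,4720,contractor2,svc-backup
2021-03-16T08:00:00,4720,newhire7,hr-admin
"""


def parse_events(text: str):
    """Parse the CSV export into dicts with typed event_id and time fields."""
    rows = csv.DictReader(io.StringIO(text))
    return [dict(r, event_id=int(r["event_id"]), time=datetime.fromisoformat(r["time"]))
            for r in rows]


def find_reactivations(events, provisioners=frozenset()):
    """Alert on enable/create events for accounts seen disabled or deleted earlier.

    provisioners: subject accounts allowed to re-provision. Their actions are
    still reported (someone should confirm the re-hire) but at lower severity;
    anyone else re-enabling an offboarded account is high severity.
    """
    offboarded = {}   # account name -> time it was disabled or deleted
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["event_id"] in (DISABLED, DELETED):
            offboarded[e["target"]] = e["time"]
        elif e["event_id"] in (ENABLED, CREATED) and e["target"] in offboarded:
            alerts.append({
                "account": e["target"],
                "by": e["subject"],
                "event_id": e["event_id"],
                "offboarded_at": offboarded[e["target"]].isoformat(),
                "at": e["time"].isoformat(),
                "severity": "low" if e["subject"] in provisioners else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in find_reactivations(parse_events(SAMPLE_CSV), provisioners={"hr-admin"}):
        print(alert)
```

Two things in the sample are worth noticing: a 4720 for a name that was previously deleted is treated the same as a 4722 for a disabled one (recreation under the old name is the case the note calls out), and a brand-new account (`newhire7`) never enters the watch list, so ordinary onboarding produces no noise. In production the offboarded list would be seeded from the HR system rather than only from events in the same export window.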

2022-07-26

EU Helped 1.5M Ransomware Victims
Europol says that authorities in the European Union (EU) have helped 1.5 million people and organizations regain data that had been encrypted with ransomware. The announcement was made on July 26, the sixth anniversary of the No More Ransom project, which brings law enforcement and IT companies together to help victims of ransomware.

Editor's Note

Nomoreransom.org is a solid effort, but the Vice piece states $1.5B was saved across 1.5M people overall. I couldn’t find any backup for the math – that works out to $1,000 per victim, which seems odd. Could be skewed by a few big ones but need to know how much of the $1.5B was in previously ridiculously inflated “crypto currencies.” Still, a good effort to point your users to for education about how to avoid attacks at home and how best to deal with ransom demands if they do get hit.

John Pescatore

This project is a great example of how effective public/private partnerships can be in the fight against cybercrime. The No More Ransom project is a resource all in cybersecurity should be aware of, I know we have successfully used it over the past years to successfully recover several victims of ransomware attacks. The site is available at www.nomoreransom.org.

Brian Honan

To date, the group offers 136 free decryption tools for 165 ransomware variants including MAZE, REvil and GandCrab. Having a similar service supported by law enforcement worldwide would aid reporting and reduce likelihood of payment.

Lee Neely

2022-07-28

Another Microsoft 365 Outage

On July 28, admins in North America were reporting that they could not access the Microsoft 365 admin center. After looking into the situation, Microsoft determined that the incident affected a broader group of admins. The company has restarted “the affected infrastructure” and says the issue has been resolved.

Editor's Note

The silver lining is this time end-users were not impacted, even though being blocked from performing admin actions is bloody annoying. Microsoft's preliminary response was, again, that certain servers were performing below acceptable thresholds and they are working to optimize performance. When monitoring your service delivery components, make sure that you are equipped to communicate and respond commensurate with both your SLA and user expectations.

Lee Neely

2022-07-28

Cyberattack Prompts MSP NetStandard to Shut Down Cloud Services

Kansas-based managed service provider (MSP) NetStandard shut down its MyAppsAnywhere cloud services after discovering that the company was the victim of a cyberattack. The attack was detected on July 26.

Editor's Note

Service providers are high leverage targets for attacks. Use press coverage like this to show management that security should be involved in any procurement of 3rd party services, which includes cloud services.

John Pescatore

Many of us may have a simulation exercise to determine how our organization will respond to a ransomware attack, but have you considered what your playbook should be should one of your critical suppliers or cloud service providers become a victim?

Brian Honan

If you're using an MSP, make sure that you've had a frank conversation about what a compromise would entail. Would that expose your data or other customers' data as well? Make sure that you have the relationship and communication paths needed to not only handle incident communication but also verify that their security remains as promised.

Lee Neely

Internet Storm Center Tech Corner

How is Your macOS Security Posture?

https://isc.sans.edu/diary/How+is+Your+macOS+Security+Posture%3F/28882


IcedID (BokBot) with Dark VNC and Cobalt Strike

https://isc.sans.edu/diary//28884


Exfiltrating Data with Bookmarks

https://isc.sans.edu/diary/Exfiltrating+Data+With+Bookmarks/28890


Critical Samba Bug Could Let Anyone Become Domain Admin

https://nakedsecurity.sophos.com/2022/07/27/critical-samba-bug-could-let-anyone-become-domain-admin-patch-now/


Apple IP Address Range Hijacked by Rostelecom

https://www.manrs.org/2022/07/for-12-hours-was-part-of-apple-engineerings-network-hijacked-by-russias-rostelecom/


IBM Patches

https://www.ibm.com/support/pages/node/6606251

https://www.ibm.com/support/pages/node/6607135


Veritas Patches

https://www.veritas.com/content/support/en_US/security/VTS22-004#c1


Web Assembly Crypto Miners

https://blog.sucuri.net/2022/07/cryptominers-webassembly-in-website-malware.html


Subzero and Knotweed

https://www.microsoft.com/security/blog/2022/07/27/untangling-knotweed-european-private-sector-offensive-actor-using-0-day-exploits/


Registry file with Executable Payload

https://www.x86matthew.com/view_post?id=embed_exe_reg


Targeted Phishing of Facebook Business Users

https://labs.withsecure.com/assets/BlogFiles/Publications/WithSecure_Research_DUCKTAIL.pdf


Forwarding Addresses is Hard

https://www.synacktiv.com/publications/cve-2022-31813-forwarding-addresses-is-hard.html