SANS NewsBites

Don’t Let Your Twitter Apps Expose API Keys; Assume All Atlassian Servers are Compromised; Check Phones for DSIRF/Subzero Spyware

August 2, 2022  |  Volume XXIV - Issue #59

Top of the News


2022-08-02

Increase in Chinese "Hacktivism" Attacks

As US Speaker of the House Nancy Pelosi's planned visit to Taiwan approaches, the Internet Storm Center is seeing an increase in small to medium denial of service attacks against websites that either report the visit or are considered otherwise hostile to China. At this point, these attacks are likely uncoordinated and conducted by "hacktivists." The DDoS attacks use smaller botnets and appear to target websites by exhausting server resources, not bandwidth. If you consider yourself a possible target, it may be advisable to keep monitoring the response times of your websites and to check in with your anti-DDoS service.

For more details and updates see:

https://isc.sans.edu/diary/Increase+in+Chinese+%22Hacktivism%22+Attacks/28906


2022-08-01

Apps Expose Twitter API Keys

More than 3,200 apps are exposing Twitter API keys publicly. Researchers from the cybersecurity firm CloudSEK “discovered that 3207 apps were leaking valid Consumer Key and Consumer Secret.” Bad actors with access to these keys could perform actions as the account owners. CloudSEK recommends that developers use API key rotation.

Editor's Note

There is nothing you can do to protect credentials once you send them to the user. If you would like the user to interact with Twitter using your application, use the user's credentials, not yours.

Johannes Ullrich

Review source code to make sure that hard-coded API keys are not included. When stored, make sure they are not in plaintext. Consider using the mobile device secure storage for API keys versus storing them in configuration files.

Lee Neely
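
A way to act on the source-review advice above, as an added example that is not part of the newsletter or of CloudSEK's research: a small scanner that flags assignments of Twitter-style consumer keys and secrets in source or config files. The credential names, the minimum token length of 16 and the entropy threshold are assumptions chosen for this example; the sample config is constructed.

```python
import math
import re

# Names under which Twitter-style consumer credentials are commonly stored
# (assumed patterns for this example, not an exhaustive list), followed by an
# assignment and a token of at least 16 URL-safe characters (assumed minimum).
KEY_NAMES = re.compile(
    r'(?i)\b(consumer[_-]?key|consumer[_-]?secret|api[_-]?key|api[_-]?secret|'
    r'twitter[_-]?(?:api[_-]?)?(?:key|secret))\b\s*[:=]\s*["\']?([A-Za-z0-9_\-]{16,})["\']?'
)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random API tokens score well above prose."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_live_token(value: str, min_entropy: float) -> bool:
    """Real keys mix letters and digits and are high-entropy; placeholders such as
    'YOUR_API_KEY_HERE' fail the letter+digit mix test and are skipped."""
    has_digit = any(c.isdigit() for c in value)
    has_alpha = any(c.isalpha() for c in value)
    return has_digit and has_alpha and shannon_entropy(value) >= min_entropy


def find_hardcoded_keys(text: str, min_entropy: float = 3.0):
    """Return (line_no, name, value) for each line that assigns a credential-like
    name to something that looks like a live token."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = KEY_NAMES.search(line)
        if m and looks_like_live_token(m.group(2), min_entropy):
            hits.append((line_no, m.group(1), m.group(2)))
    return hits


# Constructed sample config as a mobile app might ship it; the token values are made up.
SAMPLE_CONFIG = """\
# twitter.cfg (constructed sample)
consumer_key = "Kx9Qb2Lp7RmT4vWz1Hn8Ya3Cd"
consumer_secret = 'qF3jR8nTz2Vw6Lp1Mx9Ky4Hb7Ud0Sa5Ge2Cf8Wn1Jr3Tl6Vy9Ao'
api_key = "YOUR_API_KEY_HERE"
log_level = "debug"
"""

if __name__ == "__main__":
    for line_no, name, value in find_hardcoded_keys(SAMPLE_CONFIG):
        print(f"line {line_no}: hard-coded {name} ({len(value)} chars)")
```

Point the same function at the files in an app bundle or repository before release; any hit is a credential that should move to per-user OAuth tokens or device secure storage and be rotated.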

2022-07-29

CISA Adds Atlassian Flaw to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added the Atlassian Questions for Confluence hard-coded credentials vulnerability (CVE-2022-26138) to its Known Exploited Vulnerabilities catalog. Atlassian has released updates (2.7.38 and 3.0.5) to address the flaw, which is being actively exploited. Federal agencies have until August 19 to mitigate the vulnerability.

Editor's Note

Exploiting the flaw is trivial and we have seen a number of attempts against honeypots. Treat exposed unpatched systems as compromised.

Johannes Ullrich

The motivator here is that this is being actively exploited, which you may need to leverage if you're not getting support to update to the patched version. Agencies are likely already being asked to report out on remediating the Atlassian flaws; expect this to fold into your regular BOD-22-01 reporting.

Lee Neely

2022-08-01

Austrian Government Investigating Alleged Spyware Company

Authorities in Austria are investigating a company in that country that allegedly makes spyware to be used for targeting law firms, banks, and consultancies. The spyware has been used to target organizations in at least three countries. News of the investigation follows close on the heels of a report from Microsoft’s Threat Intelligence Center that included information about malware known as Subzero that was allegedly developed by a company based in Vienna, Austria.

Editor's Note

In the 1980s I worked for the US Secret Service designing surveillance equipment used in counterfeiting investigations. Back then there were companies that pretended to sell anti-surveillance equipment to law enforcement (who, of course, didn’t need it) but really sold to criminals. We had to build in “anti-anti-surveillance” capabilities because in an open society it is hard to make dual use technologies illegal, as we’ve seen with social networks in recent times. Seems like in this case (DSIRF selling spyware that exploited a (now patched) vulnerability) existing laws could be used against the companies doing this.

John Pescatore

Back in January, Xavier Mertens wrote up a malicious Excel file that matches the type of malware used by this company. See https://isc.sans.edu/diary/Mixed+VBA+%26+Excel4+Macro+In+a+Targeted+Excel+Sheet/28264

Johannes Ullrich

The company accused of developing the Subzero spyware is DSIRF (tracked by Microsoft as KNOTWEED). The malware spreads multiple ways including exploiting zero-day vulnerabilities in Windows and Acrobat Reader. Microsoft's advisory allowed the company to be linked to the sale of the software for unauthorized surveillance. Microsoft announced that Defender Antivirus, signature build 1.371.503.0, detects KNOTWEED and released a patch for the zero-day (CVE-2022-22047) in their July 12 patch release.

Lee Neely

The Rest of the Week's News


2022-08-01

US Court System Breach

At a hearing of the US House Committee on the Judiciary last week, committee chair Jerrold Nadler said the US federal judicial court system “faced an incredibly significant and sophisticated cyber security breach, one which has since had lingering impacts on the department and other agencies.” The breach was conducted by three foreign state-sponsored threat actors.

Editor's Note

Not much info on this one, but odds are high it was yet another failure of basic security hygiene and really not all that sophisticated of an attack.

John Pescatore

This is a breach from 2020 which is only just now coming to light. Even now, the concerns are of eradication and preventing recurrence. While not disclosed, at this point scope should be very well known so recovery actions can complete. The lesson here is to have a disclosure timeline that you manage, as opposed to learning your breach was announced by a third party at a venue you've not granted permission for the disclosure.

Lee Neely

The lesson for the rest of us is that “data at rest” for an indefinite period should be encrypted.

William Hugh Murray

2022-08-01

Akamai Mitigated Largest Ever DDoS Against a European Company

Akamai thwarted the largest distributed denial-of-service (DDoS) attack ever faced by a European customer. The unnamed organization was targeted by DDoS attacks over a 30-day period earlier this summer. The attack peaked at 659.6 million packets per second (Mpps) and 853.7 gigabits per second (Gbps) over 14 hours on July 21.

Editor's Note

I’d like to see the newly formed DHS CISA Cyber Safety Review Board look at this or any of the other recent “largest ever DDoS” attacks and determine why ISPs couldn’t detect much/most of this attack and apply filtering at the source’s connection to their services. If the water companies were delivering sewage to businesses and government agencies, we would not expect to see companies paying to filter it out on the receiving end.

John Pescatore

Companies like Akamai, Microsoft and Cloudflare will continue to raise the bar on their DDoS protection capabilities, which deserves kudos. Seems like we're continuing to hear about mitigating “the largest attack ever.” I think the better question is what can your ISP and CDN do for you to mitigate these attacks and have you signed up for that service. If they have free and paid services, fully understand the difference so you can make an informed choice.

Lee Neely

2022-08-01

Tennessee Valley Authority IG Audit Report on EDR

The Tennessee Valley Authority Office of the Inspector General has published the results of an audit they conducted “to determine the effectiveness of endpoint protection on TVA desktops and laptops.” The White House’s Federal zero-trust architecture strategy includes deploying endpoint detection and response (EDR) technology that meets technical requirements set by the Cybersecurity and Infrastructure Security Agency (CISA). While the TVA IG’s audit found aspects “of TVA’s endpoint protection program to be generally effective,” the report found some gaps in TVA’s policy, procedures, and internal controls and notes that TVA does not require endpoint protection for all network connections.

Editor's Note

Independent of Zero Trust, our hybrid work model drives the need for both effective EDR and remote connections to services. Configure your VPN to conduct a posture check against minimum standards prior to allowing the connection, to include enabled/current EDR. Make sure that your EDR is indeed that, not just an anti-malware tool, and that you've enabled protections as well as centralized the logging from your endpoints. Make sure that updates, configuration management and logging work irrespective of the VPN. As you move into "vpnless" services make sure that appropriate posture checks are made before connections are made, and the control point is as close to the target service as possible to prevent bypass.

Lee Neely

2022-08-01

European Energy Company Encevo Discloses Cyberattack

Luxembourg-based energy provider Encevo has acknowledged that some of its subsidiaries were targeted in a cyberattack. Encevo says that the attackers exfiltrated data and rendered data inaccessible. Customers are advised to reset account credentials.

Editor's Note

Indicators point to this as the BlackCat ransomware and that they threatened to post 180,000 files (about 150 GB), adding extortion to their ransomware plans. Encevo is still working to determine the scope of the attack and plan their recovery. While customers are advised to reset their credentials, I would hold off until they are certain the malware is contained/eradicated. If you happen to have used the same credentials with Encevo and ANY OTHER service, change those non-Encevo passwords immediately, enabling MFA if offered.

Lee Neely

2022-08-01

Proposed Legislation Addresses Federal Data Center Resilience

A bill introduced in the US Senate would direct the Office of Management and Budget (OMB) to establish requirements to protect federal data centers. The Federal Data Center Enhancement Act of 2022 addresses both cybersecurity and physical security, aiming to improve the centers’ resilience against cyberattacks, terrorist attacks, and natural disasters.

Editor's Note

It is hard to be against any action to improve government data center security, but after the terrorist attacks against the US on September 11 2001 and the impact of Hurricane Katrina in 2005 I think we saw similar legislation, though without the new “resilience” buzzword. I’d like to see reviews of both gaps and best practices in federal data center protection happen before more layers of security requirements are issued.

John Pescatore

I'm not so sure we need information on how to harden a data center. Information for building or retrofitting data centers with different tiers is well known, and we already have controls intended to verify the basics. The bigger problem is to ensure that services are in a data center commensurate with their C-I-A levels. This means you need to find out what service level your data center is built to, then make sure that your applications are not expecting a higher level. Don't forget about geographic diversity. With the administration directive to cloud adoption, many service providers already have solutions to get your C-I-A levels without you having to physically build anything. You also have the flexibility to select application-specific options, rather than having to build your facility to the highest common denominator.

Lee Neely

2022-07-31

Australian Man Charged for Creating and Distributing RAT

Australian authorities have charged an individual for allegedly creating and selling spyware for criminal use. Jacob Wayne John Keen allegedly created a remote access trojan (RAT) and sold it to more than 14,500 people in 128 countries between 2012 and 2019. Keen faces six counts that carry a maximum sentence of 20 years in prison.

Editor's Note

The spyware, named Imminent Monitor, was allegedly created by Keen when he was 15 and he administered it from 2013 until his shutdown in 2019. The RAT, which is distributed via email and text messages, included keystroke monitors, recording from webcams and/or microphones, hidden RDP access and even a cryptocurrency miner. The miner is not a typical RAT function. Imminent Monitor sold for AUD $35.

Lee Neely

Internet Storm Center Tech Corner

A Little DDoS in the Morning

https://isc.sans.edu/diary/A+Little+DDoS+In+the+Morning/28900


PDF Analysis Introduction and OpenActions Entries

https://isc.sans.edu/diary/PDF+Analysis+Intro+and+OpenActions+Entries/28894


Exposed Twitter API Keys

https://cloudsek.com/whitepapers_reports/how-leaked-twitter-api-keys-can-be-used-to-build-a-bot-army/


TCL LinkHub Serialization Issues

https://blog.talosintelligence.com/2022/08/vulnerability-spotlight-how-misusing.html


Jenkins Plugin Updates

https://www.jenkins.io/security/advisory/2022-07-27/


IPFS The New Hotbed of Phishing

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/ipfs-the-new-hotbed-of-phishing/


Mail Stealing Browser Extension

https://www.volexity.com/blog/2022/07/28/sharptongue-deploys-clever-mail-stealing-browser-extension-sharpext/


LofyLife Malicious NPM Packages

https://securelist.com/lofylife-malicious-npm-packages/107014/


IP Camera Vulnerability

https://www.nozominetworks.com/blog/vulnerability-in-dahua-s-onvif-implementation-threatens-ip-camera-security/


Nuki Smart Lock Vulnerabilities

https://research.nccgroup.com/2022/07/25/technical-advisory-multiple-vulnerabilities-in-nuki-smart-locks-cve-2022-32509-cve-2022-32504-cve-2022-32502-cve-2022-32507-cve-2022-32503-cve-2022-32510-cve-2022-32506-cve-2022-32508-cve-2/


Foxit PDF Reader

https://www.foxit.com/support/security-bulletins.html