SANS NewsBites

Taiwan Reports DDoS Attacks Following Pelosi Visit; Researchers Break Post-Quantum Encryption Candidate; Patch Critical VMware Flaw

August 5, 2022  |  Volume XXIV - Issue #60

Top of the News


2022-08-04

Taiwan Reports DDoS Attack After Pelosi Visit

Taiwan’s Ministry of Defense reported that its systems were targeted by a distributed denial-of-service (DDoS) attack earlier this week, shortly after US Speaker of the House Nancy Pelosi visited. Earlier in the week, the country’s presidential website reported a DDoS attack as well.

Editor's Note

The scale of these attacks, and their targets, point to hacktivists. It looked like recovery was swift, and I doubt it significantly affected operations at these organizations. But remember that DDoS attacks can also be used as a smoke screen to cover more sophisticated attacks.

Johannes Ullrich

The group Anonymous jumped into the mix, retaliating for the attacks and taking credit for hacking into the government website of China's Heilongjiang Society Scientific Community Federation. The hacked site was taken down but lives on in the Internet Archive. The point is that beyond being prepared for DDoS attacks, you also need to watch for sympathetic actions, possibly retaliating on your behalf, resulting in unplanned escalation of tensions.

Lee Neely

2022-08-03

Post-Quantum Encryption Algorithm Candidate Broken

Researchers have found a way to break one of the post-quantum encryption algorithm candidates chosen by the US National Institute for Standards and Technology (NIST) as a potential replacement for encryption algorithms currently in use. Using a single-core PC, researchers from the Computer Security and Industrial Cryptography (COSIC) group at KU Leuven broke the algorithm, known as Supersingular Isogeny Key Encapsulation (SIKE), in one hour.

Editor's Note

This is exactly why we need to look for new encryption standards long before they are actually needed. The NIST process is slow and deliberate. It does allow for sufficient time and it does give these proposed standards exposure to encourage review.

Johannes Ullrich

Three of the new schemes rely on new, less understood assumptions, which could really raise the bar, or be subject to an old-school attack not accounted for. Now is the time to find issues with the new candidates, not after we've moved to them. I give a lot of credit to all the candidates who effectively signed up for a multi-round, public murder board. Once the process completes, vendors will need time to both produce products which implement them and come up with best practices, so you can then discuss moving to Post-Quantum Encryption effectively.

Lee Neely

2022-08-03

VMware: Patch Critical Authentication Bypass Flaw

On Tuesday, August 2, VMware released an advisory that includes fixes for 10 vulnerabilities that affect its VMware Workspace ONE Access, Workspace ONE Access Connector, Identity Manager, Identity Manager Connector, vRealize Automation, Cloud Foundation, and vRealize Suite Lifecycle Manager products. The most serious of the flaws is a remote authentication bypass issue that affects local domain users.

Editor's Note

I hope I do not need to remind anybody to not expose these systems to the open internet. This isn't the first critical VMware flaw this year.

Johannes Ullrich

Take a deep breath, grab your coffee, and scan the VMware advisory page for your specific product to find the actions needed. It includes a table of criticality, CVEs and links to KB articles for each. While not actively exploited, the criticality should be used as an indicator of how likely that is to change. There is only one workaround listed, for one out of all of these issues; frankly, plan to patch all the affected things.

Lee Neely

The Rest of the Week's News


2022-08-04

CISA and ACSC: Top Malware Strains of 2021

In a joint alert, the US Cybersecurity and Infrastructure Security Agency (CISA) and the Australian Cyber Security Centre (ACSC) provide overviews of the top malware strains of 2021. The majority of the top malware strains – Agent Tesla, AZORult, Formbook, Ursnif, LokiBot, MOUSEISLAND, NanoCore, Qakbot, Remcos, TrickBot and GootLoader – have been around as one variant or another for at least five years.

Editor's Note

The top strains include RATs, banking Trojans, information stealers and ransomware. If the names Tesla, Formbook, AZORult, LokiBot, etc. aren't well known to you, read the CISA bulletin to learn about them. The mitigations remain the same: implement (comprehensive) MFA, keep systems patched and updated, don't expose RDP to the internet, have good (offline) backups and train users. When I say comprehensive MFA, I mean don’t skip any externally facing services, and don’t exclude any users from having to use it.

Lee Neely

2022-08-04

FEMA: Critical Vulnerabilities in Emergency Alert System Devices

The US Department of Homeland Security’s (DHS’s) Federal Emergency Management Agency (FEMA) has issued a bulletin warning of critical vulnerabilities in Emergency Alert System (EAS) devices. The flaws in the encoder/decoder devices could be exploited to send phony emergency alerts on radio and television. FEMA is urging all EAS system participants to ensure their devices are running the most recent software versions and have their patches up to date; are protected by a firewall; and that audit logs are reviewed regularly to check for unauthorized access.
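The bulletin's last recommendation, regular review of audit logs for unauthorized access, is the one that is easiest to skip. The following is an added example, not from FEMA or any EAS vendor, of what such a review can look like when automated: it parses a constructed log export (host names, user names, IP addresses and the management allowlist are all invented for illustration, and real encoder/decoder exports will use a different format) and flags administrative logins from outside the management network, successful logins that follow a burst of failures, and configuration or alert actions originating from non-management addresses.

```python
"""Flag suspicious entries in EAS encoder/decoder audit logs.

Added example; not code from the FEMA bulletin or any device vendor.
The log format, host names, addresses and management allowlist below
are constructed for illustration. Adapt LINE_RE to the real export.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: networks administrators are expected to log in from.
MGMT_ALLOWLIST = [ip_network("192.0.2.0/24")]
FAILURE_THRESHOLD = 3              # failed logins within FAILURE_WINDOW
FAILURE_WINDOW = timedelta(minutes=10)

# Assumed line layout: "<ISO timestamp> <host> <event> user=.. src=.. result=.."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>login|config|alert) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)

# Constructed sample export; not real device output.
SAMPLE_LOG = """\
2022-08-04T01:58:02Z eas-enc1 login user=admin src=192.0.2.10 result=success
2022-08-04T02:10:41Z eas-enc1 login user=admin src=203.0.113.45 result=failure
2022-08-04T02:11:03Z eas-enc1 login user=admin src=203.0.113.45 result=failure
2022-08-04T02:11:27Z eas-enc1 login user=admin src=203.0.113.45 result=failure
2022-08-04T02:12:09Z eas-enc1 login user=admin src=203.0.113.45 result=success
2022-08-04T02:13:30Z eas-enc1 config user=admin src=203.0.113.45 result=success
2022-08-04T02:14:12Z eas-enc1 alert user=admin src=203.0.113.45 result=sent
2022-08-04T09:00:00Z eas-enc1 login user=operator src=192.0.2.22 result=success
"""


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def is_allowed(src):
    """True if src is a valid address inside a management network."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_ALLOWLIST)


def review(log_text):
    """Return (timestamp, reason) findings in log order."""
    findings = []
    recent_failures = {}  # (host, user, src) -> timestamps of recent failures
    for ev in parse(log_text):
        key = (ev["host"], ev["user"], ev["src"])
        if ev["event"] == "login":
            if ev["result"] == "failure":
                fails = recent_failures.setdefault(key, [])
                fails.append(ev["ts"])
                # Drop failures that have aged out of the window.
                recent_failures[key] = [t for t in fails if ev["ts"] - t <= FAILURE_WINDOW]
            elif ev["result"] == "success":
                if not is_allowed(ev["src"]):
                    findings.append((ev["ts"], f"login from non-management address {ev['src']}"))
                fails = recent_failures.pop(key, [])
                if len(fails) >= FAILURE_THRESHOLD:
                    findings.append((ev["ts"], f"success after {len(fails)} failures for {ev['user']}"))
        elif not is_allowed(ev["src"]):
            # Config changes or alert transmissions from outside management nets.
            findings.append((ev["ts"], f"{ev['event']} from non-management address {ev['src']}"))
    return findings


if __name__ == "__main__":
    for ts, reason in review(SAMPLE_LOG):
        print(ts.isoformat(), reason)
```

On the constructed sample this produces four findings, all for the 203.0.113.45 session: the login from outside the management network, the success following three failures, and the subsequent configuration change and alert transmission. The alert event is the one that matters most for the EAS case described above, since the bulletin's concern is phony alerts reaching radio and television, so a real deployment should treat that finding as a page-out rather than a report line.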

Editor's Note

The vulnerability is now public knowledge, which means participants have to patch PDQ. Some of the Monroe Electronics components of the system had flaws which couldn't be patched previously due to a lack of updates for the last few years. Ken Pyle, who discovered those flaws, will be presenting more information at the DEFCON 30 IoT village.

Lee Neely

An instance where false positives are more tolerable than false negatives, short of being so frequent as to destroy trust in true positives.

William Hugh Murray

2022-08-04

DoJ Using Paper for Sensitive Documents

The US Department of Justice says it has been filing sensitive court documents on paper rather than electronically since January 2021. In an interview with Cyberscoop, Deputy Assistant Attorney General for National Security Adam Hickey said, “Convenience is great, but security in any internet connected system is going to be different from what it would be on paper.”

Editor's Note

Often, sensitive OT devices are (wisely!) disconnected from the internet; it's probably a good idea to isolate the most sensitive documents as well. Putting them on paper makes them much less accessible by foreign adversaries!

Christopher Elgee

The downside of paperless is that you need to make sure the protections are appropriate for your most sensitive paper-based processes. When assessing the process, think of how we handled paper. While we are familiar with locked filing cabinets, offices and storage rooms, you still have transport concerns; even registered mail can get waylaid. Even so, the risks of the old processes may be lower than the online process for certain use cases. Document gaps and make deliberate decisions to accept the risk or require alternate processes in those scenarios.

Lee Neely

2022-08-02

House Bill Would Reauthorize NCFI

A bipartisan bill in the US Senate would reauthorize the National Computer Forensics Institute (NCFI) and extend its funding through 2028. NCFI's mission is to “train state and local law enforcement, judges and prosecutors in digital evidence, network intrusion, and computer/mobile device forensic issues.” The House passed a companion bill last month.

Editor's Note

The course is conducted through the local US Secret Service field office and is available to active full-time employees (law enforcement, judges and prosecutors) of a state or local government agency. If you fit into one of those categories, this should be a great opportunity to hone your skills around digital evidence, network intrusion, and computer/mobile device forensic issues.

Lee Neely

2022-08-04

Cyberattack Hits Association of German Chambers of Industry and Commerce

A cyberattack against the Association of German Chambers of Industry and Commerce (DIHK) prompted the organization to shut down its IT systems. According to a statement on the DIHK website, the shutdown was “a precautionary measure for security reasons. We are currently working intensively on a solution and defense. After being checked, the IT systems are successively started up so that the services for companies are then available again.”

Editor's Note

Translation - we don't know the scope of the attack; turn it all off, check everything, only enabling known-good services. This is a tough call, particularly with 79 chambers and over three million members who use their services. They are using the DIHK web site and LinkedIn to post updates. Are you prepared to communicate in a similar situation? Make the call? And do you have multiple communication paths for users and partners?

Lee Neely

2022-08-01

SolarWinds CISO on Lessons Learned from Sunburst

SolarWinds CISO Tim Brown led the incident response to the Sunburst attack, which exploited a supply chain vulnerability in Orion, a SolarWinds IT performance monitoring system. The incident prompted SolarWinds to establish a new software development process that includes addressing security early on. Brown sees the event as a valuable learning experience, and not just for SolarWinds. CISOs at other companies have been able to get more funding from boards, and it has prompted government to adopt new software procurement practices and move forward with plans to secure the software supply chain.

Editor's Note

Don't get caught up in buzzwords and new shiny terms; make sure that you're using secure practices with the software you're producing, paying attention to internet-sourced components, and make sure the software installed is the genuine product from your vendor, with sufficient regression testing prior to production deployment. Make sure that you're watching your threat feeds for software and services you use so you can follow up on possible areas of concern. After that, rely on your existing processes for detection and monitoring of malfeasance.

Lee Neely

2022-08-04

US Financial Companies Fined for Failing to Provide Adequate Cybersecurity

The US Securities and Exchange Commission (SEC) has fined US financial companies JP Morgan Chase & Co and TradeStation for “deficient customer identity programs.” In addition, the Consumer Financial Protection Bureau fined US Bancorp for opening unauthorized accounts. The fines for the three companies totaled $3.5 million.

Editor's Note

The SEC has a red flags rule, which requires financial institutions and some "creditors" to conduct a risk assessment to determine if they have covered (in scope) accounts. If so, they are required to implement a program for the relevant red flags to protect those accounts from identity theft. If you are a FI or creditor, review the rule to make sure that your risk assessment meets the current criteria there, and address any shortcomings post-haste.

Lee Neely

It is not clear from the report cited below whether this punishment is more about IAM or the traditional requirement that banks know their customer, authentication, or new account.

William Hugh Murray

Internet Storm Center Tech Corner

Increase in Chinese "Hacktivism" Attacks

https://isc.sans.edu/diary/Increase+in+Chinese+%22Hacktivism%22+Attacks/28906


l9explore and LeakIX Internet Wide Recon Scans

https://isc.sans.edu/diary/l9explore+and+LeakIX+Internet+wide+recon+scans./28910


TLP 2.0 is Here

https://isc.sans.edu/diary/TLP+2.0+is+here/28914


Hijacking email with Cloudflare Email Routing

https://albertpedersen.com/blog/hijacking-email-with-cloudflare-email-routing/


rsync arbitrary file write vulnerability

https://www.openwall.com/lists/oss-security/2022/08/02/1


Local privilege escalation in Kaspersky VPN

https://www.synopsys.com/blogs/software-security/cyrc-advisory-kasperksy-vpn-microsoft-windows/


Arris / Arris Variant DSL/Fiber Router Critical Vulnerability

http://derekabdine.com/blog/2022-arris-advisory


35,000 Malicious Repo Forks Flood GitHub

https://www.bleepingcomputer.com/news/security/35-000-code-repos-not-hacked-but-clones-flood-github-to-serve-malware/


Palo Alto Master Key

https://twitter.com/rqu50/status/1554566757704089600#m


Laravel Unserialize RCE

https://github.com/beicheng-maker/vulns/issues/1


Unauthenticated Remote Code Execution in DrayTek Vigor Routers

https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/rce-in-dratyek-routers.html


VMWare Updates

https://www.vmware.com/security/advisories/VMSA-2022-0021.html

https://twitter.com/VietPetrus


Manjusaka: A Chinese sibling of Sliver and Cobalt Strike

https://blog.talosintelligence.com/2022/08/manjusaka-offensive-framework.html