SANS NewsBites

Yet Again, Patch Your Cisco SMB Routers; Snapchat and American Express Websites May Have Compromised Your Microsoft 365 and Google Workspace Credentials; GitHub Looking to Add Code Signing

August 9, 2022  |  Volume XXIV - Issue #61

Top of the News


2022-08-05

Critical Flaws in Cisco SMB Routers

On Wednesday, August 3, Cisco released a security advisory warning of multiple vulnerabilities in some of its small business routers. The flaws affect the company’s RV160, RV260, RV340, and RV345 Series Routers. Cisco has made updates available.

Editor's Note

It is Tuesday, so it must be time for more Cisco SMB router vulnerabilities. A quick search at nvd.nist.gov shows 7 critical vulnerabilities this year and 8 last year (and 25 total over the two years). I guess it is cheap enough for Cisco to push vulnerability discovery right and left.

Johannes Ullrich

The exploit comes from input which is not properly validated/sanitized. Update to the latest firmware, and make sure that the management interface is only available to authorized systems/users. While the CVSS scores are 8.3/10 (CVE-2022-20841) and 9/10 (CVE-2022-20827) - don't expect this vulnerability to remain on the “not actively exploited” list for long.

Lee Neely

2022-08-08

Open Redirect Flaws Used to Steal Account Credentials

Phishers are exploiting open redirect vulnerabilities in the Snapchat and American Express websites to steal Microsoft 365 and Google Workspace account credentials. An open redirect occurs when a site forwards users to a destination taken from unvalidated user input. The attackers used personally identifiable information in the URLs to help generate malicious landing pages that were tailored to the user.

Editor's Note

Phishing is just the tip of the iceberg of open redirect issues. These flaws are often underestimated, and can be tricky to fix. But consider that if your site uses OAuth for authentication, open redirect flaws can be used in some cases to steal authentication tokens.

Johannes Ullrich

Snapchat was told of the vulnerability over a year ago and hasn’t fixed it. Imagine if Snapchat sold breakfast cereal that was found to be contaminated with rat poison - the boxes of Snapchat would have been off the shelves in weeks if not days. It really is time for regulatory consequences that cause business disruption, not just fines, to companies that know of vulnerabilities but don’t fix them.

John Pescatore

The best penetration testers and bug bounty hunters can demonstrate the severity of flaws like open redirection in a way that shows the client how to be more secure – and motivates them to make that change.

Christopher Elgee

Prevention/training can include cautioning users around URLs that contain “url=”, “redirect=”, “external-link” or “proxy” strings; the better defense is for domain owners to limit redirection use and include things like redirection disclaimers (“You are leaving my site for this site, click here”).

Lee Neely

2022-08-08

GitHub Seeks Comments on Plan to Improve npm Security with Code Signing

GitHub has opened a request for comments on its plan to bolster npm security with code signing. The move follows other efforts to improve npm security, including two-factor authentication, streamlined login, and enhanced artifact signing.

Editor's Note

Sigstore is a very cool effort, supported by OpenSSF, Google, Cisco, Red Hat, VMware and others. Kubernetes adopting sigstore/code signing in May 2022 has really picked up adoption. But, the signing of code really isn’t what increases security - *verifying* the signatures and not using unsigned or invalid/expired code is the harder required part. Processes for using open source software need to be updated.

John Pescatore

Code signing is a good idea, and you need to understand what the level of assurance is behind the signature on the code. Having a reliable issuance process, disallowing self-signed, and enforcing scope (what projects they can and cannot sign code for) is a step in the right direction.

Lee Neely

The Rest of the Week's News


2022-08-05

Plan to Have Sanitation Inspectors Assess Water Utility Cybersecurity is Met with Skepticism

Industry groups and cybersecurity experts have a lot to say about the White House’s plan to have the Environmental Protection Agency (EPA) delegate cybersecurity oversight to local sanitation inspectors. The US water sector currently has no minimum cybersecurity standards. Industry groups say the approach needs to be more granular to meet the cybersecurity needs of different utilities. The American Water Works Association (AWWA) says the EPA did not engage the organization in its decisions, and noted that sanitation reviews are largely visual, checking that equipment is operating effectively. Cybersecurity experts have expressed concerns about state sanitation inspectors not being trained to conduct cybersecurity audits. Dragos CEO Rob Lee also pointed out that the underlying issue is how to pay for necessary water utility cybersecurity changes.

Editor's Note

It is easy to criticize thinking local water system inspectors could effectively perform cybersecurity audits, but the real issue is the lack of defined standards for required cybersecurity levels for the various levels of water utilities in the US – no auditor can audit without something against which to audit. By the way, Deputy National Security Advisor Anne Neuberger is quoted as saying the EPA is well equipped to make sure cybersecurity is “holistically” considered. Whenever I hear one of the “H” words (holistic and heuristic) used by a vendor or government official (the two that tend to use those terms the most) I automatically replace the former with “imaginary” and the latter with “undocumented.”

John Pescatore

Clearly defined standards and requirements must be in place before you can effectively assess the cybersecurity. Otherwise, you're going to have inconsistent results. The selection of Sanitation Inspectors reflects their ability to subjectively inspect and audit against a known set of standards; it is not clear they are going to have the level of familiarity required to audit against cybersecurity requirements.

Lee Neely

Cybersecurity evaluation, audit, is not an ancillary duty nor a job for amateurs. Such efforts will not enable any conclusions about the security of an enterprise. However, in this industry a very short checklist, suitable for use by any literate person, may enable the early identification and mitigation of dangerous omissions.

William Hugh Murray

2022-08-08

HHS Suggestions for Healthcare Sector IoT Cybersecurity

The US Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HHS HC3) has published an analyst note providing healthcare organizations with information to improve IoT security. The note suggests limiting attack surface using network segmentation. It also describes common IoT attacks and lists steps to take to minimize the risk posed by IoT devices. HHS has also published a threat brief about web application attacks in healthcare.

Editor's Note

Healthcare continues to be a target, particularly their IT/OT systems. The guidance is familiar and appropriate for networked IT/OT components (segmentation - only authorized users/devices, use MFA, keep updated/patched, and monitor.) Don't forget about embedded devices, such as pacemakers, which have wireless communication, which requires you to work with the provider to ensure you either have security best practices implemented or disable the interface.

Lee Neely

Anyone who's worked cybersecurity in healthcare knows this is partly a philosophical struggle along the CIA triad. To those of you in cybersecurity making patient health information access secure, immediate, and highly available, thank you! Yours is some of the hardest and most important work going on.

Christopher Elgee

2022-08-08

Tornado Cash Sanctioned for Laundering Cybercrime Proceeds

The US Department of the Treasury’s Office of Foreign Assets Control (OFAC) has sanctioned Tornado Cash, a virtual currency mixer that has been used to launder billions of dollars in stolen virtual currency. The sanctions freeze company assets and prohibit US citizens from doing business with Tornado Cash without approval from OFAC.

Editor's Note

If you are a legitimate business, not much chance you were using Tornado Cash – or using “crypto currency” at all, since actual use for business transactions is minimal. But US Treasury has a compliance guide that is worth reading if you are - https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf

John Pescatore

If you're looking at accepting cryptocurrency, actions like this matter. Be sure you do your research, including getting input from peers on options and pitfalls. This is a case where you really need to be continuously monitoring your partners to ensure you're not going to be on the wrong side of a regulatory decision. Make sure that you not only understand the relationships in play and how transactions are governed but also what the contingency plans are when something fails or becomes prohibited before jumping in with both feet.

Lee Neely

2022-08-08

Slack Resets Some Users’ Passwords

Last week, Slack sent some workspace users emails requesting that they reset their passwords. The issue lay in a bug that exposed hashed versions of users’ passwords when they created or revoked a Shared Invite Link for their workspace. The issue affected all users who created or revoked such links between April 17, 2017, and July 17, 2022. Slack has fixed the bug.

Editor's Note

Slack leaked salted hashes of passwords, not passwords themselves. But yet another reason to first of all use long and random passwords to make offline brute forcing more difficult, and of course always use a different password for different services. In this case, the four emails I received from Slack about being affected by the leaks are non-events.

Johannes Ullrich

Slack estimates this impacted about 0.5% of users. Apparently, the shared invite link included the hashed value of the sender's password. Slack has not revealed which hashing algorithm was used and sent communication to those impacted users directing them to change their passwords. It's not a bad idea to go through and update your Slack passwords, as well as checking to make sure you're keeping your desktop client updated.

Lee Neely

Slack offers its users a two-factor authentication option. The key word is “option.” All users of Software as a service (SaaS), indeed any cloud service, should expect and use strong authentication.

William Hugh Murray

2022-08-06

NHS Outage Due to Cyberattack Against Managed Service Provider

The UK’s National Health Service (NHS) is experiencing an outage after a managed service provider suffered a cyberattack. The incident is affecting NHS’s 111 service, which is designed for people who need urgent health care, but not for life-threatening situations. The 999 emergency services number does not appear to be affected. The situation is expected to be resolved this week.

Editor's Note

The question is how insulated are you from compromise at your third-party providers. Make sure that your DR plans address both directly and indirectly connected systems. Whether a failure in the feed you send to the bank for payroll processing or outsourced/cloud services directly connected to your network, be sure to know what impacts are possible and what your recovery option is. Make sure that you have segmentation and monitoring, appropriate geographic distribution as well as redundancy of connections.

Lee Neely

2022-08-05

Zimbra Vulnerability is Being Actively Exploited

A command injection vulnerability in Zimbra Collaboration is being actively exploited to steal email account credentials with no user interaction. Researchers from SonarSource discovered the vulnerability on March 11, 2022; Zimbra released a fix on May 10. The US Cybersecurity and Infrastructure Security Agency (CISA) has added the flaw to its Known Exploited Vulnerabilities Catalog with a mitigation due date of August 25, 2022.

Editor's Note

The patch for Zimbra was released May 10, 2022, with versions ZCS 9.0.0 Patch 24.1 and ZCS 8.8.15 Patch 31.1. The report from SonarSource, released a month after the patches were released, has details and pointers for attackers to successfully exploit the flaws. Yup, time to patch.

Lee Neely

2022-08-08

Spear Phishing Operation Targeted Industrial Plants and Government Agencies

Researchers from Kaspersky said that an advanced persistent threat (APT) group with ties to China’s government used six separate backdoors to infiltrate networks at industrial plants, research organizations, and government agencies and ministries in Belarus, Ukraine, Russia, and Afghanistan. The attackers gained initial purchase in the systems with spear phishing emails.

Editor's Note

Make sure you're looking at both sides of this equation. Make sure users have the training and tools to spot and report phishing emails, and make sure that you're securing your systems, particularly critical systems, whether OT or IT. You know the drill: keep them updated, only allow authorized devices and user access, enable MFA where possible, monitor for irregular behavior. On the monitoring front, where OT systems have proprietary protocols, some network analyzers now understand these and can alert on unexpected traffic. Use caution with active response solutions on OT networks.

Lee Neely

It is unlikely that any technique will ever wholly protect against human error, but strong authentication will certainly help here. Once an enterprise network is compromised it is almost impossible to completely trust it again. Backdoors are easy to install and very difficult to find and eliminate.

William Hugh Murray

Internet Storm Center Tech Corner

JSON All the Logs!

https://isc.sans.edu/diary/JSON+All+the+Logs%21/28920


Exim Vulnerability Silently Patched

https://github.com/ivd38/exim_overflow


Microsoft Edge Enhanced Security

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-security-browse-safer


Malicious Python Packages

https://www.darkreading.com/application-security/10-malicious-packages-slither-pypi-registry


New Orchard Botnet

https://thehackernews.com/2022/08/new-orchard-botnet-uses-bitcoin.html


DuckDuckGo Stopping Microsoft Tracking Code

https://spreadprivacy.com/more-privacy-and-transparency/


Emergency Broadcast Messaging System Vulnerabilities

https://content.govdelivery.com/accounts/USDHSFEMA/bulletins/3263326


Slack Leaks Hashed Passwords

https://slack.com/intl/en-in/blog/news/notice-about-slack-password-resets


Zimbra Flaw Exploited

https://nvd.nist.gov/vuln/detail/CVE-2022-27924