SANS NewsBites

Free DHS Election Cybersecurity Toolkits Require Investment in Skills; Cisco Details on Errors That Enabled MFA Bypass Breach; US Needs Congress to Act on Assuring Critical Infrastructure Guidance Will Be Followed

August 12, 2022  |  Volume XXIV - Issue #62

Top of the News

2022-08-11

CISA Releases Cybersecurity Toolkit for Elections

The US Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Joint Cyber Defense Collaborative (JCDC), has published a guide for election systems cybersecurity. Designed to help US state and local election officials, the Cybersecurity Toolkit to Protect Elections includes a tool to assess risk profile as well as information about tools and services that can be used to help secure election infrastructure assets.

Editor's Note

While free toolkits are obviously lower in acquisition cost, they still require a level of cybersecurity skill to use for any purpose other than producing “fill the binder” documentation. For example, the first step in this process is to use the online Election Security Risk Profile Tool developed by CISA and the U.S. Election Assistance Commission. The bad news: it asks the filler-outer to estimate risk at the Confidentiality/Integrity/Availability level with slider bars. All too often in the US election system, the person filling out this form will have no idea of what the risk level is and may not even understand those terms. The good news: the slider bars show curves for how election experts assessed the CIA risk and (at least on my browser) the default risk estimates are fairly high and clicking through maintains those defaults. The CISA focus on free tools unfortunately perpetuates the myth that additional spending on staffing and training by state and local is not required for election security – both are badly needed.

John Pescatore

When performing a self-assessment, one of the hardest parts is to be brutally honest about your current state, particularly if you're not used to this. Here is a case where peer review can help you. The Election Survey Risk Profile tool is ten pages of questions, with your answers driving added questions. Once you have an honest assessment, then the real work begins of addressing issues. CISA is leveraging the NIST Cybersecurity Framework, so there are plenty of resources and expertise to help you succeed.

Lee Neely

As the tool suggests, in order to be effective, much less efficient, security must be risk based. However, risk assessment requires knowledge, skill, ability, and experience. These are not likely to be found in many of the 8000 election jurisdictions. It is all too easy, indeed common, for the novice to confuse threat, vulnerability, or consequences for risk. An effective tool for such a population must provide a lot of guidance while being easy to use. It must not rest upon the ability of the user to do something that he is not equipped to do.

William Hugh Murray

2022-08-11

Cisco Acknowledges Network Breach

Cisco has acknowledged that threat actors managed to gain access to its corporate network. The company learned of the compromise in late May 2022. The threat actors, a ransomware group known as Yanluowang, used a hacked Google account to gain access to a Cisco employee’s VPN client. Cisco said that the group was not successful in deploying ransomware on their network.

Editor's Note

This is another example of how complex attacks will be used to try to (and sometimes succeed in) bypassing multifactor authentication. Definitely read the Initial Vector section of the Talos report to see what the compromised user did wrong (multiple things) and look at your awareness training to see if you have this covered. Cisco has recently seemed to be in the news too often for vulnerabilities in their products (see ASA item in this Newsbites, for example) but over the years (going as far back as SQL Slammer in 2002) Cisco’s internal security has aggressively focused on maintaining the skills, processes and controls to reduce time to detect, respond, restore, etc.

John Pescatore

Thanks to Cisco for sharing the details to allow us to learn from Cisco's experience.

Johannes Ullrich

The higher we raise the bar on password-based authentication, the more we can expect users to use electronic means to store those credentials. Make sure that you have policy and training about storing and syncing company credentials using non-corporate mechanisms. At a minimum make sure that remote access requires MFA rather than reusable credentials. Ideally, all remote entry points, including endpoints, should require MFA.

Lee Neely

All too often an error by a single employee results in the compromise of the entire enterprise but it need not be so. “Zero Trust” architectures, or even network segmentation, can make the enterprise tolerant of the inevitable user error.

William Hugh Murray

2022-08-01

White House to Provide Critical Infrastructure Sectors with Cybersecurity Guidance

The White House wants to provide the water sector (and other critical infrastructure sectors) with cybersecurity guidance. It asked Congress months ago to codify the Environmental Protection Agency's (EPA) authority to establish standards for the water sector. An administration official said “the EPA’s current safety and security authorities allow them to roll cybersecurity in,” and added that the EPA will likely issue the rule this summer. Anne Neuberger, deputy national security adviser for cyber and emerging technology, said last week “We need the Hill to ensure that those authorities are clear. There's hesitancy by agencies to move without real Hill backing to do so.”

The Rest of the Week's News

2022-08-09

Microsoft’s August Patch Tuesday Includes Fix for RCE Flaw in MSDT

Microsoft’s Patch Tuesday for August 2022 addresses more than 120 security issues in multiple products; 17 of the vulnerabilities are rated critical. The batch of issues addressed includes a fix for a zero-day remote code execution vulnerability in the Microsoft Windows Support Diagnostic Tool (MSDT).

Editor's Note

The main issue with MSDT was the fact that it was directly exposed via Microsoft Office. This issue was fixed in an earlier update. However, the directory traversal/code execution issue remained. This has been fixed with this update.

Johannes Ullrich

While the number of issues seems large, 20 of these are Chromium-Edge and 32 are Azure Site Recovery. Also included in the patches are three critical Exchange server patches (CVE-2022-24477, CVE-2022-24516 and CVE-2022-21980) which need to be applied immediately. Fully fixing the issues requires enabling Windows Extended protection on Exchange Servers. Review the MS blog post on the Exchange Server Updates (https://techcommunity.microsoft.com/t5/exchange-team-blog/released-august-2022-exchange-server-security-updates/ba-p/3593862) for more details. Revitalize your projects to move to hosted email servers wherever possible.

Lee Neely

2022-08-10

Cloudflare Says They Thwarted a Phishing Scheme in July

Cloudflare says their organization was recently targeted by a phishing scheme similar to the one that hit Twilio last week. Twilio’s network was breached after employees received phishing emails claiming to be from the company’s IT department that led them to a phony Twilio sign-in page. Cloudflare said it experienced a similar attempted attack last month, but was able to thwart it because they use hardware-based MFA keys. The Cloudflare blog post offers “a rundown of exactly what [they] saw in order to help other companies recognize and mitigate this attack.”

Editor's Note

Sharing information lately practiced by Cloudflare, Cisco and Twilio is a great resource to learn and improve. One common theme lately is that targeted attacks are exploiting a disconnect in how some multi factor authentication systems work, and how users perceive them. You should update your user awareness training to include these abuse cases.

Johannes Ullrich

This is a great example of what phishing-resistant MFA means. Hardware MFA, in this case using a FIDO2-compliant key with origin binding, meant that even with the captured credentials, the attacker couldn't get past the login prompt. That said, you need to make sure that your MFA is comprehensive; don't exclude system administrators, VIPs, etc. Where using SSO, make sure that users have to strongly authenticate to the endpoint, and that the endpoint is trusted, genuine, and meets or exceeds your required security posture.

Lee Neely
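The origin binding that stopped the Cloudflare attempt is enforced by the relying party, not by the user: the browser writes the page origin it is actually on into clientDataJSON, and the authenticator hashes the RP ID into authenticatorData, so an assertion produced on a look-alike site fails verification. The following is an added illustration of those checks (not code from Cloudflare, Twilio or the FIDO specifications); the origin, RP ID and challenge values are constructed placeholders, and signature verification, which would follow these checks, is left out.

```python
import base64
import hashlib
import json

# Constructed sample values (assumptions, not from the page): the relying
# party's genuine origin and RP ID, and the challenge it issued for this login.
EXPECTED_ORIGIN = "https://login.example.com"
EXPECTED_RP_ID = "login.example.com"
ISSUED_CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # base64url, unpadded


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: str) -> dict:
    """Build the origin-bound parts of a WebAuthn assertion the way a browser and
    authenticator would: clientDataJSON carries the origin the page was served
    from; authenticatorData starts with SHA-256(rpId), then flags (UP set) and a
    4-byte signature counter."""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    return {"clientDataJSON": b64url_encode(client_data),
            "authenticatorData": b64url_encode(auth_data)}


def check_binding(assertion: dict) -> tuple:
    """Relying-party checks that precede signature verification. A phishing
    proxy can relay the real challenge, but it cannot make the victim's browser
    claim the genuine origin, nor make the key hash the genuine RP ID."""
    cd = json.loads(b64url_decode(assertion["clientDataJSON"]))
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != ISSUED_CHALLENGE:
        return False, "challenge mismatch (stale or replayed login)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    auth_data = b64url_decode(assertion["authenticatorData"])
    if auth_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"
```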

2022-08-10

Critical Flaws in Device42 Platform

Researchers from Bitdefender discovered multiple vulnerabilities in the Device42 Asset Management Platform that could be exploited to gain full root access to vulnerable systems. The flaws were found during a security assessment of both the production and the staging instances of the Device42 appliance. Bitdefender notified the vendor of the vulnerabilities on February 18, 2022. The flaws were patched on July 20, and the report and CVEs were released on August 10.

Editor's Note

Bitdefender gives kudos to the Device42 team for rapidly responding and working with them to make sure the issues are resolved. Make sure that your vulnerability disclosure team has a similar model, irrespective of the source reporting issues. Device42 version 18.01.00 addresses the four CVEs (CVE-2022-1399, CVE-2022-1400, CVE-2022-1401, and CVE-2022-1402). Given that Bitdefender has published their findings, it's time to make sure that version was deployed.

Lee Neely

2022-08-10

7-Eleven Denmark Hit with Ransomware

A ransomware attack caused 7-Eleven Denmark to shut down all 175 of its stores earlier this week. The attack prevented stores from using cash registers or accepting payments. Stores are gradually re-opening and are using alternate payment methods, such as cash or mobile payment systems. 7-Eleven Denmark acknowledged the attack in a statement on Facebook.

Editor's Note

While the attack took out the central payment systems, local stores were able to open by finding alternate solutions which worked locally. Make sure that your DR plan includes information on how to keep remote locations operating when central systems are offline. Consider not only the tactical immediate operational return, but also the long-term actions to reconcile information with those systems when they come back online.

Lee Neely

2022-08-11

Fortinet: Older Microsoft Office Vulnerabilities are Still Being Exploited

Researchers from Fortinet say that threat actors are still exploiting a pair of known vulnerabilities in Microsoft Office that are five years old. The flaws, CVE-2017-0199 and CVE-2017-11882, are being exploited by a variant of the SmokeLoader malware.

Editor's Note

Make sure that users are staying on the current release of Office products, including subscription to (and application of) updates. Make sure you have written management support for minimum versions for users resistant to moving off treasured versions. Recovery from an incident related to running old versions quickly exceeds the cost of providing a license. Investigate Microsoft's home use program to facilitate users being on current versions for their non-work systems.

Lee Neely

2022-08-11

NHS Outage Due to Ransomware Attack on Vendor Network

A ransomware attack against a third-party vendor is responsible for an outage affecting the UK’s National Health Service (NHS). Managed service provider, Advanced, has released a FAQ document that provides information about which of its customer groups are affected and other details about the attack. Advanced says it could be three to four weeks before all the disruptions are mitigated.

Editor's Note

The service provider is rebuilding services with updated security practices, to include increased monitoring, EDR, and increased segmentation/isolation. If you're going to rebuild everything, you may as well increase the security, and it may be the only time you get management support to fully implement those changes. Beware that you're changing things and unknown interdependencies may add significant time to the recovery process as they are resolved. As a customer, be aware of your service provider's security posture. While we're used to making sure our data is isolated and protected, we also need to ensure that protections are in place to stop lateral movement, that all endpoints leverage EDR and are actively monitored, and that we have a clear understanding of their service restoration model and timeline.

Lee Neely

2022-08-11

Black Hat: Cisco ASA Vulnerabilities

Researchers from Rapid7 discovered vulnerabilities affecting Cisco Adaptive Security Appliance software, Adaptive Security Device Manager (ASDM), Cisco ASA-X and FirePOWER Services Software for ASA. Rapid7 disclosed the vulnerabilities to Cisco in February and March of this year. Cisco has released advisories addressing most of the vulnerabilities.

Editor's Note

As the ASDM packages are not signed, use caution downloading to make sure you have legitimate copies, including the Java based launcher. It's also not verifying SSL certificates, so use caution to avoid MitM scenarios. At this time there is no auto-update, so make sure that you're checking periodically, and don't expose your ASDM services to the Internet. The good news is there are fixes for most of the ASA and FirePOWER Services you can deploy.

Lee Neely

Internet Storm Center Tech Corner

Microsoft August 2022 Patch Tuesday

https://isc.sans.edu/diary/Microsoft+August+2022+Patch+Tuesday/28924


And Here They Come Again: DNS Reflection Attacks

https://isc.sans.edu/diary/And+Here+They+Come+Again%3A+DNS+Reflection+Attacks/28928


InfoStealer Script Based on Curl and NSudo

https://isc.sans.edu/diary/InfoStealer+Script+Based+on+Curl+and+NSudo/28932


Cisco Breach Details

https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html


Rapid 7 Defaultinator

https://defaultinator.com


Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software RSA Private Key Leak Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-rsa-key-leak-Ms7UEfZz


Ivanti Pulse Connect Secure Privilege Escalation Vulnerability

https://gist.github.com/JGarciaSec/2060ec1c8efc1d573a1ddb754c6b4f84


Zimbra Mass Compromise

https://www.volexity.com/blog/2022/08/10/mass-exploitation-of-unauthenticated-zimbra-rce-cve-2022-27925/


VMWare vRealize Vulnerability

https://www.vmware.com/security/advisories/VMSA-2022-0022.html


Microsoft Vulnerability and IPS/Snort

https://community.meraki.com/t5/Meraki-Service-Notices/Microsoft-vulnerability-and-IPS-SNORT/ba-p/156649


AEPIC Leak

https://aepicleak.com


Adobe Security Bulletins

https://helpx.adobe.com/security/security-bulletin.html