SANS NewsBites

Audit Microsoft 365 Configuration and Authentication to Thwart Active Attacks; Educate Users About Fake Popups; CISA Uses Tabletop Exercise to Raise the Bar on Election Systems Security

August 23, 2022  |  Volume XXIV - Issue #65

Top of the News


2022-08-22

Mandiant: Russian Hackers are Targeting Microsoft 365 Accounts

In a blog post, Mandiant highlights some tactics, techniques, and procedures (TTPs) the APT29 espionage group is using to target Microsoft 365 accounts. The hackers, who have ties to Russia’s government, have been observed disabling licenses, taking over dormant accounts, and focusing on operational security.

Editor's Note

Not just Russian hackers, but pretty much anybody in the cybercrime game is going after Microsoft 365 accounts. Just like for any cloud-based service, 2FA is a must, and accounts as well as account configurations need to be carefully audited, even if you are not in the crosshairs of nation state attackers.

Johannes Ullrich

They are disabling logging, such as Purview Audit (formerly Advanced Audit), which is required to enable the Mail Items Accessed audit, which is a very effective tool for determining specific accesses to Mail items. Make sure that you've enabled MFA for _ALL_ accounts, including dormant/disabled accounts. Make sure the MFA self-enrollment process leverages features such as conditional access to ensure an adversary who guesses credentials isn’t able to self-enroll before the legitimate user can. When considering MS 365 security, don’t underestimate the skills of possible attackers.

Lee Neely
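As an added example (not code from Mandiant, SANS or Microsoft), a small Python triage script that scans Microsoft 365 unified audit log records for the signals discussed above: a license change that can strip Purview Audit from a user, a mailbox audit bypass, and a sign-in on an account that had been dormant. The operation names are the real audit-log names; the records and addresses are constructed, and in production the dormant-account baseline would be seeded from directory data rather than from the log window alone.

```python
import json
from datetime import datetime

# Added example (not Mandiant's or SANS's code): triage Microsoft 365 unified
# audit log records for the tradecraft described above. Operation names are the
# real ones: the Azure AD names end in a period, the other two are Exchange cmdlets.
TAMPER_OPS = {
    "Change user license.": "license changed (Purview Audit/E5 removed?)",
    "Enable account.": "disabled account re-enabled",
    "Set-MailboxAuditBypassAssociation": "mailbox audit bypass set",
    "Set-AdminAuditLogConfig": "unified audit log config changed",
}
TS = "%Y-%m-%dT%H:%M:%S"  # CreationTime format used in exported records

# Constructed sample records (not real telemetry), one JSON object per line.
SAMPLE_LOG = """\
{"CreationTime":"2022-01-10T08:00:00","Operation":"UserLoggedIn","UserId":"contractor@example.com","Workload":"AzureActiveDirectory"}
{"CreationTime":"2022-08-15T02:11:00","Operation":"Change user license.","UserId":"admin@example.com","ObjectId":"analyst@example.com","Workload":"AzureActiveDirectory"}
{"CreationTime":"2022-08-15T02:12:30","Operation":"Set-MailboxAuditBypassAssociation","UserId":"admin@example.com","ObjectId":"analyst@example.com","Workload":"Exchange"}
{"CreationTime":"2022-08-15T08:30:00","Operation":"UserLoggedIn","UserId":"Contractor@example.com","Workload":"AzureActiveDirectory"}
{"CreationTime":"2022-08-15T09:00:00","Operation":"UserLoggedIn","UserId":"analyst@example.com","Workload":"AzureActiveDirectory"}
"""

def parse_records(text):
    """Parse newline-delimited JSON records (e.g. exported from Search-UnifiedAuditLog)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_audit_tampering(records):
    """Return (time, actor, operation, target, reason) for audit-weakening operations."""
    return [(r["CreationTime"], r["UserId"], r["Operation"], r.get("ObjectId", ""),
             TAMPER_OPS[r["Operation"]])
            for r in records if r.get("Operation") in TAMPER_OPS]

def find_dormant_logins(records, dormant_days=90):
    """Flag a UserLoggedIn whose account had no sign-in for dormant_days or more."""
    # An account with no earlier login in the window is not flagged; seed last_seen from directory data in production.
    last_seen, flagged = {}, []
    logins = sorted((r for r in records if r.get("Operation") == "UserLoggedIn"),
                    key=lambda r: r["CreationTime"])
    for r in logins:
        user, ts = r["UserId"].lower(), datetime.strptime(r["CreationTime"], TS)
        if user in last_seen and (ts - last_seen[user]).days >= dormant_days:
            flagged.append((user, (ts - last_seen[user]).days, r["CreationTime"]))
        last_seen[user] = ts
    return flagged

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(*find_audit_tampering(recs), *find_dormant_logins(recs), sep="\n")
```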

2022-08-22

Sucuri: Fake DDoS Protection Popups on WordPress Sites Lead to Drive-by Download

Researchers from Sucuri warn that some WordPress sites are being hacked to display phony DDoS protection popups. The prompts are designed to appear that they came from Cloudflare. When people click on a button to purportedly get a verification code to access the site, they are actually being tricked into downloading a remote access trojan (RAT).

Editor's Note

This is an interesting “trick” in that it is likely perfectly reasonable to users to follow the instructions on these fake DDoS protection pages. There is no good way for a user to distinguish a fake from a real DDoS protection page. Some user education may help.

Johannes Ullrich

As a site owner, make sure that you're keeping it updated; implement MFA for administrator accounts. If you're not implementing MFA for all accounts, use strong passwords for end-users, and allow them to self-enroll in MFA. Put a firewall in front of your site, and look into file integrity monitoring, which can alert you to unauthorized or unexpected changes. As a user, beyond keeping your system updated, look carefully at requests to verify you are not a bot or other malicious agent. Make sure that your endpoint protection is both enabled and kept current.

Lee Neely

2022-08-22

CISA Hosts Tabletop Election Security Exercise

The US Cybersecurity and Infrastructure Security Agency (CISA), along with the US Election Assistance Commission, National Association of Secretaries of State (NASS) and the National Association of State Election Directors (NASED) hosted a tabletop election security exercise last week. Participants included representatives from state and local government, federal agencies, and election industry firms.

Editor's Note

Good to see proactive effort for assuring the security of election systems. This was a larger, longer version of a tabletop exercise – many CISOs have found doing 1-4 hour tabletop exercises with Boards of Directors, often outside of the regular board meeting, to be very effective in both gaining trust for strategy and support from directors and senior management.

John Pescatore

When's the last time you conducted a tabletop exercise? Did it include the same systems as last time or are you working through all your systems, including cloud and outsourced services? CISA has resources to help if you don't have a handle on conducting these exercises. Make them regular – at least annual – and implement lessons learned, don't leave them sitting in a report someplace.

Lee Neely

The Rest of the Week's News


2022-08-22

CISA and MS-ISAC: Zimbra Flaws are Being Actively Exploited

In a joint cybersecurity advisory (CSA), the US Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) warn of “active exploitation of multiple Common Vulnerabilities and Exposures (CVEs) against Zimbra Collaboration Suite (ZCS).” The CSA includes technical details, detection methods, and suggested mitigations.

Editor's Note

At this point, if you’ve not applied the patches and have Internet facing Zimbra instances, you need to assume they've been compromised. This means you need to forensicate your environment _AND_ apply the updates. Leverage the Snort signatures in the CISA alert to detect malicious activities, as well as any activity from the C2 domain. Act now before you show up on a list of pwned sites. Note the Zimbra flaws are on the CISA KEV site with due dates of September 1st.

Lee Neely

2022-08-22

LockBit Gang Website DDoSed

The site on which the LockBit ransomware group posts stolen data has been shut down by a distributed denial-of-service (DDoS) attack. LockBit says that the messages accompanying the attack referenced Entrust, a cybersecurity vendor that reported a cyberattack and data theft earlier this summer. LockBit began posting data taken from Entrust late last week; the DDoS attack began over the weekend.

Editor's Note

I worked for the original Entrust PKI company back in the late 1990s – a security firm launching a DDoS attack back then wasn’t even a consideration. Doing so today shouldn’t be one either, as it is unlikely to have any positive outcome. Good example to use to drive planning for how your company would respond if attack traffic was doctored to appear as if it was coming from you.

John Pescatore

Entrust has contracts through GSA and US-Access to provide HSPD-12 badges to much of the US Government as well as many other customers of their hosted and local PKI services. I have been involved with their products since 1998 and knowing the company it’s unlikely that they would jeopardize these relationships to strike back at the LockBit gang. If you have a desire to strike back at a threat actor or ransomware gang, be very careful. Not only do you need good operational security, but also a clear understanding of risks, blow-back and permission to use the devices and networks involved in that retaliatory move.

Lee Neely

It should come as no surprise that cybercriminals do not have robust cybersecurity measures in place and can themselves be victims of cyberattacks. This is a cautionary reminder that even if a criminal gang promises not to release your data should you pay the extortion fee, they themselves cannot guarantee the security of that data on an ongoing basis.

Brian Honan

2022-08-22

Greek Natural Gas Company Hit with Cyberattack

A natural gas distribution company in Greece was the target of a cyberattack. The incident compromised some data and was responsible for an IT system outage. The Ragnar Locker ransomware group has claimed responsibility for the attack.

Editor's Note

The attack impacted their online services, not their gas delivery (OT) systems. DESFA is taking a conservative approach of validating and restoring all non-OT IT services, rather than just known compromised systems, before bringing them back online. That is a scenario worth discussing at your next tabletop. While there is no such thing as perfect security, there are steps you can take, like these, to reduce the likelihood of recurrence.

Lee Neely

2022-08-19

CISA Adds Seven Vulnerabilities to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added seven security issues to its Known Exploited Vulnerabilities Catalog over the past week. The vulnerabilities affect Palo Alto Networks PAN-OS, Apple’s iOS and macOS, Google Chrome, Microsoft Windows and Active Directory, and multiple SAP products. Seven of the flaws have mitigation deadlines of September 8; the eighth has a mitigation deadline of September 12.

Editor's Note

If you're holding off on pushing people to install the patches for iOS and macOS because a new version is “around the corner,” you need to rethink that strategy as the vulns are being actively exploited. Don't overlook the SAP issues while you're heads-down updating Windows, Chrome and PAN-OS.

Lee Neely

2022-08-18

Joint-Cybersecurity Operations Command Center Membership is Growing

The Joint-Cybersecurity Operations Command Center (J-CSOC), founded by North Dakota in 2021, now has nearly 20 percent of US states participating. Initially, the organization included North Dakota, South Dakota, and Montana because of a law that allowed state agency collaboration only with bordering states. That law has since been overturned. The J-CSOC hopes to have 30 percent participation by the end of this calendar year. “Prior to forming the J-CSOC, there was no mechanism to facilitate direct state-to-state sharing of cyber threat intelligence.”

Editor's Note

In other verticals, like healthcare, there have been problems when multiple sharing organizations existed without coordination. More sharing is better than less, but isolated silos don’t lead to effective sharing – the J-CSOC and the Multi-State ISAC should work together to establish coordination/cooperation.

John Pescatore

Information sharing is how we help each other. Overturning that law which limited participation to bordering states allowed the J-CSOC to include the entire nation. As a participant in a service like this, make sure that you understand what information is stored, and how it is shared. Make sure that you have appropriate NDAs as well as sign-off from your risk executive, as your CISO and SOC will benefit from access to the information. For optimal benefit, all participants need to ensure they're contributing, not just consuming, incident and threat data.

Lee Neely

2022-08-22

Java Libraries and Deserialization Vulnerabilities

Researchers from four European universities have published a paper titled An In-depth Study of Java Deserialization Remote-Code Execution Exploits and Vulnerabilities. The researchers “perform[ed] two main analyses: one on attack gadgets, i.e., exploitable pieces of code, present in Java libraries, and one on vulnerabilities present in Java applications.” Some notable deserialization issues include the Log4Shell RCE vulnerability, the 2017 Equifax breach that was enabled by a deserialization flaw in Apache Struts, and the Atlassian Jira vulnerability that was disclosed last summer.

Editor's Note

A couple of key points in the study: deserialization vulnerabilities take an average of six years for removal of the exposed exploitable code constructs, and caution should be used to only accept deserialized data from a trusted source. Even with a long patch time, make sure that you're using updated libraries which include fixes for these flaws.

Lee Neely

The efficient use of computers relies upon code reuse. Secure use of computers requires that developers (and users) be accountable for the quality of all the code that they use, regardless of source.

William Hugh Murray

2022-08-19

DHS IG: CISA’s Automated Indicator Sharing Service Needs Improvement

According to a report from the US Department of Homeland Security Office of Inspector General, the Cybersecurity and Infrastructure Security Agency’s (CISA’s) Automated Indicator Sharing (AIS) service “has made limited progress improving the overall quality of threat information.” Entities interviewed for the report said that most of the threat indicators they received did not include enough information for them to take steps to mitigate the issues.

Editor's Note

This is the feed between government and private sector customers. As such, data quality and relevance are crucial for effective decision making. CISA has been directed to upgrade systems, hire staff, and implement quality controls on reporting of data to ensure needed context is included to allow consumers to make better decisions.

Lee Neely

Timely and effective intelligence sharing is much more difficult than it looks. It takes years to establish, not weeks or months.

William Hugh Murray

Internet Storm Center Tech Corner

32 or 64 Bits Malware

https://isc.sans.edu/diary/32+or+64+bits+Malware%3F/28968


Brazil malspam pushes Astaroth (Guildma) malware

https://isc.sans.edu/diary/Brazil+malspam+pushes+Astaroth+%28Guildma%29+malware/28962


Proxies and Configurations Used for Credential Stuffing Attacks

https://www.ic3.gov/Media/News/2022/220818.pdf


DirtyCred Linux Privilege Escalation Vulnerability

https://www.blackhat.com/us-22/briefings/schedule/#cautious-a-new-exploitation-method-no-pipe-but-as-nasty-as-dirty-pipe-27169


Fake DDoS Pages on WordPress Sites Lead to Drive-By-Downloads

https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html


Android Ring App XSS

https://checkmarx.com/blog/amazon-quickly-fixed-a-vulnerability-in-ring-android-app-that-could-expose-users-camera-recordings/


iOS in App Browser Security Issues (August 18)

https://krausefx.com/blog/announcing-inappbrowsercom-see-what-javascript-commands-get-executed-in-an-in-app-browser


iOS in-App Browser Issues (August 10)

https://krausefx.com/blog/ios-privacy-instagram-and-facebook-can-track-anything-you-do-on-any-website-in-their-in-app-browser