SANS NewsBites

Check Your Use of Hikvision Cameras for Active Threats and Possible Sanctions; Ask Vendors Using Machine Learning About Model Governance and Update Testing; Another Active Directory Authentication Bypass Attack is a Reminder to Secure AD Services

August 26, 2022  |  Volume XXIV - Issue #66

Top of the News


2022-08-24

80,000+ Hikvision Cameras Remain Unpatched

According to researchers from Cyfirma, more than 80,000 Internet-facing IP cameras are vulnerable to command injection attacks. A patch for the vulnerability has been available since September 2021. The US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw (CVE-2021-36260) to its Known Exploited Vulnerabilities catalog in January 2022.

Editor's Note

Only 80,000? These types of cameras, not just from Hikvision, have been a major source of "internet background radiation" ever since Mirai started spreading about 10 years ago. Without automatic updates, they will only become safe once their electronics fail.

Johannes Ullrich

It is confusing: Hikvision is NOT on the sanctions list barring import, but it IS on the OFAC Non-SDN Menu-Based Sanctions List (NS-MBS List) under the “Strong” category, whatever that means. Bottom line: check if Hikvision equipment is in use or in any planned procurements, and consider replacing or banning it, since sanctions are a high risk, let alone this vulnerability issue.

John Pescatore

Think of that security camera as a computer, where vulnerabilities could be leveraged to pivot onto your network. Yeah, that means you need to think about patching them. What's worse, not all manufacturers are as judicious about providing patches. Think twice about directly exposing them to the Internet, then isolate them onto a separate VLAN and use the strongest possible credentials, verifying no default passwords remain.

Lee Neely

People seem to miss that there may be a Cyber-Physical component to this. While we are mired in the “What if” of Cyber and these patches, there is a real danger that not only are these systems able to be used as a pivot point inside your network but these cameras can be abused to look at people, places, locations and be used to potentially move from a cyber-attack into a real-world physical attack. We shouldn’t lose sight of that.

Moses Frost

Those appliances (e.g., cameras) that must, or may be, attached to the public networks have a higher security requirement than those (e.g., baby monitors, TVs, refrigerators) that are intended to run only on private networks. Such appliances should be purpose-built and avoid any and all gratuitous functionality.

William Hugh Murray

2022-08-24

Carbon Black Ruleset Rolled Back After Reports of BSOD

VMware has rolled back a problematic ruleset after some updates to its Carbon Black endpoint security solution were found to be causing the blue screen of death (BSOD) on Windows devices. VMware’s suggested temporary workaround is to “place impacted sensors into bypass mode via Carbon Black Cloud Console to allow them to boot successfully and have ruleset removed.”

Editor's Note

Like many endpoint protection/detection software vendors, Carbon Black uses what it calls “machine learning and behavior models,” which are basically software. Ruleset updates are essentially software updates and need to be QAed by vendors just like any major software update. Inability to examine and audit complex models used to bundle mortgages into “derivative” packages in 2008 ended up with a lot of “deranged” investment packages being created and sold, leading to a major recession. That led to the Federal Deposit Insurance Corporation creating “Supervisory Guidance on Model Risk Management” that is already being looked at as the basis for evaluating financial institutions’ use of models in cybersecurity controls. Ask for model governance details on all security products claiming use of AI/ML and any other trendy model-based technologies.

John Pescatore

Two-step fix (yes, a chicken-and-egg problem, since you asked): first you must have the sensor bypassed via the Carbon Black console to stop applying the ruleset and get out of the BSOD/boot loop; then, when they check in, the impacted rulesets are removed. VMware did test the problematic ruleset prior to deployment; expect them to tweak this process. Note this includes sensor versions 3.6.x.x to 3.7.x.x, not just 3.7.0.1253 as was initially reported. Check the VMware KB note for information on verifying you are running non-impacted rulesets (there are six): https://community.carbonblack.com/t5/Knowledge-Base/Endpoint-Standard-Sudden-Blue-Screens-on-Windows-Devices-23rd/ta-p/114369

Lee Neely

Microsoft has always contended that BSOD is most often caused by third party drivers. Avoiding such drivers has made Apple operating systems more stable, at the cost of limiting third party devices. Prefer attachment via standard interfaces.

William Hugh Murray

2022-08-25

NOBELIUM Threat Actors Deploying MagicWeb Authentication Bypass

The threat actors behind the SolarWinds supply chain attack are believed to be responsible for a newly detected “post-compromise capability.” Rather than using supply chain attacks, the threat actors are using purloined admin credentials. Dubbed MagicWeb, the trick allows attackers “to maintain persistent access to compromised environments” by gaining admin privileges to an Active Directory Federated Services server. Then they replace a legitimate DLL with a MagicWeb DLL.

Editor's Note

This is not a supply chain attack. This is a case of compromised credentials being used to access your AD FS servers. Make sure that you're protecting those servers as you would a domain controller: isolate them, restrict them to only allow admin accounts to log in, and monitor them closely. Once the malicious Microsoft.IdentityServer.Diagnostics.dll is loaded, an attacker can generate claims that allow bypass of AD FS policies (roles, devices, network, including MFA) to log in to your other services. Make sure that you're actively managing accounts, using MFA where possible, leveraging services to detect passwords in data breach dumps as well as long passphrases where you're still using passwords, and reviewing the Microsoft blog for IOCs and other threat hunting information.

Lee Neely

Move away from on-premises Active Directory and legacy technologies like ADFS. Yet another example of why.

Moses Frost

This is similar to a previous Active Directory MFA-bypass reported on in July. Microsoft’s recommended mitigation starts with “It’s critical to treat your AD FS servers as a Tier 0 asset, protecting them with the same protections you would apply to a domain controller or other critical security infrastructure.”

John Pescatore
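The editors' advice above boils down to treating AD FS servers as Tier 0 and checking that the Microsoft.IdentityServer assemblies loaded by the service are the ones Microsoft shipped. The script below is an added example written for this digest; it is not SANS, Microsoft or MagicWeb-report code. It assumes the standard Windows Server locations for the AD FS binaries (C:\Windows\ADFS) and the .NET Global Assembly Cache (C:\Windows\Microsoft.NET\assembly), and uses only built-in cmdlets. Run it as an administrator on each AD FS farm member.

```powershell
# Added example (not from SANS, Microsoft, or the MagicWeb write-up): inventory the
# Microsoft.IdentityServer assemblies on an AD FS server and flag any whose Authenticode
# signature does not validate or was not issued to Microsoft.
# Assumed locations (standard on Windows Server; adjust if yours differ):
#   C:\Windows\ADFS                   - AD FS service binaries
#   C:\Windows\Microsoft.NET\assembly - the .NET Global Assembly Cache (GAC)

$searchRoots = @('C:\Windows\ADFS', 'C:\Windows\Microsoft.NET\assembly')

function Get-AdfsAssemblyReport {
    param([string[]]$Roots = $searchRoots)

    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter '*.dll' -Recurse -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'Microsoft.IdentityServer*' } |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                [pscustomobject]@{
                    Path     = $_.FullName
                    Status   = $sig.Status                    # 'Valid' is expected for shipped binaries
                    Signer   = $sig.SignerCertificate.Subject # $null when the file carries no signature
                    Sha256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                    Modified = $_.LastWriteTimeUtc
                }
            }
    }
}

$report = Get-AdfsAssemblyReport

# Anything unsigned, failing validation, or signed by a non-Microsoft subject deserves
# a closer look; compare its hash with the same file on a known-good farm member.
$suspect = $report | Where-Object {
    $_.Status -ne 'Valid' -or $_.Signer -notlike '*O=Microsoft Corporation*'
}

$report | Sort-Object Modified -Descending | Format-Table Path, Status, Modified -AutoSize
if ($suspect) {
    Write-Warning "Assemblies needing review: $(@($suspect).Count)"
    $suspect | Format-List Path, Status, Signer, Sha256, Modified
} else {
    Write-Output 'All Microsoft.IdentityServer assemblies found carry a valid Microsoft signature.'
}

# Keep the hashes so later runs, or other farm members, can be diffed against this baseline
$report | Export-Csv -Path "$env:TEMP\adfs-assembly-baseline.csv" -NoTypeInformation
```

A signature that fails to validate or a non-Microsoft signer is a lead, not a verdict: some Windows binaries are catalog-signed, so if a legitimate file shows as NotSigned, diff its hash against a clean install before concluding anything. The exported CSV is the useful part over time, since a hash that differs from the other farm members or from the last baseline is exactly the kind of change the Microsoft IOC guidance asks you to hunt for.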

The Rest of the Week's News


2022-08-24

VMware Releases Updates to Fix Local Privilege Escalation Flaw

VMware has released updates to address a local privilege escalation vulnerability in VMware Tools. The issue affects VMware Tools on Linux and Windows platforms. Users are urged to update to VMware Tools 12.1.0 on Windows, and 12.1.0 / 10.3.25 on Linux.

Editor's Note

In our Penetration Testing Practice and in the Cloud Penetration Testing class we spend a great deal of time attacking control planes. There are many times that we are abusing this channel to evade detection by EDR and EPP. An attacker can evade these tools by using control planes like VMware to do work such as accessing consoles and disks without having to work with the operating system. Instead of cracking passwords we typically find unpatched systems all over the place. Please patch your infrastructure.

Moses Frost

The flaw in VMware Tools can be exploited by a user on the guest OS to obtain privileges. Make sure that you're tracking/updating VMware Tools versions on the guest OS just as you are other packages on endpoints; don't overlook the service components, whether Workstation, Player, or ESXi. This is a good time to also make sure that you limit access to administration interfaces for your virtualization environment.

Lee Neely

2022-08-24

French Hospital Diverts Patients to Other Facilities in Wake of Ransomware Attack

Centre Hospitalier Sud Francilien (CHSF) was the target of a ransomware attack that began on Sunday, August 21. The incident forced the hospital, which is about 40 km (25 miles) south of Paris, to redirect patients to other facilities. The attackers have reportedly demanded $10 million for the decryption key.

Editor's Note

The big deal is not the ransom demand, it's the impact to patient safety. Not only are they re-routing patients, but they have also deployed their crisis unit to ensure existing patients are getting proper care. When formulating response plans, make sure to include mission or service delivery plans, which means we need to be partnering with the mission side of the organization, and vice versa, to include being at each other's exercises, from tabletop to live fire.

Lee Neely

Unfortunately, this is not the first time a ransomware attack has affected the physical world and human lives. We were warned years ago: https://www.wired.co.uk/article/ransomware-hospital-death-germany. What can you do? Understand how attacks work, emulate them in your environment, improve and tune your security controls, and train your people to detect and respond before impact.

Jorge Orchilles

2022-08-24

Plex Instructs Customers to Reset Passwords Following Breach

Streaming media service Plex is instructing all customers to reset their passwords following a data theft incident that compromised a proprietary database containing usernames, email addresses, and hashed passwords for at least half of its 30 million customers. In an email sent to customers, Plex said that it has “already addressed the method that this third-party employed to gain access to the system.”

Editor's Note

Make sure that you’re using a unique, strong password for your Plex devices. Yeah, I know the cat’s name is something your mom can remember; it’s still not a good plan. After you change the password, be sure to click the “Sign out connected devices after password change” box so nothing using that past password is overlooked.

Lee Neely

2022-08-24

Dominican Republic Government Agency Suffers Ransomware Attack

An agency within the Dominican Republic’s Ministry of Agriculture was the target of a ransomware attack earlier this month. The attack has affected all departments of the Dominican Agrarian Institute; just one of the agency’s servers was not breached, as it runs on Linux.

Editor's Note

We are seeing an uptick in ransomware attacks against Latin American governments. Costa Rica was a pilot and hopefully organizations are acting. Latin America has traditionally been behind in cyber security.

Jorge Orchilles

“Quantum” ransomware, noted by the use of the .quantum extension on encrypted files, is a branch of the Conti ransomware, which was largely dormant until Conti shut down and some of their members joined the Quantum gang. While root causes are still being investigated, it's already been noted that not only did their systems not have comprehensive EDR, they also didn't have a dedicated security department. In a similar situation, consider not only the value of your endpoint security, but also weigh the value of outsourcing your services and applications along with your SOC, which may provide some offsetting costs to raise the bar overall.

Lee Neely

One might easily guess what the vulnerable servers were running. That said, ransomware is more likely to exploit fraudulently reusable user credentials, flat networks, and default read/write access control than operating systems.

William Hugh Murray

2022-08-24

Apply GitLab Updates to Fix Critical RCE Vulnerability

GitLab has issued updates to address a critical remote code execution flaw that affects GitLab Community Edition (CE) and Enterprise Edition (EE). The vulnerability affects all versions of the software from 11.3.4 through 15.1.4, as well as 15.2 through 15.2.3, and 15.3. Users are being urged to update to versions 15.3.1, 15.2.3, and 15.1.5.

Editor's Note

GitLab has already updated their hosted service, this applies to folks running local copies of GitLab and GitLab Runner. CVE-2022-2884 has a raw CVSS 3 score of 9.9, so you may want to get this done PDQ. Make sure you are subscribed to GitLab's security release emails or their RSS feed (See the GitLab notice for information on subscribing.)

Lee Neely
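For anyone with several self-managed GitLab instances, the practical question is which of them sit inside the affected ranges. The function below is an added example for this digest, not GitLab tooling. It takes the fixed releases named in the item (15.1.5, 15.2.3, 15.3.1) as the upper bounds and assumes that within each series every release from the range start up to, but not including, the fixed release is affected; the sample inventory at the end is constructed, and the two ways of reading a live version (the authenticated GET /api/v4/version endpoint and gitlab-rake gitlab:env:info) are standard GitLab interfaces.

```powershell
# Added example (not GitLab's own tooling): decide whether a self-managed GitLab
# version falls inside an affected range for CVE-2022-2884, using the fixed releases
# named in the advisory (15.1.5, 15.2.3, 15.3.1) as upper bounds.
# Assumption: within each series, every release from the range start up to
# (not including) the fixed release is affected.

function ConvertTo-NormalizedVersion {
    param([Parameter(Mandatory)][string]$Text)
    # Pad to three components so '15.3' compares equal to '15.3.0'
    # ([version]'15.3' would otherwise sort below [version]'15.3.0').
    $parts = @($Text.Trim().Split('.'))
    while ($parts.Count -lt 3) { $parts += '0' }
    return [version]($parts[0..2] -join '.')
}

function Test-GitLabCve20222884 {
    param([Parameter(Mandatory)][string]$Version)
    $v = ConvertTo-NormalizedVersion $Version
    $affectedRanges = @(
        @{ From = '11.3.4'; FixedIn = '15.1.5' },
        @{ From = '15.2.0'; FixedIn = '15.2.3' },
        @{ From = '15.3.0'; FixedIn = '15.3.1' }
    )
    foreach ($r in $affectedRanges) {
        $lo = ConvertTo-NormalizedVersion $r.From
        $hi = ConvertTo-NormalizedVersion $r.FixedIn
        if ($v -ge $lo -and $v -lt $hi) {
            return [pscustomobject]@{ Version = $Version; Affected = $true; UpgradeTo = $r.FixedIn }
        }
    }
    [pscustomobject]@{ Version = $Version; Affected = $false; UpgradeTo = $null }
}

# Constructed sample inventory. On a real instance read the version from the
# authenticated GET /api/v4/version endpoint or `sudo gitlab-rake gitlab:env:info`.
$inventory = '11.3.3', '11.3.4', '15.1.4', '15.1.5', '15.2', '15.2.3', '15.3', '15.3.1'
$inventory | ForEach-Object { Test-GitLabCve20222884 -Version $_ } | Format-Table -AutoSize
```

With the constructed inventory, 11.3.4, 15.1.4, 15.2 and 15.3 come back as affected with the matching upgrade target, while 11.3.3, 15.1.5, 15.2.3 and 15.3.1 do not. The normalization step matters: PowerShell's [version] type treats a missing third component as -1, so without padding a bare "15.3" would compare below "15.3.0" and slip out of its range.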

2022-08-25

National Security Telecommunications Advisory Committee Draft Report on Information Technology and Operational Technology Convergence

A draft report from the President’s National Security Telecommunications Advisory Committee (NSTAC) aims to identify opportunities for the federal government to aid in a secure convergence of OT cybersecurity within all relevant stakeholder communities. The committee’s recommendations include requiring “the Cybersecurity and Infrastructure Security Agency (CISA) [to] issue a Binding Operational Directive (BOD) requiring executive civilian branch departments and agencies to maintain a real-time, continuous inventory of all OT devices, software, systems, and assets within their area of responsibility, including an understanding of any interconnectivity to other systems.”

Editor's Note

I briefed the NSTAC on “Securing an Internet of Things” back in 2013 and this draft does start out by saying “The cybersecurity challenge of converged IT and OT is not a new issue; it has been happening for decades. The United States has the technology and the knowledge to secure these systems but has not prioritized the resources required to implement solutions.” They also admit most of the recommendations are not new – the issue is starting with moving to a governance approach for OT that is similar to if not identical to mature IT governance around security being baked into procurement, deploying and monitoring.

John Pescatore

We have all seen an increased importance on OT security over the last couple of years. The focus needs to be on where OT systems interface with conventional IT systems, to include media transfer procedures for isolated systems. Use caution when looking at patches/updates or adding active testing as these activities can render systems inoperable, or worse, OT components may not have any provision for updates other than a very expensive forklift replacement.

Lee Neely

We need to know what we have so that we can protect it. We also need to know what we rely upon so that we can patch it as necessary. Given so-called “shadow IT,” this becomes a line-management, not IT or security staff, responsibility.

William Hugh Murray

2022-08-25

CISA: Critical Infrastructure Agencies Should Prepare for Post-Quantum Computing

The US Cybersecurity and Infrastructure Security Agency (CISA) has published Preparing Critical Infrastructure for Post-Quantum Cryptography. The document provides an overview of quantum computing, explains why it is a threat to digital communications and public key cryptography, and enumerates potential impacts to national critical functions.

Editor's Note

A good tutorial around how quantum computing will impact the use of cryptography, but the truth is most (really all) government agencies need to reach basic security hygiene levels long before quantum computing use by bad guys reaches the top 5 risks. A critical part of basic security hygiene, as defined in every security framework, is an accurate inventory of resources that need to be protected to keep the mission safe. ALL security controls should be part of that accurate inventory. Knowing where you are using crypto is one of the early steps in the DHS Post-Quantum Crypto Roadmap.

John Pescatore

There is not a lot you can do right now except to make sure that you've phased out older weaker encryption/signing such as 3DES and SHA1. If you're already at AES128, look at moving to AES256. Prepare for the quantum-resistant crypto by identifying where you're using encryption so you can plan for testing prior to a wholesale uplift to new algorithms. Pay particular attention to key escrow and recovery changes where applicable.

Lee Neely

It is not simply the traffic that occurs after quantum computer attacks become efficient that is at risk but all that encrypted traffic that the NSA is storing. We must assume that our adversaries also have troves of traffic that will remain sensitive into the future. That said, we still have ample time to prepare. Let us use it well.

William Hugh Murray

2022-08-25

Mozilla Releases Updates for Firefox and Thunderbird

Mozilla has updated Firefox and Thunderbird to address several vulnerabilities in its Firefox browser and Thunderbird email client. Users are urged to update to Firefox 104, Firefox ESR 102.2, Firefox ESR 91.13, Thunderbird 102.2, and Thunderbird 91.13.

Editor's Note

If you're still on ESR 91.12, you may want to go to 91.13 vs 102.2 until you've verified the impact of any UI/feature changes. The .13 version updates are effectively transparent to end users aside from the browser relaunch.

Lee Neely

2022-08-25

LastPass Discloses Security Incident

Password management company LastPass has disclosed a breach in which intruders stole source code and proprietary data. In a blog post, LastPass CEO Karim Toubba writes that they “determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information.”

Editor's Note

This is about security of their development system, no user impacts are yet determined. The hard problem for LastPass will be determining what actions to take to circumvent the risk of the lost intellectual property. Keep an eye out for any updates to address that risk.

Lee Neely

Every organization has security incidents. I applaud those like LastPass who 1) detect and 2) report publicly on what happened.

Christopher Elgee

Internet Storm Center Tech Corner

Taking Apart URL Shorteners

https://isc.sans.edu/diary/Taking+Apart+URL+Shorteners/28980


Monster Libra -> IcedID -> Cobalt Strike and DarkVNC

https://isc.sans.edu/forums/diary/VNC/28974/


Who's Looking at Your security.txt File?

https://isc.sans.edu/diary/Who%27s+Looking+at+Your+security.txt+File%3F/28972


Python Developers Phished for PyPi Credentials

https://twitter.com/pypi/status/1562442188285308929


Group IB Connects Twilio and Cloudflare Phishing attacks to others

https://www.helpnetsecurity.com/2022/08/25/0ktapus-twilio-cloudflare-phishers-targets/


Ransomware Actor Abuses Genshin Impact Anti-Cheat Driver to Kill Antivirus

https://www.trendmicro.com/en_us/research/22/h/ransomware-actor-abuses-genshin-impact-anti-cheat-driver-to-kill-antivirus.html


Assessing Python Malware Detectors with a Benchmark Dataset

https://blog.chainguard.dev/taming-python-malware-scanners/


Bitbucket Vulnerability

https://securityonline.info/cve-2022-36804-bitbucket-server-and-data-center-command-injection-vulnerability/


LastPass Security Incident

https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/


Is Tox the New C&C Method for Coinminers?

https://www.uptycs.com/blog/is-tox-the-new-cc-method-for-coinminers


Carbon Black Blue Screens

https://community.carbonblack.com/t5/Knowledge-Base/Endpoint-Standard-Sudden-Blue-Screens-on-Windows-Devices-23rd/ta-p/114369


Gitlab Vulnerability

https://about.gitlab.com/releases/2022/08/22/critical-security-release-gitlab-15-3-1-released/#Remote%20Command%20Execution%20via%20Github%20import


New Iranian APT Data Extraction Tool

https://blog.google/threat-analysis-group/new-iranian-apt-data-extraction-tool/


Firefox Update

https://www.mozilla.org/en-US/security/advisories/mfsa2022-33/


IBM MQ Update

https://www.ibm.com/support/pages/node/6613021