SANS NewsBites

Make Sure You Have Patched ALL Log4j Vulnerabilities; If You Use Authy, Okta or Signal, Check for Impact From Twilio Breach; Insurers May Decline Coverage Against Attacks Declared “State Sponsored”

August 30, 2022  |  Volume XXIV - Issue #67

Top of the News


2022-08-26

Hackers Targeting Log4j 2 Vulnerabilities in SysAid Applications

The Microsoft Threat Intelligence Center (MSTIC) warns that a hacking group it calls MERCURY is using Log4j 2 vulnerabilities in SysAid applications to launch attacks against organizations in Israel. MSTIC says this is the first time they have observed SysAid being used as an initial access vector. The MSTIC blog offers an “analysis of observed MERCURY activity and related tools used in targeted attacks.” MSTIC says there is a high likelihood that MERCURY is affiliated with Iran’s Ministry of Intelligence and Security.

Editor's Note

As the Log4j vulnerability became known, organizations often used generic exploits to scan their network. Exploitability for Log4j is tricky to determine as it all depends on how a particular application uses the framework. Do not ignore vendor patches just because some vulnerability scanner gave you a green light.

Johannes Ullrich

MERCURY (aka MuddyWater, Cobalt Ulster, Seedworm, Static Kitten), which was previously targeting VMware instances with Log4j flaws, has now pivoted to SysAid. SysAid released Log4j patches in January, which appear not to have been applied. After you make sure that you’ve applied updates to SysAid, if you’re using it, make sure that you’re not overlooking other patches, such as VMware, for fixes to flaws like Log4j. The attack reads like an exercise out of SANS SEC560 - the attackers are using Log4Shell flaws to get an initial footprint, then using PowerShell to drop web shells, then add a user, give it elevated privileges, and add attack tools to startup folders for persistence. From there, they are using Mimikatz for credential theft, RemCom for lateral movement, and sending data to their C2 server using a custom version of the Ligolo tunnel/reverse proxy.

Lee Neely
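The post-exploitation chain in the note above (PowerShell creating a local account, elevating it, and dropping a file into a Startup folder) is also the chain a SOC can correlate on. The following is an added example, not code from SANS, Microsoft or the editors: it runs a small correlation over a constructed set of Sysmon-style process-creation and file-creation events (the field names follow Sysmon, the events and hostnames are made up) and reports hosts where more than one stage is seen from a PowerShell parent.

```python
"""Toy triage of Windows process/file telemetry for the chain described above:
PowerShell creating a local account, adding it to Administrators, and dropping
a file into a Startup folder.  Added example, not code from SANS, Microsoft or
the editors; the event shape loosely follows Sysmon's process-creation
(Event ID 1) and file-creation (Event ID 11) field names."""
import re
from collections import defaultdict

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "srv-sysaid01", "ParentImage": POWERSHELL,
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user svc_backup P@ssw0rd! /add"},
    {"EventID": 1, "Computer": "srv-sysaid01", "ParentImage": POWERSHELL,
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": "net localgroup administrators svc_backup /add"},
    {"EventID": 11, "Computer": "srv-sysaid01", "Image": POWERSHELL,
     "TargetFilename": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    # Benign: an admin listing accounts from an interactive shell.
    {"EventID": 1, "Computer": "ws-hr07", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user"},
]

NET_ADD_USER = re.compile(r"\bnet1?(?:\.exe)?\s+user\s+(\S+)\s+.*?/add\b", re.I)
NET_ADD_ADMIN = re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+(\S+)\s+/add\b", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)


def is_powershell(image):
    return image.lower().endswith(("powershell.exe", "pwsh.exe"))


def triage(events):
    """Group indicators per host so the stages can be correlated."""
    hosts = defaultdict(lambda: {"added": set(), "elevated": set(),
                                 "startup_drops": [], "indicators": []})
    for ev in events:
        h = hosts[ev["Computer"]]
        if ev["EventID"] == 1 and is_powershell(ev.get("ParentImage", "")):
            cmd = ev.get("CommandLine", "")
            m = NET_ADD_USER.search(cmd)
            if m:
                h["added"].add(m.group(1).lower())
                h["indicators"].append("PowerShell child created account: " + cmd)
            m = NET_ADD_ADMIN.search(cmd)
            if m:
                h["elevated"].add(m.group(1).lower())
                h["indicators"].append("PowerShell child elevated account: " + cmd)
        elif ev["EventID"] == 11 and is_powershell(ev.get("Image", "")) \
                and STARTUP_DIR.search(ev.get("TargetFilename", "")):
            h["startup_drops"].append(ev["TargetFilename"])
            h["indicators"].append("PowerShell wrote to Startup folder: " + ev["TargetFilename"])
    return hosts


def findings(events):
    """Hosts where an account was both created and elevated, or where at least
    two of the three stages were seen; single stages alone are left for review."""
    out = []
    for computer, h in triage(events).items():
        chain = h["added"] & h["elevated"]
        stages = sum(bool(x) for x in (h["added"], h["elevated"], h["startup_drops"]))
        if chain or stages >= 2:
            out.append({"computer": computer, "accounts": sorted(chain),
                        "stages": stages, "indicators": h["indicators"]})
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_EVENTS):
        print(f["computer"], f["accounts"], f["stages"])
        for line in f["indicators"]:
            print("  -", line)
```

Correlating stages per host rather than alerting on each command keeps a lone "net user" from an administrator out of the queue while the full create/elevate/persist sequence from a PowerShell parent surfaces at once; in production the same logic would be fed from your SIEM rather than an inline list.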

2022-08-29

Twilio Breach Affects Okta, Authy, and Others

The hackers responsible for the Twilio data breach used the access to steal Okta SMS one-time passwords. At the time of the breach, Okta was using Twilio as one of its SMS authentication services. When Okta learned of the breach and that some Okta-related data were compromised, it switched to a different provider. The attackers also accessed some Authy 2FA accounts and registered unauthorized devices.

Editor's Note

This is the new “dependency hell.” We used to worry about libraries we are using, for example for authentication (see the PyPI story above). But APIs we are using behave very much like libraries in our code, just with less control over what they are actually doing.

Johannes Ullrich

Twilio’s failure to protect its systems against the original attack should serve as a warning to all companies offering strong authentication services: since MFA is a major barrier to the attackers, they are going after the entire MFA food chain. SANS instructor Katie Nichols highlighted MFA bypass in the SANS RSA Top New Threat panel – it is critical that MFA services be hardened.

John Pescatore

In today’s modern business world, where companies rely so heavily on their suppliers, and in turn the suppliers of their suppliers, it is prudent that we regularly run “what if” scenarios on the impact a breach against a third-party company can have on your organization. In other words, do you know the impact a breach like that on Twilio can have on your organization, either directly or via one of your suppliers?

Brian Honan

While SMS is better than single-factor authentication, it can still go wrong. Choose other options wherever possible. Make sure that you're not leaving SMS or phone call verification options available on your MFA service offering. Better still, implement phishing-resistant MFA (FIDO2, smart cards, USB hardware tokens, etc.). The cost of hardware tokens can be rapidly eclipsed by a single breach, and the integration is vastly improved over what it was even a year ago, including NFC or Bluetooth communication options you can investigate.

Lee Neely

2022-08-29

Lloyd’s of London Excludes Some State-Sponsored Cyberattacks From Coverage

In an August 16, 2022 Market Bulletin, Lloyd’s of London “set out [its] requirements for state backed cyber-attack exclusions in standalone cyber-attack policies.” Lloyd’s syndicates will be required to exclude the attacks from insurance policies starting at the end of March 2023.

Editor's Note

There are 4 complex exclusions that lawyers will have to review, but to me they basically have a very loose definition of “state-backed” unless some government agency declares an attack to be “state-backed.” It is increasingly hard to find success stories in cyber-insurance providing meaningful reduction in financial exposure to an attack, let alone complete coverage.

John Pescatore

There is about a seven-month lead time for those insured by Lloyd’s to find an alternate solution. Expect other insurers to follow suit, as damages from a state actor, or undeclared war, represent a large risk to the insurer. While on the surface this feels like a reasonable move from the insurers, the devil is in the details. Differentiating a genuine state-sponsored attack from sympathizers or cybercrime groups is incredibly difficult. We all know attribution is hard, and now, with insurance coverage hanging on the accuracy of that determination, particularly making sure that a look-alike organization is not involved, it is even more so. This is another time to engage your legal team.

Lee Neely

It will be interesting to see what the detail of this change will mean for companies’ claims. Hopefully, what this will lead to is more honest press releases and breach notifications, where companies won’t automatically leap to point the blame at “nation state sophisticated attackers” but rather admit they were victims of ordinary criminal behaviour.

Brian Honan

This should not surprise anyone. Lloyd’s underwriters have never covered acts of war.

William Hugh Murray

The Rest of the Week's News


2022-08-26

Phishing Campaign Targeting PyPI Developers

Python Package Index (PyPI) developers are being targeted in a phishing campaign that has succeeded in compromising some developers’ accounts. The phishing message used in this campaign says a mandatory package validation process is being implemented and that unvalidated packages risk being removed. PyPI reminds users that it never removes valid packages from the registry – just packages that violate PyPI’s terms of service. The campaign’s success might be partly attributable to the fact that many package registries are implementing MFA and other security measures. PyPI is offering free hardware security keys to maintainers of critical projects.

Editor's Note

This campaign was clever and should be included in awareness training for developers. Too often, training examples are too generic and users will miss these more targeted and sophisticated attempts. At the same time: there was (limited) resistance from developers against PyPI enforcing stronger authentication methods. Attacks like this show why we need strong MFA.

Johannes Ullrich

This was a credential stealing attack. PyPI states that accounts protected with hardware tokens are safe, and they are unsure about TOTP users. PyPI has announced a campaign to give away hardware security tokens for their top one percent of projects, based on download volume. Be aware of your source code repository’s efforts on both MFA and conditions for package removal or account disablement. With all the current activity around MFA and doctored-up packages, it’s easy to miss what is legitimate and what is not. PyPI has worked to roll back repositories that were compromised and contained malicious content, as well as taking down numerous typosquatting repositories.

Lee Neely

Am I the only one who finds the repositories late to their responsibility in the supply chain?

William Hugh Murray

2022-08-29

Atlassian Releases Updates to Address Critical Flaw in Bitbucket Server and Data Center

Atlassian has issued an advisory warning of a critical vulnerability affecting Bitbucket Server and Data Center versions 7.0.0 through 8.3.0. The command injection vulnerability in multiple API endpoints of Bitbucket Server and Data Center means that “an attacker with access to a public repository or with read permissions to a private Bitbucket repository can execute arbitrary code by sending a malicious HTTP request.” If updates cannot be applied right away, Atlassian says the issue can be temporarily mitigated by turning off public repositories globally.

Editor's Note

The best mitigation is to update to the applicable fixed version (see the Atlassian advisory for specifics). Even if you implement the workaround of turning off public repository access, it’s not a full mitigation, as users with accounts can still execute the exploit. CVE-2022-36804 has a CVSS v3 score of 9.9, as the attack complexity is low and doesn’t require privileges, or even an account. Expect DHS/CISA to issue alerts tracking fixing of this issue, either as a BOD or KEV.

Lee Neely

2022-08-29

Montenegro Government Systems Targeted in Cyberattacks

Montenegro’s Agency for National Security has warned that Russian hackers have launched “a persistent and ongoing cyberattack” against the Adriatic country’s government and services. Some of the country’s power plants are currently operating manually, and some government systems have been taken offline as a precaution.

Editor's Note

I've spent a lot of time in Montenegro, and I've truly enjoyed watching the nation mature to the West-leaning democracy it is today. As much as we may like to ignore politics in cybersecurity, this is a prime example of political decisions' effects on threat landscape. Russia has been vocal about its disappointment in Montenegro's NATO and pending EU memberships, and this is not Russia's first known attack against the small country.

Christopher Elgee

The attack appears politically motivated, possibly as a result of the change of government last week. Montenegro was previously attacked on their election day in 2016, and again in 2017 when they threatened to join NATO. Systems are offline both for analysis and to prevent further damage, necessitating alternate communications, such as Twitter, as well as manual processing. Now is a time to look at what you can leverage from this event in your BCP plan and exercises. Don’t forget to consider how you reconcile systems when switching back from manual to automated mechanisms, as well as to define what constitutes a determination that a system is suitable to return to operation.

Lee Neely

2022-08-29

FCC Releases Mobile Carrier Responses to Data Privacy Inquiry

According to the US Federal Communications Commission (FCC), 10 of the top 15 mobile carriers collect geolocation data but do not provide a means for customers to opt out. Most of the carriers said that they do not allow customers to opt out because of the need to comply with requests from law enforcement and because of FCC rules. FCC chair Jessica Rosenworcel has asked the FCC’s enforcement bureau to investigate whether the companies are abiding by FCC rules requiring them to communicate their geolocation data use and sharing practices to customers.

Editor's Note

This is not location services on your devices. This is triangulation based on highly accurately located towers, as well as their full visibility to your call metadata. Expect to see attempted refinements in retention periods and data sharing agreements, and carriers to push back, as there is a big financial stake with even obfuscated versions of their data.

Lee Neely

If the rare use of location data by law enforcement is to trump the day-to-day privacy of users, then transparency is the least we should expect. Fine print buried in terms of service does not amount to transparency. Emergency use of location does not require that the data be retained. Retention for more than days to weeks for potential use in investigations should be a matter of law, not mere convenience.

William Hugh Murray

2022-08-29

FTC Sues Kochava Over Location Data Sales

The US Federal Trade Commission (FTC) has filed a lawsuit against data broker Kochava for allegedly selling geolocation data that links users to health clinics, domestic violence shelters, recovery centers, and other sensitive locations. The FTC alleges that Kochava sells data collected from “hundreds of millions of mobile devices” paired with time-stamps and Mobile Advertising IDs.

Editor's Note

The device data gathered includes a unique device identifier (Mobile Advertising ID or MAID), device type, timestamp, latitude, longitude, horizontal accuracy (how close the latitude/longitude are in meters) and the IP address. This data can be mined to determine sensitive locations, such as a user’s home, shelter, place of worship, or medical providers. About the only action you can take is to change the MAID on your device on a periodic basis. Watch this case, as well as the FCC action above, to see what privacy protections can be placed on this data.

Lee Neely

2022-08-29

Health-ISAC Publishes Zero-Trust White Paper

The Health Information Sharing and Analysis Center (Health-ISAC) has published a guide “intended to help CISOs understand and implement a zero trust security architecture.” The paper notes two central challenges to zero-trust adoption in the healthcare sector: the increasing use of IoT devices, and the identity and access management challenges posed by healthcare workers moving from room to room and logging into multiple workstations.

Editor's Note

Before you roll your eyes at Zero Trust, delve down into what the fundamental improvements are and look at how they can improve your business. Look at improvements in endpoint security to reduce reliance on your boundary protections; factoring not just for the human identifier but also for the device authenticator in authentication processes, raising the bar where you don’t recognize one or the other; leveraging software defined networks to dynamically define and protect assets, particularly with cloud and outsource activities. Then make deliberate decisions using guides like this moving forward.

Lee Neely

Recent breaches suggest that the first step for hospitals is to isolate clinical systems from public network facing systems (e.g., e-mail and browsing). Clinical personnel should carry their personal authentication (e.g., NFC token or mobile) with them from station to station.

William Hugh Murray

2022-08-29

CISA Adds 10 More Flaws to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added 10 more security issues to its Known Exploited Vulnerabilities catalog. The vulnerabilities affect dotCMS, Apache CouchDB, Apache APISIX, VMware Tanzu Spring Cloud, WebRTC, Grafana, Delta Electronics DOPSoft2, Apple iOS, macOS, watchOS, and PEAR Archive_Tar. The flaws have a mitigation date of September 15, 2022.

Editor's Note

Check the clock: September 15th is only a couple of weeks out. The entries have notes that include links to the vendor notifications about these flaws, which can be a real help. Once you've filtered out what you don’t have and checked for any others with recent due dates you do, work with business units to get these buttoned up. Make sure that your SOC is checking for IOCs; these are actively being exploited and you may want to assume compromise. Be methodical, don’t panic, solve one problem, then solve the next one and then the next, one update at a time.

Lee Neely
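The filtering step in the note above (drop what you don't run, keep what is due soonest, follow the vendor links in the notes field) is easy to script against CISA's KEV feed. The following is an added example, not a tool from CISA or SANS: the field names follow CISA's public known_exploited_vulnerabilities.json, but the catalog text embedded here is a constructed sample with placeholder CVE IDs, placeholder advisory URLs and a made-up inventory, not real catalog records.

```python
"""Filter a CISA KEV-style catalog for entries that are due soon (or already
overdue) and that match a rough product inventory.  Added example, not a tool
from CISA or SANS; the field names follow CISA's public
known_exploited_vulnerabilities.json feed, but the entries below are a
constructed sample with placeholder CVE IDs, not real catalog records."""
import json
from datetime import date, timedelta

SAMPLE_KEV_JSON = """{
  "title": "Constructed KEV sample (not CISA data)",
  "vulnerabilities": [
    {"cveID": "CVE-2022-PLACEHOLDER-A", "vendorProject": "Grafana Labs", "product": "Grafana",
     "vulnerabilityName": "Placeholder Grafana vulnerability", "dateAdded": "2022-08-25",
     "dueDate": "2022-09-15", "notes": "https://vendor.example/grafana-advisory"},
    {"cveID": "CVE-2022-PLACEHOLDER-B", "vendorProject": "Apache", "product": "CouchDB",
     "vulnerabilityName": "Placeholder CouchDB vulnerability", "dateAdded": "2022-08-25",
     "dueDate": "2022-09-15", "notes": "https://vendor.example/couchdb-advisory"},
    {"cveID": "CVE-2022-PLACEHOLDER-C", "vendorProject": "Atlassian", "product": "Bitbucket Server",
     "vulnerabilityName": "Placeholder Bitbucket vulnerability", "dateAdded": "2022-08-29",
     "dueDate": "2022-10-01", "notes": "https://vendor.example/bitbucket-advisory"},
    {"cveID": "CVE-2022-PLACEHOLDER-D", "vendorProject": "Example Corp", "product": "Widget Server",
     "vulnerabilityName": "Placeholder Widget Server vulnerability", "dateAdded": "2022-07-30",
     "dueDate": "2022-08-20", "notes": "https://vendor.example/widget-advisory"}
  ]
}"""


def load_catalog(text):
    """The real feed is fetched over HTTPS; here the JSON text is passed in."""
    return json.loads(text)["vulnerabilities"]


def matches_inventory(entry, inventory):
    """Case-insensitive substring match of inventory terms against 'vendor product'."""
    haystack = f"{entry['vendorProject']} {entry['product']}".lower()
    return any(term.lower() in haystack for term in inventory)


def due_within(entries, today, days, inventory=None):
    """Entries due on or before today+days (overdue ones included), optionally
    restricted to products in `inventory`, sorted by due date."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    horizon = today + timedelta(days=days)
    hits = []
    for e in entries:
        due = date.fromisoformat(e["dueDate"])
        if due > horizon:
            continue
        if inventory is not None and not matches_inventory(e, inventory):
            continue
        hits.append({"cveID": e["cveID"], "vendorProject": e["vendorProject"],
                     "product": e["product"], "dueDate": e["dueDate"],
                     "days_left": (due - today).days, "overdue": due < today,
                     "notes": e.get("notes", "")})
    return sorted(hits, key=lambda h: (h["dueDate"], h["cveID"]))


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_KEV_JSON)
    # Constructed inventory: what this organization believes it runs.
    for h in due_within(catalog, "2022-08-30", 30, ["grafana", "bitbucket", "widget server"]):
        flag = "OVERDUE" if h["overdue"] else f"{h['days_left']}d left"
        print(f"{h['dueDate']} {h['cveID']:<24} {h['vendorProject']} {h['product']:<16} {flag}  {h['notes']}")
```

The inventory match is deliberately loose (substring on vendor and product) so that a rough asset list still catches entries; the cost is a few extra rows to confirm, which is cheaper than missing a product that a stricter match would have skipped.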

Internet Storm Center Tech Corner

Update: VBA Maldoc & UTF7 (APT-C-35)

https://isc.sans.edu/diary/Update%3A+VBA+Maldoc+%26+UTF7+%28APT-C-35%29/28994


Dealing With False Positives when Scanning Memory Dumps for Cobalt Strike Beacons

https://isc.sans.edu/diary/Dealing+With+False+Positives+when+Scanning+Memory+Dumps+for+Cobalt+Strike+Beacons/28990


HTTP/2 Packet Analysis with Wireshark

https://isc.sans.edu/diary/HTTP2+Packet+Analysis+with+Wireshark/28986


Paypal Phishing/Coinbase in One Image

https://isc.sans.edu/diary/Paypal+PhishingCoinbase+in+One+Image/28984


Twilio Breach used to access 2FA Tokens

https://sec.okta.com/scatterswine


Sysinternals Updates: Sysmon v14.0 and ZoomIt v6.01

https://isc.sans.edu/diary/Sysinternals+Updates%3A+Sysmon+v14.0+and+ZoomIt+v6.01/28988


Popular PDF Reader Adware

https://www.malwarebytes.com/blog/news/2022/08/adware-found-on-google-play-pdf-reader-servicing-up-full-screen-ads


Google changing its VPN Ad Blocker Policy

https://support.google.com/googleplay/android-developer/answer/12253906?hl=en


eth.link domain at risk

https://www.coindesk.com/tech/2022/08/26/web3-domain-name-service-could-lose-its-web-address-because-programmer-who-can-renew-it-sits-in-jail/