SANS NewsBites

Another Reason to Prioritize Rolling Out MFA to All Privileged Users and Limiting Privileges; Senate Bill to Increase Open Source Security Needs More Focus on Immediate Actions, Less on Documents; Educate Developers/GitHub Users About Increased Phishing Attacks Targeting Them

September 27, 2022  |  Volume XXIV - Issue #75

Top of the News


2022-09-23

Malicious OAuth Apps are Being Used to Compromise Exchange Servers and Spread Spam

Attackers are using malicious OAuth apps on compromised cloud tenants to commandeer Microsoft Exchange Servers and send spam. The Microsoft 365 Defender Research Team says that the attackers have been using credential-stuffing attacks against accounts that do not have multifactor authentication.

Editor's Note

This attack only succeeds if privileged accounts initially compromised do NOT have MFA in use. As Microsoft points out “also important to note that all the compromised admins didn’t have MFA enabled, which could have stopped the attack. These observations amplify the importance of securing accounts and monitoring for high-risk users, especially those with high privileges.”

John Pescatore

This attack uses credential stuffing, targeting admin users, to create exchange connectors. At a minimum, enable MFA, then turn on conditional access to limit where admins can connect from. Now, make sure you’re using continuous access evaluation to shut down accounts behaving unexpectedly. Lastly, if you’re using the free tier AzureAD, make sure the security defaults are enabled.

Lee Neely
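
Added illustration, not from the NewsBites item or the editors: the detection side of the advice above, run over a handful of constructed sign-in records. Credential stuffing shows up as one source address failing against many distinct accounts with few attempts each, so the check counts distinct users per IP inside a time window rather than attempts per user, and then lists admin sign-ins from a flagged address that succeeded without MFA, the case Microsoft's write-up describes. The record layout, the field names and the sample values are assumptions made for this example.

```python
"""Added example (not SANS or Microsoft code): flag credential-stuffing sources
in constructed sign-in records and list admin sign-ins that succeeded without MFA."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (not real telemetry). Field layout is an assumption:
# (timestamp, user, source ip, result, mfa used, account is admin)
SIGN_INS = [
    ("2022-09-20T02:00:00", "alice@example.com", "198.51.100.7", "failure", False, False),
    ("2022-09-20T02:00:05", "bob@example.com",   "198.51.100.7", "failure", False, False),
    ("2022-09-20T02:00:09", "carol@example.com", "198.51.100.7", "failure", False, True),
    ("2022-09-20T02:00:14", "dave@example.com",  "198.51.100.7", "failure", False, False),
    ("2022-09-20T02:00:20", "erin@example.com",  "198.51.100.7", "failure", False, False),
    ("2022-09-20T02:00:31", "carol@example.com", "198.51.100.7", "success", False, True),
    ("2022-09-20T09:15:00", "alice@example.com", "203.0.113.4",  "success", True,  False),
    ("2022-09-20T09:16:00", "alice@example.com", "203.0.113.4",  "failure", False, False),
]


def find_stuffing_sources(records, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: set(users)} for every IP whose failed sign-ins touched at least
    `min_accounts` distinct users inside `window`. Distinct users per IP is the
    credential-stuffing signal; a single user failing repeatedly is a different case."""
    failures = defaultdict(list)  # ip -> [(time, user)]
    for ts, user, ip, result, _mfa, _admin in records:
        if result == "failure":
            failures[ip].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = users
                break
    return flagged


def admin_logins_without_mfa(records, suspect_ips):
    """Admin accounts that signed in successfully from a flagged IP with no MFA:
    these are the accounts to review first, since MFA would have stopped the sign-in."""
    return sorted({user for _ts, user, ip, result, mfa, admin in records
                   if result == "success" and admin and not mfa and ip in suspect_ips})


if __name__ == "__main__":
    sources = find_stuffing_sources(SIGN_INS)
    for ip, users in sources.items():
        print(f"{ip}: failures against {len(users)} distinct accounts")
    print("admin sign-ins without MFA from suspect IPs:",
          admin_logins_without_mfa(SIGN_INS, sources))
```

The thresholds (five accounts in five minutes) are deliberately low so the constructed data trips them; tune them against your own baseline before alerting on production sign-in logs.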

In the beginning, most strong authentication schemes were user opt-in, but one was thrilled when one's banks began to offer it. The schemes were often awkward to use but less and less so. Reusable credentials continue to be implicated in breaches. It is time to make MFA mandatory. We should continue to offer users options about how to implement but reliance on passwords puts us all at risk.

William Hugh Murray

2022-09-22

Senate Bill Addresses Open Source Software Protection

Members of the US Senate Homeland Security Committee have introduced a bill that aims to enhance open-source software security. The Securing Open Source Software Act would direct the Cybersecurity and Infrastructure Security Agency (CISA) to develop a framework for assessing open source software risk. It would also direct the Office of Management and Budget to publish guidance to help agencies secure open source software.

Editor's Note

Even commercial software could not exist in its current form without open source. Protecting open source by extension does protect the vast majority of commercial software as well.

Johannes Ullrich

The proposed language gives CISA a year to put out yet another framework and then another two years for a report to determine if private industry could use that same framework. Three years to more paper documents is not major movement forward. On the good side, funding hiring of open source expertise in the CISA is a good thing and treating open source software used in critical functions as critical infrastructure is a very good thing. CISA should use the OpenSSF and the Linux Foundation “Open Source Software Security Mobilization Plan” as a starting point to fund immediate movement forward in parallel with any framework development.

John Pescatore

Executive Order 14028 already introduced requirements for securing the software supply chain. Additionally, there is existing guidance you can look to already to raise your bar. At a minimum, ensure you’re only allowing secure access to code repositories, implementing MFA for users and making sure you are using the vetted release of components in your CI/CD pipeline.

Lee Neely
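
Added illustration, not from the NewsBites item, the bill or any agency: one concrete way to "use the vetted release of components in your CI/CD pipeline" is to record a digest for each component when it is vetted and refuse the build when what the pipeline fetched differs. The manifest layout, the component names and the artifact bytes below are constructed for this example; the pinned digests are computed from those bytes so the example runs offline, whereas a real manifest would hold digests committed to the repository.

```python
"""Added example (not SANS, CISA or any project's code): verify fetched build
components against digests pinned at vetting time."""
import hashlib

# Constructed artifact bytes standing in for release archives (not real packages).
VETTED_BYTES = {
    "libparse-1.4.2.tar.gz": b"libparse 1.4.2 release tarball",
    "cli-tool-0.9.0.zip":    b"cli-tool 0.9.0 release zip",
}

# Constructed manifest: component -> sha256 recorded when the release was vetted.
# Computed here only so the example is self-contained; in a pipeline these
# values live in the repository and never come from the download itself.
PINNED = {name: hashlib.sha256(data).hexdigest() for name, data in VETTED_BYTES.items()}

# What a pipeline run "downloaded": one good, one altered, one never vetted.
FETCHED = {
    "libparse-1.4.2.tar.gz": b"libparse 1.4.2 release tarball",
    "cli-tool-0.9.0.zip":    b"cli-tool 0.9.0 release zip\n# appended content",
    "helper-2.0.0.tgz":      b"helper 2.0.0",
}


def verify_components(pinned, fetched):
    """Return (ok, problems). ok is True only when every fetched artifact is in the
    manifest with a matching sha256 and every pinned component was fetched."""
    problems = []
    for name, data in fetched.items():
        if name not in pinned:
            problems.append(f"{name}: not in vetted manifest")
            continue
        if hashlib.sha256(data).hexdigest() != pinned[name]:
            problems.append(f"{name}: sha256 mismatch against pinned digest")
    for name in pinned:
        if name not in fetched:
            problems.append(f"{name}: pinned but not fetched")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = verify_components(PINNED, FETCHED)
    print("build may proceed" if ok else "build blocked:")
    for p in problems:
        print("  -", p)
```

Run the check before anything is unpacked or executed; a failed verification should stop the pipeline rather than log and continue.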

Being able to measure risk is always useful. So is hiring those with skills and experience. One can hardly fault a law that favors such. However, we already know that this risk is high and that there is not much the buyers can do about it. We know skills and experience are in short supply. As John Pescatore suggests, the time scale for this law to have any real impact is very long. A law that requires a digital software bill of materials would be a good place for Congress to start and would have earlier impact. While our tolerance for supplier error is high, at some point we need to hold sellers accountable for malicious code in their products. That too will require legislation.

William Hugh Murray

2022-09-23

Phishing Campaign Targets GitHub and CircleCI Users

A phishing campaign is targeting customers of GitHub and the CircleCI continuous integration and delivery platform in an attempt to harvest account credentials. Both companies have notified their customers about the malicious emails.

Editor's Note

It appears that there has been a significant increase in phishing attacks targeting developers. Attackers have figured out that this is the easiest way to break the integrity of the software development supply chain. More technical employees like developers are often considered less vulnerable to phishing, but these attacks are usually less motivated by greed than those targeting executives. Instead, they are using a ruse that targets the desire of developers to get work done. Consider including some of these scenarios in your awareness program.

Johannes Ullrich

Source code repositories remain a target, and while actions are underway to raise awareness and overall security, threat actors are going to try to both inject new functionality and access your secret sauce to obtain an advantage. No package is too small to be a target.

Lee Neely

The Rest of the Week's News


2022-09-25

As India’s Data Retention Law Takes Effect, VPN Providers Exit

Virtual Private Network (VPN) companies are removing their physical servers from India as a new law in that country takes effect. As of Sunday, September 25, the Indian Computer Emergency Response Team is requiring VPN operators to retain customer data for at least five years, even after customers have cancelled their accounts.

Editor's Note

Individual countries each have to establish their own societal balance between law enforcement/intelligence agency access to citizen communications and citizen privacy rights. The difference between this current wave and previous privacy vs. surveillance waves (such as when telephone audio services first went digital) is that many services do not have to have physical presence in-country to succeed, so providers can fight back by moving offshore. For most companies, this law is a high risk to customer privacy unless stringent judicial release procedures are defined.

John Pescatore

Moving services out of a country whose privacy laws, or other regulations, you can’t comply with is a good idea. In this case the India rules don’t mesh well with the anonymous browsing model many VPNs offer. NordVPN, Proton VPN, Surfshark, Hide.me and ExpressVPN are all shutting down their servers in India. Read the fine print on alternatives which may still provide an Indian IP while not in the country. Expect India to take steps to apply their requirements to this or other perceived bypass scenarios.

Lee Neely

If India wants a Bluffdale, it should build it and pay for it itself. To require VPN service providers to do it will so decrease their revenues and increase their costs as to destroy the business model. The citizen will be the loser.

William Hugh Murray

2022-09-24

Sophos Releases Patch and Workaround for Zero-Day Code Injection Flaw in Sophos Firewall

Sophos has released a fix for a code injection vulnerability in the User Portal and Webadmin components of Sophos Firewall. The flaw is being actively exploited. Customers who have enabled the “allow automatic installation of hotfixes” feature do not need to take action. The flaw affects Sophos Firewall v19.0 MR1 [19.0.1] and older. Sophos has also suggested disabling WAN access to the vulnerable components as a workaround.

Editor's Note

My usual advice applies: Patch, but also make sure that you are not exposing these web-based admin interfaces to the world. I doubt that this will be the last vulnerability to be found in a web-based firewall/router/VPN admin interface.

Johannes Ullrich

This flaw is noted in the CISA KEV catalog. You have until Oct 14th to fix it. The flaws are in the User Portal and Webadmin services. A workaround is to not expose these services to the Internet. You need to do both, don’t expose those to the WAN and apply the update.

Lee Neely

In this case "allow" is the safe choice and should be the default. We simply have not seen sufficient cases where updates have caused problems to justify the alternative.

William Hugh Murray

2022-09-24

American Airlines Learned of Breach from Phishing Targets

American Airlines says it learned it was the victim of a data breach after being contacted by people who received phishing messages from a compromised American Airlines employee account. Once they were notified, the airline’s security team found evidence of unauthorized activity in its Microsoft 365 environment. The intruders apparently compromised multiple employee accounts and sent phishing messages from them.

Editor's Note

The same mitigations apply as with the OAuth attack: MFA, conditional access, and continuous access validation. Make sure that you’ve disabled inactive users, and set a time limit on MFA configuration, perhaps locking users out who can’t meet the timeline.

Lee Neely

There are two items of note from this incident that we should learn from. The first is the compromised mailboxes were accessed via the IMAP protocol. This is an old protocol and one which should be removed from systems. The second is the amount and type of personal data that was stored in the compromised mailboxes. According to the breach notification the personal data exposed in this breach may have included names, Social Security numbers, employee numbers, dates of birth, mailing addresses, phone numbers, email addresses, driver’s license numbers, and/or passport numbers. Email platforms should not be used as databases for personal data and processes should be in place to remove such data from mailboxes.

Brian Honan
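
Added illustration, not from the NewsBites item or the editors: the second point above, that processes should exist to find and remove personal data from mailboxes, is easiest to act on with a scan that reports which messages carry which kinds of identifiers. The messages below are constructed, the patterns cover three of the data types named in the breach notification (Social Security numbers, passport numbers, dates of birth), and the passport and date-of-birth rules rely on a nearby keyword because the bare digit patterns would otherwise match invoice and order numbers.

```python
"""Added example (not SANS or American Airlines code): scan mailbox text for the
kinds of personal data a breach notification typically lists."""
import re

# Constructed mailbox messages (no real data).
MESSAGES = [
    {"id": "m1", "body": "Hi, the new hire's SSN is 123-45-6789, please set up payroll."},
    {"id": "m2", "body": "Reminder: the team offsite is on Friday at 10am. Order #88812345."},
    {"id": "m3", "body": "Attached passport no. X12345678 and DOB 01/02/1980 for the visa."},
]

# Detection patterns. The SSN rule rejects area 000, 666 and 9xx, group 00 and serial
# 0000, which are never issued; passport and DOB rules require a keyword within a
# short distance so plain 8-9 digit strings (order numbers) are not reported.
PATTERNS = {
    "ssn": re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    "passport": re.compile(r"\bpassport\b.{0,20}?\b[A-Z]?\d{8,9}\b", re.IGNORECASE),
    "dob": re.compile(r"\b(?:DOB|date of birth)\b.{0,10}?\b\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
}


def scan_mailbox(messages, patterns=PATTERNS):
    """Return [(message id, sorted list of data kinds found)] for messages with hits.
    Only the kind is reported, not the matched value, so the report itself does
    not become another copy of the personal data."""
    findings = []
    for msg in messages:
        kinds = sorted(kind for kind, rx in patterns.items() if rx.search(msg["body"]))
        if kinds:
            findings.append((msg["id"], kinds))
    return findings


def summarize(findings):
    """Count messages per data kind, the figure a retention review usually starts from."""
    counts = {}
    for _msg_id, kinds in findings:
        for kind in kinds:
            counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_mailbox(MESSAGES)
    for msg_id, kinds in found:
        print(f"{msg_id}: {', '.join(kinds)}")
    print("messages per data kind:", summarize(found))
```

The same patterns can run as a retention rule (flag or archive matching messages older than a set age) rather than a one-off audit, which is the "process" the note calls for.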

2022-09-23

CISA Adds Critical Zoho Flaw to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a Java deserialization vulnerability in Zoho ManageEngine products to its Known Exploited Vulnerabilities (KEV) catalog. The critical flaw affects ManageEngine PAM360, Password Manager Pro, and Access Manager Plus. CISA has given federal agencies until October 13 to mitigate the flaw.

Editor's Note

Good news: the vendor updates are available; bad news: you need to roll them out quickly. Note that Sophos Firewalls are also on the list with a code injection vulnerability in the User Portal and Webadmin functions which allow RCE.

Lee Neely

2022-09-27

Ukraine Warns of Russia's Plans to Increase Cyberattacks

Ukraine’s Main Directorate of Intelligence of the Ministry of Defense warns that Russia is planning to escalate cyberattacks against Ukrainian and Ukrainian allies’ critical infrastructure. The Directorate says it expects the first attacks to target the energy sector. They also warn that Russia is likely to escalate distributed denial-of-service (DDoS) attacks against critical infrastructure in Poland and the Baltic states (Estonia, Latvia, and Lithuania).

Editor's Note

If you’re in the energy sector, are you prepared to withstand such an attack? Make sure DDoS, remote access, segmentation, and authentication services are up to the task. Ensure your user awareness training is both current and required, to include annual refreshers. Lastly, ensure media and content validation processes are in place; don’t allow unconstrained introduction into OT environments.

Lee Neely

2022-09-23

Compromised npm Packages Affect Cryptocurrency Projects

Multiple npm packages used by cryptocurrency projects have been compromised and are installing information stealers. The compromised packages “were published from the npm account of a dYdX staff member and found to contain illicit code.”

Editor's Note

Mitigations are known to prevent account takeover for your repository. Make sure that only your vetted code is committed. Make sure that you have visibility to all updates, then follow up on unexpected or oddly-timed updates.

Lee Neely
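
Added illustration, not from the NewsBites item, the editors or npm: "visibility to all updates, then follow up on unexpected or oddly-timed updates" can be a review pass over the publish history of the packages you maintain or depend on. The check below flags a release when the publishing account is not on the package's allowlist, when it lands outside the hours that account normally publishes, or when the same account pushes several different packages within minutes, which is the shape of a single compromised staff account publishing across a project. Package names, accounts, the event layout and the timestamps are constructed for this example.

```python
"""Added example (not SANS or npm code): review constructed package-publish
events for releases that deserve a follow-up."""
from datetime import datetime, timedelta

# Constructed allowlist: package -> accounts expected to publish it.
EXPECTED_PUBLISHERS = {
    "@acme/wallet-core": {"maintainer-a"},
    "@acme/wallet-ui":   {"maintainer-a", "maintainer-b"},
    "@acme/utils":       {"maintainer-b"},
}

# Constructed publish events: (timestamp UTC, package, version, publishing account).
PUBLISHES = [
    ("2022-09-01T15:02:00", "@acme/utils",       "2.3.1", "maintainer-b"),
    ("2022-09-22T03:11:00", "@acme/wallet-core", "1.8.4", "maintainer-a"),
    ("2022-09-22T03:12:30", "@acme/wallet-ui",   "4.0.2", "maintainer-a"),
    ("2022-09-22T03:13:10", "@acme/utils",       "2.3.2", "maintainer-a"),
]


def review_publishes(events, expected, work_hours=(8, 18), burst=timedelta(minutes=10)):
    """Return [(package, version, account, [reasons])] for releases that need follow-up.
    work_hours is the [start, end) UTC hour range in which publishes are routine."""
    parsed = sorted((datetime.fromisoformat(t), pkg, ver, who) for t, pkg, ver, who in events)
    alerts = []
    for i, (ts, pkg, ver, who) in enumerate(parsed):
        reasons = []
        if who not in expected.get(pkg, set()):
            reasons.append("publisher not on allowlist for package")
        if not (work_hours[0] <= ts.hour < work_hours[1]):
            reasons.append("published outside usual hours")
        # Other packages the same account published shortly before this one.
        earlier = [p for p in parsed[:i]
                   if p[3] == who and p[1] != pkg and ts - p[0] <= burst]
        if earlier:
            reasons.append(f"burst: {len(earlier)} other package(s) by same account within {burst}")
        if reasons:
            alerts.append((pkg, ver, who, reasons))
    return alerts


if __name__ == "__main__":
    for pkg, ver, who, reasons in review_publishes(PUBLISHES, EXPECTED_PUBLISHERS):
        print(f"{pkg}@{ver} by {who}:")
        for r in reasons:
            print("   -", r)
```

Any of the three reasons alone is worth a look; all three together on one release, as in the last constructed event, is the case to treat as an incident until the maintainer confirms the publish.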

2022-09-23

GAO Audit Finds Cybersecurity Shortcomings at NNSA

A report from the US Government Accountability Office (GAO) says that “the National Nuclear Security Administration (NNSA) and its contractors have not fully implemented six foundational cybersecurity risk practices in its traditional IT environment. NNSA also has not fully implemented these practices in its operational technology and nuclear weapons IT environments.” GAO made nine recommendations for NNSA, including implementing an IT continuous monitoring strategy and improving subcontractor cybersecurity monitoring.

Internet Storm Center Tech Corner

Easy Python Sandbox Detection

https://isc.sans.edu/forums/diary/Easy+Python+Sandbox+Detection/29090


Kids Like Cookies and Malware Likes them Too

https://isc.sans.edu/forums/diary/Kids+Like+Cookies+Malware+Too/29082


Downloading Files from Removed Domains

https://isc.sans.edu/forums/diary/Downloading%20Samples%20From%20Takendown%20Domains/29086/


Redis 7.0 XAUTOCLAIM Heap Overflow

https://github.com/redis/redis/security/advisories/GHSA-5gc4-76rx-22c9


Scoreboard Hacking

https://maxwelldulin.com/BlogPost?post=7118102528


Hackers Use PowerPoint Files for "Mouseover" Malware Delivery

https://blog.cluster25.duskrise.com/2022/09/23/in-the-footsteps-of-the-fancy-bear-powerpoint-graphite/


WhatsApp Security Updates

https://www.whatsapp.com/security/advisories/2022/


Sophos RCE Flaw

https://www.sophos.com/en-us/security-advisories/sophos-sa-20220923-sfos-rce


CircleCI Phishing Attacks Used to Access GitHub Accounts

https://discuss.circleci.com/t/circleci-security-alert-warning-phishing-attempt-for-login-credentials/45408