SANS NewsBites

Update Detections and Patching to Spot Exploitation of Latest Zero Day Exchange Flaws; If You Run Azure Virtual Desktop, Try Out Password-less Authentication; Enable Continuous Access Evaluation (CAE) Rules for Azure Active Directory

September 30, 2022  |  Volume XXIV - Issue #76

Top of the News


2022-09-30

Potentially New Microsoft Exchange Flaw Actively Exploited

Zero-day remote code execution vulnerabilities in Microsoft Exchange servers are being actively exploited, according to researchers from GTSC. The flaws can be chained to deploy web shells on vulnerable servers. The GTSC researchers notified Microsoft of the vulnerabilities three weeks ago via the Zero Day Initiative, which has given them identifiers: ZDI-CAN-18333 and ZDI-CAN-18802.

Editor's Note

Right now, information about this issue is still not complete. But there is a high probability that a new Microsoft Exchange flaw has been abused in the wild to compromise Exchange and install web shells. You should still double check that your Exchange servers are patched, and make sure you have detection rules in place to pick up any post exploit activity.

Johannes Ullrich

The Microsoft guidance for this vulnerability (first link below) describes two vulnerabilities: CVE-2022-41040 is a server-side request forgery and CVE-2022-41082 is an RCE flaw which is exploited using PowerShell. Both flaws require authenticated access and only apply to your on-premises Exchange environment. There is not currently a patch, so you need to implement the mitigations, which include augmenting the URL rewrite configuration for your Autodiscover service to block known attack patterns and blocking HTTP/HTTPS ports 5895 and 5896. Better still, migrate off your on-premises Exchange servers.

Lee Neely

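The two notes above both come down to the same defensive task: have detection in place for the Autodiscover request pattern that Microsoft's mitigation blocks, and look back through front-end logs for it. The following is an added example, not code from the newsletter, its editors or Microsoft. It assumes the regular expression in SUSPICIOUS_URI is the REQUEST_URI pattern from Microsoft's published URL Rewrite mitigation at the time (verify it against current guidance before relying on it), and the IIS log lines in SAMPLE_LOG are constructed, not real traffic.

```python
"""Scan IIS W3C extended logs from an on-premises Exchange front end for
requests matching the Autodiscover/PowerShell pattern that Microsoft's
mitigation for CVE-2022-41040 / CVE-2022-41082 blocked via URL Rewrite.

Added example (not the newsletter's or Microsoft's code). Assumptions:
SUSPICIOUS_URI is the pattern from Microsoft's guidance as published at the
time; SAMPLE_LOG is constructed sample data, not captured traffic.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List
from urllib.parse import unquote

# Assumed: the REQUEST_URI pattern used by Microsoft's URL Rewrite mitigation.
SUSPICIOUS_URI = re.compile(r".*autodiscover\.json.*@.*powershell.*", re.IGNORECASE)

# Constructed sample log in IIS W3C extended format. Two requests carry the
# pattern (one with a literal '@', one percent-encoded); the rest are benign.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2022-09-29 08:15:02 10.0.0.5 GET /owa/ - 443 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) 200
2022-09-29 08:15:09 10.0.0.5 POST /autodiscover/autodiscover.json Email=user@example.test 443 198.51.100.7 Outlook/16.0 200
2022-09-29 08:16:41 10.0.0.5 POST /autodiscover/autodiscover.json x=@example.test/powershell 443 198.51.100.23 python-requests/2.28 200
2022-09-29 08:16:42 10.0.0.5 POST /autodiscover/autodiscover.json x=%40example.test/PowerShell 443 198.51.100.23 python-requests/2.28 401
2022-09-29 08:17:00 10.0.0.5 GET /ecp/ - 443 198.51.100.9 Mozilla/5.0+(Macintosh) 302
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the #Fields header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split(" ")
        if not fields or len(values) != len(fields):
            continue  # malformed line: skip rather than guess at columns
        records.append(dict(zip(fields, values)))
    return records


def request_uri(record: Dict[str, str]) -> str:
    """Rebuild the request URI and percent-decode it, so '%40' matches '@'."""
    stem = record.get("cs-uri-stem", "")
    query = record.get("cs-uri-query", "-")
    uri = stem if query in ("", "-") else f"{stem}?{query}"
    return unquote(uri)


def find_suspicious(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one hit per request whose decoded URI matches SUSPICIOUS_URI."""
    hits = []
    for r in records:
        uri = request_uri(r)
        if SUSPICIOUS_URI.match(uri):
            hits.append({
                "time": f"{r.get('date')} {r.get('time')}",
                "client": r.get("c-ip", ""),
                "uri": uri,
                "status": r.get("sc-status", ""),
                "user_agent": r.get("cs(User-Agent)", ""),
            })
    return hits


def scan_log_text(text: str) -> List[Dict[str, str]]:
    """Convenience wrapper: parse a whole log file's text and return the hits."""
    return find_suspicious(parse_w3c(text.splitlines()))


def clients_by_hits(hits: List[Dict[str, str]]) -> Counter:
    """Count matching requests per client IP to prioritise which sources to triage."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    found = scan_log_text(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['client']} {h['status']} {h['uri']} ({h['user_agent']})")
    print("requests per client:", dict(clients_by_hits(found)))
```

Note that a 401 response is still worth recording: the flaws require authenticated access, so failed attempts against the same endpoint from one source are an early indicator to pair with authentication logs, and a 200 from the same client deserves a full post-exploit review of that server.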
2022-09-27

Azure Single Sign-on and Passwordless Authentication

Microsoft has announced the public preview of single sign-on and passwordless authentication for Azure Virtual Desktop. The “new functionality is currently available on Windows 10, Windows 11 and Windows Server 2022 session hosts, once [users have] installed the September Cumulative Update Preview.”

Editor's Note

This is using Windows Hello and FIDO2. If you’re looking to start experimenting with passwordless, FIDO2, SSO and IDP/Azure AD integration, give this a shot, particularly if you’re looking at using Azure remote workstations to provide a secure environment independent of the connecting endpoint.

Lee Neely

This is very similar to Apple’s Passkey, where both vendors (and Google) are implementing the FIDO authentication standard into their operating systems. This has the potential to make strong authentication far easier for people, and far more secure. By building the FIDO standard into Microsoft / Apple / Google devices, we are moving to token-based authentication (device you have) which is authorized by biometrics. In other words, if a website supports the FIDO standard for authentication, then you register your device(s) with that site and when you want to log in, you simply have your device with you and approve it with biometrics. Very simple and secure. The trick over the coming years will be pushing websites to support this. Love this solution as it takes one of the most complex security controls (authentication) out of people’s hands and puts it almost entirely in the tech side.

Lance Spitzner

Any alternative to fraudulently reusable credentials should be welcome and embraced. Perhaps we are beginning to see techs looking for broadly applicable solutions instead of simply identifying and exposing vulnerabilities. We need to make doing it right easier than doing it wrong.

William Hugh Murray

2022-09-28

Microsoft Will Deprecate Client Access Rules in Exchange Online

In October, Microsoft will begin retiring Client Access Rules (CARs) in Exchange Online with the goal of completely deprecating them by September 2023. CARs will be replaced with Continuous Access Evaluation (CAE) for Azure Active Directory.

Editor's Note

Don’t wait; you want to get ahead of the curve on CAE as it’ll help you shut down malicious access attempts relating to credential theft. CAE enables Azure Active Directory applications to subscribe to critical events that can then be evaluated and enforced in near real time.

Lee Neely

Very positive move forward: user session revocation can be enforced in near real time. There may be some business app breakage, but those were just vulnerabilities waiting to be exploited.

John Pescatore

The Rest of the Week's News


2022-09-28

More News About Optus Breach

Australian authorities have asked the US Federal Bureau of Investigation (FBI) for help identifying the culprits responsible for the Optus breach. The incident has reportedly compromised driver’s license information, passport numbers, and email addresses of more than 10 million customers. Optus has taken a hit to its credibility after it became apparent that Medicare information was compromised as well, although Optus had not disclosed that. Initially, the attackers had demanded AU$1.5 million in ransom. Now the apparent culprits have apologized for the attack and have withdrawn the monetary demand as well as threats to post stolen data. However, more than 10,000 customer records had already been released.

Editor's Note

Kudos to Optus for calling in additional support to work the breach. It’s not a bad idea to have an escalation plan in your hip pocket. At this point, if you’re using Optus, assume your data is compromised. Take active steps to monitor your identity, don’t wait for the investigation to complete.

Lee Neely

2022-09-28

Cloudflare Introduces a CAPTCHA Alternative

Cloudflare has announced the open beta of Turnstile, an alternative to CAPTCHA. Rather than waste users’ time with frustrating clicking exercises, Turnstile “automatically chooses from a rotating suite of non-intrusive browser challenges based on telemetry and client behavior exhibited during a session.”

Editor's Note

I experimented with Turnstile earlier this week, and it looks intriguing enough to install it in a few cases. I do like the privacy focus. So far, my tests look good and implementation was easy enough.

Johannes Ullrich

This could be a welcome relief from spotting bridges or trying to read letters in font/color combinations I can’t see. Turnstile is built to use the device manufacturer as a source for human operator validation, and doesn’t require you to use the Cloudflare network or even be a customer (just a free account to set it up) to work. It’s using private access tokens, piloted with Apple, to prove human operator without giving up privacy information or relying on a browser cookie.

Lee Neely

2022-09-29

Chaos Cross-Platform Malware

Researchers from Lumen’s Black Lotus Labs “recently uncovered a multifunctional Go-based malware that was developed for both Windows and Linux.” Dubbed Chaos, the malware uses infected devices for cryptomining and launching distributed denial-of-service (DDoS) attacks.

Editor's Note

While Chaos appears to have roots in the Kaiji malware, it is considerably more advanced. This spreads by exploiting vulnerabilities both in the OS (Win/Lin) and SOHO routers. This means keeping those patched. Ensure you have effective EDR in place and change default passwords.

Lee Neely

2022-09-28

CISA Releases Protective DNS Resolver Shared Service

The US Cybersecurity and Infrastructure Security Agency (CISA) has made its Protective Domain Name System available to all federal civilian agencies through CISA’s Cybersecurity Shared Services Office. In a blog post, CISA writes, “Protective DNS shields federal users and organizations from reaching known or suspected malicious destinations with a cutting-edge capability that safeguards network connections. It also empowers FCEB agencies with better visibility into their own internet traffic, providing real-time logs, reports and other insights into an ever-evolving cyber threat landscape.”

Editor's Note

Having a service which black-holes known bad DNS entries helps reduce the success of attacks and the reachability of C2 services, akin to Einstein. As with any such service, you should monitor for interruption of legitimate traffic and understand both how to add services which are banned and how to revert to your existing configuration.

Lee Neely

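The decision a protective DNS resolver makes for each query, and the two operational points the note above raises (adding a banned name, and noticing when legitimate traffic is being blocked), as an added example; this is not CISA's implementation and is not from the newsletter. The blocklist, allowlist and query log below are constructed. The policy walks from the queried name up through its parent domains, so blocking a zone blocks every host under it, and an allowlist entry closer to the queried name overrides a broader block.

```python
"""Decision logic of a protective DNS resolver: a domain blocklist applied to
every query, an allowlist for exceptions, and a report of what was blocked so
that interruptions of legitimate traffic can be spotted.

Added example, not CISA's Protective DNS implementation. All names, the
blocklist, the allowlist and the query log are constructed sample data.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple


def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot: 'WWW.Bad.TEST.' -> 'www.bad.test'."""
    return name.strip().lower().rstrip(".")


def ancestors(name: str) -> List[str]:
    """'a.b.c.test' -> ['a.b.c.test', 'b.c.test', 'c.test', 'test'] (most specific first)."""
    labels = normalize(name).split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


class ProtectiveResolverPolicy:
    """Blocklist/allowlist policy where the most specific matching entry wins."""

    def __init__(self, blocklist: Iterable[str], allowlist: Iterable[str] = ()) -> None:
        self.blocklist = {normalize(d) for d in blocklist}
        self.allowlist = {normalize(d) for d in allowlist}

    def add_blocked(self, name: str) -> None:
        """Operational step from the note: add a newly banned name or zone."""
        self.blocklist.add(normalize(name))

    def add_allowed(self, name: str) -> None:
        """Restore one legitimate host under a blocked zone without unblocking the zone."""
        self.allowlist.add(normalize(name))

    def decide(self, qname: str) -> Tuple[str, str]:
        """Return ('allow' | 'block', matched_entry). Walk from the queried name
        upward; at each level an allowlist entry is checked before a blocklist
        entry, so 'safe.bad.test' is allowed even though 'bad.test' is blocked."""
        for candidate in ancestors(qname):
            if candidate in self.allowlist:
                return "allow", candidate
            if candidate in self.blocklist:
                return "block", candidate
        return "allow", ""


# Constructed resolver query log: timestamp, client, queried name, record type.
SAMPLE_QUERIES = """\
2022-09-28T14:00:01Z 10.1.2.3 www.bad.test A
2022-09-28T14:00:02Z 10.1.2.3 safe.bad.test A
2022-09-28T14:00:05Z 10.1.2.9 WWW.BAD.TEST. AAAA
2022-09-28T14:00:07Z 10.1.2.9 docs.python.org A
2022-09-28T14:00:09Z 10.1.2.11 beacon.c2.test TXT
"""


def apply_policy(policy: ProtectiveResolverPolicy, log_text: str) -> List[Dict[str, str]]:
    """Evaluate every query in the log and record the decision and matched entry."""
    decisions = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype = line.split()
        action, entry = policy.decide(qname)
        decisions.append({"time": ts, "client": client, "qname": normalize(qname),
                          "qtype": qtype, "action": action, "entry": entry})
    return decisions


def blocked_report(decisions: List[Dict[str, str]]) -> Counter:
    """Blocked queries per matched entry. An entry that suddenly blocks many
    distinct clients is the signal to review it for collateral damage."""
    return Counter(d["entry"] for d in decisions if d["action"] == "block")


if __name__ == "__main__":
    policy = ProtectiveResolverPolicy(blocklist=["bad.test", "c2.test"],
                                      allowlist=["safe.bad.test"])
    for d in apply_policy(policy, SAMPLE_QUERIES):
        print(f"{d['time']} {d['client']} {d['qname']:>16} {d['qtype']:<5} {d['action']} {d['entry']}")
    print("blocked per entry:", dict(blocked_report(apply_policy(policy, SAMPLE_QUERIES))))
```

Reverting to the existing configuration, the other point in the note, is the trivial case here: an empty blocklist allows everything, which is why keeping the policy as data separate from the resolver makes rollback a configuration change rather than a code change.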
2022-09-26

TIGTA Audit: IRS Needs to Improve Digital Communication Platform Security and Access Controls

According to a report from the Treasury Inspector General for Tax Administration (TIGTA), a vendor who provides the US Internal Revenue Service (IRS) with a communications system did not apply available updates for antivirus and as a result, was running vulnerable software for more than a year. The vendor, eGain, is a managed service provider for the communications system, which is known as the Taxpayer Digital Communications (TDC) platform. TIGTA made nearly a dozen recommendations, including having “The [IRS] Chief Information Officer … ensure that adequate oversight is provided to ensure that eGain MSP personnel timely upgrade antivirus software in accordance with IRM (Internal Revenue Manual) requirements.”

Editor's Note

Think of this when you’re asked about downtime to apply patches/updates, not just to the OS but also to the applications. Verify that you’re keeping applications on current versions which are getting updated commensurate with the current threat landscape. When you find old/legacy versions, make plans to both update (soon) and protect the existing installation from abuse.

Lee Neely

2022-09-29

Medical Device Cybersecurity Mandate Dropped from FDA Authorization Bill

The US Food and Drug Administration (FDA) appropriations bill has passed, but cybersecurity provisions introduced in the House version were removed when the bill went to the Senate. The bill gives the FDA the authority to collect fees from healthcare organizations for reviewing new drugs and medical devices.

Editor's Note

This is an unfortunate victory for the lobbyists of the medical device industry. The problem with unsecure medical devices won’t go away on its own – the industry needs to demonstrate it can drive itself to higher levels of security being built in. Not a great track record there.

John Pescatore

The mandate was dropped due to logistical complications of attempting to get it passed as well as possible delays to critical funding needed to continue the FDA operations in the bill. Expect future actions to take up the call to raise the bar on medical device security.

Lee Neely

2022-09-28

US Senate Committee Approves Bill That Would Require Government-Wide Software Inventory

The US Senate Homeland Security and Governmental Affairs Committee has approved a bill that would direct federal agencies to conduct thorough inventories of software they use. The long-term goal of the Strengthening Agency Management and Oversight of Software Assets Act is to help consolidate software contracts and licenses, and encourage the adoption of open-source software.

Editor's Note

Good start, since for any Software Bill of Materials to be useful, it has to be based on an accurate software asset inventory. The USG has to make sure the inventory includes all software, not just formally procured software – i.e. open source, rogue IT, tools used by in-house contractors, etc.

John Pescatore

CDM already requires this software inventory; the trick is mining that data to discover and prioritize remediation of issues. If you don’t know what’s running in your environment, spend time on discovery and remediation planning before implementing any sort of penalty phase to prevent negative impact to mission or operations.

Lee Neely

This is a step in the right direction, but only “top down.” The agencies can fairly easily identify what they installed. However, absent a digital software bill of materials that is bottom up, the government will still not know what code it is running.

William Hugh Murray

Internet Storm Center Tech Corner

PNG Analysis with pngdump.py

https://isc.sans.edu/forums/diary/PNG%20Analysis/29100/


10 Years Later: Attacker re-discovering old VTiger CRM Vulnerability

https://isc.sans.edu/forums/diary/10+Years+Later+Attacker+rediscovering+old+VTiger+CRM+Vulnerability/29098


DNS Option 15 and Debugging DNSSEC Errors

https://isc.sans.edu/forums/diary/DNS+Option+15+Debugging+DNSSEC+Errors/29094


Possible Exchange Server 0-Day Vulnerability

https://www.gteltsc.vn/blog/warning-new-attack-campaign-utilized-a-new-0day-rce-vulnerability-on-microsoft-exchange-server-12715.html

https://success.trendmicro.com/dcx/s/solution/000291651?language=en_US


Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors

https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence


IRS Reports Significant Increase in Texting Scams

https://www.irs.gov/newsroom/irs-reports-significant-increase-in-texting-scams-warns-taxpayers-to-remain-vigilant


Cloudflare Releases Turnstile, a user-friendly, privacy-preserving CAPTCHA alternative

https://blog.cloudflare.com/turnstile-private-captcha-alternative/


Cisco Patches

https://kb.cert.org/vuls/id/855201


Chrome 106 Release

https://chromereleases.googleblog.com/2022/09/stable-channel-update-for-desktop_27.html?m=1


Yari: A New Era of Yara Debugging

https://engineering.avast.io/yari-a-new-era-of-yara-debugging/


HTTP Archive Almanac

https://almanac.httparchive.org/en/2022/security