SANS NewsBites

More Mitigations Needed from Microsoft to Deal With Exchange Zero Days; Service Providers Will Be Settling More Breach Lawsuits; Proposed FERC Incentives Focus too Much on Buying Products, Not Enough on Increasing Security Operations Effectiveness and Efficiency

October 4, 2022  |  Volume XXIV - Issue #77

Top of the News


2022-10-03

Researchers Say Microsoft’s Mitigations for Exchange Server Zero-Days are Not Robust Enough; Microsoft is Developing Fixes on an “Accelerated Timeline”

Last week, Microsoft released mitigations to help protect users from attacks exploiting a pair of vulnerabilities in Exchange Server. The flaws are being actively exploited, and can be chained to attain remote code execution. Researchers now say that those mitigations can easily be bypassed. Actual patches for the vulnerabilities are not yet available; Microsoft says it is working on an “accelerated timeline” to make fixes available. On Sunday, October 2, Microsoft added this to the mitigation suggestions: “we strongly recommend Exchange Server customers to disable remote PowerShell access for non-admin users in your organization.” [Ed: CISA has added the Exchange Server flaws to its Known Exploited Vulnerabilities catalog.]
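The per-user setting behind Microsoft's "disable remote PowerShell access for non-admin users" recommendation is the RemotePowerShellEnabled flag on each user object. The script below is an added example (not code from the newsletter, SANS, or Microsoft): it lists every user who still has remote PowerShell enabled and is not a member of an Exchange admin role group, and switches the flag off only when run with -Apply. The role-group list, and the assumption that role-group membership is what defines "admin" here, are mine and should be adjusted to your own delegation model.

```powershell
# Added example (not from the newsletter, SANS, or Microsoft): audit, and optionally
# disable, remote PowerShell for users outside the Exchange admin role groups.
# Run inside the Exchange Management Shell on an on-premises server.
# Assumption: membership in the role groups below is what makes someone an "admin"
# for this purpose; edit the list before running with -Apply.
param(
    [switch]$Apply,   # without -Apply the script only reports
    [string[]]$AdminRoleGroups = @('Organization Management', 'Recipient Management',
                                   'Server Management', 'Hygiene Management')
)

# Build the set of distinguished names that legitimately need remote PowerShell.
# Caveat: Get-RoleGroupMember does not expand nested security groups, so review the
# report before applying.
$keep = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
foreach ($rg in $AdminRoleGroups) {
    Get-RoleGroupMember -Identity $rg -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$keep.Add($_.DistinguishedName) }
}

# Everyone who currently has remote PowerShell enabled but is not in an admin role group.
$candidates = Get-User -ResultSize Unlimited |
    Where-Object { $_.RemotePowerShellEnabled -and -not $keep.Contains($_.DistinguishedName) }

$candidates | Select-Object Name, UserPrincipalName, RecipientTypeDetails | Format-Table -AutoSize
"{0} non-admin user(s) currently have remote PowerShell enabled." -f @($candidates).Count

if ($Apply) {
    foreach ($u in $candidates) {
        # Set-User -RemotePowerShellEnabled $false is the per-user switch; it is
        # reversible later with -RemotePowerShellEnabled $true.
        Set-User -Identity $u.DistinguishedName -RemotePowerShellEnabled $false -Confirm:$false
    }
}
```

Run it once without -Apply and read the list: service accounts and automation identities that drive Exchange through remote PowerShell will show up as "non-admin" unless they sit in one of the role groups, and the Exchange Management Shell itself runs over remote PowerShell, so an admin account that is disabled here loses the shell. This narrows the pool of accounts an attacker can use to reach the PowerShell endpoint until the actual patches ship; it is a stopgap, not a fix.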

Editor's Note

This vulnerability is a good example of the need for robust detection engineering to cover post-exploitation activity. Rules to detect rogue DLLs or webshells will go a long way toward detecting activity well beyond Exchange flaws.

Johannes Ullrich

The trick is to focus on where you can raise the bar until a patch is released. Allowing PowerShell execution only from users who need it is a good first step. These attacks require account takeover. As such, make sure accounts, especially administrative ones, use MFA and are only allowed to connect from authorized devices/services. Employ separation of duties, require that administrative accounts not be end-user accounts, then monitor their use.

Lee Neely

2022-09-30

Magellan Health Agrees to Pay $1.43M to Settle Breach Lawsuit

Managed care company Magellan Health will pay $1.43 million to settle a lawsuit filed in the wake of a 2019 data breach. In May 2019, Magellan subsidiary Magellan Rx Management suffered a phishing attack that led to the compromise of sensitive personal information belonging to 273,000 patients. While Magellan learned about the breach in July 2019, affected patients were not notified until November 2019. According to the HIPAA Breach Notification Rule, covered entities and their associates are required to disclose breaches affecting more than 500 individuals within 60 days of discovering the incident.

Editor's Note

Managed service providers are going to see more of these lawsuits from their customers, which seem to be settled more often than the broad class action lawsuits that have gotten more press. If you are a service provider, this is a good one to show your Chief Legal Counsel, along with the many previous reports on how the cost to avoid was way less than the overall eventual cost of being compromised.

John Pescatore

Make sure you are tracking breach notification requirements for all your data types. Enlist expert guidance when you’re breached, and if you’re planning to miss the required window, make sure you’re also talking to the regulator, as late findings/penalties will only worsen your recovery process.

Lee Neely

2022-09-22

FERC Notice of Proposed Rulemaking: Incentives for Voluntary Cybersecurity Investments

The Federal Energy Regulatory Commission (FERC) has issued a Notice of Proposed Rulemaking (NOPR) seeking public comment on its proposal to “provide incentive-based rate treatment for utilities making certain voluntary cybersecurity investments.” Eligible investments must meet several requirements, which include “materially improv[ing] cybersecurity through either an investment in advanced cybersecurity technology or participation in cybersecurity threat information sharing programs; and [those] not already … mandated by Critical Infrastructure Protection (CIP) Reliability Standards, or local, state, or federal law.”

Editor's Note

I think the proposed approach has a dangerous flaw: it is almost 100% focused on either deploying new products and services to get rate reductions or joining threat sharing. It almost completely avoids the People and Process part of “People, Process and Technology.” For example, better IT admin and faster patching is one of the biggest improvements that could be made and in most cases does not require advanced products or new procurements – it requires a security team that can get the admin side to do things differently. The same is true for segmentation, privilege management and many of the Critical Security Controls that provide the biggest bang for the buck. The people skills to work with other organizations and to develop effective and repeatable playbooks to make the operations side better need to be incentivized, not just buying new products/services.

John Pescatore

The comment period runs for 30 days from publication, which was 9/22/22. The proposed incentives would take two forms: a return on equity adder of 200 basis points, or deferred cost recovery that would enable the utility to defer expenses and include the unamortized portion in its rate base, which could substantially reduce the burden of improving their security. The trick is the improvements must be deemed to materially improve the utilities’ cyber security, so it is critical to have a clear understanding of what that means. Also be prepared to demonstrate you’ve actually implemented changes, not purchased shelfware.

Lee Neely

Most electric utilities are regulated by the states. The states tend to focus on the rate to the consumer and to discourage what they see as discretionary spending. That contributes to the state of security in the industry. This legislation might well compensate.

William Hugh Murray

The Rest of the Week's News


2022-10-03

New CISA Directive Requires Agencies to Improve Vulnerability Detection and Reporting

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a new Binding Operational Directive, BOD 23-01, requiring federal civilian agencies to step up network vulnerability detection. Specifically, the required actions in the BOD, titled Improving Asset Visibility and Vulnerability Detection on Federal Networks, include “perform[ing] automated asset discovery every 7 days, ... [and] initiat[ing] vulnerability enumeration across all discovered assets, including all discovered nomadic/roaming devices (e.g., laptops), every 14 days.” The agencies are also required to automate entry of vulnerability enumeration results into the CDM agency dashboard within 72 hours of discovery.

Editor's Note

The DISA CDM program has been going for almost 10 years now and the acronym has always stood for *Continuous* Diagnostics and Mitigation. The question has always been what the definition of “continuous” is, which has ranged from yearly (or worse) to monthly for agencies checking on monthly Windows patches. While the CDM tools have been purchased to go faster and meet this directive’s 7-day asset discovery and 14-day vulnerability assessment, the processes and staff skills needed to do that have lagged. This is step one to getting to basic security hygiene.

John Pescatore

CDM (which has the same scope as this directive) already expects discovery within 72 hours, with the expectation that the interval will shrink to near-real-time. Additionally, scanning and remediation windows have been specified in previous directives. Irrespective of applicability, make sure you are able to discover all devices on your network and block/quarantine devices which are either unknown or not meeting minimum security standards. Technology such as NAC has matured to make this possible.

Lee Neely

2022-10-02

Witchetty Espionage Group Has Added Steganography to Their Toolkit

Researchers from Symantec’s Threat Hunter Team detected an espionage group using steganography to further their activities. The Witchetty espionage group exploited five ProxyShell and ProxyLogon vulnerabilities to install web shells, then stole access credentials and began moving laterally through compromised networks. The steganographic portion of the attack hides malicious code in a Windows logo graphic. The steganographic bitmap image is deployed with the help of a backdoor Trojan.

Editor's Note

This looks like yet another example where the attacker attached an obfuscated executable to an image (which isn't steganography in my opinion), and used a common cloud service to deliver the image. Lazy detection systems often ignore content past the initial header; this trick isn't new, but it is effective. Catchy headline, but nothing really new.

Johannes Ullrich

Steganography is very interesting, and capturing the source image is tempting. Use care handling it if you go down that path. This attack is new functionality added to the LookBack backdoor, and the image (the jacked-up Windows logo) is stored in a GitHub repository. The Symantec blog has IOCs for you to incorporate. The attack is leveraging weaknesses in public-facing services, e.g., Exchange. The best mitigation is to actively update any public-facing services and regularly verify they are running current security configurations.

Lee Neely
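The editor's note above makes the detection point: an executable glued onto the end of an image survives any scanner that stops reading at the image header. The check a defender wants is the opposite of lazy, comparing where the image format says the file ends with where it actually ends. The function below is an added example (not code from the newsletter, Symantec, or the Witchetty reporting) and goes slightly beyond the bitmap mentioned in the story: it handles BMP (the header declares the total file size) and PNG (the file ends at the IEND chunk), reports any trailing bytes, and notes whether the trailer starts with the 'MZ' marker of a Windows executable. The sample file it writes is constructed here for the demo.

```powershell
# Added example (not from the newsletter, Symantec, or the Witchetty reporting): flag
# image files that carry bytes beyond the point where the image format says the file ends.
# BMP declares its total size in the file header; PNG ends at its IEND chunk.
# Assumption: the sample file written at the bottom is constructed here for the demo.
function Get-ImageTrailerInfo {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $format = 'unknown'
    $declaredEnd = $null

    if ($bytes.Length -ge 14 -and $bytes[0] -eq 0x42 -and $bytes[1] -eq 0x4D) {
        # BMP: 'BM' magic, then bfSize (little-endian UInt32 at offset 2) = declared file size
        $format = 'BMP'
        $declaredEnd = [int64][System.BitConverter]::ToUInt32($bytes, 2)
    }
    elseif ($bytes.Length -ge 8 -and $bytes[0] -eq 0x89 -and $bytes[1] -eq 0x50 -and
            $bytes[2] -eq 0x4E -and $bytes[3] -eq 0x47) {
        # PNG: 8-byte signature, then chunks of [length][type][data][crc]; IEND is last
        $format = 'PNG'
        $pos = 8
        while ($pos + 8 -le $bytes.Length) {
            # chunk length is big-endian; reverse the four bytes for BitConverter
            $len  = [System.BitConverter]::ToUInt32([byte[]]$bytes[($pos + 3)..$pos], 0)
            $type = [System.Text.Encoding]::ASCII.GetString($bytes, $pos + 4, 4)
            $next = $pos + 12 + $len                      # length + type + data + crc
            if ($next -gt $bytes.Length) { break }        # truncated or corrupt chunk table
            if ($type -eq 'IEND') { $declaredEnd = [int64]$next; break }
            $pos = [int]$next
        }
    }

    $trailing = if ($null -ne $declaredEnd) { $bytes.Length - $declaredEnd } else { $null }
    # A trailer that begins with 'MZ' is a PE executable appended to the image
    $trailerIsPE = ($trailing -gt 1) -and
                   $bytes[[int]$declaredEnd] -eq 0x4D -and $bytes[[int]$declaredEnd + 1] -eq 0x5A

    [pscustomobject]@{
        Path          = $Path
        Format        = $format
        DeclaredEnd   = $declaredEnd
        ActualLength  = $bytes.Length
        TrailingBytes = $trailing
        TrailerIsPE   = $trailerIsPE
        Suspicious    = ($trailing -gt 0)
    }
}

# Constructed demo input: a 54-byte BMP header that declares a 54-byte file, followed by
# 32 bytes that start with 'MZ'. Written under %TEMP% only so the function has a file to read.
$bmp = New-Object byte[] 54
$bmp[0] = 0x42; $bmp[1] = 0x4D
[System.BitConverter]::GetBytes([uint32]54).CopyTo($bmp, 2)
$tampered = [byte[]]($bmp + [byte[]](0x4D, 0x5A) + (New-Object byte[] 30))
$samplePath = Join-Path $env:TEMP 'constructed_sample.bmp'
[System.IO.File]::WriteAllBytes($samplePath, $tampered)

Get-ImageTrailerInfo -Path $samplePath | Format-List

# Sweep a download folder the same way:
# Get-ChildItem -Path 'C:\Downloads' -Recurse -Include *.bmp, *.png |
#     ForEach-Object { Get-ImageTrailerInfo -Path $_.FullName } | Where-Object Suspicious
```

A few trailing bytes are not proof of anything; some writers pad files, and PNG allows no data after IEND but BMP tools are sloppier. Treat TrailingBytes as a triage signal and TrailerIsPE as the one worth an alert, and feed confirmed hits to the IOC list from the Symantec write-up rather than relying on this alone.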

2022-10-03

Optus Data Breach Compromised at Least 2.1 Million Valid Identification Numbers

Australian telecommunications company Optus says that a recent breach of its network compromised accounts belonging to 9.8 million customers. Of those, at least 1.2 million records contain at least one valid identification number. Optus has engaged Deloitte to investigate the breach and to determine what could have been done to prevent the incident. Optus has not yet revealed how the attackers infiltrated the network, nor have they provided details about which systems were affected.

Editor's Note

While Optus has not publicly stated the vulnerability, the articles say local reports point to “did not require authentication or authorisation for customer data to be accessed.” “Broken Access Controls” is the number 1 vulnerability on the OWASP Top 10 and “Insecure Design” is number 4 – any thorough software review of internal code or use of a modern software test tool on any open source code should have detected this long ago.

John Pescatore

In addition to the 1.2 million current customer records exposed, another 900,000 expired documents were exposed, which means attackers have customers' old data that could be leveraged to obtain the current information. While the company says they are taking steps to prevent recurrence and affected users have been notified, it’s still not a bad idea to make sure you’ve got credit/ID monitoring now rather than waiting for this to all shake out.

Lee Neely

2022-09-30

CISA Adds Microsoft and Atlassian Flaws to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added three security flaws to its Known Exploited Vulnerabilities (KEV) catalog. All three – a command injection vulnerability in Atlassian Bitbucket Server and Data Center, and a server-side request forgery vulnerability and a remote code execution vulnerability in Microsoft Exchange server – have mitigation deadlines of October 21.

Editor's Note

The KEV instructions for mitigation for all three of these are to apply vendor updates. The Bitbucket issue goes back to August; this should be well and truly patched by now. The Microsoft Exchange issues are still waiting on patches, but you can follow their mitigation guidance.

Lee Neely

2022-10-03

North Korea-linked Hackers Exploited a Dell Firmware Driver Vulnerability to Install Rootkit

Researchers from ESET have observed cyberthreat actors with links to North Korea exploiting a known vulnerability in a Dell firmware driver to install a Windows rootkit. The campaign took place last autumn; the attackers sent phony job offers to a political journalist in Belgium and to an employee of an aerospace company in the Netherlands. The goal of the campaign appears to have been data exfiltration.

Editor's Note

While the intended targets so far have been small, it’s not hard to take mitigation steps regardless of being targeted. Dell provided updates to the DBUtil drivers in May of 2021. Make sure that you’ve deployed them.

Lee Neely

2022-10-03

Comm100 Live Chat Supply Chain Attack

The CrowdStrike Falcon Platform has identified a supply chain attack targeting the Comm100 Live Chat app. Attackers Trojanized an installer for the Comm100 Live Chat app; the malicious version of the installer appears to have been available between September 26 and 29. Comm100 has since released an updated installer (version 10.0.9).

Editor's Note

If you’re using the Comm100 live chat app, make sure that you’re using the updated installer. Make sure that your EDR platform can detect malicious installers.

Lee Neely

2022-09-30

Microsoft: North Korean Hackers are Using Trojanized Open-Source Software and Social Engineering in Espionage Campaign

Microsoft’s LinkedIn Threat Prevention and Defense team says that North Korean state-sponsored hackers are Trojanizing open-source software in an attempt to steal information from organizations in the entertainment, technology, and defense sectors around the world. The threat actors are using social engineering techniques to manipulate people into downloading the maliciously crafted software.

Editor's Note

They are creating weaponized versions of commonly used open source software, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and the muPDF/Subliminal Recording software installer. You need to make sure you are not only educating users about obtaining genuine versions of packages but also providing current EDR that is watching for this activity.

Lee Neely
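Both the Comm100 story and this one come down to the same question: is the installer on disk the build the vendor shipped? The function below is an added example (not code from the newsletter, Microsoft, CrowdStrike, or any of the named projects) of the check a help desk or packaging team can run before an installer is approved. It reads the Authenticode signature, compares the signer's subject against the publisher you expect, compares the SHA-256 against the hash the vendor publishes, and notes whether the file still carries the Internet-zone mark. The publisher pattern and hash in the usage line are placeholders; the real values come from the vendor's own site, and an unsigned project (several of the listed tools ship unsigned builds) can only be checked by hash.

```powershell
# Added example (not from the newsletter, Microsoft, CrowdStrike, or the named projects):
# check an installer against the publisher and hash you expect before it is approved.
# Windows only (Get-AuthenticodeSignature, NTFS alternate data streams).
# Assumption: the publisher pattern and hash come from the vendor's own site; the
# values in the usage line at the bottom are placeholders, not real ones.
function Test-InstallerProvenance {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedPublisherPattern,   # regex matched against the signer's Subject
        [string]$ExpectedSha256              # hash published by the vendor, if any
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "File not found: $Path" }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $hash    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Mark-of-the-Web: ZoneId=3 means the file was downloaded from the Internet zone
    $zone = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    $fromInternet = [bool]($zone | Where-Object { $_ -match '^ZoneId=3' })

    # 'Valid' only says the chain is trusted; a trojanized build can carry a valid
    # signature from the wrong publisher, so the subject check matters as much as status.
    $signatureValid   = ($sig.Status -eq 'Valid')
    $publisherMatches = [bool]($ExpectedPublisherPattern -and $subject -match $ExpectedPublisherPattern)
    $hashMatches      = [bool]($ExpectedSha256 -and $hash -ieq $ExpectedSha256)

    [pscustomobject]@{
        Path             = $Path
        Sha256           = $hash
        SignatureStatus  = $sig.Status
        Signer           = $subject
        FromInternetZone = $fromInternet
        SignatureValid   = $signatureValid
        PublisherMatches = $publisherMatches
        HashMatches      = $hashMatches
        # Accept on a trusted signature from the expected publisher, or on a matching
        # vendor-published hash; anything else is rejected.
        Verdict          = if (($signatureValid -and $publisherMatches) -or $hashMatches) { 'ACCEPT' } else { 'REJECT' }
    }
}

# Usage (placeholder values; take the real publisher name and hash from the vendor):
# Test-InstallerProvenance -Path 'C:\Downloads\installer.exe' `
#     -ExpectedPublisherPattern '^CN=EXAMPLE-VENDOR' -ExpectedSha256 'EXPECTED-SHA256-PLACEHOLDER'
```

The two checks cover different failure modes. The hash catches a swapped installer even when the project never signs its releases, but only if the reference hash was obtained from the vendor and not from the same page the download came from. The publisher match catches the case Lee's note warns about, a look-alike package that is signed, just not by the right party.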

2022-10-03

US/UK Data Access Agreement Now in Effect

The Data Access Agreement, which codifies how the UK and the US will respond to lawful data demands from law enforcement and investigators in the other country, took effect on Monday, October 3. The agreement, also known as the Agreement … on Access to Electronic Data for the Purpose of Countering Serious Crime, is authorized by the Clarifying Lawful Overseas Use of Data (CLOUD) Act.

Editor's Note

These types of agreements are always controversial, but are badly needed to both monitor and apprehend cybercriminals. The best possible outcome is an equal and opposite amount of opposition from privacy groups and national intelligence/law enforcement agencies.

John Pescatore

Data sharing agreements like this are needed to facilitate effective law enforcement response to multi-national crimes. Make sure you have a clear process, properly vetted by all parties, with those you plan to enlist in response to an incident well before it’s needed.

Lee Neely

Internet Storm Center Tech Corner

Microsoft Exchange 0-Day Update

https://isc.sans.edu/forums/diary/Exchange+Server+0Day+Actively+Exploited/29106

https://microsoft.github.io/CSS-Exchange/Security/EOMTv2/


CISA Adds Atlassian Bitbucket Vulnerability to Exploited List

https://www.cisa.gov/uscert/ncas/current-activity/2022/09/30/cisa-adds-three-known-exploited-vulnerabilities-catalog


Microsoft Exchange Vulnerability Fix Bypassed

https://twitter.com/testanull/status/1576774007826718720


Every unsandboxed app has Full Disk Access if Terminal Does

https://lapcatsoftware.com/articles/FullDiskAccess.html


Schneider Electric UMAS Patch Bypass

https://securelist.com/the-secrets-of-schneider-electrics-umas-protocol/107435/


Supply Chain Attack via Trojanized Comm100 Chat Installer

https://www.crowdstrike.com/blog/new-supply-chain-attack-leverages-comm100-chat-installer/