SANS NewsBites

Resource PKI for BGP Security Requires Network Provider Mitigations Until Fully Adopted; HHS Presentation Can Aid in Checking Your Approach to Detecting/Mitigating Living Off the Land Attacks; Patch Fortinet Equipment ASAP

October 11, 2022  |  Volume XXIV - Issue #79

Top of the News


2022-10-09

ATHENE Research Center: Resource Public Key Infrastructure is Broken

Experts at the National Research Center for Applied Cybersecurity say that they have found a method to break Resource Public Key Infrastructure (RPKI), a “mechanism … [that] is actually designed to prevent cybercriminals or government attackers from diverting traffic on the Internet.” The team of scientists say attackers can circumvent RPKI without being detected by network operators.

Editor's Note

The real problem isn't that it fails "open" if a key cannot be found, but the fact that the majority of networks do not have RPKI configured at all.

Johannes Ullrich

As ATHENE points out, currently only 40% of address blocks have RPKI certificates and only 27% of networks are verifying RPKI certs. This attack takes advantage of the way connectivity is allowed when RPKI certs can’t be found or validated and is not effective with full participation. Google and other BGP network providers have put mitigation measures in place to deal with the issue, but faster adoption of RPKI and other MANRS (Mutually Agreed Norms for Routing Security) that The Internet Society has been recommending will be the best solution for upgrading BGP security.

John Pescatore

The exploit takes advantage of RPKI allowing traffic to flow when the identifying certificate for that block cannot be found. About 40% of networks have an identifying certificate, while 27% of networks verify them. As this is a design flaw, don’t expect a rapid change to be issued to fix this issue.

Lee Neely
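The editors' notes above turn on one property of Route Origin Validation: a route whose ROA cannot be found is NOT_FOUND, and the default policy accepts NOT_FOUND routes, so anything that keeps a validator from obtaining a ROA downgrades an INVALID hijack to an accepted one. The following Python is an added example, not code from ATHENE or from this newsletter; it implements the RFC 6811 classification (VALID / INVALID / NOT_FOUND) with the standard library and shows the downgrade using documentation prefixes and ASNs (192.0.2.0/24, AS64496, AS64511), which are constructed sample data.

```python
"""Route Origin Validation (RFC 6811) and the "fail open" policy for NOT_FOUND."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: asn may originate prefix at lengths up to max_length."""
    prefix: str
    max_length: int
    asn: int


def validate(announced_prefix: str, origin_asn: int, roas) -> str:
    """Classify a BGP announcement against a set of ROAs: VALID, INVALID or NOT_FOUND."""
    route = ipaddress.ip_network(announced_prefix)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if roa_net.version == route.version and route.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "NOT_FOUND"  # no ROA says anything about this address space
    for roa in covering:
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "VALID"
    return "INVALID"  # covered by a ROA, but wrong origin AS or too-specific prefix


def accept(state: str, enforcing: bool = True) -> bool:
    """Router policy: an ROV-enforcing router drops INVALID only; NOT_FOUND is accepted
    (fail open). A non-enforcing router, still the majority per the note above, accepts all."""
    if not enforcing:
        return True
    return state != "INVALID"


# Constructed sample: one legitimate ROA for a documentation prefix (RFC 5737 / RFC 5398).
ROAS = [ROA("192.0.2.0/24", 24, 64496)]


def downgrade_demo():
    """Attacker AS64511 originates the victim prefix with and without the ROA being available."""
    with_roa = validate("192.0.2.0/24", 64511, ROAS)  # INVALID: dropped by enforcing routers
    # If the relying party could not obtain the ROA, the same announcement is merely
    # NOT_FOUND and passes the default policy. This is the "cert cannot be found" case
    # the editors describe.
    without_roa = validate("192.0.2.0/24", 64511, [])
    return with_roa, accept(with_roa), without_roa, accept(without_roa)


if __name__ == "__main__":
    print(downgrade_demo())  # ('INVALID', False, 'NOT_FOUND', True)
```

The classifier also rejects a legitimately originated /25 under a ROA with maxLength 24 (INVALID, not NOT_FOUND), which is the usual cause of accidental INVALIDs when operators publish ROAs without checking their more-specific announcements.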

2022-10-07

US HHS HC3 Presentation on Risks Posed by Legitimate Security Tools

The US Department of Health and Human Services Health Sector Cybersecurity Coordination Center (HHS HC3) has published a presentation detailing risks posed by legitimate security tools. The presentation addresses threats posed by Cobalt Strike, PowerShell, Mimikatz, Sysinternals, AnyDesk, and Brute Ratel. The document does not call for organizations to stop using the tools; instead, it urges organizations to “weigh the risks and rewards of each of these tools and be aware of both the value and risk they bring with them.”

Editor's Note

Key takeaways here are actionable defense and detection strategies for these technologies. As a penetration tester, I know that no control is a silver bullet, but we attackers have a harder time when PowerShell is disabled, Credential Guard is enabled, and defenders are watching for beacon-like and odd DNS traffic egressing their networks.

Christopher Elgee

In the 2020 SANS Emerging Threats keynote at the RSA Conference, Ed Skoudis pointed out “Living off the Land” attacks that used these and other tools to essentially use the target’s resident apps against itself. Two of his key recommendations: (1) More use of application whitelisting to limit access to the needed tools; and (2) Purple Teaming, where the Red Team launches LotL attacks and the defenders improve ability to detect and rapidly mitigate.

John Pescatore

Many tools like these can be used for both legitimate and nefarious purposes. The trick is understanding what is normal in your environment and making sure you can detect anomalous behavior. Use application allow/deny lists, particularly on critical servers, to block the installation of anything beyond what they need to meet mission objectives.

Lee Neely

A tool can be used for legitimate or nefarious means. A screwdriver can be used to fix things or it can be used to attack people or break into premises. It is the intent of the person using the tool that matters. That being said, I like this presentation as it gives a good insight into how these tools can be abused and in most cases outlines steps you can take to protect against the abuse/misuse of these tools.

Brian Honan
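One of the detections mentioned in the notes above, watching for beacon-like traffic leaving the network, comes down to finding source/destination pairs whose connections arrive at suspiciously regular intervals. The Python below is an added example, not from the HC3 presentation or any of the editors; it runs that check over a constructed connection log (timestamp, source, destination, port). The event-count and regularity thresholds are assumptions to be tuned against your own baseline.

```python
"""Flag beacon-like periodic connections in a connection log (constructed sample data)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines: ISO timestamp, source, destination, destination port.
# 10.0.0.5 talks to 203.0.113.10 roughly every 60 seconds; 10.0.0.7 is irregular.
SAMPLE_LOG = """\
2022-10-10T12:00:00 10.0.0.5 203.0.113.10 443
2022-10-10T12:00:05 10.0.0.7 198.51.100.20 443
2022-10-10T12:00:09 10.0.0.7 198.51.100.20 443
2022-10-10T12:01:01 10.0.0.5 203.0.113.10 443
2022-10-10T12:02:00 10.0.0.5 203.0.113.10 443
2022-10-10T12:03:02 10.0.0.5 203.0.113.10 443
2022-10-10T12:03:40 10.0.0.7 198.51.100.20 443
2022-10-10T12:03:41 10.0.0.7 198.51.100.20 443
2022-10-10T12:04:01 10.0.0.5 203.0.113.10 443
2022-10-10T12:04:59 10.0.0.5 203.0.113.10 443
2022-10-10T12:06:01 10.0.0.5 203.0.113.10 443
2022-10-10T12:07:00 10.0.0.5 203.0.113.10 443
2022-10-10T12:10:02 10.0.0.7 198.51.100.20 443
2022-10-10T12:12:30 10.0.0.9 203.0.113.10 443
2022-10-10T12:25:30 10.0.0.7 198.51.100.20 443
"""


def parse(text):
    """Yield (timestamp, src, dst) tuples; malformed lines are skipped rather than fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2]


def beacon_candidates(records, min_events=6, max_cv=0.2):
    """Return (src, dst, mean_gap_seconds, cv) for pairs whose inter-arrival times are
    suspiciously regular: at least min_events connections and a coefficient of variation
    (stdev / mean of the gaps) at or below max_cv. Both thresholds are assumed values."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_events:
            continue  # too few samples to call a pattern
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append((src, dst, round(avg, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for hit in beacon_candidates(parse(SAMPLE_LOG)):
        print(hit)  # ('10.0.0.5', '203.0.113.10', 60.0, 0.025)
```

Real C2 frameworks add jitter, so the regularity threshold has to be loose enough to catch a few percent of variation while the minimum event count keeps legitimate periodic services (NTP, update checks) from drowning the output; an allow-list of known periodic destinations is the usual next step.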

2022-10-10

Fortinet: Patch Critical Authentication Bypass Flaw Now

Fortinet says that a critical authentication bypass vulnerability (CVE-2022-40684) in its FortiOS, FortiProxy and FortiSwitchManager products is being actively exploited. The flaw allows an unauthenticated attacker to bypass authentication on the products’ administrative interface with specially crafted HTTP or HTTPS requests and perform operations as an administrator. Fortinet released fixes last week and is urging customers to upgrade: FortiOS 7.0.0 through 7.0.6 to 7.0.7 and 7.2.0 through 7.2.1 to 7.2.2; FortiProxy 7.0.0 through 7.0.6 to 7.0.7 and 7.2.0 to 7.2.1; FortiSwitchManager 7.0.0 to 7.0.1 and 7.2.0 to 7.2.1.

Editor's Note

More details and a likely PoC exploit are expected later this week. This is not just a “must patch now” issue, but yet another reason to verify that your admin interfaces are not exposed. Starting yesterday, we saw an increase in scans for an older Fortinet vulnerability. This may either be due to the publicity around the flaw, or someone using an older attack tool to fingerprint devices in order to build target lists.

Johannes Ullrich

Until you've applied the update, you can disable access to the web administration interface, or limit which hosts are allowed to connect to it. Even after you've applied the update, keep access to the web interface limited to only the devices which _MUST_ use it.

Lee Neely

The Rest of the Week's News


2022-10-07

Lloyd’s of London is Investigating “Unusual Activity” on its Network

Insurance and reinsurance market Lloyd’s of London says it has “detected unusual activity on [its] network and … [is] investigating the issue.” Lloyd’s has reset its IT systems and shut down external connectivity, but has not yet provided further details.

Editor's Note

This is a good example of that tough business risk decision to proactively disconnect and impact business to minimize the potential impact of a suspected breach. This is a good scenario for a proactive tabletop exercise with management/board members, both to educate them and to make sure the security team has an effective approach for communicating near-term risk in a way that lets management make an informed decision.

John Pescatore

Lloyd’s engaged Mandiant and NTT to help with the investigation, which found no evidence of compromise and advised Lloyd’s to start bringing systems online whenever it wishes. Services are expected to be restored by October 12.

Lee Neely

2022-10-08

Microsoft Updates Exchange Server Mitigations Again

On October 8, Microsoft updated its suggested mitigations for two zero-day vulnerabilities in Exchange Server. The updated recommendations include a revised blocking rule in IIS Manager. The two vulnerabilities, which are collectively known as ProxyNotShell, can be chained to allow remote code execution.

Editor's Note

Let’s hope we will get a patch for this vulnerability today. Filtering malicious requests will always be a whack-a-mole game between defenders coming up with better rules and attackers finding bypasses, as long as the actual vulnerability isn’t fixed.

Johannes Ullrich

The update to the instructions changes the blocking rule in IIS Manager from .*autodiscover\.json *Powershell.* to (?=.*autodiscover\.json)(?=.*powershell). It's likely going to be easier to use the updated EOMTv2 PowerShell script and avoid transcription errors. There are still no patches; you will need to continue active monitoring for attempted exploits.

Lee Neely

For those who are concerned that their servers have been compromised, the Microsoft Safety Scanner is a tool that can quickly scan for any malicious software and is available to download for free from https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/safety-scanner-download?view=o365-worldwide

Brian Honan

2022-10-10

Zimbra Vulnerability Remains Unpatched

A zero-day flaw in Zimbra email servers (CVE-2022-41352) is being actively exploited to backdoor vulnerable servers. A Zimbra customer reported the attacks in early September. Zimbra has not yet released a fix for the vulnerability and has instead urged customers to make sure that the pax file archiver is installed on their systems.

Editor's Note

Note that this isn't so much a Zimbra vulnerability but a vulnerability in the cpio utility included in some Linux distributions. Using the alternative (and preferred) "pax" utility will prevent exposing cpio via Zimbra.

Johannes Ullrich

The exploit requires two conditions to be met. First, a vulnerable version of cpio must be present/pre-installed; second, the pax utility must not be installed. The flaw leverages behavior in the Zimbra AV engine, which uses cpio to extract the files it's scanning. Zimbra is moving to pax from cpio and will use pax if installed. Note the easiest fix is to add pax to your Linux distribution and restart the Zimbra services.

Lee Neely

2022-10-06

CISA Schedules Additional Listening Session for Incident Reporting Rules Input

The US Cybersecurity and Infrastructure Security Agency (CISA) has scheduled an additional listening session for public input on its proposed cyber incident reporting regulations in Washington, DC. CISA is seeking input on the Cyber Incident Reporting for Critical Infrastructure Act of 2022. There are also sessions scheduled for New York City, Philadelphia, Oakland, CA, Boston, Seattle, and Kansas City, MO. Interested parties may register at https://www.cisa.gov/circia.

Editor's Note

The new session is October 19th in Washington, DC. The proposed regulation requires reporting of “covered cyber incidents” to CISA within 72 hours, and report “ransom payments” within 24 hours. Input is needed to make sure that “covered entities,” “covered cyber incidents,” and “ransom payments” are properly defined.

Lee Neely

2022-10-07

Cancer Testing Lab Reports Second Data Breach in Six Months

A cancer testing laboratory based in the US state of Georgia has reported a second data breach within just six months. In early July, Cytometry Specialists, dba CSI Laboratories, learned that it had been the victim of a phishing attack. The company reported the incident to federal regulators on September 26. CSI Laboratories says the more recent incident is not related to the data exfiltration incident it reported to regulators in March 2022.

Editor's Note

A side effect of improving your cyber hygiene is that you may find you’re discovering incidents which would previously have gone unnoticed, which is a huge step in the right direction. Even so, make sure that you’re looking for gaps in your armor and filling them, not only to prevent recurrence, but also to thwart other types of attack. Consider that once breached, it’s kind of like blood in the water, and you’re going to be targeted by others looking to take advantage of your shortcomings.

Lee Neely

2022-10-10

Intel Acknowledges Alder Lake BIOS Leak

In a statement to Tom’s Hardware, Intel acknowledged a data leak that exposed Unified Extensible Firmware Interface (UEFI) source code for its Alder Lake CPUs. Intel does not believe the leaked code exposes any new vulnerabilities, but encourages researchers to report any issues they do find to its bug bounty program, Project Circuit Breaker.

Editor's Note

The repository with the source code has been taken down. Alder Lake CPUs, first released in late 2021, are in laptop/desktop systems, not servers. While a researcher claims to have discovered undocumented registers, aka MSRs, used in the Alder Lake CPU for debugging or enabling/disabling specific chip features, Intel claims it is not obscuring security information; that information should be available through other legitimate channels if you really need it.

Lee Neely

2022-10-07

macOS Archive Utility Vulnerability

Researchers at Jamf Threat Labs have discovered a remote code execution vulnerability in macOS Archive Utility. Jamf notified Apple about the issue on May 31, 2022; the flaw was fixed in July. Jamf found the Archive Utility vulnerability after detecting a flaw in Safari that could circumvent Gatekeeper checks earlier this year and decided to “research other archiving features that might suffer from similar issues.”

Editor's Note

The flaw was fixed in macOS 12.5, released July 2022. Essentially, you leverage a flaw in the Safari browser to get it to unload a crafted archive file, causing the quarantine bit to _NOT_ be set, which then bypasses the Gatekeeper functions that prompt for permission prior to allowing execution of such a file. The fix is simple: apply the latest updates from Apple.

Lee Neely

Internet Storm Center Tech Corner

Wireshark Display Filter Update

https://isc.sans.edu/forums/diary/Wireshark+Specifying+a+Protocol+Stack+Layer+in+Display+Filters/29130


BazarCall Social Engineering Tactics

https://www.trellix.com/en-us/about/newsroom/stories/research/evolution-of-bazarcall-social-engineering-tactics.html


RPKI Rate Limiting

https://www.usenix.org/system/files/sec22-hlavacek.pdf


Microsoft Exchange Workaround Improved Again

https://msrc-blog.microsoft.com/2022/09/29/customer-guidance-for-reported-zero-day-vulnerabilities-in-microsoft-exchange-server/


Fortinet Vulnerability Update

https://twitter.com/Horizon3Attack/status/1579285863108087810

https://docs.fortinet.com/document/fortigate/7.2.2/fortios-release-notes/760203/introduction-and-supported-models


Zimbra Vulnerability

https://twitter.com/iagox86/status/1578084484720734209

https://attackerkb.com/topics/1DDTvUNFzH/cve-2022-41352/rapid7-analysis?referrer=activityFeed


Ikea Smart Bulb Exploit

https://www.synopsys.com/blogs/software-security/cyrc-advisory-ikea-tradfri-smart-lighting/