SANS NewsBites

Google Ramping Up Support for Phishing Resistant Passkey Authentication; Patch Your Fortinet Products; Apply Fixes For All Use of Zimbra

October 18, 2022  |  Volume XXIV - Issue #81

Top of the News


2022-10-16

Google Adds Passkey Support to Chrome and Android

Google has added passkey support to Chrome and Android as of Wednesday, October 12. Currently, two capabilities are in beta: “Users can create and use passkeys on Android devices, which are securely synced through the Google Password Manager, [and] developers can build passkey support on their sites for end-users using Chrome via the WebAuthn API, on Android and other supported platforms.”

Editor's Note

More progress away from reusable passwords is always a good thing. Password manager software products such as Dashlane have added passkey support, as well. VPN/remote access providers should accelerate rolling out standards-based passkey support as should all of the platform as a service providers (such as in healthcare and retail) to make broad adoption happen faster.

John Pescatore

Passkey is what most vendors are calling the FIDO based implementation of strong (or phishing resistant) MFA. Apple has already announced something similar, with Microsoft and other big vendors supporting the solution soon (if not already). This solution replaces traditional passwords and other versions of MFA with a public-key cryptography /biometric solution. While the backend technology can be quite complex, it greatly simplifies authentication for people as there are no passwords to manage, people simply authenticate via biometrics. To help me better understand all of this, I forced myself to write a blog explaining in very simple terms passkeys / phishing resistant MFA. https://www.sans.org/blog/what-is-phishing-resistant-mfa/

Lance Spitzner

As a transition to passwordless, these passkeys are essentially the public key that is verified by unlocking the private key on your device (e.g., android) using biometric authentication. Google is making these cross-platform and encouraging developers to include support for passkeys in applications to raise the bar on “standard” logins.

Lee Neely

I have concerns around passkey and its Apple equivalent. The concern isn't the technology per se, it's the extreme lock in. Say you have several hundred passkeys. How easy would it be to migrate between systems? Do developers have to keep adding more and more identity provider integrations?

Moses Frost

The excuses for the continued use of passwords are fast disappearing even as their contribution to breaches persists.

William Hugh Murray
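To make concrete what this item and the editors' notes describe (a private key held on the device, a fresh challenge signed per login, no reusable secret), here is an added example in Go. It is not Google's, Apple's or any vendor's code; it models a WebAuthn "get" ceremony on both sides. The relying party name login.example.net and its origin, the P-256 key, and the cut-down authenticatorData (rpIdHash plus one flags byte) are assumptions for the demo; a real RP also parses the credential public key registered at enrolment and checks counters and flags. The point it shows is why a relayed or phished login fails: the browser, not the page, writes the page's origin into clientDataJSON, and that JSON is part of what the authenticator signs, so an assertion minted at a look-alike domain is rejected even though its signature is valid.

```go
package main

// Added example, not vendor code: a minimal model of a WebAuthn/passkey
// assertion showing challenge and origin binding. rpID/rpOrigin and the
// simplified authenticatorData layout are assumptions for this demo.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed relying party (RP); only this origin may present assertions.
const (
	rpID     = "login.example.net"
	rpOrigin = "https://login.example.net"
)

// clientData mirrors WebAuthn's CollectedClientData. The browser, not the web
// page, fills in Origin, which is what makes a relayed login detectable.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what the RP receives from navigator.credentials.get().
type Assertion struct{ AuthenticatorData, ClientDataJSON, Signature []byte }

// Authenticator models the device-side passkey; the private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv}, nil
}

// PublicKey is what the RP stores at registration.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// NewChallenge is the RP's fresh per-login nonce, base64url as WebAuthn encodes it.
func NewChallenge() (string, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return base64.RawURLEncoding.EncodeToString(b), err
}

// signedDigest is SHA-256(authenticatorData || SHA-256(clientDataJSON)),
// the message a WebAuthn "get" ceremony signs.
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign models browser plus authenticator for a login from the given origin.
// authenticatorData is simplified to rpIdHash || flags (0x01 = user present).
func (a *Authenticator) Sign(origin, challenge string) (Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	if err != nil {
		return Assertion{}, err
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedDigest(authData, cd))
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}, err
}

// Verify is the RP side. Type, challenge, origin and rpIdHash are checked
// before the signature; those bindings are what passwords and OTPs lack.
func Verify(pub *ecdsa.PublicKey, expectedChallenge string, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return errors.New("wrong ceremony type")
	}
	if cd.Challenge != expectedChallenge {
		return errors.New("challenge mismatch: replay or cross-session")
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: relayed through another site", cd.Origin, rpOrigin)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthenticatorData) < 33 || string(as.AuthenticatorData[:32]) != string(rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(as.AuthenticatorData, as.ClientDataJSON), as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	auth, _ := NewAuthenticator()
	chal, _ := NewChallenge()
	genuine, _ := auth.Sign(rpOrigin, chal)
	// A phishing proxy can relay the real challenge, but the victim's browser
	// stamps the proxy's origin into clientDataJSON, so the RP rejects it.
	relayed, _ := auth.Sign("https://login.example.net.evil.test", chal)
	fmt.Println("genuine:", Verify(auth.PublicKey(), chal, genuine))
	fmt.Println("relayed:", Verify(auth.PublicKey(), chal, relayed))
}
```

Run it with go run; the first line prints <nil>, the second the origin error. Note that the origin check is done by the RP, not the authenticator: the authenticator only guarantees that whatever the browser presented is what was signed, so an RP that skips the origin comparison (or accepts any origin matching a loose pattern) throws the phishing resistance away.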

2022-10-17

Attacks Targeting Fortinet Vulnerability are Escalating

Fortinet is urging users to patch their FortiOS, FortiProxy and FortiSwitchManager appliances against an authentication bypass vulnerability, CVE-2022-40684. The flaw lets an unauthenticated attacker perform operations on the administrative interface, including gaining admin access, through maliciously crafted HTTP/HTTPS requests. Affected versions are FortiOS 7.0.0 through 7.0.6 and 7.2.0 through 7.2.1, FortiProxy 7.0.0 through 7.0.6 and 7.2.0, and FortiSwitchManager 7.0.0 and 7.2.0; the fixes are FortiOS 7.0.7 and 7.2.2, FortiProxy 7.0.7 and 7.2.1, and FortiSwitchManager 7.2.1. If users are unable to update immediately, they are advised to disable the HTTP/HTTPS administrative interface or to restrict, with a local-in policy, the IP addresses that can reach it. Fortinet's advisory (FG-IR-22-377) lists log entries with user="Local_Process_Access" as an indicator that the bypass has been used. The flaw has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Editor's Note

There appear to be a lot of organizations unaware that they are using a vulnerable appliance. Please double check and scan your network for these devices. As usual: Do not expose admin interfaces to the internet (web or ssh). In our honeypots, we saw exploit attempts as soon as the details were made public.

Johannes Ullrich

Fortinet is actively reaching out to customers and urging them to apply the update or mitigations. If you have affected Fortinet gear, make sure that no unauthorized/unexpected changes have been made. Verify the update has been applied and review the Fortinet bulletin for other IOCs, make sure you're golden. Even if you don’t have Fortinet gear, make sure that you’re limiting access to the administrative interfaces of your boundary control devices.

Lee Neely

I know many vendors provided web-based administration capabilities for their devices, but I believe the risks of such a solution far outweigh the benefits provided. My recommendation is to configure any remote administration of a firewall or other security devices to use a VPN that is protected by strong MFA.

Brian Honan

On the surface, having your management interfaces exposed to the internet would normally be something we would consider a bad practice. This is until you realize that many enterprises will attempt to manage their sites using cloud-based management interfaces that require this configuration. The only current saving grace is that 7.0 and 7.2, which are the current vulnerable ones, are not yet widely deployed.

Moses Frost

2022-10-17

Zimbra Releases Fixes for Actively Exploited Flaw

Zimbra has released updates to address a critical code execution vulnerability that is being actively exploited. The vulnerability, CVE-2022-41352, affects the Amavis content filter component of Zimbra Collaboration Suite versions 8.8.15 and 9.0, which uses cpio to unpack archive attachments; a crafted archive can be used to write files outside the extraction directory as the zimbra user. Users are urged to update to Zimbra 9.0.0 Patch 27 and Zimbra 8.8.15 Patch 34. The flaw has a CVSS score of 9.8.

Editor's Note

Note that strictly speaking, this isn't a Zimbra flaw, but a cpio flaw. Some Linux distributions include a version of cpio that does not include an older security fix as it may interfere with other usage cases for cpio. The Zimbra patch makes sure that the alternative "pax" utility is installed, which isn't installed by default in some Linux distributions. In addition, the update fixes a few more security vulnerabilities.

Johannes Ullrich

This vulnerability is being actively exploited and builds upon a 2015 weakness (CVE-2015-1197). After you apply the patch, go to the Zimbra support portal and review the additional hardening guidance there to ensure you have a complete fix to the vulnerability.

Lee Neely
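The weakness the notes above refer to (CVE-2015-1197) is an extractor problem rather than anything Zimbra-specific: an archive contains a symlink member first, then a regular file whose path runs through that symlink, and an extractor that trusts member names writes the file wherever the link points. The following is an added example in Go, not Zimbra's, Amavis's or cpio's code: a small reader for the newc cpio format, a writer used only to construct the two-member fixture, an unchecked place() step that behaves like the vulnerable extractor, and SafeExtract, which rejects absolute and parent-relative names and refuses to create anything whose path passes through a symlink below the destination. The member layout, mode constants (S_IFLNK, S_IFREG) and the archive contents are constructed here for the demo; path handling assumes a Unix host.

```go
package main

// Added example, not Zimbra/Amavis/cpio code: a newc cpio reader plus a
// checked extractor, demonstrating the symlink-then-file traversal pattern.

import (
	"bytes"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

const (
	modeSymlink = 0o120000 // S_IFLNK
	modeRegular = 0o100000 // S_IFREG
	typeMask    = 0o170000
)

// Entry is one archive member; Data is the file body, or the link target for a symlink.
type Entry struct {
	Name string
	Mode uint32
	Data []byte
}

func pad4(b *bytes.Buffer) {
	for b.Len()%4 != 0 {
		b.WriteByte(0)
	}
}

// WriteNewc builds a newc ("070701") archive; used here only to construct the fixture.
func WriteNewc(es []Entry) []byte {
	var b bytes.Buffer
	hdr := func(mode uint32, name string, size int) {
		b.WriteString("070701")
		// ino mode uid gid nlink mtime filesize devmaj devmin rdevmaj rdevmin namesize check
		for _, f := range []int{1, int(mode), 0, 0, 1, 0, size, 0, 0, 0, 0, len(name) + 1, 0} {
			fmt.Fprintf(&b, "%08x", f)
		}
		b.WriteString(name)
		b.WriteByte(0)
		pad4(&b)
	}
	for _, e := range es {
		hdr(e.Mode, e.Name, len(e.Data))
		b.Write(e.Data)
		pad4(&b)
	}
	hdr(0, "TRAILER!!!", 0)
	return b.Bytes()
}

// ReadNewc parses a newc archive up to its TRAILER!!! member, bounds-checking every field.
func ReadNewc(raw []byte) ([]Entry, error) {
	var out []Entry
	for off := 0; ; {
		if off+110 > len(raw) || string(raw[off:off+6]) != "070701" {
			return nil, errors.New("truncated or non-newc header")
		}
		field := func(i int) (v int) { // i-th 8-hex-digit header field
			fmt.Sscanf(string(raw[off+6+8*i:off+14+8*i]), "%x", &v)
			return v
		}
		mode, size, nsize := field(1), field(6), field(11)
		off += 110
		if nsize < 1 || off+nsize > len(raw) {
			return nil, errors.New("bad namesize")
		}
		name := string(raw[off : off+nsize-1])
		off = (off + nsize + 3) &^ 3 // name is NUL-terminated and padded to 4 bytes
		if name == "TRAILER!!!" {
			return out, nil
		}
		if size < 0 || off+size > len(raw) {
			return nil, errors.New("bad filesize")
		}
		out = append(out, Entry{name, uint32(mode), append([]byte{}, raw[off:off+size]...)})
		off = (off + size + 3) &^ 3
	}
}

// place creates the member at target with no path checks at all; calling it
// directly for each member is what a naive extractor does, and a regular-file
// member after a symlink member lands wherever the link points.
func place(target string, e Entry) error {
	if err := os.MkdirAll(filepath.Dir(target), 0o755); err != nil {
		return err
	}
	if e.Mode&typeMask == modeSymlink {
		return os.Symlink(string(e.Data), target)
	}
	return os.WriteFile(target, e.Data, 0o644) // follows any symlink already at target
}

// SafeExtract rejects absolute or parent-relative names and refuses to create
// anything whose path passes through a symlink below dst (Lstat per component).
func SafeExtract(dst string, es []Entry) error {
	for _, e := range es {
		rel := filepath.Clean(e.Name)
		if rel == "." || filepath.IsAbs(rel) || rel == ".." || strings.HasPrefix(rel, "../") {
			return fmt.Errorf("%q: empty, absolute or parent-relative name", e.Name)
		}
		cur := dst
		for _, part := range strings.Split(rel, "/") {
			cur = filepath.Join(cur, part)
			if fi, err := os.Lstat(cur); err == nil && fi.Mode()&os.ModeSymlink != 0 {
				return fmt.Errorf("%q: %q is a symlink, refusing to write through it", e.Name, cur)
			}
		}
		if err := place(cur, e); err != nil {
			return err
		}
	}
	return nil
}
```

The per-component Lstat is the check that matters: the final target is also examined, so an archive that ships a symlink named x and then a regular file named x cannot overwrite the link's target either. Rejecting "../" handles the older, simpler traversal; the symlink case is the one a prefix check alone misses, which is why a patched cpio (or pax, as the Zimbra fix uses) has to track what it has already created.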

The Rest of the Week's News


2022-10-14

NHS Managed Software Provider Says Some Data Were Exfiltrated in Ransomware Attack

A managed software provider for the UK’s National Health Service (NHS), Advanced, has acknowledged that a cybersecurity incident disclosed this summer resulted in the exfiltration of some sensitive data. Advanced was forced to “disconnect the entire Health and Care environment” in early August; the incident has caused disruptions to NHS services.

Editor's Note

Looks like once again reusable passwords enabled a breach at a service provider: “Access was gained via Advanced’s network using legitimate third-party credentials to set up a Remote Desktop session to the Staffplan Citrix server.” Make sure support for multifactor authentication/passkey support is a key requirement when your organization is looking at any third party services.

John Pescatore

As of October 13th, 90 percent of the affected sites were back online, a bit longer than the initial projection of seven to twenty-one days to recover. An interesting note is that the recovery is expected to be on the order of 10x any ransom payment requested. When you include costs of hiring additional incident response expertise, staff to rebuild and re-assure systems, and add in costs related to loss of services to customers, 10x seems conservative. Point is - make sure that you’re truly prepared for the costs associated with a breach, talk through all the resources required and time expected, then consider doubling it.

Lee Neely

2022-10-14

Three US Critical Infrastructure Sectors to Get New Cybersecurity Requirements

The White House will soon be addressing critical infrastructure sector-specific cyber security standards for the communications, water, and healthcare sectors. The US Federal Communications Commission (FCC), the Environmental Protection Agency (EPA), and the Department of Health and Human Services (HHS) will release cyber guidelines and rules as they pertain to the sectors that fall under their purview.

Editor's Note

Critical infrastructure guidance has been released a few sectors at a time based on risk. Eventually all sectors will have coverage. This guidance will be voluntary at this time, which means it’s a good time to review it and figure out what works best as either sector or NIST guidance enters the comment phase for proposed required configurations.

Lee Neely

2022-10-17

Ransomware Disrupts German Newspaper Printing

A ransomware attack caused the shutdown of systems that are used to print several German newspapers. The attack disrupted the Stimme Mediengruppe, whose publications include Heilbronner Stimme, Pressedruck, Echo, and RegioMail.

Editor's Note

When internet access first came about, most newspapers and periodicals used to have strong segmentation between their printing operations and their office/news production networks. However, shortcuts have often been taken to both reduce the time and cost of having online versions of the print offering as well as for remote work. If you are in that industry, good item to use to drive a review of your actual (in practice, not just on paper) IT/OT segmentation.

John Pescatore

The fallback plan here is leveraging on-line versions of the newspapers, dropping paywalls to allow readers access as well as printing emergency copies at alternate facilities. Both approaches have been problematic as the systems needed to create or host the content are similarly impacted. Kudos to the publisher for leveraging multiple mechanisms to deliver information to the customer; consider this scenario as you conduct your tabletop, maybe asking a few more what-if questions, extending your definition of what's offline to augment your plan.

Lee Neely

2022-10-17

Debugging Port Misconfiguration in Zoom for macOS

A high-severity vulnerability in Zoom Client for Meetings for macOS could be exploited “to connect to and control the Zoom Apps running in the Zoom client.” The flaw affects Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with 5.10.6 and prior to 5.12.0. Zoom has released a patch to address this vulnerability. Zoom has also released a fix for a medium-severity flaw in Zoom On-Premise Meeting Connector Multimedia Router (MMR).

Editor's Note

Make sure that your Mac users have updated their client. The users should be prompted to apply the update when they launch Zoom, but it doesn’t hurt to scan and make sure. Zoom released two fixes - the client patch fixes CVE-2022-28762 and the Zoom MMR fix addresses CVE-2022-28761.

Lee Neely

2022-10-17

Operation Jackal Takes Down Cybercrime Organization

Interpol has announced the arrest of 75 people in connection with a cybercrime syndicate that has been perpetrating cyber fraud and using the spoils to fund other criminal activity. Operation Jackal involved law enforcement agents in 14 countries around the world. Officials raided nearly 50 properties and seized numerous assets, including 12,000 SIM cards, and EUR 1.2 million in bank accounts.

Editor's Note

Read those numbers again. It is estimated that about 2 trillion dollars in illicit funds is laundered and less than 1% is intercepted and recovered. INTERPOL’s actions are an example of what can happen when police forces cooperate across borders.

Lee Neely

Well done to all involved in this operation. Running an operation involving law enforcement agencies from 14 different countries is no easy task, but this successful operation highlights how international cooperation between the law enforcement agencies is improving and becoming more effective. Good news for us all, except of course for cybercriminals.

Brian Honan

2022-10-17

Arrests Made in Connection with Keyless Entry Auto Theft Ring

Law enforcement authorities in France, Spain, and Latvia have arrested more than 30 people in connection with a scheme to steal cars that use keyless entry and start technology. The thieves used a tool that is advertised as an automotive diagnostic solution to unlock and start the cars.

Editor's Note

The arrests included not only the thieves, but also the software developers and resellers. The thieves replaced the original software in the vehicles, which allowed for remote start/unlock without the vehicle fob and to drive off the car without the engine stopping when the door was opened.

Lee Neely

2022-10-14

India is Expected to Push Back Deadline for Infosec Reporting Rules, Again

The deadline for compliance with India’s new information security incident reporting requirements is likely to be extended once again. The rules require organizations to report numerous types of security incidents to India’s Computer Emergency Response Team (CERT-In) within six hours of detection. When they were introduced in April 2022, the rules were met with criticism for being both laborious and vague. Organizations were initially given 60 days to comply with the rules; in June, that deadline was extended to September 25. India’s minister of state for electronics and information technology indicated that the deadline is likely to be pushed out once again.

Editor's Note

India is learning the difficulty of sweeping regulation. While some larger organizations appear to be complying with the new rules, small to medium sized organizations are not as easily able to comply. One hopes that CERT-In is also considering modification to the requirements to make them more achievable, lest additional businesses either move out of India or find ways around the regulation.

Lee Neely

Internet Storm Center Tech Corner

Fileless Powershell Dropper

https://isc.sans.edu/forums/diary/Fileless%20Powershell%20Dropper/29156/


Analysis of a Malicious HTML File and QBot

https://isc.sans.edu/forums/diary/Analysis+of+a+Malicious+HTML+File+QBot/29146


Apache Commons Text Vulnerability

https://www.openwall.com/lists/oss-security/2022/10/13/4


End of Life VMWare ESXi Versions

https://www.lansweeper.com/eol/vmware-esxi-end-of-life/


Horizon3 Publishes FortiOS Vulnerability Details and Exploit

https://github.com/horizon3ai/CVE-2022-40684


How a Microsoft Blunder Opened Millions of PCs to Potent Malware Attacks

https://arstechnica.com/information-technology/2022/10/how-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks/


More Exchange Vulnerability Workaround Bypasses

https://twitter.com/wdormann/status/1576922677675102208