SANS NewsBites

If Execs Are Traveling to Qatar, Give Them a Temporary Phone; Patch Zimbra and Look for Indicators You Were Already Compromised

November 15, 2022  |  Volume XXIV - Issue #89

Top of the News


2022-11-14

Data Protection Agencies: If You’re Going to Qatar for the World Cup, Take a Burner Phone

Visitors to Qatar are required to download two apps to their smartphones: a COVID-tracking app called Ehteraz, and the official World Cup app, Hayya. Ehteraz has received scrutiny over its ability to allow remote access to users’ photos and videos, the ability to read and write to a device’s file system, and requiring location services to be always on.

Editor's Note

Burner phones are a good idea whenever you are traveling, in particular if you are traveling abroad and are required to install special tracking applications. Post Covid, these tracking applications have become quite common.

Johannes Ullrich

Many organizations had such policies for executive travel to China, Russia and other countries – add Qatar to the list. Maybe in the US we will soon require visitors to download apps featuring Beyonce or Taylor Swift…

John Pescatore

Over-permissioned apps are a threat. The Ehteraz app asks users to allow remote access to pictures and videos, make unprompted calls, and read or modify device data while the Hayya app asks for full network access and unrestricted access to personal data. It also prevents the device from going into sleep mode and views the phone’s network connections. Both need location data to operate, which is expected. This is an excellent time to take a loaner/burner device which has _MINIMAL_ data. Also at the event are 15,000 surveillance cameras with facial recognition capabilities, ostensibly to keep people safe. Given that Qatar has a lousy reputation when it comes to human rights, this may be a good time to pass on visiting.

Lee Neely

The apps make this problem obvious and burners an appropriate mitigation. However, the risk of international travel with information is not limited to a few countries or a particular technology. For government officials, journalists, activists, and even some business people, it is a more fundamental problem. In a world of fast and ubiquitous connectivity and efficient cryptography, consider leaving the data behind. Consider disposable hardware in general, not just phones.

William Hugh Murray

2022-11-14

CISA and MS-ISAC Add New Indicators of Compromise to Zimbra Collaboration Suite Alert

The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its August 16 alert, Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite, to include additional indicators of compromise (IoCs). In the August version of the alert, CISA and the Multi-State Information Sharing and Analysis Center (MS-ISAC) urge organizations that did not immediately update Zimbra Collaboration Suite when the fixes became available, or whose instances of ZCS were exposed to the Internet, to “assume compromise and hunt for malicious activity.”

Editor's Note

The highlight to take away from this: If you are still running a vulnerable version of Zimbra, assume it to be compromised.

Johannes Ullrich

This is an update to the advisory from August 16th. Two things here. First, there are updated IOCs to consume and scan for, like now. Second, unpatched Zimbra installations are targeted, so patch your Zimbra installation. Leverage this information to get the downtime you need to properly analyze and remediate/patch. Don't let anyone talk you out of addressing this.

Lee Neely

The Rest of the Week's News


2022-11-14

NSA Urges Use of Memory-Safe Software Languages

The US National Security Agency has published guidance on software memory safety. Noting that “exploitable software vulnerabilities are … frequently based on memory issues,” NSA urges developers to use “memory safe software languages,” such as C#, Go, Java®, Ruby™, Rust®, and Swift®. NSA recommends the use of static and dynamic application security testing to harden code written in languages that are not memory safe.

Editor's Note

NSA’s report points out “Even with a memory safe language, memory management is not entirely memory safe. Most memory safe languages recognize that software sometimes needs to perform an unsafe memory management function to accomplish certain tasks.” This highlights the importance of requiring static and dynamic testing of all procured or custom-built software. A historical note: in 1978 I graduated from college and went to work at NSA. The first edition I read of the internal NSA newsletter Cryptolog had an article on buffer overflow vulnerabilities – in mainframe operating systems. Software has a long history of being soft.

John Pescatore

Memory management is key on multiple levels. I remember writing code that consumed memory as well as other programs which neglected to fully release it when done. Irrespective of your development environment, make sure that you're running static and dynamic code analysis to make sure you didn't overlook it.

Lee Neely

Don't get me wrong; I am critical of our tools and believe that our choice of those tools contributes to the poor quality of our results. However, our choice of tools is rooted in our culture and that is where the real problem lies. The culture prefers cheap, early, general, flexible, and feature rich; it is tolerant of shoddy. Collectively and pervasively, we will not choose safer tools, much less produce quality results, until we change our culture to one that puts quality first. (Incidentally, if one controls for quality ahead of cost and schedule, cost and schedule will take care of themselves. The reason that we do not make cost and schedule is, not because we do not produce enough code per unit of cost and time but because when we finally get around to testing (for quality) the damn thing doesn't work. Test early, test often, test late, test.)

William Hugh Murray

2022-11-14

CISA Publishes Stakeholder-Specific Vulnerability Categorization Guide

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a Stakeholder-Specific Vulnerability Categorization Guide to help government agencies and other organizations prioritize vulnerability management. The guide includes information about how CISA scores vulnerabilities, and describes its decision tree model.

Editor's Note


Lee Neely

2022-11-14

Canadian Supermarket Chain Recovering From Cyberattack

Canadian supermarket chain Sobeys is recovering from a cyberattack. Sobeys parent company Empire disclosed the incident in a press release on November 7, noting that while stores remained open, “some in-store services are functioning intermittently or with a delay. In addition, certain of the Company’s pharmacies are experiencing technical difficulties in fulfilling prescriptions.”

Editor's Note

Sobeys has more than 1500 locations across Canada with brand names such as Foodland, IGA, Lawtons, Needs, Safeway, etc. The attack appears to involve the Black Basta ransomware and was executed about the same time as the attack on Canadian meat supplier Maple Leaf Foods. Fortunately, the contingency plans have most services operating at this time. With today's patterns, the trick is not only to restore operations and close the avenue of attack, but also to make sure that you have checked for, and addressed, other attack vectors, as attackers are quick to go after what is perceived as a weakened target. Make sure your recovery plan considers this behavior.

Lee Neely

2022-11-14

Kerberos Authentication Problems After Last Week’s Microsoft Patch Tuesday

Microsoft has acknowledged that updates released last week might cause problems with Kerberos authentication on Windows Servers with the Domain Controller role. Microsoft says it is working on a solution for the problem. Kerberos is the default authentication protocol for domain-connected devices running Windows 2000 and newer.

Editor's Note

So this isn't impacting home users and non-domain joined devices, which reduces the problem set for the enterprise very little. This is an unintended consequence of domain hardening actions, which are desirable, taken as part of the update. The issue may raise a Microsoft-Windows-Kerberos-Key-Distribution-Center Event ID 14 error event in the System section of Event Log on your Domain Controller, and is most likely tied to where you have set the 'This account supports Kerberos AES 256 bit encryption' or 'This account supports Kerberos AES 128-bit encryption' Account Options for your AD users. Lots of variability here; keep an eye on MS for a revised patch.

Lee Neely
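To scope the symptom described in the note above, an added triage script (not from SANS, Microsoft, or any editor here). It assumes the ActiveDirectory RSAT module, rights to read each Domain Controller's System log, and that the AES Account Options map to the documented msDS-SupportedEncryptionTypes bits (AES128 = 0x8, AES256 = 0x10).

```powershell
# Added example: find DCs logging KDC Event ID 14 and inventory accounts
# with the "This account supports Kerberos AES ..." options set.
# Assumes the ActiveDirectory module and read access to DC System logs.
Import-Module ActiveDirectory

$Hours = 24   # look-back window, adjust as needed
$since = (Get-Date).AddHours(-$Hours)
$domainControllers = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

# 1. Check each DC's System log for the KDC error mentioned in the note.
$dcReport = foreach ($dc in $domainControllers) {
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        Id           = 14
        StartTime    = $since
    }
    # Get-WinEvent raises a non-terminating error when nothing matches; suppress it.
    $events = @(Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        DomainController = $dc
        Event14Count     = $events.Count
        LatestMessage    = if ($events.Count -gt 0) { $events[0].Message } else { $null }
    }
}
$dcReport | Format-Table -AutoSize

# 2. List user and computer accounts whose AES Account Options are set.
#    The checkboxes set bits in msDS-SupportedEncryptionTypes; accounts with
#    that attribute unset are not returned by this filter.
$AES128 = 0x8
$AES256 = 0x10
$ldap = '(&(|(objectClass=user)(objectClass=computer))(msDS-SupportedEncryptionTypes=*))'
$aesAccounts = Get-ADObject -LDAPFilter $ldap -Properties msDS-SupportedEncryptionTypes, sAMAccountName |
    ForEach-Object {
        $etypes = [int]$_.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Account = $_.sAMAccountName
            AES128  = [bool]($etypes -band $AES128)
            AES256  = [bool]($etypes -band $AES256)
            Raw     = ('0x{0:X}' -f $etypes)
        }
    } | Where-Object { $_.AES128 -or $_.AES256 } | Sort-Object Account
$aesAccounts | Format-Table -AutoSize
```

Cross-reference the two tables: a DC with a non-zero Event14Count and the accounts named in its LatestMessage tell you which AES-flagged accounts to watch for when Microsoft ships the revised patch.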

2022-11-14

CIS MS-ISAC Report: K-12 Schools Cybersecurity Concerns

A report from the Center for Internet Security (CIS) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) says that while K-12 schools in the US continue to be targeted by cyberattacks, the sector as a whole “lag[s] behind other sectors in cybersecurity preparedness.” K-12 organizations responding to the 2021 Nationwide Cybersecurity Review were most concerned with insufficient cybersecurity funding and the sophistication of cyber threats.

Editor's Note

The report notes that K-12 schools are spending less than 1% of their IT budget on cyber security. Given the history of school budgets, those IT dollars are stretched pretty thin, leaving few dollars to implement needed improvements such as MFA or startup campus-wide strategic planning for overall cyber resiliency. Schools can join the MS-ISAC for no cost and have access to information and tools needed to help them raise the bar. This may be a good time for you to introduce yourself to your kids’ school as a cyber professional offering to help, rather than just a concerned parent.

Lee Neely

There are lots of target school systems and many lack the scale necessary to do security well. Consider application services in the cloud. Choose them for their ability to protect users and users from themselves and others.

William Hugh Murray

2022-11-14

BatLoader is Being Used in Active Attacks

Analysts from VMware’s Carbon Black Managed Detection and Response are tracking a malware campaign involving the BatLoader downloader. The analysts have detected 43 successful infections over the past three months. BatLoader has the ability to figure out if it is on a personal computer or a business system. It is being used to drop an information stealer, a banking Trojan, and other malware. BatLoader was first reported by Mandiant in February 2022.

Editor's Note

BatLoader appears to be drawing from the Conti malware playbook, leveraging some of the same resources and techniques. A common entry point is leveraging SEO to get users to download malicious .MSI installers/updaters for products such as LogMeIn, Zoom, TeamViewer and AnyDesk. While detection is included in CarbonBlack MDR products, the VMware blog does include IOCs you can incorporate locally. When it hits a personal computer, it installs the Ursnif banking malware and Vidar information stealer, while on an enterprise system it also downloads Cobalt Strike and the Syncro remote management/monitoring tool.

Lee Neely

2022-11-15

Russian Code Found Its Way into Army, CDC Apps

The CDC and the Army leveraged code from Pushwoosh for their own apps because they believed Pushwoosh was a U.S. company. Pushwoosh's social media profile states they are indeed a U.S. company, but Reuters discovered they are actually a Russian company headquartered in Siberia. Upon discovery of the origin of the Pushwoosh code, the Army removed the app, and the CDC removed the software from their public-facing applications due to security concerns.

Editor's Note

Supply chain security requires understanding not only the security of code used, but also its origins. Note that Pushwoosh represents itself as being a U.S. company in regulatory findings, claiming, at times, it is based in California, Maryland, and Washington D.C. When considering the risk, incorporate not only the origin but their TTPs to evaluate how they may impact you.

Lee Neely

Internet Storm Center Tech Corner

Extracting "HTTP CONNECT" Requests with Python

https://isc.sans.edu/diary/Extracting+HTTP+CONNECT+Requests+with+Python/29246


Extracting Information From "logfmt" Files with CyberChef

https://isc.sans.edu/diary/Extracting+Information+From+logfmt+Files+With+CyberChef/29244/


Cookies for MFA Bypass Gain Traction Among Cyberattackers

https://www.darkreading.com/threat-intelligence/cookies-mfa-bypass-cyberattackers


Extortion Scams Hit Website Owners

https://www.bleepingcomputer.com/news/security/new-extortion-scam-threatens-to-damage-sites-reputation-leak-data/


Windows Kerberos Authentication Breaks After November Updates

https://www.bleepingcomputer.com/news/microsoft/windows-kerberos-authentication-breaks-after-november-updates/

https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-22h2#2953msgdesc


Mysterious Company With Government Ties Plays Key Internet Role

https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/


Soccer World Cup Risks

https://www.theregister.com/2022/11/11/world_cup_security/

https://www.welivesecurity.com/2022/11/11/fifa-world-cup-2022-scams-fake-lotteries-ticket-fraud/