SANS NewsBites

Educate Management About Risks of Using Telegram and Other Consumer Apps for Sensitive Communications; Use Google YARA Rules to Detect Unauthorized Use of Cobalt Strike; Debate Continues Over Offensive Cybersecurity Operations

November 22, 2022  |  Volume XXIV - Issue #91

Top of the News


2022-11-16

Moldovan Government Officials Hit by Cyberattack

Hackers appear to have compromised communications between several Moldovan government officials. Private conversations of the country’s Minister of Justice, the Defense and National Security Advisor to the President, and the former Minister of Internal Affairs have been leaked.

Editor's Note

This is a complex story with not a lot of verification, but I wanted to highlight one important quote: “The Justice Ministry confirmed the leak but added that some messages were grossly modified or taken out of context.” This is a good one to highlight to CXOs and board members: doing company business over apps that have “zero revenue” models, or only get revenue through sponsored messages and in-app purchases is an enormous risk. The risk is not just eavesdropping, it is fake messages being sent out as coming from your company.

John Pescatore

If you've seen the movie RED with Bruce Willis, you're thinking of the end-quotes pertaining to Moldova. In this case, it's their leadership which finds themselves in an uncomfortable position under "hot pursuit." Essentially their Telegram accounts were compromised. Beyond my usual pitch to implement MFA everywhere, I would also add understanding who and how information you're sending over a service can be accessed. If you have any doubts, implement your own encryption (such as S/MIME for email) rather than relying on service provided encryption, particularly if it's not truly end-to-end. When in doubt, use enterprise vetted services, on their issued devices.

Lee Neely

2022-11-21

Google Taking Steps to Prevent Cobalt Strike Abuse

Google has announced new YARA rules and a VirusTotal collection that are intended to make Cobalt Strike harder to abuse. Cobalt Strike is a legitimate red-team testing tool, but malicious actors have been using it to move laterally within infiltrated networks.

Editor's Note

This debate goes back to 1995 when Dan Farmer and Wietse Venema released the SATAN scanning tool – one of the very first tools network security folks could use to find vulnerabilities and misconfigurations. Overall, we are better off having strong security tools in use by the good side, even if the bad side will get to use them, too.

John Pescatore

You can use these new YARA rules to detect Cobalt Strike variants in your environment. Not a bad idea to go proactively hunting to see what turns up. Beware of security research legitimately using it for exactly that. While tempting to put those workstations on a blanket allow list, you need to not completely ignore them as they too could become a target for compromise.

Lee Neely

2022-11-17

Wray: FBI Conducts Offensive Cyber Operations

In testimony before the US Senate Homeland Security Committee, FBI Director Christopher Wray said that his agency conducts offensive cyber operations against both state and non-state threat actors. Wray did not offer specifics about the offensive operations. “However, he warned that deterring nation-state threat actors from continuing to engage in illegal cyber activity is much more difficult than disrupting their operations.”

Editor's Note

Another long running policy debate. When this comes up, my response is always “Did you check that you are not vulnerable to those same offensive tactics before you use them?” I always attribute that philosophy to the first US security analyst, who in 1736 said “Don't throw stones at your neighbors, if your own windows are glass.” Mr. Franklin’s advice pre-dated Stuxnet by 274 years…

John Pescatore

Be really careful conducting offensive operations. This includes not only being resistant to all the attack techniques you're dying to loose on your target, but also all the basics - hardened/updated entry points, MFA everywhere, responsive monitoring and alerting. Even then, if I can't talk you out of it, I would make sure you have support to the highest levels and experienced guidance.

Lee Neely

The Rest of the Week's News


2022-11-18

Z-Library Domains Taken Down, Alleged Operators Arrested

Two individuals have been arrested and charged for their roles as operators of Z-Library. The Russian citizens face charges of copyright infringement, wire fraud, and money laundering. US authorities have also taken down Z-Library’s domains and seized its assets.

Editor's Note

The takedown involved taking down 250 domains. Let that sink in for a minute. How's that for scaling virtualization and distributed resources? Note to self - taking down an operation like this is a bigger job than I once thought, requiring international coordination and cooperation. After the takedown, students were distressed as they were using the site to access textbooks and research papers which were otherwise priced out of their reach; contrast that to the Authors Guild, who herald this as one of the largest takedowns in the fight against criminal e-book piracy to date. The issues behind the library bring to light the need to solve affordability and reachability of this type of resource. Hopefully that will be worked by both universities and the Authors Guild, leveraging lessons from Z-Library.

Lee Neely

2022-11-18

OMB Memo on Post-Quantum Encryption Migration

US federal civilian government agencies have until May 2023 to provide the Cybersecurity and Infrastructure Security Agency and the Office of the National Cyber Director with a list of their systems vulnerable to a cryptographically relevant quantum computer. According to an Office of Management and Budget (OMB) memo, agencies must submit the information by May 4, 2023 and update the list annually through 2035.

Editor's Note

Quantum computing still has a way to go to break current ciphers. As a "quick fix", increasing key sizes in existing ciphers may buy additional time. But you need to start these migration initiatives early, long before the actual threat materializes. It is nice to see OMB worry about these issues before they become an emergency.

Johannes Ullrich

A relatively straightforward directive to take action on. Knowing one’s environment is foundational to essential cyber hygiene. The first 3 CIS critical security controls focus on inventory of hardware, software, and data sensitivity/location.

Curtis Dukes

Moving to post-quantum cryptography (PQC) is going to take deliberate effort over multiple years and will need to be tracked and supported. While this data call starts that process out, it's a bit premature as we don't have finalized standards for Quantum Crypto, let alone products to deploy, meaning the answer to this data call is effectively "everything in scope." The memo is also asking agencies to produce budget estimates to implement PQC, which is again difficult without products to incorporate. The memo attempts to prioritize by focusing on high impact systems, high-value-assets (HVAs), systems which are particularly vulnerable to CRQC-based attacks as well as logical access control systems or those containing mission relevant data, while excluding National Security Systems (NSS).

Lee Neely

Perhaps a little aggressive but doable for most.

William Hugh Murray

2022-11-19

DOJ Announces Charges Against 10 Individuals for Alleged Involvement in Business eMail Compromise Schemes

US authorities have charged 10 individuals in connection with business email compromise (BEC) schemes that targeted numerous organizations including federally funded US programs like Medicare and Medicaid. The losses total more than $11m.

Editor's Note

BEC is still a concern, with estimates of a 65% increase in identified global exposed losses between July 2019 and December 2021. The increased success is partly attributed to the pandemic, where increased telework removed some traditional mitigations, such as shouting or walking down the hall for support. The attackers still largely leverage phishing, social engineering, and hacking, in combination or separately. This means we need to stay vigilant and support our users making good choices to avoid BEC, and make sure our training and support mechanisms remain viable in the current work environment. Conduct regular exercises and adjust where you can to make improvements.

Lee Neely

BEC schemes have been around for years. Cybersecurity best practices, such as email authentication using Domain-based Message Authentication Reporting and Conformance (DMARC), ensure that only legitimate senders are using company trusted domains to message customers and employees. Use the DOJ charging documents to frame the discussion between executive leadership and IT staff.

Curtis Dukes
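
As an added example (not from the newsletter or any of its editors), a small linter for a domain's DMARC TXT record that checks the settings the "only legitimate senders" guarantee depends on: an enforcing policy, full percentage coverage, the subdomain policy, and an aggregate-report address. The sample records are constructed and do not belong to real domains.

```python
# Constructed sample DMARC TXT records keyed by domain (not real domains).
SAMPLE_RECORDS = {
    "strong.example":  "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@strong.example",
    "weak.example":    "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "broken.example":  "v=DMARC1; rua=mailto:dmarc@broken.example",
}


def parse_dmarc(record):
    """Split a 'tag=value; tag=value' TXT record into a dict (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return findings that weaken the policy; an empty list means the record enforces."""
    findings = []
    tags = parse_dmarc(record)
    if not record.strip().lower().startswith("v=dmarc1"):
        findings.append("record must begin with v=DMARC1 or receivers ignore it")
    policy = tags.get("p")
    if policy is None:
        findings.append("no p= tag: record is invalid and receivers ignore it")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    # sp= defaults to the domain policy when absent
    if tags.get("sp", policy) == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports on who sends as your domain")
    return findings


def audit(records):
    """Map each domain to its findings so enforcing domains show an empty list."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}
```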

2022-11-18

Securing the Supply Chain Guidance for Customers

The US Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Office of the Director of National Intelligence have published Securing Software Supply Chain Series - Recommended Practices Guide for Customers. The publication is the third in a series of guidance manuals for supply chain security; guidance for developers was released in August and guidance for suppliers was released in October.

Editor's Note

With increased supply chain risk focus and regulatory requirements, you should be incorporating all the guidance you can find into your planning and response. These are intended for customers to leverage as a basis for assessing, describing and measuring security practices relative to the software lifecycle. The customer slicksheet provides suggestions for requests you can make of suppliers to help reduce your risk. While likely more effective in a paid environment, don't hesitate to leverage these to increase the integrity of the open-source software you leverage.

Lee Neely

This is a supplier problem. It will not be fixed by customers. Too many suppliers, too many updates, too obscure.

William Hugh Murray

2022-11-18

Zeppelin Ransomware Decryptor

A researcher from Unit 221B, a New Jersey cybersecurity consulting firm, found vulnerabilities in the Zeppelin ransomware’s encryption routines and was able to brute force decryption keys. Zeppelin first appeared in late 2019. The researchers say they began investigating Zeppelin after attackers started using it to target non-profits and charities. The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI published a joint alert about Zeppelin in August 2022.

Editor's Note

The good news is that cryptography is hard for the bad guys to do well. The bad news is that cryptography is also hard for the good guys to do well. If you are building or buying apps that use cryptography, make sure the code is tested by skilled personnel. Side note: “Zeppelin Ransomware” would be a good name for a band…

John Pescatore

Encryption is hard, even without quantum computing. In this case the researchers discovered two flawed encryption techniques, then were able to leverage twenty 40-CPU servers to factor a 520-bit RSA key in a few hours, from there they had the two primes (p,q) used to compute the public key (n) which in turn allowed them to compute the private key (d). Yes, this makes my head hurt too - look when implementing cryptography, make sure that it's done properly, ideally let someone else create and certify the implementation before you use it. If you really want to roll your own encryption, read that blog, and if you're still determined to do so, make sure that you have it authoritatively reviewed for deficiencies.

Lee Neely
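
The derivation in the note above, carried through on constructed toy primes as an added example (not the researchers' code): once both factors of n are known, the private exponent d is a single modular inverse, which is why modulus length is the first thing to check when building or buying anything that uses RSA. The 2048-bit floor is the commonly recommended minimum, stated here as an assumption.

```python
from math import gcd

RECOMMENDED_MIN_BITS = 2048  # assumed floor for RSA moduli; the key above was 520 bits


def rsa_key_bits(n):
    """Size of the public modulus in bits."""
    return n.bit_length()


def is_weak_modulus(n, minimum_bits=RECOMMENDED_MIN_BITS):
    """A short modulus is within reach of factoring on ordinary hardware."""
    return rsa_key_bits(n) < minimum_bits


def private_exponent_from_factors(p, q, e):
    """With p and q in hand, d is the inverse of e modulo phi(n) = (p-1)(q-1)."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e is not invertible modulo phi(n); not a valid RSA key")
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


def rsa_encrypt(m, e, n):
    return pow(m, e, n)


def rsa_decrypt(c, d, n):
    return pow(c, d, n)


def demo():
    """Walk the derivation on constructed toy primes (61, 53) so each value can be checked by hand."""
    p, q, e = 61, 53, 17
    n = p * q                                   # 3233, the public modulus
    d = private_exponent_from_factors(p, q, e)  # 2753
    c = rsa_encrypt(65, e, n)                   # 2790
    return {"n": n, "d": d, "c": c, "m": rsa_decrypt(c, d, n), "weak": is_weak_modulus(n)}
```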

While finding a vulnerability in the encryption routine worked this time, the best defense is still patching, configuration management, and limiting accounts with elevated privileges.

Curtis Dukes

My regular reminder that the Europol No More Ransom website www.nomoreransom.org has a repository for known decryption keys.

Brian Honan

2022-11-19

Atlassian Patches Critical Flaws in Bitbucket and Crowd

Atlassian has released fixes to address vulnerabilities in both Crowd and Bitbucket Server and Data Center. Both flaws are considered critical. The command injection vulnerability in Bitbucket was introduced in version 7.0.0 of Bitbucket Server and Data Center and affects versions 7.0 to 7.21 and versions 8.0 to 8.4 if mesh.enabled is set to false in bitbucket.properties. The security misconfiguration vulnerability in Crowd was introduced in version 3.0.0 and affects all subsequent versions if they are both new installations of affected versions and an IP address has been added to the Remote Address configuration of the Crowd application.

Editor's Note

The Crowd attack has to come from an IP address in your allow list, where the attack can bypass an authentication check. Make sure that you're on a fixed/supported version of Crowd, and cross-check your Remote Address configuration. The Bitbucket fix requires applying the update. It is possible to slightly reduce the risk by disabling public signup, but this really only moves the attack from unauthenticated to authenticated users, so if someone has credentials, it's still game-over.

Lee Neely
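
As an added example (not Atlassian's tooling), a check that applies the affected-version condition from the summary above to a Bitbucket instance's version string and its bitbucket.properties. The properties content is constructed, and the function returns None when mesh.enabled is absent because the summary does not state the default value.

```python
# Affected Bitbucket Server/Data Center versions from the summary: 7.0-7.21 and 8.0-8.4,
# and only when mesh.enabled is false in bitbucket.properties.
AFFECTED_RANGES = [((7, 0), (7, 21)), ((8, 0), (8, 4))]

# Constructed bitbucket.properties content for the demo (not from a real instance).
SAMPLE_PROPERTIES = """\
# server settings (constructed sample)
server.port=7990
mesh.enabled=false
"""


def parse_version(version):
    """'7.21.3' -> (7, 21); the patch level does not matter for the range check."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#' and '!' comment lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def version_in_affected_range(version):
    """True when the major.minor falls inside one of the ranges the advisory summary lists."""
    mm = parse_version(version)
    return any(low <= mm <= high for low, high in AFFECTED_RANGES)


def bitbucket_exposed(version, properties_text):
    """True if the version is affected and mesh.enabled=false; False if the version is
    unaffected or mesh is enabled; None when mesh.enabled is not set (default unknown here)."""
    if not version_in_affected_range(version):
        return False
    mesh = parse_properties(properties_text).get("mesh.enabled")
    if mesh is None:
        return None
    return mesh.lower() == "false"
```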

2022-11-21

GAO: Offshore Oil and Gas Installations Need to Address Cybersecurity Risks

According to an October 2022 report from the US Government Accountability Office (GAO), the country’s “offshore oil and gas infrastructure faces significant and increasing cybersecurity risks in the form of threat actors, vulnerabilities, and potential impacts.” The infrastructure is regulated by the Department of the Interior’s Bureau of Safety and Environmental Enforcement (BSEE). GAO recommends that BSEE “develop and implement a strategy to address offshore infrastructure risks. Such a strategy should include an assessment and mitigation of risks; and identify objectives, roles, responsibilities, resources, and performance measures.”

Editor's Note

The trick here is finding a cost-effective way to raise the bar without overly increasing the operational costs. One of the attack vectors which has to be considered is the interface between IT and OT systems, which is increasingly used as an attack vector. Examine these connections with an eye to preventing the trust relationship being used as a superhighway to your OT systems.

Lee Neely

Establishing a common and prioritized set of safeguards to achieve a baseline cybersecurity posture across all sectors should be a national imperative. The CIS Critical Security Controls, starting with Implementation Group 1, are measurably effective against the top five attacks being used against every industry sector, so why not start there?

Curtis Dukes

2022-11-22

Clarification Regarding the Use of the Ehteraz App During the FIFA World Cup in Qatar

As a NewsBites reader has pointed out, the Ehteraz app is not required for FIFA fans to enter the country. Also, the app’s permissions stated in Lee Neely’s comment apply to Android, but not to iOS, which requests Bluetooth & cellular data use and background app refresh permissions.

Internet Storm Center Tech Corner

Packet Tuesday: Episode 2 - Extended DNS Option Type 0

https://isc.sans.edu/diary/Packet+Tuesday+Episode+2+Extended+DNS+Option+Type+0/29268/


McAfee Fake Antivirus Phishing Campaign is Back!

https://isc.sans.edu/diary/McAfee+Fake+Antivirus+Phishing+Campaign+is+Back/29264/


Log4Shell campaigns are using Nashorn to get reverse shell on victim's machines

https://isc.sans.edu/diary/Log4Shell+campaigns+are+using+Nashorn+to+get+reverse+shell+on+victims+machines/29266/