SANS NewsBites

Check Mobile Devices for Heliconia Spyware; Update NVIDIA Drivers; Transparency Around Incidents is a Responsibility

December 2, 2022  |  Volume XXIV - Issue #93

Top of the News


2022-11-30

Google Warns of Heliconia Exploitation Framework

In a blog post, Google’s Threat Analysis Group (TAG) details its findings about an exploitation framework called Heliconia. The framework appears to be linked to a Spanish company, Variston IT, which lists custom security solutions among its offerings. The “Heliconia framework exploits n-day vulnerabilities in Chrome, Firefox and Microsoft Defender and provides all the tools necessary to deploy a payload to a target device.” TAG learned of Heliconia from bug submissions that suggest it was being used to exploit those vulnerabilities in 2018 and 2019. Patches for the various vulnerabilities were released in 2021 and early 2022.

Editor's Note

As Google points out, “…the commercial surveillance industry is thriving and has expanded significantly in recent years, creating risk for Internet users around the globe.” I’d like to see Google publish the list of the 30 or so commercial spyware vendors they are tracking, to make it easier for companies to both avoid buying from them and detect when attackers are using the tools. But you can find most of Google’s TAG reports to get the names of the companies and the indicators of use.

John Pescatore

These tools are designed to attack specific vulnerabilities which have been patched. As such, you need to make sure that you've deployed the updates to Chrome, Firefox and Defender. Don't overlook Chromium based browsers. This is a good time to see if you've been procrastinating deploying other updates and run that to ground. Don't let impact deter you from finding a path: work with your business units to find how and when, then support their efforts to senior management.

Lee Neely

2022-12-01

NVIDIA GPU Driver Update Addresses Nearly 30 Vulnerabilities

NVIDIA has released an update for its GPU Display Driver to address 29 vulnerabilities which could be exploited to achieve code execution, denial of service, escalation of privileges, information disclosure, or data tampering. The two most serious issues, both of which affect NVIDIA GPU Display Driver for Windows, are “a vulnerability in the user mode layer, where an unprivileged regular user can access or modify system files or other files that are critical to the application … [and] a vulnerability in the user mode layer, where an unprivileged regular user can cause an out-of-bounds write.”

Editor's Note

The vulnerabilities are on both Linux and Windows systems, so you need to deploy the update to both platforms. The Linux updates address weaknesses in the kernel mode layer of the driver which could be leveraged for DoS, code execution, data tampering or information disclosure.

Lee Neely

2022-11-30

Brooklyn Hospitals Criticized for Lack of Transparency About Cyber Incident

Three hospitals in Brooklyn, NY, are facing backlash over a lack of transparency regarding a November 19 cyber incident. Patients and physicians have expressed frustration that three hospitals in the One Brooklyn Health System have not been forthcoming about the cause of the incident. Other area hospitals are concerned that they could fall prey to the same attack and would like more information from One Brooklyn; the area hospitals are also seeing an unexpected increase in patient load likely as a result of the incident.

Editor's Note

NIST, CISA and ENISA all have good guidelines for best practices in incident reporting. They all recommend what ENISA calls “…quick dissemination of information among interested parties.” That doesn’t mean telling the world you are vulnerable before you have stemmed the bleeding, but lack of transparency usually just increases the amount of blood spilled.

John Pescatore

I repeatedly say, “Today you will not be judged for being the victim of a security incident, but you will be judged on how you respond.” It is vitally important that organisations ensure their incident response plans include how they clearly and transparently communicate details of a security incident to various stakeholders such as management, regulators, media, staff, and the public. It is also important that as defenders we share our experiences so that together we can all work to make our systems more robust and secure.

Brian Honan

While sharing can be scary, your peers really do want to know if what happened to you can happen to them, and this is not about making you look bad. Establish communication channels, leveraging your sector ISAC, CISA or other organization, to include agreements on disclosure, anonymization and retention. Remember this is a two-way street: all parties will benefit, not just by information sharing but also potential resources, tools and references you will need.

Lee Neely

Liability concerns are likely part of the reason for lack of transparency in sharing attack details. That said, cyber defenders benefit from understanding attack details, including the defenses that were in place at the time of the attack.

Curtis Dukes

Better to be criticized for lack of transparency than to put others at risk by premature disclosure. That said, one should be able to share safely with one's peers and colleagues. That is what ISACs are for. Most of these are doing a good job of sharing safely. Belong.

William Hugh Murray

The Rest of the Week's News


2022-11-29

Sandworm Threat Actors are Launching Ransomware Attacks Against Organizations in Ukraine

Researchers from ESET say that the threat actor group known as Sandworm is launching ransomware attacks against organizations in Ukraine. They appear to be using ransomware ESET is calling RansomBoggs, which is written in .NET. ESET has notified Ukraine’s Computer Emergency Response Team (CERT-UA) of their findings.

Editor's Note

The RansomBoggs ransomware is Monsters, Inc. (Disney, 2001) themed and, while announcing it is using AES 128 encryption, actually encrypts files with AES 256 and appends the .chsch extension to those files. The key is stored in a file called aes.bin, with the public key either passed as an argument to the ransomware or hard coded. The ransomware is distributed via a PowerShell script and written in .NET. The primary purpose of this attack appears to be disruption versus extorting money. Even so, make sure your users are trained to be cautious with unknown attachments/scripts which come bearing gifts. Check with your EDR provider for detection capabilities.

Lee Neely
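One way to hunt for the on-disk artefacts the note above names, as an added example that is not ESET's, SANS's or the editor's code: it walks a file tree, counts files renamed with the .chsch extension, looks for a dropped aes.bin key file, and triages each directory. The sample tree, the MIN_HITS threshold and the function names are constructed for illustration; only the .chsch extension and the aes.bin file name come from the note.

```python
"""Hunt for RansomBoggs-style artefacts on a file tree.

Added example (not ESET's or SANS's code). It looks for the two artefacts the
note names, files renamed with the .chsch extension and a dropped aes.bin key
file, and reports the directories where they cluster. The sample tree and the
MIN_HITS threshold are constructed for illustration.
"""
import os
import tempfile

ENCRYPTED_EXT = ".chsch"     # extension RansomBoggs appends (from the note)
KEY_FILE = "aes.bin"         # file the note says holds the encryption key
MIN_HITS = 3                 # constructed threshold: fewer than this is noise


def scan_tree(root):
    """Return {directory: (encrypted_count, has_key_file)} for every directory
    that contains at least one artefact."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        enc = sum(1 for f in files if f.lower().endswith(ENCRYPTED_EXT))
        key = any(f.lower() == KEY_FILE for f in files)
        if enc or key:
            findings[dirpath] = (enc, key)
    return findings


def triage(findings):
    """Classify each directory: 'likely' if the key file is present or at
    least MIN_HITS encrypted files were seen, 'weak' otherwise."""
    verdicts = {}
    for d, (enc, key) in findings.items():
        verdicts[d] = "likely" if key or enc >= MIN_HITS else "weak"
    return verdicts


def build_sample_tree(base):
    """Constructed sample: one ransomed share and one folder with a lone
    stray .chsch file that should not be escalated on its own."""
    hit = os.path.join(base, "shares", "finance")
    os.makedirs(hit)
    for name in ("q3.xlsx.chsch", "budget.docx.chsch", "notes.txt.chsch"):
        open(os.path.join(hit, name), "wb").close()
    open(os.path.join(hit, "aes.bin"), "wb").close()
    stray = os.path.join(base, "home", "alice")
    os.makedirs(stray)
    open(os.path.join(stray, "old.chsch"), "wb").close()
    open(os.path.join(stray, "report.pdf"), "wb").close()
    return base


def run_demo():
    """Build the sample tree in a temp dir, scan it and return verdicts keyed
    by forward-slash relative path so the result is platform independent."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        verdicts = triage(scan_tree(base))
        return {os.path.relpath(d, base).replace(os.sep, "/"): v
                for d, v in verdicts.items()}


if __name__ == "__main__":
    for path, verdict in sorted(run_demo().items()):
        print(f"{verdict:6} {path}")
```

Point the scanner at a real share root instead of the temp directory to use it; the threshold exists so that a single stray file does not page anyone, while the presence of the key file alone is enough to escalate.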

For more on the Sandworm threat actor, I highly recommend Andy Greenberg’s book, Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers.

Jorge Orchilles

2022-11-30

Akamai Researchers Inadvertently Crash Botnet

While monitoring the KmsdBot cryptomining botnet, Akamai researchers accidentally discovered its Achilles heel. The researchers write that they “modif[ied] a recent sample of KmsdBot to talk to an IP address in RFC 1918 address space. This allowed us to have a controlled environment to play around in — and, as a result, we were able to send the bot our own commands to test its functionality and attack signatures.” A simple syntax error caused the botnet to crash.

Editor's Note

This botnet operates on Windows and Linux systems, and is targeted towards gaming firms, technology companies, and luxury car manufacturers. Systems are infected using SSH to accounts with default or weak connections. As it's not persistent, a crash or other interruption to the process means that nodes have to be re-acquired. While the crash resulted because of a lack of error handling, don't assume malware operators aren't including error handling; most do. Making sure that default passwords are changed, and passwords, where they remain, are sufficiently strong, has to be SOP. Make sure that you're checking for re-introduction of these after updates or upgrades.

Lee Neely
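The note above ends with a check for settings that creep back in after updates or upgrades. The following is an added example, not Akamai's, SANS's or the editor's code, that audits the global section of an sshd_config for the settings that decide whether weak or default passwords can be used over SSH at all. The two sample configs are constructed; the parsing rule is the real one from sshd_config(5): for each keyword the first value wins, and everything after the first Match line is conditional rather than the global default, which is exactly what a "grep the last line" check after an upgrade gets wrong.

```python
"""Audit the global section of an sshd_config for settings that allow
password logins over SSH.

Added example (not Akamai's or SANS's code). Sample configs are constructed.
Parsing follows sshd_config(5): the FIRST value of each keyword wins, and
lines after the first "Match" apply only to matching connections.
"""

# Built-in defaults that apply when the keyword is absent (OpenSSH 7.0+).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "permitrootlogin": "prohibit-password",
}

# Values that pass the audit for each keyword.
OK_VALUES = {
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}


def parse_global(text):
    """Return {keyword: value} for the global section only, keeping the first
    value of each keyword and stopping at the first Match block."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line:
            continue
        # sshd_config accepts "Keyword value" or "Keyword=value"
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break                                   # rest is conditional
        if len(parts) == 2:
            seen.setdefault(key, parts[1].strip())  # first value wins
    return seen


def audit(text):
    """Return [(keyword, effective_value)] for every audited keyword whose
    effective global value is not an acceptable one."""
    effective = dict(DEFAULTS)
    for key, value in parse_global(text).items():
        if key in effective:
            effective[key] = value
    return [(k, v) for k, v in effective.items() if v.lower() not in OK_VALUES[k]]


# Constructed: an upgrade restored vendor defaults at the top of the file; the
# admin's hardening line at the bottom is both a later duplicate and inside a
# Match block, so sshd ignores it as a global default.
SAMPLE_REGRESSED = """\
Port 22
PasswordAuthentication yes
PermitRootLogin yes
Match User deploy
    PasswordAuthentication no
PasswordAuthentication no   # looks hardened, has no global effect
"""

# Constructed: the same settings done right.
SAMPLE_HARDENED = """\
PasswordAuthentication no
PermitEmptyPasswords no
PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    for name, cfg in (("regressed", SAMPLE_REGRESSED), ("hardened", SAMPLE_HARDENED)):
        print(name, "->", audit(cfg) or "OK")
```

Run it against /etc/ssh/sshd_config from a configuration-management or post-patch job and fail the job on any finding; if the host uses an Include directive or drop-in directory, feed every included file through parse_global in the order sshd reads them, since the first-value rule spans files.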

2022-11-29

CISA Adds Oracle Fusion Middleware Flaw to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added an unspecified vulnerability in Oracle Fusion Middleware to its Known Exploited Vulnerabilities (KEV) catalog. The flaw affects Oracle Fusion Middleware Access Manager and “allows an unauthenticated attacker with network access via HTTP to take over the Access Manager product.” CISA has specified a mitigation due date of December 19, 2022.

Editor's Note

Your business units are going to want to regression test updates to Fusion Middleware. While appropriate, time-bound those activities so you can get the updates deployed. The update includes 39 security patches, 35 of which may be remotely exploitable without authentication, so make sure you prioritize any Internet-facing applications. Updates are also tied to the version of Oracle Database used, so make sure to also apply the November database CPU.

Lee Neely

2022-12-01

Vanuatu’s Government Struggling to Recover from Cyberattack

A month after a cyberattack took down Vanuatu’s government servers and websites, officials are still using their private email accounts, their personal laptops, typewriters, and pen and paper to conduct business. Government offices in the outer islands of the South Pacific country are experiencing significant delays in services. Vanuatu’s CIO estimates that 70 percent of the government’s network is operating.

Editor's Note

While disappointing that cyber criminals targeted a small island nation, it serves as a reminder for organizations to regularly exercise their recovery plans for service disruptions that impact both business and government operations. Also, don’t forget those third-party support relationships, as they form part of the cybersecurity chain of trust.

Curtis Dukes

The Vanuatu government called in help from Australia. I remember visiting Tahiti years back and at that time their governor was not interested in any resources outside his islands. Ask yourself, what resources would you need, "off your island" to respond to an incident, then make connections with them. Make sure you know how to initiate an engagement, what their capabilities are and what costs will be incurred. Now is the time to refine your list, expectations and understanding, rather than when the chips are down.

Lee Neely

2022-12-30

TSA Seeks Comments on Strengthening Pipeline and Rail Cybersecurity and Resiliency

The US Transportation Security Administration (TSA) has published an advance notice of proposed rulemaking “regarding ways to strengthen cybersecurity and resiliency in the pipeline and rail (including freight, passenger, and transit rail) sectors.” TSA is accepting public comments through January 17, 2023.

Editor's Note

Are the cybersecurity requirements for both the pipeline and rail sectors really that unique? Each of the critical infrastructure sectors shares more in common when it comes to developing cybersecurity best practices. What’s needed is a common and prioritized set of safeguards to achieve a baseline cybersecurity posture. The good news: one exists [CIS Critical Security Controls] and is measurably effective against the top five attack types.

Curtis Dukes

Note that comments can only be accepted via the Federal eRulemaking Portal, US Mail, or Fax and must be submitted by January 17th, 2023. The eRulemaking portal is going to be your best bet here. The proposed rulemaking includes goals such as common security frameworks, segmentation, patching and access controls; the need is for those with experience in the field to review and make sure they can be accomplished.

Lee Neely

Publishing for comment is good practice for regulators.

William Hugh Murray

2022-12-02

UK High Court Judge: Cryptocurrency Exchanges Must Reveal Information Linked to Alleged Thieves

A UK high court judge has ordered half a dozen cryptocurrency exchanges to divulge the identities of account holders allegedly linked to a 2020 cryptocurrency heist. The incident involved the theft of what was worth at the time $10.7 million in digital assets. In his ruling, High Court Justice Christopher Butcher said the exchanges must disclose the status of stolen funds, bank account and payment card information, bank statements, and “know your customer” details.

Editor's Note

This is just another issue in a long list of issues that point out most virtual “currencies” don’t meet the definition of what it takes to be called a currency. It is kind of like the difference between a bottle of miracle pills and actual medicine.

John Pescatore

As crypto continues to become "mainstream," disclosures and other regulatory practices from the banking industry are needed to protect the "average" consumer, particularly when they are seeking lost funds. This ruling leverages a UK update to civil procedure law from October 2022 which streamlined information disclosure against foreign entities in fraud cases where they are intended to be prosecuted in English or Welsh courts.

Lee Neely

2022-11-30

Hackers Exploit Popular TikTok Challenge to Install Malware

Hackers are exploiting the popular “Invisible Challenge” TikTok challenge to install malware. The challenge involves using a special effect to make a blurred, contour image of a person posing naked. The hackers are capitalizing on the fad by offering a tool that allegedly removes the filter; instead, it downloads password-stealing malware.

Editor's Note

Two things come to mind. First, when redacting information, make sure that it cannot be restored. Better still, don't capture information you don't want shared in the first place. Second, beware of social engineering: just as there is no Nigerian prince offering you millions for your help (sorry, there is not), these apps don't unfilter anything. They do, however, install malware such as the WASP stealer malware. There are multiple malicious Python packages and other lures, such as one aimed at Discord users, with the same intent. Aside from cautioning users not to fall for scams to reveal the "person behind the mask," remind them that what goes online stays online and really is controlled by the service hosting the content.

Lee Neely

While the focus is on the open source app and shift in attacker tactics, this is really about capitalizing on human frailty to lure users into downloading the malicious app. Ingenious!

Curtis Dukes

Internet Storm Center Tech Corner

What's the deal with these router vulnerabilities?

https://isc.sans.edu/diary/Whats+the+deal+with+these+router+vulnerabilities/29288/


LinkedIn Bots

https://isc.sans.edu/diary/Identifying+Groups+of+Bot+Accounts+on+LinkedIn/29282


Quarkus Java Framework Vulnerability CVE-2022-4116

https://www.contrastsecurity.com/security-influencers/localhost-attack-against-quarkus-developers-contrast-security

https://access.redhat.com/security/cve/CVE-2022-4116


FreeBSD Ping RCE CVE-2022-23093

https://www.freebsd.org/security/advisories/FreeBSD-SA-22:15.ping.asc


NVidia GPU Display Driver Vulnerabilities CVE-2022-34669

https://nvidia.custhelp.com/app/answers/detail/a_id/5415


TrustCor CA Revoked

https://www.washingtonpost.com/technology/2022/11/30/trustcor-internet-authority-mozilla/


Android Platform Certificates Used to Sign Malware

https://bugs.chromium.org/p/apvi/issues/detail?id=100


Apple Updates

https://support.apple.com/en-us/HT201222


VLC Media Player Updates CVE-2022-41325

https://www.videolan.org/security/sb-vlc3018.html


VIN used to authenticate to Sirius XM Connected Vehicle Services

https://www.theregister.com/2022/11/30/siriusxm_connected_cars_hacking/


Oracle Fusion Middleware Exploited CVE-2021-35587

https://www.cisa.gov/known-exploited-vulnerabilities-catalog


Windows IKE Flaw Exploited CVE-2022-34721

https://www.cyfirma.com/outofband/windows-internet-key-exchange-ike-remote-code-execution-vulnerability-analysis/


Anker Eufy Cameras Sending Images to Cloud even if asked not to

https://www.macrumors.com/2022/11/29/eufy-camera-cloud-uploads-no-user-consent/


Packet Tuesday

https://packettuesday.com


SANS Holiday Hack Challenge Sign Up

https://www.sans.org/mlp/holiday-hack-challenge/