SANS NewsBites

iCloud End-to-End Encryption Will Restart Debate; Internet Explorer is Mostly Gone But Still Needs Patching; Mitigate Flaw in Cisco Phones and Patch When Available

December 9, 2022  |  Volume XXIV - Issue #95

Top of the News


2022-12-08

Advanced Data Protection for iCloud Expands Range of Protected Information

Apple will expand the range of data that users can protect with end-to-end encryption in iCloud. Currently, certain types of data – including health information, passwords, and payment card data – can be protected by end-to-end encryption. Apple plans to extend the protection to photos, notes, and iCloud backups. The feature is now available to users in the Apple Beta Software Program. It will be available to all US users by the end of this calendar year and will be rolled out worldwide early next year.

Editor's Note

Interesting new features. But before you go ahead and require hardware tokens to access your account: Make sure you have a recovery plan for lost tokens. Apple should allow multiple tokens to be registered. Keep at least one backup in a safe place to protect yourself if your primary hardware token is lost. If implemented correctly, Apple will not be able to help you recover your content.

Johannes Ullrich

I’m placing the over/under at 6 months on how quickly a US intelligence or national law enforcement agency will brief the White House on how such end-to-end encryption is thwarting the investigation and apprehension of dangerous criminals. As a side bet, another over/under is 100TB – how much sensitive personally identifiable information will be compromised by then due to lack of use of end-to-end encryption. This is a debate that needs to happen, but we already know the negative impact of lack of use of encryption to protect stored data.

John Pescatore

This is simply a continuation of Apple’s plan to protect user privacy by employing end-to-end encryption. At the end of the day, a good thing for user privacy. Now the debate begins on potential loss of government ability to find and thwart on-line criminal activity against its citizens.

Curtis Dukes

The engineering effort to support taking existing data and running this type of encryption cannot be understated. Anything that goes wrong in the encryption/decryption process could mean tens of millions of backups that are no longer accessible. I want to put out there that this process must have taken a considerable effort and is a significant risk to the company. Kudos to Apple for attempting this at all.

Moses Frost

This is device-to-device encryption, not true end-to-end, i.e., person-to-person. The data will likely be in the clear on one or both of the devices. It will resist pervasive surveillance. It will raise the cost of investigation but not defeat it.

William Hugh Murray

2022-12-08

North Korea’s APT37 Hackers Exploited Internet Explorer JScript9 Engine Zero-Day

Hackers linked to North Korea have been exploiting a zero-day type-confusion vulnerability in Internet Explorer’s JScript9 engine. Google’s Threat Analysis Group (TAG) detected the vulnerability, which affects Windows 7 through 11 and Windows Server 2008 through 2022 prior to the patches Microsoft released in November. APT37 has been exploiting the vulnerability to spread malware via malicious Word documents that render content with the IE engine.

Editor's Note

You may consider Internet Explorer "legacy" at this point. But it may still be used to render content in Office documents.

Johannes Ullrich

North Korea, while a fairly underfunded state, still has this innovating team of individuals who find interesting ways to abuse Windows. Don’t underestimate their technical capabilities; they can still be effective. This is a classic one. Who would have thought IE11 is still the core rendering engine for HTML in Office in 2022? It would be as if I said IE6 was being used to render HTML in Adobe Reader. It’s rather shocking, but maybe not surprising.

Moses Frost

2022-12-08

Cisco Discloses Vulnerability Affecting IP Phone 7800 and 8800 Series Firmware

Cisco has disclosed a vulnerability in the Cisco Discovery Protocol processing feature of Cisco IP Phone 7800 and 8800 Series firmware. The issue lies in the insufficient input validation of received Cisco Discovery Protocol packets and could be exploited to achieve remote code execution or a denial of service condition. Cisco plans to release updates to address the vulnerability. A suggested mitigation is to disable Cisco Discovery Protocol on affected IP Phone 7800 and 8800 Series devices.
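As an added illustration of the bug class named in the advisory summary (insufficient validation of received CDP packets), the following parser is example code written for this item; it is not Cisco's code, and it does not claim to reproduce the specific flaw in the 7800/8800 firmware. It uses the publicly documented CDP layout (a 4-byte header of version, TTL and checksum, followed by type/length/value records whose length field includes its own 4-byte header) and enforces the two length checks a receiver must apply to a TLV before trusting it. The packets are constructed inline and are not real phone traffic; the device and port strings are placeholders.

```python
"""
Added example (not from the NewsBites item or from Cisco): a minimal Cisco
Discovery Protocol (CDP) payload parser that shows the TLV length checks a
receiver must enforce before trusting a packet from an unauthenticated
neighbour.  Input is a constructed CDP payload (the bytes after the LLC/SNAP
header), not captured traffic.
"""
import struct

CDP_HEADER_LEN = 4   # version(1) + ttl(1) + checksum(2)
TLV_HEADER_LEN = 4   # type(2) + length(2); the length counts this header too

# Well-known CDP TLV types, used only for display (assumed labels)
TLV_NAMES = {0x0001: "Device-ID", 0x0003: "Port-ID", 0x0006: "Platform"}


class MalformedCDP(ValueError):
    """Raised when a packet fails validation instead of being parsed."""


def parse_cdp(payload: bytes) -> dict:
    """Parse a CDP payload into {'version', 'ttl', 'tlvs': [(type, value), ...]}.

    Each TLV length is checked against the TLV header size and against the
    bytes actually remaining.  Skipping either check is the kind of
    'insufficient input validation' that lets a crafted packet drive an
    out-of-bounds read or copy in a native receiver.
    """
    if len(payload) < CDP_HEADER_LEN:
        raise MalformedCDP("payload shorter than CDP header")
    version, ttl, _checksum = struct.unpack("!BBH", payload[:CDP_HEADER_LEN])
    if version not in (1, 2):
        raise MalformedCDP(f"unknown CDP version {version}")

    tlvs = []
    offset = CDP_HEADER_LEN
    while offset < len(payload):
        if len(payload) - offset < TLV_HEADER_LEN:
            raise MalformedCDP(f"truncated TLV header at offset {offset}")
        tlv_type, tlv_len = struct.unpack("!HH", payload[offset:offset + TLV_HEADER_LEN])
        # Check 1: the length must at least cover its own 4-byte header;
        # otherwise the value slice goes negative or the loop never advances.
        if tlv_len < TLV_HEADER_LEN:
            raise MalformedCDP(f"TLV 0x{tlv_type:04x} has impossible length {tlv_len}")
        # Check 2: the declared length must fit in the bytes that remain;
        # copying 'tlv_len' bytes on trust is a classic out-of-bounds access.
        if offset + tlv_len > len(payload):
            raise MalformedCDP(
                f"TLV 0x{tlv_type:04x} claims {tlv_len} bytes, "
                f"only {len(payload) - offset} remain")
        tlvs.append((tlv_type, payload[offset + TLV_HEADER_LEN:offset + tlv_len]))
        offset += tlv_len
    return {"version": version, "ttl": ttl, "tlvs": tlvs}


def tlv(tlv_type: int, value: bytes) -> bytes:
    """Build one well-formed TLV (helper for the constructed samples)."""
    return struct.pack("!HH", tlv_type, TLV_HEADER_LEN + len(value)) + value


def build_cdp(body: bytes, version: int = 2, ttl: int = 180) -> bytes:
    """Build a CDP payload; the checksum is left as zero in these samples."""
    return struct.pack("!BBH", version, ttl, 0) + body


# --- constructed samples (placeholder strings, not real traffic) -----------
GOOD_PACKET = build_cdp(
    tlv(0x0001, b"SEP001122334455")        # Device-ID
    + tlv(0x0003, b"Port 1")               # Port-ID
    + tlv(0x0006, b"Cisco IP Phone 8841")  # Platform
)

# Same content, but the Platform TLV's length field is inflated to 0xFFFF.
OVERSIZED_TLV_PACKET = build_cdp(
    tlv(0x0001, b"SEP001122334455")
    + struct.pack("!HH", 0x0006, 0xFFFF) + b"Cisco IP Phone 8841"
)

# A TLV whose declared length is smaller than its own header.
UNDERSIZED_TLV_PACKET = build_cdp(struct.pack("!HH", 0x0001, 2) + b"xx")


def classify(payload: bytes) -> str:
    """Return 'ok' or the validation error text (handy in a triage loop)."""
    try:
        parse_cdp(payload)
        return "ok"
    except MalformedCDP as exc:
        return f"malformed: {exc}"


if __name__ == "__main__":
    samples = [("good", GOOD_PACKET), ("oversized", OVERSIZED_TLV_PACKET),
               ("undersized", UNDERSIZED_TLV_PACKET)]
    for name, pkt in samples:
        print(f"{name:10s} {classify(pkt)}")
    for t, v in parse_cdp(GOOD_PACKET)["tlvs"]:
        print(f"  {TLV_NAMES.get(t, hex(t)):10s} {v!r}")
```

The two rejected samples are exactly the inputs a sender on the same VLAN can emit without any authentication, which is why the advisory's interim mitigation is to stop processing CDP altogether on the phones rather than to rely on filtering.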

Editor's Note

So far, no patch has been released. You may only disable CDP if you have LLDP enabled.

Johannes Ullrich

This vulnerability looks pretty serious for Cisco phones. CDP is a well-used protocol that does not require authentication and generally is gratuitously sent on the network. If a CDP packet can lead to a remote code execution, then patch these devices now. I cannot stress this enough, patch now. I still find very vulnerable network devices unpatched on a network, even when it is trivial to exploit, and the vulnerability has been known for over ten years. I cannot stress enough that a CDP packet that can cause RCE is terrible. Once someone is on one of these devices, they can quickly pivot to other parts of the network. If you cannot patch at this time, please make sure that these devices are on their own network and that these networks are firewalled away from the data networks.

Moses Frost

2022-12-09

2022 Holiday Hack Challenge

Join the annual SANS Holiday Hack Challenge and participate for FREE in a series of fun hands-on cybersecurity challenges. Available for all skill levels with a stellar prize at the end for the best of the best entries.

The Rest of the Week's News


2022-12-08

Rackspace Acknowledges Outage Was Caused by Ransomware

Cloud services provider Rackspace has acknowledged that the outage that disrupted availability of its Hosted Exchange environments was due to a ransomware infection. Rackspace is making sure that all affected customers have access to Microsoft 365 and is providing guidance to help them migrate.

Editor's Note

Rackspace has done a good thing in warning its customers that “In situations like these, it's common for scammers and cybercriminals to try to take advantage.” Check your processes to be sure you’d be doing the same thing – once it is made public that Company X has been compromised and is notifying its customers, attackers pretend to be Company X and try to scam passwords from customers. The important thing Rackspace has not yet divulged is *why* the attack succeeded – odds are high that reusable passwords were compromised somewhere. Ask your cloud service provider where they are in migrating privileged cloud infrastructure admin accounts to multi-factor authentication.

John Pescatore

Companies typically employ one of two approaches in breach notification: limit information made available on the attack; or be open and transparent about the incident. As Rackspace continues to investigate the cyber breach, let’s hope they fully share details of the event – to include what security applications were in place and operating. We all can learn from this unfortunate cyber incident.

Curtis Dukes

Be prepared to disclose both root cause and what you’ve done to prevent recurrence to both customers and regulators when you are breached. Transparency and honesty should be favored over spinning a story to make you look better.

Lee Neely

2022-12-08

Sequoia Notifies Customers of Data Breach

Sequoia has notified customers of its human resources, payroll, and benefits management services that their sensitive personal data have been compromised. The breach of a cloud storage repository was active during the end of September and the beginning of October. Compromised information includes names, addresses, vaccine cards and benefits-related wage data.

Editor's Note

Another week, another cloud service breach. Executive leadership teams: use this cyber incident to reinforce implementation of configuration and access management processes for your cloud provided business operations. The Center for Internet Security makes available security configuration benchmarks for each of the major cloud service providers.

Curtis Dukes

2022-12-08

HHS Warning on Royal Ransomware

The US Health Sector Cybersecurity Coordination Center (HC3) has published an analyst note warning of the threat of the Royal ransomware being used against networks of healthcare organizations. Royal appears to be a human-operated, rather than automated, ransomware operation.

Editor's Note

While the cyber threat warning is specific to the Royal ransomware and healthcare sector, cyber gangs don’t divvy up critical infrastructure sectors amongst themselves. It’s more about a quick payout; ransomware gangs are targeting every infrastructure sector. That said, don’t let a good warning go to waste; revisit your cyber defense plan and its implementation.

Curtis Dukes

2022-12-07

Android Security Bulletin December 2022

Android’s security bulletin for December 2022 includes fixes for more than 80 vulnerabilities. Four of the flaws have been deemed critical. They affect Android versions 10 through 13. Two are in the Android System component, and two are in the Android Application Framework.

Editor's Note

I hope you'll be able to upgrade your device to the latest update. Unfortunately, I only have two recommendations to ensure that you get updates. One, get on a Google Pixel device that will provide the latest and greatest updates. You could go with a flagship Samsung device, but there is no guarantee you will be patched. Two, as an alternative, you can get an Android One device that is guaranteed two years of updates. Unfortunately, these lower-end devices will probably have to be recycled if you want to stay up to date after two years.

Moses Frost

2022-12-06

Antwerp Digital Services Affected by Cyberattack

The Belgian city of Antwerp’s digital services were disrupted earlier this week following a cyberattack against its digital provider, Digipolis. Affected entities include police, schools, daycare centers, and Zorgbedrijf Antwerpen, which provides residential care for senior citizens. Just over a week ago, ransomware operators published data stolen from the network of the police in Zwijndrecht, a municipality in the province of Antwerp.

Editor's Note

Increasingly, adversaries are targeting companies that provide digital services to both the private sector and government. From an attacker’s point of view, it’s more efficient to exploit once so that they can attack many. Both the 2019 Texas municipalities attack and this one are reminders for organizations to review their SLA with the digital service provider. Part of the review should include discussion on security controls that the service provider employs.

Curtis Dukes

2022-12-08

Fantasy Wiper Used in Attacks Against Diamond Industry and Others

While researchers at ESET were analyzing a supply chain attack against an Israeli software developer, they detected a wiper being used by the Agrius APT group. The wiper, Fantasy, and its execution tool, known as Sandals, were deployed after Agrius gained access to other organizations’ networks through the supply chain attack, which targeted software used in the diamond industry.

Editor's Note

If one is vulnerable to ransomware, a risk to which far too many are exposed, then one is also vulnerable to destruction or even malicious modification of one's data. Implement strong authentication, end-to-end application layer encryption or a structured network, and least privilege access control, the essence of a "zero trust" strategy.

William Hugh Murray

2022-12-07

New Zealand Privacy Commissioner Says They Are Investigating Mercury IT Ransomware Attack

New Zealand’s Privacy Commissioner has issued a statement about a recent ransomware attack against Mercury IT, which “provides a wide range of IT services to customers” throughout the country. The incident affected systems at multiple government agencies across New Zealand.

Internet Storm Center Tech Corner

Finding Gaps in Syslog

https://isc.sans.edu/diary/Finding+Gaps+in+Syslog+How+to+find+when+nothing+happened/29314


Mirai Botnet and Gafgyt DDoS Team Up Against SOHO Routers

https://isc.sans.edu/diary/Mirai+Botnet+and+Gafgyt+DDoS+Team+Up+Against+SOHO+Routers/29304


Packet Tuesday Episode 4: TLS Client Hello

https://www.youtube.com/playlist?list=PLs4eo9Tja8biVteSW4a3GHY8qi0t1lFLL


Internet Explorer Vulnerability used in Malicious Word Document

https://blog.google/threat-analysis-group/internet-explorer-0-day-exploited-by-north-korean-actor-apt37/


Zombinder Obfuscation Service used by Ermac

https://www.threatfabric.com/blogs/zombinder-ermac-and-desktop-stealers.html


Cisco IP Phone Vulnerability CVE-2022-20968

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ipp-oobwrite-8cMF5r7U


Defcon Skimming: A new batch of Web Skimming attacks

https://blog.jscrambler.com/defcon-skimming-a-new-batch-of-web-skimming-attacks


daloRADIUS Vulnerability CVE-2022-23475

https://securityonline.info/cve-2022-23475-account-take-over-flaw-in-open-source-radius-web-management-app/


Fake D-Link Vulnerability used by Moobot

https://vulncheck.com/blog/moobot-uses-fake-vulnerability


Android Patches CVE-2022-20411

https://source.android.com/docs/security/bulletin/2022-12-01?hl=en


ZeroBot / WSZero IoT Botnet

https://www.fortinet.com/blog/threat-research/zerobot-new-go-based-botnet-campaign-targets-multiple-vulnerabilities


Cacti Vulnerability CVE-2022-46169

https://github.com/Cacti/cacti/security/advisories/GHSA-6p93-p743-35gf


Wireshark Updates

https://www.wireshark.org/docs/relnotes/wireshark-4.0.2.html


Apple iCloud Security Improvements

https://www.apple.com/newsroom/2022/12/apple-advances-user-security-with-powerful-new-data-protections/


SANS Holiday Hack Challenge

https://www.sans.org/mlp/holiday-hack-challenge/