SANS NewsBites

Microsoft Allowed Malicious Drivers To Be Signed As Legitimate, Prioritize This Month’s Patches; Patch Everything With An Apple Logo On It; Expect to Receive Phishing Email Pretending to Be From FBI InfraGard

December 16, 2022  |  Volume XXIV - Issue #97

Top of the News


2022-12-15

Microsoft-Signed Windows Drivers Used Maliciously

In October, researchers from SentinelOne, Mandiant, and Sophos notified Microsoft “that drivers certified by Microsoft’s Windows Hardware Developer Program were being used maliciously in post-exploitation activity.” Microsoft has revoked several developer certificates and suspended associated developer accounts.

Editor's Note

Microsoft notes that their investigation “…revealed that several developer accounts for the Microsoft Partner Center were engaged in submitting malicious drivers to obtain a Microsoft signature.” I’d like to hear what Microsoft will do to improve the certification of Microsoft Software “Partners” just as we’ve seen Apple and Google have to improve the processes for developers to get apps through their app store mechanisms.

John Pescatore

It appears these drivers were used after compromising a system for post-exploitation activities, most likely tied to the Cuba Ransomware campaign (which has no known connection to the Republic of Cuba). Applying this month's updates, and Microsoft revoking the certificates associated with these developers, which should prevent execution of the drivers, are two steps needed to prevent these attacks. You still need to use strong authentication, offline backups, segmentation and keep things updated. Read the CISA bulletin for IOCs, TTPs and added mitigations.

Lee Neely

There has been a marked increase in reported supply chain attacks in the last couple of years. In this case the malicious signed drivers can enable privilege escalation and the ability to move across the victim’s network. Although the user is dependent on MSFT to correct deficiencies in its signed driver program, they can still protect themselves by limiting an attacker’s ability to gain initial access to their network. Users should revisit their configuration and patch management processes.

Curtis Dukes

Is it necessary to remind people that certificates are public information about key pairs, are not sensitive, cannot be used to create other certificates, and are cryptographically bound to the software for which they vouch? It is the private half of the key pair that can be used to create certificates, is sensitive, and must be kept secret.

William Hugh Murray
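
The following Go program is an added example (not code from SANS, Microsoft, or any of the editors quoted above) illustrating the two points made in this story: a certificate is the public half and only vouches for what the private key signed, and a verifier can refuse a signed artifact once that certificate is revoked. It generates a throwaway ECDSA key pair and self-signed code-signing certificate, signs a constructed "driver image", then verifies it, shows that tampering or a different signer's private key fails verification against the same certificate, and shows a revocation list rejecting the signature even though the cryptography still checks out. The signer name, serial number and driver bytes are constructed; a real signing program would issue the certificate from a CA and distribute revocations via CRL or OCSP rather than an in-memory map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signer models the party holding the private key (the sensitive half).
// Cert is the public half and is safe to ship alongside the signed artifact.
type Signer struct {
	priv *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewSigner generates a key pair and a self-signed code-signing certificate.
// Constructed for this example; a real program would have a CA issue the cert.
func NewSigner(name string, serial int64) (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, Cert: cert}, nil
}

// Sign produces an ASN.1 ECDSA signature over the SHA-256 digest of the image.
func (s *Signer) Sign(image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// RevokedSerials stands in for a CRL: serial numbers the issuer has withdrawn.
type RevokedSerials map[string]bool

// VerifyDriver accepts the image only if the certificate is not revoked, is
// valid for code signing, and its public key verifies the signature.
func VerifyDriver(image, sig []byte, cert *x509.Certificate, revoked RevokedSerials) error {
	if revoked[cert.SerialNumber.String()] {
		return errors.New("signing certificate revoked")
	}
	codeSigning := false
	for _, u := range cert.ExtKeyUsage {
		if u == x509.ExtKeyUsageCodeSigning {
			codeSigning = true
		}
	}
	if !codeSigning {
		return errors.New("certificate not valid for code signing")
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type")
	}
	digest := sha256.Sum256(image)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match image")
	}
	return nil
}

func main() {
	s, err := NewSigner("Example Driver Vendor", 1001) // constructed identity
	if err != nil {
		panic(err)
	}
	image := []byte("constructed driver image bytes") // constructed sample
	sig, _ := s.Sign(image)
	fmt.Println("valid image:", VerifyDriver(image, sig, s.Cert, nil))
	fmt.Println("after revocation:", VerifyDriver(image, sig, s.Cert, RevokedSerials{"1001": true}))
}
```

The revocation check runs before the signature check on purpose: a perfectly valid signature from a withdrawn certificate is exactly the case Microsoft's revocation is meant to stop.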

2022-12-14

Apple Updates Multiple Products

Apple has released updates for iCloud for Windows, Safari, tvOS, watchOS, macOS Monterey, Big Sur, and Ventura, and iOS and iPadOS. The updates for iOS and iPadOS (version 16.2) address more than 30 security issues, including an actively exploited type confusion vulnerability (CVE-2022-42856) in the WebKit browser engine. Apple has also released iOS 15.7.2 and iPadOS 15.7.2 to address vulnerabilities for devices that are unable to run iOS 16.

Editor's Note

As usual, Apple updated "everything." There is a lot of overlap between Apple's operating systems. In addition to fixing vulnerabilities, Apple added the ability to enable encryption for many iCloud resources, most notably backups. Carefully read the instructions as you enable these features. Once enabled, Apple by design is no longer able to recover your data in case you lose access to your iCloud account.

Johannes Ullrich

This was a busy week for Apple, releasing updates for macOS 11, 12 and 13, Safari 16.2, watchOS 9.2. A couple of weeks ago Apple quietly dropped iOS 16.1.2 and a critical fix to iOS 16.2 beta to address a zero-day: these fixes are included in 16.2 if you didn't get 16.1.2 deployed. iOS and iPadOS 16.2 allow for more uses of end-to-end encryption with iCloud storage. Push out the updates to iOS/iPadOS quickly so you can have bandwidth for your regression testing for macOS/Safari. The iOS 15 updates work for devices back to the iPhone 6s; these are six- to seven-year-old devices you really need to replace.

Lee Neely

2022-12-13

InfraGard Database Spotted for Sale on Cybercrime Forum

The user database of the FBI’s InfraGard has been offered for sale on a cybercrime forum. The database contains contact information for 80,000 public- and private-sector InfraGard members who hold positions in physical and cybersecurity at organizations that comprise the country’s critical infrastructure.

Editor's Note

Two shortfalls enabled the access to be granted. First, the impersonated executive's identity wasn't sufficiently verified; second, the MFA options were leveraged to allow a second factor that the hacker controlled (email in this case). Both of these processes were implemented with what was deemed as an acceptable level of risk. The identity information was correct, and likely validated via on-line services, much like loan applications, and having multiple MFA options reduces account lockout scenarios. The attack risks/threats were likely very different when these decisions were made. When engineering services similar to this, keep an eye on threats and trends, revisiting your decisions and updating controls as the threat environment changes.

Lee Neely

The fact that individuals’ data is for sale on a cybercrime forum is not the worrying aspect of this story; after all, our data is being bought and sold constantly. The concern is that criminals now have details of those people who are involved in a trusted network and can exploit that to scam or exploit the inherent trust relationships people may have in that network. It is always useful therefore to remind staff, particularly senior staff, to be always mindful of communications they receive from others.

Brian Honan

OK, NewsBites readers: warn yourselves you are likely to see really well-crafted phishing attacks from members of your InfraGard chapter…

John Pescatore

The release onto the cybercrime forum was to be expected. On the surface, the material is of limited value as it is publicly findable. However, given the amount of material, its value to a buyer is the reduction in time to create cyber target packages.

Curtis Dukes

Many of those in the population were trusted by most other members; the essential purpose of the association is to create a level of trust. That trust is diminished by this publication. Furthermore, the association of name, e-mail and enterprise is sensitive and may be used to dupe other members of the enterprise in social engineering attacks. While I am in that database, I am not associated with any enterprise. The site is not responsive, so I cannot check my profile, but I do not think there is any information in it that is not available on LinkedIn.

William Hugh Murray

The Rest of the Week's News


2022-12-14

Microsoft Patch Tuesday

On Tuesday, December 13, Microsoft released fixes to address more than 70 security issues, including a previously disclosed privilege elevation flaw in the Windows 11 DirectX graphics component (CVE-2022-44710) and a Windows SmartScreen security feature bypass vulnerability (CVE-2022-44698) that is being actively exploited. The bypass vulnerability has been exploited by Magniber ransomware threat actors. Seven of the vulnerabilities addressed in this month’s release are rated critical.

Editor's Note

Note that this will be the last (or next to last) Patch Tuesday for Windows 8.1. In case you still have any 8.1 systems hanging around in your network, try to have them upgraded to Windows 10/11.

Johannes Ullrich

I have to remind myself that SmartScreen is the service that detects a document is from the Internet and disables features until the user indicates it's secure, so kind of a big deal. Add that to CVE-2022-41076, a PowerShell remote code execution flaw, and I'm clicking install right now. But wait, there is more: there is a spoofing bug in Outlook, which could allow an attacker to appear as a trusted user, so your attached Word docs are trusted when they should not be. The holiday season makes it tough to get good regression testing, and often people are out with systems shut down, so be prepared to do a cleanup sweep in January if your patching system won't automatically catch systems up when brought back online.

Lee Neely

I’m going to arbitrarily mark 1992 and the release of Windows 3.1 as the start of Windows vulnerabilities being remotely exploited. It took Microsoft until 2003 (11 years) to move to regular monthly patching with the now almost 20-year-old “Vulnerability Tuesday” approach. It is long past time for the monthly approach to go away and more frequent and more transparent patch pushing to be the norm. I’d like to see Microsoft make a major announcement about that happening before Vulnerability Tuesday leaves its teenage years…

John Pescatore

2022-12-13

NSA Says Hackers with Ties to China’s Government are Exploiting Citrix Vulnerability

According to an advisory from the US National Security Agency (NSA), the APT5 hacking group is exploiting an authentication control bypass vulnerability in Citrix Application Delivery Controller and gateway products. The NSA’s advisory provides “guidance to provide steps organizations can take to look for possible artifacts of this type of activity.” Citrix has released an update to fix the vulnerability.

Editor's Note

This impacts the 12.1 and 13.0 versions (including FIPS and NDcPP builds) where you've configured an IDP or SAML authentication - which most of us are using for centralized authentication. While you can apply updates to these versions, the better fix is to go to 13.1 which is not affected. Even if you don't have the SAML/IDP configuration today, apply the update so you're ready when and if you do. While you're at it, review the instructions for setting up auditing of unauthorized activity, make sure you didn't miss any tricks.

Lee Neely

From an actual risk perspective, wouldn’t it be more worrisome if the headlines said, “Grade School Kids Exploiting Citrix Vulnerability”? What I’d really like to see is a headline like “Grade School Kids Already Patched Their School’s Citrix Server.”

John Pescatore

You can be certain that if Chinese APT groups are exploiting these vulnerabilities, criminal gangs and ransomware groups won’t be far behind. So please don’t think that “we are not a target for an APT group” is a reason not to address this vulnerability.

Brian Honan

2022-12-13


Editor's Note

In essence, VLANs/SDN for 5G. (And so much more.) The biggest identified risks are DOS, MITM and configuration attacks. So, controls need to be there, only allow the devices/services intended, and not leak data. If you've ever configured devices or offices connected by cellular service, this virtualization raises the bar on isolating your traffic, with increased bandwidth, with flexibility and affordability we never saw with leased lines. If you're going down this path, ask your provider how they are responding to the identified risks and how they verify they are mitigated.

Lee Neely

Every shared media network technology (including satellite and fiber) has had this same sort of vulnerability, where isolation was in the specifications but the early implementations, not so much. State actors used to find and exploit these vulnerabilities for long periods of time, so it is good to see NSA putting a warning out vs. hoarding the information. But, this is not just a 5G issue, which seems to have been politicized. Make sure any plans to reduce communications costs include validated security in the evaluation process.

John Pescatore

This is mischaracterized as a threat; threats have both sources and rates, not potential. Rather it is a risk. Slices are analogous to connections in POTS and VPNs in the Internet. Those who set up and rely upon these routes should exercise due caution.

William Hugh Murray

2022-12-15

DDoS Booter Sites Seized; Seven People Arrested

An international law enforcement operation has resulted in nearly 50 domains associated with distributed denial-of-service (DDoS)-for-hire services being taken down. Seven people have been arrested in connection with these so-called booter services; one of the people was arrested in the UK and six in the US. The operation was a cooperative effort between law enforcement agencies in the UK, the US, the Netherlands, Germany, and Poland.

Editor's Note

Have you had a recent conversation about what DDoS mitigations are in place? Cloud, CDN, ISP, and on-premises systems all have capabilities: make sure they are all enabled. When getting push-back, make sure it's based on current information; many services have evolved in the last year or so, so you may need to update your evaluation/opinion.

Lee Neely

2022-12-15

GitHub Expands Secret Scanning

GitHub is rolling out free secret scanning to all public repositories. Previously, the service had been available only to organizations that use GitHub Enterprise Cloud with a GitHub Advanced Security license. The feature should be available to all users by the end of January 2023. After the feature is enabled, GitHub will automatically scan repositories for more than 200 token formats and notify developers when leaked secrets are detected. In a separate story, GitHub will require all users to enable two-factor authentication by the end of 2023. The requirement will begin rolling out in March.

Editor's Note

You should have processes in place locally to ensure you're not sharing secrets, and the GitHub process will merely have your back. Don't miss that 2FA will also be required for all users next year.

Lee Neely

Kudos to GitHub for enabling this free service. Frankly, all Cloud Service Providers should enable a similar free scanning service for all of their customers. The cost to the company is minuscule, the value to the customer is immense.

Curtis Dukes
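
As an added illustration of the "processes in place locally" the first editor's note above recommends, here is a small Go secret scanner (example code written for this newsletter, not GitHub's scanner or any editor's tool) that runs a handful of token-format rules over file contents before a commit and reports findings with the secret masked. The three rules are a constructed subset (the GitHub classic personal access token prefix, the AWS access key ID prefix, and a PEM private key header); GitHub's 200-plus formats are not reproduced here. The sample file and every token value in it are constructed placeholders, not real credentials.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Finding records one detected secret: the rule that fired, the line, and a
// masked preview that is safe to put in a log or an alert.
type Finding struct {
	Rule   string
	Line   int
	Masked string
}

// rules is a constructed, deliberately small subset of token formats.
var rules = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"github-pat", regexp.MustCompile(`\bghp_[A-Za-z0-9]{36}\b`)},
	{"aws-access-key-id", regexp.MustCompile(`\bAKIA[0-9A-Z]{16}\b`)},
	{"private-key-block", regexp.MustCompile(`-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----`)},
}

// mask keeps the first four and last two characters so a developer can
// recognise which credential leaked without the alert re-leaking it.
func mask(s string) string {
	if len(s) <= 8 {
		return strings.Repeat("*", len(s))
	}
	return s[:4] + strings.Repeat("*", len(s)-6) + s[len(s)-2:]
}

// ScanText runs every rule over each line and returns findings in file order.
func ScanText(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, r := range rules {
			for _, m := range r.Re.FindAllString(line, -1) {
				out = append(out, Finding{Rule: r.Name, Line: i + 1, Masked: mask(m)})
			}
		}
	}
	return out
}

// ShouldBlockCommit is the pre-commit hook decision: any finding stops the commit.
func ShouldBlockCommit(text string) bool {
	return len(ScanText(text)) > 0
}

// sample is a constructed config file; the token values are placeholders.
const sample = `# config.env (constructed sample)
DB_HOST=db.internal
GITHUB_TOKEN=ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij
AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY123456
NOTE=ghp_tooshort
-----BEGIN RSA PRIVATE KEY-----
`

func main() {
	for _, f := range ScanText(sample) {
		fmt.Printf("line %d: %s -> %s\n", f.Line, f.Rule, f.Masked)
	}
	fmt.Println("block commit:", ShouldBlockCommit(sample))
}
```

The word boundaries in the patterns keep the too-short `ghp_tooshort` value from firing, which matters because a noisy hook is one developers learn to bypass; a real deployment would wire `ShouldBlockCommit` into a pre-commit hook over the staged diff and keep GitHub's server-side scan as the backstop the editor describes.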

2022-12-14

Flaws in Veeam, Microsoft, Citrix, Fortinet, and Apple Added to KEV Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added six flaws to its Known Exploited Vulnerabilities (KEV) Catalog. The vulnerabilities are a pair of remote code execution vulnerabilities in Veeam Backup & Replication; an authentication bypass vulnerability in Citrix Application Delivery Controller (ADC) and Gateway; a feature bypass vulnerability in Microsoft Defender SmartScreen; a heap-based buffer overflow vulnerability in Fortinet FortiOS; and a type confusion vulnerability in iOS. The first five issues have remediation deadline dates of January 3, 2023; the iOS issue has a remediation date of January 4.

Editor's Note

For those in the federal space, you now have targets for rolling out the updates we've been talking about. And yes, those dates are challenging with the holidays. The attackers are counting on us being distracted or not present so they can more easily exploit targets during this time of year, so we need to plan accordingly. Fingers crossed you can get things rolled out in the next week, to include any tune-up to your monitoring and alerting systems so you can give your staff time off.

Lee Neely

2022-12-15

Microsoft Now Says SPNEGO Extended Negotiation Security Vulnerability is Critical

Microsoft has reclassified a vulnerability they patched in September as critical. The vulnerability in the Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) Extended Negotiation Security Mechanism (CVE-2022-37958) was initially described as an information disclosure issue. Now it has been found that the flaw could be exploited to allow remote execution of arbitrary code, prompting Microsoft to reclassify its severity.

Editor's Note

Common mechanisms that can be used to exploit the vulnerability are SMB, HTTP, and RDP. While you're no longer exposing SMB and RDP to the Internet, you are likely exposing HTTP. Don't panic: make sure the September update was rolled out to those servers. Microsoft included the update in the monthly rollup for their OSes, as well as their security specific update patch set.

Lee Neely

Internet Storm Center Tech Corner

Google ads lead to fake software pages pushing IcedID (Bokbot)

https://isc.sans.edu/diary/Google+ads+lead+to+fake+software+pages+pushing+IcedID+Bokbot/29344


Microsoft Patches

https://isc.sans.edu/diary/Microsoft+December+2022+Patch+Tuesday/29336


Microsoft Patch Issues

https://support.microsoft.com/en-us/topic/december-13-2022-kb5021249-os-build-20348-1366-d5fe7608-bc9d-4055-a88c-fb2fd3d5fd45

https://techcommunity.microsoft.com/t5/ask-the-directory-services-team/so-you-say-your-dc-s-memory-is-getting-all-used-up-after/ba-p/3696318


Apple Patches

https://isc.sans.edu/diary/Apple+Updates+Everything/29338


HTML smugglers turn to SVG images

https://blog.talosintelligence.com/html-smugglers-turn-to-svg-images/


VMWare EHCI Controller Vulnerability CVE-2022-31705

https://www.vmware.com/security/advisories/VMSA-2022-0033.html


GitHub Improvements

https://github.blog/2022-12-14-raising-the-bar-for-software-security-next-steps-for-github-com-2fa/


NIST Retires SHA-1

https://www.nist.gov/news-events/news/2022/12/nist-retires-sha-1-cryptographic-algorithm


Citrix Patches

https://www.citrix.com/blogs/2022/12/13/critical-security-update-now-available-for-citrix-adc-citrix-gateway/


Veeam Vulnerability Now Exploited

https://www.veeam.com/kb4288


nuget / npm / pypi used to host phishing pages

https://checkmarx.com/blog/how-140k-nuget-npm-and-pypi-packages-were-used-to-spread-phishing-links/


Critical Remote Code Execution Vulnerability in SPNEGO Extended Negotiation Security Mechanism

https://securityintelligence.com/posts/critical-remote-code-execution-vulnerability-spnego-extended-negotiation-security-mechanism/