SANS NewsBites

Check Enrollment Status on Your Managed Chromebooks; Another Ransomware Incident Points Out Costs of Manual Workarounds; Vulnerabilities Found in Electric Vehicle Charger Protocols

February 3, 2023  |  Volume XXV - Issue #10

Top of the News


2023-02-01

SH1MMER Chromebook Exploit

An exploit known as SH1MMER (Shady Hacking 1nstrument Makes Machine Enrollment Retreat) has the capacity to unenroll enterprise- and school-managed Chromebooks from the administrative policies set in the Google Admin console. Google is working on addressing the issue.

Editor's Note

If you're reliant on your managed mode for your Chromebook fleet, you're going to need to monitor to make sure they remain enrolled until Google's patch can be deployed. Effectively, you boot from external media, run the code which both unenrolls the device and puts it in developer mode. If you're researching this behavior, make sure that you're using a valid shim, as some will brick the Chromebook. If you're creating a device that supports developer and managed modes, create two accounts before enrolling: first in developer mode, the second enrolled.

Lee Neely
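As an added illustration of the "monitor to make sure they remain enrolled" advice (this is not code from the newsletter, from SANS or from Google), the script below compares two inventory snapshots of a managed Chromebook fleet and reports devices that were enrolled in the earlier snapshot but are now missing, deprovisioned, or booted in developer mode. The record shape (`deviceId`, `serialNumber`, `status`, `bootMode`) and the values `ACTIVE`, `DEPROVISIONED`, `Verified` and `Dev` are assumptions modelled on the Admin SDK Directory API chromeosdevices listing; the sample records are constructed.

```python
"""Flag managed Chromebooks that left enrollment between two inventory snapshots.

Added example, not code from SANS NewsBites or from Google. Field names and
values are assumptions modelled on the Directory API chromeosdevices resource;
the sample records are constructed.
"""
import json
import sys
from dataclasses import dataclass

EXPECTED_STATUS = "ACTIVE"       # assumed value for an enrolled, managed device
EXPECTED_BOOT_MODE = "Verified"  # assumed value for verified (non-developer) boot


@dataclass(frozen=True, order=True)
class Finding:
    serial: str
    reason: str


def index_by_serial(snapshot):
    """Map serialNumber -> record so the two snapshots can be compared per device."""
    return {rec["serialNumber"]: rec for rec in snapshot}


def audit_enrollment(previous, current):
    """Return sorted Findings for devices that were enrolled and verified-boot in
    `previous` but are missing, unenrolled, or in developer mode in `current`.
    Only transitions are reported: a device already deprovisioned in the earlier
    snapshot is a known state, not a new event."""
    prev = index_by_serial(previous)
    curr = index_by_serial(current)
    findings = []
    for serial, before in prev.items():
        was_active = before.get("status") == EXPECTED_STATUS
        was_verified = before.get("bootMode") == EXPECTED_BOOT_MODE
        after = curr.get(serial)
        if after is None:
            if was_active:
                findings.append(Finding(serial, "missing from current inventory"))
            continue
        if was_active and after.get("status") != EXPECTED_STATUS:
            findings.append(Finding(
                serial, f"status changed from {before['status']} to {after.get('status')}"))
        if was_verified and after.get("bootMode") != EXPECTED_BOOT_MODE:
            findings.append(Finding(
                serial, f"boot mode changed from {before['bootMode']} to {after.get('bootMode')}"))
    return sorted(findings)


# Constructed sample snapshots; serial numbers and device ids are made up.
PREVIOUS = [
    {"deviceId": "dev-0001", "serialNumber": "5CD0000001", "status": "ACTIVE", "bootMode": "Verified"},
    {"deviceId": "dev-0002", "serialNumber": "5CD0000002", "status": "ACTIVE", "bootMode": "Verified"},
    {"deviceId": "dev-0003", "serialNumber": "5CD0000003", "status": "ACTIVE", "bootMode": "Verified"},
    {"deviceId": "dev-0004", "serialNumber": "5CD0000004", "status": "DEPROVISIONED", "bootMode": "Verified"},
]
CURRENT = [
    {"deviceId": "dev-0001", "serialNumber": "5CD0000001", "status": "ACTIVE", "bootMode": "Verified"},
    # unenrolled and now in developer mode: two findings
    {"deviceId": "dev-0002", "serialNumber": "5CD0000002", "status": "DEPROVISIONED", "bootMode": "Dev"},
    # dev-0003 vanished from the inventory: one finding
    # dev-0004 was already deprovisioned before, so it is not a new transition
    {"deviceId": "dev-0004", "serialNumber": "5CD0000004", "status": "DEPROVISIONED", "bootMode": "Verified"},
]


def load_snapshot(path):
    """Load a JSON array of device records exported from the inventory."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


if __name__ == "__main__":
    # Usage: python audit_enrollment.py previous.json current.json
    # With no arguments the constructed sample snapshots are compared.
    if len(sys.argv) == 3:
        before, after = load_snapshot(sys.argv[1]), load_snapshot(sys.argv[2])
    else:
        before, after = PREVIOUS, CURRENT
    for finding in audit_enrollment(before, after):
        print(f"{finding.serial}: {finding.reason}")
```

Run it on two exports taken a day apart and route any output to whoever owns the fleet; a device that goes from ACTIVE/Verified to DEPROVISIONED/Dev without a matching ticket is exactly the state the SH1MMER exploit leaves behind.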

This exploit requires direct access to the Chromebook. While that may be appealing for users of enrolled and managed Chromebooks, it is likely a violation of enterprise IT security policies and violators would be held accountable. Physical access to devices (laptops, desktops, etc.) opens up a number of potential new attack vectors that can be used by an adversary.

Curtis Dukes

2023-02-02

Financial Software Company Hit with Ransomware

Financial software firm ION Group was the victim of a ransomware attack on January 31. The attack affected ION’s Cleared Derivatives division. In a press release, ION wrote, “The incident is contained to a specific environment, all the affected servers are disconnected.”

Editor's Note

Not a lot of information out on this one – the important part is always *why* and *how* the attack succeeded. In the financial world, being forced to use slower manual trading/reconciliation processes can carry huge costs to customers and the financial organization hit swamps recovery costs.

John Pescatore

The LockBit ransomware group is taking credit for this attack, threatening to leak data on Feb 4 unless the ransom demand is paid. Financial institutions using their services currently have to process trading and clearing of exchange-traded derivatives manually. The question is how long manual processing will be viable. When reviewing DR plans, this is something to contemplate and at least plan for a point where you need to move to a new automated system before the business impact is unacceptable.

Lee Neely

This ransomware attack, while specific to financial trading systems, is a good reminder for every enterprise to revisit their SLAs with third-party software vendors. Reliance on third-party vendors for products and services should be part of a company’s risk assessment, and mitigations, such as switching to staff-intensive processes, should be regularly tested to counter impacts to business operations.

Curtis Dukes

2023-02-01

Electric Vehicle Charger Vulnerabilities

Researchers from SaiFlow have detailed vulnerabilities affecting electric vehicle (EV) charging stations that could be exploited to cause denial-of-service or trick them into charging vehicles without payment. The vulnerabilities lie in the Open Charge Point Protocol (OCPP) standard.

Editor's Note

Electric Vehicle chargers are more than high power electric outlets. The cable connecting the car to the charger includes data lines to regulate charging and provide metering as well as payment information. It is more like a "very large USB-C" charger in how it combines data and power delivery. This provides an avenue to either attack the charger or the car. In addition, wireless networking may be used as well to interface with mobile devices for payment.

Johannes Ullrich

In 2021 USD 7.5B was allocated over five years to build out EV charging stations and last September the Biden administration launched a grant program to build charging networks along 75,000 miles of interstate highways. That means the focus is going to be on deployment before the money runs out rather than cyber security. While many states are working to require cyber security components as part of approving grants for EV charging stations, this still leaves existing or legacy installations possibly exempted. If providers don't resolve issues, expect a regulatory body, like NERC, to step in and require it. Regardless, if you're in the EV charging business, you want to make sure that you've got cyber security covered, before your hand is forced.

Lee Neely

This announcement isn’t unexpected as the EV infrastructure continues to build out. Researchers in academia, private sector, and hacking circles will start fully testing the underlying protocols and vulnerabilities will be found. Unfortunately, speed to market often trumps adequate security testing of new technology. We’ve witnessed a similar parallel with vehicle automation. What’s important is that the industry move quickly to close this and other vulnerabilities, as they will be targeted by cybercriminals.

Curtis Dukes

The Rest of the Week's News


2023-02-03

CISA Adds Two Security Issues to Known Exploited Vulnerabilities Catalog

On Thursday, February 2, the US Cybersecurity and Infrastructure Security Agency (CISA) added two vulnerabilities to its Known Exploited Vulnerabilities database: an unspecified vulnerability in Oracle E-Business Suite, and a remote code execution vulnerability in multiple products from SugarCRM. Both vulnerabilities have mitigation deadlines of February 23.

Editor's Note

Oracle released the update in their October 2022 CPU; SugarCRM released their patch Jan 11, 2023. SugarCRM cloud services are already updated. Three weeks is not a lot of time for regression testing of ERP and CRM systems: you're going to need to not only build an aggressive schedule, but also management support for the resource hit. Even though the Oracle release was in October, be sure it wasn't postponed due to the fiscal year open/close. (Sept 30/Oct 1 for Federal Agencies.)

Lee Neely

2023-02-01

Hive Takedown Demonstrates that FBI is Learning from Experience

In 2021, the FBI faced criticism for holding onto a decryptor for the Kaseya ransomware for weeks before sharing it with organizations whose networks had been infected with the ransomware. More recently, the FBI participated in taking down the infrastructure of the Hive ransomware. During that operation, the FBI gained access to and maintained a presence in Hive’s network for six months. They were able to obtain decryptors and share them with more than 300 organizations that had been infected.

Editor's Note

It is clear that the FBI Cyber Crimes Unit has adapted its tactics, techniques, and procedures to better support victims of cybercrime. In this instance, while successful, other cybercriminal gangs will learn from this change in tactics to increase their vetting procedures. As always, more work needs to be done to make enterprises more resilient against ransomware attacks.

Curtis Dukes

The FBI is facing a balancing act. While their work gets them access to tools, like decryptors, that victims desperately need, releasing those tools can also compromise their investigation. The trend with the Hive takedown indicates they are actively working to release things sooner. My takeaway is to make sure that you've got a relationship with your local FBI office so you know who to call if you have an incident and need to leverage their resources.

Lee Neely

2023-02-02

House Committee Seeks Information About National Lab Breaches

Members of the US House of Representatives Committee on Oversight and Accountability have written a letter to Energy Secretary Jennifer Granholm seeking information about a series of cyberattacks that targeted US National Laboratories in the summer of 2022. The committee members are requesting all documents and communications between the Department of Energy, the National Labs, contractors, and any other departments and federal agencies regarding the cyberattacks.

Editor's Note

National Laboratories have been a target since their inception, meaning they also have a lot of experience with detection, defense, monitoring and response. If you're the subject of a data call, such as this, don't take it personally: work to gather the requested information, then review it carefully with management before turning it over so they understand any implications. Do not fail to respond.

Lee Neely

2023-02-01

Maryland Hospital Suffers Ransomware Attack

Maryland’s Atlantic General Hospital is experiencing disruptions to some services following a ransomware attack. Healthcare professionals are operating on EHR downtime procedures. Most patients can still be seen; the attack has caused outages affecting the hospital’s pharmacy, outpatient imaging, outpatient walk-in lab, and pulmonary function testing.

Editor's Note

The Healthcare Sector was frequently targeted for ransomware attacks in 2022 and that trend is continuing into 2023. Organizations that make up this critical infrastructure sector can’t say they haven’t been warned that a ransomware attack is coming for them. I urge all organizations to use the recently published ‘Blueprint for Ransomware Defense’ as an action plan for ransomware mitigation, response, and recovery to protect against future attacks.

Curtis Dukes

As the event is still under active investigation, Atlantic General is holding their cards close until they have definitive answers. In the meantime, they are operating under a combination of manual procedures and reduced capacity to minimize the overall impact on patients. While working to increase security, which the medical profession is doing, it's important to look beyond your top identified mitigations to make sure that you've not left unaddressed attack paths, e.g., MFA on the workstations, but leaving accessible (unprotected) network jacks in the conference rooms.

Lee Neely

Hospitals really need to isolate patient-facing applications from those, like e-mail and browsing, that are connected to the public networks.

William Hugh Murray

2023-01-30

CISA to Create Open Supply Chain Risk Management Office

The US Cybersecurity and Infrastructure Security Agency (CISA) will establish a supply chain risk management office. The office will be headed by Shon Lyublanovits, who currently leads the project management office for cyber supply chain risk management (C-SCRM) at CISA’s cybersecurity division. At a January 30 GovExec event, Lyublanovits said that it’s time to move beyond “just thinking broadly about C-SCRM and really figure[e] out what chunks I want to start to tackle first, creat[e] that roadmap so that we can actually move this forward.”

Editor's Note

If only new org charts and strategic plans could solve supply chain security issues. More info to buyer organizations is pretty low on the need list to improve supply chain security – more pressure on the suppliers is needed. In 2018 the Federal Acquisition Security Council (FASC) was created by the 2018 Federal Acquisition Supply Chain Security Act. In 2021, FASC issued rulemaking establishing authority to issue removal and exclusion orders if suppliers were found to be negligent. US procurement policy moved pretty quickly to remove/exclude Chinese suppliers of technology, but I can’t find any case of any actual action taken against the numerous suppliers that have had cybersecurity incidents. The US government needs to use its buying power to drive progress.

John Pescatore

Beyond training for a consistent approach, having resources to share existing research would be helpful. Those databases would need to include context, and the hardest part, remain unclassified.

Lee Neely

One might hope that holding suppliers accountable for shipping malicious code would be an obvious place to start. At some point we must address the software quality problem. We may be spending as much or more trying to eliminate vulnerabilities in software which the suppliers wrote themselves as we are eliminating malicious code that they shipped but did not write.

William Hugh Murray

2023-02-02

Cisco Releases Updates to Fix Flaw in IOx Application Hosting Environment

Cisco has released updates to address a command injection vulnerability in its IOx application hosting environment. The high-severity flaw exists “due to incomplete sanitization of parameters that are passed in for activation of an application.”

Editor's Note

The flaw only applies to the product with the native docker status; if your device has Dockerd running, it's not vulnerable. There really isn't a viable workaround other than disabling the IOx application hosting service entirely, which is unlikely to be a viable option. Cisco's updates are free; check their release notes for the versions relating to your affected products.

Lee Neely

2023-02-02

Format String Vulnerability in F5 BIG-IP

F5 has published a security advisory warning of a high-severity flaw in iControl SOAP. The format string vulnerability could be exploited to crash the iControl SOAP CGI process or execute arbitrary code. The vulnerability affects F5 BIG-IP versions 17.0.0; 16.1.2.2 - 16.1.3; 15.1.5.1 - 15.1.8; 14.1.4.6 - 14.1.5; and 13.1.5. Fixes are not yet available.

Editor's Note

F5 has released an engineering hotfix, available from their downloads site. Before deploying the hotfix, read and understand the caveats relating to how to return to a mainstream release of F5 BIG-IP (see their KB55025573: Engineering hotfix installation overview). Alternatively, there is a workaround which limits the iControl SOAP message traffic, but this will prevent adding new devices to a device trust.

Lee Neely

Internet Storm Center Tech Corner

Rotating Packet Captures with pfSense

https://isc.sans.edu/diary/Rotating+Packet+Captures+with+pfSense/29500

Detecting Malicious OneNote Files

https://isc.sans.edu/diary/Detecting+Malicious+OneNote+Files/29494

DShield Honeypot Setup with pfSense

https://isc.sans.edu/diary/DShield+Honeypot+Setup+with+pfSense/29490

BEC Group Incorporates Secondary Impersonated Personas

https://intelligence.abnormalsecurity.com/blog/firebrick-ostrich-third-party-reconnaissance-attacks

MalVirt .Net Virtualization Thrives in Malvertising Attacks

https://www.sentinelone.com/labs/malvirt-net-virtualization-thrives-in-malvertising-attacks/

Cisco Remote Code Execution with Persistence

https://www.trellix.com/en-us/about/newsroom/stories/research/when-pwning-cisco-persistence-is-key-when-pwning-supply-chain-cisco-is-key.html

Microsoft Defender Device Isolation for Linux

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/announcing-device-isolation-support-for-linux/ba-p/3676400

SH1MMER Exploit for Chromebooks (new domain)

https://thehackernews.com/2023/02/new-sh1mmer-exploit-for-chromebook.html

DOMPDF SVG Parsing Vulnerability

https://github.com/dompdf/dompdf/security/advisories/GHSA-3cw5-7cxw-v5qg

Threat Actors Abusing Microsoft's "Verified Publisher" Status

https://www.proofpoint.com/us/blog/cloud-security/dangerous-consequences-threat-actors-abusing-microsofts-verified-publisher

PoS Malware Can Block Contactless Payments

https://securelist.com/prilex-modification-now-targeting-contactless-credit-card-transactions/108569/

Detecting Files Exempt from Anti Malware Scans

https://github.com/bananabr/TimeException