SANS NewsBites

CISA, FBI Provide Tool for VMware Recovery from Ransomware; Attacks Against Unpatched ESXi Get More Sophisticated; Microsoft Upgrades Bing and Edge with AI Capabilities

February 10, 2023  |  Volume XXV - Issue #12

Top of the News


2023-02-08

CISA and FBI Offer Guidance for ESXiArgs Ransomware Virtual Machine Recovery

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint security alert providing guidance on ESXiArgs ransomware virtual machine recovery. CISA has released a recovery script; the security alert offers guidance on using that script.

Editor's Note

Great move by CISA to provide the recovery script. The sad part is that this doesn't come from VMware. It also appears to be easier to create a script to recover from ransomware vs. a script to patch systems.

Johannes Ullrich

First off, make sure that your ESXi management interface is not exposed to the Internet. Second, make sure that you're on the latest version of ESXi and, third, make sure that you've disabled the Service Location Protocol (SLP), which is a target for this attack. If you've been attacked, work on the recovery before upgrading. Some organizations have been able to recover their VMs with the recovery script and not pay the ransom. It's worth a shot, particularly if you image the datastore first. CISA and the FBI would like you to report any discovered attacks to help their response efforts. Read the guidance for artifacts you should preserve.

Lee Neely

As CISA and the FBI point out: make sure you have skilled staff that can use this tool safely. If you do, once they are done put them to work making sure you don’t have other 2-year-old missing patches or obsolete versions of software running exposed on critical business networks.

John Pescatore

2023-02-09

ESXi Attackers Raise the Stakes

The hackers behind the recent ransomware attacks against VMware ESXi hypervisor have reportedly modified the malware in a way that makes it more difficult for victims to use available decryption tools. A modified encryption routine encrypts a significantly larger amount of data.

Editor's Note

Of course they improve. On the other hand, all exposed vulnerable systems have been hit. If you still haven't noticed and taken basic countermeasures: Do you really need that VMware server?

Johannes Ullrich

This is a cat and mouse game. This new attack seems to both encrypt 50% of the data (of files over 128 MB) and leverage a new attack vector. The new ransom note no longer has the bitcoin address, but instead asks victims to contact them via Tox (a peer-to-peer instant message protocol) for the crypto wallet to send payment. This is likely due to investigators collecting the prior wallet addresses and tracking activity. The target is still your ESXi hypervisor, so having it updated and not exposed to the Internet still matters. And while this attack appears to bypass SLP, you still want that service disabled, as well as the SSH daemon (except when you're actively using it; then turn it back off). Existing decryptors will have to be updated to handle the increase in encrypted data.

Lee Neely

The old adage “prevention is better than the cure” really applies when it comes to ransomware. So while scripts like this one produced by CISA are very welcome to help those who become victims of a ransomware attack, I urge everyone to ensure they read the CISA guidance on preventing ransomware (https://www.cisa.gov/stopransomware/ransomware-guide) or that provided by the Europol NoMoreRansom project (https://www.nomoreransom.org/en/prevention-advice.html).

Brian Honan

The good news is that both security researchers and the Government have created automated scripts to recover the encrypted files. The bad but not unexpected news is that the adversary, or adversaries, have changed their techniques, tactics, and procedures in malware execution. Costs to recover, if possible, will certainly rise. Company leadership and Boards should refer to this event as they balance the economics of updating vs. cost in recovery and clean-up.

Curtis Dukes

2023-02-09

Microsoft Launches New AI-Powered Bing and Edge

Microsoft has announced its new OpenAI-powered Bing search engine and Edge browser. The new Bing is currently available in limited preview on desktop; the preview will become more widely available over the next few weeks. Microsoft also plans to release a mobile preview version of AI-powered Bing. Google and Baidu have announced their intentions to launch ChatGPT competitors.

Editor's Note

Since Google built a $238B business around free search, the commercial battlefield for the current wave of AI hype is around making search return answers to questions rather than just lists of places to look. So, think of the Shodan IoT discovery search engine being able to answer questions like “How can I break into the Acme Healthcare/Smart Parking Meter/Burglar Alarm/etc. monitoring network of devices?”

John Pescatore

This "rise of the machines" is going to affect the workforce far beyond "cyber." As a college, SANS.edu has just drafted a first policy to allow students to integrate machine learning and artificial intelligence tools into their research papers. These technologies are already affecting us more than we realize.

Johannes Ullrich

Microsoft is leveraging the partnership with OpenAI to tell Google users, in effect, hold my beer. Google is poised to strike back with Bard, their AI-powered conversational bot. Heck, even Chinese search engine Baidu is getting into the act with their upcoming "Ernie Bot" (文心一言) in March. While this is a far cry from the age-old office-assistant "Clippy," the question remains whether these AI bots will be useful, or whether they will retain ChatGPT's propensity to be chatty and sometimes seemingly make up answers.

Lee Neely

The Rest of the Week's News


2023-02-09

NIST Announces Choice for Lightweight Cryptographic Standard

The US National Institute of Standards and Technology (NIST) has selected the Ascon cryptographic algorithms to be its lightweight cryptographic standard. Lightweight cryptography algorithms need to be powerful enough to protect small Internet of Things (IoT) and other lightweight devices with limited computational resources.

Editor's Note

It is a very important move by NIST to recognize that IoT devices with limited hardware capabilities need different encryption standards. Ascon appears to be a solid choice. But also remember that weak or missing encryption is just one of many security issues hurting IoT users. Encryption issues rank far below vulnerabilities like default passwords, outdated software components and the inability to efficiently upgrade IoT devices.

Johannes Ullrich

There is a definite need for data encryption on a wide range of devices. While the phrase “lightweight cryptography” gives me pause, much the way “healthy fried food” does, the public process NIST uses for this has a good track record. Start by informing all device suppliers that security and privacy are important criteria for all future procurements.

John Pescatore

Get ready to add Ascon to your cryptographic lexicon. While some encryption is available in hardware, such as AES, having a lightweight option that can fit within the resources of IoT devices makes it all that easier to incorporate without impact to performance or price point. There are seven members of the Ascon family. Keep an eye on solutions in authenticated encryption with associated data (AEAD), which will help better secure vehicle and RFID communications. While these show promise of raising the bar for IoT security, consumer education will be needed to drive demand for adoption and selection of products with increased security.

Lee Neely

Defining the US national standard for lightweight cryptography has been many years in the making. Unfortunately, it will be of little use for the billions of IoT devices in use today.

Curtis Dukes

In order to be useful and efficient, cryptographic algorithms need only raise the cost of attack to a point greater than the value of success. One must be sure to use them only for the intended application and environment.

William Hugh Murray

2023-02-08

Toyota Fixes Hole in Supply Chain Web Portal

Toyota has fixed a vulnerability in the Toyota Global Supplier Preparation Information Management System (GSPIMS) Web portal that allowed a security researcher to gain access to corporate and partner accounts, and other sensitive data. GSPIMS is used by Toyota employees and suppliers to coordinate supply chain tasks. The researcher notified Toyota about the backdoor login flaw in November 2022.

Editor's Note

Another example that supply chain security isn’t just about suppliers, it is also about the security of portals that the big guys require their suppliers to use. Since in most cases suppliers have no choice, use this one as an example to your Chief Legal Counsel to make sure you have some form of liability coverage or limitation.

John Pescatore

A good use case for enterprises to review the network security architecture that supports their supply chain. APIs are prevalent in most web applications and consequently are often an attack vector used for initial access. The Open Web Application Security Project (OWASP) regularly publishes mitigation guidance against the top security concerns. Implement OWASP's recommendations as part of your software development process.

Curtis Dukes

Recall the flaw was that Toyota's GSPIMS system was generating JWTs based solely on email, not on a validation process. While Toyota has addressed the shortfall, the question is: are you properly generating tokens used for trust relationships, or are you assuming that the generation and use points of the tokens are secure enough to not warrant verification? Yeah, it's a hard question to ask, and the developers are going to hurt your head explaining (don't hate on them, we still love them), so use the Toyota example to make your case and have them step back and consider whether their assumptions are still correct. Don't forget to ask them to consider the impact of distributed/cloud or ZTA changes in the environment.

Lee Neely
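The issuance flaw described in the note above, as an added illustration that is not part of the newsletter or Toyota's code: a stdlib-only HS256 JWT minter where the insecure path signs a token for whatever email the request supplies, the hardened path signs only after credentials are checked, and a verifier shows that a valid signature alone cannot catch the issuance mistake. The secret, user store and password hashing are constructed for the demo (plain SHA-256 stands in for a real password hash).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values; assumptions for this example only.
SECRET = b"demo-signing-key-not-for-production"
USERS = {"alice@example.com": hashlib.sha256(b"correct horse").hexdigest()}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> str:
    return _b64url(hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest())


def _mint(email: str, ttl: int = 3600) -> str:
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": email, "exp": int(time.time()) + ttl}).encode())
    return f"{header}.{payload}.{_sign(f'{header}.{payload}')}"


def issue_token_insecure(email: str) -> str:
    # Flawed pattern: identity comes straight from the request, no credential check,
    # so anyone who knows a valid email receives a correctly signed token for it.
    return _mint(email)


def issue_token(email: str, password: str) -> Optional[str]:
    # Hardened pattern: the token is minted only after the caller proves the identity.
    stored = USERS.get(email)
    presented = hashlib.sha256(password.encode()).hexdigest()
    if stored is None or not hmac.compare_digest(stored, presented):
        return None
    return _mint(email)


def verify_token(token: str) -> Optional[dict]:
    # Consumers check signature and expiry; note this passes for insecurely issued
    # tokens too, because the signature is genuine. Issuance must be fixed at the source.
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if not hmac.compare_digest(sig, _sign(f"{header}.{payload}")):
        return None
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) < time.time():
        return None
    return claims
```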

2023-02-08

SonicWall Warns of Web Content Filtering Limitation

SonicWall has published a security advisory warning that they “have identified an inconsistency in Capture Client Windows 3.7.6 and older clients on endpoints running Windows 11 version 22H2 … result[ing] in Web Content Filtering (WCF) policies that enforce blocked categories to be no longer effective on impacted endpoints.” SonicWall says the issue will be addressed in Capture Client 3.7.7 for Windows, which is scheduled to be released on February 17.

Editor's Note

One of the challenges with endpoint protection products is tight integration with OS features. In this case Microsoft's changes to the CryptoAPI released in Windows 11 22H2 break the SonicWall Content Capture product. SonicWall is releasing an update February 17th, and patch Tuesday is the 14th, so you may want to pause on pushing the 22H2 update until after you've deployed the 3.7.7 client, or accept the risk for your Windows 11 user base with this product not doing content filtering until after the Capture Client update is deployed, which may be a better plan.

Lee Neely

2023-02-08

US House Bill Would Impose 24-Hour Breach Reporting Deadline for Grid Operators

A US legislator plans to introduce a bill that would require power grid operators to notify the Department of Energy (DoE) of cyber incidents within 24 hours of their detection. The Critical Electric Infrastructure Cybersecurity Incident Reporting Act would give DoE the responsibility of establishing guidelines for determining which incidents must be reported and for establishing ways for the operators to report the incidents.

Editor's Note

The problem is consistency. The Critical Infrastructure Act of 2022 set the reporting interval at 72 hours, which may be a bit long for critical infrastructure, and having new legislation now saying 24 hours is likely to confuse operators without clear definitions about which timeline applies. Even then, you may not be prepared to report that quickly. Now is the time to make sure you are aware of the criteria applied to your organization and what you need to do to meet existing reporting requirements, then look at how you would implement a shortened window. It's better to have that worked out before regulators come knocking.

Lee Neely

On the face of it 24 hours seems like a relatively short time for critical infrastructure operators to provide specifics on cyber breaches. The reality is that national news reporting will have already picked up on the power grid outage. It doesn’t matter whether the outage is the result of equipment failure, physical attack [most recent outages in both North Carolina and Washington] or cyberattack—it will make the 24-hour news cycle. The draft bill does provide flexibility in allowing the Department of Energy to define specifics on what incidents require reporting to the federal government. That said, at a minimum we should at least be consistent in both cyber breach reporting requirements (24 – 72 hours) and responsibility for establishing reporting guidelines (DoE – DHS).

Curtis Dukes

Many attacks against the grid, e.g., ransomware, will announce themselves. The interesting breaches are those that are quiet, undetected, that are intended for exploitation in the future, during times of conflict.

William Hugh Murray

2023-02-08

Multiple Vulnerabilities in Document Management Systems

Researchers from Rapid7 have found multiple vulnerabilities in document management systems from ONLYOFFICE, OpenKM, LogicalDOC, and Mayan. All eight of the vulnerabilities are due to improper neutralization of input during web page generation and can be exploited through cross-site scripting attacks.

Editor's Note

If you're using one of these document management systems, there is not a fix yet, so you need to exercise caution with actions that allow for exploitation, such as importing documents from untrusted sources, as well as creation of anonymous/untrusted users. Lastly, limit features such as user tagging and chats. There is no indication as to when a patch will be developed at this time. I heard that eyeroll from some of you; look at this as another chance to make sure that your developers are properly sanitizing inputs (all of them) and you're not vulnerable to XSS attacks.

Lee Neely

2023-02-09

UK and US Sanction Trickbot and Conti Ransomware Group Members

The US Department of the Treasury’s Office of Foreign Assets Control and the UK’s Foreign, Commonwealth, and Development Office, National Crime Agency, and His Majesty’s Treasury, have jointly sanctioned seven individuals in connection with the Trickbot and Conti ransomware groups. The sanctions freeze the individuals’ assets held in the UK and the US, and bar people and organizations from conducting transactions with these individuals.

Editor's Note

Not only does this allow for their assets to be frozen and prohibit transactions by the rest of us with them, but also it means they can't obtain new accounts or services. A number of financial institution transaction and account services are tied to cross checking for these sanctions, which are in effect an outgrowth of prior terrorist activities. These sanctions apply equally to virtual and fiat currencies, and members of the virtual currency industry are responsible for following the sanctions. Read more in the OFAC virtual currency guidance brochure (https://home.treasury.gov/system/files/126/virtual_currency_guidance_brochure.pdf). If you have friends in the banking industry, ask them about the Bank Security Act (BSA) and OFAC and how this impacts them. They have to train on this annually.

Lee Neely

Global law enforcement and treasury departments have had a good couple of months. We’ve seen takedowns of cybercriminals, removal of ransomware infrastructure, and a focus on currency exchanges. Now they are sanctioning individuals associated with criminal ransomware gangs. Well done and keep going after those benjamins!

Curtis Dukes

Internet Storm Center Tech Corner

A Backdoor with Smart Screenshot Capability

https://isc.sans.edu/diary/A+Backdoor+with+Smart+Screenshot+Capability/29534

Simple HTML Phishing via Telegram Bot

https://isc.sans.edu/diary/Simple+HTML+Phishing+via+Telegram+Bot/29528

A Survey of Bluetooth Vulnerabilities Trends

https://isc.sans.edu/diary/A+Survey+of+Bluetooth+Vulnerabilities+Trends+2023+Edition/29522

Packet Tuesday: Most Frequent DNS Query ID / DNS Notify

https://www.youtube.com/watch?v=QgCuE_zKyMY

KeePass Patches Issue Allowing Password Export

https://keepass.info/news/n230109_2.53.html

AWS Phishing via Google Ads

https://www.sentinelone.com/blog/cloud-credentials-phishing-malicious-google-ads-target-aws-logins/

SonicWall Web Content Filtering on Windows 11 22H2

https://www.sonicwall.com/support/product-notification/limitation-with-web-content-filtering-on-windows-11-22h2/230208075107457/

Recovering from ESXiArgs Ransomware

https://www.cisa.gov/uscert/ncas/alerts/aa23-039a

NIST Standardizes Lightweight Cryptography

https://csrc.nist.gov/Projects/lightweight-cryptography

Apache Kafka Vulnerability

https://lists.apache.org/thread/vy1c7fqcdqvq5grcqp6q5jyyb302khyz

Google Chrome Release Changes

https://developer.chrome.com/blog/early-stable/

OpenSSL Vulnerabilities / Patches

https://www.openssl.org/news/secadv/20230207.txt

GoAnywhere MFT Patch Available (and PoC)

https://frycos.github.io/vulns4free/2023/02/06/goanywhere-forgotten.html

Qakbot Mechanizes Distribution of Malicious OneNote Notebooks

https://news.sophos.com/en-us/2023/02/06/qakbot-onenote-attacks/