SANS NewsBites

Important Zero Day Updates for All iOS Devices; Check and Test Your DDoS Defenses; Use High Profile Twitter Account Takeover to Drive Authentication Upgrade

February 14, 2023  |  Volume XXV - Issue #13

Top of the News


2023-02-13

Apple Updates Include Fix for iOS Zero-day

On Monday, February 13, Apple released fixes for multiple products, including iOS, macOS, Safari, iPadOS, tvOS, and watchOS. The updates for iOS and iPadOS 16.3.1 and macOS 13.2.1 address an actively exploited arbitrary code execution flaw in WebKit/Safari.

Editor's Note

The 0-day vulnerability is part of "WebKit". WebKit is Apple's open source browser engine that is included in other browsers as well. In addition to the WebKit problem, Apple fixed a privilege escalation issue. This privilege escalation issue could be used to escape the browser sandbox and gain full system access after executing code via the WebKit vulnerability.

Johannes Ullrich

Apple reports this is being actively exploited. Given that Apple just released 16.3 (and we’re all still getting that rolled out), I’d treat this as a zero-day fix and pause 16.3 to push this instead.

Lee Neely

The Apple security notice is vague; however, it mentions remote code execution at the kernel level and being actively exploited in the wild. It’s not very easily understood yet how reliable or complex the exploit is to re-create, but you should patch it now as it’s actively exploited. There were a couple of reports that Google Photos was not working when the iPhones were patched, but with my own devices, that has not manifested itself. It also takes a long time for this update to go through on both MacOS and certain phones, so expect a good amount of downtime. On MacOS, something like 20-25 minutes on the most recent Intel MacBook Pro seems to be the case.

Moses Frost

2023-02-13

Cloudflare Blocks 71M rps DDoS

Cloudflare says it has blocked a distributed denial-of-service (DDoS) attack that peaked at between 50 and 70 million requests per second (rps), at one point reaching 71 million rps. Cloudflare says that the attack “is the largest reported HTTP DDoS attack on record.” The record-breaking DDoS was just one of dozens of DDoS attacks over the weekend.

Editor's Note

A lot of questions will surround this one as the number of requests per second (RPS) is 70 million, which is very large for TCP-based attacks. In the past, the largest DDoS attacks were made possible via amplification over UDP. We are not at the moment where this is possible with HTTP, as HTTP/2 is still a TCP-based session. It’s fairly difficult in the blog post from Cloudflare to understand the implications here, but it would stand to reason these are compromised hosts in cloud providers that are causing the attack. Cloudflare is offering ISPs (or maybe cloud providers themselves) a threat list to use. It’s smart to give it away for free as mitigating these large-scale attacks is probably costly on their infrastructure.

Moses Frost

DDoS attacks are hitting everyone. Check your logs to see if you’ve been affected. Then go back to service providers to make sure they are stopping them as agreed, or if they are slipping through. If you have staff or friends with advertised services on their home networks, they should also double check. Then talk to their ISP about prevention. Hopefully the only impact seen is interrupting streaming services.

Lee Neely
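The "check your logs" advice above is easy to act on with a few lines of code. The following is an added example (not from NewsBites, Cloudflare, or the editor quoted above): it parses web server lines in the common combined log format, buckets requests into one-second windows, and reports any second whose request rate exceeds a baseline you supply, together with the sources contributing most to it. The log lines are constructed inline so the script runs offline; the threshold, IP addresses and paths are made up for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# nginx/Apache "combined" format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (ip, datetime, request, status) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def find_floods(lines, threshold_rps):
    """Bucket requests per second and return every second above threshold_rps.

    Each result is {"second": ISO timestamp, "rps": count, "top_sources": [(ip, n), ...]}
    so an analyst can see both when the spike happened and who drove it.
    """
    per_second = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:  # skip unparseable lines instead of aborting the run
            continue
        ip, ts, _, _ = parsed
        per_second[ts.replace(microsecond=0)][ip] += 1

    floods = []
    for second in sorted(per_second):
        sources = per_second[second]
        rps = sum(sources.values())
        if rps > threshold_rps:
            floods.append({
                "second": second.isoformat(),
                "rps": rps,
                "top_sources": sources.most_common(3),
            })
    return floods


def build_sample_log():
    """Constructed sample (not real traffic): five seconds of ordinary traffic at
    2 req/s from distinct clients, then one second in which three clients send
    60 requests between them, plus one malformed line."""
    base = datetime(2023, 2, 13, 10, 0, 0, tzinfo=timezone.utc)

    def fmt(ip, t, path):
        return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/2.0" 200 512'

    lines = []
    for s in range(5):
        t = base + timedelta(seconds=s)
        lines.append(fmt(f"192.0.2.{s + 1}", t, "/index.html"))
        lines.append(fmt(f"198.51.100.{s + 1}", t, "/about"))
    burst = base + timedelta(seconds=5)
    noisy = ["203.0.113.7", "203.0.113.8", "203.0.113.9"]  # constructed addresses
    for i in range(60):
        lines.append(fmt(noisy[i % 3], burst, "/"))
    lines.append("this line is deliberately malformed and is skipped")
    return lines


if __name__ == "__main__":
    # Baseline of 10 rps is an assumption for the sample; derive yours from normal days.
    for hit in find_floods(build_sample_log(), threshold_rps=10):
        print(f'{hit["second"]}: {hit["rps"]} req/s, top sources {hit["top_sources"]}')
```

Run it against a real access log by replacing build_sample_log() with open(path) and a threshold taken from your own quiet-day numbers; a single second far above baseline dominated by a handful of sources is the pattern to take back to your provider.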

2023-02-04

US Cyber Ambassador’s Twitter Account Hacked

Nathaniel Fick, the US’s first “ambassador-at-large” for cyberspace and digital policy, Tweeted last week that his personal Twitter account had been hacked.

Editor's Note

This is a good one to show to CEOs and boards to reinforce that they are also likely targets. “Hacking” a Twitter account usually means that the person’s email address and password were obtained in some other breach and the bad guys tried that combination on Twitter. Remind them (or do it for them) how to do a “Have I been pwned?” check and when the answer is yes (as it always is) what to do from there – ideally move to 2FA, minimum change the password.

John Pescatore
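The “Have I been pwned?” check mentioned above comes in two forms: the breached-account lookup (which needs an API key) and the Pwned Passwords range API, which is free and uses k-anonymity so the password never leaves the machine. The block below is an added example, not code from NewsBites or from Have I Been Pwned: it implements the range protocol (send the first five hex characters of the SHA-1, compare the remaining 35 locally). A constructed stand-in response is embedded so it runs offline; the breach count and the extra suffixes in that stand-in are made up, and only the SHA-1 of the string "password" is real.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; no API key required


def split_hash(password):
    """SHA-1 the password (upper-case hex) and split it into the 5-character
    prefix that is sent to the API and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_live(prefix):
    """Query the real service for one prefix. Add-Padding asks the server to pad
    the response so its size does not reveal how many suffixes share the prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range_live):
    """Return how many times the password appears in the corpus (0 = not found).
    Response lines look like SUFFIX:COUNT; padding entries carry a count of 0."""
    prefix, suffix = split_hash(password)
    for line in fetch(prefix).splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        found_suffix, count = line.split(":", 1)
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


# Constructed stand-in for the API so the example runs offline (not real data).
# The first suffix is the genuine SHA-1 tail of "password"; its count is invented.
FAKE_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0123456789ABCDEF0123456789ABCDEF012:2",
        "F" * 35 + ":0",  # the kind of padding entry Add-Padding produces
    ]),
}


def fake_fetch(prefix):
    """Offline replacement for fetch_range_live."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ["password", "example-unique-passphrase-9f3a"]:
        n = pwned_count(pw, fetch=fake_fetch)
        verdict = f"seen {n} times, change it" if n else "not in the constructed sample"
        print(f"{pw!r}: {verdict}")
```

Swap fake_fetch for the default fetch_range_live to query the real service; the only data that ever leaves the host is the five-character prefix, which is why this check is safe to build into a password-change workflow.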

This isn’t just a thought exercise: make sure you’re enabling whatever strong authentication options are available, not just for high visibility accounts like this but also personal ones. Those are going to be targeted to see if a trust relationship with the visible account can be exploited. Make sure you’re not overlooking abandoned accounts which you never got around to canceling. Ring up those in your organization with these types of accounts and make sure they understand this and know you’re looking out for them, just in case something got lost in translation.

Lee Neely

Let this be a reminder to all of us that good cybersecurity hygiene means more than bank accounts and email!

Christopher Elgee

Twitter offers optional MFA. One wonders if he was using it.

William Hugh Murray

The Rest of the Week's News


2023-02-10

Multiple US and Korean Agencies Issue Joint Cybersecurity Alert

The US Cybersecurity and Infrastructure Security Agency (CISA), the US National Security Agency (NSA), the US Federal Bureau of Investigation (FBI), the US Department of Health and Human Services (HHS), the Republic of Korea (ROK) National Intelligence Service (NIS), and the ROK Defense Security Agency (DSA) have issued a joint alert detailing the tactics, techniques, and procedures (TTPs) North Korean state-sponsored ransomware groups are using to attack the public health sector and other sectors of critical infrastructure.

Editor's Note

Lots of useful stuff you can leverage in this alert. Ingest the included IOCs, then run through the mitigations. Even if you don’t think you’re a target, they are good cyber practices to help you keep the bar raised.

Lee Neely

It's good to see nations band together to jointly develop and publish guidance on ransomware gangs. While the alert calls out the tactics and techniques employed by a state-sponsored actor, they are virtually the same as those employed by other ransomware gangs. A primary defensive focus should be on ensuring that known vulnerabilities have been patched as part of your vulnerability management process. Let’s deny the cybercriminal initial access and the ability to escalate privileges on the network.

Curtis Dukes

This appears to align with the DPRK’s intention to continue to fund its military by using funding sources that evade sanctions. They have just made a huge show of force with a large military parade touting the most ICBMs we have seen so far. It makes sense for Korea and the US to focus on cutting off the funding source, which is not only crypto and ransomware but other illicit activities.

Moses Frost

2023-02-13

Malware Takes Screenshots

Proofpoint Threat Research has detected malware that takes screenshots of infected devices. The screenshot malware is the first stage of the attack: it appears to be used to determine whether additional malware should be sent to the infected device. The campaign has been targeting organizations in the US and Germany since October 2022; the initial infection has been made through a malicious attachment or URL in email.

2023-02-11

CISA Adds Three Items to Known Exploited Vulnerability Catalog

On Friday, February 10, the US Cybersecurity and Infrastructure Security Agency (CISA) added three vulnerabilities to its Known Exploited Vulnerabilities catalog. The flaws are a denial of service vulnerability in the Ethernet Diagnostics Driver for Windows; a remote command execution vulnerability in TerraMaster OS; and a remote code execution vulnerability in GoAnywhere MFT. All three have mitigation deadlines of March 3, 2023.

Editor's Note

All three have updates from the vendor. This makes it a bit easier. The bad news is the Windows driver update comes from Intel, not Microsoft, so it’s not in your monthly patch bundle. While you’re looking at your TNAS devices, make sure they’re not directly exposed to the Internet. NAS devices are like candy to attackers; don’t make it any easier than it has to be.

Lee Neely

2023-02-13

California Healthcare Provider’s Network Breach Affects 3.3 Million People

California’s Regal Medical Group reported a breach affecting more than 3.3 million individuals to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR). The breach occurred on December 1, 2022 and was detected a week later. Regal has begun sending breach notification letters to affected people to let them know that their personally identifiable information (PII) and protected health information (PHI) were compromised.

Editor's Note

It appears that Regal Medical Group met the HIPAA requirement to inform patients within 60 days of possible data exposure. I agree: organizations should be afforded time to investigate the cyber breach. But given the speed with which they detected and responded to the attack, the prudent thing would have been to send out victim notification letters sooner. You’re basically giving the adversary 60 days to use or sell the illegally obtained PII and PHI.

Curtis Dukes

2023-02-10

Oakland, California Government Hit by Ransomware

On Friday, February 10, a spokesperson for the city of Oakland, California, said the city’s government was experiencing an ongoing ransomware attack. The city took systems offline as a precautionary measure. Fire and emergency services appear not to be affected.

Editor's Note

Good example of a city seeming to be well prepared to make the decision whether to disconnect or not, and how to keep critical services running while back-office systems are offline and being evaluated by a third party. Other cities of similar size should check to see if they have the plans in place and tested to have the same quality of reaction.

John Pescatore

Since the beginning of the pandemic, we have seen an increase in ransomware attacks across every industry vertical, including government. In response, industry best practices on how to protect against attack have been published. Once you’re a victim of a ransomware attack, it’s too late to start developing a response plan. The plan should have already been developed and periodically practiced.

Curtis Dukes

2023-02-13

Cyberattack Downs Philadelphia Orchestra Website

The Philadelphia Orchestra and its home performance facility, the Kimmel Center, are reporting that their ticketing system is unavailable due to a cyber incident. A temporary web portal for ticket sales has been set up. The attack began on February 9.

Internet Storm Center Tech Corner

Apple Patches Exploited Vulnerability

https://isc.sans.edu/diary/Apple+Patches+Exploited+Vulnerability/29544

Venmo Phishing Abusing LinkedIn "slink"

https://isc.sans.edu/diary/Venmo+Phishing+Abusing+LinkedIn+slink/29542/

Obfuscated Deactivation of Script Block Logging

https://isc.sans.edu/diary/Obfuscated+Deactivation+of+Script+Block+Logging/29538

PCAP Data Analysis with Zeek

https://isc.sans.edu/diary/PCAP+Data+Analysis+with+Zeek/29530

Malicious PyPi Packages Install Browser Extensions

https://blog.phylum.io/phylum-discovers-revived-crypto-wallet-address-replacement-attack

More Malicious Python Packages

https://blog.sonatype.com/malicious-aptx-python-package-drops-meterpreter-shell-deletes-netstat

Bing Chat Prompt Injection

https://arstechnica.com/information-technology/2023/02/ai-powered-bing-chat-spills-its-secrets-via-prompt-injection-attack/