SANS NewsBites

Business Use of Twitter Needs Strong Authentication; Make Sure Your Hosting Provider Has Not Been Compromised; Prioritize Patching Fortinet and SolarWinds Software

February 21, 2023  |  Volume XXV - Issue #15

Top of the News


2023-02-20

Twitter Eliminates SMS 2FA for Non-Paying Users

Twitter is eliminating SMS two-factor authentication (2FA) for users who do not subscribe to Twitter Blue. Customers have 30 days to choose a different form of 2FA: an authentication app or a physical security key. As of March 20, text message 2FA for non-Twitter Blue accounts will be disabled. The move has puzzled some experts, who wonder why Twitter would retain SMS 2FA, which Twitter itself acknowledges is being abused by bad actors, for its paying customers.

Editor's Note

Twitter has many years of “puzzling” behavior around security. In 2022 Twitter paid a $150M civil penalty because of “misrepresentation” of actions it was required to take because of privacy violations as far back as 2011. Also in 2022, former Twitter CISO Peiter “Mudge” Zatko testified to the US Senate Judiciary Committee about Twitter management’s refusal to deal with essential security hygiene issues and personnel issues. Under new ownership, Twitter has made moves that are only “puzzling” if you are looking for increases in security vs. increases in Twitter revenue and reduction of losses. Any business use of Twitter needs to be accompanied by dedicated brand awareness/security efforts to quickly detect misuse or compromise.

John Pescatore

This is more about finding additional ways to monetize Twitter as opposed to security. Yes, SIM swapping is a thing, but its successful use is incredibly small given the large-scale use of SMS as a second factor of authentication. The inconvenience [if one can call it that] of moving to a different second factor for authentication will likely drive users to Twitter Blue.

Curtis Dukes

When was the last time you looked at your accounts and made sure you had enabled any MFA options? Have you gone back to the ones using SMS to see if there is an alternative? Lastly, make sure you understand the recovery process, both for your account and your authentication app or device. Then test this when you have time for it to go wrong.

Lee Neely

Non-paying Twitter users are still able to use the arguably more secure authenticator app or token as a second factor.

Johannes Ullrich

There are better 2FA solutions available than SMS. However, to many users SMS 2FA is simple and easy to use. Removing SMS 2FA is very much a retrograde step which will leave many accounts more vulnerable as they either won’t pay for Twitter Blue or won’t adopt alternative MFA solutions such as apps due to their poor user experience and cumbersomeness. It will also be interesting to see how European data protection regulators will view this move by Twitter and if they will be of the opinion that this is weakening security for many accounts.

Brian Honan

Given the implication of passwords in breaches, we should be encouraging the use of strong authentication, not pricing it. One infers that this decision is not about security.

William Hugh Murray

2023-02-17

GoDaddy Discloses Multi-year Breach

In a filing with the US Securities and Exchange Commission (SEC), domain registrar and web hosting services provider GoDaddy disclosed a breach that resulted in multiple customer websites being intermittently redirected to other domains. GoDaddy “discovered that an unauthorized third party had gained access to servers in [their] cPanel shared hosting environment and installed malware causing the intermittent redirection of customer websites.” The intruders had access to the GoDaddy network for several years; two breaches that were disclosed earlier (in March 2020 and November 2021) are likely part of this multi-year campaign.

2023-02-20

Fortinet Security Updates Fix 40 Vulnerabilities

Fortinet has released security updates to address 40 vulnerabilities in various products, including FortiWeb, FortiOS, FortiNAC, and FortiProxy. Two of the vulnerabilities are rated critical: an external control of file name or path vulnerability [CWE-73] in FortiNAC web server and multiple stack-based buffer overflow vulnerabilities [CWE-121] in FortiWeb's proxy daemon.
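The two critical Fortinet issues are classic C weakness classes rather than anything exotic, and they are worth recognising in your own code review. The following is an added illustration of CWE-121 (stack-based buffer overflow) and CWE-73 (external control of file name or path) in the generic form they usually take in a web or proxy daemon, each beside a hardened version. It is not Fortinet's code and says nothing about how the FortiWeb or FortiNAC bugs actually work; the buffer sizes, `WEB_ROOT`, and function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN 64
#define WEB_ROOT "/var/www/html"   /* constructed root directory for the example */

/* Bounded strlen without relying on the POSIX-only strnlen(). */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0') n++;
    return n;
}

/* CWE-121 pattern: an attacker-controlled header value is copied into a
 * fixed-size stack buffer with no length check. Shown only for contrast;
 * never call it with untrusted input. */
static void parse_header_unsafe(const char *value) {
    char buf[BUF_LEN];
    strcpy(buf, value);            /* overflows once strlen(value) >= BUF_LEN */
    printf("header: %s\n", buf);
}

/* Hardened form: bound the copy to the destination and reject oversized
 * input outright instead of silently truncating (truncation itself can
 * create parsing inconsistencies downstream). Returns 0 on success, -1 if
 * the value does not fit including its terminating NUL. */
int parse_header_safe(const char *value, char *out, size_t out_len) {
    size_t n = bounded_len(value, out_len);
    if (n == out_len) return -1;
    memcpy(out, value, n + 1);
    return 0;
}

/* CWE-73 pattern: the file name comes straight from the request, so
 * "../../etc/passwd" walks out of WEB_ROOT. */
static FILE *open_unsafe(const char *name) {
    char path[512];
    snprintf(path, sizeof path, "%s/%s", WEB_ROOT, name);
    return fopen(path, "r");
}

/* Hardened form: allow-list the characters of a single path component,
 * refuse anything starting with '.' (".", "..", dotfiles) and refuse
 * separators, then build the path under a fixed root. Returns 0 on
 * success, -1 on rejection; on success `out` holds the full path. */
int build_path_safe(const char *name, char *out, size_t out_len) {
    size_t n = bounded_len(name, 256);
    if (n == 0 || n == 256) return -1;   /* empty or absurdly long */
    if (name[0] == '.') return -1;       /* blocks ".", "..", ".htaccess" */
    for (size_t i = 0; i < n; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
        if (!ok) return -1;              /* rejects '/', '\\', '%', spaces, ... */
    }
    int w = snprintf(out, out_len, "%s/%s", WEB_ROOT, name);
    if (w < 0 || (size_t)w >= out_len) return -1;
    return 0;
}

int main(void) {
    char hdr[BUF_LEN], path[512];
    parse_header_unsafe("short-and-harmless");          /* fits; only here to show the pattern */
    printf("safe header: %d\n", parse_header_safe("Host: example.com", hdr, sizeof hdr));
    printf("safe path:   %d\n", build_path_safe("index.html", path, sizeof path));
    printf("traversal:   %d\n", build_path_safe("../etc/passwd", path, sizeof path));
    FILE *f = open_unsafe("index.html");                 /* constructed call; file need not exist */
    if (f) fclose(f);
    return 0;
}
```

The allow-list approach deliberately rejects subdirectories; if your application needs them, canonicalise with `realpath()` after joining and check that the result still has `WEB_ROOT` as a prefix, rather than trying to filter every encoding of `..` on the way in.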

2023-02-17

SolarWinds Releases Security Advisories; Fixes Will be Available Within the Next Week

SolarWinds has published advisories for six vulnerabilities affecting the SolarWinds Platform; five of the flaws are deserialization of untrusted data issues, and the sixth is a directory traversal flaw. SolarWinds says the vulnerabilities will be addressed in SolarWinds Platform 2023.1, which is scheduled for release by the end of this month.

The Rest of the Week's News


2023-02-17

FBI Discloses Cybersecurity Incident

The US Federal Bureau of Investigation (FBI) says it has contained a cybersecurity incident affecting a system at its New York field office. The FBI says it is investigating the matter and “does not have further comment to provide at this time.”

Editor's Note

Nobody is immune from compromise. This incident is restricted/contained; depending on the root cause, recurrence may be prevented. You should verify your exercises include containment scenarios for multiple incident types, as well as disclosure requirements. While pertinent information must be included in your SEC filing, delaying disclosure until then is not consistent with current transparency expectations customers now demand.

Lee Neely

Computer forensics are most often done on a stand-alone network with no connectivity to other enterprise networks. If this turns out to be the source of the incident, then it is easily contained and remediated. We should know more in the coming days.

Curtis Dukes

2023-02-20

UK Plans Updates to Computer Misuse Act

The British government is conducting a review of the Computer Misuse Act of 1990. Response to the public consultation includes concerns that the law does not do enough to protect legitimate security researchers from prosecution. The government plans to include provisions that would give it the authority to seize IP addresses associated with cybercrime, to require organizations to retain data, and to criminalize possession of stolen data.

2023-02-20

VA Postpones Oracle Cerner EHR Rollout in Ann Arbor

The US Department of Veterans Affairs (VA) has postponed the deployment of the Oracle Cerner electronic health records (EHR) platform at its Ann Arbor (Michigan) Healthcare System. According to an internal email, the decision to delay rolling out the platform was due to concerns about how it would interact with existing medical research systems. The EHR launch in Ann Arbor was initially set for July 2023; now it will be delayed until late this year or early 2024.

2023-02-20

Outlook Users Reporting Spam in Inboxes

Some Microsoft Outlook users have been reporting that their inboxes are being inundated with spam, raising speculation that Outlook’s spam filters are not functioning. Microsoft’s service status page indicates that everything is up and running. Microsoft has not yet commented publicly about the spam issue.

2023-02-20

Norwegian Police Recover Virtual Currency Stolen from Axie Infinity

Norwegian law enforcement authorities have seized 60m NOK (about $5.8m) worth of virtual currency that was stolen from the Axie Infinity Ronin Bridge last March. US authorities managed to seize $30m of the funds in September.

Internet Storm Center Tech Corner

OneNote Suricata Rules

https://isc.sans.edu/diary/OneNote%20Suricata%20Rules/29564

Phishing Emails to our Handlers' Inbox

https://isc.sans.edu/diary/Spear+Phishing+Handlers+for+UsernamePassword/29560

New IIS Backdoor

https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/frebniis-malware-iis

Fortinet Updates

https://www.fortiguard.com/psirt-monthly-advisory/february-2023-vulnerability-advisories

https://twitter.com/Horizon3Attack/status/1626692778062237713

Outlook Spam

https://www.bleepingcomputer.com/news/microsoft/microsoft-outlook-flooded-with-spam-due-to-broken-email-filters/

GoDaddy Breach and Website Redirects

https://aboutus.godaddy.net/newsroom/company-news/news-details/2023/Statement-on-recent-website-redirect-issues/default.aspx

Twitter Alters 2FA

https://blog.twitter.com/en_us/topics/product/2023/an-update-on-two-factor-authentication-using-sms-on-twitter

Cisco ClamAV Patches

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-clamav-q8DThCy