SANS NewsBites

Snipping/Cropping Tools Expose Data; CISA Tool Useful for Securing Microsoft Services; Reminder to Check Your Supply Chain Security Processes

March 24, 2023  |  Volume XXV - Issue #24

Top of the News


2023-03-23

Acropalypse Bug Also Affects Windows Tools, Microsoft Testing Fix

The “acropalypse” bug, which allows partial recovery of original images from screenshots that have been cropped or redacted, has now been found to affect the Windows 11 Snipping Tool and Windows 10 Snip & Sketch tool. Acropalypse was initially detected in Google’s Markup screen editing tool for Pixel. Microsoft is reportedly testing an updated version of the Windows 11 Snipping tool to address the issue.

Editor's Note

I’m sure similar issues will now be found with lots of image, video and audio editing tools and applications. This bug points out there really is a developer mindset (“I can easily just move the IEND chunk to crop this data file” without thinking “and I need to delete the cropped data, too”) vs. a good tester methodology of “I wonder if I can still find any of the ‘cropped’ data.” This is why we see so much success from managed bug bounty programs even after 20 years of secure development life cycles and developer training.

John Pescatore

Practitioner's note: To demonstrate this in Windows, hit <Win><Shift>s to snag part of the screen. In the Snipping Tool itself, save that screen grab, and look at the size of the file. Now, in the Snipping Tool, use the Crop tool to cut off the bottom half of the image. Save it again with the same file name. The file size has not changed! Much of the original data is still present in the cropped file. You can mitigate this specific case by saving the cropped image with a new name (or wait for a patch).

Christopher Elgee
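The two notes above describe the same failure mode from two angles: the developer who "moves IEND" and the tester who checks whether the file size changed. The Python below is an added illustration, not code from the newsletter, from Microsoft, or from any of the tools linked in the Tech Corner. It builds a constructed PNG in memory (seeded pseudo-random pixels, not a real screenshot), models a cropped file being written over the start of the original without truncation, then walks the chunk list to count and strip whatever follows IEND. The chunk walker also verifies each CRC and lists chunk types, which is the same check you would run on a real file before publishing it. Function names are the example's own.

```python
import random
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(width: int, height: int, seed: int = 0) -> bytes:
    """Build a minimal, valid 8-bit RGB PNG in memory.

    Constructed sample data, not a real screenshot: pixel bytes come from a seeded
    PRNG so that IDAT does not compress away and file size scales with the image.
    """
    rng = random.Random(seed)
    rows = b"".join(
        b"\x00" + bytes(rng.getrandbits(8) for _ in range(3 * width))  # filter 0 + RGB
        for _ in range(height)
    )
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(rows)) + _chunk(b"IEND", b""))


def iter_chunks(data: bytes):
    """Yield (chunk_type, end_offset) for every chunk up to and including IEND.

    Verifies the signature and each chunk CRC; stops at IEND, so any bytes after
    it are never interpreted as chunks (exactly what an image viewer does).
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length = struct.unpack(">I", data[pos:pos + 4])[0]
        ctype = data[pos + 4:pos + 8]
        end = pos + 8 + length + 4                     # header + data + CRC
        if end > len(data):
            raise ValueError(f"truncated chunk {ctype!r} at offset {pos}")
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[end - 4:end])[0]
        if crc != (zlib.crc32(ctype + body) & 0xFFFFFFFF):
            raise ValueError(f"bad CRC in chunk {ctype!r} at offset {pos}")
        yield ctype, end
        if ctype == b"IEND":
            return
        pos = end
    raise ValueError("no IEND chunk found")


def list_chunks(data: bytes) -> list:
    """Chunk types in file order; also handy for spotting ancillary metadata chunks."""
    return [ctype for ctype, _ in iter_chunks(data)]


def find_iend_offset(data: bytes) -> int:
    """Byte offset just past the IEND chunk, i.e. where a clean file should end."""
    for ctype, end in iter_chunks(data):
        if ctype == b"IEND":
            return end
    raise ValueError("no IEND chunk found")  # unreachable: iter_chunks raises first


def trailing_bytes(data: bytes) -> int:
    """How many bytes follow IEND. Viewers ignore them, but the file still carries them."""
    return len(data) - find_iend_offset(data)


def sanitize(data: bytes) -> bytes:
    """Copy of the file cut at the end of IEND, dropping any appended leftover."""
    return data[:find_iend_offset(data)]


def simulate_overwrite_without_truncate(original: bytes, cropped: bytes) -> bytes:
    """Model the failure mode from the notes above: the smaller cropped file is
    written over the start of the original, but the file is never truncated, so
    the size does not change and the original's tail survives after the new IEND."""
    if len(cropped) > len(original):
        raise ValueError("cropped file must not be larger than the original")
    return cropped + original[len(cropped):]


if __name__ == "__main__":
    original = build_sample_png(16, 16, seed=1)
    cropped = build_sample_png(2, 2, seed=1)
    on_disk = simulate_overwrite_without_truncate(original, cropped)
    print("chunks:", list_chunks(on_disk))
    print("size on disk:", len(on_disk), "bytes; trailing after IEND:", trailing_bytes(on_disk))
    print("sanitized size:", len(sanitize(on_disk)), "bytes")
```

Run it as a script and the "size on disk" equals the original's size while the parsed chunk list is the cropped image's, which is the file-size tell Christopher Elgee describes. A non-zero `trailing_bytes` on a file you are about to share is the signal to re-save under a new name or to keep only the `sanitize` output; the check deliberately stops at counting and truncating and makes no attempt to interpret the tail.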

Redaction has to be done right. Tools like the snipping tool, or your photo editor on your smartphone make it easier, but aren't necessarily comprehensive. Recall when it was learned a popular PDF editor used layers for redaction, but if you selected the text or exported the text, the redacted information was available? This time it's about understanding what metadata is in an image. As the researcher noted, a small, redacted, thumbnail-sized image was still 5MB. While we have been advising co-workers to make a new image or document which contains the resulting image, you're probably going to have to show them what metadata remains on a redacted photo (such as the full photo in the embedded thumbnail), to make it real.

Lee Neely

applications take advantage of open-source libraries. A flaw in one or more of those libraries can lead to a vulnerable application. A SBOM will at least list the software libraries used by the application, helping to identify and close cross-platform vulnerabilities.

Curtis Dukes

2023-03-23

CISA’s Untitled Goose Tool Helps Detect Malicious Activity in Microsoft Cloud Services

The US Cybersecurity and Infrastructure Security Agency (CISA) has released its open source "Untitled Goose Tool," which “offers novel authentication and data gathering methods for network defenders to use as they interrogate and analyze their Microsoft cloud services,” and is meant for use in Azure, Azure Active Directory, and Microsoft 365 environments. CISA developed the tool with support from the Department of Energy’s Sandia National Laboratories.

2023-03-23

Spain’s Alliance Healthcare Breach is Affecting Pharmaceutical Supply Chain

A cyberattack targeting Spain’s Alliance Healthcare, a pharmaceutical distributor, has caused a disruption of the pharmaceutical supply chain. The attack started on March 17 and has affected Alliance’s website, billing system, and ordering system.

The Rest of the Week's News


2023-03-23

CISA and NSA Release Identity and Access Management Guidance

The US Cybersecurity and Infrastructure Agency (CISA) and the National Security Agency (NSA) have jointly released the Enduring Security Framework Guidance on Identity and Access Management. The Recommended Best Practices Guide for Administrators provides suggestions for mitigating threat actors’ commonly used attack techniques, including taking control of accounts of former employees; using/creating alternative system access points; and gaining access to systems and exploiting stored credentials.

Editor's Note

Credential compromise continues to be a viable attack vector, and while I have stated the number one protection is implementing strong MFA, there is a lot more you need to do to provide comprehensive coverage, to include: actively managing accounts/identity as well as securing systems, only allowing the access needed when needed, revoking it as soon as that need expires. This guidance does a good job of laying out the threat and tying the actions to the risks you're mitigating. Review the “actions to take now” checklists and consider where you are against those items; don't just read Appendix I – you'll want to read the rest to get your ideas flowing.

Lee Neely

Given the proliferation of many different platforms and applications not just on organisations’ internal networks but also in the cloud and with third party vendors, this guidance framework is a very timely and welcome resource. As a large number of breaches can be related to the abuse of accounts and authentication mechanisms, I strongly recommend the majority of those responsible for cybersecurity in their organization read the guidance.

Brian Honan

Identity and Access Management (IAM) underpins access for every IT enterprise. It is a core component in building a zero-trust architecture. Creating a best-practices guide for administrators is a good thing. For the ‘Cliff Notes’ version, see Controls 5 and 6 from the CIS Critical Security Controls.

Curtis Dukes

As someone very interested in the IAM space, I am happy to see general guidance for companies. This is a very good thing and dovetails nicely with the large number of installations we see using Azure AD.

Moses Frost

2023-03-22

CISA ICS Advisories / ENISA Warns on Threats to OT in Transportation Sector

On Tuesday, March 21, the US Cybersecurity and Infrastructure Security Agency (CISA) published eight Industrial Control Systems (ICS) security advisories regarding vulnerabilities in products from Keysight, Delta Electronics, Siemens, VISAM, Rockwell Automation, and Hitachi Energy. In a related story, the European Union Agency for Cybersecurity (ENISA) published a report on cyberthreats to the transportation sector that warns of potential ransomware attacks targeting operational technology (OT) systems.

2023-03-23

CISA Updates Baseline Cybersecurity Performance Goals, and Adds Members to Advisory Committee

The US Cybersecurity and Infrastructure Security Agency (CISA) has revised its Cross-Sector Cybersecurity Performance Goals (CPGs) in response to stakeholder feedback. The first version of the CPGs was released in October 2022. CISA has also announced the addition of more than a dozen new members to its Cybersecurity Advisory Committee (CSAC), including former US national cyber director Chris Inglis and former Rhode Island congressman Jim Langevin.

2023-03-23

Fix Available for Authentication Bypass Vulnerability in WooCommerce Payments WordPress Plugin

An authentication bypass and privilege elevation vulnerability in the WooCommerce Payments plugin for WordPress could be exploited to “allow an unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction.” Users are urged to update to the most recent version of WooCommerce Payments (5.6.2 or later).

2023-03-22

More Healthcare Pixel Tracking Reported

University of California San Diego (UCSD) Health has begun notifying patients that their personal data were compromised because a vendor used pixel-tracking technology on patient-facing websites. UCSD Health is one of a growing number of healthcare organizations that have reported pixel-related data compromises. Pixel tracking is used as a data analytics tool; news has recently come to light that these tools share the data they have gathered with Meta and its partners.

2023-03-22

Adobe ColdFusion Vulnerabilities are Being Actively Exploited

Researchers from Rapid7 have observed vulnerabilities in Adobe ColdFusion being actively exploited in “multiple customer environments.” The activity has been ongoing since January 2023. Adobe released fixes for vulnerabilities in ColdFusion 2021 and ColdFusion 2018 earlier this month; one of the vulnerabilities (CVE-2023-26360) was added to CISA’s Known Exploited Vulnerabilities Catalog on March 15.

2023-03-23

February Dole Breach Compromised Employee Data

Dole Food Company has disclosed that a February ransomware attack against its systems compromised employee data. The new information was revealed in a document the company filed with the US Securities and Exchange Commission (SEC) earlier this week.

Internet Storm Center Tech Corner

Cropping and Redacting Images Safely

https://isc.sans.edu/diary/Cropping+and+Redacting+Images+Safely/29666

Acropalypse Detection and Sanitization Tools

https://github.com/infobyte/CVE-2023-21036

Windows Snipping Tool Privacy Bug: Inspecting PNG Files

https://isc.sans.edu/diary/Windows+11+Snipping+Tool+Privacy+Bug+Inspecting+PNG+Files/29660

Windows 11 Snipping Tool Privacy Bug

https://www.bleepingcomputer.com/news/microsoft/windows-11-snipping-tool-privacy-bug-exposes-cropped-image-content/

String Obfuscation: Character Pair Reversal

https://isc.sans.edu/diary/String+Obfuscation+Character+Pair+Reversal/29654

Untitled Goose Tool

https://github.com/cisagov/untitledgoosetool

Veeam Vulnerability Details

https://www.horizon3.ai/veeam-backup-and-replication-cve-2023-27532-deep-dive/

Unicode Support in Python used to Evade Detection

https://blog.phylum.io/malicious-actors-use-unicode-support-in-python-to-evade-detection

WooCommerce Skimmer Reveals Tampered Gateway Plugin

https://blog.sucuri.net/2023/03/woocommerce-skimmer-reveals-tampered-gateway-plugin.html

Netgear Orbi Router Vulnerable

https://blog.talosintelligence.com/vulnerability-spotlight-netgear-orbi-router-vulnerable-to-arbitrary-command-execution/

Malicious .Net Packages

https://jfrog.com/blog/attackers-are-starting-to-target-net-developers-with-malicious-code-nuget-packages/

Spring Framework Vulnerability

https://spring.io/blog/2023/03/20/spring-framework-6-0-7-and-5-3-26-fix-cve-2023-20860-and-cve-2023-20861

Snappy Vulnerability

https://github.com/KnpLabs/snappy/security/advisories/GHSA-gq6w-q6wh-jggc