SANS NewsBites

If You Haven’t Patched GoAnywhere MFT Yet, Start Incident Response; If It Has an Apple Logo On It, Patch It ASAP; If You Don’t Patch On-Premises Exchange, Microsoft May Keep You Out of the Exchange Online Pool

March 28, 2023  |  Volume XXV - Issue #25

Top of the News


2023-03-27

Patch GoAnywhere MFT Software Now

More organizations are coming forward to disclose that they have suffered cyber incidents that exploited a vulnerability in Fortra’s GoAnywhere managed file transfer software. The vulnerability was disclosed in February and a fix was released within a week. Over the past several weeks, Community Health Systems, security company Rubrik, and Hitachi Energy confirmed that their systems were impacted by attacks exploiting the GoAnywhere flaw. More recently, Saks Fifth Avenue and the UK’s Pension Protection Fund acknowledged GoAnywhere-related incidents.

Editor's Note

If you are still running vulnerable GoAnywhere MFT software, patching now isn't going to fix your problem. This vulnerability has been known, and publicly discussed, for a while now. If you are still not patched: Go straight to incident response and do not waste time patching first.

Johannes Ullrich

Many disclosures include notification that they are no longer using the GoAnywhere file transfer service. If you are using GoAnywhere MFT software, make sure it's updated. File transfer services as well as API gateways have become increasingly prevalent with the increased use of cloud and outsourced services. Make sure that you know what services are used for these communications and that you've not only secured them, but also watch for changes in that security.

Lee Neely

The underlying attack utilized a zero-day exploit. ‘Zero days’ are next to impossible to defend against until the vendor issues a patch, which it did within a week. Now it is up to users of the software to escalate remediation as part of their patch management process. It often comes down to a race between the evil-doer to exploit, and the target to protect themselves by patching.

Curtis Dukes

The GoAnywhere software we wrote about a few weeks ago is popping up again as more companies get hit with this vulnerability. We haven’t seen this system in use in many of the orgs we have tested, but then again, our view of the total install base would be fairly small. It is commercial software sold by Fortra, and you would imagine it would have been sold to several companies.

Moses Frost


2023-03-27

Apple Updates for iOS, iPadOS, macOS and Other Products

Apple has released updates for multiple products, including iOS, iPadOS, macOS, watchOS, tvOS, and HomePod. The updates for iOS and iPadOS include fixes for more than 30 security issues, among them a backported fix for a WebKit vulnerability that was patched in newer versions of the operating systems last month.

2023-03-27

Microsoft Will Block Messages From “Persistently Vulnerable” On-Premises Exchange Servers to Exchange Online

Microsoft is taking a three-step approach to preventing unpatched and unsupported on-premises Exchange servers from sending messages to Exchange Online. First, Microsoft will alert admins to unpatched or unsupported Exchange servers in their on-premises environments. If the issues are not addressed within a set period of time, Exchange Online will start throttling messages from the offending server. If this action does not result in remediation after another set period of time, messages from the server will be blocked.

The Rest of the Week's News


2023-03-24

GitHub Updates Accidentally Exposed Private RSA Key

GitHub has replaced its RSA SSH host key after it was inadvertently exposed in a public repository. The change will generate warning messages, but there is no cause for alarm. In a blog post, GitHub provides instructions for what users need to do.

Editor's Note

I appreciate GitHub acting quickly to protect users from potential machine in the middle attacks. But this also highlights the need to have procedures in place to quickly swap out crypto keys as needed. Many scripts automating actions against GitHub broke as a result, and will likely be broken for a while until users get around to swapping the respective keys. In particular for SSH, rotating keys isn't quite as straightforward as for TLS.

Johannes Ullrich

Practitioner's note: If you're already using GitHub, this will require removing old host key lines from your known hosts file (in the .ssh/ folder, in your Linux or Windows home directory). Any git actions that use SSH will bring errors about which lines are passé. Once the old entries are deleted, the new host key will show up during your next git action. Accept the new key if it matches one in GitHub's list: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints

Christopher Elgee
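The known_hosts clean-up described in the note above, worked through as an added example (not code from the newsletter, its editors or GitHub): it removes only the stale ssh-rsa entries for a host, leaving that host's other key types and other hosts alone, copes with HashKnownHosts-style hashed host fields, and accepts a newly offered key only when its SHA256 fingerprint is on the vendor's published list. The key blobs, the 192.0.2.10 address and the salt are constructed sample data, not GitHub's real host keys.

```python
"""Prune a stale SSH host key from known_hosts and verify the replacement's
fingerprint.  Added example; all key material below is constructed."""
import base64
import hashlib
import hmac

HOST = "github.com"
OLD_KEY_TYPE = "ssh-rsa"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def hashed_host_field(host: str, salt: bytes) -> str:
    """Build a HashKnownHosts field: |1|base64(salt)|base64(HMAC-SHA1(salt, host))."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return f"|1|{_b64(salt)}|{_b64(digest)}"


def host_matches(field: str, host: str) -> bool:
    """True if a known_hosts host field names `host`, whether plain or hashed."""
    if field.startswith("|1|"):
        _, _, salt_b64, digest_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hmac.new(salt, host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, actual)
    return host in field.split(",")  # plain field may list host,ip,alias


def parse_line(line: str):
    """Return (hosts_field, key_type, key_b64) or None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split()
    if parts[0].startswith("@"):  # @cert-authority / @revoked marker
        parts = parts[1:]
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2]


def prune_known_hosts(lines, host=HOST, key_type=OLD_KEY_TYPE):
    """Return (kept, removed): drop only `host` entries of `key_type`, so the
    host's ecdsa/ed25519 entries and every other host survive."""
    kept, removed = [], []
    for line in lines:
        parsed = parse_line(line)
        if parsed and parsed[1] == key_type and host_matches(parsed[0], host):
            removed.append(line)
        else:
            kept.append(line)
    return kept, removed


def fingerprint(key_b64: str) -> str:
    """OpenSSH SHA256 fingerprint: base64(sha256(key blob)) with '=' padding stripped."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + _b64(digest).rstrip("=")


def should_accept(key_line: str, published_fingerprints) -> bool:
    """Accept a newly offered host key only if its fingerprint is on the published list."""
    parsed = parse_line(key_line)
    return parsed is not None and fingerprint(parsed[2]) in published_fingerprints


# Constructed key blobs (arbitrary bytes) standing in for real public keys.
OLD_RSA = _b64(b"constructed old rsa host key material")
NEW_RSA = _b64(b"constructed replacement rsa host key material")
ED25519 = _b64(b"constructed ed25519 host key material")

# Constructed known_hosts: plain and hashed entries for the old RSA key, an
# ed25519 entry that must survive, and an unrelated host.
SAMPLE_KNOWN_HOSTS = [
    f"github.com,192.0.2.10 ssh-rsa {OLD_RSA}",
    f"github.com ssh-ed25519 {ED25519}",
    f"{hashed_host_field('github.com', b'0123456789abcdef0123')} ssh-rsa {OLD_RSA}",
    f"git.example.internal ssh-rsa {_b64(b'constructed unrelated host key')}",
]

if __name__ == "__main__":
    kept, removed = prune_known_hosts(SAMPLE_KNOWN_HOSTS)
    print(f"removed {len(removed)} stale {OLD_KEY_TYPE} entries, kept {len(kept)}")
    published = {fingerprint(NEW_RSA)}  # would come from the vendor's published list
    print("accept new key:", should_accept(f"github.com ssh-rsa {NEW_RSA}", published))
    print("accept old key:", should_accept(f"github.com ssh-rsa {OLD_RSA}", published))
```

In practice `ssh-keygen -R github.com` removes every key type for the host, so with this approach the non-RSA entries are kept and only the rotated key has to be re-accepted; the `should_accept` check is the step the note describes, comparing the offered key's fingerprint against the published list rather than trusting the first connection.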

SOP should be that when a private key is exposed, or otherwise compromised, you revoke and replace the keypair. The GitHub blog includes what you need to do to update your copies of their SSH public key, a useful reference for users when you change one of your SSH Host keys. This is a good time to make sure that you don't have any private keys stored in your repositories, particularly public facing ones.

Lee Neely

Encryption/digital signatures are worse than useless if private keys are not kept private, they provide a dangerous false sense of security. GitHub seems to have handled this well and found the “inadvertent publishing of private information” quickly, but it really means they just got lucky that the error wasn’t found first by bad actors. I hope they publish lessons learned on what they changed to greatly reduce chances of this happening again.

John Pescatore

The 2022 Verizon Data Breach Investigations Report states that 82 percent of data breaches are caused by a human element; other reports claim upwards of 90 percent. GitHub’s actions are both prudent and reflect the potential severity of the risk.

Curtis Dukes

The remedy for the possible compromise of a private key is to replace the key pair. This includes revoking and replacing the corresponding public key. Revocation of key pairs should be routine and should not require "instructions for what users need to do."

William Hugh Murray

2023-03-27

Twitter Source Code Leak

After Twitter source code was leaked online, GitHub removed the code from the repository where it appeared and disabled the user’s account. Twitter has filed court documents seeking to compel GitHub to reveal the identity of that user.

2023-03-27

US Executive Order Limits Government’s Use of Commercial Spyware

The White House issued an executive order barring US agencies from purchasing and “operationally using” spyware that poses a threat to national security. The order directs the Director of National Intelligence (DNI) to provide semi-annual assessments of spyware products. Spyware products are deemed unacceptable if they have been used against the US government or an individual without their permission, if they have been used to commit human rights abuses, or if they have been used by governments for purposes of political repression.

2023-03-24

Dish Network Ransomware Attack Effects Linger for Customers

Customers of the Dish Network satellite television service are still experiencing service disruptions and technical issues weeks after the company disclosed that it was hit with a ransomware attack. The incident began on February 23; at that time, Dish Network experienced an outage that lasted for several days. Customers are reporting difficulty reaching customer service agents to pay bills, cancel subscriptions, or address login issues.

2023-03-23

Internet Shutdown in Indian State of Punjab

Authorities temporarily shut down mobile Internet and text messaging service throughout the Indian state of Punjab while searching for an activist. The shutdown, which affected 30 million people, was intended to prevent the spread of fake news. The shutdown began on Saturday, March 18.

2023-03-23

Operational Technology Vulnerabilities

In a paper scheduled to be presented at the IEEE/ACM Workshop on the Internet of Safe Things in May, researchers from Forescout and a professor of secure IT systems at the Technical University of Clausthal, Germany, describe more than 50 security issues they found in operational technology (OT) products. The paper’s authors examined 45 product lines that are used in multiple sectors, including healthcare, water, and power generation.

Internet Storm Center Tech Corner

Another Malicious HTA File Analysis Part 1

https://isc.sans.edu/diary/Another+Malicious+HTA+File+Analysis+Part+1/29674

Apple Updates Everything

https://isc.sans.edu/diary/Apple+Updates+Everything+including+Studio+Display/29682

Update for Windows Snipping Tool

https://isc.sans.edu/diary/Microsoft+Released+an+Update+for+Windows+Snipping+Tool+Vulnerability/29670

Linus Tech Tips YouTube Hack

https://www.theverge.com/2023/3/23/23653115/linus-tech-tips-youtube-hack-crypto-scam

https://isc.sans.edu/diary/Elon+Musk+Themed+Crypto+Scams+Flooding+YouTube+Today/29434

GitHub Rotates SSH Keys

https://github.blog/2023-03-23-we-updated-our-rsa-ssh-host-key/

MacStealer Malware Exfiltrates Mac Secrets

https://www.uptycs.com/blog/macstealer-command-and-control-c2-malware

redis-py vulnerability leads to mixed up sessions, affects ChatGPT

https://openai.com/blog/march-20-chatgpt-outage

CyberChef Update

https://github.com/gchq/CyberChef/wiki/Character-encoding,-EOL-separators,-and-editor-features