SEC595: Applied Data Science and AI/Machine Learning for Cybersecurity Professionals
SEC595Cyber Defense
SANS Community Benefits
Connect, learn, and share with other cybersecurity professionals
Top of the News
X_TRADER Supply Chain Attack Has Additional Victims
Symantec’s Threat Hunter Team says that the X_Trader supply chain attack that affected 3CX attack also affected at least four other organizations – two in the energy sector and two in the financial sector. A trojanized version of the X_Trader installer was used to compromise 3CX systems, which allowed that company’s software to become compromised as well.
Editor's Notes
- Slide 1 of 4
The Symantec report doesn’t detail how the Trojaned X_Trader software got on the additional victims’ PCs. A safe guess is the same path as 3CX: reusable passwords used for corporate access from employee-owned Windows PC were harvested after users downloaded the trojaned installer onto their home computer. Yet another big reminder about (1) matching controls with policy, as it seems like the majority of organizations do have policy requiring 2FA, but haven’t implemented it; and (2) such “hybrid” work from home on employee-owned and vulnerable Windows PCs did not go away when Covid mask requirements ended.
- Slide 2 of 4
Two topics to run to ground here: have they got a toehold in my network and can they spread laterally? For the first one, use the IOCs in the Symantec or Mandiant reports to determine if you have the trojanized X_Trader in your environment. For the second, consider your trust relationships. Beyond MFA to the endpoint, what happens with SSO? Can users SSO to any endpoint or to just those they have a need to access? What about privilege escalation? Do you have UAC set to always? How about requiring MFA for privileged actions? Do all your users have admin on their endpoints or do you only provide it where approved? Are you leveraging a PAM solution to manage local admin accounts? Leverage incremental increases in security to raise the bar.
- Slide 3 of 4
The X_Trader application was built to support futures trading. Potential victims of the boogered version are likely trading institutions. If you are a company that uses the application, assume you’ve been breached until you are able to validate the X_Trader application with its developer – Trading Technologies.
- Slide 4 of 4
It is now clear that at least some APTs are concentrating on software suppliers and the leverage they provide. In the face of an increase in risk, suppliers should consider a hiatus in shipments until they are satisfied that they can meet their obligation to customers not to ship contaminated code. The necessary changes to their processes to improve security will likely also lead to a general increase in efficiency.
Slide 1 of 0- Slide 1 of 4
Hackers are Installing Eval PHP WordPress Plugin to Create Backdoors
Hackers are exploiting a vulnerability in an unsupported WordPress plugin to inject malicious PHP code into web pages. Eval PHP has not been updated for a decade, yet researchers noted a sudden surge in Eval PHP downloads over the past months. The attackers are installing the plugin on compromised sites to establish backdoors.
Editor's Notes
- Slide 1 of 3
The Eval PHP plugin hasn't been updated in over a decade but remains available in the WordPress plugin repository. If you forgot to remove it from your site, you really need to get rid of it, (not just disable it) then actively watch for reintroduction. Threat actors are installing the plugin from the WordPress plugin site on compromised sites. This would be a good time to review admin accounts on your WordPress site, requiring MFA and eliminating old or unused ones. Note you don't need an admin user named admin (the default), so change that too.
- Slide 2 of 3
With WordPress, critical vulnerabilities most often crop up by the use of plugins that render websites exploitable; this vulnerability is no different. What is different is that it is an unsupported plugin. Unsupported apps should not be available for download.
- Slide 3 of 3
We continue to be plagued by WordPress plugins. The problem is not simply the quality of the plugins. Like browsers, the usual client of WordPress services, WordPress itself is open, flexible, complex, and has proven to be difficult to operate safely. Use it with appropriate caution.
Slide 1 of 0- Slide 1 of 3
Google Addresses GhostToken Vulnerability in Google Cloud Platform
Google has fixed a flaw in its Cloud Platform (GCP) that could be exploited to backdoor accounts using malicious OAuth applications. The issue was reported to Google in June 2022; the fix was released in a patch earlier this month.
Editor's Notes
- Slide 1 of 3
If you are a Google Cloud Platform user, follow Astrix’s recommendations for checking GCP app management and OAuth logs for indicators of compromise. This is one of those “huh” type of vulnerabilities that is likely to be found in other applications.
- Slide 2 of 3
Exploiting the flaw allows an app to be hidden from the Google application management page, the only place you can manage applications associated with your GCP account. Essentially the app is put in a pending deletion state, which hides it, the patch makes apps in that state visible to the 'Apps with access to your account' page, allowing you to delete it.
- Slide 3 of 3
This is a vulnerability that should be taken seriously if you are a GCP tenant. Check for signs of the vulnerability by reviewing the OAuth logs; and as always, follow vendor security recommendations.
Slide 1 of 0- Slide 1 of 3
The Rest of the Week's News
Schneider Electric Releases Fixes for Vulnerabilities in Easy UPS Online Monitoring Software
Schneider Electric has released patches for three vulnerabilities in its Easy UPS Online Monitoring Software from Schneider Electric’s American Power Conversion (APC). Schneider cautions users that “failure to apply the remediations provided below may risk remote code execution, escalation of privileges, or authentication bypass, which could result in execution of malicious web code or loss of device functionality.”
Editor's Notes
- Slide 1 of 3
First thing, remember that APC falls under Schneider Electric, so yeah, we need to start reading Schneider bulletins because they relate to APC UPSs most of us have. Next, determine where you're using monitoring software, such as Easy UPS, and get it updated. Lastly, review the recommendations for physical and logical isolation and protection of control systems, particularly UPSs. That is most relevant in your data center where you're going to have the bigger solutions, which also means a bad actor could do more harm compromising a single device. When reviewing your physical protections, don't overlook accidents. Remember when we didn't have covers over the crash button (aka elevator call button) in the data center? Yeah...
- Slide 2 of 3
In this case, one of Schneider’s “strongly recommended” practices is “Never allow mobile devices that have connected to any other network besides the intended network to connect to the safety or control networks without proper sanitation.” This requires Network Access Control capabilities for all remote access to UPS systems.
- Slide 3 of 3
Two of the three vulnerabilities allow for remote code execution and carry a CVSS score of 9.8. Exercise your patch process and remediate these vulnerabilities as well as follow Industry configuration recommendations.
Slide 1 of 0- Slide 1 of 3
DC Health Link Breach Was Due to Misconfigured Server
Mila Kofman, Executive Director of the District of Columbia Health Benefit Exchange Authority, told US legislators that the DC Health Link breach was found to be enabled by a misconfigured server. The breach, which exposed personal information of more than 56,000 current and former members of Congress, their family members, and Congressional aides, was detected in early March 2023. Kofman testified before the US House Oversight and Accountability Subcommittee on Cybersecurity, Information Technology, and Government Innovation and House Administration Subcommittee on Oversight on April 19.
Editor's Notes
- Slide 1 of 3
This was a human error in a cloud-based Jenkins reporting system, which allowed for anonymous downloading of reports and logs. Additionally, there wasn't sufficient logging from that service to fully forensicate the incident. We all have outsourced and cloud services, what is needed is to regularly review the security configurations of each of them, as well as making sure you have optimal logging for successful incident response. Make sure you're including your incident responders in that conversation; they likely have a very different view than the service provider on what adequate means.
- Slide 2 of 3
The testimony by Director Kofman mentions the human error that resulted in critical data being accessible without authentication, but never acknowledged the equally serious mistake of not detecting that before criminals did. Kofman confused buying products with strong security, saying: “We have a strong cybersecurity program. For example, we use technologies such as…” Strong processes and skilled analysts are needed to make investments in technology effective in reducing risk.
- Slide 3 of 3
The CIS Community Defense Model identified misconfiguration as a leading cause for most cyber breaches. As such, server configuration guidance is available for a large number of products to include servlet containers such as Apache Tomcat. Going forward, standardize server configuration using Industry best practices as put forth by CIS Benchmarks.
Slide 1 of 0- Slide 1 of 3
Database-Oriented Operating System Will be Demonstrated at RSA
Researchers at the Massachusetts Institute of Technology (MIT) and Stanford University are developing an operating system with baked-in malware defense. The database-oriented operating system, or DBOS, is being designed to recover from ransomware attacks within minutes. The researchers – Michael Stonebraker, Matei Zaharia, and Jeremy Kepnew – will demonstrate their work at the RSA conference this week in San Francisco.
Editor's Notes
- Slide 1 of 2
This changes the idea that everything is a file, which is the paradigm in *nix, to everything is a table. As such, system logs become transaction logs, rolling back is as simple as rolling back a database. And yeah, I'm remembering multi-phase commit rollback too. Making it easier to revert the system to a known good state as well as improved visibility to system events means we should keep an eye on this one.
- Slide 2 of 2
First, it is encouraging to see that some researchers are working on solutions rather than mere vulnerability discovery. Second, this solution addresses the requirement, in the face of ransomware attacks, to recover applications, rather than merely files, in hours to days, rather than days to weeks. Worth checking out.
Slide 1 of 0- Slide 1 of 2
PaperCut Authentication Bypass Vulnerability is Being Actively Exploited
Users are urged to update their PaperCut MF/NG print management software to fix a critical improper access control vulnerability that is being actively exploited. The flaw allows an attacker to bypass authentication and remotely execute arbitrary code with System user privileges. PaperCut fixed the vulnerability in versions 20.1.7, 21.2.11, and 22.0.9 of PaperCut MF and PaperCut NG in March.
Editor's Notes
The version numbers can be confusing; make sure that you're running the latest version of PaperCut for your platform. Both Windows and Mac versions of the software need updating. Note that only version 20.x or later are patched, so be prepared for some big catching up if you've fallen behind. Also make sure that you're limiting traffic to the PaperCut management interface (Port 9191) to only authorized devices/users. This is an unauthenticated RCE flaw, which is being actively exploited. Plan accordingly.
RSA: CISA and Cyber Command Cyber Ops Partnership
At the RSA Conference in San Francisco, Eric Goldstein, executive assistant director at the US Cybersecurity and Infrastructure Security Agency (CISA) and Maj. Gen. William Hartman, commander of the Cyber National Mission Forces (CNMF) at Cyber Command spoke about their agencies’ cyber operations partnership. The collaborative effort has thwarted several potentially serious attacks, including an attempt by hackers with links to Iran to gain access to election results reporting software.
Editor's Notes
Public sector information sharing is working, and we have reported many stories of cooperation leading to takedowns and successful incident prevention and response. The relationship between CISA and CNMF is new and their focus needs to include maintaining and maturing that partnership, keeping information flowing. One of the next challenges for CISA is providing value to the private sector in exchange for their sharing of similar information.
Firmware Update Available to Address Inea ICS ME RTU
The US Cybersecurity and Infrastructure Security Agency (CISA) has published an ICS advisory warning of a critical OS command injection vulnerability in INEA ME Remote Terminal Unit (RTU) firmware versions older than 3.36. The INEA ME RTU is used in the energy, transportation, and water and wastewater sectors.
Editor's Notes
The RTU is sitting between the SCADA and the instrumentation devices. Taking over the RTU allows input or outputs - manipulating pumps or valves or can be used to pivot to available networks for further malfeasance. First thing, apply the firmware update, (CVE-2023-2131 has a CVSS score of 10.0) then review your segmentations and access controls to ensure that only authorized systems can interact with ICS components.
Shields Health Care Group Breach Affects Millions
Shields Health Care Group has disclosed a breach that compromised personal information of 2.3 million patients. Intruders had access to Shields’ systems in mid-March 2022. Shields provides imaging services for ambulatory surgery centers.
Editor's Notes
Shields is offering credit monitoring for two years to affected customers and started notifications 4/19. It appears the breach investigation spanned a year, from March 28, 2022 to March 27, 2023 and the data exfiltrated was names or other personal identifier in combination with driver's license number or other ID card number. While the notification was filed in Maine, only 2260 of the 2.3 million patients were in Maine. Sending a breach notification over a year later to affected customers is too long after the fact. The reality is you have no idea what the intersection of your data being breached, notification and implementation of credit monitoring will be. Be proactive and get your own coverage in place before you need it.
Internet Storm Center Tech Corner
Management of DMARC control for email impersonation for domains in the .co TLD
Papercut Vulnerability Deep Dive
https://www.horizon3.ai/papercut-cve-2023-27350-deep-dive-and-indicators-of-compromise
Solarwinds Patches
Schneider Electric Update
Virustotal Code Insight
https://blog.virustotal.com/2023/04/introducing-virustotal-code-insight.html
Aukill EDR Killer Malware Abuses Process Explorer Driver
https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/
X_Trader Supply Chain Attack Fallout
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/xtrader-3cx-supply-chain
Car Hacking with Old Nokia Phones
Dog Hunt Finding Decoy Dog Toolkit