SANS NewsBites

More Reasons to Prioritize 2FA Migration; Prioritize Patching Citrix and Cisco Products

August 18, 2023  |  Volume XXV - Issue #65

Top of the News


2023-08-17

LinkedIn Accounts are Being Hijacked

LinkedIn users are reporting account takeovers. In some cases, the hackers are demanding payment to return control of the accounts and threatening to permanently delete them if payment is not made. Researchers from Cyberint say that the attacks are affecting people around the world and that analysis of Google Trends data indicates “a significant surge [in account takeovers] in the past 90 days.”

Editor's Note

If you care enough about your LinkedIn account to actually pay a ransom to get it back: Maybe you should enable 2FA. There is no indication that these attacks use any new technique. Likely, they are just phishing or guessing credentials.

Johannes Ullrich

The Cyberint writeup doesn’t really point out hacking of LinkedIn. The two scenarios are (1) Temporary Lockout, where you are notified someone was trying and failing to log in; and (2) account takeover, which is usually where the password you are using was compromised somewhere else and you didn’t change it on LinkedIn and didn’t turn on two-step verification on LinkedIn. (1) is a working security feature, (2) is failure to use a known needed security feature.

John Pescatore

Part of the attack involves not only compromising the password but also changing the email on the account, making recovery options impossible. If you have a LinkedIn account, make sure that you still have access, that contact information is correct (no unexpected email or phone numbers), then go into settings -> Sign in & security and make sure Two-step verification is enabled. Use the authenticator app rather than the SMS options. Also check your active sessions and devices which remember your password. LinkedIn seems to be forcing users to verify email and phone associated with their accounts.

Lee Neely

From the apparent large number of frustrated users, LinkedIn did not create an Incident Response plan for this sort of attack. While they will suffer ‘brand’ damage for a period of time, there really isn’t an alternative for business professionals. At some point LinkedIn will provide additional details of the attack and its lessons learned.

Curtis Dukes

Every application that I use daily offers strong authentication. Even my little community bank turned it on this month. A few even offer Passkeys. They are all user opt-in. Hardly any of them promotes its use. In some it was hard to find. Yet most agree that it is our single most effective, efficient, and essential cybersecurity measure.

William Hugh Murray

2023-08-16

Citrix Releases Fixes for Vulnerabilities in NetScaler ADC and Gateway

Citrix has released updates to address several vulnerabilities in its NetScaler ADC and NetScaler Gateway products. The Citrix security bulletin notes that NetScaler ADC and NetScaler Gateway 12.1 are at End of Life and will not receive updates to address these flaws. Researchers from Fox-IT, which is part of NCC Group, have detected a campaign in which nearly 2,000 Citrix NetScaler instances have been compromised through exploitation of one of those vulnerabilities, CVE-2023-3519.

Editor's Note

Any unpatched Citrix ADC should be considered compromised. Mandiant released a nice tool that will not only identify available patches, but will also check for indicators that the device is compromised.

Johannes Ullrich

Citrix has observed bad actors exploiting these flaws (CVE-2023-3466, CVE-2023-3467 and CVE-2023-3519), so you need to update to the fixed releases. Note if you're on NetScaler ADC or NetScaler Gateway version 12.1, that version is EOL and you need to update to the newer version 13 releases.

Lee Neely

Patching Citrix ADC (NetScaler) is just as valid and relevant as patching a VPN device. It’s important to realize that.

Moses Frost

2023-08-17

CISA Adds Citrix ShareFile Vulnerability to KEV

Citrix has released a security update to address a critical improper access vulnerability in its ShareFile file sharing and transfer service. The US Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to the Known Exploited Vulnerabilities catalog on August 16, noting that it is being actively exploited.

Editor's Note

CVE-2023-24489 can be exploited by an unauthenticated user and rates a CVSS score of 9.8, so you're going to want to jump on upgrading to ShareFile storage zones controller 5.11.14. Note that Citrix is blocking access from any controllers not running patched versions.

Lee Neely

2023-08-17

Cisco Security Advisories

Cisco has released 17 security advisories to address vulnerabilities in multiple products. Five of the flaws have been rated high severity: a privilege elevation vulnerability in Cisco ThousandEyes Enterprise Agent; an arbitrary file write vulnerability in Cisco Duo Device Health Application for Windows; an SQL injection vulnerability in Cisco Unified Communications Manager; an infinite loop denial-of-service vulnerability in ClamAV HFS+ File Scanning; and a denial-of-service vulnerability in ClamAV AutoIt Module.

Editor's Note

These vulnerabilities can lead to privilege escalation, SQL injection, directory traversal and DoS; not a good end to the week. Go through your inventory of Cisco non-router products, making sure they are all updated. Make sure that security/patch alerts for these items go to the right folks, not just the network team.

Lee Neely

If you’re a Cisco customer of any type (outside of just routing and switching, but also software), patch. Unlike other companies, there is no regular release cadence for this like Patch Tuesday.

Moses Frost

The Rest of the Week's News


2023-08-17

DEF CON Hack-A-Sat Competition’s Target was an Actual Satellite in Space

This year, the DEF CON Hack-A-Sat competitors were given Moonlighter, a “hacking sandbox in space,” as their target. In previous years, the Hack-A-Sat teams were given earthbound satellite simulations as their target. The competition, which ran from August 11-14, involved nine challenges, including accessing the satellite, bypassing its observation restrictions, taking a photo, and downloading the image to a ground station. The competition aims to improve satellite cybersecurity; Moonlighter will remain in low Earth orbit as a US Defense Department cybersecurity testbed.

Editor's Note

This is a great reminder that defenders have more than traditional IT infrastructure to defend. Some of our most interesting pentesting engagements involve access badges, power generation, wearables, and other "in between" systems that are easily forgotten.

Christopher Elgee

Kudos to the Italian team "mHACKeroni" for winning Hack-A-Sat 4. Earlier in the week, Stefano Zanero, who sits with me on the ISSA International board, was telling me about the team and how excited they were for the chance to compete. It is amazing that the economics of putting a satellite in space as a cyber testbed have changed enough to make flying a real bird viable.

Lee Neely

I watched the DEF CON Hack-A-Sat a bit over the DEF CON weekend, and it was interesting to see the teams work on it. Happy to see that this type of device is being made available to a broader audience.

Moses Frost

While cyber is but one active threat to satellite systems, it is the most ‘reachable’ by non-nation state actors. Both the US Air Force and its defense contractors will learn valuable cyber defense lessons from offering the Hack-A-Sat competition. Unfortunately so will cyber attackers, as details of the competition are released.

Curtis Dukes

2023-08-17

US Energy Company was Victim of Malicious QR Code Phishing Campaign

Researchers from Cofense have identified a phishing campaign that uses malicious QR codes to steal Microsoft account credentials. The campaign has been operating since at least May of this year. One of the victims is an unnamed US energy company. Most of the phishing emails appear to be Microsoft security notifications.

Editor's Note

This campaign delivers QR codes in email, largely as Bing redirect URLs. It's probably best to train users to not scan QR codes in email messages, then, for allowed use cases, make sure that they are using QR scanners which preview the content of the code, such as the URL, so they can assess before clicking.

Lee Neely

QR codes seemed to be going the way of the blinking URL, but “touch-free” demand during COVID seemed to breathe some life into usage, and the rise of cellphone payment apps resulted. Just as it is now common for every legitimate business to say “We would never ask for your sensitive information over email,” it's a good idea to review any use you have of QR codes and see if it is really necessary – for example, in rolling out 2FA. Not really a huge risk path, but if not necessary, better to avoid.

John Pescatore

Malicious QR Codes are a thing. I would be very wary of getting them over untrusted sources. It’s a new area for training for sure.

Moses Frost

This campaign takes *ishing (ph-, v-, sm-) to the next level by embedding malicious QR codes. To fully enable the attack, though, one must use a mobile device. That’s ok though, as today’s workforce likely receives business email on that device. Finally, the evil-doers are betting that their targets are generally accustomed to just scanning the QR code. Organizations should add this attack scenario as part of their periodic cyber awareness training.

Curtis Dukes

The lesson for the rest of us is that QR tags, like any link, URL, or button, may be bait and should be regarded with appropriate suspicion.

William Hugh Murray

2023-08-17

Phishing Campaign Targeting Zimbra Collaboration Accounts

Researchers from ESET have detected a phishing campaign aimed at gathering Zimbra Collaboration user account credentials. The campaign has been ongoing since at least April of this year. Most of the targeted accounts are in Poland, Ecuador, and Italy.

Editor's Note

Pass the IOCs from the We Live Security blog posting to your threat hunters to make sure you're not already compromised. The phishing email masquerades as a notice about a legitimate change to the Zimbra login, then directs the recipient to open the provided attachment to access the new borked login page. This comes back to training users on detecting real IT updates.

Lee Neely

2023-08-17

CISA Remote Monitoring and Management Cyber Defense Plan

The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Remote Monitoring & Management (RMM) Cyber Defense Plan, which was developed by the Joint Cyber Defense Collaborative (JCDC), a public/private partnership. The document states its mission: “JCDC’s RMM Cyber Defense Plan provides cyber defense leaders in government and industry with a collaborative proposal for mitigating threats to the RMM ecosystem.”

Editor's Note

CISA continues to create services intended to build partnerships with the private sector. Consider bringing in your local CISA representative (they have offices in all 50 states) to present to your company, or professional organization, on what they can do for (and with) you. At a minimum, having a face to go with the agency goes a long way should you ever need each other. This plan (it's only 8 pages) has two pillars – Operational Collaboration and Cyber Defense Guidance – with four LOEs: Cyber threat and vulnerability information sharing, educating the RMM Operational Community, End-User Education, and Amplification. Critical components to build trust and sharing partnerships with the private sector.

Lee Neely

Two pillars of the plan are "collaboration" and "end user education." One looked in vain for first or next steps, for direction on how the plan should alter one's behavior.

William Hugh Murray

2023-08-17

White House Urges Federal Agencies to Strengthen Their Cybersecurity

According to a memo obtained by CNN, the Biden Administration is urging federal agencies to take steps to improve their cybersecurity posture. In the memo, national security adviser Jake Sullivan reportedly notes that agencies have “failed to comply” with requirements set by a 2021 Executive Order. Sullivan asked senior agency officials to ensure that they are compliant by the end of this calendar year.

Editor's Note

In 2021, Executive Order 14028, improving the nation's cybersecurity, was released with many required improvements for cabinet level agencies to adopt, on fairly short timelines. While it was not supposed to be an unfunded mandate, many agencies have not received sufficient funding to properly implement these changes. Required activities like zero-trust, increased cloud adoption, increased logging and retention and even phishing resistant MFA can be foundational technology and cultural changes which can be extremely expensive and time consuming. Due to differences in size, structure and cyber maturity, one must take care with making broad requirements without considering specific risk posture. I predict that full adoption of EO 14028, like HSPD-12 which is still not fully implemented after 19 years, will be measured in decades, not years.

Lee Neely

Until senior leaders of departments and agencies are held accountable, little will change when it comes to cybersecurity. Sending a memo isn’t holding individuals accountable.

Curtis Dukes

2023-08-16

Google Releases Chrome 116 to Stable Channel

On Tuesday, August 15, Google released Chrome 116, which includes fixes for 26 security issues, eight of which are deemed high severity. Chrome 116 also includes a new option in permission prompts. Users can now opt for “Allow this time” one-time permissions when sites request access to features like location or microphone.

Editor's Note

Remember those frequent updates for Chrome Google promised? Don't miss added features like the one-time allowance of permissions and their new privacy options relating to presented ads; you may have to start testing the earlier release channels, such as Dev or Beta, to stay ahead of the production release of new capabilities.

Lee Neely

An important update for Google Chrome. The good news is that updating the browser has become a routine practice for most users; as simple as ‘clicking’ a button. The new ‘Allow this time’ feature is also a welcome change by Google.

Curtis Dukes

Internet Storm Center Tech Corner

Command Line Parsing - Are These Really Unique Strings?

https://isc.sans.edu/diary/Command+Line+Parsing+Are+These+Really+Unique+Strings/30126

iOS 16 Fake Airplane Mode

https://www.jamf.com/blog/fake-airplane-mode-a-mobile-tampering-technique-to-maintain-connectivity/

LinkedIn Attacks

https://cyberint.com/blog/research/linkedin-accounts-under-attack-how-to-protect-yourself/

Robot Vacuum Privacy Issues

https://dontvacuum.me/talks/DEFCON31/DEFCON31-vacuum-robots-final.pdf

PowerShell Gallery Prone to Typosquatting, Other Supply Chain Attacks

https://www.darkreading.com/application-security/powershell-gallery-prone-to-typosquatting-other-supply-chain-attacks

Windows Random Time Issues

https://arstechnica.com/security/2023/08/windows-feature-that-resets-system-clocks-based-on-random-data-is-wreaking-havoc/

Energy Company Targeted in QR Code Campaign

https://cofense.com/blog/major-energy-company-targeted-in-large-qr-code-campaign/

New Citrix Scanner from Mandiant

https://www.mandiant.com/resources/blog/citrix-adc-vulnerability-ioc-scanner

macOS Background Task Manager Bypass

https://www.wired.com/story/apple-mac-background-task-management-flaw/

Ivanti Avalanche Vulnerability

https://www.tenable.com/security/research/tra-2023-27

Exploiting Synology NAS Cloud Connectivity

https://claroty.com/team82/research/a-pain-in-the-nas-exploiting-cloud-connectivity-to-pwn-your-nas-synology-ds920-edition

Fake Crypto Currency Apps Offered as "Beta" versions

https://www.ic3.gov/Media/Y2023/PSA230814