SANS NewsBites

Nominate Difference Makers; Prioritize Mitigation of Cisco ASA and Patching of Cisco BroadWorks; Focus on Hygiene and Known Vulnerabilities to Thwart Ransomware

September 12, 2023  |  Volume XXV - Issue #72

Top of the News


2023-09-14

SANS Difference Makers Awards

At the SANS Cyber Defense Initiative conference in December 2023, SANS will hold its 13th annual celebration of the most dedicated and effective security people and we need your support in finding worthy candidates. Please help SANS shine a light on the cybersecurity practitioners who through hard work, innovation and skill made measurable and significant improvements in the overall state of cyber security in 2023.

We are looking to recognize security people who raised the bar in enabling secure business operations and reducing risk, or made progress in key areas like implementing multifactor authentication, eliminating software vulnerabilities, reducing Time to Detect/Respond/Restore, bringing new and diverse people into the field, etc. We have expanded the awards to include top mentors, content creators and the most influential champions focused on building the next generation.

The deadline for submissions is Friday, September 29 at 5 pm EDT. Full information at:

https://www.sans.org/about/awards/difference-makers/


2023-09-11

Cisco: Zero-Day in ASA and FTD is Under Active Exploit

Cisco has acknowledged that there is an unpatched and actively exploited vulnerability in the remote access VPN feature of its Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). Cisco says that the flaw “is due to improper separation of authentication, authorization, and accounting (AAA) between the remote access VPN feature and the HTTPS management and site-to-site VPN features [and] could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and password combinations or an authenticated, remote attacker to establish a clientless SSL VPN session with an unauthorized user.” Cisco plans to release fixes to address the issue; in the meantime, they have suggested workarounds.

Editor's Note

The vulnerability enables brute force attacks. Only specific configurations are vulnerable, and the attacker will still need to guess your password. Due to the vulnerability, brute force protections can be bypassed allowing for faster attacks. An interesting lesson here: Vulnerabilities in services like web applications and APIs may lead to problems in non-web related services, like VPNs in this case.

Johannes Ullrich

Since most compliance regimes require MFA for remote access, and also require any default accounts be removed or disabled, theoretically this type of password spraying attack shouldn’t work very often – the level of success always points out how compliance actually does not equate to secure. If you are still facing resistance to requiring MFA for remote access, at least start with all privileged users and use this item to expand from there.

John Pescatore

Read the Cisco bulletin carefully: the vulnerabilities require multiple conditions to be true, albeit they are likely things you have. Pass the IoCs to your threat hunting team to determine where you stand, while focusing on implementing mitigations until a patch is released. Make sure you're limiting VPN access for default user groups, make sure you're requiring MFA for VPN connections, and disable or remove the default accounts the threat actors are using to exploit the vulnerability.

Lee Neely

The Cisco ASA VPN Software getting press this time is valid but requires a specific implementation. It does work because it was discovered in an actual breach. There are a very large number of implementations that meet the requirements. MFA helps, but many implementations that leverage MFA may need to leverage it entirely, leaving specific profiles vulnerable. Please watch this until the patch is out; when it is out, patch. This is not a 0-day; this is already an N-Day in the wild, having been exploited. It would also be ideal to look through your logs.

Moses Frost

While the vulnerability is actively being exploited, it does require brute force guessing of the username/password combination. Further, if you’ve implemented MFA as you should, the likelihood of attacker success is extremely low. That said, IT staff should remain vigilant for such attempts whilst reviewing their audit logs.

Curtis Dukes

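The editors above all point to audit logs as the place to spot the password guessing this flaw enables. The following is an added example, not code from SANS or Cisco: a small Python detector that parses AAA rejection lines, groups failures by source address inside a sliding time window, and reports any source that exceeds a threshold together with the distinct usernames it tried. The log lines are constructed in an ASA-like syslog style (the message wording and the %ASA-6-113005 identifier are assumptions about the format, not quoted appliance output), and the threshold and window are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the ASA-like wording is an assumption, not real output.
# 203.0.113.9 tries six different usernames in fifteen seconds and once more five
# minutes later; 198.51.100.7 is a real user who mistypes twice, then succeeds.
SAMPLE_LOG = "\n".join([
    "Sep 11 2023 10:00:01 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7",
    "Sep 11 2023 10:00:04 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.9",
    "Sep 11 2023 10:00:07 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = cisco : user IP = 203.0.113.9",
    "Sep 11 2023 10:00:10 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = guest : user IP = 203.0.113.9",
    "Sep 11 2023 10:00:13 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = test : user IP = 203.0.113.9",
    "Sep 11 2023 10:00:16 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = user : user IP = 203.0.113.9",
    "Sep 11 2023 10:00:19 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = root : user IP = 203.0.113.9",
    "Sep 11 2023 10:00:30 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = alice : user IP = 198.51.100.7",
    "Sep 11 2023 10:00:35 asa1 %ASA-6-113004: AAA user authentication Successful : server = 10.0.0.5 : user = alice",
    "Sep 11 2023 10:05:00 asa1 %ASA-6-113005: AAA user authentication Rejected : reason = Invalid password : server = 10.0.0.5 : user = admin : user IP = 203.0.113.9",
])

# Matches one AAA rejection line in the assumed format and captures time, user, source.
REJECT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}) \S+ %ASA-\d-\d+: "
    r"AAA user authentication Rejected : .*?user = (?P<user>\S+) : user IP = (?P<ip>\S+)$"
)


def parse_rejections(log_text):
    """Return [(timestamp, source_ip, username)] for every rejection line;
    successful logins and unrelated messages are skipped."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def find_guessing_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: {"failures", "usernames", "first", "last"}} for every
    source with at least `threshold` rejections inside some `window`.
    Counting per source rather than per account is what catches guessing that
    spreads its attempts over many usernames to stay under per-user lockouts."""
    by_ip = defaultdict(list)
    for ts, ip, user in parse_rejections(log_text):
        by_ip[ip].append((ts, user))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end, (ts, _user) in enumerate(events):
            # Slide the window start forward until the oldest event is in range.
            while ts - events[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and count > findings.get(ip, {}).get("failures", 0):
                findings[ip] = {
                    "failures": count,
                    "usernames": sorted({u for _, u in events[start:end + 1]}),
                    "first": events[start][0],
                    "last": ts,
                }
    return findings


if __name__ == "__main__":
    for ip, info in find_guessing_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures between {info['first']:%H:%M:%S} "
              f"and {info['last']:%H:%M:%S} across {len(info['usernames'])} usernames: "
              f"{', '.join(info['usernames'])}")
```

On the constructed input the detector reports only 203.0.113.9, with six failures across six usernames; the legitimate user's two mistakes stay under the threshold and the straggler five minutes later falls outside the window. Sources behind a shared NAT address will need a higher threshold, and the distinct-username count is the better discriminator there, since many accounts from one address in a short span is the spraying signature rather than a forgetful user.
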
2023-09-08

Cisco Releases Patches for Authentication Bypass Vulnerability in BroadWorks

Cisco has released updates to address an authentication bypass vulnerability affecting the single sign-on (SSO) implementation of Cisco BroadWorks Application Delivery Platform and Cisco BroadWorks Xtended Services Platform. The vulnerability exists in the method used to validate SSO tokens.

Editor's Note

If you are a BroadWorks user, patching this needs to be high priority. Also, a good reminder to those using other SSO solutions – ask your vendor if they are vulnerable to similar attacks and do some threat hunting to be proactive.

John Pescatore

CVE-2023-20238 scores a perfect 10 base CVSS score. There are no workarounds; you have to apply the update. If you're using another SSO solution, verify they are properly validating SSO tokens, rather than assume they are not vulnerable to a similar exploit.

Lee Neely

This vulnerability requires immediate attention by users of the Cisco BroadWorks application. Download and implement the available software update as soon as possible.

Curtis Dukes

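Lee Neely's note asks users of other SSO products to verify that tokens are actually validated. The following is an added example, not Cisco's code and not a description of how CVE-2023-20238 works (the page gives no detail of the BroadWorks flaw): a minimal HMAC-signed token with two validators side by side. The weak, hypothetical one decodes the payload and checks audience and expiry but never verifies the signature, so any self-made payload is accepted; the strict one verifies the signature in constant time before reading a single claim. The token format, the shared key and the claim names are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed shared secret; in a real deployment this comes from the IdP configuration.
KEY = b"example-shared-secret-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(key: bytes, subject: str, audience: str, ttl: int = 300, now=None) -> str:
    """Issue '<payload>.<signature>', signature = HMAC-SHA256(key, payload)."""
    now = int(time.time()) if now is None else now
    payload = _b64(json.dumps({"sub": subject, "aud": audience, "exp": now + ttl}).encode())
    sig = _b64(hmac.new(key, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def unsigned_token(subject: str, audience: str, exp: int) -> str:
    """A well-formed payload with a junk signature: what anyone without the key can produce."""
    payload = _b64(json.dumps({"sub": subject, "aud": audience, "exp": exp}).encode())
    return f"{payload}.AAAA"


def _claims_ok(claims, audience: str, now: int) -> bool:
    """Shared claim checks: right audience, integer expiry still in the future, subject present."""
    return (isinstance(claims, dict) and "sub" in claims
            and claims.get("aud") == audience
            and isinstance(claims.get("exp"), int) and claims["exp"] > now)


def weak_validate(token: str, audience: str, now=None):
    """Hypothetical weak validator: parses the payload and checks audience and expiry
    but never checks the signature, so every claim it reads is attacker-controlled."""
    now = int(time.time()) if now is None else now
    try:
        payload, _sig = token.split(".")
        claims = json.loads(_unb64(payload))
    except (ValueError, binascii.Error):
        return None
    return claims["sub"] if _claims_ok(claims, audience, now) else None


def strict_validate(token: str, key: bytes, audience: str, now=None):
    """Correct order: verify the signature over the raw payload first, using a
    constant-time compare, and only then decode and check the claims."""
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")
        provided = _unb64(sig)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None
    try:
        claims = json.loads(_unb64(payload))
    except (ValueError, binascii.Error):
        return None
    return claims["sub"] if _claims_ok(claims, audience, now) else None


if __name__ == "__main__":
    now = 1_700_000_000
    genuine = issue_token(KEY, "alice", "portal", now=now)
    forged = unsigned_token("admin", "portal", exp=now + 300)
    print("weak validator accepts forged token as:", weak_validate(forged, "portal", now=now))
    print("strict validator result for forged token:", strict_validate(forged, KEY, "portal", now=now))
    print("strict validator accepts genuine token as:", strict_validate(genuine, KEY, "portal", now=now))
```

The point to take to a vendor conversation is the order of operations: nothing in the payload may be trusted, not even the expiry, until the signature over that exact payload has been verified against a key the relying party controls. The strict validator also rejects a genuine signature reattached to a different payload, an expired token, and a token issued for a different audience.
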
2023-09-11

NCSC and NCA Urge Focusing on Common Enablers and Vulnerabilities to Address Ransomware

The UK’s National Cyber Security Centre (NCSC) and the National Crime Agency (NCA) have published a white paper, Ransomware, Extortion, and the Cyber Crime Ecosystem. The paper traces the arc of ransomware attacks, from initial attack vectors to ransomware deployment to monetizing the attack. The document notes that “tackling individual ransomware variants ... is akin to treating the symptoms of an illness, and is of limited use unless the underlying disease is addressed.”

Editor's Note

This is an excellent paper and huge kudos to the NCSC and NCA for producing and sharing this report. It is an essential read for anyone wanting to understand the threat landscape as it applies to ransomware attacks, in particular the key role initial access brokers play in the whole ransomware ecosystem.

Brian Honan

As with any risk, having too narrow a focus on mitigation leaves you vulnerable to variants. Ransomware protections, including training, physical and technical countermeasures, should not be strain-specific and are one part of your overall cyber security and hygiene plans. Ransomware is still an active threat, and you should assess your mitigations for effectiveness, but don't overlook the rest of the threats you're mitigating.

Lee Neely

While a good primer on the arc of ransomware attacks, the best defense is still adherence to the core tenets of basic cyber hygiene – know your environment, configuration management, patch management, and system monitoring. If you get those pieces right, you exact a cost on the cybercriminal to attack you.

Curtis Dukes

This white paper is a long description, not to say an admiration, of the problem. It seems to be based on the idea that the reason that enterprises do not address the problem is that they do not appreciate it or its risks rather than that they believe that the solution is inconvenient or inefficient, or just have not gotten around to it. If one is interested in the solution, one should go immediately to the links at the end of the paper.

William Hugh Murray

The Rest of the Week's News


2023-09-07

International Criminal Court Will Prosecute Cybercrimes that Violate Rome Statute

The lead prosecutor of the International Criminal Court (ICC) at the Hague will investigate and prosecute cybercrimes, including cyberwar crimes, that violate international law. The Rome Statute, which establishes ICC’s authority to prosecute war crimes, genocide, and other crimes against humanity, does not specifically mention cybercrime, but “such conduct may potentially fulfill the elements of many core international crimes as already defined.”

Editor's Note

As international law agencies continue to cooperate to bring down cyber criminals, the need to prosecute those who have violated international law, particularly when cyberwarfare is involved, needs to be addressed. With 123 countries as parties to the Rome Statute, they are well positioned to take on these cases.

Lee Neely

An interesting move by the ICC. First a definition of cybercrime will need to be agreed to by nations. It does at least acknowledge the importance of the cyber domain and how it can potentially be used in the commission of crimes.

Curtis Dukes

While we may not have seen one yet, it is certainly easy to visualize a cyberattack that would rise to the level of a crime against humanity. Our dependence and vulnerability increase daily.

William Hugh Murray

2023-09-12

Google Update for Chrome Addresses Zero-Day Vulnerability

Google is updating Chrome to fix a zero-day vulnerability, the fourth since the beginning of the year. Google has acknowledged that an exploit for the flaw, a heap buffer overflow in WebP (CVE-2023-4863), exists in the wild and is rolling out a new version of Chrome to the Stable and Extended Stable channels. The vulnerability was reported by Apple Security Engineering and Architecture (SEAR) and The Citizen Lab at The University of Toronto's Munk School.

Editor's Note

Better your users are noting reminders to relaunch Chrome in the next X hours to apply the update than being oblivious. Ensure that you've configured an upper limit to deferring that relaunch. Don't forget to watch for updates for your other Chromium based browsers.

Lee Neely

Any time you see the words ‘zero-day vulnerability’ pay immediate attention. The fix is easy: simply relaunch your Chrome browser. Don’t be a victim!

Curtis Dukes

2023-09-11

MGM Resorts Systems Offline Following Cyberattack

Some MGM Resorts systems are down following a cyberattack that began on Sunday, September 10. The company’s website is unavailable; a temporary page lists contact numbers in various cities across the US. According to a statement published on social media, MGM shut down certain systems as a protective measure while the incident is being investigated. MGM-operated hotels in Las Vegas have reportedly been unable to process payment card transactions.

Editor's Note

MGM has moved to manual transaction processing, but the volume of transactions may prove unmanageable. Note to self: fully understand the limits of moving to manual processing during an incident, including short-term mitigations which can be leveraged. MGM and other hotels/casinos are targeted these days. Last December, MGM's online sports betting company BetMGM reported a breach; Meliá Hotels International was hit hard in 2021; Marriott was targeted for extortion after 20 GB was exfiltrated last year. The draw is the mass amount of financial information they retain on clients; it'd be a good idea to review what information you are storing in any hotel/casino loyalty programs and minimize it.

Lee Neely

Not many details to work with. Suspect it will turn out to be yet another ransomware event. So far, 2023 has seen a decidedly large uptick in ransomware attacks.

Curtis Dukes

2023-09-11

Akamai Thwarted Huge DDoS Attack Against Financial Firm

Akamai says that on September 5, its Akamai Prolexic platform thwarted a distributed denial-of-service (DDoS) attack against an unidentified major US financial institution. Akamai writes that the “cybercriminals used a combination of ACK, PUSH, RESET, and SYN flood attack vectors, peaking at 633.7 gigabits per second (Gbps) and 55.1 million packets per second (Mpps).”

Editor's Note

Consider the volume of the attempted attack, involving TCP connection requests. The maturity of DDoS protection continues to evolve, and it is past time to make sure you're protected. This is no longer an attack vector for which you can just roll your own defense. You're going to need multiple approaches, from your ISP, Cloud Service Providers, and CDN, who are actively developing defenses, and don't forget your perimeter; then go out and verify everything is working.

Lee Neely

Though both DoS and ransomware attacks may involve extortion, DoS attacks tend to end in hours to days and without leaving permanent damage. On the other hand, they may interfere with the mission and damage reputation. As in this case, the ability to mitigate them usually depends upon third parties and advance planning.

William Hugh Murray

2023-09-11

Sri Lanka's Government eMail System Hit by Ransomware Attack

The email network of Sri Lanka’s government was the target of a ransomware attack that began in late August. The incident resulted in the loss of more than four months of data from nearly 5,000 government email accounts. While the Sri Lankan government was able to back up the targeted system within 12 hours of the attack, they did not have backups for May 17 – August 26.

Editor's Note

It's easy to focus on the backups lost from May 17 - August 26, overlooking that the exploit leveraged flaws in the outdated Exchange service; the updates, planned for 2021, had been delayed due to funding constraints and board decisions. Email is somewhere between a critical system and a system of record in current use; as such, you need to make sure you're maintaining it. Using a hosted or cloud email platform brings more than just up-to-date services; it also adds layers of security and monitoring you can leverage, even if you have to outsource, which was problematic for your in-house solution.

Lee Neely

This ransomware attack serves as a reminder for organizations to set up a reasonable backup frequency. There is not a hard and fast rule on backup frequency, as data sensitivity is an important factor. That said, most organizations do so on a weekly basis. And while you’re at it, also remember to store a backup off-site in order to aid data recovery.

Curtis Dukes

2023-09-11

CISA: Nation State Threat Actors Targeted US Aeronautical Organization

The US Cybersecurity and Infrastructure Security Agency (CISA), Federal Bureau of Investigation (FBI), and Cyber National Mission Force (CNMF) published a joint cybersecurity advisory warning that state-sponsored threat actors have exploited vulnerabilities in Zoho and Fortinet products to compromise an organization in the aeronautical sector. The advisory includes tactics, techniques, and procedures (TTPs), indicators of compromise (IOCs), and suggested detection methods and mitigations.

Editor's Note

Two weaknesses were leveraged for this attack -- CVE-2022-47966 was leveraged to access their public-facing Zoho ManageEngine ServiceDesk Plus, and CVE-2022-42475 to access their firewall, at which point they were able to scan internal networks and find added vulnerabilities to exploit. Making sure that your boundary protection and Internet-facing services are kept updated is critical. Set hard limits on mitigating weaknesses for these devices. The CISA report is a good writeup of how the attack progressed and should provide you points for your argument to raise the bar. Also, there are IoCs for your threat hunters to investigate.

Lee Neely

Internet Storm Center Tech Corner

Apple Patches Older Operating Systems

https://isc.sans.edu/diary/Apple+fixes+0Day+Vulnerability+in+Older+Operating+Systems/30210

Augmenting Honeypot Logs

https://isc.sans.edu/diary/Anyone+get+the+ASN+of+the+Truck+that+Hit+Me+Creating+a+PowerShell+Function+to+Make+3rd+Party+API+Calls+for+Extending+Honeypot+Information+Guest+Diary/30204

Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Remote Access VPN Unauthorized Access Vulnerability

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-ravpn-auth-8LyfCkeC#fs

Phishing via Google Looker Studio

https://blog.checkpoint.com/security/phishing-via-google-looker-studio

Wi-Fi Enabled Practical Keystroke Eavesdropping (PDF)

https://arxiv.org/pdf/2309.03492.pdf

HPE One View Authentication Bypass

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=hpesbgn04530en_us

More details about Apple 0-day

https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/

Odd Password Solution

https://notpickard.com/@rdp/111009868239846779