SANS NewsBites

Check Cisco Routers for Compromised Firmware and Patch All Cisco Gear; More Zero Day Vulnerabilities in Google Chrome Require Priority Patching

September 29, 2023  |  Volume XXV - Issue #77

Top of the News


2023-09-28

Joint Cybersecurity Advisory Warns of Chinese Threat Actors Modifying Router Firmware

A joint advisory from intelligence, cybersecurity, and law enforcement authorities in the US and Japan warns that cyber threat actors with ties to China’s government have been stealthily modifying Cisco IOS router firmware and taking advantage of routers’ domain-trust relationships to pivot from subsidiary organizations into their primary target organizations. Cisco notes that “the most prevalent initial access vector in these attacks involves stolen or weak administrative credentials.”

Editor's Note

Make sure that you’re using strong credentials with your routers, and limit which networks/interfaces they can be used from. You may want to leverage capabilities in your existing PAM solution to enforce how users connect and how those passwords are managed, and to create a good record of all actions taken.

Lee Neely

I am pretty hard on bombastic articles about “Cisco Critical Zero Days,” typically because they are usually around the SMB Routers. The following few articles will not be that. This is extraordinarily bad, and there needs to be an extremely high focus on these two articles. First, if you are a Cisco customer, look closely at your edge equipment. Make sure, make very sure, that your device has not been modified and that you know exactly what software was run. Protect your control planes. The attackers are getting in through weak passwords. Ensure your router's console logins are unavailable over the wider internet. This one is bad because it potentially affects even ISP customers. The way it is working is very well done. The attackers are downgrading the firmware, using (it appears) a vulnerability in that older firmware, and using a bug in that firmware to load replacement bootloaders that do not correctly check the boot anchors. They are then able to load their own firmware that enables backdoors. The backdoors leverage EEM and can be opened and closed via TCP / UDP packets. Based on the amount of knowledge you need to be able to pull this off, this, on the surface, appears to be a very sophisticated threat actor.

Moses Frost

If a thief has a key to your house, then it becomes quite easy to break in and cause mischief. That adage applies here when it comes to digital credentials. Further, the 2023 Verizon DBIR highlighted that credential leaks continue to be a major issue. The best mitigation is implementation of Multi-Factor Authentication (MFA). It is very effective in limiting the effectiveness of attacks that lead to credential theft.

Curtis Dukes
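An offline audit of captured IOS output is one way to act on the "check your edge equipment" advice above. The script below is an added example written for this issue, not code from Cisco or from the joint advisory: it reads the text of `show running-config` and `verify /md5 flash:<image>` that an operator captured over the console and flags the kinds of changes the item describes, namely EEM applets that change management has not approved (EEM is the backdoor trigger mechanism Moses mentions), applets that drive the CLI, a boot image whose hash does not match the value you recorded from Cisco's download page, and unneeded management-plane exposure. The running-config excerpt, the `verify` line and both hashes are constructed placeholders, and the checks are this example's own selection rather than Cisco's published procedure.

```python
"""Offline audit of captured Cisco IOS output for signs of tampering.

Added example, not vendor code. All sample outputs and hashes below are
constructed placeholders; replace KNOWN_GOOD_MD5 with hashes copied from
Cisco's download page for the exact image file names you run.
"""
import re

# Constructed sample `show running-config` excerpt (not a real capture).
SAMPLE_RUNNING_CONFIG = """\
version 15.7
hostname edge-rtr-1
!
boot-start-marker
boot system flash:c2900-universalk9-mz.SPA.157-3.M4.bin
boot-end-marker
!
ip http server
!
event manager applet MAINT_LOG
 event syslog pattern "LINK-3-UPDOWN"
 action 1.0 syslog msg "link state changed"
!
event manager applet svc_1
 event timer watchdog time 30
 action 1.0 cli command "enable"
 action 2.0 cli command "configure terminal"
 action 3.0 cli command "username svc privilege 15 secret 0 Pa55w0rd"
!
line vty 0 4
 transport input telnet ssh
!
"""

# Constructed sample `verify /md5` output; the hash is a placeholder.
SAMPLE_VERIFY_OUTPUT = (
    "verify /md5 (flash:c2900-universalk9-mz.SPA.157-3.M4.bin) = "
    "fedcba9876543210fedcba9876543210"
)

# Hypothetical known-good hash, as if recorded from Cisco's download page.
KNOWN_GOOD_MD5 = {
    "c2900-universalk9-mz.SPA.157-3.M4.bin": "0123456789abcdef0123456789abcdef",
}

# Applet names your change-management process has approved (assumption).
APPROVED_EEM_APPLETS = {"MAINT_LOG"}

APPLET_RE = re.compile(r"^event manager applet (\S+)")
BOOT_RE = re.compile(r"^boot system \S+?:(\S+)")
VERIFY_RE = re.compile(r"verify /md5 \(\S+?:(\S+)\) = ([0-9a-f]{32})")


def parse_eem_applets(config: str) -> dict:
    """Return {applet_name: [indented body lines]} from running-config text."""
    applets, current = {}, None
    for line in config.splitlines():
        m = APPLET_RE.match(line)
        if m:
            current = m.group(1)
            applets[current] = []
        elif current and line.startswith(" "):
            applets[current].append(line.strip())
        else:
            current = None  # any non-indented line closes the applet block
    return applets


def boot_image(config: str):
    """File name of the configured boot image, or None if none is set."""
    for line in config.splitlines():
        m = BOOT_RE.match(line)
        if m:
            return m.group(1)
    return None


def check_image_hash(verify_output: str, known_good: dict) -> list:
    """Compare the hash printed by `verify /md5` against the recorded value."""
    m = VERIFY_RE.search(verify_output)
    if not m:
        return ["verify output unparseable; re-run `verify /md5` and capture it"]
    image, observed = m.groups()
    expected = known_good.get(image)
    if expected is None:
        return [f"no known-good hash on file for image {image}"]
    if observed != expected:
        return [f"image {image} hash {observed} != expected {expected}"]
    return []


def audit(config: str, verify_output: str, known_good: dict, approved: set) -> list:
    """Collect findings; an empty list means nothing suspicious was seen."""
    findings = check_image_hash(verify_output, known_good)
    m = VERIFY_RE.search(verify_output)
    boot = boot_image(config)
    if m and boot and m.group(1) != boot:
        findings.append(f"hash taken of {m.group(1)} but configured boot image is {boot}")
    for name, body in parse_eem_applets(config).items():
        if name not in approved:
            findings.append(f"unapproved EEM applet: {name}")
        cli_actions = [b for b in body if b.startswith("action") and " cli command " in b]
        if cli_actions:
            findings.append(f"EEM applet {name} drives the CLI: {cli_actions[0]}")
    if re.search(r"^ip http server$", config, re.M):
        findings.append("ip http server enabled; disable it or restrict it with an ACL")
    if re.search(r"^ transport input .*telnet", config, re.M):
        findings.append("vty lines accept telnet; use `transport input ssh` only")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RUNNING_CONFIG, SAMPLE_VERIFY_OUTPUT,
                         KNOWN_GOOD_MD5, APPROVED_EEM_APPLETS):
        print("FINDING:", finding)
```

Treat a clean result as necessary rather than sufficient: the whole point of the bootloader tampering described above is that a modified image can misreport its own hash, so an on-box `verify` only rules out the careless cases. The authoritative steps are the ones in the Cisco and CISA advisories linked in the Tech Corner below.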

2023-09-28

Cisco: Patch IOS and IOS XE Software to Fix Zero-day

Cisco is urging users to update their IOS and IOS XE software to protect devices from an out-of-bounds write vulnerability in the software’s Group Encrypted Transport VPN (GET VPN) feature. The flaw is being actively exploited, and there are no workarounds available.

Editor's Note

While the attack requires control of a key server, and inside access, which would indicate a high level of complexity, the flaw is still being exploited successfully. This follows the release of their fix to their SAML authentication which allowed an attacker to authenticate as any user. Suggest high priority getting these deployed.

Lee Neely

On the heels of the previous article, this one is interesting because it was discovered by someone in Cisco ASIG and exploitation of it was attempted in the wild. It is a complex attack against the GET VPN feature in IOS. GET VPN is an older, but still highly used feature set. It is also really complex to exploit, requiring access to an existing member of the GET VPN Domain. Either way, if you are already looking at the first issue and are using GET VPN, this one may be a fix you want to implement quickly.

Moses Frost

This vulnerability requires the attacker to have authenticated access in order to exploit the device. Review your system logs and prioritize the software update accordingly.

Curtis Dukes

2023-09-28

Google Patches Another Chrome Zero-day

Google has updated the Chrome Stable Channel for Desktop to address 10 security issues, including a high-severity heap buffer overflow vulnerability in vp8 encoding in libvpx that is being actively exploited. Chrome users are advised to update to version 117.0.5938.132 or later.

Editor's Note

The quantity of zero days in 2023 is still below the record year of 2021, but the percentage of zero days that are being actively exploited when discovered seems higher than in the past. That could mean more threat hunting and better detection is reducing overall time to detect incidents, and that does seem to be the case in many areas. But more “hoarding” of zero day vulnerabilities by threat actors is also being reported – threat hunting and purple teaming are still critical skills and processes.

John Pescatore

You know the drill. Push and verify. If you’re not leveraging Chrome enterprise, go check it out. Chrome updates are at least monthly; that will save you some headaches.

Lee Neely

Adobe Acrobat, errr, Google Chrome, has been in the news a lot lately, correct? Feels like déjà vu to me. Given the amount of focus on Google Chrome and its relevant offspring, such as Electron and Microsoft Edge, maybe it’s time to look back to Firefox or other browsers to reduce the risk of exploitation. This is one you’ll have to use a threat model to see how likely you are to reduce your risk given that every browser has its bugs.

Moses Frost

Thankfully Google has made the update process easy-peasy, so really no excuse not to update immediately. What is striking though, is the number of zero-days being used these days and our ability to detect them quicker.

Curtis Dukes

The Rest of the Week's News


2023-09-28

Privacy Watchdog Board Wants Limits on FISA Section 702 Searches

The Foreign Intelligence Surveillance Act (FISA) Section 702 data gathering program expires at the end of this calendar year. The Privacy and Civil Liberties Oversight Board (PCLOB) has recommended that Congress make changes to Section 702 to enhance data privacy before reauthorizing the program. Section 702 allows the government to gather electronic communications of non-U.S. persons without a warrant. In the process of gathering this information, personal data of US citizens and legal US residents is “incidentally” collected as well. The PCLOB recommends that, before reauthorization, Congress require the FBI to obtain Foreign Intelligence Surveillance Court approval to look at data belonging to US citizens and legal residents.

Editor's Note

A complex issue but some simple parts: We’ve seen several times that government agency abuse of monitoring resulted in movement to require court warrants, and the agencies predicted catastrophic loss of intelligence ability - which rarely if ever actually happened. As more states enact meaningful privacy legislation, there is also an issue of government agency ability to actually protect collected sensitive information and any resulting liability impacting companies that provided customer data with no warrant obtained.

John Pescatore

Section 702 is a valuable intelligence gathering tool, but it has to be used responsibly. Most of the recommendations made by the PCLOB are reasonable and provide guardrails on the use of the tool. It also includes a couple of exemptions that likely address the timeliness concern. Given that the law was enacted 15 years ago, some changes are likely warranted as we’ve learned how it is used and misused.

Curtis Dukes

While it’s always good to consider the checks and balances of government security vs. privacy, I’m personally far more concerned about the amount of data the private sector collects. The private world knows not only our age, gender, job and where we live but also tracks our political and sexual preferences, our financial reliability, our travel records, our physical and mental health, our personal relationships, employment history, purchases, etc. In some cases, this information can even be purchased, not just on the Dark Web but via legitimate data brokers. It’s now to the point that I don’t teach people how to protect their privacy, but how to protect themselves assuming that data is already in the hands of threat actors (credit freeze, bank account & credit card real-time monitoring, MFA, etc).

Lance Spitzner

There are some of you saying “What do you think <TLA> does?” That this is their core business. With increased emphasis on transparency, and ever evolving privacy laws (GDPR, CCPA, etc.), having clear permission (e.g., a warrant) as well as a requirement on handling incidentally collected data is not a big surprise. Hopefully a middle ground can be found where investigations are still effective.

Lee Neely

The very existence of this data invites abuse. As predicted, we have seen the abuse both with and without warrants; it would be naive to think that we know about all of it. The sunset provision in 702 exists to provide an opportunity to resist abuse; it should not be reauthorized without doing so. The fact that the FISA court has only rarely refused a request for a warrant is not an excuse for not requiring them. While the FISA court's threshold for probable cause may be low, warrants do come with judicial supervision.

William Hugh Murray

2023-09-28

60,000 State Department eMails Exfiltrated in Outlook/Exchange Online Breach

When Chinese state-sponsored hackers broke into US government Outlook and Exchange Online accounts earlier this year, they stole about 60,000 emails from the State Department. In a press briefing on Thursday, September 28, a US State Department spokesperson said that the stolen emails were from accounts belonging to 10 State Department officials, the majority of whom were involved in Indo-Pacific diplomatic work. The stolen information includes travel itineraries and diplomatic notes.

Editor's Note

If your company does business with or competes with China, your executives are very likely to have been targeted by foreign intelligence activities. Use this item to justify and drive threat hunting around your company’s high value targets – people and facilities.

John Pescatore

Too often email accounts are used as the de facto file system by employees. On average, having 6,000 email messages per compromised State Department employee supports the premise. The Center for Internet Security critical security control 3 outlines a number of safeguards for data protection. It starts with having a data management process.

Curtis Dukes

A good example of why end to end encryption is so critical when dealing with sensitive data. Sadly, until vendors make vast improvements in end to end email encryption solutions, emails stored in mailboxes will always be vulnerable.

Brian Honan

Protect sensitive conversations in email with encryption. Encryption of stored email provides need to know protection beyond the encryption in transit already in place. Your email solution may already have options. Make sure that you consider how it interacts with business partners and collaborators.

Lee Neely

2023-09-27

Windows 11 Update Includes Integrated Passkeys

The most recent update for Windows 11 includes support for passkeys across the platform. The feature was introduced in June for the Windows Insider program. The passkeys will be created through the Windows Hello biometric authentication tool.

Editor's Note

Microsoft making it easier for everyone to move away from reusable passwords is a good thing but the rate of critical vulnerabilities showing up in Microsoft software, and Microsoft’s slow (compared to the browser world) patch release process almost revives old fears that drove always waiting a few months before jumping on a Windows update. In this case, three months of use in the Windows Insider program should mitigate that risk.

John Pescatore

Make sure you’ve got folks using the Insider program to check out new features before the next update makes them available to everyone. As passkeys get increasingly incorporated into operating systems and applications, you’re going to want to be up to speed to embrace them.

Lee Neely

Passkeys are a great feature to implement from a security perspective. I think enabling and using them for everything that supports it is a good idea. The only “better” security solution (if you can argue better and worse) is leveraging a physical hardware security token such as Yubikey.

Moses Frost

Inclusion of passkeys in Windows 11 is another nail in the password coffin. Passkeys provide for a strong form of authentication and are phish-resistant. Perhaps, just perhaps, 2024 is the year we can finally say goodbye to passwords.

Curtis Dukes

Microsoft finally joins Apple and Google in supporting the user side of Passkeys. This support is essential. The convenience of Passkeys can reduce the resistance to strong authentication but only if the application side offers them at least as an option. Enterprises should consider making them mandatory internally. Users should prefer applications and services that offer Passkeys as an option and even ask for them where they are not offered.

William Hugh Murray

2023-09-28

Johnson Controls Discloses Cybersecurity Incident

Johnson Controls International (JCI) has disclosed in a US Securities and Exchange Commission (SEC) filing that it “experienced disruptions in portions of its internal information technology infrastructure and applications resulting from a cybersecurity incident.” JCI makes industrial control systems as well as HVAC, fire, and security equipment for buildings. Several JCI subsidiaries, including Simplex and York, are reportedly experiencing technical outages.

Editor's Note

This appears to be a ransomware attack from the Dark Angels gang, who reportedly exfiltrated 27TB of data, and is demanding $51 million for the decryption key and to delete the data. The 8-K filing indicates that Johnson Controls is implementing system recovery procedures, and that most systems are back online, a hint they don’t intend to pay the ransom. The impact on York and Simplex is an indicator to understand downstream impacts of a similar event in your enterprise. Ask if your subsidiaries could operate independently. If not, how does that alter your recovery plan?

Lee Neely

JCI is a $25B international company that has unfortunately fallen victim to a ransomware attack. It proves that no matter how large or small a company is, they are being targeted and can become a victim. Once the dust has settled, I hope that JCI will publish an after-action report detailing initial attack access, privilege escalation, security defenses employed, and incident response plan to minimize the disruption. We all benefit from this knowledge.

Curtis Dukes

2023-09-28

Progress Software Releases Patches for Critical Vulnerabilities

Progress Software has released updates to address eight vulnerabilities in their WS_FTP file transfer software. Two of the vulnerabilities are rated critical: a .NET deserialization vulnerability in the Ad Hoc Transfer module (CVE-2023-40044) and a directory traversal vulnerability (CVE-2023-42657). Users are urged to upgrade to WS_FTP Server 2020.0.4 (8.7.4) or WS_FTP Server 2022.0.2 (8.8.2).

Editor's Note

The 1990s are calling: they want their software back. If you’re using WS_FTP, patch it, then seriously find an alternative. This is another issue from Progress Software, the folks who brought us MOVEit. They are now delivering service packs to make updates easier, which is great, and it’s time to move to more modern and secure data interchange solutions.

Lee Neely

I guess someone saw MOVEit having issues and thought, “Where there is smoke, there is fire.” I remember running WS_FTP in the late 90s or early 2000s. Although I’m sure significant pieces of it have been rewritten since, as some of the exploits deal with .NET deserialization.

Moses Frost

2023-09-28

Logistics Firm Closes Down After Ransomware Attack

UK logistics firm KNP Logistics Group has entered administration following a June ransomware attack. One of the administrators told the BBC, “Against a backdrop of challenging market conditions and without being able to secure urgent investment due to the attack, the business was unable to continue. We will support all affected staff through this difficult time.” More than 90 percent of the company’s employees have lost their jobs.

Editor's Note

Before people start populating their conference slide decks citing this as an example of a business closing resulting from a cyber-attack we need to be aware that the company was already struggling to survive. It appears the ransomware attack was the proverbial last straw but not the sole reason for the closure.

Brian Honan

The most severe consequence of an incident is to go out of business. Have you incorporated that into your planning? Meaning do you know what thresholds or events the business can’t recover from? While implicit in your planning, having explicit information may cause you to rethink your plan.

Lee Neely

Internet Storm Center Tech Corner

IPv4 Addresses in Little Endian Decimal Format

https://isc.sans.edu/diary/IPv4+Addresses+in+Little+Endian+Decimal+Format/30256

A new spin on the ZeroFont phishing technique

https://isc.sans.edu/diary/A+new+spin+on+the+ZeroFont+phishing+technique/30248

macOS Sonoma Updates

https://isc.sans.edu/diary/Apple+Releases+MacOS+Sonoma+Including+Numerous+Security+Patches/30252

Chrome Update fixes 0-day Vulnerability

https://chromereleases.googleblog.com/2023/09/stable-channel-update-for-desktop_27.html

Unpatched Exim Vulnerabilities

https://www.zerodayinitiative.com/advisories/ZDI-23-1469/

WS_FTP Vulnerabilities

https://community.progress.com/s/article/WS-FTP-Server-Critical-Vulnerability-September-2023

GPU Sidechannel Attack

https://www.hertzbleed.com/gpu.zip/GPU-zip.pdf

Router Firmware Compromised for Persistent Access

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-csa-cyber-report-sept-2023

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-270a

More libwebp vulnerability confusion

https://www.cve.org/CVERecord?id=CVE-2023-5129

https://arstechnica.com/security/2023/09/google-quietly-corrects-previously-submitted-disclosure-for-critical-webp-0-day/

Fake Dependabot Commits

https://checkmarx.com/blog/surprise-when-dependabot-contributes-malicious-code/