SANS NewsBites

Warn Home Workers of Cheap Android Device Risks; Enable GitHub Token Validity Checks; Patch Citrix NetScaler Gateways

October 10, 2023  |  Volume XXV - Issue #80

Top of the News

2023-10-04

Some Android Devices Found to Contain Pre-Installed Malware

Human Security’s Satori Threat Intelligence and Research Team “observed at least 74,000 Android-based mobile phones, tablets, and Connected TV boxes worldwide” that shipped with malware already installed. The malware – a firmware backdoor known as Triada – connects to command-and-control servers.

Editor's Note

This isn't anything fundamentally new. Low-cost devices have often been subsidized by additional software. It is worth noting, however, that "Android" is more than a smartphone operating system. For years, we have seen in our Internet Storm Center sensors attacks against TV sticks and similar devices running Android.

Johannes Ullrich

This is a good example to use for education/awareness for employees with remote access over some simple steps to reduce the risk of compromised devices (like the “cheap Android TV streaming boxes” detailed here). Home DNS filtering services can go a long way in impeding connections to the malicious actors’ command and control servers that are needed to make these attacks work.

John Pescatore

Think beyond the smartphone/tablet to streaming and other IoT devices running the Android OS. Generally, these are knock-off devices that appear to be a bargain but have achieved that discount by partnering with others, such as malware providers, for offsetting income. Purchase name-brand devices, isolate them on appropriate segments, and limit their connectivity to only the services needed, to include updates. You may wish to blackhole DNS entries for unexpected sites they are trying to access.

Lee Neely

The old adage proves true: you get what you pay for. In this case, cheap Android TV streaming boxes come preloaded with malware. When purchasing IT devices, do the research and buy from a reputable company. Yes, it may cost a bit more, but it is well worth it. Additionally, every home should use a free DNS filtering service like OpenDNS, Quad9, Cloudflare, or Google Public DNS to block malicious websites.

Curtis Dukes

2023-10-06

GitHub Expands Token Validity Checks to Include Major Cloud Services

GitHub has expanded its secret scanning feature to include token validity checks for Amazon Web Services (AWS), Microsoft, Google, and Slack. GitHub has adopted secret scanning measures over the past year to support its “mission of eliminating all credential leaks.” Secret scanning and push protection are available at no cost on public repositories.

Editor's Note

Nice move by GitHub to make their alerts more actionable. This is a free feature, but remember that you must enable it.

Johannes Ullrich

By now we know to leverage any services like this which help us discover accidental information disclosure. The scan will determine if any discovered tokens are valid, allowing you to remediate as needed. You (enterprise or organization owners and repository administrators) need to enable the service for it to work: Settings > Code security and analysis > Secret scanning, and check the option "Automatically verify if a secret is valid by sending it to the relevant partner."

Lee Neely

GitHub has been on a security tear over the last 18 months. They first started the security journey by requiring MFA for privileged accounts, then expanded the requirement to all user accounts. Next, they created a secret scanning capability as a credential security check on their public repositories, now expanding to include the major cloud service providers. Well done GitHub, well done!

Curtis Dukes

2023-10-09

Citrix NetScaler Gateways Vulnerability is Being Exploited

Cyber criminals are exploiting a recently disclosed vulnerability in Citrix NetScaler Gateways to steal user credentials. The vulnerability (CVE-2023-3519) was disclosed in July 2023, and updates to fix the issue were released at that time. The flaw has been under exploit since June 2023; in some instances, the attacks have targeted organizations that support critical infrastructure.

Editor's Note

You read that right, the patch was released in July, and is still being exploited on unpatched devices. Add looking for NetScaler Packet Processing Engine (NSPPE) crash files to your threat hunting as they can contain evidence of the exploitation of the vulnerability. Other IOCs were released with the CVE notification in July. Most importantly, make sure you're on top of patching these devices. While you may be waiting for an outage window, make sure there is an upper end for that wait, and it's reflected in policy.

Lee Neely

We are looking at attackers hitting NetScaler gateways with a vulnerability that has had a patch available for the last 4 months. At this point there are only a few scenarios. Negligence is one. Inability to patch because of some external factor, such as it breaking a business process, is another. Could also be that the company forgot the NetScaler was there, moved away from it, and is unaware. Maybe it was an M&A thing. Maybe their support contract ran out and they can’t get the patch? Either way, it does make you wonder who is being affected and why.

Moses Frost

The Rest of the Week's News

2023-10-09

WordPress TagDiv Composer Plugin Vulnerability is Being Exploited

More than 17,000 WordPress websites have become infected with backdoors that were installed via a known vulnerability in the TagDiv Composer WordPress plugin. An updated version of the plugin has been released; users are urged to update to TagDiv Composer version 4.2 or later. The plugin is a companion tool to the Newspaper and Newsmag WordPress themes.

Editor's Note

The flaw stems from TagDiv not properly validating and escaping some parameters, as well as improper authorization on the REST route, which allows Stored Cross-Site Scripting attacks. The attackers are leveraging this to send victims to various scam sites such as fake tech support, false lottery wins and push notification scams. TagDiv is a required plugin for the Newspaper and Newsmag WordPress themes, so you can't uninstall it if you're using those themes; make sure that you're on 4.2+ of TagDiv, and then make sure the themes are also updated.

Lee Neely

A WordPress plugin that has vulnerabilities and it's actively being exploited? Never heard of such a thing. This is one of those cases: if you still use WordPress, just have it hosted at a hosting provider that is good at security.

Moses Frost

WordPress plugins continue to be a source of vulnerability and exploitation. They should be used only by design and intent, never by default, and must be scrupulously managed.

William Hugh Murray

2023-10-06

MGM Says Ransomware Attack Costs Exceed $100 Million

In a Form-8 filing with the US Securities and Exchange Commission (SEC), MGM Entertainment disclosed that a ransomware attack earlier this year has cost the company more than $100 million so far. MGM also said that the attackers stole customer data, including passport and Social Security numbers.

Editor's Note

This is a good example of a failure in cybersecurity having a direct impact on a closely tracked business metric – in this case room occupancy. MGM’s annual revenue is over $13B but the ransomware compromise took down their ability to book rooms and they had to report a likely miss in forecasted revenue for 3Q23 – the $100M reduction in billings resulted in a 15% drop in their stock price since the incident was reported. All that adds up to needing to know which baskets are holding a lot of business eggs and prioritizing really, really watching and securing those baskets.

John Pescatore

While the $100M cost seems eye-popping, it likely will grow. What’s really interesting is the impact the purported ransomware event had on business operations – fully $90M in lost revenue. Both the MGM and Caesars Entertainment cyber incidents should be documented as risk management case studies. In this case, businesses need to model potential cyber risks, to include ransomware, and the effect it can have on continuity of business operations.

Curtis Dukes

The loss of revenue from people choosing to stay elsewhere, as well as reduction in stock value, is likely not finished yet. While the exact extent of data exfiltrated may be in question, assume data related to any stay for the last ten years and/or your loyalty program membership are included. You may not get notified of any issues unless you're a loyalty program member. Be proactive and get your own identity protection in place.

Lee Neely

The increasing frequency of successful ransomware attacks suggests that many enterprises are relying on mitigation, to include paying the extortion. When doing so, one's business continuity plan should include hot backups. Keep in mind that these are difficult to implement and test. Consider that prevention may be more efficient.

William Hugh Murray

2023-10-09

Amnesty International Calls for Worldwide Ban on Spyware

A report from Amnesty International based on its own disclosures “and the findings of the new Predator Files investigation coordinated by European Investigative Collaborations (EIC) media network, have laid bare how government action has been inadequate and ineffective in ending spyware abuse.” The report maintains that attacks targeting academics, political figures, journalists, and others have “severely and detrimentally impacted human rights, media freedoms, and social movements across the world.”

Editor's Note

Fundamentally, the beef is that there is no control over spyware use; in this case the use case is the Predator spyware, which appears to be readily available to anyone who wants it. It's a similar argument to making a tool that only a certain group (e.g., law enforcement) will have access to, which turns out to be available to a much larger group. The best mitigation is to keep devices updated and leverage settings such as Lockdown Mode in iOS in high-risk environments to reduce the attack surface on smartphones and tablets. Develop a cyber hygiene check prior to foreign travel, which may include provisioning secured loaner devices, to keep the bar raised.

Lee Neely

From a policy standpoint I see what Amnesty International is attempting to do, but we must be really careful not to hamstring the teams attempting to model what the adversary is doing. The attack teams still have better tools than we can model. If we can’t model it, we cannot do well to defend against it. This is speaking as someone who worked in the vendor space: you must be able to model the attacks to make sure products can detect and protect.

Moses Frost

There is a market for software vulnerabilities, pure and simple. In this case the marketplace is used by both the private sector and government entities. It’s only logical that now those purveyors, Intellexa in this case, would move to offer surveillance services through an alliance. It really is ‘all about the Benjamins.’

Curtis Dukes

2023-10-09

IZ1H9 Campaign Targets Devices From Multiple Vendors

Researchers from Fortinet have observed a campaign involving Mirai-based distributed denial-of-service (DDoS) attacks. The IZ1H9 campaign targets routers and Internet of Things (IoT) devices from multiple vendors, including D-Link, Zyxel, and TOTOLINK, and adds them to a botnet that is used to launch DDoS attacks.

Editor's Note

An example of quick-thinking cybercriminals taking advantage of known vulnerabilities in a range of IoT products to add to their botnets. The simple solution is for users to manage their devices, which means routinely downloading and patching as software updates become available.

Curtis Dukes

The researchers enumerated 13 new payloads being used to infect these devices, all of which are part of the IZ1H9 campaign. The attack, which is aimed at Linux-based network devices, starts by leveraging a known weakness to deploy a payload that installs a shell script downloader, deletes all logs, then modifies the device's iptables to obscure and enable the desired communication. The primary mitigation is to keep devices aggressively updated as well as limit access to their management services. Fortinet has provided IOCs you may wish to leverage.

Lee Neely

Read more in

Fortinet: IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits

https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits

Dark Reading: Patch Now: Massive RCE Campaign Wrangles Routers Into Botnet

https://www.darkreading.com/cloud/patch-now-massive-rce-campaign-d-link-zyxel-botnet

2023-10-09

Volex Acknowledges Cybersecurity Incident

Volex, a UK-based provider of electronic components and integrated manufacturing services, has confirmed that intruders gained access to the company’s IT systems. The company’s notice of cyber incident says the intruders accessed systems at some of its international sites, and that “actions taken to date have ensured that all sites remain operational, with minimal disruption to global production levels, and the Group continues to trade with its customers and suppliers.”

Editor's Note

Often when we talk about supply chain attacks, we think solely in the areas of IT and cyber. However, this is a good example of how a cyberattack can potentially impact on the non-IT aspects of your business. Now is a good time to examine your business continuity planning in the event one or more of your key suppliers suffer a cyberattack and cannot deliver their supplies to your organization.

Brian Honan

It's likely this attack was designed to disrupt supply chains, resulting in reputation and financial damage rather than to access company secrets. Even so, Volex's response plan minimized impact to operations and their customers as well as nominalizing the financial impact. Make sure you've addressed reputational and financial impact in your BC/DR planning.

Lee Neely

2023-10-09

curl Maintainers to Fix Two Flaws This Week

Maintainers of the curl open-source command-line tool will release fixes to address two vulnerabilities later this week: a high severity vulnerability that affects both libcurl and the curl tool, and a low severity vulnerability that affects only libcurl. The maintainers plan to release curl 8.4.0 on Wednesday, October 11.

Editor's Note

The maintainers of curl are keeping details of the high-severity vulnerability close; unless you have a support contract and good reason, you're not going to get the details on CVE-2023-38545 before 10/11 other than that it's bad and affects multiple prior versions of curl. Note that they are working with the Linux distribution lists to get patches prepared. Be proactive and scan your systems to get ready for deployment of the updated curl/libcurl.

Lee Neely

I have no idea what is going to come out with this curl vulnerability. The maintainer of the project has been consistently sounding the alarm that this one will be bad. cURL is used everywhere, including in IoT devices. This has the potential to be a very long-lasting and nasty bug. Brace yourselves: winter is coming.

Moses Frost

Internet Storm Center Tech Corner

ZIP's DOSTIME and DOSDATE Formats

https://isc.sans.edu/diary/ZIPs+DOSTIME+DOSDATE+Formats/30296

Binary IPv6 Address Conversion

https://isc.sans.edu/diary/Binary+IPv6+Addresses/30290

New Magecart Campaign Abusing 404 Pages

https://www.akamai.com/blog/security-research/magecart-new-technique-404-pages-skimmer

Sophos Affected by Exim Flaw

https://www.sophos.com/en-us/security-advisories/sophos-sa-20231005-exim-vuln

Turn OFF This WatchGuard Feature: GuardLapse

https://projectblack.io/blog/turn-off-this-watchguard-feature-guardlapse/

Wireshark Updates

https://www.wireshark.org/

Improved GitHub Secret Scanning

https://github.blog/2023-10-04-introducing-secret-scanning-validity-checks-for-major-cloud-services/

Prerooted Android Devices

https://arstechnica.com/security/2023/10/thousands-of-android-devices-come-with-unkillable-backdoor-preinstalled/

curl update

https://github.com/curl/curl/discussions/12026