SANS NewsBites

Test Data Center Switchover Processes; Monitor Microsoft and Quickly Abandon NTLM When Possible; Disable HTTP or Block Internet Connection for all Cisco IOS XE Use

October 17, 2023  |  Volume XXV - Issue #82

Top of the News


2023-10-15

Equinix Data Center Outage Due to Planned Upgrade

A scheduled chilled water system upgrade at an Equinix data center in Singapore caused outages for DBS Bank and Citi Singapore. The incident, which lasted for several hours, occurred on Saturday, October 14. Services in other locations, including India, the Philippines, and Hong Kong, were reportedly also affected.

Editor's Note

John Pescatore

DBS Bank was unable to fail-over to services in another Equinix data center, which raises the question of why not. So far Equinix hasn't provided an answer on the interdependencies that prevented failover. The point being, when you set up for multiple physical locations with failover in mind, it's not always possible to ensure that failover will succeed. Work with your hosting provider to identify these dependencies and how they can be mitigated. Make sure you capture the risk and ROI of proposed mitigations.

Lee Neely

Fundamentals matter. Ensuring back-up and failover sites are operational before attempting an upgrade is about as fundamental as you can get. We are too often enamored by the sexy tech and forget that physical procedures are actually pretty important.

Mark Weatherford

The investigation is continuing but it does highlight that even planned upgrades can have unexpected consequences. Therefore, it’s important as part of the planning process to be able to quickly roll back system upgrades. This ensures continuity of business operations should the upgrade not go as planned.

Curtis Dukes

2023-10-11

Microsoft to Improve Windows Authentication by Enhancing Kerberos and Phasing Out NTLM

Microsoft is taking steps to strengthen Windows user authentication by adding features to Kerberos and eventually eliminating NTLM (New Technology LAN Manager). While Kerberos has been the default Windows authentication for more than two decades, there are instances where it still cannot be used. Microsoft plans to introduce new features to Kerberos to eliminate the need to fall back to NTLM.

Editor's Note

Removing NTLM will be a significant security improvement. We keep having vulnerabilities in various software (most recently WordPad) that trick clients into establishing SMB connections, potentially transmitting NTLM password hashes.

Johannes Ullrich

The fall-back NTLM use cases: Only supported protocol with local accounts, works when there is no connection to a DC, or when you don't know who the target server is. The changes include IAKerb, for relay communication to a system with "line of sight" access to the DC; having a local KDC (LocalKDC) for local accounts and fixing Windows components hard-coded to use NTLM to use the Negotiate protocol, which can leverage IAKerb and LocalKDC. While the date is not set to phase out NTLM, it's time to start gathering your use cases, so you can test the replacement options prior to the forced retirement of NTLM.

Lee Neely

Dave Mayer at Neuvik, where I worked, looked at some articles because the curiosity about dropping NTLM is essential. How do you drop NTLM and use two workstations? Who is the KDC? We got the answer: the KDC will be set up on a non-domain computer on each machine. They will act as the KDC for the transaction. Does this mean there is a krbtgt account on your Windows 11 Workstation? What will this look like? But just like VBScript, there is no stopping this, so Farewell NTLM. You were such a good friend for the Red Team.

Moses Frost

It took something like 15 years for the US to make the shift away from leaded gasoline – removing dangerous stuff from a large installed base is not easy, but in the modern software world “legacy software backwards compatibility” needs to be measured in single digit years not decades.

John Pescatore

Could this finally be the end of NTLM? NTLM has had a checkered security history, being susceptible to replay attacks among other security vulnerabilities (i.e., pass-the-hash). By making these changes to Kerberos part of the default configuration in Windows 11, Microsoft is easing adoption.

Curtis Dukes

2023-10-16

Cisco Warns of Critical Vulnerability in IOS XE Software Web UI

Cisco has published a security advisory warning of a critical privilege elevation vulnerability in its IOS XE Software web user interface (UI). The flaw (CVE-2023-20198) is being actively exploited to gain full admin privileges. No patch is currently available for the vulnerability; Cisco is urging users to disable the HTTP Server feature on all internet-facing systems.

Editor's Note

Never ever expose these admin interfaces to the public internet. It is sad how no vendor is able to apply secure coding practices to these high risk applications. Instead of "shift left", this feels more like "shift right for the customer to secure".

Johannes Ullrich

First thing: eliminate Internet access to your Cisco devices' management interfaces, ideally to management networks with very limited access. For those of you in the federal space, that should have been part of implementing BOD-23-02. For the rest of us, quick like a bunny, get that taken care of. Exploiting this flaw allows a remote unauthenticated attacker to create an administrator account with level 15 privileges, which can be used to take over the device.

Lee Neely

As someone who knows how to operate old-school Cisco gear, don’t use the WebUI on IOS XE. Unless there is some weird vManage (Viptela) requirement, this is just… no, bad. Turn off. No. That’s all I have to say. I’m sure there are tons of issues with it. There must be; who uses this?

Moses Frost

Yet another example of why you should not have your web management interface exposed onto the internet. If you do, you are hoping that a critical vulnerability is never discovered or exploited. It is much better to have access to the web management interface restricted to internal IP addresses accessible via a VPN.

Brian Honan

This is a dangerous vulnerability – zero day and CVSS score of 10. Heed Cisco’s mitigation guidance and be ready to implement the software update once it becomes available.

Curtis Dukes
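As an added illustration of the mitigation this item and the editors describe (not taken from Cisco's advisory or the newsletter itself), here is the exposed IOS XE web UI configuration next to the two corrected forms: switch the feature off, or, where the web UI is genuinely required, keep only HTTPS and limit it to the management network. The ACL name MGMT-ONLY and the 10.99.0.0/24 management subnet are assumptions.

```cisco
! Weak: web UI enabled over HTTP and HTTPS with no source restriction,
! so it answers on every interface, including the Internet-facing one.
ip http server
ip http secure-server

! Corrected, option 1 (the interim guidance in this item): remove the
! attack surface entirely by turning the HTTP server feature off.
no ip http server
no ip http secure-server

! Corrected, option 2 (only if the web UI is genuinely required):
! drop plaintext HTTP, keep HTTPS, and allow only the management
! network to reach it. 10.99.0.0/24 is an assumed management subnet;
! substitute your own.
ip access-list standard MGMT-ONLY
 permit 10.99.0.0 0.0.0.255
 deny   any
no ip http server
ip http secure-server
ip http access-class ipv4 MGMT-ONLY

! Verify what the running configuration actually contains afterwards;
! "ip http server" or an unrestricted "ip http secure-server" here
! means the device is still exposed.
show running-config | include ip http
```

Other features that depend on the HTTP server stop working along with it, so confirm which ones you rely on before choosing option 1, and apply the vendor update as soon as it ships.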

The Rest of the Week's News


2023-10-11

EPA Pulls Water Sector Cybersecurity Audit Requirement

Citing lawsuits filed by states and other entities, the US Environmental Protection Agency (EPA) has rescinded a March 2023 cybersecurity audit requirement for water utilities. The rule would have required states to add a cybersecurity audit component to their Sanitary Survey programs. The lawsuits maintained that the rule was untenable due to expenses, lack of technical expertise, and weak state laws that would not protect the data gathered by the surveys.

Editor's Note

Stating that "the new requirements would put a significant financial burden on small towns" is, while a legitimate concern, a poor excuse for not doing something everyone realizes is necessary. Following a ransomware attack on computer systems in Hinds County, MS last month, a county administrator said that "we felt like we were vulnerable" and that it "just that it came too soon before we could get to it." It's human nature to a degree to think we always have a little more time, but security incidents aren't something that arrive on a schedule. Next to electricity, water is one of society's most critical resources and these lawsuits filed by states and non-profit water associations are not in the best interest of the public unless followed with specific and timely action.

Mark Weatherford

Highly likely that Congress will see bills to add the regulatory authority and this will be back. It is not a defensible position to say water utilities *do* have the funding, expertise and local laws needed to add computers and internet connections but *don’t* have the ability to do so safely and reliably.

John Pescatore

The requirement, from March 2023 as part of the National Cybersecurity Strategy, which had a stay July 12, 2023, of the memorandum under litigation, is still a good idea. Regardless of regulatory requirement, critical infrastructure remains a target; as such, operators need to ensure the security of their water and wastewater systems, ideally hiring a third-party to audit and/or test their configuration to ensure objectivity. One hopes future regulatory requirements address concerns raised to make them more palatable.

Lee Neely

As previously discussed, use of the Sanitary Survey program as means to compel a cybersecurity audit was problematic from the get go. In rescinding the audit requirement, EPA is simply acknowledging that fact. That said, the EPA can do two things: 1) work with the water utility sector on establishing a measurable cybersecurity program; and, 2) work within the USG to normalize a baseline set of cybersecurity requirements applicable to every critical infrastructure sector.

Curtis Dukes

Hopefully the various entities within the Water Sector will look to conduct cybersecurity audits regardless of the withdrawal of this memorandum. I always state I’d rather have an auditor find issues with my cybersecurity program than the same issues being discovered by a criminal.

Brian Honan

2023-10-16

CISA, FBI, MS-ISAC: Patch Atlassian Confluence Vulnerability Now

The US Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the FBI have issued a joint advisory urging users to update to the most recent versions of Atlassian Confluence Data Center and Server. The privilege elevation vulnerability affects on-premises installations of Confluence Data Center and Server. Atlassian issued an advisory about the vulnerability earlier this month. The October 16 multi-agency advisory provides users with detection signatures and indicators of compromise.

Editor's Note

Johannes Ullrich

The weakness affects Confluence Data Center and Server versions 8.0 to 8.5.1. Versions prior to 8.0 are not affected, but you really don't want to be on an old version. This was added to CISA's KEV on 10/5/23 with a due date of 10/13/23. Two core mitigations are to apply the update post-haste and implement phishing resistant MFA. Be sure to check for indications of compromise if you're running any of the affected Confluence versions.

Lee Neely

If the US Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the FBI urge you to patch your systems, then you patch your systems. I also recommend that even if you have already patched your Confluence systems that you check your environment for the Indicators of Compromise included in the alert to ensure your systems have not been compromised.

Brian Honan

2023-10-13

CISA Sharing More Information About Which Vulnerabilities and Misconfigurations Ransomware Operators are Using

The US Cybersecurity and Infrastructure Security Agency (CISA) has introduced two new resources to help organizations identify and mitigate vulnerabilities known to be exploited by ransomware operators. One of the resources is a new table on the StopRansomware project website that provides information about misconfigurations and weaknesses ransomware operators have been exploiting. The other resource is a new column in the Known Exploited Vulnerabilities (KEV) catalog to indicate whether a vulnerability is known to have been used in ransomware attacks. Both resources are part of CISA’s Ransomware Vulnerability Warning Pilot program.

Editor's Note

The current list of Misconfigurations and Weaknesses on the StopRansomware site are: RDP, FTP, TELNET, SMB and VNC. You should be going, wait, really? Yeah, go make sure these are never exposed to the Internet, that they are only enabled where needed, you're on the latest (SMBv2 vs SMBv1), VPN is required to access the services, and you have implemented secure configurations. You need a plan to retire FTP, TELNET, and SMBv1 right away.

Lee Neely

Most if not all ransomware attacks take advantage of misconfiguration and missing patches to successfully execute the attack. The best advice to prevent a ransomware attack remains, know your enterprise, implement a patch management process, configure to a known security benchmark, and monitor your enterprise. An excellent starting point is the ‘Blueprint for Ransomware Defense.’ The blueprint is an action plan for ransomware mitigation, response, and recovery for small and medium sized enterprises.

Curtis Dukes

Kudos to CISA for providing this information as ransomware is probably the top, or one of the top threats, that most organisations are currently facing. However, I feel that the material produced is focused at a technical audience and that many of those that need to digest and take on board this information are small and medium sized businesses who need more plain speaking guidance.

Brian Honan

2023-10-16

Cybersecurity Incident Disrupts Kansas Courts eFiling System

The Kansas Supreme Court has issued an administrative order declaring that its e-filing system would be unavailable through Sunday, October 15, due to “a security incident that has disrupted access to court systems.” Courts were operational during the downtime. Just one of the state’s counties has been able to operate as usual; Johnson County is the only county to have not yet been updated to Kansas’s new eCourt system.

Editor's Note

While the courts are operating, clerks cannot receive electronic filings or payments. All filings must be on paper or by fax. Paper filings can be sent by mail or hand delivered. Courts are being prepared to operate for at least the next two weeks on manual processes. While Jefferson County is able to continue business as usual, as the only site not to have been signed up for the state's new centralized eCourt system, it's not clear what aspect of the new system allowed it to be compromised. This introduces the consideration when introducing a new centralized system of not only measuring the overall security, but also developing viable scenarios to continue operations locally while the central system is impacted. Don't let a return to manual processing be the end of the discussion.

Lee Neely

Given the published length of downtime, it’s safe to assume a ransomware attack as the likely culprit. Hopefully, the State court system will provide an after-action report on the sequence of events that led to the security incident. This can shed some light on security responsibilities of the system provider, Tyler Technologies.

Curtis Dukes

Ah yes, that seldom seen security control, “Security by antiquity.”

Brian Honan

2023-10-09

Magecart Campaign Hides Malicious Code in Default 404 Error Pages

Akamai’s Security Intelligence Group has detected a new Magecart web skimming campaign that employs “advanced concealment techniques,” including one involving the targeted website’s default 404 error page. The technique involves hiding malicious code in a comment in the 404 page. The campaign has been targeting Magento and WooCommerce websites.

Editor's Note

The idea is to have the browser executing malicious JavaScript, which means the protection falls to the endpoint, either via disablement of JavaScript or other EDR protections. As a service owner, your best protection is to prevent the addition of the malware via software updates, secure configurations and web application firewalls to intercept attempted malfeasance, rather than rely on the endpoint not executing malicious code. Note that there are now two controls in PCI/DSS version 4.0, intended to address Magecart attacks: requirement 6 "Develop and Maintain Secure Systems and Software" and requirement 11 "Test Security of Systems and Networks Regularly." These are currently PCI/DSS best practices, not becoming mandatory until early 2025, so you may want to look at early adoption.

Lee Neely

The headline doesn’t do this much justice because, on the surface, it appears it’s just a rehash of an older news story that’s been making the rounds forever. However, I'd look through some interesting technical details in this case. The fact that there are several novel variations that attackers are using listed in the article makes for an interesting read.

Moses Frost

2023-10-13

Ransomware Operators are Targeting WS_FTP Servers

Sophos X-Ops incident responders say they have observed ransomware threat actors exploiting a recently-disclosed vulnerability in Progress Software’s WS_FTP servers. Progress Software released a fix for the vulnerability in September.

Editor's Note

The attacks by the Reichsadler Cybercrime Group, which target Windows systems, start with w3p3 (IIS component), "GodPotato" (an open-source privilege-escalation tool), then LB3 (ransomware payload crafted using an acquired copy of the LockBit 3.0 ransomware builder.) Make sure that you've updated your WS_FTP server to the latest version, then find an alternative to FTP file transfers.

Lee Neely

Will this be another MOVEit-like bug from the same manufacturer? It could depend on whether the same IT teams purchase from the same vendors. If you look for the WS_FTP server strings in Shodan, you’ll find about 1800 WS_FTP servers listening on port 21. Does that mean there are 1800 targets? Could be.

Moses Frost

2023-10-13

Critical Flaw in Royal Elementor Addons and Templates for WordPress

A critical vulnerability in Royal Elementor Addons for WordPress has been actively exploited since late August. The insufficient filetype validation flaw can be exploited to allow unauthenticated arbitrary file uploads. The plugin has been installed on more than 200,000 websites. Users are urged to ensure they have updated to version 1.3.79.

Editor's Note

The flaw, which is fixed in version 1.3.79, allowed for arbitrary upload of PHP files with malicious content, allowing remote exploitation, and a complete takeover of a site. Make sure that you've updated your Royal Elementor plugin. The WordPress WAF already had protections, in the paid and free versions, to prevent the upload of files with malicious content, even so, make sure you've got the updated plugin, or that you've uninstalled it if no longer used.

Moses Frost

Another week, another announcement of a WordPress plugin vulnerability. Given that the vulnerability is actively being exploited and carries a CVSS rating of 9.8, users of the website building kit should download the update and patch immediately. If you wish to roll the dice, use the free scanner to see if your website is vulnerable first.

Curtis Dukes

Internet Storm Center Tech Corner

Are Typos Still Relevant As An Indicator of Phishing?

https://isc.sans.edu/diary/Are+typos+still+relevant+as+an+indicator+of+phishing/30316

What's Normal: Odd MAC Addresses

https://isc.sans.edu/diary/Whats+Normal+MAC+Addresses/30310

Domain Name Used as Password Captured by DShield Sensor

https://isc.sans.edu/diary/Domain+Name+Used+as+Password+Captured+by+DShield+Sensor/30312

Active Exploitation of Cisco IOS XE Software Web Management User Interface Vuln

https://blog.talosintelligence.com/active-exploitation-of-cisco-ios-xe-software/

Mail traffic to cancelled domain names

https://www.sidn.nl/en/nl-domain-name/mail-traffic-to-cancelled-domain-names

Samba Update

https://www.samba.org/samba/history/security.html

PoC Exploit for CVE-2023-41993

https://github.com/po6ix/POC-for-CVE-2023-41993

AvosLocker Ransomware Details

https://www.cisa.gov/sites/default/files/2023-10/aa23-284a-joint-csa-stopransomware-avoslocker-ransomware-update.pdf

DarkGate Spreading via Skype and Teams

https://www.trendmicro.com/en_ph/research/23/j/darkgate-opens-organizations-for-attack-via-skype-teams.html