SANS NewsBites

Check For Compromised Okta IDs and Your Use of HAR Files; BHI Energy Compromise Another Reason to Use MFA for All Remote Access; Patch Citrix NetScaler ASAP

October 24, 2023  |  Volume XXV - Issue #84

Top of the News


2023-10-20

Okta Discloses Support System Breach

On Friday, October 20, identity and access management firm Okta disclosed that stolen credentials were used to access the company’s support case management system. The intruder was able to view customer HTTP Archive (HAR) files that were uploaded as part of support cases. HAR files sometimes include cookies and session tokens, which bad actors can exploit to impersonate users. Okta has contacted and worked with all affected customers to revoke exposed session tokens.

Editor's Note

Any organization outsourcing identity must establish a plan to detect compromise of the outsourced identity function. You must not rely solely on the service provider to detect compromise. Do not outsource identity management if you do not have a detection plan in place.

Johannes Ullrich

An important point to note is that this breach was discovered and reported to Okta by its customers and not by Okta itself. As we rely more and more on third-party providers for key services, we need to ensure our detection and incident response capabilities can deal with a breach in those third parties and that your security doesn’t stop with a list of security questions sent to the vendor as part of the initial engagement.

Brian Honan

Ironic that Okta’s marketing tag line is “Everything starts with Identity” and they were compromised by a stolen identity credential. This incident is a good reason to check if your support systems or processes are using HTTP Archive files that may expose sensitive information or credentials.

John Pescatore

When you're gathering data for a support ticket, be aware of sensitive data included in that data. Consider redacting, or better still not gathering in the first place, data they don't need, particularly sensitive data like session tokens/etc. Ask where your information is stored, for how long, and who can access it. Have conversations about what data you do and don't want to share with system admins and/or users before a ticket ever gets filed. Assist when needed to help only gather what's needed.

Lee Neely
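As an added illustration of the HAR check the Okta summary and the notes above suggest (example code written for this issue, not code from Okta or SANS): a small Python script that lists, and then redacts, the cookie and authorization values in a HAR file before it is attached to a support case. The header list and the sample capture are constructed for the example.

```python
import copy
import json

# Headers that routinely carry session material (cookies, bearer tokens).
# Constructed list for this example; extend it for your own environment.
SENSITIVE_HEADERS = {"cookie", "set-cookie", "authorization", "proxy-authorization"}
REDACTED = "[REDACTED]"


def find_sensitive(har):
    """Return (entry_index, location, name) for every header or cookie in a
    parsed HAR whose value would let someone replay the captured session."""
    findings = []
    for i, entry in enumerate(har["log"]["entries"]):
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    findings.append((i, side + ".headers", h["name"]))
            for c in part.get("cookies", []):
                findings.append((i, side + ".cookies", c.get("name", "")))
    return findings


def redact(har):
    """Return a deep copy of the HAR with sensitive header and cookie values
    replaced, plus the number of values replaced. The input is left untouched."""
    clean = copy.deepcopy(har)
    count = 0
    for entry in clean["log"]["entries"]:
        for side in ("request", "response"):
            part = entry.get(side, {})
            for h in part.get("headers", []):
                if h.get("name", "").lower() in SENSITIVE_HEADERS:
                    h["value"] = REDACTED
                    count += 1
            for c in part.get("cookies", []):
                c["value"] = REDACTED
                count += 1
    return clean, count


# Constructed sample HAR (not a real capture): one request carrying a session cookie.
SAMPLE_HAR = {"log": {"version": "1.2", "entries": [{
    "request": {"method": "GET", "url": "https://example.test/app",
                "headers": [{"name": "Cookie", "value": "sid=abc123"},
                            {"name": "Accept", "value": "*/*"}],
                "cookies": [{"name": "sid", "value": "abc123"}]},
    "response": {"status": 200,
                 "headers": [{"name": "Set-Cookie", "value": "sid=def456; HttpOnly"}],
                 "cookies": [{"name": "sid", "value": "def456"}]}}]}}

if __name__ == "__main__":
    for idx, where, name in find_sensitive(SAMPLE_HAR):
        print(f"entry {idx}: {where} {name}")
    cleaned, n = redact(SAMPLE_HAR)
    print(f"redacted {n} values")
    print(json.dumps(cleaned, indent=1))
```

Request and response bodies (`postData.text`, `content.text`) can also carry tokens, so review those before uploading as well.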

2023-10-23

BHI Energy Details Data Breach

In a breach notification letter, Massachusetts-based BHI Energy offers details about a cyber incident that took place earlier this year. On June 29, BHI discovered they were the victims of a ransomware attack; a third-party cybersecurity team determined the threat actor had gained access to BHI systems in late May. The threat actor used “a previously compromised user account of a third-party contractor” to access BHI’s network through a VPN. The threat actor conducted reconnaissance, exfiltrated 690 gigabytes of data, including the company’s Active Directory database, and then encrypted data on BHI’s network. BHI’s cloud backup services were not affected, so recovery was possible without obtaining a decryption key. BHI has taken several steps to bolster its network security, including adding multi-factor authentication to VPN access.

Editor's Note

Since the compromised third party contractor account was used on a VPN connection to BHI’s internal network, this seems to be another use of reusable credentials on remote access systems - a violation of just about every compliance regime out there. This means either audits of BHI security were never done, were done badly or were done well and the audit results were ignored.

John Pescatore

Of note here, BHI's cloud backup was not impacted by the ransomware, allowing them to recover systems without paying ransom once the threat actor was ejected from their network. Further, they expedited other projects such as implementing MFA, EDR as well as decommissioning of legacy and unused systems. Those are projects you should look at now, before your back is against the wall.

Lee Neely

Better late than never but the lesson for the rest of us is to lock the barn before the horse is stolen. Reusable credentials are implicated in nine out of ten breaches. Strong authentication is the single most essential and efficient measure that we have. Properly chosen and implemented, it can be even more convenient than passwords. Oh, and while I think about it, terminate VPNs on the application, not on the operating system, not on the network perimeter, not on an internet proxy.

William Hugh Murray

2023-10-23

Citrix Reiterates Need to Patch NetScaler ADC and Gateway

Citrix is urging admins to patch NetScaler ADC and NetScaler Gateway appliances to fix a critical information disclosure vulnerability (CVE-2023-4966). Citrix released fixes for the issue on October 10. In an October 23 NetScaler blog, Citrix writes that they “now have reports of incidents consistent with session hijacking, and have received credible reports of targeted attacks exploiting this vulnerability.”

Editor's Note

The two flaws here, CVE-2023-4966, a buffer overflow flaw which can result in sensitive information disclosure (CVSS score 9.4), and CVE-2023-4967, a denial-of-service flaw (CVSS score 8.2), make an attractive target. Essentially, in under two weeks the announced vulnerability is being actively exploited. While the exploit only works on NetScaler ADC and NetScaler Gateways set up as gateways or AAA virtual servers, you need to apply the update as they still contain the vulnerable code even if not in the vulnerable configuration; assume threat actors are working to exploit the flaws in the non-gateway/AAA configured devices. This flaw is in CISA's KEV catalog with a due date of November 8th and guidance to apply the mitigation (update) or discontinue use of the product.

Lee Neely

I just got a copy from a public repository for several CVEs relating to this equipment from this year alone. The first one appears to be an overflow condition that allows you to perform command injection when done. This would presumably allow for control of the ADC and gain access to your network. The second is an overflow that allows for memory reading. With this bug, you can read cookies and take over sessions. This is the one that Citrix is talking about being exploited. For those that have memory of this, if you recall, Juniper SSL VPN had a similar issue, and several significant breaches came from this, including Community Health Services.

Moses Frost

The Rest of the Week's News


2023-10-23

Cisco Releases Fixes for Actively Exploited IOS XE Vulnerabilities

On Sunday, October 22, Cisco released updates to fix a pair of zero-day vulnerabilities that were being exploited to gain elevated privileges on devices running Cisco’s IOS XE software. The vulnerabilities were first disclosed on October 16; over the ensuing week, security researchers reported seeing tens of thousands of compromised routers and switches. In a puzzling turn of events, the number of detectable compromised devices plunged to just several hundred over the weekend ahead of Cisco’s patches. Researchers from FoxIT determined that the sudden change in numbers was because “the implant placed on tens of thousands of Cisco devices has been altered to check for an Authorization HTTP header value before responding.”

Editor's Note

This issue has been exploited by multiple groups. Be careful and as you apply patches assume the device is already compromised, possibly multiple times.

Johannes Ullrich

If you have Cisco IOS XE, patch it. Even if you've mitigated the risk by disabling the Web UI or limiting access to that service, you need to update the flawed code running on your device. If you haven't applied the mitigations, get on it; you don't want management interfaces exposed to the Internet (ever), and internally, limit access to reduce the risks from insiders as well as compromised systems.

Lee Neely

We are weeks into this being a known vulnerability, and that the number of owned devices is still this high is concerning. Let’s start with what we know: 37,000 Cisco IOS XE Devices have their Web UI on the internet. I am still befuddled as to why this is even a thing outside of a default configuration, ease of administration, or a set of providers with bad practices. How do we tell these companies what’s occurred? Do we call the ISP? Does the ISP call them?

Moses Frost

Now we begin the second leg of the exploit race – updating and monitoring for compromise. What’s even more interesting is the fact that two zero-day vulnerabilities were chained together for this exploit. Given the ‘cost’ in using a zero-day, the perpetrator definitely had a specific target, or targets, in mind.

Curtis Dukes

2023-10-20

Update Available to Fix Vulnerabilities in SolarWinds ARM

On Wednesday, October 18, SolarWinds released an update for its Access Rights Manager (ARM) to address eight vulnerabilities. Trend Micro’s Zero Day Initiative published details about the vulnerabilities the following day. Three of the vulnerabilities are deemed to be critical severity; they could be exploited to run arbitrary code at SYSTEM level.

Editor's Note

CVE-2023-35180, CVE-2023-35184 and CVE-2023-35186 can be abused for remote code execution, while CVE-2023-35181 and CVE-2023-35813 allow local users to perform privilege escalation. The final (most severe) three, CVE-2023-35182, CVE-2023-35185 and CVE-2023-35187, allow RCE due to improper validation in the methods createGlobalServerChannelInternal, OpenFile, and OpenClientUpdateFile, respectively, giving that SYSTEM level code execution. The vulnerabilities are fixed in ARM version 2023.2.1. The process (check system requirements, prepare the system for update, install the updated packages) seems pretty simple, but make sure you follow the steps in the preflight guide for a smooth update. Given that this is SolarWinds, assume threat actors are going to smell blood in the water going after these.

Lee Neely

2023-10-23

Europol Observatory Report on Quantum Computing, Quantum Technology, and Law Enforcement

The European Commission’s Joint Research Centre (JRC), Europol’s European Cybercrime Centre (EC3) and Europol’s Innovation Lab have jointly published a report detailing “potential applications of quantum technology in the law enforcement sphere.” The report offers five key recommendations for law enforcement: observe quantum trends; build up knowledge and start experimenting; foster research and development projects to build a network of expertise; assess the impact of quantum technologies on fundamental rights; and review your organization's transition plans to ensure critical systems are protected in the post-quantum era.

Editor's Note

One use-case the report suggests considering is that encrypted data is being gathered today in hopes of using quantum computers to decrypt it later. While some data value diminishes over time, other data (PII, biometrics) likely does not. Those recommendations are prudent for any sector. Be aware of the technology, monitor, experiment and familiarize yourself. Where you're using cryptography, be ready to adopt quantum resistant alternatives when they become available. Don't panic.

Lee Neely

The chief concern with quantum computing remains its use in ‘cracking’ encrypted communications, in transit and stored. Law enforcement is not going to solve that problem, cryptologists will. Otherwise, a mildly interesting report.

Curtis Dukes

2023-10-21

American Family Insurance Acknowledges Cybersecurity Incident

American Family Insurance has confirmed that a cybersecurity incident last week was responsible for system outages that have affected customers, agents, and employees. The company shut down some of its systems to prevent the attack from spreading. The incident has affected phone service, building connectivity, and online services. There have been reports that when American Family shut down Internet connectivity, other tenants of the building were affected as well.

Editor's Note

To file a claim, customers must call the AmFam help desk. Bill due dates are being extended until systems are back online. If you're delaying that payment, don't forget to watch for the window to re-open. While this appears to be a ransomware attack, it's not yet clear if extortion over exfiltrated data is also in play. This, so far, is looking like a good case study to model your ransomware response on.

Lee Neely

It proves that everyone is a target of ransomware gangs, even large, well-resourced companies. In order to minimize impact to business operations, organizations should conduct tabletop exercises as part of disaster recovery planning.

Curtis Dukes

2023-10-23

ICC Offers Additional Information About September Cyberattack

The International Criminal Court (ICC) has released additional information about the cyberattack against its systems last month. The ICC responded to the incident with support from the Netherlands, where the ICC is located, and external cybersecurity experts. Forensic analysis “thus far indicates a targeted and sophisticated attack with the objective of espionage.” There is not adequate information currently available to attribute the attack to a specific threat actor.

Editor's Note

While the ICC has taken steps to increase their security posture, they are being decidedly vague about that, except that like BHI above, they are accelerating planned security projects. If you've got some projects waiting in the wings, pick one and work to get it adopted sooner than later.

Lee Neely

2023-10-23

Westchester Medical Center Health Network Cybersecurity Incident

Last week, the Westchester (New York) Medical Center Health Network experienced a cyberattack that temporarily forced the organization to divert ambulances from its HealthAlliance and Margaretville Hospitals and Mountainside Residential Care Center. The organization’s phone, Internet, and email services were also offline. The hospitals remained open during the incident. As of Saturday, October 21, the hospitals had resumed accepting emergency patients, with the exception of emergency stroke patients, who are still being diverted to other area hospitals.

Editor's Note

As of October 23rd, it appears all systems are 100% operational, and patients are no longer being diverted. The only hiccup was difficulty in communicating with local residents, as initial claims that healthcare was not impacted turned out to be untrue. A key part of your response plan has to be communication: timely, accurate and honest, and ideally delivered through the channels you regularly use to reach customers. Update it at least daily.

Lee Neely

2023-10-23

Washington, DC Board of Elections: Voter Roll Data Compromised

The Washington, DC Board of Elections (DCBOE) says that cyber criminals accessed the district’s voter rolls via a third-party services provider. The breach occurred on the network of DataNet Systems. The compromised data include personal information, such as driver’s license numbers, dates of birth, partial Social Security numbers and contact information.

Editor's Note

This may not be as big of a deal as it appears. Voter roll data is often shared with parties and candidates. In some states, the data is public.

Johannes Ullrich

To be clear, the third-party provider, DataNet, not DCBOE, was compromised. DCBOE has engaged Mandiant to help with the investigation, and is working with DHS, the FBI and OCTO on assessing the situation. The data impacted appeared to belong to at least 4,000 people whose voter records from between August 9, 2019, and January 25, 2022, were leaked. These records contained data collected in DCBOE's canvass process, which is conducted every odd year to ensure the voter roll is up to date. When you annually verify the protections at your third-party service providers, verify they are well equipped to respond to a data loss incident, including exercises.

Lee Neely

Internet Storm Center Tech Corner

Apple TV IPv6 DoS

https://isc.sans.edu/diary/How+an+AppleTV+may+take+down+your+IPv6+network/30336

base64dump.py Handles More Encodings Than Just BASE64

https://isc.sans.edu/diary/base64dumppy+Handles+More+Encodings+Than+Just+BASE64/30332

Squid Patches

https://github.com/squid-cache/squid/security/advisories

Critical Citrix Update

https://www.netscaler.com/blog/news/cve-2023-4966-critical-security-update-now-available-for-netscaler-adc-and-netscaler-gateway/

Cisco Vulnerability Updates CVE-2023-20198

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-webui-privesc-j22SaA4z

Stealing OAuth Tokens via Open Redirects

https://eval.blog/research/microsoft-account-token-leaks-in-harvest/

VMWare Patches

https://www.vmware.com/security/advisories.html

SolarWinds Patches

https://documentation.solarwinds.com/en/success_center/arm/content/release_notes/arm_2023-2-1_release_notes.htm