SANS NewsBites

Microsoft and 23andMe Open Up about Breach with Different Takes on User Responsibility

January 30, 2024  |  Volume XXVI - Issue #08

Top of the News


2024-01-29

Microsoft Provides Details About Email Breach

Microsoft has released additional information about the breach that compromised executives’ emails. The intruders accessed the corporate email system through an old test account that had admin privileges but was not protected by multifactor authentication.

Editor's Note

The lack of MFA was obvious, even if not originally admitted by Microsoft. So, repeating part of my comment from the original news item: In Microsoft's recent “Secure Future Initiative” announcement, Microsoft President Brad Smith promised that “…over the next year we will enable customers with more secure default settings for multifactor authentication (MFA) out-of-the-box.” Replacing passwords with strong authentication has been done by many (though in this case, apparently not Microsoft) but needs the major IT platforms to make it easier to do and harder NOT to do. Additional lesson learned here: as an absolute minimum, require *all* privileged accounts to use phishing-resistant authentication, which means *denying* elevated privileges to all accounts relying on reusable passwords. And, remember your own policy probably already requires MFA for *all* remote access.

John Pescatore

First, this has several facets: password spraying as the initial compromise and persistence through OAuth applications. It's very nasty stuff for most students, I find. We discuss these attacks at length in the SEC588 class. The other component, the use of “residential proxy infrastructure,” was discussed a few years ago when Dr. Roberto Bamberger and I released a whitepaper at the Cloud Security Exchange for 2022. Get the whitepaper at the SANS Website. So, what can you do? First, turn on MFA, and use a powerful MFA like a Passkey or FIDO2 Token. Use a CASB or other product type to look at OAuth applications; finally, don’t allow your employees or non-admins to add OAuth applications. This is a nasty, hard-to-find hack from a state actor. Many people say Microsoft can do better, but this isn’t a 100-person company. This is a 250,000-person company with an extensive infrastructure. If they could solve it, we could move on and do other things.

Moses Frost

We have known for more than a decade, since the early DBIRs, the contribution of orphan systems to enterprise breaches and longer than that the contribution of reusable credentials. Microsoft is not alone among major enterprises that tolerate these risks. Do not be among them.

William Hugh Murray

2024-01-26

Additional Information About the 23andMe Breach

In a breach notification letter recently filed with regulators, 23andMe disclosed that intruders were accessing customer accounts for about five months before the situation was detected. From April through September of last year, the intruders brute-forced user accounts, stealing both raw genomic and health data.

Editor's Note

If you build it, they will come. This motto applies to large collections of sensitive data and attackers. 23andMe attempts to deflect responsibility by stating that weak user credentials are to blame. But "brute forcing or other automated" attacks are part of the OWASP Top 10 (A7), and for a site like 23andMe, dealing with highly sensitive health data, it is inexcusable to not prevent the exploitation of thousands of accounts using these well-known techniques.

Johannes Ullrich

Five months to detect a breach that affected 50% of users is not ideal. Subsequently updating terms of service to prevent filing of class action lawsuits, even less so. Make sure that you're going beyond tabletop exercises to ensure that you can detect intrusions in a timely fashion. Make sure that you've got updated scenarios in your incident response plans that reflect your current architecture and services. Lastly, make sure key stakeholders are onboard, including legal, HR, C-Level and the board. You all need to be operating from the same sheet of music when it goes sideways.

Lee Neely

23andMe has become the poster child for why companies should enable MFA. It’s relatively simple to implement and raises the bar substantially in preventing credential theft. Companies no longer have an excuse for not implementing this valuable security control.

Curtis Dukes

It should not take months to detect brute force attacks. In today's threat environment, the objective should be to detect attacks in hours to days.

William Hugh Murray
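As an added example (not from the newsletter or from 23andMe), the following Python checks an authentication log for the two patterns behind this story: one source address walking through many accounts with mostly failures (credential stuffing) and an account that succeeds after repeated failures (brute force). The log format and the sample lines are constructed for the example; detecting this in hours rather than months starts with checks like these on whatever format your identity provider emits.

```python
import re
from collections import defaultdict

# Constructed sample auth log (assumed format, not any real provider's logs):
# "<timestamp> ip=<source> user=<account> result=<ok|fail>"
SAMPLE_LOG = """\
2023-04-02T01:00:01Z ip=198.51.100.7 user=alice result=fail
2023-04-02T01:00:02Z ip=198.51.100.7 user=bob result=fail
2023-04-02T01:00:03Z ip=198.51.100.7 user=carol result=fail
2023-04-02T01:00:04Z ip=198.51.100.7 user=dave result=fail
2023-04-02T01:00:05Z ip=198.51.100.7 user=erin result=ok
2023-04-02T01:05:00Z ip=203.0.113.9 user=alice result=fail
2023-04-02T01:05:30Z ip=203.0.113.9 user=alice result=ok
"""
LINE_RE = re.compile(r"^(\S+) ip=(\S+) user=(\S+) result=(ok|fail)$")

def parse(log_text):
    """Turn raw lines into event dicts; lines not matching the format are skipped."""
    matches = (LINE_RE.match(line) for line in log_text.splitlines())
    return [{"ts": m[1], "ip": m[2], "user": m[3], "ok": m[4] == "ok"} for m in matches if m]

def detect_credential_stuffing(events, min_users=5, max_success_rate=0.5):
    """One source IP trying many distinct accounts with a low success rate is the
    signature of credential stuffing; also report which accounts it got into."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "ok": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["ok"].add(e["user"])
    return {ip: {"distinct_users": len(s["users"]), "attempts": s["attempts"],
                 "compromised": sorted(s["ok"])}
            for ip, s in per_ip.items()
            if len(s["users"]) >= min_users
            and len(s["ok"]) / s["attempts"] <= max_success_rate}

def detect_success_after_failures(events, min_failures=1):
    """Per (ip, account): a success preceded by failures, i.e. password guessing on
    one account. Returns (ip, user, failures_before_success) tuples in log order."""
    failures, hits = defaultdict(int), []
    for e in events:
        key = (e["ip"], e["user"])
        if not e["ok"]:
            failures[key] += 1
            continue
        if failures[key] >= min_failures:
            hits.append((e["ip"], e["user"], failures[key]))
        failures[key] = 0
    return hits
```

Thresholds are deliberately low so the constructed sample trips both detectors; tune `min_users`, `max_success_rate` and `min_failures` to your own baseline before alerting on them.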

2024-01-29

Ivanti Acknowledges Missed Patch Deadline

Ivanti has acknowledged that it missed a self-imposed deadline for releasing patches for several vulnerabilities that are being actively exploited. Initially, Ivanti planned to begin releasing fixes for the flaws on January 2; an updated advisory cites “the security and quality of” the fixes as the reasons for the delay.

Editor's Note

I get it. It isn't easy to fix vulnerabilities in unmaintained legacy code, in particular if, after acquiring a company like Pulse Secure, you prioritize short-term financial gains and lay off many of the employees who may actually understand how the product works.

Johannes Ullrich

Ivanti is rightly not pushing out patches until they meet their quality standards. They hope to release updates next week. The rub comes from CISA's KEV deadline of 1/22 to either apply the patches or remove the software from government systems. In the interim, CVE-2023-46805 and CVE-2024-21887 can be mitigated by importing the mitigation.release.20240107.1.xml file via the Ivanti download portal.

Lee Neely

Rushing a patch for a critical vulnerability often leads to further security issues. In this case Ivanti wants to solve the underlying security issue once and for all. Until the patch is available for download, follow the previously published mitigation guidance.

Curtis Dukes

The Rest of the Week's News


2024-01-29

Freehold Township (NJ) Schools Closed Due to Cyberattack

The Freehold Township (New Jersey) School District schools and offices were closed on Monday, January 29, because of a cyberattack. An investigation into the incident is underway. There has been a spate of cyberattacks targeting K-12 school districts in the US since the beginning of the year.

Editor's Note

What makes this even more painful is that some schools that hired third-party companies to provide security services were themselves not secure and were themselves subsequently compromised. This is a case where strong consideration should be given to leveraging free services, such as those offered by CISA, to help schools, already on tight budgets, assess their security posture, making tweaks to avoid a me-too scenario.

Lee Neely

2024-01-27

Ransomware Attack Disrupts Kansas City Transportation Communications

A ransomware attack disrupted communications for the Kansas City Area Transportation Authority (KCATA) last week. The incident affected KCATA’s RideKC call centers and all KCATA landlines. KCATA released a statement providing alternate phone numbers for customers who need to schedule rides through KCATA’s Freedom and Freedom-On-Demand Paratransit services.

Editor's Note

The Medusa ransomware gang is taking credit for this attack and is posting data samples in an attempted extortion ploy. KCATA was sufficiently prepared to only have their call center offline, stating all services are operating, immediately providing alternate options for the affected call center. We've all been walking through what we'd do if we were in a similar situation, but have we had the time to see if we could actually pull it off? Have some serious chats with organizations you're counting on to bridge gaps or take up the slack. Make sure that your capacity and startup time assumptions are sound.

Lee Neely

5,000 successful extortion attacks in 2023. A large increase year over year. Billions of dollars in lost productivity. While we see an increase in the use of vulnerabilities, over phishing, to establish the initial foothold, the failure to mandate the use of strong authentication internally and to structure our networks facilitates the necessary lateral movement in these attacks.

William Hugh Murray

2024-01-29

Patch Jenkins Vulnerability Now

Users are urged to patch a critical arbitrary file-read vulnerability in the Jenkins command line interface. Proof of concept code has been released and there are reports that the vulnerability is being actively exploited. The vulnerability, CVE-2024-23897, is one of two Jenkins vulnerabilities disclosed last week.

Editor's Note

Now we have multiple PoC exploits for the vulnerabilities, published on GitHub, most validated, which means that you need to assume compromise if you haven't applied the updates or workaround. (Disable the CLI.) The Jenkins advisory below lays out all the detail. Packet Storm has published two PoC scripts you can use to validate your environment; these are referenced in the NIST NVD details for CVE-2024-23897 linked below.

Lee Neely

2024-01-29

Schneider Electric Suffers Ransomware Attack

Ransomware operators have reportedly targeted systems at Schneider Electric’s Sustainability Division. The attack, which occurred in mid-January, resulted in the theft of terabytes of data. The incident has caused disruptions for Schneider’s Resource Advisor cloud platform.

Editor's Note

This is a case of the Cactus ransomware gang, first observed in March 2023, which likes to gain access using purchased credentials, phishing, malware distribution and even just exploiting vulnerabilities. They are attempting to extort payment leveraging the terabytes of data exfiltrated from Schneider Electric. The exfiltrated data appears to be related to their customers' power utilization, ICS and automation systems, and compliance with environment and energy regulations. Customers include Walmart, PepsiCo, Lexmark, DuPont, Clorox and DHL.

Lee Neely

2024-01-26

Swatting Arrest

Authorities have arrested a 17-year-old individual in connection with a series of swatting attacks. The suspect is awaiting extradition from California to Florida to face four felony charges, including “making false reports concerning the planting of a bomb or the use of firearms, causing a law enforcement response.”

Editor's Note

The suspect is scheduled to be tried as an adult in Florida where swatting is a felony. Lately, swatting attacks are on the rise, particularly directed at prominent politicians. As of May, the FBI launched a collaborative effort to thwart swatting nationwide, which has processed over 550 reports since its inception. Florida's senator Rick Scott introduced a bill that proposes a maximum penalty of up to 20 years for individuals convicted of swatting.

Lee Neely

VoIP has enabled criminals to perpetrate swatting attacks anywhere. VoIP is hard to trace, but with the help of federal law enforcement, there are techniques that can be used.

Curtis Dukes

People are exploiting weaknesses in our E-911 system. They exploit the Disability Systems to do this, and they exploit our inherent trust. This is a hard one to solve so I expect major penalties to whoever they do catch.

Moses Frost

2024-01-29

Prison Sentence for Ransomware Operator

A Canadian court has sentenced Matthew Philbert to two years in prison for launching ransomware and other cyberattacks. Philbert was arrested in 2021, and pleaded guilty to fraud and unauthorized access to computers in October 2023.

Editor's Note

Philbert's attacks affected about 1,330, with losses of about $49,000, including $15,000 from a small family-run business that thought an employee may have stolen the money. The chilling part is that each victim is considered an opportunity for income, not for the effect of the crime on their wellbeing or business. His lawyer's proposed sentence was two years, minus a day, to be served out of jail; the judge disagreed, feeling the crimes warranted two years behind bars. Additional court sessions are scheduled in March to discuss restitution to his victims.

Lee Neely

2024-01-25

64-Month Prison Sentence for Trickbot Developer

A US court has sentenced Vladimir Dunaev to more than five years in prison for his role in the development of the Trickbot malware. The malware has been used to disrupt systems at hospitals and other businesses in the US. Dunaev, who is a Russian citizen, was extradited to the US from South Korea in 2021. He pleaded guilty to conspiracy to commit computer fraud and conspiracy to commit wire fraud in November.

Editor's Note

Initially, Trickbot was used to capture banking credentials from PCs to siphon those fees to the gang. It evolved into an expandable ransomware-as-a-service that you could rent for your own nefarious purposes in exchange for a cut of the take. This gang is reported to have extorted at least $180 million from people and organizations worldwide. Trickbot was shut down in 2022, but many of its developers have moved to other criminal organizations, so expect variants in the future.

Lee Neely

With time served, he basically has three years left on his prison sentence. Doubtful this will deter cybercriminals from continuing ransomware attacks; but it is a win for law enforcement.

Curtis Dukes

Internet Storm Center Tech Corner

A Batch File With Multiple Payloads

https://isc.sans.edu/diary/A+Batch+File+With+Multiple+Payloads/30592

Exploit Flare Up Against Older Atlassian Confluence Vulnerability

https://isc.sans.edu/diary/Exploit+Flare+Up+Against+Older+Altassian+Confluence+Vulnerability/30600

Malicious Python Packages install Infostealer

https://www.fortinet.com/blog/threat-research/info-stealing-packages-hidden-in-pypi

Linux ICMPv6 Router Adv. RCE

https://access.redhat.com/security/cve/cve-2023-6200

fritz.box domain used to advertise NFTs

https://www.heise.de/news/Verwirrend-Internet-Domain-fritz-box-zeigt-NFT-Galerie-statt-Router-Verwaltung-9610149.html

Jenkins CVE-2024-23897 PoC

https://github.com/gquere/pwn_jenkins/blob/master/README.md#jenkins-cli-arbitrary-read-cve-2024-23897-applies-to-versions-below-2442-and-lts-24263

Malicious Google Ads Target Chinese Users

https://www.malwarebytes.com/blog/threat-intelligence/2024/01/malicious-ads-for-restricted-messaging-applications-target-chinese-users