SANS NewsBites

CISA Red Team Assessment Report; Singapore Banks Getting Rid of SMS One-Time Passwords

July 16, 2024  |  Volume XXVI - Issue #53

Top of the News


2024-07-12

CISA Red Team SILENTSHIELD Assessment Report

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a report detailing a cybersecurity assessment of an unnamed US Federal Civilian Executive Branch (FCEB) agency. The SILENTSHIELD red-team assessment was conducted over an eight-month period, starting with a no-notice, long-term simulation of nation-state cyber operations and culminating in three months of collaboration with agency staff and technical personnel to address their cybersecurity posture.

Editor's Note

CISA is emulating the behavior of a nation-state attacker, to include attempting to exploit trust relationships with third parties. In this case, they not only compromised an unpatched Solaris web server, they also used phishing to obtain Windows credentials, elevated to an unsecured administrator account, obtained domain admin, and pivoted into their partner networks, while remaining undetected in the first phase. Lessons learned here include having sufficient monitoring and alerting to detect malicious activity, not having sufficient centralized logging, and having better cohesion/communication between the defender teams. Read the report to identify areas where you could have similar risks.

Lee Neely

I haven't mentioned the Critical Security Controls in quite a while, but the one-line summary of this 29-page report is 'Focus on the Basic Hygiene levels of the Critical Security Controls first - without that foundation you can never stop even rudimentary attacks, let alone sophisticated ones.'

John Pescatore

Red Team exercises have been used for several decades, starting with the Defense Department. Most red team exercises are successful. They typically exploit missing patches or weak credential management. One takeaway is that while bugs listed in the known exploited vulnerability catalog help focus attention, federal agencies often have weeks to months to patch. That's well within the attack cycle of cyber criminals. Organizations must shorten their patch cycle.

Curtis Dukes

Zero days can be impactful. But given how many CVEs there are a year (are we over 40,000 yet?) N-Days are the real danger. Most companies do not realistically patch in any normal window of time. Why 'burn' a 0 Day when an N-Day is 'good enough?' The write-up is 'good enough' to understand how to run through a long-term engagement.

Moses Frost

2024-07-14

Singapore Banks are Phasing Out One-Time Passwords

Over the next three months, banks in Singapore will be phasing out one-time passwords to improve security. The change was mandated by the Monetary Authority of Singapore (MAS) and the Association of Banks in Singapore (ABS). While the one-time passwords were introduced as a multi-factor authentication (MFA) option, social engineering tactics have evolved to weaken their security. Bank customers in Singapore will use digital tokens on their mobile devices for account MFA.

Editor's Note

While any form of MFA is better than reusable passwords, the bank is moving from SMS-based OTP to mobile app-based OTPs. While this does raise the bar, it's best to ensure that your solution is both phishing and authenticator fatigue resistant. Consider that smartphones are also able to support passkeys and other stronger authenticators. If you're electing to raise the authentication bar in stages, make sure you implement a solution that can get you to the desired end-state through configuration management as opposed to rip and replace.

Lee Neely

I would imagine in a country like Singapore, this would be possible, mostly because larger populations and decentralized banking would make it difficult for a country like the US to support this. Maybe in 30 years. People in the U.S. still use checks, let that sink in.

Moses Frost

Most of the enterprises that I do business with already notify me if they see activity from a new device. This is true MFA, not merely 2FA.

William Hugh Murray

The Rest of the Week's News


2024-07-12

AT&T Data Breach Affects Tens of Millions

Late last week, telecommunications company AT&T disclosed that they experienced a data breach affecting call and text records of nearly all of their customers. AT&T has begun notifying approximately 110 million people that their communications data were compromised. The breach appears to be yet another that was conducted through inadequately protected Snowflake accounts.

Editor's Note

Note that the data compromised was from May 1 to October 31, 2022, as well as January 2, 2023. While the breach doesn't seem to include decrypted message bodies, it does include not only the metadata about the messages/calls but also often the cell tower location data. While the dataset doesn't include subscriber names, it's not difficult to map that using OSINT, allowing mapping of not only who is talking to whom, but from where, which makes the data set attractive. AT&T notifications are being sent to account holders, which means that your corporate account representative is being notified rather than end users for enterprise accounts, leaving that job in your court. While this notification from AT&T doesn't include offers of identity protection, this is a good time to decide how you'd handle a corporate notification where end-user privacy data was exposed through use of a third-party employer-provided service.

Lee Neely

This trove of data contains the kind of association data which intelligence and law enforcement use but which in the US they are Constitutionally restricted in collecting. Apparently this breach could impact you even if you are not an AT&T customer, but have merely talked to one. If you are an AT&T customer you may be notified of the breach, though there is little you can do to reduce your small risk of guilt by association. In today's environment this risk is already sufficiently high that consumers should be blocking access to their data in the three credit bureaus. Businesses should not open accounts in the name of a consumer without access to their data with a credit bureau.

William Hugh Murray

2024-07-15

AT&T Reportedly Paid Someone to Delete Stolen Data

A member of a hacking group told Wired journalists that in May, AT&T paid them 5.7 bitcoins (roughly US$380,000 at the time) to delete the stolen data and provide a video demonstrating proof of their deletion. The ransomware operators initially demanded US$1 million, but agreed to reduce the demand by two-thirds.

Editor's Note

While it's tempting to hire someone to help clean up such a mess, it's important to remember that transactions can be tracked through the blockchain, so consider that the arrangement will not remain confidential. You may want to be completely transparent with all such actions (paid removal, paid ransom) rather than attempt awkward damage control post-discovery.

Lee Neely

2024-07-15

CDK Global Reportedly Paid Ransomware Demand

CDK Global, the car dealership software company that experienced a ransomware attack in June, reportedly paid the ransomware operators roughly US$25 million. While CDK Global has not commented, analysis of blockchain data indicates that on June 21, 387 bitcoin (US$24.5 million at the time) was sent to a known ransomware group. A week later, CDK Global began restoring service. In a July 15 report filed with the US Securities and Exchange Commission (SEC), AutoNation wrote that the incident 'negatively impacted' their earnings per share for the quarter ending June 30, 2024.

Editor's Note

Indications are CDK paid the ransom within two days of the attack and was able to commence service restoration immediately. Given that the financial impact of the outage is estimated at at least $600 million, payment makes financial sense in hindsight. Even so, it's still best not to pay. Not only for concerns about the reliance on the gang being paid, but also regulatory/OFAC consequences of making that payment. If you find yourself in that position, have a heart-to-heart with both your regulator and the FBI before electing to move forward.

Lee Neely

The answer is not to pay the ransom, but that's easy for me to say. The reality, though, is that it's a bit more complicated. The CEO must balance loss of revenue, impact to customers, and company reputation in making the decision to pay or not. Sometimes even the insurance carrier gets to weigh in on the decision. Until payment of a ransom is made illegal, it will always be a business decision.

Curtis Dukes

2024-07-15

Synnovis Breach Still Causing Healthcare Procedure Delays

In the six weeks since the Synnovis breach, two of the UK National Health Service's trusts have cancelled, postponed, or referred to other facilities nearly 8,000 medical appointments and procedures, including organ transplants and cancer treatments. The June 3 breach has had significant impacts on London's King's College Hospital NHS Foundation Trust and Guy's and St Thomas' NHS Foundation Trust.

Editor's Note

In addition to cancelled or rescheduled services, NHS is still calling for type O donations, which are universal, to bridge the gap in blood type matching operations. Time to reflect on how long your planned mitigations in such an outage are viable. What would happen if your service restoration time was extended longer than planned? Document your conclusions/mitigations, just in case.

Lee Neely

Organizations should use the Synnovis breach as an opportunity to review their incident response planning and recovery procedures. Tabletop exercises using cybersecurity events as input can help expose gaps in the return to normal business operations.

Curtis Dukes

2024-07-12

Advance Auto Parts Notifies Customers Whose Data were Exposed Through Snowflake Account

Advance Auto Parts has begun notifying 2.3 million people that their personal information was compromised in a breach of the automotive parts company's Snowflake account. Other companies impacted by breaches of inadequately protected Snowflake accounts include Neiman Marcus, State Farm, and Anheuser-Busch. Starting in April of this year, cyber threat actors began targeting Snowflake accounts that were not protected by multi-factor authentication (MFA) or network allow lists. While investigations confirmed that Snowflake's systems were not breached, until recently enabling MFA on Snowflake accounts was difficult. Last week, Snowflake announced changes to make implementing MFA easier.

Editor's Note

It's trivial to stand up a cloud service using reusable passwords, to include skipping implementing the provider's security best practices. Your cloud service approval process should include both verification of the security profile and adherence to company security standards, such as MFA, logging/monitoring, and BC/DR. Ideally, have SMEs who can help implement quickly and consistently to allow you to support mission needs while both knowing where your data is being processed and that it's being done securely. Consider reviewing existing services to verify security measures are still in place, to include reviewing the provider's guidance for updated requirements or best practices.

Lee Neely

It's only a matter of time before use of MFA becomes a standard (i.e., required) cybersecurity practice. Failure to have MFA will be a failure in the standard duty of care, and courts will hold organizations accountable for the data breach.

Curtis Dukes

2024-07-15

Phishing Campaigns Use URL Protection Services to Obfuscate Malicious Links

Researchers at Barracuda have detected phishing campaigns that leverage URL protection services to obfuscate malicious links. Since the middle of May, the researchers have seen the campaigns target hundreds of companies. The researchers surmise that the attackers have obtained access to the URL protection services by compromising legitimate accounts.

Editor's Note

Many enterprises use URL security services which encapsulate URLs in email and restrict access to known malicious sites by wrapping links to route through their security services when accessed. The hackers are turning these services on themselves by compromising the URL protection service to allow their services or by using their own protected version of the phishing link, allowing a bypass. A multi-layered or defense-in-depth approach is still needed, where EDR or gateway services still need to disallow access to known malicious sites.

Lee Neely

I didn't see a list of the compromised URL protection services, but make sure you are not using them if the names do come out.

John Pescatore

2024-07-15

Critical Exim Vulnerability

A critical vulnerability in the Exim mail transfer agent could be exploited to bypass filename extension blocking protections and deliver malicious attachments to inboxes. The issue is due to a bug in RFC 2231 header parsing. The vulnerability is fixed in Exim version 4.98.

Editor's Note

CVE-2024-39929, mis-parsing RFC 2231 headers, CVSS score 5.4, has no workaround, and applies if you are using a block list leveraging $mime_filename, as a multiline filename isn't parsed properly and the last part is omitted. The fix is to update to Exim version 4.98.

Lee Neely
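The parsing failure behind this item, illustrated in Python as an added example (this is not Exim's code and does not reproduce its actual parsing path): an RFC 2231 filename split into continuation segments yields a different extension depending on whether the segments are reassembled before the block-list check. `first_segment_only` mirrors a reader that keeps only the first segment; `filename_rfc2231` reassembles all of them. The header value and block list are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed block list for the demonstration; a real gateway would carry its own.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".vbs"}
# Constructed Content-Disposition value: the filename is split across two RFC 2231
# continuation segments (single-line equivalent: filename="invoice.exe").
SPLIT_HEADER = 'attachment; filename*0="invoice"; filename*1=".exe"'
_PARAM_RE = re.compile(r'\s*([^=;\s]+)\s*=\s*("([^"]*)"|[^;]*)')

def parse_params(header_value: str) -> dict:
    """Split a Content-Disposition value into its raw parameters (names lower-cased)."""
    _, _, rest = header_value.partition(";")
    params = {}
    for m in _PARAM_RE.finditer(rest):
        quoted, bare = m.group(3), m.group(2)
        params[m.group(1).lower()] = quoted if quoted is not None else bare.strip()
    return params

def first_segment_only(params: dict):
    """What a reader that drops later continuation segments sees: 'invoice' for SPLIT_HEADER."""
    return params.get("filename", params.get("filename*0", params.get("filename*0*")))

def filename_rfc2231(params: dict):
    """Reassemble filename*N and filename*N* segments in numeric order (RFC 2231 sections 3-4)."""
    if "filename" in params:
        return params["filename"]
    segments = []
    for name, value in params.items():
        m = re.fullmatch(r"filename\*(\d+)(\*?)", name)
        if m:
            segments.append((int(m.group(1)), m.group(2) == "*", value))
    if not segments:
        return None
    segments.sort()
    parts = []
    for index, (_, encoded, value) in enumerate(segments):
        if encoded:
            if index == 0 and value.count("'") >= 2:
                value = value.split("'", 2)[2]  # drop the charset'language' prefix
            value = unquote(value)              # percent-decoding applies only to *-marked segments
        parts.append(value)
    return "".join(parts)

def is_blocked(header_value: str) -> bool:
    """Extension check run on the fully reassembled filename."""
    name = filename_rfc2231(parse_params(header_value))
    if not name or "." not in name:
        return False
    return name[name.rfind("."):].lower() in BLOCKED_EXTENSIONS
```

The same check applied to `first_segment_only` would see only `invoice` and pass the attachment, which is the gap the item describes.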

2024-07-11

Race Condition in OpenSSH Server Signal Handling

Openwall founder and CTO Alexander Peslyak has detected a race condition in the core sshd daemon in RHEL 9.x and related releases. The flaw (CVE-2024-6409) was discovered during analysis of the RegreSSHion OpenSSH vulnerability (CVE-2024-6387), disclosed several weeks ago; the disclosure was delayed until vendors had time to prepare fixes.

Editor's Note

This particular flaw is specific to the Red Hat change to OpenSSH, which affects Fedora 36 & 37 (both are EOL) and RHEL 9.x and its offshoots (or RHELatives) like AlmaLinux. Deploy the updated OpenSSH packages for these systems, and make sure those Fedora systems are now on Fedora 39 or 40. (38 is also unsupported.)

Lee Neely

Internet Storm Center Tech Corner

16-Bit Hash Collisions in XLS Spreadsheets

https://isc.sans.edu/diary/16bit+Hash+Collisions+in+xls+Spreadsheets/31066

Attacks against the "Nette" PHP framework CVE-2020-15227

https://isc.sans.edu/forums/diary/Attacks+against+the+Nette+PHP+framework+CVE202015227/31076/

Protected OOXML Spreadsheets

https://isc.sans.edu/diary/Protected+OOXML+Spreadsheets/31070

Leaked PyPi Secret Token Revealed in Binary

https://jfrog.com/blog/leaked-pypi-secret-token-revealed-in-binary-preventing-suppy-chain-attack/

Microsoft 365 Defender Affected by June Update

https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2022#network-data-reporting-from-microsoft-365-defender-may-be-interrupted

Squarespace Hijacked Domains

https://github.com/security-alliance/advisories/blob/main/2024-07-squarespace.pdf