SANS NewsBites

Make Sure You Know Who Your Remote Employees Are; FreeBSD Updates Address OpenSSH Vulnerability; Microsoft Office Zero-Day

August 13, 2024  |  Volume XXVI - Issue #62

Top of the News


2024-08-09

Tennessee Man Arrested for Running Laptop Farm Employing North Korean Citizens

US federal authorities have arrested Matthew Isaac Knoot for allegedly helping North Korean citizens fraudulently obtain remote employment with IT companies. US sanctions forbid US companies from hiring North Korean citizens. Knoot allegedly helped the North Koreans apply for remote IT positions using a stolen identity. The North Korean workers were paid hundreds of thousands of dollars, which was allegedly funneled to North Korea's weapons program.

Editor's Note

Understand how this fraud works to prevent falling for it: Knoot was hired by dozens of firms using a stolen identity; the firms then sent him laptops that he connected in Nashville and which the North Korean workers would VPN into and use. At times this scenario also includes cameras which are pointed at MFA tokens so the remote worker can enter the code. His undoing was likely his reporting income, against the stolen identity, in Nashville, which didn't mesh with the actual taxes filed. Due care must be taken to ensure remote workers are who they claim to be, and that additional connections, with corresponding RDP services, to remote laptops are not in play.

Lee Neely
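The detection the note above calls for, as an added example that is not part of the newsletter or any vendor tool: hunt Windows Security logon events (ID 4624, LogonType 10 = RemoteInteractive/RDP) for managed laptops being reached over RDP from addresses outside the organisation's own remote-access ranges, and in particular for one laptop reached from several such addresses. The events, hosts, users and IP addresses are constructed, and the approved source ranges are an assumption to replace with your VPN pools and jump hosts.

```python
"""Hunt Windows Security logon events for the access pattern behind 'laptop farm'
fraud: a corporate laptop that is repeatedly reached over RDP from addresses outside
the organisation's own remote-access ranges.

Added example for this newsletter item; it is not code from SANS, the FBI or any
vendor. The events, hosts, users and addresses below are constructed, and the
APPROVED_RDP_SOURCES ranges are an assumption to replace with your VPN pools and
jump hosts.
"""
import ipaddress
from collections import defaultdict

# LogonType value from Microsoft's documentation of event 4624.
REMOTE_INTERACTIVE = 10   # RDP / Terminal Services session

# Assumption: the only places RDP into a managed laptop should legitimately come from.
APPROVED_RDP_SOURCES = [
    ipaddress.ip_network("10.50.0.0/16"),   # hypothetical corporate VPN address pool
    ipaddress.ip_network("10.60.1.0/24"),   # hypothetical IT jump hosts
]

# Constructed 4624 events, normalised from the EVTX fields
# (TargetUserName, LogonType, IpAddress, Computer).
SAMPLE_EVENTS = [
    {"time": "2024-08-05T13:02:11", "host": "LT-1042", "user": "jdoe",   "logon_type": 10, "src_ip": "10.50.3.17"},
    {"time": "2024-08-05T13:40:02", "host": "LT-1042", "user": "jdoe",   "logon_type": 10, "src_ip": "203.0.113.45"},
    {"time": "2024-08-05T14:05:30", "host": "LT-1042", "user": "jdoe",   "logon_type": 10, "src_ip": "198.51.100.9"},
    {"time": "2024-08-05T14:10:00", "host": "LT-2210", "user": "asmith", "logon_type": 2,  "src_ip": "-"},
    {"time": "2024-08-05T15:00:00", "host": "LT-2210", "user": "asmith", "logon_type": 10, "src_ip": "10.60.1.5"},
    {"time": "2024-08-06T02:15:44", "host": "LT-1042", "user": "jdoe",   "logon_type": 10, "src_ip": "203.0.113.45"},
]


def is_approved_source(ip_text):
    """True when the source address is inside an approved remote-access range.
    Unparseable values such as '-' are treated as not approved so they surface
    for a human to look at."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in APPROVED_RDP_SOURCES)


def unapproved_rdp_logons(events):
    """Every RemoteInteractive logon whose source is not an approved range."""
    return [e for e in events
            if e["logon_type"] == REMOTE_INTERACTIVE and not is_approved_source(e["src_ip"])]


def hosts_shared_over_rdp(events, min_sources=2):
    """Hosts reached over RDP from at least `min_sources` distinct unapproved
    addresses: one laptop, several remote operators, which is the farm signature."""
    sources = defaultdict(set)
    for e in unapproved_rdp_logons(events):
        sources[e["host"]].add(e["src_ip"])
    return {host: sorted(ips) for host, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    for e in unapproved_rdp_logons(SAMPLE_EVENTS):
        print(f"{e['time']} {e['host']} {e['user']} RDP from {e['src_ip']} (unapproved)")
    for host, ips in hosts_shared_over_rdp(SAMPLE_EVENTS).items():
        print(f"{host}: reached from {len(ips)} distinct unapproved addresses: {', '.join(ips)}")
```

Feed it the 4624 events your SIEM already collects; the second function is the one worth alerting on, since a single stray RDP logon has benign explanations but one laptop serving several outside addresses does not.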

It's not clear how technical this person was or if they were a hobbyist who got duped into some type of fraud. It is a strange case, and I am going to look further into it. If this has happened once, it may have been happening in more places.

Moses Frost

In my 90th year, I may yet live long enough to see the day when the risk of cyber crime exceeds its return.

William Hugh Murray

2024-08-12

FreeBSD Releases Updates to Address OpenSSH Vulnerability

The FreeBSD Project has released updates to address a high-severity vulnerability in OpenSSH that could be exploited to execute code with elevated privileges. The flaw is a signal handler race condition. FreeBSD users are urged to update to a version in which the vulnerability (CVE-2024-7589) has been addressed. The affected releases are FreeBSD 14.1, 14.0, and 13.3, so simply being on one of those release branches is not enough: apply the patch level issued with the security advisory (via freebsd-update, or by rebuilding from the updated source tree) and restart sshd so the patched binary is the one running.

Editor's Note

This update addresses the regreSSHion vulnerability made public a couple weeks ago. Exploitation is not trivial, but given the severity, the vulnerability should be addressed quickly.

Johannes Ullrich

There are two mechanisms to mitigate this on FreeBSD: either update to the latest supported version of FreeBSD OS 13 or 14, which includes the binary patch, or download and deploy the source for the affected products. Even if you're compiling from source, get on the current versions so you get updated/fixed source for all your packages.

Lee Neely

I am not sure if this is related to HD Moore's thing around SSHamble, but SSH is getting a closer look lately.

Moses Frost

2024-08-11

Fix for Microsoft Office Zero-Day to be Included in August Security Update

Last week, Microsoft disclosed a zero-day vulnerability in Office (CVE-2024-38200) that could be exploited to obtain sensitive information that could then be used to compromise networks. The medium-severity information disclosure vulnerability affects both 64-bit and 32-bit editions of Microsoft Office 2016, Microsoft Office 2019, Microsoft Office LTSC 2021, and Microsoft 365 Apps for Enterprise. A fix is expected to be included in Microsoft's monthly security update on Tuesday, August 13.

Editor's Note

The exploit patterns around tricking Windows into establishing SMB connections with no or little user interaction are probably not going away until NTLM is removed from Windows. There appears to be an inexhaustible reservoir of vulnerabilities. By now, you hopefully have at least outbound port 445 blocked.

Johannes Ullrich
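A way to verify the outbound-445 point above against your own firewall logs, as an added example that is not code from SANS, Microsoft or any firewall vendor: parse egress log lines and report, per internal endpoint, how many SMB connections to Internet addresses were allowed versus denied. Any "allowed" count means the block is not in place for that segment. The log lines are constructed in a generic key=value format; the field names (action, proto, src, dst, dpt) are an assumption to map onto your vendor's schema, and INTERNAL_NETS assumes a plain RFC 1918 address plan.

```python
"""Flag internal endpoints attempting SMB (TCP/445, TCP/139) to Internet addresses,
the outbound connection that NTLM credential-leak bugs depend on.

Added example for this newsletter item, not code from SANS, Microsoft or a firewall
vendor. The log lines are constructed in a generic key=value format; the field names
(action, proto, src, dst, dpt) are an assumption to map onto your own vendor's schema,
and INTERNAL_NETS assumes a plain RFC 1918 address plan.
"""
import ipaddress
import re
from collections import Counter

SMB_PORTS = {445, 139}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Explicit list rather than ip.is_global: the ipaddress module classifies the
# documentation ranges used below (203.0.113.0/24, 198.51.100.0/24) as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: one policy-blocked attempt, two allowed Internet SMB sessions
# from a workstation, legitimate internal SMB, DNS noise and a junk line.
SAMPLE_LINES = [
    'ts=2024-08-09T10:01:03Z action=deny  proto=tcp src=10.20.4.31 spt=52114 dst=203.0.113.77 dpt=445 msg="egress policy"',
    'ts=2024-08-09T10:01:03Z action=allow proto=tcp src=10.20.4.31 spt=52115 dst=10.20.1.10   dpt=445 msg="file server"',
    'ts=2024-08-09T10:01:09Z action=allow proto=tcp src=10.20.4.88 spt=49211 dst=198.51.100.5 dpt=445',
    'ts=2024-08-09T10:01:12Z action=allow proto=tcp src=10.20.4.88 spt=49212 dst=198.51.100.5 dpt=139',
    'ts=2024-08-09T10:02:00Z action=allow proto=udp src=10.20.4.31 spt=60000 dst=8.8.8.8      dpt=53',
    'this line is corrupt and must not crash the parser',
]


def is_internal(ip):
    """True when the address belongs to the organisation's internal address plan."""
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line):
    """Return the record as a dict, or None when required fields are missing or malformed."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if not all(k in fields for k in ("action", "proto", "src", "dst", "dpt")):
        return None
    try:
        fields["dpt"] = int(fields["dpt"])
        fields["src_ip"] = ipaddress.ip_address(fields["src"])
        fields["dst_ip"] = ipaddress.ip_address(fields["dst"])
    except ValueError:
        return None
    return fields


def is_internet_smb(rec):
    """TCP to an SMB port, from an internal host, to a destination outside the internal plan."""
    return (rec["proto"] == "tcp" and rec["dpt"] in SMB_PORTS
            and is_internal(rec["src_ip"]) and not is_internal(rec["dst_ip"]))


def smb_egress_report(lines):
    """Per internal source: how many Internet SMB attempts were allowed vs denied.
    Any 'allowed' count means the outbound 445 block is not in place for that host."""
    report = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_internet_smb(rec):
            continue
        counter = report.setdefault(str(rec["src_ip"]), Counter())
        counter["allowed" if rec["action"] == "allow" else "denied"] += 1
    return report


if __name__ == "__main__":
    for src, counts in smb_egress_report(SAMPLE_LINES).items():
        print(f"{src}: {dict(counts)}")
```

Run it over a day of egress logs from each site: denied entries confirm the block is working (and are themselves worth a look, since something on that endpoint tried to talk SMB to the Internet), while allowed entries identify the segments that still need the rule.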

While mitigations to this flaw were published in July, applying the update, scheduled for August 13th, provides the full fix to the flaw. If you've not yet deployed the mitigations, make sure all your endpoints are ready to automatically deploy the update when it is released today.

Lee Neely

The Rest of the Week's News


2024-08-12

Windows Driver Vulnerability

An improper input validation vulnerability in the Common Log File System driver (CLFS.sys) could be exploited to crash the system, a local denial of service. The vulnerability affects multiple Windows versions. The flaw, which is not remotely exploitable, is rated medium severity. Fortra security researcher Ricardo Narvaja reported the issue to Microsoft in December.


2024-08-12

Windows Downgrade Attack

In a presentation at the Black Hat security conference last week, SafeBreach researcher Alon Leviev demonstrated how, by editing the Windows Registry, an attacker could downgrade the version of Windows running on a targeted machine. The machine would then be running an older, vulnerable version of the operating system, while the Windows Update tool would still report it as completely up to date. Microsoft has published an advisory to provide mitigation guidance.

Editor's Note

I saw this at DefCon this weekend. It's an interesting attack vector. It makes you feel more confident when Apple removes the ability to downgrade. This issue is happening because Windows can downgrade. The toolchain allows for downgrade attacks that enable further exploitations. Interesting vectors, difficult problem for Microsoft.

Moses Frost

Two vulnerabilities, CVE-2024-21302 and CVE-2024-38202, need to be chained to exploit this attack, and Microsoft has not yet released a patch to mitigate these flaws. In the interim, follow the guidance in the linked Microsoft advisories to enable auditing of file access, and check your EDR provider for their ability to detect attempted exploitation of these flaws.

Lee Neely

Typically, one or more product vulnerabilities are announced at BlackHat/DefCon. And often, Microsoft is a target. This year is no different. While the vulnerability requires local access and admin privileges to implement, do follow the mitigation guidance provided by Microsoft until a patch is released.

Curtis Dukes

2024-08-12

Researchers Uncover a Very Old AMD Chip Flaw

Researchers from IOActive have discovered an 18-year-old vulnerability affecting AMD processors. Enrique Nissim and Krzysztof Okupski presented their findings at DEF CON over the weekend. The flaw, dubbed Sinkclose, could be exploited to run code in System Management Mode (SMM). The vulnerability affects AMD chips dating back to 2006 or possible

Editor's Note

CVE-2023-31315 has a CVSS score of 7.5, and is not remotely exploitable. Fixes have been released to OEMs for distribution. Note that some of the fixes weren't available until this August. The fix is a firmware flash, although some CPUs have a mitigation option of installing updated microcode; for consistency the best bet is to do the FW update across your affected AMD processors. This would be a good time to make sure all your AMD CPUs are running the latest firmware.

Lee Neely

The latest Intel CPUs have CPU bugs, which is why people are running to AMD. AMD is not bug-free either. I'm just watching this space.

Moses Frost

It is sad that so much time and talent is wasted exposing obscure vulnerabilities while we do not have enough to implement strong authentication, structured networks, cryptography, and least privilege access control, much less develop and apply novel security measures.

William Hugh Murray

2024-08-12

Radar/Dispossessor Ransomware Operation Takedown

The US Federal Bureau of Investigation (FBI) has announced the takedown of the Radar/Dispossessor ransomware infrastructure. The takedown was an international operation, involving the dismantling of servers and domains in the UK, Germany, and the US. Law enforcement organizations in all three countries were involved. The ransomware operation has targeted 43 companies around the world.

Editor's Note

Score one for the good guys. That said, ransomware purveyors have demonstrated a penchant for reestablishing themselves quickly after loss of infrastructure. The best long-term bet is to put maximum pressure on how the ransom is transacted.

Curtis Dukes

Indications are Radar/Dispossessor is an outgrowth of the displaced LockBit ransomware gang members under the guidance of "Brain." They have been in existence since August 2023, and target small to mid-sized businesses. This ransomware operates in two steps, first as a data stealer and second as an encryptor, and has many parallels to LockBit.

Lee Neely

2024-08-12

East Valley Institute of Technology Cyber Incident

East Valley Institute of Technology (EVIT) in Arizona has released additional information about a January 2024 cyber incident that compromised a broad range of personal information belonging to more than 200,000 current and former students, their parents, and faculty members. The compromised data include names, Social Security numbers, driver's license data, medical information, biometric data, and payment card information.

Editor's Note

While not much can be said about the actual cyber incident, a lot can be said about the amount and type of data maintained. Maintaining up to 48 different data types seems excessive but then as you look at the potential make-up of the student population, on-site medical support, and faculty it makes sense. Now comes the rub: what is the data retention policy and how much is required by regulation? Organizations should always look for ways to minimize what data is collected and retained while still complying with laws.

Curtis Dukes

Application fraud is far more serious than transaction fraud. The collection and use of multiple forms of identifying information may be justified to resist it. However, retaining such data after a decision has been made on the application is reckless.

William Hugh Murray

Key in the notification, besides offering credit monitoring to affected individuals, are clear instructions on freezing your credit, something we all need to do, particularly our younger generation who haven't yet experienced ID theft or other consequences when it's not frozen.

Lee Neely

2024-08-12

Malware Campaign Involves Malicious Browser Extensions

Researchers from Reason Labs have detected a campaign that has infected browsers with malicious extensions that have proven difficult to remove. The campaign forces the extensions' installation; the malware they deliver ranges from adware to data theft to command execution. The researchers estimate that at least 300,000 users of Microsoft Edge and Google Chrome browsers have been affected. The Reason Labs write-up includes indicators of compromise and instructions for removing the malicious extensions, which include making sure their 'persistence mechanisms are gone.'

Editor's Note

Have your threat hunters grab the IOCs from Reason Labs and see if you've got some of these malicious extensions in your environment. Next, make sure your EDR solution is checking for malicious browser extensions; if it doesn't, ask for a roadmap of when it will. This is an increasingly common attack, and you're going to want your endpoints defending themselves from malicious extensions, which may require a pivot in your EDR plans.

Lee Neely
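The IOC hunt the note above asks for, as an added example that is not code from Reason Labs or the newsletter: walk a Chromium-based (Chrome or Edge) profile's Extensions directory, match installed extension IDs against an IOC list, and flag hits that are also named in an ExtensionInstallForcelist policy entry, the persistence mechanism that reinstalls an extension after its directory is deleted. The IOC IDs, the demo profile (built under a temporary directory) and the policy export are constructed; the on-disk layout and policy value format are Chromium's.

```python
"""Hunt Chromium-based browser profiles (Chrome, Edge) for extensions whose IDs
appear in an IOC list, and report whether a policy-forced install would reinstall
each hit, which is why removing the extension directory alone does not work.

Added example, not code from Reason Labs or the page. The IOC IDs, the demo profile
(built under a temporary directory) and the policy export are all constructed;
the on-disk layout and policy format are Chromium's:
  <profile>/Extensions/<32-char id>/<version>/manifest.json
  ExtensionInstallForcelist entries of the form "<id>;<update_url>"
"""
import json
import os
import re
import tempfile

EXT_ID_RE = re.compile(r"^[a-p]{32}$")   # Chromium extension IDs: 32 chars, a-p only

# Constructed IOC list for the demo; NOT the real IDs from the Reason Labs report.
IOC_EXTENSION_IDS = {
    "abcdefghijklmnopabcdefghijklmnop",
    "ppppoooonnnnmmmmllllkkkkjjjjiiii",
}

# Constructed policy export (what an admin would pull from the Chrome/Edge policy
# registry keys or chrome://policy); the update URL is the Chrome Web Store's.
DEMO_FORCELIST = ["abcdefghijklmnopabcdefghijklmnop;https://clients2.google.com/service/update2/crx"]


def installed_extensions(profile_dir):
    """Yield (id, version, name) for every extension directory holding a manifest."""
    ext_root = os.path.join(profile_dir, "Extensions")
    if not os.path.isdir(ext_root):
        return
    for ext_id in sorted(os.listdir(ext_root)):
        ext_dir = os.path.join(ext_root, ext_id)
        if not (EXT_ID_RE.match(ext_id) and os.path.isdir(ext_dir)):
            continue
        for version in sorted(os.listdir(ext_dir)):
            manifest = os.path.join(ext_dir, version, "manifest.json")
            if not os.path.isfile(manifest):
                continue
            with open(manifest, encoding="utf-8") as fh:
                name = json.load(fh).get("name", "?")
            yield ext_id, version, name


def forced_install_ids(forcelist_entries):
    """Extension IDs named by ExtensionInstallForcelist values ('id;url' or bare 'id')."""
    return {entry.split(";", 1)[0].strip() for entry in forcelist_entries}


def hunt(profile_dir, forcelist_entries, iocs=IOC_EXTENSION_IDS):
    """Installed extensions matching the IOC set, with a 'forced' flag telling the
    responder that the policy entry has to go before the directory does."""
    forced = forced_install_ids(forcelist_entries)
    return [{"id": i, "version": v, "name": n, "forced": i in forced}
            for i, v, n in installed_extensions(profile_dir) if i in iocs]


def build_demo_profile(root):
    """Lay out a constructed profile: one IOC-listed extension and one benign one."""
    for ext_id, ver, name in (("abcdefghijklmnopabcdefghijklmnop", "1.4.2", "Totally Fine Helper"),
                              ("hgfedcbahgfedcbahgfedcbahgfedcba", "3.0.0", "Ad Blocker")):
        ext_dir = os.path.join(root, "Extensions", ext_id, ver)
        os.makedirs(ext_dir)
        with open(os.path.join(ext_dir, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump({"name": name, "version": ver, "manifest_version": 3}, fh)
    return root


def run_demo():
    """Build the constructed profile in a temp dir and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        return hunt(build_demo_profile(tmp), DEMO_FORCELIST)


if __name__ == "__main__":
    for hit in run_demo():
        status = "policy-forced (remove the forcelist entry first)" if hit["forced"] else "user-installed"
        print(f"{hit['id']} v{hit['version']} '{hit['name']}': {status}")
```

On a real endpoint, point `hunt` at the profile directory (for Chrome on Windows, `%LOCALAPPDATA%\Google\Chrome\User Data\Default`; Edge uses `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default`) and feed it the values exported from `HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist` or `HKLM\SOFTWARE\Policies\Microsoft\Edge\ExtensionInstallForcelist`; replace the constructed IOC set with the IDs from the Reason Labs write-up. A hit flagged `forced` will come straight back if you only delete its directory.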

Internet Storm Center Tech Corner

CORS/SameOrigin Video

https://isc.sans.edu/diary/Video+Same+Origin+CORS+DNS+Rebinding+and+Localhost/31158

QuickShell: Sharing is Caring about an RCE Attack Chain on Quick Share

https://www.safebreach.com/blog/rce-attack-chain-on-quick-share

Chrome, Edge users beset by malicious extensions that can't be easily removed

https://www.helpnetsecurity.com/2024/08/12/chrome-edge-malicious-browser-extensions/

AMD Guest Memory Vulnerabilities

https://www.amd.com/en/resources/product-security/bulletin/amd-sb-7014.html

Splitting the email atom: exploiting parsers to bypass access controls

https://portswigger.net/research/splitting-the-email-atom#parser-discrepancies

Confusion Attacks: Exploiting Hidden Semantic Ambiguity in Apache HTTP Server!

https://blog.orange.tw/2024/08/confusion-attacks-en.html

GL-Inet Patches

https://www.gl-inet.com/security-updates/security-advisories-vulnerabilities-and-cves-aug-1-2024/

Microsoft Office Spoofing Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38200