SANS NewsBites

Russia's Daisy-Chained Network Attack Demonstrates Necessity of Wi-Fi Security; Deny Outdated Antivirus Drivers to Prevent Kernel-Level Exploit

November 26, 2024  |  Volume XXVI - Issue #91

Top of the News


2024-11-25

Nearest Neighbor Attack (TL;DR: Implement MFA on Your Wi-Fi Network)

Researchers from Volexity found that a Russian APT gained access to a targeted network by compromising nearby organizations and “daisy-chaining” through them until it could reach the target’s Wi-Fi network. The attackers had earlier used credential stuffing to obtain valid passwords for accounts on the target’s public-facing web services, but MFA kept them out of those accounts. The target’s enterprise Wi-Fi, however, accepted the same username and password with no MFA, so once the attackers had a foothold in a neighboring organization from which the target’s wireless network was reachable, the purloined credentials got them onto it. Beyond monitoring and detection tools, mitigation suggestions from Volexity include “creat[ing] separate networking environments for Wi-Fi and Ethernet-wired networks, particularly where Ethernet-based networks allow for access to sensitive resources [and] … hardening access requirements for Wi-Fi networks, such as applying MFA requirements for authentication or certificate-based solutions.” Volexity’s Steven Adair presented the company’s findings at the Cyberwarcon security conference last week.
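The condition the attack above depended on is a Wi-Fi network that a bare username and password will open. The following is an added example, not code from Volexity or from the original newsletter, that classifies saved Windows Wi-Fi profiles by what it takes to join them. The two XML documents are constructed samples in the shape written by `netsh wlan export profile`; the SSIDs are invented and most inner xmlns declarations are omitted (the XPath ignores namespaces, so real exports parse the same way). EAP type numbers are the IANA assignments (13 EAP-TLS, 25 PEAP, 26 EAP-MSCHAPv2).

```powershell
# Added example (not from Volexity's report): classify saved Wi-Fi profiles by what
# it takes to join them. A profile that accepts a bare username/password is one
# that stolen credentials alone will open, with no MFA in the way.
# The two XML documents below are constructed samples; SSIDs are invented and most
# inner xmlns declarations are omitted for brevity.

$EapNames = @{ 13 = 'EAP-TLS'; 25 = 'PEAP'; 26 = 'EAP-MSCHAPv2' }

$PeapSample = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-staff</name>
  <SSIDConfig><SSID><name>corp-staff</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX>
    </authEncryption>
    <OneX><EAPConfig><EapHostConfig>
      <EapMethod><Type>25</Type></EapMethod>
      <Config><Eap><Type>25</Type><EapType><Eap><Type>26</Type></Eap></EapType></Eap></Config>
    </EapHostConfig></EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
'@

$TlsSample = @'
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>corp-devices</name>
  <SSIDConfig><SSID><name>corp-devices</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX>
    </authEncryption>
    <OneX><EAPConfig><EapHostConfig>
      <EapMethod><Type>13</Type></EapMethod>
      <Config><Eap><Type>13</Type></Eap></Config>
    </EapHostConfig></EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
'@

function Get-WlanProfileAuthClass {
    param([Parameter(Mandatory)][xml]$Profile)

    $ssid = $Profile.SelectSingleNode("/*[local-name()='WLANProfile']/*[local-name()='name']").InnerText
    $auth = $Profile.SelectSingleNode("//*[local-name()='authEncryption']/*[local-name()='authentication']").InnerText
    # Every <Type> under EAPConfig: the outer method (25 = PEAP) and any tunnelled inner method (26 = MSCHAPv2).
    $types = @($Profile.SelectNodes("//*[local-name()='EAPConfig']//*[local-name()='Type']") |
               ForEach-Object { [int]$_.InnerText } | Select-Object -Unique)

    $class = switch ($true) {
        { $auth -in 'open','WPAPSK','WPA2PSK','WPA3SAE' } { 'shared secret or open: no per-user identity at all'; break }
        { $types -contains 13 }                            { 'certificate-based (EAP-TLS): a stolen password is not enough'; break }
        { $types -contains 26 }                            { 'password-only (PEAP/MSCHAPv2): stolen credentials work here'; break }
        default                                            { "review manually ($auth; EAP $($types -join ','))" }
    }

    [pscustomobject]@{
        SSID       = $ssid
        Auth       = $auth
        EapMethods = ($types | ForEach-Object { if ($EapNames.ContainsKey($_)) { $EapNames[$_] } else { "type $_" } }) -join '/'
        Class      = $class
    }
}

# Run over the constructed samples: corp-staff is flagged password-only, corp-devices certificate-based.
$PeapSample, $TlsSample | ForEach-Object { Get-WlanProfileAuthClass ([xml]$_) } | Format-Table -AutoSize

# Live audit of this machine (commented out; needs netsh and a wireless adapter):
# $dir = Join-Path $env:TEMP 'wlan-audit'; New-Item -ItemType Directory -Force -Path $dir | Out-Null
# netsh wlan export profile folder=$dir | Out-Null
# Get-ChildItem -Path $dir -Filter *.xml | ForEach-Object { Get-WlanProfileAuthClass ([xml](Get-Content -Raw $_.FullName)) }
```

The classifier treats any PEAP profile whose inner method is EAP-TLS (type 13) as certificate-based, since the password alone will not complete that handshake; everything that bottoms out in MSCHAPv2 is the case the attackers exploited.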

Editor's Note

So much to consider here. I continue to be surprised not only that VPN and Wi-Fi networks still require just a username/(AD) password, but also that these lightly authenticated connections are then trusted. At a minimum, implement OTP for these connections. With all the work we've done to expose services for access without respect to the network, maybe circle back and look at them from a zero-trust perspective; both the user and the device need to be authenticated before connections to services are granted, regardless of the originating network. Make sure you have Wi-Fi monitoring and security dialed in, not only for unexpected behavior, but also for rogue device and network detection and response.

Lee Neely

I have heard people speculating about attacks like this. This is the first time I have seen it documented. The closest attack like this was an attack against a financial institution where an adversary landed a drone on the building that was used as a Wi-Fi relay. This attack should renew interest in Wi-Fi security.

Johannes Ullrich

2024-11-25

Hackers Bring Their Own Vulnerable Avast Driver

In a November 20 blog post, researchers at Trellix describe a malware campaign that abuses an outdated but legitimately signed Avast anti-rootkit driver and "manipulates it to terminate security processes, disable protective software, and seize control of an infected system." The driver is a kernel-mode driver, so it runs with the same privileges as the operating system itself; the malware brings the driver along, loads it, and uses that position "to terminate security processes [and] disable protective software," working from a list of 142 process names from major software vendors hardcoded into the malware. Because the driver carries a valid vendor signature, ordinary signature checks will not stop it from loading. Preventing a Bring Your Own Vulnerable Driver (BYOVD) attack like this involves implementing rules to "identify and block specific vulnerable drivers based on their unique signatures or hashes," according to Trellix.
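A host-level check in the spirit of Trellix's recommendation, added here as an example and not taken from the Trellix post or from any vendor tool: it lists the kernel drivers currently loaded, hashes each on-disk image, compares hashes and file names against a denylist you supply, and reports whether HVCI is enforcing. The denylist entries are placeholders (an assumption): populate them from Microsoft's recommended driver block rules or the LOLDrivers project. The page does not name the Avast driver file; `aswArPot.sys` is the name commonly reported for it and is included only as an assumed entry to confirm against the Trellix indicators.

```powershell
# Added example (not from the Trellix post or any vendor tool): inventory the kernel
# drivers currently loaded, hash each on-disk image, compare against a denylist, and
# report whether HVCI is enforcing. Run from an elevated PowerShell on Windows 10/11.

# Assumption: the denylist is yours to populate, from Microsoft's recommended driver
# block rules or the LOLDrivers project. The entry below is a placeholder, not an IoC.
$DenyHashes = @{
    '0000000000000000000000000000000000000000000000000000000000000000' = 'placeholder: replace with a real SHA-256'
}
# Assumption: the Avast anti-rootkit driver is commonly reported as aswArPot.sys; confirm
# the file name and hashes against the Trellix indicators before relying on this.
$DenyNames = @('aswArPot.sys')

function Get-LoadedDriverReport {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName } |
        ForEach-Object {
            # PathName may be quoted, or use the \??\ or \SystemRoot\ kernel prefixes.
            $path = $_.PathName.Trim('"') -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
            if (-not (Test-Path -LiteralPath $path)) { return }
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $sig  = Get-AuthenticodeSignature -LiteralPath $path
            [pscustomobject]@{
                Name      = $_.Name
                Path      = $path
                SHA256    = $hash
                SigStatus = $sig.Status                       # 'Valid' is expected even for a BYOVD driver
                Signer    = $sig.SignerCertificate.Subject
                Denied    = $DenyHashes.ContainsKey($hash) -or ($DenyNames -contains (Split-Path -Path $path -Leaf))
            }
        }
}

function Test-HvciRunning {
    # Win32_DeviceGuard.SecurityServicesRunning lists 2 when Hypervisor-Protected
    # Code Integrity is active (1 is Credential Guard).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [bool]($dg.SecurityServicesRunning -contains 2)
}

$report = @(Get-LoadedDriverReport)
$hits = @($report | Where-Object Denied)
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) denylisted driver(s) loaded:"
    $hits | Format-Table Name, Path, SigStatus, Signer, SHA256 -AutoSize
} else {
    Write-Host "No denylisted drivers among $($report.Count) loaded."
}
if (-not (Test-HvciRunning)) {
    Write-Warning 'HVCI is not running: a validly signed but vulnerable driver will load unopposed.'
}
```

Note that the signature status column is informational only: the whole point of BYOVD is that the driver's signature is valid, so the decision has to rest on the hash and name denylist (or on HVCI and the Microsoft vulnerable driver blocklist enforcing it for you), never on whether the signature checks out.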

Editor's Note

The trick is preventing the installation of old/outdated software (drivers, applications/etc.) coupled with visibility to the endpoint (think EDR). While the idea of allow/deny lists for installation may be daunting, take a look at this for your purpose-built servers which don't need a lot of flexibility in what they do.

Lee Neely

Consider this article from Microsoft around the defensive control called Hypervisor-Protected Code Integrity (HVCI), which can help to prevent the use of BYOVD attacks. https://techcommunity.microsoft.com/blog/microsoftsecurityexperts/strategies-to-monitor-and-prevent-vulnerable-driver-attacks/4103985

Stephen Sims

The Rest of the Week's News


2024-11-24

DEF CON Hackers Help Shore Up US Water Systems

In a November 20 press release, the University of Chicago Harris School of Public Policy's Cyber Policy Initiative (CPI) announced a collaboration with the National Rural Water Association (NRWA) and volunteers from the DEF CON Franklin Project to pair security experts with vulnerable US water utilities, in response to rising cyberattacks on the water sector. The Franklin Project describes two key tasks: collecting information on "pressing cyber policy gaps" from participating DEF CON villages and synthesizing it into recommendations and a "Hackers' Almanack" resource; and connecting volunteers from the DEF CON community with sectors and organizations that need cybersecurity expertise. Six water utilities in Indiana, Oregon, Utah, and Vermont have already been identified for pairing with volunteers. CPI's press release notes that the overwhelming majority of US water systems serve small communities and lack the resources and staff to secure their systems; the Franklin Project aims to serve them by "deploying volunteers as a free, scalable solution to help secure water systems nationwide."

Editor's Note

What an excellent initiative! Unfortunately sign-ups for volunteers are presently closed, and it isn't clear how water authorities can put their names on the list. While they learn to scale: remember that we also have InfraGard and state agencies to help manage volunteer efforts.

Christopher Elgee

While I applaud the efforts of the DEF CON hackers, what happens once the volunteers depart? At the end of the day, whatever solutions are implemented must continue to be resourced; is that part of the plan?

Curtis Dukes

The DEF CON Franklin project is not only about security and policy work but also empowers volunteer members of the DEF CON community to help support critical infrastructure. Beyond identifying weaknesses, like a VDP, they are working to resolve issues. If you're in the critical infrastructure business, and feeling under-resourced, give them a shout to see if they can help.

Lee Neely

It's nice to see a news story that recognises the good that hackers do and our contribution to making the world a safer place.

Brian Honan

2024-11-22

Cyberattacks on UK Drinking Water

British critical national infrastructure suffered an unprecedented number of "cyber incidents" in 2024, possibly as much as a 50% increase over 2023. Under UK law, providers must report significant incidents to the government but are not required to disclose them publicly. Recorded Future News learned through a UK Freedom of Information (FOI) Act request that drinking water systems experienced at least six significant cyber incidents this year, meaning incidents that “directly impact[ed] on the production and delivery of wholesome water, irrespective of whether or not customers are directly affected,” up from a previous yearly record of two. The information request was initially denied, but the appeal succeeded when the Department for Environment, Food, & Rural Affairs "could not demonstrate how [disclosing] statistical data might make services more vulnerable." The Cyber Security and Resilience Bill, to be introduced in Parliament in 2025, aims to redefine thresholds and requirements for reporting, and to strike a balance between secrecy and transparency, giving citizens informed confidence in infrastructure while protecting security-critical details.

Editor's Note

An n of six hardly supports any statistical inference, particularly in such a large population. That is not to suggest that there is no problem, only to caution about how to talk about its growth.

William Hugh Murray

All critical infrastructure is a target - from the smallest town water authority to national power grids. Sharing details about attacks like this helps everyone prepare for WHEN they're hit.

Christopher Elgee

At first blush this story feels like issues with UK critical infrastructure; the bigger concern is the balance in disclosure of security incidents to regulators versus the disclosure of those events to the press/public. An ongoing topic of discussion as more and more regulators require these disclosures. With luck, the UK legislation to address this can be modeled for use by others.

Lee Neely

2024-11-25

SCOTUS: Meta Will Face Class Action Suit over Cambridge Analytica

On November 22, 2024, the Supreme Court of the United States (SCOTUS) issued a per curiam decision in Facebook, Inc. v. Amalgamated Bank, dismissing the writ of certiorari it had granted Meta as "improvidently granted." The Court had agreed to review the case but has now declined to rule on it, leaving the appellate court's decision in place and "allow[ing] a securities fraud class action against Meta to go forward." The "multibillion-dollar" suit stems from investors' complaints that Meta had "improperly downplayed the risks of a data breach," so that when the Cambridge Analytica scandal came to light, the stock price plunged. In 2019 the Federal Trade Commission fined Meta an unprecedented $5 billion for misleading users about how their personal information was collected and shared, including the data Cambridge Analytica acquired and used in the 2016 US political campaigns. A separate class action over the same breach, brought by users, settled in 2022 for $725 million.

Editor's Note

To help them fight any possible tendency to soft-pedal incident reports, make sure your CFO and corporate PR/communication teams are aware of this decision.

John Pescatore

This class action suit was brought by Meta investors, as opposed to Meta (Facebook/Instagram) users. The lessons remain: be careful of who you allow to use your customers' data (and how), and don't understate the potential financial impacts, particularly to shareholders, of misuse or compromise of that data.

Lee Neely

Companies that collect and manage consumer data should pay attention to this decision. If you’re in the data collection business, and who isn’t these days, have your legal team review and update the authorization agreement as needed.

Curtis Dukes

2024-11-22

FCC Fines Smart Doorbell Maker $735,000

The US Federal Communications Commission (FCC) has proposed a fine of nearly $735,000 against Hong Kong-based smart device manufacturer Eken. Specifically, the FCC alleges that Eken violated an FCC requirement that foreign companies designate an agent within the US. Additionally, the FCC’s Enforcement Bureau is investigating allegations of security issues with Eken video doorbells. A Consumer Reports investigation found “serious security and privacy vulnerabilities with these devices” that could have been exploited to take control of affected doorbells and to view images from the doorbell’s camera. The devices also leaked Wi-Fi network names and home IP addresses. Eken released fixes for the vulnerabilities after meeting with Consumer Reports engineers.

Editor's Note

With new 2025 tariffs in the news, good for CISOs to check on impacted supply chain reliances on vendors, subcontractors/outsourcers, and the suppliers to critical vendors, and develop contingency plans to deal with supply chain impacts.

John Pescatore

The US agent is supposed to conduct required wireless interface testing and obtain authorization from the FCC prior to products being sold in the US. Eken and the other Chinese equipment manufacturers being investigated all used the same US agent, GSS Service Inc., based in Colorado Springs. This agent's address/mailbox has been inactive since 2019, so it's likely the claimed authorizations are fraudulent. Consumer Reports identified both the security flaws and the lack of an FCC ID sticker on the devices. Subsequently, Eken did issue a firmware update which addressed the security flaws in April, and the company claims to have an approved FCC ID, which appears in its app.

Lee Neely

Enforcement leads to establishment and implementation of security better practices. With the proposed fine, the FCC has exposed a dirty little secret in how foreign companies get around, at minimal cost, the intent of the law requiring US-based company agents.

Curtis Dukes

2024-11-22

2,000 Palo Alto Networks Devices Compromised

Roughly 2,000 Palo Alto Networks devices have been compromised via a pair of recently disclosed vulnerabilities, according to data gathered by The Shadowserver Foundation. The flaws, an authentication bypass (CVE-2024-0012) and a command injection (CVE-2024-9474), affect the PAN-OS management interface, and chaining them gives an unauthenticated attacker who can reach that interface code execution on the firewall. The US Cybersecurity and Infrastructure Security Agency (CISA) added both flaws to its Known Exploited Vulnerabilities (KEV) catalog on November 18; Federal Civilian Executive Branch agencies have until December 9 to address them.

Editor's Note

For any device, not just PAN, the device’s control plane must be isolated. Do not expose admin interfaces and APIs, and disable any unused features. Do not assume a device is “secure” just based on the price you paid for it or for support.

Johannes Ullrich

Palo Alto has released updates which address both of these flaws. In addition to applying the update, secure access to the management interface. CVE-2024-0012 has a CVSS score of 9.8, which drops to 5.9 after restricting access to the management interface. CVE-2024-9474 has a CVSS score of 6.9. Regardless of the score, the flaws are being aggressively targeted, so you need to take action now. The campaign is being tracked by Palo Alto Unit 42 as Operation Lunar Peek.

Lee Neely

2024-11-25

QNAP Pulls Problematic Firmware Update

QNAP has pulled a firmware update, QTS 5.2.2.2950 build 20241114, after users reported that it broke some network attached storage (NAS) features and capabilities and, in some cases, prevented them from logging into their devices. In a community announcement, QNAP wrote that “the issue caused by this update only affected limited models of TS-x53D series and TS-x51 series: HS-453DX, TBS-453DX, TS-251D, TS-253D, TS-653D, TS-453D, TS-453Dmini, TS-451D, TS-451D2." QNAP provides instructions for downgrading to the previous firmware.

Editor's Note

It’s generally a poor security practice, but in this case it hopefully saved some users a tech support call. Firmware tends to be the one area where users lag in implementing the software update.

Curtis Dukes

The firmware downgrade involves downloading the prior firmware image and doing a manual install. QNAP is ready to provide technical support for this process. If you're downgrading, keep an eye open for the next update, as the downgrade reintroduces the flaws, mostly operational, previously fixed. As NAS continues to be a target, be mindful of malicious actors targeting the downgraded devices. Make sure your NAS devices are not directly exposed to the Internet.

Lee Neely

Make sure to test changes against all devices or products.

William Hugh Murray

2024-11-25

Microsoft 365 Outage

"We're having issues, but we're working on it," reads the service status page for Microsoft's software products, as Microsoft 365 (Consumer) "continu[es] to incrementally recover" from an outage that began on the morning of Monday, November 25. Throughout the day, customers reported degraded service or complete outages in Exchange Online, Microsoft Teams, SharePoint Online, OneDrive, Purview, Copilot, Microsoft Fabric, Microsoft Bookings, Microsoft Defender for Office 365, and Outlook on the web and desktop. At 6:25pm EST, Microsoft updated the status of the outage with an explanation: "We identified a change that caused an influx of retry requests routed through servers, impacting service availability. To address this, we implemented optimizations to enhance the infrastructure's processing capabilities. These changes have provided incremental relief, and we are closely monitoring the service to ensure stability. Our team is actively performing follow-up actions and will initiate additional workstreams as needed to fully resolve the issue."

Editor's Note

Microsoft’s Service Level Agreement document is over 100 pages long and is based on the percentage of “user minutes” impacted per month — or (for internal Exchange 365 use) when 95% of email takes longer than 1 minute to be delivered — but an 8 hour disruption could qualify your company for a 25% service credit. Make sure IT ops knows how to determine when Microsoft is non-compliant with its own SLAs, and that you are being compensated. It is important to make such outages as expensive as possible to the offenders.

John Pescatore

This affects Microsoft 365 Commercial rather than their Government cloud service offerings. While it looks like Microsoft has either rolled back the change or implemented mitigations to at least 98% of their environments, with outage reports tapering off after noon on Monday, the size and interconnection of the components affected mean that it'll take a bit for service to normalize everywhere. If the conversation takes you to moving off MS 365, consider your prior on-premises service offering, including services offered, scaling and availability, and that alternate cloud services may have similar outage impact risks to explore before going there.

Lee Neely

One more in the increasingly frequent Microsoft incidents. Reliance at the cost of resilience.

William Hugh Murray

Internet Storm Center Tech Corner