SANS NewsBites

Account Hijack Enables Aircraft Data Altering; Prolific Microsoft Patch Tuesday; Azure Mitigates Massive DDoS attack; Google Provides Security Tokens to Targets of Nation State Attacks

October 15, 2021  |  Volume XXIII - Issue #81

Top of the News


2021-10-12

Former Flight School Employee Arrested for Allegedly Altering Aircraft Data

A former flight training school employee is alleged to have broken into the school’s systems and modified aircraft data. In some cases, aircraft that had needed maintenance were cleared to fly. Lauren Lide had been Flight Operations Manager at the Melbourne Flight Training school until she resigned from the company in November 2019. The intrusion and data tampering occurred in January 2020. Lide has been arrested and charged with fraudulent use of a computer and unauthorized access to a computer system or network.

Editor's Note

Another good example of why privileged accounts should be migrated from reusable passwords to multi-factor authentication. The account of the current Flight Operations Manager was used for the unauthorized access – even just using text messaging as the second factor would have prevented this damage.

John Pescatore
John Pescatore

This is a case of a (former) disgruntled insider who, despite her credentials being disabled, was able to obtain current credentials with sufficient privileges to retaliate. Use of MFA would have prevented that access. Additionally, monitoring for anomalous access patterns could help discover the illicit activity.

Lee Neely
Lee Neely

From our perspective the issue is not the sensitivity of the data that was altered so much as that a former employee accessed the company’s systems. When granting privilege, be sure that you know how you will withdraw that privilege when the time comes.

William Hugh Murray
William Hugh Murray
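The monitoring the editors call for can be made concrete. What follows is an added example, not code from SANS or from the case described: it reviews a constructed authentication log against a hypothetical account inventory and flags activity on an offboarded account, privileged logins without MFA or outside business hours, and a privileged login from a source address that was also used against an offboarded account, which is the pattern that corresponds to an ex-employee reusing a current manager's credentials. The log format, account names, IP addresses, dates and thresholds are all made up.

```python
"""Flag risky logins for privileged accounts in an authentication log.

Constructed example for this newsletter item; not code from SANS or from the
case described.  The log format, account names, IPs and dates are made up.
"""
from datetime import datetime, time

# Constructed inventory (hypothetical): privileged accounts, offboarded
# accounts with their last day, and the hours a login is considered normal.
PRIVILEGED = {"flightops.manager", "maint.admin"}
OFFBOARDED = {"former.employee": datetime(2019, 11, 30)}
BUSINESS_HOURS = (time(6, 0), time(20, 0))

# Constructed log lines: "timestamp user src_ip mfa=yes|no result=success|failure".
LOG = """\
2020-01-12T09:15:02 flightops.manager 10.0.0.25 mfa=yes result=success
2020-01-13T01:58:30 former.employee 198.51.100.7 mfa=no result=failure
2020-01-13T02:03:44 flightops.manager 198.51.100.7 mfa=no result=success
2020-01-13T08:30:00 scheduler 10.0.0.40 mfa=no result=success
2020-01-13T08:31:12 maint.admin 10.0.0.31 mfa=yes result=failure
"""


def parse(line):
    """Split one log line into a dict; raises ValueError on malformed input."""
    ts, user, ip, mfa, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "user": user,
        "ip": ip,
        "mfa": mfa == "mfa=yes",
        "success": result == "result=success",
    }


def review(log_text, baseline_ips=None):
    """Return (user, reason) findings for the constructed rules below.

    baseline_ips maps user -> set of source IPs seen before (optional); a
    privileged login from outside that set is flagged as a new source.
    """
    baseline_ips = baseline_ips or {}
    events = [parse(ln) for ln in log_text.splitlines() if ln.strip()]

    # Any attempt (successful or not) to use an offboarded account after its
    # last day is a finding, and the source IPs involved become suspect for
    # every other account: a disabled account is often tried first.
    suspect_ips = set()
    findings = []
    for e in events:
        last_day = OFFBOARDED.get(e["user"])
        if last_day and e["ts"] > last_day:
            findings.append((e["user"], "activity on offboarded account"))
            suspect_ips.add(e["ip"])

    # Privileged accounts: only successful logins matter for these rules.
    for e in events:
        u = e["user"]
        if u not in PRIVILEGED or not e["success"]:
            continue
        if not e["mfa"]:
            findings.append((u, "privileged login without MFA"))
        if not BUSINESS_HOURS[0] <= e["ts"].time() <= BUSINESS_HOURS[1]:
            findings.append((u, "privileged login outside business hours"))
        if e["ip"] in suspect_ips:
            findings.append((u, "privileged login from IP used against offboarded account"))
        known = baseline_ips.get(u)
        if known and e["ip"] not in known:
            findings.append((u, f"privileged login from new source {e['ip']}"))
    return findings


if __name__ == "__main__":
    for user, reason in review(LOG, {"flightops.manager": {"10.0.0.25"}}):
        print(f"{user}: {reason}")
```

Run as a script it prints the findings for the constructed log. In practice the inventory would come from the HR or identity system and the rules would live in a SIEM, but the correlation worth building regardless of tooling is the one between a failed attempt on a disabled account and a later success on a privileged account from the same address; a single rule on "login without MFA" would already have caught the access described in this item.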

2021-10-12

Microsoft Patch Tuesday

Microsoft’s October security release includes fixes for more than 70 issues, including a zero-day privilege elevation vulnerability in the Win32k kernel driver (CVE-2021-40449) that is being actively exploited. The batch fixes three additional previously disclosed vulnerabilities, as well as vulnerabilities in Windows 11, which was released earlier this month.

Editor's Note

About an average patch Tuesday. The already exploited privilege escalation should be patched quickly, but remember there are always more privilege escalation issues.

Johannes Ullrich
Johannes Ullrich

There is a new MS Exchange fix (CVE-2020-26427) with a CVSS score of 9.0; make sure that your remaining on-prem services are patched, and only exposed to the Internet if absolutely necessary. The MysterySnail RAT has been found installed on systems where the Win32 driver bug (CVE-2021-40449) is being exploited. MysterySnail allows for data exfiltration, control of the compromised system and launching further attacks. This also includes another print-nightmare fix. The prior fix resulted in operational impacts, such as requiring administrative credentials for every print job. There are also fixes for Word, Hyper-V, SharePoint and DNS RCE vulnerabilities. The DNS vulnerability (CVE-2021-40469), per Jake Williams, could be leveraged to obtain remote control of a domain controller, where DNS services typically run, likely leading to domain administrator rights.

Lee Neely
Lee Neely

This Microsoft Patch Tuesday is a doozy. I am not sure how the IT shops that are supposed to test patches before deployment will have sufficient time to test 70 patches or triage these correctly. Microsoft Exchange is the current gift that keeps on giving, but those not marked as "critical," such as those Local Privilege Escalations, are probably the ones that attackers will go after in this batch. There may also be some interesting attacks against Windows Containers that indirectly show up in the form of Hyper-V Exploits or AppContainer exploits coupled with those Local Privilege Escalations.

Moses Frost
Moses Frost

2021-10-13

Azure Customer Sustained 2.4 Tbps DDoS in August

Microsoft says that in August, it defended an Azure customer from a UDP reflection distributed denial-of-service (DDoS) attack that at its peak was measured at 2.4 terabits per second (Tbps). The attack traffic came from roughly 70,000 sources in Asia and the US.

Editor's Note

One advantage of migrating to the cloud is the benefit of scale. No business would be able to absorb a DDoS attack of this scale on its own. But for smaller attacks, in particular more application-specific attacks, a cloud application can also become a huge financial burden if the attack is not quickly mitigated.

Johannes Ullrich
Johannes Ullrich

The ability for service providers to withstand an increasingly large volume of DDoS attacks is necessary for service delivery and most have solutions. Talk to your service providers to understand their protection model. Azure DDoS protection is enabled by the tenant at the virtual network level and is a separate product; leverage your account representative to understand the offering, pricing, and scaling model.

Lee Neely
Lee Neely

It is almost impossible to resist denial-of-service attacks without the cooperation of an upstream provider. Steve Gibson relates that it took him 12 hours to find the right guy and 15 minutes for him to fix the problem. Be sure you know who to call.

William Hugh Murray
William Hugh Murray
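As an added illustration of what the "UDP reflection" in this item looks like on the wire (this is not Microsoft's or SANS' code): reflected traffic arrives as replies from many servers' well-known UDP service ports converging on a single victim address, so sampled flow records can be classified by the source port together with the fan-in and rate. The flow records, addresses, port list and thresholds below are constructed; a real deployment would tune them and exclude its own recursive resolvers, which legitimately receive many replies from port 53.

```python
"""Spot UDP reflection traffic in sampled flow records.

Constructed example for this newsletter item; not Microsoft's or SANS' code.
Flow records, addresses and thresholds are made up.
"""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by well-known port.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 161: "snmp", 389: "cldap",
                   1900: "ssdp", 11211: "memcached"}

# Constructed flow records sampled over one second:
# (src_ip, src_port, dst_ip, dst_port, bytes)
FLOWS = [
    ("192.0.2.10", 123, "203.0.113.5", 40001, 900_000),
    ("192.0.2.11", 123, "203.0.113.5", 40001, 880_000),
    ("192.0.2.12", 1900, "203.0.113.5", 40001, 450_000),
    ("192.0.2.13", 53, "203.0.113.5", 40001, 300_000),
    ("198.51.100.9", 53, "203.0.113.5", 40001, 310_000),
    # ordinary DNS exchange and a normal HTTPS flow; these must not match
    ("192.0.2.53", 53, "203.0.113.20", 51234, 2_000),
    ("203.0.113.20", 51234, "192.0.2.53", 53, 600),
    ("203.0.113.30", 44321, "192.0.2.80", 443, 50_000),
]


def find_reflection_victims(flows, window_s=1.0, min_sources=3,
                            min_bps=1_000_000, known_resolvers=frozenset()):
    """Return {dst_ip: summary} for destinations that receive traffic *from*
    reflector service ports out of at least min_sources distinct sources at a
    rate of at least min_bps over the sampling window.

    known_resolvers: destinations (e.g. your own recursive resolvers) that are
    expected to see heavy port-53 reply traffic and are skipped.
    """
    per_dst = defaultdict(lambda: {"sources": set(), "bytes": 0, "services": set()})
    for src, sport, dst, _dport, nbytes in flows:
        service = REFLECTOR_PORTS.get(sport)
        if service is None or dst in known_resolvers:
            continue  # not a reply from a reflector port, or an expected receiver
        d = per_dst[dst]
        d["sources"].add(src)
        d["bytes"] += nbytes
        d["services"].add(service)

    victims = {}
    for dst, d in per_dst.items():
        bps = d["bytes"] * 8 / window_s
        # Fan-in from many reflectors plus volume is the signature; a single
        # chatty server replying to one client is not.
        if len(d["sources"]) >= min_sources and bps >= min_bps:
            victims[dst] = {"sources": len(d["sources"]), "bps": bps,
                            "services": sorted(d["services"])}
    return victims


if __name__ == "__main__":
    for dst, info in find_reflection_victims(FLOWS).items():
        print(f"{dst}: {info['sources']} reflectors, {info['bps'] / 1e6:.1f} Mbps "
              f"via {', '.join(info['services'])}")
```

The classifier keys on the source port because the victim never sent the requests; the attacker spoofed the victim's address toward the reflectors. In the constructed sample only 203.0.113.5 qualifies, fed by five distinct reflectors across three services. At the scale reported in this item (tens of thousands of sources, terabits per second) the same logic runs in the provider's telemetry, which is why Johannes Ullrich's point about scale matters.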

2021-10-14

Google Warnings of State Sponsored Hacking

Google says that in 2021, it has sent more than 50,000 warnings of state-sponsored phishing and other attacks targeting its customers. A security engineer from Google’s Threat Analysis Group (TAG) notes that “receiv[ing] a warning … does not mean your account has been compromised, it means you have been identified as a target.” Google urges users to enable two-factor authentication, and says that it plans to provide hardware security keys to 10,000 high-risk users.

Editor's Note

Kudos to Google for its continuing efforts to increase the use of multi-factor authentication, but most organizations need to take the same security steps to prevent business damage from all the very active non-state sponsored attackers that are behind the majority of attacks.

John Pescatore
John Pescatore

Google is making an important point in saying that receiving a warning does not mean that your account is compromised. Too often, users mistake warnings for an actual compromise.

Johannes Ullrich
Johannes Ullrich

Enable two-factor authentication on your Google accounts now, whether using workspaces or their free offering; don’t wait for an alert or, worse, to learn that you’ve been targeted. If you receive one of the hardware tokens from Google, enable it, don’t file it; then talk to your team about implementing those keys for everyone.

Lee Neely
Lee Neely

This is a very impressive service that Google provides. I’ve always admired Google’s push for cyber security (they were one of the very first vendors to publicly push and enable 2FA for users of their free services). Interesting side note: in Microsoft’s webcast yesterday on passwords, they stated that only 20% of enterprise Microsoft 365 customers enable 2FA. So while a powerful security solution, 2FA still has a low adoption rate.

Lance Spitzner
Lance Spitzner

Google has been offering strong authentication options to its users for several years now. Their implementation allows their users a wide range of choices to balance security against convenience; it is a model for others to follow. While Google is releasing data, it would be useful if they told us what user adoption has been and what options users are choosing.

William Hugh Murray
William Hugh Murray

The Rest of the Week's News


2021-10-14

VirusTotal’s Ransomware Data Analysis

VirusTotal has published a report detailing its findings from analyzing 80 million ransomware samples. VirusTotal says that of those samples, 95 percent targeted Windows machines. The report breaks down ransomware activity by threat operator groups and geographic areas targeted. The data were collected between January 2020 and August 2021.

Editor's Note

Much interesting data in the report, but if you replaced “ransomware” with “malware” most of the data would not change. Take the essential security hygiene steps to raise the bar against malware succeeding and you’ve simultaneously lowered the risk of a ransomware attack causing damage.

John Pescatore
John Pescatore

Key points I took away from this report: 95% of all ransomware samples targeted Windows. Less than 5% of samples were related to exploits; the majority of infections were driven by social engineering or droppers. In other words, when it comes to malware, not a lot has changed in the past years. Remember, ransomware is NOT a new attack method, it is a new monetization method. What’s different is that ransomware has made malware a very profitable business model.

Lance Spitzner
Lance Spitzner

Before you celebrate your systems not running Windows, note that two percent of attacks targeted Android, and there were also 1 million samples from macOS. Read the key take-aways in the report. Focus on privilege escalation patches and mitigations, keep your detection profiles updated, and monitor for new activities that need to be added to your detection capabilities; lastly, keep your cyber resiliency and recovery strategies ready and current.

Lee Neely
Lee Neely

2021-10-14

MITRE Establishes New Organizations to Help Protect Critical Infrastructure and Healthcare Sectors from Cyberthreats

MITRE Labs has set up two new centers focused on cybersecurity. The Cyber Infrastructure Protection Innovation Center will address cybersecurity issues that affect the critical infrastructure; the Clinical Insights Innovation Cell will focus on health care cybersecurity issues. Both centers aim to bring together organizations from the public and private sectors.

Editor's Note

As these advance, they will be a source of information that can be leveraged to better our protection strategies for healthcare and critical infrastructure. It’s easy to lose sight of new strategies and techniques when you’re heads down operating and maintaining your current systems, and even more so if you’re busy responding to attacks or incidents.

Lee Neely
Lee Neely

Mitre has some amazing people doing important work. I hope these initiatives get the traction required to help these areas of need.

Christopher Elgee
Christopher Elgee

I worked in the healthcare space for a little over eight years and was doing so while getting more and more into this field. It was challenging to try and explain to doctors and healthcare executives the actual dangers posed by cyber security threats. Mainly because those threats impacted financial systems or industry secrets, it appears that ransomware and patient safety have changed that risk calculus. I'm happy to see MITRE step up here because healthcare organizations should be treated like power plants as critical infrastructure. Unfortunately, those systems will continue to be vulnerable without that level of oversight and thinking as the risk calculus is still not fully understood. I can't wait to see what is occurring here.

Moses Frost
Moses Frost

2021-10-11

NASCIO Report on Cloud Adoption

A report from the National Association of State Chief Information Officers (NASCIO) examines states’ gradual movement to cloud services. For more than a decade, state CIOs have said cloud services are among their top priorities; however, adoption appears to be slow. Of the 35 state CIOs responding, 89 percent say they are still using mainframes and 71 percent say they have not moved any mainframe applications to the cloud.

Editor's Note

While many businesses are finding the right balance of cloud versus on-premise services, state and federal agencies have been struggling with making sure the cloud service providers meet regulatory requirements. While federal agencies have the FedRAMP process to help, StateRAMP has only recently emerged for state and local government users to fill this need. StateRAMP will grant a certification to existing FedRAMP service providers and will work with providers not interested in FedRAMP certification to become StateRAMP certified. With this in hand, it becomes simpler to begin the path to figuring out what will be best in the Cloud.

Lee Neely
Lee Neely

It's not uncommon to see long-deprecated IT systems in SLTT networks. Because of financial limitations, they simply can't manage to keep up. I'm thankful for services like Google Classroom that allow educational institutions (globally) to move to the cloud for free. At that point, "keeping up" just means updating end user devices and school networks.

Christopher Elgee
Christopher Elgee

The NASCIO report is fascinating; it highlights a sector of the IT industry that is very far behind in its operations. Last year the state of New Jersey needed more COBOL programmers to retrofit their systems to absorb the volume of requests for aid. This report highlights how they are not the outlier. The states have several issues; the first is retrofitting their aging systems outside of the challenge of maintaining them. The second is attracting talent that can do so. If it is hard to do this at the state level, it's even more challenging at the city level. States with a large budget may migrate their systems, but finding talent to maintain and operate those cloud instances will be very difficult as we have seen a severe shortage in the market. Two charts that are in the report highlight the problems. One asks how many have moved to MFaaS (Mainframe as a Service). The second details how many entities use IP addressing and not names to reach their systems. Those two charts alone show how difficult and challenging this migration will be for many shops. I guess offensive and defense teams will need to brush up on mainframes and JCL for a while longer.

Moses Frost
Moses Frost

2021-10-14

NHS Vaccine Passport Outage Causes Travel Problems

The UK’s National Health Service (NHS) vaccine passport, NHS Covid Pass, suffered a disruption on Wednesday, October 13. The feature is part of the NHS smartphone app. Users received error messages suggesting that the service was experiencing unusually high traffic volumes, which was limiting access. Some passengers at UK airports reported that they were unable to board their flights because they did not have sufficient proof of their vaccination status without access to NHS Covid Pass.

Editor's Note

Understand the requirements for proving vaccination status when traveling and have a backup option in case the primary option fails. In this case the airports were not accepting paper vaccination records, which we’ve carried for years for this purpose. For a digital application, screenshot the barcode or add it to your digital wallet. Note that you may have to update those as frequently as every thirty days.

Lee Neely
Lee Neely

Always try and travel with physical backups of all your paperwork. It may seem counterintuitive as we are so used to the availability of systems. However, we should also acknowledge that many of these systems are new and have probably not been as tested as amazon.com. I would also suggest taking a screenshot for a backup. I try and travel with the physical US vaccine cards and pictures of them just in case.

Moses Frost
Moses Frost

2021-10-14

CISA Alert: Water and Wastewater Cyberthreats

A joint advisory from the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), the Environmental Protection Agency (EPA), and the National Security Agency (NSA) warns of “ongoing malicious cyber activity” targeting water and wastewater facilities in the US. The threat actors have been targeting both IT and OT networks. The alert describes threat actors’ tactics, techniques, and procedures, and lists mitigations and resources for water facilities.

Editor's Note

If you’re a critical system operator, make sure you’re subscribed to these alerts. The mitigations for these attacks include segmentation, monitoring, and MFA for remote access, and removing unnecessary components from networks to reduce your attack surface. Read the bulletin for a comprehensive list along with resources you can leverage.

Lee Neely
Lee Neely

2021-10-13

OVH Outage Due to Network Reconfiguration

Hosting provider OVH suffered an hour-long outage on Wednesday, October 13. The issue appeared to be related to routing configuration problems during scheduled maintenance. OVH founder Octave Klaba said that “a bad configuration of the router caused the failure of the network.” The outage reportedly affected only OVH’s IPv4 infrastructure.

Editor's Note

The complexity of the network infrastructure, which is required for modern service delivery and redundancy, heightens the need to carefully scrutinize changes prior to deployment. This is not only for big providers like OVH and Facebook, but also for your enterprise where the configurations now include virtual networks to cloud providers, outsource or business providers and your locations. This is further complicated by increased remote access where network locations can be easily omitted from the VPN configuration. Read twice, deploy once, know how to back it out.

Lee Neely
Lee Neely

Internet Storm Center Tech Corner

Port Forwarding with Windows for the Win

https://isc.sans.edu/forums/diary/PortForwarding+with+Windows+for+the+Win/27934/


Please Fix Your E-Mail Brute Forcing Tool

https://isc.sans.edu/forums/diary/Please+fix+your+EMail+Brute+forcing+tool/27930/


Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+October+2021+Patch+Tuesday/27928/


Adobe Patches

https://helpx.adobe.com/security/security-bulletin.html


PyPI Removes mitmproxy2 Module

https://twitter.com/maximilianhils/status/1447525552370458625

https://web.archive.org/web/20211012105244/https://gist.github.com/mhils/7ff29d50b25a1c99e06834cf95684333


Ad Blocker Injects Ads

https://www.imperva.com/blog/the-ad-blocker-that-injects-ads/


Romance Scams Go After Crypto Currency

https://nakedsecurity.sophos.com/2021/10/13/romance-scams-with-a-cryptocurrency-twist-new-research-from-sophoslabs/


Sysmon For Linux

https://github.com/Sysinternals/SysmonForLinux


Foxit Updates

https://www.foxit.com/support/security-bulletins.html


VMware Updates

https://www.vmware.com/security/advisories/VMSA-2021-0023.html