SANS NewsBites

Look at Advertising Networks as Part of Your Supply Chain Security Responsibility; Check IPV4/V6 Transition Risks; Changes In Ransomware Volume Don’t Change Need for Essential Security Hygiene

January 24, 2023  |  Volume XXV - Issue #07

Top of the News


2023-01-23

HUMAN Security Takes Down Vastflux Ad Fraud Operation

Researchers from HUMAN have taken down a sizeable ad fraud scheme that spoofed more than 1,700 apps and managed to generate 12 billion ad requests a day. By injecting JavaScript into the ads, the scammers were able to layer multiple ads, registering views for ads that users did not see. HUMAN dubbed the malicious campaign Vastflux.

Editor's Note

Ad botnets/malvertising attacks are a constant and this is a reminder that if your company pays for ads or takes revenue from ad placement, advertising networks have to be considered as part of your supply chain security and user awareness programs. In particular, increased use of MFA will bring increased “MFA fatigue” attacks, which share a lot of evil DNA with ad stacking attacks. Use this one as impetus for an awareness push to users and management.

John Pescatore

2023-01-23

NSA Publishes IPv6 Transition Guidance

The US National Security Agency (NSA) has published IPv6 security guidance to help the Department of Defense (DoD) and other federal agencies with the transition to IPv6. One concern is dual stacked networks (networks that are running IPv4 and IPv6 at the same time), as this poses additional security risks, including an increased attack surface.

Editor's Note

Not a bad overview, but note that recently released operating systems will use privacy enhanced IPs by default and embedded MAC addresses are rather uncommon these days. Also carefully test the interactions between SLAAC and DHCPv6 for your systems. Just like any feature, it should be enabled if there is a clear business need for it, and if you have the domain expertise to support IPv6.

Johannes Ullrich

Practitioner's note: Whether you've intentionally "transitioned to IPv6" or not, it's likely already running in your environment. Test it yourself! Penetration testers make easy money from systems with rock-solid IPv4 firewall rulesets and "allow any any *" for IPv6. Also, without the protection of NAT, it's worth trying to access internal assets from an external host. It might be directly accessible!

Christopher Elgee
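The "rock-solid IPv4, allow-any for IPv6" gap described above can be caught by comparing the two rule sets against the services a host actually listens on. The following is an added example, not code from the newsletter or the NSA guidance; it uses a constructed, simplified first-match rule syntax rather than real nftables/iptables output, and the sample rules and service list are made up for illustration.

```python
# Added example: dual-stack firewall parity check.
# Rule syntax (constructed for this example): "<family> <proto> <dport> <action>"
# family: ip | ip6   proto: tcp | udp | any   dport: port number | any
# action: accept | drop. Rules are evaluated first-match; no match means drop.
from typing import List, Tuple

Rule = Tuple[str, str, str, str]


def parse_rules(text: str) -> List[Rule]:
    """Parse the simplified rule list, ignoring blank lines and '#' comments."""
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        family, proto, dport, action = line.split()
        rules.append((family, proto, dport, action))
    return rules


def is_accepted(rules: List[Rule], family: str, proto: str, port: int) -> bool:
    """First-match evaluation for one address family; default policy is drop."""
    for fam, rproto, rport, action in rules:
        if fam != family:
            continue
        if rproto not in ("any", proto) or rport not in ("any", str(port)):
            continue
        return action == "accept"
    return False


def ipv6_only_exposure(rules: List[Rule], services) -> List[Tuple[str, int]]:
    """Return listening services reachable over IPv6 but blocked over IPv4."""
    return sorted(
        (proto, port) for proto, port in services
        if is_accepted(rules, "ip6", proto, port)
        and not is_accepted(rules, "ip", proto, port)
    )


# Constructed sample: strict IPv4 policy, IPv6 left at "allow any any".
SAMPLE_RULES = """
ip  tcp 443 accept
ip  tcp 22  accept
ip  any any drop
ip6 any any accept   # the dual-stack mistake the note warns about
"""
SAMPLE_SERVICES = [("tcp", 22), ("tcp", 443), ("tcp", 3306), ("tcp", 5985), ("udp", 161)]

if __name__ == "__main__":
    for proto, port in ipv6_only_exposure(parse_rules(SAMPLE_RULES), SAMPLE_SERVICES):
        print(f"{proto}/{port}: reachable over IPv6 only")
```

Feed it your real listening sockets and a translation of your actual rule sets; any line it prints is a service your IPv4 policy believes is closed.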

2023-01-23

Report: Ransomware Victims are Refusing to Pay

Studies from two security firms suggest that ransomware victims are increasingly refusing to pay the attackers’ demands. According to Chainalysis, ransomware payments fell from $766 million in 2021 to $457 in 2022. Coveware reports that 76 percent of ransomware victims paid the ransom demands in 2019, while that figure fell to 41 percent in 2022.

Editor's Note

First, a caveat that there is *no* reliable data on ransomware payments, as even Chainalysis notes. That said, essential security hygiene works against the majority of attacks and ransomware is not different. If you’ve been unable to get backing to make needed changes, you can certainly take advantage of these headlines to show management that your competition has been getting more secure.

John Pescatore

Between dropping cryptocurrency prices, and victims refusing to pay, the researcher in me can't wait for what attackers come up with next to monetize their efforts.

Johannes Ullrich

The Rest of the Week's News


2023-01-23

Indian Education App Exposed Student and Teacher Data

The personal information of students and teachers in India was exposed on the Internet for more than a year. The Digital Infrastructure for Knowledge Sharing (Diksha) app stored the data on an unprotected Azure cloud server. Diksha has made data privacy news before: last year, a report from Human Rights Watch found that the app was tracking students’ location and sharing that information with Google.

Editor's Note

Practitioner's note: If you're not 100% confident that your cloud assets are appropriately secured from public access, test it! Try to access it from an account which shouldn't be able to access your instance/storage blob/assumed role policy. You may still miss subtle misconfigurations, but you'll catch the most egregious - like this one.

Christopher Elgee

Improper configuration of cloud resources is a preventable problem. The Center for Internet Security publishes and makes available for free foundation benchmarks for each of the major cloud service providers (Azure in this case). The benchmark contains security recommendations, and information on how to implement them, that improves the security posture of cloud resources.

Curtis Dukes

2023-01-20

Some MSI Motherboards Do Not Have Secure Boot Enabled by Default

Security researcher Dawid Potocki discovered that more than 300 motherboard models from MSI do not implement the Secure Boot feature by default, which means that they will allow any bootloader, signed or unsigned, to run. According to an MSI Reddit post, the company says they “preemptively set Secure Boot as Enabled and ‘Always Execute’ as the default setting to offer a user-friendly environment that allows multiple end-users flexibility to build their PC systems.” MSI reportedly plans to release firmware updates that will change the default setting to “Deny Execute.”  

Editor's Note

Classic "usability vs security" issue. Disabling full Secure Boot protection will cause more support queries from users attempting to use a boot loader / operating system not sanctioned by MSI or the OEM.

Johannes Ullrich

Organizations count on OEMs to ship their products properly configured. The troubling bit is that this configuration change, made by MSI, resulted in secure boot being irrelevant and users of the product were unaware. Lately, CISA has been talking about shifting the security burden (secure, transparent, and sustainable) from the end user to the vendor. Here’s an example where configuration control processes need to be reinforced and tested prior to shipping, else the security shift can become a potential supply chain attack.

Curtis Dukes

2023-01-23

Apple Updates Include Backported Fix for iOS Vulnerability

Apple released fixes for multiple security issues in iOS and macOS, including a remotely exploitable zero-day flaw in iOS. The type confusion issue in Apple WebKit browser engine was deemed serious enough to prompt Apple to release updates for older versions of iOS.

Editor's Note

Impressive from Apple to release an update for hardware released 10 years ago. I wish more device manufacturers would offer fixes for critical security issues for older devices. On the other hand, I don't think Apple offers any guarantees as to how long updates like this are available for specific devices.

Johannes Ullrich

2023-01-23

CISA Adds ManageEngine Flaw to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a remote code execution vulnerability in Zoho ManageEngine to its Known Exploited Vulnerabilities catalog. Federal Civilian Executive Branch (FCEB) agencies have until February 13 to mitigate the flaw.

2023-01-23

Federal Agencies Do Not Implement Majority of GAO’s Cybersecurity Recommendations

According to a new report from the US Government Accountability Office (GAO), US federal agencies have implemented just 40 percent of the 335 cybersecurity recommendations made by GAO since 2010. The report, Cybersecurity High-Risk Series: Challenges in Establishing a Comprehensive Cybersecurity Strategy and Performing Effective Oversight, is the first of four planned reports examining the government’s development and implementation of cybersecurity policy.

Editor's Note

It is tempting to skip over this “evergreen” item – government agencies not implementing audit recommendations is not news. But, I have to point out that GAO/OMB never seem to address the root problem of “Why?” Instead, it is always an immediate jump to “a more comprehensive strategy” is needed at the top, vs. what really are the obstacles facing government CISOs and SOC managers who do want to improve cybersecurity and why some agencies *are* able to stay safe and score well.

John Pescatore

One would hope that implementing fundamental recommendations would obviate others even though it decreased the number of boxes checked. Checking boxes is not an efficient way to achieve quality. Unchecked boxes are not necessarily an indicator of poor quality.

William Hugh Murray

2023-01-20

FAA Statement on NOTAM Outage (January 19, 2023)

In a January 19 statement, the US Federal Aviation Administration (FAA) said that according to a preliminary review, “contract personnel unintentionally deleted files while working to correct synchronization between the live primary database and a backup database. The agency has so far found no evidence of a cyber-attack or malicious intent.” The statement also notes that the FAA “has taken steps to make the NOTAM system more resilient.”

Editor's Note

File integrity management is one of the basic security hygiene requirements that actually works when done right. One key element is figuring out what the actual show-stopper files are, not always just key executables.

John Pescatore

2023-01-23

Bitzlato Virtual Currency Exchange Taken Down in International Effort

The digital infrastructure of the Bitzlato virtual currency exchange was taken down in an international operation involving authorities from the US, France, Belgium, Cyprus, Portugal, Spain and the Netherlands. Authorities said that nearly half of Bitzlato’s transactions were tied to criminal activity. Five people have been arrested in all: three in Spain, one in Cyprus, and one in the US.

Editor's Note

Defeating ransomware has three parts. Step one is making available best practice guidance to protect oneself from ransomware attack; see the ‘Blueprint for Ransomware Defense.’ A second step is not to pay the ransom; over the last year great progress has been made. The third step is removing the currency exchanges used by cybercriminals. Effort along all three parts is necessary, else the cybercriminal will continue targeting organizations.

Curtis Dukes

Internet Storm Center Tech Corner

Who's Resolving This Domain

https://isc.sans.edu/diary/Whos+Resolving+This+Domain/29462

Importance of Signing in Windows Environments

https://isc.sans.edu/diary/Importance+of+signing+in+Windows+environments/29456

Apple Updates Everything

https://support.apple.com/en-us/HT201222

NSA IPv6 Security Guidance

https://media.defense.gov/2023/Jan/18/2003145994/-1/-1/0/CSI_IPV6_SECURITY_GUIDANCE.PDF

Roaming Mantis Implements New DNS Changer in Its Malicious Mobile App

https://thehackernews.com/2023/01/roaming-mantis-spreading-mobile-malware.html

FanDuel Discloses Data Breach Caused by Recent MailChimp Hack

https://www.bleepingcomputer.com/news/security/fanduel-discloses-data-breach-caused-by-recent-mailchimp-hack/

OneNote Documents Used to Embed Malicious Office Documents

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/trojanized-onenote-document-leads-to-formbook-malware/

Cisco Unified Communications Manager SQL Injection

https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cucm-sql-rpPczR8n

Possible KeePass Vulnerability

https://twitter.com/vomanc/status/1617135599030530054