SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXIII - Issue #10
February 5, 2021
SolarWinds Hackers Accessed eMail for Months; MacOS sudo Vulnerability
Know any college students who hope to work in cybersecurity?
* Registration is open now for the Cyber FastTrack competition on April 5-7. It is the surest path for talented students to get into the field.
* Final day to register is March 31.
* Prizes include: $1,000 scholarship to use for undergraduate study at any accredited U.S. college, a free place at the SANS Cyber Foundations Academy this summer (worth over $3,000) and a full or partial scholarship to the SANS Undergraduate Certificate in Applied Cyber Security (worth up to $18k).
* Sponsored by the National Cyber Scholarship Foundation (https://www.nationalcyberscholarship.org/)
* Information and registration: https://cyberft.io/Spring-CTF/
High schoolers?
18,000 high school students are already practicing for the NCS Foundation's scholarship program for potential cyber stars in high school. Information at https://www.cyberstartamerica.org/
*****************************************************************************
SANS NewsBites February 5, 2021 Vol. 23, Num. 010
*****************************************************************************
TOP OF THE NEWS
SolarWinds Hackers Had Access to eMail System for Months
SolarWinds Patches Three New Vulnerabilities
Sudo Vulnerability Affects macOS
********************* Sponsored By Dragos, Inc. ******************************
Webinar: Solidifying Asset Visibility in your ICS Environment | Whether you're a CISO, OT SOC analyst, or somewhere in between, Asset Visibility is likely a challenge for you. Join us on Feb. 25 when Mike Hoffman and Josh Carlson share tips from their ICS field experience and discuss the Dragos Collection Management Framework along with Crown Jewel Analysis. Register Now!
| http://www.sans.org/info/218865
*****************************************************************************
THE REST OF THE WEEK'S NEWS
Claim: in-toto Cybersecurity System Might Have Helped Prevent SolarWinds Attack
Better Patches Could Reduce the Number of Zero-days
StormShield Discloses Security Incident
Ransomware Operators are Targeting Industrial Goods and Services
SonicWall Firmware Patch
Kobalos Malware Targets High-Performance Computing Networks
Cisco Releases Fixes for Vulnerabilities Affecting Some VPN Routers
Wordfence: Remove Contact Form 7 Style WordPress Plugin
IBM Announces Grant Program to Help Schools with Ransomware Protection
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
New & Updated Courses
SEC301: Introduction to Cybersecurity
- https://www.sans.org/cyber-security-courses/introduction-cyber-security/
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/
MGT512: Security Leadership Essentials for Managers
- https://www.sans.org/cyber-security-courses/security-leadership-essentials-managers/
Upcoming Live Online Events
Register early to save up to $300 on Live Online courses.
See event pages for specific offers.
ICS Security Summit & Training
FREE Summit: Mar 4-5 | Courses: Mar 8-13 EST
- https://www.sans.org/event/ics-security-summit-2021/
SANS Stay Sharp - Mar 8-9 EST
2-Day Pen Test & Offensive Ops Courses
- https://www.sans.org/event/stay-sharp-pen-test-march-2021/
SANS Cyber Security West 2021 - Mar 15-20 | PDT
10 Interactive Courses | Core NetWars Tournament
- https://www.sans.org/event/cyber-security-west-march-2021/
OnDemand Training Special Offer
Get an iPad mini, Galaxy Tab S5e, or Take $300 Off with OnDemand training through February 10.
- https://www.sans.org/specials/north-america/
Offensive Operations Resources
New Cheat Sheets, Slingshot Linux Distro, Posters, and more. View & Download
- https://www.sans.org/offensive-operations/
*****************************************************************************
TOP OF THE NEWS
--SolarWinds Hackers Had Access to eMail System for Months
(February 3, 2021)
According to a report in the Wall Street Journal (subscription required), the threat actors behind the SolarWinds supply-chain attack likely had access to SolarWinds' email system for nearly a year. In an interview, SolarWinds CEO Sudhakar Ramakrishna said that the attackers had access to SolarWinds email accounts in December 2019.
[Editor Comments]
[Neely] Reducing dwell time by earlier detection is something we all are challenged with. Cloud email providers have tools to help. Make sure to enable the threat detection capabilities in your email system, that you've got adequate monitoring/alerting which is integrated with your SIEM. Also use tools such as the ones from Microsoft and FireEye to detect post-compromise activity to make sure that you're clean now and in the future.
Read more in:
The Hill: Hackers had access to SolarWinds email system for months: report
WSJ: Hackers Lurked in SolarWinds Email System for at Least 9 Months, CEO Says (paywall)
--SolarWinds Patches Three New Vulnerabilities
(February 3 & 4, 2021)
SolarWinds has released fixes for three serious security issues. Two of the flaws affect SolarWinds Orion User Device Tracker; the third affects SolarWinds Serv-U FTP for Windows. The flaws were detected by a researcher at Trustwave who notified SolarWinds in late December. SolarWinds released fixes for the flaws in an update last week.
[Editor Comments]
[Neely] SolarWinds is going to be under the microscope as they recover from their breach. Even so, their updates and fixes need to be considered and applied if warranted. If you're bound by DHS's ED 21-01 (https://cyber.dhs.gov/ed/21-01/#supplemental-guidance-v3) and permitted to run Orion, the directive is to use at least version 2020.2.1 HF2, so you're ok to install 2020.2.4. Definitely patch any internet facing Serv-U FTP servers.
[Pescatore] SolarWinds obviously has a credibility problem around updates, since compromised SolarWinds Orion updates were used to infiltrate many SolarWinds customers. Trusted, high-quality patches and updates are key to rapid patching - just like the false positive rate of detection processes and products is key to rapid prevention/mitigation. See related comment on the "Better Patches Could Reduce the Number of Zero Days" item.
Read more in:
Ars Technica: SolarWinds patches vulnerabilities that could allow full system control
ZDNet: SolarWinds patches three newly discovered software vulnerabilities
https://www.zdnet.com/article/solarwinds-patches-three-newly-discovered-software-vulnerabilities/
The Register: More patches for SolarWinds Orion after researchers find flaw allowing low-priv users to execute code, among others
https://www.theregister.com/2021/02/03/solarwinds_patch_trustwave/
SC Magazine: Three new SolarWinds vulnerabilities found and patched
Threatpost: SolarWinds Orion Bug Allows Easy Remote-Code Execution and Takeover
https://threatpost.com/solarwinds-orion-bug-remote-code-execution/163618/
Trustwave: Full System Control with New SolarWinds Orion-based and Serv-U FTP Vulnerabilities
--Sudo Vulnerability Affects macOS
(February 3, 2021)
A heap overflow vulnerability recently disclosed in the Linux sudo utility has been found to also affect the most recent version of macOS, Big Sur 11.2. The bug could be exploited to gain elevated privileges. No fix is currently available for macOS 11.2.
[Editor Comments]
[Neely] This flaw has also been reproduced on AIX. Until explicitly updated, assume all sudo versions are vulnerable. macOS users cannot update sudo directly due to OS integrity protection, introduced in macOS 10.11, which restricts overwriting of applications or files. Expect a fix in the next OS update from Apple.
[Murray] This is a privilege escalation vulnerability, requires access, and is mostly of concern in multi-user or managed systems. That said, this is a case where code has been reused in tens of products for a decade without anyone assessing its quality and suitability. Open source is not delivering on its security promise. What is everyone's responsibility is no one's responsibility. Developers must be held responsible for all the code in their products without regard to source.
Read more in:
ZDNet: Recent root-giving Sudo bug also impacts macOS
https://www.zdnet.com/article/recent-root-giving-sudo-bug-also-impacts-macos/
Bleeping Computer: Latest macOS Big Sur also has SUDO root privilege escalation flaw
******************************* SPONSORED LINKS ********************************
1) Webcast | Register for our upcoming webcast featuring SANS senior instructor and AWS Marketplace specialist Nam Le titled, "How to Build an Effective Cloud Threat Intelligence Program in the AWS Cloud" and be among the first to receive the associated whitepaper written by Dave Shackleford.
| http://www.sans.org/info/218850
2) Webcast | We invite you to join us for, "Using SOAR to Elevate Your Security Operations." Join John Pescatore, SANS and Matthew Pahl, DomainTools, as they discuss the benefits of incorporating SOAR into your organization's security operations.
| http://www.sans.org/info/218855
3) Webcast | February 10th @ 3:30 PM EST: A step-by-step guide to implementing Moving Target Defense in OT Environments. Register Now:
| http://www.sans.org/info/218860
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Claim: in-toto Cybersecurity System Might Have Helped Prevent SolarWinds Attack
(February 2, 2021)
The academic developers of a cybersecurity system protocol funded by the US government claim their approach might have been able to prevent or diminish the severity of the SolarWinds supply-chain attack. The system, called in-toto, "is designed to ensure the integrity of a software product from initiation to end-user installation. It does so by making it transparent to the user what steps were performed, by whom and in what order. As a result, with some guidance from the group creating the software, in-toto allows the user to verify if a step in the supply chain was intended to be performed, and if the step was performed by the right actor." The US government has never required its vendors to use in-toto.
[Editor Comments]
[Paller] Perhaps the in-toto developers (and the journalists implying the government is incompetent) might first want to prove their approach works at scale in their own universities, and that it has been widely adopted there and works effectively for large complex systems.
Read more in:
ProPublica: The U.S. Spent $2.2 Million on a Cybersecurity System That Wasn't Implemented -- and Might Have Stopped a Major Hack
https://www.propublica.org/article/solarwinds-cybersecurity-system
In-toto: What is in-toto?
in-toto: A framework to secure the integrity of software supply chains
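The verification the item describes, as an added example that is not in-toto's own code: a layout lists the expected steps, which functionary may perform each one, and how artifacts flow from one step to the next; each step leaves signed link metadata, and the verifier rejects a chain where a step is missing, was not in the layout, was signed by the wrong actor, or consumed artifacts other than the ones the previous step produced. Assumed for this example: HMAC-SHA256 with a per-functionary secret stands in for the public-key signatures the real framework uses (so it runs on the standard library alone), and the functionary names, step names, and artifact digests are constructed.

```python
"""Added example modelling an in-toto style layout check; not in-toto's code.
HMAC with a shared per-functionary secret stands in for real signatures."""
import hashlib
import hmac
import json

# Constructed functionary keys. In the real framework the layout carries
# public keys and each actor holds its own private key.
KEYS = {
    "developer": b"dev-secret",
    "build-server": b"ci-secret",
    "release-bot": b"release-secret",
}

# Constructed layout: expected steps in order, the only signer allowed for
# each, and which earlier step's products must equal this step's materials.
LAYOUT = [
    {"name": "commit", "signer": "developer", "materials_from": None},
    {"name": "build", "signer": "build-server", "materials_from": "commit"},
    {"name": "package", "signer": "release-bot", "materials_from": "build"},
]


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _payload(body: dict) -> bytes:
    return json.dumps(body, sort_keys=True).encode()


def sign_link(step, signer, materials, products):
    """A functionary records what it consumed and produced, then signs it."""
    body = {"step": step, "materials": dict(materials), "products": dict(products)}
    sig = hmac.new(KEYS[signer], _payload(body), "sha256").hexdigest()
    return {"signed": body, "signer": signer, "sig": sig}


def verify_links(layout, links):
    """Return (ok, reason) after checking every layout rule against the links."""
    by_step = {}
    for link in links:
        body, signer = link["signed"], link["signer"]
        if signer not in KEYS:
            return False, f"unknown signer {signer!r}"
        expected = hmac.new(KEYS[signer], _payload(body), "sha256").hexdigest()
        if not hmac.compare_digest(expected, link["sig"]):
            return False, f"bad signature on step {body['step']!r}"
        if body["step"] in by_step:
            return False, f"duplicate link for step {body['step']!r}"
        by_step[body["step"]] = link
    extra = set(by_step) - {s["name"] for s in layout}
    if extra:
        return False, f"step not in layout: {sorted(extra)}"
    for step in layout:  # layout order, so materials_from is always verified first
        link = by_step.get(step["name"])
        if link is None:
            return False, f"missing link for step {step['name']!r}"
        if link["signer"] != step["signer"]:
            return False, (f"step {step['name']!r} signed by {link['signer']!r}, "
                           f"layout requires {step['signer']!r}")
        src = step["materials_from"]
        if src and link["signed"]["materials"] != by_step[src]["signed"]["products"]:
            return False, f"materials of {step['name']!r} do not match products of {src!r}"
    return True, "all steps verified"


def honest_chain():
    """Constructed: every step done by the right actor on the right artifacts."""
    src = {"main.c": digest(b"int main(void) { return 0; }")}
    binary = {"app": digest(b"constructed build output")}
    pkg = {"app.tar.gz": digest(b"constructed tarball")}
    return [sign_link("commit", "developer", {}, src),
            sign_link("build", "build-server", src, binary),
            sign_link("package", "release-bot", binary, pkg)]


def tampered_build_chain():
    """Constructed: the build step was performed by an actor the layout forbids."""
    links = honest_chain()
    src = links[0]["signed"]["products"]
    links[1] = sign_link("build", "developer", src, {"app": digest(b"not from CI")})
    return links


def swapped_artifact_chain():
    """Constructed: packaging consumed a binary the build step never produced."""
    links = honest_chain()
    links[2] = sign_link("package", "release-bot", {"app": digest(b"other binary")},
                         {"app.tar.gz": digest(b"constructed tarball")})
    return links


if __name__ == "__main__":
    for chain in (honest_chain, tampered_build_chain, swapped_artifact_chain):
        print(chain.__name__, "->", verify_links(LAYOUT, chain()))
```

The two failure cases map onto the two properties quoted in the item: the first chain fails because a step "was performed by the wrong actor", the second because the artifact flow between steps does not line up. Note that the model only proves what each signer claimed to do; it cannot tell whether the build server itself was compromised, which is why real deployments pair it with hardened, attested build hosts.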
--Better Patches Could Reduce the Number of Zero-days
(February 2 & 3, 2021)
Maddie Stone, a Google security researcher, told an audience at the USENIX Enigma 2021 virtual conference that more than one-third of the 24 zero-day vulnerabilities Google's Project Zero team found last year were variants of other security issues that had already been disclosed or had been incompletely patched. In a blog post, Stone writes, "If more vulnerabilities are patched correctly and comprehensively, it will be harder for attackers to exploit 0-days."
[Editor Comments]
[Neely] It's easy to get tunnel-vision when a flaw is reported and only address that issue, particularly when facing a disclosure countdown. The security code review has to begin at inception, not after flaws are discovered; it's a nearly insurmountable task to review and fix existing applications. One approach is to augment bug fix procedures to include activities to seek and find and remediate similar flaws elsewhere in the code, possibly necessitating a second release.
[Pescatore] (Long anecdote coming, you can skip to the last sentence if not in the mood.) Years ago I worked for the Secret Service and part of the job was being part of advance teams and doing "technical security" in places where the protectee would visit or stay overnight. In hotels, we had to get the elevator maintenance guy to come in, inspect the elevators and recommend which one was the most reliable. On the first trip I worked solo after training and working in tandem for a few trips, in Denver, the Otis elevator guy said "I just did a repair and full preventive maintenance on elevator A, but elevator B never fails - you should use B. It always seems like on these new fancy elevators with all the electronics when I fix something, I also weaken something else that breaks the following week." I felt that elevator B was probably due to fail, ignored the advice, chose elevator A and the next morning Vice President George H. W. Bush got stuck in elevator A when the doors opened three feet above the lobby. Much paperwork ensued. Moral of the story: as we learned with Windows patches in the early days, too many software vendors treat patching as a drain on profits and don't invest in doing it right. Poor patch QA is usually a sign of bigger problems at the vendor - lack of sufficient maturity in software life cycle, under investment in QA overall, etc.
Read more in:
Google Project Zero: Deja vu-lnerability | A Year in Review of 0-days Exploited In-The-Wild in 2020
https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html
Google Docs: 0day "In the Wild"
Dark Reading: Patch Imperfect: Software Fixes Failing to Shut Out Attackers
ZDNet: Google: Proper patching would have prevented 25% of all zero-days found in 2020
The Register: Rubbish software security patches responsible for a quarter of zero-days last year
https://www.theregister.com/2021/02/03/enigma_patch_zero/
Cyberscoop: Bad patching practices are a breeding ground for zero-day exploits, Google warns
https://www.cyberscoop.com/project-zero-google-zero-days-patching/
Duo: Making 0-Day Hard is Still Hard
https://duo.com/decipher/making-0-day-hard-is-still-hard
--StormShield Discloses Security Incident
(February 2 & 3, 2021)
French cybersecurity company StormShield has disclosed that it "detected a security incident that resulted in an unauthorized access to a technical portal used ... by our customers and partners for the management of their support tickets on our products." The intruders also appear to have stolen some StormShield Network Security source code. StormShield has notified affected customers and has contacted authorities regarding the incident.
Read more in:
Stormshield: Security Incident concerning Stormshield
https://www.stormshield.com/security-incident-stormshield/
SSI: Incident de Securite chez Stormshield (in French)
https://www.ssi.gouv.fr/actualite/incident-de-securite-chez-stormshield/
ZDNet: Security firm Stormshield discloses data breach, theft of source code
https://www.zdnet.com/article/security-firm-stormshield-discloses-data-breach-theft-of-source-code/
Bleeping Computer: Hackers steal StormShield firewall source code in data breach
--Ransomware Operators are Targeting Industrial Goods and Services
(January 26 & February 2, 2021)
According to data gathered by Digital Shadows, ransomware operators targeted organizations in the industrial goods and services sector more than any other; it accounts for 29 percent of reported ransomware attacks. The next three most-targeted sectors - construction, technology, and retail - account for nine, eight, and seven percent of reported ransomware attacks, respectively.
Read more in:
ZDNet: Ransomware gangs now have industrial targets in their sights. That raises the stakes for everyone
Digital Shadows: Ransomware: Analyzing The Data From 2020
https://www.digitalshadows.com/blog-and-research/ransomware-analyzing-the-data-from-2020/
--SonicWall Firmware Patch
(February 3 & 4, 2021)
SonicWall has released a firmware patch to address critical vulnerabilities in SMA 100 series 10.x code that are being actively exploited. The issues are fixed in the SMA 100 series firmware 10.2.0.5-29sv update.
Read more in:
SC Magazine: SonicWall issues firmware patch after attackers exploited critical bugs
Bleeping Computer: SonicWall fixes actively exploited SMA 100 zero-day vulnerability
Cyberscoop: SonicWall issues patch for firmware zero-day used to attack the company and its customers
https://www.cyberscoop.com/sonicwall-patches-zero-day-firmware/
SonicWall: Urgent Patch Available For SMA 100 Series 10.X Firmware Zero-Day Vulnerability [Updated Feb. 3, 2 P.M. CST]
--Kobalos Malware Targets High-Performance Computing Networks
(February 2, 2021)
A small piece of backdoor malware is targeting high-performance computing clusters. Dubbed Kobalos by researchers at ESET, the "malware gives access to the file system of the compromised host and enables access to a remote terminal, giving the attackers the ability to run arbitrary commands." ESET surmised that the systems infected with Kobalos are specifically targeted because they belong to high-profile organizations.
[Editor Comments]
[Neely] I work with a High-Performance Computing (HPC) group which has required 2FA authentication on SSH, and limited which SSH keys, particularly from third-party organizations, can be installed, for 21 years. Those simple mitigations, along with rigorous configuration management and monitoring, are very effective controls. HPC is a very different environment from conventional data center computing resources. HPC services are often exposed to the Internet due to the size of data exchanged, and resources carefully allocated and managed. While we were getting used to gigabytes, they were working in terabyte and petabyte data sets, and in-line security devices which introduce latency can fatally impact operations. They look back on when they could only get 40gb network connections. Note that ESET has published IOCs for detecting the malware; see the We Live Security PDF below.
Read more in:
We Live Security: Kobalos - A complex Linux threat to high performance computing infrastructure
We Live Security: A Wild Kobalos Appears | Tricksy Linux malware goes after HPCs (PDF)
https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf
Ars Technica: High-performance computers are under siege by a newly discovered backdoor
Threatpost: Tiny Kobalos Malware Bedevils Supercomputers to Steal Logins
https://threatpost.com/kobalos-malware-supercomputers-logins/163604/
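A small configuration audit for the two SSH controls named in the editor comment above (a second factor on SSH and administrator-controlled authorized_keys), added here as an example; it is not ESET's tooling nor anything from the HPC group described. It parses constructed sshd_config text so it runs offline; on a real host the same parser accepts the output of `sshd -T`, which prints effective settings in the same lowercase keyword/value form. The function names and the two sample configurations are this example's own.

```python
"""Added example: audit sshd settings for a second factor and for
administrator-controlled authorized_keys. Parser and checks are this
example's own, not from ESET; sample configs below are constructed."""
import re

# Constructed: a default-like configuration where a single stolen key or
# password is enough, and users can add keys under their own home directory.
WEAK_CONFIG = """
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
"""

# Constructed: key plus an interactive second factor (PAM-backed), keys only
# from a root-owned directory so users cannot install their own.
HARDENED_CONFIG = """
Port 22
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive
AuthorizedKeysFile /etc/ssh/authorized_keys/%u
"""


def parse_sshd_config(text: str) -> dict:
    """Map lowercase keyword -> list of values. Keeps the first occurrence of
    each keyword, as sshd does, and stops at the first Match block (those need
    per-connection evaluation and are out of scope here)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        values = parts[1].split() if len(parts) > 1 else []
        settings.setdefault(key, values)
    return settings


def audit(settings: dict) -> list:
    """Return human-readable findings; an empty list means both controls hold."""
    findings = []
    methods = settings.get("authenticationmethods")
    # Space-separated entries are alternatives the client may choose between;
    # commas inside an entry mean all of those, in order. "any" (the default,
    # also what sshd -T prints when unset) is a single factor.
    if not methods or methods == ["any"]:
        findings.append("no AuthenticationMethods: one key or password is enough to log in")
    else:
        for alt in methods:
            if len(alt.split(",")) < 2:
                findings.append(f"AuthenticationMethods allows a single factor: {alt}")
    keyfiles = settings.get("authorizedkeysfile",
                            [".ssh/authorized_keys", ".ssh/authorized_keys2"])
    for path in keyfiles:
        if path.lower() == "none":
            continue  # file-based keys disabled entirely
        if not path.startswith("/"):
            findings.append(f"AuthorizedKeysFile {path} is relative to the user's home: "
                            "users can install their own keys")
    if settings.get("passwordauthentication", ["yes"])[0].lower() == "yes":
        findings.append("PasswordAuthentication yes: password guessing remains possible")
    return findings


def audit_text(text: str) -> list:
    return audit(parse_sshd_config(text))


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_text(cfg) or ["ok"])
```

Two caveats a practitioner should keep in mind: the check reads the main section only, so a `Match` block that relaxes `AuthenticationMethods` for some group would not be seen, and a root-owned `AuthorizedKeysFile` only helps if the directory is actually managed through configuration management rather than hand-edited.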
--Cisco Releases Fixes for Vulnerabilities Affecting Some VPN Routers
(February 3 & 4, 2021)
Cisco has released updates to address multiple vulnerabilities in its small-business VPN router models RV160, RV160W, RV260, RV260P, and RV260W running firmware releases prior to 1.0.01.02. The flaws exist in the routers' web-based management interface.
[Editor Comments]
[Murray] Vendors and users should prefer purpose-built management interfaces.
Read more in:
Bleeping Computer: Cisco fixes critical code execution bugs in SMB VPN routers
Threatpost: Critical Cisco Flaws Open VPN Routers Up to RCE Attacks
https://threatpost.com/cisco-flaws-vpn-routers-rce/163662/
Cisco: Cisco Small Business RV160, RV160W, RV260, RV260P, and RV260W VPN Routers Remote Code Execution Vulnerabilities
--Wordfence: Remove Contact Form 7 Style WordPress Plugin
(February 4, 2021)
Wordfence is warning of an unpatched Cross-Site Request Forgery (CSRF) to Stored Cross-Site Scripting (XSS) vulnerability affecting the Contact Form 7 Style WordPress plugin. (Contact Form 7 Style is an add-on to the Contact Form 7 plugin.) The plugin's developer has been contacted several times but has not responded. Wordfence "strongly recommends deactivating and removing this plugin and finding a replacement as it no longer appears to be maintained by its developer."
[Editor Comments]
[Neely] Read carefully: the flaw is in the Contact Form 7 Style plugin, not the Contact Form 7 plugin itself; if you have other plugins for Contact Form 7, make sure they are up-to-date. If you are running Wordfence, free or paid, the built-in XSS protections will mitigate attempted exploits. Even so, a plugin that is not being actively supported should be removed/replaced before additional unpatched flaws are discovered.
[Murray] WordPress plugin of the week. Use plugins sparingly and police them actively.
Read more in:
Wordfence: Unpatched Vulnerability: 50,000 WP Sites Must Find Alternative for Contact Form 7 Style
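The bug class in this item, CSRF that leads to stored XSS, modelled as an added example rather than the plugin's own code or anything published by Wordfence: an admin settings handler that checks only that the caller is logged in (a forged cross-site form submission carries the admin's cookie, so it passes) and then renders the saved value unescaped on the public site, next to a hardened handler that also requires a session-bound token and escapes on output. Assumed names here: the `Request` object, `save_label_*` / `render_*`, and the HMAC token scheme, which stands in for WordPress's nonce functions (`wp_nonce_field`, `check_admin_referer`) and output escaping (`esc_html`).

```python
"""Added example: CSRF-to-stored-XSS pattern and its fix, modelled in plain
Python. Not the plugin's code; request and token scheme are constructed."""
import hashlib
import hmac
import html
import secrets
from dataclasses import dataclass

SERVER_SECRET = secrets.token_bytes(32)  # constructed per-process secret


@dataclass
class Request:
    method: str
    form: dict
    session_id: str         # from the cookie the browser attaches automatically
    is_admin: bool = True   # the victim is logged in as an administrator


def csrf_token(session_id: str) -> str:
    """Token bound to the admin's session. It is embedded in the real settings
    form; a page on another origin cannot read it, so it cannot forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def save_label_vulnerable(req: Request, store: dict) -> int:
    # Verifies WHO is logged in, not whether the admin intended THIS request.
    if req.method != "POST" or not req.is_admin:
        return 403
    store["form_label"] = req.form.get("form_label", "")  # stored as-is
    return 200


def render_vulnerable(store: dict) -> str:
    # Unescaped output: whatever was stored becomes markup on the public site.
    return f"<label>{store.get('form_label', '')}</label>"


def save_label_hardened(req: Request, store: dict) -> int:
    if req.method != "POST" or not req.is_admin:
        return 403
    supplied = req.form.get("_csrf", "")
    if not hmac.compare_digest(supplied, csrf_token(req.session_id)):
        return 403  # no valid session-bound token: treat as forged
    store["form_label"] = req.form.get("form_label", "")
    return 200


def render_hardened(store: dict) -> str:
    # Escape at output so stored text can never become tags or attributes.
    return f"<label>{html.escape(store.get('form_label', ''))}</label>"


def forged_request() -> Request:
    """Constructed: a POST produced by a third-party page the logged-in admin
    visited. The browser attached the admin's session cookie, but the page
    could not include the token, which only the real settings form contains."""
    return Request("POST", {"form_label": "<script>alert(1)</script>"},
                   session_id="admin-session")


def legitimate_request() -> Request:
    """Constructed: the admin submits the real settings form, token included."""
    return Request("POST", {"form_label": "Your name",
                            "_csrf": csrf_token("admin-session")},
                   session_id="admin-session")


def demo() -> dict:
    weak, hard = {}, {}
    return {
        "forged_vs_vulnerable": save_label_vulnerable(forged_request(), weak),
        "forged_vs_hardened": save_label_hardened(forged_request(), hard),
        "legit_vs_hardened": save_label_hardened(legitimate_request(), hard),
        "vulnerable_page": render_vulnerable(weak),
        "hardened_page": render_hardened(hard),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The two fixes are independent and both matter: the token stops a third-party page from changing settings on the admin's behalf, and escaping at output means that even a value saved through some other path cannot run as script on the site. That is also why Neely's point stands that a web application firewall's XSS filtering only mitigates the exploit rather than removing the flaw.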
--IBM Announces Grant Program to Help Schools with Ransomware Protection
(February 4, 2021)
IBM has announced a $3 million grant program to help US school districts protect their systems from ransomware. IBM will award $500,000 in-kind grants to six school districts, which will be chosen through an application process. The applications opened on February 4 and close on March 1, 2021. Teams from IBM's Service Corps Program will "help [the selected schools] proactively prepare for and respond to cyberattacks."
[Editor Comments]
[Neely] With the increased reliance on network services to deliver classroom content, and without corresponding increases in cyber security initiatives to help keep those services and online activities secure, these grants may be helpful. These in-kind grants include a team of six to ten people from IBM's Service Corps Program to help develop incident response plans and implement basic cyber security training, including online hygiene and password management.
[Murray] Certainly a worthy effort but it shines a light on just how costly this problem is. There are 130K school districts in the US. At $500K per, "pretty soon, that adds up to real money."
Read more in:
Edscoop: IBM plans grant program to help schools fend off ransomware
https://edscoop.com/ibm-ransomware-grant-program-k12-schools/
The Hill: IBM rolls out $3M grant program for schools to defend against cyberattacks
IBM: IBM Introduces $3 Million in Cybersecurity Grants for Public Schools in United States as Attacks on Education Grow
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
SolarWinds SANS Lightning Summit
https://www.sans.org/webcasts/solarwinds-lightning-summit-118550
New Example of XSL Script Processing aka "Mitre T1220"
https://isc.sans.edu/forums/diary/New+Example+of+XSL+Script+Processing+aka+Mitre+T1220/27056/
Excel Spreadsheets Push SystemBC Malware
https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/
Abusing Google Chrome Extension Syncing For Data Exfiltration and C&C
Camerfirma Certificate Authority Revocation
https://groups.google.com/g/mozilla.dev.security.policy/c/jif4zWNgGPw
Social Engineering Attacks against Security Researchers Used IE 0 day
https://enki.co.kr/blog/2021/02/04/ie_0day.html
Kobalos HPC Linux Malware
Agent Tesla Overwrites Windows AMSI
https://threatpost.com/agent-tesla-microsoft-asmi/163581/
SolarWinds Vulnerability
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28389
SonicWall Patch
Cisco Advisories
https://tools.cisco.com/security/center/publicationListing.x
Realtek RTL8195A Wi-Fi Module Vulnerability
https://www.vdoo.com/blog/realtek-rtl8195a-vulnerabilities-discovered
Microsoft Defender ATP Google Chrome False Positive
https://twitter.com/itquartz/status/1356940218138509312
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.