Decipher (https://decipher.sc). Decipher is an independent editorial site that takes a practical approach to covering information security. Through news analysis and in-depth features, Decipher explores the impact of the latest risks and provides informative and educational material for readers curious about how security affects our world. Feed updated Thu, 29 Jul 2021. Contact: Amy Vazquez, info@decipher.sc. Copyright 2021.

Decipher Podcast: Jules Okafor (Dennis Fisher, Thu, 29 Jul 2021) https://duo.com/decipher/decipher-podcast-jules-okafor

Biden Moves to Reinforce Critical Infrastructure Security (Dennis Fisher, Wed, 28 Jul 2021) https://duo.com/decipher/biden-moves-to-reinforce-critical-infrastructure-security

Following high-profile attacks on a major gas pipeline, a water control facility, and other critical infrastructure facilities in recent months, the Biden administration is establishing a new information-sharing and collaboration initiative with the private sector to improve the security of ICS systems and address the latent weaknesses and vulnerabilities in many of those environments.

The initiative is part of a broader effort to upgrade critical infrastructure (CI) security that President Joe Biden laid out in a National Security Memorandum he signed Wednesday. The memo also lays the groundwork for the federal government to create a set of security performance goals for critical infrastructure operators: baseline security practices that should be in place across critical infrastructure sectors. The initial set of performance goals will be published by Sept. 22, with the final goals due by July 2022.

Biden’s critical infrastructure security effort comes two months after the DarkSide ransomware attack on the Colonial Pipeline, an incident that led to a temporary fuel shortage in some southern states and a ransom payment of $4.4 million. The FBI later recovered more than $2 million of that money, but that attack and a subsequent one on meat producer JBS Meats had the effect of galvanizing the administration and spurring action in a number of areas. In a recent conversation with Russian President Vladimir Putin, Biden brought up the issue of ransomware and attacks on critical infrastructure by cybercrime groups based in Russia, and said the U.S. “will take any necessary action to defend its people and its critical infrastructure in the face of this continuing challenge.”

In the new memo, Biden emphasizes the need for cooperation between federal agencies and critical infrastructure operators to shore up security in environments such as the electrical grid, water, gas, and others. Earlier this year, the administration began a pilot security improvement program in the electrical sector, and the memo expands that to other critical infrastructure sectors.


“The Initiative builds on, expands, and accelerates ongoing cybersecurity efforts in critical infrastructure sectors and is an important step in addressing these threats. We cannot address threats we cannot see; therefore, deploying systems and technologies that can monitor control systems to detect malicious activity and facilitate response actions to cyber threats is central to ensuring the safe operations of these critical systems,” the memo says.

As part of the initiative, the Department of Homeland Security and the National Institute of Standards and Technology will develop the baseline performance goals for the critical infrastructure sectors. While the goals themselves are still in the beginning stage of development, what they’re meant to accomplish is clear.

“These performance goals should serve as clear guidance to owners and operators about cybersecurity practices and postures that the American people can trust and should expect for such essential services. That effort may also include an examination of whether additional legal authorities would be beneficial to enhancing the cybersecurity of critical infrastructure, which is vital to the American people and the security of our Nation,” the memo says.

Security is difficult in the best of circumstances, and trying to defend a wide range of critical infrastructure networks and facilities that are mostly in private hands is not the best of circumstances. Doing so requires the cooperation of the infrastructure operators and the Cybersecurity and Infrastructure Security Agency (CISA), the federal agency tasked with defending CI networks. Jen Easterly, the newly confirmed director of CISA, said the new initiatives in the memo are welcome additions.

“I commend [Biden] for doubling down on his commitment to bolster critical infrastructure cybersecurity & protect our national critical functions. Recent incidents like the ransomware attacks on Colonial Pipeline & JBS show the urgent need to implement strong security controls,” Easterly said on Twitter.

“We can set the goals, but we need companies to do their part to meet them. The American people are counting on it.”

Microsoft Issues Guidance for Mitigating PetitPotam NTLM Relay Attack (Dennis Fisher, Tue, 27 Jul 2021) https://duo.com/decipher/microsoft-issue-guidance-for-mitigating-petitpotam-ntlm-relay-attack

Microsoft has released detailed guidance to help enterprises protect their networks against a new variant of the old NTLM relay attack called PetitPotam that can allow a user to force one Windows server to authenticate to another one.

PetitPotam works against servers that have NTLM authentication enabled and Active Directory Certificate Services (AD CS) used for Certificate Authority Web Enrollment or Certificate Enrollment Web Service. The PetitPotam tool, released last week, demonstrates how an attacker could abuse the Microsoft Encrypting File System Remote Protocol (MS-EFSRPC) to cause one Windows server to authenticate to another server using NTLM authentication over the local security authority RPC (LSARPC) service.

“What’s even crazier is that this can be done without any authentication – so as long as you can connect to the target server to the LSARPC named pipe with interface c681d488-d850-11d0-8c52-00c04fd90f7e, you can make that target server connect to any other server,” Bojan Zdrnja of the SANS Internet Storm Center wrote in an analysis of the flaw.

“The other vulnerability that is being exploited here is the fact that the IIS server that is used by Active Directory Certificate Services uses NTLM over HTTP for authentication. This makes it perfect for this attack.”


NTLM relay attacks have been around in various forms for many years and they’re well understood by Microsoft and many network administrators. The broad advice for mitigating these attacks is to disable NTLM authentication on domain controllers, and the more specific mitigation related to PetitPotam is to disable NTLM on any AD CS servers and to disable NTLM for IIS on AD CS servers.

However, Zdrnja said those mitigations are not completely effective.

“What the advisory above missed is the fact that the PetitPotam vulnerability is a completely separate issue - it allows an attacker to provoke a server to authenticate to an arbitrary machine. Abusing ADCS is just one way to use this - any service that allows NTLM authentication can probably be abused similarly (Print Spooler could be a candidate),” Zdrnja said.

Officials Cite Progress on Ransomware, But Say Much More Work Ahead (Dennis Fisher, Mon, 26 Jul 2021) https://duo.com/decipher/officials-cite-progress-on-ransomware-but-say-much-more-work-ahead

The fight against ransomware is happening on many different fronts and while some ransomware gangs are making rather large piles of money, law enforcement and security researchers have had their successes, as well. The takedowns of some ransomware-adjacent botnets and arrests of some ransomware operators have forced criminals to adjust their tactics and techniques, which in turn has made life more difficult for the researchers and investigators who track them.

The most disruptive change that ransomware gangs have made recently is the shift away from vertical integration and toward specialization and diversification. In the early days of the ransomware epidemic, the people who developed ransomware were usually the same ones who gained access to victim networks and then deployed the ransomware. That model works pretty well for criminals who have a broad skill set, but for those who just want to make some easy money without actually learning how to do the thing that produces that money, it’s a little daunting. Enter the ransomware-as-a-service (RaaS) model, which divides the various tasks in the ransomware creation, infection, deployment, and payment ecosystem among people with the specific skills necessary to accomplish them. In this system, ransomware developers write the malware and then farm it out to affiliates, who deploy it and split any resulting profits with the developers.

RaaS is now the dominant model among ransomware gangs and it has proven to be extremely profitable for many of them. It has also had the effect of giving law enforcement fits.

“Specialization has made investigation more difficult because you're not just looking at one criminal group, you’re looking for several. It has made investigations more complex,” said Marijn Schuurbiers, deputy head of the Dutch High Tech Crime Unit, during a panel discussion on ransomware Monday sponsored by the No More Ransom initiative.

“The market has gotten more efficient. People specialize in coding one thing really good and leave the rest to other people.”

Perhaps the most prominent example of RaaS is the Russia-based REvil group, which is responsible for some of the nastier and more notorious ransomware infections in recent memory. The most recent ugliness attributed to REvil is the mass infection of more than 1,500 companies that use the Kaseya VSA platform earlier this month, an event that led President Joe Biden to tell Russian President Vladimir Putin that the United States “will take any necessary action to defend its people and its critical infrastructure in the face of this continuing challenge.”

Soon after the Kaseya incident, the REvil operation essentially dropped offline. But there are plenty of other RaaS operations still going strong and making considerable amounts of money.

“The groups that are still operating, they did separate duties very well. They all use what works best, like exploit kits, phishing campaigns. Everybody’s doing the thing they’re very good at,” said Catalin Cosoi, senior security strategist at Bitdefender.


Disrupting RaaS operations has proven to be challenging, thanks to their decentralized nature and the ability these groups have shown to shift their infrastructure whenever necessary. One of the key methods that researchers have used to defeat RaaS operations is finding mistakes or weaknesses in the encryption schemes the ransomware employs. That works in some cases, but it’s by no means a panacea.

“We constantly have to find the Achilles heel of criminals. They will improve and evolve but there will always be an Achilles heel. Is it the encryption algorithm? That’s always a great one but there will be others,” said Schuurbiers.

On the defensive side, maintaining current, offsite backups of all key enterprise systems can be the key to recovering from a ransomware infection. But stopping the infection in the first place is just as important, and Schuurbiers said implementing two-factor authentication on high-value systems and services is quite valuable.

“We have seen incidents where as soon as they hit 2FA, they drop it and go on to the next victim. They have so many potential victims, if they see 2FA they leave. Implement 2FA on your most important data,” he said.

Ransomware began as a nuisance, evolved into an enterprise threat, and has now reached the point of being a national security concern. Given the amount of money to be made and volume of potential victims available, it’s unlikely that ransomware will drop off the map anytime soon.

“It’s unfortunately a very successful criminal business model. I don’t think we’ll see this disappear in the near future. It goes way beyond the financial damage. There’s a real risk to our lives,” said Philipp Amann, head of strategy at Europol’s EC3 cybercrime unit.

New Print Spooler Flaw Found in Windows (Dennis Fisher, Wed, 21 Jul 2021) https://duo.com/decipher/new-print-spooler-flaw-found-in-windows

There is another serious vulnerability in the Windows print spooler service that Microsoft says can allow an unprivileged local user to get system-level privileges.

The new vulnerability (CVE-2021-34481) surfaced this week and Microsoft does not yet have a patch available for it. The company has not indicated whether it will release an out-of-band patch for the bug, but it has released a preliminary advisory that recommends customers disable the print spooler service for the time being.

“An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” the Microsoft advisory says.

“An attacker must have the ability to execute code on a victim system to exploit this vulnerability.”

Researcher Jacob Baines of Dragos discovered the vulnerability and said he reported it to the Microsoft Security Response Center on June 18. The new vulnerability is not specifically related to the PrintNightmare bugs in the print spooler service that were disclosed earlier this month. Those vulnerabilities were more serious and could lead to remote code execution, whereas the newer one is a local privilege escalation vulnerability.

“I don't consider it to be a variant of PrintNightmare. The MS advisory/CVE was a surprise to me and, as far as I'm concerned, it wasn't a coordinated disclosure,” Baines said on Twitter.

Microsoft is still determining exactly which versions of Windows are affected by the new flaw, but said Windows 10 and newer are vulnerable.

Privilege Escalation Flaw Found Buried in Linux File System (Dennis Fisher, Tue, 20 Jul 2021) https://duo.com/decipher/privilege-escalation-flaw-found-buried-in-linux-file-system

Researchers have discovered a serious vulnerability buried deep in the Linux file system that could allow an unprivileged user to gain root privileges.

The bug (CVE-2021-33909) has been there since at least 2014 and it affects a wide range of Linux distributions, including Debian, Ubuntu, Fedora, and many others. The researchers at Qualys who discovered the flaw developed an exploit that worked against several of those distributions and disclosed the bug to the affected vendors. Engineers at Red Hat, which hosts the main Linux development mailing list, developed a patch for the flaw. The bug, which Qualys has named Sequoia, requires local access to the target machine for successful exploitation.

“We discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer,” the Qualys advisory says.

The Sequoia vulnerability is serious and its reach is broad, but the requirement for local system access mitigates the potential damage for enterprises. There is an upstream patch available for the bug now, but it’s not clear how many vendors have incorporated it yet.

“Successful exploitation of this vulnerability allows any unprivileged user to gain root privileges on the vulnerable host. Qualys security researchers have been able to independently verify the vulnerability, develop an exploit, and obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation. Other Linux distributions are likely vulnerable and probably exploitable,” Bharat Jogi, a senior manager for vulnerabilities and signatures at Qualys, said in a post.

Red Hat Enterprise Linux 6, 7, and 8 are all affected by the vulnerability, as are any other Red Hat products supported on those vulnerable versions. The company said that it has not found any potential mitigations for this flaw and recommends that customers update vulnerable packages as soon as they can.

U.S. Indicts Four Chinese Nationals for Cyberespionage (Dennis Fisher, Mon, 19 Jul 2021) https://duo.com/decipher/u-s-indicts-four-chinese-nationals-for-cyberespionage

The Department of Justice has unsealed an indictment that alleges four Chinese nationals, three of whom are state intelligence officers, have conducted broad cyberespionage campaigns that targeted companies in more than a dozen countries. The men are allegedly part of the threat group known as APT40, which is known for targeting companies in the defense and engineering industries, among others.

The indictments against Ding Xiaoyang, Cheng Qingmin, Zhu Yunmin and Wu Shurong are part of a broader set of actions the federal government took on Monday to expose cyberespionage and ransomware activities that White House officials say are sponsored and encouraged by the Chinese government. Xiaoyang, Qingmin, and Yunmin are members of the Hainan State Security Department, and Shurong worked at Hainan Xiandun Technology Development, which the Justice Department alleged was a front company for Chinese state security.

“This indictment alleges a worldwide hacking and economic espionage campaign led by the government of China,” said Acting U.S. Attorney Randy Grossman for the Southern District of California. “The defendants include foreign intelligence officials who orchestrated the alleged offenses, and the indictment demonstrates how China’s government made a deliberate choice to cheat and steal instead of innovate. These offenses threaten our economy and national security, and this prosecution reflects the Department of Justice’s commitment and ability to hold individuals and nations accountable for stealing the ideas and intellectual achievements of our nation’s best and brightest people.”

As part of these actions, the White House publicly attributed to the Chinese Ministry of State Security the exploitation activity that targeted the four Microsoft Exchange zero days that were disclosed in March. Those attacks were widespread and affected organizations in a wide range of industries. The White House said it had a “high degree of confidence” that actors affiliated with the MSS were exploiting the flaws.

“Before Microsoft released its security updates, MSS-affiliated cyber operators exploited these vulnerabilities to compromise tens of thousands of computers and networks worldwide in a massive operation that resulted in significant remediation costs for its mostly private sector victims,” the White House statement says.

“We have raised our concerns about both this incident and the PRC’s broader malicious cyber activity with senior PRC Government officials, making clear that the PRC’s actions threaten security, confidence, and stability in cyberspace.”

The White House also said that some actors working on behalf of the Chinese government have run ransomware operations for the benefit of the government.

“In some cases, we are aware that PRC government-affiliated cyber operators have conducted ransomware operations against private companies that have included ransom demands of millions of dollars. The PRC’s unwillingness to address criminal activity by contract hackers harms governments, businesses, and critical infrastructure operators through billions of dollars in lost intellectual property, proprietary information, ransom payments, and mitigation efforts,” the White House statement says.

APT40 has been operating for close to a decade and a lot of the group’s activities focus on obtaining intellectual property and information to support China’s military and modernization efforts. The Biden administration’s exposure of the group’s activities was done in coordination with the European Union, NATO, and the UK government.

Chinese Attack Group Exploiting SolarWinds Zero Day (Dennis Fisher, Thu, 15 Jul 2021) https://duo.com/decipher/chinese-attack-group-exploiting-solarwinds-zero-day

Microsoft recently discovered an attack group operating from China exploiting a previously unknown vulnerability in the SolarWinds Serv-U products to target a small number of organizations. The vulnerability can lead to remote code execution, and SolarWinds has released a fix for it in a new update after Microsoft informed the company of the attacks.

The bug affects the SolarWinds Serv-U Managed File Transfer and Secure FTP products, and it lies in the implementation of SSH in those products. Microsoft said the attack group that was exploiting it has been known to target companies in the defense and software sectors in the past. Microsoft calls the group DEV-0322, but didn’t identify it beyond saying it operates from China. The Microsoft Threat Intelligence Center gave the details of the exploit and the underlying vulnerability to SolarWinds and worked with the company to help mitigate the attacks.

“MSTIC discovered the 0-day attack behavior in Microsoft 365 Defender telemetry during a routine investigation. An anomalous malicious process was found to be spawning from the Serv-U process, suggesting that it had been compromised,” Microsoft said.

“We observed DEV-0322 piping the output of their cmd.exe commands to files in the Serv-U \Client\Common\ folder, which is accessible from the internet by default, so that the attackers could retrieve the results of the commands. The actor was also found adding a new global user to Serv-U, effectively adding themselves as a Serv-U administrator, by manually creating a crafted .Archive file in the Global Users directory. Serv-U user information is stored in these .Archive files.”

The vulnerability affects version 15.2.3 HF1 of the Serv-U software, and SolarWinds is urging customers to install the new update as soon as possible.

“Microsoft has provided evidence of limited, targeted customer impact, though SolarWinds does not currently have an estimate of how many customers may be directly affected by the vulnerability. SolarWinds is unaware of the identity of the potentially affected customers,” SolarWinds said.

SonicWall Warns of Active Ransomware Campaign Targeting Older Appliances (Dennis Fisher, Wed, 14 Jul 2021) https://duo.com/decipher/sonicwall-warns-of-active-ransomware-campaign-targeting-older-appliances

A targeted ransomware campaign by an unknown actor is exploiting a known vulnerability in some older SonicWall security appliances and the company is warning customers still running those products that there are no real mitigations available right now.

SonicWall said the campaign is targeting several end-of-life appliances that are no longer supported or receiving firmware updates, including the Secure Mobile Access (SMA) 100 and the older Secure Remote Access line. The actors are exploiting a vulnerability in the 8.x firmware line.

“Through the course of collaboration with trusted third parties, SonicWall has been made aware of threat actors actively targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life (EOL) 8.x firmware in an imminent ransomware campaign using stolen credentials. The exploitation targets a known vulnerability that has been patched in newer versions of firmware,” the company said in an advisory Wednesday.

“If your organization is using a legacy SRA appliance that is past end-of life status and cannot update to 9.x firmware, continued use may result in ransomware exploitation. The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk.”

SonicWall also warned customers running other older appliances that are not under active attack that they should disconnect them immediately and reset the credentials. Those products include the SRA 4600/1600 line, the SRA 4200/1200 line, and the SSL-VPN 200/2000/400 line. The SMA 400/200 line is still supported in a limited retirement mode and customers using those should upgrade the firmware immediately, enable MFA and reset the passwords.

The company did not specify which vulnerability the ransomware campaign is targeting or which actor is conducting the attacks.

Biden Says U.S. Will Take 'Any Necessary Action' to Defend Against Ransomware (Dennis Fisher, Fri, 09 Jul 2021) https://duo.com/decipher/biden-says-u-s-will-take-any-necessary-action-to-defend-against-ransomware

With the effects of last week’s REvil ransomware attack on users of Kaseya’s VSA platform still shaking out, President Joe Biden told Russian President Vladimir Putin in a phone call Friday that Putin’s government has a responsibility to disrupt REvil and other ransomware groups that operate from that country.

REvil is one of many ransomware gangs that are known to operate from Russia, and while authorities in the United States and other countries have called out these groups publicly, the Russian government has shown no appetite for going after them in any way. The attack on Kaseya’s VSA platform has had devastating effects for many of the company’s customers, who were hit with REvil ransomware after dozens of MSPs that use VSA were compromised.

“President Biden also spoke with President Putin about the ongoing ransomware attacks by criminals based in Russia that have impacted the United States and other countries around the world. President Biden underscored the need for Russia to take action to disrupt ransomware groups operating in Russia and emphasized that he is committed to continued engagement on the broader threat posed by ransomware,” a readout of the call from the White House says.

In the call with Putin, Biden also said that the U.S. may take action of its own, though he did not specify what that could entail.

“President Biden reiterated that the United States will take any necessary action to defend its people and its critical infrastructure in the face of this continuing challenge,” the White House readout says.


Some security and cyber policy experts have been advocating for Biden to pressure Putin on the ransomware issue, and specifically the need for the Russian government to stop ransomware groups from launching attacks.

“Biden, however, can push Putin to act by sending a clear message, proffered privately and directly: Moscow must immediately identify the responsible individuals operating in its territory or subject to its control, produce the encryption keys necessary to unlock the victims’ data, and put a halt to future ransomware attacks from within its borders,” Dmitri Alperovitch and Matthew Rojansky wrote in an op-ed piece in Washington Post this week.

“If not, Washington could hit Russia where it hurts by sanctioning its largest gas and oil companies, which are responsible for a significant portion of the Russian government’s revenue.”

Another potential option is for U.S. teams, either from the military or intelligence community, to run offensive operations against ransomware actors to disrupt their infrastructure and operations.

Kaseya Plans to Restart VSA Service Sunday (Dennis Fisher, Thu, 08 Jul 2021) https://duo.com/decipher/kaseya-plans-to-restart-vsa-service-sunday

After a couple of false starts in attempting to bring its SaaS and on-premises VSA services back online following the REvil ransomware event last week, Kaseya executives now say the services won’t be available until Sunday afternoon.

Kaseya CEO Fred Voccola said in a video update Wednesday evening that he was “very confident” that the company’s VSA services would be back online Sunday, and clarified that it was his decision to halt the previous restart attempt earlier this week. The decision was made out of an abundance of caution after Kaseya’s internal IT team and outside experts suggested some additional security mitigations.

“I don’t want anyone to think that we aren’t taking this as seriously as anything we’ve done professionally,” Voccola said.

“All software has vulnerabilities and flaws and it’s our job to make sure they don’t impact you.”

The ransomware incident that caused the shutdown of Kaseya’s VSA remote management and monitoring service was not a direct attack on the company itself, but rather against several dozen managed service providers (MSPs) that use the on-premises version of the product. The REvil ransomware actors were able to exploit at least two previously undisclosed vulnerabilities in VSA to gain access to the servers and then eventually deploy ransomware on the networks of the MSPs’ customers. Those flaws were two of seven that researchers from the Dutch Institute for Vulnerability Disclosure (DIVD) discovered and disclosed to Kaseya in early April.


Kaseya patched some of the flaws in May, but others have not yet been resolved.

“When we discovered the vulnerabilities in early April, it was evident to us that we could not let these vulnerabilities fall into the wrong hands. After some deliberation, we decided that informing the vendor and awaiting the delivery of a patch was the right thing to do. We hypothesized that, in the wrong hands, these vulnerabilities could lead to the compromise of large numbers of computers managed by Kaseya VSA,” the DIVD CSIRT said in a post on the vulnerabilities.

“We later learned that one of the two vulnerabilities used in the attack was one we previously disclosed to Kaseya VSA. We have no indication that Kaseya is hesitant to release a patch. Instead they are still working hard to make sure that after their patch the system is as secure as possible, to avoid a repeat of this scenario.”

The number of total organizations affected by the REvil ransomware in this incident is unclear, but Kaseya officials said earlier this week that it was fewer than 1,500 organizations.

<![CDATA[Microsoft Releases Emergency Patch for PrintNightmare Bug]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/microsoft-releases-emergency-patch-for-printnightmare-bug https://duo.com/decipher/microsoft-releases-emergency-patch-for-printnightmare-bug Wed, 07 Jul 2021 00:00:00 -0400

Microsoft has released an out-of-band update to address the PrintNightmare remote code execution vulnerability in Windows, although the fix isn’t available for all Windows versions yet and researchers say it does not patch the local privilege escalation bug that is part of the same vulnerability set.

The patch for CVE-2021-34527 rolled out Tuesday, more than a week after several proof-of-concept exploits were published for the vulnerability. Attackers have exploited the vulnerability, which allows a remote attacker to execute code with system privileges.

“Note that while the Microsoft security bulletin for CVE-2021-34527 states that ‘An attack must involve an authenticated user calling RpcAddPrinterDriverEx(),’ we have found this statement to be incorrect. An exploit that uses RpcAsyncAddPrinterDriver() can achieve the same goal as earlier versions of the exploit, while not using RpcAddPrinterDriverEx() at all,” an advisory from the CERT Coordination Center says.

“Additionally, the Microsoft update for CVE-2021-34527 only appears to address the Remote Code Execution (RCE via SMB and RPC) variants of the PrintNightmare, and not the Local Privilege Escalation (LPE) variant.”

The vulnerability affects every supported version of Windows and the vulnerable print spooler service is enabled by default on Windows domain controllers.

“The main issue with ‘printnightmare’ was the ability of regular users to load their own printer drivers. One issue the patch fixes is that normal users are only allowed to provide digitally signed printer drivers. Unsigned drivers may only be installed by Administrators, reducing the privilege escalation issue of normal users installing malicious printer drivers,” Johannes Ullrich of the SANS Institute wrote in an analysis of the bug.

“Your system may, however, still be vulnerable if you have ‘Point&Print’ enabled. The patch does not prevent users using ‘Point&Print’ from installing their own, possibly malicious, printer drivers.”

The fix for this vulnerability is not available yet for Windows 10 1607, Windows Server 2012, and Windows Server 2016.

<![CDATA[Kaseya Attack Affects Nearly 1,500 Companies]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/kaseya-attack-affects-nearly-1-500-companies https://duo.com/decipher/kaseya-attack-affects-nearly-1-500-companies Tue, 06 Jul 2021 00:00:00 -0400

The attack that compromised Kaseya’s VSA product last week and led to a widespread REvil ransomware incident has affected nearly 1,500 businesses so far, and researchers say there are ongoing attacks in more than 20 countries.

The incident began on July 2 when REvil actors exploited a vulnerability in the Kaseya Virtual Server Administration product to gain access to the on-premises VSA servers on the networks of a number of managed service providers (MSPs). The actors then used the tool, which is a remote management and monitoring application, to deploy ransomware on the networks of hundreds of those MSPs’ customers. The damage from the incident has been extensive: it has forced the closing of stores in some countries and affected schools and many businesses. The actors behind the incident have said they would decrypt all of the infected systems for $70 million.

Researchers working on the incident have discovered that the REvil actors exploited at least one vulnerability in Kaseya VSA, and possibly others, to gain initial access to the servers and then deploy the ransomware payload.

“All of these VSA servers are on-premises and Huntress has confirmed that cybercriminals have exploited an arbitrary file upload and code injection vulnerability and have high confidence an authentication bypass was used to gain access into these servers,” researchers from Huntress, which works with MSPs, said.

“This potential authentication bypass likely grants the user a valid session, and may let the user ‘impersonate’ a valid agent. If that speculation is correct, the user could access other files that require authentication -- specifically KUpload.dll and userFilterTableRpt.asp in this case. KUpload.dll offers upload functionality and logs to a file KUpload.log. From our analysis, we have seen the KUpload.log on compromised servers prove the files agent.crt and Screenshot.jpg were uploaded to the VSA server. agent.crt is, as previously stated, used to kick off the payload for ransomware.”

Both the FBI and CISA are involved in the investigation and recovery process for the incident, and Kaseya is still working on a fix that will enable it to bring both its on-premises and cloud VSA services back online. The company estimates that it will be able to bring the SaaS VSA implementation back online this afternoon, and then have the patch available for on-premises servers within 24 hours after that.

REvil is one of the many ransomware-as-a-service operations that have sprung up in the last couple of years, offering criminals the tools and support to deploy ransomware. The group has been operating for more than two years and has been quite active and successful. The number of affiliates that buy REvil’s services isn’t clear, but the ransomware has been used in some high-profile incidents, including the attack on JBS USA in May. In that incident, the company eventually paid a ransom of $11 million.

"They run it like a business. REvil is about as sophisticated as they come. They take it seriously," said Kyle Hanslovan, CEO of Huntress.

<![CDATA[Fancy Bear Running Long Brute-Force Campaign on U.S. Targets]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/fancy-bear-running-long-brute-force-campaign-on-u-s-targets https://duo.com/decipher/fancy-bear-running-long-brute-force-campaign-on-u-s-targets Fri, 02 Jul 2021 00:00:00 -0400

The Russian GRU has been running a widespread campaign for nearly two years that uses a large Kubernetes cluster to hammer public and private networks with brute-force access attempts.

The group, which is known as APT28 and Fancy Bear, is often associated with cyberespionage attacks against government agencies and technology companies. In a new joint advisory, the NSA, FBI, CISA and the UK’s NCSC warn that the group is targeting organizations running Microsoft Office 365 and other cloud services, as well as on-premises email servers. The campaign has been going on since about the middle of 2019, and the agencies said the attackers are also using exploits for a couple of known vulnerabilities in Microsoft Exchange.

“This brute force capability allows the 85th GTsSS actors to access protected data, including email, and identify valid account credentials. Those credentials may then be used for a variety of purposes, including initial access, persistence, privilege escalation, and defense evasion,” the advisory says.

“The actors have used identified account credentials in conjunction with exploiting publicly known vulnerabilities, such as exploiting Microsoft Exchange servers using CVE-2020-0688 and CVE-2020-17144, for remote code execution and further access to target networks. After gaining remote access, many well-known tactics, techniques, and procedures (TTPs) are combined to move laterally, evade defenses, and collect additional information within target networks.”

Brute-force campaigns like this one are quite common and there are often many separate groups running them at any given time. Cybercrime groups use brute force tactics against their targets, taking credentials from public data breach dumps and throwing them against a variety of systems. The somewhat unusual piece of the current GRU activity is the use of the Kubernetes cluster as the attack platform.

“In an attempt to obfuscate its true origin and to provide a degree of anonymity, the Kubernetes cluster normally routes brute force authentication attempts through TOR and commercial VPN services, including CactusVPN, IPVanish, NordVPN, ProtonVPN, Surfshark, and WorldVPN. Authentication attempts that did not use TOR or a VPN service were also occasionally delivered directly to targets from nodes in the Kubernetes cluster,” the advisory says.

The current campaign has targeted a wide range of organizations in the United States, including both government agencies and private companies. The advisory says the GRU campaign has gone after hundreds of organizations in the U.S., Europe, and other countries, including defense contractors, think tanks, energy companies, media companies, and law firms. The composition of the Kubernetes cluster used in the campaign changes over time, and the attackers are using a number of different user agent strings and protocols.

“Network managers should adopt and expand usage of multi-factor authentication to help counter the effectiveness of this capability. Additional mitigations to ensure strong access controls include time-out and lock-out features, the mandatory use of strong passwords, implementation of a Zero Trust security model that uses additional attributes when determining access, and analytics to detect anomalous accesses,” the advisory says.
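The advisory's recommended mitigations (lock-out features, analytics to detect anomalous access) work against two different failure patterns: classic brute force, where one account sees many failures, and password spraying, where a source tries a few guesses against many accounts so that no single account reaches a lock-out threshold. The following Python is an added example, not code from the advisory or from any of the agencies, that runs both detections over a handful of constructed authentication log lines. The log format (`<timestamp> <OK|FAIL> user=... src=... ua=...`), the IP addresses, the account names and the thresholds are all assumptions made for the example; a real deployment would read its own identity provider's sign-in logs and tune the windows to its traffic.

```python
"""Detect brute-force and password-spray patterns in authentication logs.

Added example for the joint advisory discussed above. The log format,
sample events and thresholds are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Set

# Constructed sample log (documentation IP ranges, invented account names).
# One source sprays five accounts once each, so no account is locked out;
# a separate distributed attempt hits "alice" from many rotating sources.
SAMPLE_LOG = """\
2021-06-01T10:00:01Z FAIL user=alice src=203.0.113.5 ua=Mozilla/5.0
2021-06-01T10:00:03Z FAIL user=bob src=203.0.113.5 ua=Mozilla/5.0
2021-06-01T10:00:05Z FAIL user=carol src=203.0.113.5 ua=curl/7.68
2021-06-01T10:00:07Z FAIL user=dave src=203.0.113.5 ua=python-requests/2.25
2021-06-01T10:00:09Z FAIL user=erin src=203.0.113.5 ua=Mozilla/5.0
2021-06-01T10:00:11Z OK   user=frank src=203.0.113.5 ua=Mozilla/5.0
2021-06-01T10:01:00Z FAIL user=alice src=198.51.100.7 ua=Mozilla/5.0
2021-06-01T10:01:02Z FAIL user=alice src=198.51.100.8 ua=Mozilla/5.0
2021-06-01T10:01:04Z FAIL user=alice src=198.51.100.9 ua=Mozilla/5.0
2021-06-01T10:01:06Z FAIL user=alice src=198.51.100.10 ua=Mozilla/5.0
2021-06-01T10:01:08Z FAIL user=alice src=198.51.100.11 ua=Mozilla/5.0
2021-06-01T10:01:10Z FAIL user=alice src=198.51.100.12 ua=Mozilla/5.0
2021-06-01T11:30:00Z FAIL user=grace src=192.0.2.20 ua=Mozilla/5.0
2021-06-01T11:30:30Z OK   user=grace src=192.0.2.20 ua=Mozilla/5.0
"""


@dataclass
class AuthEvent:
    ts: datetime
    ok: bool
    user: str
    src: str
    ua: str


def parse_log(text: str) -> List[AuthEvent]:
    """Parse the assumed '<ts> <OK|FAIL> key=value ...' format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append(AuthEvent(
            ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            ok=(result == "OK"),
            user=fields["user"], src=fields["src"], ua=fields["ua"]))
    return events


def _max_distinct_in_window(fails: List[AuthEvent],
                            key: Callable[[AuthEvent], object],
                            window: timedelta) -> int:
    """Largest number of distinct key() values inside any sliding window."""
    fails = sorted(fails, key=lambda e: e.ts)
    best = 0
    for i, first in enumerate(fails):
        seen = set()
        for e in fails[i:]:
            if e.ts - first.ts > window:
                break
            seen.add(key(e))
        best = max(best, len(seen))
    return best


def _failures_by(events: List[AuthEvent], attr: str) -> Dict[str, List[AuthEvent]]:
    groups: Dict[str, List[AuthEvent]] = defaultdict(list)
    for e in events:
        if not e.ok:
            groups[getattr(e, attr)].append(e)
    return groups


def detect_password_spray(events, window=timedelta(minutes=5), min_accounts=5):
    """Sources that fail against many *different* accounts in a short window."""
    alerts = {}
    for src, fails in _failures_by(events, "src").items():
        n = _max_distinct_in_window(fails, lambda e: e.user, window)
        if n >= min_accounts:
            # Distinct user agents hint at tooling changing between attempts.
            alerts[src] = {"accounts": n, "user_agents": len({e.ua for e in fails})}
    return alerts


def detect_distributed_bruteforce(events, window=timedelta(minutes=5), min_sources=5):
    """Accounts hit by failures from many different sources (VPN/Tor rotation)."""
    alerts = {}
    for user, fails in _failures_by(events, "user").items():
        n = _max_distinct_in_window(fails, lambda e: e.src, window)
        if n >= min_sources:
            alerts[user] = {"sources": n, "failures": len(fails)}
    return alerts


def lockout_candidates(events, window=timedelta(minutes=5), threshold=5) -> Set[str]:
    """Accounts a plain per-account lock-out rule would catch (id() makes each event distinct)."""
    return {user for user, fails in _failures_by(events, "user").items()
            if _max_distinct_in_window(fails, id, window) >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spray sources:", detect_password_spray(evs))
    print("distributed brute force:", detect_distributed_bruteforce(evs))
    print("lock-out would catch:", lockout_candidates(evs))
```

On the sample data the per-account lock-out rule flags only `alice`; the spraying source `203.0.113.5` never trips it because each of its five targets fails exactly once, which is why the source-centric check is needed alongside lock-outs. The user-agent count is reported because the advisory notes that the cluster varies its user agent strings, and a single source presenting several agents within seconds is itself worth a look.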

<![CDATA[Exploit Code Released for Critical Windows Print Spooler Flaw]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/exploit-code-released-for-critical-windows-print-spooler-flaw https://duo.com/decipher/exploit-code-released-for-critical-windows-print-spooler-flaw Wed, 30 Jun 2021 00:00:00 -0400

There are several different proof-of-concept exploits for a vulnerability in the Windows print spooler service circulating publicly right now, some of which are able to exploit the bug even if the patch Microsoft released earlier this month is applied.

The vulnerability (CVE-2021-1675) affects most versions of Windows and Windows Server, and although Microsoft initially classified it as a low-severity local privilege escalation bug, it revised that assessment last week to clarify that it can be used for remote code execution and upgraded it to a critical rating. The print spooler service runs by default on Windows Domain Controllers and is often enabled on other servers and desktops, as well. However, the attacker would need to have authenticated access to the print spooler service in order to get remote code execution.

A research team posted PoC exploit code for the vulnerability to GitHub on Tuesday, and although the repository was removed soon after, it was up long enough for other people to clone and fork it.

“Exploitation of CVE-2021-1675 could give remote attackers full control of vulnerable systems. To achieve RCE, attackers would need to target a user authenticated to the spooler service. Without authentication, the flaw could be exploited to elevate privileges, making this vulnerability a valuable link in an attack chain,” Claire Tills of Tenable said in a post.

“Windows Print Spooler has a long history of vulnerabilities and its ubiquity can allow for serious impact on targets.”

Microsoft released a fix for the vulnerability on June 8, but the patch did not completely resolve the issue. Microsoft has not made any public statement about the patch issue or whether it plans to release an updated fix. Researchers recommend disabling the print spooler service in the meantime to mitigate the vulnerability.

<![CDATA[Move Fast and Fix Things]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/move-fast-and-fix-things https://duo.com/decipher/move-fast-and-fix-things Tue, 29 Jun 2021 00:00:00 -0400

For many years, federal government officials have cited the need for a public-private partnership to address cybersecurity weaknesses, attacks, and defenses, which has generally meant enterprises and security companies providing threat intelligence and other information to the government while getting little back in return. That dynamic has shifted somewhat recently, with agencies such as CISA, FBI, and NSA sharing both public and private warnings to companies about vulnerabilities and ongoing attacks.

A recent example is a set of four critical flaws in Microsoft Exchange that National Security Agency engineers discovered and disclosed to the company earlier this year. Microsoft patched the vulnerabilities in its April update cycle, and said that it had not seen malicious exploitation of the bugs at that point. It’s unclear how soon after NSA disclosed the flaws to Microsoft that the company patched them, but shortening that window of vulnerability is the goal of both the government and the vendors to which agencies report bugs. However, some companies don’t necessarily respond to those reports as quickly as one might expect.

Anne Neuberger, the Deputy National Security Advisor for Cyber and Emerging Technology, and the former director of cybersecurity at NSA, said that sometimes when the agency disclosed vulnerabilities to vendors, the reaction could be a little slow.

“When we found sensitive vulnerabilities and quietly shared them with the company, they weren't often rapidly patched, and that’s a troubling factor because we’re balancing the visibility problem,” Neuberger said during a discussion with Dmitri Alperovitch of Silverado Policy Accelerator on Tuesday.

Neuberger, who has a deep background in both policy and security, did not single out any specific technology vendors or point to any vulnerabilities as examples, but the issue she described is a thorny one. In the years following the Edward Snowden disclosures, NSA publicly committed to disclosing more of the vulnerabilities that its teams find internally rather than keeping them secret for use in offensive operations. Given that NSA has a dual offensive and defensive mission in cybersecurity, deciding when to disclose is a delicate thing. There is a formal process to guide that decision, known as the Vulnerability Equities Process, and while it applies to a number of federal agencies, NSA is the executive secretariat for the VEP.

NSA has one of the preeminent offensive cyber groups in the world, and part of that work includes vulnerability discovery. If the agency finds a vulnerability that is serious enough that the potential damage from not disclosing it to the affected vendor outweighs its offensive value, that should serve as a clear signal to the vendor that quick action is warranted. But the way that most vendors handle bug triage and remediation doesn't always lend itself to prioritizing flaws reported by NSA or another government agency.

"NSA, or any other organization outside of your own, telling you they’ve come across a vulnerability, it would depend on the context. If it's being exploited in the wild, then it might cause you to act more quickly. It really depends on whether it was exploitation in progress or a true vulnerability discovery ahead of exploitation. The right move would be to prioritize it relative to all the other bugs you're working on," said Katie Moussouris, CEO of Luta Security.

"Just from my experience at Microsoft, we were working on hundreds or even thousands of bugs at any time."

The VEP specifically addresses the scenario of a vendor either deciding not to fix a vulnerability or moving too slowly on it.

“If the vendor chooses not to address a vulnerability, or is not acting with urgency consistent with the risk of the vulnerability, the releasing agency will notify the VEP Executive Secretariat, and the USG may take other mitigation steps,” the VEP says.

A variation of this situation came up in March after Microsoft had released emergency fixes for the ProxyLogon vulnerabilities in Exchange, which are distinct from the Exchange flaws NSA reported to Microsoft a month later. Although the patches were available, there were still tens of thousands of vulnerable Exchange servers online two weeks later, due in part to the fact that some enterprises couldn’t apply the patches because they had not installed the older fixes that are prerequisites. So the White House asked Microsoft to do whatever it could to simplify the process for customers in order to reduce the risk of mass exploitation. Microsoft quickly developed and released a one-click tool that mitigated the vulnerabilities.

“The Exchange bugs were a very serious area of concern and it led the White House to innovate in how we respond,” Neuberger said.

Those bugs were being exploited as zero days by a threat actor that Microsoft calls Hafnium, and the company said when it released the fixes in March that the group was based in China. Neuberger said Tuesday that the U.S. plans to name the group publicly soon.

“We will attribute that activity and along with that determine what we need to do as a follow up to that, and you will see further from us on that in the next few weeks,” she said.

<![CDATA[Nobelium Attackers Compromised Microsoft Customer Support Agent]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/nobelium-attackers-compromised-microsoft-customer-support-agent https://duo.com/decipher/nobelium-attackers-compromised-microsoft-customer-support-agent Mon, 28 Jun 2021 00:00:00 -0400

The group of attackers that compromised SolarWinds late last year recently conducted another campaign against government agencies and IT companies and was able to compromise the machine of a Microsoft customer support agent who had access to customer account data.

The attack campaign targeted companies in 36 countries, but nearly half of the affected organizations were in the United States. Microsoft has warned the customers whose accounts were affected by the compromise of the agent’s machine, and the company said that only a handful of companies were affected. The campaign was essentially a phishing attack that also used password spraying and brute force attempts to access accounts.

“This recent activity was mostly unsuccessful, and the majority of targets were not successfully compromised – we are aware of three compromised entities to date. All customers that were compromised or targeted are being contacted through our nation-state notification process,” Microsoft’s Threat Intelligence Center said.

Microsoft discovered the compromise of its customer service agent as part of an investigation into ongoing activity by the threat group it refers to as Nobelium. The group is affiliated with the Russian SVR and is also known as APT29, and the U.S. government has attributed the compromise of SolarWinds and many of its customers to the group.

Microsoft did not specify where the compromised customer service agent was located or whether the person is a company employee or a contractor.

“As part of our investigation into this ongoing activity, we also detected information-stealing malware on a machine belonging to one of our customer support agents with access to basic account information for a small number of our customers. The actor used this information in some cases to launch highly-targeted attacks as part of their broader campaign. We responded quickly, removed the access and secured the device,” Microsoft said.

The tactics that Microsoft describes Nobelium using in this campaign are typical of the way that many threat groups conduct phishing and targeted attack operations. Advanced threat groups often start their operations with relatively basic tactics to gain initial access to a target organization, and will then use more sophisticated tools and techniques to move laterally or escalate privileges. Nobelium is among the more active threat groups and is known for going after high-level targets such as government agencies, technology companies, and diplomatic entities.

Microsoft said that the customer service agent who was compromised in this recent operation only had access to a limited amount of customer information, and the person’s computer was set up to have only the lowest level of access necessary.

“The investigation is ongoing, but we can confirm that our support agents are configured with the minimal set of permissions required as part of our Zero Trust ‘least privileged access’ approach to customer information,” Microsoft said.

<![CDATA[Decipher Podcast: Mark Werremeyer and Bryce Kerley on Hack-a-Sat]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/decipher-podcast-mark-werremeyer-and-bryce-kerley-on-hack-a-sat https://duo.com/decipher/decipher-podcast-mark-werremeyer-and-bryce-kerley-on-hack-a-sat Thu, 24 Jun 2021 00:00:00 -0400

<![CDATA[Mozilla Rally Aims to Give Control of Personal Data Back to Users]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/mozilla-rally-aims-to-give-control-of-personal-data-back-to-users https://duo.com/decipher/mozilla-rally-aims-to-give-control-of-personal-data-back-to-users Thu, 24 Jun 2021 00:00:00 -0400

A rather large fraction of the world economy is built upon a foundation of personal data, most of which is used for purposes that are entirely opaque to the people who provided it and manipulated, analyzed, and resold by companies that those people will never hear about. Mozilla is launching a new platform called Rally that aims to upturn that model and enable individuals to donate a tightly controlled set of their browsing data to specific projects designed to contribute to the common good of the Internet.

The project has some ambitious goals, and achieving them will require the help and good-faith contributions of a large swath of Firefox users. Rally is beginning as a function in Firefox and is opt-in only, and individuals can choose which studies they want to participate in. The collected data will be limited to only what is needed for the specific study, and the research partners working with Mozilla will only be able to access the data for their particular studies. The first two studies to use Rally are one on engagement with political and COVID-19 news at Princeton University and another at Stanford University on news consumption and how news organizations might be able to build sustainable business models.

Rally is the culmination of a long collaboration between Mozilla data scientists, academics, and folks in the civil society realm who came to realize that they were trying to address the same problems from different angles.

“These communities were reaching out to each other and trying to combine our forces and we realized we didn’t have the right data. At Mozilla, we have this big data platform and we thought there were other use cases for it. We have this big social problem and there was kind of a gap there in how it was being addressed,” said Rebecca Weiss, a data scientist and Rally project lead at Mozilla.

“We’ve kind of been inching toward this for years.”

For Firefox users who opt in to a Rally research project, the platform will collect a specified set of data that is germane to the study through a browser add-on. The specific types of data will vary from study to study, but the add-on will collect it passively as the individual wanders around the web. Rally will encrypt the data before it leaves Firefox and the information will be stored in a secure analysis environment. Each research partner only has access to data collected for its specific study, and once a study ends, Mozilla will delete all of the data. Rally will not collect data from Private Browsing windows by default.

Rally takes a novel approach to the collection and usage of user data by giving individuals the ability to consent to the use of their information for specific projects that they see as valuable. In that way it is the inverse of the way that most large platform providers handle user data, which relies on the outdated notice-and-consent model and enables them to use huge amounts of data for purposes that are almost never communicated clearly to their users.

Rally is not designed to be a replacement for that model, though; that ship sailed a long time ago. But Weiss believes there is plenty of room and appetite for projects that are committed to ethical use of data for purposes that serve the greater good.

“There’s success on different horizons. The first is can you flip the script on how data is used. The data economy at large is built on you, but you don’t get to play in that market at all,” Weiss said.

“So in the long term how can we change that?”

<![CDATA[VMware Fixes Critical Authentication Bypass in Carbon Black App Control]]> dennis@decipher.sc (Dennis Fisher) https://duo.com/decipher/vmware-fixes-critical-authentication-bypass-in-carbon-black-app-control https://duo.com/decipher/vmware-fixes-critical-authentication-bypass-in-carbon-black-app-control Wed, 23 Jun 2021 00:00:00 -0400

VMware has released updates to fix a critical authentication bypass vulnerability that affects several versions of its Carbon Black App Control management server.

App Control is designed to act as a controller for which applications are allowed to run on protected machines. It works as a whitelisting tool, ensuring that only approved applications can run on servers or endpoints. The vulnerability (CVE-2021-21998) could allow a remote attacker to gain access to the App Control management server without any requirement for authentication.

“The VMware Carbon Black App Control management server has an authentication bypass. A malicious actor with network access to the VMware Carbon Black App Control management server might be able to obtain administrative access to the product without the need to authenticate,” the VMware advisory says.

The bug affects versions 8.0.x, 8.1.x, 8.5.x, and 8.6.x of the software running on Windows machines.

In addition to the authentication bypass flaw, VMware fixed a separate local privilege escalation vulnerability in several other products, including VMware Tools for Windows, VMware Remote Console, and VMware App Volumes. The bug affects several versions of the apps on Windows and other platforms.

“An attacker with normal access to a virtual machine may exploit this issue by placing a malicious file renamed as ‘openssl.cnf’ in an unrestricted directory which would allow code to be executed with elevated privileges,” the VMware advisory says.