Bear Security – Security News For Week of May 15th, 2021
These are the stories that relate to our careers, clients, and businesses in the cybersecurity world for the Week of May 15th, 2021. Watch this in video form over on YouTube, or you can listen on the go with the Bear Security podcast.
Executive Order on Cybersecurity Official
It’s official. President Joe Biden signed an executive order on Wednesday aimed at charting a new course to improve the nation’s cybersecurity and protect Federal Government networks. The order aims to remove barriers to threat information sharing between the government and private sector such as requiring IT service providers to share certain breach information should it potentially impact government networks. It seeks to modernize and implement stronger cybersecurity standards in the Federal Government by moving toward cloud services, a zero-trust architecture, requiring MFA, and mandatory encryption. It seeks to establish baseline security standards for the development of software that is sold to the Federal Government, and improve the visibility of issues. The order also establishes the Cybersecurity Safety Review Board which will be modeled after the National Transportation Safety Board, to be co-chaired by government and private sector leads, that may convene after a significant cyber incident to understand what happened, and make recommendations on improvements. Lastly, it requires the Federal Government to create a standardized playbook and set of definitions for incident response to help reduce complexities and establish a baseline of response. This would be further bolstered through improved investigative and remediation capabilities by requiring government-wide Endpoint Detection and Response (EDR) along with robust intra-governmental information sharing.
It’s a good start toward what could become a model for the private market in the future, depending on the success of its execution and maintenance. Read the full executive order over on WhiteHouse.gov.
Vulnerability Affects Wi-Fi Devices As Far Back as 1997
If you thought Dell’s 12-year-old vulnerability was bad, how about a flaw as old as the original Wi-Fi standard itself, from 1997? Wired is reporting that a set of vulnerabilities was disclosed this week by New York University Abu Dhabi researcher Mathy Vanhoef, which an attacker within Wi-Fi range of a target network could potentially use to exfiltrate data from a victim and compromise their devices. The findings were collectively called “Frag Attack”, short for “Fragmentation and aggregation attack”, because the flaws relate to how Wi-Fi processes data frames. Though, don’t go unplugging things just yet. Vanhoef says that while the flaws are widespread, they are currently difficult to exploit, but stay on the lookout for patches for your devices, especially routers and Wireless Access Points.
Colonial Pipeline Paid $5 Million Ransom, Now RaaS Group DarkSide Has Disappeared?
The Register is reporting that Colonial Pipeline’s operators reportedly paid $5 million to regain control of their digital systems and restore gas and oil deliveries across the eastern seaboard of the United States, following last week’s ransomware infection by the group DarkSide. Meanwhile, because the decryptor was so slow, Colonial continued recovering from backups as well in an attempt to speed up the restoration. The pipeline’s service resumed Thursday, and they expect it to take up to two weeks to get back to full operation. DarkSide had also received a $4.4 million ransom from chemical distributor Brenntag, whom they hit around the same time. Though here is where the story gets even more interesting. DarkSide and other ransomware groups, after realizing that someone had hit a hornet’s nest, decided to set some rules around their Ransomware as a Service, and some hacking forums are now prohibiting the marketing of locker-type malware and services. Then on Friday, Bleeping Computer reported that a threat actor known as UNKN, who is considered the public-facing representative of the rival ransomware gang REvil, shared that DarkSide had allegedly lost access to their public data leak site, payment servers, and CDN servers due to law enforcement action. No law enforcement agency has made mention of any action so far, leading to speculation that this may be an exit scam. Expect more updates on this story.
On a lighter note, I couldn’t help but think of the band AKADO and their song DARKSIDE every time I heard of the group these past two weeks. So if you dig rock music, maybe check out their music video for DARKSIDE.
This Month’s Patch Tuesday for Microsoft Includes a Wormable RCE in the HTTP Stack
Talos published a blog this week covering their insight over the recent patches published on Tuesday by Microsoft. The most significant vulnerability in this month’s updates is a Remote Code Execution vulnerability in the HTTP protocol stack. This vulnerability would allow an unauthenticated attacker to send a specially crafted packet to a target server that, if successful, gives an attacker the ability to execute remote code on the target host. Microsoft believes this vulnerability could be wormable, and with a CVSS score of 9.8 / 10, this is one you’ll want to patch quickly.
If you aren’t hosting HTTP websites, then you may want to be concerned about another RCE, this time in Internet Explorer 11. This RCE can be exploited by getting a vulnerable user to visit a specially crafted website, or open an embedded Microsoft Office document. The last significant critical vulnerability as part of this patch Tuesday has to do with the OLE Automation protocol, which is an inter-process communication mechanism relied on by a number of programming languages. This vulnerability could allow an attacker to execute remote code on a targeted machine without any interaction.
6 Month Old Zero-Day in Cisco AnyConnect Patched
Bleeping Computer is reporting that Cisco has fixed a six-month-old zero-day vulnerability that was found in the Cisco AnyConnect Secure Mobility Client VPN software, with publicly available proof-of-concept exploit code. The zero-day was disclosed back in November 2020 with Cisco only offering mitigation measures to decrease the attack surface at the time. The Cisco Product Security Incident Response Team has said despite proof-of-exploit code being made available, they don’t currently see evidence of attackers exploiting it in the wild. In addition to resolving the zero-day, the new versions also introduce new settings that are strongly recommended for increased protection that administrators should check out.
The vulnerability and improvements are now addressed in Cisco AnyConnect Secure Mobility Client releases 4.10.000093 and later. Read the full story over on Bleeping Computer.
Apple’s ‘Find My’ Network is Exploitable Via Bluetooth
Threatpost is reporting that Apple’s ‘Find My Device’ function, which helps users track their iOS and macOS devices, can be exploited to transfer data to and from random passing devices without using the internet. Security researcher Fabian Bräunlein with Positive Security developed a proof of concept for the attack, which uses a microcontroller and a custom macOS app to broadcast data from one device to another via Bluetooth Low Energy. Once the receiving device connects to the internet, it forwards the data to an attacker-controlled Apple iCloud server. The research dubbed the method “Send My” and detailed several use cases for it. Bräunlein mentioned that misuse of Find My in this way may be nearly impossible for Apple to prevent, given the capability is “inherent to the privacy and security-focused design of the Find My offline finding system”.
Researchers Find 19 Petabytes of Data in Unprotected Databases
CyberNews researchers have found that more than 29,000 databases worldwide are unprotected and publicly accessible, leaving nearly 19 Petabytes of data exposed to anybody. While they don’t describe the data discovered, Hadoop databases had the largest amount of data exposed, and the list of countries with the most unprotected databases online is topped by China, followed by the United States.
See the full research over at CyberNews.
Story Updates From Prior Episodes…
Rapid7 Source Code Accessed as part of Codecov
The Hacker News is reporting that Rapid7 revealed on Thursday that they were affected by the Codecov breach. Rapid7 joins HashiCorp, Confluent, and Twilio, as companies continue to assess the potential that they were breached. Rapid7 says on their website that the use of Codecov’s bash uploader script was limited to a single CI server used to test and build some internal tooling for their Managed Detection and Response (MDR) service. They were not using Codecov on any CI server used for product code. In addition, they have not found evidence of any other system being accessed and they’ve already reached out to any customers whose dataset may have been used as part of the CI system.
The Federal Government is also engaged in investigating the Codecov breach, and it’ll be months before we know the full extent of all the customers that have been impacted. We’ll keep you updated as we learn more.
One last thing… A correction! Last week on the YouTube / Podcast version, I referred to NIST as the National Institute of Science and Technology. It’s actually the National Institute of Standards and Technology. I don’t know where my brain was when I wrote the script, so my apologies! Speaking of which, the comment period regarding the HIPAA guidance remains open, so if you are involved in HIPAA at your workplace, be sure to give your feedback to NIST.