US-CERT Feed

Microsoft Releases Alternative Mitigations for Exchange Server Vulnerabilities

US-Cert Current Activity - Fri, 03/05/2021 - 7:02pm
Original release date: March 5, 2021

Microsoft has released alternative mitigation techniques for Exchange Server customers who are not able to immediately apply updates that address vulnerabilities disclosed on March 2, 2021.

CISA and Microsoft encourages organizations to upgrade their on-premises Exchange environments to the latest supported version. If an organization is unable to immediately apply the updates, CISA strongly recommends they apply the alternative mitigations found in Microsoft’s blog on Exchange Server Vulnerabilities Mitigations in the interim.

For more information about these vulnerabilities, see:

 

 

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Update to Alert on Mitigating Microsoft Exchange Server Vulnerabilities

US-Cert Current Activity - Thu, 03/04/2021 - 4:08pm
Original release date: March 4, 2021

CISA is aware of threat actors using open source tools to search for vulnerable Microsoft Exchange Servers and advises entities to investigate for signs of a compromise from at least September 1, 2020. CISA has updated the Alert on the Microsoft Exchange server vulnerabilities with additional detailed mitigations. 
 
CISA encourages administrators to review the updated Alert and the Microsoft Security Update and apply the necessary updates as soon as possible or disconnect vulnerable Exchange servers from the internet until the necessary patch is made available.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Joint NSA and CISA Guidance on Strengthening Cyber Defense Through Protective DNS

US-Cert Current Activity - Thu, 03/04/2021 - 1:50pm
Original release date: March 4, 2021

The National Security Agency (NSA) and CISA have released a Joint Cybersecurity Information (CSI) sheet with guidance on selecting a protective Domain Name System (PDNS) service as a key defense against malicious cyber activity. Protective DNS can greatly reduce the effectiveness of ransomware, phishing, botnet, and malware campaigns by blocking known-malicious domains. Additionally organizations can use DNS query logs for incident response and threat hunting activities.

CISA encourages users and administrators to consider the benefits of using a protective DNS service and review NSA and CISA’s CSI sheet on Selecting a Protective DNS Service for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Cisco Releases Security Updates

US-Cert Current Activity - Thu, 03/04/2021 - 11:13am
Original release date: March 4, 2021

Cisco has released security updates to address a vulnerability in multiple Cisco products. An attacker could exploit this vulnerability to cause a denial-of-service condition. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

CISA encourages users and administrators to review Cisco Advisory cisco-sa-snort-ethernet-dos-HGXgJH8n and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

VMware Releases Security Update

US-Cert Current Activity - Thu, 03/04/2021 - 11:12am
Original release date: March 4, 2021

VMware has released a security update to address a vulnerability in View Planner. An attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0003 and apply the necessary update.  

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

CISA Issues Emergency Directive and Alert on Microsoft Exchange Vulnerabilities

US-Cert Current Activity - Wed, 03/03/2021 - 3:14pm
Original release date: March 3, 2021

CISA has issued Emergency Directive (ED) 21-02 and Alert AA21-062A addressing critical vulnerabilities in Microsoft Exchange products. Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange servers, enabling them to gain persistent system access and control of an enterprise network. 

CISA strongly recommends organizations examine their systems to detect any malicious activity detailed in Alert AA21-062A. Review the following resources for more information:

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

AA21-062A: Mitigate Microsoft Exchange Server Vulnerabilities

US-Cert Alerts - Wed, 03/03/2021 - 1:12pm
Original release date: March 3, 2021
Summary

Cybersecurity and Infrastructure Security (CISA) partners have observed active exploitation of vulnerabilities in Microsoft Exchange Server products. Successful exploitation of these vulnerabilities allows an unauthenticated attacker to execute arbitrary code on vulnerable Exchange Servers, enabling the attacker to gain persistent system access, as well as access to files and mailboxes on the server and to credentials stored on that system. Successful exploitation may additionally enable the attacker to compromise trust and identity in a vulnerable network. Microsoft released out-of-band patches to address vulnerabilities in Microsoft Exchange Server. The vulnerabilities impact on-premises Microsoft Exchange Servers and are not known to impact Exchange Online or Microsoft 365 (formerly O365) cloud email services.

This Alert includes both tactics, techniques and procedures (TTPs) and the indicators of compromise (IOCs) associated with this malicious activity. To secure against this threat, CISA recommends organizations examine their systems for the TTPs and use the IOCs to detect any malicious activity. If an organization discovers exploitation activity, they should assume network identity compromise and follow incident response procedures. If an organization finds no activity, they should apply available patches immediately and implement the mitigations in this Alert.

Click here for IOCs in STIX format.

Technical Details

Microsoft has released out-of-band security updates to address four vulnerabilities in Exchange Server:

  • CVE-2021-26855 allows an unauthenticated attacker to send arbitrary HTTP requests and authenticate as the Exchange Server. The vulnerability exploits the Exchange Control Panel (ECP) via a Server-Side Request Forgery (SSRF). This would also allow the attacker to gain access to mailboxes and read sensitive information.
  • CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 allow for remote code execution.  
    • CVE-2021-26858 and CVE-2021-27065 are similar post-authentication arbitrary write file vulnerabilities in Exchange. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could write a file to any path on the server.

    • CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. An attacker, authenticated either by using CVE-2021-26855 or via stolen admin credentials, could execute arbitrary code as SYSTEM on the Exchange Server.

  • To locate a possible compromise of these CVEs, we encourage you to read the Microsoft Advisory.

It is possible for an attacker, once authenticated to the Exchange server, to gain access to the Active Directory environment and download the Active Directory Database.

Tactics, Techniques and Procedures

The majority of the TTPs in this section are sourced from a blog post from Volexity, a third party cybersecurity firm. Note: the United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

Volexity has observed the following files as targets of HTTP POST requests:

  • /owa/auth/Current/themes/resources/logon.css
  • /owa/auth/Current/themes/resources/owafont_ja.css
  • /owa/auth/Current/themes/resources/lgnbotl.gif
  • /owa/auth/Current/themes/resources/owafont_ko.css
  • /owa/auth/Current/themes/resources/SegoeUI-SemiBold.eot
  • /owa/auth/Current/themes/resources/SegoeUI-SemiLight.ttf
  • /owa/auth/Current/themes/resources/lgnbotl.gif

Administrators should search the ECP server logs for the following string (or something similar):

S:CMD=Set-OabVirtualDirectory.ExternalUrl='

The logs can be found at <exchange install path>\Logging\ECP\Server\.

To determine possible webshell activity, administrators should search for aspx files in the following paths:

  • \inetpub\wwwroot\aspnet_client\ (any .aspx file under this folder or sub folders)
  • \<exchange install path>\FrontEnd\HttpProxy\ecp\auth\ (any file besides TimeoutLogoff.aspx)
  • \<exchange install path>\FrontEnd\HttpProxy\owa\auth\ (any file or modified file that is not part of a standard install)
  • \<exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\ (any aspx file in this folder or subfolders)
  • \<exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\ (any aspx file in this folder or subfolders)

Administrators should search in the /owa/auth/Current directory for the following non-standard web log user-agents. These agents may be useful for incident responders to look at to determine if further investigation is necessary.

These should not be taken as definitive IOCs:

  • DuckDuckBot/1.0;+(+http://duckduckgo.com/duckduckbot.html)
  • facebookexternalhit/1.1+(+http://www.facebook.com/externalhit_uatext.php)
  • Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)
  • Mozilla/5.0+(compatible;+Bingbot/2.0;++http://www.bing.com/bingbot.htm)
  • Mozilla/5.0+(compatible;+Googlebot/2.1;++http://www.google.com/bot.html
  • Mozilla/5.0+(compatible;+Konqueror/3.5;+Linux)+KHTML/3.5.5+(like+Gecko)+(Exabot-Thumbnails)
  • Mozilla/5.0+(compatible;+Yahoo!+Slurp;+http://help.yahoo.com/help/us/ysearch/slurp)
  • Mozilla/5.0+(compatible;+YandexBot/3.0;++http://yandex.com/bots)
  • Mozilla/5.0+(X11;+Linux+x86_64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/51.0.2704.103+Safari/537.36

Volexity observed these user-agents in conjunction with exploitation to /ecp/ URLs:

  • ExchangeServicesClient/0.0.0.0
  • python-requests/2.19.1
  • python-requests/2.25.1

These user-agents were also observed having connections to post-exploitation web-shell access:

  • antSword/v2.1
  • Googlebot/2.1+(+http://www.googlebot.com/bot.html)
  • Mozilla/5.0+(compatible;+Baiduspider/2.0;++http://www.baidu.com/search/spider.html)

As with the non-standard user-agents, responders can examine internet information services (IIS) logs from Exchange Servers to identify possible historical activity. Also, as with the non-standard user agents, these should not be taken as definitive IOCs:

  • POST /owa/auth/Current/
  • POST /ecp/default.flt
  • POST /ecp/main.css
  • POST /ecp/<single char>.js

Volexity has seen attackers leverage the following IP addresses. Although these are tied to virtual private servers (VPSs) servers and virtual private networks (VPNs), responders should investigate these IP addresses on their networks and act accordingly:

  • 103.77.192[.]219
  • 104.140.114[.]110
  • 104.250.191[.]110
  • 108.61.246[.]56
  • 149.28.14[.]163
  • 157.230.221[.]198
  • 167.99.168[.]251
  • 185.250.151[.]72
  • 192.81.208[.]169
  • 203.160.69[.]66
  • 211.56.98[.]146
  • 5.254.43[.]18
  • 5.2.69[.]14
  • 80.92.205[.]81
  • 91.192.103[.]43

Volexity has also provided the following YARA signatures that can be run within your network to assist in finding signs of a compromise.

1. rule webshell_aspx_simpleseesharp : Webshell Unclassified
{
    meta:
        author = “threatintel@volexity.com”
        date = “2021-03-01”
        description = “A simple ASPX Webshell that allows an attacker to write further files to disk.”
        hash = “893cd3583b49cb706b3e55ecb2ed0757b977a21f5c72e041392d1256f31166e2”
 
    strings:
        $header = “<%@ Page Language=\”C#\” %>”
        $body = “<% HttpPostedFile thisFile = Request.Files[0];thisFile.SaveAs(Path.Combine”
 
    condition:
        $header at 0 and
        $body and
        filesize < 1KB
}
 
2.
rule webshell_aspx_reGeorgTunnel : Webshell Commodity
{
    meta:
        author = “threatintel@volexity.com”
        date = “2021-03-01”
        description = “A variation on the reGeorg tunnel webshell”
        hash = “406b680edc9a1bb0e2c7c451c56904857848b5f15570401450b73b232ff38928”
        reference = “https://github.com/sensepost/reGeorg/blob/master/tunnel.aspx”
 
    strings:
        $s1 = “System.Net.Sockets”
        $s2 = “System.Text.Encoding.Default.GetString(Convert.FromBase64String(StrTr(Request.Headers.Get”
        // a bit more experimental
        $t1 = “.Split(‘|’)”
        $t2 = “Request.Headers.Get”
        $t3 = “.Substring(“
        $t4 = “new Socket(“
        $t5 = “IPAddress ip;”
 
    condition:
        all of ($s*) or
        all of ($t*)
}
 
3
rule webshell_aspx_sportsball : Webshell Unclassified
{
    meta:
        author = “threatintel@volexity.com”
        date = “2021-03-01”
        description = “The SPORTSBALL webshell allows attackers to upload files or execute commands on the system.”
        hash = “2fa06333188795110bba14a482020699a96f76fb1ceb80cbfa2df9d3008b5b0a”
 
    strings:
        $uniq1 = “HttpCookie newcook = new HttpCookie(\”fqrspt\”, HttpContext.Current.Request.Form”
        $uniq2 = “ZN2aDAB4rXsszEvCLrzgcvQ4oi5J1TuiRULlQbYwldE=”
 
        $var1 = “Result.InnerText = string.Empty;”
        $var2 = “newcook.Expires = DateTime.Now.AddDays(”
        $var3 = “System.Diagnostics.Process process = new System.Diagnostics.Process();”
        $var4 = “process.StandardInput.WriteLine(HttpContext.Current.Request.Form[\””
        $var5 = “else if (!string.IsNullOrEmpty(HttpContext.Current.Request.Form[\””
        $var6 = “<input type=\”submit\” value=\”Upload\” />”
 
    condition:
        any of ($uniq*) or
        all of ($var*)
}

A list of web shell hashes have also been provided by Microsoft:

  • b75f163ca9b9240bf4b37ad92bc7556b40a17e27c2b8ed5c8991385fe07d17d0
  • 097549cf7d0f76f0d99edf8b2d91c60977fd6a96e4b8c3c94b0b1733dc026d3e
  • 2b6f1ebb2208e93ade4a6424555d6a8341fd6d9f60c25e44afe11008f5c1aad1
  • 65149e036fff06026d80ac9ad4d156332822dc93142cf1a122b1841ec8de34b5
  • 511df0e2df9bfa5521b588cc4bb5f8c5a321801b803394ebc493db1ef3c78fa1
  • 4edc7770464a14f54d17f36dc9d0fe854f68b346b27b35a6f5839adf1f13f8ea
  • 811157f9c7003ba8d17b45eb3cf09bef2cecd2701cedb675274949296a6a183d
  • 1631a90eb5395c4e19c7dbcbf611bbe6444ff312eb7937e286e4637cb9e72944

Note: this is not an all-inclusive list of indicators of compromise and threat actors have been known to use short-term leased IP addresses that change very frequently. Organizations that do not locate any of the IOCs in this Alert within your network traffic, may nevertheless have been compromised. CISA recommendations following the guidance located in the Microsoft Advisory to check your servers for any signs of a compromise.  

Conduct Forensic Analysis

Should your organization see evidence of compromise, your incident response should begin with conducting forensic analysis to collect artifacts and perform triage. Please see the following list of recommendations on how to conduct forensic analysis using various tools.

Although the following free tools are not endorsed by the Federal Government, incident responders commonly use them to perform forensics.

While collecting artifacts to perform triage, use processes and tools that minimize the alteration of the data being collected and that minimize impact to the operating system itself.

Ideally, during data collection, store the data on removable/external media and, when possible, run the artifact collection tools from the same media.

Key artifacts for triage that should be collected:

  • Memory
  • All registry hives
  • All windows event logs
  • All web logs

Memory can be collected with a variety of open source tools (e.g., FTK Imager by AccessData, Ram Capture by Belkasoft).

Registry and Windows Event logs can be collected with a variety of open source tools as well (e.g., FTK_Imager, Kroll Artifact Parser And Extractor [KAPE]).

Web logs can also be collected with a variety of open source tools (e.g., FTK Imager).

Windows Artifact Collection Guide

Execute the following steps in order.

1) Download the latest FTK Imager from https://accessdata.com/product-download/.

  • Note: Ensure your review of and compliance with the applicable license associated with the product referenced, which can be found in the product’s User Guide. The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.

2) Collect memory from live system using FTK Imager. See Memory Capture with FTK Imager.pdf for instructions. Note: Download and copy “FTK Imager” folder to an external drive. Run FTK Imager.exe from the FTK Imager folder from external drive. Wait until memory collect is complete before proceeding to step 2.

3) Collect important system artifacts using KAPE. See KAPE Collection Procedure. Note: Download KAPE from a separate system; do not download KAPE to the target system. Run KAPE from external drive.

4) Collect disk image using FTK Imager. See Live Image with FTK Imager.pdf for instructions. Note: Run FTK Imager.exe from the “FTK Imager” folder from external drive.

Memory Capture with FTK Imager

1) Open FTK Imager. Log into the system with Administrator privileges and launch “FTK Imager.”

2) Open “Capture Memory." Select “Capture Memory…” from the File menu.

Figure 1: FTK Imager – Capture Memory Command

3) Select Path and Filenames. On the window that appears, use the “Browse” button to identify the destination of the memory capture. Save the memory capture to an external device and not the main hard drive of the system. Doing so will prevent the saved file from overwriting any dataspace on the system.

  • Name the destination file with a descriptive name (i.e., hostname of the system).
  • Select the box “Include pagefile” and provide a name of the pagefile that is descriptive of the system.
  • Do not select “Create AD1 file.”

Figure 2: FTK Imager – Memory Capture

4) Capture Memory. Click on “Capture Memory” to begin the capture process. The process will take several minutes depending on the size of the pagefile and the amount of memory on the system.

Figure 3: FTK Imager – Capture Process

KAPE Collection Procedure [1]

1) Download KAPE from https://www.kroll.com/en/services/cyber-risk/investigate-and-respond/kroll-artifact-parser-extractor-kape.

2) Disable any antivirus or host protection mechanisms that prevent execution from removable media, or data loss prevention (DLP) mechanisms that restrict utilization of removable media.

  • Enable antivirus and host protection once this process is completed.

3) Unzip Kape.zip and run gkape.exe as admin from your removable media

4) Target source should be the drive on which the OS resides, typically C:.

5) Target destination should be an external drive folder, not the same drive as the Target source. If available, use an external hard drive or flash drive.

  • A KAPE execution with these parameters will typically produce output artifacts with a total size of 1-25 GB.
  • If you are going to be running KAPE on different machines and want to save to the same drive, ensure the Target destination folder is unique for each execution of KAPE.

6) Uncheck Flush checkbox (it is checked natively).

7) Check Add %d and Add %m checkboxes.

8) Select ALL checkboxes to ensure KAPE will target all available data that it is capable of targeting. This takes some time; use the down arrow and space bar to move through the list quickly.

9) Check Process VSCs checkbox.

10) Select Zip radio button and add Base name TargetOutput.

11) Ensure Deduplicate checkbox is checked (it is checked natively).

  • At the bottom you should now see a large Current command line, similar to:
.\kape.exe --tsource C: --tdest E:\%d%m --tflush --target !BasicCollection,!SANS_Triage,Avast,AviraAVLogs,Bitdefender,ComboFix,ESET,FSecure,HitmanPro,Malwarebytes, McAfee,McAfee_ePO,RogueKiller,SentinelOne,Sophos,SUPERAntiSpyware,Symantec_AV_Logs,TrendMicro,VIPRE, Webroot,WindowsDefender,Ammyy,AsperaConnect,BoxDrive,CiscoJabber,CloudStorage,ConfluenceLogs,Discord, Dropbox, Exchange,ExchangeClientAccess,ExchangeTransport,FileZilla,GoogleDrive,iTunesBackup,JavaWebCache,Kaseya,LogMeIn,Notepad++, OneDrive,OutlookPSTOST,ScreenConnect,Skype,TeamViewerLogs,TeraCopy,VNCLogs, Chrome,ChromeExtensions,Edge,Firefox,InternetExplorer,WebBrowsers,ApacheAccessLog,IISLogFiles,ManageEngineLogs, MSSQLErrorLog,NGINXLogs,PowerShellConsole,KapeTriage,MiniTimelineCollection,RemoteAdmin, VirtualDisks, Gigatribe,TorrentClients,Torrents,$Boot,$J,$LogFile,$MFT,$SDS,$T,Amcache,ApplicationEvents,BCD,CombinedLogs, EncapsulationLogging,EventLogs,EventLogs-RDP,EventTraceLogs, EvidenceOfExecution,FileSystem,GroupPolicy,LinuxOnWindowsProfileFiles,LnkFilesAndJumpLists,LogFiles,MemoryFiles, MOF,OfficeAutosave,OfficeDocumentCache,Prefetch,RDPCache,RDPLogs,RecentFileCache,Recycle, RecycleBin, RecycleBinContent,RecycleBinMetadata,RegistryHives,RegistryHivesSystem,RegistryHivesUser,ScheduledTasks,SDB, SignatureCatalog,SRUM,StartupInfo,Syscache,ThumbCache,USBDevicesLogs,WBEM,WER,WindowsFirewall,  WindowsIndexSearch,WindowsNotifcationsDB,WindowsTimeline,XPRestorePoints --vss --zip TargetOutput –gui
  • In the bottom right corner hit the Execute! Button.
  • Screenshot below shows gkape.exe during execution, you will also see a command window execute. Note: KAPE usually takes less than 20 minutes to complete on a workstation; if it is taking significantly longer there may be an issue.

Figure 4: gkape.exe screenshot

Mitigations

CISA strongly recommends organizations read Microsoft’s advisory and security blog post for more information on how to look for this malicious activity and apply critical patches as soon as possible.

If patching is not an immediate option, there are other mitigation options available. However, these options should only be used as a temporary solution, not a replacement for patching.  CISA recommends limiting or blocking external access to internet-facing Exchange Servers via the following:

  • Restrict untrusted connections to port 443, or set up a VPN to separate the Exchange Server from external access; note that this will not prevent an adversary from exploiting the vulnerability if the attacker is already in your network.
  • Block external access to on-premise Exchange:
    • Restrict external access to OWA URL: /owa/. 
    • Restrict external access to Exchange Admin Center (EAC) aka Exchange Control Panel (ECP) URL: /ecp/.

CISA would like to thank Microsoft and Volexity for their contributions to this alert.

RESOURCES

 

References Revisions
  • March 3, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Google Releases Security Updates for Chrome

US-Cert Current Activity - Wed, 03/03/2021 - 12:10pm
Original release date: March 3, 2021

Google has released Chrome version 89.0.4389.72 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. 

CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates. 

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Microsoft Releases Out-of-Band Security Updates for Exchange Server

US-Cert Current Activity - Tue, 03/02/2021 - 5:41pm
Original release date: March 2, 2021

Microsoft has released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. A remote attacker can exploit three remote code execution vulnerabilities—CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065—to take control of an affected system and can exploit one vulnerability—CVE-2021-26855—to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild.

CISA encourages users and administrators to review the Microsoft blog post and apply the necessary updates or workarounds.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Apache Releases Security Advisory for Tomcat

US-Cert Current Activity - Tue, 03/02/2021 - 10:29am
Original release date: March 2, 2021

The Apache Software Foundation has released a security advisory to address a vulnerability in multiple versions of Apache Tomcat 9.0. An attacker could exploit this vulnerability to access sensitive information.

CISA encourages users and administrators to review the Apache security advisory for CVE-2021-25122 and upgrade to the appropriate version.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

NSA Releases Guidance on Zero Trust Security Model

US-Cert Current Activity - Fri, 02/26/2021 - 8:47am
Original release date: February 26, 2021

The National Security Agency (NSA) has released Cybersecurity Information Sheet: Embracing a Zero Trust Security Model, which provides information about, and recommendations for, implementing Zero Trust within networks. The Zero Trust security model is a coordinated system management strategy that assumes breaches are inevitable or have already occurred.

CISA encourages administrators and organizations review NSA’s guidance on Embracing a Zero Trust Security Model to help secure sensitive data, systems, and services.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Cisco Releases Security Updates 

US-Cert Current Activity - Thu, 02/25/2021 - 7:08am
Original release date: February 25, 2021

Cisco has released security updates to address vulnerabilities in Cisco products. An attacker could exploit some of these vulnerabilities to take control of an affected system.
 
CISA encourages users and administrators to review the following Cisco Advisories and apply the necessary updates:

For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Mozilla Releases Security Updates for Thunderbird, Firefox ESR, and Firefox

US-Cert Current Activity - Wed, 02/24/2021 - 10:54am
Original release date: February 24, 2021

Mozilla has released security updates to address multiple vulnerabilities in Thunderbird 78.8, Firefox ESR 78.8, and Firefox 86. An attacker could exploit these vulnerabilities to take control of an affected system.
 
CISA encourages users and administrators to review the Mozilla security advisories and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

VMware Releases Multiple Security Updates

US-Cert Current Activity - Wed, 02/24/2021 - 10:52am
Original release date: February 24, 2021

VMware has released security updates to address multiple vulnerabilities--CVE-2021-21972, CVE-2021-21973, CVE-2021-21974—ESXi, vCenter Server, and Cloud Foundation. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0002 and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

CISA Releases Joint Cybersecurity Advisory on Exploitation of Accellion File Transfer Appliance

US-Cert Current Activity - Wed, 02/24/2021 - 9:00am
Original release date: February 24, 2021

The cybersecurity authorities of Australia, New Zealand, Singapore, the United Kingdom, and the United States have released Joint Cybersecurity Advisory AA21-055A: Exploitation of Accellion File Transfer Appliance. Cyber actors worldwide have exploited vulnerabilities in Accellion File Transfer Appliance to attack multiple federal, and state, local, tribal, and territorial government organizations as well as private industry organizations in the medical, legal, telecommunications, finance, and energy fields. In some instances, the attacker extorted money from victim organizations to prevent public release of information exfiltrated from a compromised Accellion appliance.

CISA encourages users and administrators to review AA21-055A: Exploitation of Accellion File Transfer Appliance and MAR-10325064-1.v1 – Accellion FTA for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

AA21-055A: Exploitation of Accellion File Transfer Appliance

US-Cert Alerts - Wed, 02/24/2021 - 9:00am
Original release date: February 24, 2021
Summary

This joint advisory is the result of a collaborative effort by the cybersecurity authorities of Australia,[1] New Zealand,[2] Singapore,[3] the United Kingdom,[4] and the United States.[5][6] These authorities are aware of cyber actors exploiting vulnerabilities in Accellion File Transfer Appliance (FTA).[7] This activity has impacted organizations globally, including those in Australia, New Zealand, Singapore, the United Kingdom, and the United States.

Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial (SLTT) government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors. According to Accellion, this activity involves attackers leveraging four vulnerabilities to target FTA customers.[8] In one incident, an attack on an SLTT organization potentially included the breach of confidential organizational data. In some instances observed, the attacker has subsequently extorted money from victim organizations to prevent public release of information exfiltrated from the Accellion appliance.

This Joint Cybersecurity Advisory provides indicators of compromise (IOCs) and recommended mitigations for this malicious activity. For a downloadable copy of IOCs, see: AA21-055A.stix and MAR-10325064-1.v1.stix.

Click here for a PDF version of this report.

Technical Details

Accellion FTA is a file transfer application that is used to share files. In mid-December 2020, Accellion was made aware of a zero-day vulnerability in Accellion FTA and released a patch on December 23, 2020. Since then, Accellion has identified cyber actors targeting FTA customers by leveraging the following additional vulnerabilities.

  • CVE-2021-27101 – Structured Query Language (SQL) injection via a crafted HOST header (affects FTA 9_12_370 and earlier)
  • CVE-2021-27102 – Operating system command execution via a local web service call (affects FTA versions 9_12_411 and earlier)
  • CVE-2021-27103 – Server-side request forgery via a crafted POST request (affects FTA 9_12_411 and earlier)
  • CVE-2021-27104 – Operating system command execution via a crafted POST request (affects FTA 9_12_370 and earlier)

One of the exploited vulnerabilities (CVE-2021-27101) is an SQL injection vulnerability that allows an unauthenticated user to run remote commands on targeted devices. Actors have exploited this vulnerability to deploy a webshell on compromised systems. The webshell is located on the target system in the file /home/httpd/html/about.html or /home/seos/courier/about.html. The webshell allows the attacker to send commands to targeted devices, exfiltrate data, and clean up logs. The clean-up functionality of the webshell helps evade detection and analysis during post incident response. The Apache /var/opt/cache/rewrite.log file may also contain the following evidence of compromise:

  • [.'))union(select(c_value)from(t_global)where(t_global.c_param)=('w1'))] (1) pass through /courier/document_root.html
  • [.'))union(select(reverse(c_value))from(t_global)where(t_global.c_param)=('w1'))] (1) pass through /courier/document_root.html
  • ['))union(select(loc_id)from(net1.servers)where(proximity)=(0))] (1) pass through /courier/document_root.html

These entries are followed shortly by a pass-through request to sftp_account_edit.php. The entries are the SQL injection attempt indicating an attempt at exploitation of the HTTP header parameter HTTP_HOST.

Apache access logging shows successful file listings and file exfiltration:

  • “GET /courier/about.html?aid=1000 HTTP/1.1” 200 {Response size}
  • “GET /courier/about.htmldwn={Encrypted Path}&fn={encrypted file name} HTTP/1.1” 200 {Response size}

When the clean-up function is run, it modifies archived Apache access logs /var/opt/apache/c1s1-access_log.*.gz and replaces the file contents with the following string:

      Binary file (standard input) matches

In two incidents, the Cybersecurity and Infrastructure Security Agency (CISA) observed a large amount of data transferred over port 443 from federal agency IP addresses to 194.88.104[.]24. In one incident, the Cyber Security Agency of Singapore observed multiple TCP sessions with IP address 45.135.229[.]179.

Organizations are encouraged to investigate the IOCs outlined in this advisory and in [AR21-055A]. If an Accellion FTA appears compromised, organizations can get an indication of the exfiltrated files by obtaining a list of file-last-accessed events for the target files of the symlinks located in the /home/seos/apps/1000/ folder over the period of malicious activity. This information is only indicative and may not be a comprehensive identifier of all exfiltrated files.

Mitigations

Organizations with Accellion FTA should:

  • Temporarily isolate or block internet access to and from systems hosting the software.
  • Assess the system for evidence of malicious activity including the IOCs, and obtain a snapshot or forensic disk image of the system for subsequent investigation.
  • If malicious activity is identified, obtain a snapshot or forensic disk image of the system for subsequent investigation, then:
    • Consider conducting an audit of Accellion FTA user accounts for any unauthorized changes, and consider resetting user passwords.
    • Reset any security tokens on the system, including the “W1” encryption token, which may have been exposed through SQL injection.
  • Update Accellion FTA to version FTA_9_12_432 or later.
  • Evaluate potential solutions for migration to a supported file-sharing platform after completing appropriate testing.
    • Accellion has announced that FTA will reach end-of-life (EOL) on April 30, 2021.[9] Replacing software and firmware/hardware before it reaches EOL significantly reduces risks and costs.

Additional general best practices include:

  • Deploying automated software update tools to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
  • Only using up-to-date and trusted third-party components for the software developed by the organization.
  • Adding additional security controls to prevent the access from unauthenticated sources.
Resources References Revisions
  • February 24, 2021: Initial Version

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

SonicWall Releases Additional Patches

US-Cert Current Activity - Tue, 02/23/2021 - 11:08am
Original release date: February 23, 2021

SonicWall has released firmware patches for SMA 100 series products in an update to its previous alert from February 3, 2021. A remote attacker could exploit a vulnerability in versions of SMA 10 prior to 10.2.0.5-29sv to take control of an affected system.

CISA encourages users and administrators to review the updated SonicWall alert and apply the necessary patches as soon as possible.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Cisco Releases Security Updates for AnyConnect Secure Mobility Client

US-Cert Current Activity - Thu, 02/18/2021 - 10:29am
Original release date: February 18, 2021

Cisco has released security updates to address a vulnerability in Cisco AnyConnect Secure Mobility Client. An attacker could exploit this vulnerability to take control of an affected system.

CISA encourages users and administrators to review Cisco Security Advisory cisco-sa-anyconnect-dll-hijac-JrcTOQMC and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Google Releases Security Updates for Chrome

US-Cert Current Activity - Wed, 02/17/2021 - 2:19pm
Original release date: February 17, 2021

Google has released Chrome version 88.0.4324.182 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system.

CISA encourages users and administrators to review the Chrome Release and apply the necessary updates.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

North Korean Malicious Cyber Activity: AppleJeus

US-Cert Current Activity - Wed, 02/17/2021 - 11:00am
Original release date: February 17, 2021

CISA, the Federal Bureau of Investigation, and the Department of the Treasury have released a Joint Cybersecurity Advisory and seven Malware Analysis Reports (MARs) on the North Korean government’s dissemination of malware that facilitates the theft of cryptocurrency—referred to by the U.S. Government as “AppleJeus.”

The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.

CISA encourages users and administrators to review the following resources for more information.

This product is provided subject to this Notification and this Privacy & Use policy.

Categories: US-CERT Feed

Pages