PowerShell Advisory from National Security Agency (NSA)

The National Security Agency (NSA) and cybersecurity partner agencies issued an advisory today recommending that system administrators use PowerShell to prevent and detect malicious activity on Windows machines. PowerShell is frequently used in cyberattacks, mostly in the post-exploitation stage, but the security capabilities built into Microsoft’s automation and configuration tool can also help defenders with forensics, improve incident response, and automate repetitive tasks.

The NSA and cyber security centres in the U.S. (CISA), New Zealand (NZ NCSC), and the U.K. (NCSC-UK) have created a set of recommendations for using PowerShell to mitigate cyber threats instead of removing or disabling it, which would lower defensive capabilities.

“Blocking PowerShell hinders defensive capabilities that current versions of PowerShell can provide, and prevents components of the Windows operating system from running properly. Recent versions of PowerShell with improved capabilities and options can assist defenders in countering abuse of PowerShell.”

Reducing the risk of threat actors abusing PowerShell requires using capabilities in the framework such as PowerShell remoting, which does not expose plain-text credentials when executing commands remotely on Windows hosts. Administrators should be aware that enabling this feature on private networks automatically adds a new rule in Windows Firewall that permits all connections. Customizing Windows Firewall to allow connections only from trusted endpoints and networks helps reduce an attacker’s chance of successful lateral movement. For remote connections, the agencies advise using the Secure Shell protocol (SSH), supported in PowerShell 7, which adds the convenience and security of public-key authentication: remote connections no longer need HTTPS with SSL certificates, no Trusted Hosts entries are required (as they are when remoting over WinRM outside a domain), and remote management is secured without a password for all commands and connections. When properly configured and managed, PowerShell can be a reliable tool for system maintenance, forensics, automation, and security. The full document, titled “Keeping PowerShell: Security Measures to Use and Embrace”, is available from CISA. Edited. Original source: CISA
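The two hardening steps described above, scoping the firewall rule that remoting creates and moving to SSH-based remoting, as an added PowerShell example. This is not code from the advisory or from the agencies; the firewall rule group name is the one Windows uses for the WinRM inbound rules, and every address, host name, user name and key path is a placeholder to be replaced for your own network.

```powershell
# Added example (not from the NSA/CISA advisory): restrict the WinRM inbound
# rules that Enable-PSRemoting creates to trusted sources, then manage the host
# over SSH-based remoting in PowerShell 7. Run in an elevated session on the
# managed host. Addresses, host names, user names and key paths are placeholders.

# 1. Show the inbound WinRM rules and their current remote-address scope.
#    As created by Enable-PSRemoting, the Domain/Private rule accepts any
#    remote address, which is the behaviour the advisory warns about.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Where-Object { $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Profile       = $_.Profile
            RemoteAddress = ($addr -join ',')
        }
    }

# 2. Limit those rules to the management subnet and jump host only.
#    (Placeholder values: substitute the trusted sources for your environment.)
$trustedSources = @('10.0.5.0/24', '10.0.9.10')
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Set-NetFirewallRule -RemoteAddress $trustedSources

# 3. Verify that the scope change took effect before relying on it.
Get-NetFirewallRule -DisplayGroup 'Windows Remote Management' |
    Where-Object { $_.Direction -eq 'Inbound' } |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# 4. SSH-based remoting (PowerShell 7 on both ends, OpenSSH server on the
#    target with a 'Subsystem powershell' entry in sshd_config). Key-based
#    authentication means no password prompt, no HTTPS certificate and no
#    Trusted Hosts entry. Host name, user and key path are placeholders.
$session = New-PSSession -HostName 'srv01.example.internal' `
                         -UserName 'admin' `
                         -KeyFilePath "$HOME\.ssh\id_ed25519"
Invoke-Command -Session $session -ScriptBlock {
    Get-Service WinRM | Select-Object Name, Status
}
Remove-PSSession $session
```

Step 1 is deliberately a read-only check so the change in step 2 can be compared against a known starting point; step 3 repeats the read so the narrowed scope is confirmed rather than assumed. The SSH session in step 4 uses the `-HostName`, `-UserName` and `-KeyFilePath` parameters that PowerShell 7 added for SSH transport; WinRM-style `-ComputerName` sessions are unaffected by it.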

Significant OT / ICS vulnerabilities discovered by researchers

Several industrial control system (ICS) vendors impacted by the recently-disclosed OT:Icefall vulnerabilities have released advisories to inform customers about the impact of the flaws and to provide mitigations. OT:Icefall is the name given to a collection of 56 vulnerabilities discovered by Forescout researchers across the products of ten companies that make operational technology (OT) systems. The report identifies flaws that are related to insecure engineering protocols, weak cryptography or broken authentication schemes, insecure firmware update mechanisms, and native functionality abuse. The security holes impact various types of ICS products, including engineering workstations, PLCs, distributed control systems, building controllers, safety instrumented systems, remote terminal units, and SCADA systems. Exploitation of the flaws can lead to remote code execution, DoS attacks, firmware manipulation, compromised credentials, and authentication bypass.

Affected vendors include Baker Hughes (Bentley Nevada), Emerson, Honeywell, JTEKT, Motorola, Omron, Phoenix Contact, Siemens, and Yokogawa. One of the impacted vendors has not been named as the disclosure process is still ongoing. Patches do not appear to be available, but the impacted vendors have started informing customers about mitigations that should reduce the risk or prevent exploitation. The US Cybersecurity and Infrastructure Security Agency (CISA) has also published advisories for some of the impacted vendors. It’s worth noting that some of the vendors have a higher number of vulnerabilities to deal with — Emerson has over 20 and Honeywell has 10 — which could explain why it’s taking them longer to release advisories. Edited. Original source: Forescout

Ukrainian cybersecurity CERT issues warning

Ukrainian cybersecurity officials exposed two new hacking campaigns against targets there this week, one using a phony tax collection document purportedly sent by the national tax agency and the other using a malicious document that discussed the threat of nuclear attack from Russia. Officials with the Computer Emergency Response Team of Ukraine (CERT-UA) published the first notice Monday, warning of a malicious Microsoft Word document titled “Imposition of penalties” distributed by email supposedly from the State Tax Service of Ukraine. If opened, the document would attempt to load a Cobalt Strike Beacon, which could give an attacker a connection to a target system and potentially enable malicious behaviour. The malicious document was compiled June 16, the officials said. They attributed the activity to a group tracked as UAC-0098, which has been blamed for other attacks on Ukrainian entities in the wake of the Russian attack on Feb. 24 and shows possible links to TrickBot, a well-known malware variant associated with various Russian cybercrime groups.

Ukraine’s State Service of Special Communications and Information Protection said in a statement on its website that the campaign targeted unspecified critical infrastructure within Ukraine. The other attack, which CERT-UA detailed in a notice published Monday, used malicious code in a text file that sought to launch the CredoMap malware.

“According to the set of characteristic features, we consider it possible to associate the detected activity with the activities of the APT28 group,” the agency said. APT28, known widely as Fancy Bear, is a prolific Russian military intelligence hacking crew. The attack exploited a remote code execution vulnerability tracked as CVE-2022-30190 and dubbed “Follina” that would allow an attacker to take control of an affected system, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency warned in a May 31 notice. Metadata associated with the file indicates the document was last modified June 9, suggesting its distribution may have begun June 10, CERT-UA said. Edited. Original source: CERT-UA

Lords move to protect cyber researchers from prosecution

A cross-bench group in the House of Lords is seeking to insert an amendment into the upcoming Product Security and Telecommunications Infrastructure (PSTI) Bill that would provide cyber security researchers, penetration testers and ethical hackers with a Computer Misuse Act defence for carrying out vulnerability and security research. The group includes former digital minister Lord Vaizey and Lord Arbuthnot, a key figure in the unravelling of the Post Office Horizon scandal over many years. They say this will be the first time in the 32-year history of the Computer Misuse Act that there has been an attempt to soften the offence of unauthorised access to computer material, which the security community has long held puts its bona fide work at risk by failing to distinguish it from cyber criminal activity.

The amendment also increases the pressure on the government to make public the findings of its Call for Information on the effectiveness – and potential reform of – the Computer Misuse Act, which closed more than 12 months ago and appears to have been quietly forgotten. The CyberUp campaign, which has been advocating for reform of the Computer Misuse Act for years, said that because the PSTI Bill contains provisions forcing product manufacturers to implement vulnerability disclosure policies, researchers without a statutory defence in the Computer Misuse Act can face “spurious legal action” for reporting a vulnerability to a company which can decide “on a whim” to ignore the policy. This is known as liability dumping. The proposed amendment would provide a statutory defence for breaches of the Computer Misuse Act if the researcher reasonably believed the owner of the system they hacked would have consented to the research, or if such an act was necessary for the detection of crime. The amendment, which is also sponsored by Lord Clement-Jones and Lord Holmes, will be introduced on the floor on 21 June. Edited. Original source: Comp Weekly

Software Supply Chain – Open Source Audit Tool

Cloud security start-up Aqua Security has partnered with the Center for Internet Security (CIS) to create guidelines for software supply chain security and followed up by shipping an open source auditing tool to check compliance with the new benchmarks. The open source tool, called Chain-Bench, is available for auditing an organization's software supply chain stack for security compliance based on the newly created CIS Software Supply Chain Security Guide.

Chain-Bench can be used by organizations to scan the DevOps stack from source code to deployment and simplify compliance with security regulations, standards, and internal policies, Aqua Security explained. In a statement, the company said the new Software Supply Chain Security Guide offers more than 100 foundational recommendations that can be applied across a variety of commonly used technologies and platforms. Within the guide, recommendations span five categories of the software supply chain: Source Code, Build Pipelines, Dependencies, Artifacts, and Deployment. The company said CIS plans to expand this guidance into more specific CIS Benchmarks to create consistent security recommendations across platforms. Edited. Original source: Aqua / CIS

Inverse Finance stung for $1.2 million via flash loan attack

A decentralized autonomous organization (DAO) called Inverse Finance has been robbed of cryptocurrency somehow exchangeable for $1.2 million, just two months after being taken for $15.6 million.

"Inverse Finance’s Frontier money market was subject to an oracle price manipulation incident that resulted in a net loss of $5.83 million in DOLA with the attacker earning a total of $1.2 million," the organization said on Thursday in a post attributed to its Head of Growth "Patb."

And Inverse Finance would like its funds back. Enumerating the steps the DAO intends to take in response to the incident, Patb said, "First, we encourage the person(s) behind this incident to return the funds to the Inverse Finance DAO in return for a generous bounty." That appears unlikely given reports that the attacker has routed the funds through Tornado Cash, a cryptocurrency mixing or tumbling protocol designed to obscure where funds came from. Coincidentally, the service is popular for money laundering. The $5.83 million net loss represents funds borrowed by the attacker from the DAO to conduct the attack. So Inverse Finance is counting it as bad debt rather than funds that need to be repaid to any individual. The attacker used a flash loan – a loan taken out and immediately paid back – to dupe the protocol and obtain control of assets. According to their post, Inverse Finance is "adding additional security operations talent to the Inverse team." That follows "a competent third-party team to review the architecture and implementation of the oracle involved in today’s incident" and contributions and consulting that followed the incident in April. Edited. Original source: Register

New health data strategy for England promises privacy

Health and Social Care Secretary of State Sajid Javid announced a new data strategy focused on giving patients greater control over their data, delivering faster treatment, and tackling the pandemic backlog. The new data in health strategy, Data saves lives: reshaping health and social care with data, focuses on seven core principles, with a particular emphasis on improving the privacy and security of patients’ data, digitising social care, and enabling clinicians and researchers to have legitimate access to the right data in order to improve care and deliver life-saving treatments.

These principles are:

  1. Improving trust in the health and care system’s use of data
  2. Giving health and care professionals the information they need to provide the best care
  3. Improving data for adult social care
  4. Supporting local decision-makers with data
  5. Empowering researchers with the data they need to develop life-changing treatments and diagnostics
  6. Working with partners to develop innovations that improve health and care
  7. Developing the right technical infrastructure

The strategy, which covers only England due to devolved decision-making in healthcare, ties back to Javid’s earlier ambitions to focus reform in healthcare on four P’s: prevention, personalisation, performance, and people – and puts a heavy emphasis on giving patients greater confidence that their data is being used appropriately. Edited. Original source: Gov publications

Cisco alerts another four vulnerabilities

Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old. This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come.

To exploit the vulnerability, an attacker needs valid operator-level or higher access to the appliance. Once authenticated, the miscreant can steal sensitive information, such as user credentials, from a Lightweight Directory Access Protocol (LDAP) external authentication server connected to the device due to a blunder in the query process. We can imagine a rogue insider or someone who has compromised an operator account exploiting this flaw to further penetrate a network.

"This vulnerability is due to a lack of proper input sanitization while querying the external authentication server," reads the security advisory, which was issued last week and updated yesterday with more details on available software fixes.
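The advisory attributes the bug to missing input sanitization when the appliance queries its LDAP server. As an added illustration, not Cisco code and not a description of the appliance's internals, the PowerShell below shows the general difference between concatenating a user-supplied value into an LDAP search filter and escaping it first according to RFC 4515. The function names and the sample user name are constructed for this example.

```powershell
# Added example (not Cisco code): escaping an untrusted value before it is
# embedded in an LDAP search filter, following the RFC 4515 escaping rules.
# Function names and the sample input are constructed for illustration.

function ConvertTo-LdapFilterValue {
    # Replace the characters that carry meaning inside an LDAP filter with
    # their \hh escape, so the value can only ever match as a literal string.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    $escapes = @{
        '\'                = '\5c'
        '*'                = '\2a'
        '('                = '\28'
        ')'                = '\29'
        ([string][char]0)  = '\00'
    }

    $sb = [System.Text.StringBuilder]::new()
    foreach ($ch in $Value.ToCharArray()) {
        $s = [string]$ch
        if ($escapes.ContainsKey($s)) { [void]$sb.Append($escapes[$s]) }
        else                          { [void]$sb.Append($s) }
    }
    return $sb.ToString()
}

function New-UserFilterUnsafe {
    # The pattern behind a "lack of input sanitization" bug: the value is
    # interpolated verbatim, so any filter metacharacter it contains changes
    # the structure of the query instead of being matched as data.
    param([Parameter(Mandatory)][string]$UserName)
    return "(&(objectClass=person)(sAMAccountName=$UserName))"
}

function New-UserFilter {
    # Hardened form: the value is escaped before interpolation.
    param([Parameter(Mandatory)][string]$UserName)
    $safe = ConvertTo-LdapFilterValue -Value $UserName
    return "(&(objectClass=person)(sAMAccountName=$safe))"
}

# Constructed input: a plausible account name that happens to contain
# parentheses and an asterisk, all of which are LDAP filter metacharacters.
$name = "O'Brien (Contractor)*"
New-UserFilterUnsafe -UserName $name
New-UserFilter       -UserName $name
```

In the unsafe builder the parentheses and asterisk from the input become part of the filter grammar, so the query is malformed or wildcarded depending on the server; in the hardened builder they are emitted as `\28`, `\29` and `\2a`, the apostrophe is left alone because it has no filter meaning, and the filter matches only an account literally named that way. Escaping is done character by character, so the backslash rule cannot double-escape sequences produced by the other rules. The same approach applies to any component of a filter built from attributes that an authenticated user can influence.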

Cisco deemed the three other vulnerabilities medium severity, though their CVSS scores range from 5.4 to 9.1. We’re told miscreants haven’t (yet) exploited any of these bugs either. Edited. Original source: Cisco