CYBER PULSE: EDITION 139 | 18 DECEMBER 2020

Cyber Security Training Courses, in association with QA, present the latest cyber security news stories.

The SolarWinds ‘Sunburst’ critical supply chain compromise

On 13 December, the security firm FireEye released the details of a sophisticated manual supply chain attack that affects SolarWinds Orion Platform versions 2019.4 HF 5, 2020.2 (with no hotfix installed) or 2020.2 HF 1. The Washington Post reported that APT29 – aka Russian hacking group Cozy Bear – is the main suspect behind the incident, though this has not yet been validated by FireEye.

Read more here: Massive cyber attack on US government and companies underway

The threat actors involved were able to incorporate a malicious “SolarWinds.Orion.Core.BusinessLayer.dll”, dubbed Sunburst, into the SolarWinds Orion software distribution, and the resulting build was digitally signed by SolarWinds. The malicious .dll remains dormant for up to two weeks, after which it connects to several command-and-control servers and can carry out “jobs” such as transferring files, executing files, enumerating the system and more.

After initial compromise, the threat actors use the remote access tools and valid credentials already available within the environment so that their activity blends in with legitimate traffic. Additional tooling has also been deployed: Teardrop, an in-memory-only dropper, was used in this campaign to pull a custom version of Cobalt Strike onto affected systems. SolarWinds recommends updating to Orion version 2020.2.2, which was made available on Tuesday 15 December.

Cisco Talos has summarised the vulnerabilities most likely to be exploited by the stolen red-team tools at FireEye, and has published them alongside the products they affect: CVE-2019-11510 (Pulse Secure), CVE-2020-1472 (Netlogon (Windows)), CVE-2018-13379 (Fortinet FortiGuard FortiOS), CVE-2018-15961 (Adobe ColdFusion), CVE-2019-0604 (Microsoft SharePoint), CVE-2019-0708 (Microsoft Remote Desktop Services), CVE-2019-11580 (Atlassian Crowd and Crowd Data Center), CVE-2019-19781 (Citrix Application Delivery Controller and Citrix Gateway), CVE-2020-10189 (Zoho ManageEngine Desktop Central), CVE-2014-1812 (Group Policy implementation in Microsoft Windows), CVE-2019-3398 (Confluence Server and Data Center), CVE-2020-0688 (Microsoft Exchange), CVE-2016-0167 (Microsoft Windows), CVE-2017-11774 (Microsoft Outlook), CVE-2018-8581 (Microsoft Exchange Server), and CVE-2019-8394 (Zoho ManageEngine ServiceDesk Plus).

Meanwhile, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive directing all US federal agencies to review their networks for signs of compromise and disconnect all SolarWinds products immediately. The NCSC issued a statement and guidance on immediate actions for organisations using SolarWinds.
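The first practical step the story leaves with defenders is an inventory check against the versions named above. The following Python script is an added example, not code from FireEye, SolarWinds or this newsletter: it parses Orion version strings (including the "HF n" hotfix suffix), flags the three versions the page names as affected, and marks everything else only by whether it sits below the recommended 2020.2.2 release. The host names and the inventory file are constructed, and the ordering of a hotfix below the next patch level is an assumption made for tuple comparison.

```python
import re

# Orion versions the page names as carrying the trojanised DLL, and the
# release SolarWinds recommends moving to. Any other version string is
# judged only by whether it sits below that recommended release.
AFFECTED = {"2019.4 HF 5", "2020.2", "2020.2 HF 1"}
RECOMMENDED = "2020.2.2"

# Matches "2020.2", "2020.2.2", "2019.4 HF 5", "2020.2 HF 1" (hotfix tag case-insensitive).
VERSION_RE = re.compile(r"^(\d{4})\.(\d+)(?:\.(\d+))?(?:\s*HF\s*(\d+))?$", re.IGNORECASE)


def parse_orion_version(text):
    """Return (year, minor, patch, hotfix) so versions compare as tuples.

    Assumption: a hotfix on X.Y sorts below the X.Y.1 patch release.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Orion version: {text!r}")
    year, minor, patch, hotfix = m.groups()
    return (int(year), int(minor), int(patch or 0), int(hotfix or 0))


def normalise(text):
    """Canonical spelling, e.g. '2019.4 hf 5' -> '2019.4 HF 5', '2020.2.0' -> '2020.2'."""
    year, minor, patch, hotfix = parse_orion_version(text)
    out = f"{year}.{minor}"
    if patch:
        out += f".{patch}"
    if hotfix:
        out += f" HF {hotfix}"
    return out


def classify(text):
    """'affected' for the versions named by the page, otherwise position vs. 2020.2.2."""
    norm = normalise(text)
    if norm in AFFECTED:
        return "affected"
    if parse_orion_version(norm) >= parse_orion_version(RECOMMENDED):
        return "at-or-above-recommended"
    return "below-recommended"


# Constructed inventory with hypothetical host names, one "host,version" per line.
SAMPLE_INVENTORY = """\
# host,orion_version
orion-prod-01,2020.2 HF 1
orion-prod-02,2020.2.2
orion-lab-01,2019.4 hf 5
orion-lab-02,2020.2.1
orion-old-01,not-installed
"""


def triage_inventory(text):
    """Return (host, version, status) rows; unparseable versions are reported, not skipped."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        try:
            status = classify(version)
        except ValueError:
            status = "unparseable"
        results.append((host.strip(), version.strip(), status))
    return results


if __name__ == "__main__":
    for host, version, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:16} {version:14} {status}")
```

A host reported as "unparseable" still deserves a look: an inventory entry that does not carry a recognisable version is exactly the kind of gap that lets an affected install go unnoticed.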

TCP/IP stack vulnerabilities dubbed AMNESIA:33

Forescout uncovered 33 vulnerabilities across four open-source TCP/IP stacks (uIP, FNET, PicoTCP, and Nut/Net), affecting IoT, OT, and IT devices from at least 150 vendors. Like the Ripple20 vulnerabilities disclosed by JSOF in June, the full scope of AMNESIA:33 is difficult to quantify, since the stacks are widely distributed and implemented by individual vendors themselves. Many devices will likely remain unpatched for this reason.

26 of the flaws could trigger a denial-of-service condition, five could leak potentially sensitive information, two could lead to DNS cache poisoning, and four can be used to achieve remote code execution. Four of the flaws are deemed critical, although the researchers note that the consequences of the vulnerabilities vary widely depending on the circumstances. (A denial-of-service flaw, for example, can be much more serious in an OT environment.) CISA published an advisory to raise awareness around the existence of these vulnerabilities and identify mitigations meant to reduce the risks associated with them.

D-Link routers vulnerable to attack

Multiple wireless routers manufactured by networking hardware supplier D-Link, which has acknowledged the risk, are open to attack via a remotely exploitable root command injection flaw, according to vulnerability management and threat assessment researchers Digital Defense. The research team (VRT) found the previously undisclosed bug in four D-Link products: the DSR-150, DSR-250, DSR-500 and DSR-1000AC VPN routers running firmware versions 3.14 and 3.17.

Although pitched at small and medium-sized enterprises (SMEs) first and foremost, the affected devices are commonly sold on consumer websites and e-commerce sites. Given the rise in remote working during the pandemic, it is possible that many people are connecting into a corporate network using one of the affected devices. The vulnerable component in the devices can be accessed without authentication and is exploitable over the internet from both WAN and LAN interfaces. As such, the researchers said, a remote, unauthenticated attacker who had access to the router’s web interface could execute arbitrary commands as root, giving them control of the router.
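The two properties the story highlights, a handler reachable without authentication and user input that ends up in a root shell command, are shown side by side in the following Python example. It is an added illustration, not code from D-Link, Digital Defense or this newsletter, and the diagnostic handler, parameter names and sample input are hypothetical: the page does not describe the vulnerable component, so the example demonstrates the general command-injection pattern and its fix (strict allow-list validation, an argv list with no shell, and an authentication check before anything else).

```python
import re
import shlex

# Hostnames or IPv4 literals only: letters, digits, dots and hyphens. Anything a
# shell could interpret (; | & $ ` quotes, whitespace) fails this check outright.
TARGET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_ping_vulnerable(target):
    """Anti-pattern: untrusted input concatenated into a string handed to a shell."""
    return "ping -c 1 " + target          # e.g. os.system(...) in Python, system() in C


def shell_tokens(command):
    """Tokenise as a POSIX shell would, keeping ';' '|' '&' as separate tokens.

    Used only to show why the concatenated form is dangerous: a separator in the
    input turns one command into two.
    """
    return list(shlex.shlex(command, punctuation_chars=True))


def build_ping_hardened(target):
    """Validate against the allow-list, then build an argv list so no shell is involved."""
    if not TARGET_RE.match(target):
        raise ValueError("target must be a hostname or IPv4 address")
    return ["ping", "-c", "1", target]


def handle_diagnostic(params, session_authenticated):
    """Simplified handler for a router's 'ping' diagnostic page (hypothetical).

    Returns (status_code, body). Authentication is checked before the input is
    touched; the page's flaw was reachable with no authentication at all.
    """
    if not session_authenticated:
        return 401, "authentication required"
    try:
        argv = build_ping_hardened(params.get("target", ""))
    except ValueError as exc:
        return 400, str(exc)
    # A real handler would now call subprocess.run(argv, timeout=10, capture_output=True)
    # with shell=False (the default). Nothing is executed in this example.
    return 200, " ".join(argv)


if __name__ == "__main__":
    bad = "192.0.2.1; id"           # constructed input carrying a shell separator
    print(shell_tokens(build_ping_vulnerable(bad)))   # separator survives as its own token
    print(handle_diagnostic({"target": bad}, False))  # rejected before validation
    print(handle_diagnostic({"target": bad}, True))   # rejected by the allow-list
    print(handle_diagnostic({"target": "192.0.2.1"}, True))
```

The allow-list is deliberately narrower than "anything that is not a metacharacter": rejecting everything except the characters a hostname can contain is easier to reason about than maintaining a list of dangerous ones, and it holds regardless of which shell the firmware ships.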

Poor security exposes millions of medical images online

In a new research report released today, the analyst team at CybelAngel, a global leader in digital risk protection, has revealed that more than 45 million medical imaging files – including X-rays and CT scans – are freely accessible on unprotected servers. The Full Body Exposure report is the result of a six-month investigation into Network Attached Storage (NAS) and Digital Imaging and Communications in Medicine (DICOM), the de facto standard used by healthcare professionals to send and receive medical data. The analysts discovered that millions of sensitive images, including personal healthcare information (PHI), were available unencrypted and without password protection.

The tools scanned approximately 4.3 billion IP addresses and detected more than 45 million unique medical images left exposed on over 2,140 unprotected servers across 67 countries including the US, UK and Germany. The analysts found that openly available medical images, including up to 200 lines of metadata per record which included PII (personally identifiable information; name, birth date, address, etc.) and PHI (height, weight, diagnosis, etc.), could be accessed without the need for a username or password. In some instances, login portals accepted blank usernames and passwords.
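The metadata the report describes lives in the DICOM file itself, so an organisation auditing its own storage can find and strip identifying attributes without any network scanning. The following Python script is an added example, not code from CybelAngel or this newsletter: it encodes a constructed, minimal explicit-VR little-endian DICOM file, parses it element by element, lists the patient-identifying attributes present, and redacts them in place while preserving element lengths so the file still parses. The tag numbers are the standard DICOM ones; the sample omits the group 0002 file meta elements a real Part 10 file carries and assumes explicit VR little endian throughout, which is a simplification.

```python
import struct

# Patient-identifying attributes (group 0010) an audit should flag: tag -> keyword.
PII_TAGS = {
    (0x0010, 0x0010): "PatientName",
    (0x0010, 0x0020): "PatientID",
    (0x0010, 0x0030): "PatientBirthDate",
    (0x0010, 0x1040): "PatientAddress",
}

# VRs that use the 2-byte reserved + 4-byte length header in explicit VR encoding.
LONG_VRS = {b"OB", b"OW", b"OF", b"SQ", b"UT", b"UN"}


def encode_element(group, elem, vr, value):
    """Explicit VR little endian encoding of one data element (values padded to even length)."""
    vr = vr.encode("ascii")
    if len(value) % 2:
        value += b"\x00" if vr == b"OB" else b" "
    head = struct.pack("<HH", group, elem) + vr
    if vr in LONG_VRS:
        return head + b"\x00\x00" + struct.pack("<I", len(value)) + value
    return head + struct.pack("<H", len(value)) + value


def build_sample():
    """Constructed, minimal Part 10 style file: 128-byte preamble, 'DICM', then elements."""
    body = b"".join([
        encode_element(0x0008, 0x0060, "CS", b"CT"),                  # Modality
        encode_element(0x0010, 0x0010, "PN", b"DOE^JANE"),            # fictitious patient
        encode_element(0x0010, 0x0020, "LO", b"TEST-0001"),
        encode_element(0x0010, 0x0030, "DA", b"19700101"),
        encode_element(0x0010, 0x1040, "ST", b"1 Example Street"),
        encode_element(0x7FE0, 0x0010, "OB", b"\x00" * 16),          # stand-in pixel data
    ])
    return b"\x00" * 128 + b"DICM" + body


def iter_elements(data):
    """Yield (tag, vr, value, value_offset) for each element after the 'DICM' marker."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file (missing DICM marker)")
    pos = 132
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6]
        if vr in LONG_VRS:
            (length,) = struct.unpack_from("<I", data, pos + 8)
            pos += 12
        else:
            (length,) = struct.unpack_from("<H", data, pos + 6)
            pos += 8
        yield (group, elem), vr.decode("ascii"), data[pos:pos + length], pos
        pos += length


def find_pii(data):
    """Map keyword -> decoded value for every identifying attribute present in the file."""
    return {
        PII_TAGS[tag]: value.decode("ascii").rstrip(" \x00")
        for tag, _vr, value, _off in iter_elements(data)
        if tag in PII_TAGS
    }


def redact_pii(data):
    """Overwrite identifying values with 'X', keeping lengths so the file structure is unchanged."""
    out = bytearray(data)
    for tag, _vr, value, off in iter_elements(data):
        if tag in PII_TAGS:
            out[off:off + len(value)] = b"X" * len(value)
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample()
    print("identifying attributes present:", find_pii(sample))
    print("after redaction:", find_pii(redact_pii(sample)))
```

Length-preserving redaction is the conservative choice for an audit tool: it never shifts later elements, so a file that parsed before still parses afterwards, and the pixel data is untouched.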

Edited and compiled by QA's Director of Cyber, Richard Beck.
