Post Syndicated from Rapid7 original https://blog.rapid7.com/2022/02/25/russia-ukraine-conflict-what-is-rapid7-doing-to-protect-my-organization/

Rapid7 is monitoring the escalating conflict in Ukraine, and we have provided a blog on the various attack vectors organizations may see, as well as guidance on mitigations and remediations.

To assist with your preparation and response efforts, Rapid7 is continuously integrating into our products the most up-to-date threat intelligence — both consumed and curated — which are monitoring for new attack vectors and intelligence in order to alert on attacker behaviors that are associated with various Advanced Persistent Threat (APT) groups within InsightIDR.

If you are a Managed Detection & Response (MDR) customer, our global SOC teams are monitoring your environment 24/7 with a high degree of diligence, and as standard procedure, any verified suspicious activity will be investigated and reported to you with expediency. Considering the current crisis, we have placed a special emphasis on the most relevant APT groups, and we are closely monitoring a wide breadth of sources to make use of any newly created and verified indicators.

Keeping software patched against known vulnerabilities is an important first line of defense against attackers. On January 11, 2022, the Cybersecurity & Infrastructure Security Agency (CISA) published Alert AA22-011A: Understanding and Mitigating Russian State-Sponsored Cyber Threats to US Critical Infrastructure, listing several vulnerabilities known to be exploited by Russian threat actors.

InsightVM and Nexpose have checks for the CVEs called out in this alert. These vulnerabilities are included in InsightVM’s Threat Feed Dashboard (see the Assets With Actively Targeted Vulnerabilities card and the Most Common Actively Targeted Vulnerabilities card), along with other vulnerabilities known to be exploited in the wild.

Useful resources

• Rapid7: Prudent Cybersecurity Preparation for the Potential Russia-Ukraine Conflict
• Rapid7: Staying Secure in a Global Cyber Conflict
• CISA Alert: Understanding and Mitigating Russian State-Sponsored Cyber Threats to U.S. Critical Infrastructure
• CISA Shields Up Report
• CISA Known Exploited Vulnerabilities (KEV) Catalog

Post Syndicated from boB Rudis original https://blog.rapid7.com/2021/11/04/trojan-source-cve-2021-42572/

What is this thing?

Researchers at the University of Cambridge and the University of Edinburgh recently published a paper on an attack technique they call “Trojan Source.” The attack targets a weakness in text-encoding standard Unicode—which allows computers to handle text across many different languages—to trick compilers into emitting binaries that do not actually match the logic visible in source code. In other words, what a developer or security analyst sees in source code with their own eyes could be different from how a compiler interprets it—leading, in effect, to an attack that is not easily discernible. This weakness arises from Unicode’s bidirectional “BiDi” algorithm and affects most compilers, or perhaps more accurately, most editing and code review tooling; the idea that source code will be compiled the way it is displayed to the human eye is a fundamental assumption.

How the attack works.

It is possible, and often necessary, to have both left-to-right and right-to-left glyphs appear in the same sentence. A classic example from O’Reilly’s “Unicode Explained” book shows Arabic embedded in an English sentence and the direction readers familiar with both languages will read the section in:

The official Unicode site also has additional information and examples.

There are a few options available to creators when the need for a document or section of a document to support bidirectional content, one of which is to insert “invisible” control characters that dictate the directionality of text following the directive. This is how the “Trojan Source” attack works. Let’s use one of the examples from the paper to illustrate what’s going on.

The screenshot above is from the GitHub repository associated with the paper and shows the C language source code that looks like it should not print anything when compiled and run. (Also note that there is a very explicit safety banner, which you should absolutely take very seriously in any source code you see it displayed in).

When we copy that code from the browser and paste it into the popular Sublime Text editor with the Gremlins package installed and enabled, we can see the attempted shenanigans pretty clearly:

The line number sidebar shows where sneaky directives have been inserted, and the usually invisible content is explicitly highlighted and not interpreted, so you can see what’s actually getting compiled. In this case, one is always “admin” when they run this program. The bottom line is that you cannot fully trust just your eyes without some assistance.

Note that cat Linux command (available on Windows via the Windows Subsystem for Linux and via macOS by installing the GNU version of the utility) can also be used to display these invisible gremlins:

cat -A -v commentint-out.c                                                  #include <stdio.h>$
#include <stdbool.h>$
$
int main() {$
    bool isAdmin = false;$
    /*M-bM-^@M-. } M-bM-^AM-&if (isAdmin)M-bM-^AM-) M-bM-^AM-& begin admins only */$
        printf("You are an admin.\n");$
    /* end admins only M-bM-^@M-. { M-bM-^AM-&*/$
    return 0;$
}$
$

Unfortunately, GitHub’s safety banner and code-editor plugins do not scale very well. Thankfully, Red Hat has come to the rescue with a simple Python script which can help us identify potential issues across an entire codebase with relative ease. It should also be possible to use this script in pre-commit hooks or in CI/CD workflows to prevent malicious code from entering into production.

CVSSv3 9.8?! Orly?!

While this isn’t really a “vulnerability” in the traditional sense of the word, it’s been assigned CVE-2021-42574 and given a “Critical” CVSSv3 score of 9.8. (The “PetitPotam” attack chain targeting Windows domains is another example of a technique that was recently assigned a CVE.) It’s a little puzzling why CVE-2021-42574 merited a “Critical” severity score, though. According to our calculations, this weakness should be more like a 5.6 on the CVSSv3 scale.

Should I be super scared?

It’s an interesting attack, and its universality is certainly attention-grabbing. With that said, there are some caveats to both novelty and exploitability. Attack techniques that leverage Unicode’s text expression aren’t new. The CVSS score assigned to this is overblown. To exploit this weakness, an attacker would need to have direct access to developers’ workstations, source code management system, or CI pipelines. If an attacker has direct access to your source code management system, frankly, you probably have bigger problems than this attack. Note that said “attacker” could be a legitimate, malicious insider; those types of attackers are notoriously difficult to fully defend against.

What should I do?

You should apply patches from vendors whose products you rely on just as you normally would, keeping in mind that because this flaw is present in so many tooling implementations, you could apply many patches and still be considered “vulnerable” in other implementations. The better thing to do would be to apply a fairly straightforward mitigation: Disallow BiDi directives in your code base if you’re writing in only English or only Arabic.

As noted above, you should absolutely heed the Unicode safety warnings (if available) in any source code repositories you use, and strongly consider using something like the aforementioned Red Hat Unicode directionality directive checker-script in source code control and continuous integration and deployment workflows.

We advise prioritizing truly critical patches and limiting service and system exposure before worrying about source code-level attacks that require local or physical access.

Post Syndicated from Erick Galinkin original https://blog.rapid7.com/2021/07/12/solarwinds-serv-u-ftp-and-managed-file-transfer-cve-2021-35211-what-you-need-to-know/

On July 12, 2021, SolarWinds confirmed an actively exploited zero-day vulnerability, CVE-2021-35211, in the Serv-U FTP and Managed File Transfer component of SolarWinds15.2.3 HF1 (released May 5, 2021) and all prior versions. Successful exploitation of CVE-2021-35211 could enable an attacker to gain remote code execution on a vulnerable target system. The vulnerability only exists when SSH is enabled in the Serv-U environment.

A hotfix for the vulnerability is available, and we recommend all customers of SolarWinds Serv-U FTP and Managed File Transfer install this hotfix immediately (or, at minimum, disable SSH for a temporary mitigation). SolarWinds has emphasized that CVE-2021-35211 only affects Serv-U Managed File Transfer and Serv-U Secure FTP and does not affect any other SolarWinds or N-able (formerly SolarWinds MSP) products. For further details, see SolarWinds’s advisory.

Details

The SolarWinds advisory cites threat intelligence provided by Microsoft. According to Microsoft, a single threat actor unrelated to this year’s earlier SUNBURST intrusions has exploited the vulnerability against a limited, targeted population of SolarWinds customers. The vulnerability exists in all versions of Serv-U 15.2.3 HF1 and earlier. Though Microsoft provided a proof-of-concept exploit to SolarWinds, there are no public proofs-of-concept as of July 12, 2021.

The vulnerability appears to be in the exception handling functionality in a portion of the software related to processing connections on open sockets. Successful exploitation of the vulnerability will cause the Serv-U product to throw an exception, then will overwrite the exception handler with the attacker’s code, causing remote code execution.

Detection

Since the vulnerability is in the exception handler, looking for exceptions in the DebugSocketLog.txt file may help identify exploitation attempts. Note, however, that exceptions can be thrown for many reasons and the presence of an exception in the log does not guarantee that there has been an exploitation attempt.

IP addresses used by the threat actor include:

98.176.196.89 
68.235.178.32 
208.113.35.58

Rapid7 does not use SolarWinds Serv-U FTP products anywhere in our environment and is not affected by CVE-2021-35211.

For further information, see Solarwinds’s FAQ here.

Post Syndicated from boB Rudis original https://blog.rapid7.com/2021/07/13/managed-service-providers-used-in-coordinated-mass-ransomware-attack-impacting-hundreds-of-companies/

Rapid7 is aware of and tracking all information surrounding a coordinated, mass ransomware attack reported to be affecting hundreds of organizations. Huntress Labs is maintaining a public Reddit thread documenting the scope and triage of an event that has, as of the original post date (see updates below), stemmed from 8 managed service providers. Rapid7 does not use Kaseya or a Kaseya MSP and we are not affected by this mass ransomware attack.

Rapid7 is updating this post as more information becomes available. Core information is below the most recent updates.

2021-07-13

• CISA has updated their Kaseya ransomware event guidance for affected managed service providers and their customers.

2021-07-11

• In a video post today, Kaseya has indicated that they are still planning to go ahead with re-enabling an updated VSA SaaS and rollout of the on-prem VSA server update. Some runbook instructions have changed, so any organization planning on going live today should review those changes to see if they impact your environment.

2021-07-09

• The Dutch Institue for Vulnerability Disclosure (DIVD) published more information on the specific vulnerabilities they shared with Kaseya:
  • CVE-2021-30116 – A credentials leak and business logic flaw, resolution in progress. [CVSS 10]
  • CVE-2021-30117 – An SQL injection vulnerability, resolved in May 8th patch. [CVSS 9.8]
  • CVE-2021-30118 – A Remote Code Execution vulnerability, resolved in April 10th patch. (v9.5.6) [CVSS 9.8]
  • CVE-2021-30119 – A Cross Site Scripting vulnerability, resolution in progress. [CVSS 5.4]
  • CVE-2021-30120 – 2FA bypass, resolution in progress. [CVSS 9.9]
  • CVE-2021-30121 – A Local File Inclusion vulnerability, resolved in May 8th patch. [CVSS 6.5]
  • CVE-2021-30201 – A XML External Entity vulnerability, resolved in May 8th patch. [CVSS 7.5]
• President Biden urged Vladimir Putin to ‘take action to disrupt’ Russia-based hackers behind ransomware attacks.

2021-07-08

• Kaseya has posted a video from their CEO notifying customers that patches and VSA SaaS will likely be available this coming Sunday afternoon (July 11, 2021).
• According to Malwarebytes, some threat actors are capitalizing on the extended response to the Kaseya mass ransomware attack and are targeting victims via email with fake patches that push Cobalt Strike payloads.

2021-07-07

• Kaseya has posted runbooks for on premesis VSAs with steps on how to prepare VSA servers for the forthcoming patch. These details include the installation of FireEye’s agent software along with details on how to isolate the server from production networks, and SaaS customers for how to prepare for the SaaS VSAs coming back online.

2021-07-06

• In a statement posted late Monday night, Kaseya provided an update on their assessment of the impact of the attack: "we are aware of fewer than 60 Kaseya customers, all of whom were using the VSA on-premises product, who were directly compromised by this attack. While many of these customers provide IT services to multiple other companies, we understand the total impact thus far has been to fewer than 1,500 downstream businesses. We have not found evidence that any of our SaaS customers were compromised.
• The Compromise Detection Tool, which was originally only provided directly to customers, has been made public. The tool searches for indicators of compromise, evidence of data encryption, and the REvil ransom note.
• Kaseya also stated that — based on advice by outside experts — customers who experienced ransomware and receive communication from the attackers should not click on any links as they may be weaponized.

2021-07-05

• Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger issued a statement noting that the President has directed the full resources of the government to investigate this incident and urged anyone who believes their systems have been compromised in the Kaseya ransomware incident to immediately report to the Internet Crime Complaint Center at https://www.IC3.gov.
• The Associated Press is reporting that REvil has offered a blanket decryption for all victims of the Kaseya attack in exchange for $70 million.
• Incident responders across multiple firms are indicating the number of victim organizations is in the thousands, spanning over 18 countries.

2021-07-04

• Cado Security published resources which can aid responders as they triage theie exposure to the mass ransomware incident.
• CISA and the FBI have issued guidance for MSPs and their customers who have been affected by the Kaseya VSA supply-chain ransomware attack.

2021-07-03 Update

• The Washington Post has a story with information on the ransom demands being made
• The Dutch Institue for Vulnerability Disclosure (DIVD) posted information into their ongoing investigation and response into the Kaseya incident, which includes details on their efforts to identify and secure internet-facing VSA servers.
• CISA posted an initial advisory and is taking action to understand and address the recent supply-chain ransomware attack.
• Bloomberg is reporting that the attack (so far) spans over 1,000 organizations across 11 countries with numerous downstream impacts.

Original/Main Content

Evidence points to a supply chain attack targeting Kaseya VSA patch management and monitoring software. Ransom notes suggest REvil is behind the coordinated attack.

Rapid7 Managed Detection and Response teams suggest that, out of an abundance of caution, organizations that use either an on-premise Kaseya VSA solution or the Kaseya cloud-based VSA solution perform the following steps immediately:

• Disabling or uninstalling the Kaseya agent
• If you host the Kaseya management server, shut down this system (Kaseya also strongly suggests this course of action)

Kaysea appears to be providing updates via their public helpdesk page and their status page provides visibility into the status of their hosted infrastructure.

Researcher @BushidoToken has provided a link to a GitHub gist containing the REvil configuration dump, which includes indicators of compromise organizations may be able to use to detect evidence of these actors operating in your infrastructure.

Rapid7 Customers

Managed Detection and Response

Rapid7’s Managed Detection and Response (MDR) team had existing attacker behavior detections that identified Kaseya-related ransomware activity beginning on Friday, July 2, 2021. Following the initial wave of alerts on Friday, July 2, MDR sent an email communication with a Critical Advisory to all MDR customers with guidance on disabling Kaseya and mitigating risk. We have conducted hunts across customer environments and deployed additional detections to accelerate identification of the threat. Affected customers have been notified.

InsightIDR

Rapid7 has deployed the following detections in InsightIDR for attacker behavior related to the Kaseya ransomware attack:

• Attacker Technique – CertUtil With Decode Flag
• Suspicious Process – Renamed CertUtil
• Suspicious Process – Certutil Decodes Executable File
• Attacker Tool – KWorking\agent.exe