SonicWall's dog food bites

The Risky Biz newsletter for January 26, 2021

You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page.

SonicWall’s dog food bites

SonicWall customers are on high alert after the company disclosed its internal network was compromised in an attack that abused vulnerabilities in its own SSL-VPN remote access products.

The company released an urgent statement late on Friday, disclosing that its internal systems were breached in an attack that exploited “probable zero-day vulnerabilities on certain SonicWall secure remote access products”.

SonicWall staff spent the weekend working through each of its product lines to figure out which are susceptible to the yet-to-be-disclosed vulnerabilities. By Saturday night, the company concluded that the vulnerability was limited to its SMA 100 series SSL VPNs.

The company recommended that customers temporarily mitigate these undisclosed vulnerabilities by allowlisting all the IPs of legitimate users (lol) until a patch is available.

That’s unrealistic advice for a product designed to let people work from anywhere. (You had one job, etc.)

There’s no word on who’s behind this particular attack just yet.

More hard security lessons from HAND-WAVY RUSSIASTUFF

Vendors at the coal-face of investigations into UNC2452 (aka Holiday Bear) incidents continue to deliver some hard lessons for infosec, with Microsoft and FireEye both releasing some valuable analysis of the campaign.

Microsoft has published an analysis of the second-stage malware used in the attacks on SolarWinds customers. If you can look past the nauseating Microsoft product promotions interspersed through the report, the attackers’ impressive patience and discipline shines through. They customised their attacks for every target, ensuring that the indicators shared by one breached entity wouldn’t be of much use to another. Threat hunter Joe Slowik has some words on what that means over on his DomainTools blog.

FireEye-owned Mandiant also published an excellent summary [pdf] of the ways attackers leveraged corporate network access to swim upstream into Microsoft 365 (M365) accounts, which appears most often to have been their primary objective. In our view, that’s become the defining characteristic of the whole HAND-WAVY operation.

The Mandiant paper explores four paths UNC2452 took to access and extract data from M365 tenants without triggering multifactor authentication:

  • GoldenSAML attacks, in which attackers compromise the ADFS token-signing certificate to forge SAML tokens that are valid for any domain-joined account. This was the attacker’s go-to option for targets that federated identities between on-premise networks and M365 using Active Directory Federation Services.
  • The Azure AD backdoor attack, in which attackers abused access to a M365 admin account to add their own domain (infrastructure) to Azure AD and generate SAML tokens for any user. This would be effective against targets that use pass-through authentication to sync between on-premise networks and M365.
  • The compromise of privileged accounts on a target’s internal network that were synchronised with administrator roles in M365. This would have been easy pickings against targets that followed “express” installations of Azure AD Connect and didn’t alter the configuration afterwards.
  • Backdooring an Azure/365 app, in which attackers with app admin access on M365 could add rogue certificates to apps that have permission to read email or files. This sounds eerily familiar.

A quick, facetious summary of our conclusions: ADFS needs to die in a fire, Azure AD will happily get down and dirty with anything that looks vaguely like an Identity Provider and Microsoft’s “express” Azure AD rollouts were an “accident” waiting to happen.

These were all known techniques. Dr Nestori Syynimaa disclosed the Azure AD technique to Microsoft in October 2017, CyberArk’s Shaked Reiner theorised about GoldenSAML attacks in late 2017 and Fox-IT’s Dirk-jan Mollema covered off all of them in March 2019. Mandiant saw them used more frequently in attacks from mid-2020.

It’s a shame it took an espionage campaign of epic scale (1000 Russian software engineers… or was it 100 10x engineers?) to bring these techniques into focus.

They can’t be ignored any longer. The Mandiant report will be a useful resource for Microsoft Azure/365 customers long after this campaign is mopped up, as will previous contributions from the NSA [pdf], CISA and Microsoft. Now that the SVR has blazed these trails, expect others to follow close behind.

ASIC, Allens also hit in attacks on file transfer software

Australia’s security regulator ASIC and law firm Allens are the latest customers of Accellion software to disclose data breaches, after attackers took a SQL injection bug in the web interface of the Accellion’s FTA (secure file transfer) software for a Christmas joyride.

As previously reported, the Reserve Bank of New Zealand was breached by attackers using the same technique.

Australian financial institutions use ASIC’s install of Accellion’s FTA software to transfer credit licence applications to the regulator. Allens uses the same tool for exchanging large, sensitive files with its high-profile clients.

The Australian Cyber Security Centre (ACSC) warned FTA customers to temporarily isolate FTA hosts from the internet, rotate system passwords and to patch as soon as possible.

Accellion continues to defend its security program, claiming that it (privately) sent clients a patch for the SQLi bug within 72 hours of learning about it.

Risky.Biz has learned that the SQLi was one of several highly exploitable vulnerabilities fixed in that December 20 patch:

  • The SQLi in FTA’s web interface,
  • An XSS vulnerability in FTA’s file manager,
  • Blind SQLi and command injection vulnerabilities in FTA’s administrative interface,
  • An unauthorised upload vulnerability (it was light on details here)

Four days later, on Christmas Eve, Accellion released a second patch for FTA to fix bugs resulting from the first patch, including “password reset issues”.

Accellion did not assign CVEs or publish patch notes for these bugs.

This week an apologetic RBNZ Governor Adrian Orr said the bank’s team had been able to answer “some serious questions” but “there are more for the supplier of the system that was breached”.

US cloud providers hit with KYC obligations

The Biden White House inherited a surprising executive order in the dying hours of the Trump administration: an executive order that foists “Know Your Customer” obligations on US cloud service providers.

Under the proposed regulations, US cloud providers would be required to collect, at minimum, the name, address, contact details, national identifier (where applicable), payment details and IP address of any non-US person signing up to an account, and store that information for six months.

If the US Government identifies a group or a significant number of foreign persons from one country abusing US-owned services, it could order what might loosely be described as a sanctions regime for cloud services. That is, the Commerce Department could “set conditions or a complete prohibition on accounts (including resellers) in certain foreign jurisdictions or by certain foreign persons”.

The stated aim of the policy is to limit the ability of foreign actors to use US cloud services in their hacking operations, under the assumption this will push state-backed attackers on to non-US services where the US intelligence community can more easily target them.

US intelligence agencies face a burdensome legal authorisation process when collecting intelligence on foreigners that use US-based cloud providers. NYU researcher Peter Machtiger notes that authorising collection via the FISA 702 process is (rightly) a serious pain in the rear. When a foreign actor operates from abroad, they can be targeted by the US intelligence community under Executive Order 12333, which is more or less a blanket authorisation used to collect foreign intelligence.

But we fear the policy wonks have made some brash assumptions about attacker behaviour. Would a KYC requirement really compel foreign actors to avoid the use of US-owned cloud services? It’s equally likely that KYC requirements will drive other undesirable behaviours:

  • A more lucrative market for stolen credentials. Just hack Americans that use AWS or Azure or App Engine. (This comes with some risks, like the administrator of the compromised environment detecting the attacker’s presence.)
  • A more lucrative market for fraudulent identities. Think money mules, but for cloud accounts instead of bank accounts.
  • Lots of photoshopped identity docs.

UK school district sent infected laptops

A batch of PCs ordered by the UK Government for distribution to school-age children was found to be infected with the Gamarue, a self-replicating remote access worm.

The Register reports that the infected units arrived amongst a batch of 23,000 GeoBook laptops the UK Government purchased from Shenzhen-headquartered Tactus Group under the Get Help With Technology (GHWT) scheme. GHWT is a £400m program that aims to help Britain’s disadvantaged youth continue learning during lockdowns.

Risky.Biz learned that the infected devices were limited to a batch of those shipped with the Education Department’s InTune (MDM) profile installed by the manufacturer. But we don’t know how many of the 23,000 devices were infected.

The UK Education Department claims the infection was detected prior to the devices being shipped to kids “in all known cases”.

You’ve got mail

To: Everyone
From: Ivan and friends
Incident responders report that the major malspam operators responsible for QakBot, Emotet and Hancitor are back from winter hibernation and ramping up volumes. Emotet and QakBot infections are often sold off to ransomware gangs for further plunder.

Three reasons to actually be cheerful this week:

  1. Job security: US President Joe Biden promised a big funding boost for cyber security projects across the US government. Addressing cybersecurity is reportedly his second highest priority behind tackling COVID-19.
  2. Browser-managed passwords: Microsoft will include a feature that suggests and stores strong, random passwords in the next version of Edge. Like Google’s Chrome, Edge will also check if entered passwords appear in breach dumps.
  3. This IoT device isn’t as dumb as the others: Singapore’s security labelling system, restricted at launch to home routers, is now available to any IoT device sold in the country. Vendors can have their kit assessed free of charge until October 2021.


Go read this other newsletter

There’s another weekly newsletter you might like called TL;DR sec. Clint Gibler does a great job of tracking the release of new infosec tools, research papers and conference talks and he’s super strong on AppSec. There’s a little overlap between what we cover, but Clint’s newsletter is definitely more on the technical side. Check it out!

North Korean attackers target security researchers

Google’s Threat Analysis Group warned security researchers to watch out for unsolicited requests to collaborate on vulnerability research. Some cheeky North Korean actors have been sharing malicious Visual Studio Projects with exploit developers in western countries.

FSB warns Russia to expect retaliatory attacks

Russia’s Federal Security Bureau expects the United States and its allies to launch retaliatory strikes on Russia’s critical infrastructure in response to the HAND-WAVY RUSSIASTUFF shenanigans. The FSB ordered its National Coordination Center for Computer Incidents (NKTsKI) to warn critical information infrastructure operators to prepare for targeted cyber attacks.

Tesla’s DLP actually worked

Tesla filed a lawsuit against a former QA engineer that shifted 26,000 company documents, including snippets of Tesla’s proprietary code, into his personal DropBox when he was just three days into the job. According to Tesla’s complaint, company investigators had to confront the defendant over Microsoft Teams (thanks COVID-19). During this Teams meeting he was alleged to have deleted the DropBox app from his company-issued device, but didn’t realise that the file manager on the device still listed the files stored in his DropBox account.

Add “Zombie Flash” to the cyber lexicon

Lily Hay Newman at Wired wrote an entertaining piece about what happened in places where system administrators didn’t get the “Adobe Flash is dead’’ memo. The train scheduling system for a railway network in Dalian, China was reportedly offline for 20 hours after Adobe pressed the kill switch on Flash. It was restored with a pirated copy of Windows. Apple Daily reported that the disruption interrupted train services for most of the day, but this has since been debunked. Newman reports that Flash is likely to live on, unsupported and vulnerable, in many enterprise networks. Like this one, right here.

Creds from Nitro PDF breach offered at steep discount

Attackers that previously tried to sell 77m credentials stolen from Nitro Software have now dumped them in a forum, where they are available free of charge. The company said the creds were stolen from customers of its free/trial tier.

This week’s long read

Last week we missed a refreshingly cogent post by former NCSC CEO Ciaran Martin on how the United States should respond to HAND-WAVY RUSSIASTUFF. Martin argues that the pledge to “impose costs to deter adversaries’’ has grown into a meaningless catchphrase, especially when applied to state-backed adversaries. We agree: it’s the public policy equivalent of “we take the security of our customers seriously.” What sort of proportionate and legally justifiable measure would impose a cost that SVR couldn’t live with? Suggestions welcome.

Enjoy this update? You can subscribe to the weekly Seriously Risky Business newsletter at our SubStack page. Feedback welcome at