
**Urgent IRT Alert** Your Check Point Weekly Updates & Threat Intelligence -- 12/16/2020

Aaron_Rose
Employee


Urgent Incident Response Team Alert:

 

On December 13th, 2020 FireEye disclosed a breach into their systems was a result of a supply chain attack that originated within a product from software provider SolarWinds.  Further investigation led the Department of Homeland Security to issue Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise directing all Federal agencies to disconnect or power down all SolarWinds Orion products until further notice.

 

Synopsis: A breach of SolarWinds Orion has led to the installation and proliferation of a persistent backdoor into their product.  The APT responsible is believed to have had full access to the effected source code in addition to the software signing certificates to ensure the updates were trusted by affected systems and would remain unnoticed.  The malformed code is believed to have been distributed to customers as early as March 2020.  SolarWinds, a widely used network monitoring solution, by nature has deep access to an organizations infrastructure, thus the critical severity of this attack.


Affected Versions: SolarWinds Orion versions 2019.4 through 2020.2.1 HF1 (Reference: SolarWinds Security Advisory)


If your organization is running an affected version of SolarWinds Orion, contact your local account team or reach out to Check Point's Global Incident Response Team immediately at (866) 923-0907.

 

Infiltration Method: The backdoor code was embedded into a legitimate SolarWinds file (“SolarWinds.Orion.Core.BusinessLayer.dll”).  This backdoor was distributed via a built-in automatic update engine globally as early as March 2020.  Once executed by the update engine, the backdoor maintains persistence by implanting itself as a Windows service and a DLL file (signed by SolarWinds to evade detection). 

 

Impact witnessed thus far:  Check Point’s Global Incident Response Team is engaged with customers and have discovered the following tactics being employed:

  • Once in the network, the intruder then uses the administrative permissions acquired through the on-premises compromise to gain access to the organization’s global administrator account and/or trusted SAML token signing certificate. This enables the actor to forge SAML tokens that impersonate any AD users, including highly privileged accounts.

  • Anomalous logins using the SAML tokens created by the compromised token signing certificate can then be made against any on-premises resources (regardless of identity system or vendor) as well as to any cloud environment (regardless of vendor) because they have been configured to trust the certificate. Credit: Microsoft

  • Although we haven't encountered a compromised Linux resource, if Orion has SSH permissions to a Linux resource, lateral movement is possible. This applies to network devices as well if Orion has SNMP write permission to a device.


Prevention/Remediation Steps:

  • If you have an affected version of SolarWinds Orion deployed, disconnect and/or power down the instance(s) immediately.
  • Check Point has released detailed guidance and tools to determine if the Orion server has been compromised.  This guidance is continuously being updated as additional relevant details are made available.
  • Check Point’s Anti-Virus, Anti-Bot, and Advanced Threat Prevention Technologies have been updated to assist in preventing this attack.
  • Reset API keys and SAML tokens for your identity federation solution. Follow Microsoft's best practice document on Securing ADFS.
  • Monitor all services (O365 is an observed target in cases thus far) for unusual sign-ins and for changes to tokens or keys (specifically, look for token lifespan values greater than the default).
  • Change SNMP community strings on devices managed or monitored by Orion, as well as any AD credentials used for WMI monitoring.


Indicators of Compromise:

  • Network Traffic reaching out to the command and control domain “avsvmcloud.com”
  • Changes to API keys or SAML tokens
  • Unusual logins using identity federation services for cloud and/or local resources
  • New federation trusts added to an existing tenant, or the properties of an existing federation trust modified to accept tokens signed with the attacker's certificates
  • Credentials added (x509 or passwords) to existing OAuth Applications or Service Principals
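Two of the points above, monitoring for token lifespans above the default and watching for tokens signed with an attacker's certificate, can be turned into a simple triage check over captured SAML assertions. This is an added example, not code from the newsletter or from Check Point; the 60-minute baseline, the issuer URL and both certificate strings are placeholders standing in for your own federation server's real values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Assumed baseline (placeholders, not from the advisory): the federation
# server normally issues 60-minute tokens and signs them with this certificate.
EXPECTED_LIFETIME_SECONDS = 60 * 60
EXPECTED_SIGNING_CERT = "MIIC-PLACEHOLDER-LEGITIMATE-TOKEN-SIGNING-CERT"

def _parse_time(value):
    # SAML timestamps are UTC ISO-8601 with a trailing "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text):
    """Return a list of findings for one SAML assertion; an empty list means nothing odd."""
    root = ET.fromstring(xml_text)
    findings = []
    cond = root.find(".//saml:Conditions", NS)
    if cond is None:
        return ["assertion has no Conditions element"]
    lifetime = (_parse_time(cond.get("NotOnOrAfter"))
                - _parse_time(cond.get("NotBefore"))).total_seconds()
    if lifetime > EXPECTED_LIFETIME_SECONDS:
        findings.append(f"token lifetime {lifetime:.0f}s exceeds baseline {EXPECTED_LIFETIME_SECONDS}s")
    # The embedded certificate tells us which key the issuer claims signed the token.
    cert = root.find(".//ds:X509Certificate", NS)
    cert_body = "".join(cert.text.split()) if cert is not None and cert.text else ""
    if cert_body != EXPECTED_SIGNING_CERT:
        findings.append("assertion signed with a certificate other than the known token-signing cert")
    return findings

def sample_assertion(not_before, not_on_or_after, cert):
    # Constructed minimal assertion for the demo; a real one carries a full XML signature.
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}">'
        "<saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>"
        f"<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}"
        "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>"
        f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>'
        "</saml:Assertion>"
    )

NORMAL = sample_assertion("2020-12-16T09:00:00Z", "2020-12-16T10:00:00Z", EXPECTED_SIGNING_CERT)
# One-year validity plus an unknown signer: the pattern the advisory says to watch for.
SUSPICIOUS = sample_assertion("2020-12-16T09:00:00Z", "2021-12-16T09:00:00Z", "MIIC-PLACEHOLDER-UNKNOWN-CERT")
```

Run `check_assertion()` over assertions pulled from federation server logs or proxy captures; a non-empty result is a lead for the sign-in review the bullet above calls for, not a verdict on its own.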


ANNOUNCEMENTS & UPCOMING EVENTS

  • Webinar: Tips and Tricks 2020 #20 – “Using the Threat Prevention API to Protect against Malicious File Uploads”
    When: Friday, December 18th – 9am EST
    Register Here

  • CheckMates TechTalk: “The Value of Security Vendor Self-Awareness”
    When: Wednesday, January 20th - 11am EST
    Register Here


VULNERABILITIES AND PATCHES

  • Check Point researchers have found vulnerabilities in Valve’s Game Networking Sockets, also known as “Steam Sockets”, the core networking library used in a wide variety of games including Valve’s own titles and several third-party titles. If exploited, an attacker could take over hundreds of thousands of computers without needing gamers to click on a malicious email or link.
  • OpenSSL has released a security advisory regarding the EDIPartyName NULL vulnerability that can allow attackers to cause a denial-of-service condition (CVE-2020-1971).
  • Microsoft's December 2020 Patch Tuesday fixes 58 vulnerabilities, nine of them rated critical, including remote code execution (RCE) bugs in SharePoint, Exchange Server, Edge and more.
    Check Point IPS provides protection against these threats (CVE-2020-17096; CVE-2020-17152; CVE-2020-17144; CVE-2020-17121; CVE-2020-17140; CVE-2020-17158)
  • Cisco has addressed a new critical RCE vulnerability that affects several versions of Cisco Jabber for Windows, MacOS and mobile.
  • A critical site-wide cross-site request forgery (CSRF) vulnerability has been found on Glassdoor, a website for job hunting and posting anonymous company reviews. The vulnerability impacted both job seeker and employer accounts on the web domain.
  • Adobe Flash Player has received its final updates, ahead of a complete shutdown at the end of the year.


TOP ATTACKS AND BREACHES

  • The US Treasury Department and US Department of Commerce were victims of a cyberattack compromising their internal email traffic. Perhaps related, SolarWinds IT management software has been exploited in a supply chain attack, adding malicious code to its software updates released between March and June 2020. Check Point utilizes multiple technologies to prevent this attack.
  • Habana Labs, an Israeli AI processor developer owned by Intel, suffered an attack by Pay2Key, a ransomware developed by Iranian hackers and first reported by Check Point Research. The hackers stole Habana Labs data, including source code and business documents, and are threatening to expose it if the ransom is not paid.
    Check Point SandBlast Agent provides protection against this threat
  • Researchers have revealed a phishing campaign executed by the Russian APT28 hacking group, delivering the Zebrocy malware, mainly used against governments and commercial organizations engaged in foreign affairs. The campaign uses lure documents related to Sinopharm International Corporation, a pharmaceutical company going through COVID-19 vaccine clinical tests.
    Check Point SandBlast and Anti-Bot provide protection against this threat (Trojan-Downloader.Win32.Zebrocy)
  • Foxconn, the electronics contract manufacturer in Mexico, has been hit by “DoppelPaymer” ransomware. The hacking group claims to have stolen unencrypted files before encrypting the facility system. 
    Check Point SandBlast Agent provides protection against this threat (Ransomware.Win32.DoppelPaymer)
  • Music streaming giant Spotify has suffered a data breach caused by a security vulnerability exposing users’ private account information including email address, user name and password, date of birth, and gender.
  • Trickbot malware is spreading in a massive phishing campaign targeting the UK, pretending to be a Subway order confirmation including the user’s first name, implying that the attack might follow a data breach.
    Check Point SandBlast and Anti-Bot provide protection against this threat (Trojan-Banker.Win32.TrickBot)
  • FireEye has reported a breach and data exfiltration, as hackers stole FireEye’s “red team” hacking tools.
    Check Point Anti-Bot provides protection against these tools (Backdoor.Win32.Beacon; Trojan.Win32.Rubeus)



THREAT INTELLIGENCE REPORTS

  • “OceanLotus”, or APT32 hacking group, has allegedly been traced to an IT firm in Vietnam. The group is accused of spying on political dissidents and businesses, as well as trying to break into China’s Ministry of Emergency Management and Wuhan government following the COVID-19 outbreak. It has long been suspected of spying on behalf of the Vietnamese government.
  • CISA and FBI warn of a rise in phishing, ransomware, DDoS and Zoom-bombing attacks, targeting students and faculty in K-12 educational sectors.
  • Researchers have discovered a botnet called PGMiner targeting PostgreSQL, an open-source relational database management system. The botnet exploits a disputed RCE flaw to compromise database servers, and installs a cryptocurrency miner. Check Point IPS provides protection against this threat (PostgreSQL Remote Code Execution (CVE-2019-9193))
  • MountLocker ransomware-as-a-service, operating since July 2020, is now offering double extortion capabilities to its affiliates. Check Point SandBlast Agent provides protection against this threat


BOOKMARKS

  • CheckMates Video Series: Check Point for Beginners
    If you’re new to Check Point, or would like to brush up on your CP skillset, this is an excellent video series to get you started!  
  • CheckMates “TechTalk” Webinar Recordings
    In case you missed our previous TechTalks, check out this page for a list of recordings of the whole TechTalk webinar series, including Management API Best Practices, Migrate to R80.40, IPS Ease of Use in R80.20, and more.


If you were forwarded this email, click here to subscribe.