Threat Intel Week 27, 2020

F5 Traffic Management User Interface (TMUI) Remote Code Execution (CVE-2020-5902) & XSS (CVE-2020-5903)

https://support.f5.com/csp/article/K52145254

https://support.f5.com/csp/article/K43638305

A critical vulnerability exists (CVE-2020-5902) that can lead to remote code execution from an unauthenticated network position. The vulnerability is in the management interface; by good practice these interfaces would sit on a private, restricted network, but we know this is not always the case, as we can see from Shodan:


https://www.shodan.io/search?query=http.favicon.hash%3A-335242539

A proof-of-concept exploit for this vulnerability is actively being used in the wild, covering path traversal to file read through to remote code execution. Examples of both the Metasploit module and public intel on the HTTP requests are here:

https://github.com/rapid7/metasploit-framework/pull/13807

https://github.com/jas502n/CVE-2020-5902/

We strongly recommend that management interfaces are not exposed to the internet; consider:

  • Removing the interface from the internet
  • Using IP whitelisting to restrict traffic flows
  • Using a VPN and/or jump box solution to perform sensitive remote administration tasks
  • Restricting access using a dedicated management traffic interface/route
  • Patching the vulnerable devices
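As an added example (not from the advisory or the linked PoC repositories), the following detection logic flags web-server log lines that target the TMUI path with a path-traversal sequence, which is the class of request the post describes. The `/tmui/` path prefix, the log format and the sample log lines are all constructed assumptions for the example; the traversal forms it looks for are the plain `../` segment and the `..;` segment variant, after URL-decoding.

```python
import re
from urllib.parse import unquote

# Assumed path prefix of the F5 management UI; the post names the TMUI but not its URL path.
TMUI_PREFIX = "/tmui/"

# Traversal forms after decoding: a "../" segment, or the "..;" segment variant that
# some Java servlet containers collapse during path normalisation.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|;)")

# Common log format: client, identd, user, [timestamp], "METHOD path PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jul/2020:10:01:12 +0000] "GET /tmui/login.jsp HTTP/1.1" 200 4821
203.0.113.9 - - [05/Jul/2020:10:02:40 +0000] "GET /tmui/login.jsp/..;/tmui/example.jsp HTTP/1.1" 200 1431
198.51.100.7 - - [05/Jul/2020:10:03:05 +0000] "GET /tmui/%2e%2e/static/x.css HTTP/1.1" 404 312
198.51.100.8 - - [05/Jul/2020:10:04:00 +0000] "GET /static/../index.html HTTP/1.1" 200 900
"""


def decode_path(path):
    """Strip the query string and URL-decode twice so double-encoded dots are caught too."""
    p = path.split("?", 1)[0]
    return unquote(unquote(p))


def is_tmui_traversal(path):
    """True when the decoded path targets the management UI and contains a traversal segment."""
    p = decode_path(path)
    return p.startswith(TMUI_PREFIX) and TRAVERSAL.search(p) is not None


def find_suspicious(log_text):
    """Return (client_ip, raw_path, status) for every log line matching the pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        if is_tmui_traversal(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), m.group("status")))
    return hits


if __name__ == "__main__":
    for ip, path, status in find_suspicious(SAMPLE_LOG):
        print(f"suspicious TMUI request from {ip}: {path} (HTTP {status})")
```

A 200 response to a traversal request against the management UI deserves the most attention; a 404 still tells you who is probing the interface, which is itself a sign that it is reachable from where it should not be.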

Palo Alto Networks PA-OS Authentication Bypass (CVE-2020-2021)

https://security.paloaltonetworks.com/CVE-2020-2021

When Security Assertion Markup Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

This vulnerability requires specific conditions to exist (which are not good practice from a Palo Alto deployment best-practice point of view), so whilst this is still critical, it is wise to conduct a configuration review and take appropriate action.

Phishing

Phishing is a constant threat. During the COVID pandemic we have seen lures adapted to take advantage of a range of situations, as always leveraging fear, uncertainty and doubt (FUD) and high-pressure scenarios such as PPE, coronavirus testing equipment, etc.

From an internet-facing perspective we see the following generalisations:

  • Poor coverage of SPF, DMARC and DKIM deployment
  • Misconfiguration of mail protection records

Whilst we advocate security awareness with staff members, during a time of increased pressure it is just as important (potentially more so) to leverage technical controls as well as soft controls to reduce the likelihood of a phishing incident achieving impact.
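The two generalisations above (missing and misconfigured SPF/DMARC) are the kind of thing a quick record check surfaces. The example below is added here and is not part of the original post: it checks an SPF record and a DMARC record for the common weaknesses (no record, more than one record, a permissive `+all`/`?all`, `p=none`, no `rua=` reporting address, partial `pct=`). DKIM is not covered because checking it needs a selector name, which a domain check alone does not have. The TXT records are constructed inline for three hypothetical domains; swap the `lookup` callable for a real DNS TXT query to check your own domains.

```python
# Constructed TXT records for hypothetical domains (no real DNS lookups are made).
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 +all", "v=spf1 ip4:192.0.2.0/24 ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "none.example": [],
}


def lookup_txt(name, records=SAMPLE_TXT):
    """Stand-in for a DNS TXT query; returns the list of TXT strings for a name."""
    return records.get(name, [])


def check_spf(domain, lookup=lookup_txt):
    """Return a list of SPF findings; an empty list means nothing obviously wrong."""
    spf = [r for r in lookup(domain) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record"]
    findings = []
    if len(spf) > 1:
        findings.append("multiple SPF records (receivers treat this as a permanent error)")
    for rec in spf:
        terms = rec.split()[1:]
        all_terms = [t.lower() for t in terms if t.lower().lstrip("+-~?") == "all"]
        if not all_terms:
            if not any(t.lower().startswith("redirect=") for t in terms):
                findings.append("SPF has no terminal 'all' mechanism (defaults to neutral)")
            continue
        qualifier = all_terms[-1]
        if qualifier in ("all", "+all"):
            findings.append("SPF ends in +all: every sender passes")
        elif qualifier == "?all":
            findings.append("SPF ends in ?all: neutral, gives receivers nothing to act on")
    return findings


def check_dmarc(domain, lookup=lookup_txt):
    """Return a list of DMARC findings for _dmarc.<domain>; empty means nothing obviously wrong."""
    recs = [r for r in lookup("_dmarc." + domain) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["no DMARC record"]
    if len(recs) > 1:
        return ["multiple DMARC records: receivers ignore DMARC entirely"]
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC has no valid p= policy tag")
    elif policy == "none":
        findings.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so the deployment cannot be monitored")
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        findings.append("pct=%s: policy applies only to a sample of messages" % tags["pct"])
    return findings


def check_domain(domain, lookup=lookup_txt):
    """Combine SPF and DMARC findings for one domain."""
    return {"spf": check_spf(domain, lookup), "dmarc": check_dmarc(domain, lookup)}


if __name__ == "__main__":
    for d in ("good.example", "weak.example", "none.example"):
        print(d, check_domain(d))
```

The checks are deliberately conservative: they flag records that cannot protect the domain rather than attempting a full SPF evaluation (include chains, the ten-lookup limit and so on), which needs live DNS.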

Useful Resources

Phishing and Web Content Filtering

Our friends in the CTI League and Cyber Threat Coalition both publish independent block lists which can be leveraged by mail hygiene and perimeter security solutions (such as firewall and IPS/IDS systems):

https://github.com/COVID-19-CTI-LEAGUE/PUBLIC_RELEASE

https://blocklist.cyberthreatcoalition.org/vetted/

NCSC Weekly Threat Report

This report includes links to the phishing reporting service recently stood up by NCSC:

https://www.ncsc.gov.uk/information/report-suspicious-emails

https://www.ncsc.gov.uk/report/weekly-threat-report-3rd-july-2020

Our Phishing Awareness Campaign

Cyber Awareness

Over the last week or so, the team at Cygenta and I have been busy pulling together the first campaign for the CV19 volunteers group, which is focused on phishing awareness. This campaign will go to frontline and back office staff in healthcare organisations in the UK, Germany, France, Spain, Italy, Portugal, Russia, Poland, Greece, Sweden, Slovakia, Finland, Norway and the Netherlands. It will also be made available for use in CV19 sister groups in Australia, Brazil, the USA and Dubai.

You can see all of the resources and download them here.

Cyber criminals are seeking to exploit the COVID-19 pandemic, with many social engineering attacks using the crisis as a theme in one way or another. The UK’s National Cyber Security Centre (NCSC) has detected more UK government branded scams relating to COVID-19 than any other subject, as they outline in this joint advisory (PDF) with the US Department of Homeland Security. According to Google, criminals are sending 18 million COVID-19 phishing emails a day to Gmail users, with some speculating that the pandemic is the biggest phishing topic we have ever seen.

With this in mind, my team and I knew that phishing should be the focus of the first awareness campaign that we would deliver as part of our volunteer work with the CV19 group. The healthcare workers that we know have been recipients of phishing messages both at work and on their personal devices and now, more than ever, we want to help the healthcare sector be as secure as possible. 

Posters for the CV19 phishing awareness campaign

Many phishing attacks take advantage of people’s anxieties, concerns, desire to help and the special offers and support that corporations are extending to healthcare workers. Attackers do this because when a target’s judgement is clouded by emotion, they are more likely to click a link, download an attachment or transfer money without considering the fact that the communication might not be genuine. Therefore, this campaign raises awareness of these scams and the way they target our emotional responses. The aim of this campaign is to encourage people to be vigilant of communications and to take a minute to check it’s right. 

Video for the CV19 phishing awareness campaign

We have intentionally avoided heavy use of fear-based messaging, because such messaging can often be counter-productive. We want to engage and empower people, not add more fear into a climate where there is already enough anxiety. 

For this awareness campaign, we have created three posters, three flyers and a video. These are targeted at frontline and back office healthcare workers in the UK and Europe and are freely available for all to download and use.

You can see all of the resources and download them here.

Using a Pi-hole to fight phishing

Introduction

Due to recent events related to COVID-19, some health centres in Europe have fallen victim to ransomware attacks. The first channel used to spread ransomware is often phishing, so here are some suggestions for blocking web browsing to phishing sites when users have clicked on emailed phishing links.

In my personal journey of learning about this technology, some time ago I installed Pi-hole ad blocking on my Raspberry Pi to avoid annoying commercials when surfing the net from home. Pi-hole has more powerful applications as well, such as adding other types of blacklists to the Pi-hole – and a phishing site blacklist could be one of them.

The chain

The chain to follow to transform your Pi-hole into a DNS server that blocks phishing links is pretty easy:

  1. Download and install Pi-hole; there are many guides on the Internet, depending on where you want to install it, and here’s one for Raspberry Pi.
  2. Add the phishing list to the adlists.list file of your Pi-hole installation.
  3. Update your Gravity list.
  4. Report and vote for phishing sites.
  5. Check that Pi-hole blocks the right DNS queries.

As stated, the first step is pretty simple – yet it’s off topic here (ping the author if you are in trouble with the installation), so let’s move straight to the second point.

Add phishing list

I recently found a very good project that updates a phishing blacklist every 6 hours. This list could be implemented in your own Pi-hole installation to block phishing sites. It is called Phishing Army and it updates its lists directly from 3 sources:

Add Phishing Army blacklist to your Pi-hole

To add the Phishing Army blacklist to your Pi-hole, simply add the list URL to the file /etc/pihole/adlists.list in your Pi-hole installation. Connect to the Pi-hole via SSH and open the file:

# vim /etc/pihole/adlists.list

Paste the link at the bottom of your list file, write and quit.

Update your Gravity list

Now you have to update the Gravity blocklist by running:

# pihole -g

Report and vote for phishing sites

The first thing to do is to report and vote for phishing sites, and the easiest way is to follow the instructions written on the amazing blog of the CyberV19 volunteers about using the voting system on Phishtank. When a Phishtank-submitted link reaches a good number of votes, it is marked as phishing. At that stage it will be included in the next Phishing Army blacklist update and automatically picked up by your Pi-hole when the feed is refreshed.

Checks

Now you can check whether your Pi-hole is blocking malicious DNS requests. Search for a full or partial link in the Query Lists search of the Pi-hole admin interface:


Try to browse to one of the links in the results and watch the DNS query being blocked by the Pi-hole:


Well done!
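As an added example covering steps 2, 3 and 5 of the chain above (this is not code from the original post or from the Pi-hole project), the script below does in Python what the post does by hand: it appends the feed URL to the adlists.list file only if it is not already there, parses a feed the way gravity does (hosts-style and plain-domain lines, comments stripped) so you can see which names a list would block, and interprets a DNS answer from the Pi-hole as blocked or allowed. Assumptions: the feed URL is a placeholder because the post omits the real link, the v4-style `/etc/pihole/adlists.list` file named in the post is used, the sample feed is constructed, and the Pi-hole answers blocked names with `0.0.0.0`/`::` (its default NULL blocking mode) or NXDOMAIN. Running `pihole -g` afterwards is still needed to rebuild gravity.

```python
import os
import socket
import tempfile

# Placeholder: the post omits the Phishing Army feed URL, so substitute the real one.
PHISHING_LIST_URL = "https://example.invalid/phishing_army_blocklist.txt"

# Adlist file used by the Pi-hole version the post describes.
ADLISTS_PATH = "/etc/pihole/adlists.list"

# Constructed sample feed (not the real Phishing Army list).
SAMPLE_FEED = """\
# Constructed sample feed
0.0.0.0 phish-login.example
0.0.0.0 secure-update.example   # hosts-style entry with trailing comment
covid-relief.example
"""


def add_adlist(url, path=ADLISTS_PATH):
    """Append url to the adlists file unless already present. Returns True if added."""
    existing = []
    if os.path.exists(path):
        with open(path) as f:
            existing = [ln.strip() for ln in f if ln.strip() and not ln.startswith("#")]
    if url in existing:
        return False
    with open(path, "a") as f:
        f.write(url + "\n")
    return True


def parse_blocklist(text):
    """Turn a hosts-style or plain-domain feed into the set of domains gravity would block."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        # hosts format: "0.0.0.0 bad.example"; plain format: "bad.example"
        domain = parts[1] if len(parts) > 1 else parts[0]
        domains.add(domain.lower().rstrip("."))
    return domains


def verdict_for(answer):
    """Pi-hole answers blocked names with 0.0.0.0/:: (NULL mode) or NXDOMAIN (None here)."""
    if answer is None or answer in ("0.0.0.0", "::"):
        return "blocked"
    return "allowed"


def _system_resolve(domain):
    """Resolve through the machine's configured resolver; None stands for NXDOMAIN."""
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        return None


def check_domain(domain, resolver=None):
    """Step 5: ask the resolver (by default the system one, pointed at the Pi-hole) and classify."""
    resolver = resolver or _system_resolve
    return verdict_for(resolver(domain))


def demo_add_adlist():
    """Exercise add_adlist against a temporary file; returns (first_add, second_add, occurrences)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "adlists.list")
        first = add_adlist(PHISHING_LIST_URL, path)
        second = add_adlist(PHISHING_LIST_URL, path)
        with open(path) as f:
            count = f.read().count(PHISHING_LIST_URL)
    return first, second, count


if __name__ == "__main__":
    print("adlist demo:", demo_add_adlist())
    print("feed domains:", sorted(parse_blocklist(SAMPLE_FEED)))
    # Point the machine at the Pi-hole as its DNS server before trusting this verdict.
    print("verdict:", check_domain("phish-login.example"))
```

Two caveats for the check step: gravity matches exact domain names, so a subdomain of a listed name is not blocked unless the list (or a regex entry) names it; and an NXDOMAIN answer also comes back for names that simply do not exist, so test with a listed domain that resolves when asked upstream.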

Conclusions

This is a home setup scenario. For a small company, or to test enterprise solutions, we would suggest installing Pi-hole in a Docker container and configuring the Domain Controller to use the Pi-hole as its primary DNS server.

To reiterate, we recommend this setup for HOME use only. Hospitals and healthcare providers should use business class solutions for DNS services and protective DNS.

Thanks

Thanks to Luca Testoni for writing this blog and contributing to CV19! This is a slightly modified version of the post on https://blackcloud.me/fight-phishing/

Helping the fight against phishing!

PhishTank is a collaborative clearing house for data and information about phishing on the Internet. We can use Phishtank to help take down and disrupt phishing operations.

We are also working on some custom tooling; however, in the meantime let’s make sure everyone knows how easy it is to help fight phishing!

Getting Started

To report and vote for sites on Phishtank, you first need to register on the Phishtank site at https://www.phishtank.com/:

Click on Register or use the following URL:

https://www.phishtank.com/register.php

Enter your details:

Click I’m not a robot and complete the captcha:

Click Verify and then Create My Account:

You will now be sent an email with a validation link:

You are now good to go! Next, we need to sign in:

Reviewing and Voting

We are now ready to report and vote for phishing sites!

Click on the submission ID you want to review.

Review the site – this one is impersonating the World Health Organization (WHO):

Click it’s a PHISH (or another option, depending upon the result of your review):

We have now voted this as a phishing site! Simples! If the site gets validated enough it will be added to block lists.

Phishtank can be used to report both URLs and phishing emails. The process is fairly simple. If you want to check a URL, you can do this from the main page. If it is not in the database, follow the onscreen instructions and submit the phish. You can then share the URL with the group and we can help review and upvote sites once they’re submitted.

Every little bit we do to disrupt these networks helps, so get registered and make sure you remember to report and upvote!