Month: February 2021

Original release date: February 26, 2021

The National Security Agency (NSA) has released Cybersecurity Information Sheet: Embracing a Zero Trust Security Model, which provides information about, and recommendations for, implementing Zero Trust within networks. The Zero Trust security model is a coordinated system management strategy that assumes breaches are inevitable or have already occurred.

CISA encourages administrators and organizations review NSA’s guidance on Embracing a Zero Trust Security Model to help secure sensitive data, systems, and services.

Quickbooks malware targets tax data for attackers to sell and use in phishing scams.

Cisco also stomped out a critical security flaw affecting its Nexus 3000 Series Switches and Cisco Nexus 9000 Series Switches.

The vulnerability, one of three patched by the company this week, could allow threat actors to breach the external perimeter of a data center or leverage backdoors already installed to take over a system.

Original release date: February 24, 2021

Mozilla has released security updates to address multiple vulnerabilities in Thunderbird 78.8, Firefox ESR 78.8, and Firefox 86. An attacker could exploit these vulnerabilities to take control of an affected system.
 
CISA encourages users and administrators to review the Mozilla security advisories and apply the necessary updates.

Original release date: February 24, 2021

VMware has released security updates to address multiple vulnerabilities–CVE-2021-21972, CVE-2021-21973, CVE-2021-21974—ESXi, vCenter Server, and Cloud Foundation. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.

CISA encourages users and administrators to review VMware Security Advisory VMSA-2021-0002 and apply the necessary updates.

The hotly anticipated ray-tracing, advanced gaming graphics chip will throttle Ethereum mining.

NurseryCam suspends service across 40 daycare centers until a security fix is in place.

Original release date: February 24, 2021

The cybersecurity authorities of Australia, New Zealand, Singapore, the United Kingdom, and the United States have released Joint Cybersecurity Advisory AA21-055A: Exploitation of Accellion File Transfer Appliance. Cyber actors worldwide have exploited vulnerabilities in Accellion File Transfer Appliance to attack multiple federal, and state, local, tribal, and territorial government organizations as well as private industry organizations in the medical, legal, telecommunications, finance, and energy fields. In some instances, the attacker extorted money from victim organizations to prevent public release of information exfiltrated from a compromised Accellion appliance.

CISA encourages users and administrators to review AA21-055A: Exploitation of Accellion File Transfer Appliance and MAR-10325064-1.v1 – Accellion FTA for more information.

Original release date: February 24, 2021

Summary

This joint advisory is the result of a collaborative effort by the cybersecurity authorities of Australia,[1] New Zealand,[2] Singapore,[3] the United Kingdom,[4] and the United States.[5][6] These authorities are aware of cyber actors exploiting vulnerabilities in Accellion File Transfer Appliance (FTA).[7] This activity has impacted organizations globally, including those in Australia, New Zealand, Singapore, the United Kingdom, and the United States.

Worldwide, actors have exploited the vulnerabilities to attack multiple federal and state, local, tribal, and territorial (SLTT) government organizations as well as private industry organizations including those in the medical, legal, telecommunications, finance, and energy sectors. According to Accellion, this activity involves attackers leveraging four vulnerabilities to target FTA customers.[8] In one incident, an attack on an SLTT organization potentially included the breach of confidential organizational data. In some instances observed, the attacker has subsequently extorted money from victim organizations to prevent public release of information exfiltrated from the Accellion appliance.

This Joint Cybersecurity Advisory provides indicators of compromise (IOCs) and recommended mitigations for this malicious activity. For a downloadable copy of IOCs, see: AA21-055A.stix and MAR-10325064-1.v1.stix.

Click here for a PDF version of this report.

Technical Details

Accellion FTA is a file transfer application that is used to share files. In mid-December 2020, Accellion was made aware of a zero-day vulnerability in Accellion FTA and released a patch on December 23, 2020. Since then, Accellion has identified cyber actors targeting FTA customers by leveraging the following additional vulnerabilities.

• CVE-2021-27101 – Structured Query Language (SQL) injection via a crafted HOST header (affects FTA 9_12_370 and earlier)
• CVE-2021-27102 – Operating system command execution via a local web service call (affects FTA versions 9_12_411 and earlier)
• CVE-2021-27103 – Server-side request forgery via a crafted POST request (affects FTA 9_12_411 and earlier)
• CVE-2021-27104 – Operating system command execution via a crafted POST request (affects FTA 9_12_370 and earlier)

One of the exploited vulnerabilities (CVE-2021-27101) is an SQL injection vulnerability that allows an unauthenticated user to run remote commands on targeted devices. Actors have exploited this vulnerability to deploy a webshell on compromised systems. The webshell is located on the target system in the file /home/httpd/html/about.html or /home/seos/courier/about.html. The webshell allows the attacker to send commands to targeted devices, exfiltrate data, and clean up logs. The clean-up functionality of the webshell helps evade detection and analysis during post incident response. The Apache /var/opt/cache/rewrite.log file may also contain the following evidence of compromise:

• [.'))union(select(c_value)from(t_global)where(t_global.c_param)=('w1'))] (1) pass through /courier/document_root.html
• [.'))union(select(reverse(c_value))from(t_global)where(t_global.c_param)=('w1'))] (1) pass through /courier/document_root.html
• ['))union(select(loc_id)from(net1.servers)where(proximity)=(0))] (1) pass through /courier/document_root.html

These entries are followed shortly by a pass-through request to sftp_account_edit.php. The entries are the SQL injection attempt indicating an attempt at exploitation of the HTTP header parameter HTTP_HOST.

Apache access logging shows successful file listings and file exfiltration:

• “GET /courier/about.html?aid=1000 HTTP/1.1” 200 {Response size}
• “GET /courier/about.htmldwn={Encrypted Path}&fn={encrypted file name} HTTP/1.1” 200 {Response size}

When the clean-up function is run, it modifies archived Apache access logs /var/opt/apache/c1s1-access_log.*.gz and replaces the file contents with the following string:

      Binary file (standard input) matches

In two incidents, the Cybersecurity and Infrastructure Security Agency (CISA) observed a large amount of data transferred over port 443 from federal agency IP addresses to 194.88.104[.]24. In one incident, the Cyber Security Agency of Singapore observed multiple TCP sessions with IP address 45.135.229[.]179.

Organizations are encouraged to investigate the IOCs outlined in this advisory and in [AR21-055A]. If an Accellion FTA appears compromised, organizations can get an indication of the exfiltrated files by obtaining a list of file-last-accessed events for the target files of the symlinks located in the /home/seos/apps/1000/ folder over the period of malicious activity. This information is only indicative and may not be a comprehensive identifier of all exfiltrated files.

Mitigations

Organizations with Accellion FTA should:

• Temporarily isolate or block internet access to and from systems hosting the software.
• Assess the system for evidence of malicious activity including the IOCs, and obtain a snapshot or forensic disk image of the system for subsequent investigation.
• If malicious activity is identified, obtain a snapshot or forensic disk image of the system for subsequent investigation, then:
  • Consider conducting an audit of Accellion FTA user accounts for any unauthorized changes, and consider resetting user passwords.
  • Reset any security tokens on the system, including the “W1” encryption token, which may have been exposed through SQL injection.
• Update Accellion FTA to version FTA_9_12_432 or later.
• Evaluate potential solutions for migration to a supported file-sharing platform after completing appropriate testing.
  • Accellion has announced that FTA will reach end-of-life (EOL) on April 30, 2021.[9] Replacing software and firmware/hardware before it reaches EOL significantly reduces risks and costs.

Additional general best practices include:

• Deploying automated software update tools to ensure that third-party software on all systems is running the most recent security updates provided by the software vendor.
• Only using up-to-date and trusted third-party components for the software developed by the organization.
• Adding additional security controls to prevent the access from unauthenticated sources.

Resources

• FireEye Blog – Cyber Criminals Exploit Accellion FTA for Data Theft and Extortion 
  • https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html 
• Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense, known as “CIS Controls” 
  • https://www.cisecurity.org/controls/
  • https://www.cisecurity.org/ms-isac/
• Australia, Canada, New Zealand, the United Kingdom, and the United States Joint Advisory on Technical Approaches to Uncovering and Remediating Malicious Activity 
  • https://us-cert.cisa.gov/ncas/alerts/aa20-245a 
• CISA and MS-ISAC’s Ransomware Guide 
  • https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf

References

• [1] Australian Cyber Security Centre (ACSC)
• [2] New Zealand National Cyber Security Centre (NZ NCSC)
• [3] Singapore Cyber Security Agency (CSA)
• [4] United Kingdom National Cyber Security Centre (UK NCSC)
• [5] United States Cybersecurity and Infrastructure Security Agency (CISA)
• [6] United States Multi-State Information Sharing and Analysis Center (MS-ISAC)
• [7] Accellion Press Release: Update to Recent FTA Security Incident
• [8] Accellion Press Release: Update to Recent FTA Security Incident
• [9] Accellion Announcement: End-of-Life for Legacy FTA Software

Revisions

• February 24, 2021: Initial Version

---