After completing the workaround, run the following command to verify:
curl -X POST "http://localhost:15080/analytics/telemetry/ph/api/hyper/send?_c&_i=test" -d "Test_Workaround" -H "Content-Type: application/json" -v 2>&1 | grep HTTP
If the above command returns a 404 error, then the workaround has been successfully implemented. The workaround is only needed if you are unable to apply the necessary patch immediately.
This is a critical vulnerability, and some reports have already come in that threat actors have been observed scanning for it, though we have not yet observed any active exploitation in the wild. If you are a Perch customer subscribed to the Emerging Threats Pro community, detection signatures have already been put in place for this and the other VMware vulnerabilities released in this advisory. The CRU has released a couple of signatures specifically for CVE-2021-22005 which have been deployed across all Perch IDS customers:
Microsoft Exchange has been a hot topic throughout all of 2021. It’s been almost three weeks since we’ve had to talk about any new vulnerabilities related to Microsoft Exchange. This week, researchers from Guardicore Labs released a report with information about an information disclosure vulnerability inherent in the design of Microsoft’s Autodiscover protocol. Autodiscover is a protocol designed to make configuration of Outlook clients simpler by allowing an end-user to configure Outlook to connect to an Exchange server by only supplying a username and password.
The information disclosure issue is specifically related to the “back-off” procedure built into the Autodiscover protocol. Say, for example, you have a user configuring an Outlook client with the email address user@example.com. Outlook will parse the email address, identify the domain name example.com, and then search for an Autodiscover URL with Exchange configuration information in the following order:
https://Autodiscover.example.com/Autodiscover/Autodiscover.xml
http://Autodiscover.example.com/Autodiscover/Autodiscover.xml
https://example.com/Autodiscover/Autodiscover.xml
http://example.com/Autodiscover/Autodiscover.xml
If none of these URLs respond, Autodiscover will continue to “back off” and attempt to connect to http://Autodiscover.com/Autodiscover/Autodiscover.xml. This means that if someone controls “Autodiscover.com”, Outlook will send them your username and password. This applies to any top-level domain (TLD), such as “.com”, “.net”, etc.
According to the Guardicore Labs report, they registered the following domains:
- Autodiscover.com.br – Brazil
- Autodiscover.com.cn – China
- Autodiscover.com.co – Colombia
- Autodiscover.es – Spain
- Autodiscover.fr – France
- Autodiscover.in – India
- Autodiscover.it – Italy
- Autodiscover.sg – Singapore
- Autodiscover.uk – United Kingdom
- Autodiscover.xyz
- Autodiscover.online
All these domains were configured to point to a web server they controlled, and they began collecting information. They also developed a mechanism that downgrades a client’s authentication scheme from a secure one to HTTP Basic Auth, which sends credentials in an easily captured clear-text format. Between April 16, 2021, and August 25, 2021, they captured 372,072 Windows domain credentials in total, with 96,671 unique credentials leaked.
Guardicore Labs lists a couple of mitigation strategies for this information disclosure vulnerability. First, they recommend blocking all Autodiscover.TLD domains (e.g., Autodiscover.com, Autodiscover.cn, etc.) in your firewall. A comprehensive list of all available TLDs is available at https://data.iana.org/TLD/tlds-alpha-by-domain.txt. You should also make certain basic authentication is disabled in Exchange, and if you are using Exchange and Outlook, make sure your Autodiscover domain is configured and working. The leak only occurs when the expected Autodiscover.(yourdomain.com) host doesn’t respond.
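To make the back-off behaviour and the recommended blocklist concrete, here is an added example (not code from Guardicore Labs or from this post) that builds the Autodiscover lookup order for an address, parses the IANA TLD file format into a blocklist, and flags proxy log lines that reach an Autodiscover.TLD host. It assumes a single back-off step (the leftmost label of the domain is dropped, as in the example.com case above) and a constructed log line format of time, client, method, URL, status.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt in the format of the IANA list linked above
# (a leading "# Version ..." comment, then one upper-case TLD per line).
IANA_TLD_SAMPLE = """# Version 2021092400 (constructed sample, not the real file)
COM
NET
ONLINE
UK
XYZ
"""

# Constructed proxy log lines (assumed format: time client method url status).
SAMPLE_PROXY_LOG = [
    "2021-09-24T10:01:02Z 10.0.0.5 GET https://autodiscover.example.com/Autodiscover/Autodiscover.xml 200",
    "2021-09-24T10:01:03Z 10.0.0.5 POST http://autodiscover.xyz/Autodiscover/Autodiscover.xml 401",
    "2021-09-24T10:02:00Z 10.0.0.9 GET https://www.example.net/index.html 200",
]

def load_tlds(text):
    """Parse the IANA TLD list into a set of lower-case TLDs (comment lines skipped)."""
    return {ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.startswith("#")}

def autodiscover_candidates(email):
    """URLs in the order described above; the last entry is the assumed single
    back-off step (leftmost label dropped), which lands on autodiscover.<tld>."""
    domain = email.rsplit("@", 1)[1].lower()
    path = "/Autodiscover/Autodiscover.xml"
    urls = [f"https://autodiscover.{domain}{path}", f"http://autodiscover.{domain}{path}",
            f"https://{domain}{path}", f"http://{domain}{path}"]
    parent = domain.split(".", 1)[1] if "." in domain else domain
    urls.append(f"http://autodiscover.{parent}{path}")
    return urls

def is_autodiscover_tld(host, tlds):
    """True when host is exactly autodiscover.<tld>: a name any third party can register."""
    labels = host.lower().rstrip(".").split(".")
    return len(labels) == 2 and labels[0] == "autodiscover" and labels[1] in tlds

def flag_proxy_log(lines, tlds):
    """Hosts from log lines whose URL targets an autodiscover.<tld> name."""
    hits = []
    for line in lines:
        m = re.search(r"https?://\S+", line)
        host = urlparse(m.group(0)).hostname if m else None
        if host and is_autodiscover_tld(host, tlds):
            hits.append(host)
    return hits
```

The same `is_autodiscover_tld` check applied to the full IANA list yields the firewall blocklist the report recommends; second-level registries such as com.br are not in that file and need to be added by hand.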
Ransomware Hits Big Agriculture
Two U.S. farmers’ cooperatives have suffered ransomware attacks this week. Farmers’ feed and grain cooperative NEW Cooperative, with over sixty locations throughout Iowa, was the victim of a ransomware attack from BlackMatter, a newer group that appeared on the scene in late July and is believed to be the successor to DarkSide, the Russian APT group to which the Colonial Pipeline attack back in May was attributed. According to NEW Cooperative, this attack threatens to affect the software controlling 40% of US grain production, as well as the feed schedule for 11 million animals.
BlackMatter claims on their website to avoid attacking critical infrastructure; however, during the initial negotiation process between BlackMatter and NEW Cooperative, the BlackMatter representative responded that they do not “fall under the rules” and instead threatened to double the ransom demand, initially set at $5.9 million. BlackMatter is also threatening to release a terabyte of stolen data on their darknet data leak site.
Minnesota farming supply cooperative Crystal Valley was also the victim of a ransomware attack on Sunday. Crystal Valley has 260 employees and provides services to 2,500 farmers and livestock producers in Minnesota and Iowa. According to their public notice, “Crystal Valley has been targeted in a ransomware attack. The attack has infected our computer systems and interrupted the daily operations of our company.
Note: due to this, we are unable to accept Visa, Mastercard, and Discover cards at our cardtrols until further notice. Local cards do work.”
Information regarding the ransom demand and who is responsible has not yet been disclosed. While NEW Cooperative has switched to a paper-based system and is still delivering grain, it is likely we will see long-lasting effects from both of these attacks in the price of food in the US.
Bryson Medlock, the Dungeon Master