
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #100

December 27, 2019

****************************************************************************

SANS NewsBites                Dec. 27, 2019                Vol. 21, Num. 100

****************************************************************************


SPECIAL WEBCAST: Tuesday, Dec. 31st, 1:00 p.m. ET

 

What You Need to Know About the Critical Citrix Gateway/ADC (Netscaler) Vulnerability CVE-2019-19781

 

Speakers: Jason Lam & Johannes Ullrich

 

Citrix released a workaround for a critical vulnerability in its Gateway/ADC products. This critical perimeter security component can easily be compromised unless you apply the workaround. Join us to learn more. https://www.sans.org/webcasts/about-critical-citrix-gateway-netscaler-vulnerability-cve-2019-19781-112990?utm_medium=Email&utm_source=Newsbites&utm_content=NBvol21no100+NA&utm_campaign=Citrix+Gateway+Vulnerability


 

Top of The News

 

- FLASH: Citrix Releases Mitigations for Flaw in Application Delivery Controller and Gateway

- Pensacola Ransomware Hackers Release Data Stolen from City

- LifeLabs Data Breach Affects 15 Million People

 

The Rest of the Week's News

 

- SANS Holiday Hack Challenge 2019

- ToTok Messaging App is Spyware

- Twitter Fixes Android App Flaw

- Five Year Prison Sentence for Funneling Millions Through Fraudulent Invoices

- US Federal Jury Finds Cox Communications Liable for Piracy Damages

- Russia's Internet Disconnect Called Successful

- Phishing Scheme Targeted Canadian Bank Customers

- Cisco ASA and Firewall Appliance Targeted Through Known Vulnerability

- Cyber Attack Causes RavnAir to Cancel Some Flights

- Twitter Bans Animated APNG Files

 

Internet Storm Center Tech Corner

 

****************************************************************************

Cybersecurity Training Update

 

-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020


-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020


-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020


-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020


-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020


-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020


-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020


-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


-- SANS OnDemand and vLive Training

Get an iPad Mini, a Samsung Galaxy Tab S2, or Take $300 Off through January 8 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap

 

****************************************************************************

Free technical content sponsored by SANS

 

Attend SANS ICS Security Summit & Training 2020 | Orlando, FL | March 2-9.

The 15th annual ICS Summit will bring together in-the-field practitioners & leading experts to share ideas, methods, and techniques for defending control systems.


http://www.sans.org/info/215120

 

****************************************************************************  

Top of the News

 

FLASH: Citrix Releases Mitigations for Flaw in Application Delivery Controller and Gateway

(December 23 & 24, 2019)

Citrix has released mitigations for a critical flaw in Citrix Netscaler Application Delivery Controller and Citrix Netscaler Gateway that could be exploited to gain access to the internal networks of organizations using vulnerable products. The issue is believed to affect at least 80,000 organizations in more than 150 countries worldwide. Citrix users running vulnerable versions of the products are urged to implement the mitigations now and to upgrade to the fixed firmware when it is released.

 

Editor's Note

 

[Ullrich]

Patch this TODAY! Luckily, we do not see any widespread exploitation of this flaw yet, but maybe we are lucky with the bad guys taking a few days off too. But this vulnerability is easy to exploit and will give full access to one of your critical perimeter appliances. Citrix released the original advisory on the 17th, but it didn't get much attention until Positive Technologies noted the full impact in its blog post on the 23rd. With 70% of the planet taking most of these two weeks off, it is likely that this issue will slip through the cracks.

 

[Neely]

Citrix provides configuration changes for standalone, HA and clustered (CLIP) environments to mitigate the vulnerabilities. A patch has not been released at this time. While there is no evidence of exploitation, it remains prudent to deploy the configuration changes in a timely fashion. Additionally, verify you're subscribed to Citrix Bulletin Alerts for timely notification of firmware and security alerts.

 

Read more in:

- https://www.scmagazine.com/home/security-news/vulnerabilities/citrix-vulnerability-places-80000-companies-at-risk/

- https://www.theregister.co.uk/2019/12/23/patch_now_published_citrix_applications_leave_network_vulnerable_to_unauthorised_access/

- https://www.darkreading.com/vulnerabilities---threats/citrix-urges-firms-to-harden-configurations-after-flaw-report/d/d-id/1336695

- https://www.bleepingcomputer.com/news/security/critical-citrix-flaw-may-expose-thousands-of-firms-to-attacks/

- https://www.zdnet.com/article/this-critical-citrix-netscaler-bug-could-affect-80000-companies/

- https://support.citrix.com/article/CTX267027

- https://support.citrix.com/article/CTX267679


 

Pensacola Ransomware Hackers Release Data Stolen from City

(December 16, 23, & 24, 2019)

The attackers who claim responsibility for the ransomware attack on Pensacola, Florida city IT systems say they have published information taken from city computers. Pensacola did not pay the $1 million ransom demand; releasing the stolen information is believed to be a tactic to pressure the city into paying. Other groups spreading ransomware have indicated that they plan to publish data stolen from targets that have not paid their demands.

 

Editor's Note

 

[Neely]

As if the decision to pay or not is not complicated enough, new ransomware tactics include data exfiltration. Key here is the question of trust: if you pay to get your data back, are exfiltrated copies truly gone? DLP/exfiltration detection and response capabilities may be able to minimize the data extracted, reducing the potential exposure.

 

[Murray]

These attackers are becoming increasingly threatening and bold. As yet, few if any have been identified, much less punished. It is essential that we improve our resistance to attack and our back-up and recovery. Have at least three copies of essential data, on two different kinds of media, at least one off-site. Create a capability to recover essential data and applications in hours to days. The necessary application software and tools exist. IT should be asking application owners not whether their applications are critical, but when they become critical; then plan accordingly.

 

Read more in:

- https://statescoop.com/maze-group-pensacola-ransomware-published-city-files/

- https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/

- https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/


 

LifeLabs Data Breach Affects 15 Million People

(December 18, 2019)

A Canadian medical testing laboratory is notifying 15 million people that their personal information was compromised. A notice from the LifeLabs President and CEO says that the company paid the attackers to retrieve the stolen data.

 

Editor's Note

 

[Neely]

I applaud the transparency of LifeLabs and attempts to do the right things through reporting, customer notifications, and retrieval of exfiltrated data. Although LifeLabs says the data were not shared or published on-line, impacted parties should operate as if their data are still exposed and take appropriate steps to protect their privacy.

 

Read more in:

- https://customernotice.lifelabs.com/

- https://news.softpedia.com/news/canadian-company-pays-hackers-to-retrieve-data-of-15-million-customers-528649.shtml

- https://healthitsecurity.com/news/data-of-15m-patients-impacted-retrieved-in-lifelabs-cyberattack


****************************************************************************  

Sponsored Links

 

Webcast January 14 at 3:30 PM ET: Designing Security Policies Through Data Intelligence. http://www.sans.org/info/215125

 

Join us in Washington D.C for the SANS Cyber Threat Intelligence Solutions Forum: http://www.sans.org/info/215130

 

ICYMI Webcast: What Works in SOC/NOC Integration: Improving Time to Detect, Respond and Contain with ExtraHop Reveal(x). http://www.sans.org/info/215135


****************************************************************************  

The Rest of the Week's News

 

SANS Holiday Hack Challenge 2019

 

Ta-da--the world's most fun and festive cybersecurity challenge is available now for free. SANS Holiday Hack Challenge is the best place to learn about InfoSec trends, gain exposure to new technologies, and get information that is not accessible anywhere else. This year's challenge includes offensive and defensive training opportunities, machine learning scenarios, an extensive line-up of KringleCon speakers, and so much more. It's game-based training at its best--highly engaging, designed for all skill levels, and actually free. Whether you want to expand on-the-job skills, see the latest tools, or get fresh inspiration from thought leaders in cybersecurity, exploring SANS Holiday Hack Challenge is a smart use of your holiday time. Hurry and secure your complimentary pass today at https://holidayhackchallenge.com.


 

ToTok Messaging App is Spyware

(December 20, 22, & 23, 2019)

The ToTok mobile messaging app has been downloaded millions of times, but a classified intelligence assessment has found the app to be spyware operating for the benefit of the United Arab Emirates. Users are being advised to remove the app from their devices. The NYT reported that ToTok appears to act as a surveillance tool for the UAE government. ToTok has been removed from the Google Play Store and the Apple App Store.

 

Editor's Note

 

[Pescatore]

This is a big deal. The part that is the most telling and that demands real change from Google and Apple: "...it (ToTok) functions much like the myriad other Apple and Android apps that track users' location and contacts." Probably the best hope is to see the GDPR country privacy authorities investigate and see if fines are warranted to drive needed change in Google Play and Apple App Store around tracking.

 

[Ullrich]

Patrick Wardle (see his technical analysis at objective-see.com, link below) summarized this issue best: "no exploits, no backdoors, no malware, ...again, just 'legitimate' functionality that likely afforded in-depth insight in a large percentage of the country's population." ToTok does pretty much the same thing other chat applications do. But by outlawing other VoIP/Chat applications, and blocking them, the UAE government was able to direct users to this application that they are controlling. And remember that any application offering "end-to-end encryption" still requires the integrity of the application itself.

 

[Neely]

The ToTok application uses standard location aware features, making the malicious behavior harder to detect at the application store level. As the application has been pulled, iOS and Android protect (where present) will uninstall it from user devices. User awareness remains key; if it seems too good to be true ... In this case the app was touted as one of the few applications that didn't require VPN to work with UAE network security constraints.

 

Read more in:

- https://www.nytimes.com/2019/12/22/us/politics/totok-app-uae.html

- https://objective-see.com/blog/blog_0x52.html

- https://www.wired.com/story/totok-alleged-emirati-spy-app/

- https://www.bbc.com/news/technology-50890846


 

Twitter Fixes Android App Flaw

(December 20, 2019)

Twitter has fixed a flaw in its Android app that could have been exploited to take control of accounts and access personal information. Attackers would have needed to "insert... malicious code into restricted storage areas of the Twitter app."

 

Read more in:

- https://www.digitaltrends.com/social-media/twitter-android-storage-bug/

- https://www.reuters.com/article/us-twitter-cyber/twitter-fixes-glitch-in-its-android-app-idUSKBN1YO21N

- https://privacy.twitter.com/en/blog


 

Five Year Prison Sentence for Funneling Millions Through Fraudulent Invoices

(December 19 & 20, 2019)

A Lithuanian man has been sentenced to five years in prison for defrauding Facebook and Google by sending the two companies $120 million worth of phony equipment invoices. Evaldas Rimasauskas pleaded guilty to one count of wire fraud earlier this year.

 

Read more in:

- https://www.theregister.co.uk/2019/12/20/facebook_google_hacker_five_years/

- https://www.justice.gov/usao-sdny/pr/lithuanian-man-sentenced-5-years-prison-theft-over-120-million-fraudulent-business


 

US Federal Jury Finds Cox Communications Liable for Piracy Damages

(December 23, 2019)

 

A federal jury in Virginia has awarded a coalition of music industry organizations $1 billion in damages from Cox Communications. The jury found that the Internet service provider did not employ sufficient measures to prevent music piracy on its networks. The jury awarded the plaintiffs nearly $100,000 for each work that was pirated.

 

Read more in:

- https://arstechnica.com/tech-policy/2019/12/cox-communications-hit-with-1-billion-verdict-over-music-piracy/


 

Russia's Internet Disconnect Called Successful

(December 23 & 24, 2019)

Russia's Ministry of Communications said that its test in which it cut the country's Internet, RuNet, off from the rest of the world was a success. The test was to see if RuNet could effectively operate while cut off from the worldwide DNS system and the rest of the Internet.

 

Editor's Note

 

[Neely]

The days of being able to just "pull the plug" on the Internet connection and run business as usual are long past. Operating while disconnected from the Internet takes a lot of planning and walk-throughs before an actual disconnect can be attempted. DR planning now needs to include mitigations and impacts of internet disconnection which should lead to risk assessments of alternate paths to external services and locations.

 

Read more in:

- https://www.bbc.com/news/technology-50902496

- https://www.zdnet.com/article/russia-successfully-disconnected-from-the-internet/


 

Phishing Scheme Targeted Canadian Bank Customers

(December 23 & 24, 2019)

A phishing campaign that has been active since 2017 targets customers of 14 Canadian banks. The scheme involves sending people emails telling them they need to renew their digital certificate to be able to conduct online transactions. The messages include a PDF attachment.

 

Read more in:

- https://research.checkpoint.com/2019/canadian-banks-targeted-in-a-massive-phishing-campaign/

- https://www.infosecurity-magazine.com/news/canadian-banks-spoofed-in-2year/

- https://www.bleepingcomputer.com/news/security/two-year-long-phishing-campaign-impersonates-canadian-banks/

- https://www.databreachtoday.com/phishing-scams-target-canadian-bank-customers-a-13551


 

Cisco ASA and Firewall Appliance Targeted Through Known Vulnerability

(December 20 & 22, 2019)

Recently detected denial-of-service and information disclosure attacks targeting Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense software are exploiting a known vulnerability. The issue lies in the web framework of ASA/Firepower and can be exploited by sending a specially crafted URL. A fix for the flaw has been available since June 2018.

 

Read more in:

- https://cyware.com/news/cisco-asa-dos-vulnerability-exploited-in-the-wild-f83ea9c4

- https://www.bleepingcomputer.com/news/security/cisco-security-appliances-targeted-for-dos-attacks-via-old-bug/

- https://blog.talosintelligence.com/2019/12/ASA-Bug-Attacked-In-The-Wild.html

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd


 

Cyber Attack Causes RavnAir to Cancel Some Flights

(December 21 & 23, 2019)

The RavnAir Group grounded several flights over the weekend after the company "experienced a malicious cyber attack on [its] network." RavnAir, which offers flights within the US state of Alaska, cancelled all flights involving its Dash 8 aircraft as the attack affected the plane's maintenance system.

 

Read more in:

- https://www.flyravn.com/ravn-news/ravnair-group-experiences-cyber-attack-impacting-dash-8-operations/

- https://news.softpedia.com/news/alaska-flights-canceled-after-hackers-take-down-aircraft-maintenance-system-528698.shtml

- https://www.infosecurity-magazine.com/news/cyberattack-grounds-flights-in/

- https://www.adn.com/alaska-news/aviation/2019/12/21/ravnair-flights-in-alaska-canceled-after-cyber-attack/


 

Twitter Bans Animated APNG Files

(December 23, 2019)

Twitter has banned animated PNG (APNG) files from being added to Tweets after hackers sent out an animated Tweet through the Epilepsy Foundation's Twitter account. The images could potentially trigger seizures in people with epilepsy. APNGs "don't respect autoplay settings," according to Twitter.

 

Editor's Note

 

[Pescatore]

When everyone moved from using Windows PCs to using Android/iOS phones and tablets, no one missed the ability to send each other .exe files. Various forms of animation (like Flash) have become the .exe file of the mobile world and the reality is hardly anyone will miss them when they are blocked, either.

 

Read more in:

- https://www.theverge.com/2019/12/23/21035855/twitter-bans-apngs-trolls-seizures-epilepsy-foundation-attack

 

****************************************************************************  

Internet Storm Center Tech Corner

 

Citrix Application Delivery Controller (Netscaler ADC) Critical Vulnerability

https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/

https://support.citrix.com/article/CTX267027

 

Extracting VBA Macros From .DWG Files

https://isc.sans.edu/forums/diary/Extracting+VBA+Macros+From+DWG+Files/25634/

 

Cisco PKI Self-Signed Certificate Expiration

https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70489.html

 

AFRINIC IP Address Space Misappropriated By Insider

https://mybroadband.co.za/news/internet/330379-how-internet-resources-worth-r800-million-were-stolen-and-sold-on-the-black-market.html


****************************************************************************

The Editorial Board of SANS NewsBites


Alan Paller: https://www.sans.org/newsletters/newsbites/editorial-board#alan-paller


Brian Honan: https://www.sans.org/newsletters/newsbites/editorial-board#brian-honan


David Hoelzer: https://www.sans.org/newsletters/newsbites/editorial-board#david=hoelzer


David Turley: https://www.sans.org/newsletters/newsbites/editorial-board#david-turley


Dr. Eric Cole: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cole


Ed Skoudis: https://www.sans.org/newsletters/newsbites/editorial-board#ed-skoudis


Eric Cornelius: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cornelius


Gal Shpantzer: https://www.sans.org/newsletters/newsbites/editorial-board#gal-shpantzer


Jake Williams: https://www.sans.org/newsletters/newsbites/editorial-board#jake-williams


Dr. Johannes Ullrich: https://www.sans.org/newsletters/newsbites/editorial-board#johannes-ullrich


John Pescatore: https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore


Lee Neely: https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely


Mark Weatherford: https://www.sans.org/newsletters/newsbites/editorial-board#mark-weatherford


Rob Lee: https://www.sans.org/newsletters/newsbites/editorial-board#rob-lee


Sean McBride: https://www.sans.org/newsletters/newsbites/editorial-board#sean-mcbride


Shawn Henry: https://www.sans.org/newsletters/newsbites/editorial-board#shawn-henry


Stephen Northcutt: https://www.sans.org/newsletters/newsbites/editorial-board#stephen-northcutt


Suzanne Vautrinot: https://www.sans.org/newsletters/newsbites/editorial-board#suzanne-vautrinot


Tom Liston: https://www.sans.org/newsletters/newsbites/editorial-board#tom-liston


William Hugh Murray: https://www.sans.org/newsletters/newsbites/editorial-board#william-hugh-murray