SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #100
December 27, 2019****************************************************************************
SANS NewsBites Dec. 27, 2019 Vol. 21, Num. 100
****************************************************************************
SPECIAL WEBCAST: Tuesday Dec., 31st, 1:00 p.m. ET
What You Need to Know About the Critical Citrix Gateway/ADC (Netscaler) Vulnerability CVE-2019-19781
Speakers: Jason Lam & Johannes Ullrich
Citrix released a workaround for a critical vulnerability in its Gateway/ADC products. This critical perimeter security component can easily be compromised unless you apply the workaround. Join us to learn more. https://www.sans.org/webcasts/about-critical-citrix-gateway-netscaler-vulnerability-cve-2019-19781-112990?utm_medium=Email&utm_source=Newsbites&utm_content=NBvol21no100+NA&utm_campaign=Citrix+Gateway+Vulnerability
Top of The News
- FLASH: Citrix Releases Mitigations for Flaw in Application Delivery Controller and Gateway
- Pensacola Ransomware Hackers Release Data Stolen from City
- LifeLabs Data Breach Affects 15 Million People
The Rest of the Week's News
- SANS Holiday Hack Challenge 2019
- ToTok Messaging App is Spyware
- Twitter Fixes Android App Flaw
- Five Year Prison Sentence for Funneling Millions Through Fraudulent Invoices
- US Federal Jury Finds Cox Communications Liable for Piracy Damages
- Russia's Internet Disconnect Called Successful
- Phishing Scheme Targeted Canadian Bank Customers
- Cisco ASA and Firewall Appliance Targeted Through Known Vulnerability
- Cyber Attack Causes RavnAir to Cancel Some Flights
- Twitter Bans Animated APNG Files
Internet Storm Center Tech Corner
****************************************************************************
Cybersecurity Training Update
-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020
-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS OnDemand and vLive Training
Get an iPad Mini, a Samsung Galaxy Tab S2, or Take $300 Off through January 8 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
****************************************************************************
Free technical content sponsored by SANS
Attend SANS ICS Security Summit & Training Summit 2020 | Orlando, FL | March 2-9.
The 15th annual ICS Summit will bring together in-the-field practitioners & leading experts to share ideas, methods, and techniques for defending control systems.
http://www.sans.org/info/215120
****************************************************************************
Top of the News
FLASH: Citrix Releases Mitigations for Flaw in Application Delivery Controller and Gateway
(December 23 & 24, 2019)
Citrix has released mitigations for a critical flaw in Citrix Netscaler Application Delivery Controller and Citrix Netscaler Gateway could be exploited to gain access to the internal networks of organizations using vulnerable products. The issue is believed to affect at least 80,000 organizations in more than 150 countries worldwide. Citrix users running vulnerable versions of the products are urged to implement the mitigations and upgrade to a new version of firmware when it is ready.
Editor's Note
[Ullrich]
Patch this TODAY! Luckily, we do not see any widespread exploitation of this flaw yet, but maybe we are lucky with the bad guys taking a few days off too. But this vulnerability is easy to exploit and will give full access to one of your critical perimeter appliances. Citrix released the original advisory on the 17th, but it didn't get much attention until Positive Technologies noted the full impact in its blog post on the 23rd. With 70% of the planet taking most of these two weeks off, it is likely that this issue will slip through the cracks.
[Neely]
Citrix provides configuration changes for standalone, HA and clustered (CLIP) environments to mitigate the vulnerabilities. A patch has not been released at this time. While there is no evidence of exploitation, it remains prudent to deploy the configuration changes in a timely fashion. Additionally, verify you're subscribed to Citrix Bulletin Alerts for timely notification of firmware and security alerts.
Read more in:
- https://www.zdnet.com/article/this-critical-citrix-netscaler-bug-could-affect-80000-companies/
- https://support.citrix.com/article/CTX267027
- https://support.citrix.com/article/CTX267679
Pensacola Ransomware Hackers Release Data Stolen from City
(December 16, 23, & 24, 2019)
Hackers who say they launched a ransomware attack on Pensacola, Florida city IT systems say they have published information taken from city computers. Pensacola did not pay the $1 million ransomware demand; releasing the stolen information is believed to be a tactic to get the city to pay the ransom. Other groups spreading ransomware have indicated that they plan to publish data stolen from targets that have not paid their demands.
Editor's Note
[Neely]
As if the decision to pay or not is not complicated enough, new ransomware tactics include data exfiltration. Key here is the question of trust: if you pay to get your data back, are exfiltrated copies truly gone? DLP/exfiltration detection and response capabilities may be able to minimize the data extracted, reducing the potential exposure.
[Murray]
These attackers are becoming increasingly threatening and bold. As yet, few if any have been identified, much less punished. It is essential that we improve our resistance to attack and our back-up and recovery. Have at least three copies of essential data, on two different kinds of media, at least one off-site. Create a capability to recover essential data and applications in hours to days. The necessary application software and tools exist. IT should be asking application owners not whether their applications are critical or not, but when do they become critical; then plan accordingly.
Read more in:
- https://statescoop.com/maze-group-pensacola-ransomware-published-city-files/
- https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/
LifeLabs Data Breach Affects 15 Million People
(December 18, 2019)
A Canadian medical testing laboratory is notifying 15 million people that their personal information was compromised. A notice from the LifeLabs President and CEO says that the company paid the attackers to retrieve the stolen data.
Editor's Note
[Neely]
I applaud the transparency of LifeLabs and attempts to do the right things through reporting, customer notifications, and retrieval of exfiltrated data. Although LifeLabs says the data were not shared or published on-line, impacted parties should operate as if their data are still exposed and take appropriate steps to protect their privacy.
Read more in:
- https://customernotice.lifelabs.com/
- https://healthitsecurity.com/news/data-of-15m-patients-impacted-retrieved-in-lifelabs-cyberattack
****************************************************************************
Sponsored Links
Webcast January 14 at 3:30 PM ET: Designing Security Policies Through Data Intelligence. http://www.sans.org/info/215125
Join us in Washington D.C for the SANS Cyber Threat Intelligence Solutions Forum: http://www.sans.org/info/215130
ICYMI Webcast: What Works in SOC/NOC Integration: Improving Time to Detect, Respond and Contain with ExtraHop Reveal(x). http://www.sans.org/info/215135
****************************************************************************
The Rest of the Week's News
SANS Holiday Hack Challenge 2019
Ta-da--the world's most fun and festive cybersecurity challenge is available now for free. SANS Holiday Hack Challenge is the best place to learn about InfoSec trends, gain exposure to new technologies, and get information that is not accessible anywhere else. This year's challenge includes offensive and defensive training opportunities, machine learning scenarios, an extensive line-up of KringleCon speakers, and so much more. It's game-based training at its best--highly engaging, designed for all skill levels, and actually free. Whether you want to expand on-the-job skills, see the latest tools, or get fresh inspiration from thought leaders in cybersecurity, exploring SANS Holiday Hack Challenge is a smart use of your holiday time. Hurry and secure your complimentary pass today at https://holidayhackchallenge.com.
ToTok Messaging App is Spyware
(December 20, 22, & 23, 2019)
The ToTok mobile messaging app has been downloaded millions of times, but a classified intelligence assessment has found the app to be spyware operating for the benefit of the United Arab Emirates. Users are being advised to remove the app from their devices. The NYT reported that ToTok appears to act as a surveillance tool for the UAE government. ToTok has been removed from the Google Play Store and the Apple App Store.
Editor's Note
[Pescatore]
This is a big deal. The part that is the most telling and that demands real change from Google and Apple: "...it (ToTok) functions much like the myriad other Apple and Android apps that track users' location and contacts." Probably the best hope is to see the GDPR country privacy authorities investigate and see if fines are warranted to drive needed change in Google Play and Apple App Store around tracking.
[Ullrich]
Patrick Wardle (see his technical analysis at objective-see.com, link below) summarized this issue best: "no exploits, no backdoors, no malware, ...again, just 'legitimate' functionality that likely afforded in-depth insight in a large percentage of the country's population." ToTok does pretty much the same thing other chat applications do. But by outlawing other VoIP/Chat applications, and blocking them, the UAE government was able to direct users to this application that they are controlling. And remember that any application offering "end-to-end encryption" still requires the integrity of the application itself.
[Neely]
The ToTok application uses standard location aware features, making the malicious behavior harder to detect at the application store level. As the application has been pulled, iOS and Android protect (where present) will uninstall it from user devices. User awareness remains key, if it seems to good to be true ... In this case the app was touted as one of the few applications that didn't require VPN to work with UAE network security constraints.
Read more in:
- https://www.nytimes.com/2019/12/22/us/politics/totok-app-uae.html
- https://objective-see.com/blog/blog_0x52.html
- https://www.wired.com/story/totok-alleged-emirati-spy-app/
- https://www.bbc.com/news/technology-50890846
Twitter Fixes Android App Flaw
(December 20, 2019)
Twitter has fixed a flaw in its Android app that could have been exploited to take control of accounts and access personal information. Attackers would have needed to "insert... malicious code into restricted storage areas of the Twitter app."
Read more in:
- https://www.digitaltrends.com/social-media/twitter-android-storage-bug/
- https://privacy.twitter.com/en/blog
Five Year Prison Sentence for Funneling Millions Through Fraudulent Invoices
(December 19 & 20, 2019)
A Lithuanian man has been sentenced to five years in prison for defrauding Facebook and Google by sending $120 million worth of phony equipment invoices to Facebook and Google. Evaldas Rimasauskas pleaded guilty to one count of wire fraud earlier this year.
Read more in:
- https://www.theregister.co.uk/2019/12/20/facebook_google_hacker_five_years/
US Federal Jury Finds Cox Communications Liable for Piracy Damages
(December 23, 2019)
A federal jury in Virginia has awarded a coalition of music industry organizations $1 billion in damages from Cox Communications. The jury found that the Internet service provider did not employ sufficient measures to prevent music piracy on its networks. The jury awarded the plaintiffs nearly $100,000 for each work that was pirated.
Read more in:
Russia's Internet Disconnect Called Successful
(December 23 & 24, 2019)
Russia's Ministry of Communications said that its test in which it cut the country's Internet, RuNet, off from the rest of the world's was a success. The test was to see if RuNet could effectively operate while cut off from the worldwide DNS system and the rest of the Internet.
Editor's Note
[Neely]
The days of being able to just "pull the plug" on the Internet connection and run business as usual are long past. Operating while disconnected from the Internet takes a lot of planning and walk-throughs before an actual disconnect can be attempted. DR planning now needs to include mitigations and impacts of internet disconnection which should lead to risk assessments of alternate paths to external services and locations.
Read more in:
- https://www.bbc.com/news/technology-50902496
- https://www.zdnet.com/article/russia-successfully-disconnected-from-the-internet/
Phishing Scheme Targeted Canadian Bank Customers
(December 23 & 24, 2019)
A phishing campaign that has been active since 2017 targets customers of 14 Canadian banks. The scheme involved sending people emails that told then they needed to renew their digital certificate to be able to conduct online transactions. The message includes a PDF attachment.
Read more in:
- https://research.checkpoint.com/2019/canadian-banks-targeted-in-a-massive-phishing-campaign/
- https://www.infosecurity-magazine.com/news/canadian-banks-spoofed-in-2year/
- https://www.databreachtoday.com/phishing-scams-target-canadian-bank-customers-a-13551
Cisco ASA and Firewall Appliance Targeted Through Known Vulnerability
(December 20 & 22, 2019)
Recently-detected denial-of-service and information disclosure attacks targeting Cisco's Adaptive Security Appliance (ASA) and Firewall Appliance are exploiting a known vulnerability. The issue lies in the framework of the ASA/Firepower, and can be exploited by sending a specially-crafted URL. A fix for the flaw has been available since June 2018.
Read more in:
- https://cyware.com/news/cisco-asa-dos-vulnerability-exploited-in-the-wild-f83ea9c4
- https://blog.talosintelligence.com/2019/12/ASA-Bug-Attacked-In-The-Wild.html
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180606-asaftd
Cyber Attack Causes RavnAir to Cancel Some Flights
(December 21 & 23, 2019)
The RavnAir Group grounded several flights over the weekend after the company "experienced a malicious cyber attack on [its] network." RavnAir, which offers flights within the US state of Alaska, cancelled all flights involving its Dash 8 aircraft as the attack affected the plane's maintenance system.
Read more in:
- https://www.infosecurity-magazine.com/news/cyberattack-grounds-flights-in/
Twitter Bans Animated APNG Files
(December 23, 2019)
Twitter has banned animated PNG (APNG) files from being added to Tweets after hackers sent out an animated Tweet through the Epilepsy Foundation's Twitter account. The images could potentially trigger seizures in people with epilepsy. APNGs "don't respect autoplay settings," according to Twitter.
Editor's Note
[Pescatore]
When everyone moved from using Windows PCs to using Android/iOS phones and tablets, no one missed the ability to send each other .exe files. Various forms of animation (like Flash) have become the .exe file of the mobile world and the reality is hardly anyone will miss them when they are blocked, either.
Read more in:
****************************************************************************
Internet Storm Center Tech Corner
Citrix Application Delivery Controller (Netscaler ADC) Critical Vulnerability
https://support.citrix.com/article/CTX267027
Extracting VBA Macros From .DWG Files
https://isc.sans.edu/forums/diary/Extracting+VBA+Macros+From+DWG+Files/25634/
Cisco PKI Self-Signed Certificate Expiration
https://www.cisco.com/c/en/us/support/docs/field-notices/704/fn70489.html
AFRINIC IP Address Space Misappropriated By Insider
****************************************************************************
The Editorial Board of SANS NewsBites
Alan Paller: https://www.sans.org/newsletters/newsbites/editorial-board#alan-paller
Brian Honan: https://www.sans.org/newsletters/newsbites/editorial-board#brian-honan
David Hoelzer: https://www.sans.org/newsletters/newsbites/editorial-board#david=hoelzer
David Turley: https://www.sans.org/newsletters/newsbites/editorial-board#david-turley
Dr. Eric Cole: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cole
Ed Skoudis: https://www.sans.org/newsletters/newsbites/editorial-board#ed-skoudis
Eric Cornelius: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cornelius
Gal Shpantzer: https://www.sans.org/newsletters/newsbites/editorial-board#gal-shpantzer
Jake Williams: https://www.sans.org/newsletters/newsbites/editorial-board#jake-williams
Dr. Johannes Ullrich: https://www.sans.org/newsletters/newsbites/editorial-board#johannes-ullrich
John Pescatore: https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore
Lee Neely: https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely
Mark Weatherford: https://www.sans.org/newsletters/newsbites/editorial-board#mark-weatherford
Rob Lee: https://www.sans.org/newsletters/newsbites/editorial-board#rob-lee
Sean McBride: https://www.sans.org/newsletters/newsbites/editorial-board#sean-mcbride
Shawn Henry: https://www.sans.org/newsletters/newsbites/editorial-board#shawn-henry
Stephen Northcutt: https://www.sans.org/newsletters/newsbites/editorial-board#stephen-northcutt
Suzanne Vautrinot: https://www.sans.org/newsletters/newsbites/editorial-board#suzanne-vautrinot
Tom Liston: https://www.sans.org/newsletters/newsbites/editorial-board#tom-liston
William Hugh Murray: https://www.sans.org/newsletters/newsbites/editorial-board#william-hugh-murray