SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #91
November 19, 2019
Phishing Office 365 Admins; Disney+ Accounts Offered on Hacker Forums; Louisiana Takes Down Servers to Contain Ransomware; Nunavut Ransomware Attack
****************************************************************************
SANS NewsBites Nov. 19, 2019 Vol. 21, Num. 091
****************************************************************************
TOP OF THE NEWS
Phishing Campaign Targets Office 365 Admins
Disney+ Accounts Compromised, Offered for Sale on Hacker Forums
Louisiana's Office of Technology Services Takes Down Servers to Contain Ransomware Attack on State Government
Nunavut Government Recovering from Ransomware Attack
REST OF THE WEEK'S NEWS
Intel to Pull Old Drivers and BIOS Updates from Website
Google Fixes Gmail Cross-Site Scripting Flaw
Sometimes Medical Device Security is at Vendors' Discretion
Some Macy's Pages Infected with MageCart Malware
Bluetooth Scanning and Device Theft
Facebook Fixes WhatsApp Remote Code Execution Flaw
Prison Sentence for Man Operating DDoS-for-Hire Scheme
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
TOP OF THE NEWS
--Phishing Campaign Targets Office 365 Admins
(November 18, 2019)
A phishing campaign uses legitimate sender domains to target Office 365 administrators. The emails appear to come from Microsoft, but are actually coming from other compromised organizations. If a phish is successful, the attackers can then use that account to set up more email accounts that appear legitimate and can be used to send additional phishing messages.
[Editor Comments]
[Pescatore] The major cause for compromise of cloud services has been enterprise admins using reusable passwords. The business and user side wants to move to cloud; IT should be saying "OK, part of the transition cost is strong authentication by our admins." This admin privilege management issue does not impact users at all!
[Neely] Enable MFA for administrator accounts and monitor their use. Your admins may wish to keep a "break glass" account with a reusable password. If so, it should be audited, and password changed when used. To help minimize the number of Global Admins in O365, Microsoft is previewing a new role called Global Reader to enable visibility without update capabilities. Disable legacy protocols (IMAP/POP/SMTP) which use legacy or non-MFA authentication. Microsoft can be engaged to assess the security of your O365 environment.
[Murray] In addition to strong authentication, privileged access management mechanisms are indicated here. It is beyond ironic that the place where we are least likely to find strong authentication and are most likely to have shared IDs and passwords is among privileged users.
Read more in:
Threatpost: Office 365 Admins Targeted in Ongoing Phishing Scam
https://threatpost.com/office-365-admins-phishing/150352/
Infosecurity Magazine: Office 365 Admins Singled Out in Phishing Campaign
https://www.infosecurity-magazine.com/news/office-365-admins-singled-out-in/
--Disney+ Accounts Compromised, Offered for Sale on Hacker Forums
(November 16, 2019)
Within hours after the launch of the Disney+ video streaming service, hackers began hijacking accounts and making them available on hacker forums.
[Editor Comments]
[Neely] The most likely source of compromised account information is credential reuse. While it is tempting to reuse passwords or select passwords that are easy to enter on your streaming device, use unique long passphrases on every account. Disney+ doesn't support MFA.
Read more in:
ZDNet: Thousands of hacked Disney+ accounts are already for sale on hacking forums
Infosecurity Magazine: Hacked Disney+ Accounts on Sale for $1
https://www.infosecurity-magazine.com/news/hacked-disney-accounts-on-sale-for/
--Louisiana's Office of Technology Services Takes Down Servers to Contain Ransomware Attack on State Government
(November 18 & 19, 2019)
State government IT systems and websites in Louisiana were unavailable on Monday. Governor John Bel Edwards said that the state's cybersecurity team was activated "in response to an attempted ransomware attack." The state's Office of Technology Services (OTS) took agency servers offline as a precaution.
Read more in:
ZDNet: Ransomware hits Louisiana state government systems
https://www.zdnet.com/article/ransomware-hits-louisiana-state-government-systems/
Reuters: Louisiana government computers knocked out after ransomware attack
The Hill: Louisiana activates cybersecurity team in response to attack on state agencies
Bleeping Computer: Louisiana Government Suffers Outage Due to Ransomware Attack
--Nunavut Government Recovering from Ransomware Attack
(November 14 & 15, 2019)
Computer systems belonging to the Nunavut (Canada) government are starting to be restored after a ransomware attack that hit its computers on November 2. The government did not pay the ransom demanded and has instead reverted to faxes, paper forms, and telephone calls to conduct business while government machines are being wiped and reformatted. The Nunavut government keeps monthly and annual backups of its systems and takes a nightly snapshot.
Read more in:
CBC: Nunavut government computer systems coming back online after cyber attack
https://www.cbc.ca/news/canada/north/nunavut-government-cyber-attack-1.5361662
Nunatsiaq: Government of Nunavut slowly rebuilds computer network following ransomware attack
*****************************************************************************
REST OF THE WEEK'S NEWS
--Intel to Pull Old Drivers and BIOS Updates from Website
(November 18, 2019)
Intel has announced that it will remove old drivers and BIOS updates from its website by Friday, November 22. Many of the drivers that will be purged are for versions of Windows operating systems that Microsoft no longer supports. This means that users running legacy systems need to download the drivers and BIOS updates they need as soon as possible. If they miss the November 22 deadline, there are mirrors of the Intel FTP site.
Read more in:
ZDNet: Intel to remove old drivers and BIOS updates from its site by the end of the week
Bleeping Computer: Intel is Removing End of Life Drivers and BIOS Downloads
--Google Fixes Gmail Cross-Site Scripting Flaw
(November 18, 2019)
Google has fixed a cross-site scripting flaw in the AMP4Email feature. AMP4Email, also known as dynamic email, makes it easier for email to display dynamic content. The feature was made generally available in July. The researcher who found the vulnerability said it "is an example of a real-world exploitation of well-known browser issue called DOM Clobbering." He notified Google of the flaw in August, and a fix was made available before the issue was publicly disclosed.
Read more in:
Security: XSS in GMail's AMP4Email via DOM Clobbering
https://research.securitum.com/xss-in-amp4email-dom-clobbering/
ZDNet: Google patches 'awesome' XSS vulnerability in Gmail dynamic email feature
https://www.zdnet.com/article/google-patches-awesome-xss-vulnerability-in-gmail/
--Sometimes Medical Device Security is at Vendors' Discretion
(November 18, 2019)
In some cases, the security of Internet of Things (IoT) medical devices on health care organizations' networks is managed by the vendors. Often, the vendors do not allow the organization to apply patches, change admin credentials, or add anti-malware protection; if the organizations make such changes, the devices' warranty is voided. One way of managing this issue is to segment the devices.
[Editor Comments]
[Pescatore] Big sigh. At Gartner in 2006, I wrote a research note that pointed out "The Food and Drug Administration issued guidance that removed barriers to medical equipment vendors rapidly issuing patches for vulnerabilities in their products because of FDA certification issues. Enterprises should demand that vendors step up the timeliness of their patch processes." The FDA reiterated that guidance in 2014 and in 2018 put out additional guidance. What has been lacking is health care enterprises mandating security requirements and evaluation criteria for all device procurements. If health care organizations continue to buy junk, the device manufacturers will continue to sell junk.
[Neely] Mitigations for these devices are similar to other unpatched/minimally secure devices on your network: segment them, monitor their actions, and restrict connectivity to only devices and services that are absolutely needed.
Read more in:
Dark Reading: How Medical Device Vendors Hold Healthcare Security for Ransom
--Some Macy's Pages Infected with MageCart Malware
(November 14 & 18, 2019)
Macy's, the US department store, has published a Notice of Breach document explaining that the "Checkout" and "My Wallet" pages on macys.com were infected with MageCart malware last month. The malware was added to the pages on October 7, 2019. Macy's became aware of the situation and removed the malware on October 15. The incident compromised customers' personal information, including names, addresses, email addresses, payment card numbers, expiration dates, and security codes.
[Editor Comments]
[Murray] Online merchants that accept credit cards at checkout put themselves and their customers at unnecessary risk of fraud. Merchants should provide, and consumers should prefer, the use of proxies such as PayPal, Apple Pay, and Click2Pay.
Read more in:
SC Magazine: Macys.com Magecart attack yields payment, personal info
Bleeping Computer: Macy's Customer Payment Info Stolen in MageCart Data Breach
Document Cloud: Macy's Notice of Data Breach, November 14, 2019
https://www.documentcloud.org/documents/6552530-MACY-S-NOTICE-OF-DATA-BREACH.html
--Bluetooth Scanning and Device Theft
(November 18, 2019)
An increase in the number of laptops and other devices stolen from cars suggests that thieves may be using Bluetooth scanners to detect devices left inside vehicles. On some devices, if Bluetooth is turned on, the devices will put out a detectable beacon even when they are idle. Law enforcement officials in some jurisdictions say they are aware of thieves using scanners, but did not provide details.
[Editor Comments]
[Neely] Replacing sleep mode with hibernate turns off the laptop and stops detectable emissions. Also remember to turn off emissions from other mobile devices stored in the car. The simplest fix may be a policy of not leaving devices in vehicles at all.
Read more in:
Wired: Burglars Really Do Use Bluetooth Scanners to Find Laptops and Phones
https://www.wired.com/story/bluetooth-scanner-car-thefts/
--Facebook Fixes WhatsApp Remote Code Execution Flaw
(November 18, 2019)
Facebook has patched a vulnerability in WhatsApp that could be used to launch remote code execution attacks or cause denial-of-service conditions. The stack-based buffer overflow flaw could be exploited by sending a specially-crafted MP4 video file to a targeted user.
[Editor Comments]
[Neely] While there are no reports of active exploitation, it's prudent to update your application now. If you're no longer using WhatsApp, uninstall it.
Read more in:
Threatpost: WhatsApp Remote Code Execution Triggered by Videos
https://threatpost.com/whatsapp-remote-code-execution-videos/150360/
Facebook: CVE-2019-11931
https://www.facebook.com/security/advisories/cve-2019-11931
--Prison Sentence for Man Operating DDoS-for-Hire Scheme
(November 15, 2019)
A US District Judge in North Carolina has sentenced an Illinois man to 13 months in prison for "owning, administering, and supporting illegal booter services" that were used to launch distributed denial-of-service (DDoS) attacks. Sergiy Usatyuk was also ordered to pay more than $500,000 in restitution.
Read more in:
Justice: Former Operator of Illegal Booter Services Sentenced for Conspiracy to Commit Computer Damage and Abuse
The Register: Denial of service kingpin hit with 13 months denial of freedom and a massive bill to pay
https://www.theregister.co.uk/2019/11/15/ddos_owner_13_months_prison/
Regmedia: USA v. Sergiy Petrovich Usatyuk
https://regmedia.co.uk/2019/11/15/usatyuk_complaint.pdf
******************************************************************************
INTERNET STORM CENTER TECH CORNER
TPM Fail Update
https://downloadcenter.intel.com/download/28632
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00241.html
Carriers Filter SMS Messages Sent By Applications
https://isc.sans.edu/forums/diary/SMS+and+2FA+Another+Reason+to+Move+away+from+It/25526/
Office November Update Issues
https://borncity.com/win/2019/11/13/office-november-2019-updates-are-causing-access-error-3340/
WhatsApp Stack Based Buffer Overflow
https://nvd.nist.gov/vuln/detail/CVE-2019-11931
Android Qualcomm Data Exfiltration Bug
https://research.checkpoint.com/the-road-to-qualcomm-trustzone-apps-fuzzing/
Nextcloud Ransomware NextCry
Intel Removing BIOS Downloads for EOL Hardware
https://www.vogons.org/viewtopic.php?f=46&t=69184
https://news.ycombinator.com/item?id=21563309
Outlook 365 Remains Top Phishing Target
https://info.phishlabs.com/blog/active-office-365-phishing-campaign-targeting-admin-credentials
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create