SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #95

December 6, 2019

****************************************************************************

SANS NewsBites Dec. 6, 2019 Vol. 21, Num. 095

****************************************************************************

Top of The News

- Data Center Ransomware Infection

- Illinois School District Hit with Ransomware

The Rest of the Week's News

- Evil Corp. Hacking Group Indictments

- Man-in-the-Middle Attack Used to Steal Venture Capital Investment

- Great Cannon DDoS Tool Reportedly Being Used on Hong Kong Protesters' Online Forum

- ZeroCleare Wiper Malware Used Against Energy, Industrial Organizations in Middle East

- US Senators Get Classified Ransomware Briefing

- Rich Communication Services Implementations Found to be Unsecure

- Siemens Provides Workaround for PLC Flaw

- NIST Draft Guidance on Hardware Supply Chain Security

Internet Storm Center Tech Corner

****************************************************************************

CYBERSECURITY TRAINING UPDATE

-- SANS OnDemand and vLive Training

Get an iPad Air with Smart Keyboard, a Surface Go, or Take $300 Off through December 11 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/

-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020

-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020

-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020

-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020

-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020

-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020

-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020

-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020

-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap

****************************************************************************

Free technical content sponsored by VMRay

Unmasking Context-Aware Malware: Learn from the VMRay Research Team about the techniques malware authors use to understand the context of an analysis environment by dissecting real-world examples Operation ShadowHammer and OopsIE malware.

https://www.sans.org/info/214965

****************************************************************************

Top of the News

Data Center Ransomware Infection

(December 5, 2019)

Data Center provider CyrusOne has confirmed that it suffered a ransomware attack earlier this week. The company says that the incident has affected "availability issues" for six of its managed services customers.

Editor's Note

[Neely]

This attack appears to be caused by a version of the REvil (Sokinokibi) ransomware, which also impacted 23 local governments across Texas earlier this year. Consider the impact/risks if one of your providers, such as your colocation service or your MSP, is impacted, and doesn't plan to pay the ransom, as is indicated in this case; are you prepared with alternatives to continue operations for the duration of the incident?

[Murray]

The six customers are called "collateral damage." The drug company, Merck, was such collateral damage when one of its service providers was compromised. It has caused them to re-think and restructure their relationship with the thousands of providers in their "supply chain."

Illinois School District Hit with Ransomware

(December 4, 2019)

The Sycamore Community School District 427 in Illinois has been hit with ransomware. The attack appears to be limited to the district's "internal technology servers;" many other district systems, including email, phones, and student information systems are reportedly not infected.

****************************************************************************

- https://arstechnica.com/information-technology/2019/12/members-of-evil-corp-the-cybercrime-group-that-lived-in-luxury-are-indicted/

- https://www.wired.com/story/alleged-russian-hacker-evil-corp-indicted/

- https://www.scmagazine.com/home/security-news/cybercrime/u-s-charges-alleged-members-of-evil-corp-cybercrime-group-for-zeus-and-dridex-campaigns/

- https://thehill.com/policy/cybersecurity/473202-feds-sanction-russian-group-over-100-million-cyber-hack

Man-in-the-Middle Attack Used to Steal Venture Capital Investment

(December 5, 2019)

Hackers used a complex man-in-the-middle attack to steal approximately US $1 million from a Chinese venture capital firm that was supposed to be going to a start-up company in Israel. The hackers set up phony domains and spoofed emails between the companies, even going so far as to cancel a scheduled in-person meeting.

Editor's Note

[Neely]

Verify the log retention period and access requirements for your email and related systems prior to an incident, making sure that there are not only at least six months of information but also that sufficient information is captured and your staff will be able to access it when needed. Always use an out-of-band verification process with wire transfers to ensure they are going to the intended recipient.

- https://threatpost.com/ultimate-mitm-attack-steals-1m-from-israeli-startup/150840/

- https://www.vice.com/en_us/article/mbmmaq/hackers-trick-venture-capital-firm-into-sending-them-dollar1-million

- https://www.theregister.co.uk/2019/12/05/vcs_tricked_mitm/

Great Cannon DDoS Tool Reportedly Being Used on Hong Kong Protesters' Online Forum

(December 4 & 5, 2019)

A distributed denial-of-service (DDoS) tool known as the Great Cannon has reportedly been used against the LIHKG social media platform used by protesters in Hong Kong. China's Great Cannon was first described by Citizen Lab in April 2015.

- https://www.infosecurity-magazine.com/news/chinas-great-cannon-fires-on-hong/

- https://citizenlab.ca/2015/04/chinas-great-cannon/

ZeroCleare Wiper Malware Used Against Energy, Industrial Organizations in Middle East

(December 4 & 5, 2019)

IBM has detected new malware, dubbed ZeroCleare, that has been used to wipe data at energy and industrial sector organizations in the Middle East. The targeted attacks were likely the work of Iranian state-sponsored hackers.

Editor's Note

[Murray]

We must move away from the default access control rule of "read/write," convenient but risky, to "read-only" for data and "execute only" for programs, marginally less convenient but you will get over it.

- https://www.theregister.co.uk/2019/12/05/iran_zerocleare_attack/

- https://www.cyberscoop.com/iran-destructive-malware-ibm/

- https://threatpost.com/iran-mideast-oil-zerocleare-wiper-malware/150814/

- https://www.zdnet.com/article/iranian-hackers-deploy-new-zerocleare-data-wiping-malware/

- https://arstechnica.com/information-technology/2019/12/new-iranian-wiper-discovered-in-attacks-on-middle-eastern-companies/

- https://www.darkreading.com/attacks-breaches/shades-of-shamoon-new-disk-wiping-malware-targets-middle-east-orgs/d/d-id/1336520

- https://www.bleepingcomputer.com/news/security/new-iranian-zerocleare-data-wiper-malware-used-in-targeted-attacks/

- https://duo.com/decipher/new-zerocleare-wiper-malware-used-in-targeted-attacks

US Senators Get Classified Ransomware Briefing

(December 4, 2019)

US legislators received a classified briefing about the threat of ransomware on Wednesday, December 5. Christopher Krebs, director of the US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) spoke to the Senate Cybersecurity Caucus.

Editor's Note

[Neely]

Briefings like this are needed to ensure continued support of initiatives and resources to help state and local governments which may not have access to the needed tools and information to implement needed protections in the current threat environment. That said, with the current active exploitation environment, waiting for external help is ill-advised.

[Murray]

Ransomware is now the preferred way to monetize compromised systems and enterprises. We know that the vectors for attacks are e-mail and browsers, but we fail to isolate these from mission critical data, applications, and systems. We know that the vulnerability includes the capability for the system user to modify it on the fly, but we fail to lock them down by denying the user admin privileges and by restricting "write" access. This is not mere negligence but borders on recklessness.

- https://www.fifthdomain.com/congress/capitol-hill/2019/12/04/heres-what-senators-learned-about-the-ransomware-threat/

- https://thehill.com/policy/cybersecurity/473095-senators-sound-alarm-on-dangers-of-ransomware-attacks-after-briefing

Rich Communication Services Implementations Found to be Unsecure

(November 28 & December 4, 2019)

Researchers have found that telecommunications carriers are implementing a new messaging standard in ways that could allow communications to be intercepted, modified, or spoofed. The Rich Communication Services (RCS) standard is fairly new and has a broader range of features than SMS.

Editor's Note

[Neely]

What's being called into question are implementation flaws, rather than flaws in the protocol itself. RCS shows promise to provide a more secure alternative to SMS and avoid the pitfalls in SS7. RCS is one to keep an eye on, especially when a verified secure implementation is available.

[Murray]

It looks as if messaging may be going the route of the browsers: adding features until the product is porous, not to say broken.

- https://www.wired.com/story/rcs-texting-security/

Siemens Provides Workaround for PLC Flaw

(December 3, 2019)

Siemens has released workarounds to address a vulnerability in its S7-1200 programmable logic controllers (PLCs) while is develops a fix for the problem. The issue lies in "an undocumented hardware-based special access feature," and could be exploited to take control of vulnerable devices.

- https://cert-portal.siemens.com/productcert/pdf/ssa-686531.pdf

NIST Draft Guidance on Hardware Supply Chain Security

(December 3, 2019)

The US National Institute of Standards and Technology (NIST) has published draft guidance on hardware supply chain security, Validating the Integrity of Servers and Client Devices. NIST will accept comments on the document through January 6, 2020.

Editor's Note

[Neely]

This is about building standards to support supply chain security, which has been a challenge of late. The document is a short, easy read, encapsulating information from a number of other NIST and external documents on OEM supply chain security. Despite the short timeline, and the holiday season, it's worth reading and contributing to.

- https://duo.com/decipher/nist-developing-hardware-security-guidelines-for-enterprises

****************************************************************************

Internet Storm Center Tech Corner

Avast Online Security and Avast Secure Browser Blocked for Spying on Users

https://palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/

Google Android Updates

https://source.android.com/security/bulletin/2019-12-01

Strandhogg Vulnerability

https://promon.co/security-news/strandhogg/

Firefox 71 Released

https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/

OpenBSD Authentication Bypass and Privilege Escalation Vulnerability