SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #95
December 6, 2019
****************************************************************************
SANS NewsBites Dec. 6, 2019 Vol. 21, Num. 095
****************************************************************************
Top of The News
- Data Center Ransomware Infection
- Illinois School District Hit with Ransomware
The Rest of the Week's News
- Evil Corp. Hacking Group Indictments
- Man-in-the-Middle Attack Used to Steal Venture Capital Investment
- Great Cannon DDoS Tool Reportedly Being Used on Hong Kong Protesters' Online Forum
- ZeroCleare Wiper Malware Used Against Energy, Industrial Organizations in Middle East
- US Senators Get Classified Ransomware Briefing
- Rich Communication Services Implementations Found to be Insecure
- Siemens Provides Workaround for PLC Flaw
- NIST Draft Guidance on Hardware Supply Chain Security
Internet Storm Center Tech Corner
****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS OnDemand and vLive Training
Get an iPad Air with Smart Keyboard, a Surface Go, or Take $300 Off through December 11 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020
-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
****************************************************************************
Free technical content sponsored by VMRay
Unmasking Context-Aware Malware: Learn from the VMRay Research Team about the techniques malware authors use to understand the context of an analysis environment by dissecting real-world examples Operation ShadowHammer and OopsIE malware.
https://www.sans.org/info/214965
****************************************************************************
Top of the News
Data Center Ransomware Infection
(December 5, 2019)
Data center provider CyrusOne has confirmed that it suffered a ransomware attack earlier this week. The company says the incident caused "availability issues" for six of its managed services customers.
Editor's Note
[Neely]
This attack appears to be caused by a version of the REvil (Sodinokibi) ransomware, which also impacted 23 local governments across Texas earlier this year. Consider the impact/risks if one of your providers, such as your colocation service or your MSP, is impacted, and doesn't plan to pay the ransom, as is indicated in this case; are you prepared with alternatives to continue operations for the duration of the incident?
[Murray]
The six customers are called "collateral damage." The drug company, Merck, was such collateral damage when one of its service providers was compromised. It has caused them to re-think and restructure their relationship with the thousands of providers in their "supply chain."
Read more in:
- https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/
Illinois School District Hit with Ransomware
(December 4, 2019)
The Sycamore Community School District 427 in Illinois has been hit with ransomware. The attack appears to be limited to the district's "internal technology servers;" many other district systems, including email, phones, and student information systems are reportedly not infected.
Read more in:
- https://edscoop.com/sycamore-community-school-district-ransomware/
****************************************************************************
Sponsored Links
Webcast December 6 at 1 PM ET: You Have to See the Criminal to Catch the Criminal. The Most Relevant Data to Monitor, Ranked. https://www.sans.org/info/214950
Join us at SANS Open-Source Intelligence Summit | Alexandria, VA | February 18-24. https://www.sans.org/info/214955
ICYMI Webcast: Why It's Time for a New Link Analysis Platform. View this webcast: https://www.sans.org/info/214960
****************************************************************************
The Rest of the Week's News
Evil Corp. Hacking Group Indictments
(December 5, 2019)
US federal prosecutors have indicted Maksim Yakubets and Igor Turashev, who are allegedly members of the hacking group known as Evil Corp. The pair allegedly "led one of the most sophisticated transnational cybercrime syndicates in the world," according to a US Department of Justice press release.
Read more in:
- https://www.wired.com/story/alleged-russian-hacker-evil-corp-indicted/
Man-in-the-Middle Attack Used to Steal Venture Capital Investment
(December 5, 2019)
Hackers used a complex man-in-the-middle attack to steal approximately US $1 million that a Chinese venture capital firm intended to invest in a start-up company in Israel. The hackers set up phony domains and spoofed emails between the companies, even going so far as to cancel a scheduled in-person meeting.
Editor's Note
[Neely]
Verify the log retention period and access requirements for your email and related systems prior to an incident, making sure that there are not only at least six months of information but also that sufficient information is captured and your staff will be able to access it when needed. Always use an out-of-band verification process with wire transfers to ensure they are going to the intended recipient.
Read more in:
- https://threatpost.com/ultimate-mitm-attack-steals-1m-from-israeli-startup/150840/
- https://www.theregister.co.uk/2019/12/05/vcs_tricked_mitm/
Great Cannon DDoS Tool Reportedly Being Used on Hong Kong Protesters' Online Forum
(December 4 & 5, 2019)
A distributed denial-of-service (DDoS) tool known as the Great Cannon has reportedly been used against the LIHKG social media platform used by protesters in Hong Kong. China's Great Cannon was first described by Citizen Lab in April 2015.
Read more in:
- https://www.infosecurity-magazine.com/news/chinas-great-cannon-fires-on-hong/
- https://citizenlab.ca/2015/04/chinas-great-cannon/
ZeroCleare Wiper Malware Used Against Energy, Industrial Organizations in Middle East
(December 4 & 5, 2019)
IBM has detected new malware, dubbed ZeroCleare, that has been used to wipe data at energy and industrial sector organizations in the Middle East. The targeted attacks were likely the work of Iranian state-sponsored hackers.
Editor's Note
[Murray]
We must move away from the default access control rule of "read/write," convenient but risky, to "read-only" for data and "execute only" for programs, marginally less convenient but you will get over it.
Read more in:
- https://www.theregister.co.uk/2019/12/05/iran_zerocleare_attack/
- https://www.cyberscoop.com/iran-destructive-malware-ibm/
- https://threatpost.com/iran-mideast-oil-zerocleare-wiper-malware/150814/
- https://www.zdnet.com/article/iranian-hackers-deploy-new-zerocleare-data-wiping-malware/
- https://duo.com/decipher/new-zerocleare-wiper-malware-used-in-targeted-attacks
US Senators Get Classified Ransomware Briefing
(December 4, 2019)
US legislators received a classified briefing about the threat of ransomware on Wednesday, December 5. Christopher Krebs, director of the US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA), spoke to the Senate Cybersecurity Caucus.
Editor's Note
[Neely]
Briefings like this are needed to ensure continued support of initiatives and resources to help state and local governments which may not have access to the needed tools and information to implement needed protections in the current threat environment. That said, with the current active exploitation environment, waiting for external help is ill-advised.
[Murray]
Ransomware is now the preferred way to monetize compromised systems and enterprises. We know that the vectors for attacks are e-mail and browsers, but we fail to isolate these from mission critical data, applications, and systems. We know that the vulnerability includes the capability for the system user to modify it on the fly, but we fail to lock them down by denying the user admin privileges and by restricting "write" access. This is not mere negligence but borders on recklessness.
Read more in:
- https://www.cyberscoop.com/dhs-senators-classified-ransomware-briefing/
Rich Communication Services Implementations Found to be Insecure
(November 28 & December 4, 2019)
Researchers have found that telecommunications carriers are implementing a new messaging standard in ways that could allow communications to be intercepted, modified, or spoofed. The Rich Communication Services (RCS) standard is fairly new and has a broader range of features than SMS.
Editor's Note
[Neely]
What's being called into question are implementation flaws, rather than flaws in the protocol itself. RCS shows promise to provide a more secure alternative to SMS and avoid the pitfalls in SS7. RCS is one to keep an eye on, especially when a verified secure implementation is available.
[Murray]
It looks as if messaging may be going the route of the browsers: adding features until the product is porous, not to say broken.
Read more in:
- https://www.vice.com/en_us/article/j5ywxb/rcs-rich-communications-services-text-call-interception
- https://www.wired.com/story/rcs-texting-security/
Siemens Provides Workaround for PLC Flaw
(December 3, 2019)
Siemens has released workarounds to address a vulnerability in its S7-1200 programmable logic controllers (PLCs) while it develops a fix for the problem. The issue lies in "an undocumented hardware-based special access feature" and could be exploited to take control of vulnerable devices.
Read more in:
- https://cert-portal.siemens.com/productcert/pdf/ssa-686531.pdf
NIST Draft Guidance on Hardware Supply Chain Security
(December 3, 2019)
The US National Institute of Standards and Technology (NIST) has published draft guidance on hardware supply chain security, Validating the Integrity of Servers and Client Devices. NIST will accept comments on the document through January 6, 2020.
Editor's Note
[Neely]
This is about building standards to support supply chain security, which has been a challenge of late. The document is a short, easy read, encapsulating information from a number of other NIST and external documents on OEM supply chain security. Despite the short timeline, and the holiday season, it's worth reading and contributing to.
Read more in:
- https://duo.com/decipher/nist-developing-hardware-security-guidelines-for-enterprises
****************************************************************************
Internet Storm Center Tech Corner
Avast Online Security and Avast Secure Browser Blocked for Spying on Users
https://palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/
Google Android Updates
https://source.android.com/security/bulletin/2019-12-01
Strandhogg Vulnerability
https://promon.co/security-news/strandhogg/
Firefox 71 Released
https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/
OpenBSD Authentication Bypass and Privilege Escalation Vulnerability
Fake Python Library in PyPi
https://github.com/dateutil/dateutil/issues/984
GoAhead Web Server Vulnerability
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0888
Hijacking Linux (and BSD) VPN Connections
https://seclists.org/oss-sec/2019/q4/122
RASP vs. WAF: Alexander Fry Research Paper
Atlassian Companion App/IBM Aspera Cloud
https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/
https://confluence.atlassian.com/doc/administering-the-atlassian-companion-app-958456281.html
https://twitter.com/tmslft/status/1202056063878606848?s=20
****************************************************************************
The Editorial Board of SANS NewsBites
Alan Paller: https://www.sans.org/newsletters/newsbites/editorial-board#alan-paller
Brian Honan: https://www.sans.org/newsletters/newsbites/editorial-board#brian-honan
David Hoelzer: https://www.sans.org/newsletters/newsbites/editorial-board#david=hoelzer
David Turley: https://www.sans.org/newsletters/newsbites/editorial-board#david-turley
Dr. Eric Cole: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cole
Ed Skoudis: https://www.sans.org/newsletters/newsbites/editorial-board#ed-skoudis
Eric Cornelius: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cornelius
Gal Shpantzer: https://www.sans.org/newsletters/newsbites/editorial-board#gal-shpantzer
Jake Williams: https://www.sans.org/newsletters/newsbites/editorial-board#jake-williams
Dr. Johannes Ullrich: https://www.sans.org/newsletters/newsbites/editorial-board#johannes-ullrich
John Pescatore: https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore
Lee Neely: https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely
Mark Weatherford: https://www.sans.org/newsletters/newsbites/editorial-board#mark-weatherford
Rob Lee: https://www.sans.org/newsletters/newsbites/editorial-board#rob-lee
Sean McBride: https://www.sans.org/newsletters/newsbites/editorial-board#sean-mcbride
Shawn Henry: https://www.sans.org/newsletters/newsbites/editorial-board#shawn-henry
Stephen Northcutt: https://www.sans.org/newsletters/newsbites/editorial-board#stephen-northcutt
Suzanne Vautrinot: https://www.sans.org/newsletters/newsbites/editorial-board#suzanne-vautrinot
Tom Liston: https://www.sans.org/newsletters/newsbites/editorial-board#tom-liston
William Hugh Murray: https://www.sans.org/newsletters/newsbites/editorial-board#william-hugh-murray
To create a SANS Portal Account visit: https://www.sans.org/account/create