SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #99
December 20, 2019
****************************************************************************
Introducing SANS Holiday Hack Challenge 2019
Ta-da--the world's most fun and festive cybersecurity challenge is available now for free. SANS Holiday Hack Challenge is the best place to learn about InfoSec trends, gain exposure to new technologies, and get information that is not accessible anywhere else. This year's challenge includes offensive and defensive training opportunities, machine learning scenarios, an extensive line-up of KringleCon speakers, and so much more. It's game-based training at its best--highly engaging, designed for all skill levels, and actually free. Whether you want to expand on-the-job skills, see the latest tools, or get fresh inspiration from thought leaders in cybersecurity, exploring SANS Holiday Hack Challenge is a smart use of your holiday time. Hurry and secure your complimentary pass today at https://holidayhackchallenge.com
****************************************************************************
Top of The News
Tis the Season! Emotet Christmas Phishing Emails
The Year 2019 in review: Same Threats, More Targets
Critical Vulnerabilities found in WAGO Programmable Logic Controllers
218 Million Passwords Stolen in Zynga Hack
The Rest of the Week's News
WhatsApp bug allows for app crash and permanent deletion of group chats
German City of Frankfurt Victim of Emotet
City of Galt suffers Cyber Attack
Cyber Attack Against German University Causes Thousands of Students To Queue for New Accounts
Man Sentenced for Planting Logic Bombs
Identifying DNS-Over-HTTPS Traffic Without Decryption Possible
Wawa Discovers Point of Sale Malware Breach
Senators Introduce K-12 Cybersecurity Act
Published Stolen Card Data Is Used Within Two Hours
Internet Storm Center Tech Corner
****************************************************************************
SANS NewsBites Default Training Update for Friday, December 20, 2019 (NB 21.099)
-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020
-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS OnDemand and vLive Training
Get a Free GIAC Certification Attempt or Take $350 Off through December 25 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
****************************************************************************
Free technical content sponsored by Cisco
The Security Bottom. When organizations have dozens of security products and still get breached, it begs the question: How much security is enough? How many products does an organization need? How much should be spent on security? We aim to answer these questions through a double-blind survey of security professionals, along with expert commentary. https://www.sans.org/info/215080
****************************************************************************
Top of the News
Tis the Season! Emotet Christmas Phishing Emails
(December 17 & 18, 2019)
A new Emotet spam campaign uses messages with subjects such as "Christmas Party" or "Christmas." The messages carry a malicious Microsoft Word attachment with names like "Annual Holiday Lunch" or "Party Menu." Holiday-themed Emotet spam is not new (US-CERT published an alert about it in July 2018), but the holidays remain a time when users are more easily lured into opening attachments. Emotet began as a banking Trojan; it now loads multiple modules, including password stealers for email and browser clients, spam mailers, proxies, network spreaders, and ransomware.
Editor's Note
[Pescatore, Neely] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely
Good "news hook" for a reminder to tell employees "no legitimate email communications during the holiday season will include attachments! Please don't open any!" There are a lot of urgent reminders at the end of the year that can be legitimate, none of the legitimate ones ever need to attach documents.
Read more in:
- https://www.bleepingcomputer.com/news/security/emotet-trojan-is-inviting-you-to-a-malicious-christmas-party/ : Emotet Trojan is Inviting You To A Malicious Christmas Party
- https://www.infosecurity-magazine.com/news/emotet-spammers-send-christmas/ : Emotet Spammers Send Christmas Phishing Emails
- https://www.trendmicro.com/vinfo/us/threat-encyclopedia/spam/686/emotet-arrives-via-spam-greeting-you-a-merry-christmas : EMOTET Arrives via Spam, Greeting You a Merry Christmas
The Year 2019 in review: Same Threats, More Targets
(December 10, 2019)
The Council on Foreign Relations published its synopsis of cyberattacks in 2019. Noteworthy were increases in attacks on critical infrastructure, attributed both to attackers developing more advanced tools and to the connection to the internet of systems that were never engineered for the security that connection requires.
Read more in:
- https://www.cfr.org/blog/year-2019-review-same-threats-more-targets : The Year 2019 in review: Same Threats, More Targets
Critical Vulnerabilities found in WAGO Programmable Logic Controllers
(December 16 & 17, 2019)
Researchers at Cisco Talos found critical flaws, with CVSS scores of 9.8 or 10, in the code that handles the I/O-Check configuration protocol in Germany-based WAGO's PFC100 and PFC200 PLCs. The flaws are buffer overflows reachable without authentication and allow arbitrary code execution; they can also be used to reset the device to factory conditions, including default passwords. WAGO has released firmware updates.
Read more in:
- https://www.securityweek.com/several-critical-vulnerabilities-found-wago-controllers : Several Critical Vulnerabilities Found in WAGO Controllers
- https://blog.talosintelligence.com/2019/12/vulnerability-spotlight-multiple.html : Vulnerability Spotlight: Multiple vulnerabilities in WAGO PFC200
- https://cert.vde.com/de-de/advisories/vde-2019-022 : VDE-CERT: WAGO Multiple Vulnerabilities in I/O-Check Service in Multiple devices
218 Million Passwords Stolen in Zynga Hack
(December 18, 2019)
Popular social game developer Zynga has reportedly become the latest victim of a massive data breach, affecting some 218 million Words With Friends accounts. According to the hacker known as gnosticplayers, the breach affects all Android and iOS players who installed and signed up for Words With Friends on or before September 2 of this year.
Editor's Note
[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely
More than just "Words With Friends;" specific data was exfiltrated, including password reset and Facebook account information. If you use any Zynga games, assume your information is included. If you use your Facebook credentials to authenticate to those games, ensure the password is unique and consider enabling multi-factor authentication.
[Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore
Many people using Firefox Monitor, Have I Been Pwned? or equivalent monitoring services are likely to get an alert and say "I've never heard of Zynga" but will admit "I did play Words with Friends a few times..." - need to make sure that password is not in use elsewhere.
Read more in:
- https://thenextweb.com/security/2019/10/01/218m-words-with-friends-players-data-reportedly-stolen-in-zynga-hack/ : 218M 'Words with Friends' players' data reportedly stolen in Zynga hack
- https://www.digitaltrends.com/mobile/words-with-friends-hack-news/ : Massive Words with Friends hack exposes 218 million account login details
****************************************************************************
Sponsored Links
Join us at the SANS ICS Security Summit & Training Summit 2020 | Orlando, FL | March 2-9. https://www.sans.org/info/215085
ICYMI Webcast: David Szili discusses his experience using Mimecast Web Security service. View here: https://www.sans.org/info/215090
Take SANS Training at RSA Conference 2020 | San Francisco, CA | Feb 23-24. https://www.sans.org/info/215095
****************************************************************************
The Rest of the Week's News
WhatsApp bug allows for app crash and permanent deletion of group chats
(December 17, 2019)
WhatsApp has released a fix for a flaw that, when exploited, causes the app to crash repeatedly for every member of a group chat. Recovery requires a complete uninstall and reinstall of the application, and even after reinstalling, returning to the affected group can cause all of that chat's messages to be deleted. Exploitation requires the attacker to use an account that is a member of the targeted group. The issue is fixed in WhatsApp version 2.19.58. Check Point researchers, who found the bug, have published proof-of-concept exploit code.
Editor's Note
[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely
Make sure you configure your mobile apps to automatically update. Even so, checking at least monthly to make sure the updates are applied is prudent. Leverage the monthly patch release as a trigger to also check mobile. MDM and EMM systems can be leveraged to help monitor and drive the update process.
Read more in:
- https://www.zdnet.com/article/this-whatsapp-bug-could-allow-hackers-to-crash-the-app-and-delete-group-chats-forever/ : This WhatsApp bug could allow hackers to crash the app and delete group chats forever
- https://www.wired.com/story/whatsapp-group-chat-crash-bug/ : WhatsApp Fixes Yet Another Group Chat Security Gap
- https://www.livemint.com/technology/tech-news/whatsapp-new-bug-found-that-crashes-group-chat-deletes-history-forever-11576580651220.html : Steer clear of this WhatsApp bug crashing group chats, deleting history forever
German City of Frankfurt Victim of Emotet
(December 18, 2019)
The German city of Frankfurt has shut down its computer networks after an Emotet infection. Several other organisations in Germany have also fallen victim to Emotet. The recent wave of attacks prompted the Bundesamt für Sicherheit in der Informationstechnik (the BSI, Germany's Federal Office for Information Security) to issue an alert to German organisations (the alert is in German: https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Spam-Bundesbehoerden_181219.html)
Read more in:
- https://www.zdnet.com/article/frankfurt-shuts-down-it-network-following-emotet-infection/ : Frankfurt shuts down IT network following Emotet infection
- https://www.en24.news/2019/12/city-of-frankfurt-restarts-after-virus-alert-it-systems.html : City of Frankfurt restarts after virus alert IT systems
- https://www.heise.de/newsticker/meldung/IT-Systeme-der-Stadt-Frankfurt-am-Main-wegen-Malware-Befall-offline-4619634.html : Malware-Befall: IT-Systeme der Stadt Frankfurt am Main offline
City of Galt suffers Cyber Attack
(December 16, 2019)
A ransomware attack on the city of Galt, California, in southern Sacramento County, not only encrypted needed files but also delivered malware that took down the city's email and phone systems. The ransom amount is not yet known; the city is working with the FBI and the state Department of Justice to determine the full scope of the attack and the best path forward.
Editor's Note
[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely
Galt city services have set up and published alternate numbers not dependent on the offline VoIP system. This is a reminder to consider what actions are needed if your VoIP system is offline for an extended period, both for inbound and outbound communication. Ransomware has, more than older malicious attack behaviors, provided an opportunity to learn the importance of our DR plans as well as revealing areas that may not have previously been considered for both impact and fail-over strategy.
Read more in:
- https://www.kcra.com/article/cyber-attack-galt-sacramento-county-california/30262868 : 5 things you need to know about the cyberattack on the city of Galt
- https://fox40.com/2019/12/17/ransomware-hackers-attack-city-of-galt-disabling-public-agencys-email-and-phone-systems/ : Ransomware hackers attack City of Galt, disabling public agency's email and phone systems
- https://www.sacbee.com/news/local/crime/article238474338.html : Hackers hit Galt with ransomware attack, downing city employee phones and email, police say
Cyber Attack Against German University Causes Thousands of Students To Queue for New Accounts
(December 18, 2019)
The Justus Liebig University (JLU) in the German city of Giessen suffered a malware attack on the 8th of December which resulted in many of the university's systems going offline. USB sticks were issued to 1,200 staff so that they could scan their computers for viruses. As a result of the attack the university's email system was wiped and over 38,000 students and staff had to queue in person to get a new email password to access the system. According to legal requirements imposed by the German National Research and Education Network (DFN), the university can only give staff and students their new password upon presentation of a physical ID card.
Read more in:
- https://www.zdnet.com/article/more-than-38000-people-will-stand-in-line-this-week-to-get-a-new-password/ : More than 38,000 people will stand in line this week to get a new password
- https://www.businessinsider.com/university-giessen-hack-paper-passwords-germany-38000-students-2019-12?r=US&IR=T : A university had to hand out paper passwords to 38,000 students and staff after being hacked
- https://www.bbc.com/news/technology-50838673 : Thousands of students in Germany queue for email access
Man Sentenced for Planting Logic Bombs
(December 17, 2019)
David Tinley of Harrison City, Pennsylvania, was sentenced to six months in federal prison and ordered to pay a US $7,500 fine for planting logic bombs in software he developed, as a means of ensuring his contract would be renewed. From 2014 to 2016 Tinley, a contract programmer at Siemens' Monroeville, Pennsylvania branch, deliberately inserted malicious code into software he wrote so that problems would arise after certain dates, requiring Siemens to bring him back on contract to "fix" them.
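The bomb described above is the classic shape: code that behaves correctly until a hard-coded date passes. Two checks catch that shape, one static (flag comparisons against literal dates during review) and one dynamic (run the routine under a fake clock advanced month by month and watch for the output to change). The following is an added example written for this item; it is not Siemens' code or Tinley's. The order routine, its trigger date, the sample order and the clock-as-parameter convention are all constructed assumptions.

```python
"""Added example: two checks for date-triggered logic bombs (constructed, not the Siemens code)."""
import ast
from datetime import datetime, timedelta

# A constructed routine with a hidden trigger, standing in for the vendor code.
# ASSUMPTION: it takes the clock as a parameter so the sweep below can inject one;
# for real code you would patch datetime.now()/time.time() or run under a fake-clock shim.
def process_order(order, now):
    total = sum(qty * price for qty, price in order["lines"])
    if now > datetime(2016, 5, 1):   # the bomb: output silently breaks after this date
        total = 0.0
    return round(total, 2)

SAMPLE_ORDER = {"id": "A-100", "lines": [(2, 19.99), (1, 5.00)]}  # constructed input
DEPLOY_DATE = datetime(2014, 1, 1)                                # constructed go-live date

def sweep_clock(func, sample_input, start, months=36, step_days=30):
    """Dynamic check: call func under a clock advanced `step_days` at a time from `start`.
    Returns (first_time_output_changed, baseline_output, changed_output), or None if
    the output is stable for the whole sweep."""
    baseline = func(sample_input, start)
    t = start
    for _ in range(months):
        t += timedelta(days=step_days)
        out = func(sample_input, t)
        if out != baseline:
            return t, baseline, out
    return None

def hardcoded_date_comparisons(source):
    """Static aid for code review: line numbers of comparisons whose operand is a
    datetime(...)/date(...) call built only from literal arguments."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        for operand in [node.left, *node.comparators]:
            if (isinstance(operand, ast.Call)
                    and isinstance(operand.func, ast.Name)
                    and operand.func.id in ("datetime", "date")
                    and operand.args
                    and all(isinstance(a, ast.Constant) for a in operand.args)):
                hits.add(node.lineno)
    return sorted(hits)

# The same routine as text, so the static check has something to parse (constructed).
SAMPLE_SOURCE = '''\
def process_order(order, now):
    total = sum(qty * price for qty, price in order["lines"])
    if now > datetime(2016, 5, 1):
        total = 0.0
    return round(total, 2)
'''

if __name__ == "__main__":
    print("static  (lines to review):", hardcoded_date_comparisons(SAMPLE_SOURCE))
    print("dynamic (first change):   ", sweep_clock(process_order, SAMPLE_ORDER, DEPLOY_DATE))
```

The static check only flags the obvious form; a trigger that reads the date from a file, a spreadsheet cell or an environment variable will not show up, which is why the clock sweep is the more useful of the two for acceptance testing of delivered code. Run it over a longer horizon than any contract you expect to sign.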
Editor's Note
[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely
Finding logic bombs like this requires code review or walkthroughs, which is challenging with today's limits on staff and time to deliver. Retain a license to developed code, as well as a copy of the source where possible, so that you can not only review but also update/fix it without dependency on the original internal or external developers.
[Northcutt] https://www.sans.org/newsletters/newsbites/editorial-board#stephen-northcutt
I hope Siemens will take the opportunity to refactor their order management system. Using spreadsheets, and locking them for security, allows for a number of problems that would be remediated by a modern database.
Read more in:
- https://www.infosecurity-magazine.com/news/siemens-contractor-jailed-for/ : Siemens Contractor Jailed for Planting Logic Bombs
- https://www.darkreading.com/application-security/siemens-contractor-sentenced-for-writing-logic-bombs-/d/d-id/1336641 : Siemens Contractor Sentenced for Writing 'Logic Bombs'
- https://arstechnica.com/tech-policy/2019/12/contractor-admits-planting-logic-bombs-in-his-software-to-ensure-hed-get-new-work : Contractor admits planting logic bombs in his software to ensure he'd get new work
Identifying DNS-Over-HTTPS Traffic Without Decryption Possible
(December 18, 2019)
DNS-over-HTTPS (DoH) traffic can be identified without decrypting it, a security researcher has found. According to Johannes Ullrich, dean of research at the SANS Technology Institute, DoH use can be spotted by observing all traffic to and from a host, rather than by inspecting the DoH connections themselves.
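The observation above turns into a log-level check: a host that resolves names over DoH still opens TLS connections, but the DNS answers that produced those destination addresses never appear in the resolver logs, and the host also talks on TCP/443 to a public resolver it would otherwise only reach on port 53. The following is an added example, not code from the article or from the Internet Storm Center. It scores each internal host by how many of its port-443 flows lack a preceding DNS answer delivered to that host, and by whether it connects on 443 to a known resolver. The log formats, the resolver list and every address in the sample data are constructed assumptions.

```python
"""Added example: heuristic DoH spotting from flow and DNS-answer logs (constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# ASSUMPTION: public resolvers known to serve DoH on TCP/443. Illustrative only;
# build the real list from the resolvers you actually see in your own traffic.
DOH_RESOLVER_IPS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

# Constructed sample logs (RFC 5737 documentation addresses for the targets).
DNS_ANSWERS = [  # (time, client, qname, answered_ip) as a resolver would log them
    ("2019-12-18 09:00:01", "10.0.0.5", "example.com", "192.0.2.10"),
    ("2019-12-18 09:00:02", "10.0.0.5", "intranet.example", "198.51.100.20"),
]
FLOWS = [  # (time, src, dst, dport) TCP flows; 10.0.0.7 never appears in DNS_ANSWERS
    ("2019-12-18 09:00:03", "10.0.0.5", "192.0.2.10", 443),
    ("2019-12-18 09:00:04", "10.0.0.5", "198.51.100.20", 443),
    ("2019-12-18 09:00:05", "10.0.0.7", "1.1.1.1", 443),
    ("2019-12-18 09:00:06", "10.0.0.7", "192.0.2.10", 443),
    ("2019-12-18 09:00:07", "10.0.0.7", "203.0.113.30", 443),
]

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def index_answers(dns_answers):
    """Map (client, answered_ip) -> sorted times at which that client received that answer."""
    idx = defaultdict(list)
    for t, client, _qname, ip in dns_answers:
        idx[(client, ip)].append(_ts(t))
    for times in idx.values():
        times.sort()
    return idx

def had_prior_answer(idx, client, ip, when, window):
    """True if `client` was handed `ip` in a DNS answer within `window` before `when`."""
    return any(when - window <= t <= when for t in idx.get((client, ip), ()))

def score_hosts(flows, dns_answers, doh_ips=DOH_RESOLVER_IPS, window=timedelta(minutes=10)):
    """Per source host: TLS flow count, flows with no prior DNS answer, hits on DoH resolvers."""
    idx = index_answers(dns_answers)
    scores = defaultdict(lambda: {"tls": 0, "unresolved": 0, "doh_resolver": 0})
    for t, src, dst, dport in flows:
        if dport != 443:
            continue
        s = scores[src]
        s["tls"] += 1
        if dst in doh_ips:
            s["doh_resolver"] += 1
            continue  # the resolver address itself is never "resolved"; do not double count
        if not had_prior_answer(idx, src, dst, _ts(t), window):
            s["unresolved"] += 1
    return dict(scores)

def suspected_doh_hosts(scores, min_tls=2, ratio=0.5):
    """Hosts that touched a known DoH resolver, or whose TLS flows mostly lack a prior answer."""
    out = []
    for host, s in scores.items():
        if s["doh_resolver"] > 0 or (s["tls"] >= min_tls and s["unresolved"] / s["tls"] >= ratio):
            out.append(host)
    return sorted(out)

if __name__ == "__main__":
    sc = score_hosts(FLOWS, DNS_ANSWERS)
    for host in suspected_doh_hosts(sc):
        print(host, sc[host])
```

The ratio threshold exists because legitimate hosts also produce unresolved flows: cached answers older than the window, names resolved by a different process or a neighbouring host behind the same NAT, and connections by raw IP. Tune `window` and `ratio` against a baseline period, feed the check from resolver logs that record the requesting client (not just the query), and treat a hit as a reason to look at the host, not as proof.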
Editor's Note
[Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore
The DNS over HTTPS issue for security teams is kind of like encryption in general for law enforcement. Use of encryption (done right) can make data and communications safer but monitoring harder. In many (really, pretty much all) cases the gains in safety by using encryption are greater than the loss in monitoring, and as Johannes Ullrich points out, skilled security folks can often find workarounds to enable business use of encryption while gaining back some level of visibility.
Read more in:
- https://www.securityweek.com/identifying-dns-over-https-traffic-without-decryption-possible-researcher : Identifying DNS-Over-HTTPS Traffic Without Decryption Possible: Researcher
- https://portswigger.net/daily-swig/from-dns-hijacking-to-domain-fronting-sans-security-pros-offer-retrospective-on-2019-threat-predictions : From DNS hijacking to domain fronting - SANS security pros offer retrospective on 2019 threat predictions
Wawa Discovers Point of Sale Malware Breach
(December 19, 2019)
Wawa customers who paid with credit or debit cards in the last nine months may have had their card information compromised. In a letter, Wawa CEO Chris Gheysens said the chain's information security team "discovered malware on Wawa payment processing servers" on Dec. 10, "contained" the malware by Dec. 12 and "immediately engaged a leading external forensics firm and notified law enforcement."
Editor's Note
[Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely
Wawa reports the compromised data does not include CVV2 or PIN numbers. Even so, your issuer's fraud unit may elect to issue a new card to ensure the data exposed cannot be used. If you're uneasy, ask for a replacement card. Some financial institutions offer "instant issue" where a card can be printed real-time, eliminating mail delivery delays or risks.
Read more in:
- https://www.usatoday.com/story/money/2019/12/19/wawa-data-breach-2019-company-warns-data-security-incident/2703276001/ : Wawa warns of 'data security incident' involving credit and debit card information
- https://6abc.com/wawa-announces-data-breach-potentially-all-locations-affected-ceo-/5769537/ : Wawa announces massive data breach, 'potentially all' locations affected, CEO says
Senators Introduce K-12 Cybersecurity Act
(December 18, 2019)
Two US senators are calling on the Department of Homeland Security to do more to support the cybersecurity of K-12 schools. Their bill, the K-12 Cybersecurity Act of 2019, tasks DHS with assessing the scope of the problem and establishing guidelines to help schools improve the security of their systems. The legislation comes from Sens. Gary Peters, D-Mich., and Rick Scott, R-Fla., both members of the Senate Homeland Security and Governmental Affairs Committee.
Editor's Note
[Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore
SANS just gave Difference Makers awards to a high school teacher (Mark Estep of Poolesville MD High School) and a school district CTO/CISO (Neal Richardson of the Hillsboro-Deering NH School District) for the progress they have made in both increasing cybersecurity at their schools and in efforts to get kids interested in cybersecurity. The proposed legislation is pretty lightweight but would help schools (which always have limited budgets and staffs) by making free online cybersecurity training available.
Read more in:
- https://www.zdnet.com/article/senators-introduce-k-12-cybersecurity-act/ : Senators introduce K-12 Cybersecurity Act
- https://www.congress.gov/bill/116th-congress/senate-bill/3033/text?q=%7B%22search%22%3A%5B%22K-12+Cybersecurity%22%5D%7D&r=1&s=1 : S.3033 - K-12 Cybersecurity Act of 2019
Published Stolen Card Data Is Used Within Two Hours
(December 18, 2019)
A researcher from ThreatPipes decided to run an experiment on how long it would take thieves to find his stolen card data. Two hours, it turns out. That's how long it recently took somebody - or something, if it turns out to have been an automated bot - to find, and use, a credit card he purchased and posted.
Read more in:
- https://nakedsecurity.sophos.com/2019/12/18/doxed-credit-card-data-has-two-hours-max-before-its-nabbed/ : Doxed credit card data has two hours max before it's nabbed
- https://www.threatpipes.com/blog/2019/i-put-my-credit-card-on-the-darkweb/ : I Put My Credit Card on the Darkweb
****************************************************************************
Internet Storm Center Tech Corner
More DNS over HTTPS Details
Ransomware Outing Victims
https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/
Google Chrome Update
https://chromereleases.googleblog.com/2019/12/stable-channel-update-for-desktop_17.html
An Emotet Update
https://isc.sans.edu/forums/diary/Emotet+infection+with+spambot+activity/25622/
Emotet Used to Spread Malware From German Federal Agency Accounts (article in German)
https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2019/Spam-Bundesbehoerden_181219.html
Joomla Patches SQL Injection
https://developer.joomla.org/security-centre.html
Unicode Mapping Problems
https://eng.getwisdom.io/hacking-github-with-unicode-dotless-i/
Discovering DNS over HTTPS
Ring Camera Weaknesses
https://www.vice.com/en_us/article/epg4xm/amazon-ring-camera-security
WhatsApp DoS Bug
https://research.checkpoint.com/2019/breakingapp-whatsapp-crash-data-loss-bug/
Slack "Unshare" Not Working As Expected
https://www.theregister.co.uk/2019/12/16/slack_filesharing_vulnerability_post_sharing/
Google Making OAUTH Mandatory for GSuite
TPLink Authentication Bypass
Factoring IoT RSA Keys
https://info.keyfactor.com/factoring-rsa-keys-in-the-iot-era
****************************************************************************
The Editorial Board of SANS NewsBites
Alan Paller
https://www.sans.org/newsletters/newsbites/editorial-board#alan-paller
Brian Honan
https://www.sans.org/newsletters/newsbites/editorial-board#brian-honan
David Hoelzer
https://www.sans.org/newsletters/newsbites/editorial-board#david=hoelzer
David Turley
https://www.sans.org/newsletters/newsbites/editorial-board#david-turley
Dr. Eric Cole
https://www.sans.org/newsletters/newsbites/editorial-board#eric-cole
Ed Skoudis
https://www.sans.org/newsletters/newsbites/editorial-board#ed-skoudis
Eric Cornelius
https://www.sans.org/newsletters/newsbites/editorial-board#eric-cornelius
Gal Shpantzer
https://www.sans.org/newsletters/newsbites/editorial-board#gal-shpantzer
Jake Williams
https://www.sans.org/newsletters/newsbites/editorial-board#jake-williams
Dr. Johannes Ullrich
https://www.sans.org/newsletters/newsbites/editorial-board#johannes-ullrich
John Pescatore
https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore
Mark Weatherford
https://www.sans.org/newsletters/newsbites/editorial-board#mark-weatherford
Rob Lee
https://www.sans.org/newsletters/newsbites/editorial-board#rob-lee
Sean McBride
https://www.sans.org/newsletters/newsbites/editorial-board#sean-mcbride
Shawn Henry
https://www.sans.org/newsletters/newsbites/editorial-board#shawn-henry
Stephen Northcutt
https://www.sans.org/newsletters/newsbites/editorial-board#stephen-northcutt
Suzanne Vautrinot
https://www.sans.org/newsletters/newsbites/editorial-board#suzanne-vautrinot
Tom Liston
https://www.sans.org/newsletters/newsbites/editorial-board#tom-liston
William Hugh Murray
https://www.sans.org/newsletters/newsbites/editorial-board#william-hugh-murray