SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #1
January 3, 2020
California Privacy Law Now in Effect; Ransomware Infections at US Coast Guard and Maastricht University; Malware on Landry's Restaurant POS Systems
The holidays aren't over yet folks! The free annual SANS Holiday Hack Challenge is open through January 13 so you can start the year by building your capabilities with world-class cyber defense, DFIR, and pen test challenges. Plus: Don't miss your chance to win a complimentary SANS Live Training course, SANS Online Training course, or a 4-month subscription to SANS NetWars Continuous. All skill levels can and should participate! We've got a lot of fun in store for you at https://holidayhackchallenge.com.
****************************************************************************
SANS NewsBites January 3, 2020 Vol. 22, Num. 001
****************************************************************************
TOP OF THE NEWS
California Privacy Law Now in Effect
US Coast Guard Discloses Ransomware Infection at Maritime Facility
Landry's Acknowledges Malware Found on Restaurant POS Systems
Maastricht University Systems Infected with Ransomware
REST OF THE WEEK'S NEWS
Wyze Database Leaks eMail Addresses and IoT Device Information
US Army and Navy Ban TikTok
South Korean Officials Investigating TikTok
Microsoft Takes Down Domains Linked to North Korean Hackers
Starbucks API Key Exposed
RavnAir Cyberattack Update
Mozilla to Give Firefox Users More Control of Their Own Data
INTERNET STORM CENTER TECH CORNER
************************** Sponsored By Sans *****************************
Blue Team Summit & Training 2020 | Louisville, KY | Mar 2-9. Join your fellow blue teamers for two days of in-depth Summit presentations covering actionable techniques, new tools, and innovative methods that will help you improve your ability to prevent and detect attacks against your organization. http://www.sans.org/info/215160
*****************************************************************************
-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Northern VA-Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020
-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020
-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS OnDemand and vLive Training
Get an iPad Mini, a Samsung Galaxy Tab S2, or Take $300 Off through January 8 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************************************
TOP OF THE NEWS
--California Privacy Law Now in Effect
(December 31, 2019 & January 2, 2020)
A new California state privacy law took effect on Wednesday, January 1, 2020. The California Consumer Privacy Act (CCPA) requires companies to disclose what data they collect from consumers and how they plan to use it. The CCPA also allows consumers to request that their data not be sold and that the companies delete their data. The law applies to companies that have revenue of $25 million or more and that make more than half of their money selling data, and to companies that collect data on 50,000 or more individuals. California's attorney general says the law will not start being enforced until July 1, 2020.
[Editor Comments]
[Pescatore] Meaningful enforcement action by July 1 is very unlikely, as there are many areas where the wording of the Act is broad and open to interpretation and the industry legal actions to fight/delay will be fast and furious. Advice to corporate management: whether CCPA gets delayed or not, consumer demand and legislative trends are definitely on the side of companies needing to give customers more visibility and more control over the use of their personally identifiable information. Companies can save money in the long run by skipping the "OK, let's just wallpaper our website with disclaimers" stage by starting with "let's make our customers happy and safe, and then be able to easily demonstrate GDPR/CCPA et al compliance."
[Neely] One of the challenges in implementing CCPA is that legal guidance is not finalized. For example, while it appears to exclude non-profit entities, a small institution doing online business may have data on over 50,000 devices, which may put them back in-scope for CCPA. Work with your legal department to establish and record your applicability decision. The good news is the implementation can leverage measures taken for GDPR; even so, CCPA specific guidance is still maturing.
[Murray] One has been thankful to the California Legislature in the past for going where angels fear to tread. Their reach has been long, their aim true, and their impact salutary. One hopes that this effort will prove to be as effective. However, as with much law, the devil is in the detail and the enforcement.
Read more in:
The Verge: No one is ready for California's new consumer privacy law
Threatpost: California Adopts Strictest Privacy Law in U.S.
https://threatpost.com/california-adopts-strictest-privacy-law-in-u-s/151497/
ISC: CCPA - Quick Overview
https://isc.sans.edu/forums/diary/CCPA+Quick+Overview/25668/
--US Coast Guard Discloses Ransomware Infection at Maritime Facility
(December 16 & 30, 2019)
The US Coast Guard (USCG) has acknowledged that systems at a Maritime Transportation Security Act regulated facility were infected with Ryuk ransomware. The incident resulted in 30 hours of downtime for the facility's primary operations. The USCG Marine Safety Information Bulletin does not identify the facility or indicate when the incident occurred beyond noting that it was "recent."
Read more in:
USCG: Cyberattack Impacts MTSA Facility Operations
https://www.dco.uscg.mil/Portals/9/DCO%20Documents/5p/MSIB/2019/MSIB_10_19.pdf
ZDNet: US Coast Guard discloses Ryuk ransomware infection at maritime facility
Cyberscoop: Coast Guard says Ryuk ransomware hit systems that monitor cargo transfers at maritime facility
https://www.cyberscoop.com/ryuk-coast-guard-ransomware/
Bleeping Computer: U.S. Coast Guard Says Ryuk Ransomware Took Down Maritime Facility
Cyware: US Coast Guard Finds Ryuk Ransomware Responsible for Attack on its Maritime Facility
--Landry's Acknowledges Malware Found on Restaurant POS Systems
(January 2, 2020)
Landry's, a Texas-based restaurant chain, is investigating a breach of its point-of-sale (POS) system. The company's security team found malware designed to steal payment card data. Following a 2016 breach of its POS system, Landry's stepped up security with end-to-end encryption of payment card data while the information is being processed. However, order entry terminals, which are also used to swipe rewards cards, did not receive the same security upgrade; some wait staff may have mistakenly swiped customers' payment cards on these machines, which exposed the data to theft. The malware is believed to have existed on the system from March 13, 2019, to October 17, 2019, although at some locations the malware was active since January 18, 2019.
[Editor Comments]
[Neely] End-to-End encryption protected the cardholder data where applied. The trick is making sure all the points where the data is entered have equivalent protection, or ensure omitted devices can no longer process or collect that data. In this case, the order entry terminals were intended to process reward card data not payment cards, so neither the security fix was applied, nor was payment card processing disabled. Additionally, Landry's has taken steps to remove the malware and increase security to prevent re-introduction.
[Murray] Hospitality has been a major target for PCI data for a decade. It is unconscionable, even in a business that has grown by acquisition, that it should take so long to identify and remediate such a compromise. These compromises persist for so long because no one is looking for them. One should have in place an objective, stated in days, for mean-time to detection of a compromise and a plan to achieve it.
Read more in:
ZDNet: Landry's restaurant chain disclose POS malware incident
https://www.zdnet.com/article/landrys-restaurant-chain-disclose-pos-malware-incident/
Dark Reading: Landry's Restaurant Chain Discloses Payment Security Incident
Bleeping Computer: Popular U.S. Restaurant Owner Hit by Credit Card Stealing Malware
Data Breach Today: Restaurant Chain Landry's Investigates Malware Incident
https://www.databreachtoday.com/restaurant-chain-landrys-investigates-malware-incident-a-13571
Landry's Inc: NOTICE OF DATA BREACH
https://www.landrysinc.com/CreditNotice/CANotice.asp
--Maastricht University Systems Infected with Ransomware
(December 24 & 28, 2019 & January 2, 2020)
Systems at Maastricht University in the Netherlands were infected with ransomware on December 23. Nearly all of the institution's Windows systems were affected, which made using email services "particularly difficult." Maastricht University took all systems offline and planned to bring them back in stages. As of Thursday, January 2, "the most important education-related computer systems [are] up and running again, albeit to a limited extent."
[Editor Comments]
[Neely] Not only is MU prioritizing recovery, they are providing alternative options for students needing services which are still offline. Because they have not determined the exact scope of the incident, all systems are suspect and being investigated. MU has brought in external expertise as well to aid with analysis, response, and recovery. Additionally, they are paying attention to the status of their scientific data, adding protections where needed, not only to ensure integrity of that data but also as current Ransomware TTPs now include requests for payment to prevent release of customer data.
Read more in:
Maastricht University: Update #9: cyber attack UM (January 2)
https://www.maastrichtuniversity.nl/news/update-9-cyber-attack-um
Softpedia: University Hit by Ransomware, Almost All Windows Systems Compromised
**************************** SPONSORED LINKS ******************************
1) Webcast January 16th: SANS Dave Shackleford to discuss detection of attack behaviors and how Vectra Cognito can help. http://www.sans.org/info/215165
2) Free Event: Automation & Orchestration Solutions Forum on January 30th in Austin, Texas. Register: http://www.sans.org/info/215170
3) Missed this webcast? Pivotal Platform - Getting Started with Native Runtime Protection for PAS. http://www.sans.org/info/215175
*****************************************************************************
REST OF THE WEEK'S NEWS
--Wyze Database Leaks eMail Addresses and IoT Device Information
(December 29 & 30, 2019)
An insufficiently secured database that belongs to Internet of Things (IoT) vendor Wyze exposed device information and customer email addresses. The leak affects 2.4 million users; the database was unsecured for more than three weeks. Wyze sells smart cameras, smart door locks and other household IoT products. Some of the compromised data include personal health information.
[Editor Comments]
[Murray] The disclosure of "health information" was limited to tens of people in the beta test of a connected scale. The ZDNet article is worth a read for what it says about irresponsible disclosure by those who ought to know better. We continue to see disclosure motivated by the desire for recognition by the discloser rather than by the safe, timely, and effective repair of the compromise or vulnerability.
Read more in:
ZDNet: IoT vendor Wyze confirms server leak
https://www.zdnet.com/article/iot-vendor-wyze-confirms-server-leak/
SC Magazine: Wyze Labs data breach exposes 2.4 million, includes PHI
Ars Technica: Employee error to blame for massive data leak, Wyze says
Threatpost: IoT Company Wyze Leaks Emails, Device Data of 2.4M
https://threatpost.com/iot-company-wyze-leaks-emails-device-data-of-2-4m/151451/
--US Army and Navy Ban TikTok
(December 30, 2019 & January 2, 2020)
The US Army has banned the TikTok social media app from use on government-owned devices. An army spokesperson said that the app is considered a security threat. The US Navy banned the use of TikTok earlier in December 2019. TikTok is owned by a company based in China.
[Editor Comments]
[Neely] Consider the question: Is this type of application appropriate for corporate devices, and does it fit within your incidental use policy; further, what action should be taken when devices are introduced to your network. In this case, devices with the disallowed application are blocked from the network. The issue is that the app is passing PII information to China through the services provided by the Musical.ly component. U.S. Senate Minority Leader Chuck Schumer and Senator Tom Cotton asked for a national security probe in a letter to Joseph Maguire, acting director of national intelligence. The Committee on Foreign Investment in the United States (CFIUS), which reviews deals by foreign acquirers for potential national security risks, has started to review the Musical.ly deal. CFIUS reviews are confidential.
Read more in:
Military.com: Army Follows Pentagon Guidance, Bans Chinese-Owned TikTok App
Axios: Army bans TikTok from government-owned phones
Threatpost: TikTok Banned By U.S. Army Over China Security Concerns
https://threatpost.com/tiktok-banned-by-u-s-army-over-china-security-concerns/151480/
ZDNet: China's TikTok banned by US Army amid security concerns: Report
https://www.zdnet.com/article/chinas-tiktok-banned-by-us-army-amid-security-concerns-report/
The Hill: Army bans TikTok from being used on government-issued devices citing security risk
GovInfoSecurity: US Army Follows Navy in Banning TikTok App: Report
https://www.govinfosecurity.com/us-army-follows-navy-in-banning-tiktok-app-report-a-13570
--South Korean Officials Investigating TikTok
(December 30, 2019)
Authorities in South Korea are investigating TikTok due to data security concerns raised by a legislator there. The Korea Communications Commission (KCC) has launched an investigation.
[Editor Comments]
[Neely] As with the US, the KCC also doesn't want their citizens' PII routed to China.
Read more in:
Softpedia: Security Concerns Trigger TikTok Investigation in South Korea
--Microsoft Takes Down Domains Linked to North Korean Hackers
(December 30 & 31, 2019)
Microsoft has taken control of 50 domains that were allegedly being used by North Korean hackers to launch phishing and other malware campaigns. Microsoft filed a lawsuit late last year alleging that the hackers' activity was targeting Microsoft customers and was infringing company trademarks and brands.
Read more in:
Microsoft: Microsoft takes court action against fourth nation-state cybercrime group
Cyberscoop: Microsoft seizes 50 websites used by North Korean hackers to gather intelligence
https://www.cyberscoop.com/microsoft-north-korea-lawsuit-website-seizing/
Bleeping Computer: Microsoft Takes North Korean Hacking Group Thallium to Court
GovInfoSecurity: Microsoft Removes 50 Domains Tied to North Korean Hackers
https://www.govinfosecurity.com/microsoft-removes-50-domains-tied-to-north-korean-hackers-a-13566
--Starbucks API Key Exposed
(December 31, 2019)
Developers working for Starbucks appear to have left an API key in a public GitHub repository. The incident was reported to Starbucks in October 2019; the company removed the repository and revoked the key within days.
[Editor Comments]
[Neely] With the current rapid software production and update cycles, automation is necessary to verify code is not pushed to repositories that contain sensitive configuration items, including API & SSH keys, passwords, or other sensitive configuration files. Additionally, if possible, configure services to limit access to only authorized addresses and make sure that you have good key management and revocation processes.
Read more in:
Bleeping Computer: Starbucks Devs Leave API Key in GitHub Public Repo
https://www.bleepingcomputer.com/news/security/starbucks-devs-leave-api-key-in-github-public-repo/
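As an added illustration of the automated check Neely recommends (example code written for this summary, not Starbucks' or SANS's tooling), the following pre-commit scanner flags private-key blocks, credential-style assignments and random-looking tokens before they reach a repository; the entropy cutoffs, keyword list and the sample file are assumptions.

```python
"""Minimal pre-commit secret scanner (illustration written for this summary, not
tooling from Starbucks or SANS). The entropy cutoffs (3.0 bits/char for hex,
4.5 for base64 alphabets) are assumed heuristics, not values from the article."""
import math
import re
import sys
from collections import Counter

PRIVATE_KEY = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
# keyword = "value" style assignments; value must be at least 8 non-space chars
ASSIGNMENT = re.compile(
    r"(?i)\b(api[_-]?key|secret|token|password|passwd)\b\s*[:=]\s*['\"]?([^\s'\"]{8,})")
HEX_TOKEN = re.compile(r"\b[0-9a-fA-F]{20,}\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/=]{20,}")
HEX_THRESHOLD, B64_THRESHOLD = 3.0, 4.5  # assumed cutoffs in bits per character
PLACEHOLDERS = {"changeme", "example", "xxxxxxxx", "<redacted>"}

def shannon_entropy(s):
    """Bits of entropy per character of s, from its character frequencies."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def token_finding(line):
    """Reason string if the line holds a random-looking token, else None."""
    for tok in HEX_TOKEN.findall(line):
        if shannon_entropy(tok) >= HEX_THRESHOLD:
            return "high-entropy hex token"
    for tok in B64_TOKEN.findall(line):
        if shannon_entropy(tok) >= B64_THRESHOLD:
            return "high-entropy base64 token"
    return None

def scan_text(text, filename="<stdin>"):
    """Return (filename, line_no, reason) tuples for every suspicious line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        if PRIVATE_KEY.search(line):
            findings.append((filename, no, "private key material"))
            continue
        m = ASSIGNMENT.search(line)
        if m and m.group(2).lower() not in PLACEHOLDERS:
            findings.append((filename, no, f"credential assignment ({m.group(1).lower()})"))
            continue
        reason = token_finding(line)
        if reason:
            findings.append((filename, no, reason))
    return findings

# Constructed sample of a file about to be committed (all values are made up).
SAMPLE = """\
# settings for the ordering service
api_base = "https://api.example.invalid/v1"
API_KEY = "changeme"
secret = "Qm9ndXNfU2FtcGxlX0tleV9Gb3JfRGVtb18yMDIw"
headers = {"Authorization": "Bearer 8f3a9c1e2b7d4f60a5e1c9d2b3f4a7e8c0d1"}
-----BEGIN RSA PRIVATE KEY-----
def compute_order_total(items): pass
"""

def main(paths):
    """Scan files given on the command line (or the sample); exit 1 on findings."""
    findings = []
    for p in paths:
        with open(p, encoding="utf-8", errors="replace") as fh:
            findings.extend(scan_text(fh.read(), p))
    if not paths:
        findings = scan_text(SAMPLE, "sample_settings.py")
    for fname, no, reason in findings:
        print(f"{fname}:{no}: {reason}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Wired into a pre-commit hook over the staged files, a non-zero exit blocks the commit; the placeholder list and thresholds are what you tune to keep false positives from training developers to bypass the hook.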
--RavnAir Cyberattack Update
(December 30, 2019)
A cyberattack that caused Alaska-based RavnAir to cancel flights on December 20 "now appears more extensive than initially reported," according to a statement on the company's website. The attack affected the maintenance system the company uses for its Dash aircraft. RavnAir said that it could be as long as a month before all systems are back to normal, and that there will likely be additional delays and cancellations.
Read more in:
FlyRavn: RavnAir Group update on cyber-attack -- Update for 12/28/19
https://www.flyravn.com/ravn-news/ravnair-group-update-on-cyber-attack-update-for-12-28-19/
KTVA: Ravn expects more delays, cancellations after 'malicious' cyberattack
https://www.ktva.com/story/41484763/malicious-cyber-attack-cancels-some-ravnair-flights
--Mozilla to Give Firefox Users More Control of Their Own Data
(January 2, 2020)
Prompted by the California Consumer Privacy Act, Mozilla says that Firefox users will be able to choose to delete their personal data that Mozilla collects. The option will be available in the next version of Firefox, which is scheduled to be released on January 7. The option will be available to all Firefox users, not just California residents.
[Editor Comments]
[Pescatore] Good to see the major browser providers (Google and Firefox) getting behind CCPA. Facebook acts as a "browser" to the walled garden that is Facebook - it doesn't look like they are taking a proactive stance. As part of providing information/recommendations around what CCPA will mean to your company, it is worth mentioning that a special look should be given to any corporate Facebook presence or advertising efforts.
Read more in:
Mozilla: Bringing California's privacy law to all Firefox users in 2020
CNET: Firefox will let users delete collected data thanks to California's new privacy law
INTERNET STORM CENTER TECH CORNER
PiHole Dashboard
https://isc.sans.edu/forums/diary/ELK+Dashboard+for+Pihole+Logs/25652/
Corrupt Office Documents
https://isc.sans.edu/forums/diary/Corrupt+Office+Documents/25650/
Enumerating Office 365 Users
https://isc.sans.edu/forums/diary/Enumerating+office365+users/25648/
Ransomware written in JavaScript using Node.js
https://isc.sans.edu/forums/diary/Ransomware+in+Nodejs/25664/
Breaking 2FA Soft Tokens
https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf
ISC API Update
CCC Conference
Landry Restaurant PoS Breach
https://www.landrysinc.com/CreditNotice/CANotice.asp
Citrix/NetScaler Vulnerability Special Webcast Recording
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create