SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #100
December 22, 2020SolarWinds Updates; Mobile Device Emulators in Massive Bank Account Theft; DoJ Seizes Fake COVID Domains
******************************************************************************
High school and junior high students with an interest in a career in cyber security are invited to SANS Cyber Camp for Teens on December 29 and 30. It's Free. Learn about the different roles in cybersecurity and enjoy hands-on workshops to learn programming, networking, mobile forensics and more.
More information and videos of previous camps: https://www.sans.org/cyber-camp/
******************************************************************************
SANS NewsBites December 22, 2020 Vol. 22, Num. 100
******************************************************************************
SOLARWINDS AND OTHER TOP OF THE NEWS
SolarWinds: An Updated SEC Filing, a Revised CISA Alert, and an NSA Advisory on Authentication Mechanism Abuse
SolarWinds: Victims Include US Treasury Dept., VMware, Cisco
SolarWinds: Hackers May Have Conducted a Test Run Last Fall
Mobile Device Emulator Farms Used in Massive Bank Account Theft
DoJ Seizes Fake COVID Domains
*************************** Sponsored By SANS ************************************
Free Virtual Event | January 22nd @ 9:00 AM EST | We invite you to join us for the 2021 Cyber Threat Intelligence Summit Solutions Track! Chaired by Robert M. Lee, this virtual event will consist of presentations that focus on case-studies and thought leadership using specific examples relevant to the industry as we know it today | 4 CPE Credits | http://www.sans.org/info/218515
******************************************************************************
THE REST OF THE WEEK'S NEWS
Dell Issues Fixes for Critical Flaws in Wyse ThinOS
iOS "Zero-Click" Exploit Used to Infect Journalists' Phones
Browser Makers Ban Kazakhstan's Traffic Interception Certificate
Firefox Will Introduce Anti-Tracking Feature Next Year
Crypto Wallet Data Exposed
Europol Launches Decryption Platform for Law Enforcement
Trucking Company Recovering from Ransomware Attack
INTERNET STORM CENTER TECH CORNER
******************************************************************************
CYBERSECURITY TRAINING UPDATE
New & Updated Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/cyber-security-courses/cloud-penetration-testing/
MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
- https://www.sans.org/cyber-security-courses/managing-enterprise-cloud-security-vulnerabilities/
SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis
- https://preview.sans.org/cyber-security-courses/open-source-intelligence-gathering/
Upcoming Live Online Events
SANS Stay Sharp: Blue Team Ops 2021 - Jan 18-22 MST
Targeted Short Courses | Cyber Defense NetWars
- https://www.sans.org/event/stay-sharp-blue-team-operations-jan-2021/
Cyber Threat Intelligence Summit & Training
FREE Summit: Jan 21-22 | Courses: Jan 25-30 EST
- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/
SANS Cyber Security West 2021 - Feb 1-6 PST
Cloud Security, Blue Team, DFIR, and More
- https://www.sans.org/event/cyber-security-west-feb-2021/
OnDemand Training Special Offer
Get a free GIAC Certification Attempt or take $350 off with OnDemand Training through December 30.
- www.sans.org/specials/north-america/
Cloud Security Resources
Cheat Sheets, Papers, eBooks, and more. View & Download
- https://www.sans.org/cloud-security/
******************************************************************************
TOP OF THE NEWS
--SolarWinds: An Updated SEC Filing, a Revised CISA Alert, and an NSA Advisory on Authentication Mechanism Abuse
(December 17, 18, 2020)
SolarWinds has updated its US Securities and Exchange Commission (SEC) Form 8-K filing to provide additional information about the supply-chain breach. The Cybersecurity and Infrastructure Security Agency (CISA) revised its alert to include information about additional initial access vectors, an updated list of IOCs, and the National Security Agency (NSA)'s advisory about hackers abusing authentication mechanisms.
[Editor Comments]
[Neely] The use of SAML to support federated authentication has been a huge enabler for cloud services, and also to allow for alternative authentication mechanisms including SSO, MFA, as well as changing the authentication requirement based on location. Attackers are using forged SAML tokens to access your cloud services, particularly email systems, but also any insourced applications using federated authentication. This is done either by stealing the private key which signs SAML authentication tokens, or by obtaining sufficient privileges to create new trust relationships. Verify the security configuration of federated authentication components and monitor for any malicious behavior. Talk to your cloud service providers about their use of SolarWinds and their response plans, if any.
Read more in:
US-CERT-CISA: Alert (AA20-352A) | Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations (revised 12/21/2020)
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
Cloudfront: Form 8-K | SolarWinds Corporation (PDF)
https://d18rn0p25nwr6d.cloudfront.net/CIK-0001739942/6dd04fe2-7d10-4632-89f1-eb8f932f6e94.pdf
Health IT Security: Fed Cybersecurity Advisory Alerts to Abuse of Authentication Mechanisms
Bleeping Computer: NSA warns of hackers forging cloud authentication information
Defense: Detecting Abuse of Authentication Mechanisms (PDF)
--SolarWinds: Victims Include US Treasury Dept., VMware, Cisco
(December 18 & 21, 2020)
The SolarWinds supply chain attack was used to compromise email accounts at the US Treasury Department. The hackers were able to gain access to the email accounts after taking control of the Treasury Department's single sign-on cryptographic key. Other victims of the attack include the US Department of Homeland Security, The Department of Energy, VMware, Cisco, and Intel, as well as a hospital, a university, technology and accounting companies, and a "very, very large" as-yet unnamed telecommunications company. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Neely] When considering the impact of email account compromise, look beyond BEC to other services, such as file, meeting, and collaboration services protected by the same authentication tokens. Verify trust relationships used with federated authentication are genuine, and that they are also verifying their security.
[Honan] A key lesson from this supply chain compromise is that defensive controls by themselves are not enough. No matter how robust they are, you also need good and effective detective and responsive controls in place. Do not think of your defensive controls as ways to stop attackers but as ways to detect an attacker fast enough and delay the attacker long enough for you to respond to them.
[Murray] While all SolarWinds customers must be assumed to have been compromised, many are not immediate targets. All should apply updates, assume that there are now backdoors on their networks, and attempt to isolate the backdoors with "zero trust" strategies on a timely basis. These strategies are indicated for most large enterprises in any case.
Read more in:
Reuters: 'Dozens of email accounts' were hacked at U.S. Treasury -Senator Wyden
WSJ: SolarWinds Hack Victims: From Tech Companies to a Hospital and University (paywall)
Bleeping Computer: VMware latest to confirm breach in SolarWinds hacking campaign
SC Magazine: 'Very, very large' telecom organization and Fortune 500 company breached in SolarWinds hack
ZDNet: Partial lists of organizations infected with Sunburst malware released online
--SolarWinds: Hackers May Have Conducted a Test Run Last Fall
(December 18 & 21, 2020)
FireEye's Kevin Mandia says there is evidence the SolarWinds hackers tried a test run last fall. A code change in the Orion platform in October 2019 "was innocuous code. It was not a backdoor."
[Editor Comments]
[Neely] As the discovered depth of compromise of SolarWinds systems increases, it becomes prudent to consider all versions of SolarWinds Orion as suspect, include copies deployed on isolated or air-gapped networks; follow CISA guidelines for response and mitigation. https://us-cert.cisa.gov/ncas/alerts/aa20-352a#mitigations
Read more in:
FCW: Cyber exec: 50 orgs 'genuinely impacted' by SolarWinds hack
https://fcw.com/articles/2020/12/21/sunburst-hack-fifty-orgs-russia.aspx
Yahoo: Hackers last year conducted a 'dry run' of SolarWinds breach
https://news.yahoo.com/hackers-last-year-conducted-a-dry-run-of-solar-winds-breach-215232815.html
The Register: SolarWinds releases known attack timeline but new data suggests hackers may have done a dummy run last year
https://www.theregister.com/2020/12/21/in_brief_security/
--Mobile Device Emulator Farms Used in Massive Bank Account Theft
(December 15, 16, & 17, 2020)
Researchers with IBM Trusteer has "discovered a major mobile banking fraud operation" that drained millions from bank accounts. With "an infrastructure of mobile device emulators to set up thousands of spoofed devices," the thieves used previously compromised online banking account access credentials to steal funds from bank accounts in the US and the EU.
[Editor Comments]
[Murray] This attack involved fraudulent credential reuse. Both bankers and their customers should require strong authentication on mobile banking apps. This should include the use of device identifiers that are difficult to mimic.
Read more in:
Security Intelligence: IBM Trusteer Exposes Massive Fraud Operation Facilitated by Evil Mobile Emulator Farms
https://securityintelligence.com/posts/massive-fraud-operation-evil-mobile-emulator-farms/
Ars Technica: "Evil mobile emulator farms" used to steal millions from US and EU banks
Bleeping Computer: Emulated mobile devices used to steal millions from US, EU banks
--DoJ Seizes Fake COVID Domains
(December 18 & 21, 2020)
The US Department of Justice (DoJ) has seized domains that were being used to impersonate pharmaceutical companies involved in COVID-19 treatments. The domains, which were spoofing Moderna and Regeneron, were being used to harvest personal information of site visitors.
Read more in:
Gov Infosecurity: DOJ Seizes Fake Domains Impersonating Moderna, Regeneron
https://www.govinfosecurity.com/doj-seizes-fake-domains-impersonating-moderna-regeneron-a-15638
Justice: Maryland U.S. Attorney's Office Seizes Two Domain Names Purporting to be Websites of Biotechnology Companies Developing Treatments for Covid-19
******************************************************************************
Look what the 10,000 people playing Holiday Hack Challenge are saying today:
"(The Holiday Hack Challenge) is the one platform which truly shows the meaning of the Holiday Season! Community, Festive, Fun! Everybody is invited, there is something for everyone!" - Brenda van Rensburg
It's free as a holiday gift to you! Join anytime for free, play along until January 4: https://holidayhackchallenge.com
******************************* SPONSORED LINKS ********************************
1) Webcast | Zero trust has become one of the hottest topics in IT and cybersecurity, especially in light of the global pandemic. Join us for our upcoming webcast, "Zero Trust must include the workforce, workloads, AND workplace." | January 7th @ 3:30 PM ET
| http://www.sans.org/info/218520
2) Product Review Webcast | Join SANS Instructor, Matt Bromiley for our upcoming webcast, "Automated Testing Against an Ever-Changing Landscape." Bromiley will review Cymulate Continuous Validation, a highly integrated, customizable platform built to challenge, assess, and optimize the security posture of your organization | January 12th @ 10:30 AM ET
| http://www.sans.org/info/218525
3) Webcast | Tune in for our upcoming webcast, "Security stories from the field: a fireside chat with Barak Engel and Brian Ahern." Engel and Ahern will share real-world stories and lessons learned from their decades of experience in the technology and cybersecurity space | January 12th @ 1:00 PM ET
| http://www.sans.org/info/218530
******************************************************************************
THE REST OF THE WEEK'S NEWS
--Dell Issues Fixes for Critical Flaws in Wyse ThinOS
(December 21, 2020)
Dell has released updates to address a pair of critical vulnerabilities in its Dell Wyse ThinOS. The flaws affect all Dell Wyse Thin Clients running ThinOS versions 8.6 and earlier. The vulnerabilities could be exploited to remotely execute code and access files. Both vulnerabilities received CVSS scores of 10. Researchers at CyberMDX detected the flaws and reported them to Dell in June 2020.
[Editor Comments]
[Murray] While customers should expect security representations from vendors, history suggests that they be taken with a grain of salt. Vendors making such claims should specify the limits of the remedy that they will offer when they fail to meet their security goals.
Read more in:
Bleeping Computer: Critical bugs in Dell Wyse ThinOS allow thin client take over
Threatpost: Critical Bugs in Dell Wyse Thin Clients Allow Code Execution, Client Takeovers
https://threatpost.com/critical-bugs-dell-wyse-thin-clients/162452/
The Register: Dell Wyse Thin Client scores two perfect 10 security flaws
https://www.theregister.com/2020/12/21/dell_wyse_thin_client_scores/
Security Week: Critical Vulnerabilities Expose Dell Wyse Thin Client Devices to Attacks
https://www.securityweek.com/critical-vulnerabilities-expose-dell-wyse-thin-client-devices-attacks
CyberMDX: CyberMDX Research Team Discovers Vulnerability in Dell Wyse Thin Clients
https://www.cybermdx.com/vulnerability-research-disclosures/dell-wyse-thin-client-vulnerability
Dell: DSA-2020-281: Dell Wyse ThinOS 8.6 Security Update for Insecure Default Configuration Vulnerabilities.
https://www.dell.com/support/kbdoc/en-us/000180768/dsa-2020-281
--iOS "Zero-Click" Exploit Used to Infect Journalists' Phones
(December 20 & 21, 2020)
Earlier this year, state-backed attackers placed spyware on 36 personal phones that belonged to Al Jazeera journalists and other employees of the news channel. According to University of Toronto's Citizen Lab, "[t]he phones were compromised using an exploit chain that we call KISMET, which appears to involve an invisible zero-click exploit in iMessage."
[Editor Comments]
[Neely] The mitigation is to update to iOS 14. This attack was very targeted, and leveraged zero-click infection vectors, making it both harder to detect, and harder to prevent, as there was no user action required. Even so, enable on-device protection mechanisms to block or filter unknown senders to prevent messages from being processed.
[Murray] It appears that this attack was narrowly focused, required a lot of special knowledge, but no special privileges. Current versions of iOS are not vulnerable to this attack, but it seems clear that iOS is a continuing target, at least in part because it is relied upon by so many for so much.
Read more in:
Citizen Lab: The Great iPwn | Journalists Hacked with Suspected NSO Group iMessage 'Zero-Click' Exploit
Ars Technica: Zero-click iMessage zeroday used to hack the iPhones of 36 journalists
ZDNet: Zero-click iOS zero-day found deployed against Al Jazeera employees
https://www.zdnet.com/article/zero-click-ios-zero-day-found-deployed-against-al-jazeera-employees/
Security Week: Journalists' Phones Hacked via iMessage Zero-Day Exploit
https://www.securityweek.com/journalists-phones-hacked-imessage-zero-day-exploit
Cyberscoop: Zero-click iPhone exploit, NSO Group spyware used to target Mideast journalists, Citizen Lab says
https://www.cyberscoop.com/nso-group-zero-click-saudi-uae-citizen-lab-al-jazeera/
CNET: Powerful iPhone hack targets dozens of journalists, report says
https://www.cnet.com/news/powerful-iphone-hack-targets-dozens-of-journalists-report-says/
--Browser Makers Ban Kazakhstan's Traffic Interception Certificate
(December 18 & 19, 2020)
Major browser makers have blocked a root certificate that Kazakhstan's government Is requiring users to install. The certificate allows the Kazakh government to intercept HTTPS traffic; without the certificate, users will be unable to access foreign websites, including Facebook, Twitter, Instagram, and YouTube. Kazakhstan's government attempted a similar requirement in August 2019. The Kazakh government maintains that the certificate requirement is part of a public/private cybersecurity training exercise. Apple, Microsoft, Google, and Mozilla have all blocked the certificate.
[Editor Comments]
[Neely] Having a certificate like this provides visibility to user action rather than preventing cyber attacks. A different approach is needed to truly provide endpoint protection and should not be limited to only certain sites.
[Pescatore] This is the logical equivalent of a postal service requiring the use of stamps that send a copy of every letter to the government. That is not a recipe for high levels of security.
Read more in:
ZDNet: Apple, Google, Microsoft, and Mozilla ban Kazakhstan's MitM HTTPS certificate
Ars Technica: Kazakhstan spies on citizens' HTTPS traffic; browser-makers fight back
--Firefox Will Introduce Anti-Tracking Feature Next Year
(December 19, 2020)
When Mozilla releases Firefox 85 in January 2021, the browser will include an anti-tracking feature called Network Partitioning. The feature will allow Firefox to store website data like favicon caches, CSS files, and images in partitioned, per-website storage rather than in one pool. This should make it more difficult for users to be tracked across websites.
[Editor Comments]
[Pescatore] Apple and Google already do limited versions of this in the Safari and Chrome browsers. There is increasing demand from consumers for privacy, as well as increased government scrutiny of intrusive practices (well, not so much in Kazakhstan...). Good to let the product/business side know that privacy and security are increasingly features of top products, not impediments to their adoption and use.
Read more in:
ZDNet: Firefox to ship 'network partitioning' as a new anti-tracking defense
https://www.zdnet.com/article/firefox-to-ship-network-partitioning-as-a-new-anti-tracking-defense/
--Crypto Wallet Data Exposed
(December 21, 2020)
Information that was stolen from Ledger, a cryptocurrency wallet website, in June 2020 has been leaked on a hacker forum. The information is reportedly being used in phishing attacks. Ledger has been notifying customers via Twitter. Ledger provided information about the breach in a July 2020 blog post.
Read more in:
Bleeping Computer: Physical addresses of 270K Ledger owners leaked on hacker forum
Threatpost: Hacker Dumps Crypto Wallet Customer Data; Active Attacks Followhttps://threatpost.com/ledger-dump-active-attacks-follow/162477/
Ledger: Addressing the July 2020 e-commerce and marketing data breach -- A Message From Ledger's Leadership
https://www.ledger.com/addressing-the-july-2020-e-commerce-and-marketing-data-breach
--Europol Launches Decryption Platform for Law Enforcement
(December 18, 2020)
Europol, along with the European commission, has launched a new decryption platform to help EU law enforcement "decrypt information lawfully obtained in criminal investigations." The platform is operated by the European Cybercrime Centre (EC3).
[Editor Comments]
[Honan] Kudos to Europol and the European Commission for this initiative. This now enables smaller EU member states' police forces access to decryption technologies that normally are the preserve of police forces with much larger budgets. Having a centralized platform also enables better intelligence and data analysis capabilities targeting criminal activities.
[Murray] Such efforts are most likely to succeed against device encryption where the key, the method, and the cryptogram are all available, at least at some cost. They are more expensive for message encryption, and so expensive that they cannot be used for wide-spread surveillance.
Read more in:
Europol: Europol and the European Commission Inaugurate New Decryption Platform to Tackle the Challenge of Encrypted Material for Law Enforcement Investigations
Bleeping Computer: Europol launches new decryption platform for law enforcement
--Trucking Company Recovering from Ransomware Attack
(December 21, 2020)
US trucking and freight logistics company Forward Air has acknowledged that its network was hit with ransomware earlier this month. Forward Air made the disclosure in a Form 8-K filing with the US Securities and Exchange Commission (SEC). Forward Air detected the attack on December 15, 2020.
Read more in:
Bleeping Computer: Trucking giant Forward Air hit by new Hades ransomware gang
FreightWaves: Forward Air reveals ransomware attack, warns of revenue hit
Cloudfront: Form 8-K | Forward Air Corporation (PDF)
https://d1io3yog0oux5.cloudfront.net/sec/0000912728-20-000183/0000912728-20-000183.pdf
******************************************************************************
INTERNET STORM CENTER TECH CORNER
A slightly optimistic tale of how patching went for CVE-2019-19781
Heads-up: VirusTotal Functionality in Sysinternals Tools Not Working
What's The Deal With Openportstats.com?
https://isc.sans.edu/forums/diary/Whats+the+deal+with+openportstatscom/26912/
Kazakhstan: Browsers Block Government Certificate Authority
5G Vulnerabilities
Bouncy Castle BCrypt Password Verification Error
https://www.synopsys.com/blogs/software-security/cve-2020-28052-bouncy-castle/
Dell Wyse ThinOS 8.6 Security Update
https://www.dell.com/support/kbdoc/en-hr/000180768/dsa-2020-281
SolarWinds 2nd Backdoor
SolarWinds Domains
https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
