SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #101
December 29, 2020NB: Solarwinds; Regulators and Senators Propose Breach Notification Requirements
******************************************************************************
SANS NewsBites December 29, 2020 Vol. 22, Num. 101
******************************************************************************
SOLARWINDS AND OTHER TOP OF THE NEWS
SolarWinds: NERC Advisory
SolarWinds: CISA Incident Response Guide
SolarWinds: SUPERNOVA
US Financial Regulators Propose Breach Notification Requirement; Senators Introduce Bill That Would Require Agencies to File Incident Reports
THE REST OF THE WEEK'S NEWS
Worst Hacks of 2020
DHS Warns US Businesses Against Chinese Tech
International Law Enforcement Effort Takes Down VPN Services Used by Criminals
Eurojust Becomes Full Partner in SIRIUS Project
Kaspersky: Lazarus Group Hackers are After COVID-19 Intellectual Property
Cyberattack Against Finland's Parliament Affected MP eMail Accounts
Whirlpool Hit with Ransomware
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By SANS ******************************
Free Virtual Event | January 22nd @ 9:00 AM EST | We invite you to join us for the 2021 Cyber Threat Intelligence Summit Solutions Track! Chaired by Robert M. Lee, this virtual event will consist of presentations that focus on case-studies and thought leadership using specific examples relevant to the industry as we know it today | 4 CPE Credits
| http://www.sans.org/info/218535
******************************************************************************
CYBERSECURITY TRAINING UPDATE
New & Updated Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
- https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/
Upcoming Live Online Events
SANS Security East 2021 - Jan 11-16 CST
20 Courses | Core and GRID NetWars
https://www.sans.org/event/security-east-2021-live-online/
SANS Stay Sharp - Feb 1-4 CST
1-3 Day Management & Cloud Courses
https://www.sans.org/event/stay-sharp-management-and-cloud-feb-2021/
Open-Source Intelligence (OSINT) Summit & Training
FREE Summit: Feb 11-12 | Courses: Feb 8-10 & 15-20 EST
https://www.sans.org/event/osint-summit-2021/
OnDemand Training Special Offer
Get a free GIAC Certification Attempt or take $350 off with OnDemand Training through December 30.
- www.sans.org/specials/north-america/
Blue Team Operations Resources
Cheat Sheets, Papers, Podcasts, and more. View & Download
- https://www.sans.org/blue-team/
******************************************************************************
SOLARWINDS AND OTHER TOP OF THE NEWS
--SolarWinds: NERC Advisory
(December 23, 2020)
The North American Electric Reliability Corp. (NERC) has issued an advisory noting that the SolarWinds supply chain attack "poses a potential threat" to elements of the power sector. NERC is also asking utilities and other power companies to respond to a list of questions on the level of exposure their systems have to the SolarWinds campaign.
[Editor Comments]
[Neely] Even if you're using SolarWinds on an isolated network, you may still have impacted versions as updates would have passed file integrity checks before deployment there. The list of impacted versions continues to increase; it's prudent to locate all instances of the product and disable them until new clean versions can be installed, or replace SolarWinds entirely.
Read more in:
Cyberscoop: Grid regulator warns utilities of risk of SolarWinds backdoor, asks how exposed they are
https://www.cyberscoop.com/nerc-alert-solarwinds-grid-russia/
--SolarWinds: CISA Incident Response Guide
(December 23 & 24, 2020)
The US Cybersecurity and Infrastructure Security Agency (CISA) has warned that federal, state, and local governments, critical infrastructure entities, and private organizations "may need to rebuild all network assets" in the wake of the SolarWinds supply chain attack. CISA urges organizations to determine whether or not they are affected by the SolarWinds issue and if they are, to make response and remediation their top priority.
[Editor Comments]
[Neely] CISA also released a free detection PowerShell script (Sparrow) for your Azure/M365 environment. This tool is designed to be used by incident responders for detecting unusual and/or malicious activities in those environments and requires the CloudConnect, AzureAD and MSOnline PowerShell modules. See https://us-cert.cisa.gov/ncas/current-activity/2020/12/24/cisa-releases-free-detection-tool-azurem365-environment
Read more in:
CISA: CISA Insights | What Every Leader Needs to Know About the Ongoing APT Cyber Activity
https://www.cisa.gov/insights
CISA: What Every Leader Needs to Know About the Ongoing APT Cyber Activity (PDF)
https://www.cisa.gov/sites/default/files/publications/CISA%20Insights%20-%20What%20Every%20Leader%20Needs%20to%20Know%20About%20the%20Ongoing%20APT%20Cyber%20Activity%20-%20FINAL_508.pdf
Gov Infosecurity: CISA Warns SolarWinds Incident Response May Be Substantial
https://www.govinfosecurity.com/cisa-warns-solarwinds-incident-response-may-be-substantial-a-15661
--SolarWinds: SUPERNOVA
(December 17, 18, 26, & 27, 2020)
SolarWinds has updated its security advisory to include information about malware known as SUPERNOVA. Unlike SUNBURST, "SUPERNOVA is not malicious code embedded within the builds of [the SolarWinds] Orion(R) Platform as a supply chain attack. It is malware that is separately placed on a server that requires unauthorized access to a customer's network and is designed to appear to be part of a SolarWinds product."
Read more in:
SolarWinds: SolarWinds Security Advisory
https://www.solarwinds.com/securityadvisory
Bleeping Computer: SolarWinds releases updated advisory for new SUPERNOVA malware
https://www.bleepingcomputer.com/news/security/solarwinds-releases-updated-advisory-for-new-supernova-malware/
Unit 42: SUPERNOVA: A Novel .NET Webshell
https://unit42.paloaltonetworks.com/solarstorm-supernova/
Microsoft: Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
--US Financial Regulators Propose Breach Notification Requirement; Senators Introduce Bill That Would Require Agencies to File Incident Reports
(December 18 & 24, 2020)
US federal financial regulatory agencies have published a notice of proposed rulemaking "that would require a banking organization to provide its primary federal regulator with prompt notification of any 'computer-security incident' that rises to the level of a 'notification incident.' The proposed rule would require such notification upon the occurrence of a notification incident as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred." In a separate story, a bill introduced in the US Senate would require federal agencies that experience cyberattacks that could cause significant harm to national security or agency operations to provide congress with an incident report within seven days of the attacks.
[Editor Comments]
[Pescatore] I think the more important part of the proposed regulatory language is that "...a bank service provider would be required to notify at least two individuals at affected banking organization customers immediately after the bank service provider experiences a computer-security incident that it believes in good faith could disrupt, degrade, or impair services provided for four or more hours." Incident notification of customers being required is a much more powerful measure than simply the regulators being notified. Also, including service outages caused by incidents, and not just information disclosure events, is a positive move.
[Neely] Financial Institutions remain at the top of the list as primary cyber-attack targets, and the proposed breach notification could allow regulators to have timely insight into current actions and trends. The current Bank Security Act (BSA) reporting requires a Suspicious Activity Report (SAR) within 30 days, and other regulations require notification to the regulator "as soon as possible"; this legislation now defines the requirement at 36 hours, to keep the information timely and relevant. Additionally, notification is required from service providers, aka outsourced services, to their impacted financial institution customers. If you are a financial institution, review the proposed regulation and provide comment.
Read more in:
Federal Reserve: Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (PDF)
https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20201218a1.pdf
Federal Reserve: Agencies propose requirement for computer security incident notification
https://www.federalreserve.gov/newsevents/pressreleases/bcreg20201218a.htm
MeriTalk: Senate Bill Would Mandate Timely Reporting of Cyber Attacks
https://www.meritalk.com/articles/senate-bill-would-mandate-timely-reporting-of-cyber-attacks/
******************************************************************************
SANS HOLIDAY HACK CHALLENGE 2020
"Holiday Hack Challenge is my annual holiday grab bag; every year I reach in, and inevitably pull out new skills I can apply to my day job, and new friends to have coffee with at security conferences!" - Mary Ellen Kennel, Security Researcher
It's free as a holiday gift to you! Join anytime; deadline extended until January 11: https://holidayhackchallenge.com
***************************** SPONSORED LINKS ******************************
1) Webcast | Zero trust has become one of the hottest topics in IT and cybersecurity, especially in light of the global pandemic. Join us for our upcoming webcast, "Zero Trust must include the workforce, workloads, AND workplace." | January 7th @ 3:30 PM ET
| http://www.sans.org/info/218540
2) Webcast | Join SANS Senior Instructor, Jake Williams for "How to Stay Ahead of Cyberthreats." This webcast and associated whitepaper reviews Deep Instinct, the deep learning cybersecurity software for zero-time prevention | January 13th @ 1:00 PM EST
| http://www.sans.org/info/218555
3) Webcast | Tune in for our upcoming webcast, "Security stories from the field: a fireside chat with Barak Engel and Brian Ahern." Engel and Ahern will share real-world stories and lessons learned from their decades of experience in the technology and cybersecurity space | January 12th @ 1:00 PM ET
| http://www.sans.org/info/218550
******************************************************************************
THE REST OF THE WEEK'S NEWS
--Worst Hacks of 2020
(December 27 & 28, 2020)
The SolarWinds supply chain attack tops two lists of the worst hacks and breaches of 2020. Also included are the Twitter hack, the University Hospital Duesseldorf ransomware attack, and the data theft at Finland's Vastaamo mental healthcare provider.
[Editor Comments]
[Neely] The Ars article includes notable hacks, like the iPhone zero-click vulnerability, which are both impressive and elegant. When reviewing these, look to the lessons learned and ask whether you have the same weaknesses in your systems and processes. Multi-factor authentication, separation of duties, and user awareness training remain key and have to be supported by monitoring, patching, backup and incident response programs.
Read more in:
Wired: The Worst Hacks of 2020, a Surreal Pandemic Year
https://www.wired.com/story/worst-hacks-2020-surreal-pandemic-year/
Ars Technica: 2020 had its share of memorable hacks and breaches. Here are the top 10
https://arstechnica.com/information-technology/2020/12/2020-had-its-share-of-merorable-hacks-and-breaches-here-are-the-top-10/
--DHS Warns US Businesses Against Chinese Tech
(December 23, 2020)
The US Department of Homeland Security (DHS) has published a Data Security Business Advisory, urging US businesses to avoid using Chinese hardware or digital services. DHS warns that using Chinese technology could expose companies to "theft of trade secrets, of intellectual property, and of other confidential business information; violations of U.S. export control laws; violations of U.S. privacy laws; breaches of contractual provisions and terms of service; security and privacy risks to customers and employees; risk of PRC surveillance and tracking of regime critics; and reputational harm to U.S. businesses."
[Editor Comments]
[Neely] The DHS advisory provides a good synopsis of China's privacy and cryptography laws, and how they impact businesses partnering with or buying data services from PRC. The recommendations include mitigations, including clear contract language which identifies sensitive data, its location and who has access, coupled with language which clearly states how liability is allocated due to a failure to adhere to legal requirements.
Read more in:
ZDNet: DHS warns against using Chinese hardware and digital services
https://www.zdnet.com/article/dhs-warns-against-using-chinese-hardware-and-digital-services/
The Register: US Department of Homeland Security warns American business not to use Chinese tech or let data behind the Great Firewall
https://www.theregister.com/2020/12/23/dhs_warns_us_businesses_dont_use_china_tech/
DHS: Data Security Business Advisory: Risks and Considerations for Businesses Using Data Services and Equipment from Firms Linked to the People's Republic of China (PDF)
https://www.dhs.gov/sites/default/files/publications/20_1222_data-security-business-advisory.pdf
--International Law Enforcement Effort Takes Down VPN Services Used by Criminals
(December 22, 2020)
In a coordinated operation, Europol, along with law enforcement agencies from Germany, the Netherlands, France, Switzerland, and the US, have taken down three VPN services that were widely used by criminals to conduct cyberattacks. The three services, insorg<dot>org, safe-inet<dot>com, and safe-inet<dot>net, had been active for more than a decade.
[Editor Comments]
[Neely] These services were characterized as bulletproof, meaning that they ignore or fabricate responses to complaints about user activities, and proactively move users between servers, countries, and IP addresses to help avoid detection. While agencies have disclosed they intend to use the seized assets to track and prosecute criminals that had been using them, they have not disclosed any intentions to file charges against the service operators as co-conspirators.
Read more in:
ZDNet: Law enforcement take down three bulletproof VPN providers
https://www.zdnet.com/article/law-enforcement-take-down-three-bulletproof-vpn-providers/
Europol: Cybercriminals' Favourite VPN Taken Down in Global Action
https://www.europol.europa.eu/newsroom/news/cybercriminals%E2%80%99-favourite-vpn-taken-down-in-global-action
Justice: U.S. Law Enforcement Joins International Partners to Disrupt a VPN Service Used to Facilitate Criminal Activity
https://www.justice.gov/usao-edmi/pr/us-law-enforcement-joins-international-partners-disrupt-vpn-service-used-facilitate
--Eurojust Becomes Full Partner in SIRIUS Project
(December 23, 2020)
Europol and Eurojust have signed a new contribution agreement making Eurojust a full partner in the SIRIUS project, which was "launched by Europol in 2017 ... [and which] aims to foster the co-development of practical and innovative tools and solutions for EU law enforcement and judicial authorities that can support internet-based investigations."
Read more in:
Europol: Europol and Eurojust Sign New Contribution Agreement Expanding Cooperation on the SIRIUS Project
https://www.europol.europa.eu/newsroom/news/europol-and-eurojust-sign-new-contribution-agreement-expanding-cooperation-sirius-project
Eurojust: Europol and Eurojust sign new contribution agreement expanding cooperation on the SIRIUS project
https://www.eurojust.europa.eu/europol-and-eurojust-sign-new-contribution-agreement-expanding-cooperation-sirius-project
--Kaspersky: Lazarus Group Hackers are After COVID-19 Intellectual Property
(December 23 & 24, 2020)
According to a report from Kaspersky, a hacking group with ties to North Korea has been targeting organizations involved in COVID-19 vaccine research and development. The Lazarus Group has broken into networks at a pharmaceutical company and a government health ministry. Kaspersky researchers say the attackers are trying to steal intellectual property.
Read more in:
SecureList: Lazarus covets COVID-19-related intelligence
https://securelist.com/lazarus-covets-covid-19-related-intelligence/99906/
Threatpost: Lazarus Group Hits COVID-19 Vaccine-Maker in Espionage Attack
https://threatpost.com/lazarus-covid-19-vaccine-maker-espionage/162591/
Bleeping Computer: North Korean state hackers breach COVID-19 research entities
https://www.bleepingcomputer.com/news/security/north-korean-state-hackers-breach-covid-19-research-entities/
--Cyberattack Against Finland's Parliament Affected MP eMail Accounts
(December 28, 2020)
Finland's Parliament says that a cyberattack targeting its systems compromised email accounts of several Finnish members of parliament (MPs). The incident occurred in autumn 2020 and was detected earlier this month. It bears similarities to an cyberattack against Norway's Parliament earlier this year.
[Editor Comments]
[Neely] This is similar to the Norway Parliament attack by APT28 (Russia's GRU) which used credential stuffing and brute force to gain access. Multi-factor authentication for internet accessible services, including your VPN, is a good first step. Monitor access to email, including impossible logins, to detect anomalous behavior.
Read more in:
Eduskunta: Cyberattack against Parliament of Finland
https://www.eduskunta.fi/EN/tiedotteet/Pages/Cyberattack-against-Parliament-of-Finland.aspx
ZDNet: Finland says hackers accessed MPs' emails accounts
https://www.zdnet.com/article/finland-says-hackers-accessed-mps-emails-accounts/
Bleeping Computer: Finnish Parliament attackers hack lawmakers' email accounts
https://www.bleepingcomputer.com/news/security/finnish-parliament-attackers-hack-lawmakers-email-accounts/
--Whirlpool Hit with Ransomware
(December 28, 2020)
Home appliance maker Whirlpool was hit by a ransomware attack in November or early December 2020. The attackers stole company data before encrypting files on the company's network. Whirlpool says that their systems have been fully restored.
Read more in:
Bleeping Computer: Home appliance giant Whirlpool hit in Nefilim ransomware attack
https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/
******************************************************************************
INTERNET STORM CENTER TECH CORNER
base64dump.py Supported Encodings
https://isc.sans.edu/forums/diary/base64dumppy+Supported+Encodings/26924/
String Analysis and Maldocs
https://isc.sans.edu/forums/diary/Quickie+String+Analysis+Maldocs/26922/
Malicious Word Document Delivering an Octopus Backdoor
https://isc.sans.edu/forums/diary/Malicious+Word+Document+Delivering+an+Octopus+Backdoor/26918/
Analysis Dridex Dropper, IoC extraction
https://isc.sans.edu/forums/diary/Analysis+Dridex+Dropper+IoC+extraction+guest+diary/26920/
Malware Victim Selection Through WiFi Identification
https://isc.sans.edu/forums/diary/Malware+Victim+Selection+Through+WiFi+Identification/26910/
SolarWinds SUPERNOVA Malware / API Vulnerability
https://www.solarwinds.com/securityadvisory
Extending Android Device Compatibility for Let's Encrypt Certificates
https://letsencrypt.org/2020/12/21/extending-android-compatibility.html
Citrix ADC DDoS Attack
https://support.citrix.com/article/CTX289674
AT&T Outage due to Nashville Explosion
https://about.att.com/pages/disaster_relief/nashville.html
Crowdstrike Reporting Tool for Azure
https://github.com/CrowdStrike/CRT
Insufficient Patch for Windows 8.1/10 Print Spooler
https://bugs.chromium.org/p/project-zero/issues/detail?id=2096
Google Docs Vulnerability
https://savebreach.com/stealing-private-documents-through-a-google-docs-bug/
CCC Conferences Virtual
https://streaming.media.ccc.de/rc3
New Treck IP Stack Vulnerabilities
https://treck.com/vulnerability-response-information/
Detecting Treck IP Stack
https://github.com/Forescout/project-memoria-detector
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
