SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #18
March 3, 2020Apache Tomcat Servers - Act Now; WordPress Plugins Actively Exploited; FBI Talks Ransomware at RSA
SANS Training Guarantee for Those Affected by Coronavirus
SANS cares about bringing exemplary cybersecurity training to classrooms around the world as often as possible, but we also care about your safety. We are working in conjunction with the venues where training events are held to implement appropriate health and safety measures. At this time, SANS does not expect any training events to be affected by the Coronavirus outbreak, but we understand that some of our students may be impacted. We've instituted a global SANS Training Guarantee to ensure that you can select and change your training to an alternative appropriate for your situation with no financial risk - learn more about that Training Guarantee (https://www.sans.org/training-guarantee) or contact us (https://www.sans.org/about/contact/).
****************************************************************************
SANS NewsBites March 3, 2020 Vol. 22, Num. 018
****************************************************************************
TOP OF THE NEWS
GhostCat Vulnerability Affects Apache Tomcat Servers (Important to Act Now)
WordPress Plugin Flaws Are Being Actively Exploited
RSA: FBI Special Agent Talks Ransomware
REST OF THE WEEK'S NEWS
Redcar and Cleveland Council Still Recovering from Ransomware
RailWorks Ransomware Attack
Hackers Target Visser Precision with Ransomware and Steal Data
Walgreens App Bug Exposed Users Personal Messages
Network Rail/C3UK Data Leak
Munson Healthcare Group Data Security Incident
Pro Publica Examines Security of Election-Related Websites
INTERNET STORM CENTER TECH CORNER
*********************** Sponsored By Swimlane ****************************
SOAR Without Limits. Think you can't have it all? With Swimlane's security orchestration, automation and response (SOAR) solution, you can. Don't put limits on what you can do. Automate any use case based on what, how and when you need it. Download this Use Cases for SOAR e-book to learn what processes you should automate. http://www.sans.org/info/215695
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020
-- SANS Security West 2020 |San Diego, CA | May 6-13 | https://www.sans.org/event/security-west-2020
-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020
-- SANS San Francisco Spring 2020 | March 16-27 | https://www.sans.org/event/san-francisco-spring-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020
-- SANS London April 2020 | April 20-25 | https://www.sans.org/event/london-april-2020
-- Cloud Security Summit & Training 2020 | Frisco, TX | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020
-- Rocky Mountain Hackfest Summit & Training 2020 | Denver,CO | June 1-8 | https://www.sans.org/event/rockymountainhackfest-summit-2020
-- SANS OnDemand and vLive Training
Get an iPad (32G), a Samsung Galaxy Tab A, or Take $250 Off through March 4 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--GhostCat Vulnerability Affects Apache Tomcat Servers (Important to Act Now)
(March 2, 2020)
A vulnerability in the Tomcat AJP protocol can be exploited to read file contents and access source code and configuration files. If the servers allow file uploads, the flaw can also be exploited to remotely execute code. Dubbed GhostCat because is has existed in Tomcat for more than a decade, the vulnerability affects Tomcat versions 6.x, 7.x, 8.x, and 9.x. Apache Tomcat has released versions 9.0.31, 8.5.51, and 7.0.100 to address the issue.
[Editor Comments]
[Ullrich] This vulnerability got a bit "lost" between RSA and Coronavirus. It should have received much more attention as exploitation is under way. Multiple proof of concept exploits are available.
[Neely] The exploit requires the AJP connector to be enabled and its port, often 8009, accessible. Apply updates to Tomcat where explicitly installed. Where Tomcat is bundled with applications, you'll need to wait for the supplier to provide an update. Mitigations include disabling AJP if you're not using the service, or restrict access to port 8009. If you are using it, enable the requiredSecret attribute to require authenticated connections.
Read more in:
Chaitin: Ghostcat is a high-risk file read / include vulnerability in Tomcat
https://www.chaitin.cn/en/ghostcat
Cyware: Patch Your Tomcat and JBoss Instances to Mitigate New High-Risk GhostCat Vulnerability
--WordPress Plugin Flaws Are Being Actively Exploited
(February 28 & March 2, 2020)
Hackers have been exploiting vulnerabilities in several WordPress plugins. Updates are available to address flaws in the Duplicator, Profile Builder, ThemeGrill Demo Importer, Flexible Checkout Fields for WooCommerce, Async JavaScript, 10Web Map Builder for Google Maps, and Modern Events Calendar Lite plugins. Attackers have also been exploiting a vulnerability in ThemeREX Addons; there is currently no update available to address this flaw, and users are urged to remove the plugin from their sites.
[Editor Comments]
[Ullrich] If you absolutely need to run WordPress: Let Wordpress.com run it for you. It appears to be the WordPress business model to make the software impossible to run securely on your own unless you spend a lot of effort or run a very limited, stripped-down version.
[Neely] Don't just disable unused plugins, remove them so the vulnerable code is deleted from your server. Check your site for new admin accounts, and unexpected content, particularly .php and .zip files in /wp-content/uploads/. Also, make sure you have regular backups of both your site and its database so you can roll back if needed.
[Murray] Application managers and developers are responsible for the quality of all included code, without regard to its source. "Plugins" rarely come with any representation or measure of quality.
Read more in:
ZDNet: Hackers are actively exploiting zero-days in several WordPress plugins
Bleeping Computer: Critical Bugs in WordPress Plugins Let Hackers Take Over Sites
--RSA: FBI Special Agent Talks Ransomware
(March 2, 2020)
At the RSA Conference in San Francisco last week, Joel DeCapua, FBI special agent in the Global Operations and Targeting Unit, told an audience that victims of ransomware have paid more than $140 million over the past six-and-a-half years. That figure accounts only for ransom demands paid in bitcoin. DeCapua also said that the initial vector of intrusion for about three-quarters of ransomware attacks is Remote Desktop Protocol (RDP).
[Editor Comments]
[Neely] Only expose the RDP service to the Internet by exception on systems sufficiently configured for the service, including strong authentication, active monitoring and patching. Better still, require a VPN prior to allowing RDP access.
[Murray] Other speakers suggest the main source of ransomware is phishing. Strong authentication schemes are better than any kind of passwords in resisting either RDP or phishing.
Read more in:
ZDNet: Ransomware victims are paying out millions a month. One particular version has cost them the most.
**************************** SPONSORED LINKS ******************************
1) Webinar: How to prioritize security controls for situational awareness in AWS. http://www.sans.org/info/215700
2) Don't miss this webcast: Innovative Application Security Testing Techniques for Modern Software Development. Register: http://www.sans.org/info/215705
3) Learn the characteristics of a malware family and practical identification techniques in this upcoming webcast. View here: http://www.sans.org/info/215710
*****************************************************************************
REST OF THE WEEK'S NEWS
--Redcar and Cleveland Council Still Recovering from Ransomware
(February 27, 2020)
A ransomware attack hit servers in the UK council of Redcar and Cleveland more than three weeks ago; residents are still unable to access online services. One councilor said they were told recovery would take several months and cost between #11 million and #18 million (US $14 million and $23 million).
[Editor Comments]
[Neely] Time to recover includes impacts of deciding to rebuild or repair impacted systems, as well as experience with recovery from DR media. When planning for ransomware, don't forget to include active exercises rebuilding systems to assure those procesess work in a timely fashion.
[Honan] We need to accept that there is no guarantee our preventive controls will detect and prevent a ransomware attack. Having an effective BCP can minimise the impact of many ransomware attacks. This story reinforces that stance and the old adage "Fail to prepare, prepare to fail."
Read more in:
Computer Weekly: Redcar & Cleveland Council confirms ransomware attack
https://www.computerweekly.com/news/252479241/Redcar-Cleveland-Council-confirms-ransomware-attack
The Guardian: Ransomware attack leaves council facing huge bill to restore services
https://www.theguardian.com/technology/2020/feb/27/redcar-and-cleveland-council-hit-by-cyber-attack
BBC: Redcar council IT hack confirmed as ransomware attack
https://www.bbc.com/news/uk-england-tees-51651405
--RailWorks Ransomware Attack
(February 28, 29, & March 1, 2020)
RailWorks Corp., a railroad track and transit system provider, suffered a ransomware attack in late January 2020. The breach may have compromised personally identifiable information of current and former employees as well as their beneficiaries and dependents; the company has begun notifying affected individuals.
Read more in:
TechNadu: RailWorks Corporation Disclosed Catastrophic Ransomware Infection
https://www.technadu.com/railworks-corporation-disclosed-catastrophic-ransomware-infection/94045/
Bleeping Computer: US Railroad Contractor Reports Data Breach After Ransomware Attack
Silicon Angle: Railroad firm Railworks hit by ransomware and employee data stolen
https://siliconangle.com/2020/03/01/railroad-firm-railworks-hit-ransomware-employee-data-stolen/
Document Cloud: Re: Notice of a Data Breach (PDF)
https://www.documentcloud.org/documents/6789873-RailWorks-Employee-US-Individual-Notification.html
--Hackers Target Visser Precision with Ransomware and Steal Data
(March 1 & 2, 2020)
A "cybersecurity incident" at Visser Precision, a maker of custom parts for companies in the automotive, aerospace, and other industries, is believed to be a ransomware attack. The attackers also stole data belonging to its business partners, and have reportedly already posted some of the stolen documents.
Read more in:
SC Magazine: Data-stealing ransomware hits parts maker for Tesla, Boeing and Lockheed Martin
Tech Crunch: Visser, a parts manufacturer for Tesla and SpaceX, confirms data breach
https://techcrunch.com/2020/03/01/visser-breach/
--Walgreens App Bug Exposed Users Personal Messages
(March 1 & 2, 2020)
A privacy issue in the Walgreens mobile app (Android and iOS) secure messaging feature exposed users' information to other users. The bug allowed some user to view others' personal messages, which included some health-related information, for several days last month. Walgreens became aware of the issue on January 15, 2020. It has since been fixed. Walgreens operates more than 9,000 drugstores across the US.
Read more in:
ZDNet: Walgreens says mobile app leaked users' personal data
https://www.zdnet.com/article/walgreens-says-mobile-app-leaked-users-personal-data/
Bleeping Computer: US Drugstore Giant Walgreens Leaked Users' Sensitive Info
--Network Rail/C3UK Data Leak
(March 2, 2020)
A database maintained by Internet service provider C3UK was found to be unprotected, exposing information belonging to roughly 10,000 people who used the company's wi-fi service at railway stations. C3UK is a contractor for Network Rail, which owns and manages the infrastructure of most of the railway network in Great Britain.
[Editor Comments]
[Neely] While this was a backup, not the full production database, it still included email addresses, gender, mobile device OS information, as well as travel reason, which was intended to be used for targeted advertising. Think twice about the amount of information requested to use free services.
Read more in:
BBC: Rail station wi-fi provider exposed traveller data
https://www.bbc.com/news/technology-51682280
TechNadu: 'Network Rail' in the UK Leaked the Data of 10000 Travelers
https://www.technadu.com/network-rail-uk-leaked-data-of-10000-travelers/94160/
--Munson Healthcare Group Data Security Incident
(February 26, 27, & 28, 2020)
Hackers gained access to email accounts of at least two employees at Munson Healthcare Group in Michigan between July 31 and October 22, 2019. The breach was not detected until January 16, 2020. The compromised accounts had access to patient data, including names, financial account information, Social Security numbers, and insurance, diagnostic, and treatment information. Munson Healthcare operates nine hospitals in Northern Michigan.
[Editor Comments]
[Murray] It is this kind of continued fraudulent reuse of compromised credentials that strong authentication is designed to resist.
Read more in:
Munson Healthcare: Munson Healthcare Notifies Patients of Data Security Incident
https://www.munsonhealthcare.org/about-the-system/news-media-relations/news/news-details?&news=1030
Infosecurity Magazine: Michigan Healthcare Group Hack Went Undetected for Six Months
https://www.infosecurity-magazine.com/news/munson-healthcare-data-breach/
SC Magazine: Munson Healthcare data breach exposes PHI
https://www.scmagazine.com/home/security-news/data-breach/munson-healthcare-data-breach-exposes-phi/
--Pro Publica Examines Security of Election-Related Websites
(March 2, 2020)
Pro Publica found that at least 50 election-related websites in the US have serious security issues. Some of the sites are running on software that dates back to 2003, some have inadequate encryption, and some contain unnecessary software. The election-related sites provide information for voters about where to vote, how to register to vote, and they provide election results. None of the sites Pro Publica examined had reported cyberattacks.
[Editor Comments]
[Murray] "Unnecessary software," including operating system code, is a significant source of vulnerability. Such software often increases the attack surface of systems and applications by more than ten times. This code is often included without any thought being given to its provenance or quality.
Read more in:
Pro Publica: Some Election-Related Websites Still Run on Vulnerable Software Older Than Many High Schoolers
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Show me Your Clipboard Data!
https://isc.sans.edu/forums/diary/Show+me+Your+Clipboard+Data/25846/
Hazelcast IMDG Discover Scan
https://isc.sans.edu/forums/diary/Hazelcast+IMDG+Discover+Scan/25850/
Microsoft Exchange Server Vulnerability Scans
https://twitter.com/GossiTheDog/status/1232369036438233088
Tomcat GhostCat Vulnerability
SSL Distribution by Country
https://isc.sans.edu/forums/diary/Secure+vs+cleartext+protocols+couple+of+interesting+stats/25854/
Checkpoint Evasion Encyclopedia
https://research.checkpoint.com/2020/cpr-evasion-encyclopedia-the-check-point-evasion-repository/
OWASP Threat Dragon
https://github.com/mike-goodwin/owasp-threat-dragon-desktop
SANS Free Things
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create