SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #19
March 6, 2020Phony Corona Virus Sites; Phony Certificate Alerts; Dangerous Browser Extensions
****************************************************************************
SANS NewsBites March 6, 2020 Vol. 22, Num. 019
****************************************************************************
TOP OF THE NEWS
World Health Organization: Scammers are Exploiting Coronavirus Fears
Phony Certificate Alerts Spreading Malware
The Long Arm of Browser Extensions
REST OF THE WEEK'S NEWS
Intel Chip Flaw is Unfixable
Breach Exposed T-Mobile Data
EMCOR Discloses Ransomware Attack
Browsers to Start Blocking Sites That Use Old TLS Protocols
UK's ICO Fines Cathay Pacific Over Data Leak
"Let's Encrypt" Removes Deadline for Revoking Certificates Over CCA Code Problem
Netgear Releases Firmware Updates to Fix Router Vulnerabilities
Epiq Ransomware Attack
West Virginia Will No Longer Use Voatz Mobile Voting App
Cisco Issues Fixes for Webex Flaws
INTERNET STORM CENTER TECH CORNER
****************** Sponsored By AWS Marketplace **************************
Webinar: How to Prioritize Security Controls for Situational Awareness in AWS. By establishing visibility and accountability in Amazon Web Services (AWS), organizations gain situational awareness to detect and discern unusual events in their environment. Join this webinar to discover ways to strengthen your foundational controls and enhance your security posture in AWS. http://www.sans.org/info/215735
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020
-- SANS Security West 2020 |San Diego, CA | May 6-13 | https://www.sans.org/event/security-west-2020
-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020
-- SANS San Francisco Spring 2020 | March 16-27 | https://www.sans.org/event/san-francisco-spring-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020
-- SANS London April 2020 | April 20-25 | https://www.sans.org/event/london-april-2020
-- Cloud Security Summit & Training 2020 | Frisco, TX | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020
-- Rocky Mountain Hackfest Summit & Training 2020 | Denver,CO | June 1-8 | https://www.sans.org/event/rockymountainhackfest-summit-2020
-- SANS OnDemand and vLive Training
Get an iPad mini (64GB), HP Chromebook 14 G5, or Take $300 Off through March 18 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--World Health Organization: Scammers are Exploiting Coronavirus Fears
(March 6, 2020)
The World Health Organization (WHO) is warning that scammers posing as WHO representatives are trying to trick people into sharing their account access credentials or opening malicious email attachments. Scammers have also been sending email that exploits concerns about COVID-19 to spread malware. Researchers note that more than 4,000 coronavirus-related domains have been registered since the beginning of the year; of those, three percent are considered malicious, and another five percent are suspicious.
Read more in:
UN: UN health agency warns against coronavirus COVID-19 criminal scams
https://news.un.org/en/story/2020/02/1058381
Vox: Coronavirus email scams are trying to cash in on your fear
https://www.vox.com/recode/2020/3/5/21164745/coronavirus-phishing-email-scams
ZDNet: Nasty phishing scams aim to exploit coronavirus fears
https://www.zdnet.com/article/nasty-phishing-scams-aim-to-exploit-coronovirus-fears/
--Phony Certificate Alerts Spreading Malware
(March 5, 2020)
Kaspersky researchers have found that attackers are using fake certificate update warnings to spread malware. When users visit previously infected sites, they see a notification about an expired security certificate. Users are urged to accept the "update," which downloads a file that, when installed, will deliver either the Mokes or Buerak malware.
[Editor Comments]
[Pescatore] When the browsers start blocking sites running outdated SSL/TLS levels, we will see a similar round of phony alerts and attacks.
[Neely] With the Let's Encrypt story below, browsers such as Safari raising the bar on certificate security, users are likely to get fooled. They need to know that updates will only come through proper channels.
Read more in:
ZDNet: Backdoor malware is being spread through fake security certificate alerts
Bleeping Computer: Attackers Deliver Malware via Fake Website Certificate Errors
Securelist: Mokes and Buerak distributed under the guise of security certificates
https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/
--The Long Arm of Browser Extensions
(March 3, 2020)
When Blue Shield of California learned that its website had been flagged for serving malicious content, further investigation revealed that the malicious code was the result of an employee's browser extension. The employee had recently edited the website, and the Page Ruler extension for Chrome injected the code in question. The Page Ruler extension was sold several years ago and since then, has been reported for spreading malicious code. Brian Krebs reminds us "that browser extensions -- however useful or fun they may seem when you install them -- typically have a great deal of power and can effectively read and/or write all data in your browsing sessions."
[Editor Comments]
[Neely] Avoid browser extensions where possible. They not only may have security risks but may also interfere with updates to security and functionality. Review selected extensions regularly to make sure they are needed, supported, and do what you think they do.
[Murray] As we said last week, the managers and the developers of applications are both responsible for the content of all software. So-called "extensions" and "plug-ins" have a bad track record and are difficult to evaluate.
Read more in:
KrebsOnSecurity: The Case for Limiting Your Browser Extensions
https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/
**************************** SPONSORED LINKS ******************************
1) Webcast March 18th at 10:30AM ET: Family Matters: Practical Malware Family Identification for Incident Responders. http://www.sans.org/info/215740
2) Free Event | Robert M. Lee to host the Cyber Threat Intelligence Solutions Forum on March 27th in D.C. Register: http://www.sans.org/info/215745
3) Survey | Tell us how you currently measure your threat hunting efforts and enter to win a $400 Amazon gift card. http://www.sans.org/info/215750
*****************************************************************************
REST OF THE WEEK'S NEWS
--Intel Chip Flaw is Unfixable
(March 5, 2020)
Researchers have found another flaw affecting Intel chips. This one affects most Intel chips manufactured within the last five years. While the flaw is not trivial to exploit and Intel has released mitigations that can lessen the damage from exploits, the issue cannot be fixed without physically replacing the chip. The problem lies in the Converged Security and Management Engine (CSME).
[Editor Comments]
[Neely] There are no active exploits and exploitation is difficult. Mitigate the risk by applying the updates provided. The flaw impacts the trusted platform module and allows for bypass of their Enhance Privacy ID (EPID) digital rights management and on chip encryption system.
[Pescatore] When you look at how easily all the levels of servers and PCs running above the CSME level are compromised, for most enterprises worrying about this is like worrying about a meteorite hitting your house when you don't lock your front doors. However, it does point out that it is always a bad decision to make security an option to turn on after booting up, vs. starting up securely and making it optional to take more risks.
Read more in:
Ars Technica: 5 years of Intel CPUs and chipsets have a concerning flaw that's unfixable
The Register: 'Unfixable' boot ROM security flaw in millions of Intel chips could spell 'utter chaos' for DRM, file encryption, etc
https://www.theregister.co.uk/2020/03/05/unfixable_intel_csme_flaw/
ZDNet: Intel CSME bug is worse than previously thought
https://www.zdnet.com/article/intel-csme-bug-is-worse-than-previously-thought/
--Breach Exposed T-Mobile Data
(March 5, 2020)
T-Mobile has disclosed a data breach that exposed customers' and employees' personal information. An attack launched against T-Mobile's email vendor gave the attackers access to T-Mobile employee email accounts. Some of those accounts contained customer and employee data.
[Editor Comments]
[Neely] Email System compromise is a recurring theme. Implementing multi-factor-authentication, strong passwords where used, and disabling legacy protocols that don't support strong authentication are key aids to prevention.
Read more in:
The Register: Staffer emails compromised and customer details exposed in T-Mobile US'sthird data whoopsie in as many years
https://www.theregister.co.uk/2020/03/05/tmobile_breach/
ZDNet: T-Mobile says hacker gained access to employee email accounts, user data
Bleeping Computer: T-Mobile Data Breach Exposes Customer's Personal, Financial Info
T-Mobile: NOTICE OF DATA BREACH
https://www.t-mobile.com/responsibility/consumer-info/cpni-notice
--EMCOR Discloses Ransomware Attack
(March 5, 2020)
Connecticut-based engineering and industrial construction company EMCOR Group has acknowledged that its systems became infected with ransomware on February 15, 2020. EMCOR says it is restoring services but has not disclosed whether or not it paid the ransom demand.
Read more in:
Computing: Ryuk ransomware attack forced industrial conglomerate EMCOR to shut down IT systems
https://www.computing.co.uk/news/4011905/ryuk-ransomware-emcor
ZDNet: Ryuk ransomware hits Fortune 500 company EMCOR
https://www.zdnet.com/article/ryuk-ransomware-hits-fortune-500-company-emcor/
--Browsers to Start Blocking Sites That Use Old TLS Protocols
(March 4, 2020)
By the end of this month, most major browsers will be blocking websites that are using TLS 1.0 and TLS 1.1, which date back to 1996 and 2006, respectively. An estimated 850,000 sites still use the outdated protocols. TLS 1.3 was released in 2018. Shortly thereafter, Mozilla, Google, Apple, and Microsoft announced that they would end support for the older versions of TLS in 2020.
[Editor Comments]
[Neely] Make sure your sites and your business partner sites support TLS 1.2 so these changes will be transparent. Leverage services like SSLReports to check and give you a report on your public facing sites.
Read more in:
ZDNet: Browsers to block access to HTTPS sites using TLS 1.0 and 1.1 starting this month
--UK's ICO Fines Cathay Pacific Over Data Leak
(March 4 & 5, 2020)
The UK's Information Commissioner's Office (ICO) has fined Cathay Pacific Airways #500,000 (US $647,000) for a data leak that went undetected for four years. The issue exposed personal data of 9.4 million Cathay Pacific customers between 2014 and 2018. The ICO says that during that time, Cathay Pacific systems were inadequately protected.
Read more in:
BBC: Cathay Pacific fined #500,000 over customer data protection failure
https://www.bbc.com/news/technology-51736857
ZDNet: Cathay Pacific hit with #500,000 fine for customer data breach
https://www.zdnet.com/article/cathay-pacific-hit-with-500000-fine-for-customer-data-breach/
The Register: UK data watchdog slaps a #500,000 fine on Cathay Pacific for 2018 9.4m customer data leak
https://www.theregister.co.uk/2020/03/04/ico_fines_cathay_pacific_500000/
Gov Infosecurity: Cathay Pacific Airlines Fined Over Data Breach
https://www.govinfosecurity.com/cathay-pacific-airlines-fined-over-data-breach-a-13879
--"Let's Encrypt" Removes Deadline for Revoking Certificates Over CCA Code Problem
(February 29 & 5, 2020)
Last week, certificate authority (CA) Let's Encrypt discovered a bug in its Certification Authority Authorization (CAA) code. The organization initially set a deadline of March 4 for administrators to replace affected certificates before it would begin revoking those that had not been replaced. On Wednesday, March 4, Let's Encrypt said it would revoke the 1.7 million certificates it knows have been replaced as well as 445 certificates it has deemed high priority. The has not set a revocation deadline for the remaining certificates, noting that it will "revoke more certificates as we become confident that doing so will not be needlessly disruptive to Web users."
[Editor Comments]
[Neely] Let's Encrypt is also concerned that the balance of the bad certificates will not be replaced. As the certificates are issued for only 90 days, non-updated certificates will expire. You can check the status of your certificates here. https://checkhost.unboundtest.com/
Read more in:
Let's Encrypt: 2020.02.29 CAA Rechecking Bug
https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591/2
Ars Technica: Let's Encrypt changes course on certificate revocation
Threatpost: Let's Encrypt Pushes Back Deadline to Revoke Some TLS Certificates
https://threatpost.com/lets-encrypt-pushes-back-deadline-to-revoke-some-tls-certificates/153456/
The Register: Let's Encrypt: OK, maybe nuking three million HTTPS certs at once was a tad ambitious. Let's take time out
https://www.theregister.co.uk/2020/03/05/lets_encrypt_halts/
--Netgear Releases Firmware Updates to Fix Router Vulnerabilities
(March 4, 2020)
Netgear has made firmware updates available to address a critical remote code execution vulnerability affecting its Wireless AC Router Nighthawk (R7800). Netgear has also warned of 24 additional security issues affecting Nighthawk devices; two of those are rated high severity. Those flaws are both post-authentication command injection issues. One affects the same Nighthawk model R7800, and the other affects "five router models within the R6400, R6700, R6900 and R7900 SKUs and that are running specific vulnerable firmware."
[Editor Comments]
[Murray] In a world of cheap hardware and scarce knowledge, skills, abilities, and experience, simply replacing flawed wireless access points is often more efficient than trying to fix them.
Read more in:
Threatpost: Critical Netgear Bug Impacts Flagship Nighthawk Router
https://threatpost.com/critical-netgear-bug-impacts-nighthawk-router/153445/
Netgear: Security Advisory for Unauthenticated Remote Code Execution on R7800, PSV-2019-0076
Netgear: Security Advisory for Post-Authentication Command Injection on Some Routers and Gateways, PSV-2018-0352
Netgear: Security Advisory for Pre-Authentication Command Injection on Some Routers, PSV-2019-0051
--Epiq Ransomware Attack
(March 2 & 4, 2020)
Computer systems at Epiq Global, a legal services and e-discovery company, became infected with ransomware on February 29, 2020. The company made the decision to take its systems offline to prevent the malware from spreading further. Clients have been unable to access e-discovery documents. Tech Crunch reported that an unnamed source said the infection affected all of Epiq's 80 offices. It appears that in December 2019, Epiq's systems became infected with TrickBot malware, which was used as a means for the Ryuk ransomware to infiltrate the systems.
Read more in:
Tech Crunch: https://techcrunch.com/2020/03/02/epiq-global-ransomware/
https://techcrunch.com/2020/03/02/epiq-global-ransomware/
Bleeping Computer: Ryuk Ransomware Attacked Epiq Global Via TrickBot Infection
LawSites: Epiq Global Down As Company Investigates Unauthorized Activity on Systems
--West Virginia Will No Longer Use Voatz Mobile Voting App
(March 3 & 5, 2020)
West Virginia's Office of the Secretary of State has announced that it will no longer use the Voatz mobile voting app. West Virginia piloted the app in the 2018 general election, allowing voters living overseas to cast their ballots with the help of their mobile devices. The decision in the wake of reports that found "fundamental flaws" in the Voatz app. West Virginia has not ruled out using Voatz in the future if the security concerns are addressed.
[Editor Comments]
[Pescatore] Good decision by West Virginia and other states should follow their lead. Not because we know the Voatz app is not secure, but because Voatz hasn't provided the level of transparency needed to make that critical decision.
Read more in:
Nextgov: West Virginia Scraps Voatz Mobile Voting App
https://www.nextgov.com/cybersecurity/2020/03/west-virginia-scraps-voatz-mobile-voting-app/163478/
MeriTalk: West Virginia Ditches Controversial Voatz App for May Election
https://www.meritalk.com/articles/west-virginia-ditches-controversial-voatz-app-for-may-election/
--Cisco Issues Fixes for Webex Flaws
(March 5, 2020)
Cisco has released updates to address multiple remote code execution vulnerabilities in Cisco Webex Network Recording Player for Microsoft Windows and Cisco Webex Player for Microsoft Windows. The issues "are due to insufficient validation of certain elements within a Webex recording that is stored in either the Advanced Recording Format (ARF) or the Webex Recording Format (WRF)."
[Editor Comments]
[Neely] These flaws are specific to their recordings player on Windows; the update is bundled with the Webex meetings client software. Current supported versions have the fix.
Read more in:
Cisco: Cisco Webex Network Recording Player and Cisco Webex Player Arbitrary Code Execution Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200304-webex-player
Portswigger: Cisco fixes Webex video conferencing RCE vulnerability
https://portswigger.net/daily-swig/cisco-fixes-webex-video-conferencing-rce-vulnerability
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Introduction to EvtxEcmd (Evtx Explorer)
https://isc.sans.edu/forums/diary/Introduction+to+EvtxEcmd+Evtx+Explorer/25858/
Survey Phish
https://isc.sans.edu/forums/diary/Will+You+Put+Your+Password+in+a+Survey/25866/
SANS Coronavirus Training Guarantee
https://www.sans.org/training-guarantee
Let's Encrypt Revoking Certificates
https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864
Let's Encrypt Revises Revocation Plan
https://community.letsencrypt.org/t/2020-02-29-caa-rechecking-bug/114591/2
MSFT Subdomain Takeover
https://vullnerability.com/blog/microsoft-subdomain-account-takeover
Homoglyph Attacks in the News Again
https://www.soluble.ai/blog/public-disclosure-emoji-to-zero-day
Coronavirus Phish
https://twitter.com/JCyberSec_/status/1234806881195044865
Healthcare.gov Sending E-Mail Looking Like Phishing
https://twitter.com/johullrich/status/1235740586717720577
Using Smart Devices in the Home Securely (NCSC Version)
https://www.ncsc.gov.uk/guidance/smart-devices-in-the-home
Intel x86 Root of Trust: Loss of Trust
https://blog.ptsecurity.com/2020/03/intelx86-root-of-trust-loss-of-trust.html
Ransomware and Cloud Backups
Trust Me, I'm Certified Podcast
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
