SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #2
January 7, 2020Ransomware's Real World Impacts: Corporate Fatality, School District Delays Start Date, Law Suit Against Attackers, and More
Ransomware has now closed down a company. Saying you have a cyber hygiene program, but implementing it incompletely, is now an existential mistake.
****************************************************************************
SANS NewsBites January 7, 2020 Vol. 22, Num. 002
****************************************************************************
TOP OF THE NEWS
Company Closes After Ransomware Attack
Ransomware Forces School District to Delay Start Date
Company Targeted by Ransomware Sues Attackers
Bicycle Maker Experiences "Massive Cyber Attack"
REST OF THE WEEK'S NEWS
DHS Warns of Possibility of Cyber Retaliation from Iran
New Orleans Cyberattack Update
Cisco Releases Fixes for 12 Vulnerabilities in Data Center Network Manager
Travelex Currency Exchange Takes Down Online Services After Malware Attack
Erie, CO Lost $1 Million to Scammers
Austria's Foreign Ministry Hit with Cyberattack
Chrome Extension Stole Cryptocurrency
UK Government is Taking a Closer Look at August London Stock Exchange Outage
Active Network Discloses Breach Affecting Blue Bear Software Platform
SANS Holiday Hack Challenge Open Now Through January 13
INTERNET STORM CENTER TECH CORNER
************************ Sponsored By Splunk *****************************
How to Uplevel Your Defenses With Security Analytics. If you don't have actionable insights to detect and respond to emerging and current threats, you're not reaping the rewards of modern security information event management (SIEM) technology. Download How to Uplevel Your Defenses With Security Analytics, and find out what you (and your SIEM) are missing and how to harden your defenses. http://www.sans.org/info/215180
****************************************************************************
Cybersecurity Training Update
-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Munich March 2020 | March 2-7 | https://www.sans.org/event/munich-march-2020
-- SANS Northern VA-Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020
-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020
-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS OnDemand and vLive Training
Get an iPad Mini, a Samsung Galaxy Tab S2, or Take $300 Off through January 8 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************************************
TOP OF THE NEWS
---Company Closes After Ransomware Attack
(December 23 & January 3, 2020)
Last month, an Arkansas-based telemarketing company told employees that it was "temporarily suspending operations" after struggling to recover from an October 2019 ransomware attack. The Heritage Company notified employees of its decision on December 23. On January 2, 2020, employees learned that the company is urging them to seek new employment elsewhere because it has not made sufficient strides in its recovery.
[Editor Comments]
[Pescatore] That size business (300 - 500 employees) often faces the toughest cybersecurity challenge - big enough to have fairly complex IT operations but too small to routinely staff IT and security teams with enough skilled people to achieve basic security hygiene. If you work at one of those companies and have been fighting that battle, this is a good case study to show management. The Center for Internet Security has a good starting point in a Small Midsize Enterprise guide to the Critical Security Controls found at https://www.cisecurity.org/white-papers/cis-controls-sme-guide/: CIS Controls SME Companion Guide
[Neely] As we have seen with other attacks, such as the attacks to NOLA and Baltimore, IT and business process recovery can take a long time. Further, recovery of necessary capital to continue to make payroll and other expenses can be even harder, particularly after the added expenditures associated with system recovery. In this case, both billing and payment processing capabilities were shut down, closing off the business income sources. Beyond purchasing cyber insurance, make sure to take a hard look at your business resumption plan and identify conditions which, if present, are fatal to the business and develop a plan accordingly. Clear communication about the nature and breadth of incidents can help employees make good decisions and build support around recovery efforts.
[Murray] This demonstrates that the risk of "ransomware" attacks is existential. This will not be the last enterprise to be destroyed by "ransomware." However, at this stage in the game, every enterprise should be aware and prepared. Preparations should include strong authentication, "least privilege" access control, end-to-end application layer encryption, "three" copies of mission critical data, on "two" kinds of media, at least "one" offsite, with a capability to recover critical applications in a timely manner.
Read more in:
ZDNet: Company shuts down because of ransomware, leaves 300 without jobs just before holidays
Threatpost: Ransomware Attack Topples Telemarketing Firm, Leaving Hundreds Jobless
https://threatpost.com/ransomware-attack-topples-telemarketing-firm/151530/
KATV: Sherwood telemarketing company temporarily shuts down, blames cyber attack ransom
---Ransomware Forces School District to Delay Start Date
(January 2 & 3, 2020)
A ransomware attack forced Richmond Community Schools in Michigan to delay their re-opening after the holidays. The malware, which hit the district's IT systems on December 27, appears to have made its way onto school systems through a network connection with the district's HVAC provider. The attack affected numerous Richmond Community Schools systems, including heating, telephones, and classroom technology. IT staff are restoring systems from the district's backup server. The district was scheduled to reopen on January 2, 2020, but pushed the start date out to January 6.
Read more in:
Edscoop: Ransomware used HVAC to infect Michigan K-12 district
https://edscoop.com/michigan-richmond-community-schools-k12-district-ransomware/
SC Magazine: Ransomware forces Richmond Community Schools to close
---Company Targeted by Ransomware Sues Attackers
(January 3, 2020)
Wire and cable manufacturer Southwire is suing the operators of the Maze ransomware that infected its computers in December 2019. When Southwire refused to pay the $6 million ransom, the operators posted data taken from the company's systems online. The company is suing the unknown operators "for injunctive relief and damages" under the Computer Fraud and Abuse Act (CFAA). The company is also seeking injunctions against the company that hosts the site the attackers used to post the stolen data.
[Editor Comments]
[Neely] While the identities of the operator of the Maze ransomware remain unknown, and the outcome of that action is uncertain, the injunction against the hosting company resulted in taking down the site that hosted the stolen data. The question remains of will this be an effective way to recover this type of content or will this result in the content being moved to other providers or Tor which will be harder to take down.
Read more in:
Bleeping Computer: Maze Ransomware Sued for Publishing Victim's Stolen Data
Dark Reading: Ransomware Victim Southwire Sues Maze Operators
Infosecurity Magazine: US Biz Wins Court Case Against Ransomware Data Thieves
https://www.infosecurity-magazine.com/news/us-biz-court-case-ransomware-data/
---Bicycle Maker Experiences "Massive Cyber Attack"
(January 6 & 7, 2020)
Canyon Bicycles was hit with what is likely a ransomware attack at the very end of 2019. The company, which is based in Koblenz, Germany, says that the incident will affect customer contact and delivery for several days.
[Editor Comments]
[Pescatore] With 800 employees and just under $300M in revenue, Canyon is a good example of the higher end of small midsize enterprise space in the manufacturing space. If you work at a company with a similar profile, this is a good example to use to get across the direct connection between basic security hygiene and revenue - when products don't ship, revenue stops and competitors zoom forward.
[Neely] Make sure that your DR/COOP plans include objectives that support the company remaining both viable and competitive. Those plans may also need to include verified alternate business options to bridge the gap.
Read more in:
Cycling Tips: Canyon bicycles hit by cyber attack
https://cyclingtips.com/2020/01/canyon-bicycles-hit-by-cyber-attack-over-holidays/
Bicycle Retailer: Canyon Bicycles hit by 'massive' cyber attack. US operations unaffected
The Register: Wheelie bad end to 2019 for Canyon Bicycles as hackers puncture IT systems
https://www.theregister.co.uk/2020/01/07/hackers_canyon_bicycles/
**************************** SPONSORED LINKS ******************************
1) Did you miss this webcast? Addressing Consumer Safety Concerns With Zero Trust Security. http://www.sans.org/info/215185
2) Take SANS Training at RSA Conference 2020 | San Francisco, CA | Feb 23-24. http://www.sans.org/info/215190
3) Take the SANS 2020 Automation and Integration Survey and enter to win a $400 Amazon gift card: http://www.sans.org/info/215195
*****************************************************************************
REST OF THE WEEK'S NEWS
---DHS Warns of Possibility of Cyber Retaliation from Iran
(January 3, 4, & 6, 2020)
The US Department of Homeland Security (DHS) has issued a National Terrorism Advisory System Bulletin warning of possible avenues of retaliation Iran could take against the US. The bulletin notes that "Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States."
[Editor Comments]
[Neely] While Iran has cyber offense capabilities, there is no indication as to what to expect when. The best thing to do now is report suspicious activities, ensure security personnel are monitoring for relevant IOCs and TTPs, exercise incident response plans, and make sure you take care of the basics, such as effective backups and multifactor authentication. The CISA.gov and DHS Hometown Security Campaign are good resources here: https://www.dhs.gov/cisa/hometown-security: Hometown Security
[Pescatore] It is never a bad idea to use current events to ramp up attention being paid to cybersecurity. However, physical attacks are more often met with physical retaliation. Good idea to make sure your mail room is alert for suspicious packages - US Postal Service Publication 166 is a good set of guidelines at https://about.usps.com/publications/pub166.pdf: Who Protects Your Mail? (PDF)
[Murray] The same pervasive vulnerabilities that are being exploited in "ransomware" attacks can be exploited in "wiper" attacks by nation states in times of hostility. The problem of attribution of these attacks makes them particularly attractive.
Read more in:
DHS: Summary of Terrorism Threat to the U.S. HOMELAND (PDF)
https://www.dhs.gov/sites/default/files/ntas/alerts/20_0104_ntas_bulletin.pdf
Vice: We Talked to Experts About Iran's Cyberwar Capabilities
https://www.vice.com/en_us/article/v74mx9/we-talked-to-experts-about-irans-cyberwar-capabilities
ZDNet: DHS: Iran maintains a robust cyber program and can execute cyber-attacks against the US
The Register: Cyber-warnings, cyber-speculation over cyber-Iran's cyber-retaliation cyber-plans post-Soleimani assassination
https://www.theregister.co.uk/2020/01/06/iran_attack_speculation/
SC Magazine: DHS warns Iran retaliation could include cyberattacks
https://www.scmagazine.com/home/security-news/dhs-warns-iran-retaliation-could-include-cyberattacks/
---New Orleans Cyberattack Update
(January 2, 2020)
Three weeks after computer systems at the city of New Orleans, Louisiana, were hit with a ransomware attack, city officials said that the city's Police department and its court system were expected to have access to their computer networks. The system for paying city-related bills should be bank online by the end of January.
Read more in:
NOLA: Cyberattack update: New Orleans police, court systems to be restored by Monday, officials say
https://www.nola.com/news/article_d880d35a-2d9b-11ea-aabe-ff584b1dca3e.html
---Cisco Releases Fixes for 12 Vulnerabilities in Data Center Network Manager
(January 3 & 6, 2020)
Cisco has released fixes to address a dozen vulnerabilities in its Data Center Network Manager. Three of the vulnerabilities are rated critical. Cisco also warned of an increase in attacks exploiting a known denial-of-service and information disclosure flaw in its Adaptive Security Appliance and Firepower Appliance.
[Editor Comments]
[Murray] As a general rule, it is more important to patch thoroughly than urgently. That said, patches to infrastructure should get priority.
Read more in:
Cisco: Cisco Security Advisories
https://tools.cisco.com/security/center/publicationListing.x
Talos Intelligence: Cisco ASA DoS bug attacked in wild
https://blog.talosintelligence.com/2019/12/ASA-Bug-Attacked-In-The-Wild.html
The Register: New year, new critical Cisco patches to install - this time for a dirty dozen of bugs that can be exploited to sidestep auth, inject commands, etc
https://www.theregister.co.uk/2020/01/03/critical_cisco_patches/
ZDNet: Cisco critical bugs: Nexus data center switch software needs patching now
Threatpost: 3 Critical Bugs Allow Remote Attacks on Cisco NX-OS and Switches
https://threatpost.com/cisco-patches-3-critical-bugs-nx-os/151529/
Help Net Security: Cisco Data Center Network Manager flaws fixed, Cisco ASA appliances under attack
https://www.helpnetsecurity.com/2020/01/06/cisco-data-center-network-manager-flaws-fixed/
---Travelex Currency Exchange Takes Down Online Services After Malware Attack
(January 2, 3, & 6, 2020)
Currency exchange Travelex was hot with malware on New Year's Eve, prompting it to take down all of its online services as well as its mobile app. As of Monday, January 6, the online services were still unavailable. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Neely] Travelex was hit by REvil/Sodinokibi Ransomware and the current demand is $3 million. The compromise appears to be the result of exploiting the Critical Pulse Secure VPN vulnerability (CVE-2019-11510); highlighting the importance of patching services which provide or control access to your network. The exfiltrated data includes dates of birth, social security numbers and card numbers, and as Sodinokibi says they will publish it if not paid; if you are (or were) a Travelex customer, verifying that you have active credit monitoring, including any Travelex issued cards, would be prudent.
Read more in:
WSJ: Travelex Currency-Exchange Network Shut Down by Virus Attack (paywall)
Infosecurity Magazine: Travelex Site Still Down After New Year's Eve Attack
https://www.infosecurity-magazine.com/news/travelex-site-down-new-years-eve/
Threatpost: Travelex Knocked Offline by System-Wide Malware Attack
https://threatpost.com/travelex-knocked-offline-malware-attack/151522/
Dark Reading: Malware Hits Travelex Currency Exchange Service
Bleeping Computer: Sodinokibi Ransomware Hits Travelex, Demands $3 Million
---Erie, CO Lost $1 Million to Scammers
(January 3 & 4, 2020)
Hackers pretending to be a contractor hired by the town of Erie, Colorado stole more than $1 million from the town's coffers. The hackers requested a change in the method of payment from a check to an electronic funds transfer.
[Editor Comments]
[Neely] Out-of-band confirmation of all payment mechanisms, no longer just wire transfers, is essential for both establishment of and changes to payment methods. Even legitimate communications can include transcription errors that can be corrected prior to failed or misdirected payments.
Read more in:
Bleeping Computer: Colorado Town Wires Over $1 Million to BEC Scammers
https://www.bleepingcomputer.com/news/security/colorado-town-wires-over-1-million-to-bec-scammers/
TechNadu: Town of Erie in Colorado Paid $1 Million to BEC Scammers
https://www.technadu.com/town-of-erie-colorado-paid-1-million-bec-scammers/89209/
---Austria's Foreign Ministry Hit with Cyberattack
(January 5 & 6, 2020)
A "serious cyberattack" on systems at Austria's Foreign Ministry may be the work of another foreign country, according to the ministry. The attack began on Saturday, January 4.
Read more in:
BBC: 'Serious cyber-attack' on Austria's foreign ministry
https://www.bbc.com/news/world-europe-50997773
SC Magazine: State actors may be behind ongoing cyberattack on Austria's foreign ministry
Information Security Buzz: Security Awareness Advocate On Austria's Foreign Ministry Targeted By 'Serious' Cyber Attack
Reuters: Austria suspects foreign state behind cyberattack on ministry
---Chrome Extension Stole Cryptocurrency
(January 6, 2020)
A Chrome extension that purported to be a cryptocurrency wallet actually stole $16,000 in cryptocurrency from at least one user. The extension, called "Ledger Secure," had been available in the Chrome Web Store. It is not related to the physical cryptocurrency wallet maker Ledger. The extension has been removed from the store.
[Editor Comments]
[Neely] Not a bad idea to scan for and remove this extension if detected. Also, relative to the use of cryptocurrency wallets on corporate computers: users right to privacy, or lack thereof, and corporate liability, particularly for security, needs to be carefully considered.
[Murray] While the blockchain on which cryptocurrency is based is secure, the wallets and exchanges are so vulnerable as to put the whole scheme at risk.
Read more in:
Softpedia: Shady Google Chrome Extension Steals $16,000 Worth of Cryptocurrency
Decrypt: A malicious Google Chrome extension cost one user $16,000
https://decrypt.co/15803/a-malicious-google-chrome-extension-cost-one-user-16000
---UK Government is Taking a Closer Look at August London Stock Exchange Outage
(January 5 & 6, 2020)
Government authorities in the UK are reportedly taking a closer look at an August 2019 outage that delayed trading at the London Stock Exchange (LSE) for more than an hour and a half. At the time, the incident was attributed to a software glitch. Sources say that British intelligence has requested additional information from the LSE. GCHQ has denied that it is investigating the incident. (Please note that the WSJ story is behind a paywall.)
Read more in:
WSJ: U.K. Examines if Cyberattack Triggered London Stock Exchange Outage (paywall)
ZDNet: UK government investigates possible cyberattack link to London Stock exchange
The Register: GCHQ: A cyber-what-now? Rumours of our probe into London Stock Exchange 'cyberattack' have been greatly exaggerated
---Active Network Discloses Breach Affecting Blue Bear Software Platform
(December 30, 2019 & January 5, 2020)
Active Network, the company that makes the Blue Bear web-based accounting software platform used by K-12 schools in the US, has acknowledged a data breach. People who accessed schools' Blue Bear web stores between October 1 and November 13, 2019 may have had their data exposed. The compromised information includes names and payment card numbers, expiration dates, and security codes. The attackers appear to have skimmed the information in real-time during transactions. Active Network reported the incident to the California Attorney General's office late last year.
[Editor Comments]
[Murray] "Card not present" fraud is now the preferred way to compromise and monetize credit and debit card numbers. Only a small number of merchants can provide the necessary security required to process credit or debit card account numbers safely. Online merchants must employ checkout proxies like PayPal and Apple Pay and must not accept, process, or store credit or debit card numbers in the clear. Consumers who deal with merchants that require credit or debit card numbers should use one-time or one merchant card numbers like those provided by privacy.com.
Read more in:
ZDNet: School management software provider discloses severe security breach
https://www.zdnet.com/article/school-management-software-provider-discloses-severe-security-breach/
SC Magazine: School software vendor Active Network suffers data breach
---SANS Holiday Hack Challenge Open Now Through January 13
The holidays aren't over yet folks! The free annual SANS Holiday Hack Challenge is open through January 13 so you can start the year by building your capabilities with world-class cyber defense, DFIR, and pen test challenges. Plus: Don't miss your chance to win a complimentary SANS Live Training course, SANS Online Training course, or a 4-month subscription to SANS NetWars Continuous. All skill levels can and should participate! We've got a lot of fun in store for you at https://holidayhackchallenge.com.
INTERNET STORM CENTER TECH CORNER
Quick Summary of the California Consumer Privacy Act
https://isc.sans.edu/forums/diary/CCPA+Quick+Overview/25668/
Cisco Vulnerabilities
https://tools.cisco.com/security/center/publicationListing.x
Xiaomi Camera Cache Bug
https://www.reddit.com/r/googlehome/comments/eine1m/when_i_load_the_xiaomi_camera_in_my_google_home/
Spoofed Scans from 103/8
https://isc.sans.edu/forums/diary/Increase+in+Number+of+Sources+January+3rd+and+4th+spoofed/25678/
Iran Terror Threat
https://www.dhs.gov/sites/default/files/ntas/alerts/20_0104_ntas_bulletin.pdf
BusKill Laptop Kill Cord
https://tech.michaelaltfield.net/2020/01/02/buskill-laptop-kill-cord-dead-man-switch/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
