SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #21
March 13, 2020
Hackers Use Interactive COVID-19 Map to Spread Malware; Illinois Public Health Ransomware Attack; Cyberspace Solarium Commission Report
****************************************************************************
SANS NewsBites March 13, 2020 Vol. 22, Num. 021
****************************************************************************
TOP OF THE NEWS
Hackers Use Interactive COVID-19 Map to Spread Malware
Illinois Public Health District Website Suffers Ransomware Attack
Cyberspace Solarium Commission Report
REST OF THE WEEK'S NEWS
IoT Threat Report: Medical Imaging Devices are Running Outdated OSes
Microsoft's Patch Tuesday
Microsoft Patches Wormable Vulnerability in SMBv3 Protocol
Necurs Botnet Takedown
Hackers Spoofing HTTPS Domains to Skim Payment Card Data
Deloitte: Ransomware Attacks Against Local Government Increasing in Frequency and Cost
FBI Arrests Individual Suspected of Operating deer.io
Avast Disables JavaScript Engine Over Security Concerns
INTERNET STORM CENTER TECH CORNER
************************* Sponsored By SANS ******************************
Cloud Security Summit & Training 2020 | Dallas, TX | May 27 - Jun 3. Join us for the 4th annual SANS Cloud Security Summit & Training, where you'll engage with and learn from prominent security practitioners as you explore new approaches, tools, and design models for a cloud-first world. http://www.sans.org/info/215795
****************************************************************************
CYBERSECURITY TRAINING UPDATE
In response to the global escalation of the COVID-19 outbreak, and to keep our community safe, SANS will not run any in-person training between now and June 1st. We are in the process of transitioning these live events to virtual formats when possible. Check https://www.sans.org/information-security-training/by-location/all for a schedule of courses you can complete online.
Any course you have or will purchase is protected by the SANS Training Guarantee. For more information, visit https://www.sans.org/training-guarantee or contact us: https://www.sans.org/about/contact/.
Travel-Free Training with SANS Online
SANS remains committed to providing you with:
-- The world's best cybersecurity training
-- Several battle-tested online platforms
-- The same Instructors, content, and learning results as live training
-- Hands-on labs and subject matter expert support
45 Courses are available now - no travel required. Learn More: sans.org/notravel
-- SANS 2020 - CyberCast | April 3-10 | https://www.sans.org/event/sans-2020
-- SANS Seattle Spring 2020 - CyberCast | March 23-28 | https://www.sans.org/event/seattle-spring-2020
-- SANS Philadelphia 2020 - CyberCast | March 30-April 4 | https://www.sans.org/event/philadelphia-2020
-- SANS Bethesda 2020 - CyberCast | April 14-19 | https://www.sans.org/event/bethesda-2020
-- SANS Minneapolis 2020 - CyberCast | April 14-19 | https://www.sans.org/event/minneapolis-2020
-- SANS Boston Spring 2020 - CyberCast | April 20-25 | https://www.sans.org/event/boston-spring-2020
-- SANS Pen Test Austin 2020 - CyberCast | April 27-May 2 | https://www.sans.org/event/pen-test-austin-2020
-- Cloud Security Summit & Training 2020 - CyberCast | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
****************************************************************************
TOP OF THE NEWS
--Hackers Use Interactive COVID-19 Map to Spread Malware
(March 10, 11, 12, & 13, 2020)
Hackers have weaponized a live COVID-19 map to spread the AZORult malware, which steals passwords, payment card information, cookies, and other sensitive data. In a related story, state-sponsored hackers are using COVID-19 information as a lure in phishing attacks.
[Editor Comments]
[Pescatore] By now, your company should have warned employees of the inevitable flood of malware and phishing attacks around the COVID-19 pandemic. Good to remind them it will happen again when things start to return to normal.
[Neely] Expect high quality social engineering attempts due to the plethora of information about COVID-19, and users' desire to keep up-to-date on the illness and its impacts.
Read more in:
KrebsOnSecurity: Live Coronavirus Map Used to Spread Malware
https://krebsonsecurity.com/2020/03/live-coronavirus-map-used-to-spread-malware/
SC Magazine: Malicious coronavirus map hides AZORult info-stealing malware
Malwarebytes: Battling online coronavirus scams with facts
ZDNet: State-sponsored hackers are now using coronavirus lures to infect their targets
--Illinois Public Health District Website Suffers Ransomware Attack
(March 12, 2020)
The website of the Champaign-Urbana Public Health District (C-UPHD) in Illinois was hit with ransomware earlier this week. C-UPHD, which serves more than 200,000 people, including students at the University of Illinois's largest campus, has set up an alternate website while it works to restore its primary site.
Read more in:
The Hill: Illinois public health agency website taken down by hackers
The Register: Fresh virus misery for Illinois: Public health agency taken down by... web ransomware. Great timing, scumbags
https://www.theregister.co.uk/2020/03/12/ransomware_illinois_health/
--Cyberspace Solarium Commission Report
(March 11, 2020)
The US Cyberspace Solarium Commission's report, mandated by the 2019 National Defense Authorization Act, "advocates a new strategic approach to cybersecurity: layered cyber deterrence." The report makes more than 80 recommendations, which are organized under six pillars: reform the U.S. government's structure and organization for cyberspace, strengthen norms and non-military tools, promote national resilience, reshape the cyber ecosystem, operationalize cybersecurity collaboration with the private sector, and preserve and employ the military instrument of national power.
[Editor Comments]
[Murray] We need a revolution; what we are doing is not working. We need to raise the cost of attack tenfold in 2020, a hundredfold in the next five years. We know what to do; we lack the will.
Read more in:
FNN: Cyberspace Solarium Commission seeks to restore cyber coordinator roles
LawFare Blog: The Cyberspace Solarium Commission Report: A Lawfare Series
https://www.lawfareblog.com/cyberspace-solarium-commission-report-lawfare-series
Fifth Domain: Congressional report outlines new American cyber strategy
Nextgov: Solarium Cyber Report Recommends New Government Structures, Major Policy Overhauls
Duo: Commission Outlines Ways to Overhaul Federal Cybersecurity
https://duo.com/decipher/commission-outlines-ways-to-overhaul-federal-cybersecurity
Solarium: Report
https://www.solarium.gov/report
Google Drive: Cyberspace Solarium Commission Final Report: Executive Summary
https://drive.google.com/file/d/1c1UQI74Js6vkfjUowI598NjwaHD1YtlY/view
Google Drive: Cyberspace Solarium Commission Report: Full Report
https://drive.google.com/file/d/1ryMCIL_dZ30QyjFqFkkf10MxIXJGT4yv/view
**************************** SPONSORED LINKS ******************************
1) Webcast March 19th at 3:30PM ET: Join this webcast to see a demonstration and deconstruction of a full-stack attack. http://www.sans.org/info/215800
2) 2020 SANS SOC Skills Survey | Take this survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/215805
3) Live Simulcast | Join Robert M. Lee and industry experts for the Cyber Threat Intelligence Solutions Forum. http://www.sans.org/info/215810
*****************************************************************************
REST OF THE WEEK'S NEWS
--IoT Threat Report: Medical Imaging Devices are Running Outdated OSes
(March 10 & 11, 2020)
A report from Palo Alto Networks found that 83 percent of medical imaging devices in the US are running outdated operating systems. This marks a 56 percent increase over two years, which can be attributed in part to Microsoft's end of support for Windows 7 in January 2020. The report "analyzed 1.2 million IoT devices in thousands of physical locations across enterprise IT and healthcare organizations in the United States." The researchers also found that 98 percent of traffic sent by IoT devices is unencrypted.
Read more in:
Unit42.PaloAltoNetworks: 2020 Unit 42 IoT Threat Report
https://unit42.paloaltonetworks.com/iot-threat-report-2020/
Wired: Most Medical Imaging Devices Run Outdated Operating Systems
https://www.wired.com/story/most-medical-imaging-devices-run-outdated-operating-systems/
The Register: The Internet of Things is a security nightmare reveals latest real-world analysis: unencrypted traffic, network crossover, vulnerable OSes
Threatpost: More Than Half of IoT Devices Vulnerable to Severe Attacks
https://threatpost.com/half-iot-devices-vulnerable-severe-attacks/153609/
ZDNet: How poor IoT security is allowing this 12-year-old malware to make a comeback
--Microsoft's Patch Tuesday
(March 10, 2020)
Microsoft's monthly security update for March 2020 addresses 115 security issues, 26 of which are rated critical. None of the vulnerabilities is currently being actively exploited.
[Editor Comments]
[Pescatore] A monthly patch day from Microsoft is beginning to sound very outdated, kinda like "telephone dial." Imagine if the health care recommendation to prevent infection of open wounds was "on every second Tuesday of the month, apply protective covering..." Somehow businesses and IT manage to live through faster patching for phones, tablets and browsers, cloud apps and just about everything else, but Windows still has Vulnerability Tuesday?
[Neely] While patch Tuesday is familiar and convenient for scheduling, and more vendors scheduling releases to this cadence is welcomed, the volume of fixes of late warrants a shorter interval between patch releases; particularly for endpoints.
Read more in:
KrebsOnSecurity: Microsoft Patch Tuesday, March 2020 Edition
https://krebsonsecurity.com/2020/03/microsoft-patch-tuesday-march-2020-edition/
ZDNet: Microsoft March 2020 PatchTuesday fixes 115 vulnerabilities
https://www.zdnet.com/article/microsoft-march-2020-patch-tuesday-fixes-115-vulnerabilities/
Threatpost: Microsoft Patches 26 Critical Bugs in Big March Update
https://threatpost.com/microsoft-patches-bugs-march-update/153597/
--Microsoft Patches Wormable Vulnerability in SMBv3 Protocol
(March 12, 2020)
Microsoft has released a fix for a critical remote code execution flaw in the Microsoft Server Message Block 3.1.1 (SMBv3) protocol. Details of the vulnerability were inadvertently released online earlier this week. The vulnerability could be exploited to execute code remotely and spread to other vulnerable machines with no user interaction. The issue affects 32- and 64-bit Windows 10 versions 1903 and 1909 and Windows Server 2019 versions 1903 and 1909.
Read more in:
MSRC: CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
Microsoft: March 12, 2020--KB4551762 (OS Builds 18362.720 and 18363.720)
https://support.microsoft.com/en-us/help/4551762/windows-10-update-kb4551762
Duo: Microsoft Releases Emergency Fix For SMBv3 Flaw
https://duo.com/decipher/microsoft-advisory-warns-of-smbv3-flaw
ZDNet: Microsoft patches SMBv3 wormable bug that leaked earlier this week
https://www.zdnet.com/article/microsoft-patches-smbv3-wormable-bug-that-leaked-earlier-this-week/
Ars Technica: Microsoft delivers emergency patch to fix wormable Windows 10 flaw
--Necurs Botnet Takedown
(March 10 & 11, 2020)
Working alongside partners in 35 countries, Microsoft has helped to take down the infrastructure that supported the Necurs botnet, which had been used to spread malware. Necurs comprises more than 9 million computers worldwide. On March 5, 2020, a federal judge in New York gave Microsoft the authority to take control of the computers in the US that are supporting Necurs. Microsoft then analyzed the Necurs algorithm for generating new domains, predicted six million of these potentially harmful domains, and reported them to the associated registry so they could be blocked and prevented from being used by the Necurs operators.
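The takedown described above rests on one defensive idea: once a botnet's domain generation algorithm (DGA) has been reverse engineered, every domain it will produce for a future window can be computed in advance, handed to registries for blocking, and matched against internal DNS logs. The example below is added here and is not Microsoft's code or the Necurs algorithm; the DGA (`toy_dga`), the log format and the log lines are constructed stand-ins.

```python
"""Precompute a DGA's future domains, build a blocklist, and match DNS queries against it."""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "biz")  # constructed TLD set for the toy DGA


def toy_dga(day: date, index: int) -> str:
    """Hypothetical, constructed DGA: one domain per (date, index) pair.

    It is NOT the Necurs algorithm; it stands in for a real DGA that has
    been reverse engineered and can therefore be evaluated ahead of time.
    """
    seed = f"{day.isoformat()}:{index}".encode()
    digest = hashlib.sha256(seed).hexdigest()
    label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
    return f"{label}.{TLDS[index % len(TLDS)]}"


def predict_domains(start: date, days: int, per_day: int) -> set:
    """Every domain the DGA will produce over the window [start, start+days).

    This is the precomputation step: the resulting set is what gets reported
    to registries for blocking before the operators can register the names.
    """
    predicted = set()
    for offset in range(days):
        day = start + timedelta(days=offset)
        for index in range(per_day):
            predicted.add(toy_dga(day, index))
    return predicted


def match_dns_log(lines, blocklist) -> list:
    """Return (timestamp, client, qname) for queries that hit a predicted domain.

    Constructed log format: '<timestamp> <client-ip> query <qname>.'
    Lines that do not fit the format are skipped rather than raising.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        timestamp, client, _, qname = parts[:4]
        qname = qname.rstrip(".").lower()  # normalise the trailing dot and case
        if qname in blocklist:
            hits.append((timestamp, client, qname))
    return hits


# Constructed sample DNS log; the second line queries a predicted DGA domain.
SAMPLE_LOG = [
    "2020-03-10T09:00:01 10.0.0.5 query www.example.com.",
    f"2020-03-10T09:00:02 10.0.0.7 query {toy_dga(date(2020, 3, 10), 3)}.",
    "2020-03-10T09:00:03 10.0.0.5 query updates.example.net.",
    "malformed line that should be ignored",
]

if __name__ == "__main__":
    blocklist = predict_domains(date(2020, 3, 1), days=30, per_day=100)
    for hit in match_dns_log(SAMPLE_LOG, blocklist):
        print("DGA domain queried:", hit)
```

The same blocklist can be exported to a DNS sinkhole or firewall; internal clients that resolve predicted names are the infected hosts to remediate.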
Read more in:
Microsoft: New action to disrupt world's largest online criminal network
https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/
The Register: Microsoft nukes 9 million-strong Necurs botnet after unpicking domain name-generating algorithm
https://www.theregister.co.uk/2020/03/11/microsoft_necurs_botnet_takedown/
ZDNet: Microsoft orchestrates coordinated takedown of Necurs botnet
https://www.zdnet.com/article/microsoft-orchestrates-coordinated-takedown-of-necurs-botnet/
Threatpost: Necurs Botnet in Crosshairs of Global Takedown Offensive
https://threatpost.com/necurs-botnet-in-crosshairs-of-global-takedown-offensive/153607/
Cyberscoop: Microsoft strikes back at Necurs botnet by preemptively disabling hacking tools
https://www.cyberscoop.com/necurs-botnet-microsoft-strikes-back/
Duo: Microsoft Disrupts Necurs Botnet
https://duo.com/decipher/microsoft-disrupts-necurs-botnet
--Hackers Spoofing HTTPS Domains to Skim Payment Card Data
(March 11, 2020)
Hackers inserted malicious code into a website belonging to a US meat delivery service. The code, which includes a malicious domain, allowed the hackers to intercept customers' payment information. While the malicious domain has been removed from the company's website, it has been detected on other companies' sites.
Read more in:
KrebsOnSecurity: Crafty Web Skimming Domain Spoofs "https"
https://krebsonsecurity.com/2020/03/crafty-web-skimming-domain-spoofs-https/
--Deloitte: Ransomware Attacks Against Local Government Increasing in Frequency and Cost
(March 11, 2020)
According to a study from Deloitte, ransomware attacks targeting state and local government systems have grown more sophisticated and have become more frequent. The study says that in 2019, there were 163 reported ransomware attacks against local governments; at least $1.8 million in ransom was paid, and millions more spent on recovery efforts. In 2018, there were 55 reported attacks and less than $60,000 in ransom paid.
[Editor Comments]
[Neely] Part of the issue is these organizations may not have the resources to implement the mitigations needed, particularly differential backups, to aid with recovery as well as mitigations to prevent re-infection. While cyber insurance helps with the ransom payment, the funding for mitigations must be separately obtained, and is reliant on support during the already contested budget negotiation and funding cycle.
Read more in:
Dark Reading: Ransomware Increasingly Targeting Small Governments
Statescoop: Study: Governments struggle against more frequent and sophisticated ransomware
--FBI Arrests Individual Suspected of Operating deer.io
(March 10 & 12, 2020)
US federal law enforcement agents have arrested Kirill Victorovitch Firsov for allegedly operating deer.io, an online forum where cybercriminals could buy and sell stolen account credentials. Firsov is scheduled to be arraigned later this week.
Read more in:
KrebsOnSecurity: FBI Arrests Alleged Owner of Deer.io, a Top Broker of Stolen Accounts
Cyberscoop: FBI arrests alleged operator of a Russian hosting service meant for scammers
https://www.cyberscoop.com/deerio-arrest-fbi-cybercrime/
GovInfosecurity: FBI Arrests Suspected Admin of Russian Cybercrime Market
https://www.govinfosecurity.com/fbi-arrests-suspected-admin-russian-cybercrime-market-a-13928
KrebsOnSecurity: Indictment (PDF)
https://krebsonsecurity.com/wp-content/uploads/2020/03/firsovindictment.pdf
--Avast Disables JavaScript Engine Over Security Concerns
(March 11 & 13, 2020)
Avast has disabled the JavaScript engine in its antivirus product after it was found to contain a remote code execution vulnerability. Researchers at Google Project Zero say that the emulator, which checks JavaScript code for malware before it is allowed to execute, "is unsandboxed and has poor mitigation coverage."
[Editor Comments]
[Neely] Timely disablement of the emulator was a good call on Avast's part. Other endpoint protections will continue to provide protections; even so, consider enablement of JavaScript only for trusted sites.
Read more in:
The Register: Avast pulls plug on insecure JavaScript engine in its security software suite
https://www.theregister.co.uk/2020/03/13/avast_javascript_security/
ZDNet: Avast disables JavaScript engine in its antivirus following major bug
https://www.zdnet.com/article/avast-disables-javascript-engine-in-its-antivirus-following-major-bug/
GitHub: Avast Antivirus JavaScript Interpreter
https://github.com/taviso/avscript/blob/master/README.md
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Tuesday
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200005
https://isc.sans.edu/diary.html?storyid=25886
Mystery SMB3 Flaw Update
https://isc.sans.edu/forums/diary/Critical+SMBv3+Vulnerability+Remote+Code+Execution/25890/
Microsoft Releases Patch for Windows SMBv3 Compression Vulnerability CVE-2020-0796
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0796
Agent Tesla Spread by Fake Canon EOS Notification Email
COVID19 Malware
Hancitor Distributed Through Coronavirus-Themed Malspam
https://isc.sans.edu/forums/diary/Hancitor+distributed+through+coronavirusthemed+malspam/25892/
Avast Removes Vulnerable JavaScript Emulator from Products
https://github.com/taviso/avscript
Checkra1n Exploit Works Against T2 Equipped Macs
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978, including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create