SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #22
March 17, 2020
A positive surprise: SANS students are saying they like the new CyberCast live-on-line training as well as (and in a few cases, better than) in-person training.
****************************************************************************
SANS NewsBites March 17, 2020 Vol. 22, Num. 022
****************************************************************************
Top of The News
- COVID-19 Spear Phishing eMails Used to Spread Malware
- Malicious COVID-19 Android App is Ransomware
- Czech Hospital Conducting COVID-19 Testing Hit With Cyberattack
- US Dept. of Health and Human Services Fended Off Cyberattack
- SANS Security Awareness Work-from-Home Deployment Kit Released
The Rest of the Week's News
- ShadowServer is Losing its Funding
- New Voatz Audit Finds Severe Flaws
- WordPress Auto-Update Feature
- Fixes Available for Popup Builder WordPress Vulnerabilities
- Slack Flaw Fixed
- Europol and European Law Enforcement Arrest Alleged SIM-Swappers
- ENTSO-E Breach: More Details
- Crypto-Currency Scams
Internet Storm Center Tech Corner
****************************************************************************
Cybersecurity Training Update
In response to the global escalation of the COVID-19 outbreak, and to keep our community safe, SANS will not run any in-person training between now and June 1st. We are in the process of transitioning these live events to virtual formats when possible. Check https://www.sans.org/information-security-training/by-location/all for a schedule of courses you can complete online.
Any course you have or will purchase is protected by the SANS Training Guarantee. For more information, visit https://www.sans.org/training-guarantee or contact us: https://www.sans.org/about/contact/.
Travel-Free Training with SANS Online
SANS remains committed to providing you with:
. The world's best cybersecurity training
. Several battle-tested online platforms
. The same Instructors, content, and learning results as live training
. Hands-on labs and subject matter expert support
45 Courses are available now - no travel required. Learn More: sans.org/notravel
-- SANS 2020 - CyberCast | April 3-10 | https://www.sans.org/event/sans-2020
-- SANS Seattle Spring 2020 - CyberCast | March 23-28 | https://www.sans.org/event/seattle-spring-2020
-- SANS Philadelphia 2020 - CyberCast | March 30-April 4 | https://www.sans.org/event/philadelphia-2020
-- SANS Bethesda 2020 - CyberCast | April 14-19 | https://www.sans.org/event/bethesda-2020
-- SANS Minneapolis 2020 - CyberCast | April 14-19 | https://www.sans.org/event/minneapolis-2020
-- SANS Boston Spring 2020 - CyberCast | April 20-25 | https://www.sans.org/event/boston-spring-2020
-- SANS Pen Test Austin 2020 - CyberCast | April 27-May 2 | https://www.sans.org/event/pen-test-austin-2020
-- Cloud Security Summit & Training 2020 - CyberCast | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
****************************************************************************
Free technical content sponsored by Netskope
Join Netskope's Cloud Security Workshop. Are you really ready to provide safe access to cloud services and keep pace with new threats? Register for Netskope's complimentary cloud security workshop! Take control over your web services. Get 5 CPE credits and hands-on experience with Next Gen Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) solutions built for the cloud.
https://www.sans.org/info/215825
****************************************************************************
Top of the News
COVID-19 Spear Phishing eMails Used to Spread Malware
(March 13, 2020)
An APT group has been sending spear phishing emails that claim to contain information about COVID-19. The messages, which target users in Mongolia, carry maliciously crafted Rich Text Format (RTF) document attachments that are used to infect computers with a remote access Trojan (RAT).
Read more in:
- https://threatpost.com/coronavirus-apt-attack-malware/153697/
Malicious COVID-19 Android App is Ransomware
(March 13 & 16, 2020)
An Android app that purports to track confirmed cases of COVID-19 actually locks up the phone and demands $100 in bitcoin to unlock it. If victims do not pay within 48 hours, the malware says it will erase all the data on the phone. A password to unlock frozen devices has been obtained.
Editor's Note
[Neely]
This app will also set a lock on your device if one is not already configured. The DomainTools researchers have reverse engineered the decryption key for the "CovidLock" app and are preparing to release it. Note that financially motivated threat actors are leveraging the COVID-19 crisis for profit. Users need to be careful installing offered mobile applications, particularly from unofficial app stores, and should expect some apps to make it into the legitimate app stores as well.
Read more in:
- https://www.cyberscoop.com/coronavirus-app-locked-phones/
Czech Hospital Conducting COVID-19 Testing Hit With Cyberattack
(March 13 & 14, 2020)
A Czech hospital that is one of the centers for COVID-19 testing in that country was the target of a cyberattack on Friday, March 13. Details of the breach have not been disclosed, but the hospital's entire IT system was shut down and all surgeries have been canceled. Two of the hospital's branches were also affected.
Read more in:
- https://www.bleepingcomputer.com/news/security/covid-19-testing-center-hit-by-cyberattack/
US Dept. of Health and Human Services Fended Off Cyberattack
(March 16, 2020)
The US Department of Health and Human Services (HHS) noted increased network scanning over the weekend. While it appears to have been an attempt to launch a distributed denial-of-service attack (DDoS), the agency's systems were not significantly affected.
Editor's Note
[Neely]
Expect increased attacks in the name of COVID-19, particularly against businesses involved in testing and treatment; it's similar to other efforts to shortcut development by exfiltrating others' intellectual property or research. Verify your defenses, including monitoring and alerting capabilities, with an eye to operational impacts of increased numbers of remote workers, possibly even your SOC. Be prepared to alter your definition of normal due to modified working arrangements.
Read more in:
- https://www.cyberscoop.com/hhs-cyberattack-coronavirus-ddos/
- https://www.bleepingcomputer.com/news/security/us-health-department-site-hit-with-ddos-cyber-attack/
- https://thehill.com/policy/cybersecurity/487756-top-us-health-agency-suffers-cyberattack-report
SANS Security Awareness Work-from-Home Deployment Kit Released
(March 17, 2020)
Organizations worldwide are implementing work-from-home policies. At SANS, we want to do whatever we can to ensure companies and their security teams have the information and resources they need to create a secure remote workforce. We have made public a Securely Working From Home Deployment Kit to enable organizations to quickly train and secure their remote workforce. Full download and information can be found here: https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit.
The SANS Security Awareness Work-from-Home Deployment Kit includes:
- A strategic planning guide to which risks to focus on, and how to effectively train on those risks
- A communications template to engage your workforce
- Training materials (in multiple languages): Security Awareness Videos, Important Checklists & Fact Sheets, Podcasts and audio files, Posters & Newsletters, and Digital Signage
Lance Spitzner will be hosting webcasts to walk you through all the key concepts of the SANS Security Awareness Work-from-Home Deployment Kit.
- Tuesday, March 17th at 5:30 PM EDT (21:30 UTC) Register here: https://www.sans.org/webcasts/113875
- Wednesday, March 18th at 8:00 AM EDT (12:00 UTC) Register here: https://www.sans.org/webcasts/deployment-kit-securing-workforce-home-114035
****************************************************************************
Sponsored Links
Download Splunk's IT Security Predictions 2020 to learn how to best protect your organization, and your data, against a fast-approaching future. https://www.sans.org/info/215830
Start making threat intelligence more approachable by tuning in for this webcast on March 18th at 1PM ET: https://www.sans.org/info/215835
Webcast March 20th at 3:30PM ET: Learn how to leverage osquery for incident response and threat hunting. https://www.sans.org/info/215840
****************************************************************************
The Rest of the Week's News
ShadowServer is Losing its Funding
(March 16, 2020)
Cisco has withdrawn its funding from the all-volunteer non-profit organization Shadowserver.org. ShadowServer "help[s] Internet service providers (ISPs) identify and quarantine malware infections and botnets," and serves Computer Emergency Response Teams (CERTs) around the world, providing daily network reports. The organization needs to migrate operations to a new data center by mid-May.
Editor's Note
[Pescatore]
FluTrackers.com started up around the same time ShadowServer did. FluTrackers enables infectious disease experts to share data about outbreaks and treatments, regardless of whether governments or for-profit companies wanted that information to get out. It put out one of the first early warnings that something was happening in China. I'm sure other security companies will help replace the lost Cisco funding - this kind of model is an important component of the mix of government, commercial and crowd-sourced tools to use against cybersecurity risks.
Read more in:
- https://krebsonsecurity.com/2020/03/the-webs-bot-containment-unit-needs-your-help/
- https://www.wired.com/story/shadowserver-cisco-internet-cybersecurity/
- https://www.shadowserver.org/what-we-do/
New Voatz Audit Finds Severe Flaws
(March 13 & 16, 2020)
A new audit of the Voatz mobile voting app conducted by Trail of Bits found 16 "severe" security issues. Unlike previous audits, this audit had access to the Voatz Core Server and backend software. Trail of Bits confirmed the vulnerabilities found by researchers at the Massachusetts Institute of Technology (MIT) and found additional flaws.
Editor's Note
[Neely]
One of the hard parts of audits is moving through the process of acceptance to validation and remediation. While the Trail of Bits audit confirms vulnerabilities from the MIT researchers, the acceptance of and rapid response to their findings shows the advantage of a self-selected audit.
[Murray]
It is much easier to secure a purpose-built app running on a single user device than to secure a server running on a general purpose operating system. As ever, election fraud is far more likely in the tabulating and reporting steps than in vote recording. While not all of the problems identified by Trail of Bits have yet been addressed, most appear to be implementation shortcomings rather than fundamental vulnerabilities.
Read more in:
- https://statescoop.com/audit-finds-severe-vulnerabilities-voatz-mobile-voting-app/
- https://blog.trailofbits.com/2020/03/13/our-full-report-on-the-voatz-mobile-voting-platform/
WordPress Auto-Update Feature
(March 16, 2020)
WordPress developers plan to add an auto-update feature to plugins and themes. The WordPress core has had an auto-update mechanism for minor updates since October 2013, with the release of WordPress version 3.7. Users must still manually update between major versions of WordPress core.
Editor's Note
[Neely]
This is slated to release with WordPress core version 5.5 scheduled to be released in August. Version 5.4 was just released this March. The feature will include the ability to select which plugins are auto-updated and when updates will happen.
Read more in:
- https://www.zdnet.com/article/wordpress-to-add-auto-update-feature-for-themes-and-plugins/
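As an added illustration (not from the ZDNet article, and not code from WordPress core or its documentation), the following must-use plugin shows how a site on WordPress 5.4 can already opt individual plugins and themes into automatic updates without waiting for the 5.5 dashboard controls. The auto_update_plugin and auto_update_theme filters and the WP_AUTO_UPDATE_CORE constant are real core APIs; the plugin and theme slugs on the allow-lists are hypothetical.

```php
<?php
/**
 * Added example (not from the article or WordPress core). Save as a must-use
 * plugin, e.g. wp-content/mu-plugins/auto-update-policy.php, on WordPress 5.4.
 * Filter names and the WP_AUTO_UPDATE_CORE constant are real core APIs; the
 * slugs on the allow-lists below are hypothetical.
 */

// Core: minor (security/maintenance) releases have been auto-applied since
// 3.7. 'minor' keeps that default explicit; true would also auto-apply major
// releases, false disables core auto-updates entirely. This constant is
// normally set in wp-config.php, which loads before mu-plugins, hence the guard.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', 'minor' );
}

// Plugins: auto-update only the slugs on the allow-list and leave every other
// plugin at WordPress's default for $update (false on a stock install).
// $item is the update object from the wordpress.org API; $item->slug is the
// directory slug and $item->plugin the main file path (e.g. akismet/akismet.php).
function nb_plugin_auto_update_policy( $update, $item ) {
    $allowed = array( 'popup-builder', 'akismet' ); // hypothetical allow-list

    if ( isset( $item->slug ) && in_array( $item->slug, $allowed, true ) ) {
        return true;
    }
    return $update;
}
add_filter( 'auto_update_plugin', 'nb_plugin_auto_update_policy', 10, 2 );

// Themes: the update item carries the theme's directory name in ->theme.
function nb_theme_auto_update_policy( $update, $item ) {
    $allowed = array( 'twentytwenty' ); // hypothetical allow-list

    if ( isset( $item->theme ) && in_array( $item->theme, $allowed, true ) ) {
        return true;
    }
    return $update;
}
add_filter( 'auto_update_theme', 'nb_theme_auto_update_policy', 10, 2 );
```

Updates are applied on the next WP-Cron run that finds a pending release, so a site whose cron is disabled or never triggered gets no benefit from this; check that the listed plugins actually moved to the expected version afterwards (with WP-CLI, `wp plugin list --fields=name,version,update`) before relying on it for a plugin like Popup Builder, where the fix matters.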
Fixes Available for Popup Builder WordPress Vulnerabilities
(March 13, 2020)
Two flaws in the Popup Builder WordPress plugin have been fixed. One of the vulnerabilities is rated high severity; it could be exploited to inject JavaScript into a popup. Users are advised to upgrade to Popup Builder version 3.64.1.
Read more in:
- https://threatpost.com/wordpress-plugin-bug-popup-builder/153715/
Slack Flaw Fixed
(March 13 & 16, 2020)
Slack has fixed a vulnerability in its messaging platform that could have been exploited to take control of accounts. Slack learned of the flaw in November 2019 through its bug bounty program. Slack fixed the issue within 24 hours of being notified; the report was disclosed to the public last week.
Editor's Note
[Neely]
This fix was a server-side fix. Even so, make sure that users with the desktop or mobile app have updated to the current versions - 4.3.2 Linux, 4.3.3 Mac, 4.3.4 Win, 20.03.20 iOS and Android.
Read more in:
- https://www.zdnet.com/article/slack-vulnerability-allowed-session-hijacking-account-takeovers/
- https://hackerone.com/reports/737140
Europol and European Law Enforcement Arrest Alleged SIM-Swappers
(March 13, 2020)
Europol, along with law enforcement authorities in Spain, Romania, and Austria, have arrested a total of 26 people in connection with two SIM-swapping operations. A SIM-swapping group in Spain stole more than €3 million ($3.35 million), and a group in Austria and Romania stole €500,000 ($559,000).
Editor's Note
[Murray]
All security measures have limitations. It is important to recognize those limitations and compensate accordingly. If a subscriber loses service on their mobile, they should contact their service provider immediately. While service providers are anxious to respond courteously and promptly to provisioning requests from subscribers, it is essential to do so securely. Provisioning requests should be authenticated in and out of band before acting on them. Out-of-band confirmation is one of our most efficient fraud resistance tools.
Read more in:
- https://www.zdnet.com/article/europol-tackles-massive-sim-swap-hacking-rings/
- https://www.cyberscoop.com/sim-swapping-spain-europol-austria/
ENTSO-E Breach: More Details
(January 23 & March 13, 2020)
More details are emerging about the data breach at the European Network of Transmission System Operators for Electricity (ENTSO-E). Hackers appear to have had access to ENTSO-E's IT network for several weeks. According to analysis from Recorded Future that was published in January, a remote access Trojan (RAT) "command and control (C2) server [was found to be] communicating with a mail server for a European energy sector organization from late November 2019 until at least January 5, 2020."
Read more in:
- https://www.cyberscoop.com/europe-grid-pupy-rat/
- https://www.recordedfuture.com/pupyrat-malware-analysis/
Crypto-Currency Scams
(March 9, 10, & 13, 2020)
Nigerians have reportedly lost hundreds of millions of Naira after being targeted in cryptocurrency Ponzi schemes by firms that claim to speculate on cryptocurrency price movements. The scammers are capitalizing on weak regulation of cryptocurrency as well as the fast-moving technology that drives it. The Better Business Bureau started tracking cryptocurrency scams in 2018 and now lists cryptocurrency as the second riskiest scam category. 14% of crypto scam victims are in Nigeria, 11% in Indonesia, 9% in the U.S., and 8% in Vietnam.
Editor's Note
[Neely]
Beware of scams that offer high return on investment, particularly cryptocurrency. Lack of regulation and oversight make cryptocurrency attractive for this purpose. The current economic turmoil increases users' likelihood of falling for these scams.
Read more in:
- https://guardian.ng/technology/authorities-helpless-as-crypto-currency-scams-rock-nigeria/
- https://www.cryptopolitan.com/riskiest-business-in-the-world-cryptocurrency-stand-2nd/
- https://decrypt.co/21763/cryptocurrency-is-deemed-the-second-riskiest-scam
****************************************************************************
Internet Storm Center Tech Corner
Phishing PDFs With Incremental Updates
https://isc.sans.edu/forums/diary/Phishing+PDF+With+Incremental+Updates/25904/
VPN Access and Active Monitoring
https://isc.sans.edu/forums/diary/VPN+Access+and+Activity+Monitoring/25906/
Capturing Invalid Ethernet Frames
Desktop.ini as a post-exploitation tool
https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
SANS Security Awareness Deployment Kit for Securing Your Workforce at Home
https://www.sans.org/webcasts/113875
Cookiethief Android Cookie Stealing Malware
https://securelist.com/cookiethief/96332/
VMware Workstation/Fusion Update
https://www.vmware.com/security/advisories/VMSA-2020-0004.html
Blackwater Malware Abuses Cloudflare Workers
tcpdump Heap Based Buffer Over-Read
https://nvd.nist.gov/vuln/detail/CVE-2018-19325
Slack Account Takeover Bug
https://hackerone.com/reports/737140
****************************************************************************
The Editorial Board of SANS NewsBites
Alan Paller: https://www.sans.org/newsletters/newsbites/editorial-board#alan-paller
Brian Honan: https://www.sans.org/newsletters/newsbites/editorial-board#brian-honan
David Hoelzer: https://www.sans.org/newsletters/newsbites/editorial-board#david=hoelzer
David Turley: https://www.sans.org/newsletters/newsbites/editorial-board#david-turley
Dr. Eric Cole: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cole
Ed Skoudis: https://www.sans.org/newsletters/newsbites/editorial-board#ed-skoudis
Eric Cornelius: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cornelius
Gal Shpantzer: https://www.sans.org/newsletters/newsbites/editorial-board#gal-shpantzer
Jake Williams: https://www.sans.org/newsletters/newsbites/editorial-board#jake-williams
Dr. Johannes Ullrich: https://www.sans.org/newsletters/newsbites/editorial-board#johannes-ullrich
John Pescatore: https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore
Lee Neely: https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely
Mark Weatherford: https://www.sans.org/newsletters/newsbites/editorial-board#mark-weatherford
Rob Lee: https://www.sans.org/newsletters/newsbites/editorial-board#rob-lee
Sean McBride: https://www.sans.org/newsletters/newsbites/editorial-board#sean-mcbride
Shawn Henry: https://www.sans.org/newsletters/newsbites/editorial-board#shawn-henry
Stephen Northcutt: https://www.sans.org/newsletters/newsbites/editorial-board#stephen-northcutt
Suzanne Vautrinot: https://www.sans.org/newsletters/newsbites/editorial-board#suzanne-vautrinot
Tom Liston: https://www.sans.org/newsletters/newsbites/editorial-board#tom-liston
William Hugh Murray: https://www.sans.org/newsletters/newsbites/editorial-board#william-hugh-murray
To create a SANS Portal Account visit: https://www.sans.org/account/create