SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #23

March 20, 2020

****************************************************************************

SANS NewsBites March 20, 2020 Vol. 22, Num. 023

****************************************************************************

Top of The News

- Hackers Use COVID-19 Tracking Map to Hide Spyware

- Food Delivery Service in Germany Targeted with DDoS Attack

- Mandiant Ransomware Research Shows Window of Opportunity For Defenders

The Rest of the Week's News

- Social Media Turning to AI for Moderators

- Four-Year Sentence for Role in Chinese Espionage Operation

- Adobe Patches 29 Critical Flaws

- Cisco Releases Fixes for SD-WAN Vulnerabilities

- Mozilla Eliminating Support for FTP in Firefox

- Chrome and Chrome OS Releases Paused

- Rogers Communications Notifies Customers of Data Breach

- Local Governments in France are Being Hit With Pysa Ransomware

- Information Sharing and Analysis Organization for Political Campaigns

Internet Storm Center Tech Corner

****************************************************************************

Cybersecurity Training Update

Community Note: SANS and GIAC have all hands on deck right now to create as many immediately useful online resources and challenges for you as possible, so that you can keep your cybersecurity skills sharp while working from home. Watch your email, sans.org, and of course your bi-weekly NewsBites for exciting announcements, like this one:

Cyber FastTrack is a free CTF you can play for fun, or to apply for a scholarship. The deadline to register for the March 26-27 Cyber FastTrack challenge (featuring a $22k scholarship prize for U.S. college students) is this Sunday, March 22. Learn more: https://cyber-fasttrack.org.

Cybersecurity Training Update

Keep your skills sharp, train online with SANS OnDemand:

. The world's top cybersecurity training

. Flexible self-paced format you can take anytime, anywhere

. A battle-tested training platform including 4 months of access

. Hands-on labs and GIAC-certified SME support

Start your OnDemand training now: 45 Courses | No travel required

https://www.sans.org/ondemand/

________________

-- SANS 2020 - CyberCast | April 3-10 | https://www.sans.org/event/sans-2020

-- SANSFIRE 2020 | Washington, DC | June 13-20 | https://www.sans.org/event/sansfire-2020

-- SANS Network Security 2020 | Las Vegas, NV | September 20-27 | https://www.sans.org/event/network-security-2020

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap

Any course you have or will purchase is protected by the SANS Training Guarantee. To learn more, visit www.sans.org/training-guarantee.

****************************************************************************

Free technical content sponsored by Fidelis Cybersecurity

Elevating Enterprise Security with Fidelis Cybersecurity: Endpoint Security Capabilities. SANS Matt Bromiley continues to examine Fidelis Cybersecurity Elevate platform in part two of this webcast series, focusing on features such as behavioral monitoring, built-in threat hunting capabilities, and threat intelligence and scanning designed to make analysts' lives easier.

https://www.sans.org/info/215875

****************************************************************************

Top of the News

Hackers Use COVID-19 Tracking Map to Hide Spyware

(March 18, 2020)

Hackers have weaponized a legitimate COVID-19 tracking map to deliver spyware. Known as SpyMax, the malware can exfiltrate logs for texts and phone calls, and allows the attackers to activate microphones and cameras. The malware appears to be being used to spy on people in Libya.

Editor's Note

[Neely]

With workers out of the office, the normal resources which protect them from malware are reduced or absent. Consider providing references to vetted sources of information, web sites or mobile apps, as part of your COVID-19 communication campaign.

- https://www.scmagazine.com/home/security-news/mobile-security/spyware-disguised-as-covid-19-tracker-app-actually-keeps-track-of-users/

Food Delivery Service in Germany Targeted with DDoS Attack

(March 19, 2020)

Hackers have launched a distributed denial-of-service (DDoS) attack against the website of a food delivery service in Germany. The hackers demanded a ransom of 2 bitcoins to stop the attack. Lieferando.de, the German branch of Takeaway.com, is back online; it is not clear if they paid the ransom.

Editor's Note

[Neely]

Ransomware still depends on social engineering, and the current situation is ripe for users making mistakes which could enable an attack. Encourage workers to focus on deliberate operations - taking an intentional, thoughtful and careful approach to ensure work is conducted safely and securely. A measured approach with regular management check-in, only performing tasks when sufficient staff are available to execute them securely and safely.

- https://www.tripwire.com/state-of-security/security-data-protection/food-delivery-website-in-germany-targeted-by-ddos-attackers/

- https://www.darkreading.com/attacks-breaches/ddos-attack-targets-german-food-delivery-service/d/d-id/1337359

Mandiant Ransomware Research Shows Window of Opportunity For Defenders

(March 16 & 18, 2020)

According to researchers from Mandiant, most ransomware does not deploy until at least three days after attackers have gained their initial foothold in a system. In some cases, the dwell time was much longer. Mandiant looked at "dozens of ransomware incident response investigations from 2017 to 2019." The researchers also found that most ransomware infections occur at night or on weekends. The blog post notes that "there is often a window of time between the first malicious action and ransomware deployment. If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection."

- https://www.bleepingcomputer.com/news/security/most-ransomware-gets-executed-three-days-after-initial-breach/

- https://www.zdnet.com/article/most-ransomware-attacks-take-place-during-the-night-or-the-weekend/

****************************************************************************

- https://www.scmagazine.com/home/security-news/bug-leads-facebook-to-mark-covid-19-posts-as-spam/

- https://www.zdnet.com/article/was-your-facebook-post-on-the-coronavirus-deleted-this-is-why/

Four-Year Sentence for Role in Chinese Espionage Operation

(March 17 & 19, 2020)

A US federal district judge in California has sentenced Xuehua Edward Peng to 48 months in prison for acting as an agent of the People's Republic of China (PRC). Peng, who is a US citizen, participated in several "dead-drops," a scheme to exchange money for information in which the two parties involved do not meet. Peng hid money in designated places and returned later to retrieve Secure Digital (SD) cards containing classified US information. Peng brought the SD cards to China, where he delivered them to a PRC official.

- https://www.theregister.co.uk/2020/03/19/sd_card_spy_china/

Adobe Patches 29 Critical Flaws

(March 18, 2020)

Adobe has issued fixes for more than 40 security issues in Acrobat, Reader, Photoshop, ColdFusion, Genuine Integrity Service, Experience Manager, and Bridge. Twenty-nine of the vulnerabilities are rated critical.

Editor's Note

[Neely]

In addition to pushing these updates to your traditional targets, verify that your systems that are now working remotely are both monitored and updated. In the past, it may have been an acceptable risk to wait for updates on remote systems until they reconnected to the corporate network. With the current crisis, that interval is undefined; you should look to patching them in place.

- https://www.scmagazine.com/home/security-news/vulnerabilities/adobe-patches-41-vulnerabilities-22-in-photoshop/

- https://www.zdnet.com/article/windows-10-or-mac-user-patch-adobe-reader-and-acrobat-now-to-fix-9-critical-security-flaws/

- https://threatpost.com/critical-adobe-photoshop-acrobat-reader-flaws/153902/

- https://helpx.adobe.com/security/products/acrobat/apsb20-13.html

- https://helpx.adobe.com/security/products/photoshop/apsb20-14.html

- https://helpx.adobe.com/security/products/integrity_service/apsb20-12.html

Cisco Releases Fixes for SD-WAN Vulnerabilities

(March 18 & 19, 2020)

Cisco has released updates to address three vulnerabilities in its software-defined networking for wide-area network (SD-WAN) Solutions software. All three flaws have been rated high severity. The issues affect a range of Cisco products that are running SD-WAN software that is older than the current version: Release 19.2.2.

- https://threatpost.com/cisco-warns-of-high-severity-sd-wan-flaws/153942/

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwclici-cvrQpH9v

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwanbo-QKcABnS2

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwpresc-ySJGvE9

Mozilla Eliminating Support for FTP in Firefox

(March 19, 2020)

Mozilla says that it plans to eliminate support for the FTP protocol in Firefox by the start of 2021. Support for FTP will initially be disabled in Firefox 77, which is scheduled for release in June 2020. Users who want to view and download files over FTP will be able to re-enable support through the Firefox about:config page. However, Mozilla plans to completely eliminate support for FTP by the start of 2021.

Editor's Note

[Neely]

While there are extensions to secure FTP, it is fundamentally an unsecure protocol. Delivery of files over HTTPS is a technically viable alternative. If you retain FTP capabilities, identify the specific use cases and regularly check for alternatives.

[Murray]

While low profile and often "legacy" or "orphan," FTP servers continue to be a source of leakage of data. Enterprises should replace FTP servers in favor of SFTP and HTML.

Chrome and Chrome OS Releases Paused

(March 18, 2020)

Google has paused the upcoming releases of its Chrome browser and Chrome OS. Google says that the reason for the delay is adjusted work schedules due to the Coronavirus. Chrome 81 was scheduled to be released on Tuesday March 17. In its blog statement, Google notes that it will "continue to prioritize any updates related to security, which will be included in Chrome 80."

- https://www.zdnet.com/article/google-pauses-chrome-and-chrome-os-releases-due-to-coronavirus-outbreak/

Rogers Communications Notifies Customers of Data Breach

(March 19, 2020)

Canadian telecomm company Rogers Communications has begun notifying customers that their personal information was compromised. In late February, Rogers learned that an external service provider had exposed a customer database to the Internet.

- https://www.rogers.com/support/10022020

Local Governments in France are Being Hit With Pysa Ransomware

(March 19, 2020)

France's Computer Emergency Response Team (CERT) has issued an alert about ransomware targeting networks of local governments. The attackers are using a new variant of the Mespinoza ransomware, which is also known as Pysa. The alert describes how the attacks operate and indicators of infection; it also provides recommendations to help organizations minimize the effect of the ransomware.

- https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/

Information Sharing and Analysis Organization for Political Campaigns

(March 19, 2020)

The US now has a Political Campaign Information Sharing and Analysis Organization (PC-ISAO). Established earlier this month by US CyberDome, PC-ISAO "facilitate[s] fully anonymous cyber threat information sharing, ...provide[s] technical information in formats that are easy to read, ... [and] also facilitate[s] connections amongst members on cybersecurity challenges."

- https://uscyberdome.com/isao/

****************************************************************************

Internet Storm Center Tech Corner

A Quick Summary of Current Reflective DNS DDoS Attacks

https://isc.sans.edu/forums/diary/A+Quick+Summary+of+Current+Reflective+DNS+DDoS+Attacks/25916/

Trickbot gtag red5 distributed as DLL File

https://isc.sans.edu/forums/diary/Trickbot+gtag+red5+distributed+as+a+DLL+file/25918/

COVID-19 Themed Multistage Malware

https://isc.sans.edu/forums/diary/COVID19+Themed+Multistage+Malware/25922/

Is Cryptojacking Dead after Coinhive Shutdown?

https://arxiv.org/pdf/2001.02975.pdf

Adobe Patches