SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #24
March 24, 2020
Surge In COVID-19 Related Malware; Windows 0-day is Being Actively Exploited
****************************************************************************
SANS NewsBites March 24, 2020 Vol. 22, Num. 024
****************************************************************************
TOP OF THE NEWS
COVID-19 Related Malware
Windows 0-day is Being Actively Exploited
REST OF THE WEEK'S NEWS
Hackers Steal Data from Clinical Medical Research Organization
South Carolina Fire Department Computers Infected with Ransomware
Finastra Systems Infected with Ransomware
Countries Are Using Geolocation and Facial Recognition to Track COVID-19
Google and Microsoft Pausing Major Version Updates for Chrome and Edge Browsers
Firefox Enables TLS 1.0 and 1.1 Again to Aid Access to COVID-19 Information
NIST Draft Document on Cybersecurity and Enterprise Risk Management
Medical Device Maker Discloses Phishing Attack
INTERNET STORM CENTER TECH CORNER
********************** Sponsored By Splunk *******************************
How to Uplevel Your Defenses With Security Analytics. If you don't have actionable insights to detect and respond to emerging and current threats, you're not reaping the rewards of modern security information event management (SIEM) technology. Download How to Uplevel Your Defenses With Security Analytics, and find out what you (and your SIEM) are missing and how to harden your defenses. http://www.sans.org/info/215895
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
Keep your skills sharp, train online with SANS OnDemand:
* The world's top cybersecurity training
* Flexible self-paced format you can take anytime, anywhere
* A battle-tested training platform including 4 months of access
* Hands-on labs and GIAC-certified SME support
Start your OnDemand training now: 45 Courses | No Travel Required
- https://www.sans.org/ondemand/
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee.
*****************************************************************************
TOP OF THE NEWS
--COVID-19 Related Malware
(March 20 & 23, 2020)
The FBI has issued a warning about an increase in COVID-19-related fraud schemes. The announcement urges people to be alert to phony messages claiming to come from the Centers for Disease Control (CDC), phishing emails, and offers of bogus COVID-19 treatments. There have been reports of phony email messages that pretend to be from the head of the World Health Organization and actually install a keystroke logger on the recipient's computer, and of a fake COVID-19 vaccine website that tries to steal payment card and other personal data.
[Editor Comments]
[Neely] Also warn users to be on the alert for phishing campaigns, particularly targeting the elderly, around the pending US financial relief package. These campaigns promise extra social security, investment schemes or COVID-19 relief payments in exchange for bank account information. Also beware of pay-in-advance offers to help victims with services.
Read more in:
IC3: FBI Sees Rise in Fraud Schemes Related to the Coronavirus (COVID-19) Pandemic
https://www.ic3.gov/media/2020/200320.aspx
ZDNet: WHO chief emails claiming to offer coronavirus drug advice plant keyloggers on your PC
Threatpost: Revamped HawkEye Keylogger Swoops in on Coronavirus Fears
https://threatpost.com/revamped-hawkeye-keylogger-coronavirus-fears/154013/
Threatpost: Fake Coronavirus 'Vaccine' Website Busted in DoJ Takedown
https://threatpost.com/fake-coronavirus-vaccine-website-busted-in-doj-takedown/154031/
GovInfosecurity: COVID-19 Phishing Schemes Escalate; FBI Issues Warning
https://www.govinfosecurity.com/covid-19-phishing-schemes-escalate-fbi-issues-warning-a-13998
SC Magazine: FBI warns of COVID-19 phishing scams promising stimulus checks, vaccines
Portswigger: Coronavirus fraud: DoJ takes action against website claiming to offer Covid-19 vaccine
ISC: More COVID-19 Themed Malware
https://isc.sans.edu/forums/diary/More+COVID19+Themed+Malware/25930/
ISC: COVID-19 Themed Multistage Malware
https://isc.sans.edu/forums/diary/COVID19+Themed+Multistage+Malware/25922/
GitHub: parthdmaniar / coronavirus-covid-19-SARS-CoV-2-IoCs
https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs
--Windows 0-day is Being Actively Exploited
(March 23, 2020)
Microsoft has warned of limited, targeted attacks that exploit two as-yet unpatched remote code execution vulnerabilities in the Adobe Type Manager Library, the component Windows uses to parse Adobe Type 1 PostScript fonts. An attacker can trigger the flaws by convincing a user to open a specially crafted document, or simply to view it in the Windows Explorer Preview pane. On supported versions of Windows 10, a successful attack yields code execution only inside an AppContainer sandbox with limited privileges and capabilities; on older Windows versions, where the font parser runs in kernel mode, the impact is greater. Microsoft has not yet released a patch and offers three workarounds: disabling the Preview and Details panes in Windows Explorer, disabling the WebClient service, and renaming ATMFD.DLL. Enhanced Security Configuration, which is on by default on Windows Server, does not mitigate the problem.
[Editor Comments]
[Neely] While the impact of attack is lowest on supported versions of Windows 10, there is a chance the attackers are also capable of executing a sandbox escape. Be sure to read the caveats with each of the fixes before rolling one out. The second workaround, disabling the WebClient service, will block the attacks that attackers are most likely to use, and impacts Web Distributed Authoring and Versioning as well as stopping, and blocking the starting of, any services based on WebClient.
[Ullrich] There is no public exploit right now, but targeted attacks are taking advantage of this vulnerability. Microsoft's initial advisory caused some confusion as the DLL mentioned is not present on newer versions of Windows 10, and Microsoft clarified this in the 1.1 version of the advisory released last night.
ISC: Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability
https://isc.sans.edu/forums/diary/Windows+Zeroday+Actively+Exploited+Type+1+Font+Parsing+Remote+Code+Execution+Vulnerability/25936/
Read more in:
MSRC: ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006#march-23-flaw
Threatpost: Microsoft Warns of Critical Windows Zero-Day Flaws
https://threatpost.com/microsoft-warns-of-critical-windows-zero-day-flaws/154040/
Duo: Unpatched Windows Flaws Under Active Attack
https://duo.com/decipher/unpatched-windows-flaws-under-active-attack
ZDNet: Microsoft warns of Windows zero-day exploited in the wild
https://www.zdnet.com/article/microsoft-warns-of-windows-zero-day-exploited-in-the-wild/
The Register: It's 2020 and hackers are still hijacking Windows PCs by exploiting font parser security holes. No patch, either
https://www.theregister.co.uk/2020/03/23/microsoft_issues_red_alert/
Ars Technica: Windows code-execution zeroday is under active exploit, Microsoft warns
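The following script is an added example, not part of the original NewsBites issue and not Microsoft's own tooling. It reports which of the ADV200006 workarounds apply to a given machine and, with -Apply, carries out the two that can be scripted (disabling WebClient and renaming atmfd.dll). It first checks whether atmfd.dll is present at all, which is the point Ullrich raises above: newer Windows 10 builds do not ship the kernel-mode DLL, so the rename step is a no-op there. The takeown/icacls/rename sequence is assumed to match the advisory's documented steps; confirm it against the current advisory text before running with -Apply, and plan for the reboot and the loss of WebDAV functionality noted in the editor comments.

```powershell
# Added example for the ADV200006 workarounds (not from SANS or Microsoft).
# Run from an elevated PowerShell prompt. Without -Apply it only reports.
# ASSUMPTION: the atmfd.dll steps mirror the advisory's takeown/icacls/rename
# sequence; verify against the advisory before applying.
param(
    [switch]$Apply   # report only unless this switch is given
)

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

if ($Apply -and -not (Test-Elevated)) {
    throw "Run from an elevated PowerShell prompt to apply workarounds."
}

# --- Workaround 2: disable the WebClient (WebDAV client) service ----------
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($svc) {
    Write-Host ("WebClient: status={0} startup={1}" -f $svc.Status, $svc.StartType)
    if ($Apply) {
        # Stops the WebDAV delivery path; mapped WebDAV shares and any
        # service that depends on WebClient stop working until re-enabled.
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service  -Name WebClient -StartupType Disabled
        Write-Host "WebClient: stopped and set to Disabled"
    }
} else {
    Write-Host "WebClient: service not present on this system"
}

# --- Workaround 3: rename atmfd.dll, only where the file exists -----------
$dlls = @("$env:windir\System32\atmfd.dll", "$env:windir\SysWOW64\atmfd.dll") |
        Where-Object { Test-Path $_ }
if (-not $dlls) {
    # Newer Windows 10 builds parse fonts in a user-mode AppContainer and do
    # not ship the kernel-mode DLL, so this workaround does not apply.
    Write-Host "atmfd.dll: not present; rename workaround not applicable"
}
foreach ($dll in $dlls) {
    Write-Host "atmfd.dll: present at $dll"
    if ($Apply) {
        # Take ownership, save the ACL so it can be restored later, grant
        # Administrators full control, then rename. Reboot afterwards.
        & takeown.exe /f $dll | Out-Null
        & icacls.exe $dll /save "$dll.acl" | Out-Null
        & icacls.exe $dll /grant 'Administrators:(F)' | Out-Null
        Rename-Item -Path $dll -NewName 'x-atmfd.dll'
        Write-Host "atmfd.dll: renamed to x-atmfd.dll (ACL saved to $dll.acl)"
    }
}

# --- Workaround 1: Explorer Preview/Details panes are per-user settings ---
# Applied through the Explorer UI for each profile; this script does not
# change them. Verify by opening Explorer and confirming both panes are off.
if ($Apply -and $dlls) { Write-Host "Reboot required to complete the atmfd.dll rename." }
```

Run it once without -Apply to see what the machine actually needs; a system that reports "atmfd.dll: not present" is one of the newer Windows 10 builds where only the WebClient and Explorer pane workarounds are relevant. To undo the rename after a patch ships, rename the file back and restore the saved ACL with icacls /restore.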
**************************** SPONSORED LINKS ******************************
1) Don't miss this upcoming webcast | Keeping Network Inspection Visibility in the Age of TLS 1.3: What To Do When The Network Goes Dark. http://www.sans.org/info/215900
2) Rocky Mountain Hackfest Summit & Training 2020 - SANS CyberCast | June 1-8. http://www.sans.org/info/215905
3) See how Infoblox BloxOne Threat Defense can help address the changing threat environment and optimize your security from the foundation up. http://www.sans.org/info/215910
*****************************************************************************
REST OF THE WEEK'S NEWS
--Hackers Steal Data from Clinical Medical Research Organization
(March 22 & 23, 2020)
Earlier this month, a UK clinical medical research company detected and stopped a ransomware attack launched against its systems. Hammersmith Medicines Research (HMR) has conducted trials of various vaccines and drugs, and is planning to begin trials for a potential COVID-19 vaccine. The attackers stole data from Hammersmith, including sensitive information about people who participated in other clinical trials. The data include medical questionnaires, and passport and driver's license numbers. The group responsible for the ransomware attack has begun posting the stolen information in an attempt to get Hammersmith to pay a ransom.
[Editor Comments]
[Murray] When one's networks, systems, applications, and data are compromised, there are many ways for the attackers to monetize the compromise.
Read more in:
SC Magazine: Maze ransomware attackers extort vaccine testing facility
Silicon Angle: Hackers leak data from medical company set to carry out COVID-19 vaccine trials
https://siliconangle.com/2020/03/22/data-leaked-medical-company-set-carry-covid-19-vaccine-trials/
Forbes: COVID-19 Vaccine Test Center Hit By Cyber Attack, Stolen Data Posted Online
--South Carolina Fire Department Computers Infected with Ransomware
(March 20, 2020)
Computers belonging to the Bluffton Township (South Carolina) Fire Department became infected with ransomware in mid-March. The attack did not affect the department's ability to respond to emergency calls.
[Editor Comments]
[Murray] By this time, most large enterprises should be both resistant to and resilient in the face of "ransomware" attacks. However, many of the measures that they have put in place may be beyond the capabilities of many small and medium size enterprises (SME). That may be why SMEs are being targeted and successfully attacked. They must look to their vendors and contractors.
Read more in:
GovTech: South Carolina Fire Department Servers Disabled by Hacker
https://www.govtech.com/security/South-Carolina-Fire-Department-Servers-Disabled-by-Hacker.html
--Finastra Systems Infected with Ransomware
(March 20 & 23, 2020)
UK financial technology company Finastra has disclosed that earlier this month, the company's "IT security and risk teams actively detected... that a bad-actor was attempting to introduce malware into [their] network in what appears to have been a common ransomware attack." Finastra took its servers offline in an effort to contain the infection.
Read more in:
Finastra: Statement from Tom Kilroy, Chief Operating Officer
https://www.finastra.com/statement-coo-finastra
KrebsOnSecurity: Security Breach Disrupts Fintech Firm Finastra
https://krebsonsecurity.com/2020/03/security-breach-disrupts-fintech-firm-finastra/
ZDNet: Fintech company Finastra hit by ransomware
https://www.zdnet.com/article/fintech-company-finastra-hit-by-ransomware/
Bleeping Computer: UK Fintech Firm Finastra Hit By Ransomware, Shuts Down Servers
--Countries Are Using Geolocation and Facial Recognition to Track COVID-19
(March 17, 19, 20, & 23, 2020)
Governments in several countries are using technologies like geolocation and facial recognition to track the spread of COVID-19. In the UK, health officials plan to test a new app that will let people know if they have been in contact with someone who has tested positive for COVID-19. In China, the government has created a system called Health Code, which assigns each individual a color to identify them as infected, quarantined, or healthy. In Hong Kong, people who have tested positive for COVID-19 or who have been quarantined are given an electronic bracelet, the latest version of which includes geofencing technology. South Korea has been using CCTV images, payment card records, and mobile phone data, which allows them to retrace the steps of people who test positive for the virus. Israel and the US are also considering surveillance methods. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Pescatore] There seems to be pretty clear agreement in the experienced medical community about the right steps to take, and investigating the contacts by newly discovered infections is pretty important. Doing that quickly and accurately, not just quickly, is key. Any untested technology use that generates high rates of false positives or false negatives will be counterproductive - just as we've seen in security.
Read more in:
qz: Hong Kong is using tracker wristbands to geofence people under coronavirus quarantine
https://qz.com/1822215/hong-kong-uses-tracking-wristbands-for-coronavirus-quarantine/
The Register: It's time to track people's smartphones to ensure they self-isolate during this global pandemic, says WHO boffin
https://www.theregister.co.uk/2020/03/23/track_phones_coronavirus_who/
ZDNet: US, Israel, South Korea, and China look at intrusive surveillance solutions for tracking COVID-19
NYT: Translating a Surveillance Tool into a Virus Tracker for Democracies
https://www.nytimes.com/2020/03/19/us/coronavirus-location-tracking.html
WSJ: To Track Virus, Governments Weigh Surveillance Tools That Push Privacy Limits (paywall)
--Google and Microsoft Pausing Major Version Updates for Chrome and Edge Browsers
(March 20, 21, 22, & 23, 2020)
Last week, Google announced that it was pausing major releases of its Chrome browser because of COVID-19-related adjusted work schedules. Google will release new versions of Chrome 80 (which is the current stable version) to address security issues. Microsoft has now announced that it, too, is pausing the release of major versions of its Edge browser, which is based on Chromium.
[Editor Comments]
[Ullrich] With most employees working from home, some companies have decided to delay patching to reduce the risks of home users getting "cut off". That may not be sensible because software makers will focus on patching security flaws and not on new features that may increase tech support traffic. Firefox also reverted a change that would have disabled TLS 1.0/1.1 to avoid problems with some government sites that still require these older TLS versions (see next story).
[Neely] We're all learning the impacts of increased telework coupled with reduced availability of those who are caring for people impacted by the illness, such as having children home from school or being a caretaker for one who is ill. With the uncertainty, it may still be too soon to re-baseline projects; instead, take a flexible approach and focus on prioritizing deliverables.
Read more in:
Windows: Update on Stable channel releases for Microsoft Edge
https://blogs.windows.com/msedgedev/2020/03/20/update-stable-channel-releases/
CNET: Google Chrome, Microsoft Edge 'pause' updates because of coronavirus
https://www.cnet.com/news/google-pauses-chrome-updates-because-of-coronavirus-disruptions/
ZDNet: Microsoft pauses Edge releases amid coronavirus outbreak
https://www.zdnet.com/article/microsoft-pauses-edge-releases-amid-coronavirus-outbreak/
Bleeping Computer: Microsoft Pauses New Edge Browser Versions Due to Coronavirus
Bleeping Computer: Google to Abandon Chrome 82 Development Due to Release Delays
--Firefox Enables TLS 1.0 and 1.1 Again to Aid Access to COVID-19 Information
(March 20, 2020)
Mozilla has reverted to allowing TLS 1.0 and 1.1 to enable users to access COVID-19 information on government websites that have not yet made the switch to TLS 1.2 or 1.3. Earlier this month, Mozilla announced it was ending support for TLS 1.0 and 1.1 with the release of Firefox 74 on March 10.
[Editor Comments]
[Neely] To make sure you have support for older TLS enabled, go to settings:config and check the value of security.tls.version.fallback-limit. 1 for TLS 1.0, 2 for TLS 1.1, 3 for TLS 1.2 and 4 for TLS 1.3. This setting applies to Firefox 74 and ESR 68.6.
Read more in:
Mozilla: 74.0: Changed
https://www.mozilla.org/en-US/firefox/74.0/releasenotes/
Bleeping Computer: Firefox Reenables Insecure TLS to Improve Access to COVID19 Info
--NIST Draft Document on Cybersecurity and Enterprise Risk Management
(March 20, 2020)
The US National Institute of Standards and Technology (NIST) is seeking public comment on a draft report, NIST-Interagency Report 8286 | Integrating Cybersecurity and Enterprise Risk Management. NIST will accept comments through April 20, 2020.
[Editor Comments]
[Neely] This document attempts to create a bridge between Enterprise Risk Management and Cybersecurity Risk Management. One of the challenges is a consistent message relating to cyber risks and how they translate into costs for the organization so that the resulting risk registers are appropriately factored into ERM.
Read more in:
NIST: Integrating Cybersecurity and Enterprise Risk Management (ERM) (PDF)
https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8286-draft.pdf
Fifth Domain: NIST asks for public comments on new cybersecurity risk management document
--Medical Device Maker Discloses Phishing Attack
(March 23, 2020)
Insulin pump manufacturer Tandem Diabetes has disclosed a phishing attack. On its website, Tandem noted that "a limited number of Tandem employee email accounts may have been accessed by an unauthorized user between January 17, 2020 and January 20, 2020." The affected accounts contained customer information, including names, contact information, clinical data related to diabetes therapy, and in some cases, Social Security numbers.
Read more in:
Tandem Diabetes: Notice of Email Security Incident
https://www.tandemdiabetes.com/support-update/substitute-notice
Portswigger: Healthcare data breach: Medical device manufacturer discloses phishing attack
******************************************************************************
INTERNET STORM CENTER TECH CORNER
More Covid19 Malware
https://isc.sans.edu/forums/diary/More+COVID19+Themed+Malware/25930/
Covid-19 Malware Summary
https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs
Windows Font Parsing 0-Day
Working Exploit for the Kr00k WiFi Vulnerability
https://hexway.io/research/r00kie-kr00kie/
ZDI Pwn2Own Results
Firefox Turns TLS 1.0/1.1 Back on
https://www.mozilla.org/en-US/firefox/74.0/releasenotes/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create