SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #26
March 31, 2020
Kwampirs Malware Targets Healthcare Sector; Beware of USBs in the Mail; Injunctions Against VoIP Carriers for Facilitating Fraudulent Robocalls
****************************************************************************
SANS NewsBites March 31, 2020 Vol. 22, Num. 026
****************************************************************************
TOP OF THE NEWS
Kwampirs Malware Targets Healthcare Sector
Snail Mail Malware Delivery
Court Orders Injunctions Against VoIP Carriers for Facilitating Fraudulent Robocalls
REST OF THE WEEK'S NEWS
Georgian Database Published Online
Apple VPN Bypass Flaw
Windows Font Parsing Bug
FTC Warns VoIP Companies Not to Facilitate Robocalls Preying on Coronavirus Concerns
US Federal Court: Terms of Service Violations Are Not CFAA Violations
Zeus Sphinx Trojan
Russian Man Arrested in Connection with Money Laundering Scheme
HackerOne Boots Voatz from Platform
INTERNET STORM CENTER TECH CORNER
********************* Sponsored By Netskope ******************************
Join Netskope's Cloud Security Workshop. Are you really ready to provide safe access to cloud services and keep pace with new threats? Register for Netskope's complimentary cloud security workshop! Take control over your web services. Get 5 CPE credits and hands-on experience with Next Gen Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) solutions built for the cloud. http://www.sans.org/info/215970
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
Keep your skills sharp, train online with SANS OnDemand:
* 45 of the world's top cybersecurity courses
* Flexible self-paced format you can take anytime, anywhere
* A battle-tested training platform including 4 months of access
* Hands-on labs and GIAC-certified SME support
Test drive and purchase SANS OnDemand courses.
- https://www.sans.org/ondemand/
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee
*****************************************************************************
TOP OF THE NEWS
--Kwampirs Malware Targets Healthcare Sector
(March 31, 2020)
The FBI has released a private industry notification for the Kwampirs malware. Kwampirs, also known as "Orangeworm," has been used to target different industries in the past, and according to this latest update, is now also being used to target the healthcare sector. Likely the work of nation-state-linked attackers, Kwampirs uses the software supply chain to spread, which makes it particularly difficult to defend against: it will likely enter your network as part of a software update from a trusted vendor.
[Editor Comments]
[Ullrich] In defending against threats like Kwampirs, do not focus too much on specific indicators of compromise. They will change quickly, and are only useful to detect past infections. Instead, verify how well you are able to detect the techniques the malware uses to spread. For example, Kwampirs, like other malware, seeks out administrative shares and installs as a new service. These are fairly generic techniques used by other malware as well. Implementing techniques to detect this type of behavior has the benefit that it will not just detect this particular malware, but more generically help identify malicious behavior.
Read more in:
HelpNet Security: Kwampirs threat actor continues to breach transnational healthcare orgs
https://www.helpnetsecurity.com/2020/03/31/kwampirs/
ISC: Kwampirs Targeted Attacks Involving Healthcare Sector
https://isc.sans.edu/forums/diary/Kwampirs+Targeted+Attacks+Involving+Healthcare+Sector/25968/
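The editor comment above recommends detecting the generic behaviour (a remote host touching administrative shares, then a new service appearing) rather than chasing per-sample indicators. The script below is an added example of that kind of behavioural correlation; it is not code from the FBI notification, the ISC diary or any vendor. It assumes Windows event logs have been exported as JSON lines with the field names shown (host, event_id, src_ip, share, service, image, user), and it uses the standard Windows event IDs 5140 (network share object accessed) and 7045 (new service installed). The log lines, host names, IPs and service names are constructed sample data.

```python
"""Correlate admin-share access with new-service installation on the same host.

Added example. Event IDs 5140 (share accessed) and 7045 (service installed)
are the standard Windows ones; the JSON field names are an assumed export
format, and every log line below is constructed sample data.
"""
import json
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}   # shares a remote admin tool (or lateral mover) touches
WINDOW = timedelta(minutes=10)            # share access -> service install correlation window

# Constructed sample events (JSON lines), not real telemetry.
SAMPLE_LOG = r"""
{"ts":"2020-03-31T10:00:05","host":"WS-12","event_id":5140,"src_ip":"10.0.0.7","share":"\\\\*\\ADMIN$","user":"CORP\\svc_deploy"}
{"ts":"2020-03-31T10:00:40","host":"WS-12","event_id":7045,"service":"RemoteHelperSvc","image":"C:\\Windows\\Temp\\rhsvc.exe","user":"CORP\\svc_deploy"}
{"ts":"2020-03-31T10:02:00","host":"WS-12","event_id":5140,"src_ip":"10.0.0.7","share":"\\\\*\\C$","user":"CORP\\svc_deploy"}
{"ts":"2020-03-31T11:15:00","host":"FS-01","event_id":5140,"src_ip":"10.0.0.50","share":"\\\\*\\Public","user":"CORP\\alice"}
{"ts":"2020-03-31T12:00:00","host":"WS-33","event_id":7045,"service":"Backup Agent","image":"C:\\Program Files\\Backup\\agent.exe","user":"SYSTEM"}
{"ts":"2020-03-31T13:00:00","host":"WS-40","event_id":5140,"src_ip":"10.0.0.9","share":"\\\\*\\IPC$","user":"CORP\\bob"}
{"ts":"2020-03-31T15:00:00","host":"WS-40","event_id":7045,"service":"Updater","image":"C:\\Temp\\upd.exe","user":"CORP\\bob"}
"""


def parse_events(text):
    """Parse a JSON-lines export into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def share_name(path):
    # \\*\ADMIN$ -> ADMIN$ : keep only the last path component, case-insensitively
    return path.rstrip("\\").rsplit("\\", 1)[-1].upper()


def admin_share_accesses(events):
    """5140 events whose share is one of the administrative shares."""
    return [e for e in events
            if e["event_id"] == 5140 and share_name(e["share"]) in ADMIN_SHARES]


def correlate(events, window=WINDOW):
    """For each new-service event, look back `window` for an admin-share access on that host.

    Only accesses that precede the service install count; a later access is a
    different (possibly benign) session and must not be attributed to it.
    """
    shares = admin_share_accesses(events)
    alerts = []
    for svc in (e for e in events if e["event_id"] == 7045):
        preceding = [s for s in shares
                     if s["host"] == svc["host"]
                     and timedelta(0) <= svc["ts"] - s["ts"] <= window]
        if not preceding:
            continue
        hit = max(preceding, key=lambda s: s["ts"])   # closest preceding share access
        alerts.append({
            "host": svc["host"],
            "src_ip": hit["src_ip"],
            "share": share_name(hit["share"]),
            "user": svc["user"],
            "service": svc["service"],
            "image": svc["image"],
            "seconds_between": int((svc["ts"] - hit["ts"]).total_seconds()),
        })
    return alerts


def detect(text):
    """Convenience wrapper: parse the export and return correlated alerts."""
    return correlate(parse_events(text))


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[ALERT] {a['host']}: {a['share']} accessed from {a['src_ip']} "
              f"then service '{a['service']}' ({a['image']}) installed "
              f"{a['seconds_between']}s later by {a['user']}")
```

On the sample data only WS-12 is flagged: the ADMIN$ access from 10.0.0.7 is followed 35 seconds later by a service install. WS-40 also shows both events, but two hours apart, so it falls outside the window; tune `WINDOW` and the share set to the noise level of your own environment, and treat a standalone admin-share access as a lower-severity signal worth keeping rather than an alert on its own.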
--Snail Mail Malware Delivery
(March 27, 2020)
The FIN7 hacking group is distributing malware through the U.S. Postal Service, sending users USB sticks in the mail. If users plug the stick in, it installs a backdoor on their computer. Some of the packages have included gift cards and teddy bears.
[Editor Comments]
[Pescatore] A good analogy for security awareness around this issue is to equate USB sticks that aren't from IT or a store to be like a piece of what kids used to call ABC gum: Already Been Chewed gum. Don't put ABC USB drives in your computer's mouth.
[Neely] It remains imperative to not insert unknown or untrusted media in systems. Right now many users are working from home outside many of the normal corporate security controls, so increased attention to work-from-home security measures is appropriate. Also, while enabling controls which limit the insertion of removable media to approved devices only will help raise the bar, the current environment makes it attractive for the user to insert these into their personal devices, so be sure to include that scenario in your awareness training.
Read more in:
Bleeping Computer: FBI: Hackers Sending Malicious USB Drives & Teddy Bears via USPS
Cyberscoop: Malware from notorious FIN7 group is being delivered by snail mail
https://www.cyberscoop.com/fin7-usps-fireeye-trustwave/
--Court Orders Injunctions Against VoIP Carriers for Facilitating Fraudulent Robocalls
(March 27 & 30, 2020)
A US district court in New York has issued injunctions against two companies for "facilitate[ing] the transmission of massive volumes of fraudulent robocalls to consumers in the United States." The calls purported to come from government agencies or legitimate businesses and were designed to trick people into giving up information and money. The calls targeted elderly and otherwise vulnerable people.
[Editor Comments]
[Pescatore] Carriers of all flavors have refused to filter malicious calls/data that are known to be from spoofed addresses. It is good to see courts and the FTC (noted in another item) start to put appropriate pressure on them. Imagine if the water company said "Well, we knew the dangerous chemicals were in the water, but we just pass the water from left to right; don't blame us. But, we will sell you a water cleaning service."
[Neely] The elderly are some of the hardest users to protect, as they have not "grown up" with these threats, and are not necessarily connected with, or may not understand security awareness campaigns. Taking the time to work with them one-on-one to understand call security and enabling appropriate controls is the best mitigation while technical and carrier level controls evolve.
Read more in:
Infosecurity Magazine: VoIP Carriers Investigated Over Fraudulent Robocalls
https://www.infosecurity-magazine.com/news/injunctions-fraudulent-robocalls/
Justice: District Court Orders Injunctions against Two Telecom Carriers Who Facilitated Hundreds of Millions of Fraudulent Robocalls to Consumers in the United States
**************************** SPONSORED LINKS ******************************
1) SANS Live Online | See a brief primer on the problem of software memory vulnerabilities and how to approach this. Register: http://www.sans.org/info/215975
2) Survey | Take the SANS SOC Skills Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/215980
3) April 7 at 12:30 PM ET | Learn 5 common SOAR uses cases that make the biggest improvements in your SOC. Register: http://www.sans.org/info/215985
*****************************************************************************
REST OF THE WEEK'S NEWS
--Georgian Database Published Online
(March 30, 2020)
A database containing personal information about every citizen in the Republic of Georgia has been posted to a hacker forum. The database includes information for more than 4.9 million people, some of whom are deceased. Georgian authorities are investigating.
Read more in:
ZDNet: Personal details for the entire country of Georgia published online
https://www.zdnet.com/article/personal-details-for-the-entire-country-of-georgia-published-online/
--Apple VPN Bypass Flaw
(March 25, 26, & 27, 2020)
An unpatched flaw in Apple's iOS could be exploited to expose some traffic data. The issue prevents virtual private network (VPN) applications from protecting some data being sent between the iOS device and the servers it is communicating with. The vulnerability exists in the most recent version of the mobile operating system, iOS 13.4.
[Editor Comments]
[Neely] While this bug remains in iOS 13.4, it also impacts iOS 13.3.1 and later. The problem is the VPN does not terminate all existing network connections when established. The primary risk is moderate, as this can be used to reveal metadata about the device's connections as most application connections are themselves encrypted and short lived. The risk can be partly mitigated by enabling auto-connect features in third-party VPNs or setting the always connected feature of managed devices accessing the corporate VPN.
Read more in:
Threatpost: Apple Unpatched VPN Bypass Bug Impacts iOS 13, Warn Researchers
https://threatpost.com/apple-unpatched-vpn-bypass-bug-impacts-ios-13-warn-researchers/154232/
Silicon Angle: Vulnerability in Apple's iOS exposes VPN user location data
https://siliconangle.com/2020/03/26/vulnerability-apples-ios-exposes-vpn-user-location-data/
Bleeping Computer: Unpatched iOS Bug Blocks VPNs From Encrypting All Traffic
ProtonVPN: VPN bypass vulnerability in Apple iOS
https://protonvpn.com/blog/apple-ios-vulnerability-disclosure/
--Windows Font Parsing Bug
(March 27, 2020)
Microsoft has suggested several workarounds to help users protect their computers from attacks exploiting two critical vulnerabilities. The flaws affect the Windows font parsing component, Adobe Type Manager Library. On systems older than Windows 10, these flaws can be exploited to allow remote code execution. Microsoft is aware that there are targeted attacks exploiting these flaws and is working on a fix.
Read more in:
Bleeping Computer: Actively Exploited Windows Font Parsing Bugs Get Temporary Fix
MSRC: ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006
--FTC Warns VoIP Companies Not to Facilitate Robocalls Preying on Coronavirus Concerns
(March 27, 2020)
The US Federal Trade Commission (FTC) has issued warnings to nine VoIP service providers to take steps to ensure that their services are not being used to make fraudulent robocalls that exploit the current COVID-19 pandemic. The nine companies were given until March 30 to respond to the FTC, "describing the specific actions [they] have taken to ensure [their] company's services are not being used in Coronavirus/COVID-19 robocall schemes."
[Editor Comments]
[Pescatore] The FTC was awarded a prestigious SANS Difference Maker's award a few years ago. It is good to see them continuing to make a difference.
[Neely] What is needed is the implementation of security solutions such as SHAKEN / STIR to raise the bar on VoIP call security. Take note of the FTC advice on robocalls, particularly COVID-19 related ones, at its core: hang up, don't press any buttons, better still don't answer unrecognized calls. Leverage options to block unwanted calls. Some services have free call blocking tools, iOS allows you to silently send unrecognized callers to voicemail and Android allows you to block anonymous callers.
Read more in:
Bleeping Computer: FTC Warns VoIP Providers to Stop Facilitating Coronavirus Scams
--US Federal Court: Terms of Service Violations Are Not CFAA Violations
(March 27 & 30, 2020)
A US federal court has ruled that violating a website's terms of service is not a violation of the Computer Fraud and Abuse Act (CFAA). The plaintiffs in the case wanted to investigate racism in online job markets by creating accounts for phony employers and job seekers. They were concerned that the activity might find them in violation of the CFAA, so they filed a pre-enforcement challenge alleging that the portion of the CFAA that says it is a crime to "access a computer without authorization or exceed authorized access" is a violation of First Amendment rights. The Court did not address the constitutional issue, instead writing "that the CFAA does not criminalize mere terms-of-service violations on consumer websites and, thus, that plaintiffs' proposed research plans are not criminal under the CFAA."
[Editor Comments]
[Murray] Creating fraudulent accounts may not be criminal but it is unethical and not something we want to encourage. In this case it contaminates the application and interferes with its objective.
Read more in:
Ars Technica: Court: Violating a site's terms of service isn't criminal hacking
FCW: Court: Algorithmic bias research doesn't count as hacking
https://fcw.com/articles/2020/03/30/algo-research-cfaa-ruling.aspx
ACLU: Civil Action No. 16-1368 (JDB) | MEMORANDUM OPINION (PDF)
https://www.aclu.org/sites/default/files/field_document/sandvig_opinion.pdf
--Zeus Sphinx Trojan
(March 30, 2020)
A banking Trojan has made a resurgence after three years of relative quiet. The Zeus Sphinx Trojan is being used to exploit the economic relief measures that governments are sending to citizens. The campaigns tell email recipients that they need to fill out forms to receive the payments; those forms capture bank account access credentials.
Read more in:
Threatpost: Zeus Sphinx Banking Trojan Arises Amid COVID-19
https://threatpost.com/zeus-sphinx-banking-trojan-covid-19/154274/
ZDNet: Zeus Sphinx malware resurrects to abuse COVID-19 fears
--Russian Man Arrested in Connection with Money Laundering Scheme
(March 30, 2020)
US federal law enforcement agents have arrested Maksim Boiko, a Russian citizen, for his alleged role in a money laundering scheme. Boiko is allegedly part of an organized crime group known as QQAAZZ, which converted stolen money into cryptocurrency to obscure its origins.
Read more in:
Cyberscoop: FBI accuses Russian man of laundering money for a transnational cybercrime network
https://www.cyberscoop.com/fbi-accuses-russian-money-laundering-qqaazz/
--HackerOne Boots Voatz from Platform
(March 30, 2020)
HackerOne has "terminate[d] the [Voatz] program on the HackerOne platform." HackerOne provides a number of security services, including facilitation of bug bounty programs. Last month Voatz updated its policy with regard to HackerOne, noting that it could not guarantee safe harbor for hackers who access its live election systems. That change, along with "hostile interactions with security researchers," contributed to HackerOne's decision.
[Editor Comments]
[Neely] There needs to be a balance between supporting research for bug identification and restricting activities which are out of scope of the bug bounty program. This typically requires an organization of some size and maturity to have the resources to manage this balance as well as verify and respond to issues discovered.
[Pescatore] Since Voatz has been discouraging bug bounty style assessment of the security of its product, and points to the Department of Homeland Security as evaluating the remote voting application, no elections should use the software until DHS completes an exhaustive evaluation, any and all issues noted are fixed, the DHS re-evaluates the app and publicly gives it a clean bill of health for state and local use.
[Murray] Said another way, Voatz has decided that inviting unknown "researchers" to attack its application is not a good idea.
Read more in:
Cyberscoop: HackerOne cuts ties with mobile voting firm Voatz after it clashed with researchers
https://www.cyberscoop.com/voatz-hackerone-bug-bounty-election-security/
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Covid19 Domain Classifier
https://isc.sans.edu/covidclassifier.html
https://www.youtube.com/watch?v=yNIlyJ3gI-4
Attackers Mail Malicious USB Drives and Teddy Bears
Hong Kong News Sites Used to Install Malware on iOS Devices
Crashing Windows Explorer Without a Click
https://isc.sans.edu/forums/diary/Crashing+explorerexe+without+a+click/25966/
Zoom Privacy Policy
https://blogs.harvard.edu/doc/2020/03/27/zoom/
Zoom Bombing
Zoom Related Domains Used for Phishing
https://blog.checkpoint.com/2020/03/30/covid-19-impact-cyber-criminals-target-zoom-domains/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create