SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #27
April 3, 2020
FBI Warning On Zoom Security Issues and More Zoom Info; Microsoft Warns Hospitals of Vulnerabilities in VPN and Gateway Appliances
****************************************************************************
SANS NewsBites April 3, 2020 Vol. 22, Num. 027
****************************************************************************
TOP OF THE NEWS
FBI Issues Warning About Zoom Security Issues
Zoom: Two Zero-days Patched; Credential Theft Flaw Not Yet Fixed; Password Problems
Zoom Founder Says Company Will Focus on Security and Privacy
Microsoft Warns Hospitals of Vulnerabilities in VPN and Gateway Appliances
REST OF THE WEEK'S NEWS
FCC Order Requires Carriers to Implement STIR/SHAKEN Protocol
Marriott Discloses Second Data Breach in 16 Months
Microsoft Will Postpone Disabling TLS 1.0 and 1.1 in Browsers
COVID-19 Malware Overwrites Master Boot Record
GoDaddy Phishing Attack
Update Addresses Two Vulnerabilities in WordPress Rank Math SEO Plugin
Biotech Company Doing COVID-19 Research Hit With Ransomware
NERC Releases Report on November 2019 Power Grid Security Exercise
Hackers with Alleged Iranian Ties Have Targeted WHO Staff eMail Accounts
INTERNET STORM CENTER TECH CORNER
********************* Sponsored By Netskope *******************************
Join Netskope's Cloud Security Workshop. Are you really ready to provide safe access to cloud services and keep pace with new threats? Register for Netskope's complimentary cloud security workshop! Take control over your web services. Get 5 CPE credits and hands-on experience with Next Gen Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) solutions built for the cloud. http://www.sans.org/info/216010
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
Keep your skills sharp, train online with SANS OnDemand:
* 45 of the world's top cybersecurity courses
* Flexible self-paced format you can take anytime, anywhere
* A battle-tested training platform including 4 months of access
* Hands-on labs and GIAC-certified SME support
Test drive and purchase SANS OnDemand courses.
- https://www.sans.org/ondemand/
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee
*****************************************************************************
TOP OF THE NEWS
--FBI Issues Warning About Zoom Security Issues
(March 30 & 31, 2020)
The FBI has issued a warning that Zoom and other teleconferencing apps may be vulnerable to hijacking. The FBI advises users not to make meetings or classrooms public, to restrict screen sharing capability, and to use meeting passwords. Zoom has a "waiting room" feature that allows the host to control who is admitted.
[Editor Comments]
[Honan] Today The Citizen Lab released the results of their examination of the security and privacy features in Zoom (https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/: Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings). Their findings back up the warnings from the FBI and raise several concerns over how encryption is enabled within the application. However, we need to remember that companies are using Zoom, and other conferencing platforms, to enable them to survive through the COVID19 pandemic, and companies need to do a risk assessment that suits them. For many companies the warnings from the FBI and The Citizen Lab will be an acceptable risk for them, while for others who may be discussing sensitive data it may not.
[Pescatore] The easy answer is there are more secure alternatives to Zoom and companies should be providing and recommending those. The real answer is that many employees working at home and their families will be using Zoom for the next few months. Security vendor Checkpoint recently put good safe use guidelines for using Zoom at (https://blog.checkpoint.com/2020/03/26/whos-zooming-who-guidelines-on-how-to-use-zoom-safely/: Who's Zooming Who? Guidelines on How to Use Zoom Safely), and SANS has released a secure work at home awareness kit at (https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit: SANS Security Awareness Work-from-Home Deployment Kit). Zoom (see item below) has also pledged to make security job one over the next few months - much needed.
Read more in:
Cyberscoop: FBI warns Zoom, teleconference meetings vulnerable to hijacking
https://www.cyberscoop.com/zoom-fbi-teleconference-hijacking/
FBI: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic
--Zoom: Two Zero-days Patched; Credential Theft Flaw Not Yet Fixed; Password Problems
(April 1 & 2, 2020)
Fixes are available for two zero-day vulnerabilities in Zoom for macOS; Zoom is working on a fix for a vulnerability that lets attackers steal Windows credentials; and an automated Zoom meeting discovery tool found that many meetings are not password protected.
[Editor Comments]
[Neely] Disclosing vulnerabilities should be done responsibly, and directly to the affected provider prior to a public blog posting to give them time to respond. Zoom has been working to accelerate addressing security issues discovered. Of late, the patches are released as quickly as 24 hours after issue discovery. These discovered issues have been resolved.
[Murray] For reasons of audience convenience, few Zoom meetings employ passwords. However, they are essential for many business applications. Be particularly careful about privileges granted to meeting participants.
Read more in:
Threatpost: Two Zoom Zero-Day Flaws Uncovered
https://threatpost.com/two-zoom-zero-day-flaws-uncovered/154337/
GovInfosecurity: Zoom Rushes Patches for Zero-Day Vulnerabilities
https://www.govinfosecurity.com/zoom-rushes-patches-for-zero-day-vulnerabilities-a-14049
Ars Technica: Attackers can use Zoom to steal users' Windows credentials with no warning
KrebsOnSecurity: 'War Dialing' Tool Exposes Zoom's Password Problems
https://krebsonsecurity.com/2020/04/war-dialing-tool-exposes-zooms-password-problems/
--Zoom Founder Says Company Will Focus on Security and Privacy
(April 1 & 2, 2020)
Due to the number of people currently working and learning from home, use of the Zoom videoconferencing app has risen sharply from 10 million users in December 2019 to more than 200 million in March 2020. The company has faced complaints about myriad security and privacy issues, including meetings disrupted by intruders, user data being shared with Facebook, and the fact that the app's end-to-end encryption feature does not actually function as end-to-end encryption. The company has taken steps to remedy some of the issues. Zoom's founder Eric Yuan says that the company will spend the next three months working on addressing security issues.
[Editor Comments]
[Pescatore] Zoom's founder came from Cisco where security is the top priority. He should have made security a top requirement from the start. I hope Zoom's Board of Directors is hearing the message - you can help by giving Zoom feedback about how important security is. Their feedback form is at https://zoom.us/feed
[Honan] Credit is due to Zoom for how quickly they responded to the issues raised and how openly they have communicated to their users. There are many lessons here for companies to learn on how they can improve their vulnerability management processes.
Read more in:
Zoom: A Message to Our Users
https://blog.zoom.us/wordpress/2020/04/01/a-message-to-our-users/
ZDNet: Zoom: We're freezing all new features to sort out security and privacy
https://www.zdnet.com/article/zoom-were-freezing-all-new-features-to-sort-out-security-and-privacy/
Cyberscoop: Zoom founder promises to remedy security, privacy concerns during a 'feature freeze'
https://www.cyberscoop.com/zoom-security-privacy-founder-eric-s-yuan-apology/
CNET: Zoom boss says it'll freeze feature updates to address security issues
https://www.cnet.com/news/zoom-boss-says-itll-freeze-feature-updates-to-address-security-issues/
Wired: The Zoom Privacy Backlash Is Only Getting Started
https://www.wired.com/story/zoom-backlash-zero-days/
The Register: Zoom's end-to-end encryption isn't actually end-to-end at all. Good thing the PM isn't using it for Cabinet calls. Oh, for f...
https://www.theregister.co.uk/2020/04/01/zoom_spotlight/
--Microsoft Warns Hospitals of Vulnerabilities in VPN and Gateway Appliances
(April 1 & 2, 2020)
Microsoft has directly warned hospitals that their virtual private network (VPN) and gateway appliances contain security flaws that are being exploited by attackers behind the REvil/Sodinokibi ransomware. In a blog post, the Microsoft Threat Protection Intelligence Team writes, "Through Microsoft's vast network of threat intelligence sources, we identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure."
[Editor Comments]
[Pescatore] Johannes Ullrich of SANS Internet Storm Center highlighted these vulnerabilities in his part of the SANS "Five Most Dangerous Attack Techniques and How to Prevent Them" keynote panel at the 2020 RSA Conference - you can see it at (https://www.sans.org/the-five-most-dangerous-new-attack-techniques: The Five Most Dangerous New Attack Techniques). SANS will present the 2020 Threat Trends report that includes those 5 areas and more, on an April 28th webinar - info at (https://www.sans.org/webcasts/top-attacks-threat-report-112665: SANS Top New Attacks and Threat Report).
[Murray] Terminate VPNs on the application, not the perimeter and not on an operating system. The additional design, setup, and administration will be more than offset by the reduction in risk.
Read more in:
ZDNet: Coronavirus: Microsoft directly warns hospitals, 'Fix your vulnerable VPN appliances'
Bleeping Computer: Microsoft is Alerting Hospitals Vulnerable to Ransomware Attacks
Infosecurity Magazine: Ransomware Attackers Exploit #COVID19 to Target Hospital VPNs
https://www.infosecurity-magazine.com/news/hospitals-vpns-ransomware-covid19/
Microsoft: Microsoft works with healthcare organizations to protect from popular ransomware during COVID-19 crisis: Here's what to do
******************************* SPONSORED LINKS ********************************
1) Webcast April 3rd at 1 PM ET: Shared Responsibility of Salesforce Security. View here: http://www.sans.org/info/216015
2) Did you miss this webcast? An Inside Look at Security and Compliance at a Hypergrowth Startup. View here: http://www.sans.org/info/216020
3) Learn where deception is at today and why it's having a major impact in the defensive fighting for companies. Register: http://www.sans.org/info/216025
**********************************************************************************
REST OF THE WEEK'S NEWS
--FCC Order Requires Carriers to Implement STIR/SHAKEN Protocol
(March 31 & April 1, 2020)
The US Federal Communications Commission (FCC) has unanimously approved an anti-robocall order, which "requires all originating and terminating voice service providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by June 30, 2021." This action from the FCC was required as a part of the TRACED Act, which passed Congress and became law in December 2019.
[Editor Comments]
[Neely] While some carriers, including AT&T, Verizon, Sprint and T-Mobile, have voluntarily implemented STIR/SHAKEN, sometimes a regulatory requirement is needed to get resources and commitment to implement security measures. Once implemented, carriers need to verify their solution works with other networks. The last step: users need devices which display the "Caller Verified" notification and have the notification enabled for their account.
[Pescatore] STIR/SHAKEN is the first critical step, providing call authentication - raising the bar against spoofing of the calling number. Congress finally acted on that, a good thing. The next step is another chance for the carriers to raise the bar through rapid voluntary action - the addition of better call analytics to detect malicious calls, even if they are coming from an authenticated calling number. Then apply those same major bar raisers to data traffic.
Read more in:
Ars Technica: FCC requires anti-robocall tech after "voluntary" plan didn't work out [Updated]
Engadget: FCC will require phone carriers to authenticate calls by June 2021
https://www.engadget.com/2020-03-31-fcc-stir-shaken-june-30-2021.html
TransNexus: STIR/SHAKEN overview
https://transnexus.com/whitepapers/stir-and-shaken-overview/
--Marriott Discloses Second Data Breach in 16 Months
(March 31, 2020)
Marriott International has disclosed a data breach that exposed information belonging to 5.2 million customers. The information was compromised through the use of access credentials belonging to "two employees at a franchise property." In November 2018, Marriott disclosed a breach of the Starwood hotel reservation database that affected nearly 400 million people. Both breaches illustrate the need for organizations to ensure the security not only of their own systems, but also of those of their partners.
[Editor Comments]
[Neely] Judicious use of multi-factor authentication reduces the value of captured credentials. Make sure that all entry points that accept those credentials have the same authentication requirements.
[Pescatore] The lodging industry is obviously hard hit by the travel restrictions to fight the pandemic. This would be a good time for lodging IT operations to upgrade the security of their IT systems, just as they will be upgrading sanitary protections at the facilities.
Read more in:
Marriott: Marriott International: Incident Notification
https://mysupport.marriott.com/
SC Magazine: New Marriott data breach impacts 5.2 million guests
Wired: Hack Brief: Marriott Got Hacked. Yes, Again
https://www.wired.com/story/marriott-hacked-yes-again-2020/
The Register: Marriott Hotels hacked AGAIN: Two compromised employee logins abused to siphon off 5.2m guests' personal info
https://www.theregister.co.uk/2020/03/31/marriott_hotels_hacked_5m_guests/
ZDNet: Marriott discloses new data breach impacting 5.2 million hotel guests
https://www.zdnet.com/article/marriott-discloses-new-data-breach-impacting-5-2-million-hotel-guests/
Bleeping Computer: Marriott Reports Data Breach Affecting Up to 5.2 Million Guests
--Microsoft Will Postpone Disabling TLS 1.0 and 1.1 in Browsers
(April 1, 2020)
Microsoft will delay disabling TLS 1.0 and 1.1 in its browsers. The change, originally scheduled for the first half of 2020, will be pushed back to the second half of the year. TLS 1.0 and 1.1 will now be disabled by default "no sooner than Microsoft Edge version 84," scheduled for release in July 2020. The protocols will be disabled by default in Internet Explorer 11 and Microsoft Edge Legacy as of September 8, 2020. Microsoft made the decision to postpone the changes "in light of current global circumstances."
[Editor Comments]
[Neely] Continue to queue up efforts to update services to support TLS 1.2 & 1.3 as, regardless of when the support is deprecated, the perception will be a problem with your service rather than their browser.
Read more in:
Windows: Plan for change: TLS 1.0 and TLS 1.1 soon to be disabled by default
https://blogs.windows.com/msedgedev/2020/03/31/tls-1-0-tls-1-1-schedule-update-edge-ie11/
The Register: Microsoft finds itself in odd position of sparing elderly, insecure protocols: Grants stay of execution to TLS 1.0, 1.1
https://www.theregister.co.uk/2020/04/01/microsoft_extends_tls_support/
--COVID-19 Malware Overwrites Master Boot Record
(April 1 & 2, 2020)
Researchers have identified several strains of coronavirus-themed malware that wipe files or overwrite master boot records on infected computers.
Read more in:
Threatpost: Wiper Malware Called "Coronavirus" Spreads Among Windows Victims
https://threatpost.com/wiper-malware-coronavirus-windows-victims/154368/
ZDNet: There's now COVID-19 malware that will wipe your PC and rewrite your MBR
--GoDaddy Phishing Attack
(March 31, 2020)
A spear phishing attack that targeted employees of domain name registrar GoDaddy managed to obtain access credentials that allowed the attacker to alter domain settings for at least six GoDaddy customers.
[Editor Comments]
[Neely] Dealing with entities that are trolling domain registries and sending users messages designed to modify their registration is common; attackers are trying to target less savvy associates for success. Additionally, make sure that your registrar accounts use two-factor authentication, your domains are locked, and DNSSEC is enabled. GoDaddy support will help you analyze any unexpected messages if you cannot verify they are genuine on your own.
Read more in:
KrebsOnSecurity: Phish of GoDaddy Employee Jeopardized Escrow.com, Among Others
https://krebsonsecurity.com/2020/03/phish-of-godaddy-employee-jeopardized-escrow-com-among-others/
--Update Addresses Two Vulnerabilities in WordPress Rank Math SEO Plugin
(March 31 & April 1, 2020)
A critical vulnerability in the WordPress Rank Math search engine optimization (SEO) plugin could be exploited to gain elevated privileges. A second, high-severity vulnerability in the same plugin could be exploited to install redirects on a vulnerable website. Users are urged to update to Rank Math version 1.0.41.1.
[Editor Comments]
[Murray] Plug-ins are a major source of vulnerability in WordPress use and come with few indicators of quality. They may even put other applications at risk. Minimize and maintain those that you use; consider focused penetration testing of them.
Read more in:
WordFence: Critical Vulnerabilities Affecting Over 200,000 Sites Patched in Rank Math SEO Plugin
Threatpost: Critical WordPress Plugin Bug Can Lock Admins Out of Websites
https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/
Bleeping Computer: Critical WordPress Plugin Bug Lets Hackers Turn Users Into Admins
--Biotech Company Doing COVID-19 Research Hit With Ransomware
(April 2, 2020)
According to information provided in a financial disclosure filing to the US Securities and Exchange Commission (SEC), biotech company 10x Genomics experienced a ransomware attack in March 2020 in which some company data were stolen. 10x Genomics writes that it has "isolated the source of the attack and restored normal operations with no material day-to-day impact to the Company or the Company's ability to access its data." 10x Genomics, along with other companies around the world, is sequencing cells from people who have recovered from COVID-19 to look for antibodies.
Read more in:
Cyberscoop: Ransomware strikes biotech firm researching possible COVID-19 treatments
https://www.cyberscoop.com/covid-19-ransomware-10x-genomics-data-breach/
Bloomberg: Hackers 'Without Conscience' Target Health-Care Providers
SEC: FORM 8-K | 10x Genomics, Inc.
https://www.sec.gov/Archives/edgar/data/1770787/000119312520094606/d913176d8k.htm
--NERC Releases Report on November 2019 Power Grid Security Exercise
(April 1, 2020)
The North American Electric Reliability Corporation (NERC) has released its report on the results of the November 2019 GridEx grid security and emergency response exercise. In all, over 7,000 people at more than 500 organizations participated in the exercise, which simulated a malware attack against utilities' industrial control systems. The report includes recommendations from NERC on how to improve grid resilience.
[Editor Comments]
[Murray] It should not come as too big a surprise that the conclusions and recommendations of the exercise report focus on communications among the organizations rather than on the security and resilience of those organizations.
Read more in:
Cyberscoop: North American utilities drill 'GridEx' brings record turnout -- except from supply chain vendors
https://www.cyberscoop.com/gridex-electric-sector-ukraine/
NERC: GridEx V Grid Security Exercise | Lessons Learned Report | March 2020 (PDF)
--Hackers with Alleged Iranian Ties Have Targeted WHO Staff eMail Accounts
(April 2, 2020)
Hackers with alleged ties to Iran's government have been trying to break into staff members' email accounts at the World Health Organization (WHO) since early March. It is not known if the phishing attacks succeeded.
Read more in:
Reuters: Exclusive: Hackers linked to Iran target WHO staff emails during coronavirus - sources
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Kwampirs Update
https://isc.sans.edu/forums/diary/Kwampirs+Targeted+Attacks+Involving+Healthcare+Sector/25968/
Qakbot Malspam Sent From an Infected Windows Host
https://isc.sans.edu/forums/diary/Qakbot+malspam+sent+from+an+infected+Windows+host/25972/
TPOT Cowrie to ISC Logs
https://isc.sans.edu/forums/diary/TPOTs+Cowrie+to+ISC+Logs/25976/
Exposed RDP
https://blog.shodan.io/trends-in-internet-exposure/
D-Link DSL-2640B Vulnerability
https://raelize.com/posts/d-link-dsl-2640b-security-advisories/
SMB 3.1.1 (CVE-2020-0796) Local Privilege Escalation Exploit
https://github.com/danigargu/CVE-2020-0796
SSH Issues After MacOS Update
https://feed.tyler.io/so-uh-i-think-catalina-10154-broke-ssh/
Cloudflare DNS For Families
https://blog.cloudflare.com/introducing-1-1-1-1-for-families/
Zoom Leaks Windows Password Hashes via UNC Links
https://twitter.com/hackerfantastic/status/1245133371262619654
More Zoom Vulnerabilities
https://objective-see.com/blog/blog_0x56.html
Twitter Cache Bug in Firefox
https://privacy.twitter.com/en/blog/2020/data-cache-firefox
MS-SQL Server Attack
https://www.guardicore.com/2020/04/vollgar-ms-sql-servers-under-attack/
Covid-19 Economic Impact Payments Scams
https://www.justice.gov/usao-edky/press-release/file/1265371/download
Safari Camera Access Bug
https://www.ryanpickren.com/webcam-hacking-overview
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create