SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #28
April 7, 2020Zoom Security Problems; Critical Unpatched Microsoft Exchange Servers; NASA's "Exponential" Increase in Malware Attacks as Employees Work from Home
FLASH: SANS Update on Zoom Conferencing
As we reported in NewsBites #27 last Friday, the Zoom teleconferencing system has been in the news both for its widespread use by home-bound workers and consumers, as well as for the FBI and others for warnings of incidents compromising Zoom sessions. SANS instructor Mick Douglas put together a measured and detailed analysis of the real-world risks of using Zoom, most of which can be minimized by using the configuration settings Douglas details. He also provides an overview of the steps Zoom is taking to increase security and where they will still need to make progress. You can watch the webinar at https://www.sans.org/webcasts/zomg-zoom-114670.
For more see top two stories below.
Also: SANS Security Awareness Work at Home Deployment toolkit is available for free at https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit
****************************************************************************
SANS NewsBites April 7, 2020 Vol. 22, Num. 028
****************************************************************************
TOP OF THE NEWS
Zoom Acknowledges Encryption Problems
Some US School Districts Will Stop Using Zoom
Critical Unpatched Microsoft Exchange Servers
NASA Experiencing "Exponential" Increase in Malware Attacks as Employees Work from Home
REST OF THE WEEK'S NEWS
FireEye Report on Zero-Day Exploits
Jupiter, Florida Recovering From Ransomware
DarkHotel APT Group Allegedly Targeting Chinese Government Agencies
Firefox Updates Fix Two Actively Exploited Flaws
Border Gateway Protocol Hijacking Sends Traffic Through Russian Telecom
Microsoft DART Case Report: Emotet Caused Full Operational Shutdown
INTERNET STORM CENTER TECH CORNER
************************* Sponsored By Splunk *****************************
The Present and Future of Security Operations. Organizations are realizing that in order to effectively mitigate risk, they need new strategies for detecting, triaging, investigating and responding to the growing volume of security alerts they receive. Download your copy of ESG's The Present and Future of Security Operations to learn best practices that proactive CISOs are using to modernize their cybersecurity defenses. http://www.sans.org/info/216030
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
Keep your skills sharp, train online with SANS OnDemand
- https://www.sans.org/ondemand/
45 of the world's top cybersecurity courses
Flexible self-paced format you can take anytime, anywhere
A battle-tested training platform including 4 months of access
Hands-on labs and GIAC-certified SME support
Test drive and purchase SANS OnDemand courses.
________________
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
View the full SANS course catalog and skills roadmap
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee. To learn more, visit www.sans.org/training-guarantee.
********************************************
TOP OF THE NEWS
--Zoom Acknowledges Encryption Problems
(April 1, 3, & 6, 2020)
The University of Toronto's Citizen Lab has examined Zoom's encryption and concluded that the teleconferencing app is "not suitable for secrets." Zoom initially claimed it offered "end-to-end encryption" for meetings, but last week published a blog saying that it "recognize[s] that there is a discrepancy between the commonly accepted definition of end-to-end encryption and how we were using it." Citizen Lab also found a security issue with Zoom's Waiting Room feature and recommends that Zoom meetings use passwords.
[Editor Comments]
[Pescatore] On 5 April, Zoom changed defaults to enable passwords and start with the waiting room feature. I'll pretty much repeat what I said last Friday in Newsbites: "The easy answer is there are more secure alternatives to Zoom and companies should be providing and recommending those. The real answer is that many employees working at home and their families will be using Zoom for the next few months." On the end-to-end crypto issue - a term that is thrown around a lot - many issues arise across many products. The bigger issue with Zoom has been user-stored sessions being easily findable and accessible on the Internet - another issue Zoom is working on. Great webcast on how to mitigate many Zoom issues by SANS instructor Mick Davis is available at https://www.sans.org/webcasts/zomg-zoom-114670: ZOMG it's ZOOM
[Ullrich] Great work by Citizen Lab analyzing the Zoom encryption issues. The part I find most concerning is the fact that simple statements, like the length of the key used, were obviously wrong in Zoom's description of the encryption protocol. This shows, yet again, a common tech startup problem: a leadership group that is over-confident in the capabilities of their product but has little connection to the reality of what their product is actually capable of doing. This is not uniquely a Zoom issue; it is pervasive among startups including security startups. Always double check the vendor's claims.
[Neely] It is important to understand the security of any video teleconferencing system used. The Zoom Blog below explains the encryption options for Zoom, including noting they have an option for customers to use their own key management systems. Understanding and accepting the risk of where the encryption keys are and how they are managed is important for any outsourced service. User guides need to be clear regarding the differences in security of room meeting systems, telephone and using the native meeting client. Irrespective of the software used, using the native client for all functions by all participants is the most secure option for meeting participation.
Read more in:
Citizen Lab: Move Fast and Roll Your Own Crypto | A Quick Look at the Confidentiality of Zoom Meetings
Zoom Blog: The Facts Around Zoom and Encryption for Meetings/Webinars
https://blog.zoom.us/wordpress/2020/04/01/facts-around-zoom-encryption-for-meetings-webinars/
ZDNet: Zoom concedes custom encryption is substandard as Citizen Lab pokes holes in it
Wired: So Wait, How Encrypted Are Zoom Meetings Really?
https://www.wired.com/story/zoom-security-encryption/
--Some US School Districts Will Stop Using Zoom
(April 4 & 6, 2020)
New York City public schools and other US school districts have said that security and privacy concerns about Zoom has prompted them to stop using the teleconferencing platform for distance learning. New York City Schools Chancellor Richard Carranza says they are aiming to "get more classrooms videoconferencing on a safe and secure platform." Other school distracts have decided to stop using Zoom or have mandated stricter security measures for its use.
[Editor Comments]
[Pescatore] See more detailed comments on the "Zoom Acknowledges Encryption Problems" item, but with some basic security hygiene instruction for users and admins Zoom can used safely for many purposes, like education. One reality: just as all businesses learned they needed emergency backup power and had to periodically test switchover in advance of need, the same will be true for remote work/remote education etc. Businesses, schools, government will need to turn these emergency remote measures into safer and management backup capabilities. Just like schools have fire drills, the future should have "remote education" drills.
[Ullrich] For schools, configuration issues that lead to issues like "Zoom Bombing" are a real problem. Other collaboration platforms may have similar problems, and these problems are fixable in Zoom (and Zoom has addressed them with better default configurations).
[Neely] Rather than a wholesale switch to another teleconferencing platform, look first at securing what you have. Simple changes may provide sufficient security without incurring the expense of replacement. Mick Douglas has an excellent analysis on Zoom security and associated risks. https://www.sans.org/webcasts/zomg-zoom-114670: ZOMG it's ZOOM
[Murray] Zoom is not the only video conferencing game in town. It has more mature, if more expensive, competitors. The decision not to use it should include the allocation of funds to pay for the more expensive options. If the schools pay as little attention to the secure use of the more mature systems as they have to that of Zoom, a simple change in platform will not help much. Properly configured and setup, Zoom remains a good choice for primary and secondary schools, if somewhat less so for college class sizes. (Simply by altering the default settings, Zoom has become more resistant to the more notorious abuses.)
Read more in:
Washington Post: School districts, including New York City's, start banning Zoom because of online security issues
SC Magazine: NYC schools step away as Zoom sets remediation plan
https://www.scmagazine.com/home/security-news/nyc-schools-ban-zoom-amid-privacy-concerns/
--Critical Unpatched Microsoft Exchange Servers
(April 6, 2020)
More than 350,000 Internet-facing Microsoft Exchange servers have still not been patched against a known vulnerability, according to data gathered by Rapid7. Microsoft released a fix for the remote code execution flaw in February.
[Editor Comments]
[Ullrich] This vulnerability has been overlooked by many organizations because it can be exploited without requiring user credentials. Any user will do. If you are concerned about users re-using credentials, or being subject to phishing, then you should be concerned about this vulnerability. Exploitation will lead to a full compromise of the exchange server.
Read more in:
Rapid7: Phishing for SYSTEM on Microsoft Exchange (CVE-2020-0688)
https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/
Duo: Too Many Exchange Servers Remain Unpatched
https://duo.com/decipher/too-many-exchange-servers-remain-unpatched
MSRC: CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
Microsoft: Description of the security update for Microsoft Exchange Server 2019 and 2016: February 11, 2020
https://support.microsoft.com/en-us/help/4536987/security-update-for-exchange-server-2019-and-2016
--NASA Experiencing "Exponential" Increase in Malware Attacks as Employees Work from Home
(April 6, 2020)
A memo from NASA's Chief Information Officer (CIO) says that the agency has experienced an "exponential increase in malware attacks on NASA systems" since employees started working from home due to the COVID-19 outbreak. NASA has also noted that the numbers of phishing attempts and of agency devices trying to access malicious websites are twice what they regularly are.
[Editor Comments]
[Neely] When working remotely, the user has an added responsibility as their system is not protected by the enterprise perimeter and network security systems. Consider leveraging information in the SANS Security Awareness Work at Home Deployment toolkit (https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit) to help users be secure and make good choices.
[Honan] Criminals will take advantage of any crisis and will target your company and employees. Revise your detection and response capabilities and processes to see how you can manage an incident when your response team is working from home.
[Murray] Note that the "increase in malware attacks" results in part from users visiting unsafe sites from home or from their own computers that they cannot or do not visit from work. Some will result from the use of home or family use computers that may already have been contaminated. Prefer enterprise owned and managed computers for all enterprise use without regard to the location where it is used. Recognize the need for user direction, compensating controls, or intentional risk acceptance.
Read more in:
Ars Technica: NASA sees an "exponential" jump in malware attacks as personnel work from home
******************************* SPONSORED LINKS ********************************
1) Did you miss this webcast? Strengthening and Optimizing Your Security Posture from the Foundation Up. http://www.sans.org/info/216035
2) New Survey | Take the SANS 2020 Security Metrics Survey and enter to win a $400 Amazon gift card. http://www.sans.org/info/216040
3) Webcast April 8th at 1PM ET: Detecting the Deceivers through Deception. http://www.sans.org/info/216045
**********************************************************************************
REST OF THE WEEK'S NEWS
--FireEye Report on Zero-Day Exploits
(April 6, 2020)
In a blog post published in Monday, April 6, FireEye observes that while exploiting zero-day vulnerabilities used to be a sign of a sophisticated malware actor, now it means that the attackers have the funds to purchase zero-day exploits from companies that sell offensive cyber tools. FireEye tracked exploited zero-day vulnerabilities in 2019; more zero-day vulnerabilities were exploited in 2019 than in any of the three previous years. FireEye also noted an increase in the use of zero-day exploits by governments and law enforcement agencies.
[Editor Comments]
Read more in:
FireEye: Zero-Day Exploitation Increasingly Demonstrates Access to Money, Rather than Skill -- Intelligence for Vulnerability Management, Part One
Wired: This Map Shows the Global Spread of Zero-Day Hacking Techniques
https://www.wired.com/story/zero-day-hacking-map-countries/
The Register: Roaring trade in zero-days means more vulns are falling into the hands of state spies, warn security researchers
https://www.theregister.co.uk/2020/04/06/zero_days_popular_state_hackers_fireeye/
Dark Reading: More Attackers Have Begun Using Zero-Day Exploits
Threatpost: A Brisk Private Trade in Zero-Days Widens Their Use
https://threatpost.com/brisk-private-trade-zero-days/154502/
--Jupiter, Florida Recovering From Ransomware
(April 3, 2020)
Computers belonging to the town of Jupiter, Florida, were hit with ransomware on March 23. Due to the attack, the town's email and utility payment systems were still not available, as was the system for submitting plans. Jupiter does not plan to pay the ransom demand.
[Editor Comments]
[Neely] Unlike the recovery for Lake City and Riviera Beach Florida last year, there are two new variables in this incident. First that REvil/Sodinokibi are now promising to publish exfiltrated data from victims and second that COVID-19 introduces health-saftey challenges to the tasks of recovery and response. I have not seen a COOP/DR plan that includes provisions for preventing of infection, and including best practices from this pandemic in them is prudent.
Read more in:
SC Magazine: Jupiter, Fla., fighting REvil/Sodinokibi ransomware and Coronavirus
--DarkHotel APT Group Allegedly Targeting Chinese Government Agencies
(April 6, 2020)
Hackers allegedly working on behalf of an unnamed government used an unpatched vulnerability in virtual private networks (VPNs) to launch cyberattacks against Chinese government agencies around the world. The perpetrators are believed to be the advanced persistent threat (APT) group known as DarkHotel.
Read more in:
ZDNet: DarkHotel hackers use VPN zero-day to breach Chinese government agencies
Threatpost: Government VPN Servers Targeted in Zero-Day Attack
https://threatpost.com/government-vpn-servers-zero-day-attack/154472/
--Firefox Updates Fix Two Actively Exploited Flaws
(April 3, 4, & 6, 2020)
Mozilla has released an update for Firefox that addresses two critical vulnerabilities that are being actively exploited. Both of the vulnerabilities, a use-after-free while running the nsDocShell destructor, and a use-after-free when handling a ReadableStream, can be exploited to execute arbitrary code or cause machines to crash. The most current versions of the browsers are Firefox 704.0.1 and Firefox ESR 68.6.1.
[Editor Comments]
[Neely] This provides an opportunity to verify your software update capability when the majority of the workforce is remote. Can your management systems provide updates when the VPN is disconnected? Consider communication to leave systems running or self-service update options. With the duration of current events unknown, waiting for systems to return for updates is unwise.
Read more in:
Mozilla: Mozilla Foundation Security Advisory 2020-11 | Security Vulnerabilities fixed in Firefox 74.0.1 and Firefox ESR 68.6.1
https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
US-CERT: Mozilla Patches Critical Vulnerabilities in Firefox, Firefox ESR
ZDNet: Firefox gets fixes for two zero-days exploited in the wild
https://www.zdnet.com/article/firefox-gets-fixes-for-two-zero-days-exploited-in-the-wild/
Threatpost: Firefox Zero-Day Flaws Exploited in the Wild Get Patched
https://threatpost.com/firefox-zero-day-flaws-exploited-in-the-wild-get-patched/154466/
Bleeping Computer: Mozilla Patches Two Actively Exploited Firefox Zero-Days
Duo: Mozilla Fixes Two Firefox Flaws Under Active Attack
https://duo.com/decipher/mozilla-fixes-two-firefox-flaws-under-active-attack
The Register: Mozilla plugs two Firefox browser holes exploited in the wild by hackers to hijack victims' computers
https://www.theregister.co.uk/2020/04/06/mozilla_firefox_security_patches/
--Border Gateway Protocol Hijacking Sends Traffic Through Russian Telecom
(April 5, 2020)
A border gateway protocol (BGP) hijacking incident caused traffic intended for more than 200 content delivery networks and cloud hosting providers to be rerouted through Russia's telecommunications provider, Rostelecom. The situation lasted for approximately one hour.
[Editor Comments]
[Honan and Murray]
It is incidents like this, and the ever increasing concerns raised over vulnerabilities in the networking and communications hardware we deploy on the Internet, that we should be using to highlight why strong encryption is so important to secure our data and inserting backdoors or golden keys only weakens that security.
Read more in:
ZDNet: Russian telco hijacks internet traffic for Google, AWS, Cloudflare, and others
--Microsoft DART Case Report: Emotet Caused Full Operational Shutdown
(April 2, 3, & 6, 2020)
Microsoft's Detection and Response Team (DART) has published a case report that describes an incident in which the Emotet malware shut down an entire operational network. The attack began with a malicious attachment to a phishing email. Once the attackers gained purchase within the system, they proceeded to spread Emotet throughout the system. Emotet updated with new definitions every few days, enabling it to evade detection by antivirus programs. The malware maxed out computers' CPUs and consumed the network's bandwidth, shutting down the company's core services.
[Editor Comments]
[Murray] "Phishing" and other attacks designed to dupe and exploit users will continue to be the Achilles heel of the enterprise unless and until we isolate e-mail and browsing from other enterprise applications.
Read more in:
Microsoft: Full Operational Shutdown (PDF)
Microsoft: Full Operational Shutdown--another cybercrime case from the Microsoft Detection and Response Team
Dark Reading: Microsoft: Emotet Attack Shut Down an Entire Business Network
Bleeping Computer: Microsoft: Emotet Took Down a Network by Overheating All Computers
INTERNET STORM CENTER TECH CORNER
New Bypass Technique or Corrupt Word Document
https://isc.sans.edu/forums/diary/New+Bypass+Technique+or+Corrupt+Word+Document/25984/
CitizenLab Analyzes Zoom Encryption
https://www.sans.org/webcasts/zomg-its-zoom-114670
Microsoft Exchange Server Vulnerability Still Not Patched
https://blog.rapid7.com/2020/04/06/phishing-for-system-on-microsoft-exchange-cve-2020-0688/
Mozilla Patches Critical Firefox Flaws
https://www.mozilla.org/en-US/security/advisories/mfsa2020-11/
Malicious JavaScript Injected Into Discord
Vuln Cost Security Scanner for VS Code
https://snyk.io/security-scanner-vuln-cost/
ROSTELECOM Reroutes Traffic for Multiple Cloud Providers
https://twitter.com/bgpmon/status/1246842916502302723
https://bgpstream.com/event/230837
Fake Zoom Installer
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create