SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #29
April 10, 2020US/UK Joint Advisory on COVID-19 Cyber Attacks; Interpol: Cyber Threat to Organizations Involved in COVID-19 Response; Working From Home Increases RDP Exposure
Look what SANS students are saying about SANS Live Online training:
"This is quickly becoming my preferred way to take a SANS course." -Dylan Hailey
"I'm really happy with the interaction with the other students. This is my first online/virtual course and I'm surprised at the proactive engagement of the students. I would have thought that you could only get that type of involvement from on-site/in-person course instruction." -Sean Ayers, UPS, MGT512
"I've loved all the SANS delivery platforms. Good quality, excellent tools so we have a lot of variety in learning activities." -Melissa Raney, RSA / Dell Technologies, MGT525
"This is a very smooth transition from in person to Live Online and I'm impressed." Ashlee Harper-Johnson Booze Allen Hamilton, MGT521
"Best platform I've experienced." -Jeremy Swanson, Mantech, FOR500
"Support staff are highly present and offer assistance as required." -Susan Crase, SEC301
"I'm amazed by how smooth everything is, and I honestly prefer this mode of teaching." -Dan Dwyer, SEC504
"Best experience I've had. Worked fantastically and was easy to use. Slack use was a winner. Allowed group to communicate together and do so without interrupting the presentations." -Jay Taala, ACSC.
****************************************************************************
SANS NewsBites April 10, 2020 Vol. 22, Num. 029
****************************************************************************
TOP OF THE NEWS
US and UK Issue Joint Advisory on COVID-19-Related Cyber Attacks
Interpol Warning of Malware Threat to Organizations Involved in COVID-19 Response
More People Working From Home Has Increased Remote Desktop Protocol Internet Exposure
REST OF THE WEEK'S NEWS
Suspected Malicious Domains Suspended
Travelex Paid Ransomware Demand in January 2020
Hammersmith Sending Breach Notifications in Wake of Ransomware Attack
Microsoft Buys Corp.com Domain
Visa: Upgrade Magento
Malicious Website Spoofs Malwarebytes, Spreads Malware
xHelper Android Trojan is Persistent
Firefox and Chrome Browser Updates
Bisq Cryptocurrency Exchange Temporarily Halts Trading After Theft
SEC Settles EDGAR Hack Complaint Against Two Traders
INTERNET STORM CENTER TECH CORNER
********************** Sponsored By SANS *********************************
Rocky Mountain Hackfest Summit & Training 2020 - SANS Live Online | June 1-8. Join us for the first-ever Rocky Mountains HackFest Summit (now a virtual event "SANS Live Online") for 2 days of multi-tracks including in-depth Summit talks, followed by world-class SANS courses taught by our top pen test instructors. http://www.sans.org/info/216070
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
Keep your skills sharp, train online with SANS OnDemand:
* 45 of the world's top cybersecurity courses
* Flexible self-paced format you can take anytime, anywhere
* A battle-tested training platform including 4 months of access
* Hands-on labs and GIAC-certified SME support
Test drive and purchase SANS OnDemand courses.
- https://www.sans.org/ondemand/
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee.
*****************************************************************************
TOP OF THE NEWS
--US and UK Issue Joint Advisory on COVID-19-Related Cyber Attacks
(April 8, 2020)
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) have issued a joint advisory warning of an increasing volume of cyberattacks exploiting the spread of COVID-19. Cybercriminals have been sending phishing emails that pretend to come from the World Health Organization, or claim to be offering medical equipment.
[Editor Comments]
[Pescatore] The joint advisory covers 4 vectors of observed attacks taking advantage of the current coronavirus situation: (1) Phishing; (2) Targeted Malware; (3) Registration of phony domain names; and (4) Attacks against VPNs, RDP and remote access in general. There are individual news items in this issue of Newsbites on each area with more detailed comments, but the overall theme should be: crank security up a notch - now is the time to risk more false positives until your organization's work and IT processes/temporary architectures have stabilized. SANS continues to add resources to the free Security Work-From-Home Awareness Deployment kit at https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit and there are daily webcasts on the topic at https://www.sans.org/webcasts/: Webcasts
[Neely] The CISA bulletin includes fairly comprehensive lists of attacks seen, IOCs, mitigations as well as resources to help mitigate the risks of COVID-19 related malfeasance.
Read more in:
Fifth Domain: DHS cybersecurity agency warns of coronavirus phishing attacks
Cyberscoop: U.S., U.K. authorities warn of state-linked and criminal hacking exploiting coronavirus pandemic
https://www.cyberscoop.com/coronavirus-hacking-dhs-ncsc/
ZDNet: Hackers are scanning for vulnerable VPNs in order to launch attacks against remote workers
US-CERT: COVID-19 Exploited by Malicious Cyber Actors
https://www.us-cert.gov/ncas/alerts/aa20-099a
--Interpol Warning of Malware Threat to Organizations Involved in COVID-19 Response
(April 4 & 8, 2020)
Interpol is warning organizations that are helping with the response to COVID-19 that they are being targeted by ransomware. Interpol has also issued a Purple Notice to inform police in its 194 member countries about the increased threat of ransomware against hospitals and other organizations.
[Editor Comments]
[Pescatore] Employees working at home are very unlikely to be rigorous about backing up any newly created information they might develop on their home PCs. Guidance on existing or temporary (such as using cloud storage capabilities of corporate Office365/Dropbox etc. services) should be pushed out.
Read more in:
SC Magazine: Interpol warns hospitals about COVID-19-based ransomware threat
Interpol: Cybercriminals targeting critical healthcare institutions with ransomware
--More People Working From Home Has Increased Remote Desktop Protocol Internet Exposure
(April 9, 2020)
Hackers are taking advantage of the increased exposure of the remote desktop protocol (RDP) due to people working from home. In late March, Shodan noted an increase in exposed RDP services. If RDP is going to be exposed to the Internet, it should be carefully configured.
[Editor Comments]
[Pescatore] Last year Johannes Ulrich and the SANS Internet Storm Center posted a good writeup about RDP security - it was focused on the Bluekeep vulnerability but has good general purpose advice for reducing the risk if you have to use RDP https://isc.sans.edu/forums/diary/An+Update+on+the+Microsoft+Windows+RDP+Bluekeep+Vulnerability+CVE20190708+now+with+pcaps/24960/: An Update on the Microsoft Windows RDP "Bluekeep" Vulnerability (CVE-2019-0708) [now with pcaps]
[Neely] Having users connect to a VPN or other security gateway first, which they then use to access a RDP session, protects the RDP server from direct attacks. Exposing port 3389 to the Internet creates a highly attractive target. Additionally ensure that strong (e.g. multi-factor) authentication is required before access is granted to prevent use of discovered credentials. Follow security best practice guides. Implement monitoring and alerting for awareness of unexpected activities. Whether or not you can change your implementation, verify that your security monitoring and controls implemented are working.
[Murray] Connect to applications, not "desktops." Prefer end-to-end application layer encryption. Prefer the production of work product on enterprise owned and managed systems; employee owned computers should be used only for the remote operation of enterprise applications.
Read more in:
ISC: Increase in RDP Scanning
https://isc.sans.edu/forums/diary/Increase+in+RDP+Scanning/25994/
Duo: RDP Drawing Unwanted Attention
https://duo.com/decipher/rdp-drawing-unwanted-attention
******************************* SPONSORED LINKS ********************************
1) Don't miss this upcoming webcast: Outside-In Scanning Is Not Cyber Risk Management. http://www.sans.org/info/216075
2) Survey | How does your organization define security metrics? Take the SANS 2020 Security Metrics Survey. http://www.sans.org/info/216080
3) Webcast April 14th at 10:30 AM ET: Pre-Runtime vs. Runtime Protection: What's Best for your IaaS Security? Register: http://www.sans.org/info/216085
**********************************************************************************
REST OF THE WEEK'S NEWS
--Suspected Malicious Domains Suspended
(April 7, 2020)
UK domain name registry Nominet has suspended the registration of about 600 websites due to concerns that they may be designed to spread COVID-19 misinformation or to sell phony products. Rather than waiting until a domain has been reported as malicious, Nominet is scrutinizing websites with names that contain COVID-19-related strings. Nominet does this with the help of its Domain Watch initiative, which uses both automated and manual checking for suspicious domains.
[Editor Comments]
[Ullrich] Help us at SANS Internet Storm Center find some of the scams and phishing sites trying to take advantage of COVID19. We improved our "domain classifier". It now includes screen shots of the sites so you don't have to visit them. To help, go to https://isc.sans.edu/covidclassifier.html. Several domains identified by volunteers have already been shut down.
[Pescatore] All the registries should be more aggressive and proactive now - kudos to Nominet. Settings in web security gateways should be moved up in aggressiveness and frequency of updates. The OpenDNS (now part of Cisco) Family Shield or Home DNS-based web blocking services are still free, as are similar home-based capabilities from CleanBrowsing.org, Cloudflare and many major security vendors.
[Neely] According to SpyCloud researchers, over 136,000 COVID-19 themed domains have popped up since December 2019. Many are merely placeholder domains for future uses. As few as 22% of these domains use HTTPS. https://spycloud.com/resource/covid19-domain-dataset/
Read more in:
ZDNet: Domain name registry suspends 600 suspicious coronavirus websites
https://www.zdnet.com/article/domain-name-registrar-suspends-600-suspicious-coronavirus-websites/
Nominet: Keeping a close watch on coronavirus domains
https://www.nominet.uk/keeping-a-close-watch-on-coronavirus-domains/
--Travelex Paid Ransomware Demand in January 2020
(April 9, 2020)
According to a report in the Wall Street Journal, London-based currency exchange Travelex paid a 285 bitcoin (the equivalent of $2.3 million at the time of the payment) ransom to regain access to its systems after a ransomware attack earlier this year. (Please note that the WSJ story is behind a paywall.)
Read more in:
Bleeping Computer: Travelex Reportedly Paid $2.3 Million Ransom to Restore Operations
WSJ: Travelex Paid Hackers Multimillion-Dollar Ransom Before Hitting New Obstacles (paywall)
--Hammersmith Sending Breach Notifications in Wake of Ransomware Attack
(April 7, 2020)
UK-based Hammersmith Medicines Research has begun notifying individuals that their personal information was stolen/compromised in a ransomware attack. The hackers published the stolen data on their website, which has since been taken down. Hammersmith is slated to test potential COVID-19 vaccines.
Read more in:
Bleeping Computer: Drug testing firm sends data breach alerts after ransomware attack
--Microsoft Buys Corp.com Domain
(April 7, 2020)
Microsoft has agreed to buy the Corp.com domain to keep it out of the hands of potential criminals. The issue is namespace collision, a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet."
Read more in:
KrebsOnSecurity: Microsoft Buys Corp.com So Bad Guys Can't
https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-guys-cant/
--Visa: Upgrade Magento
(April 9, 2020)
Visa is encouraging online retailers to migrate to the Magento 2.x ecommerce platform before Adobe ends support for Magento 1.x in June 2020. Visa warns that sites that have not migrated to Magento 2.x by the June cutoff date risk exposing payment card information to breaches and will no longer be PCI compliant.
[Editor Comments]
[Ullrich] Adobe's Magento has a history of multiple critical vulnerabilities that are exploited by attackers to steal credit card numbers. Magento 2 was released a few years ago, and support for Magento 1 will end in July. Adobe has given its Magento customers plenty of warning to switch over to Magento 2.
Read more in:
Bleeping Computer: Visa urges merchants to migrate e-commerce sites to Magento 2.x
--Malicious Website Spoofs Malwarebytes, Spreads Malware
(April 7 & 9, 2020)
Malicious actors set up a phony Malwarebytes website that attempts to infect visitors' computers with information stealing malware known as Raccoon. Malwarebytes's Threat Intelligence Team examined the phony site's source code, noting "that someone stole the content from our original site but added something extra."
Read more in:
Malwarebytes: Copycat criminals abuse Malwarebytes brand in malvertising campaign
Threatpost: Copycat Site Serves Up Raccoon Stealer
https://threatpost.com/malwarebytes-copycat-site-raccoon-stealer/154638/
SC Magazine: Malvertising campaign spoofs Malwarebytes website to deliver Raccoon info-stealer
--xHelper Android Trojan is Persistent
(April 7 & 8, 2020)
Android malware known as xHelper is proving difficult to get rid of. It spreads by posing as smartphone clean up and speed enhancing apps in unofficial apps stores, affecting Android 6 and 7 devices in Russia, Europe, and parts of Asia. xHelper stays on devices even after it has been deleted and the factory settings have been restored.
[Editor Comments]
[Neely] The best protection is to only install apps from the official App Store. Do not enable third party app stores or side-loading of applications. Keep device hardware and software updated to ensure current protections are in place on your device. You should be running Android 9 or higher. This application obtains root privileges and mounts the root file system read-write so it can be written to persistent storage outside the user area, thus surviving a device reset.
Read more in:
SecureList: Unkillable xHelper and a Trojan matryoshka
https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/
DarkReading: 'Unkillable' Android Malware App Continues to Infect Devices Worldwide
The Register: Please, just stop downloading apps from unofficial stores: Android users hit with 'unkillable malware'
https://www.theregister.co.uk/2020/04/08/xhelper_android_malware/
--Firefox and Chrome Browser Updates
(April 7, 8, & 9, 2020)
Mozilla and Google have released a second sent up updates for their Firefox and Chrome browsers. The Firefox updates include fixes for six security issues, three high risk and three moderate risk. Users are urged to update to Firefox 75 and Firefox ESR 68.7. Google's update for Chrome addresses 32 security issues. Chrome 81 was originally scheduled to be released on March 17, but was delayed until April 7.
[Editor Comments]
[Neely] The new ESR 68.7 introduces features to use the client certificate store on the Mac and exclude domains from the Trusted Recursive Resolver (TRR) using DNS over HTTPS. Using OS Certificate stores is a win over having to provision certificates to both the OS and the provisioned browser and avoids inconsistencies in trust.
Read more in:
SC Magazine: Mozilla and Google release second batch of patches in one week
ZDNet: Mozilla: Firefox 75 gets this new address bar, but we're pausing features over coronavirus
Bleeping Computer: Firefox 75 released with Windows 10 performance improvements
ZDNet: Chrome 81 released with initial support for the Web NFC standard
https://www.zdnet.com/article/chrome-81-released-with-initial-support-for-the-web-nfc-standard/
Bleeping Computer: Chrome 81 Released With 32 Security Fixes and Web NFC API
--Bisq Cryptocurrency Exchange Temporarily Halts Trading After Theft
(April 8 & 9, 2020)
The Bisq cryptocurrency exchange temporarily stopped trading after hackers exploited a critical vulnerability and stole $250,000 in Bitcoin and Monero from users. A network update had introduced a flaw that allowed the thieves to direct funds to wallets they controlled. The incident was detected the evening of Tuesday, April 7; trading resumed the following day.
Read more in:
ZDNet: Bisq Bitcoin exchange slams on the brakes after exploit of critical security flaw, crypto theft
Coindesk: Hacker Exploits Flaw in Decentralized Bitcoin Exchange Bisq to Steal $250K
https://www.coindesk.com/hacker-exploits-flaw-in-decentralized-exchange-bisq-to-steal-250k
--SEC Settles EDGAR Hack Complaint Against Two Traders
(April 9, 2020)
The US Securities and Exchange Commission has settled a complaint against two traders who accessed the SEC's EDGAR electronic filing system and viewed corporate earnings information before it became public. David Kwon and Igor Sabodakha used that information to make trades. Kwon and Sabodakha have agreed to repay their profits and pre-judgment interest from the illegal trades. Sabodakha has also agreed to pay a civil penalty. (Please note that the WSJ story is behind a paywall.)
Read more in:
Reuters: U.S. SEC settles with two traders over hack of its EDGAR filing system
WSJ: Traders Accused of Profiting From Hack Agree to Settle With SEC (paywall)
SEC: Foreign National and American Trader Settle Fraud Charges in EDGAR Hacking Case
https://www.sec.gov/news/press-release/2020-85
SEC: Complaint, filed January 15, 2019 (PDF)
https://www.sec.gov/litigation/complaints/2019/comp-pr2019-1.pdf
INTERNET STORM CENTER TECH CORNER
RDP Scanning Increase
https://isc.sans.edu/forums/diary/Increase+in+RDP+Scanning/25994/
Spoofing OS Fingerprints
https://isc.sans.edu/forums/diary/Performing+deception+to+OS+Fingerprint+Part+1+nmap/25960/
German Malspam Pushes ZLoader Malware; Decrypting HTTPs
https://isc.sans.edu/forums/diary/German+malspam+pushes+ZLoader+malware/25996/
Atlassian Advices Users To Secure Jira Service Desk
Android Updates
https://support.google.com/pixelphone/thread/38337876
Microsoft Purchases Corp.com
https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-guys-cant/
Microsoft Delaying Removal of Basic Authentication from Exchange Online
Dark Nexus Botnet
Dell iDRAC Patch
VISA Ends Magento 1 Support (PDF)
Slack WebRTC TURN Compromise
https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/
COVID 19 Domain Classifier
https://isc.sans.edu/covidclassifier.html
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
