SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #30
April 14, 2020
DHS Telework Security Guidance; Oracle Patches 405 Bugs
****************************************************************************
SANS NewsBites April 14, 2020 Vol. 22, Num. 030
****************************************************************************
TOP OF THE NEWS
CISA Releases Temporary Telework Security Guidance
Oracle's Quarterly Critical Patch Update - 405 Bugs
REST OF THE WEEK'S NEWS
Criminal Ransomware Group Publishes Data Stolen from Industrial Contractor
San Francisco Airport Website Compromised to Steal Device Credentials
Card Skimmers Target WooCommerce WordPress Plugin
Police in Netherlands Take Down DDoS-for-Hire Sites, Arrest Alleged Attacker
VMware Releases Fix for Critical Vulnerability in vCenter Server
Zoom to Allow Paying Users to Choose Meeting Traffic Routing
Dell Releases BIOS Attack Detector Tool
Google Temporarily Re-enabling FTP in Chrome
DESMI Acknowledges Cyber Attack
INTERNET STORM CENTER TECH CORNER
******************* Sponsored By AWS Marketplace **************************
Deploying Least Privilege and Micro-Segmentation in the AWS Cloud. Learn how to reduce risk and strengthen attack resistance by allowing only the minimum authority to perform tasks. Also learn how to use micro-segmentation to restrict east-west movement and more methods for architecting a granular security environment. Webcast Tuesday, April 14, 2 PM ET. http://www.sans.org/info/216090
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Test drive a course: https://www.sans.org/course-preview
______________________
Upcoming Live Online Events:
Pen Test Austin 2020 | April 27-May 2
- https://www.sans.org/event/pen-test-austin-2020
Security West 2020 | May 11-16
- https://www.sans.org/event/security-west-2020
SANSFIRE 2020 | June 13-20
- https://www.sans.org/event/sansfire-2020
2-Day Firehose Training | June 29-30
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
In Person Training:
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
______________________
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee.
*****************************************************************************
TOP OF THE NEWS
--CISA Releases Temporary Telework Security Guidance
(April 8 & 10, 2020)
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued temporary telework guidance "to help agencies leverage existing resources to secure their networks" as the number of federal employees working from home has increased. The Trusted Internet Connections 3.0 Interim Telework Guidance has five security objectives: manage traffic, protect traffic confidentiality, protect traffic integrity, ensure service resilience, and ensure effective response.
[Editor Comments]
[Neely] While this guidance is set to expire at the end of 2020, and is U.S. Government focused, it provides an approach to accessing cloud and on-premise services with sufficient visibility to ensure security and compliance requirements are met, irrespective of your industry or having a formal TIC.
[Pescatore] The Trusted Internet Connections 3.0 update is still in draft but added a lot of much-needed flexibility to make it clear how agencies can do remote user access and use cloud services and still stay secure and stay compliant. Between the Managed Trusted Internet Protocol Services (MTIPS) offered by TIC ISPs on the government EIS and other contracts, and the numerous FedRAMP certified cloud-based Security as a Service offerings, government agencies have both guidance and options to make long-lasting improvements in both security and productivity for remote work forces.
Read more in:
CISA: TRUSTED INTERNET CONNECTIONS 3.0 INTERIM TELEWORK GUIDANCE (PDF)
Fifth Domain: DHS releases new network security guidance for telework
FCW: CISA looks to help secure federal telework
https://fcw.com/articles/2020/04/08/tic-telework-guide-johnson.aspx
FNN: Path for agencies to more easily use cloud services paved by TIC pilots
Nextgov: CISA Offers Ways to Lessen Lag for Teleworkers Without Sacrificing Security
--Oracle's Quarterly Critical Patch Update - 405 Bugs
(April 13, 2020)
Oracle will release its quarterly Critical Patch Update on Tuesday, April 14. It addresses more than 400 vulnerabilities in a range of products. Of those, 286 are remotely exploitable.
[Editor Comments]
[Neely] This update offers another chance to validate your ability to regression test and patch remotely, including teleworker systems. With the current enhanced remote-work state, regression testing is emphasized as in-person assistance for remediation is more complicated, if not impossible. Postponing updates is sub-optimal as we are seeing increases in malfeasance by those taking advantage of the current situation.
Read more in:
Threatpost: Oracle Tackles a Massive 405 Bugs for Its April Quarterly Patch Update
https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/
Oracle: Oracle Critical Patch Update Pre-Release Announcement - April 2020
https://www.oracle.com/security-alerts/cpuapr2020.html
**************************** SPONSORED LINKS ******************************
1) Download Splunk's IT Security Predictions 2020 to learn how to best protect your organization, and your data, against a fast-approaching future. http://www.sans.org/info/216095
2) Rocky Mountain Hackfest Summit & Training 2020 - SANS Live Online | June 1-8. http://www.sans.org/info/216100
3) Webcast April 22nd at 10:30AM ET: Securing the Shift to Cloud-based Business Operations. Register: http://www.sans.org/info/216105
*****************************************************************************
REST OF THE WEEK'S NEWS
--Criminal Ransomware Group Publishes Data Stolen from Industrial Contractor
(April 10, 2020)
Cybercriminals have posted data stolen from Visser Precision, a company that manufactures parts for the aerospace, automotive, industrial, and manufacturing industries. Visser's systems were infected with ransomware earlier this year, but the company did not pay the ransom. The leaked data belong to a number of companies, including Tesla, Boeing, Lockheed Martin, and SpaceX.
Read more in:
The Register: Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay
https://www.theregister.co.uk/2020/04/10/lockheed_martin_spacex_ransomware_leak/
--San Francisco Airport Website Compromised to Steal Device Credentials
(April 10, 2020)
Two San Francisco International Airport websites were infected with data-stealing malware last month. The hackers may have obtained the login credentials for devices belonging to some people who used the sites while they were infected. Users potentially affected by the malware are those who accessed the sites from outside the airport network using Internet Explorer on a Windows device or on a device not maintained by the airport. The malicious code has been removed from the sites, and the airport forced a reset for email and network passwords on March 23.
[Editor Comments]
[Murray] Travelers should be aware that airports are targets of miscreants and vulnerabilities for the traveler. Airport (WiFi) networks, websites, and (USB 5v) power should be used with caution. Prefer cellular broadband and battery power.
Read more in:
Document Cloud: Notice of Data Breach
https://www.documentcloud.org/documents/6834642-SFO-Notice-of-Data-Breach.html
SC Magazine: San Francisco airport websites hacked to swipe personal device credentials
Threatpost: SFO Websites Hacked: Airport Discloses Data Breach
https://threatpost.com/sfo-websites-hacked-airport-discloses-data-breach/154709/
Bleeping Computer: San Francisco Intl Airport discloses data breach after hack
--Card Skimmers Target WooCommerce WordPress Plugin
(April 8 & 10, 2020)
Cybercriminals have been using JavaScript malware to skim payment card details from websites running a WordPress plugin called WooCommerce. In a separate story, the prevalence of online card skimming is rising, likely due to the increase in online shopping related to COVID-19. Data collected by Malwarebytes shows a 26 percent increase in online card skimming between February and March of this year.
[Editor Comments]
[Neely] Judicious review of third-party applications, including plugins for your content management site, is prudent. Payment card processing plugins remain a popular target, particularly with the current world crisis. Beyond keeping plugins updated, make sure that your site and servers are also secured to prevent alternate avenues of attack. Remove unused administrative accounts, ensure strong authentication is used on active accounts, and uninstall unused plugins.
[Murray] This is only one more of many vulnerabilities in WordPress plugins. Most WordPress plugins come without any measure or warranty of quality and should be used only with risk assessment, scrutiny, and maintenance.
[Paller] Because of the problems Murray and Neely point out, along with the fact that most WordPress users have no IT or cybersecurity expertise, WordPress and its content management system competitors have been the primary vector by which important organizations (including large numbers of city and state agencies and major non-profits) have been compromised.
Read more in:
Threatpost: WooCommerce Falls to Fresh Card-Skimmer Malware
https://threatpost.com/woocommerce-card-skimmer-malware/154699/
SC Magazine: WordPress WooCommerce sites targeted by credit card skimmers
SC Magazine: Coronavirus-driven online shopping driving more payment card skimming
Malwarebytes: Online credit card skimming increased by 26 percent in March
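Skimmers of the kind described above work by getting an extra script into the checkout page, so one practical detection control is to keep a baseline of the scripts a page legitimately serves and alert on anything new. The following is an added illustration written for this issue, not code from SANS, Malwarebytes or the WooCommerce project. It parses a page with the Python standard library, records every external script host and the SHA-256 of every inline script, and reports anything absent from the baseline. The HTML, the shop host names and the "unexpected" script are all constructed placeholders; the rogue inline script is a harmless stub that merely stands in for a script the baseline does not know.

```python
"""Baseline check for the JavaScript a checkout page serves.

Added illustrative example (not code from the page or the projects it names).
A defender runs this against the HTML of a payment page fetched on a schedule
and compares the result to a known-good baseline captured after a review.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []       # src attribute values
        self.inline = []         # inline script bodies
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def find_unexpected_scripts(html, allowed_hosts, allowed_inline_hashes, page_host):
    """Return (unknown external srcs, unknown inline script hashes).

    allowed_hosts: hosts from which scripts are expected (the shop itself and
    vetted third parties). allowed_inline_hashes: SHA-256 of every inline
    script the page legitimately serves. A relative src counts as page_host.
    """
    collector = ScriptCollector()
    collector.feed(html)

    unknown_external = []
    for src in collector.external:
        host = urlsplit(src).netloc or page_host
        if host not in allowed_hosts:
            unknown_external.append(src)

    unknown_inline = []
    for body in collector.inline:
        digest = sha256_hex(body)
        if digest not in allowed_inline_hashes:
            unknown_inline.append(digest)
    return unknown_external, unknown_inline


# Constructed sample: hypothetical shop host, one vetted CDN, one legitimate
# inline settings script, plus a script from an unknown host and an unknown
# inline stub standing in for an injected script.
LEGIT_INLINE = 'window.wcSettings = {"currency":"USD"};'
SAMPLE_HTML = (
    "<html><head>"
    '<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>'
    '<script src="https://cdn.shop.example/theme.js"></script>'
    "<script>" + LEGIT_INLINE + "</script>"
    '<script src="https://static.not-our-cdn.example/jquery-lite.js"></script>'
    '<script>console.log("placeholder for an unexpected inline script");</script>'
    "</head><body></body></html>"
)
BASELINE_HOSTS = {"shop.example", "cdn.shop.example"}
BASELINE_INLINE = {sha256_hex(LEGIT_INLINE)}


def audit_sample():
    """Run the check over the constructed page; used by the demo below."""
    return find_unexpected_scripts(SAMPLE_HTML, BASELINE_HOSTS,
                                   BASELINE_INLINE, "shop.example")


if __name__ == "__main__":
    ext, inl = audit_sample()
    for src in ext:
        print("unexpected external script:", src)
    for digest in inl:
        print("unexpected inline script sha256:", digest)
```

Hashing inline scripts rather than matching their text makes the baseline small and also lines up with a Content-Security-Policy that allows inline scripts only by hash; a new hash in the report is exactly the event worth paging on.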
--Police in Netherlands Take Down DDoS-for-Hire Sites, Arrest Alleged Attacker
(April 10, 2020)
Police in the Netherlands have arrested a man in connection with distributed denial-of-service (DDoS) attacks against government websites there last month. Police also took down 15 DDoS-for-hire (also known as stresser or booter) websites over the course of one week.
[Editor Comments]
[Pescatore] Good to see take-downs of malicious web sites and "attacks as a service" sites now, when everyone is much more dependent on online services. Even better to see ISPs turn on "cleaner pipe" services for free during these times.
Read more in:
ZDNet: Dutch police take down 15 DDoS services in a week
https://www.zdnet.com/article/dutch-police-take-down-15-ddos-services-in-a-week/
Bleeping Computer: Dutch police arrests suspect behind DDoS attacks on government sites
Politie: Police arrests suspect for DDoS attack on Dutch government website
--VMware Releases Fix for Critical Vulnerability in vCenter Server
(April 10 & 13, 2020)
VMware has released a fix for a critical vulnerability in its VMware vCenter Server. The flaw has been given a CVSS rating of 10.0. The flaw, which lies in VMware's Directory Service (vmdir), could be exploited to bypass authentication measures and gain access to sensitive information.
[Editor Comments]
[Neely] Read the VMware security advisory for specifics on applicability of the vulnerability. The fix is to update affected 6.7 installations to 6.7u3f.
Read more in:
SC Magazine: VMware issues 10.0 CVSS rating on vCenter Server vulnerability
Threatpost: Critical VMware Bug Opens Up Corporate Treasure to Hackers
https://threatpost.com/critical-vmware-bug-corporate-treasure-hackers/154682/
Bleeping Computer: VMWare releases fix for critical vCenter Server vulnerability
VMware: VMware Security Advisories | VMSA-2020-0006
https://www.vmware.com/security/advisories/VMSA-2020-0006.html
US-CERT: VMware Releases Security Updates for VMware Directory Service
--Zoom to Allow Paying Users to Choose Meeting Traffic Routing
(April 14, 2020)
Starting Saturday, April 18, users who pay for the Zoom videoconferencing platform will be able to choose which data center regions their meeting traffic travels through. Users will not be able to opt out of their default data center region, which is where their account is provisioned. Zoom's current data center regions are the United States, Canada, Europe, India, Australia, China, Latin America, and Japan/Hong Kong.
[Editor Comments]
[Pescatore] There was once a myth that "cloud makes location obsolete." It has never been true. For many reasons, location of data centers still matters. All the major enterprise-class Software as a Service and Infrastructure as a Service providers have offered data center location selection (not always for free). It is good to see Zoom listening to enterprise needs and following suit. Zoom also continues to release security improvements - important to keep up with them and ratchet up the safety of your use of Zoom.
[Neely] Zoom is not the only video teleconference (VTC) service which routes through distributed data centers. While the primary focus for VTCs should be secure meeting configuration, if you are covering information with location or export controls, the region needs to be appropriate to avoid penalties.
[Murray] The leakage of video conferencing traffic in the network is a potential risk, but for most applications and environments, this risk does not compare to the risk of improper settings and misuse.
Read more in:
Zoom: Coming April 18: Control Your Zoom Data Routing
https://blog.zoom.us/wordpress/2020/04/13/coming-april-18-control-your-zoom-data-routing/
ZDNet: Paying Zoom customers to choose which data centre regions route their traffic
--Dell Releases BIOS Attack Detector Tool
(April 10 & 13, 2020)
Dell has debuted a tool that can detect attempts to modify a device's BIOS component. The SafeBIOS Events & Indicators of Attack tool will allow admins to isolate computers that may have been compromised.
Read more in:
Dark Reading: Dell Releases Security Tool to Defend PCs from BIOS Attacks
ZDNet: Dell releases new tool to detect BIOS attacks
https://www.zdnet.com/article/dell-releases-new-tool-to-detect-bios-attacks/
DellEMC: Dell Technologies Bolsters PC Security for Today's Remote Workers
https://blog.dellemc.com/en-us/dell-technologies-bolsters-pc-security-todays-remote-workers/
--Google Temporarily Re-enabling FTP in Chrome
(April 9 & 13, 2020)
Google has decided to re-enable support for FTP in Chrome on the stable channel so users will not run into difficulties accessing information during the COVID-19 crisis. Google disabled support for FTP in Chrome 81, which was released to the stable channel less than a week ago.
[Editor Comments]
[Murray] FTP has been broken and a vulnerability for a generation. It is an orphan. There is hardly anything legitimate that is not available via an alternate service. Its inclusion in already porous browsers is one more reason to prefer application-specific clients.
Read more in:
Chrome Status: Deprecate FTP support (deprecated)
https://www.chromestatus.com/feature/6246151319715840
Bleeping Computer: Google reenables FTP support in Chrome due to pandemic
https://www.bleepingcomputer.com/news/google/google-reenables-ftp-support-in-chrome-due-to-pandemic/
--DESMI Acknowledges Cyber Attack
(April 13, 2020)
A Danish company that manufactures pumps for a variety of industries was hit with a cyberattack last week. All IT systems at DESMI were shut down and are now in the process of being restored with the help of third party experts. DESMI has reported the incident to authorities and police.
Read more in:
DESMI: DESMI hit by Cyber attack
https://www.desmi.com/news-(3)/desmi-hit-by-cyber-attack.aspx
Security Affairs: Danish pump maker DESMI reveals cyber attack
https://securityaffairs.co/wordpress/101495/hacking/desmi-discloses-cyber-attack.html
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Dynamic Analysis Technique to Get Decrypted KPOT Malware
Comparing the Same Phishing Campaign 3 Months Apart
https://isc.sans.edu/forums/diary/Look+at+the+same+phishing+campaign+3+months+apart/26018/
VMWare vCenter Server Vulnerability
https://www.vmware.com/security/advisories/VMSA-2020-0006.html
Sodinokibi Ransomware Switching to Monero
Setting 3D Printers On Fire
https://www.coalfire.com/The-Coalfire-Blog/April-2020/With-IoT-Common-Devices-Pose-New-Threats
Junos OS: vMX Default Credentials
https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10998
Malware Impersonates Security Researchers
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create.