
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #31

April 17, 2020

GAO: DoD Failing On Cyber Hygiene; Texas Judge Approves Mail-in Voting for Anyone Who Requests It; Air Force Bounty Program Found 460 Bugs



    

Top Note:

 

More evidence is arriving that the combination of SANS live instructors with the unique Live Online delivery system provides an experience as satisfying and effective as the face-to-face courses. Examples from yesterday's classes:


From SEC511: "I love the Live Online delivery method and cannot say enough about the merits it offers me while I am studying and learning from the instructor. It is making my overall experience excellent." (Thomas L., U.S. Military)


From SEC504: "The labs are well-crafted, entertaining and insightful. I can tell that a lot of hard work went into designing and outlining the labs but you still managed to keep it fun. Quite brilliant from all sides!"  (Kirill Boychenko, Recorded Future)

 


****************************************************************************

SANS NewsBites               April 17, 2020                Vol. 22, Num. 030

****************************************************************************

TOP OF THE NEWS


 GAO Report: Department of Defense Needs to Renew Focus on Cyber Hygiene

 Texas Judge Approves Mail-in Voting for Anyone Who Requests It

 Air Force Bug Bounty Program Found More Than 460 Vulnerabilities




REST OF THE WEEK'S NEWS


 Linksys Forces Password Reset

 Google Removes Malicious Chrome Extensions From Web Store

 Patch Tuesday

 Zoom Brings in Help to Address Security Issues

 Czech Republic Cybersecurity Body Warns of Attacks in Healthcare Sector

 European Energy Company Faces Ransomware Demand

 Immunity Passports

 PoetRAT Targeting Organizations in Azerbaijan

 Microsoft Will Extend Support for Windows 10 1809


INTERNET STORM CENTER TECH CORNER


***********************  Sponsored By Netskope  *****************************


Join Netskope's Cloud Security Workshop. Are you really ready to provide safe access to cloud services and keep pace with new threats? Register for Netskope's complimentary cloud security workshop! Take control over your web services. Get 5 CPE credits and hands-on experience with Next Gen Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) solutions built for the cloud. http://www.sans.org/info/216135  

 

*****************************************************************************

CYBERSECURITY TRAINING UPDATE


SANS Training is 100% Online, with two convenient ways to complete a course:


OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online


Keep your skills sharp with SANS Online Training:


- The world's top cybersecurity courses

- Taught by real world practitioners

- Ideal preparation for more than 30 GIAC Certifications


Test drive a course: https://www.sans.org/course-preview

______________________


Upcoming Live Online Events:


Pen Test Austin 2020 | April 27-May 2

- https://www.sans.org/event/pen-test-austin-2020


Security West 2020 | May 11-16

- https://www.sans.org/event/security-west-2020


Cloud Security Summit & Training 2020 | May 28-June 6

- https://www.sans.org/event/cloud-security-summit-2020


Rocky Mountain Hackfest Summit & Training 2020 | June 4-13

- https://www.sans.org/event/rockymountainhackfest-summit-2020


SANSFIRE 2020 | June 13-20

- https://www.sans.org/event/sansfire-2020


2-Day Firehose Training | June 29-30

- https://www.sans.org/event/2-day-firehose-training-jun29-2020


In Person Training:


SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020

______________________


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap


Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee.


 

*****************************************************************************

TOP OF THE NEWS   


GAO Report: Department of Defense Needs to Renew Focus on Cyber Hygiene

(April 14, 2020)

A report from the US Government Accountability Office (GAO) says that the Department of Defense (DoD) has either abandoned or stopped keeping track of many of the cyber hygiene goals the agency set for itself in 2015. GAO makes seven recommendations for DoD, several of which focus on assigning responsibility for implementation of cyber hygiene tasks.


[Editor Comments]

 

[Pescatore] One line in this 54-page report captures the glaring problem: "The department does not know the extent that cyber hygiene practices have been implemented to protect DOD networks from key cyberattack techniques." Importantly, DoD CIOs stated they did not know they were responsible for implementing and monitoring the key Cybersecurity Culture and Compliance Initiatives (DC3I). One reason for this: the report notes that in December 2016, the DoD moved responsibility for DC3I implementation and oversight from the US Cyber Command to the DoD CIO office as part of implementing the November 2014 DOD Directive 5144.02 that said the DoD CIO office had overall cybersecurity responsibility. While I think there has been a lot of progress at the DoD working levels, it looks like over the transition of Presidential administrations, the transition of responsibility for DoD cybersecurity at the top didn't happen.


Read more in:

Wired: The Pentagon Hasn't Fixed Basic Cybersecurity Blind Spots

https://www.wired.com/story/pentagon-cybersecurity-blind-spots/

Fifth Domain: Watchdog finds the Pentagon is behind on several cybersecurity initiatives

https://www.fifthdomain.com/dod/2020/04/13/watchdog-finds-the-pentagon-is-behind-on-several-cybersecurity-initiatives/

MeriTalk: GAO Rakes DoD Over Cyber Hygiene Implementation

https://www.meritalk.com/articles/gao-rakes-dod-over-cyber-hygiene-implementation/

GAO: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene (Highlights) (PDF)

https://www.gao.gov/assets/710/705894.pdf

GAO: DOD Needs to Take Decisive Actions to Improve Cyber Hygiene (PDF)

https://www.gao.gov/assets/710/705886.pdf



Texas Judge Approves Mail-in Voting for Anyone Who Requests It

(April 15 & 16, 2020)

Despite the Texas Attorney General's insistence that fear of COVID-19 does not qualify a voter to request a mail-in ballot, a Texas district judge said he will issue a temporary injunction allowing registered voters in the state to request mail-in ballots during the pandemic. Texas otherwise limits mail-in ballots to a narrow set of voters, including those with a disability that prevents them from voting in person; the ruling turns on that disability category.


[Editor Comments]


[Murray] So-called "computer scientists" (you know who you are) are projecting security requirements onto online voting that are very difficult to meet. They have made the perfect the enemy of the good. Some of these requirements will have to be relaxed to meet the emerging requirement for "travel and date free" voting. We cannot achieve risk free online voting but we can achieve "good enough," perhaps equal to what we now do with mail, signatures, rubber stamps, and double envelopes. The good enough systems will be diverse and multi-step, to include registration, distribution of ballots, recording of votes, return of ballots, early tabulating and reporting, and late auditing and certifying of the results. It is time to stop carping and to begin designing and implementing.


Read more in:

SC Magazine: Texas judge OKs expanded mail-in voting during COVID-19 pandemic

https://www.scmagazine.com/home/security-news/texas-judge-oks-expanded-mail-in-voting-during-covid-19-pandemic/

The Hill: Texas AG: Fear of COVID-19 not a qualifying reason to receive absentee ballot

https://thehill.com/homenews/state-watch/493016-texas-ag-fear-of-covid-19-not-a-qualifying-reason-to-receive-absentee

 

Air Force Bug Bounty Program Found More Than 460 Vulnerabilities

(April 15 & 16, 2020)

A US Air Force bug bounty program that ran last fall turned up more than 460 security issues in the Air Force Virtual Data Center. The remote challenge ran from October 23-November 20, 2019; there was a one-day live element on November 7, 2019.


Read more in:

HackerOne: Over 460 Vulnerabilities Resolved in Tenth Bug Bounty Challenge with U.S. Department of Defense Thanks to Hackers on HackerOne

https://www.hackerone.com/press-release/over-460-vulnerabilities-resolved-tenth-bug-bounty-challenge-us-department-defense

Fifth Domain: Ethical hackers find hundreds of vulnerabilities during latest Air Force bug bounty

https://www.fifthdomain.com/2020/04/15/ethical-hackers-find-hundreds-of-vulnerabilities-during-latest-air-force-bug-bounty/

Forbes: U.S. Air Force Successfully Hacked By 'Battalion' Of 60 Hackers

https://www.forbes.com/sites/daveywinder/2020/04/16/us-air-force-successfully-hacked-by-battalion-of-60-hackers/#f4b921d39f95


****************************  SPONSORED LINKS  ******************************


1) Webcast April 23rd at 3:30PM ET: Addressing Practical Challenges to Implementing Micro-segmentation. http://www.sans.org/info/216140


2) Cloud Security Summit & Training 2020 - SANS Live Online | May 28 - June 6. http://www.sans.org/info/216145


3) Register for this webcast and learn about the fundamentals of how Zeek operates and how to implement it in your own environment. http://www.sans.org/info/216150


*****************************************************************************

REST OF THE WEEK'S NEWS   


Linksys Forces Password Reset

(April 15, 2020)

Linksys locked all Smart Wi-Fi user accounts on April 2, 2020, after discovering that attackers had been breaking into Linksys and D-Link home routers and changing their DNS settings to redirect users to malicious sites, including pages pushing COVID-19-themed malware. The attackers got into the routers through credential stuffing, replaying username and password pairs leaked in other breaches against accounts whose owners reused them. Users must reset their passwords to regain access to their accounts.


[Editor Comments]


[Neely] When users reset their Linksys accounts, it triggers a check of all their associated Linksys devices and alerts the users if any of their DNS settings were compromised. Of note, there was some confusion about the account reset notification that was sent. The legitimate email comes from subscribermangement@linksys-email.com rather than a linksys.com email address.


Read more in:

The Register: Linksys forces password reset for Smart Wi-Fi accounts after router DNS hack pointed users at COVID-19 malware

https://www.theregister.co.uk/2020/04/15/linksys_wifi_password_reset_malware_app/

ZDNet: Linksys asks users to reset passwords after hackers hijacked home routers last month

https://www.zdnet.com/article/linksys-asks-users-to-reset-passwords-after-hackers-hijacked-home-routers-last-month/

 

Google Removes Malicious Chrome Extensions From Web Store

(April 15, 2020)

Google has pulled 49 malicious extensions from the Chrome Web Store. The extensions impersonated legitimate browser extensions for cryptocurrency wallets (the MyCrypto research linked in the Internet Storm Center Tech Corner below names Ledger, Trezor, MyEtherWallet and MetaMask among the brands mimicked) and harvested the wallet keys and other sensitive information that users entered into them.


[Editor Comments]


[Pescatore] A key element of the world recovering from the COVID-19 virus is testing, and a critical part of making widespread testing work will be cellphone apps used for demonstrating an individual's testing status and tracing possible contacts if someone is found to be infected. Google and Apple need to really step up the security of apps and extensions that make it through their testing. Longer times for most apps and extensions to come out of the process are worth it now to significantly elevate the trust/safety level of phones for this coming critical use. Google and Apple are already working together on the tracing side of the problem. A joint effort on radically reducing "badware" that gets through their testing regimes should be a key part of that.


Read more in:

The Register: Another day, another Google cull: Chocolate Factory axes 49 malicious Chrome extensions from web store

https://www.theregister.co.uk/2020/04/15/google_malicious_chrome/

ZDNet: Exclusive: Google removes 49 Chrome extensions caught stealing crypto-wallet keys

https://www.zdnet.com/article/exclusive-google-removes-49-chrome-extensions-caught-stealing-crypto-wallet-keys/

Threatpost: Malicious Google Web Extensions Harvest Cryptowallet Secrets

https://threatpost.com/malicious-google-web-extensions-cryptowallet/154832/

 

Patch Tuesday

(April 14, 2020)

On Tuesday, April 14, Microsoft released fixes for 113 security issues in Windows and related software. Nineteen are rated critical, Microsoft's rating for flaws whose exploitation could allow code execution without user interaction. Three of the vulnerabilities are being actively exploited: two remote code execution flaws in the Adobe Font Manager Library (atmfd.dll, the Adobe Type Manager font parser), CVE-2020-0938 and CVE-2020-1020, which Microsoft had pre-announced with workarounds in advisory ADV200006 in March, and a scripting engine memory corruption flaw in Internet Explorer, CVE-2020-0968. Adobe released fixes for vulnerabilities in ColdFusion, After Effects, and Digital Editions.


Read more in:

ISC: Microsoft April 2020 Patch Tuesday

https://isc.sans.org/forums/diary/Microsoft+April+2020+Patch+Tuesday/26022/

KrebsOnSecurity: Microsoft Patch Tuesday, April 2020 Edition

https://krebsonsecurity.com/2020/04/microsoft-patch-tuesday-april-2020-edition/

Computerworld: Don't Panic, but do make this month's Patch Tuesday a priority

https://www.computerworld.com/article/3538414/dont-panic-but-do-make-this-months-patch-tuesday-a-priority.html

The Register: April 2020 and - rest assured - your Windows PC can still be pwned by something so innocuous as an unruly font

https://www.theregister.co.uk/2020/04/14/april_patch_tuesday/

Threatpost: Adobe Fixes 'Important' Flaws in ColdFusion, After Effects and Digital Editions

https://threatpost.com/adobe-fixes-important-flaws-in-coldfusion-after-effects-and-digital-editions/154780/

Adobe: Security Bulletins Posted

https://blogs.adobe.com/psirt/?p=1859

MSRC: Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

 

Zoom Brings in Help to Address Security Issues

(April 13 & 16, 2020)

Zoom is calling in outside experts to help it address security and privacy concerns. With millions of people working from home during the COVID-19 pandemic, Zoom's popularity has ballooned, and the service has come under greater scrutiny from both attackers and security researchers, who have unearthed a number of security and privacy issues. The company has hired numerous security consultants, many of whom previously held security and privacy roles at other high-profile tech companies. (The WSJ story is behind a paywall.)


[Editor Comments]


[Pescatore] Zoom's CEO publicly apologized for "falling short" on security and privacy and Zoom has taken a lot of important steps to improve. But, they aren't the only video conferencing approach in use and we know attackers are going after them all. SANS is doing a series of webinars on the key elements to making sure all remote work is done as securely as possible that you can access at https://www.sans.org/webcasts/


[Neely] There is a lot of FUD around Zoom, and rather than dropping it like a hot potato, consideration needs to be given to implementing it securely and applying fixes as they come out. Before jumping to another solution, careful analysis of the security, user experience, and transition costs needs to be performed.


Read more in:

WSJ: Zoom Hires Security Heavyweights to Fix Flaws (paywall)

https://www.wsj.com/articles/zoom-hires-security-heavyweights-to-fix-flaws-11587061868

Security Ledger: Amid Security Concerns: to Zoom or not to Zoom?

https://securityledger.com/2020/04/amid-security-concerns-to-zoom-or-not-to-zoom/

 

Czech Republic Cybersecurity Body Warns of Attacks in Healthcare Sector

(April 16, 2020)

The Czech Republic's central government cybersecurity body has issued a warning that cyberattackers may be targeting healthcare organizations in that country. The Czech health ministry said it had detected and stopped cyberattacks against hospitals. In a separate story, an FBI official said that hackers who appear to be working with the backing of foreign governments are breaking into systems that belong to companies working on COVID-19 research.     


Read more in:

Reuters: Czechs on alert over hospital cyberattacks

https://www.reuters.com/article/us-czech-cyber/czechs-on-alert-over-hospital-cyberattacks-idUSKBN21Y30R

Reuters: FBI official says foreign hackers have targeted COVID-19 research

https://www.reuters.com/article/us-health-coronavirus-cyber/fbi-official-says-foreign-hackers-have-targeted-covid-19-research-idUSKBN21Y3GL

 

European Energy Company Faces Ransomware Demand

(April 16, 2020)

Systems at European energy company Energias de Portugal (EDP) were hit with ransomware on Monday, April 13, 2020. The Lisbon-based company says it is working with authorities regarding the attack. The operators of the Ragnar Locker ransomware are threatening to publish or sell data stolen from the company if it does not pay the 1,580 bitcoin (€10.3 million, US $11.2 million) demand.


[Editor Comments]


[Murray] It is very late to be seeing so many successful extortions based on weak cyber security. Raise the cost of attack against your systems and improve your resilience. The bad news is that you need to raise the cost of attack about ten-fold to be effective. The good news is that you are on the flat part of the security cost curve where you can get a big bang for your bucks. Lack of budget is not an excuse; there is always money for that which must be done. Ask for it over and over until you get it. That is called "your job."


Read more in:

Infosecurity Magazine: Energy Giant EDP Hit With €10 Million Ransomware Threat

https://www.infosecurity-magazine.com/news/energy-giant-edp-hit-10-million/

Bleeping Computer: RagnarLocker ransomware hits EDP energy giant, asks for €10M

https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/

SC Magazine: Ragnar Locker's well-conceived ransomware attack on Energias de Portugal

https://www.scmagazine.com/home/security-news/ransomware/ragnar-lockers-well-conceived-ransomware-attack-on-energias-de-portugal/



Immunity Passports

(April 15 & 16, 2020)

Several countries have begun floating the idea of an "immunity passport," which would certify that someone is immune to COVID-19. Not only does the idea raise a number of security and privacy issues, but there are still unknowns about immunity to this particular virus.  


[Editor Comments]


[Neely] I carry an immunization record with me when traveling internationally, typically a paper form, as well as a digital backup, to be surrendered for examination by border control based on the risk of your origin point, or verification that you meet local mandatory immunization requirements. While COVID-19 changes those factors, the bigger issue is having an internationally recognized indicator of immunity to COVID-19.


Read more in:

Dark Reading: Post Pandemic, Technologists Pose Secure Certification for Immunity

https://www.darkreading.com/endpoint/post-pandemic-technologists-pose-secure-certification-for-immunity/d/d-id/1337580

qz: Is it too soon for a "CoronaPass" immunity app?

https://qz.com/1838764/is-it-too-soon-for-immunity-passports/


 

PoetRAT Targeting Organizations in Azerbaijan

(April 16, 2020)

A new remote access Trojan (RAT) that is being called PoetRAT is targeting organizations in Azerbaijan. According to Cisco Talos, "the malware was distributed using URLs that mimic some Azerbaijan government domains." Once they gained access to a system, PoetRAT operators used additional tools, including keystroke loggers, password stealers, and "a tool used to monitor the hard disk and exfiltrate data automatically."


Read more in:

Cisco: PoetRAT Uses Covid-19 Lures To Attack Azerbajian

https://blogs.cisco.com/security/talos/poetrat-uses-covid-19-lures-to-attack-azerbajian

Threatpost: New PoetRAT Hits Energy Sector With Data-Stealing Tools

https://threatpost.com/new-poetrat-hits-energy-sector-with-data-stealing-tools/154876/

 

Microsoft Will Extend Support for Windows 10 1809

(April 14 & 16, 2020)

Microsoft is extending support for Windows 10, version 1809 and Windows Server, version 1809. The original end-of-service date, May 12, 2020, has been pushed back to November 10, 2020. The extension matters for the Home, Pro and Server editions; Enterprise and Education editions of 1809 already had a longer 30-month servicing window. Microsoft has recently extended end-of-service dates for several other products, including Windows 10 1709, Configuration Manager 1810, SharePoint Server 2010, SharePoint Foundation 2010, and Project Server 2010. Microsoft says it made the change "to help people and organizations focus their attention on retaining business continuity."


Read more in:

Microsoft: Lifecycle changes to end of support and servicing dates

https://support.microsoft.com/en-gb/help/4557164/lifecycle-changes-to-end-of-support-and-servicing-dates

Infosecurity Magazine: Microsoft Extends Windows 10 Support as #COVID19 Rages

https://www.infosecurity-magazine.com/news/microsoft-extends-windows-10/

The Register: Microsoft throws extended support lifeline for folk stuck on car-crash Windows 10 1809

https://www.theregister.co.uk/2020/04/15/windows_10_1809_support_extended/

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+April+2020+Patch+Tuesday/26022/


Adobe Security Bulletins

https://helpx.adobe.com/security.html


Microsoft Extending EOL For Windows 10 1709/1809

https://support.microsoft.com/en-us/help/4557164/lifecycle-changes-to-end-of-support-and-servicing-dates


Dell Safe BIOS

https://blog.dellemc.com/en-us/dell-technologies-bolsters-pc-security-todays-remote-workers/


Hunting Without IOCs

https://isc.sans.edu/forums/diary/No+IOCs+No+Problem+Getting+a+Start+Hunting+for+Malicious+Office+Files/26026/


Cloudflare/Online Banking Outages

https://twitter.com/eastdakota/status/1250520852354854912


Crypto Currency Stealing Browser Extensions

https://medium.com/mycrypto/discovering-fake-browser-extensions-that-target-users-of-ledger-trezor-mew-metamask-and-more-e281a2b80ff9


Applocker vs. Living off the Land Attacks

https://isc.sans.edu/forums/diary/Using+AppLocker+to+Prevent+Living+off+the+Land+Attacks/26032/


Windows Security Crashing After Definition Update

https://www.askwoody.com/2020/reports-of-windows-security-nee-microsoft-security-essentials-crashing-after-installing-this-mornings-definition-updates/


700 Malicious Ruby Gems Found

https://thehackernews.com/2020/04/rubygem-typosquatting-malware.html


vCenter Exploit for CVE-2020-3952

https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/

 
 

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create