SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #32
April 21, 2020Dangerous VMware Vulnerability; CISA Warns On: Pulse Secure VPN Servers; Microsoft Windows Defender Definition Crash Issue; Malicious Libraries In RubyGems Repository
SANS has started publishing "NewsBites Drilldown" on Mondays. Each week SANS Director of Emerging Security Trends and others will provide some additional analysis of the top items from the previous week's issues of NewsBites. You can find "NewsBites Drilldown" on the SANS Blog site at https://www.sans.org/blog/ under the Cybersecurity Insights focus area. If you have comments on any items, you can send them to trends@sans.org
****************************************************************************
SANS NewsBites April 21, 2020 Vol. 22, Num. 032
****************************************************************************
TOP OF THE NEWS
Dangerous VMware Vulnerability
CISA: Pulse Secure VPN Servers Vulnerable to Attacks After Patching Unless Passwords Changed
Microsoft Releases New Windows Defender Definition to Fix Crash Issue
Malicious Libraries Uploaded to RubyGems Repository
REST OF THE WEEK'S NEWS
"Is BGP Safe Yet?" Tool
GitHub Users Targeted in Phishing Attacks
Cryptocurrency Theft
German State May Have Lost Millions in COVID-19 Aid to Phishers
Cognizant Hit with Ransomware Attack
State Dept. Concerned About Reports of Healthcare Organization Cyberattacks in Czech Republic
UK Ministry of Defence Temporarily Eases Cybersecurity Requirement for Contractors
Virtual Exam Monitoring Raises Privacy Concerns
US Supreme Court Will Review Case Involving Computer Fraud and Abuse Act
INTERNET STORM CENTER TECH CORNER
*********************** Sponsored By Splunk *******************************
Closing the Cybersecurity Gap: 3 Keys to Analytics-Driven Security. According to the 2018 Security Priorities study from IDG, 28% of IT leaders say that external cyberthreats force them to redirect time and focus away from more strategic tasks. Read this Executive Brief from CSO to learn how you can improve your security posture and gain real bottom-line benefits. http://www.sans.org/info/216155
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Test drive a course: https://www.sans.org/course-preview
______________________
Upcoming Live Online Events:
Pen Test Austin 2020 | April 27-May 2
- https://www.sans.org/event/pen-test-austin-2020
Security West 2020 | May 11-16
- https://www.sans.org/event/security-west-2020
Cloud Security Summit & Training 2020 | May 28-June 6
- https://www.sans.org/event/cloud-security-summit-2020
Rocky Mountain Hackfest Summit & Training 2020 | June 4-13
- https://www.sans.org/event/rockymountainhackfest-summit-2020
SANSFIRE 2020 | June 13-20
- https://www.sans.org/event/sansfire-2020
2-Day Firehose Training | June 29-30
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
In Person Training:
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
______________________
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee.
*****************************************************************************
TOP OF THE NEWS
--Dangerous VMware Vulnerability
(April 17, 2020)
VMware recently released a patch for a vulnerability in vCenter management product; the vulnerability was given a CVSS score of 10. It is now known that the flaw could be exploited by anyone on the network to create new administrator accounts in the vCenter Directory. Admins are urged to apply the patch as soon as possible.
[Editor Comments]
[Honan] A gap I regularly see when reviewing patch management strategies is the narrow focus on server and desktop operating systems and the applications that reside on them, but ignoring the virtualisation platforms on which many of those systems rely.
Read more in:
The Register: That critical VMware vuln allowed anyone on your network to create new admin users, no creds needed
https://www.theregister.co.uk/2020/04/17/vmware_vcenter_critical_vuln_anyone_create_admin_users/
Dark Reading: Researchers Explore Details of Critical VMware Vulnerability
Guardicore: WHAT'S A 10? PWNING VCENTER WITH CVE-2020-3952
https://www.guardicore.com/2020/04/pwning-vmware-vcenter-cve-2020-3952/
--CISA: Pulse Secure VPN Servers Vulnerable to Attacks After Patching Unless Passwords Changed
(April 17, 18, & 20, 2020)
A patch was made available for an arbitrary file reading vulnerability in Pulse Secure VPN a year ago. However, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has warned that even if an organization has applied the fix, hackers could still use credentials stolen before the flaw was patched to access the system unless the organization has changed those credentials. Hackers used stolen Active Directory credentials to place ransomware on systems at US hospitals.
[Editor Comments]
[Neely] Use the CISA "check-your-pulse" tool to analyze your Pulse Secure VPN logs for indications of compromise. If any are found, a full AD password reset, including administrator and service accounts is indicated. Implementing 2FA on your Pulse Secure VPN can also reduce the risk of compromised credentials being used to enter your network.
https://github.com/cisagov/check-your-pulse
Read more in:
Bleeping Computer: US govt: Hacker used stolen AD credentials to ransom hospitals
SC Magazine UK: Pulse Secure remains vulnerable even after VPN patching
https://www.scmagazineuk.com/pulse-secure-remains-vulnerable-even-vpn-patching/article/1680745
Threatpost: DHS Urges Pulse Secure VPN Users To Update Passwords
https://threatpost.com/dhs-urges-pulse-secure-vpn-users-to-update-passwords/154925/
GovInfosecurity: CISA Warns Patched Pulse Secure VPNs Still Vulnerable
https://www.govinfosecurity.com/cisa-warns-patched-pulse-secure-vpns-still-vulnerable-a-14143
US-CERT: Continued Threat Actor Exploitation Post Pulse Secure VPN Patching
https://www.us-cert.gov/ncas/alerts/aa20-107a
--Microsoft Releases New Windows Defender Definition to Fix Crash Issue
(April 16 & 17, 2020)
A recent Windows Defender definition update caused Windows 10 machines running the Microsoft anti-malware component to crash while in the middle of a full antivirus scan. Late last week, Microsoft pushed out a new definition to fix the problem.
Read more in:
ZDNet: Windows Defender crashes: Microsoft fixes bug causing full scans to fail
Bleeping Computer: Windows Defender broken by recent updates, how to fix
Ask Woody: Reports of Windows Security (nee Microsoft Security Essentials) crashing after installing this morning's definition updates
--Malicious Libraries Uploaded to RubyGems Repository
(April 17 & 20, 2020)
Hackers uploaded malicious files to the RubyGems package manager. The files have names that are a character or two off from legitimate files. If users download the malicious libraries, the software they build with them will include bitcoin stealing malware.
Read more in:
Ars Technica: Supply-chain attack hits RubyGems repository with 725 malicious packages
Threatpost: Bitcoin Stealers Hide in 700+ Ruby Developer Libraries
https://threatpost.com/bitcoin-stealers-700-ruby-developer-libraries/154937/
******************************* SPONSORED LINKS ********************************
1) Webcast | WhatWorks in High Security Alternatives for Remote Collaboration and Communications. Register: http://www.sans.org/info/216160
2) Cloud Security Summit & Training 2020 - SANS Live Online | May 28 - June 6. http://www.sans.org/info/216165
3) Don't miss this webcast | The Power of Open-Source Zeek (formerly Bro). Register: http://www.sans.org/info/216170
*********************************************************************************
REST OF THE WEEK'S NEWS
--"Is BGP Safe Yet?" Tool
(April 17, 2020)
Users can check to see whether their ISP is using features that improve the stability of the Border Gateway Protocol (BGP) through the "Is BGP Safe Yet" site. Sometimes BGP problem are accidental, sending traffic on unexpected routes, and sometimes it is deliberately disrupted, hijacked to route traffic through certain servers so attackers can steal data.
[Editor Comments]
[Neely] While BGP was a vast improvement over prior options, anyone remember RIP? It does allow the updates to preferred routes. ISPs can implement RPKI which adds a trust anchor to BGP updates. The "Is BGP Safe Yet?" provides an easy way to check your ISP. The site also provides suggestions for encouraging your ISP implement RPKI and join MANRS.
Read more in:
Wired: You Can Now Check If Your ISP Uses Basic Security Measures
https://www.wired.com/story/cloudflare-bgp-routing-safe-yet/
ZDNet: Cloudflare debuts Border Gateway Protocol safety check tool
https://www.zdnet.com/article/cloudflare-debuts-border-gateway-protocol-safety-check-tool/
Is BGP Safe Yet: Is BGP safe yet? No.
--GitHub Users Targeted in Phishing Attacks
(April 17, 2020)
GitHub users are being targeted in a phishing scheme. The message in the malicious email says that unauthorized activity has been detected on a user's account, and provides a link that purportedly will show the questionable activity. Instead, the link takes users to a phony GitHub login page where their credentials could be stolen. Attackers have been accessing accounts of people who have fallen for the phish and have been downloading the contents of their repositories.
[Editor Comments]
[Honan] Where multi-factor authentication is available, it should be enabled. Instructions to turn on MFA for Github are available here: https://help.github.com/en/github/authenticating-to-github/configuring-two-factor-authentication: Configuring two-factor authentication
Read more in:
SC Magazine: GitHub users being hit with credential stealing phishing messages
Bleeping Computer: GitHub accounts stolen in ongoing phishing attacks
https://www.bleepingcomputer.com/news/security/github-accounts-stolen-in-ongoing-phishing-attacks/
--Cryptocurrency Theft
(April 20, 2020)
Hackers stole a total of $25 million worth of cryptocurrency from Lendf.me and Uniswap. The thefts are being investigated; they are believed to be related. The hackers used a combination of vulnerabilities and legitimate features to steal the funds.
Read more in:
ZDNet: Hackers steal $25 million worth of cryptocurrency from Uniswap and Lendf.me
Infosecurity Magazine: Hackers Raid Crypto Firms in $25m Attacks
https://www.infosecurity-magazine.com/news/hackers-raid-crypto-firms-in-25/
--German State May Have Lost Millions in COVID-19 Aid to Phishers
(April 18, 2020)
The government of the German state of North Rhine-Westphalia appears to have lost between [euro]31.5 million ($34.2 million) and [euro]100 million ($109 million) to a phishing scheme. The funds were meant to be distributed to individuals and companies affected by the COVID-19 pandemic. The thieves set up a website that looked just like the one the North Rhine-Westphalia government created to help distribute the money. The thieves then sent links to their site, harvested information from people and organizations applying for the funds, and used the information to direct the payments into bank accounts under their control.
[Editor Comments]
[Pescatore] Most scams take advantage of targets being distracted and in a hurry, and these are distracting and rapidly changing times. Even before this, we've seen CFOs and financial managers fall for similar schemes where financial disbursement processes did not have a formal approval checkpoint or were shortcut. Good idea to use this item to remind financial managers of the increased danger and to step up email quarantining of anything suspect.
[Neely] Strong validation of users or organization enrolling for financial transactions, including out-of-band validation of bank information when setup or changed, is crucial. While remote enrollment introduces challenges, use existing services which use multiple sources for validation to raise the bar without having to roll your own solution.
Read more in:
ZDNet: German government might have lost tens of millions of euros in COVID-19 phishing attack
--Cognizant Hit with Ransomware Attack
(April 18 & 20, 2020)
IT services company Cognizant was the target of a ransomware attack last week. The company notified its clients and shared "indicators of compromise" with them so they could take steps to protect their systems. Forensic information shared with Cognizant clients suggests that the Maze ransomware was used in the attack.
Read more in:
SC Magazine: Maze ransomware attack catches IT services firm Cognizant unawares
Cyberscoop: IT services firm Cognizant hit with Maze ransomware
https://www.cyberscoop.com/cognizant-maze-ransomware-fortune-500/
Bleeping Computer: IT services giant Cognizant suffers Maze Ransomware cyber attack
Cognizant: Cognizant Security Incident Update
https://news.cognizant.com/2020-04-18-cognizant-security-update
--State Dept. Concerned About Reports of Healthcare Organization Cyberattacks in Czech Republic
(April 17 & 18, 2020)
A press statement from the US Department of State expresses concern of a recent warning from the Czech Republic's National Cyber and Information Security Agency that hackers were targeting organizations in the country's healthcare sector. Reuters reports that the Prague Airport and a hospital in the Czech Republic both say they staved off cyberattacks against their IT systems.
Read more in:
State: The United States Concerned by Threat of Cyber Attack Against the Czech Republic's Healthcare Sector
Reuters: Prague Airport says thwarted several cyber attacks; hospitals also targeted
--UK Ministry of Defence Temporarily Eases Cybersecurity Requirement for Contractors
(April 6 & 20, 2020)
The UK Ministry of Defence (MoD) is temporarily suspending certain cybersecurity requirements for its contractors. Until the COVID-19 threat abates, UK defence contractors will not need the Cyber Essentials Plus cybersecurity certification, which requires a visit from a third-party assessor.
Read more in:
The Register: Ministry of Defence lowers supplier infosec standards thanks to COVID-19 outbreak
https://www.theregister.co.uk/2020/04/20/mod_relaxes_cyber_essentials_plus_suppliers/
Gov.uk: Guidance: Cyber security model and cyber essentials plus certification during COVID-19 isolation
--Virtual Exam Monitoring Raises Privacy Concerns
(April 1 & 20, 2020)
Students at the Australian National University (ANU) are protesting the school's plan to install monitoring software on their home computers to ensure that they do not cheat on exams. The software Proctorio, identifies students biometrically, locks down the system to prevent outside information from being transmitted during the exam, and records the environment during the exam. It also tracks students' eye movements. In a separate story, some schools in the US are using Proctorio as well as live remote proctors to monitor students during exams.
[Editor Comments]
[Pescatore] In many ways dealing with the current impact of the Coronavirus and coming out of it will require some tradeoffs between privacy and safety/security/trustability. Some US states are suspending laws requiring in-person notarization of legal documents; some are not. Some will risk cheating over invasive controls - for now these will be local "learn as we go" decisions, but in the future I think we will see "remote drills" to test processes a few times per year, just as we do fire drills in most buildings.
[Neely] A great success story, while it still uses in-person proctors, is the Anchorage Amateur Radio Club remote testing which has been performed in 32 states and Antarctica to date. For those seeking GIAC certification attempts, or other exams proctored by Pearson Vue, check their site for relevant information https://home.pearsonvue.com/coronavirus-update.aspx: Impact to candidate exam schedules
Read more in:
ZDNet: Students, university clash over forced installation of remote exam monitoring software on home PCs
Washington Post: Mass school closures in the wake of the coronavirus are driving a new wave of student surveillance
https://www.washingtonpost.com/technology/2020/04/01/online-proctoring-college-exams-coronavirus/
--US Supreme Court Will Review Case Involving Computer Fraud and Abuse Act
(April 20, 2020)
The US Supreme Court has agreed to review a case in which a former police officer was convicted of violating the Computer Fraud and Abuse Act (CFAA) for accessing data in a system he was authorized to use for a non-work-related purpose. Critics of the CFAA say the 34-year-old is overly broad and does not serve the current cyber climate.
[Editor Comments]
[Pescatore] Lower courts have ping-ponged around how they interpret the Authorized Access wording in the CFAA for years. CFAA has been used semi-randomly against security researchers in the past and many times not supported charging malicious insiders with unauthorized use of data. The law is long overdue for rewriting but this case is more focused on the insider authorized access issue vs. the security researcher issue - a narrow ruling may not address security researcher liability issue at all.
[Murray] Drafting legislation the accomplishes its intent while avoiding unintended consequences is difficult. When the CFAA was drafted most of those who could send a message to a system worked for the owners of the system.
Read more in:
Duo: Supreme Court to Review CFAA for First Time
https://duo.com/decipher/supreme-court-to-review-cfaa-for-first-time
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Weaponized RTF Document Generator Mailer in PowerShell
https://isc.sans.edu/forums/diary/Weaponized+RTF+Document+Generator+Mailer+in+PowerShell/26030/
KPOT AutoIt Script: Analysis
https://isc.sans.edu/forums/diary/KPOT+AutoIt+Script+Analysis/26012/
Microsoft Fixes Bad Anti-Malware Signatures
https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes
Sophos Pulls Bad Firmware Update
https://community.sophos.com/kb/en-us/135383
Credentials Stolen from Pulse Secure VPN Abused
https://www.us-cert.gov/ncas/alerts/aa20-107a
Chrome Update
https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_15.html
FPGA Vulnerability
https://www.usenix.org/conference/usenixsecurity20/presentation/ender
Nagios XI Vulnerability
https://exchange.xforce.ibmcloud.com/vulnerabilities/179406
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
