SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #33
April 24, 2020Zoom Security and Privacy; FBI Stops Malicious COVID-19 Websites; NSA and Australian ASD Advisory on Web Shell Malware
Quite remarkable how many SANS students are taking the time to tell us that SANS courses and instructors are just as satisfying in their on-line format, as they are in face-to-face classes.
"The instructor was one of the best instructors I've ever had. She was passionate, energetic, and had depth in every subject she talked about. She's the type of instructor you dream about getting when you go to a technical course." - Joshua M. (commenting on Alissa Torres' forensics class)
****************************************************************************
SANS NewsBites April 24, 2020 Vol. 22, Num. 033
****************************************************************************
TOP OF THE NEWS
Zoom 5.0 Includes Security and Privacy Improvements
FBI and Domain Name Registries Take Down Malicious COVID-19 Websites
NSA and Australian Signals Directorate Issue Joint Advisory on Web Shell Malware
REST OF THE NEWS
New GNU Compiler Collection (GCC) 10 Feature Detected OpenSSL Flaw
Apple Will Fix Flaws in iOS Mail
US Small Business Administration Data Breach
Hacked Ad Servers
Microsoft Releases Unscheduled Fixes for Autodesk FBX Library
IBM Data Risk Manager Zero-days
Phishing Campaign Targets Skype Credentials
DoppelPaymer Ransomware Group Posts Files Stolen From Torrance, California Systems
Private Equity Firms Fall Prey to Business Email Compromise
INTERNET STORM CENTER TECH CORNER
********************* Sponsored By ExtraHop ******************************
WhatWorks in Migrating to the Cloud While Maintaining Security and Network Performance (with a Remote Workforce). The need for businesses to rapidly move to near 100% work at home has increased the importance of detailed and accurate visibility into user activity in remote connections. SANS John Pescatore will interview Juan Canales from HPMG to hear details on his selection, deployment and experience using ExtraHop Reveal(x) to increase visibility into network traffic. http://www.sans.org/info/216195
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Test drive a course: https://www.sans.org/course-preview
______________________
Upcoming Live Online Events:
Instructor-Led Training | May 4-9
- https://www.sans.org/event/live-online-may4-2020
Security West 2020 | May 11-16
- https://www.sans.org/event/security-west-2020
2-Day Firehose Training | May 26-29
- https://www.sans.org/event/2-day-firehose-training-may27-2020
Cloud Security Summit & Training 2020 | May 26-June 5
- https://www.sans.org/event/cloud-security-summit-2020
Rocky Mountain Hackfest Summit & Training 2020 | June 4-13
- https://www.sans.org/event/rockymountainhackfest-summit-2020
SANSFIRE 2020 | June 13-20
- https://www.sans.org/event/sansfire-2020
2-Day Firehose Training | June 29-30
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
In Person Training
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
______________________
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee.
*****************************************************************************
TOP OF THE NEWS
--Zoom 5.0 Includes Security and Privacy Improvements
(April 22, 2020)
Zoom has released a new version of its teleconferencing software. New features in Zoom 5.0 include controlled data routing, and passwords on by default for all meetings; administrators can now establish password complexity requirements. Zoom is also implementing stronger encryption, which is expected to be enabled system-wide by the end of May. The newest version of Zoom will be rolled out to users over the next week.
[Editor Comments]
[Pescatore] Zoom continues to live up to its promise to enhance security, but there is a predictable trajectory when IT platforms retroactively add security features. Security management capabilities tend to lag, providing limited visibility into and tracking of critical security policies/events. The Business version of Zoom has an admin dashboard that is mostly performance oriented and relies on exporting .CSV files for any deeper analysis - never a scalable approach. Third-party partner vendors can fill the gap, but the Zoom App Marketplace has a very limited choice of small vendors. Zoom may add more security management capabilities, but training will be required for admins and security analysts on how to properly configure and monitor security relevant features, how to integrate to SIEM, etc. Many will require direct vendor support until these capabilities mature. At the Enterprise pricing level of Zoom ($1999/month minimum) you get a dedicated "Customer Success Manager" which many may need to buy.
[Neely] The update is not available yet; yes, I tried to update before reading that, too. The plan is to push out client updates next week. They are updating to AES 265 GCM encryption, and allowing your account admin to control meeting routing. They are also grouping the security settings together under a new security icon. The Zoom blog explains the new features: https://blog.zoom.us/wordpress/2020/04/22/zoom-hits-milestone-on-90-day-security-plan-releases-zoom-5-0/: Zoom Hits Milestone on 90-Day Security Plan, Releases Zoom 5.0
Read more in:
The Register: After intense scrutiny, Zoom tightens up security with version 5. New features include not, er, spilling video calls to network snoops
https://www.theregister.co.uk/2020/04/22/zoom_5/
ZDNet: Zoom adds data center routing, security updates
https://www.zdnet.com/article/zoom-adds-data-center-routing-security-updates/
Cyberscoop: Zoom bolsters software security in latest move to reassure users
https://www.cyberscoop.com/zoom-software-update-security-coronavirus/
Silicon Angle: Zoom update addresses security issues with enhanced encryption and new features
--FBI and Domain Name Registries Take Down Malicious COVID-19 Websites
(April 22, 2020)
The FBI, working in cooperation with domain registries and other technology companies, has removed hundreds of malicious websites with names related to COVID-19. Some of the websites pretended to be legitimate sites seeking donations; others pretended to be US government websites and sought to collect personal information. The FBI's Internet Crime Complaint Center has received more than 3,600 complaints related to COVID-19 scams.
[Editor Comments]
[Pescatore] It is important that we accept the risk of more false positive blocking of URLs than in more normal times. Bad guys have their greatest successes taking advantage of people (users, admins, CFOs, CEO, directors of boards, etc.) when the targets are distracted and can be made to feel a sense of urgency. Let's all hope we never see this high level of distraction and uncertainty again in our lifetimes, but while we are stuck in it is the time to err on the side of caution and having to deal with "Hey, your stupid security system kept me away from this perfectly safe website" complaints.
Read more in:
The Hill: DOJ thwarts hundreds of websites tied to coronavirus scams, security threats
Cyberscoop: FBI enlists internet domain registries in fight against coronavirus scams
https://www.cyberscoop.com/fbi-coronavirus-scams-internet-domains/
Justice: Department of Justice Announces Disruption of Hundreds of Online COVID-19 Related Scams
--NSA and Australian Signals Directorate Issue Joint Advisory on Web Shell Malware
(April 23, 2020)
A joint security advisory from the US National Security Agency (NSA)and Australian Signals Directorate (ASD) urging organizations to take steps to detect and prevent web shell malware. Suggested detection techniques include "Known-Good" Comparison, Web Traffic Anomaly Detection, and Signature-Based detection. Suggested prevention techniques include Web Application Permissions, File Integrity Monitoring, and Network Segregation. The advisory also includes a list of commonly exploited web application vulnerabilities.
Read more in:
ZDNet: NSA shares list of vulnerabilities commonly exploited to plant web shells
Defense: Detect and Prevent Web Shell Malware (PDF)
***************************** SPONSORED LINKS ******************************
1) Remote Worker Poll | Help SANS get a baseline on how remote workers are accessing their resources. http://www.sans.org/info/216200
2) Webcast April 28 at 3:30PM ET | How Operational Technology (OT) Security is Redefining the CISO Role. http://www.sans.org/info/216205
3) Did you miss this webcast? WhatWorks in High Security Alternatives for Remote Collaboration and Communications. http://www.sans.org/info/216210
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--New GNU Compiler Collection (GCC) 10 Feature Detected OpenSSL Flaw
(April 23, 2020)
A high-severity flaw in OpenSSL could be exploited to crash servers and applications running vulnerable OpenSSL builds. The flaw was detected by GCC 10's new static analysis feature.
[Editor Comments]
[Ullrich] It is exciting to see features like this incorporated in a popular compiler like GCC. I hope that this feature will find many more vulnerabilities. The fact that it found the problem in OpenSSL, a project that has already seen quite a few reviews in recent years, shows how valuable it is.
Read more in:
The Register: GCC 10 gets security bug trap. And look what just fell into it: OpenSSL and a prod-of-death flaw in servers and apps
https://www.theregister.co.uk/2020/04/23/gcc_openssl_vulnerability/
OpenSSL: OpenSSL Security Advisory [21 April 2020] Segmentation fault in SSL_check_chain (CVE-2020-1967)
https://www.openssl.org/news/secadv/20200421.txt
GCC: Static Analyzer project
https://gcc.gnu.org/wiki/DavidMalcolm/StaticAnalyzer
--Apple Will Fix Flaws in iOS Mail
(April 22, 2020)
A pair of vulnerabilities in Apple's mail app on iOS devices have been actively exploited since 2018. The ZecOps researchers who found the vulnerabilities say that they have been present since iOS 6, which was released in 2012. ZecOps says the vulnerabilities have been exploited to spy on employees of a North American Fortune 500 company, a European journalist, managed security service providers in the Middle East, and others. Apple has patched the flaws in the iOS 13.4.5 beta release. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Ullrich] There is no great work-around for users right now. You may be able to filter some attacks on the mail server using the IOCs provided, but it is hard to tell how good these IOCs are. If you are using a cloud-based mail service, there is usually little you can unless the provider already implemented these filters. I feel that ZecOps was too fast in releasing that much detail. But they are right in their assessment that while the flaw does allow arbitrary code execution, due to additional safeguards iOS put in place, a compromise of the phone would require additional kernel exploits.
[Neely] iOS 13.4.5 public beta is available for testing on devices enrolled in Apple's beta software program. Enroll from your device at https://beta.apple.com. While Apple holds release dates close, they have been working towards publishing updates on patch Tuesday.
Read more in:
ZecOps: You've Got (0-click) Mail!
https://blog.zecops.com/vulnerabilities/youve-got-0-click-mail/
Cyberscoop: Hackers have been exploiting two zero-days to break into iPhones and iPads
https://www.cyberscoop.com/apple-mail-ios-zero-day-zecops/
The Register: Zero-click, zero-day flaws in iOS Mail 'exploited to hijack' VIP smartphones. Apple rushes out beta patch
https://www.theregister.co.uk/2020/04/22/apple_ios_mail_zeroday/
Ars Technica: A critical iPhone and iPad bug that lurked for 8 years may be under active attack
Vice: Researchers Say They Caught an iPhone Zero-Day Hack in the Wild
https://www.vice.com/en_us/article/pken5n/iphone-email-zero-day-hack-in-the-wild
WSJ: Apple iPhone May Be Vulnerable to Email Hack (paywall)
https://www.wsj.com/articles/apple-iphone-may-be-vulnerable-to-email-hack-11587556802
SC Magazine: Eight-year-old zero day vulnerabilities found in iOS email app
Dark Reading: Apple iOS Zero-Day Vulnerabilities Exploited in Targeted Attacks
Threatpost: Apple Patches Two iOS Zero-Days Abused for Years
https://threatpost.com/apple-patches-two-ios-zero-days-abused-for-years/155042/
--US Small Business Administration Data Breach
(April 21 & 23, 2020)
The US Small Business Administration (SBA) has disclosed a suspected data breach that may have exposed information entered into an emergency loan application portal. Potentially compromised data include names, Social Security numbers, addresses, dates of birth, and insurance information. Of nearly 8,000 applicants to the SBA's Economic Injury Disaster Loans (EIDL) program. The possible breach was detected in late March.
[Editor Comments]
[Neely] The flaw allowed access to other businesses' data while in the application portal and was only exploitable through the EIDL portal. The flaw was fixed March 25th. Businesses affected were notified and offered a year of free credit monitoring.
Read more in:
ZDNet: SBA reveals potential data breach impacting 8,000 emergency business loan applicants
Ars Technica: Almost 8,000 could be affected by federal emergency loan data breach
--Hacked Ad Servers
(April 22, 2020)
Researchers at Confiant have detected a malvertising scheme that has been ongoing since at least August 2019. Hackers have been breaking into ad networks running older versions of the Revive ad server. They then add malicious code to existing ads so that the ads will redirect users to malicious sites. The hackers have compromised about 60 ad servers.
Read more in:
ZDNet: Hackers have breached 60 ad servers to load their own malicious ads
https://www.zdnet.com/article/hackers-have-breached-60-ad-servers-to-load-their-own-malicious-ads/
Confiant: Tag Barnakle: The Malvertiser That Hacks Revive Ad Servers, Redirects Victims To Malware
--Microsoft Releases Unscheduled Fixes for Autodesk FBX Library
(April 21 & 22, 2020)
Microsoft has released fixes to address vulnerabilities in the Autodesk FBX library outside of its regular patch schedule. The Autodesk FBX library is integrated in Microsoft office, Office 365 ProPlus, and Paint 3D. The vulnerabilities, which are rated "important," could be exploited to allow remote code execution.
[Editor Comments]
[Honan] As always, if Microsoft deem a vulnerability important enough to release a patch out of cycle, then you should deem it important enough to apply that patch.
Read more in:
Threatpost: Microsoft Issues Out-Of-Band Security Update For Office, Paint 3D
https://threatpost.com/microsoft-issues-out-of-band-security-update-for-office-paint-3d/155016/
ZDNet: Microsoft issues out-of-band Office and Paint 3D security updates to stop 3D graphic attack
SC Magazine: Microsoft patches Word and Office 365 for Autodesk FBX library flaws
MSRC: ADV200004 | Availability of updates for Microsoft software utilizing the Autodesk FBX library
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200004
Autodesk: Vulnerabilities in the Autodesk(R) FBX Software Development Kit
https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002
--IBM Data Risk Manager Zero-days
(April 21 & 22, 2020)
After initially rejecting reports of four vulnerabilities in IBM Data Risk Manager (IDRM), IBM has acknowledged that "a process error resulted in an improper response to the researcher who reported this situation to IBM." The person who discovered the flaws disclosed them on April 21, after IBM would not accept their disclosure through the company's vulnerability disclosure program. The vulnerabilities could be exploited to allow unauthenticated remote code execution.
[Editor Comments]
[Neely] When running a vulnerability disclosure program, treating the reported issues as legitimate and respecting those reporting is key to not undermining the program credibility as well as preventing undesired disclosure of flaws, irrespective of the exploitability of those flaws.
Read more in:
IBM: IBM Data Risk Manager Vulnerabilities
https://www.ibm.com/support/pages/node/6195705
TechRadar: IBM confirms four new zero-day vulnerabilities
https://www.techradar.com/news/ibm-confirms-four-new-zero-day-vulnerabilities
ZDNet: Security researcher discloses four IBM zero-days after company refused to patch
Bleeping Computer: Researcher discloses four IBM zero-days after refusal to fix
Portswigger: IBM DRM vulnerabilities: 'Process error' resulted in miscommunication with security researcher
DUO: FOUR ZERO DAYS FOUND IN IBM DATA RISK MANAGER
https://duo.com/decipher/four-zero-days-found-in-ibm-data-risk-manager
GitHub: Multiple Vulnerabilities in IBM Data Risk Manager
https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md
--Phishing Campaign Targets Skype Credentials
(April 23, 2020)
Phishers are sending phony emails to Skype users in the hopes of harvesting their account credentials. The email messages tell users that they have pending Skype notifications and provide a link to what looks like a Skype login page.
[Editor Comments]
[Neely] Enable multi-factor authentication on your Microsoft accounts. All Microsoft/Skype account types allow addition of MS Authenticator, SMS or Email second factor validation.
Read more in:
Threatpost: Skype Phishing Attack Targets Remote Workers' Passwords
https://threatpost.com/skype-phishing-attack-targets-remote-workers-passwords/155068/
Bleeping Computer: Creative Skype phishing campaign uses Google's .app gTLD
--DoppelPaymer Ransomware Group Posts Files Stolen From Torrance, California Systems
(April 21 & 22, 2020)
Computers belonging to the City of Torrance, California, were infected with DoppelPaymer ransomware earlier this year. At the time, the Los Angeles-area city said that no public personal information had been compromised. The attackers have begun leaking files they say were stolen from the city's computers and are demanding a payment of 100 bitcoin (roughly $750,000 as of Thursday evening) to take down the data.
Read more in:
Threatpost: LA County Hit with DoppelPaymer Ransomware Attack
https://threatpost.com/la-county-hit-with-doppelpaymer-ransomware-attack/155024/
Bleeping Computer: DoppelPaymer Ransomware hits Los Angeles County city, leaks files
Statescoop: Hackers post Calif. city's data online after it denied leak
https://statescoop.com/hackers-post-torrance-california-data-online-after-denied-leak/
SC Magazine: Online leak undermines Torrance's claim that no personal data was affected by cyberattack
--Private Equity Firms Fall Prey to Business Email Compromise
(April 23, 2020)
Criminals fooled three separate private equity firms in the UK into wiring funds to accounts the companies believed belonged to startups they intended to invest in, but which were actually controlled by the criminals. In all, the companies wired $1.3 million to the fraudsters' accounts; roughly $600,000 has been recovered.
[Editor Comments]
[Neely] The hackers have been refining their techniques to be harder to detect. This attack used a combination of look-alike domains and email account takeovers, including adding filters to divert messages to a different folder to facilitate MITM activities. High level executives are targeted to add legitimacy to the fake messages generated. Aside from training on spotting spear phishing and using strong authentication on all email accounts, out of band validation of financial account information prior to setup or change remains a key mitigation.
Read more in:
The Hacker News: Hackers Trick 3 British Private Equity Firms Into Sending Them $1.3 Million
https://thehackernews.com/2020/04/bec-scam-wire-transfer-money.html
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
SpectX: Log Parser for DFIR
https://isc.sans.edu/forums/diary/SpectX+Log+Parser+for+DFIR/26040/
Microsoft Patches Autodesk Library in Office
https://www.autodesk.com/trust/security-advisories/adsk-sa-2020-0002
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200004
Stripe Data Collection
https://mtlynch.io/stripe-recording-its-customers/
IBM Data Risk Manager Vulnerabilities
https://github.com/pedrib/PoC/blob/master/advisories/IBM/ibm_drm/ibm_drm_rce.md
iOS Mail 0Day
https://blog.zecops.com/vulnerabilities/unassisted-ios-attacks-via-mobilemail-maild-in-the-wild/
Zoom 5 To Be Released Shortly Addressing Encryption Issues
OpenSSL Fixes DOS Flaw
https://www.openssl.org/news/secadv/20200421.txt
GCC's New Security Analyzer Finds Flaw in OpenSSL
https://developers.redhat.com/blog/2020/03/26/static-analysis-in-gcc-10/
IBM Spectrum Protect Server Stack Based Buffer Overflow
https://www.ibm.com/support/pages/node/6195706
Possible Issues With Cumulative Windows Updates
https://www.reddit.com/search/?q=KB4549951
Using a GPU as a Radio
https://duo.com/labs/research/finding-radio-sidechannels
Comparing Red Team Platforms
https://redcanary.com/blog/comparing-red-team-platforms/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
