SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #34
April 28, 2020
Vulnerability in Teams (Zoom Competitor); Sophos XG Firewall Vulnerability; Water Treatment Plant Cyberattacks
Even more SANS students are sharing their enthusiasm (and sometimes their surprise) at how well they are learning and how much they are enjoying the online learning experience at SANS. That's because we started 18 years ago and have been teaching 10,000 people online each year, continually improving our technology and technique.
From SEC504: "The Live Online training platform is a stable and great environment for people who don't have time to travel and attend events. I will recommend this platform to my management." - Muhiballah Mohammed, Cisco.
"SANS courses are a perfect blend between teaching processes/best practices and useful tools," and "All labs provide a great hands-on experience to test newly learned material." - John R., US Government
****************************************************************************
SANS NewsBites April 28, 2020 Vol. 22, Num. 034
****************************************************************************
TOP OF THE NEWS
Microsoft Fixes Vulnerability in Teams (A Zoom Competitor)
Sophos Fixes XG Firewall Vulnerability
Israeli Government Warns Water Treatment Plants of Cyberattacks
REST OF THE NEWS
Expired Certificate Causes Problems for Rabobank Android App Users in Australia
Hupigon RAT Spear Phishing Campaign
Shade Ransomware Operators Stop Development, Release Decryption Keys
Hackers Stole Data From Chinese Firm Conducting COVID-19 Research
Ransomware Hits Hospital in Colorado
In Wake of Ransomware Attack, Hackers Post Information Stolen From Pharmaceutical Outsourcing Company
Ransomware Targets Architecture Firm
No Fix Available for WordPress OneTone Theme Vulnerability
INTERNET STORM CENTER TECH CORNER
********************* Sponsored By Netskope *****************************
Join Netskope's Cloud Security Workshop. Are you really ready to provide safe access to cloud services and keep pace with new threats? Register for Netskope's complimentary cloud security workshop! Take control over your web services. Get 5 CPE credits and hands-on experience with Next Gen Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) solutions built for the cloud. https://www.sans.org/info/216215
****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Test drive a course: https://www.sans.org/course-preview
______________________
Upcoming Live Online Events:
Instructor-Led Training | May 4-9
- https://www.sans.org/event/live-online-may4-2020
Security West 2020 | May 11-16
- https://www.sans.org/event/security-west-2020
2-Day Firehose Training | May 26-29
- https://www.sans.org/event/2-day-firehose-training-may27-2020
Cloud Security Summit & Training 2020 | May 26-June 5
- https://www.sans.org/event/cloud-security-summit-2020
Rocky Mountain Hackfest Summit & Training 2020 | June 4-13
- https://www.sans.org/event/rockymountainhackfest-summit-2020
SANSFIRE 2020 | June 13-20
- https://www.sans.org/event/sansfire-2020
2-Day Firehose Training | June 29-30
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
In Person Training:
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
______________________
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee
****************************************************************************
TOP OF THE NEWS
--Microsoft Fixes Vulnerability in Teams (a Zoom competitor)
(April 27, 2020)
Microsoft has fixed a subdomain takeover flaw in its Teams communication and collaboration platform that could have been exploited to take control of vulnerable accounts. A proof-of-concept exploit demonstrated that would-be attackers could take over accounts by tricking users into viewing a maliciously crafted GIF.
[Editor Comments]
[Neely] Teams is positioned to subsume Skype for Business as well as provide collaboration services. While collaboration is restricted to your Microsoft 365 tenant, meetings can include external (guest) participants, which necessitated providing support for sharing images in the chat channel. The token needed for the attack to work is good for only an hour, but is renewed each time the GIF is viewed. Exploiting this weakness is difficult, due to the requirement for identifying a vulnerable Microsoft Teams subdomain. Microsoft claims to have secured those domains and added anti-exploitation measures.
Read more in:
CyberArk: Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams
Infosecurity Magazine: Microsoft Teams Funny GIFs Vulnerability Mended
https://www.infosecurity-magazine.com/news/microsoft-teams-funny-gifs/
Silicon Angle: Microsoft fixes wormlike account hijacking exploit in Teams
https://siliconangle.com/2020/04/27/microsoft-fixes-wormlike-account-hijacking-exploit-teams/
Threatpost: Single Malicious GIF Opened Microsoft Teams to Nasty Attack
https://threatpost.com/single-malicious-gif-opened-microsoft-teams-to-nasty-attack/155155/
Bleeping Computer: Microsoft Teams patched against image-based account takeover
The Register: We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit
https://www.theregister.co.uk/2020/04/27/microsoft_teams_gif_pwn_patch/
Cyberscoop: Researchers used a GIF to prove they could access Microsoft Teams user data
https://www.cyberscoop.com/microsoft-teams-security-flaw-cyberark-gif/
Security Week: Microsoft Teams Vulnerability Exposed Organizations to Attacks
https://www.securityweek.com/microsoft-teams-vulnerability-exposed-organizations-attacks
--Sophos Fixes XG Firewall Vulnerability
(April 26 & 27, 2020)
Sophos has released a patch to fix an SQL injection vulnerability in its XG Firewall that was being actively exploited. Hackers were using the flaw to install a malicious payload, which then exfiltrated sensitive data. Sophos pushed out the hotfix to all supported versions of the XG Firewall that have enabled automatic hotfix installations.
[Editor Comments]
[Murray] OWASP has documented how difficult it is to do complete input checking at the application layer because the developer usually cannot know the environment in which the application will run. Therefore, every layer in the stack must parse its own input. That said, SQL injection attacks exploit the failure of the application layer to check for SQL commands in the input.
Read more in:
Sophos: Fixing SQL injection vulnerability and malicious code execution in XG Firewall/SFOS
https://community.sophos.com/kb/en-us/135412
Portswigger: Sophos XG Firewall zero-day vulnerability gets patched
https://portswigger.net/daily-swig/sophos-xg-firewall-zero-day-vulnerability-gets-patched
Threatpost: Hackers Mount Zero-Day Attacks on Sophos Firewalls
https://threatpost.com/hackers-zero-day-attacks-sophos-firewalls/155169/
Ars Technica: Attackers exploit 0-day code-execution flaw in the Sophos firewall
ZDNet: Hackers are exploiting a Sophos firewall zero-day
https://www.zdnet.com/article/hackers-are-exploiting-a-sophos-firewall-zero-day/
Bleeping Computer: Hackers exploit zero-day in Sophos XG Firewall, fix released
--Israeli Government Warns Water Treatment Plants of Cyberattacks
(April 27, 2020)
Hackers have reportedly launched attacks against wastewater treatment facilities, pumping stations, and sewers in Israel. An alert from the Israeli National Cyber-Directorate (INCD) is urging employees at water and energy facilities in that country to change their passwords for all Internet-connected systems. The Israeli government Water Authority and the country's Computer Emergency Response Team have also released alerts.
Read more in:
ZDNet: Israel government tells water treatment companies to change passwords
SC Magazine: Israeli cyber defenders warn of attacks on water supply
***************************** SPONSORED LINKS ******************************
1) Rocky Mountain Hackfest Summit & Training 2020 - SANS Live Online | June 4-13. https://www.sans.org/info/216220
2) Webcast April 30th at 10:30AM ET: Using Visibility and Analytics to Secure and Optimize Today's Networks. https://www.sans.org/info/216225
3) Don't miss this upcoming webcast: The New Normal: How Employees Stay Secure and Productive While Working-from-Home. https://www.sans.org/info/216230
****************************************************************************
THE REST OF THE WEEK'S NEWS
--Expired Certificate Causes Problems for Rabobank Android App Users in Australia
(April 27, 2020)
An expired security certificate prevented Australian Rabobank customers from accessing their bank accounts on Android mobile devices. The security certificate issue has been addressed and an updated version of the app has been released.
[Editor Comments]
[Pescatore] SSL certificate management is easy if you use only one Certificate Authority, because most CAs provide tools to track the certificates you bought from them. However, it is very rare for larger organizations to have only one source of SSL certificates in use. So, discovery and expiry tracking are too often done, if done at all, in manually updated spreadsheets or via the "Oops" method, as happened to Rabobank. Commercial certificate management products are available from vendors like Entrust DataCard, ManageEngine, SolarWinds, Venafi and others with free trial offers.
[Neely] If you're embedding certificates in applications at the endpoint, such as a mobile device, particularly for customer-managed devices, the method for updating that certificate must be documented and verified. To offset the impacts of reduced staffing, the Rabobank team has set up an email list (clienservicesAU@rabobank.com) for users to request help.
Read more in:
The Register: Rabobank security cert expires and gives its Australian Android app a case of internet-blindness
https://www.theregister.co.uk/2020/04/27/rabobank_australia_android_app_outage/
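The expiry tracking the editor comments above call for, as an added example that is not part of the newsletter or of any product it names: a small Go check that walks a PEM bundle of certificates collected from any number of CAs and flags those already expired or expiring inside a warning window. The certificates it runs on are constructed self-signed ones generated in the block so it works offline; the names and the 30-day window are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// Finding is one certificate from the inventory and its remaining lifetime.
type Finding struct {
	Subject           string
	DaysLeft          int // negative once the certificate has expired
	Expired, Expiring bool
}

// ExpiryReport walks every PEM block in pemData (certificates gathered from any
// number of CAs, load balancers and app bundles) and flags each certificate that
// has expired or expires within window of now.
func ExpiryReport(pemData []byte, now time.Time, window time.Duration) ([]Finding, error) {
	var out []Finding
	for rest := pemData; ; {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			return out, nil // no more PEM blocks in the bundle
		}
		if block.Type != "CERTIFICATE" {
			continue // keys or other PEM material mixed into the inventory
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		left := cert.NotAfter.Sub(now)
		out = append(out, Finding{
			Subject:  cert.Subject.CommonName,
			DaysLeft: int(left.Hours() / 24),
			Expired:  left <= 0,
			Expiring: left > 0 && left <= window,
		})
	}
}

// SelfSignedPEM builds a constructed self-signed certificate so the example runs
// offline; it stands in for certificates pulled from a real inventory.
func SelfSignedPEM(cn string, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // constructed data, errors ignored
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Because X.509 stores validity to the second, pass a `now` truncated to whole seconds when you want exact day counts; a real deployment would feed ExpiryReport the bundle exported from each CA and alert on any Expired or Expiring finding.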
--Hupigon RAT Spear Phishing Campaign
(April 24 & 27, 2020)
A phishing campaign aiming to spread the Hupigon remote access Trojan (RAT) has been targeting users in multiple sectors, including faculty and students at US colleges and universities. In the past the Hupigon RAT has been linked to hackers working on behalf of China's government.
Read more in:
Threatpost: U.S. Universities Hit With 'Adult Dating' Spear-Phishing Attack
https://threatpost.com/us-universities-adult-dating-spear-phishing-attack/155170/
Bleeping Computer: US universities targeted with malware used by state-backed actors
--Shade Ransomware Operators Stop Development, Release Decryption Keys
(April 27, 2020)
The operators responsible for ransomware known as Shade say they have stopped developing and distributing the malware. They have created a GitHub repository that includes decryption keys. Shade, also known as Troldesh, has been associated with Russian hackers.
[Editor Comments]
[Neely] The Shade ransomware was often sold to others for use, but active use of that strain seems to have ended at the close of 2019. The decryption keys have been verified and may be incorporated into third-party decryption tools. The group also published instructions for decryption of files on systems still impacted by Shade.
Read more in:
Bleeping Computer: Shade Ransomware shuts down, releases 750K decryption keys
ZDNet: Shade (Troldesh) ransomware shuts down and releases decryption keys
https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/
DUO: Shade Ransomware Decryption Keys Published
https://duo.com/decipher/shade-ransomware-decryption-keys-published
--Hackers Stole Data From Chinese Firm Conducting COVID-19 Research
(April 27, 2020)
Hackers have stolen data from Huiying Medical, a Chinese company that is developing COVID-19 screening technology that uses artificial intelligence. Some of the stolen information has been offered for sale on the dark web. The compromised data include technology source code and reports.
Read more in:
Forbes: Chinese 'Frontline' COVID-19 Research Firm Reported Hacked: Data Now On Dark Web
TechNadu: Chinese Firm Researching Coronavirus Detection Got Hacked and the Data Is on the Dark Web
Medium: Huiying Medical Breached; Source Code for AI-assisted COVID-19 Detection, and Experimental Data of COVID-19 on Sale
--Ransomware Hits Hospital in Colorado
(April 27, 2020)
Parkview Medical Center in Pueblo, Colorado, was the victim of a ransomware attack last week. On Monday, April 27, the hospital's website said the facility was "currently experiencing a network outage."
Read more in:
SC Magazine: Cyberattack strikes down Colorado's Parkview Medical Center
Gov Infosecurity: Colorado Hospital Latest Cyberattack Victim Amid COVID-19
https://www.govinfosecurity.com/colorado-hospital-latest-cyberattack-victim-amid-covid-19-a-14189
--In Wake of Ransomware Attack, Hackers Post Information Stolen From Pharmaceutical Outsourcing Company
(April 27, 2020)
Hackers have published data taken from systems at Pennsylvania-based ExecuPharm. The company suffered a ransomware attack in mid-March.
[Editor Comments]
[Neely] Add the CLOP ransomware group to the list of entities that will publish your data if they are not paid. There is no known decryption tool for the CLOP ransomware. ExecuPharm rebuilt their systems and implemented measures, including password resets, multi-factor authentication and updated endpoint protection to prevent recurrence, avoiding paying the ransom. Read the letter to the Vermont Attorney General for a description of the data exfiltrated.
Read more in:
Tech Crunch: Hackers publish ExecuPharm internal data after ransomware attack
https://techcrunch.com/2020/04/27/execupharm-clop-ransomware/
Silicon Angle: Data stolen from outsourcing group ExecuPharm published after ransomware attack
AGO.vermont: ExecuPharm Inc Notice of Data Breach to Consumers
--Ransomware Targets Architecture Firm
(April 27, 2020)
Systems at Zaha Hadid Architects (ZHA), a London-based firm, were the target of a ransomware attack last week. ZHA has brought in a cyber forensics team to investigate the incident. ZHA appears not to have paid the demanded ransom.
Read more in:
Archinect: Zaha Hadid Architects hit with ransomware attack
https://archinect.com/news/article/150195258/zaha-hadid-architects-hit-with-ransomware-attack
--No Fix Available for WordPress OneTone Theme Vulnerability
(April 28, 2020)
Hackers are exploiting an unpatched cross-site scripting issue in the OneTone WordPress theme to create backdoor admin accounts. The vulnerability was detected in September 2019; the developer did not release a fix. WordPress delisted the free version of the OneTone theme in October 2019.
[Editor Comments]
[Neely] The OneTone theme plugin has not been updated since 2018. While replacing the theme of a web site can be painful, being compromised is even more painful. Plugins need to be on your software support watch list, and just like other layered products, replaced or removed when they reach end-of-life.
Read more in:
ZDNet: Hackers are creating backdoor accounts and cookie files on WordPress sites running OneTone
****************************************************************************
INTERNET STORM CENTER TECH CORNER
Malware Bazaar
https://isc.sans.edu/forums/diary/MALWARE+Bazaar/26052/
Powershell Payload Stored in a PSCredential Object
https://isc.sans.edu/forums/diary/Powershell+Payload+Stored+in+a+PSCredential+Object/26058/
CIRA Launches Canadian Shield
Microsoft Teams Account Takeover Bug
COVID-19 Tracing Protocols
https://github.com/DP-3T/documents
https://www.pepp-pt.org/content
https://www.apple.com/covid19/contacttracing/
Sophos XG Firewall SQL Injection Vulnerability Exploited
https://community.sophos.com/kb/en-us/135412
USB Drives Used to Spread Crypto Coin Mining Botnet
https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978, including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create