SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #36
May 5, 2020
8,300 Attend Virtual ICS Conference; US Executive Order on Grid Security; Hackers Infected Android Devices Through MDM Server
****************************************************************************
SANS NewsBites May 5, 2020 Vol. 22, Num. 036
****************************************************************************
TOP OF THE NEWS
8,300 Cybersecurity Professionals Attend Virtual ICS Conference
US Executive Order on Grid Security
Hackers Infected Company's Android Devices Through its MDM Server
REST OF THE NEWS
Hackers Exploit SaltStack Vulnerabilities to Breach Servers at Ghost, LineageOS, and Others
Mozilla is Developing a Firefox eMail Alias Service
Oracle Says WebLogic Server Vulnerability Patched in April is Being Used in Attacks
WordPress Ninja Forms Update Available to Fix Cross-Site Request Forgery Flaw
Contact Tracing Apps: India, Singapore, UK
Downloader Bundles Malware with Older Version of Zoom
Cyberthieves Targeting COVID-19 Research at UK Universities
Phishing eMails Look Like Microsoft Teams Alerts
CISA Reminds Agency CIOs to Use Approved DNS Resolution Service
North Dakota Broadband Service Provider Hit With Ransomware
NGA Selects Seven States for Cybersecurity Policy Development Program
INTERNET STORM CENTER TECH CORNER
*********************** Sponsored By Splunk *******************************
Closing the Cybersecurity Gap: 3 Keys to Analytics-Driven Security. According to the 2018 Security Priorities study from IDG, 28% of IT leaders say that external cyberthreats force them to redirect time and focus away from more strategic tasks. Read this Executive Brief from CSO to learn how you can improve your security posture and gain real bottom-line benefits. http://www.sans.org/info/216305
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Test drive a course: https://www.sans.org/course-preview
Get a 10.2" iPad (34GB), Samsung Galaxy Tab A, or Take $250 Off through May 13 with OnDemand or Live Online training.
https://www.sans.org/online-security-training/specials/
______________________
Upcoming Live Online Events:
Security West 2020 | May 11-16
- https://www.sans.org/event/security-west-2020
2-Day Firehose Training | May 26-29
- https://www.sans.org/event/2-day-firehose-training-may27-2020
Cloud Security Summit & Training 2020 | May 26-June 5
- https://www.sans.org/event/cloud-security-summit-2020
Rocky Mountain Hackfest Summit & Training 2020 | June 4-13
- https://www.sans.org/event/rockymountainhackfest-summit-2020
SANSFIRE 2020 | June 13-20
- https://www.sans.org/event/sansfire-2020
2-Day Firehose Training | June 29-30
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
In Person Training:
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
______________________
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee
*****************************************************************************
TOP OF THE NEWS
--8,300 Cybersecurity Professionals Attend Virtual ICS Conference
(May 4, 2020)
Last week, 8,300 ICS cybersecurity professionals attended a virtual conference and NetWars competition hosted by SANS and Dragos. The NetWars CTF was limited to the first 1,000 registrants, and every virtual seat filled up. The program was designed to provide timely, actionable information in support of the ICS community, along with a fun simulated ICS environment where attendees can practice and hone their skills. It covered the most dangerous current threats and hands-on demonstrations, and helped operators understand the thinking behind the new White House Executive Order (see the next story). Most remarkable was the demonstration of a "controller-in-the-middle" attack that had not previously been seen. All SANS alumni will have complete access to presentation recordings as well as a downloadable CTF solution package.
SANS: DISC - SANS ICS Virtual Conference
https://www.sans.org/webcasts/disc-ics-virtual-conference-114285
--US Executive Order on Grid Security
(May 1 & 4, 2020)
A White House executive order declares "a national emergency with respect to the threat to the United States bulk-power system" and takes steps to ban the US power grid from acquiring, installing, or using equipment "in which any foreign country or a national thereof has any interest."
Read more in:
The Hill: Trump issues executive order to protect power grid from attack
Nextgov: Citing Cyber Threats, Trump Orders Ban on Buying Energy Sector Equipment from Foreign Adversaries
Infosecurity Magazine: National Emergency as Trump Bans Foreign Power Grid Kit
https://www.infosecurity-magazine.com/news/national-emergency-trump-bans/
SC Magazine: Trump cites cybersecurity concerns issuing order to protect power grid
MeriTalk: White House EO Aims to Ban 'Foreign Adversary'-Made Grid Equipment
https://www.meritalk.com/articles/white-house-eo-aims-to-ban-foreign-adversary-made-grid-equipment/
White House: Executive Order on Securing the United States Bulk-Power System
--Hackers Infected Company's Android Devices Through its MDM Server
(April 29, May 1 & 4, 2020)
A banking Trojan has infected more than 75 percent of a multinational conglomerate's Android devices. A new variant of the Cerberus malware was placed on the mobile devices by compromising the unnamed company's Mobile Device Manager (MDM) server.
[Editor Comments]
[Pescatore] Every end-point security agent has a server somewhere behind it whether it is on premises or in the cloud. If that server is compromised, the security agent turns from a beneficial rootkit to a malicious rootkit. Basic security hygiene for all servers and vigilance on all admin accounts for those servers or cloud services has to be high priority.
[Ullrich] Conventional wisdom says that any system used to configure your infrastructure should live on a dedicated management network. But mobile device management (MDM) has to interact with devices on the internet and can be difficult to segregate. Many of these systems are also cloud based, which typically leaves only strong authentication and the often-misplaced trust in vendors as your last remaining security controls.
Read more in:
SC Magazine: Banking trojan attack exposes dangers of not securing MDM solutions
Threatpost: Upgraded Cerberus Spyware Spreads Rapidly via MDM
https://threatpost.com/cerberus-trojan-major-spyware-targeted-attack/155415/
Bleeping Computer: Hackers breach company's MDM server to spread Android malware
Portswigger: Multinational's mobile endpoints engulfed by Cerberus banking trojan
Check Point: First seen in the wild - Malware uses Corporate MDM as attack vector
https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/
***************************** SPONSORED LINKS ******************************
1) Webcast May 6th at 10:30AM ET: Learn key factors to consider when evaluating, implementing and testing browser isolation solutions. Register: http://www.sans.org/info/216285
2) Survey | Share best practices for improving cloud incident response functions and capabilities! http://www.sans.org/info/216295
3) Don't miss this webcast: Transforming Detection and Response: A SANS Review of Cortex XDR. Register: http://www.sans.org/info/216300
*****************************************************************************
The REST OF THE WEEK'S NEWS
--Hackers Exploit SaltStack Vulnerabilities to Breach Servers at Ghost, LineageOS, and Others
(May 1, 3, & 4, 2020)
Hackers have exploited recently patched vulnerabilities in the Salt management framework to gain unauthorized access to Salt servers belonging to LineageOS, the Ghost blogging platform, and other organizations. Ghost developers noted that the malware drove up CPU usage, which is how they knew something was wrong. SaltStack has released patches to fix the flaws; companies running Salt servers are urged to apply the patches as soon as possible or ensure that they are behind a firewall.
[Editor Comments]
[Ullrich] If you are reading this and you still have an unpatched SaltStack in your environment: Call your IR team (no need to patch first). Now stop reading. For the rest of you still with me: A system used to manage your entire infrastructure should not be exposed to the internet. The idea of a central system like this is that you will be able to spend resources to adequately secure and monitor it. This isn't easy. But at least you have to do it only once (vs. having many configuration management systems). Yes, these systems have to interact with cloud components. But I am sure with all the money you are saving by moving to the cloud, there was plenty left to actually secure it (read last sentence with sarcasm).
Read more in:
DUO: SaltStack Flaw Used in Numerous Attacks
https://duo.com/decipher/saltstack-flaw-used-in-numerous-attacks
The Register: AsSalt-ed at the weekend: Miscreants roast Ghost, LineageOS totters as Salt bug bites
https://www.theregister.co.uk/2020/05/04/salty_salty_tears/
The Hacker News: Critical SaltStack RCE Bug (CVSS Score 10) Affects Thousands of Data Centers
https://thehackernews.com/2020/05/saltstack-rce-vulnerability.html
The Hacker News: Hackers Breach LineageOS, Ghost, DigiCert Servers Using SaltStack Vulnerability
https://thehackernews.com/2020/05/saltstack-rce-exploit.html
Cyberscoop: Hackers seize on software flaw to breach two victims, despite patch availability
https://www.cyberscoop.com/salt-stack-vulnerability-lineage-remote-code/
Bleeping Computer: LineageOS outage caused by hackers breaching main infrastructure
ZDNet: Hackers breach LineageOS servers via unpatched vulnerability
https://www.zdnet.com/article/hackers-breach-lineageos-servers-via-unpatched-vulnerability/
ZDNet: Ghost blogging platform servers hacked and infected with crypto-miner
https://www.zdnet.com/article/ghost-blogging-platform-servers-hacked-and-infected-with-crypto-miner/
Dark Reading: Attackers Exploit SaltStack Flaws to Compromise Open Source OS & Blogging Platform
--Mozilla is Developing a Firefox eMail Alias Service
(May 1, 2020)
Mozilla is developing an email alias service for its Firefox browser. Firefox Private Relay will be an addon. It will allow users to easily generate email aliases they can use to register new accounts, subscribe to newsletters, or conduct other business where they do not want to expose their email addresses. Private Relay is currently in closed beta testing; a public beta is expected later this year.
[Editor Comments]
[Northcutt] After reading about this I applied for the beta. I spend about 15 minutes every Saturday unsubscribing from the useless emails that found my account. Some are even cheeky enough to say things like "Wanting to make sure you got my last email"; now one click will take out whoever sold my email at the same time. What is not to like?
[Pescatore] Apple has a similar service for users who don't want to use their real email address when registering with apps downloaded from the Apple App Store. This is one of those "put all of your eggs in one basket and really, really trust that basket - or watch it very, very closely" kind of scenarios. The Firefox browser has an 8% market share, so it is not going to have a large impact. A simple, more universal approach is just to have a "burner" freemail address you use with all apps and web sites that require an email address.
Read more in:
ZDNet: New Firefox service will generate unique email aliases to enter in online forms
--Oracle Says WebLogic Server Vulnerability Patched in April is Being Used in Attacks
(April 30, May 1 & 4, 2020)
Oracle is urging users to apply patches it released last month as part of its quarterly Critical Patch Update. Oracle says it has learned that several of the patched flaws are being actively exploited. One of those, CVE-2020-2883, is a critical remote code execution flaw in WebLogic Server.
[Editor Comments]
[Ullrich] A PoC exploit was released the day after the patch. Oracle only discovering now that this vulnerability is being actively exploited is a bit late. If you haven't patched yet, your first call should be your incident response team. Unless they are quite skilled, they will find a crypto coin miner, and call it a day, leaving the actual compromise undetected. You may want to read up on ransomware as this is probably what will hit you next.
[Murray] The failure to "patch" in a timely manner demonstrates that the strategy of placing responsibility for the quality of software on the end user is not merely expensive but ineffective.
Read more in:
Oracle: Customers should apply the April 2020 Critical Patch Update without delay!
https://blogs.oracle.com/security/apply-april-2020-cpu
ZDNet: Oracle warns of attacks against recently patched WebLogic security bug
Threatpost: Oracle: Unpatched Versions of WebLogic App Server Under Active Attack
https://threatpost.com/oracle-unpatched-versions-of-weblogic-app-server-under-active-attack/155420/
--WordPress Ninja Forms Update Available to Fix Cross-Site Request Forgery Flaw
(April 29 & May 1, 2020)
A vulnerability in the Ninja Forms WordPress plugin could be exploited to create new admin accounts and take control of unpatched websites. Ninja Forms has released an updated version of the plugin, 3.4.24.2, that fixes the flaw. Ninja Forms is installed on more than one million websites.
Read more in:
ZDNet: Ninja Forms WordPress bug exposed over a million users to XSS attacks, website hijacking
Wordfence: High Severity Vulnerability Patched in Ninja Forms
https://www.wordfence.com/blog/2020/04/high-severity-vulnerability-patched-in-ninja-forms/
--Contact Tracing Apps: India, Singapore, UK
(May 4, 2020)
In parts of India where COVID-19 is spreading, people are being required to use a contact tracing app called Aarogya Setu. Starting May 12, Singapore's "SmartEntry" system will require smartphone check-ins at all businesses. The system will log names, phone numbers, national ID numbers, and the time individuals enter and exit a business. In the UK, healthcare workers and local government officials on the Isle of Wight will be able to download a test version of the NHS's contact tracing app, which was developed by NHS's digital unit, NHSX.
[Editor Comments]
[Ullrich] As they say for cryptography: Do not roll your own. Researchers have developed a number of contact tracing protocols that carefully weigh the value of the data vs. the privacy of the participants. Apple and Google are working on an API to implement these protocols in their devices. Contact tracing applications will not work if early implementations are not using these protocols and destroy the public's trust in contact tracing. Trust matters. These applications will work only if a majority of users turn them on. An overview of some of the proposed contact tracing protocols can be found here: https://isc.sans.edu/forums/diary/Privacy+Preserving+Protocols+to+Trace+Covid19+Exposure/26066/
Read more in:
The Register: India makes contact-tracing app compulsory in viral hot zones despite most local phones not being smart
https://www.theregister.co.uk/2020/05/04/india_makes_contacttracing_app_compulsory/
ZDNet: India orders mandatory use of COVID-19 contact tracing app for all workers
The Register: Singapore to require smartphone check-ins at all businesses and will log visitors' national identity numbers
https://www.theregister.co.uk/2020/05/04/safe_entry_singapore_visitor_logging/
BBC: Coronavirus: UK contact-tracing app is ready for Isle of Wight downloads
https://www.bbc.com/news/technology-52532435
--Downloader Bundles Malware with Older Version of Zoom
(April 29 & May 4, 2020)
Users are urged to be vigilant about the source when downloading Zoom software. Researchers at Trend Micro have detected a campaign that bundles shady Zoom downloads with the RevCode WebMonitor remote access Trojan (RAT).
Read more in:
TrendMicro: WebMonitor RAT Bundled with Zoom Installer
ZDNet: Hackers target remote workers with fake Zoom downloader
https://www.zdnet.com/article/hackers-target-remote-workers-with-fake-zoom-downloader/
--Cyberthieves Targeting COVID-19 Research at UK Universities
(May 3 & 4, 2020)
The UK's National Cyber Security Centre (NCSC) has warned that foreign hackers are targeting British universities and research facilities in an effort to steal COVID-19-related research. None of the attacks appears to have been successful.
Read more in:
The Guardian: Hostile states trying to steal coronavirus research, says UK agency
ZDNet: Hackers are targeting UK universities to steal coronavirus research, NCSC warns
--Phishing eMails Look Like Microsoft Teams Alerts
(May 1 & 2, 2020)
A recently detected phishing campaign uses messages that pretend to be Microsoft Teams notifications. The emails attempt to get users to divulge their Office365 credentials. The campaign is especially worrisome as people working from home are likely to be expecting to receive such notifications.
Read more in:
Threatpost: Microsoft Teams Impersonation Attacks Flood Inboxes
https://threatpost.com/microsoft-teams-impersonation-attacks/155404/
Bleeping Computer: Convincing Office 365 phishing uses fake Microsoft Teams alerts
GovInfosecurity: Latest Phishing Campaign Spoofs Microsoft Teams Messages
https://www.govinfosecurity.com/latest-phishing-campaign-spoofs-microsoft-teams-messages-a-14219
Dark Reading: Fake Microsoft Teams Emails Phish for Credentials
https://www.darkreading.com/cloud/fake-microsoft-teams-emails-phish-for-credentials/d/d-id/1337717
--CISA Reminds Agency CIOs to Use Approved DNS Resolution Service
(April 30 & May 1, 2020)
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has sent a memo to federal agency CIOs reminding them that they are required to use the EINSTEIN 3 Accelerated DNS resolution service for devices connected to federal networks. The reminder comes while many federal employees are working from home and may attempt to connect to government networks through unsupported DNS encryption services. CISA is also planning to notify agencies of DNS traffic anomalies.
[Editor Comments]
[Pescatore] In the April 10th NewsBites, I pointed to several good choices of DNS services to recommend to home workers. The CISA memo recommends many of the same ones: Cisco (OpenDNS), Cloudflare, Google and Quad9.
Read more in:
FedScoop: CISA to inform agencies of DNS traffic anomalies
https://www.fedscoop.com/cisa-dns-traffic-anomalies/
FCW: Amid telework boom, CISA reminds agencies of DNS resolution requirements
https://fcw.com/articles/2020/05/01/amid-telework-boom-cisa-reminds-on-dns-resolution.aspx
GovInfosecurity: CISA Urges Federal Agencies to Use Approved DNS Service
https://www.govinfosecurity.com/cisa-urges-federal-agencies-to-use-approved-dns-service-a-14218
CISA: Addressing DNS Resolution on Federal Networks
https://www.cisa.gov/blog/2020/04/30/addressing-dns-resolution-federal-networks
CISA: Memorandum for Agency Chief Information Officers (PDF)
--North Dakota Broadband Service Provider Hit With Ransomware
(May 1, 2020)
Dakota Carrier Network (DCN), a consortium of more than a dozen broadband companies, was the victim of a ransomware attack. DCN's CEO said the attack was detected early in the morning of Sunday, April 26. The company "quickly shut everything down and restored all of [its] data from the most recent tape backup, which was Friday, April 24." The hackers have posted information stolen from DCN to a website.
Read more in:
Statescoop: North Dakota government fiber provider hit by ransomware
https://statescoop.com/north-dakota-government-fiber-provider-hit-maze-ransomware/
--NGA Selects Seven States for Cybersecurity Policy Development Program
(May 1, 2020)
The US National Governors Association (NGA) has selected seven states to be the 2020 cohort for its cybersecurity policy development program. Colorado, Michigan, Mississippi, New York, Oregon, Pennsylvania, and Tennessee will receive guidance to help them "create strategic plans to address statewide cybersecurity governance, critical infrastructure cybersecurity, statewide cyber disruption response planning, cybersecurity workforce development and state-local partnerships in cybersecurity."
Read more in:
Statescoop: NGA picks next seven states for cybersecurity program
https://statescoop.com/nga-picks-next-seven-states-cybersecurity-program/
NGA: NGA Selects 7 States To Focus On Advancing Statewide Cybersecurity
https://www.nga.org/center/issues/hsps-issues/selction-seven-states-advancing-cybersecurity/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
ZIP Files and AES
https://isc.sans.edu/forums/diary/ZIP+AES/26080/
Saltstack Vulnerability Exploited in the Wild
Exploring the Sysmon 11 File Deletion Protection
https://isc.sans.edu/forums/diary/Sysmon+and+File+Deletion/26084/
Mobile Device Manager Compromise
https://research.checkpoint.com/2020/first-seen-in-the-wild-mobile-as-attack-vector-using-mdm/
Digicert CT Compromise
https://groups.google.com/a/chromium.org/forum/#!topic/ct-policy/aKNbZuJzwfM
WebLogic Flaw (new one..) Exploited in the Wild
https://blogs.oracle.com/security/apply-april-2020-cpu
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create