SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #39
May 15, 2020
British Research Supercomputer Offline; Patch Tuesday: Microsoft and Adobe
****************************************************************************
SANS NewsBites May 15, 2020 Vol. 22, Num. 039
****************************************************************************
TOP OF THE NEWS
- ARCHER Supercomputer Offline - Part of Large UK/Global Cyber Event
- Patch Tuesday: Microsoft and Adobe
REST OF THE NEWS
- US Accuses China of Cyberattacks Aimed at Stealing COVID-19 Research
- Toll Group Says Ransomware Hackers Downloaded Corporate Data
- Customer Data Exfiltrated in Ransomware Attack on Magellan Health
- Scammers Steal Millions from Norwegian State Investment Fund
- CISA Lists Top 10 Most Exploited Vulnerabilities
- Ramsay Cyberespionage Toolkit Targets Air-Gapped Networks
- Privilege Elevation Vulnerability in Google's Site Kit WordPress Plugin
- CISA: Lazarus Hacking Group is Using New Malware
- US Supreme Court Hearing CFAA Case
- UK Power Grid Middleman Suffers Cyberattack
INTERNET STORM CENTER TECH CORNER
********************* Sponsored By Chronicle ******************************
Get a free 15-minute SIEM TCO analysis report. Eventually, the cost isn't worth the effort. If keeping your legacy SIEM running is more than you can handle, unwind your SIEM costs with zero-management security analytics from Chronicle and let us ensure perfect fidelity, no matter how much data you generate. Learn more: http://www.sans.org/info/216395
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Test drive a course: https://www.sans.org/course-preview
Choose a great promo offer* through May 27 with OnDemand or Live Online training:
* Get a 10.2" iPad (32G) with Smart Keyboard
* Train-From-Home Tech Package: Apple TV 4K (64G) with AirPods Pro
* Take $300 Off
*Restrictions apply, see Terms & Conditions online
https://www.sans.org/online-security-training/specials/
Hot OnDemand Courses:
SEC401: Security Essentials Bootcamp Style | https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling | https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking | https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics | https://www.sans.org/ondemand/course/advanced-incident-response-threat-hunting-training
______________________
Upcoming Live Online Events:
2-Day Firehose Training | May 26-29
- https://www.sans.org/event/2-day-firehose-training-may27-2020
Cloud Security Summit & Training 2020 | May 26-June 5
- https://www.sans.org/event/cloud-security-summit-2020
Pen Test Hackfest & Cyber Ranges Summit 2020 (Free Event) | June 4-13
- https://www.sans.org/event/rockymountainhackfest-summit-2020
SANSFIRE 2020 | June 13-20
- https://www.sans.org/event/sansfire-2020
2-Day Firehose Training | June 29-30
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
SANS Summer Surge: Wave 1 | July 6-11
- https://www.sans.org/event/sans-surge-summer-series-wave-1
In Person Training:
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
______________________
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee.
*****************************************************************************
TOP OF THE NEWS
--ARCHER Supercomputer Offline
(May 13 & 14, 2020)
The ARCHER supercomputer, the UK's national academic research system hosted at the University of Edinburgh, has been offline since Monday, May 11, after its login nodes were compromised; administrators have reset user passwords and SSH keys. According to the ARCHER website, the "incident is part of a much broader issue involving many other sites in the UK and internationally."
[Editor Comments]
[Neely] While unauthorized use of resources or unexpected jobs running on a supercomputer raise flags immediately, campus data center resources are a current target for crypto mining. Raising the bar on authentication is appropriate. Adding multi-factor authentication and deliberately updating SSH keys go a long way towards keeping this in check.
Read more in:
Cyberscoop: Security incident knocks UK supercomputer service offline for days
https://www.cyberscoop.com/archer-supercomputer-security-incident/
The Register: Danger zone! Brit research supercomputer ARCHER's login nodes exploited in cyber-attack, admins reset passwords and SSH keys
https://www.theregister.co.uk/2020/05/13/uk_archer_supercomputer_cyberattack/
Archer: Service Status
https://www.archer.ac.uk/status/
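A site that has just reset passwords and SSH keys, as ARCHER's administrators did, still has to confirm that no pre-reset key is left in any user's authorized_keys. The script below is an added example, not code from the ARCHER service, EPCC, or any of the articles above: it parses OpenSSH authorized_keys entries (including quoted option lists), computes the same SHA256 fingerprint that `ssh-keygen -lf` prints from the raw key blob, and reports keys that were not re-issued after the reset, RSA keys below a size floor, deprecated key types, and entries with no `from=` source restriction. The authorized_keys text, the ROTATION_ALLOWLIST of re-issued fingerprints, and the 2048-bit RSA floor are all constructed assumptions for illustration.

```python
"""Audit an OpenSSH authorized_keys file after a credential-reset event.

Added example (not ARCHER/EPCC code). The sample authorized_keys text, the
ROTATION_ALLOWLIST and the MIN_RSA_BITS policy are constructed assumptions.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional

MIN_RSA_BITS = 2048             # local policy assumption
DEPRECATED_TYPES = {"ssh-dss"}  # disabled by default since OpenSSH 7.0
KNOWN_TYPES = {"ssh-ed25519", "ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
               "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com"}

# --- SSH wire-format helpers (RFC 4251 "string" and "mpint") ---
def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    # positive mpint: big-endian with a leading 0x00 when the top bit is set
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))

def read_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n

def ssh_fingerprint(blob: bytes) -> str:
    """Format used by `ssh-keygen -lf`: SHA256 of the raw blob, base64, no '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

@dataclass
class KeyEntry:
    options: list
    keytype: str
    fingerprint: str
    comment: str
    rsa_bits: Optional[int]

def split_options(line: str):
    """Options are comma-separated; quoted values may contain spaces, so the
    option list ends at the first blank outside double quotes."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"' and not (i and line[i - 1] == "\\"):
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            return line[:i].split(","), line[i:].lstrip()
    return line.split(","), ""

def parse_line(line: str) -> Optional[KeyEntry]:
    """One authorized_keys line -> KeyEntry; None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KNOWN_TYPES:
        options, rest = [], line          # no leading option list
    else:
        options, rest = split_options(line)
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"malformed entry: {line!r}")
    keytype, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    blob = base64.b64decode(parts[1], validate=True)
    blob_type, off = read_string(blob, 0)
    if blob_type.decode() != keytype:   # type field and blob must agree
        raise ValueError(f"type {keytype} does not match blob {blob_type!r}")
    rsa_bits = None
    if keytype == "ssh-rsa":
        _e, off = read_string(blob, off)  # public exponent
        n, _ = read_string(blob, off)     # modulus
        rsa_bits = int.from_bytes(n, "big").bit_length()
    return KeyEntry(options, keytype, ssh_fingerprint(blob), comment, rsa_bits)

def parse_authorized_keys(text: str):
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def audit(entries, rotation_allowlist):
    """Map each key fingerprint to the list of policy findings against it."""
    report = {}
    for e in entries:
        findings = []
        if e.fingerprint not in rotation_allowlist:
            findings.append("not-reissued-after-reset")
        if e.keytype in DEPRECATED_TYPES:
            findings.append(f"deprecated-type:{e.keytype}")
        if e.rsa_bits is not None and e.rsa_bits < MIN_RSA_BITS:
            findings.append(f"rsa-{e.rsa_bits}-bits-below-{MIN_RSA_BITS}")
        if not any(o.startswith("from=") for o in e.options):
            findings.append("no-from-restriction")
        report[e.fingerprint] = findings
    return report

# --- constructed sample input (not from any real host) ---
ALICE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
BACKUP_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(b"\x42" * 32)
BOB_BLOB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 1023) | 1)  # 1024-bit modulus
b64 = lambda b: base64.b64encode(b).decode()
SAMPLE_AUTHORIZED_KEYS = f"""\
# constructed sample authorized_keys for a login node
from="10.0.0.0/8" ssh-ed25519 {b64(ALICE_BLOB)} alice@workstation
ssh-rsa {b64(BOB_BLOB)} bob-old-laptop
command="/usr/local/bin/rsync-only",no-pty ssh-ed25519 {b64(BACKUP_BLOB)} backup-host
"""
# hypothetical allowlist: fingerprints of keys issued after the reset
ROTATION_ALLOWLIST = {ssh_fingerprint(ALICE_BLOB), ssh_fingerprint(BACKUP_BLOB)}

def run_sample():
    return audit(parse_authorized_keys(SAMPLE_AUTHORIZED_KEYS), ROTATION_ALLOWLIST)

if __name__ == "__main__":
    for fp, findings in run_sample().items():
        print(fp, "OK" if not findings else ", ".join(findings))
```

Run it against each user's `~/.ssh/authorized_keys` (and any `AuthorizedKeysFile` paths from sshd_config) and feed the allowlist from your key-issuance records; a key that passes the fingerprint check but lacks `from=` is the next thing to tighten, since a stolen key with no source restriction is exactly what a login-node compromise yields.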
--Patch Tuesday: Microsoft and Adobe
(May 12 & 13, 2020)
Microsoft's Patch Tuesday for May includes more than 110 fixes. Of those, Microsoft has rated 16 as critical; the rest are rated as important. Adobe's Patch Tuesday release includes fixes for 24 issues in Acrobat and Reader, as well as 12 in the Adobe DNG Software Development Kit.
[Editor Comments]
[Pescatore] A couple of important points: (1) There have been reports of this Microsoft patch release causing more "application error code 0X..." errors than usual, often meaning the update either didn't take, or memory needs were exceeded or there were connectivity issues. The size of the updates and the number of business Windows laptops being updated over marginal home WiFi connectivity could be part of the problem - this is a good month to recheck that all business PCs actually did install the updates. (2) SAP issued a notice about many vulnerabilities in several of their SaaS cloud-based applications and Cisco issued a big list of patches for their ASA appliances and Firepower software, too.
[Neely] Adobe gives this update a priority rating of 2, which means there is an elevated risk but no known exploits, and none are expected imminently. This means pushing the patch with your monthly patch cycle, rather than out-of-band, is sufficient and should not distract you from applying the larger Microsoft update.
[Murray] The rate of published "fixes" suggests that there is a reservoir of known and unknown vulnerabilities in these popular products (e.g., operating systems, browsers, readers, content managers). They present an attack surface much larger than the applications for which they are used and cannot be relied upon to resist those attacks. They should not be exposed to the public networks. Hiding them behind firewalls and end-to-end application layer encryption moves from "good" practice to "essential."
Read more in:
MICROSOFT
KrebsOnSecurity: Microsoft Patch Tuesday, May 2020 Edition
https://krebsonsecurity.com/2020/05/microsoft-patch-tuesday-may-2020-edition/
The Register: Sadly, 111 in this story isn't binary. It's decimal. It's the number of security fixes emitted by Microsoft this week
https://www.theregister.co.uk/2020/05/13/patch_tuesday_may/
SC Magazine: Microsoft again surpasses 100 vulnerabilities on Patch Tuesday
MSRC: Release Notes | May 2020 Security Updates
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2020-May
ADOBE
SC Magazine: Adobe Reader and Acrobat in the spotlight for Patch Tuesday updates
ZDNet: Adobe issues patches for 36 vulnerabilities in DNG, Reader, Acrobat
https://www.zdnet.com/article/adobe-issues-patches-for-36-vulnerabilities-in-dng-reader-acrobat/
Adobe: Security update available for Adobe DNG Software Development Kit (SDK) | APSB20-26
https://helpx.adobe.com/security/products/dng-sdk/apsb20-26.html
Adobe: Security Update available for Adobe Acrobat and Reader | APSB20-24
https://helpx.adobe.com/security/products/acrobat/apsb20-24.html
**************************** SPONSORED LINKS ******************************
1) Tune in for the Automation and Integration Survey Results on May 19th with Don Murdoch and Barb Filkins! http://www.sans.org/info/216400
2) Pen Test HackFest & Cyber Ranges Summit | June 4-13. http://www.sans.org/info/216405
3) Survey | Take the 2020 SANS Firewalls in the Modern Enterprise Survey: http://www.sans.org/info/216410
*****************************************************************************
The REST OF THE WEEK'S NEWS
--US Accuses China of Cyberattacks Aimed at Stealing COVID-19 Research
(May 13, 2020)
In a joint statement, the US Federal Bureau of Investigation (FBI) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) accused hackers working on behalf of the People's Republic of China (PRC) of targeting US organizations involved in COVID-19 vaccine, treatment, and testing research in an attempt to steal intellectual property and public health data.
Read more in:
CISA: People's Republic of China (PRC) Targeting of COVID-19 Research Organizations (PDF)
ZDNet: US formally accuses China of hacking US entities working on COVID-19 research
SC Magazine: FBI, CISA warn China targeting orgs conducting Covid-19-related vaccine, treatment research
Bleeping Computer: US warns of Chinese hackers targeting COVID-19 research orgs
Cyberscoop: U.S. accuses Chinese hackers of trying to steal coronavirus vaccine research
https://www.cyberscoop.com/coronavirus-vaccine-china-hacking-dhs-fbi/
--Toll Group Says Ransomware Hackers Downloaded Corporate Data
(May 12 & 13, 2020)
Australian logistics company Toll Group said that the hackers behind a recent ransomware attack "downloaded some data stored on [a] corporate server." Toll Group, which suffered a separate ransomware attack earlier this year, says it will not pay the ransom.
[Editor Comments]
[Neely] This appears to be the Nefilim ransomware, which often spreads through unsecure RDP services. It is not yet known if Nefilim operators will threaten to reveal exfiltrated data to ensure payment, as the Maze operators do. The Toll Group claims there was no operational data affected, indicating they not only are aware of what data was on that server, but also that they have taken the necessary steps to assess the risk of that data being exposed.
Read more in:
GovInfosecurity: Toll Group Says Ransomware Attackers Stole Data
https://www.govinfosecurity.com/toll-group-says-ransomware-attackers-stole-data-a-14271
Toll Group: Toll IT systems update
https://www.tollgroup.com/toll-it-systems-updates
--Customer Data Exfiltrated in Ransomware Attack on Magellan Health
(May 12 & 13, 2020)
Arizona-based Magellan Health, Inc., has disclosed that it was the victim of a ransomware attack. The company's systems were initially breached on April 6, 2020, through a phishing email that was spoofed to appear to come from a client. Magellan detected the ransomware attack on April 11. Between the initial breach and launch of the ransomware, the attackers exfiltrated data taken from a company server. The stolen data include customers' personally identifiable information, including names, Social Security numbers, and Taxpayer ID numbers.
[Editor Comments]
[Murray] It is essential that healthcare institutions address their vulnerability to extortion attacks; their ability to perform their mission depends on making improvements. At a minimum, there must be a documented plan or risk acceptance that describes how the institution will respond to such attacks.
Read more in:
SC Magazine: Magellan Health warns ransomware attack exposed PII
https://www.scmagazine.com/home/security-news/magellan-health-warns-ransomware-attack-exposed-pii/
Bleeping Computer: Healthcare giant Magellan Health hit by ransomware attack
Document Cloud: Sample Notification Letter (PDF)
https://assets.documentcloud.org/documents/6889299/Magellan-Sample-Individual-Notice.pdf
--Scammers Steal Millions from Norwegian State Investment Fund
(May 13 & 14, 2020)
Fraudsters stole $10 million from Norfund, Norway's state-owned investment fund for developing countries. The scammers gained access to Norfund's network and spent several months laying the groundwork for the theft, monitoring the organization's operations and inserting themselves into communications between Norfund and a Cambodian microfinance organization that was due to receive a $10 million investment. The payment was diverted to an account in Mexico. The fraudulent transaction took place on March 16, 2020, but Norfund did not realize the funds had been stolen until April 30.
Read more in:
Norfund: Norfund Has Been Exposed to a Serious Case Of Fraud
https://www.norfund.no/norfund-has-been-exposed-to-a-serious-case-of-fraud/
The Register: There's Norway you're going to believe this: World's largest sovereign wealth fund conned out of $10m in cyber-attack
https://www.theregister.co.uk/2020/05/14/they_cant_affjord_it/
Bleeping Computer: Scammers steal $10 million from Norway's state investment fund
Cyberscoop: Scammers steal $10 million from Norfund, the largest sovereign wealth fund
https://www.cyberscoop.com/norfund-hacked-wealth-fund-10-million/
--CISA Lists Top 10 Most Exploited Vulnerabilities
(May 12, 13, & 14, 2020)
The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has released a list of the 10 vulnerabilities most commonly exploited by foreign hackers between 2016 and 2019. CISA has also listed the vulnerabilities that are most frequently being exploited in 2020. The alert includes a listing of indicators of compromise and mitigations for each of the vulnerabilities. CISA notes that "a concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective."
[Editor Comments]
[Pescatore] Pay particular attention to the ones listed for 2020 - the vulnerabilities in VPN (and other security) appliances being exploited is something Johannes Ullrich pointed out in the SANS Top New Attack Trends keynote at RSA (https://www.sans.org/reading-room/whitepapers/threats/paper/38908). The scanning for misconfigured cloud applications is an ongoing issue, but the rush to cloud-based teleconferencing and storage/collaboration apps to support Work From Home has made misconfigurations even more likely.
[Neely] Note that the vulnerabilities are listed by CVE which are then summarized, such as vulnerabilities in Microsoft OLE. Mitigations start with basic cyber hygiene - timely application of patches and following security configuration guides. Leverage continuous monitoring, including scanning and testing, to verify products remain updated and secure.
Read more in:
US-CERT: Top 10 Routinely Exploited Vulnerabilities
https://www.us-cert.gov/ncas/alerts/aa20-133a
Nextgov: CISA Releases Top 10 Most Routinely Exploited Vulnerabilities
The Register: US-CERT lists the 10 most-exploited security bugs and, yeah, it's mostly Microsoft holes people forgot to patch
https://www.theregister.co.uk/2020/05/14/uscert_most_pwned_bugs/
Dark Reading: Attackers Routinely Use Older Vulnerabilities to Exploit Businesses, US Cyber Agency Warns
Bleeping Computer: US govt shares list of most exploited vulnerabilities since 2016
--Ramsay Cyberespionage Toolkit Targets Air-Gapped Networks
(May 13 & 14, 2020)
Researchers at ESET have found samples of malware designed to steal information from air-gapped networks. The cyber-espionage toolkit, dubbed Ramsay, appears to be under active development: each of the three samples found adds new features, and each was delivered through a different attack vector.
[Editor Comments]
[Neely] The ESET research provides information about how the malware spreads, actions it can provide, and how it gathers and exfiltrates data, as well as IOCs to aid discovery and response. Ramsay appears to share roots with the PLANEPATCH and Retro malware strains. There is no explicit information on how data from air-gapped computers is accessed; the assumption is that data would be intercepted when transferred to those systems over thumb drives or by an attacker with physical access to target systems. The use of a media kiosk, which prevents transfer of malware and direct insertion of media from one system to another, could prevent the transfer of the malware to the air-gapped system; this would not prevent the capture of data from media inserted into a connected compromised system.
Read more in:
WeLiveSecurity: Ramsay: A cyber-espionage toolkit tailored for air-gapped networks
https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/
Dark Reading: New Cyber-Espionage Framework Dubbed Ramsay
Threatpost: Ramsay Malware Targets Air-Gapped Networks
https://threatpost.com/ramsay-malware-air-gapped-networks/155695/
Bleeping Computer: New Ramsay malware steals files from air-gapped computers
Cyberscoop: Researchers expose new malware designed to steal data from air-gapped networks
https://www.cyberscoop.com/eset-ramsay-air-gap-malware/
GovInfosecurity: Cyber-Espionage Malware Targets Air-Gapped Networks: Report
https://www.govinfosecurity.com/cyber-espionage-malware-targets-air-gapped-networks-report-a-14281
--Privilege Elevation Vulnerability in Google's Site Kit WordPress Plugin
(May 13, 2020)
A critical flaw in Google's Site Kit WordPress plugin could be exploited by a low-privileged authenticated user to gain owner access to the vulnerable site's Google Search Console. The privilege elevation vulnerability could be exploited "to modify sitemaps, remove pages from Google search engine result pages (SERPs), or to facilitate black hat SEO campaigns." Google was alerted to the problem on April 21, 2020, and a fix was released in Site Kit version 1.8.0 on May 7.
[Editor Comments]
[Neely] WordPress plugin weaknesses remain a popular target of exploitation. As the plugins are run with privileges needed to modify the entire WordPress site and installation, any weakness, when exploited, can be significant. While there are ways to convert a site to read only, that requires new processes for updating content and software which may outweigh the benefits or the overhead of judicious monitoring and updating of your site.
Read more in:
Wordfence: Vulnerability in Google WordPress Plugin Grants Attacker Search Console Access
GitHub: google / site-kit-wp
https://github.com/google/site-kit-wp/releases/tag/1.8.0
Bleeping Computer: Google WordPress plugin bug can be exploited for black hat SEO
--CISA: Lazarus Hacking Group is Using New Malware
(May 12 & 14, 2020)
The Cybersecurity and Infrastructure Security Agency (CISA) has released three Malware Analysis Reports detailing new variants of malware being used by hackers acting on behalf of North Korea's government. The new malware variants are a remote access tool called Copperhedge and two Trojans, known as Taintedscribe and Pebbledash.
Read more in:
US-CERT: North Korean Malicious Cyber Activity
https://www.us-cert.gov/northkorea
GovInfosecurity: Group Behind WannaCry Now Using New Malware
https://www.govinfosecurity.com/group-behind-wannacry-now-using-new-malware-a-14279
DUO: US Exposes New North Korean Malware Tools
https://duo.com/decipher/us-exposes-new-north-korean-malware-tools
--US Supreme Court Hearing CFAA Case
(May 14, 2020)
The US Supreme Court has agreed to hear a case that could affect the way the Computer Fraud and Abuse Act (CFAA) is enforced. The case involves a police officer who used his authorized access to a law enforcement database to conduct a search in return for payment. Circuit courts are split on the scope of the CFAA's "exceeds authorized access" language: some hold that a violation requires circumventing technical access controls; others hold that merely using authorized access for an improper purpose, or violating terms of service, is sufficient.
[Editor Comments]
[Murray] It seems unlikely that the SCOTUS can "fix" the CFAA, written when most access to computers was by insiders. Congress must undertake the thankless job of crafting a law that will outlaw abuse and misuse of computer applications and the Internet while minimizing unintended consequences. Drafting such a law will be difficult but not impossible.
Read more in:
Portswigger: US Computer Fraud and Abuse Act: How an upcoming Supreme Court ruling could have serious ramifications for ethical hackers
--UK Power Grid Middleman Suffers Cyberattack
(May 14, 2020)
British power grid middleman Elexon, which administers the balancing and settlement process for the UK electricity market, has suffered a cyberattack that affected its internal IT systems. In a bulletin posted to its website, the company provided few details about the incident, but did note that it is "unable to send or receive any emails." The company said on Thursday that it has found the "root cause" of the problem.
Read more in:
Elexon Portal: BSC Bulletin 335 - ELEXON's internal IT systems have been impacted by a cyber attack
https://www.elexonportal.co.uk/news/view/27108
ZDNet: UK electricity middleman hit by cyber-attack
https://www.zdnet.com/article/uk-electricity-middleman-hit-by-cyber-attack/
Cyberscoop: Cyberattack hits internal IT systems of key player in British power market
https://www.cyberscoop.com/elexon-cyberattack-uk-electricity-market/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+May+2020+Patch+Tuesday/26114/
Adobe Security Updates
https://helpx.adobe.com/security.html
Top Exploited Vulnerabilities
https://www.us-cert.gov/ncas/alerts/aa20-133a
ISC Handler Series (SANSFIRE)
https://www.sans.org/event/sansfire-2020/bonus-sessions/
Rethinking Severity
Malspam with Links to ZIP Archives Pushes Dridex Malware
https://isc.sans.edu/forums/diary/Malspam+with+links+to+zip+archives+pushes+Dridex+malware/26116/
Android Applications Expose Firebase Databases
https://www.comparitech.com/blog/information-security/firebase-misconfiguration-report/
More Magecart Sighted
https://maxkersten.nl/2020/05/06/backtracking-magecart-infections/
Glitter vs. Thunderspy
https://www.youtube.com/watch?v=vlK5rrlc44g
Ramsay Cyber Espionage Toolkit
https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/
Windows DNS over HTTPS Preview
Zerodium Drops Payouts For iOS/Safari Exploits
https://twitter.com/Zerodium/status/1260541578747064326?s=20
BigIP Edge Client Vulnerability
https://support.f5.com/csp/article/K20346072
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create