SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #40
May 19, 2020
Ransomware Succeeding; AirGaps Failing
****************************************************************************
SANS NewsBites May 19, 2020 Vol. 22, Num. 040
****************************************************************************
TOP OF THE NEWS
Texas Department of Transportation Hit With Ransomware
Four Arrests in Ransomware Plot Against Romanian Hospitals
Hackers are Using Malware Designed to Target Airgapped Networks
REST OF THE NEWS
The FBI Cracked iPhone Encryption Without Apple's Help
BlueScope Steel Cyber Incident
European Supercomputers are Shut Down After Cryptomining Malware Infections
Chrome is Testing a Feature That Will Stop Ads From Consuming Too Many Resources
WP Product Review Lite Plugin Vulnerability
US Department of Commerce Rule Places More Restrictions on Huawei
Bill Would Have US Dept. of Commerce Establish Cybersecurity Grand Challenges
INTERNET STORM CENTER TECH CORNER
********************** Sponsored By Splunk ********************************
Forrester Study: The Total Economic Impact(TM) of Splunk for Security Operations. Evaluating Splunk for your ML-driven security operations? Through interviews, data collection and financial analysis, Forrester's study found that Splunk reduced resources dedicated to security audits and other compliance reporting by 50%, in addition to decreasing the cost of a breach by 37%. Read on to discover the potential ROI that your organization can realize. http://www.sans.org/info/216415
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Test drive a course: https://www.sans.org/course-preview
Choose a great promo offer* through May 27 with OnDemand or Live Online training:
* Get a 10.2" iPad (32G) with Smart Keyboard
* Train-From-Home Tech Package: Apple TV 4K (64G) with AirPods Pro
* Take $300 Off
*Restrictions apply, see Terms & Conditions online
https://www.sans.org/online-security-training/specials/
Hot OnDemand Courses:
SEC401: Security Essentials Bootcamp Style | https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling | https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking | https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics | https://www.sans.org/ondemand/course/advanced-incident-response-threat-hunting-training
______________________
Upcoming Live Online Events:
2-Day Firehose Training | May 26-29
- https://www.sans.org/event/2-day-firehose-training-may27-2020
Cloud Security Summit & Training 2020 | May 26-June 5
- https://www.sans.org/event/cloud-security-summit-2020
Pen Test Hackfest & Cyber Ranges Summit 2020 (Free Summit) | June 4-13
- https://www.sans.org/event/rockymountainhackfest-summit-2020
SANSFIRE 2020 | June 13-20
- https://www.sans.org/event/sansfire-2020
2-Day Firehose Training | June 29-30
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
SANS Summer Surge: Wave 1 | July 6-11
- https://www.sans.org/event/sans-surge-summer-series-wave-1
In Person Training:
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
______________________
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee
*****************************************************************************
TOP OF THE NEWS
--Texas Department of Transportation Hit With Ransomware
(May 18, 2020)
Computer systems at the Texas Department of Transportation (TxDOT) were hit with ransomware. The agency detected unauthorized network access on Thursday, May 14, and determined that it was experiencing a ransomware incident. TxDOT is the second Texas state agency to suffer a ransomware attack this month; on May 8, computers at the Texas Court System were infected with ransomware.
[Editor Comments]
[Pescatore] Back in August 2019 more than 20 Texas state and local agencies were hit with ransomware. At the time, Texas Governor Abbott was quoted as "stressing the importance of public and private sectors alike practicing 'good cyber hygiene.'" Obviously, there are some continued failings in basic security hygiene that require investigation and rapid application of lessons that should have been learned from last year's incidents.
Read more in:
Bleeping Computer: Ransomware attack impacts Texas Department of Transportation
GovTech: Cyberattack Disrupts Texas Department of Transportation
https://www.govtech.com/security/Cyberattack-Disrupts-Texas-Department-of-Transportation.html
--Four Arrests in Ransomware Plot Against Romanian Hospitals
(May 15 & 18, 2020)
Four people have been arrested in connection with a plan to target public health organizations in Romania with ransomware. The suspects reportedly planned to send spoofed email messages purporting to come from government officials and to contain COVID-19 information, but which would actually lead to ransomware infections. Three of the suspects were arrested in Romania; the fourth was arrested in Moldova.
Read more in:
Threatpost: Ransomware Gang Arrested for Spreading Locky to Hospitals
https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/
ZDNet: Hackers preparing to launch ransomware attacks against hospitals arrested in Romania
Bleeping Computer: Wannabe ransomware operators arrested before hospital attacks
Cyberscoop: Romanian police bust hackers allegedly plotting ransomware attacks on hospitals
https://www.cyberscoop.com/romania-ransomware-hospitals-coronavirus/
Infosecurity Magazine: Police Catch Suspects Planning #COVID19 Hospital Ransomware
https://www.infosecurity-magazine.com/news/police-catch-hackers-covid19/
--Hackers are Using Malware Designed to Target Airgapped Networks
(May 12 & 15, 2020)
Hackers have targeted airgapped networks that belong to the Taiwanese and Philippine militaries. The hackers, who are believed to be working on behalf of China's government, used malware called USBferry, "a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage." According to Trend Micro, the hacking group has been using the malware since 2014.
[Editor Comments]
[Ullrich] As Ed Skoudis says: Airgaps are just high latency network links. This malware takes advantage of USB drives to bridge airgaps. Also note that some of the more obscure methods to bridge airgaps that make the news from time to time are more of a curiosity and probably work better to generate headlines and clickbait vs. actual exploits.
[Neely] This malware uses USB removable media to spread and collect data. Judicious use of a USB kiosk or other scanner or one-way link to sanitize media or data transferred between environments can stop or mitigate risks to the air-gapped systems.
Read more in:
Trend Micro: Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments
ZDNet: Hackers target the air-gapped networks of the Taiwanese and Philippine military
***************************** SPONSORED LINKS ******************************
1) Pen Test HackFest & Cyber Ranges Summit | June 4-13. http://www.sans.org/info/216420
2) Survey | Firewalls in the Modern Enterprise. Take the survey. http://www.sans.org/info/216425
3) Webcast May 21st | SOAR is Not a Product: Steps to Achieve Meaningful and Measurable Cyber Defense with a Proper SOAR Strategy. Register: http://www.sans.org/info/216430
*****************************************************************************
The REST OF THE WEEK'S NEWS
--The FBI Cracked iPhone Encryption Without Apple's Help
(May 18, 2020)
The FBI has unlocked two iPhones that belonged to a man who shot 11 people at a Florida Naval Air Station in December 2019. The FBI initially asked for Apple's help unlocking the devices. FBI Director Christopher Wray criticized Apple for not helping, saying that their refusal delayed the investigation. Apple says it responded immediately, providing DOJ with gigabytes of data from cloud backups.
[Editor Comments]
[Neely] Although the devices in question, an iPhone 5 and iPhone 7, had security weaknesses which could have been used to access the device, the trick is maintaining forensic integrity of the device while obtaining access as well as not triggering a device wipe. While the FBI continues to seek a general use way to access recovered devices, they were able to develop a technique to access these devices which they claim was specific to this situation.
Read more in:
Wired: The FBI Backs Down Against Apple--Again
https://www.wired.com/story/fbi-backs-down-apple-encryption-pensacola-iphones/
ZDNet: FBI criticizes Apple for not helping crack Pensacola shooter's iPhones
https://www.zdnet.com/article/fbi-criticizes-apple-for-not-helping-crack-pensacola-shooters-iphones/
Cyberscoop: US officials say they've cracked Pensacola shooter's iPhones, blast Apple
https://www.cyberscoop.com/fbi-pensacola-terrorism-iphone-encryption/
--BlueScope Steel Cyber Incident
(May 14, 15, & 18, 2020)
Australia's BlueScope Steel Ltd has disclosed that a cyber incident disrupted some of its manufacturing and sales operations in Australia. The incident also caused minor disruptions in Asia, New Zealand, and the US. In a message to investors, BlueScope said it had reverted to manual operations in some impacted areas. A BlueScope official said the company is working with external providers to restore its systems.
Read more in:
Secure.weblink: BlueScope Response to Cyber Incident
SMH: BlueScope Steel says cyber 'incident' causing disruptions
ZDNet: BlueScope reports cyber incident affecting Australian operations
https://www.zdnet.com/article/bluescope-reports-cyber-incident-affecting-australian-operations/
Reuters: Australia's BlueScope Steel says cyber 'incident' causing disruptions
--European Supercomputers are Shut Down After Cryptomining Malware Infections
(May 11, 16, 17, & 18, 2020)
Supercomputers throughout Europe have been shut down to allow investigations after hackers targeted them to hijack their CPU power to mine cryptocurrency. The attackers are moving from one system to another with compromised SSH credentials. The incident has affected supercomputers in the UK, Germany, Switzerland, and Spain.
[Editor Comments]
[Neely] Primary access is via compromised SSH credentials, but there is also some evidence of compromised SSH binaries. Multi-factor authentication is a key tool to protect access to valuable resources. HPC relies on exhaustive configuration management to guarantee smooth operation, which should also include identifying and replacing unauthorized binaries or configuration files.
Read more in:
DUO: Supercomputer Sites Still Struggling After Attacks
https://duo.com/decipher/supercomputer-sites-still-struggling-after-attacks
BBC: Europe's supercomputers hijacked by attackers for crypto mining
https://www.bbc.com/news/technology-52709660
Bleeping Computer: European supercomputers hacked in mysterious cyberattacks
ZDNet: Supercomputers hacked across Europe to mine cryptocurrency
https://www.zdnet.com/article/supercomputers-hacked-across-europe-to-mine-cryptocurrency/
Infosecurity Magazine: Crypto-Miners Take Out Supercomputers Working on #COVID19
https://www.infosecurity-magazine.com/news/cryptominers-out-supercomputers/
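One way to implement the unauthorized-binary check described in the comment above, as an added example that is not code from this issue, from the affected HPC sites, or from any vendor: record a SHA-256 manifest of the files you care about (the SSH client and daemon, sshd_config) while the host is known-good, then re-walk the tree and report anything modified, missing, or newly dropped in. The install tree, the "trojaned" contents and the paths under it are all constructed for the demonstration; the function names (build_manifest, verify_manifest, demo) are this example's own.

```python
"""Baseline integrity check for installed binaries and config files.

Added example (not from the NewsBites issue or from any affected site):
given a manifest of expected SHA-256 digests, walk the listed tree and
report anything modified, missing, or unexpected. The sample tree and
the tampering below are constructed for the demonstration.
"""
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Digest of every regular file under root, keyed by POSIX path relative to root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the tree under root against a previously recorded manifest.

    'modified'   : present in both, digest differs (e.g. a replaced ssh client)
    'missing'    : in the manifest but gone from disk
    'unexpected' : on disk but not in the manifest (e.g. a dropped-in loader)
    """
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake install tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        # Constructed stand-ins for real binaries; only the bytes matter here.
        (root / "bin" / "ssh").write_bytes(b"\x7fELF original ssh client\n")
        (root / "bin" / "sshd").write_bytes(b"\x7fELF original ssh daemon\n")
        (root / "etc" / "sshd_config").write_text("PasswordAuthentication no\n")

        baseline = build_manifest(root)  # taken while the host is known-good

        # Simulated compromise: trojaned client, weakened config, new dropper,
        # and the daemon removed.
        (root / "bin" / "ssh").write_bytes(b"\x7fELF ssh client that logs passwords\n")
        (root / "etc" / "sshd_config").write_text("PasswordAuthentication yes\n")
        (root / "bin" / ".x").write_bytes(b"miner loader\n")
        (root / "bin" / "sshd").unlink()

        return verify_manifest(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats a practitioner would want: the baseline manifest has to live somewhere the attacker cannot rewrite (a signed copy off-host, or the distribution's package signatures, which is what rpm -V and debsums check against), and a checker that runs on an already-rooted host can be lied to by a kernel-level rootkit, so verification from known-good boot media is the stronger check when a compromise is suspected.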
--Chrome is Testing a Feature That Will Stop Ads From Consuming Too Many Resources
(May 14, 2020)
Chrome is testing a feature that will block ads that consume large quantities of computer resources. In the Chromium blog, Chrome product manager Marshall Vale writes, "a fraction of a percent of ads consume a disproportionate share of device resources, such as battery and network data, without the user knowing about it." The feature "will limit the resources a display ad can use before the user interacts with the ad," and display an error message when the ad reaches the consumption limit. The feature is expected to be introduced on the stable version of Chrome toward the end of August.
[Editor Comments]
[Neely] You can enable this feature today with chrome://flags/#enable-heavy-ad-intervention. This approach uses resource consumption as opposed to Firefox's anti-cryptomining prevention which relies on blocking known bad domains. Either approach should help keep browser resource use in check.
[Pescatore] In a recent SANS webinar (https://www.sans.org/webcasts/making-keeping-work-home-operations-safe-productive-114490: Making and Keeping Work at Home Operations Safe and Productive), Virginia Tech University CISO and SANS Senior Instructor Randy Marchany commented that the dependence on the internet during the pandemic has shown that in many ways internet access has become as important a utility as water, electricity, etc. Browser vendors are building security and viewing controls into browsers for advertising-laden services, while ISPs who charge for access are doing very little about equal access to and secure delivery of digital services needed by school children, small businesses, etc.
Read more in:
Chromium: Protecting against resource-heavy ads in Chrome
https://blog.chromium.org/2020/05/resource-heavy-ads-in-chrome.html
Ars Technica: Chrome will soon block resource-draining ads. Here's how to turn it on now
--WP Product Review Lite Plugin Vulnerability
(May 15, 2020)
A critical flaw in the WP Product Review Lite plugin could be exploited to take control of vulnerable WordPress websites. The issue has been fixed in WP Product Review Lite version 3.7.6, which was released on May 14. Users are urged to upgrade as soon as possible. The plugin is installed on at least 40,000 WordPress sites.
[Editor Comments]
[Neely] WordPress has a hardening guide (https://wordpress.org/support/article/hardening-wordpress/: Hardening WordPress) which includes links to additional resources for consideration. In addition to updating this plugin, verify that your plugins are as expected and configurations are as intended.
[Murray] Warnings about vulnerabilities in WordPress plugins are becoming as routine as "patch Tuesday." While patching is mandatory, it should now be obvious that we cannot patch our way to security. Since we cannot hide WordPress plugins, we best use them sparingly.
Read more in:
Bleeping Computer: Critical WordPress plugin bug allows for automated takeovers
--US Department of Commerce Rule Places More Restrictions on Huawei
(May 15 & 18, 2020)
The US Department of Commerce's Bureau of Industry and Security (BIS) has issued an interim final rule amending an existing rule that aims to prevent Huawei from using US technology in its semiconductor design and production. Foreign companies that use certain US technology will be required to obtain a license before selling it to Huawei. The amended rule will take effect in September 2020. Comments on the document will be accepted through July 14, 2020.
Read more in:
MeriTalk: DoC Restricts Huawei's Use of U.S. Tech in Semiconductor Production
https://www.meritalk.com/articles/doc-restricts-huaweis-use-of-u-s-tech-in-semiconductor-production/
Cyberscoop: US Commerce Department tightens screws on Huawei export controls
https://www.cyberscoop.com/huawei-export-controls-commerce-department/
FCW: U.S squeezes Huawei on chip design
https://fcw.com/articles/2020/05/15/us-squeezes-huawei-chip-design.aspx
NYT: U.S. Delivers Another Blow to Huawei With New Tech Restrictions
https://www.nytimes.com/2020/05/15/business/economy/commerce-department-huawei.html
Federal Register: Export Administration Regulations: Amendments to General Prohibition Three (Foreign-Produced Direct Product Rule) and the Entity List
--Bill Would Have US Dept. of Commerce Establish Cybersecurity Grand Challenges
(May 15, 2020)
A trio of US Senators has introduced the Cyber Leap Act of 2020, which directs the Department of Commerce to create competitions to solve cybersecurity grand challenges, such as making it more expensive for criminals to conduct cyberattacks, improving federal agencies' response to cyberattacks, and re-imagining digital identity to improve security. The idea of establishing cybersecurity grand challenges grew out of the November 2018 "Cybersecurity Moonshot" report from the National Security Telecommunications Advisory Committee.
Read more in:
Fifth Domain: Senators introduce bill to create more cyber grand challenges
Nextgov: Bill Proposes to Incentivize Cybersecurity Innovations With Cash Prizes
Commerce.senate: Cyber Leap Act of 2020 (PDF)
https://www.commerce.senate.gov/services/files/60A3EF97-3FE3-47D9-A5B9-04E2A8AE2200
CISA: NSTAC Report to the President on a Cybersecurity Moonshot November 14, 2018 (PDF)
https://www.cisa.gov/sites/default/files/publications/NSTAC_CyberMoonshotReport_508c.pdf
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
OWA Scans
Edison iOS E-Mail Client Leaks Data
https://www.theverge.com/2020/5/16/21260967/edison-mail-update-ios-security-bug
Antivirus & Multiple Detections
https://isc.sans.edu/forums/diary/Antivirus+Multiple+Detections/26134/
COMpfun Malware Uses Status Codes to Communicate
https://securelist.com/compfun-http-status-based-trojan/96874/
PAN OS Patches
https://securityaffairs.co/wordpress/103265/security/palo-alto-networks-pan-os-flaws.html
MagicPairing Vulnerabilities
https://arxiv.org/pdf/2005.07255.pdf
BIAS: Bluetooth Impersonation AttackS
https://francozappa.github.io/about-bias/
Office 365 Returning Search Results from Other Organizations
https://www.theregister.co.uk/2020/05/18/microsoft_office_365_internal_search_mixup/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create