SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #41
May 22, 2020
Virtual Cyber Schools Open In U.K. and U.S.; Verizon's 2020 Data Breach Report; Toll Group Ransomware Data Published on Dark Web
****************************************************************************
SANS NewsBites May 22, 2020 Vol. 22, Num. 041
****************************************************************************
TOP OF THE NEWS
U.K. and U.S. Virtual Cyber Schools Open This Month
Verizon's 2020 Data Breach Investigations Report
Data Stolen from The Toll Group Published on Dark Web
*************************** Sponsored By Chronicle ************************************
Get a free 15-minute SIEM TCO analysis report. Eventually, the cost isn't worth the effort. If keeping your legacy SIEM running is more than you can handle, unwind your SIEM costs with zero-management security analytics from Chronicle and let us ensure perfect fidelity, no matter how much data you generate. http://www.sans.org/info/216455
*****************************************************************************
REST OF THE NEWS
US Legislators Push for Complete Phone Encryption Between House and Senate
Facebook New Messenger Warnings are Based on Metadata
Lawsuits Filed Against ADT Over Former Employee Spying On Customers
EasyJet Data Breach
Cisco Releases Update to Fix Deserialization Flaw in Cisco Unified CCX
Adobe Releases Unscheduled Updates
Info Leaked from 2019 Mitsubishi Breach May Include Missile Data
Data Stolen from Fresenius Dialysis Facility Leaked
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
The world's top cybersecurity courses
Taught by real world practitioners
Ideal preparation for more than 30 GIAC Certifications
Test drive a course: https://www.sans.org/course-preview
Choose a great promo offer* through May 27 with OnDemand or Live Online training
https://www.sans.org/online-security-training/specials/
Hot OnDemand Courses:
SEC401: Security Essentials Bootcamp Style | https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling | https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking | https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming Live Online Events:
Pen Test Hackfest & Cyber Ranges Summit 2020 (Free Summit) | June 4-13
- https://www.sans.org/event/rockymountainhackfest-summit-2020
SANSFIRE 2020 | June 13-20
- https://www.sans.org/event/sansfire-2020
2-Day Firehose Training | June 29-30
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
SANS Summer of Cyber: Week 1 | July 6-11
- https://www.sans.org/event/summer-of-cyber-jul-6
DFIR Summit & Training | July 16-25
- https://www.sans.org/event/digital-forensics-summit-2020
In Person Training:
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
______________________
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee
****************************************************************************
TOP OF THE NEWS
--U.K. and U.S. Virtual Cyber Schools Open This Month
(May 20, 2020)
Students ages 13-18 in the UK and the US have the opportunity to take part in a virtual cyber school that offers more than 200 cybersecurity challenges. The program is government sponsored: free for residents of the UK; students in the US can participate for US $100 a year. No background in computers is expected or needed. Kids' observations: "The most fun I've ever had learning," and "I had no idea I could be so good at computer science."
[Editor Comments]
[Pescatore] Great opportunity to take advantage of current crazy times and get your kids or your company's employees' kids into the cybersecurity skills pipeline. The gaming aspect is very cool; much like in the makers movement, the fact that the technology is really a tool vs. the entire focus attracts and holds types of kids who had no interest in computers or networks for technology's sake.
[Neely] My 13-year-old self would love this type of opportunity. My present-day self is thinking of all the friends and family who ask how their kids can get started in cyber security and sending this to them. If they object to the cost, I'll suggest they also look to the SANS Holiday Hack Challenge web site for some fun challenges, reminding them the past solutions are published if they want a hint.
Read more in:
CNN: Virtual cybersecurity school teaches kids to fix security flaws and hunt down hackers
https://www.cnn.com/2020/05/20/tech/virtual-cyber-security-school/index.html
Gov.uk: New virtual cyber school gives teens chance to try out as cyber security agents from home
U.K. Cyber-School: Cyber Discovery Virtual Cyber School
https://cyber-school.joincyberdiscovery.com/
U.S. Sign-ups: https://cyberstart.com
--Verizon's 2020 Data Breach Investigations Report
(May 19, 2020)
Some takeaways from Verizon's 2020 Data Breach Investigations Report: Eighty-six percent of breaches in 2019 were financially motivated, compared with 71 percent in 2018; 70 percent of breaches were caused by outsiders; and 27 percent of incidents were attributed to ransomware. The information in the report is derived from more than 150,000 security incidents experienced by Verizon clients as well as by other organizations, in data shared by partners, law enforcement agencies, CSIRTs, and security firms.
[Editor Comments]
[Neely] The Verizon DBIR is always a good synopsis of incidents and trends to watch for. The report also notes that unsecured or misconfigured cloud data storage opens the doors of small businesses to attacks previously faced only by larger organizations. The report also shows a trend in breaches related to configuration errors catching up with socially engineered ones.
[Honan] This is one of the most valuable reports a security professional can read. The report will give you valuable insights into how to defend your systems and networks. It also gives you good data points when dealing with security vendors to ask them how their product would deal with the breaches and issues raised in the report.
[Murray] The DBIR continues to be a valuable source of open source intelligence. Be sure to read the disclaimers.
Read more in:
Verizon: 2020 Data Breach Investigations Report
https://enterprise.verizon.com/resources/reports/dbir/
SC Magazine: Six need-to-know takeaways from the Verizon breach report
ZDNet: Verizon's data breach report highlights how unsecured cloud storage opens door to attacks
Threatpost: Verizon Data Breach Report: DoS Skyrockets, Espionage Dips
https://threatpost.com/verizon-data-breach-report-dos-skyrockets-espionage-dips/155843/
Cyberscoop: Money is still the main motivating factor for hackers, Verizon report finds
https://www.cyberscoop.com/verizon-dbir-report-hacking-2020/
--Data Stolen from The Toll Group Published on Dark Web
(May 21, 2020)
Data stolen from Australian transportation and logistics company The Toll Group have been published to the dark web. The data were taken from a corporate server during an April ransomware attack. Toll has not paid the ransom and has shut down its IT systems to contain the malware. The company was the victim of a ransomware attack in January as well.
[Editor Comments]
[Neely] When the decision was made not to pay the ransom and recover systems, The Toll Group identified the server and data they believed had been exfiltrated. They are now faced with the challenge of validating the scope and depth of data published to determine appropriate response actions, including deciding whether it is worth paying ransom to prevent additional disclosures.
Read more in:
ZDNet: Toll's stolen data finds itself on the 'dark web'
https://www.zdnet.com/article/tolls-stolen-data-finds-itself-on-the-dark-web/
***************************** SPONSORED LINKS ******************************
1) DFIR Summit Solutions Track | July 17th at 9AM ET | Join Lodrina Cherne and guest speakers for this free virtual event! http://www.sans.org/info/216460
2) Take the SANS 2020 Enterprise Cloud Incident Response Survey! Survey closes June 15th. http://www.sans.org/info/216465
3) Webcast May 28th at 10:30AM ET | How Dangerous File Uploads Disrupt Business-Critical Web & Mobile Apps. Register: http://www.sans.org/info/216470
****************************************************************************
The REST OF THE WEEK'S NEWS
--US Legislators Push for Complete Phone Encryption Between House and Senate
(May 19, 2020)
US legislators want to ensure that phone communications between the House and the Senate are protected by encryption. Currently, most internal calls in both chambers are encrypted. In a letter dated May 19, 2020, legislators ask the Senate Sergeant at Arms and the House Chief Administrative Officer to take immediate action to encrypt, in bulk, all internal calls and other electronic communications between the Senate, House and other components of the legislative branch.
[Editor Comments]
[Neely] Not a bad idea for protecting corporate secrets, too. VoIP phones make encryption within the system practical, without having to invest in formal COMSEC equipment, provided you have the infrastructure to manage the certificates. The challenge is that more and more communications also happen over mobile devices, necessitating either a smartphone client on the device, or training users to have sensitive conversations only over the secure phone system. Even with encryption, situational awareness is important to prevent eavesdropping.
Read more in:
FCW: Lawmakers want more complete phone encryption on Capitol Hill
https://fcw.com/articles/2020/05/19/house-senate-wyden-phone-encryption.aspx
The Verge: Calls between the House and Senate should be encrypted, lawmakers say
Wyden: Letter to Senate Sergeant at Arms and House Chief Administrative Officer (PDF)
--Facebook New Messenger Warnings are Based on Metadata
(May 21, 2020)
Governments have criticized Facebook's plans to implement end-to-end encryption for all its apps because they say it allows criminals to escape detection. Facebook is debuting tools that use metadata analysis to generate warnings in its Messenger app when messages appear to come from scammers, child abusers, or other criminals.
Read more in:
Wired: Facebook Messenger Adds Safety Alerts, Even in Encrypted Chats
https://www.wired.com/story/facebook-messenger-safety-alerts-encryption/
--Lawsuits Filed Against ADT Over Former Employee Spying On Customers
(May 15 & 19, 2020)
ADT Security Services is facing lawsuits over the company's alleged intentional and negligent tortious acts in providing security services to its customers with remote-viewing capabilities. ADT has admitted that an ADT technician created admin accounts for himself on customers' systems and then abused that privilege to spy on them. More than 200 customer accounts were compromised; the activity went on for seven years before it was detected. The scheme was uncovered when a customer in Texas reported an unknown email address as an admin user on their system. ADT conducted an internal investigation and determined that the issue was with one of their employees. ADT fired the individual, reported them to the police, and contacted all affected customers.
[Editor Comments]
[Neely] Have a clear understanding of what the remote monitoring service can and cannot do. Review accounts with access to your home systems regularly. Even so, the service provider may still have legitimate access to your system for emergency response. If you must have cameras in your home, make sure that privacy needs are considered, including where images can be accessed and stored. Make sure that electronic locks are not the only access control on outer doors so you can prevent them from being unsecured when desired.
[Honan] Quis custodiet ipsos custodes? (Who will guard the guards themselves?) A great example of why people need to check the security settings of all devices installed in their homes and businesses. Trusting default settings or relying on third parties to set up devices securely can lead to security and/or privacy breaches. Always review settings on devices to ensure they are secure.
[Murray] Supervision and multi-party controls are indicated to resist insider abuse and misuse. Privileged Access Management software should be considered to provide accountability for privileged users.
Read more in:
The Register: Rogue ADT tech spied on hundreds of customers in their homes via CCTV, including me, says teen girl
https://www.theregister.co.uk/2020/05/19/adt_spying_lawsuit/
ADT: ADT Internal Investigation Reveals Improper Behavior By Former Dallas-Based Employee
https://www.adt.com/adt-privacy-notice
Regmedia: Class Action Complaint and Demand for Jury Trial (PDF)
https://regmedia.co.uk/2020/05/19/adt-spycam-lawsuit.pdf
Regmedia: Class Action Complaint and Demand for Jury Trial (PDF)
https://regmedia.co.uk/2020/05/19/adt-second-spy-lawsuit.pdf
--EasyJet Data Breach
(May 19, 2020)
UK-based EasyJet has disclosed a breach that compromised information, including email addresses and travel details, belonging to 9 million customers. For a small subset of customers, payment card information was also compromised. EasyJet has reported the incident to the UK Information Commissioner's Office (ICO) and to the National Cyber Security Centre.
[Editor Comments]
[Murray] As an accommodation to frequent travelers, airlines and hotel chains offer them the option of storing a credit card number for convenience with future bookings. There have been enough successful attacks in the travel industry to make the risk of doing so obvious and significant. Frequent travelers can limit this risk by using tokens from Privacy.com that can only be used by that airline or hotel chain.
Read more in:
The Register: Easyjet hacked: 9 million people's data accessed plus 2,200 folks' credit card details grabbed
https://www.theregister.co.uk/2020/05/19/easyjet_hack_9million_2000_credit_cards/
SC Magazine: British airline easyJet breached, data of 9 million customers compromised
ZDNet: EasyJet hack: 9 million customers hit and 2,000 credit cards exposed
https://www.zdnet.com/article/easyjet-hack-9-million-customers-hit-and-2000-credit-cards-exposed/
Threatpost: EasyJet Hackers Take Off with Travel Details for 9M Customers
https://threatpost.com/easyjet-hackers-travel-details-9m-customers/155894/
Bleeping Computer: EasyJet hacked: data breach affects 9 million customers
--Cisco Releases Update to Fix Deserialization Flaw in Cisco Unified CCX
(May 21, 2020)
Cisco has released updates to fix a critical deserialization flaw in the Java Remote Interface of its Unified Contact Center Express (CCX). The vulnerability could be exploited to install malware on unpatched devices.
Read more in:
ZDNet: Cisco: Critical Java flaw strikes 'call center in a box', patch urgently
https://www.zdnet.com/article/cisco-critical-java-flaw-strikes-call-center-in-a-box-patch-urgently/
Threatpost: Critical Cisco Bug in Unified CCX Allows Remote Code Execution
https://threatpost.com/critical-cisco-rce-flaw-unified-ccx/155980/
Cisco: Cisco Unified Contact Center Express Remote Code Execution Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-rce-GMSC6RKN
--Adobe Releases Unscheduled Updates
(May 19 & 20, 2020)
Adobe has released updates to address a critical vulnerability in Adobe Character Animator. The issue affects Character Animator 2020 versions 3.2 and earlier. The buffer overflow vulnerability could be exploited to allow arbitrary code execution. Adobe has also released fixes for vulnerabilities in its Premiere Rush, Audition, and Premiere Pro products.
Read more in:
Threatpost: Adobe Patches Critical RCE Flaw in Character Animator App
https://threatpost.com/adobe-patches-critical-rce-flaw-character-animator/155882/
ZDNet: Adobe issues out-of-band patch to fix remote code execution flaw in animation software
Bleeping Computer: Adobe releases critical out-of-band security update
https://www.bleepingcomputer.com/news/security/adobe-releases-critical-out-of-band-security-update/
Adobe: Security Updates Available for Adobe Character Animator | APSB20-25
https://helpx.adobe.com/security/products/character_animator/apsb20-25.html
Adobe: Recent bulletins and advisories
https://helpx.adobe.com/security.html
--Info Leaked from 2019 Mitsubishi Breach May Include Missile Data
(May 20 & 21, 2020)
Japan's Defense Ministry is investigating the leak of information about a prototype missile. The data are believed to have been compromised during a cyberattack against systems at Mitsubishi Electric Corp. in late June 2019; the incident was not disclosed until January 2020. The attack exploited a then-zero-day vulnerability in Trend Micro OfficeScan antivirus software.
[Editor Comments]
[Neely] Am I the only one thinking that I would be able to buy a missile equipped vehicle in the future? The exploited zero-day vulnerability in the Trend Micro AV product has since been patched. Attribution is still tricky, although initial indications point to the Tick group which has previously targeted Japanese and South Korean technology and defense industries.
Read more in:
ZDNet: Japan investigates potential leak of prototype missile data in Mitsubishi hack
ZDNet: Trend Micro antivirus zero-day used in Mitsubishi Electric hack (January 2020)
https://www.zdnet.com/article/trend-micro-antivirus-zero-day-used-in-mitsubishi-electric-hack/
Fifth Domain: Japan suspects missile data leak in Mitsubishi cyberattack
--Data Stolen from Fresenius Dialysis Facility Leaked
(May 20 & 21, 2020)
Fresenius Medical Care says that some patient data from dialysis facilities in Serbia has been posted to the Internet. The data include personally identifiable patient information. Fresenius was the target of a ransomware attack earlier this year.
Read more in:
Bleeping Computer: Snake ransomware leaks patient data from Fresenius Medical Care
Reuters: Germany's Fresenius Medical Care confirms data leak in Serbia after hacker attack
****************************************************************************
INTERNET STORM CENTER TECH CORNER
Spike of Scans for Port 62234
https://isc.sans.edu/forums/diary/What+is+up+on+Port+62234/26144/
IcedID Malware Update
Malware Triage with FLOSS: API Calls Based Behavior
https://isc.sans.edu/forums/diary/Malware+Triage+with+FLOSS+API+Calls+Based+Behavior/26156/
Cisco Patches
https://tools.cisco.com/security/center/publicationListing.x
Google Chrome 83 Released
https://chromereleases.googleblog.com/
QNAP Vulnerability Details Released
ISC YouTube Channel
https://www.youtube.com/channel/UCfbOsqPmWg1H_34hTjKEW2A
NXNSAttack DNS Amplification
https://cyber-security-group.cs.tau.ac.il/
Adobe Updates
https://helpx.adobe.com/security.html
Verizon Breach Report
https://enterprise.verizon.com/resources/reports/dbir/
Apple Updates
https://support.apple.com/en-us/HT201222
Sophos Firewall Vulnerability Exploit
https://news.sophos.com/en-us/2020/05/21/asnarok2/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create