SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #43
May 29, 2020Ransomware's Expanding Footprint; Another Dangerous WordPress Vulnerability
****************************************************************************
SANS NewsBites May 29, 2020 Vol. 22, Num. 043
****************************************************************************
TOP OF THE NEWS
Michigan State University Suffers Ransomware Attack
Microsoft Warns Users Over PonyFinal Ransomware
New Mexico County Government Suffers Ransomware Attack
WordPress PageLayer Vulnerabilities
REST OF THE NEWS
Russian Cyber Actor Group Sandworm is Exploiting Exim Flaw
Shadowserver Finds Funding From Multiple Sources After Cisco Withdraws Support
Germany Urges Users to Install iOS Updates; Apple Releases macOS Updates, Too
Open Letter Calls on Governments to Work Together to Stop Cyberattacks Targeting Healthcare Organizations
SSH Maintainers Say SHA-1 Support Will be Discontinued
Cisco Servers Breached Through SaltStack Vulnerabilities
Israeli Government Official Says Water Systems Cyberattack Thwarted Last Month
Germany Warns of Russian Cyberthreats to Critical Infrastructure Operators
INTERNET STORM CENTER TECH CORNER
********************** Sponsored By Chronicle ****************************
Get a free 15-minute SIEM TCO analysis report. Eventually, the cost isn't worth the effort. If keeping your legacy SIEM running is more than you can handle, unwind your SIEM costs with zero-management security analytics from Chronicle and let us ensure perfect fidelity, no matter how much data you generate. Learn more http://www.sans.org/info/216535
****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Take advantage of the current promotional offer featuring a Free iPad Air w/Smart Keyboard, Surface GO, or $300 Off through June 10
https://www.sans.org/online-security-training/specials/
______________________
Upcoming In Person and Live Online Events:
SANSFIRE 2020 | June 13-20 | Live Online
- https://www.sans.org/event/sansfire-2020
2-Day Firehose Training | June 29-30 | Live Online
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
SANS Summer of Cyber: Week 1 | July 6-11 | Live Online
- https://www.sans.org/event/summer-of-cyber-jul-6
DFIR Summit & Training | July 16-25 | Live Online
- https://www.sans.org/event/digital-forensics-summit-2020
SANS Network Security 2020 | September 20-27 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap:
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--Michigan State University Suffers Ransomware Attack
(May 27 & 28, 2020)
The computer network at Michigan State University (MSU) was hit with ransomware earlier this week. The ransomware operators, who used malware known as NetWalker, have given MSU one week to pay the ransom. The NetWalker operators have threatened to publish data stolen from MSU's network if the payment is not received within the given time frame. Researchers at Sophos investigating NetWalker found that the ransomware uses "tools include[ing] legitimate, publicly-available software (like TeamViewer), files cribbed from public code repositories (such as Github), and scripts (PowerShell) that appeared to have been created by the attackers themselves."
[Editor Comments]
[Pescatore] Virginia Tech CISO and Senior SANS Instructor Randy Marchany detailed in a recent SANS webinar how his team has maintained security operations before and through the current situation and increase in ransomware attacks - you can view the recorded version and download the .pdf version with Randy's links from https://www.sans.org/webcasts/making-keeping-work-home-operations-safe-productive-114490: Making and Keeping Work at Home Operations Safe and Productive
Read more in:
Edscoop: Michigan State hit by ransomware threatening leak of student and financial data
https://edscoop.com/michigan-state-hit-by-ransomware-threatening-leak-of-student-and-financial-data/
ZDNet: Michigan State University hit by ransomware gang
https://www.zdnet.com/article/michigan-state-university-hit-by-ransomware-gang/
Bleeping Computer: Michigan State University network breached in ransomware attack
Dark Reading: Netwalker Ransomware Tools Reveal Attacker Tactics and Techniques
Sophos: Netwalker ransomware tools give insight into threat actor
https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
--Microsoft Warns Users Over PonyFinal Ransomware
(May 27 & 28, 2020)
Microsoft Security Intelligence has warned organizations about Java-based ransomware known as PonyFinal. Microsoft says that "organizations should focus less on this payload and more on how it's delivered." PonyFinal gathers and exfiltrates information about systems it infects and waits for an opportune time to encrypt files.
[Editor Comments]
[Neely] PonyFinal gains access via brute force attacks against system management servers rather than exploiting an endpoint or user clicking a malicious link. As such, securing system management services, including multi-factor authentication are the best mitigations. Verify access controls and monitoring on services which may have been exposed to the Internet to better support work from home.
[Murray] The obvious, but still resisted, defense is strong authentication on those servers, on all servers. Enterprise failure to use strong authentication puts us all at risk.
Read more in:
Threatpost: PonyFinal Ransomware Targets Enterprise Servers Then Bides Its Time
https://threatpost.com/ponyfinal-ransomware-enterprise-servers/156083/
Dark Reading: Microsoft Shares PonyFinal Threat Data, Warns of Delivery Tactics
ZDNet: Microsoft warns about attacks with the PonyFinal ransomware
https://www.zdnet.com/article/microsoft-warns-about-attacks-with-the-ponyfinal-ransomware/
SC Magazine: PonyFinal deployed in human-operated ransomware attacks
Twitter: Microsoft Security Intelligence
https://twitter.com/MsftSecIntel/status/1265674287404343297
--New Mexico County Government Suffers Ransomware Attack
(May 27, 2020)
Computers at the Rio Arriba County, New Mexico government were hit with ransomware. According to a news release, "nearly every county server that has files or databases on it has been affected in some way, including the County's backup servers." Officials discovered the situation on Tuesday, May 26.
Read more in:
Los Alamos Reporter: Rio Arriba County Commission Chair Leo Jaramillo Says FBI Investigating Tuesday's Cyber Attack On County
Santa Fe New Mexican: Rio Arriba County hit in ransomware cyberattack
--WordPress PageLayer Vulnerabilities
(May 28, 2020)
A pair of flaws in the PageLayer WordPress plugin could be exploited to take control of or even wipe vulnerable sites. Version 1.1.2 of PageLayer, which was released on May 6, addresses the issues. The plugin has more than 200,000 active installations. As of May 27, the updated version of the plugin had been downloaded 85,000 times; that number includes both updates and new installs.
[Editor Comments]
[Murray] The Verizon DBIR reported that 43% of "breaches" involved web applications.
[Paller] There are few more dangerous applications than content management systems like WordPress.
Read more in:
Wordfence: High Severity Vulnerabilities in PageLayer Plugin Affect Over 200,000 WordPress Sites
Bleeping Computer: 200K sites with buggy WordPress plugin exposed to wipe attacks
**************************** SPONSORED LINKS ******************************
1) Webcast June 4th at 3:30PM ET | How Are Remote Workers Working? A SANS Poll featuring SANS Heather Mahalik. http://www.sans.org/info/216540
2) Survey | Share insights into the current state of your organization's cloud incident response capabilities! Survey closes June 15th. http://www.sans.org/info/216545
3) Don't miss this webcast June 9th at 1PM ET | Breaking Down Zero Trust: What does it Actually Mean? http://www.sans.org/info/216550
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Russian Cyber Actor Group Sandworm is Exploiting Exim Flaw
(May 28, 2020)
A cybersecurity advisory from the US National Security Agency (NSA) warns that "Russian cyber actors ... have been exploiting a vulnerability in Exim Mail Transfer Agent (MTA) software since at least August 2019." The hacking group, known as Sandworm, has likely been exploiting the known vulnerability to gain purchase in targeted systems and move through networks. Sandworm is believed to have been involved in cyberattacks targeting Ukraine's power grid.
[Editor Comments]
[Neely] If you're running Exim servers, make sure that you're running version 4.92 or higher, and watch for connections from Sandworm-associated domains and address.
Read more in:
Ars Technica: Russian hackers are exploiting bug that gives control of US servers
Wired: NSA: Russia's Sandworm Hackers Have Hijacked Mail Servers
https://www.wired.com/story/nsa-sandworm-exim-mail-server-warning/
ZDNet: NSA warns of new Sandworm attacks on email servers
https://www.zdnet.com/article/nsa-warns-of-new-sandworm-attacks-on-email-servers/
Dark Reading: NSA Warns Russia's 'Sandworm' Group Is Targeting Email Servers
Bleeping Computer: NSA: Russian govt hackers exploiting critical Exim flaw since 2019
Cyberscoop: NSA calls out Russian military hackers targeting mail relay software
https://www.cyberscoop.com/nsa-advisory-sandworm-mail-relay-software/
FCW: NSA warns Russian hackers exploited email flaw
https://fcw.com/articles/2020/05/28/nsa-sandworm-email-hack-gru.aspx
Defense: Sandworm Actors Exploiting Vulnerability in Exim Mail Transfer Agent (PDF)
--Shadowserver Finds Funding From Multiple Sources After Cisco Withdraws Support
(May 27, 2020)
Earlier this year, security nonprofit Shadowserver learned that it was losing its main source of support. Cisco, which had been Shadowserver's primary source of funding for 15 years, announced in March that it would no longer fill that role. On Wednesday, May 27, Trend Micro announced that it will help fund Shadowserver over the next three years; other organizations have also stepped forward to help with funding. Shadowserver scans billions of IP addresses every day, provides activity reports to computer emergency response teams (CERTs) around the world, and helps track hackers and contain attacks.
[Editor Comments]
[Neely] It's nice to have good news these days. Not only did Shadowserver have to find new funding sources, they also had to move out of Cisco's data centers. Good non-biased threat intel sources, such as Shadowserver, are key for effective make analysis and response.
[Pescatore] Kudos to Trend Micro and others for supporting Shadowserver's efforts. In most areas of life we find a mix of private enterprise, government agencies, and non-profit/non-government organizations is an effective "triad" - same is true with cybersecurity.
[Honan] This is very welcome news. I know from my involvement with IRISSCERT that the data we get from Shadowserver is invaluable.
Read more in:
Wired: Shadowserver, an Internet Guardian, Finds a Lifeline
https://www.wired.com/story/shadowserver-funding-trend-micro-internet-society/
--Germany Urges Users to Install iOS Updates; Apple Releases macOS Updates, Too
(May 27 & 28, 2020)
Germany's Federal Office for Information Security (Bundesamt fuer Sicherheit in der Informationstechnik, or BSI) is urging iOS users to install updates Apple released on May 20 to address a pair of zero-click vulnerabilities that are being actively exploited. The attacks have been occurring since at least January 2018. In a separate story, Apple has also released security updates for macOS and related software.
[Editor Comments]
[Murray] Apple iOS updates are usually very low risk and users do not resist them; "urging" not required. 13.5 was an exception; it had a conflict with an iOS feature called "family sharing" in which one family member pays for all apps used by the family. The fix to this was to re-install the apps, which for many simply happened automagically.
[Neely] iOS & iPadOS 13.5 and iOS 12.4.7 were released with fixes to the long standing email security flaw reported in NewsBites Volume 22, Number 33. iOS & iPadOS 13.5 include a number of features aimed at COVID-19, such as improvements in facial recognition when wearing a mask which focus on the user's eyes. Check the Apple Security Updates page for the other products updated: https://support.apple.com/en-us/HT201222
Read more in:
Bleeping Computer: German govt urges iOS users to patch critical Mail app flaws
The Register: You, Apple Mac fan. Put down the homemade oat-milk latte, you need to patch a load of security bugs, too
https://www.theregister.co.uk/2020/05/28/apple_may_updates/
--Open Letter Calls on Governments to Work Together to Stop Cyberattacks Targeting Healthcare Organizations
(May 25, 26, & 27, 2020)
In a joint statement, the International Committee of the Red Cross and the Cyber Peace Institute have called for governments to take steps to help prevent cyberattacks against healthcare organizations. The signatories of an open letter "call on the world's governments to take immediate and decisive action to stop all cyberattacks on hospitals, healthcare and medical research facilities, as well as on medical personnel and international public health organizations."
Read more in:
ICRC: Call to governments: Work together to stop cyber attacks on health care
https://www.icrc.org/en/document/governments-work-together-stop-cyber-attacks-health-care
Cyber Peace Institute: A Call to All Governments: Work Together Now to Stop Cyberattacks on the Healthcare Sector
https://cyberpeaceinstitute.org/campaign/call-for-government
The Register: If someone could stop hackers pwning medical systems right now, that would be cool, say Red Cross and friends
https://www.theregister.co.uk/2020/05/26/red_cross_coronavirus_hacking/
ZDNet: Cyberattacks against hospitals must stop, says Red Cross
https://www.zdnet.com/article/cyberattacks-against-hospitals-must-stop-says-red-cross/
SC Magazine: Execs, dignitaries call on nations to help end cyberattacks on health care orgs
--SSH Maintainers Say SHA-1 Support Will be Discontinued
(May 27 & 28, 2020)
SSH developers OpenSSH and libssh plan to retire the SHA-1 hashing algorithm, as its vulnerability to being cracked increases. SHA-1 has been known to be vulnerable for 15 years, but the cost of attacks is falling. "It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K."
[Editor Comments]
[Neely] Phasing out SHA-1 hashing has taken much longer than expected. Seems like we've been removing SHA-1 hash support for 10 years. Generate new SSH keys, including host keys, using a stronger hash like SHA-2 before the library is retired and make sure that other less secure encryption algorithms are also disabled to both mitigate attacks and ensure operations continue after support is deprecated.
Read more in:
Ars Technica: Dangerous SHA-1 crypto function will die in SSH linking millions of computers
ZDNet: OpenSSH to deprecate SHA-1 logins due to security risk
https://www.zdnet.com/article/openssh-to-deprecate-sha-1-logins-due-to-security-risk/
The Register: Got $50k spare? Then you can crack SHA-1 - so OpenSSH is deprecating flawed hashing algo in a 'near-future release'
https://www.theregister.co.uk/2020/05/28/openssh_deprecating_sha1/
OpenSSH: OpenSSH 8.3/8.3p1 (2020-05-27)
https://www.openssh.com/releasenotes.html
Gitlab: Disable RSA and DSA keys with sha1 by default
https://gitlab.com/libssh/libssh-mirror/-/commit/fecdc3cc0e6d051ebbe06414a15c6634a4126a8b
--Cisco Servers Breached Through SaltStack Vulnerabilities
(May 28, 2020)
Earlier this month, six Cisco servers that support its Virtual Internet Routing Lab Personal Edition (VIRL-PE) were compromised. The hackers exploited critical vulnerabilities in the Salt management framework. The breach occurred on May 7; Cisco remediated the issue the same day. Cisco disclosed the incident on Thursday, May 28.
Read more in:
Threatpost: Hackers Compromise Cisco Servers Via SaltStack Flaws
https://threatpost.com/hackers-compromise-cisco-servers-saltstack/156091/
Ars Technica: Cisco security breach hits corporate servers that ran unpatched software
ZDNet: Cisco discloses security breach that impacted VIRL-PE infrastructure
https://www.zdnet.com/article/cisco-discloses-security-breach-that-impacted-virl-pe-infrastructure/
--Israeli Government Official Says Water Systems Cyberattack Thwarted Last Month
(May 28, 2020)
An Israeli government official confirmed water systems in that country were recently the target of a cyberattack. Israel's National Cyber Directorate detected the attack as it was happening and managed to thwart it.
Read more in:
Cyberscoop: Israeli official confirms attempted cyberattack on water systems
https://www.cyberscoop.com/israel-cyberattacks-water-iran-yigal-unna/
Stripes: Israeli cyber chief: Major attack on water systems thwarted
--Germany Warns of Russian Cyberthreats to Critical Infrastructure Operators
(May 26, 2020)
A memo sent from German intelligence and security agencies to operators of the country's critical infrastructure warns that a hacking group that may have ties to Russia's government has been targeting German power, energy, and water sector organizations. The hackers' goal appears to be to gain persistent access to IT networks, to steal information and gain access to operational technology (OT) networks.
Read more in:
Cyberscoop: German intelligence agencies warn of Russian hacking threats to critical infrastructure
https://www.cyberscoop.com/german-intelligence-memo-berserk-bear-critical-infrastructure/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Where is SHA3?
https://isc.sans.edu/forums/diary/Seriously+SHA3+where+art+thou/26170/
Phishing With Google Cloud
https://isc.sans.edu/forums/diary/Frankensteins+phishing+using+Google+Cloud+Storage/26174/
Apple Updates
https://support.apple.com/en-us/HT201222
Google ZDI Releases Details Regarding Unpatched Windows Vulnerabilities
https://www.zerodayinitiative.com/advisories/ZDI-20-666/
https://www.zerodayinitiative.com/advisories/ZDI-20-665/
https://www.zerodayinitiative.com/advisories/ZDI-20-663/
https://www.zerodayinitiative.com/advisories/ZDI-20-662/
https://www.zerodayinitiative.com/advisories/ZDI-20-664/
Research into Phish Detection
https://medium.com/@curtbraz/these-arent-the-phish-you-re-looking-for-7374c3986af5
Trend Micro AntiVirus Blocked by Microsoft
https://billdemirkapi.me/How-to-use-Trend-Micro-Rootkit-Remover-to-Install-a-Rootkit/
Netgear Nighthawk Firmware Update Vulnerability
https://iot-lab-fh-ooe.github.io/netgear_update_vulnerability/
USBFuzz Finds Numerous USB Flaws
https://www.nebelwelt.net/files/20SEC3.pdf
Cisco Products Vulnerable to Saltstack Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG
Another Nail in the Coffin for SHA-1
https://eprint.iacr.org/2020/014.pdf
STI Student: Andy Piazza; Qualifying Threat Actor Assessments
https://www.sans.org/reading-room/whitepapers/threatintelligence/paper/39585
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
