SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #45
June 5, 2020Ransomware at US Military Contractor, NASA Contractor, and UCSF; Foreign Hackers Targeting US Presidential Campaigns
****************************************************************************
SANS NewsBites June 5, 2020 Vol. 22, Num. 045
****************************************************************************
TOP OF THE NEWS
Maze Ransomware Hits US Military Subcontractor Westech
DoppelPaymer Ransomware Operators Claim to Have Hit NASA Contractor
Netwalker Ransomware Operators Claim to Have Hit University of California, San Francisco Systems
Foreign Hackers Targeting US Presidential Campaigns
REST OF THE NEWS
Large Scale WordPress Attack Campaign
Zoom Explains Why End-to-End Encryption is for Paying Customers Only
Zoom Addresses Two Remote Code Execution Flaws
Large Number of Exchange Servers Remain Unpatched Against Critical Flaw
Kaspersky: Chinese APT Group's USBCulprit Malware Targets Air-Gapped Systems
Cisco Semi-Annual IOS and IOS XE Software Security Advisory Bundled Publication
Cisco Releases Fix for Nexus Switch Flaw
Users Urged to Patch SAP Adaptive Server Enterprise Software
Mozilla Updates Firefox to Version 77, then to 77.0.1
INTERNET STORM CENTER TECH CORNER
********************* Sponsored By Chronicle ******************************
Get a free 15-minute SIEM TCO analysis report. Eventually, the cost isn't worth the effort. If keeping your legacy SIEM running is more than you can handle, unwind your SIEM costs with zero-management security analytics from Chronicle and let us ensure perfect fidelity, no matter how much data you generate. Learn more http://www.sans.org/info/216555
****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two
convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Take advantage of the current promotional offer
Featuring a Free iPad Air w/Smart Keyboard, Surface GO,
Or $300 Off through June 10
https://www.sans.org/online-security-training/specials/
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In Person and Live Online Events:
2-Day Firehose Training | June 29-30 | Live Online
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
SANS Summer of Cyber: Week 1 | July 6-11 | Live Online
- https://www.sans.org/event/summer-of-cyber-jul-6
DFIR Summit & Training | July 16-25 | Live Online
- https://www.sans.org/event/digital-forensics-summit-2020
SANS Network Security 2020 | September 20-27 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
****************************************************************************
TOP OF THE NEWS
--Maze Ransomware Hits US Military Subcontractor Westech
(June 3 & 4, 2020)
The operators of Maze ransomware have hit Westech, a US military subcontractor that is involved in maintenance for the US's Minuteman III nuclear missile program. Hackers appear to have stolen sensitive nuclear missile data from Westech and have begun leaking the files online.
[Editor Comments]
[Neely] Maze operators continue to publish exfiltrated data in an attempt to get income irrespective of system recovery plans. Additionally, Maze operators maintain a web site of those who refuse to cooperate with their demands for payment, further complicating the recovery decision process.
Read more in:
Sky News: Hackers steal secrets from US nuclear missile contractor
https://news.sky.com/story/hackers-steal-secrets-from-us-nuclear-missile-contractor-11999442
Threatpost: U.S. Nuclear Contractor Hit with Maze Ransomware, Data Leaked
https://threatpost.com/nuclear-contractor-maze-ransomware-data-leaked/156289/
--DoppelPaymer Ransomware Operators Claim to Have Hit NASA Contractor
(June 3, 2020)
The operators behind the DoppelPaymer ransomware say they have infected the network of DMI, a managed IT and cybersecurity services firm. DMI customers include Fortune 100 companies and government agencies. The hackers appear to have obtained NASA-related files from DMI's network and posted some on a dark web portal.
Read more in:
ZDNet: Ransomware gang says it breached one of NASA's IT contractors
https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/
SiliconAngle: NASA contractor allegedly hit by DopplePaymer ransomware group
https://siliconangle.com/2020/06/03/nasa-contractor-allegedly-hit-dopplepaymer-ransomware-group/
--Netwalker Ransomware Operators Claim to Have Hit University of California, San Francisco Systems
(June 3 & 4, 2020)
Operators of the Netwalker ransomware have recently been targeting colleges and universities in the US and threatening to publish stolen data if the ransom is not paid. The group has launched attacks against Michigan State University, Columbia College of Chicago, and most recently, they say they have launched a successful attack against systems at the University of California, San Francisco (UCSF). Researchers at UCSF are running "antibody testing and clinical trials for possible coronavirus treatments," according to Bloomberg Law.
Read more in:
Bleeping Computer: Netwalker ransomware continues assault on US colleges, hits UCSF
Bloomberg Law: Hackers Target California University Leading Covid Research (1)
--Foreign Hackers Targeting US Presidential Campaigns
(June 4, 2020)
Google's Threat Analysis group (TAG) says that hackers believed to be acting on behalf of China and Iran have targeted the US presidential campaigns of candidates in both major political parties. The attackers targeted campaign staff with spearphishing emails.
Read more in:
ZDNet: Google: Chinese and Iranian hackers targeted Biden and Trump campaign staffers
SC Magazine: Chinese, Iranian phishing campaigns target Biden, Trump campaigns
Reuters: Chinese and Iranian hackers targeted Biden and Trump campaigns, Google says
*************************** SPONSORED LINKS ******************************
1) Share your perception of the use of firewalls inside the modern enterprise and how your organization is using firewalls! Survey closes June 24th | http://www.sans.org/info/216620
2) Friday, July 24, 2020 at 10:30 AM EDT | SANS Malware & Ransomware Solutions Forum | Chaired by Jake Williams | http://www.sans.org/info/216625
3) Join Jake Williams on Tuesday, June 09, 2020 at 3:30 PM EDT where he will discuss "Implementing Lessons Learned from Threat Patterns on the Endpoint" | http://www.sans.org/info/216630
****************************************************************************
THE REST OF THE WEEK'S NEWS
--Large Scale WordPress Attack Campaign
(June 3, 2020)
Between May 29 and May 31, attackers tried to steal configuration files from more than 1.3 million WordPress websites. The attackers exploited known vulnerabilities in unpatched WordPress plugins and themes. Researchers at WordFence detected and blocked more than 130 million attempted attacks targeting the sites.
[Editor Comments]
[Neely] WordPress continues to be a popular target for exploitation. Mitigate the risks by ensuring that you've enabled WordPress core auto-updates. If you don't have a plugin that watches and updates plugins and themes automatically, you can enable those updates by adding a filter as per the WordPress Automatic Updates configuration page (https://wordpress.org/support/article/configuring-automatic-background-updates/: Configuring Automatic Background Updates). WordPress 5.5, when released, makes this easier to enable. Also, even with automatic updates, monitor your site to ensure it is updated and secure.
Read more in:
Threatpost: Attackers Target 1M+ WordPress Sites To Harvest Database Credentials
https://threatpost.com/attackers-target-1m-wordpress-sites-to-harvest-database-credentials/156255/
ZDNet: Large-scale attack tries to steal configuration files from WordPress sites
Wordfence: Large Scale Attack Campaign Targets Database Credentials
https://www.wordfence.com/blog/2020/06/large-scale-attack-campaign-targets-database-credentials/
--Zoom Explains Why End-to-End Encryption is for Paying Customers Only
(June 3 & 4, 2020)
Zoom says that its end-to-end encryption will be available to paying customers only because it will be easier for the company to comply with FBI requests for access to communications data. A Zoom spokesperson said "We plan to provide end-to-end encryption to users for whom we can verify identity, thereby limiting harm to these vulnerable groups. Free users sign up with an email address, which does not provide enough information to verify identity."
[Editor Comments]
[Pescatore] Zoom first has to get end-to-end encryption working before we spend much time on whether it should be part of a free offering. Other teleconferencing apps that do include end-to-end encryption on free services get revenue by collecting user information as part of offerings to advertisers - a major privacy issue. Others don't offer it for free either, or only upon submission of a request to support. Businesses evaluating competing offerings should make overall security management tools and security of the application software (especially the client-side agents) more highly weighted criteria than end-to-end encryption for this kind of application.
[Neely] When considering end-to-end encryption for video conferencing, understand both your data protection requirements and what the given solution provides. Know what and where content is not encrypted. For example, voice traffic over the PSTN is not encrypted until it reaches the entry point for the service. Also, understand who is managing the keys and who can access them. Lastly, look at any tradeoffs of using end-to-end encryption. The key exchange process may disable or impede functions you utilize, such as joining before the meeting host. Beyond encryption, make sure that you also have the other meeting security settings properly configured.
Read more in:
Wired: Zoom's End-to-End Encryption Will Be for Paying Customers Only
https://www.wired.com/story/zoom-end-to-end-encryption-paid-accounts/
Infosecurity Magazine: Zoom: Free Users Won't Get Encryption So We Can Help FBI
https://www.infosecurity-magazine.com/news/zoom-free-users-wont-get/
CNET: Zoom won't add end-to-end encryption to free calls so it can keep aiding police
--Zoom Addresses Two Remote Code Execution Flaws
(June 3, 2020)
Zoom has addressed two vulnerabilities that could be exploited to execute code remotely. Cisco Talos researchers detected the flaws earlier this year. They say that Zoom's mitigations fixed one of the flaws in May and partially addressed the other in a server-side update, but "Cisco Talos believes it still requires a fix on the client-side to completely resolve the security risk," according to a Talos Intelligence blog.
[Editor Comments]
[Ullrich] These flaws only affect earlier 4.x versions of Zoom. Current 5.x versions are not affected. You should be using the most recent 5.x version. If you are holding back because of virtual camera support, Zoom added virtual camera support back in recent 5.x versions. It was removed in late 4.x and early 5.x versions. Virtual camera support will allow the use of tools like Manycam to pre-process video.
Read more in:
Talos Intelligence: Vulnerability Spotlight: Two vulnerabilities in Zoom could lead to code execution
https://blog.talosintelligence.com/2020/06/vuln-spotlight-zoom-code-execution-june-2020.html
Cyberscoop: Zoom has partially fixed two new flaws, with other security hurdles ahead
https://www.cyberscoop.com/zoom-flaws-cisco-talos-encryption/
The Hacker News: Two Critical Flaws in Zoom Could've Let Attackers Hack Systems via Chat
https://thehackernews.com/2020/06/zoom-video-software-hacking.html
--Large Number of Exchange Servers Remain Unpatched Against Critical Flaw
(June 3, 2020)
According to Rapid7 Research's 2020: Q1 Threat Report, as many as 350,000 Microsoft Exchange Servers remain unpatched against a critical privilege elevation flaw. Microsoft released a patch for the vulnerability in February 2020.The flaw exists in the Exchange Control Panel component, which uses a static cryptographic key that is identical on every installation.
[Editor Comments]
[Pescatore] The patch has been out since February and the CISA CERT put out an alert in March about exploitation of CVE 2020-0688, but three months later 82% of Exchange servers are unpatched, according to Rapid7 scanning! This may indicate delayed server patching since Coronavirus shut downs hit - an important warning sign to check all patch levels immediately.
[Murray] Several of today's reports involve "patches." Unfortunately, the cost of using these popular but porous products includes the hidden cost of routine patching or accepting the risk of not doing so. Only you know which is the efficient strategy for your enterprise but for most it will be patching.
Read more in:
Rapid7: 2020: Q1 Threat Report | Microsoft Exchange Outlook Web Application (OWA)
https://www.rapid7.com/research/report/2020Q1-threat-report/
Dark Reading: Many Exchange Servers Are Still Vulnerable to Remote Exploit
DUO: Into the Great Wide Open With CVE-2020-0688
https://duo.com/decipher/into-the-great-wide-open-with-cve-2020-0688
--Kaspersky: Chinese APT Group's USBCulprit Malware Targets Air-Gapped Systems
(June 3 & 4, 2020)
Malware dubbed USBCulprit targets air-gapped devices. USBCulprit is being used by a Chinese advanced persistent threat (APT) group, known as Cycldek, that has been attempting to steal government and state secrets from Southeast Asian countries since 2013. Kaspersky says that USBCulprit has been used in attacks on systems in Vietnam, Thailand, and Laos.
Read more in:
SecureList: Cycldek: Bridging the (air) gap
https://securelist.com/cycldek-bridging-the-air-gap/97157/
Threatpost: Sophisticated Info-Stealer Targets Air-Gapped Devices via USB
https://threatpost.com/info-stealer-air-gapped-devices-usb/156262/
Dark Reading: Kaspersky IDs Sophisticated New Malware Targeted at Air-Gapped Systems
Bleeping Computer: USBCulprit malware targets air-gapped systems to steal govt info
--Cisco Semi-Annual IOS and IOS XE Software Security Advisory Bundled Publication
(June 3 & 4, 2020)
Cisco has released updates to address four critical vulnerabilities affecting equipment that use Cisco IOS and IOS XE software. The updates are part of Cisco's June 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication, which includes a total of 23 advisories addressing 25 vulnerabilities in IOS and IOS XE software.
[Editor Comments]
[Pescatore] This, and the Cisco Nexus vulnerability item, are another reminder that patch processes need to be extended to, and actually prioritized for, critical network security and operational appliances. The CVE-2020-0688 item indicates patching levels overall may have declined with the forced work at home status of employees.
Read more in:
ZDNet: Cisco's warning: Critical flaw in IOS routers allows 'complete system compromise'
Cisco: Cisco Event Response: June 2020 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication
https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-73388
Cisco: Cisco IOx for IOS XE Software Privilege Escalation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ioxPE-KgGvCAf9
Cisco: Cisco IOS Software for Cisco Industrial Routers Virtual Device Server Inter-VM Channel Command Injection Vulnerability
Cisco: Cisco IOS Software for Cisco Industrial Routers Arbitrary Code Execution Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ios-iot-rce-xYRSeMNH
--Cisco Releases Fix for Nexus Switch Flaw
(June 1 & 2, 2020)
Cisco has released a fix for a high severity vulnerability in its Nexus switches running NX-OS software. The flaw lies in the network stack and could be exploited to bypass network access controls or cause denial-of-service conditions.
Read more in:
Threatpost: Severe Cisco DoS Flaw Can Cripple Nexus Switches
https://threatpost.com/cisco-dos-flaw-nexus-switches/156203/
ZDNet: Cisco warns: These Nexus switches have been hit by a serious security flaw
kb.cert: IP-in-IP protocol routes arbitrary traffic by default
https://kb.cert.org/vuls/id/636397
Cisco: Cisco NX-OS Software Unexpected IP in IP Packet Processing Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-nxos-ipip-dos-kCT9X4
--Users Urged to Patch SAP Adaptive Server Enterprise Software
(June 3, 2020)
Researchers at Trustwave have found several vulnerabilities in SAP Adaptive Server Enterprise 16.0 database software. Two of the vulnerabilities are rated critical; they could be exploited to remotely execute code and manipulate system data. The were addressed in SAP's May update; users who have not patched their systems are advised to apply the patches as soon as possible.
Read more in:
Trustwave: System Takeover Through New SAP ASE Vulnerabilities
Bleeping Computer: Patch SAP Adaptive Server Enterprise now to avoid takeover risk
Threatpost: Critical SAP ASE Flaws Allow Complete Control of Databases
https://threatpost.com/critical-sap-ase-flaws-complete-control-databases/156239/
GovInfosecurity: Researchers Disclose 2 Critical Vulnerabilities in SAP ASE
https://www.govinfosecurity.com/researchers-disclose-2-critical-vulnerabilities-in-sap-ase-a-14375
--Mozilla Updates Firefox to Version 77, then to 77.0.1
(June 3 & 4, 2020)
On Tuesday, June 2, Mozilla released Firefox 77, which includes fixes for eight security issues. Five of the vulnerabilities are designated high impact; of those, three could be exploited to allow remote code execution. On Wednesday, June 3, Mozilla updated Firefox to version 77.0.1 in which it "disabled automatic selection of DNS over HTTPS providers during a test to enable wider deployment in a more controlled way."
[Editor Comments]
[Ullrich] DNS over HTTPS remains a hot topic. The original DNS protocol was designed to be very low latency and require minimum resources. No surprise that servers are having a hard time keeping up with requests once TLS and HTTP overhead is added.
[Neely] One of the concerns is not overloading the DNS over HTTPS (DOH) providers. DOH can be enabled and provider selected in the Firefox preferences under network settings. For enterprises, the current version of ESR is 68.9.0 also released June 2.
Read more in:
The Register: Update Firefox: Mozilla just patched three hijack-me holes and a bunch of other flaws
https://www.theregister.com/2020/06/04/firefox_77_security_fixes/
Bleeping Computer: Firefox 77.0.1 released to prevent DDoSing DoH DNS providers
Mozilla: Version 77.0.1, first offered to Release channel users on June 3, 2020
https://www.mozilla.org/en-US/firefox/77.0.1/releasenotes/
Mozilla: Mozilla Foundation Security Advisory 2020-20 | Security Vulnerabilities fixed in Firefox 77
https://www.mozilla.org/en-US/security/advisories/mfsa2020-20/
****************************************************************************
INTERNET STORM CENTER TECH CORNER
Type 2 Strackstrings
https://isc.sans.edu/forums/diary/Stackstrings+type+2/26192/
Polish Malspam Pushes ZLoader Malware
https://isc.sans.edu/forums/diary/Polish+malspam+pushes+ZLoader+malware/26196/
Anti-Debugging Technique Based on Memory Protection
https://isc.sans.edu/forums/diary/AntiDebugging+Technique+based+on+Memory+Protection/26200/
Suspending Suspicious Domain Feed/Update to Researcher IP Feed
Firefox Disables Automatic DNS over HTTPS Selection to Prevent DDoS
https://www.mozilla.org/en-US/firefox/77.0.1/releasenotes/
More Details About AddTrust External CA Root Expiration
https://www.agwa.name/blog/post/fixing_the_addtrust_root_expiration
VMware Cloud Director Vulnerability and Exploit
https://citadelo.com/en/blog/full-infrastructure-takeover-of-vmware-cloud-director-CVE-2020-3956/
Cisco Patches IP-in-IP Flaw
https://securityaffairs.co/wordpress/104192/security/ip-in-ip-flaw-cisco.html
Zoom Fixes Two Critical Flaws
https://blog.talosintelligence.com/2020/06/vuln-spotlight-zoom-code-execution-june-2020.html
Android Security Bulletin
https://source.android.com/security/bulletin/2020-06-01
Android Wallpaper Crash
https://www.androidauthority.com/android-wallpaper-crash-1124577/
Bank Transaction Comments Used for Abusive Messages
https://www.theregister.com/2020/06/04/commonwealth_bank_bans_indecent_transaction_descriptions/
STI Research Paper: Janusz Pazgier; Efficacy of UNIX HIDS
https://www.sans.org/reading-room/whitepapers/detection/efficacy-unix-hids-39565
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
