SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #46
June 9, 2020Ransomware Attacks Using Storage Devices; Critical Windows Vulnerability; DARPA's Bug Bounty
****************************************************************************
SANS NewsBites June 9, 2020 Vol. 22, Num. 046
****************************************************************************
TOP OF THE NEWS
Ransomware Attacks Targeting QNAP NAS Devices - Dangerous
SMBGhost Proof-of-Concept Exploit Code Released - Important
DARPA Announces Bug Bounty Program
REST OF THE NEWS
CPA Canada Data Breach Affects More Than 329,000 People
Phishing Scheme Targeting Members of German Coronavirus Task Force
Honda Network Problems in Europe and Japan May be Due to Ransomware
Maze Ransomware Encrypts Servers at VT San Antonio Aerospace
Fitness Depot Acknowledges Data Breach
Conduent Hit with Ransomware
Researchers Find Serious Security Issues in OmniBallot Online Voting System
INTERNET STORM CENTER TECH CORNER
******************** Sponsored By AWS Marketplace ***********************
Webinar Series June 18,2020 @ 2:00 EDT | Join Sounil Yu and AWS Marketplace to learn how you can better understand your sensitive data, including its location, configuration, and access privileges. Having the ability to identify and secure sensitive workloads through visibility layers and controls helps strengthen that understanding as well as your overall security posture. | http://www.sans.org/info/216635
****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
The worlds top cybersecurity courses
Taught by real world practitioners
Ideal preparation for more than 30 GIAC Certifications
Take advantage of the current promotional offer Featuring a Free iPad Air w/Smart Keyboard, Surface GO, Or $300 Off through June 10
https://www.sans.org/online-security-training/specials/
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In Person and Live Online Events:
2-Day Firehose Training | June 29-30 | Live Online
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
SANS Summer of Cyber: Week 1 | July 6-11 | Live Online
- https://www.sans.org/event/summer-of-cyber-jul-6
DFIR Summit & Training | July 16-25 | Live Online
- https://www.sans.org/event/digital-forensics-summit-2020
SANS Network Security 2020 | September 20-27 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
****************************************************************************
TOP OF THE NEWS
--Ransomware Attacks Targeting QNAP NAS Devices - Dangerous
(June 5, 2020)
Operators of the eCh0raix ransomware have begun a campaign that targets QNAP network-attached storage (NAS) devices. The attackers are gaining access to the devices through known vulnerabilities or through brute-force password attacks.
[Editor Comments]
[Ullrich] If you own a QNAP or similar storage device (Netgear, Synology, Western Digital..), do the following today: (1) Patch. These devices tend to be difficult to patch. You will need to be careful to not disrupt any work if users use the device to store documents they work on, or worse, if the device is used as an iSCSI drive in a virtual environment. (2) Make sure the device is not exposed to the internet. (3) Uninstall all components that are not required to operate the device. These devices often come with a large number of vulnerable web applications preinstalled. Uninstall as many of them as possible. Vendors try to sell these functions based on the number of features bundled with them. It is easy and cheap to add features by adding random open source components to the device. But vendors also often fail to secure these components and with patching being difficult, these devices will be compromised after some time exposed to the internet.
[Neely] Update the QNAP OTS and Security Counselor software, use stronger admin passwords, limit network accessibility, disable Telnet and unused SSH services and enable QNAP snapshot service. Flaws in eCh0raix have been fixed which neutralized the free decryption option released by BloodDolly.
[Murray] NAS devices should not be connected to the public networks or hidden by end-to-end application layer encryption.
Read more in:
Bleeping Computer: Ongoing eCh0raix ransomware campaign targets QNAP NAS devices
ZDNet: QNAP NAS devices targeted in another wave of ransomware attacks
https://www.zdnet.com/article/qnap-nas-devices-targeted-in-another-wave-of-ransomware-attacks/
--SMBGhost Proof-of-Concept Exploit Code Released - Important
(June 5, 6, & 8, 2020)
The US Department of Homeland Securitys Cybersecurity and Infrastructure Security Agency (CISA) has warned that functional proof-of-concept code to exploit a known vulnerability in Microsoft Windows is publicly available. The flaw, SMBGhost, lies in version 3.1.1 of the Microsoft Server Message Block protocol; it affects Windows 10 and Windows Server 2019. Microsoft released a fix for the issue in March 2020.
[Editor Comments]
[Ullrich] This is not a big deal because we all patch our Windows systems on patch Tuesday (today..) and we would never allow SMB to traverse our perimeter. If this statement is not true for your organization: Panic. You are probably already compromised by an exploit targeting dozens of other vulnerabilities.
[Neely] The critical Microsoft patch for CVE-2020-0796 was released March 12th and affects both Windows 10 and Windows Server versions 1093 & 1909. While the risk can be mitigated slightly by disabling SMB compression and blocking port 445, the complete fix is to apply the patch, particularly with an increased percentage of remote workers.
Read more in:
Ars Technica: Exploit code for wormable flaw on unpatched Windows devices published online
Threatpost: SMBGhost RCE Exploit Threatens Corporate Networks
https://threatpost.com/smbghost-rce-exploit-corporate-networks/156391/
SC Magazine: Attackers are using exploit code for SMBGhost bug, CISA warns
US-CERT: Unpatched Microsoft Systems Vulnerable to CVE-2020-0796
--DARPA Announces Bug Bounty Program
(June 8, 2020)
The US Defense Departments Defense Advanced Research Project Agency (DARPA) has announced a bug bounty program. The focus will be on DARPA's System Security Integration Through Hardware and Firmware (SSITH). Synack, a security company partnering with DARPA for the program, is holding a Capture-the-Flag (CTF) qualifying competition which runs from June 15-29, 2020. The DARPA bug bounty program will run from July-September 2020.
[Editor Comments]
[Pescatore] This will be an interesting one to watch. Good to see DoD building on the success of years of Hack-the-Pentagon managed bug bounty programs but this has a different focus than almost all previous bug bounty programsfinding vulnerabilities in specialty hardware. This is badly neededthe vulnerabilities in Apples A4 chip and in PC motherboards and basement management controllers have made this very clear. Much more specialized skills are required, but too often hardware devices have relied on security through obscurity. Programs like this can shine a bright light on why that doesnt work.
Read more in:
DARPA: DARPA Announces First Bug Bounty Program to Hack SSITH Hardware Defenses
https://www.darpa.mil/news-events/2020-06-08a
Synack: FETT Bug Bounty Program with Synack, DARPA, and DDS
https://go.synack.com/darpa-ctf-registration-page.html
Cyberscoop: DARPA invites hackers to break hardware to make it more secure
https://www.cyberscoop.com/darpa-bug-bounty-hardware-synack/
Dark Reading: DARPA Launches Bug Bounty Program
******************************* SPONSORED LINKS ********************************
1) Splunk Security Predictions 2020. Download Splunk's IT Security Predictions 2020 to learn how to best protect your organization, and your data, against a fast-approaching future. | http://www.sans.org/info/216640
2) Take the 2020 SANS Enterprise Cloud Incident Response Survey and provide insight into your current state of enterprise cloud incident response capabilities. Survey closes June 15th. | http://www.sans.org/info/216645
3) Webcast June 11,2020 @ 10:30am EDT | Join Jake Williams and Tamas Boczan as they present "A Wolf in Sheep's Clothing: Dissecting Living off the Land Techniques" | http://www.sans.org/info/216660
**********************************************************************************
THE REST OF THE WEEK'S NEWS
--CPA Canada Data Breach Affects More Than 329,000 People
(June 4 & 8, 2020)
Chartered Professional Accountants of Canada (CPA Canada) has acknowledged a data breach that affected personal information of more than 329,000 individuals. The majority of the compromised information is related to the CPAS Magazine mailing list. The breach was detected after a phishing campaign targeted CPA Canada members earlier this year.
Read more in:
SC Magazine: CPA Canada breach put 329,000 accounting pros at risk
Bleeping Computer: CPA Canada discloses data breach affecting 329,000 individuals
Infosecurity Magazine: CPA Canada Breach Hits Over 300,000 Accountants
https://www.infosecurity-magazine.com/news/cpa-canada-breach-hits-over-300000/
Newswire: CPA Canada Provides Notice of Data Security Incident
--Phishing Scheme Targeting Members of German Coronavirus Task Force
(June 8, 2020)
A phishing scheme has targeted more than 100 executives of German multinational company involved in procuring personal protective equipment (PPE) for COVID-19 frontline healthcare workers. The unnamed company is part of a task force commissioned to use international contacts and knowledge to help obtain PPE.
[Editor Comments]
[Neely] With the current environment and pressure to deliver solutions, users are more susceptible than usual to these sorts of attacks. One of the best mitigations for credential harvesting attacks like this is implementing multi-factor authentication, reducing the value of any captured credentials.
Read more in:
Security Intelligence: German Task Force for COVID-19 Medical Equipment Targeted in Ongoing Phishing Campaign
Threatpost: Phishing Attack Hits German Coronavirus Task Force
https://threatpost.com/phishing-attack-german-coronavirus-task-force/156377/
Cyberscoop: Hackers target senior executives at German company procuring PPE
https://www.cyberscoop.com/germany-ppe-coronavirus-hackers-ibm/
SC Magazine: German phishing scheme preyed on high-level execs needing PPE
--Honda Network Problems in Europe and Japan May be Due to Ransomware
(June 8, 2020)
Automobile manufacturer Honda is investigating computer problems affecting networks in Japan and Europe; the issues may be due to a ransomware infection. Honda told Bleeping Computer that it can confirm that there is an issue with its IT network. This is currently under investigation, to understand the cause.
Read more in:
Bleeping Computer: Honda investigates possible ransomware attack, networks impacted
Sky: Japanese car giant Honda probes suspected cyber attack
https://news.sky.com/story/japanese-car-giant-honda-probes-suspected-cyber-attack-12002837
--Maze Ransomware Encrypts Servers at VT San Antonio Aerospace
(June 5 & 8, 2020)
The network of VT San Antonio Aerospace (VT SAA) was infected with Maze ransomware. The malware operators stole data from the company before encrypting company servers. VT SAA provides maintenance, repair, and overhaul services for North American aircraft.
[Editor Comments]
[Neely] The attack on VT SAA and Westech are further indicators that the Maze Operators are focusing more on US Defense contractors. The Maze operators are not only attempting to sell data they have exfiltrated, but are also working with other cybercriminal gangs to auction off their stolen data. The trick is catching and stopping the data exfiltration before the attack moves to the encryption stage.
Read more in:
Bleeping Computer: US aerospace services provider breached by Maze Ransomware
Gov Infosecurity: Maze Ransomware Gang Hits Defense Contractor ST Engineering
https://www.govinfosecurity.com/maze-ransomware-gang-hits-defense-contractor-st-engineering-a-14399
--Fitness Depot Acknowledges Data Breach
(June 5, 2020)
Canadian fitness equipment retailer Fitness Depot has acknowledged a data breach affecting its ecommerce platform. Details of the incident suggest that the system was infected with Magecart skimming malware. Affected customers who conducted transactions for delivery or for in-store pick-up between February 18 and May 22, 2020. The compromised information includes names, street and email addresses, phone numbers, and payment card data.
[Editor Comments]
[Murray] We now have the tools to resist "card not present" fraud if we would only use them. Consumers should prefer online merchants that use check-out proxies such as PayPal, Apple Pay, and Click-to-Pay. Otherwise they should use one-time or one-merchant tokens from Privacy.com or others in lieu of Primary Account Numbers. The card brands should be encouraging online merchants to use Click-to-Pay, their co-branded check-out proxy.
Read more in:
Bleeping Computer: Fitness Depot hit by data breach after ISP fails to 'activate the antivirus'
Document Cloud: Notice of Data Breach (PDF)
https://assets.documentcloud.org/documents/6937614/Fitness-Depot-Notice-of-Data-Breach.pdf
--Conduent Hit with Ransomware
(June 5, 2020)
Operators of the Maze ransomware hit systems at IT services firm Conduent late last month. The company says the attack caused just a partial interruption and that most systems were operating as usual within hours of the attack.
[Editor Comments]
[Murray] A plan for mitigating "ransomware" and other data changing attacks must include rapid restoration of mission critical applications.
Read more in:
Cyberscoop: Ransomware crooks attack Conduent, another large IT provider
https://www.cyberscoop.com/conduent-maze-ransomware/
Infosecurity Magazine: IT Services Firm Conduent Felled by Maze Ransomware
https://www.infosecurity-magazine.com/news/it-services-firm-conduent-felled/
--Researchers Find Serious Security Issues in OmniBallot Online Voting System
(June 7 & 8, 2020)
Researchers from the Massachusetts Institute of Technology (MIT) and the University of Michigan have released a report detailing their findings about the security of the OmniBallot Internet voting and ballot delivery system. OnmiBallot, which is produced by Democracy Live, has been used in the past to let voters print ballots, complete them by hand, and return them by mail. For the 2020 election, the system will include online ballot return. The researchers, J. Alex Halderman and Michael Specter, write that the safest option is to avoid using OmniBallot. They note that OmniBallot is vulnerable to vote manipulation by malware on the voters device and by insiders or other attackers and that it appears not to have a privacy policy.
[Editor Comments]
[Pescatore] Two analogies here: (1) A few years ago, I had rotator cuff surgery and the morning of the operation the surgeon came to the prep room with a black marker and wrote This arm and his signature on my right arm; (2) I have never seen, and never want to see, a traffic light that is showing green in all four directions. Errors in presidential elections are pretty much up there with operations on the wrong body part or cars colliding at intersections. There needs to be both manual mechanisms and auditing and safety interlocks built-in to any software-based voting system, just as it is built into surgical procedures even though we have Electronic Health Records, and in traffic signal controller hardware even though we have online light control systems. Every state has rigorous control of traffic lights and there are national standards for them, as well. Since election systems are considered part of the critical national infrastructure, they should be treated just as rigorously.
[Neely] If you must use OmniBallot, the most secure option for remote voting remains printing, hand marking, and then returning a paper ballot by mail. The electronic ballot return mechanisms dont include sufficient anti-tampering protections, and even when printing paper ballots, if youre using the application to mark your ballot, OmniBallot collects and sends privacy information from the voters for tabulation. As electronic voting continues to move forward, rigorous testing and validation of security is essential to election integrity and voter confidence.
[Murray] There is a fundamental flaw in all such systems. If one makes the ballot unique, even though it would require collusion between the issuer and the counter of ballots, the voter cannot be sure that it cannot be identified with him.
Read more in:
Internet Policy: How to Protect Your Vote
https://internetpolicy.mit.edu/omniballot-advice/
Internet Policy: Security Analysis of the Democracy Live Online Voting System (PDF)
https://internetpolicy.mit.edu/wp-content/uploads/2020/06/OmniBallot.pdf
Statescoop: Researchers say OmniBallot online voting platform is vulnerable to manipulation
NYT: Amid Pandemic and Upheaval, New Cyberthreats to the Presidential Election
https://www.nytimes.com/2020/06/07/us/politics/remote-voting-hacking-coronavirus.html
******************************************************************************
INTERNET STORM CENTER TECH CORNER
PHP FastCGI Attacks
https://isc.sans.edu/forums/diary/Not+so+FastCGI/26208/
Protest Cybersecurity
https://isc.sans.edu/forums/diary/Cyber+Security+for+Protests/26210/
Translating BASE64 Obfuscated Scripts
https://isc.sans.edu/forums/diary/Translating+BASE64+Obfuscated+Scripts/26214/
uBlock Origin Blocks Portscans
QNAP Vulnerability
https://www.qnap.com/en/security-advisory/qsa-20-01
Fake Ransomware Decryptor
GNUTLS TLS 1.3 Machine in the Middle
https://gitlab.com/gnutls/gnutls/-/issues/1011
CallStranger UPNP Vulnerability
Shellcode Analysis 101
https://www.sans.org/webcasts/sansatmic-shellcode-analysis-101-114160
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
