SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #48
June 16, 2020In SANS' first "Blueprint" podcast, the nation's highest-rated teacher of SOC management, John Hubbard, and his guest Mark Orlando give you actionable information on key data types to collect, defining characteristics of modern attackers, and a really useful mindset that may help defend your organization against those modern attacks. It's free.
See "Shock to the System: Re-Evaluating Your Security Operations" at https://www.sans.org/blueprint-podcast
****************************************************************************
SANS NewsBites June 16, 2020 Vol. 22, Num. 048
****************************************************************************
TOP OF THE NEWS
Australian Beverage Company Falls Prey to Ransomware
Knoxville Ransomware Attack: More Details
Honda Resumes Production After Ransomware Attack
REST OF THE NEWS
Outages Across the US Blamed on Network Configuration Changes
South African Bank Must Reissue 12 Million Payment Cards After Breach
June's Windows 10 Cumulative Update Causes Problems
Citizen Lab and Amnesty International: Spyware Campaign Targeted Indian Human Rights Activists
D-Link Router Vulnerabilities
Cybersecurity Bills Introduced in US Senate
Data From Multiple Dating Apps Exposed
INTERNET STORM CENTER TECH CORNER
********************** Sponsored By Splunk *******************************
Graphic Novel: Through the Looking Glass Table, Issue 1. Check out the first episode of our graphic novel, Who Spilled the Data? to discover how machine data, as well as an analytics-driven security platform, log management, SIEM, UEBA and SOAR solutions, can get anyone -- ranging from IT managers to the most sophisticated SOC analysts -- ahead of the game, so they can better understand and respond to incidents, breaches, phishing attempts, insider threats, unwanted cryptomining and more. | http://www.sans.org/info/216710
****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two
convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Take advantage of the current promotional offer
Get a Free GIAC Certification Attempt or Take $350 Off with OnDemand or Live Online Training through June 24
https://www.sans.org/online-security-training/specials/
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In Person and Live Online Events:
2-Day Firehose Training | June 29-30 | Live Online
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
SANS Summer of Cyber | July 6-17 | Live Online
- https://www.sans.org/event/summer-of-cyber-jul-6
DFIR Summit & Training | July 16-25 | Live Online
- https://www.sans.org/event/digital-forensics-summit-2020
SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
****************************************************************************
TOP OF THE NEWS
--Australian Beverage Company Falls Prey to Ransomware
(June 11, 12, & 15, 2020)
Australian beverage company Lion has acknowledged that a ransomware attack last week was responsible for "a partial IT system outage," and that the company "immediately shut down key systems as a precaution."
[Editor Comments]
[Neely] Lion is attempting to rebuild rather than pay the ransomware and believes no sensitive data were impacted or exfiltrated. Recovery has necessitated stopping beverage production, just as restrictions are being loosened and Australians are slowly returning to pubs, restaurants, and clubs.
[Murray] [Editor Comments]
"Ransomware" attacks have become so routine that every enterprise must have a plan for resisting and mitigating such attacks. While "shutting down key systems" may be part of such a plan, it should be planned rather than ad hoc.
Read more in:
SC Magazine: Ransomware attack compromises Australian beer supply
The Register: Now you've done it: Cyber attack targeted Australian brewery 'n' dairy biz Lion
https://www.theregister.com/2020/06/11/australia_brewery_lion_cyber_attack/
ZDNet: Lion warns of beer shortages following ransomware attack
https://www.zdnet.com/article/lion-warns-of-beer-shortages-following-ransomware-attack/
LionCo: Lion Cyber incident update 15 June 2020
https://www.lionco.com/media-centre/lion-update-re-cyber-issue
--Knoxville Ransomware Attack: More Details
(June 12, 2020)
The city of Knoxville, Tennessee, was hit with a ransomware attack last week. The attack prevented police from responding to non-emergency car accidents and forced court sessions to be rescheduled. Knox County systems did not appear to be affected, but connectivity between the networks has been cut off until the issue is resolved. Local news reports say that the hackers have contacted the city to demand a ransom to be paid. There is no word on whether or not the city intends to pay.
Read more in:
Threatpost: Knoxville Ransomware Attack Leads to IT Network Shutdown
https://threatpost.com/knoxville-ransomware-attack-leads-to-it-network-shutdown/156537/
--Honda Resumes Production After Ransomware Attack
(June 11, 2020)
A Honda spokesperson said the company has resumed production at plants in the US, Turkey, India, Brazil and other countries. Some Honda call centers and certain online functions were still affected by the attack. Honda's computer network was infected with ransomware earlier this month.
Read more in:
Reuters: Honda resumes production at plants hit by suspected cyber attack
***************************** SPONSORED LINKS *****************************
1) Cyber Solutions Fest | This FREE action packed 2-day virtual event brings together an ensemble of security professionals, solution providers, and experts ready to share the latest developments and innovative technologies in the cybersecurity industry. | October 8-9, 2020 | http://www.sans.org/info/216715
2) Webcast | June 23, 2020 at 12:00 PM EDT | Join John Pescatore, Brian Brockway, David DeVries as they discuss "Securing your data, your recovery and your mission" | http://www.sans.org/info/216720
3) Free Virtual Event | SANS Oil & Gas Solutions Forum: Objective-based Security Drives Effective Solutions | Chairman: Jason Dely | July 10, 2020 at 9:30 AM EDT | http://www.sans.org/info/216725
****************************************************************************
THE REST OF THE WEEK'S NEWS
--Outages Across the US Blamed on Network Configuration Changes
(June 15, 2020)
Numerous service outages across the US on Monday, June 15, affected mobile providers, ISPs, streaming services, social media platforms and games. While there has been some speculation that the problems were the result of a massive distributed denial-of-service (DDoS) attack, a tweet from Cloudflare CEO Matthew Prince said the cascading failures were caused by "T-Mobile ... making some changes to their network configurations ... [that] went badly."
[Editor Comments]
[Pescatore] Once again, I'll skew old here: just over 30 years ago, a botched ATT switch upgrade took down around half of ATT's network for almost 8 hours. That was 4 years before the first browser came out, but it was a serious interruption to major path of "online" orders of the day. Good reminder about backup plans for employee connectivity during current and future work at home. Cellular data service is not immune to outages either, but most mobile phones can be used as hot spots for backup purposes. Lance Spitzner of SANS has blogged security guidelines for personal hotspots at https://www.sans.org/security-awareness-training/blog/security-awareness-iphone-personal-hotspot-feature
[Neely] Routing configuration mistakes have a much more dramatic impact and take longer to rectify than they once did. When I started telecommuting full time, a mentor and seasoned telecommuter wisely advised me to have both a backup computer and a backup network connection such as a cellular hotspot. He also advised me to keep both updated and operational as you never know when they'll be pressed into service. Today, I would add QOS, no data cap, and minimum bandwidth to that list.
Read more in:
SC Magazine: Outages draw speculation of DDoS attack on U.S. but reality likely more 'boring'
Twitter: Matthew Prince
https://twitter.com/eastdakota/status/1272678705903685633
--South African Bank Must Reissue 12 Million Payment Cards After Breach
(June 15, 2020)
South Africa's Postbank will reissue more than 12 million payment cards to its customers following a December 2018 breach. The bank's 32-character master encryption key, which is used to generate keys for customers' payment cards, was stolen. Between March and December 2019, thieves accessed Postbank accounts and conducted more than $3.2 million in fraudulent transactions. The issue affects not only payment cards, but also cards issued to people for receiving government benefits.
[Editor Comments]
[Neely] This is a good story of not only why we protect master encryption keys but also why separation of duties is paramount. Also, master keys and the people who can access them need to be updated periodically to prevent fraud. Lastly, store the keys on dedicated resources designed to protect them.
[Pescatore] Just replacing the cards will cost Postbank $60M; the total cost of the failures that enabled this insider attack will likely be twice that. The failure was in access control of high privilege administrators in what should also require two-person control under onerous change control, tracking, and auditing. That extraordinary level of control over encryption keys is key to the value of encryption and the cost of doing so is invariably a small fraction of the cost of compromise.
[Murray] Encryption keys are more likely to be compromised when they are used. Keys that are used routinely should be changed routinely.
Read more in:
ZDNet: South African bank to replace 12m cards after employees stole master key
--June's Windows 10 Cumulative Update Causes Problems
(June 12, 2020)
Users have been reporting that Microsoft's latest cumulative update for Windows 10 has caused problems with their networked printers. Users have also been reporting that they have been unable to launch some applications after installing the update.
Read more in:
Computerworld: June cumulative updates cause multiple problems with network printers
ZDNet: Windows 10 printer mystery: More complain June Patch Tuesday is causing havoc
The Register: Wailing Wednesday follows Patch Tuesday as versions of Windows 10 stop playing nicely with plugged-in printers
https://www.theregister.com/2020/06/12/microsoft_printer_problems/
Bleeping Computer: Windows 10 printing breaks due to Microsoft June 2020 updates
Bleeping Computer: Recent Windows 10 updates block programs from running
--Citizen Lab and Amnesty International: Spyware Campaign Targeted Indian Human Rights Activists
(June 15, 2020)
A joint report from Citizen Lab and Amnesty International describes a spyware scheme that targeted human rights defenders in India. The nine individuals, who are lawyers, activists, and journalists, were targeted with spear phishing emails crafted to install malware that tracked their communications. Three of the nine people are also believed to have been targeted by NSO's Pegasus spyware.
Read more in:
Citizen Lab: Citizen Lab and Amnesty International Uncover Spyware Operation Against Indian Human Rights Defenders
Cyberscoop: Research shows human rights activists in India were targeted with spyware, including NSO's Pegasus
https://www.cyberscoop.com/india-spyware-nso-group-amnesty-international-citizen-lab/
Amnesty: India: Human Rights Defenders Targeted by a Coordinated Spyware Operation
--D-Link Router Vulnerabilities
(June 12, 2020)
Researchers at Palo Alto Networks Unit 42 global threat intelligence team have found six vulnerabilities on D-Link routers. The flaws affect the DIR-865L model of D-Link routers, a model used for home networks. The researchers found the vulnerabilities in late February 2020. D-Link released a beta patch in late May but noted that support for the routers ended in February 2016. D-Link is urging users to replace the outdated devices.
[Editor Comments]
[Ullrich] It is a sad truth of IoT security that, too often, the upgrade path to fix a security vulnerability involves a dumpster. These devices still function well and may have a few years of life left in them. There are reports of being able to install open source firmware on these devices, but doing so will involve opening the device and soldering a connect to the board. Maybe a good lesson to be learned from buying highly proprietary products.
[Neely] The DIR-865L was D-Link's first router to support 802.11ac released in June of 2012. While D-Link provides instructions for installing the updated beta firmware, the better fix is to replace these devices with current routers which have active support and newer technology and security options.
Read more in:
Unit 42: 6 New Vulnerabilities Found on D-Link Home Routers
https://unit42.paloaltonetworks.com/6-new-d-link-vulnerabilities-found-on-home-routers/
Cyberscoop: Palo Alto Networks reveals D-Link home router vulnerabilities
https://www.cyberscoop.com/d-link-home-routers-vulnerabilities-palo-alto-networks/
Threatpost: WFH Alert: Critical Bug Found in Old D-Link Router Models
https://threatpost.com/work-from-home-alert-critical-d-link-bug/156573/
DLink: DIR-865L :: Rev. Ax :: End of Service Product :: Multiple Vulnerabilities
https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10174
--Cybersecurity Bills Introduced in US Senate
(June 15, 2020)
US Senator Gary D. Peters (D-Michigan) has introduced two bills aimed to improving the country's cyber security defenses. The Continuity of Economy Act would direct the White House to "develop a plan to ensure essential functions of the economy are able to continue operating in the event of a cyberattack." The bill grew out of a recommendation made by the Cyber Solarium Commission. The National Guard Cybersecurity Interoperability Act of 2020 would help ensure that the National Guard could provide remote cybersecurity support in the event of a cyber incident.
Read more in:
MeriTalk: Two Bills to Bolster Cyber Defenses Introduced in the Senate
https://www.meritalk.com/articles/two-bills-to-bolster-cyber-defenses-introduced-in-the-senate/
--Data From Multiple Dating Apps Exposed
(June 15, 2020)
Researchers found 845 gigabytes of data from a number of dating apps in misconfigured AWS buckets. The researchers who found the unprotected data noticed similarities between the apps that suggested they had a common developer. They reached out to one of the apps, which "quickly replied, asking for additional details about the breach." The researchers sent a link to the unsecured AWS bucket for that particular app; that same day, buckets for all the affected apps were locked down. The exposed data include photos, audio recordings, and screenshots of private chats.
[Editor Comments]
[Pescatore] It may seem like an odd comparison, but all online teleconferencing applications are similar to dating apps - lots of sensitive information needing to (or at least wanting to) be shared, much of it stored and almost all of it stored on cloud storage services that are often misconfigured. This item is a good reminder that we need to remind admins and employees of the security guidelines for online teleconferencing.
Read more in:
vpnMentor: Report: Niche Dating Apps Expose 100,000s of Users in Massive Data Breach
https://www.vpnmentor.com/blog/report-dating-apps-leak/
Wired: Dating Apps Exposed 845GB of Explicit Photos, Chats, and More
https://www.wired.com/story/dating-apps-leak-explicit-photos-screenshots/
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Fileless Excel Malware
https://isc.sans.edu/forums/diary/Malicious+Excel+Delivering+Fileless+Payload/26232/
HTML Based Phishing Run
https://isc.sans.edu/forums/diary/HTML+based+Phishing+Run/26242/
Windows Update Issues
Privnote.com Phishing
Major T-Mobile Outage (may affect other carriers as well)
https://twitter.com/NevilleRay/status/1272650750665953280
https://status.duo.com/incidents/txv7kq6tr0h8
Vulnerabilities in LTE and 5G Networks
https://positive-tech.com/storage/articles/gtp-2020/threat-vector-gtp-2020-eng.pdf
SANSFIRE Handler Talks
Xavier Mertens: https://www.sans.org/webcasts/sansatmic-walk-logs-hell-115420
Bojan Zdrnja: https://www.sans.org/webcasts/sansatmic-arcane-web-mobile-application-vulnerabilities-115425
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create