SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #5
January 17, 2020
Exploit Code Released for Critical Cryptographic Flaw in Windows; The U.S. National Cybersecurity Talent Discovery Program; Russian Hackers Breached Ukrainian Gas Company
NSA played a central role in this week's critical cryptographic vulnerability affecting tens of millions of Windows systems. Upon discovering the flaw, NSA moved quickly to protect systems rather than exploiting the vulnerability until information about it leaked out. And they did it with government-wide and vendor coordination. Impressive.
****************************************************************************
SANS NewsBites January 17, 2020 Vol. 22, Num. 005
****************************************************************************
TOP OF THE NEWS
Proof-of-Concept Exploit Code Released for Critical Cryptographic Flaw in Windows 10
Microsoft Patch Tuesday
The U.S. National High School Cybersecurity Talent Discovery Program
Report: Russian Hackers Breached Systems at Ukrainian Gas Company Burisma
REST OF THE WEEK'S NEWS
Adobe Patch Tuesday
Oracle Critical Patch Update for January 2020
Android Mobile App Data Sharing is "Out of Control"
P&N Bank Discloses Breach
Users Urged to Patch Cisco Data Center Network Manager Vulnerabilities
WordPress Plugin Flaws Affect 320,000 Sites
Alleged Swatter Arrested
Ryuk Ransomware Tries to Wake Powered-Down Devices
FBI Changes Breach Notification Policy for Election Systems
INTERNET STORM CENTER TECH CORNER
************************* Sponsored By SANS ******************************
Join SANS Chris Crowley and experts from SaltyCloud, Swimlane and ThreatConnect for this informative half day event as they provide actionable examples of the sequence of steps your organization needs to utilize security orchestration, automation and response tools. FREE to attendees with Discount Code AUTO20. http://www.sans.org/info/215285
*****************************************************************************
Cybersecurity Training Update
-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Munich March 2020 | March 2-7 | https://www.sans.org/event/munich-march-2020
-- SANS Northern VA - Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020
-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020
-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020
-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020
-- SANS OnDemand and vLive Training
Get an iPad (32G), a Samsung Galaxy Tab A, or Take $250 Off through January 22 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--Proof-of-Concept Exploit Code Released for Critical Cryptographic Flaw in Windows 10
(January 14, 15, & 16, 2020)
The US National Security Agency (NSA) has deemed a cryptographic flaw it found in Windows 10 so critical that it took the unusual step of disclosing the flaw itself. The flaw could be exploited to spoof code signing certificates. The issue also affects Windows Server 2016 and 2019 and "applications that rely on Windows for trust functionality." The Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing federal agencies to patch the issue by January 29. Proof-of-concept exploit code for the vulnerability has been released.
[Editor Comments]
[Ullrich] SANS created a test site at https://curveballtest.com. The site also offers a benign executable that was signed with an exploit signature. Use it to test your defenses. Many endpoint protection products and even Chrome have added rules to detect bad signatures, possibly protecting you even if you are not yet patched.
Read more in:
Defense: Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers (PDF)
https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
DHS: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday
https://cyber.dhs.gov/ed/20-02/
FNN: CISA demands 'emergency action' from agencies on Windows vulnerability patch
Wired: Windows 10 Has a Security Flaw So Severe the NSA Disclosed It
https://www.wired.com/story/nsa-windows-10-vulnerability-disclosure/
SC Magazine: NSA reveals to Microsoft critical Windows 10 flaw
ZDNet: Proof-of-concept exploits published for the Microsoft-NSA crypto bug
https://www.zdnet.com/article/proof-of-concept-exploits-published-for-the-microsoft-nsa-crypto-bug/
Ars Technica: Critical Windows 10 vulnerability used to Rickroll the NSA and Github
Ars Technica: Patch Windows 10 and Server now because certificate validation is broken
Dark Reading: Microsoft Patches Windows Vuln Discovered by the NSA
Threatpost: PoC Exploits Published For Microsoft Crypto Bug
https://threatpost.com/poc-exploits-published-for-microsoft-crypto-bug/151931/
--Microsoft Patch Tuesday
(January 14, 2020)
On Tuesday, January 14, Microsoft released fixes for 50 security issues, including a critical cryptographic vulnerability in Windows 10. While that vulnerability has grabbed headlines, users are also being urged to apply the update to fix a pair of Remote Desktop Protocol (RDP) vulnerabilities. January 14 also marks the last update Microsoft will provide for Windows 7; the operating system will no longer be supported for home users.
[Editor Comments]
[Ullrich] Do not overlook the RD Gateway issues (CVE-2020-0609 and CVE-2020-0610). These are critical and on the same level as the famous "BlueKeep" vulnerability in RDP if you are using RD Gateway.
[Neely] DHS/CISA considers these vulnerabilities severe enough to have issued Emergency Directive 20-02 (https://cyber.dhs.gov/ed/20-02/), which requires federal agencies to apply these patches within ten business days (1/29/20) as well as report progress on applying the fixes. DHS's last emergency directive was ED 19-01 (Jan. 22, 2019) to "Mitigate DNS Infrastructure Tampering." It is expected that products that leverage the Microsoft crypto library, or otherwise use or implement ECC, should be checked for similar flaws. Vendors are starting to publish their assessments.
Read more in:
KrebsOnSecurity: Patch Tuesday, January 2020 Edition
https://krebsonsecurity.com/2020/01/patch-tuesday-january-2020-edition/
The Register: Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows cert-spoofing bugs, RDP flaws...
https://www.theregister.co.uk/2020/01/14/patch_tuesday_january_2020/
ZDNet: Microsoft January 2020 Patch Tuesday fixes 49 security bugs
https://www.zdnet.com/article/microsoft-january-2020-patch-tuesday-fixes-49-security-bugs/
Ars Technica: Another reason to hurry with Windows server patches: A new RDP vulnerability
MSRC: Security Update Summary
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
--The U.S. National High School Cybersecurity Talent Discovery Program
(January 17, 2020)
The U.S. National high school cybersecurity talent discovery program (an extracurricular program) has 6,669 high school girls participating in just the first four days of the multi-week program. Texas, New Jersey and Nevada are leading the nation with Maryland and Virginia rounding out the top 5. In all those states and in 22 more, governors personally invited students to "just try it." California seems to be gaining momentum - reflecting Cisco's initiatives to encourage employees to get the word out and help high school teams. Playing the game doubles the likelihood that a young woman will be interested in pursuing computer science. And students learn far more while playing than in any other cybersecurity competition and in fact more than in most high school or college cybersecurity classes.
[Paller] Boys also get to play in every school where five or more girls are making progress.
Texas success:
KXAN: Girls' cybersecurity contest aims to promote equity, fill worker shortage
More info at www.girlsgocyberstart.org
--Report: Russian Hackers Breached Systems at Ukrainian Gas Company Burisma
(January 14, 15, & 16, 2020)
According to a report from security company Area 1, Russian hackers successfully targeted systems at Ukrainian gas company Burisma through phishing attacks late last year. The attacks appear to be an effort to obtain potentially embarrassing information to be used against Joe Biden. Biden's son once served on Burisma's board of directors. Ukraine's Ministry of Internal Affairs has begun criminal proceedings in connection with the attacks, and is reportedly seeking help from the FBI.
Read more in:
CDN.area1security: PHISHING BURISMA HOLDINGS (PDF)
https://cdn.area1security.com/reports/Area-1-Security-PhishingBurismaHoldings.pdf
NYT: Russians Hacked Ukrainian Gas Company at Center of Impeachment
https://www.nytimes.com/2020/01/13/us/politics/russian-hackers-burisma-ukraine.html
CS Monitor: Russians hacked Ukrainian company key to Trump's impeachment
Wired: If Russia Hacked Burisma, Brace for the Leaks to Follow
https://www.wired.com/story/russia-burisma-hack-leaks/
SC Magazine: Russia's Fancy Bear successfully hacked Burisma during impeachment probe
Vice: The Russian Group That Hacked the DNC Has Now Breached the Company at the Center of Trump's Impeachment
The Hill: Ukrainian authorities ask FBI for help investigating Russian hack on Burisma
**************************** SPONSORED LINKS ******************************
1) Webcast January 22nd at 3:30PM ET: Optimize Decision Support Through Verifiable Classification. http://www.sans.org/info/215290
2) Take the SANS 2020 Automation & Integration Survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/215305
3) Join Anomali January 23rd as they cover how the cyber threat landscape appeared in 2019 and the most common TTPs used. http://www.sans.org/info/215310
*****************************************************************************
REST OF THE NEWS
--Adobe Patch Tuesday
(January 14 & 15, 2020)
Adobe's monthly security release includes fixes for five critical memory corruption flaws in Illustrator CC and four flaws in Adobe Experience Manager.
[Editor Comments]
[Neely] The good news is that Adobe's Creative Cloud desktop service will, by default, automatically apply these patches, and the fixes are specific to their Illustrator and Experience Manager products, which are typically not as widely deployed as Acrobat or Flash in the enterprise, so ensuring they are mitigated should be much easier.
Read more in:
SC Magazine: Adobe rolls out a light Patch Tuesday offering
ZDNet: Adobe's first 2020 security patch update fixes code execution vulnerabilities
Bleeping Computer: Adobe Releases Their January 2020 Security Updates
https://www.bleepingcomputer.com/news/security/adobe-releases-their-january-2020-security-updates/
Adobe: Security Updates Available for Adobe Illustrator CC | APSB20-03
https://helpx.adobe.com/security/products/illustrator/apsb20-03.html
Adobe: Security updates available for Adobe Experience Manager | APSB20-01
https://helpx.adobe.com/security/products/experience-manager/apsb20-01.html
--Oracle Critical Patch Update for January 2020
(January 14, 15, & 16, 2020)
Oracle's Critical Patch Update for January 2020 includes fixes for 334 security issues across a wide spectrum of product families. Forty-three of the vulnerabilities addressed in the update are rated critical.
[Editor Comments]
[Ullrich] The WebLogic and Peoplesoft flaws are my main concern. We have seen similar flaws exploited in the wild before. It is a bit disappointing that Oracle still patches two year old flaws in open source libraries like Apache Commons and log4j.
[Neely] The large number here is due to the breadth of products included in the patch bundle which includes 10 Solaris fixes, 38 Fusion Middleware fixes, 23 for the E-Business suite and 12 for their database server. The urgency of the update is due to 191 fixes for flaws that can be remotely executed without authentication. When pared down to products running in your environment, the number is much more manageable. Even so, timely regression testing and application is prudent, particularly for externally accessible services.
Read more in:
The Register: Yo, sysadmins! Thought Patch Tuesday was big? Oracle says 'hold my Java' with huge 334 security flaw fix bundle
https://www.theregister.co.uk/2020/01/15/oracle_january_patches/
ZDNet: Oracle just released a whopping 334 security fixes in critical patch update
Threatpost: Oracle Ties Previous All-Time Patch High with January Updates
https://threatpost.com/oracle-cpu-all-time-patch-high-january/151861/
Oracle: Oracle Critical Patch Update Advisory - January 2020
https://www.oracle.com/security-alerts/cpujan2020.html
--Android Mobile App Data Sharing is "Out of Control"
(January 16, 2020)
A report from the Norwegian Consumer Council says that the sharing of sensitive information by Android apps is "out of control." According to analysis of 10 popular Android apps conducted by Mnemonic, the apps share sensitive user data with numerous third-parties. Mnemonic conducted its analyses between June and November 2019. In all, the 10 examined apps sent user data to a total of 135 separate third-party entities that all engage in advertising or behavioral marketing.
[Editor Comments]
[Ullrich] At the same time, users are complaining that the latest iOS release from Apple is "too noisy" with its location tracking alerts. In the end, many people just want things to work and don't care who they are sharing what information with.
[Neely] For many applications, enabling access to sensitive data is needed for desired functionality. Even so, in current Android operating systems, you can now review application privileges and ensure that you've not granted extra permissions in the heat of installing a new app. While reading the privacy/data sharing agreements is a good way to find out where a given application will share data, providers need to make sure they are short, easy to understand, and quick to read so users will look at them.
Read more in:
SC Magazine: Analysis of popular apps finds rampant sharing of personal data
Forbrukerradet: Out of Control: How consumers are exploited by the online advertising industry (PDF)
https://fil.forbrukerradet.no/wp-content/uploads/2020/01/2020-01-14-out-of-control-final-version.pdf
--P&N Bank Discloses Breach
(January 15 & 16, 2020)
Australia's P&N Bank has disclosed a breach that compromised customer data, including names, account numbers, and account balances. The incident occurred around the second week of December 2019 during a server upgrade. P&N believes that the intruders gained entry through a third-party hosting provider.
Read more in:
PN Bank: Statement from the CEO - information breach
https://www.pnbank.com.au/about/news/2020/information-breach/
ZDNet: P&N Bank discloses data breach, customer account information, balances exposed
Bleeping Computer: Customer-Owned Bank Informs 100k of Breach Exposing Account Balance, PII
Softpedia: Hackers Break Into Western Australia's Largest Bank, Personal Data Exposed
--Users Urged to Patch Cisco Data Center Network Manager Vulnerabilities
(January 15, 2020)
Cisco released fixes for a trio of critical flaws in its Data Center Network Manager software earlier this month. Users are urged to apply the patches as soon as possible because proof-of-concept exploit code has been released.
Read more in:
ZDNet: Critical Cisco DCNM flaws: Patch right now as PoC exploits are released
Cisco: Cisco Data Center Network Manager Authentication Bypass Vulnerabilities
--WordPress Plugin Flaws Affect 320,000 Sites
(January 14 & 15, 2020)
Critical flaws in two WordPress plugins could be exploited to access websites' administrator accounts without a password. The affected plugins, InfiniteWP Client and WP Time Capsule, run on 300,000 and 20,000 websites, respectively. The developers of both plugins have addressed the issues in updates.
[Editor Comments]
[Ullrich] WordPress just can't get its act together. There are two ways to run WordPress: Either you run it at WordPress.com and pay, or you don't run it. WordPress's business model is based on the fact that the only way to run its product securely is if you let them manage it for you.
[Neely] Automating plugin updates for CMS systems prevents more problems than it creates. Coupled with incremental backups which permit easy roll-back, the risks are largely mitigated. Reviewing and removing unused plugins regularly is also prudent.
Read more in:
ZDNet: Critical bugs in WordPress plugins InfiniteWP, WP Time Capsule expose 320,000 websites to attack
The Register: Updated your WordPress plugins lately? Here are 320,000 auth-bypassing reasons why you should
https://www.theregister.co.uk/2020/01/15/update_wordpress_plugins/
Threatpost: Critical WordPress Bug Leaves 320,000 Sites Open to Attack
https://threatpost.com/wordpress-bug-leaves-sites-open-to-attack/151911/
Bleeping Computer: Critical WordPress Plugin Bug Allows Admin Logins Without Password
--Alleged Swatter Arrested
(January 14, 2020)
US federal authorities have arrested a Virginia man for his alleged involvement with a neo-Nazi group that launched swatting attacks and bomb threats against hundreds of targets. John William Kirby Kelley was identified after he phoned in a bomb threat to Old Dominion University in November 2018, while he was a student there. Two other individuals involved in the attacks remain at large.
Read more in:
KrebsOnSecurity: Alleged Member of Neo-Nazi Swatting Group Charged
https://krebsonsecurity.com/2020/01/alleged-member-of-neo-nazi-swatting-group-charged/
Ars Technica: FBI arrests man suspected of orchestrating dozens of "swatting" calls
Court Listener: Affidavit (PDF)
https://www.courtlistener.com/recap/gov.uscourts.vaed.464952/gov.uscourts.vaed.464952.2.0.pdf
--Ryuk Ransomware Tries to Wake Powered-Down Devices
(November 1, 2019 & January 14, 2020)
Ryuk Ransomware is capable of using the Wake-on-LAN feature to cause devices in standby state to turn on so it can attempt to encrypt them. The Wake-on-LAN feature allows devices that have been powered down to be woken up by sending a special network packet. Administrators are advised to restrict Wake-on-LAN packet permissions. Researchers at CrowdStrike noted this capability in November 2019.
[Editor Comments]
[Neely] Wake-on-Lan needs to be activated from the local subnet and is more likely used on workstations and desktops than servers which run continuously. Apply filters to only allow Wake-on-Lan packets from authorized devices. Also check for permissions on shares, which is how the Ransomware is attempting to access and encrypt awakened systems.
Read more in:
Bleeping Computer: Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices
CrowdStrike: WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/
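The mitigation in the item above, filtering magic packets so that only authorized hosts can wake machines, as an added Python example that is not code from the newsletter, CrowdStrike or Bleeping Computer: it parses the Wake-on-LAN magic-packet format and flags any magic packet whose source IP is not on an allowlist. The allowlist, the management host address and the sample datagrams are constructed for the example.

```python
"""Detect Wake-on-LAN magic packets and flag senders that are not authorized.

A magic packet is 6 bytes of 0xFF followed by the target MAC address repeated
16 times (102 bytes in total), usually carried as a UDP broadcast payload.
An optional SecureOn password may follow, so only the first 102 bytes matter.
"""

SYNC = b"\xff" * 6          # synchronization stream that opens every magic packet
MAGIC_LEN = 6 + 6 * 16      # sync + 16 repetitions of a 6-byte MAC


def build_magic_packet(target_mac: str) -> bytes:
    """Build a magic packet for target_mac (used here only to construct sample input)."""
    mac = bytes.fromhex(target_mac.replace(":", "").replace("-", ""))
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    return SYNC + mac * 16


def parse_magic_packet(payload: bytes):
    """Return the target MAC as colon-separated hex if payload starts with a
    well-formed magic packet, else None."""
    if len(payload) < MAGIC_LEN or payload[:6] != SYNC:
        return None
    mac = payload[6:12]
    if payload[6:MAGIC_LEN] != mac * 16:   # all 16 copies must match
        return None
    return ":".join(f"{b:02x}" for b in mac)


def evaluate_wol(src_ip: str, payload: bytes, authorized_senders):
    """Classify one UDP datagram: 'ignore' (not a magic packet), 'allow' (magic
    packet from an authorized management host) or 'alert' (magic packet from
    any other host, e.g. a compromised workstation trying to wake its peers)."""
    mac = parse_magic_packet(payload)
    if mac is None:
        return ("ignore", None)
    verdict = "allow" if src_ip in authorized_senders else "alert"
    return (verdict, mac)


# Constructed sample data: a hypothetical management host that is allowed to
# send WoL, one datagram from it, one from a workstation that should never
# send WoL, one malformed magic packet and one unrelated UDP datagram.
AUTHORIZED_SENDERS = {"10.0.0.5"}
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", build_magic_packet("00:11:22:33:44:55")),
    ("10.0.0.77", build_magic_packet("00:11:22:33:44:66")),
    ("10.0.0.77", SYNC + b"\x01" * 95),          # too short to be a magic packet
    ("10.0.0.9", b"\x12\x34\x01\x00"),           # ordinary UDP payload
]


def run_detection(datagrams=SAMPLE_DATAGRAMS, authorized=AUTHORIZED_SENDERS):
    """Return (src_ip, target_mac) for every magic packet from an unauthorized host."""
    alerts = []
    for src, payload in datagrams:
        verdict, mac = evaluate_wol(src, payload, authorized)
        if verdict == "alert":
            alerts.append((src, mac))
    return alerts


if __name__ == "__main__":
    for src, mac in run_detection():
        print(f"ALERT: unauthorized Wake-on-LAN from {src} targeting {mac}")
```

The same check can be applied at a switch or firewall that sees broadcast traffic on the subnet, which is where Wake-on-LAN packets have to originate.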
--FBI Changes Breach Notification Policy for Election Systems
(January 16, 2020)
The FBI will now notify state officials when election systems within their states have been breached in a cyber attack. Previously, the FBI notified only affected counties. (Please note that the WSJ story is behind a paywall.)
Read more in:
The Hill: FBI announces new policy to give election officials 'timely' notification of cyber breaches
WSJ: FBI Changes Policy for Notifying States of Election Systems Cyber Breaches (paywall)
****************************************************************************
INTERNET STORM CENTER TECH CORNER
Microsoft January 2020 Patch Tuesday and #CryptoAPI Flaw
Webcast: https://sans.org/cryptoapi-isc
Diary: https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+for+January+2020/25710/
NSA Release: https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF
CVE-2020-0601 Followup
https://isc.sans.edu/forums/diary/CVE20200601+Followup/25714/
CVE-2020-0601 Update ("Curveball", "Letsdecrypt")
https://isc.sans.edu/forums/diary/Summing+up+CVE20200601+or+the+Lets+Decrypt+vulnerability/25720/
Oracle Patches
https://www.oracle.com/security-alerts/cpujan2020.html
Certain Netscaler Devices Do Not Support Mitigation (article in Dutch)
Cable Haunt Vulnerability
STI Student Interview: Jon Michael Lacek
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create