SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #50
June 23, 2020Australia is Under State-Sponsored Cyberattack; 269 GB of US Law Enforcement Data Published
****************************************************************************
SANS NewsBites June 23, 2020 Vol. 22, Num. 050
****************************************************************************
TOP OF THE NEWS
Prime Minister: Australia is Under State-Sponsored Cyberattack
Group Posts 269 GB of Data Stolen from US Law Enforcement Databases
REST OF THE NEWS
VMware Update for macOS
Australia's Lion Brewery Suffers Another Cyberattack
Former FEMA IT Specialist Arrested for Allegedly Hacking University of Pittsburgh Medical Center
Crozer-Keystone Health System Suffers Ransomware Attack
Open Letter to Congress Urges it to Save the Open Technology Fund After Head of USAGM is Replaced
Flash End-of-Life is December 31, 2020
Former Defense Intelligence Agency Analyst Sentenced to Prison for Leaking Data
US Government Websites Will be Accessible Through HTTPS Only After September 1
NSO Group Spyware Used to Track Moroccan Journalist, Says Amnesty International
INTERNET STORM CENTER TECH CORNER
********************* Sponsored By Anomali *******************************
Anomali Weekly Threat Briefing | Every week the Anomali Threat Research Team publishes the Weekly Threat Briefing which provides a key summary of the cybersecurity threat intelligence alerts of the week. As a subscriber you will receive trending threat intelligence information and details on observed threats across the global Anomali community. Sign up for your copy today. | http://www.sans.org/info/216775
****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Take advantage of the current promotional offer
Get a Free GIAC Certification Attempt or Take $350 Off with OnDemand or Live Online Training through June 24
https://www.sans.org/online-security-training/specials/
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In Person and Live Online Events:
SANS Summer of Cyber | July 6-17 | Live Online
- https://www.sans.org/event/summer-of-cyber-jul-6
DFIR Summit & Training (Free Summit) | July 16-25 | Live Online
- https://www.sans.org/event/digital-forensics-summit-2020
SANS Rocky Mountain Summer 2020 | Jul 20-25 | Live Online
- https://www.sans.org/event/rocky-mountain-summer-2020
SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
****************************************************************************
TOP OF THE NEWS
--Prime Minister: Australia is Under State-Sponsored Cyberattack
(June 19, 2020)
At a press conference on Friday, June 19, Australian Prime Minister Scott Morrison warned that the country's public sector is under cyberattack from a state backed actor. The attacks have targeted organizations in a range of sectors including government, private industry, education, health and essential services, and operators of critical infrastructure. Morrison declined to identify the country he believes is responsible for the attacks. A technical advisory from the Australian Signals Directorate (ASD) describes the "tactics, techniques and procedures used to target multiple Australian networks."
[Editor Comments]
[Pescatore] Two telling quotes from the ASD alert: (1) "The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor" and (2) "ACSC Recommended Prioritised Mitigations ... Prompt patching of internet facing software, operating systems and devices. All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available." The attacks were sophisticated, but basic security hygiene (patching) would have disabled those attacks. The ASD has shown data on how the "Top 4" basic security hygiene control alone mitigate 85% of sophisticated, targeted cyber attacks.
[Neely] While attribution is a nice to have, ensuring sufficient security is in place for systems as well as recovery from attacks are critical activities. The ASD/ACSC advisory below provides prioritized mitigations, starting with patching and implementing MFA, followed by their essential 8 controls (https://www.cyber.gov.au/sites/default/files/2020-04/PROTECT%20-%20Essential%20Eight%20Explained%20%28April%202020%29.pdf). Those are common sense changes which will dramatically reduce the attack surface.
Read more in:
SMH: Morrison reveals malicious 'state-based' cyber attack on governments, industry
SC Magazine: Australia says state-based actor is behind surge of sophisticated cyberattacks
The Register: Australian PM says nation under serious state-run 'cyber attack' - Microsoft, Citrix, Telerik UI bugs 'exploited'
https://www.theregister.com/2020/06/19/australia_state_cyberattack/
Gov.au (ASD): Advisory 2020-008: Copy-Paste Compromises - tactics, techniques and procedures used to target multiple Australian networks (PDF)
--Group Posts 269 GB of Data Stolen from US Law Enforcement Databases
(June 22, 2020)
A group calling itself Distributed Denial of Secrets has posted 269 gigabytes of police data online. According to a memo from the National Fusion Center Association obtained by Brian Krebs, the data were taken from state owned and operated law enforcement fusion centers, which serve to coordinate communications between state, local, federal, tribal, territorial, private law enforcement partners. The memo notes that "Preliminary analysis of the data contained in this leak suggests that Netsential, a web services company used by multiple fusion centers, law enforcement, and other government agencies across the United States, was the source of the compromise."
Read more in:
KrebsOnSecurity: 'BlueLeaks' Exposes Files from Hundreds of Police Departments
https://krebsonsecurity.com/2020/06/blueleaks-exposes-files-from-hundreds-of-police-departments/
Ars Technica: Millions of documents from >200 US police agencies published in "BlueLeaks" trove
Wired: Hack Brief: Anonymous Stole and Leaked a Megatrove of Police Documents
https://www.wired.com/story/blueleaks-anonymous-law-enforcement-hack/
ZDNet: BlueLeaks: Data from 200 US police departments & fusion centers published online
Cyberscoop: 'Distributed Denial of Secrets' publishes 'Blue Leaks,' a trove of law enforcement records
https://www.cyberscoop.com/blue-leaks-police-database-ddosecrets/
Vice: 'BlueLeaks': Group Releases 270GB of Sensitive Police Documents
**************************** SPONSORED LINKS ******************************
1) Free Event| Oil and Gas Forum | Join SANS Instructor Jason Dely along with top experts from Cyberinc, Dispel, Siemplify, Swimlane, ThreatConnect, and Tripwire, as they discuss the latest technologies in the Oil and Gas industry. | July 10, 2020 @ 9:30am EDT | http://www.sans.org/info/216785
2) Webcast | Join Heather Mahalik and Josh Snow as they discuss "How To Secure Remote Workers For The Long Haul: Protecting VPN, RDP, Webcams and Beyond" | June 25, 2020 @ 3:30pm EDT | http://www.sans.org/info/216780
3) Webcast | Join Alex Kirk, John Gamble, and Matt Bromiley as they dive into "The Power of Fusing Network Alerts and Evidence with Open-Source Suricata and Zeek (Bro)" | June 25, 2020 @ 12:00pm EDT | http://www.sans.org/info/216790
****************************************************************************
THE REST OF THE WEEK'S NEWS
--VMware Update for macOS
(June 18, 2020)
A denial-of-service vulnerability affecting VMware tools for macOS. Updates are available. The flaw is in the Host-Guest File System implementation. Users should update to VMware Tools for macOS 11.1.1.
[Editor Comments]
[Neely] Check the version of VMware tools in your environment; you may need to download this version of VMware Tools explicitly even after using the built-in check for updates features.
Read more in:
VMware: VMware Tools for macOS update addresses a denial-of-service vulnerability (CVE-2020-3972)
https://www.vmware.com/security/advisories/VMSA-2020-0014.html
--Australia's Lion Brewery Suffers Another Cyberattack
(June 18 & 19, 2020)
Australian beverage company Lion, which has been in the process of recovering from a June 8 ransomware attack, reportedly suffered a second cyberattack over the weekend. As a result, the company has shifted its focus from recovery to defense. The company is struggling to meet demands for its beer, dairy, and juice products.
[Editor Comments]
[Neely] They are now confirming this was the REvil malware family whose operators are known for publishing exfiltrated data to ensure the ransom is paid. In this case about $800,000USD. Lion has implemented measures to prevent added attacks as well as analyzed what data was accessed to make the determination not to pay the ransom. The process is further complicated by a takeover bid from Chinese dairy giant Mengniu. When faced with multiple factors like this, management needs to determine what to prioritize and then support those decisions. In this case, the priority remains getting beverage production online with improved security posture, and hiring external security firms to support those goals as well as standing behind the decision not to pay ransom.
Read more in:
SMH: 'Cyber crisis' deepens at Lion as second attack bites beer giant
The Register: Australia's Lion brewery hit by second cyber attack as nation staggers under suspected Chinese digital assault
https://www.theregister.com/2020/06/19/lion_brewery_second_cyber_attack_australia/
LionCo: Lion Cyber incident update 19 June 2020
https://www.lionco.com/media-centre/lion-update-re-cyber-issue
--Former FEMA IT Specialist Arrested for Allegedly Hacking University of Pittsburgh Medical Center
(June 18 & 19, 2020)
The US Department of Justice announced the arrest of Justin Sean Johnson, who was indicted on charges of conspiracy, wire fraud, and aggravated identity theft for his alleged role in a cyberattack against human resources databases at the University of Pittsburgh Medical Center in 2014. Johnson, who was formerly an information technology specialist at the Federal Emergency management Agency (FEMA), allegedly sold personally identifiable information stolen in that attack.
[Editor Comments]
[Neely] In this case the UPMC HR system was not sufficiently protected from access to prevent a hacker exploiting bugs to access data. Protect information systems containing sensitive data though multi-factor authentication and by limiting direct access to APIs and databases to trusted systems, supported with monitoring to detect attempted unauthorized access and data exfiltration.
Read more in:
The Register: Feds cuff Detroit man for allegedly hacking University of Pittsburgh Medical Center
https://www.theregister.com/2020/06/19/feds_arrest_detroit_man_believed/
KrebsOnSecurity: FEMA IT Specialist Charged in ID Theft, Tax Refund Fraud Conspiracy
Bleeping Computer: Hacker arrested for stealing, selling PII of 65K hospital employees
Justice: Michigan Man Arrested for 2014 Hack of UPMC HR Databases and Theft of Employees' Personal Information
Regmedia: Indictment filed May 20, 2020 (PDF)
https://regmedia.co.uk/2020/06/18/johnson_indictment.pdf
--Crozer-Keystone Health System Suffers Ransomware Attack
(June 19, 2020)
The Crozer-Keystone Health System in Philadelphia was recently the victim of a ransomware attack. Operators of the NetWalker ransomware claim to have stolen information from Crozer-Keystone and are threatening to publish it later this week. Crozer-Keystone has taken "necessary systems offline to prevent further risk," according to an emailed statement from a Crozer-Keystone spokesperson.
[Editor Comments]
[Murray] Most enterprises, including all municipalities and healthcare institutions, should, by now, have measures in place to resist breaches and mitigate damage to their data and applications. Failure to do so is at best negligent, probably reckless.
Read more in:
Cyberscoop: Philadelphia-area health system says it 'isolated' a malware attack
https://www.cyberscoop.com/crozer-keystone-cyber-attack-netwalker-ransomware/
SC Magazine: NetWalker claims credit for attack on Crozer-Keystone Health System
--Open Letter to Congress Urges it to Save the Open Technology Fund After Head of USAGM is Replaced
(June 17 & 22, 2020)
Nearly 400 organizations and more than 2,300 individuals have signed a letter asking Congress to preserve funding for the Open Technology Fund. OTF has received funding from the US Agency for Global Media (USAGM) since 2012. Last week, the current administration replaced the head of USAGM and fired heads of associated non-profits that USAGM sponsors. OTF's CEO resigned last week; in her resignation letter, Libby Liu wrote that she had "become aware of lobbying efforts to convince the new USAGM CEO to interfere with the current FY2020 OTF funding stream and redirect some of our resources to a few closed-source circumvention tools."
Read more in:
Save Internet Freedom: Save Internet Freedom: Support the Open Technology Fund
https://saveinternetfreedom.tech/
Vice: CEO of Open Technology Fund Resigns After Closed-Source Lobbying Effort
https://www.vice.com/en_us/article/935k5p/open-technology-fund-ceo-resigns
ZDNet: 400 organizations sign open letter to save Open Technology Fund (OTF)
https://www.zdnet.com/article/400-organizations-sign-petition-to-save-open-technology-fund-otf/
--Flash End-of-Life is December 31, 2020
(June 20 & 22, 2020)
Adobe is recommending that users uninstall Flash by the end of this calendar year. Adobe announced in July 2017 that Flash's planned EOL will be December 31, 2020. After that date, Adobe will no longer distribute or issue updates for the software. "Users will be prompted by Adobe to uninstall Flash Player on their machines later this year and Flash-based content will be blocked from running in Adobe Flash Player after the EOL Date."
Read more in:
Adobe: Adobe Flash Player EOL General Information Page
https://www.adobe.com/products/flashplayer/end-of-life.html
ZDNet: Adobe wants users to uninstall Flash Player by the end of the year
https://www.zdnet.com/article/adobe-wants-users-to-uninstall-flash-player-by-the-end-of-the-year/
Threatpost: Adobe Prompts Users to Uninstall Flash Player As EOL Date Looms
https://threatpost.com/adobe-prompts-users-to-uninstall-flash-player-as-eol-date-looms/156794/
--Former Defense Intelligence Agency Analyst Sentenced to Prison for Leaking Data
(June 19 & 22, 2020)
A former analyst for the US Defense Intelligence Agency (DIA) has been sentenced to two-and-a-half years in prison for leaking data to journalists. In February 2020, Henry Kyle Frese pleaded guilty to willful transmission of Top Secret national defense information. Frese was employed at DIA from February 2018 through October 2019 as a counter-terrorism analyst.
Read more in:
Threatpost: Former DIA Analyst Sentenced to Prison Over Data Leak
https://threatpost.com/former-dia-analyst-sentenced-to-prison-over-data-leak/156775/
Infosecurity Magazine: DIA Analyst Jailed for Disclosing Secrets to Journalist Girlfriend
https://www.infosecurity-magazine.com/news/dia-analyst-jailed-for-disclosing/
Justice: Former DIA Analyst Sentenced for Leaking Classified Information to Journalists (June 2020)
Justice: Former DIA Employee Pleads Guilty to Leaking Classified National Defense Information to Journalists (February 2020)
--US Government Websites Will be Accessible Through HTTPS Only After September 1
(June 21 & 22, 2020)
Starting September 1, 2020, new US government websites (.gov) will be available only through HTTPS. The entire .gov top level domain (TLD) will eventually be pre-loaded, which means that site visitors will automatically have a secure connection when they visit a .gov website.
[Editor Comments]
[Neely] This will apply to new .gov domains. Existing domains have been converting to HSTS since May 2017, and can submit themselves to the HSTS preload list. For .gov domain holders, GSA hosts a DotGov HSTS listserv (dotgovhttps@listserv.gsa.gov) for comments, questions and feedback. Users of that mailing list must subscribe from a .gov email address.
Read more in:
dotgov: Making .gov More Secure by Default
https://home.dotgov.gov/management/preloading/dotgovhttps/
dotgov: It should be easy to identify governments on the internet.
Bleeping Computer: US govt to enforce HTTPS on new .gov sites starting September 1
--NSO Group Spyware Used to Track Moroccan Journalist, Says Amnesty International
(June 21 & 22, 2020)
An Amnesty International investigation revealed evidence that spyware made by NSO Group was used to target Moroccan journalist and activist Omar Radi between January 2019 and January 2020. Attacks against Radi's phone to install the Pegasus spyware occurred on at least three dates. One of the attacks occurred just three days after "NSO Group publicly committed to abide by the UN Guiding Principles on Business and Human Rights."
Read more in:
Amnesty: Moroccan Journalist Targeted With Network Injection Attacks Using NSO Group's Tools
Amnesty: NSO Group spyware used against Moroccan journalist days after company pledged to respect human rights
https://www.amnesty.org/en/latest/news/2020/06/nso-spyware-used-against-moroccan-journalist/
Vice: Days After New Human Rights Policy, NSO Client Hacked an Activist
https://www.vice.com/en_us/article/v7gbpj/nso-group-human-rights-hacked-activist
Reuters: Morocco used NSO's spyware to snoop on journalist, Amnesty says
****************************************************************************
INTERNET STORM CENTER TECH CORNER
Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider
In September last year, German police raided a cold-war era nuclear bunker used by "Cyberbunker," a criminal organization that provided hosting services for various illegal purposes. A few months ago, the Internet Storm Center was able to access the Cyberbunker's IP address space. One of our SANS.edu graduate students, Karim Lalji, analyzed it. He found evidence of various illegal activities including several botnets with thousands of hosts trying to reach command-and-control servers months after law enforcement took them down. One of the lessons learned is how long it takes victims to realize that systems are infected. Some phishing sites hosted on Cyberbunker are still receiving hits today.
Sigma Rules! The Generic Signature Format for SIEM Systems
https://isc.sans.edu/forums/diary/Sigma+rules+The+generic+signature+format+for+SIEM+systems/26258/
Pi Zero Honeypot
https://isc.sans.edu/forums/diary/Pi+Zero+HoneyPot/26260/
Comparing Office Documents with WinMerge
https://isc.sans.edu/forums/diary/Comparing+Office+Documents+with+WinMerge/26268/
Ransomware Operators Lurk on Your Network
Discord Modified to Steal Accounts
Remote Code Execution Vulnerability in Bitdefender
https://palant.info/2020/06/22/exploiting-bitdefender-antivirus-rce-from-any-website/
Google Analytics Used to Exfiltrate Data
https://www.perimeterx.com/tech-blog/2020/bypassing-csp-exflitrate-data/
VMWare Tools and Microsoft Office Updates for macOS
https://www.vmware.com/security/advisories/VMSA-2020-0014.html
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1225
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1226
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1229
****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
