SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #51
June 26, 2020FLASH! Patch Exchange Servers Now; and More Ransomware News - Some Good
****************************************************************************
SANS NewsBites June 26, 2020 Vol. 22, Num. 051
****************************************************************************
TOP OF THE NEWS
Microsoft: Patch Exchange Servers Now
Lion Breweries are Operational Again After Ransomware Attack
Maze Ransomware Operators Say They Stole Data From LG Electronics Network
Sodinokibi/REvil Ransomware Group Scanning Compromised Networks for POS Systems
REST OF THE NEWS
Google Will Enable Auto-Delete for User Data by Default on New Accounts
Legislators Introduce Bill Requiring Breakable Encryption
Cyberbunker Analysis
Akamai Mitigated Massive Packet-per-Second Based DDoS Attack
Lucifer Malware Exploits Multiple Known Windows Vulnerabilities
Ripple20
Suzette Kent is Leaving Government Service
Prison Sentence for Botnet Creator
INTERNET STORM CENTER TECH CORNER
********************* Sponsored By Netskope ******************************
Join Netskope's Cloud Security Workshop. Are you really ready to provide safe access to cloud services and keep pace with new threats? Register for Netskope's complimentary cloud security workshop! Take control over your web services. Get 5 CPE credits and hands-on experience with Next Gen Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) solutions built for the cloud.
| http://www.sans.org/info/216850
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
OnDemand Training Special Offer
Flexible Offer with Flexible Training
Choose an iPad Air, an iPad with Smart Keyboard, a Surface Go, or Take $300 Off with OnDemand Training through July 8.
- https://www.sans.org/ondemand/specials
Live Online Training Special Offer
Get a Free GIAC Certification Attempt or Take $350 Off with Live Online Training through July 4.
- https://www.sans.org/live-online/specials
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In Person and Live Online Events:
DFIR Summit & Training (Free Summit) | July 16-25 | Live Online
- https://www.sans.org/event/digital-forensics-summit-2020
SANS Rocky Mountain Summer 2020 | July 20-25 | Live Online
- https://www.sans.org/event/rocky-mountain-summer-2020
SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online
- https://www.sans.org/event/reboot-nova-2020
SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--Microsoft: Patch Exchange Servers Now
(June 24 & 25, 2020)
In a recent blog post, the Microsoft Defender ATP Research Team describes a recent increase in attacks targeting Microsoft Exchange servers. The attacks exploit a critical flaw in the Internet Information Service (IIS) component of Exchange servers. Fixes for the vulnerability have been available since February 2020.
[Editor Comments]
[Neely] While the initial attacks leveraged client access to reach your Exchange server, the new focus leverages a flaw in the servers' IIS component to launch a web shell. Additionally, once accessed, misconfigured servers allowed for credential harvesting. Two actions are needed. First, patch your servers. Second, review the security configuration. Microsoft has published security guides for Exchange and CIS (www.cisecurity.org) has configuration guides which can also be leveraged.
[Pescatore] Three weeks ago Rapid7 pointed out the high percentage of unpatched Exchange servers, and we ran a NewsBites item. We also did a NewsBites drilldown on this issue with a general reminder to double check that server patching is still actually happening while your IT staff is largely consumed with supporting Work at Home. https://www.sans.org/blog/newsbites-drilldown-for-the-week-ending-5-june-2020/
Read more in:
Microsoft: Defending Exchange servers under attack
https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/
ZDNet: Microsoft: Patch your Exchange servers, they're under attack
https://www.zdnet.com/article/microsoft-patch-your-exchange-servers-theyre-under-attack/
Bleeping Computer: Microsoft: Attackers increasingly exploit Exchange servers
MSRC: CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688
--Lion Breweries are Operational Again After Ransomware Attack
(June 26, 2020)
Australian beverage company Lion says that all of its breweries are up and running, and that its dairy and juice facilities are operational. Lion suffered a ransomware attack earlier this month.
[Editor Comments]
[Neely] With all the ransomware attacks reported, it's nice to have news about recovery. Although Lion is still finishing up the IT cleanup and may have some disruptions related to that process, the restoration of service to their customers will make this transparent. As Australia remains an active target for ransomware attacks, Lion's mitigations to prevent recurrence will continue to be tested.
Read more in:
LionCo: Lion Cyber incident update 26 June 2020
https://www.lionco.com/media-centre/lion-update-re-cyber-issue
ZDNet: Lion gets breweries up and running following ransomware attack
https://www.zdnet.com/article/lion-gets-breweries-up-and-running-following-ransomware-attack/
--Maze Ransomware Operators Say They Stole Data From LG Electronics Network
(June 25, 2020)
Operators of the Maze ransomware claim they have stolen proprietary data from LG Electronics. They also claim to have encrypted the company's network. As of Thursday afternoon, June 25, LG has not commented.
Read more in:
Bleeping Computer: LG Electronics allegedly hit by Maze ransomware attack
--Sodinokibi/REvil Ransomware Group Scanning Compromised Networks for POS Systems
(June 23 & 24, 2020)
Researchers at Symantec have detected a Sodinokibi/REvil ransomware campaign that in some cases, also scans infected networks for point-of-sale (POS) software. It is unclear whether the Sodinokibi/REvil operators are seeking to encrypt POS systems or if they are looking to steal payment card data.
[Editor Comments]
[Neely] The Symantec blog post provides insight into the TTPs used for distribution, control, and exploitation as well as IOCs that should be used to consider mitigations which can reduce the chances of success for an attempted introduction of REvil. The Sodiokibi operators have demonstrated that no matter what data they access, they are prepared to leverage it to ensure payment. Compromised card data, in sufficient volume, is still marketable commodity independent of any business specific data.
[Murray] Once your systems are breached there are multiple ways for the perpetrators to monetize the breach. While one may be able to assign part of the risk to insurance underwriters, it is usually more efficient to resist the breach, and all the risk, in the first place.
Read more in:
Symantec: Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Bleeping Computer: REvil ransomware scans victim's network for Point of Sale systems
Threatpost: Sodinokibi Ransomware Now Scans Networks For PoS Systems
https://threatpost.com/sodinokibi-ransomware-now-scans-networks-for-pos-systems/156855/
***************************** SPONSORED LINKS *****************************
1) Webcast | Join SANS Senior Instructor, Dave Shackleford as he discusses "Securing Assets Using Micro-Segmentation: A SANS Review of Guardicore Central" | June 30, 2020 @ 1:00pm EDT
| http://www.sans.org/info/216835
2) On- Demand Webcast | If you missed the "SANS ICS Asset Identification: It's More Than Just Security: A SANS Report" you can still listen online.
| http://www.sans.org/info/216840
3) Webcast | Join leading industry expert, Jake Williams as he hosts the upcoming webcast "4 Secrets to Power Charge Your SOC - How prevention and detection can deliver new work stream efficiencies." | July 8,2020 @ 1:00pm EDT
| http://www.sans.org/info/216845
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Google Will Enable Auto-Delete for User Data by Default on New Accounts
(June 24, 2020)
New Google accounts will now "automatically and continuously" delete user data after 18 months by default. Last year, Google introduced an opt-in data deletion feature; users could choose to have their data deleted after three months or after 18 months. If users already have the feature enabled, their setting will not be changed.
[Editor Comments]
[Neely] Existing accounts have three settings: Forever, 18 Months and 3 Months. These settings will not be changed. You can review your settings on the myactivity.google.com page under Activity Controls. This page also allows you to see what activity is tracked and manually delete it. Take a moment and review your settings as well as educate yourself on what's being tracked.
[Murray] One may also delete more recent activity, including third-party cookies, on a one-time basis. This can be useful in stopping nuisance ads based upon recent activity. (I recently googled an MIT project whose name was also the name of a popular dog food. I do not have a dog.)
Read more in:
Google: Keeping your private information private
https://blog.google/technology/safety-security/keeping-private-information-private/amp/
The Hill: Google adds automatic data deletion for new accounts
https://thehill.com/policy/technology/504543-google-sets-automatic-data-deletion-date
Wired: Google Will Delete Your Data by Default--in 18 Months
https://www.wired.com/story/google-auto-delete-data/
--Legislators Introduce Bill Requiring Breakable Encryption
(June 24, 2020)
Three US senators have introduced a bill that would compel technology companies to help law enforcement by helping them obtain access to encrypted data on their networks when the request is accompanied by a warrant. The bill would apply to both data at rest and data in motion. The bill would not apply to products and services sold and operated outside the US.
[Editor Comments]
[Pescatore] This bill is looking to amend the Communications Assistance to Law Enforcement Act (CALEA) which was passed back in 1994 to require digital switch makers and telecoms service providers to support targeted surveillance of a particular connection in a digital stream of voice data. That was a much simpler issue than this bill addresses in trying to extend the model to all consumer devices, operating systems, and cloud services. I've commented on various bills like this in the past - any data analysis shows an order of magnitude more digital crime has succeeded because data was NOT encrypted than the amount of damage from law enforcement being impeded by the user of strong encryption.
[Murray] Our colleague, David Kennedy at Verizon, cautions us not to even consider legislative proposals until they at least get a committee hearing. Related to "signal-to-noise."
Read more in:
Threatpost: New Bill Targeting 'Warrant-Proof' Encryption Draws Ire
https://threatpost.com/new-bill-targeting-warrant-proof-encryption-draws-ire/156877/
ZDNet: US Republican Senators develop Bill to end use of 'warrant-proof' encryption
Vice: Republicans Who Don't Understand Encryption Introduce Bill to Break It
https://www.vice.com/en_us/article/y3z3z7/republican-encryption-bill-privacy-signal
Duo: New Bill Takes Direct Aim At Encrypted Devices and Services
https://duo.com/decipher/new-bill-takes-direct-aim-at-encrypted-devices-and-services
The Register: After huffing and puffing for years, US senators unveil law to blow the encryption house down with police backdoors
https://www.theregister.com/2020/06/24/us_encryption_backdoor/
Regmedia: Lawful Access to Encrypted Data Act (PDF)
https://regmedia.co.uk/2020/06/24/laeda_bill.pdf
--Cyberbunker Analysis
(June 23 & 25, 2020)
Last September, German police raided a cold-war era nuclear bunker outside of Frankfurt. The facility was being used by "Cyberbunker," a criminal organization that provided hosting services for various illegal purposes. A few months ago, the Internet Storm Center was able to access the Cyberbunker's IP address space. SANS.edu graduate student Karim Lalji's analysis found evidence of various illegal activities including several botnets with thousands of hosts trying to reach command-and-control servers months after law enforcement took them down.
Read more in:
ISC: Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider
The Register: Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute
https://www.theregister.com/2020/06/25/sans_cyberbunker_traffic_analysis/
--Akamai Mitigated Massive Packet-per-Second Based DDoS Attack
(June 25, 2020)
In a June 25, 2020 blog post, Akamai writes that it "mitigated the largest packet per second (pps) distributed denial-of-service (DDoS) attack ever recorded on the Akamai platform." The 809 million packets-per-second attack targeted an unnamed European bank on June 21. The blog also draws a distinction between DDoS attacks measured in bits per second (bps), which aim "to overwhelm the inbound internet pipeline," and attacks measured in packets per second (pps), which "are largely designed to overwhelm network gear and/or applications in the customer's data center or cloud environment."
Read more in:
Akamai: Largest Ever Recorded Packet Per Second-Based DDoS Attack Mitigated By Akamai
Bleeping Computer: European bank suffers biggest PPS DDoS attack, new botnet suspected
The Register: There are DDoS attacks, then there's this 809 million packet-per-second tsunami Akamai says it just caught
https://www.theregister.com/2020/06/25/akamai_809mpps_attack/
Ars Technica: Two record DDoSes disclosed this week underscore their growing menace
--Lucifer Malware Exploits Multiple Known Windows Vulnerabilities
(June 25, 2020)
Malware that has been dubbed Lucifer exploits a number of known high and critical severity Windows vulnerabilities, some dating back several years. The malware is multi-faceted: once it infects computers, it uses their resources for cryptomining or for launching distributed denial-of-service attacks.
Read more in:
Unit 42 Palo Alto Networks: Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices
https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/
Dark Reading: Lucifer Malware Aims to Become Broad Platform for Attacks
ZDNet: Lucifer: Devilish malware that abuses critical vulnerabilities on Windows machines
Bleeping Computer: New Lucifer DDoS malware creates a legion of Windows minions
--Ripple20
(June 25, 2020)
The 19 vulnerabilities in the Treck TCP/IP stack, known collectively as Ripple20, affect millions of IoT devices. The health care industry appears to have significantly more affected devices than other sectors, according to information from Forescout. The Bleeping Computer article includes a list of vendors with products that are confirmed to be affected by Ripple20.
[Editor Comments]
[Pescatore] Medical devices comprise a large share of users of the flawed Treck software. You will find a NewsBites drilldown on the issue at https://www.sans.org/blog/newsbites-drilldown-for-the-week-ending-19-june-2020/.
Read more in:
Bleeping Computer: List of Ripple20 vulnerability advisories, patches, and updates
Forescout: Identifying and Protecting Devices Vulnerable to Ripple20
https://www.forescout.com/company/blog/identifying-and-protecting-devices-vulnerable-to-ripple20/
--Suzette Kent is Leaving Government Service
(June 25, 2020)
US Federal CIO Suzette Kent has announced that she will leave her government position next month. Kent has served as Federal CIO since January 2018.
Read more in:
Fedscoop: Suzette Kent leaving government in July
https://www.fedscoop.com/suzette-kent-leaving-government-july/
Nextgov: Federal CIO Suzette Kent Tells Staff She's Retiring
Meritalk: Federal CIO Suzette Kent Stepping Down in July
https://www.meritalk.com/articles/federal-cio-suzette-kent-stepping-down-in-july/
--Prison Sentence for Botnet Creator
(June 25, 2020)
Kenneth Currin Schuchman has been sentenced to 13 months in prison for his role in the creation of numerous Internet-of-Things (IoT)-based botnets. Schuchman had earlier pleaded guilty to violating the Computer Fraud and Abuse Act (CFAA). Two accomplices have been charged with conspiracy to commit fraud in connection with the scheme.
Read more in:
KrebsOnSecurity: New Charges, Sentencing in Satori IoT Botnet Conspiracy
https://krebsonsecurity.com/2020/06/new-charges-sentencing-in-satori-iot-botnet-conspiracy/
ZDNet: DDoS botnet coder gets 13 months in prison
https://www.zdnet.com/article/ddos-botnet-coder-gets-13-months-in-prison/
Justice: Washington Man Sentenced for Role in Developing "Mirai" Successor Botnets
https://www.justice.gov/usao-ak/pr/washington-man-sentenced-role-developing-mirai-successor-botnets
KrebsOnSecurity: Indictment (PDF)
https://krebsonsecurity.com/wp-content/uploads/2020/06/Dkt-2-Indictment.pdf
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Analysis Of Traffic Targeting CyberBunker IP Space
SANS.edu Student Karim Lalji: Real-Time Honeypot Forensic Investigation on a German Organized Crime Network
Using Shell Links as zero-touch downloaders and to initiate network connections
Recordings of the Tech Tuesday Workshop
https://www.youtube.com/channel/UCfbOsqPmWg1H_34hTjKEW2A
Microsoft Offering Enterprise Security Products for Linux/Android
Microsoft Safe Documents
Chrome Updates Released
https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_22.html
QNAP Updates for Helpdesk
https://www.qnap.com/de-de/security-advisory/qsa-20-03
Magento Update
https://helpx.adobe.com/security/products/magento/apsb20-41.html
Attacks Against Microsoft Exchange Servers
https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/
Credit Card Skimmers Hide Code in Favicon EXIF Data
GeoVision Scanners Vulnerabilities
https://thehackernews.com/2020/06/geovision-scanner-vulnerabilities.html
Docker Images Containing Cryptojacking Malware
https://unit42.paloaltonetworks.com/cryptojacking-docker-images-for-mining-monero/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/creat
