SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #52
June 30, 2020
Medical Research Center Pays Ransomware; Hackers Wiping Lenovo/Iomega NAS Devices, Demanding Ransom; Card Skimming Malware on Government Websites in Eight US Cities
****************************************************************************
SANS NewsBites June 30, 2020 Vol. 22, Num. 052
****************************************************************************
TOP OF THE NEWS
California's Top Medical Research University Pays Ransomware Actors
Hackers are Wiping Old Lenovo/Iomega NAS Devices and Demanding Ransom
Magecart Card Skimming Malware Found on Government Websites in Eight US Cities
REST OF THE NEWS
British Tech Companies Urge Reworking Computer Misuse Act
Michigan House of Representatives Passes Bill Prohibiting Employers From Requiring Implanted Microchips for Workers
Magento 1.x EOL is June 30; Merchants Urged to Upgrade
Tax Software Required by Chinese Bank Installs Backdoor on Companies' Systems
Cardplanet Operator Aleksei Burkov Sentenced to Nine Years in Prison
Medvedev Guilty Plea
Cyber Flag 20-2 Participants Used New Remote Cyber Training Tool
Palo Alto Networks Fixes Critical Flaw in Firewall Operating System
INTERNET STORM CENTER TECH CORNER
********************* Sponsored By Netskope *******************************
Are you really ready to provide safe access to cloud services and keep pace with new threats? Register for Netskope's complimentary cloud security workshop! Take control over your web services. Get 5 CPE credits and hands-on experience with Next Gen Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) solutions built for the cloud. | http://www.sans.org/info/216865
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
OnDemand Training Special Offer
Flexible Offer with Flexible Training
Choose an iPad Air, an iPad with Smart Keyboard, a Surface Go, or Take $300 Off with OnDemand Training through July 8.
- https://www.sans.org/ondemand/specials
Live Online Training Special Offer
Get a Free GIAC Certification Attempt or Take $350 Off with Live Online Training through July 4.
- https://www.sans.org/live-online/specials
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
DFIR Summit & Training (Free Summit) | July 16-25 | Live Online
- https://www.sans.org/event/digital-forensics-summit-2020
SANS Rocky Mountain Summer 2020 | July 20-25 | Live Online
- https://www.sans.org/event/rocky-mountain-summer-2020
SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online
- https://www.sans.org/event/reboot-nova-2020
SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--California's Top Medical Research University Pays Ransomware Actors
(June 26 & 29, 2020)
The University of California, San Francisco (UCSF) has paid a ransomware demand of more than $1.4m. A "limited number of servers" at the public health research facility were encrypted by Netwalker ransomware. UCSF disclosed the incident on June 3. BBC News was able to observe a live chat on the dark web involving UCSF ransom negotiations.
[Editor Comments]
[Neely] The Netwalker operators used multiple techniques to entice UCSF into paying the ransom, including making both samples of exfiltrated data and the ransom negotiations visible to the press. For UCSF, reputation risk is key to continued support, as they are working on research to support the public good, including a cure for C-19. Sophos has published information about the tactics and tools used by Netwalker ransomware: https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
[Murray] Extortion attacks will continue as long as the value of success exceeds the cost of attack. Currently the excess of the value of success over the cost of attack is so high as to suggest that we need to increase the cost of attack perhaps ten-fold while reducing the value of success. The strategy of some enterprises of attempting to assign the risk to insurance underwriters is aggravating a problem that we have had years to fix.
Read more in:
The Register: University of California San Francisco pays ransomware gang $1.14m as BBC publishes 'dark web negotiations'
https://www.theregister.com/2020/06/29/ucsf_1_14m_dollar_ransom_paid_netwalker/
SC Magazine: UCSF paid $1.4 million ransom in NetWalker attack
https://www.scmagazine.com/home/security-news/ucsf-paid-1-4-million-ransom-in-netwalker-attack/
Cyberscoop: California university pays $1 million ransom amid coronavirus research
https://www.cyberscoop.com/ucsf-ransomware-payment-coronavirus/
BBC: How hackers extorted $1.14m from University of California, San Francisco
https://www.bbc.com/news/technology-53214783
UCSF: Update on IT Security Incident at UCSF
https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf
--Hackers are Wiping Old Lenovo/Iomega NAS Devices and Demanding Ransom
(June 29, 2020)
Hackers have been breaking into old LenovoEMC/Iomega network-attached storage (NAS) devices, wiping them, and demanding between $200 and $275 in ransom for the return of the data. The attacks targeted NAS devices that exposed their management interface on the Internet with no password protection. Similar attacks were reported a year ago. The LenovoEMC and Iomega NAS lines were discontinued in 2018.
[Editor Comments]
[Neely, Murray] These devices should not be exposed to the Internet. Refer to the Lenovo support page (https://support.lenovo.com/us/en/solutions/LEN_11575) on how to secure these devices. Then start taking steps to replace them. While they are still functional, Lenovo will no longer be releasing updates or fixes.
Read more in:
ZDNet: A hacker gang is wiping Lenovo NAS devices and asking for ransoms
https://www.zdnet.com/article/a-hacker-gang-is-wiping-lenovo-nas-devices-and-asking-for-ransoms/
--Magecart Card Skimming Malware Found on Government Websites in Eight US Cities
(June 26 & 29, 2020)
Researchers at Trend Micro found that local government websites in eight US cities were infected with Magecart card skimming malware. The common factor appears to be that all the affected sites were using the Click2Gov municipal payment software. The attacks began on April 10 and appear to still be active. This is not the first time that Click2Gov has been the target of attacks.
[Editor Comments]
[Neely] With past attacks, in 2018 and 2019, some cities took the added step of reverting to taking payments over the phone or US mail. The current attack, which may not be connected to the prior incidents, has been characterized as relatively easy. This would be a good time to investigate alternatives to Click2Gov. Include the cost of breach and transition timing in the research to understand your ongoing exposure and total costs.
[Murray] Any enterprise providing checkout on a website is a potential target for these attacks and should behave accordingly. Click2Gov is used widely for municipal utility bill collection. You know who you are.
[Northcutt] This style of attack has been going on for at least six years. If British Airways can get tagged via this threat vector, thinly staffed municipal IT staffs face a serious risk.
Read more in:
Trend Micro: US Local Government Services Targeted by New Magecart Credit Card Skimming Attack
Threatpost: 8 U.S. City Websites Targeted in Magecart Attacks
https://threatpost.com/8-city-gov-websites-magecart/156954/
SC Magazine: Eight cities using Click2Gov targeted in Magecart skimming attacks
Statescoop: Click2Gov breaches in eight cities attributed to Magecart hackers
https://statescoop.com/click2gov-breaches-eight-cities-magecart/
***************************** SPONSORED LINKS *****************************
1) Webcast | Join SANS Instructor, John Pescatore as he discusses "Insights on Remote Access Cybersecurity and Workplace Flexibility - A SANS Whitepaper". This expert, practitioner webcast will explore how enterprises have built-up from existing remote access approaches, and how they can progress remote access and WFH cybersecurity capabilities. | July 8 @ 12:00PM EDT
| http://www.sans.org/info/216870
2) Webcast | Tune in as Senior SANS Instructor, Jake Williams hosts the "4 Secrets to Power Charge Your SOC - How prevention and detection can deliver new work stream efficiencies". | July 8 @ 1:00PM EDT
| http://www.sans.org/info/216875
3) Webcast | Join top security analyst John Pescatore, accompanied by Nemi George and Nayeem Islam as they discuss "AI and Emerging Threat Protection - the new security normal" to learn the critical role security leaders will play in protecting their companies while driving change for continued cyber resilience.
| http://www.sans.org/info/216880
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--British Tech Companies Urge Reworking Computer Misuse Act
(June 29, 2020)
A group of British technology organizations and individuals have signed a letter to Prime Minister Boris Johnson, urging him to act to reform the Computer Misuse Act (CMA). The law was created 30 years ago, when less than one percent of the UK's population used the Internet and "the concept of cyber security and threat intelligence research did not exist." The letter also notes that "the CMA inadvertently criminalises a large proportion of modern cyber defence practices."
[Editor Comments]
[Neely] Writing legislation that stands the test of time is challenging, particularly in this space where both technologies and practices evolve rapidly. As such, it is optimal to include a plan for review and updating cyber legislation at the outset.
[Murray] We have often noted here that drafting legislation that has only the intended results while avoiding unintended consequences is difficult. On the other hand, we have a much better understanding of computer misuse and abuse than we did thirty years ago. It is time to undertake the task of replacing the CMA and CFAA.
Read more in:
The Register: Yes, Prime Minister, rewrite the Computer Misuse Act: Brit infosec outfits urge reform
https://www.theregister.com/2020/06/29/computer_misuse_act_reform_cyberup_letter_pm/
Regmedia: Letter to PM Boris Johnson (PDF)
https://regmedia.co.uk/2020/06/26/cyberuplettertopmfinal.pdf
--Michigan House of Representatives Passes Bill Prohibiting Employers From Requiring Implanted Microchips for Workers
(June 29, 2020)
The Michigan State House of Representatives has passed a bill that would prohibit employers from requiring workers to have RFID chips implanted. The measure is proactive; there have not been instances in which employers have actually imposed this requirement. A Wisconsin company has used implantable ID chips for their employees on a voluntary basis. The Microchip Protection Act now heads to the Michigan State Senate for consideration.
[Editor Comments]
[Pescatore] I usually try to only comment on news items where there is a meaningful or interesting tie-in to real world enterprise security issues but this one was hard to pass up. Proactive-ness seems to be in short supply across politicians and legislators. I'd certainly rather see states focus that scarce resource more on increasing election security (where the Michigan Secretary of State has been taking steps) than on preemptive technology-specific laws.
Read more in:
ZDNet: Michigan tackles compulsory microchip implants for employees with new bill
https://www.zdnet.com/article/michigan-fights-compulsory-chip-implants-for-employees-with-new-bill/
abc12: Bill requires employers to keep implanted microchips voluntary for workers
Michigan Legislature: HOUSE BILL NO. 5672 (as passed by the Michigan House)
https://www.legislature.mi.gov/documents/2019-2020/billengrossed/House/htm/2020-HEBH-5672.htm
--Magento 1.x EOL is June 30; Merchants Urged to Upgrade
(June 27 & 29, 2020)
Magento 1.x will no longer be supported after June 30, 2020. Payment processors are urging merchants to update; Visa informed merchants that failing to update to Magento 2.x will eventually cost them PCI DSS (Payment Card Industry Data Security Standard) compliance. Adobe's Security Bulletin for Magento updates last week included a reminder: "Support for Magento Commerce 1.14 and Magento Open Source 1 is ending in June 2020. This will be the final security patches available for these editions."
[Editor Comments]
[Murray] Before upgrading to Magento 2.0, merchants should consider taking the opportunity to switch to the exclusive use of checkout proxies like PayPal, Apple Pay, and Click2Pay. Payment collection should be separate from order entry. We have known that to be true since the days of the Sears and Roebuck Catalog.
Read more in:
ZDNet: Adobe, Mastercard, Visa warn online store owners of Magento 1.x EOL
https://www.zdnet.com/article/adobe-mastercard-visa-warn-online-store-owners-of-magento-1-x-eol/
HelpNet Security: Magento 1 reaches EOL: Merchants urged to upgrade or risk breaches, falling out of PCI DSS compliance
https://www.helpnetsecurity.com/2020/06/29/magento-1-eol/
Adobe: Security Updates Available for Magento | APSB20-41
https://helpx.adobe.com/security/products/magento/apsb20-41.html
--Tax Software Required by Chinese Bank Installs Backdoor on Companies' Systems
(June 25, 26, & 29, 2020)
At least two western companies opening offices in China were forced to install tax software on their systems; the software has been found to download and install a backdoor. The companies said that a bank in China "required that they install a software package called Intelligent Tax produced by the Golden Tax Department of Aisino Corporation, for paying local taxes." The backdoor, which has been named GoldenSpy, operates with SYSTEM-level privileges.
[Editor Comments]
[Pescatore] This echoes the 2017 NotPetya ransomware and the Ukrainian M.E. Doc accounting software that enabled the initial backdoor. Another strong reminder about supply chain security overall and when testing can't be done, the need for the network security equivalent of "quarantining" any software or appliances that must be used but hasn't been tested. A few years ago, I did a Board of Director's briefing around the risks of travel to foreign countries and most CXOs and Boards these days understand the risks of using their corporate devices in foreign countries. I made a point of emphasizing the same risk existed in the company's IT operations in those countries - special effort towards whitelisting, isolation and segmentation has to be part of the cost of doing business in those countries.
[Neely] When faced with a mandate like this, it is very hard to slow down and assess the security of the required software. Even so, testing and approving all installed software prior to general deployment is key to maintaining the integrity of your systems. Support that process with a transparent interface that anyone can use to request approval, and follow-up in a timely fashion to prevent an end-around.
Read more in:
Trustwave: The Golden Tax Department and the Emergence of GoldenSpy Malware
Ars Technica: Chinese bank requires foreign firm to install app with covert backdoor
ZDNet: Chinese bank forced western companies to install malware-laced tax software
SC Magazine: Tax software used by Chinese bank clients installs GoldenSpy backdoor
Infosecurity Magazine: Chinese Bank Forces Firms to Download Backdoored Software
https://www.infosecurity-magazine.com/news/chinese-bank-forces-download/
--Cardplanet Operator Aleksei Burkov Sentenced to Nine Years in Prison
(June 26 & 27, 2020)
Aleksei Burkov has been sentenced to nine years in prison for his role in operating the Cardplanet carding website, which sold payment card information that was used to make millions of dollars in fraudulent transactions. Burkov was arrested in Israel in December 2015; he was extradited to the US in 2019. Earlier this year, he pleaded guilty to access device fraud, conspiracy to commit access device fraud, identity theft, computer intrusions, wire fraud, and money laundering.
Read more in:
KrebsOnSecurity: Russian Cybercrime Boss Burkov Gets 9 Years
https://krebsonsecurity.com/2020/06/russian-cybercrime-boss-burkov-gets-9-years/
Threatpost: 'Cardplanet' Operator Sentenced to 9 Years for Selling Stolen Credit Cards
https://threatpost.com/cardplanet-operator-sentenced-stolen-credit-cards/156956/
KrebsOnSecurity: UNITED STATES OF AMERICA V. ALEKSEI YURIEVICH BURKOV (PDF)
https://krebsonsecurity.com/wp-content/uploads/2020/06/burkov-judgment.pdf
Justice: Russian National Sentenced to Prison for Operating Websites Devoted to Fraud and Malicious Cyber Activities
--Medvedev Guilty Plea
(June 26, 2020)
Sergey Medvedev has pleaded guilty to RICO conspiracy for his role in "an Internet-based cybercriminal enterprise" known as Infraud. The group's activity resulted in more than $586m in losses. US authorities have indicted 36 people in connection with Infraud.
Read more in:
Cyberscoop: Russian national pleads guilty to being part of $568 million fraud ring
https://www.cyberscoop.com/sergey-medvedev-guilty-plea-russia-infraud/
Bleeping Computer: Admin of carding portal behind $568M in losses pleads guilty
Justice: Russian National Pleads Guilty for Role in Transnational Cybercrime Organization Responsible for more than $568 Million in Losses
--Cyber Flag 20-2 Participants Used New Remote Cyber Training Tool
(June 25, 2020)
US Cyber Command's Cyber Flag 20-2 training exercise took place earlier this month. More than 500 people participated; there were 17 teams from five countries. For the first time, participants had access to a new remote access training tool. The Persistent Cyber Training Environment (PCTE) "is an online client that allows Cyber Command's cyber warriors, as well as partner nations, to log on from anywhere in the world to conduct individual or collective cyber training as well as mission rehearsal." The Cyber Flag exercise is run by US Cyber Command.
Read more in:
c4isrnet: This training tool could be the answer to stop mass cyberattacks
--Palo Alto Networks Fixes Critical Flaw in Firewall Operating System
(June 29, 2020)
Palo Alto Networks has released fixes for a critical authentication bypass vulnerability that affects PAN-OS, the operating system used in many of its firewalls. According to the Palo Alto advisory, when "Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources." If SAML authentication is not enabled, the flaw cannot be exploited. The affected versions are PAN-OS 9.1 versions earlier than PAN-OS 9.1.3; PAN-OS 9.0 versions earlier than PAN-OS 9.0.9; PAN-OS 8.1 versions earlier than PAN-OS 8.1.15; and all versions of PAN-OS 8.0 (EOL). PAN-OS 7.1 is not affected.
[Editor Comments]
[Neely] This was given a CVSSv3.1 base score of 10, which indicates rapid response is appropriate if you're using this configuration of SAML authentication. Verify your exposure per the Palo Alto KB article (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK: Securing your SAML Deployments). Suggest verifying the update in your test firewall prior to production deployment.
Read more in:
Palo Alto Networks: CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication
https://security.paloaltonetworks.com/CVE-2020-2021
DUO: Palo Alto Fixes Critical Authentication Bypass Flaw
https://duo.com/decipher/palo-alto-fixes-critical-authentication-bypass-flaw
Bleeping Computer: Palo Alto Networks patches critical vulnerability in firewall OS
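As an added example (not code from Palo Alto Networks or the advisory), the Python triage helper below encodes the affected-version ranges and the configuration precondition stated in the item above, so a firewall inventory can be sorted into exposed, patched, and precondition-not-met buckets. The handling of a `-hN` hotfix suffix is an assumption about PAN-OS version strings, and the sample inventory is constructed.

```python
"""Exposure triage for the PAN-OS SAML authentication bypass (CVE-2020-2021).

Added example, not Palo Alto Networks code. It encodes only what the
advisory summary states: the affected branches and first fixed releases,
plus the precondition that the flaw is reachable only when SAML
authentication is enabled AND 'Validate Identity Provider Certificate'
is disabled. Dropping a '-hN' hotfix suffix is an assumption about
PAN-OS version strings, not something the advisory text covers.
"""
from typing import Dict, Tuple

# Affected branch -> first fixed maintenance release (from the advisory summary).
FIRST_FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (9, 1): (9, 1, 3),
    (9, 0): (9, 0, 9),
    (8, 1): (8, 1, 15),
}
EOL_AFFECTED = {(8, 0)}    # every release affected, no fix available (EOL)
NOT_AFFECTED = {(7, 1)}    # explicitly listed as not affected


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '9.1.2' or '8.1.15-h3' into a comparable tuple of ints.

    The hotfix suffix is dropped (assumption): fixes are listed per
    maintenance release, so a hotfix on a fixed release is still fixed.
    """
    core = version.strip().split("-", 1)[0]
    parts = tuple(int(p) for p in core.split("."))
    if len(parts) < 2:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return parts


def version_status(version: str) -> str:
    """Classify as vulnerable, vulnerable-eol, fixed, not-affected or unlisted."""
    parts = parse_version(version)
    branch = parts[:2]
    if branch in NOT_AFFECTED:
        return "not-affected"
    if branch in EOL_AFFECTED:
        return "vulnerable-eol"
    if branch in FIRST_FIXED:
        # Tuple comparison also handles short strings: (9, 1) < (9, 1, 3).
        return "vulnerable" if parts < FIRST_FIXED[branch] else "fixed"
    return "unlisted"


def assess(version: str, saml_enabled: bool, validate_idp_cert: bool) -> str:
    """Combine the code-level status with the SAML configuration precondition."""
    status = version_status(version)
    if status in ("fixed", "not-affected"):
        return status
    if status == "unlisted":
        return "unlisted: branch not in the advisory summary; consult the vendor advisory"
    # Vulnerable code is present; the bypass needs a specific SAML configuration.
    if not saml_enabled:
        return "vulnerable code present, precondition not met (SAML disabled); patch in next window"
    if validate_idp_cert:
        return ("vulnerable code present, precondition not met "
                "(IdP certificate validation enabled); patch in next window")
    if status == "vulnerable-eol":
        return "EXPOSED: PAN-OS 8.0 is EOL with no fix; migrate to a supported branch"
    fixed = ".".join(str(n) for n in FIRST_FIXED[parse_version(version)[:2]])
    return f"EXPOSED: upgrade to PAN-OS {fixed} or later"


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, saml_enabled, validate_idp_cert)
    inventory = [
        ("fw-edge-01", "9.1.2", True, False),
        ("fw-edge-02", "9.1.3-h1", True, False),
        ("fw-dc-01", "8.1.14", True, True),
        ("fw-lab-01", "8.0.20", True, False),
        ("fw-legacy", "7.1.26", True, False),
        ("fw-branch", "9.0.8", False, False),
    ]
    for host, ver, saml, validate in inventory:
        print(f"{host:12} {ver:10} {assess(ver, saml, validate)}")
```

Rows marked EXPOSED are the ones the CVSS 10 score applies to in practice; the others still warrant the patch, only on a normal maintenance schedule.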
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Sysmon 11.10 and ADS Logging
https://isc.sans.edu/forums/diary/Sysmon+and+Alternate+Data+Streams/26292/
MacOS 11 Security Changes
https://www.sentinelone.com/blog/macos-big-sur-9-big-surprises-for-enterprise-security/
Cisco Telnet Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-telnetd-EFJrEzPx
https://appgateresearch.blogspot.com/2020/02/bravestarr-fedora-31-netkit-telnetd_28.html
Palo Alto PAN-OS SAML Vulnerability
https://security.paloaltonetworks.com/CVE-2020-2021
Certificate Lifetime Limited to 1 Year Starting September
https://chromium.googlesource.com/chromium/src/+/ae4d6809912f8171b23f6aa43c6a4e8e627de784
https://support.apple.com/en-us/HT211025
https://lists.cabforum.org/pipermail/servercert-wg/2020-June/002000.html
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create