SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #53
July 7, 2020
NB: US CYBERCOM: Patch Palo Alto Now!; NSA Guidance Securing IPsec VPNs; macOS Ransomware; MSP Hit by Ransomware
****************************************************************************
SANS NewsBites July 7, 2020 Vol. 22, Num. 053
****************************************************************************
TOP OF THE NEWS
US CYBERCOM Warning on Palo Alto Networks PAN-OS Vulnerability; Patch Now!
NSA Issues Guidance on Securing IPsec VPNs
New macOS Ransomware ThiefQuest Found on Torrent Sites
Managed Service Provider Xchanging Hit by Ransomware
REST OF THE NEWS
Barclays Website Was Calling Javascript File from Internet Archive
F5 Releases Patches for Flaws in BIG-IP Networking Devices; POC Exploit Code Released
European Authorities Infiltrated Encrypted Communication Platform Used by Criminals
Cisco Fixes XSS Flaw in Small Business VPN Router Firmware
Cisco Releases Firmware Updates for Vulnerability in Small Business Switches
Apple's Decision Forces Shortening of Digital Certificate Lifespans
Microsoft Releases Two Out-of-Cycle Patches for Windows
Home Router Study Finds "Alarming" Security Issues
Top Three Network Intrusion Signatures Used Against Federal Agencies in May 2020
INTERNET STORM CENTER NOTE
More Security Vulnerabilities in Perimeter Security Devices and What To Do About Them
INTERNET STORM CENTER TECH CORNER
*********************** Sponsored By Splunk ********************************
The Essential Guide to Security. Check out The Essential Guide to Security for 2020 to discover new security use cases as well as how to implement Splunk's security product suite for advanced security analytics, security automation and orchestration (SOAR), Security Information and Event Management (SIEM), MITRE ATT&CK, machine learning and more, all in one place to power your SOC. | http://www.sans.org/info/216925
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS Training now offers THREE ways to complete a course:
OnDemand | Live Online | In-Person:
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
- https://www.sans.org/cyber-security-training-events/in-person/north-america
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
OnDemand Training Special Offer
Flexible Offer with Flexible Training
Choose an iPad Air, an iPad with Smart Keyboard, a Surface Go, or Take $300 Off with OnDemand Training through July 8.
- https://www.sans.org/ondemand/specials
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
DFIR Summit & Training (Free Summit) | July 16-25 | Live Online
- https://www.sans.org/event/digital-forensics-summit-2020
SANS Rocky Mountain Summer 2020 | July 20-25 | Live Online
- https://www.sans.org/event/rocky-mountain-summer-2020
SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online
- https://www.sans.org/event/reboot-nova-2020
SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--US CYBERCOM Warning on Palo Alto Networks PAN-OS Vulnerability; Patch Now!
(June 30, 2020)
On June 29, US Cyber Command issued a cybersecurity alert regarding a critical flaw affecting Palo Alto Networks PAN-OS, the operating system that runs on the company's firewalls and VPN gateways. CVE-2020-2021 (CVSS 10.0) is an authentication bypass in PAN-OS's SAML authentication: it is exploitable only when SAML authentication is enabled and the "Validate Identity Provider Certificate" option is disabled, in which case an unauthenticated attacker with network access to the device can sign in as any user. The alert urges users to "patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use," and US Cyber Command expects that foreign adversaries will begin exploiting the vulnerability soon. Where patching must wait, confirm that the Validate Identity Provider Certificate option is enabled on every SAML profile.
[Editor Comments]
[Murray] It is regrettable, but "patching" is now a mandatory, expensive, and continuous activity. However, all patches are not equal; patch first those vulnerabilities that are being actively exploited.
Read more in:
Ars Technica: Foreign adversaries likely to try exploiting critical networking bug, US says
ZDNet: US Cyber Command says foreign hackers will attempt to exploit new PAN-OS security bug
Twitter: USCYBERCOM Cybersecurity Alert
https://twitter.com/CNMF_CyberAlert/status/1277674547542659074
Knowledge Base: Securing your SAML Deployments
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UXK
Palo Alto Networks: CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication
https://security.paloaltonetworks.com/CVE-2020-2021
--NSA Issues Guidance on Securing IPsec VPNs
(July 2, 2020)
The US National Security Agency (NSA) has released guidance to help organizations secure the IPsec virtual private networks (VPNs) that many of them now rely on to let employees work from home. The NSA has also released a companion document on configuring IPsec VPNs.
[Editor Comments]
[Pescatore] Related to this item and the one about the Cybercom warning of critical vulnerabilities in Palo Alto Networks' PAN-OS based products, Johannes Ullrich of SANS put forth great guidance earlier in the year about critical vulnerabilities in security and VPN appliances and certified. SANS published that guidance as part of the SANS 2020 New Attack and Threat Report available at https://www.sans.org/reading-room/whitepapers/threats/paper/38908
[Murray] This guidance seems to assume that all VPNs will terminate on a network "gateway." While there will be a lot of these in a WFH situation, prefer to terminate VPNs on applications rather than on networks or operating systems.
Read more in:
Bleeping Computer: NSA releases guidance on securing IPsec Virtual Private Networks
Defense: Securing IPsec Virtual Private Networks (PDF)
Defense: Configuring IPsec Virtual Private Networks (PDF)
--New macOS Ransomware ThiefQuest Found on Torrent Sites
(July 1, 2020)
Researchers at Malwarebytes have detected new ransomware targeting macOS. Dubbed ThiefQuest (also called EvilQuest), it is more than ransomware: it can exfiltrate files, search for cryptocurrency wallets and passwords, and log keystrokes, so a victim who pays or restores from backup may still have had data stolen. ThiefQuest has been found bundled into pirated software on torrent sites, including a trojanized installer for the Little Snitch firewall.
Read more in:
Malwarebytes: New Mac ransomware spreading through piracy
https://blog.malwarebytes.com/mac/2020/06/new-mac-ransomware-spreading-through-piracy/
Twitter: Dinesh_Devadoss
https://twitter.com/dineshdina04/status/1277668001538433025
Threatpost: EvilQuest: Inside A 'New Class' of Mac Malware
https://threatpost.com/evilquest-inside-mac-malware/157074/
Wired: New Mac Ransomware Is Even More Sinister Than It Appears
https://www.wired.com/story/new-mac-ransomware-thiefquest-evilquest/
The Register: Things that happen every four years: Olympic Games, Presidential elections, and now new Mac ransomware
https://www.theregister.com/2020/07/01/evilquest_ransomware/
--Managed Service Provider Xchanging Hit by Ransomware
(July 6, 2020)
In a Form 8-K filed with the US Securities and Exchange Commission (SEC), DXC Technology disclosed that systems at one of its subsidiaries were hit with a ransomware attack. The subsidiary, Xchanging, is a managed service provider that focuses primarily on the insurance industry but also has customers in other sectors. According to the filing, "DXC is actively working with affected customers to restore access to their operating environment as quickly as possible."
Read more in:
Bleeping Computer: Ransomware attack on insurance MSP Xchanging affects clients
SEC: DXC Identifies Ransomware Attack on Part of its Xchanging Environment
https://www.sec.gov/Archives/edgar/data/1688568/000119312520187244/d942699dex991.htm
***************************** SPONSORED LINKS ******************************
1) Webcast | Wednesday, July 15, 2020 at 2:00 PM EDT | Join SANS Expert as he presents "Preventing Runtime Exploits: The SANS Implementation Guide for RunSafe Security's Alkemist" | http://www.sans.org/info/216930
2) Share your knowledge by taking the SANS 2020 Vulnerability Management Survey and be entered for a chance to win a $150 Amazon Gift Card. | http://www.sans.org/info/216935
3) Webcast | July 14, 2020 at 2:00 PM EDT | Everything you need to know before trusting a zero-trust provider. | http://www.sans.org/info/216940
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Barclays Website Was Calling Javascript File from Internet Archive
(July 3, 2020)
The Barclays Bank website appears to have been loading a Javascript file from the Internet Archive's Wayback Machine, a third-party host the bank does not control. Had the Internet Archive gone down, the dependent Barclays pages would have broken; worse, a script loaded from any third-party origin runs with the full privileges of the page that includes it, so anyone able to alter the archived file could have run code in the context of the bank's site. Barclays has fixed the issue.
[Editor Comments]
[Murray] It is tempting to include both data and procedure by reference, rather than by copying. Be careful what you refer to.
Read more in:
The Register: Barclays Bank appeared to be using the Wayback Machine as a 'CDN' for some Javascript
https://www.theregister.com/2020/07/03/barclays_bank_javascript_wayback_machine/
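The mechanism a site can use to take a third-party host out of its trust boundary is Subresource Integrity: the page pins the script's hash in an integrity attribute, and the browser refuses to run anything that does not match. The following Python is an added example (not code from NewsBites, Barclays or The Register) that computes an SRI value the way the W3C specification defines it and emulates the browser's check, including the rule that only the strongest listed algorithm counts; the script bytes and the CDN URL are constructed for the example.

```python
import base64
import hashlib

# Constructed sample: the bytes of a script a page includes from a third-party host.
SCRIPT = b"window.widget = function () { return 'constructed sample'; };\n"
SCRIPT_URL = "https://cdn.example.test/widget.js"   # hypothetical host, not a real CDN

_STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # algorithms SRI allows, weakest first


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Value for the integrity attribute: '<algo>-<base64 of the raw digest>'."""
    if algo not in _STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 and sha512")
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Emulate the browser: parse the space-separated tokens, keep those with a
    recognised algorithm, and require a match among the tokens that use the
    strongest algorithm present. An attribute with no recognised token is
    ignored, which is what the spec says browsers do."""
    tokens = []
    for token in integrity.split():
        algo, _, rest = token.partition("-")
        if algo in _STRENGTH:
            tokens.append((algo, rest.split("?", 1)[0]))   # drop any '?options' suffix
    if not tokens:
        return True
    strongest = max(_STRENGTH[a] for a, _ in tokens)
    return any(_STRENGTH[a] == strongest and sri_hash(content, a) == f"{a}-{h}"
               for a, h in tokens)


def script_tag(src: str, content: bytes) -> str:
    """The tag to put in the page; crossorigin is required for SRI on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    integrity = sri_hash(SCRIPT)
    print(script_tag(SCRIPT_URL, SCRIPT))
    print("unchanged script accepted:", sri_matches(SCRIPT, integrity))
    print("modified script accepted :", sri_matches(SCRIPT + b"/* injected */", integrity))
```

The pinned hash only helps if the page's own HTML is served from an origin the site controls; it turns "whatever the third party serves" into "exactly the bytes reviewed when the tag was written", and a change on the remote host, benign or not, makes the script fail closed.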
--F5 Releases Patches for Flaws in BIG-IP Networking Devices; POC Exploit Code Released
(July 2, 3, 4, 5, & 6, 2020)
F5 has released fixes for a critical remote code execution flaw (CVE-2020-5902, CVSS score 10) in the Traffic Management User Interface (TMUI) of its BIG-IP application delivery controllers; an unauthenticated attacker who can reach the TMUI can take complete control of the device. US Cyber Command tweeted last week that patching this vulnerability is urgent. On Sunday, July 5, CISA Director Christopher Krebs tweeted, "If you didn't patch by this morning, assume compromised." Proof-of-concept exploit code has been released, and attackers are already exploiting the vulnerability. F5 has also released fixes for a high-severity cross-site scripting vulnerability (CVE-2020-5903) in the BIG-IP Configuration utility. Until a device is patched, its TMUI should not be reachable from the internet, and devices that were exposed should be examined for compromise rather than simply patched.
[Editor Comments]
[Murray] We continue to see the publication by "researchers" of work product, "exploits," that reduces the cost of attack against our systems rather than that increases it. This appears to be a part of a "culture of hacking" left over from an era when hackers were motivated by, and recognized for, "cleverness."
Read more in:
Bleeping Computer: PoC exploits released for F5 BIG-IP vulnerabilities, patch now!
PT Security: F5 fixes critical vulnerability discovered by Positive Technologies in BIG-IP application delivery controller
Wired: Hack Brief: Hackers Are Exploiting a 5-Alarm Bug in Networking Equipment
https://www.wired.com/story/f5-big-ip-networking-vulnerability/
Cyberscoop: Cyber Command backs 'urgent' patch for F5 security vulnerability
https://www.cyberscoop.com/cyber-command-f5-security-flaw/
ZDNet: Hackers are trying to steal admin passwords from F5 BIG-IP devices
https://www.zdnet.com/article/hackers-are-trying-to-steal-admin-passwords-from-f5-big-ip-devices/
ZDNet: F5 patches vulnerability that received a CVSS 10 severity score
https://www.zdnet.com/article/f5-patches-vulnerability-that-received-a-cvss-10-severity-score/
The Register: F5 emits fixes for critical flaws in BIG-IP gear: Hopefully yours aren't internet-facing while you ready a patch
https://www.theregister.com/2020/07/03/f5_critical_flaws_big_ip/
Support.F5: K52145254: TMUI RCE vulnerability CVE-2020-5902
https://support.f5.com/csp/article/K52145254
Support.F5: K43638305: BIG-IP TMUI XSS vulnerability CVE-2020-5903
https://support.f5.com/csp/article/K43638305
--European Authorities Infiltrated Encrypted Communication Platform Used by Criminals
(July 2 & 3, 2020)
Law enforcement authorities in several European countries infiltrated EncroChat, an encrypted communication platform frequented by criminals. Hundreds of people have been arrested, and large quantities of luxury items and illegal drugs and nearly EUR 20 million in cash have been seized.
Read more in:
Vice: How Police Secretly Took Over a Global Phone Network for Organized Crime
https://www.vice.com/en_us/article/3aza95/how-police-took-over-encrochat-hacked
Ars Technica: Police infiltrate encrypted phones, arrest hundreds in organized crime bust
Threatpost: E.U. Authorities Crack Encryption of Massive Criminal and Murder Network
https://threatpost.com/eu-authorities-crack-encryption-murder-network/157146/
The Register: Euro police forces infiltrated encrypted phone biz - and now 'criminal' EncroChat users are being rounded up
https://www.theregister.com/2020/07/02/encrochat_op_venetic_encrypted_phone_arrests/
Bleeping Computer: Hundreds arrested after encrypted messaging network takeover
Cyberscoop: European police crack encrypted phone network, arrest hundreds of alleged criminals
https://www.cyberscoop.com/encrochat-encryption-drug-bust/
--Cisco Fixes XSS Flaw in Small Business VPN Router Firmware
(July 1, 2, & 6, 2020)
Cisco has released fixes for a cross-site scripting vulnerability that affects two of its small business VPN routers. The flaw is the result of "insufficient validation of user-supplied input by the web-based management interface of the affected software." The issue affects Cisco Small Business RV042 and RV042G Routers running firmware releases older than 4.2.3.14.
Read more in:
SC Magazine: Zero-day XSS vulnerability found in Cisco small business routers
The Register: Cisco SMB kit harbors cross-site scripting bug: One wrong link click... and that's your router pwned remotely
https://www.theregister.com/2020/07/02/cisco_smb_router_hole/
Cisco: Cisco Small Business RV042 and RV042G Routers Cross-Site Scripting Vulnerability
--Cisco Releases Firmware Updates for Vulnerability in Small Business Switches
(July 1, 2020)
Cisco has released a security update to fix a high-severity flaw in its Small Business Smart and Managed Switches. The vulnerability "is due to the use of weak entropy generation for session identifier values": because the identifiers are far less random than their length suggests, an attacker could guess a valid session identifier and reuse it to take over an administrator's session. The issue is fixed in firmware release 2.5.5.47 for affected products that are still supported.
[Editor Comments]
[Murray] The smaller the entity for which an appliance is intended, the more of them there are likely to be and the less likely that they will be actively managed.
Read more in:
Threatpost: Cisco Warns of High-Severity Bug in Small Business Switch Lineup
https://threatpost.com/cisco-warns-high-severity-bug-small-business-switch/157090/
Cisco: Cisco Small Business Smart and Managed Switches Session Management Vulnerability
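To show what "weak entropy generation for session identifier values" looks like in practice, here is an added example (not Cisco code, and not based on the affected firmware, whose implementation the page does not describe) in which a session ID is derived from a PRNG seeded with the wall-clock second, next to the CSPRNG-based generator that should have been used; the login timestamp is constructed.

```python
import math
import random
import secrets


def weak_session_id(login_time: int) -> str:
    """Deliberately weak: a 128-bit token drawn from a PRNG seeded with the login
    second. The token looks random but is a pure function of the time."""
    rng = random.Random(login_time)          # seed space: one value per second
    return f"{rng.getrandbits(128):032x}"


def strong_session_id() -> str:
    """128 bits from the OS CSPRNG, which is what a session manager should use."""
    return secrets.token_hex(16)


def candidate_session_ids(approx_time: int, window: int = 300) -> list:
    """Attacker's side: knowing roughly when the administrator logged in (HTTP Date
    header, a syslog line), enumerate every seed in the window and replay the
    generator. Each result is a cookie value worth trying against the switch."""
    return [weak_session_id(t) for t in range(approx_time - window, approx_time + window + 1)]


def effective_entropy_bits(window: int) -> float:
    """Bits the attacker must actually guess: log2 of the number of seeds in the
    window, not the 128 bits the token length suggests."""
    return math.log2(2 * window + 1)


if __name__ == "__main__":
    login = 1593561600                       # constructed: an epoch second in June 2020
    sid = weak_session_id(login)
    guesses = candidate_session_ids(login + 90, window=300)
    print("weak id   :", sid)
    print("in guesses:", sid in guesses, "out of", len(guesses), "candidates")
    print(f"effective entropy: {effective_entropy_bits(300):.1f} bits (token claims 128)")
    print("strong id :", strong_session_id(), "-> 2**128 candidates")
```

A few hundred HTTP requests are enough to walk the whole candidate list, which is why the fix is not a longer token but a different source of randomness: with `secrets` (or the platform's CSPRNG) the session identifier is independent of anything an attacker can observe or estimate.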
--Apple's Decision Forces Shortening of Digital Certificate Lifespans
(June 28 & 30, 2020)
Starting September 1, 2020, Apple software, Chrome, and Firefox will reject newly issued TLS server certificates whose validity period exceeds 398 days; certificates issued before that date are unaffected. The change arises from a unilateral decision Apple announced earlier this year, bypassing the expected practice of bringing issues like this one to the CA/Browser Forum, "a voluntary group of certification authorities (CAs), vendors of Internet browser software, and suppliers of other applications that use X.509 v.3 digital certificates for SSL/TLS and code signing." Shorter lifespans force websites and apps to obtain new certificates roughly every year, which limits how long a compromised or mis-issued certificate remains usable and speeds the retirement of certificates that rely on outdated cryptographic standards. Operators should confirm that their renewal process, and in particular any manually provisioned certificates, can keep up with the shorter cycle.
[Editor Comments]
[Pescatore] In 2007 the CA/Browser forum moved quickly to specify Extended Validation certificates that would cost more but turn out to be of minimal security value. Ever since then, the Browser companies (who mostly do not charge for their browser software) have driven all increases in related security areas while the Certificate Authority part of the CA/Browser Forum (who mostly charge for certificates) have moved much more slowly or voted against proposed enhancements. Google at times, Mozilla at times, now Apple - in areas other than certificates, too - good to see the browser world pushing the security envelope.
Read more in:
The Register: Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too
https://www.theregister.com/2020/06/30/tls_cert_lifespan/
ZDNet: Apple strong-arms entire CA industry into one-year certificate lifespans
CAB Forum: CA/Browser Forum
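A quick way to see whether a certificate you are about to deploy will be rejected under the new rule: the following added Python (not from NewsBites, Apple or the CA/Browser Forum) applies the 398-day limit to the notBefore/notAfter strings in the form Python's ssl.getpeercert() returns. The certificates below are constructed; the cutoff date and the limit are the ones stated in the item above.

```python
import ssl
from datetime import datetime, timezone

MAX_LIFETIME_DAYS = 398
POLICY_START = datetime(2020, 9, 1, tzinfo=timezone.utc)  # applies to certs issued on/after this date


def _parse_cert_time(value: str) -> datetime:
    """ssl.getpeercert() reports times like 'Sep  1 00:00:00 2020 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def lifetime_days(cert: dict) -> float:
    not_before = _parse_cert_time(cert["notBefore"])
    not_after = _parse_cert_time(cert["notAfter"])
    return (not_after - not_before).total_seconds() / 86400


def accepted_by_browser(cert: dict) -> bool:
    """True if Safari/Chrome/Firefox will still trust the certificate's validity
    period: certificates issued before 1 Sept 2020 are unaffected; later ones
    must be valid for at most 398 days."""
    if _parse_cert_time(cert["notBefore"]) < POLICY_START:
        return True
    return lifetime_days(cert) <= MAX_LIFETIME_DAYS


def audit(certs: dict) -> dict:
    """Map each certificate name to (lifetime in days, accepted?) for reporting."""
    return {name: (lifetime_days(c), accepted_by_browser(c)) for name, c in certs.items()}


# Constructed certificates in getpeercert() form (only the fields the check needs).
SAMPLE_CERTS = {
    "two-year-after-cutoff":  {"notBefore": "Sep  1 00:00:00 2020 GMT", "notAfter": "Sep  1 00:00:00 2022 GMT"},
    "two-year-before-cutoff": {"notBefore": "Aug 31 00:00:00 2020 GMT", "notAfter": "Aug 31 00:00:00 2022 GMT"},
    "one-year-after-cutoff":  {"notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Oct  3 00:00:00 2021 GMT"},
    "399-days-after-cutoff":  {"notBefore": "Oct  1 00:00:00 2020 GMT", "notAfter": "Nov  4 00:00:00 2021 GMT"},
}

if __name__ == "__main__":
    for name, (days, ok) in audit(SAMPLE_CERTS).items():
        print(f"{name:24s} {days:6.0f} days  {'OK' if ok else 'REJECTED by browsers'}")
```

Against a live endpoint the same check runs on the dictionary returned by `ssl.SSLSocket.getpeercert()`; the 399-day case is the one that catches people who simply re-issue "one year plus a grace period".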
--Microsoft Releases Two Out-of-Cycle Patches for Windows
(July 1 & 5, 2020)
On June 30, Microsoft released two unscheduled patches to address remote code execution vulnerabilities (CVE-2020-1425 and CVE-2020-1457) in the Windows Codecs Library; both are triggered when a program processes a specially crafted image file. Microsoft delivered the fixes through the Microsoft Store rather than Windows Update because the affected code is the optional HEVC Video Extensions codec package, which is distributed through the Store. The advisories say, "Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update." Systems on which Store updates are blocked will not receive the fix automatically.
Read more in:
Bleeping Computer: Windows 10's Microsoft Store Codecs patches are confusing users
Ars Technica: Unscheduled fixes released for critical flaw in optional Windows codec
ZDNet: Microsoft releases emergency security update to fix two bugs in Windows codecs
Threatpost: Microsoft Releases Emergency Security Updates for Windows 10, Server
https://threatpost.com/microsoft-releases-emergency-security-updates-for-windows-10-server/157055/
MSRC: CVE-2020-1425 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1425
MSRC: CVE-2020-1457 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1457
--Home Router Study Finds "Alarming" Security Issues
(July 6, 2020)
A study of 127 home routers from seven manufacturers found numerous security issues. The Fraunhofer Institute for Communication, Information Processing and Ergonomics (FKIE) in Germany examined each router's most recent firmware image, focusing on five aspects: when the firmware was last updated; which operating system (typically Linux) and kernel version it runs and how many known flaws that version has; which exploit mitigation techniques the vendor compiled in; whether the image contains private cryptographic key material; and whether it contains hard-coded login credentials. Among the report's findings: 46 of the routers had not received a security update in the past year; some vendors ship firmware updates that still contain known vulnerabilities; and only one of the seven vendors did not ship private cryptographic keys in its firmware. A key embedded in a firmware image is shared by every device running that image, so anyone who extracts it can impersonate, or decrypt traffic to, all of them.
Read more in:
FKIE: Home Router Security Report 2020 (PDF)
ZDNet: Home router warning: They're riddled with known flaws and run ancient, unpatched Linux
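Two of FKIE's five checks, private keys and hard-coded credentials left in the firmware image, are easy to reproduce on an extracted filesystem. The following Python is an added example (not FKIE's tooling, and not derived from any vendor's image) that scans a blob for PEM private-key blocks, noting whether they are passphrase-protected, and for passwd/shadow-style entries that carry a usable or empty password field; the image bytes are constructed, and on a real device you would run it over the root filesystem extracted from the firmware.

```python
import re

# Constructed stand-in for an extracted firmware root filesystem (not a real vendor image).
IMAGE = (
    b"\x00\x01binary junk\x00\n"
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"MIIEowIBAAKCAQEA0example\n"
    b"-----END RSA PRIVATE KEY-----\n"
    b"more junk\x7fELF\x00\n"
    b"root:$1$abc$xyz123:0:0:root:/root:/bin/sh\n"
    b"admin::0:0:admin:/:/bin/sh\n"
    b"nobody:*:65534:65534::/:/bin/false\n"
    b"daemon:x:1:1::/:/bin/false\n"
)

# PEM private-key block; the back-reference makes the BEGIN/END types agree
# (RSA, EC, OPENSSH, or nothing for PKCS#8).
KEY_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]*?)PRIVATE KEY-----(.*?)-----END \1PRIVATE KEY-----", re.S)
# passwd/shadow-style entry at the start of a line: user:password-field:...
ACCOUNT_RE = re.compile(rb"(?m)^([a-z_][a-z0-9_-]*):([^:\n]*):")
LOCKED = {b"x", b"*", b"!", b"!!"}   # shadowed or locked: no usable password in this field


def find_private_keys(blob: bytes) -> list:
    keys = []
    for m in KEY_RE.finditer(blob):
        keys.append({
            "offset": m.start(),
            "type": (m.group(1).strip() or b"PKCS8").decode(),
            # OpenSSL marks passphrase-protected legacy PEM with a Proc-Type header;
            # an unencrypted key in a shipped image is usable by anyone who downloads it.
            "encrypted": b"Proc-Type: 4,ENCRYPTED" in m.group(2),
        })
    return keys


def find_hardcoded_credentials(blob: bytes) -> list:
    creds = []
    for m in ACCOUNT_RE.finditer(blob):
        user, field = m.group(1), m.group(2)
        if field in LOCKED:
            continue
        creds.append({
            "user": user.decode(),
            "empty_password": field == b"",          # blank field: login with no password
            "hash": field.decode(errors="replace"),  # hash to feed to an offline cracker
        })
    return creds


def audit_image(blob: bytes) -> dict:
    return {"private_keys": find_private_keys(blob),
            "credentials": find_hardcoded_credentials(blob)}


if __name__ == "__main__":
    import json
    print(json.dumps(audit_image(IMAGE), indent=2))
```

The two regexes are deliberately loose: on a real image they will also surface keys and accounts inside test fixtures and sample configs, which is fine for an audit, since the question FKIE asked is whether the material exists in the shipped firmware at all.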
--Top Three Network Intrusion Signatures Used Against Federal Agencies in May 2020
(June 30 & July 2, 2020)
The top three network intrusion signatures detected by the US Department of Homeland Security's (DHS's) EINSTEIN intrusion detection system during May 2020 were the NetSupport Manager Remote Access Tool (RAT), legitimate software that is also being delivered in phishing campaigns; the Kovter fileless Trojan; and the XMRig cryptocurrency miner. EINSTEIN gathers and analyzes traffic flowing into and out of federal civilian organizations' systems and networks.
Read more in:
US-CERT: Alert (AA20-182A) | EINSTEIN Data Trends - 30-day Lookback
https://www.us-cert.gov/ncas/alerts/aa20-182a
FCW: CISA's hit parade of malware aimed at federal agencies
https://fcw.com/articles/2020/07/02/johnson-cisa-malware-hit-parade.aspx
*****************************************************************************
INTERNET STORM CENTER NOTE
--More Security Vulnerabilities in Perimeter Security Devices and What To Do About Them
The last two weeks highlighted yet again security problems with software and devices that are supposed to protect our perimeters. Most notable, F5's BIG-IP devices were found to suffer from a trivially exploitable remote code execution vulnerability (CVE-2020-5902) in the TMUI management interface. This vulnerability is already being heavily exploited, and any vulnerable device whose management interface was exposed to the internet over the weekend should be treated as likely compromised. But F5 wasn't alone. About a week ago, Palo Alto Networks reported an authentication bypass (CVE-2020-2021) affecting certain SAML configurations of PAN-OS. And less noted, but still important, were vulnerabilities in the open source RDP gateway Apache Guacamole. As a cheaper alternative to commercial solutions, some organizations deployed Guacamole to provide controlled access to RDP services for remote workers. One of the most important things you can do, even if you do not use any of these products, is to ensure that the administrative interfaces of these devices are reachable only from management networks or over a VPN, never from the open internet. Limiting access will prevent the vast majority of the exploits used against these vulnerabilities, and it buys time to patch when the next one appears.
INTERNET STORM CENTER TECH CORNER
F5 BIG-IP Critical RCE
https://support.f5.com/csp/article/K52145254
https://isc.sans.edu/forums/diary/CVE20205902+F5+BIGIP+Exploitation+Attempt/26310/
Special F5 BigIP Webcast
https://www.sans.org/webcasts/116065
More BIG-IP Exploits
https://isc.sans.edu/forums/diary/Summary+of+CVE20205902+F5+BIGIP+RCE+Vulnerability+Exploits/26316/
Guacamole RDP Gateway Vulnerability
Barclays Caught Serving Code from Wayback Machine
https://www.theregister.com/2020/07/03/barclays_bank_javascript_wayback_machine/
Microsoft ATP Web Content Filtering
Ouch Newsletter: Ransomware
https://www.sans.org/security-awareness-training/resources/ransomware
Extended Research Feed: Added Net Systems Research
https://isc.sans.edu/api/threatcategory/research
Windows 10 / Server 2019 Out-of-Band Patch
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1425
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1457
MacOS Ransomware Arrives as Fake Little Snitch Software
https://blog.malwarebytes.com/mac/2020/06/new-mac-ransomware-spreading-through-piracy/
Evil Quest "Ransomware" Update
https://objective-see.com/blog/blog_0x59.html
VPN Privilege Escalation
https://0xsha.io/posts/zombievpn-breaking-that-internet-security
DNSSEC Phishing Scam
Alina PoS Malware Exfiltrating Data via DNS
https://blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/
IBM Cyber Resilient Organization Report
https://www.ibm.com/account/reg/us-en/signup?formid=urx-45839
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create