SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #55
July 14, 2020NB: Health Care Cyber Attacks Skyrocketing; Many SAP and Zoom Installations Need Immediate Patching
****************************************************************************
SANS NewsBites July 7, 2020 Vol. 22, Num. 055
****************************************************************************
TOP OF THE NEWS
Cyber Attacks Against Health Care Facilities Skyrocketing During COVID Pandemic
SAP Patches Critical Flaw - Severity 10 - Patch Now
Zoom Releases Fix for RCE Flaw Affecting Older Versions of Windows - Patch Now
REST OF THE NEWS
Amazon Walks Back its TikTok Ban; Wells Fargo Imposes One
Conti Ransomware Can Encrypt Files Very Quickly
Secret Service Cyber Fraud Task Force
Mozilla Will Reduce TLS Certificates' Lifespan to 398 Days
Amnesty International Loses Bid to Revoke NSO Export License
Nikulin Found Guilty of Breaking Into LinkedIn, DropBox, and Formspring
US Dept. of Energy Report: DOE's Office of Science Lacks Sufficient Peripheral Device Security
Belgian Bank Closes Down Older ATMs After Jackpotting Attacks
Ukrainian Police Arrest Alleged Government Database Hacker
EFF Files Amicus Brief in Supreme Court Case Involving CFAA
INTERNET STORM CENTER TECH CORNER
******************* Sponsored By AWS Marketplace *************************
As organizations deploy larger AWS Cloud environments with numerous and varied interconnected services, the need for protection across all services and surfaces is critical. To keep up with this growth, security teams need to learn and use more advanced controls and develop more dynamic and continuous processes for evaluating security conditions. Join SANS and AWS Marketplace, as they discuss best practices for implementing a multi-layer defense strategy for security in the cloud . | July 16 @ 11:00 AM EDT
| http://www.sans.org/info/216895
****************************************************************************
CYBERSECURITY TRAINING UPDATE
Best Special Offers of the Year with OnDemand Cybersecurity Training
Get an 11" iPad Pro w/ Magic Keyboard, a Microsoft Surface Go 2 (256GB SSD), or Take $350 Off with your OnDemand registration through July 22.
- https://www.sans.org/ondemand/specials
SANS now offers THREE ways to complete a course:
OnDemand | Live Online | In-Person:
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
- https://www.sans.org/cyber-security-training-events/in-person/north-america
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
SANS Summer of Cyber | Jul 27-Aug 1 | Live Online
- https://www.sans.org/event/summer-of-cyber-jul-27
Instructor-Led Training | Aug 3-8 | Live Online
- https://www.sans.org/event/live-online-aug3-2020-mdt
SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online
- https://www.sans.org/event/reboot-nova-2020
SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
****************************************************************************
TOP OF THE NEWS
--Cyber Attacks Against Health Care Facilities Skyrocketing During COVID Pandemic
(July 12, 2019)
Attacks against hospitals and other healthcare providers have increased during the pandemic as more employees switched to working from home and medical facilities were cash-strapped and stretched thin because of COVID-19. IBM reported a 6,000 percent increase in spam attacks leveraging COVID-19 on information technology system between March and April; many of the targeted systems are at health care facilities.
Read more in:
USA Today: A game of 'cat and mouse': Hacking attacks on hospitals for patient data increase during coronavirus pandemic
--SAP Patches Critical Flaw - Severity 10 - Patch Now
(July 13 & 14, 2020)
SAP has released a fix for a critical vulnerability in the SAP NetWeaver Application Server Java component LM Configuration Wizard. The flaw could be remotely exploited to create user accounts with maximum privileges on vulnerable systems.
[Editor Comments]
[Neely] The vulnerability has been given a severity rating of 10. Apply the available mitigations, and verify the security configuration of your SAP instance, including applying patches to the OS and other layered products, while the patches are regression tested in your non-production environment.
[Pescatore] In the best of times, business apps usually have longer "time-to-patch" because of shorter change windows and enhanced QA testing requirements. Supporting work from home with IT operations teams that have to work remotely, as well, seems to have degraded the time to patch IT servers in general. At a minimum, the recommended workaround (disabling the LM Configuration Wizard) should be prioritized.
Read more in:
ZDNet: RECON bug lets hackers create admin accounts on SAP servers
https://www.zdnet.com/article/recon-bug-lets-hackers-create-admin-accounts-on-sap-servers/
Bleeping Computer: Critical SAP Recon flaw exposes thousands of systems to attacks
S-CERT: Critical Vulnerability in SAP NetWeaver AS Java
https://us-cert.cisa.gov/ncas/alerts/aa20-195a
--Zoom Releases Fix for RCE Flaw Affecting Older Versions of Windows
(July 11 & 13, 2020)
Zoom has released an update to address a remote code execution vulnerability that affects the Zoom client running on Windows 7 and on older versions of Windows. Zoom released version 5.1.3 of the Zoom client on July 10. Zoom released additional updates on Sunday, July 12 to address "minor bug fixes" and implement "new and enhanced features" for phone and web users.
[Editor Comments]
[Neely] Update your Zoom clients now. Even with this fix, these older unsupported operating systems should not be used for Internet activities.
Read more in:
Bleeping Computer: Zoom fixes zero-day RCE bug affecting Windows 7, more updates soon
Infosecurity Magazine: Zoom Patches Legacy Windows Zero-Day Bug
https://www.infosecurity-magazine.com/news/zoom-patches-legacy-windows/
Zoom: New updates for Windows
https://support.zoom.us/hc/en-us/articles/201361953
Zoom: New updates for July 12, 2020 for Web and Phones
https://support.zoom.us/hc/en-us/articles/360045630812-New-updates-for-July-12-2020
******************************* SPONSORED LINKS ********************************
1) Splunk Security Predictions 2020. Download Splunk's IT Security Predictions 2020 to learn how to best protect your organization, and your data, against a fast-approaching future.
| http://www.sans.org/info/216990
2) July 16 @ 3:30 PM EDT | Join SANS Senior Instructor, Chris Crowley as he presents "Force Multiplier: How we use SOAR to maximize our own SOC analyst efficiency while minimizing fatigue and burnout".
| http://www.sans.org/info/216995
3) Webcast | Join SANS Senior Instructor, Dave Shackleford and Guillaume Ross for this informative webcast as they discuss "Securing the Remote Workforce without VPNs: Uptycs and JA3" | Thursday, July 16, 2020 at 1:00 PM EDT | http://www.sans.org/info/217000
*********************************************************************************
THE REST OF THE WEEK'S NEWS
--Amazon Walks Back its TikTok Ban; Wells Fargo Imposes One
(July 10 & 11, 2020)
Amazon said that an email sent to employees last week banning them from using TikTok on mobile devices that connect to corporate email "was sent in error." The message told the employees to remove the app from those devices or risk losing access to work email on those devices. TikTok has come under scrutiny by US legislators and administration officials because it is owned by a Chinese company and some are concerned that the app could be used to spy on people. Late last year, the US Department of Defense told personnel to delete TikTok from government-issued phones. Wells Fargo has also told its employees to delete the app from company-owned devices.
[Editor Comments]
[Neely] A risk assessment of using TikTok on corporate devices is appropriate. If you decide the risk is unacceptable, use your MDM to remove and monitor for installation after users are notified. Consider sharing the risk assessment with users to build support and understanding.
[Honan] Researchers have identified other apps that access data copied into the clipboard similar to TikTok and have similar privacy and security concerns. This is why having a robust Mobile Device Management (MDM) solution that sandboxes or containerizes corporate apps and data from other apps on the device is so important.
Read more in:
The Register: An email banning our staff from using TikTok? Haha, funny story about that, we didn't mean it - Amazon
https://www.theregister.com/2020/07/11/amazon_tiktok_use/
Wired: Amazon Says It Didn't Mean to Ban Employees From Using TikTok
https://www.wired.com/story/amazon-bans-tiktok-employees-phones/
Ars Technica: Amazon bans TikTok on employee phones, then calls it a mistake [Updated]
NYT: Amazon Backtracks From Demand That Employees Delete TikTok
https://www.nytimes.com/2020/07/10/technology/tiktok-amazon-security-risk.html
Gov Infosecurity: Wells Fargo Bans TikTok App on Company Devices
https://www.govinfosecurity.com/wells-fargo-bans-tiktok-app-on-company-devices-a-14606
--Conti Ransomware Can Encrypt Files Very Quickly
(July 8, 9, & 10, 2020)
Researchers from Carbon Black have detected Conti, a new strain of ransomware that appears to share some code with Ryuk. Conti is a human operated ransomware, meaning that its operators control it rather than allowing it to execute automatically. One of Conti's notable features is that it uses 32 simultaneous CPU threads to encrypt data.
Read more in:
Carbon Black: TAU Threat Discovery: Conti Ransomware
https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/
Bleeping Computer: Conti ransomware shows signs of being Ryuk's successor
ZDNet: Conti ransomware uses 32 simultaneous CPU threads for blazing-fast encryption
SC Magazine: Conti ransomware encrypts files quicker, targets SMB network shares
--Secret Service Cyber Fraud Task Force
(July 9, 10, & 13, 2020)
The US Secret Service has merged two existing units to create the Cyber Fraud Task Force. In a July 9 press release, the Secret Service said, "In today's environment, no longer can investigators effectively pursue a financial or cybercrime investigation without understanding both the financial and internet sectors, as well as the technologies and institutions that power each industry," prompting the decision to unify the Electronic Crimes Task Forces (ECTFs) and Financial Crimes Task Forces (FCTFs).
Read more in:
Secret Service: Secret Service Announces the Creation of the Cyber Fraud Task Force (PDF)
Threatpost: Secret Service Creates Cyber Fraud Task Forces
https://threatpost.com/secret-service-cyber-fraud-task-forces/157384/
Bleeping Computer: US Secret Service creates new Cyber Fraud Task Force
https://www.bleepingcomputer.com/news/security/us-secret-service-creates-new-cyber-fraud-task-force/
Cyberscoop: Secret Service merging electronic and financial crime task forces to combat cybercrime
https://www.cyberscoop.com/secret-service-reorganization-task-force-cybercrime-financial-crime/
--Mozilla Will Reduce TLS Certificates' Lifespan to 398 Days
(July 9 & 10, 2020)
Mozilla has announced its intent to reduce the lifespan of TLS certificates it deems valid from 825 days (about 27.5 months) to 398 days (just over 13 months). As of September 1, 2020, Mozilla will consider new TLS certificates with expiration dates further out than 398 days as invalid. Earlier this year, Apple announced it will require certificates issued after September 1, 2020 to have lifespans of 398 days or less. Mozilla and Apple plan to make this change regardless of any decision reached by the CA/B Forum.
[Editor Comments]
[Ullrich] This move was first proposed by Apple. Now all major browsers are following and all certificates issued after September 1st are affected. Your existing certificates will be fine for now. The real effect of this is that you will have to automate certificate renewal and deployment. The "ACME" protocol used by Letsencrypt is a good candidate, and Letsencrypt is a good solution for publicly used certificates. For internal certificates, consider setting up your own internal "ACME" support for your internal certificate authority.
[Neely] Certificates issued before September 1st will still work with the longer lifetime. The challenges here are both implementing new processes to update certificates more frequently as well as making sure you're being issued certificates with a shortened lifetime. If your issuer and platform doesn't support an automated update, you'll want to include annual updates in your service management system.
[Murray] Keep in mind that "certificates" are information, meta-data, about the keys. It is the security of the keys, not the certificates, that is important.
Read more in:
Mozilla: Reducing TLS Certificate Lifespans to 398 Days
https://blog.mozilla.org/security/2020/07/09/reducing-tls-certificate-lifespans-to-398-days/
GitHub: SC31 - Browser Alignment #195
https://github.com/cabforum/documents/pull/195
Bleeping Computer: Mozilla reduces TLS certificate lifespan to 1 year in September
Duo: Mozilla to Cut TLS Certificate Lifespan Nearly in Half
https://duo.com/decipher/mozilla-to-cut-tls-certificate-lifespan-nearly-in-half
--Amnesty International Loses Bid to Revoke NSO Export License
(July 13, 2020)
An Israeli court has denied Amnesty International's petition to revoke the export license of NSO Group, which sells surveillance software. Amnesty International filed the lawsuit in 2019, alleging that NSO group's Pegasus software had been used against an Amnesty International employee.
Read more in:
Vice: Israeli Court Rules NSO Group Can Continue Exporting Spyware
Cyberscoop: Israeli court rejects request to revoke NSO Group's export license
https://www.cyberscoop.com/nso-group-amnesty-international-israel-export/
Reuters: Israeli court dismisses Amnesty's petition against spyware firm NSO
--Nikulin Found Guilty of Breaking Into LinkedIn, DropBox, and Formspring
(July 10 & 13, 2020)
A federal jury in California has found Russian citizen Yevgeniy Nikulin guilty of breaking into computers that belonged to social networking companies, installing malware on those computers, stealing employees' access credentials, and selling that information. Nikulin was arrested in the Czech Republic in 2016 and held there for over a year before being extradited to the US. Sentencing is scheduled for September 29, 2020.
Read more in:
Justice: Russian Man Found Guilty Of Hacking Into Three Bay Area Tech Companies
https://www.justice.gov/usao-ndca/pr/russian-man-found-guilty-hacking-three-bay-area-tech-companies
Cyberscoop: Russian hacker Yevgeniy Nikulin found guilty on most serious charges after years of legal wrangling
https://www.cyberscoop.com/yevgeniy-nikulin-verdict-linkedin-hack/
Infosecurity Magazine: Russian Hacker Finally Found Guilty of 2012 LinkedIn Breach
https://www.infosecurity-magazine.com/news/hacker-breached-linkedin-2012/
--US Dept. of Energy Report: DOE's Office of Science Lacks Sufficient Peripheral Device Security
(July 13, 2020)
A report from the US Department of Energy Office of Inspector General warns that DOE's Office of Science does not have adequate security for peripheral devices. The IG reviewed four DoE field sites. Among the reasons given site officials for the lack of security are that DoE's security standards are "technically not feasible or extremely difficult to implement," and that they are expensive to implement and hinder collaboration.
[Editor Comments]
[Neely] The most effective method of conveying new security measures is tying them to real threats and mission impact as well as understanding the culture of the intended audience. DoE's Science labs are focused on external collaboration and publishing scientific discoveries, often strongly aligned with colleges and universities and as such perceive a different risk with these peripherals.
[Murray] Convenience trumps security. These so-called "peripherals" often include von Neumann architecture computers with all the capabilities and vulnerabilities that that implies.
Read more in:
MeriTalk: DoE's Science Offices Lack Peripheral Device Security, IG Warns
https://www.meritalk.com/articles/does-science-offices-lack-peripheral-device-security-ig-warns/
Cyberscoop: Energy Department watchdog finds research labs fail to secure 'peripheral' devices like USBs
Energy: Evaluation Report | Security over Information Technology Peripheral Devices at Select Office of Science Locations (PDF)
https://www.energy.gov/sites/prod/files/2020/07/f76/DOE-OIG-20-47.pdf
--Belgian Bank Closes Down Older ATMs After Jackpotting Attacks
(July 13, 2020)
Two Argenta ATMs in Belgium were hit with jackpotting attacks over the weekend. These were older machines that were scheduled to be replaced. ATMs belonging to the same bank were hit with jackpotting attacks in late June as well. Argenta's Christine Vermylen told The Brussels Times, "We have decided to shut down the 143 devices of this type now, pending the installation of new devices later this year. We are looking into whether that operation can be speeded up."
[Editor Comments]
[Neely] Physical protection is a key factor in ATM security here. Logical access, which is necessary for a Jackpotting attack, is most often gained via the USB port. As such, in-wall units are much harder to compromise than the free standing devices in convenience stores and malls. While newer ATMs have implemented additional security to resist this sort of attack, older units often have no upgrade option and must be replaced. The tricky part is balancing the risk of compromise with the budgeted lifecycle replacement date as well having units delivered on schedule.
[Pescatore] Jackpotting kicked up in 2018, generally requiring physical access inside ATM machines. ATM machines that are easy for criminals to enter seem like immediate candidates for disconnecting or replacing in any event. It is kinda like if the bank vault had screen windows. There is always the financial equation of hanging on to vulnerable technology long enough to write off the full depreciation. Target learned in 2013 that doing so without some form of mitigation or enhanced monitoring will end up with incident costs that swamp the depreciation write off.
Read more in:
Brussels Times: Argenta shuts down 143 cash machines after new cyber-attack
Infosecurity Magazine: Belgium Suffers First Jackpotting Attack
https://www.infosecurity-magazine.com/news/belgium-suffers-first-jackpotting/
--Ukrainian Police Arrest Alleged Government Database Hacker
(July 13, 2020)
Police in Ukraine have arrested an individual who is suspected of breaking into government databases, stealing information, and then selling it. The suspect allegedly accessed 50 Ukrainian government databases by "hacking passwords to e-mail accounts, messengers, [and] social media accounts" of government employees.
[Editor Comments]
[Honan] Given the prolific reuse of passwords across personal and corporate websites and systems, implementing multi-factor authentication for corporate systems is fast becoming a basic necessity.
Read more in:
Portswigger: Ukraine arrests government database hack suspect
https://portswigger.net/daily-swig/ukraine-arrests-government-database-hack-suspect
--EFF Files Amicus Brief in Supreme Court Case Involving CFAA
(July 8, 2020)
The Electronic Frontier Foundation (EFF) has filed an amicus brief on behalf of cybersecurity researchers and companies urging the US Supreme Court to narrow the scope of the Computer Fraud and Abuse Act (CFAA). Specifically, the EFF urges the Supreme Court to decide that accessing computers in ways that violate terms of service does not violate the CFAA. The brief was filed in reference to Nathan Van Buren v. United States.
[Editor Comments]
[Murray] The CFAA is the poster child for well-intended legislation that has outlived its effectiveness. It was drafted in an era when computers were scarce and most access was by employees. It is overdue for revision. That said, "research" must not be permitted to become a cover for rogue hacking. If it is not supervised, or at least collaborative, it is not research.
Read more in:
EFF: EFF To Supreme Court: Violating Terms of Service Isn't a Crime Under the CFAA
SC Magazine: Security researchers face harm if CFAA upheld, EFF tells SCOTUS
EFF: Van Buren - EFF Security Researchers Amicus Brief
https://www.eff.org/document/van-buren-eff-security-researchers-amicus-brief
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Excel Spreadsheet Macro Kicks Off Formbook Infection
https://isc.sans.edu/forums/diary/Excel+spreasheet+macro+kicks+off+Formbook+infection/26332/
Purged VBA Code
https://isc.sans.edu/forums/diary/Maldoc+VBA+Purging+Example/26342/
Password protected VBA Code
https://isc.sans.edu/forums/diary/VBA+Project+Passwords/26346/
DigiCert Replaces 50,000 EV Certificates
https://knowledge.digicert.com/alerts/DigiCert-ICA-Replacement
Zoom Update Fixing Zoom on Windows 7 Vulnerability
https://support.zoom.us/hc/en-us/articles/360046081271-New-updates-for-July-10-2020
Microsoft Warns of OAUTH consent Phishing
MacOS mount_apfs TCC Bypass
https://theevilbit.github.io/posts/cve_2020_9771/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create