

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #57

July 21, 2020

NB:  Brampton, Ontario First "Cyber Talent" City; Ransomware Hits Maryland Health and Argentine ISP; WordPress XSS Flaw


****************************************************************************

SANS NewsBites                July 21, 2020                Vol. 22, Num. 057

****************************************************************************


TOP OF THE NEWS


  Brampton, Ontario Becomes The First "Cyber Talent" City

  Netwalker Ransomware Hits Maryland Health Services Organization

  Sodinokibi Ransomware Operators Demand $7.5M from Argentinian ISP

  WordPress All in One SEO Plugin Updated to Fix XSS Flaw



REST OF THE NEWS


  More Twitter Hack Details

  Emotet Botnet is Back

  Many F5 BIG-IP Network Devices Still Not Patched

  Magento Introducing Two-Factor Authentication Across its Platform

  UK's COVID-19 Test and Trace Program Did Not Complete Required Privacy Assessment Prior to Launch

  Cloudflare DNS Failure Caused Problems Last Week

  Cyberattacks Targeted Two Israeli Water Management Facilities in June

  Hacking Suspect Extradited to US from Cyprus

  Microsoft Sets TLS Deprecation Date for Office 365


INTERNET STORM CENTER TECH CORNER


************************  Sponsored By Splunk  ********************************


Graphic Novel: Through the Looking Glass Table, Issue 2. Check out the second episode of our graphic novel, Cloudy With a Chance of Tapped Data to discover how machine data, as well as an analytics-driven security platform, log management, SIEM, UEBA and SOAR solutions, can get anyone -- ranging from IT managers to the most sophisticated SOC analysts -- ahead of the game, so they can better understand and respond to incidents, breaches, phishing attempts, insider threats, unwanted cryptomining and more.

| http://www.sans.org/info/217070


******************************************************************************

CYBERSECURITY TRAINING UPDATE


Best Special Offers of the Year with OnDemand Cybersecurity Training


Get an 11" iPad Pro w/ Magic Keyboard, a Microsoft Surface Go 2 (256GB SSD), or Take $350 Off with your OnDemand registration through July 22.


- https://www.sans.org/ondemand/specials




SANS now offers THREE ways to complete a course:




OnDemand | Live Online | In-Person:


- https://www.sans.org/ondemand/


- https://www.sans.org/live-online


- https://www.sans.org/cyber-security-training-events/in-person/north-america




Keep your skills sharp with SANS Online Training:


- The world's top cybersecurity courses

- Taught by real world practitioners

- Ideal preparation for more than 30 GIAC Certifications




Top OnDemand Courses


SEC401: Security Essentials Bootcamp Style


- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling


- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling


SEC560: Network Penetration Testing and Ethical Hacking


- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking


______________________




Upcoming In-Person and Live Online Events:




Instructor-Led Training | Aug 3-8 | Live Online


- https://www.sans.org/event/live-online-aug3-2020-mdt


    

SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online


- https://www.sans.org/event/reboot-nova-2020




SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online


- https://www.sans.org/event/baltimore-fall-2020




SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online


- https://www.sans.org/event/network-security-2020


______________________




Test drive a course: https://www.sans.org/course-preview




View the full SANS course catalog and skills roadmap.


- https://www.sans.org/cyber-security-courses


- https://www.sans.org/cyber-security-skills-roadmap




******************************************************************************

TOP OF THE NEWS   

 

--Brampton, Ontario Becomes The First "Cyber Talent" City

(July 20, 2020)

Five hundred Brampton, Ontario, students are getting a head start on preparing for computer science and cybersecurity careers during COVID-19 through the Catalyst Cyber Camp, a public-private partnership of Rogers Communications, the City of Brampton, Ryerson, and Cybersecure Catalyst. This first-of-its-kind camp provides free, online programming to youth ages 13-18 in Brampton, Ontario, through the city and its community partners. Campers engage in up to 400 hours of cutting-edge games, activities, and puzzles of increasing complexity while learning how to solve security challenges, write computer programs, and find flaws in web sites. The students compete to collect points along the way and win prizes. Top performers will be recognized by city and business leaders for their success in the camp and learning new skills.


Read more in:

Rogers: Rogers Cybersecure Catalyst launches free virtual cyber security camp for Brampton youth this summer

https://about.rogers.com/news-ideas/rogers-cybersecure-catalyst-launches-free-virtual-cyber-security-camp-for-brampton-youth-this-summer/

Mobilesyrup: Rogers Cybersecure Catalyst launches cybersecurity camp in Brampton, Ontario

https://mobilesyrup.com/2020/07/20/rogers-cybersecure-catalyst-cybersecurity-camp-brampton/

Newswire: Rogers Cybersecure Catalyst launches Catalyst Cyber Camp for 500 youth in Brampton, Ontario

https://www.newswire.ca/news-releases/rogers-cybersecure-catalyst-launches-catalyst-cyber-camp-for-500-youth-in-brampton-ontario-822253916.html


 

--Netwalker Ransomware Hits Maryland Health Services Organization

(July 20, 2020)

Computer systems at Lorien Health Services, an eldercare and nursing services organization in Maryland, were hit with Netwalker ransomware in June. The attackers stole data before encrypting it. Lorien did not pay the ransom, and the malware's operators began posting the stolen data online. The compromised information includes names, Social Security numbers, and medical diagnoses and treatments. The incident affects close to 50,000 people.


Read more in:

Bleeping Computer: Lorien Health Services discloses ransomware attack affecting nearly 50,000

https://www.bleepingcomputer.com/news/security/lorien-health-services-discloses-ransomware-attack-affecting-nearly-50-000/

Lorien Health: Security Incident

https://www.lorienhealth.com/contact/security-incident


 

--Sodinokibi Ransomware Operators Demand $7.5M from Argentinian ISP

(July 20, 2020)

Internet service provider Telecom Argentina's internal network was hit with Sodinokibi (REvil) ransomware on Saturday, July 18. The operators are demanding a payment of $7.5 million. The ransomware affected more than 18,000 workstations. The attack did not affect Internet connectivity, telephony, or cable, but some company websites have been unavailable since Saturday. Telecom Argentina has not issued a statement; employees have been sharing information about the incident on social media.


Read more in:

ZDNet: Ransomware gang demands $7.5 million from Argentinian ISP

https://www.zdnet.com/article/ransomware-gang-demands-7-5-million-from-argentinian-isp/


 

--WordPress All in One SEO Plugin Updated to Fix XSS Flaw

(July 16 & 17, 2020)

A cross-site scripting vulnerability in the All in One SEO Pack WordPress plugin could be exploited to hijack websites. The plugin has more than two million installations. The developers fixed the problem in All in One SEO Pack version 3.6.2.


[Editor Comments]


[Neely] If you are relying on a WordPress application firewall, make sure it has the signature for exploiting this weakness. Don't forget to update the plugin. The core issue was a lack of input sanitization which permitted injection of HTML.


[Murray] Web (and other) developers are responsible not only for the quality of all code that they write, but also for the quality of all code that they incorporate from other sources. This has proven to be particularly problematic for web site developers who use "WordPress plug-ins."


Read more in:

Wordfence: 2 Million Users Affected by Vulnerability in All in One SEO Pack

https://www.wordfence.com/blog/2020/07/2-million-users-affected-by-vulnerability-in-all-in-one-seo-pack/

The Register: Ew, that's unsanitary: SEO plugin for WordPress would run arbitrary JavaScript inputs instead of scrubbing them

https://www.theregister.com/2020/07/17/all_in_one_seo_pack_javascript_sanitisation_vuln/
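Neely's note that the root cause was missing input sanitization points at the general fix. The following Python is an added illustration, not code from the All in One SEO Pack plugin or from Wordfence: it assumes the plugin-style pattern of writing an editor-supplied title and meta description into <title> and <meta content="..."> tags (the field names and payloads are constructed for illustration), renders the same payloads through an unescaped and an escaped path, and uses the standard-library HTML parser to show which elements a browser would actually create from each.

```python
"""Stored XSS: unescaped vs. context-escaped rendering of SEO fields.

Added example, not code from the All in One SEO Pack plugin or from Wordfence.
It assumes a plugin-style pattern of writing an editor-supplied page title and
meta description into <title> and <meta content="..."> tags; the payloads below
are constructed for illustration.
"""
import html
from html.parser import HTMLParser


def render_unsafe(title: str, description: str) -> str:
    """Vulnerable: the stored field values are concatenated straight into markup."""
    return (f"<title>{title}</title>\n"
            f'<meta name="description" content="{description}">')


def render_safe(title: str, description: str) -> str:
    """Hardened: escape for the HTML output context at render time.

    quote=True also turns " and ' into entities, which matters inside the
    attribute value; escaping only < and > would still let a payload break out
    of content="...".
    """
    return (f"<title>{html.escape(title, quote=True)}</title>\n"
            f'<meta name="description" content="{html.escape(description, quote=True)}">')


class _TagCollector(HTMLParser):
    """Record every element a tokenizer would create from the markup."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def rendered_tags(markup: str) -> list:
    """Element names, in order, that the markup produces when parsed as HTML."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def injects_script(markup: str) -> bool:
    """True if the markup yields a real <script> element (escaped text does not)."""
    return "script" in rendered_tags(markup)


# Constructed payloads: one closes the <title> element, one breaks out of the
# content="..." attribute before injecting a script element.
TITLE_PAYLOAD = 'Home</title><script>alert(document.domain)</script>'
DESC_PAYLOAD = 'Shop"><script>alert(document.domain)</script><meta x="'

if __name__ == "__main__":
    for name, render in (("unsafe", render_unsafe), ("safe", render_safe)):
        out = render(TITLE_PAYLOAD, DESC_PAYLOAD)
        print(f"{name:6} tags={rendered_tags(out)} script injected={injects_script(out)}")
```

The check is on parsed elements rather than on a signature, which is also why a WAF rule for a known payload string is a stopgap while the plugin update is the fix: the escaped output contains the literal text "<script>" as entities, but no parser turns it into an element.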


*****************************  SPONSORED LINKS  ******************************


1) Webcast | July 29 @ 10:30 AM EDT | We are only 8 days away from our informative webcast hosted by SANS Instructor Matt Bromiley as he presents "Browser Isolation: A SANS Review of Cyberinc's Isla".

| http://www.sans.org/info/217075


2) Free Virtual Forum | August 28 @ 10:30 AM EDT | Join SANS instructor Ismael Valenzuela, co-author of Security 530: Defensible Security Architecture and Engineering, as he chairs a one-day solutions forum featuring security professionals who will share their experience and provide specific advice on how to implement Zero Trust strategies. Attendees are eligible for 4 CPE credits.

| http://www.sans.org/info/217080


3) Free Workshop | July 23 @ 10:00 AM EDT | We are less than 48 hours away from the start of "XSOAR HANDS-ON WORKSHOP: Take Your SOC To The Next Level!". If you have advanced security IR skills and Python knowledge, or are familiar with basic security incident handling and log sources, this workshop hosted by Palo Alto Networks is for you.

| http://www.sans.org/info/217095


******************************************************************************

THE REST OF THE WEEK'S NEWS  

 

--More Twitter Hack Details

(July 18, 2020)

Twitter has released more information about the hack that took over high-profile accounts for use in a cryptocurrency scam. After gaining access to Twitter's internal systems, the attackers used Twitter's support tools to target 130 accounts. They changed the passwords of 45 accounts and downloaded data from eight accounts.


[Editor Comments]


[Pescatore] This is a good news hook to launch one or more tabletop exercises in your organization: (1) For CXO/Board: How would we handle our corporate Twitter (or Instagram or Facebook etc.) account being compromised through site compromise or our own compromise; and (2) How could someone compromise our high privilege system administrators and how quickly would we know and deal with it?


[Neely] Multi-factor authentication, particularly for privileged users, is no longer optional. Historically, system administrators didn't embrace the same level of security as was required for end-users. With the current environment, including internet-facing services, this introduces an unacceptable level of risk. The culture change has to be led from the top.


Read more in:

Twitter: An update on our security incident

https://blog.twitter.com/en_us/topics/company/2020/an-update-on-our-security-incident.html

ZDNet: Twitter says hackers downloaded the data of eight users in Wednesday's hack

https://www.zdnet.com/article/twitter-says-hackers-downloaded-the-data-of-eight-users-in-wednesdays-hack/

Threatpost: Twitter Hack Update: What We Know (and What We Don't)

https://threatpost.com/the-great-twitter-hack-what-we-know-what-we-dont/157538/

 
 

--Emotet Botnet is Back

(July 17 & 18, 2020)

The Emotet botnet, which has been dormant since early February 2020, has re-emerged. On Friday, the botnet became active again, sending spam in an attempt to infect new users with the malware using malicious Word and Excel documents.


Read more in:

ZDNet: Emotet botnet returns after a five-month absence

https://www.zdnet.com/article/emotet-botnet-returns-after-a-five-month-absence/

Ars Technica: There's a reason your inbox has more malicious spam--Emotet is back

https://arstechnica.com/information-technology/2020/07/destructive-emotet-botnet-returns-with-250k-strong-blast-of-toxic-email/

Bleeping Computer: Emotet spam trojan surges back to life after 5 months of silence

https://www.bleepingcomputer.com/news/security/emotet-spam-trojan-surges-back-to-life-after-5-months-of-silence/

 
 

--Many F5 BIG-IP Network Devices Still Not Patched

(July 17, 2020)

Thousands of F5 BIG-IP network devices remain unpatched against a critical vulnerability that is being actively exploited. F5 released fixes late last month. In a July 3 tweet, US Cyber Command urged users to apply the fixes as soon as possible. Proof of concept exploits started appearing on July 5. Researchers say that as of July 15, there were roughly 8,000 installations that had not been updated.


[Editor Comments]


[Neely] While a certain amount of caution is appropriate with changes to application entry points, these vulnerabilities are significant enough to warrant fast-tracking the process, particularly with internet-facing services.


[Pescatore] Lack of critical patches on perimeter infrastructure software and appliances has been a steady drip, drip, drip of high risk over the past few months. Risk-based vulnerability prioritization should be pushing these to the top of the IT/networks op work queue.


Read more in:

Threatpost: Thousands of Vulnerable F5 BIG-IP Users Still Open to Takeover

https://threatpost.com/thousands-f5-big-ip-users-takeover/157543/

 
 

--Magento Introducing Two-Factor Authentication Across its Platform

(July 17, 2020)

The Magento ecommerce platform has begun offering two-factor authentication. Adobe says that it is "supporting (and in some cases requiring) two-factor authentication (2FA) across multiple areas of the Magento ecosystem:" Magento.com accounts, Cloud Admin, and Magento Admin. 2FA is now an option for Magento.com accounts and will be an option for Cloud Admin with the release of Magento 2.4. In both instances, users must enable the feature as it will not be enabled by default. 2FA will be enabled by default in Magento Admin starting in version 2.4; it cannot be disabled.


[Editor Comments]


[Murray] One should not say "2FA" (two factor authentication) when one means "strong authentication," defined as "at least two forms of evidence, at least one of which is resistant to replay."


Read more in:

Bleeping Computer: Magento adds 2FA to protect against card skimming attacks

https://www.bleepingcomputer.com/news/security/magento-adds-2fa-to-protect-against-card-skimming-attacks/

Magento: Implementing Two-Factor Authentication Throughout Magento

https://magento.com/blog/magento-news/implementing-two-factor-authentication-magento

 
 

--UK's COVID-19 Test and Trace Program Did Not Complete Required Privacy Assessment Prior to Launch

(July 20, 2020)

The UK's Department of Health has admitted that it launched its COVID-19 test and trace effort without conducting a Data Protection Impact Assessment (DPIA) as required by the General Data Protection Regulation (GDPR). The Open Rights Group, a digital rights organization, says that the acknowledgment means the program "has been operating unlawfully since its launch on 28th May 2020." The organization that runs the test and trace program says it is working to complete the DPIA.


[Editor Comments]


[Neely] Rushing out the system and doing the paperwork later doesn't work without documented support from those who authorize and regulate your system. Even when you pick this path, you're going to need a minimum level of security and risk mitigation coupled with a clear, documented plan with milestones and delivery dates or you'll run afoul of the consequences relating to non-compliance.


Read more in:

BBC: Coronavirus: England's test and trace programme 'breaks GDPR data law'

https://www.bbc.com/news/technology-53466471

The Register: UK.gov admits it has not performed legally required data protection checks for COVID-19 tracing system

https://www.theregister.com/2020/07/20/uk_test_trace_data_protection/

Infosecurity Magazine: UK Government Fails to Meet GDPR Requirement in Test and Trace Program

https://www.infosecurity-magazine.com/news/government-gdpr-requirement-test/

SC Magazine: U.K. Covid-19 Test and Trace violated GDPR

https://www.scmagazine.com/home/security-news/privacy-compliance/u-k-covid-19-test-and-trace-violated-gdpr/

 
 

--Cloudflare DNS Failure Caused Problems Last Week

(July 17 & 20, 2020)

Cloudflare says that a network outage on Friday, July 17 was caused by an error in a router configuration update. When the problematic update was applied, "a router on [Cloudflare's] global backbone announced bad routes and caused some portions of the network to not be available." The outage lasted less than half an hour and affected only certain geographic areas.


[Editor Comments]


[Ullrich] This is an internet "choke point" that is easily overlooked. Cloudflare handles a large percentage of DNS traffic internet-wide, and also acts as the end point for many HTTP connections. Between the three large cloud providers, and a few load balancing/filtering services, the Internet of today is a lot more concentrated and vulnerable than it should be. A next, worse, outage could be caused by cross-dependencies between these remaining hosting providers.


[Neely] From the school of good intentions, the change made was intended to alleviate congestion which routed all their traffic to Atlanta effectively DOSing the router. Cloudflare has changed its BGP preferences and prefix limits to prevent recurrence. Even so, having a second set of eyes to review a change like this can help locate errors before they go live.


Read more in:

Cloudflare: Cloudflare outage on July 17, 2020

https://blog.cloudflare.com/cloudflare-outage-on-july-17-2020/

ZDNet: Why the internet went haywire last week

https://www.zdnet.com/article/why-the-internet-went-haywire-last-week/

Tech Crunch: Cloudflare DNS goes down, taking a large piece of the internet with it

https://techcrunch.com/2020/07/17/cloudflare-dns-goes-down-taking-a-large-piece-of-the-internet-with-it/

 
 

--Cyberattacks Targeted Two Israeli Water Management Facilities in June

(July 20, 2020)

Israel's Water Authority said that two more of its water management facilities were targeted by cyberattacks in June. Another attack targeting Israeli water treatment systems was reported in April. The Israel National Cyber Directorate has issued an alert urging water treatment facilities to change passwords for Internet-connected equipment and recommending that they take systems offline if they cannot change passwords.


[Editor Comments]


[Murray] Strong authentication, not "passwords," is essential for infrastructure controls that are connected to the public networks.  


Read more in:

ZDNet: Two more cyber-attacks hit Israel's water system

https://www.zdnet.com/article/two-more-cyber-attacks-hit-israels-water-system/

 
 

--Hacking Suspect Extradited to US from Cyprus

(July 18, 19, & 20, 2020)

A 21-year-old individual from Cyprus has been extradited to the US to face charges of conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud and identity theft, and extortion related to a protected computer. Joshua Polloso Epifaniou allegedly hacked into websites, stole data, and threatened to leak the data if he did not receive payment. His arraignment was scheduled for Monday, July 20, 2020.


Read more in:

Cyberscoop: Accused Cypriot scammer threatened to publish stolen data if victims didn't pay huge extortion fees

https://www.cyberscoop.com/joshua-epifaniou-scam-hacker-ransomware/

ZDNet: Hacker behind Ripoff Report extortion attempt extradited to the US

https://www.zdnet.com/article/hacker-behind-ripoff-report-extortion-attempt-extradited-to-the-us/

Justice: Two Alleged Criminals - A Hezbollah Associated Narco-Money Launderer and a Computer Hacker - Extradited from Cyprus to the United States

https://www.justice.gov/opa/pr/two-alleged-criminals-hezbollah-associated-narco-money-launderer-and-computer-hacker

 
 

--Microsoft Sets TLS Deprecation Date for Office 365

(July 15 & 20, 2020)

Microsoft will no longer support Transport Layer Security (TLS) 1.0 and 1.1 in Office 365 after October 15, 2020. Microsoft initially intended to make the change sooner but pushed back the cutoff date due to COVID-19.


[Editor Comments]


[Neely] This change was initially scheduled for June. With the current work environment, it likely fell off your IT radar. Pay attention to legacy operating systems and browsers that don't support TLS 1.2. If they can't support TLS 1.2, using them to access Internet sites, including O365, may be inappropriate. If these systems are being used to augment work-from-home capabilities, start planning for upgrades now before their access is cut off.


Read more in:

Bleeping Computer: Microsoft will disable insecure TLS in Office 365 on Oct 15

https://www.bleepingcomputer.com/news/microsoft/microsoft-will-disable-insecure-tls-in-office-365-on-oct-15/

Microsoft: TLS 1.0 and 1.1 deprecation for Office 365

https://docs.microsoft.com/en-us/microsoft-365/compliance/tls-1.0-and-1.1-deprecation-for-office-365?view=o365-worldwide

Microsoft: Update to enable TLS 1.1 and TLS 1.2 as default secure protocols in WinHTTP in Windows

https://support.microsoft.com/en-gb/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-default-secure-protocols-in-wi
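Finding the legacy TLS 1.0/1.1 clients Neely warns about is easier from the wire than from an asset inventory: the first thing a client sends is a ClientHello that states the highest protocol version it will negotiate. The Python below is an added example for this item, not code from the newsletter or from Microsoft. It parses a raw TLS record carrying a ClientHello (as carved from a capture on a proxy, load balancer or mail relay) and reports the maximum offered version, reading the supported_versions extension for TLS 1.3-era clients and the legacy client_version field otherwise, while ignoring GREASE values. The sample records are constructed inline by a helper and the client labels are hypothetical, so it runs offline.

```python
"""Inventory TLS clients by the highest protocol version their ClientHello offers.

Added example for the Office 365 TLS 1.0/1.1 cutoff; not code from the newsletter
or from Microsoft. Feed it raw TLS records (the first bytes a client sends, e.g.
carved from a packet capture); here the records are constructed inline by
build_client_hello() so the script runs offline.
"""
import struct

TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
MINIMUM_ACCEPTABLE = 0x0303          # TLS 1.2: the floor Office 365 will enforce
EXT_SUPPORTED_VERSIONS = 0x002B      # RFC 8446, section 4.2.1


def _u16(buf, pos):
    if pos + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def _is_grease(v):
    # RFC 8701 GREASE values (0x0A0A, 0x1A1A, ...) are noise, not real versions.
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def max_offered_version(record):
    """Return the highest TLS version a ClientHello record offers, as a 16-bit int.

    TLS 1.3 clients list versions in the supported_versions extension and freeze
    the legacy client_version field at 0x0303; older clients have only the
    client_version field, which is their maximum.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = _u16(record, 3)
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")

    client_version = _u16(body, 0)
    pos = 2 + 32                                   # skip client_random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                           # session_id
    pos += 2 + _u16(body, pos)                     # cipher_suites
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return client_version                      # legacy hello: no extensions block

    end = pos + 2 + _u16(body, pos)
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == EXT_SUPPORTED_VERSIONS and data:
            listed = [_u16(data, i) for i in range(1, 1 + data[0], 2)]
            real = [v for v in listed if not _is_grease(v)]
            if real:
                return max(real)
    return client_version


def version_name(v):
    return TLS_VERSIONS.get(v, "unknown 0x%04x" % v)


def is_legacy_client(record):
    """True if the client cannot negotiate TLS 1.2 or newer and will lose access."""
    return max_offered_version(record) < MINIMUM_ACCEPTABLE


def build_client_hello(client_version, supported_versions=None):
    """Construct a minimal ClientHello inside a TLS record (test input only).

    Random, cipher suite and compression fields are placeholders the parser skips.
    Omitting supported_versions yields a pre-TLS-1.3 style hello with no
    extensions block, as legacy stacks send.
    """
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00"
    body += struct.pack("!H", 2) + b"\x00\x2f"        # one cipher suite
    body += b"\x01\x00"                                 # null compression only
    if supported_versions is not None:
        vlist = b"".join(struct.pack("!H", v) for v in supported_versions)
        ext = bytes([len(vlist)]) + vlist
        exts = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(ext)) + ext
        body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


# Constructed samples standing in for carved captures; the labels are hypothetical.
SAMPLE_CLIENTS = {
    "legacy-desktop": build_client_hello(0x0301),
    "updated-desktop": build_client_hello(0x0303),
    "modern-browser": build_client_hello(0x0303, [0x0A0A, 0x0304, 0x0303]),
}


def triage(clients):
    """Map each client label to (highest offered version name, needs_upgrade)."""
    return {label: (version_name(max_offered_version(rec)), is_legacy_client(rec))
            for label, rec in clients.items()}


if __name__ == "__main__":
    for label, (name, legacy) in triage(SAMPLE_CLIENTS).items():
        print(f"{label:16} max {name:8} {'UPGRADE BEFORE CUTOFF' if legacy else 'ok'}")
```

Run it against the first record of each inbound TLS session rather than the negotiated version: a server that still accepts TLS 1.0 masks which clients would fail once it stops, whereas the ClientHello shows what each client can do.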

 

******************************************************************************

INTERNET STORM CENTER TECH CORNER


#SigRed Update

https://isc.sans.edu/forums/diary/Hunting+for+SigRed+Exploitation/26362/


Cloudflare Outage

https://blog.cloudflare.com/cloudflare-outage-on-july-17-2020/


Exploitation of ZeroShell Routers

https://isc.sans.edu/forums/diary/Scanning+Activity+for+ZeroShell+Unauthenticated+Access/26368/


Zone.Identifier: A Couple of Observations

https://isc.sans.edu/forums/diary/ZoneIdentifier+A+Coupe+Of+Observations/26366/


Forgotten tcpdump Options

https://showmethepackets.com/index.php/2020/07/18/a-few-forgotten-tcpdump-options/


Zoom Phishing

https://blog.checkpoint.com/2020/07/16/fixing-the-zoom-vanity-clause-check-point-and-zoom-collaborate-to-fix-vanity-url-issue/


Sextortion Follow the Money Wrap-up

https://isc.sans.edu/forums/diary/Sextortion+Update+The+Final+Final+Chapter/26334/


"BadPower" USB-C Charger Firmware Weakness

https://www.forbes.com/sites/zakdoffman/2020/07/20/hackers-can-now-trick-usb-chargers-to-destroy-your-devicesthis-is-how-it-works/


Microsoft Office TLS 1.x Phaseout

https://docs.microsoft.com/en-us/microsoft-365/compliance/prepare-tls-1.2-in-office-365?view=o365-worldwide

 

******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create