SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #58
July 24, 2020
NSA Urges "Immediate Action" to OT and ICS; Chinese Citizens Indicted for Hacking; "Meow" Wiping Databases; Financial Services Company Charged for Data Leak
Google's Scholarships for Women in Cybersecurity (WiCyS)
Google is offering 100 WiCyS members seeking careers in cybersecurity an opportunity for a reliable pathway to launch and advance their careers through SANS Immersion Academies.
https://www.wicys.org/sans-security-training-scholarship
****************************************************************************
SANS NewsBites July 24, 2020 Vol. 22, Num. 058
****************************************************************************
TOP OF THE NEWS
CISA and NSA Urge "Immediate Action" to Secure Critical Infrastructure Operations Technology and Control Systems
Alleged Chinese Hackers Indicted on Multiple Charges for Stealing Intellectual Property
Mysterious "Meow" Attacks Wiping Databases
NY Financial Regulators Charge First American Financial in Connection with Data Leak
REST OF THE NEWS
NIST Enters Next Round of Review in Public Key Cryptographic Algorithm Selection
Additional Information Emerging About Twitter Hack
Adobe Releases Unscheduled Patches
Prometei Cryptominer Botnet
Diebold Nixdorf Warns ATM's Own Software Stack Used in Jackpotting Attacks
Garmin Mobile App Unavailable Due to Apparent Ransomware Attack
Blackbaud Ransomware Attack Affects Multiple Universities
GEDmatch Breach Resulted in Data Exposure
INTERNET STORM CENTER TECH CORNER
************************ Sponsored By SANS ********************************
Share your knowledge with your peers in the SANS Community! Take the SANS 2020 Risk Based Vulnerability Survey and be entered for a chance to win a $150 Amazon Gift Card.
| http://www.sans.org/info/217120
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
Best Special Offers of the Year are Available Now with OnDemand
Choose a MacBook Air, Surface Pro 7, or Take $350 Off through August 5.
- https://www.sans.org/ondemand/specials
SANS now offers THREE ways to complete a course:
OnDemand | Live Online | In-Person:
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
- https://www.sans.org/cyber-security-training-events/in-person/north-america
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
Instructor-Led Training | August 3-8 | Live Online
- https://www.sans.org/event/live-online-aug3-2020-mdt
SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online
- https://www.sans.org/event/reboot-nova-2020
SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online
- https://www.sans.org/event/baltimore-fall-2020
Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online
- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020
SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--CISA and NSA Urge "Immediate Action" to Secure Critical Infrastructure Operations Technology and Control Systems
(July 23, 2020)
The Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued a joint advisory warning that foreign hackers are targeting systems that support US critical infrastructure. The advisory urges critical infrastructure operators to secure their operational technology and control systems as soon as possible. The advisory lists several "recently observed tactics, techniques, and procedures," including spear phishing, ransomware, connecting to Internet-accessible PLCs that do not require authorization for initial access, and modifying control logic and parameters on PLCs.
[Editor Comments]
[Pescatore] This is a critical time to re-focus on phishing prevention. By 2019, over 80% of businesses had at least turned on DMARC services to fight spoofed emails but only around 20% have moved to active prevent policies. Disruption for those that have turned active prevent on has been minimal, security gain enormous. Also, do a user education revisit - especially about all the new messaging/conferencing/collaboration channels that are in use with work from home operations. Finally, try to get at least IT admins moved to two factor authentication and plant the flag to fight for wider adoption after that.
[Neely] I shuddered when I read "Internet accessible PLC". PLCs are not designed to be Internet accessible. Fundamentally separate OT from IT; further, separate experiment control systems from environmental health/safety systems. For example, keep the C&C machine separated from the oxygen safety monitor, neither of which should be directly accessible. Use a controlled interface, or air-gap. While remote access is desirable in the current work environment, controls must be maintained to prevent direct attack on these systems, including not providing some remote access. Additionally, have processes for verifying transfer of data and software to and from these systems to prevent introduction of malware.
[Murray] In addition to the recommendation that we made earlier in the week that strong authentication should be considered essential for infrastructure controls connected to the public networks, and in addition to implementing DMARC, strong consideration should be given to isolating e-mail and browsing from operational networks.
Read more in:
The Hill: Federal agencies warn foreign hackers are targeting critical infrastructure
Defense: NSA and CISA Recommend Immediate Actions to Reduce Exposure Across all Operational Technologies and Control Systems (PDF)
https://media.defense.gov/2020/Jul/23/2002462846/-1/-1/1/OT_ADVISORY-DUAL-OFFICIAL-20200722.PDF
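The distinction Pescatore draws between domains that have merely "turned on DMARC" and those running an active prevent policy is mechanical enough to check. The following is an added example (not part of this NewsBites issue or any SANS tool) that parses DMARC TXT records and classifies each as absent, monitor-only, partial or enforcing; the domain names and records are constructed samples and nothing is looked up in DNS.

```python
"""Classify DMARC records as absent, monitor-only, partial or enforcing.

Added example, not part of the SANS NewsBites issue or any SANS tool. The
editor comment above separates domains that merely "turned on DMARC"
(p=none, report-only) from those with an active prevention policy
(p=quarantine or p=reject). The domain names and records below are
constructed samples; nothing is looked up in DNS.
"""
from typing import Dict, Optional

# Constructed sample records keyed by hypothetical domain names.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:r@partial.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "weak-sub.example": "v=DMARC1; p=reject; sp=none",
    "spf-only.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
    "none.example": None,  # no _dmarc TXT record at all
}

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into lower-cased tag -> value pairs.

    Tags are separated by ';' and written tag=value (RFC 7489 section 6.4).
    Returns an empty dict when the record is not a DMARC1 record, so callers
    treat an SPF record or junk published at _dmarc.<domain> as 'absent'.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def classify(record: Optional[str]) -> str:
    """Return one of 'absent', 'monitor', 'partial' or 'enforcing'.

    - absent: no record, a non-DMARC1 record, or no required p= tag
    - monitor: p=none (reports only; spoofed mail is still delivered)
    - partial: p=quarantine/reject but pct below 100, or a subdomain policy
      of sp=none that leaves spoofing of subdomains unblocked
    - enforcing: p=quarantine/reject applied to 100% of mail, and the
      subdomain policy (sp, defaulting to p) is also quarantine/reject
    """
    if record is None:
        return "absent"
    tags = parse_dmarc(record)
    if not tags or "p" not in tags:
        return "absent"
    policy = tags["p"].lower()
    if policy not in ENFORCING:
        return "monitor"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # RFC default applies when the tag value is unparsable
    subdomain_policy = tags.get("sp", policy).lower()
    if pct < 100 or subdomain_policy not in ENFORCING:
        return "partial"
    return "enforcing"


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per classification (the kind of figure the comment cites)."""
    counts = {"absent": 0, "monitor": 0, "partial": 0, "enforcing": 0}
    for record in records.values():
        counts[classify(record)] += 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:20s} {classify(record)}")
    print(summarize(SAMPLE_RECORDS))
```

To run it against real domains, feed the TXT value published at `_dmarc.<domain>` into `classify()`; the parser treats a missing or non-DMARC record the same way.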
--Alleged Chinese Hackers Indicted on Multiple Charges for Stealing Intellectual Property
(July 7 & 21, 2020)
The US Department of Justice (DoJ) has unsealed a July 7, 2020 indictment charging two Chinese citizens in connection with a decade of hacking. Li Xiaoyu and Dong Jiazhi allegedly hacked into networks at numerous companies around the world and stole intellectual property and other sensitive data. The defendants allegedly hacked both for personal gain and on behalf of various Chinese government agencies. They also allegedly attempted to extort cryptocurrency by threatening to post stolen source code online. Li and Dong are facing charges of conspiracy to commit computer fraud; conspiracy to commit theft of trade secrets; conspiracy to commit wire fraud; unauthorized access of a computer; and aggravated identity theft.
[Editor Comments]
[Paller] Although there is little chance these people will see the inside of a jail - much less a courtroom, indictments like these limit travel flexibility, shine a bright light on the behavior, and thereby raise the cost of attacks.
Read more in:
Justice: Two Chinese Hackers Working with the Ministry of State Security Charged with Global Computer Intrusion Campaign Targeting Intellectual Property and Confidential Business Information, Including COVID-19 Research
Wired: Chinese Hackers Charged in Decade-Long Crime and Spying Spree
https://www.wired.com/story/chinese-hackers-charged-decade-long-crime-spying-spree/
Dark Reading: US Indicts 2 Chinese Nationals for Stealing IP & Business Secrets, Including COVID-19 Research
The Register: Bad: US govt says Chinese duo hacked, stole blueprints from just about everyone. Also bad: They extorted cash
https://www.theregister.com/2020/07/21/feds_charge_chinese_hackers/
Justice: Indictment (PDF)
https://www.justice.gov/opa/press-release/file/1295981/download
--Mysterious "Meow" Attacks Wiping Databases
(July 22 & 23, 2020)
A hacker has been wiping misconfigured databases for no apparent reason other than that they were accessible on the Internet. The attacker overwrites data with the word "Meow." At least 1,800 databases have been affected.
[Editor Comments]
[Neely] These attacks don't leave a message or ransom note, they just wipe. There seems to be an uptick in unsecure cloud resource discovery, at least partly due to moving applications and services to better support working from home, to include changing access controls which restricted access to the corporate network. Security scanning and review processes must include verification that your cloud storage has appropriate ACLs implemented. Consider scanning for access from outside your corporate network to locate exposed services. Lastly, verify you have verified backups that you know how to restore for those services.
[Ullrich] I guess in some ways, these attacks are doing us all a favor by taking unprotected, probably already leaked, data out of its misery?
[Murray] The default access control rule of "read/write" must be replaced with "read-only" and "execute-only," the rules that were written for large-scale "shared resource" computers. While computers are now so cheap that even children have their own, we share applications, networks, and data on a scale that could not even be imagined when those rules were first recommended.
Read more in:
Ars Technica: Ongoing Meow attack has nuked >1,000 databases without telling anyone why
Bleeping Computer: New 'Meow' attack has wiped over 1,800 unsecured databases
Infosecurity Magazine: Over 1500 Exposed Online Databases Wiped by "Meow" Attacker
https://www.infosecurity-magazine.com/news/1000-exposed-databases-wiped-meow/
--NY Financial Regulators Charge First American Financial in Connection with Data Leak
(July 21, 22, & 23, 2020)
The New York State Department of Financial Services (NYSDFS) has charged First American Financial Corp. with exposing millions of documents containing sensitive information between October 2014 and May 2019. The compromised data include driver's license, bank account, and Social Security numbers. This is the first cybersecurity enforcement action NYSDFS has taken.
[Editor Comments]
[Neely] Fully verify your access controls are working and comprehensive, particularly for internet facing applications. The problem is the application that provided access to customer data didn't require access control once a valid ImageDocumentID number was provided. Additionally, predictable ID numbers were used, and were indexed by search engines.
Read more in:
KrebsOnSecurity: NY Charges First American Financial for Massive Data Leak
https://krebsonsecurity.com/2020/07/ny-charges-first-american-financial-for-massive-data-leak/
The Register: Congrats, First American Title Insurance, you've made technology history. For all the wrong reasons
https://www.theregister.com/2020/07/23/american_title_insurance_ny/
Reuters: New York charges big title insurer First American over security gap
DFS.NY: Statement of Charges and Notice of Hearing (PDF)
https://www.dfs.ny.gov/system/files/documents/2020/07/ea20200721_first_american_notice_charges.pdf
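Neely's comment describes the classic shape of a missing object-level authorization check: a valid, predictable document ID was all the application required. The following is an added example (not code from this item or from First American Financial) that places that vulnerable lookup beside a hardened one which ties every fetch to the authenticated requester, issues unguessable IDs, and marks downloads as not indexable; class names, the in-memory store and the sample documents are hypothetical.

```python
"""Object-level authorization for customer document downloads.

Added example, not code from the SANS item or from First American Financial.
The editor comment above describes an application that returned a document to
anyone supplying a valid ImageDocumentID, with predictable IDs that search
engines indexed. Names, the in-memory store and sample documents are hypothetical.
"""
import secrets
from dataclasses import dataclass
from typing import Dict


@dataclass(frozen=True)
class Document:
    doc_id: str
    owner: str  # customer account the document belongs to
    body: str


class VulnerableDocumentService:
    """The 'before' behaviour: a valid ID is the only thing checked."""
    def __init__(self) -> None:
        self._docs: Dict[str, Document] = {}
        self._next_id = 1

    def store(self, owner: str, body: str) -> str:
        doc_id = str(self._next_id)  # sequential, so neighbouring IDs are guessable
        self._next_id += 1
        self._docs[doc_id] = Document(doc_id, owner, body)
        return doc_id

    def fetch(self, doc_id: str) -> str:
        # No check that the caller owns the document: any valid ID returns it.
        return self._docs[doc_id].body


class HardenedDocumentService:
    """Every fetch is authorized against the authenticated requester."""
    def __init__(self) -> None:
        self._docs: Dict[str, Document] = {}

    def store(self, owner: str, body: str) -> str:
        doc_id = secrets.token_urlsafe(16)  # 128 random bits; not enumerable
        self._docs[doc_id] = Document(doc_id, owner, body)
        return doc_id

    def fetch(self, doc_id: str, requester: str) -> str:
        doc = self._docs.get(doc_id)
        # One failure for 'unknown ID' and 'not yours', so the response
        # does not confirm which IDs exist.
        if doc is None or doc.owner != requester:
            raise PermissionError("document not found")
        return doc.body

    @staticmethod
    def response_headers() -> Dict[str, str]:
        """Download headers so crawlers and shared caches do not index or keep it."""
        return {"X-Robots-Tag": "noindex, nofollow",
                "Cache-Control": "private, no-store"}


def demo() -> Dict[str, bool]:
    """Exercise both services on constructed documents; returns outcomes."""
    vuln = VulnerableDocumentService()
    vuln.store("alice", "alice's closing statement")
    bob_seq_id = vuln.store("bob", "bob's bank details")

    hard = HardenedDocumentService()
    hard.store("alice", "alice's closing statement")
    bob_rand_id = hard.store("bob", "bob's bank details")
    try:
        hard.fetch(bob_rand_id, "alice")  # alice asks for bob's document
        blocked = False
    except PermissionError:
        blocked = True

    return {
        # in the vulnerable service the same request by alice succeeds
        "vulnerable_leaks": vuln.fetch(bob_seq_id) == "bob's bank details",
        "hardened_blocks_other_owner": blocked,
        "hardened_serves_owner": hard.fetch(bob_rand_id, "bob") == "bob's bank details",
        "ids_not_sequential": bob_seq_id == "2" and len(bob_rand_id) >= 20,
    }
```

Call `demo()` to see all four outcomes; in a real service the `requester` value comes from the authenticated session, never from the request URL.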
***************************** SPONSORED LINKS ******************************
1) Free SANS Event- 16 CPE Credits | Cyber Solutions Fest 2020 | Join our two-day virtual event featuring four unique tracks chaired by top SANS experts, talks will feature case studies, demos, and discussions revolving around solutions available in the marketplace. | October 8-9
| http://www.sans.org/info/217125
2) Webcast | Mark your calendars for our upcoming webcast hosted by SANS Expert, TJ Banasik as he presents "Threat Intelligence Solutions: A SANS Review of Anomali Threatstream" | August 11 @ 1:00 PM EDT
| http://www.sans.org/info/217135
3) Webcast | Don't miss our webcast that's right around the corner titled "Understanding and Leveraging the MITRE ATT&CK Framework: A SANS Roundtable" which will be hosted by SANS Instructor John Hubbard | August 6 @ 1:00 PM EDT
| http://www.sans.org/info/217140
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--NIST Enters Next Round of Review in Public Key Cryptographic Algorithm Selection
(July 22, 2020)
The US National Institute of Standards and Technology (NIST) has begun the third round of public review of submissions for the Post-Quantum Cryptography Standardization Process. The initial 65 submissions have been winnowed down through two rounds and now stand at 15. NIST mathematician Dustin Moody said, "At the end of this round, we will choose some algorithms and standardize them."
[Editor Comments]
[Pescatore] Selecting and validating new cryptography standards takes time - it took about 4 years from when NIST first engaged the cryptographic community in 1997 before the Rijndael algorithm was announced for the Advanced Encryption Standard (AES). That open process paid off -- good to see it being followed again. So, not any immediate action around this news item but if you are part of strategic planning, you should include this in the 5 year window.
[Neely] This is exciting. Too often we hear of old algorithms which are no longer viable due to increases in computing capabilities. The candidates are grouped into a set that needs to mature more and candidates that could find wide adoption. Expect selected algorithms (two new encryption and two new signature) to be announced in 2022. Check the CSRC publication below for the list of algorithms moving forward.
[Murray] There will be no Quantum Apocalypse. Not all algorithms are vulnerable to quantum computing. Unfortunately for us, the RSA algorithm that is widely used for symmetric key exchange is one that is vulnerable and must be replaced. The sooner we address this, the less it will cost us. The later we address it, the greater the chance that we get it right. We must strike a balance. However, quantum computing is likely to be expensive for years to decades; we have time.
Read more in:
NIST: Chosen algorithms will become part of first standard devised to counter quantum decryption threat.
CSRC: Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process
https://csrc.nist.gov/publications/detail/nistir/8309/final
--Additional Information Emerging About Twitter Hack
(July 22 & 23, 2020)
Twitter says that the hackers who hijacked high profile accounts last week accessed private messages from 36 accounts, including one that belongs to an elected official from the Netherlands.
Read more in:
Reuters: Twitter says hackers saw messages from 36 accounts, including Netherlands official
The Register: Twitter hack latest: Up to 36 compromised accounts had their private messages read - including a Dutch politician's
https://www.theregister.com/2020/07/23/twitter_hack_dutch_politician_dms_accessed/
ZDNet: Twitter says hackers accessed DMs for 36 users in last week's hack
https://www.zdnet.com/article/twitter-says-hackers-accessed-dms-for-36-users-in-last-weeks-hack/
Ars Technica: Hackers obtained Twitter DMs for 36 high-profile account holders
--Adobe Releases Unscheduled Patches
(July 21 & 22, 2020)
On Tuesday, July 21, Adobe released four unscheduled security updates that address a total of 13 vulnerabilities in Adobe Reader Mobile, Prelude, Photoshop, and Bridge. Twelve of the vulnerabilities are rated critical.
[Editor Comments]
[Ullrich] Tech sites should stop referring to these "random" patches Adobe releases as "emergency patches." These updates are not particularly important and should be treated like any other patch. See Adobe's "Priority" rating for more guidance on how to prioritize these patches. In this particular case, the priority is quite low. Adobe just stopped sticking with a particular "Patch Tuesday" pattern. The lineup with Microsoft's patch Tuesday is only important for Adobe Flash which is integrated in Microsoft's software.
[Neely] Check the Adobe security bulletin site (link below) to be certain which products need updating. Creative Cloud users should already be getting prompts to update Prelude, Photoshop and Bridge. You will need to leverage your MDM to monitor Adobe Reader Mobile.
Read more in:
The Register: It's July 2020, and your PC or Mac can be pwned by a dodgy Photoshop file - Adobe emits critical patch batch
https://www.theregister.com/2020/07/21/adobe_photoshop_patches/
SC Magazine: Adobe fixes 12 critical bugs in second round of July patches
ZDNet: Adobe issues emergency fixes for critical vulnerabilities in Photoshop, Bridge, Prelude
https://www.zdnet.com/article/adobe-issues-emergency-fixes-for-vulnerabilities-in-photoshop-prelude/
Threatpost: Critical Adobe Photoshop Flaws Patched in Emergency Update
https://threatpost.com/critical-adobe-photoshop-flaws-patched-in-emergency-update/157581/
Adobe: Security Bulletins and Advisories
https://helpx.adobe.com/security.html
--Prometei Cryptominer Botnet
(July 22 & 23, 2020)
The Prometei cryptocurrency mining botnet spreads in several ways, including through the EternalBlue exploit for Windows Server Message Block (SMB). The malware campaign appears to have been active since March.
Read more in:
Talos Intelligence: Prometei botnet and its quest for Monero
https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html
SC Magazine: New cryptominer botnet spreads payload, less intrusive
https://www.scmagazine.com/home/security-news/new-cryptominer-botnet-spreads-payload-less-intrusive/
ZDNet: Prometei botnet exploits Windows SMB to mine for cryptocurrency
https://www.zdnet.com/article/prometei-botnet-is-infecting-machines-to-mine-for-cryptocurrency/
Bleeping Computer: New cryptojacking botnet uses SMB exploit to spread to Windows systems
--Diebold Nixdorf Warns ATM's Own Software Stack Used in Jackpotting Attacks
(July 20 & 21, 2020)
Diebold Nixdorf has issued a warning that jackpotting attacks against some of their ATMs are being conducted with black boxes that contain part of the targeted machines' software stack. Diebold recommends that terminal operators keep their software up to date, enable encryption on the terminal, implement hard-disk encryption, and limit physical access to the machines.
[Editor Comments]
[Murray] After a rocky start, when many ATMs were not online, they became an example of how to do security and Diebold was a leader. ATMs were on bank premises, operated by banks, using hardened hardware, purpose-built software, and proprietary networks and protocols. Then came the 90s. Every diner and convenience store advertised "ATM inside," ATMs became appliances, used Windows, used dial-up with modems, and IP with ethernet adapters. Cheap and convenient drove out trust and security.
Read more in:
Threatpost: Diebold ATM Terminals Jackpotted Using Machine's Own Software
https://threatpost.com/diebold-atm-terminals-jackpotted-using-machines-own-software/157575/
Ars Technica: Crooks have acquired proprietary Diebold software to "jackpot" ATMs
--Garmin Mobile App Unavailable Due to Apparent Ransomware Attack
(July 23 & 24, 2020)
Garmin's mobile application and related services are down due to a probable ransomware attack. The company has not acknowledged that it was hit with ransomware, but employees have talked about it on social media. Garmin has informed its staff that the company will be offline for planned maintenance on July 24 and 25.
Read more in:
ZDNet: Garmin services and production go down after ransomware attack
https://www.zdnet.com/article/garmin-services-and-production-go-down-after-ransomware-attack/
Cyberscoop: Garmin mobile app down amid possible ransomware attack
https://www.cyberscoop.com/garmin-outage-ransomware-wastedlocker/
Bleeping Computer: Garmin outage caused by confirmed WastedLocker ransomware attack
Forbes: Garmin Suffers Global Outage And Ransomware May Be To Blame
--Blackbaud Ransomware Attack Affects Multiple Universities
(July 16, 22, & 23, 2020)
A May 2020 ransomware attack against Blackbaud, a cloud-based education, administration, and fund-raising management software company, compromised personal information belonging to staff and students from at least 10 colleges and universities, as well as non-profits such as Human Rights Watch and Young Minds. Blackbaud disclosed the incident on July 16, noting that it had "paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed."
Read more in:
BBC: Blackbaud Hack: Universities lose data to ransomware attack
https://www.bbc.com/news/technology-53516413
ZDNet: University of York discloses data breach, staff and student records stolen
Blackbaud: Learn more about the Ransomware attack we recently stopped
--GEDmatch Breach Resulted in Data Exposure
(July 22, 2020)
DNA analysis website GEDmatch has acknowledged that following a breach earlier this month, users' permissions were reset, which allowed law enforcement agencies to access their information during searches. GEDmatch gained notoriety in 2018 when police used information in the company's database to catch a serial killer. Following that incident, GEDmatch allowed users to choose whether or not to allow their information to appear in law enforcement search results. The reset permissions were exposed for about three hours before the company became aware of the situation and took the site offline. As of the evening of Thursday, July 23, the site was still unavailable.
Read more in:
Tech Crunch: GEDmatch confirms data breach after users' DNA profile data made available to police
https://techcrunch.com/2020/07/22/gedmatch-investigating-dna-profile-law-enforcement/
Gizmodo: Genealogy Site Exposes One Million Profiles to Law Enforcement in Security Breach
https://gizmodo.com/genealogy-site-exposes-one-million-profiles-to-law-enfo-1844484679
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Comparing Covid19 Remote Services in Different Countries
https://isc.sans.edu/forums/diary/Couple+of+interesting+Covid19+related+stats/26374/
A Few IoCs Related to the F5 Vulnerability CVE-2020-5092
https://isc.sans.edu/forums/diary/A+few+IoCs+related+to+CVE20205092/26378/
Simple Blocklisting with MISP and pfSense
https://isc.sans.edu/forums/diary/Simple+Blocklisting+with+MISP+pfSense/26380/
ISC Intel Feed (Beta. DO NOT USE AS BLOCKLIST)
https://isc.sans.edu/api/intelfeed?json
(also see isc.sans.edu/api)
Adobe Patches Photoshop
https://helpx.adobe.com/security/products/bridge/apsb20-44.html
https://helpx.adobe.com/security/products/photoshop/apsb20-45.html
Microsoft Publishes Sysinternals Procmon for Linux
https://github.com/microsoft/ProcMon-for-Linux
Citrix Workspace App Vulnerability
https://www.pentestpartners.com/security-blog/raining-system-shells-with-citrix-workspace-app/
PDF Signature Weaknesses
Sharepoint Vulnerability PoC CVE-2020-1147
Twilio Compromise
https://www.theregister.com/2020/07/21/twilio_sdk_code_injection/
ASUS RT-AC1900P Router Vulnerability
https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=27440
DLink Leaks Firmware Encryption Key
https://nstarke.github.io/0036-decrypting-dlink-proprietary-firmware-images.html
Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software Vulnerability
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create