SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #61
August 4, 2020
Organizations Paying Ransomware Extortion as More Exfiltrated Data Is Published
*****************************************************************************
SANS NewsBites August 4, 2020 Vol. 22, Num. 061
*****************************************************************************
RANSOMWARE AT THE TOP OF THE NEWS
Ransomware Operators Publish Data Allegedly Stolen from LG, Xerox
Blackbaud Paid Ransomware Demand
Bleeping Computer: Garmin Paid Ransomware Demand
US Travel Agency CWT Reportedly Paid $4.5M Ransomware Demand
Texas School District Will Pay Ransomware Demand
No More Ransom Website Helps Ransomware Victims
REST OF THE NEWS
Three Arrested in Connection With the Twitter Hack
GandCrab Suspect Arrested
FastPOS Author Pleads Guilty to RICO Conspiracy
Taidoor RAT
BootHole Fix is Causing Problems
Update Available for WordPress Newsletter Plugin Flaws
Citizen Lab: NSO Used to Spy on Clergy, Supporters of Political Opposition in Togo
INTERNET STORM CENTER TECH CORNER
*********************** Sponsored By RiskIQ *******************************
Build Your Threat Hunting Skills & Earn CPE Credits
Learn new threat hunting methods and data sets that will enable quicker and more thorough investigations. Join RiskIQ's virtual threat hunting workshop Summer Camp to fortify your skillset through hands-on exercises and earn CPE credits. Register today!
| http://www.sans.org/info/217230
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
Best Special Offers of the Year are Available Now with OnDemand
Choose a MacBook Air, Surface Pro 7, or Take $350 Off through August 5.
- https://www.sans.org/ondemand/specials
SANS now offers THREE ways to complete a course:
OnDemand | Live Online | In-Person:
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
- https://www.sans.org/cyber-security-training-events/in-person/north-america
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online
- https://www.sans.org/event/baltimore-fall-2020
Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online
- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020
SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Reston, VA or Live Online
- https://www.sans.org/event/northern-va-reston-fall-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
RANSOMWARE AT THE TOP OF THE NEWS
--Ransomware Operators Publish Data Allegedly Stolen from LG, Xerox
(August 4, 2020)
Maze ransomware operators have published data they claim to have taken from internal networks at LG and Xerox after the companies declined to pay a ransom. In a June email exchange with ZDNet, Maze operators say they did not launch ransomware on LG's network, but only exfiltrated data.
[Editor Comments]
[Neely] Both systems ran Citrix ADC servers, vulnerable to CVE-2019-19781, which has been characterized as a favorite entry point for Maze operators. Keeping your boundary and remote access devices patched expeditiously is critical in today's threat environment. Verify you can monitor and alert on exfiltration of data, including tuning and testing. Also, when considering breached data, remember to include assessing loss of intellectual property. Too often, the review is only of customer or employee personal information.
Read more in:
ZDNet: Ransomware gang publishes tens of GBs of internal data from LG and Xerox
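As an added illustration of the "monitor and alert on exfiltration, including tuning and testing" advice above (example code written for this page, not part of the NewsBites item or the editor's comment), the following Python builds a per-host outbound-volume baseline from a few constructed flow-log lines and flags a day whose outbound bytes exceed both an absolute floor and a multiple of that host's baseline. The log format, host names, addresses, byte counts and default thresholds are all constructed assumptions; the two knobs show what "tuning" means in practice.

```python
"""Volume-based exfiltration detector over constructed outbound-flow log lines.

Line format (assumed): ISO timestamp, internal source host, external destination, bytes sent.
A per-host daily baseline is taken from days before a cutoff; days on or after the cutoff
are alerted when their total exceeds BOTH an absolute floor and a multiple of the baseline.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from statistics import median

# Constructed sample data: three quiet days for a workstation and a file server,
# then one night-time transfer from the workstation that dwarfs its history.
SAMPLE_LOG = """\
2020-07-28T09:12:00Z ws-finance-01 203.0.113.10 41200
2020-07-28T14:03:00Z ws-finance-01 203.0.113.25 38800
2020-07-28T10:20:00Z srv-share-02 198.51.100.7 920000
2020-07-29T09:40:00Z ws-finance-01 203.0.113.10 45000
2020-07-29T11:15:00Z srv-share-02 198.51.100.7 880000
2020-07-30T08:55:00Z ws-finance-01 203.0.113.25 39900
2020-07-30T16:30:00Z srv-share-02 198.51.100.9 950000
2020-07-31T02:14:00Z ws-finance-01 203.0.113.77 3200000000
2020-07-31T10:05:00Z srv-share-02 198.51.100.7 910000
"""


@dataclass(frozen=True)
class Flow:
    ts: datetime
    src: str
    dst: str
    bytes_out: int


@dataclass(frozen=True)
class Alert:
    host: str
    day: date
    bytes_out: int
    baseline: float


def parse_flows(text: str) -> list[Flow]:
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, nbytes = line.split()
        ts_parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        flows.append(Flow(ts_parsed, src, dst, int(nbytes)))
    return flows


def daily_totals(flows: list[Flow]) -> dict[str, dict[date, int]]:
    """Sum outbound bytes per internal host per calendar day."""
    totals: dict[str, dict[date, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.src][f.ts.date()] += f.bytes_out
    return totals


def detect_exfil(flows: list[Flow], cutoff: date, multiplier: float = 10.0,
                 floor_bytes: int = 100_000_000) -> list[Alert]:
    """Alert on days >= cutoff whose total beats the floor AND multiplier x host baseline.

    The floor keeps a 1 KB -> 50 KB jump on a quiet host from paging anyone; the multiplier
    keeps a busy file server's normal daily volume from tripping the absolute threshold.
    """
    alerts = []
    for host, by_day in sorted(daily_totals(flows).items()):
        history = [b for d, b in by_day.items() if d < cutoff]
        baseline = float(median(history)) if history else 0.0
        for day in sorted(d for d in by_day if d >= cutoff):
            total = by_day[day]
            if total >= floor_bytes and total > multiplier * baseline:
                alerts.append(Alert(host, day, total, baseline))
    return alerts


def run_sample(multiplier: float = 10.0, floor_bytes: int = 100_000_000) -> list[Alert]:
    """Run the detector over the constructed log with 2020-07-31 as the evaluation day."""
    return detect_exfil(parse_flows(SAMPLE_LOG), date(2020, 7, 31), multiplier, floor_bytes)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a.host} {a.day}: {a.bytes_out} bytes out (baseline {a.baseline:.0f})")
```

Testing the rule means replaying a known transfer through it and confirming an alert fires: with the defaults only the workstation's 3.2 GB day is flagged, while lowering the floor to 500 KB and the multiplier to 0.5 also flags the file server's ordinary day, which is exactly the kind of noisy tuning the editor's comment warns about.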
--Blackbaud Paid Ransomware Demand
(August 3, 2020)
Blackbaud's CEO says the company "discovered and stopped a sophisticated attempted ransomware attack." Blackbaud paid the ransomware demand in May 2020; the attack was publicly disclosed in July. Blackbaud provides customer relationship management (CRM) software for colleges and universities, non-profit groups, and others.
[Editor Comments]
[Neely] In this issue we have several articles where the ransom was paid. Back in October, the FBI published updated guidance on payment (https://www.ic3.gov/media/2019/191002.aspx) acknowledging that there are cases where companies will pay. With exfiltrated data being published, payment is vastly incentivized. Beyond payment, ensure that adequate steps are taken to prevent recurrence as well as timely notification of the incident, status, and resolution to affected parties to allow them to take appropriate actions, and to include required breach notifications to regulators and customers.
Read more in:
The Register: 'We stopped ransomware' boasts Blackbaud CEO. And by 'stopped' he means 'got insurance to pay off crooks'
https://www.theregister.com/2020/08/03/blackbaud_glosses_over_ransomware_payoff/
--Bleeping Computer: Garmin Paid Ransomware Demand
(August 3, 2020)
According to a report in Bleeping Computer, Garmin received the WastedLocker ransomware encryption key on July 25, two days after its network was hit with the malware. While it is not known how much Garmin paid the WastedLocker operators, the initial demand was reportedly $10 million. Bleeping Computer obtained "access to an executable created by the Garmin IT department to decrypt a workstation and then install a variety of security software on the machine."
[Editor Comments]
[Pescatore] Dealing with the Covid virus has reinforced the importance of data-based decision making. There are many good reasons not to pay ransomware demands but there is not good data to support when/if it does make financial sense. One factor that can swing the decision: if your company has extortion insurance and the language in that policy covers/does not exclude ransomware, management may find that the cost of paying off is reduced enough to be well below the business disruption costs. In next week's NewsBites DrillDown I'll publish a deeper dive into the issues with a few example data sets.
Read more in:
Bleeping Computer: Confirmed: Garmin received decryptor for WastedLocker ransomware?
Threatpost: Garmin Pays Up to Evil Corp After Ransomware Attack -- Reports
https://threatpost.com/garmin-pays-evil-corp-ransomware-attack-reports/157971/
--US Travel Agency CWT Reportedly Paid $4.5M Ransomware Demand
(July 31, 2020)
Corporate travel agency CWT (formerly known as Carlson Wagonlit Travel) has confirmed that its network was shut down due to a ransomware attack in late July. The company reportedly paid $4.5 million to regain access to its encrypted data. The strain of ransomware used in the attack appears to be Ragnar Locker.
Read more in:
The Register: First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo
https://www.theregister.com/2020/07/31/carlson_wagonlit_travel_ragnarlocker_ransom_paid/
Reuters: 'Payment sent' - travel giant CWT pays $4.5 million ransom to cyber criminals
Threatpost: CWT Travel Agency Faces $4.5M Ransom in Cyberattack, Report
https://threatpost.com/cwt-travel-agency-ransom-cyberattack-report/157911/
--Texas School District Will Pay Ransomware Demand
(July 31, 2020)
The Athens (Texas) Independent School District (ISD) will pay $50,000 to ransomware operators to regain access to the data in its servers that have been encrypted. The district's board of trustees voted to pay the ransom, which will be covered by insurance. The attack will postpone the start of the school year by at least a week.
Read more in:
Govtech: Texas School District Forks Over $50K in Ransomware Attack
https://www.govtech.com/security/Texas-School-District-to-Fork-Over-50K-in-Ransomware-Attack.html
--No More Ransom Website Helps Ransomware Victims
(July 27, 2020)
The No More Ransom decryption tool repository was established four years ago this month. No More Ransom offers free tools to decrypt 140 strains of ransomware. "The website is an initiative by the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre, Kaspersky and McAfee with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals."
[Editor Comments]
[Neely] This site doesn't eliminate the need for good disconnected differential backups; it provides a potential resource where you could retrieve the decryption key for your particular ransomware attack. Be sure to take steps to fix and verify that the entry point is closed to prevent recurrence first. This also doesn't eliminate the need to respond to ransom demands for exfiltrated and published content.
Read more in:
Europol: No More Ransom: How 4 Millions Victims of Ransomware Have Fought Back Against Hackers
No More Ransom: No more ransom!
***************************** SPONSORED LINKS ******************************
1) Webcast | Tune in for our upcoming webcast hosted by Bitglass as SANS Senior Instructor, Dave Shackleford dives into "Comparing CASB Technologies: What's the Difference?" In this webinar, you will learn: 1. The major differences between CASB architectures. 2. CASB deployment modes and how they provide different data protection. 3. Key items you need to consider to secure any app or device. | August 12 @ 2:00 PM EDT
| http://www.sans.org/info/217215
2) Webcast | Join us for an informative webcast hosted by SANS Instructor, Matt Bromiley as he presents "All for One, One for All: Bringing Data Together with Devo" In this webcast, SANS instructor Matt Bromiley reviews Security Operations as an intuitive solution that empowers analysts to put their data to use. | August 19 @ 12:00 PM EDT
| http://www.sans.org/info/217220
3) Webcast | Mark your calendars for our webcast that will be hosted by SANS Analyst, Serge Borso titled "Securing the Future of Work: How to Achieve Complete Malware and Phishing Protection" | August 19 @ 2:00 PM EDT
| http://www.sans.org/info/217225
*****************************************************************************
REST OF THE NEWS
--Three Arrested in Connection With the Twitter Hack
(July 31 & August 1, 2020)
Authorities have arrested and charged three people in connection with the July 15 Twitter hack that took over several high-profile accounts and used them in a Bitcoin fraud scheme. The attackers allegedly used social engineering to gain access to internal Twitter tools. One of the suspects, a 17-year-old, faces 30 felony charges and will be tried as an adult.
[Editor Comments]
[Neely] With enhanced working from home, there are more opportunities for accessing malicious content from outside the company perimeter. Take a pause to identify and resolve gaps. Ask whether your users are using personal phones or the corporate softphone with its VoIP firewall and associated protections. Are users able to browse to disallowed sites normally blocked by NGFW or outbound proxy rules? Even with remote or virtual desktops, understand what work is permitted off those systems as well as data interchange capabilities between the remote and local systems. Take steps to minimize data exchange to prevent paths for inbound malfeasance.
Read more in:
KrebsOnSecurity: Three Charged in July 15 Twitter Compromise
https://krebsonsecurity.com/2020/07/three-charged-in-july-15-twitter-compromise/
Wired: How the Alleged Twitter Hackers Got Caught
https://www.wired.com/story/how-alleged-twitter-hackers-got-caught-bitcoin/
ZDNet: How the FBI tracked down the Twitter hackers
https://www.zdnet.com/article/how-the-fbi-tracked-down-the-twitter-hackers/
Ars Technica: Florida teen charged as "mastermind" in Twitter hack hitting Biden, Bezos, and others
--GandCrab Suspect Arrested
(July 31 & August 3, 2020)
Authorities in Belarus have arrested an individual allegedly involved in the distribution of the GandCrab ransomware. GandCrab ceased operations in June 2019. The FBI released master encryption keys for GandCrab, and Bitdefender released a decryptor.
Read more in:
ZDNet: GandCrab ransomware distributor arrested in Belarus
https://www.zdnet.com/article/gandcrab-ransomware-distributor-arrested-in-belarus/
Bleeping Computer: GandCrab ransomware operator arrested in Belarus
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/
--FastPOS Author Pleads Guilty to RICO Conspiracy
(August 1 & 3, 2020)
A Moldovan citizen has pleaded guilty to RICO (Racketeer Influenced and Corrupt Organizations) conspiracy in a Nevada courtroom for his role in the Infraud cybercriminal organization. In a plea agreement, Valerian Chiochiu admitted to creating malware known as FastPOS, which was designed to facilitate payment card data theft. Chiochiu is the second person in just over a month to plead guilty in connection with Infraud; in late June, Sergey Medvedev also pleaded guilty to RICO conspiracy.
Read more in:
ZDNet: Author of FastPOS malware revealed, pleads guilty
https://www.zdnet.com/article/author-of-fastpos-malware-revealed-pleads-guilty/
Cyberscoop: Another guilty plea in $568 million Infraud crime ring
https://www.cyberscoop.com/infraud-valerian-chiochiu-guilty-plea/
Infosecurity Magazine: Malware Author Admits Role in $568m Cyber-Fraud
https://www.infosecurity-magazine.com/news/malware-author-admits-role-in-568m/
Justice: Malware Author Pleads Guilty for Role in Transnational Cybercrime Organization Responsible for more than $568 Million in Losses
--Taidoor RAT
(August 3, 2020)
The FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense have issued a joint malware analysis report about malware that China has been using since 2008. Taidoor, as the malware is known, is a remote access trojan (RAT) and has been used in cyberespionage campaigns.
Read more in:
Duo: DHS Exposes Chinese Malware Tools
https://duo.com/decipher/dhs-exposes-chinese-malware-tools
Cyberscoop: DOD, FBI, DHS release info on malware used in Chinese government-led hacking campaigns
https://www.cyberscoop.com/taidoor-malware-report-china-cisa-dod-fbi/
Bleeping Computer: US govt exposes Chinese espionage malware secretly used since 2008
ZDNet: CISA, DOD, FBI expose new Chinese malware strain named Taidoor
https://www.zdnet.com/article/cisa-dod-fbi-expose-new-chinese-malware-strain-named-taidoor/
US-CERT.CISA: Malware Analysis Report (AR20-216A) | MAR-10292089-1.v1 - Chinese Remote Access Trojan: TAIDOOR
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
--BootHole Fix is Causing Problems
(July 31, 2020)
Linux distributions have released fixes for the GNU GRUB2 bootloader vulnerability, a.k.a. BootHole. However, some users are reporting that these fixes are causing problems themselves: booting and dual-booting issues in Debian, Ubuntu, Red Hat, CentOS, and Fedora. The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories that include suggestions for mitigating the BootHole vulnerability, and users are urged to take steps to mitigate the issue.
Read more in:
ZDNet: BootHole fixes causing boot problems across multiple Linux distros
https://www.zdnet.com/article/boothole-fixes-causing-boot-problems-across-multiple-linux-distros/
Ars Technica: Red Hat and CentOS systems aren't booting due to BootHole patches
FCW: NSA and CISA push guidance for BootHole fix
https://fcw.com/articles/2020/07/31/johnson-guidance-fix-your-boothole.aspx
kb.cert: GRUB2 bootloader is vulnerable to buffer overflow
https://www.kb.cert.org/vuls/id/174059
--Update Available for WordPress Newsletter Plugin Flaws
(August 3, 2020)
Flaws in the Newsletter plugin for WordPress can be exploited to establish backdoors, create admin accounts, and possibly take control of vulnerable sites. The plugin's developers have released an updated version, Newsletter 6.8.3, which addresses these vulnerabilities.
[Editor Comments]
[Neely] This flaw includes a PHP Object Injection as well as a reflected Cross-Site Scripting (XSS) vulnerability. The good news is that the plugin author provided an update the day after the vulnerability was disclosed. The bad news is you still need to update your plugins, or make sure you have an application firewall rule to detect attempted exploitation. While Wordfence premium has the firewall rule, and it will be released to the free version users on August 14th, don't wait to update.
Read more in:
Wordfence: Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites
https://www.wordfence.com/blog/2020/08/newsletter-plugin-vulnerabilities-affect-over-300000-sites/
Bleeping Computer: Newsletter plugin bugs let hackers inject backdoors on 300K sites
--Citizen Lab: NSO Used to Spy on Clergy, Supporters of Political Opposition in Togo
(August 3, 2020)
A report from Citizen Lab says that spyware made by NSO Group was used to target political opposition members and members of the clergy in Togo. All of the targets had spoken out about the need for government reform in the West African country.
Read more in:
Citizen Lab: Religious and Secular Voices for Reform in Togo Targeted with NSO Spyware
https://citizenlab.ca/2020/08/nothing-sacred-nso-sypware-in-togo/
Vice: NSO Spyware Was Used to Hack Clergy in Togo
https://www.vice.com/en_us/article/7kpdpe/nso-spyware-was-used-to-hack-clergy-in-togo
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Pages Hit By Bad Bots
https://isc.sans.edu/forums/diary/What+pages+do+bad+bots+look+for/26414/
VBA Macro With Multiple Command and Control Channels
https://isc.sans.edu/forums/diary/Powershell+Bot+with+Multiple+C2+Protocols/26420/
KeePassRPC Vulnerability
https://forum.kee.pm/t/a-critical-security-update-for-keepassrpc-is-available/3040
QNAP Updates Malware Remover
Android Phone Updates
https://www.theregister.com/2020/07/31/nearly_a_third_of_secondhand/
BootHole Patch Causes Unbootable Systems
https://access.redhat.com/solutions/5272311
https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GRUB2SecureBootBypass#Recovery
Disabling MacOS TCC
https://objective-see.com/blog/blog_0x4C.html
CISA Publishes Details about Chinese Malware
https://us-cert.cisa.gov/ncas/current-activity/2020/08/03/chinese-malicious-cyber-activity
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create