SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #64
August 14, 2020
Microsoft IE Flaw Actively Exploited; NSA and FBI: New Linux Rootkit
*****************************************************************************
SANS NewsBites August 14, 2020 Vol. 22, Num. 064
*****************************************************************************
TOP OF THE NEWS
Patch Tuesday: Microsoft: Two Actively Exploited (incl. IE and File Validation)
NSA and FBI: Fancy Bear Hacking Group Using New Linux Rootkit
*************************** Sponsored By SANS ************************************
SANS Survey | Take the SANS Cloud Security Survey for an opportunity to win a $150 Amazon gift card | This survey is designed to summarize data in three generalized areas including demographics, cloud architecture, and cloud security. The primary goal of this survey is to better understand if security professionals feel cloud-native security tooling is equivalent to industry-leading security tools, and the decisions behind adoption. | Results will be shared during a webcast on December 15 @ 1:00 PM EST
| http://www.sans.org/info/217325
*****************************************************************************
REST OF THE WEEK'S NEWS
CISA Warns of Phishing Attempts that Spoof SBA Loan Program
US Financial Regulator FINRA Warns of Phishing Website
TikTok Secretly Collected MAC Addresses
Amazon Alexa Vulnerabilities Patched
Citrix Releases Fixes for Flaws in XenMobile Server
Patch Tuesday: Adobe
TinyMCE Flaw Fixed
Intel Security Updates for Server Boards, Server Systems, and Compute Modules
WordPress 5.5: Option to Update Plugins Automatically
SEPTA (Philadelphia Transit) Malware Attack
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
Best Special Offers of the Year for OnDemand are Ending Soon
Choose an iPad Pro with Apple Pencil, Surface Go 2, or Take $300 Off through August 19.
- https://www.sans.org/ondemand/specials
SANS now offers THREE ways to complete a course:
OnDemand | Live Online | In-Person:
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
- https://www.sans.org/cyber-security-training-events/in-person/north-america
Keep your skills sharp with SANS Online Training:
The world's top cybersecurity courses
Taught by real world practitioners
Ideal preparation for more than 30 GIAC Certifications
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online
- https://www.sans.org/event/baltimore-fall-2020
Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online
- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020
SANS Network Security 2020 | September 20-25 | Live Online
- https://www.sans.org/event/network-security-2020
SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Live Online
- https://www.sans.org/event/northern-va-reston-fall-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--Patch Tuesday: Microsoft: Two Actively Exploited (incl. IE and File Validation)
(August 11 & 12, 2020)
On Tuesday, August 11, Microsoft released updates to address at least 120 vulnerabilities in Windows and other products and services. Two of the flaws are being actively exploited: a memory corruption vulnerability in the scripting engine in Internet Explorer, and a spoofing flaw in Windows file validation that could be exploited to bypass security features.
[Editor Comments]
[Pescatore] I really like The Register's excellent headline, but I will add one thing: A lot of VPN approaches only support connectivity back to corporate data centers when the user has initiated the VPN and it hasn't timed out. Other VPN approaches that are always on don't handle intermittent or low speed home internet connections very well. Patch success rates for those sporadically-connected devices are always lower than LAN-connected or always on VPN approaches on solid remote connections; worth extra attention on this patch-filled vacation/holiday month.
[Neely] As IE is being actively exploited, it may also be time to change the default browser. Consider limiting IE through the perimeter to reduce the likelihood of interaction with malicious sites. While you're busy queueing up application of this month's suite of patches, take a check of your backup system to make sure you're covered in case something goes wrong.
[Murray] This is the third "Patch Tuesday" in a row when the number of vulnerabilities addressed exceeded one hundred. One does not know whether to credit Microsoft for its diligence or condemn it for the quality of its code. Suffice it to say that the next Patch Tuesday will address far more than zero vulnerabilities and most of them will be older than a month. While patching is mandatory, one cannot patch one's way to security. Use "least privilege" access control at all layers, internal firewalls, strong authentication, structured networks, and end-to-end application layer encryption to reduce your attack surface and hide potentially vulnerable processes. While I still do not like the expression "Zero Trust," it is an old idea whose time has come.
Read more in:
KrebsOnSecurity: Microsoft Patch Tuesday, August 2020 Edition
https://krebsonsecurity.com/2020/08/microsoft-patch-tuesday-august-2020-edition/
The Register: We spent way too long on this Microsoft, Intel, Adobe, SAP, Red Hat Patch Tuesday article. Just click on it, pretend to read it, apply updates
https://www.theregister.com/2020/08/11/patch_tuesday_august/
Duo: Microsoft Patches Zero Days Used in Targeted Attacks
https://duo.com/decipher/microsoft-patches-zero-days-used-in-targeted-attacks
Threatpost: Two 0-Days Under Active Attack, Among 120 Bugs Patched by Microsoft
https://threatpost.com/0-days-active-attack-bugs-patched-microsoft/158280/
Ars Technica: 0-days, a failed patch, and a backdoor threat. Update Tuesday highlights
Dark Reading: Microsoft Patches 120 Vulnerabilities, Two Zero-Days
SC Magazine: Microsoft patches 2 actively exploited zero-day flaws
ZDNet: Microsoft August 2020 Patch Tuesday fixes 120 vulnerabilities, two zero-days
Bleeping Computer: Microsoft August 2020 Patch Tuesday fixes 2 zero-days, 120 flaws
MSRC: Security Update Summary
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
--NSA and FBI: Fancy Bear Hacking Group Using New Linux Rootkit
(August 13, 2020)
In a joint cybersecurity advisory, the US National Security Agency (NSA) and the FBI warn of a new strain of malware being used by hackers with ties to Russia's government. Drovorub is a rootkit designed to infect Linux systems and steal data.
Read more in:
ZDNet: FBI and NSA expose new Linux malware Drovorub, used by Russian state hackers
The Register: This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit
https://www.theregister.com/2020/08/13/drovorub_nsa_fbi/
Defense: Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware (PDF)
FBI: NSA and FBI Expose Russian Previously Undisclosed Malware Drovorub in Cybersecurity Advisory
NSA: Drovorub Malware Fact Sheet & FAQs (PDF)
******************************* SPONSORED LINKS ********************************
1) Webcast | Join SANS analyst and instructor, Dave Shackleford as he hosts one of our upcoming webcasts titled, "Securing Lift-and-Shift Cloud Migrations". Tune in to our live webinar, to help you better understand how to adapt your security strategy to address new security requirements for lift-and-shift migrations. | August 26 @ 1:00 PM EDT
| http://www.sans.org/info/217330
2) Webcast | Join Google Cloud Security's Ansh Patnaik and Dr. Anton Chavakin, with SANS moderator Matt Bromiley as they host, "Rethinking Security Detection in an XDR World" to learn more about the dimensions of modern security analytics that will enable you to fully unleash your XDR investment. | August 27 @ 12:30 PM EDT
| http://www.sans.org/info/217335
3) Webcast | During our upcoming webcast, "Intuitive Endpoint Security: A SANS Review of Morphisec Shield" SANS Instructor Matt Bromiley reviews Morphisec Shield, a tool that uses moving target defense to defeat threats such as zero-days, evasive malware, fileless attacks and exploits by morphing process memory. | August 18 @ 10:30 AM EDT
| http://www.sans.org/info/217345
*****************************************************************************
REST OF THE NEWS
--CISA Warns of Phishing Attempts that Spoof SBA Loan Program
(August 10, 12, & 13, 2020)
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning of a phishing attack that sends users to a spoofed version of the Small Business Administration's (SBA's) COVID-19 loan relief webpage.
[Editor Comments]
[Neely] Threat actors are leveraging anything relating to COVID-19, from wellness advice, contact tracing, and testing to financial relief programs to lure users into clicking/opening their content. With the increased telecommuting, it's easy to forget that on-premise protections may not be protecting users full time. Step up user training, keeping in mind that current concerns and stress are leading users to click where they otherwise would not.
[Murray] "Phishing," i.e., bait attacks, remains efficient and popular. Because such attacks exploit human frailty and there are so many of us, they are difficult to address. The bait is generally offered in e-mails and on web sites. E-mail and browsing applications are implicated in a majority of breaches. They should be isolated from the rest of the enterprise network. As a user, I hated it when any of my clients blocked my access to my e-mail (e.g., OWA) from their networks, but as their security adviser I had to appreciate it. Note that one no longer needs the enterprise network to access e-mail or to browse; one uses one's mobile and the cellular data network.
Read more in:
Fedscoop: Malicious cyber actor spoofing SBA's coronavirus loan relief webpage
https://www.fedscoop.com/cisa-spoofing-sba-loan-relief/
Bleeping Computer: CISA alerts of phishing attack targeting SBA loan relief accounts
FCW: Scammers spoof SBA to get disaster loan dollars
https://fcw.com/articles/2020/08/10/johnson-sba-loan-scam-email.aspx
US-CERT.CISA: Alert (AA20-225A) | Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage via Phishing Emails
https://us-cert.cisa.gov/ncas/alerts/aa20-225a
--US Financial Regulator FINRA Warns of Phishing Website
(August 13, 2020)
The US Financial Industry Regulatory Authority (FINRA) has issued an alert warning of the existence of a fraudulent copycat website that includes a registration form for collecting data that could be used in targeted phishing attacks. Observant users will note an extra "n" in the domain name of the copycat site. FINRA has requested that the domain registrar suspend the phony domain.
Read more in:
Bleeping Computer: U.S. stock broker regulator FINRA warns of copycat phishing site
FINRA: FINRA Alerts Firms to Use of Fake FINRA Domain Name
https://www.finra.org/rules-guidance/notices/20-27
--TikTok Secretly Collected MAC Addresses
(August 11 & 12, 2020)
According to a report in the Wall Street Journal, the TikTok video-sharing app collected MAC addresses from Android users for more than a year. The app hid the questionable activity with encryption. The activity was conducted for 15 months, ending in November 2019. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Neely] As more information about inappropriate behavior from TikTok emerges, it's time to make an active decision whether to block or prohibit the application. Use your MDM to inventory your corporate mobile devices for TikTok. Also take a look at application protections on your BYO devices to make sure that your enterprise information is protected from malicious behavior. Note that not all device/MDM combinations allow blocking installation or removal of disallowed apps.
Read more in:
Threatpost: TikTok Surreptitiously Collected Android User Data Using Google-Prohibited Tactic
WSJ: TikTok Tracked User Data Using Tactic Banned by Google (paywall)
https://www.wsj.com/articles/tiktok-tracked-user-data-using-tactic-banned-by-google-11597176738
--Amazon Alexa Vulnerabilities Patched
(August 13, 2020)
Earlier this year, researchers from Check Point found that some Amazon Alexa subdomains were vulnerable to cross-origin resource sharing (CORS) misconfiguration and cross-site scripting. Check Point notified Amazon of the issues in June. The issues could be exploited to access users' voice history logs, to discover which skills are installed, and to install additional skills. Amazon has fixed the issues.
[Editor Comments]
[Neely] Take a look at the voice history your digital assistants are storing. Both Amazon and Google allow you to delete messages from their website, mobile app, or the device itself. Also, review the enabled skills and connected smart devices to make sure that no extra features are enabled, or devices connected.
Read more in:
Wired: An Alexa Bug Could Have Exposed Your Voice History to Hackers
https://www.wired.com/story/amazon-alexa-bug-exposed-voice-history-hackers/
ZDNet: In one click: Amazon Alexa could be exploited for theft of voice history, PII, skill tampering
Threatpost: Amazon Alexa One-Click Attack Can Divulge Personal Data
https://threatpost.com/amazon-alexa-one-click-attack-can-divulge-personal-data/158297/
CNET: Alexa vulnerability is a reminder to delete your voice history
https://www.cnet.com/news/alexa-vulnerability-is-a-reminder-to-delete-your-voice-history/
Check Point: Keeping the gate locked on your IoT devices: Vulnerabilities found on Amazon's Alexa
https://research.checkpoint.com/2020/amazons-alexa-hacked/
--Citrix Releases Fixes for Flaws in XenMobile Server
(August 11 & 12, 2020)
Citrix has released updates to address vulnerabilities in its Citrix Endpoint Management product, often known as XenMobile Server. Users are urged to apply the updates as soon as possible, as Citrix says it anticipates malicious actors will move quickly to exploit them. Two of the vulnerabilities are rated critical.
Read more in:
Citrix: Citrix provides security update on Citrix Endpoint Management
Support.Citrix: Citrix Endpoint Management (CEM) Security Update
https://support.citrix.com/article/CTX277457
Cyberscoop: Citrix releases fix for software bug that hackers will move quickly to exploit
https://www.cyberscoop.com/citrix-xenmobile-bug-positive-technologies/
Bleeping Computer: Citrix fixes critical bugs allowing takeover of XenMobile Servers
Threatpost: Citrix Warns of Critical Flaws in XenMobile Server
https://threatpost.com/citrix-warns-of-critical-flaws-in-xenmobile-server/158293/
The Register: Citrix warns of patch-ASAP-grade bugs in its working-from-home products, just as we're all working from home
https://www.theregister.com/2020/08/12/citrix_endpoint_management_critical_bug/
--Patch Tuesday: Adobe
(August 11 & 12, 2020)
Adobe has released updates to address vulnerabilities in Reader and Acrobat; 11 of the flaws are rated critical. Adobe also released an update to address a privilege elevation vulnerability in Lightroom.
[Editor Comments]
[Neely] While the Lightroom and Acrobat updates are not actively being exploited, the Reader and Acrobat vulnerabilities are considered elevated risk because of past issues with these products. The updates for Reader and Acrobat affect a wide range of versions, back to Acrobat and Reader 2015. Check the Adobe Security Bulletin for the full list of products impacted. This would be a good time to replace older versions with current, patched ones.
[Murray] After ten years, we are finally nailing the final nail into the coffin of Flash. Perhaps it is time to consider the future of Reader and Acrobat. Many enterprises already restrict pdf attachments and others use alternative application programs to handle them.
Read more in:
ZDNet: Adobe tackles critical code execution vulnerabilities in Acrobat, Reader
Bleeping Computer: Adobe fixes critical code execution bugs in Acrobat and Reader
Threatpost: Critical Adobe Acrobat and Reader Bugs Allow RCE
https://threatpost.com/critical-adobe-acrobat-reader-bugs-rce/158261/
Adobe: Recent bulletins and advisories
https://helpx.adobe.com/security.html
--TinyMCE Flaw Fixed
(August 9, 12, & 13, 2020)
TinyMCE developers have released a fix for a cross-site scripting vulnerability in the open-source text editor. The flaw could be remotely exploited to gain administrative access to vulnerable websites. TinyMCE is usually part of content management systems (CMS) used by websites.
Read more in:
Threatpost: High-Severity TinyMCE Cross-Site Scripting Flaw Fixed
https://threatpost.com/high-severity-tinymce-cross-site-scripting-flaw-fixed/158306/
Bishop Fox: TinyMCE Version 5.2.1 | ADVISORY SUMMARY
https://labs.bishopfox.com/advisories/tinymce-version-5.2.1
GitHub: Cross-site scripting vulnerability in TinyMCE
https://github.com/tinymce/tinymce/security/advisories/GHSA-vrv8-v4w8-f95h
--Intel Security Updates for Server Boards, Server Systems, and Compute Modules
(August 11, 2020)
Intel has released updates to address 22 security issues in certain Intel Server Boards, Server Systems, and Compute Modules. One of the flaws is rated critical; it could be exploited by an unauthenticated remote attacker to gain elevated privileges. Ten of the flaws are rated high severity.
[Editor Comments]
[Pescatore] The most critical one is a flaw in baseboard management controller software, an issue Johannes Ullrich covered in the 2019 SANS "The Five Most Dangerous New Attack Techniques" keynote at the RSA conference and we covered in the 2019 SANS Threat Report. In addition to the usual local patching issues, this is an important risk issue to address with supply chain partners that may be using the impacted server boards.
Read more in:
Threatpost: Critical Intel Flaw Afflicts Several Motherboards, Server Systems, Compute Modules
https://threatpost.com/critical-intel-flaw-motherboards-server-compute-modules/158270/
Intel: Intel Server Boards, Server Systems and Compute Modules Advisory
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00384.html
CVE Mitre: CVE-2020-8708 | Improper authentication for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8708
--WordPress 5.5: Option to Update Plugins Automatically
(August 11 & 12, 2020)
WordPress has released version 5.5 of its content management platform. Among the new features is the option to enable automatic updates for plugins and themes. Users can choose to have all background updates, or to enable or disable them on specific themes and plugins.
[Editor Comments]
[Neely] WordPress 5.5 has added automatic update status to the plugins listing, as well as the ability to select and bulk enable automatic updates. Even so, not all your plugins will support automatic update. Review and enable it for those which do; consider removing or replacing those which do not. Also look for plugins which are redundant, such as a cache plugin which overlaps the caching of your CDN, which may not have been in place when you stood up your site.
[Murray] WordPress plugins are popular but of questionable quality. Consider enabling "all" by default until and unless "the solution becomes the problem."
Read more in:
WordPress: WordPress 5.5 Eckstine
https://wordpress.org/news/2020/08/eckstine/
Portswigger: WordPress 5.5 rolls out with auto-updates for plugins, themes
https://portswigger.net/daily-swig/wordpress-5-5-rolls-out-with-auto-updates-for-plugins-themes
WordPress: WordPress 5.5 Field Guide
https://make.wordpress.org/core/2020/07/30/wordpress-5-5-field-guide/
--SEPTA (Philadelphia Transit) Malware Attack
(August 12, 2020)
Servers belonging to the Southeastern Pennsylvania Transit Authority (SEPTA) were infected with malware last weekend; SEPTA has called in help from cybersecurity experts and the FBI. Since the infection, SEPTA has shut down employee email, payroll access, remote timekeeping, and real-time data feeds for customers.
Read more in:
GovTech: Pennsylvania Transit Agency Disrupted by Malware Attack
https://www.govtech.com/security/Pennsylvania-Transit-Agency-Disrupted-by-Malware-Attack.html
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
vBulletin 0-Day Exploit
https://blog.exploitee.rs/2020/exploiting-vbulletin-a-tale-of-patch-fail/
Microsoft Patches
https://isc.sans.edu/forums/diary/Microsoft+August+2020+Patch+Tuesday/26452/
Adobe Patches
https://helpx.adobe.com/security.html
Citrix End Point Management Updates
To the Brim at the Gates of Mordor
https://isc.sans.edu/forums/diary/To+the+Brim+at+the+Gates+of+Mordor+Pt+1/26456/
Large Group of Malicious Tor Exit Nodes
https://medium.com/@nusenu/how-malicious-tor-relays-are-exploiting-users-in-2020-part-i-1097575c0cac
SAP Updates
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552603345
Intel Updates
https://www.intel.com/content/www/us/en/security-center/default.html
Decrypting Voice over LTE Calls
Vulnerabilities found on Amazon's Alexa
https://research.checkpoint.com/2020/amazons-alexa-hacked/
DROVORUB Russian GRU Linux Malware (PDF)
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create