SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #65
August 18, 2020Australian Government Plans to Respond to Cyberattacks on Critical Infrastructure; Apache Struts Vulnerabilities; Credential Stuffing Against Canadian Government Website; Critical Flaws for WordPress Users
SANS Data Incident 2020 - Technical Details Webcast | Tuesday, August 18 at 12:30 PM EDT (16:30 UTC)
This webcast walks through the technical details of the incident, how it happened, our investigation details, current indicators of compromises, and finally our overall lessons learned and security awareness recommendations to prevent these incidents in the future.
SANS Data Incident 2020 - Technical Details Webcast | https://youtu.be/x2yNy-atf5g
*****************************************************************************
SANS NewsBites August 18, 2020 Vol. 22, Num. 065
*****************************************************************************
TOP OF THE NEWS
Australian Government Seeks Powers to Respond to Active Cyberattacks Against Critical Infrastructure
Apache Struts Vulnerabilities
Hackers Launched Credential Stuffing Attacks Against Canadian Government Website
Update Available to Address Critical Flaws in WordPress Quiz and Survey Master Plugin
REST OF THE WEEK'S NEWS
Cruise Line Operator Carnival Targeted in Ransomware Attack
R1 RCM Hit With Ransomware
Beverage Company Brown-Forman Suffers Cyberattack
Maze Ransomware Operators Publish File Allegedly Taken From Canon USA
Ritz London Food and Beverage Reservation System Breached
Microsoft Patch Tuesday Included Fix for Flaw First Reported in 2018
The Value of Threat Intelligence Feeds
INTERNET STORM CENTER TECH CORNER
************************* Sponsored By SANS *******************************
We invite you to complete our SANS 2020 Vulnerability Management Survey and enter for a chance to win a $150 Amazon Gift card! This survey will examine how organizations are using automated mechanisms to identify vulnerabilities and how they are managing these vulnerabilities across their enterprise infrastructure, applications, cloud services and business partners. We will also look at who is responsible for different aspects of the program and how vulnerabilities are communicated back to the business. | Results will be shared November 10 @ 1:00 PM ET
| http://www.sans.org/info/217350
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
Best Special Offers of the Year for OnDemand are Ending Soon
Choose an iPad Pro with Apple Pencil, Surface Go 2, or Take $300 Off through August 19.
- https://www.sans.org/ondemand/specials
SANS now offers THREE ways to complete a course:
OnDemand | Live Online | In-Person:
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
- https://www.sans.org/cyber-security-training-events/in-person/north-america
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online
- https://www.sans.org/event/baltimore-fall-2020
Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online
- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020
SANS Network Security 2020 | September 20-25 | Live Online
- https://www.sans.org/event/network-security-2020
SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Live Online
- https://www.sans.org/event/northern-va-reston-fall-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--Australian Government Seeks Powers to Respond to Active Cyberattacks Against Critical Infrastructure
(August 6 & 14, 2020)
Australia's Cybersecurity Strategy 2020 will require operators of critical infrastructure to report cyber incidents to ASD in real time and potentially allow ASD into their networks to monitor and defend the networks against cyberattacks. Directors will be help legally responsible for ensuring a certain level of cybersecurity. The plan expands the critical infrastructure designation to include universities, the financial sector, the health sector, and food and grocery sector. The government has released a Consultation Paper regarding these issues.
[Editor Comments]
[Neely] A strong proactive relationship like this can be a win-win, much like hiring a skilled managed security service provider. The first challenge, once data is flowing, will be defining normal, from connections, to accepted risks of discovered vulnerabilities, which is required to eliminate false positives and cement the working relationship. This process may identify areas for improvement, in which case the third party, in this case ASD, needs to understand not only how improvements can be made, but also how the current state was achieved, to neither jeopardize mission objectives nor resource and budget constraints.
[Paller] I know of few organizations in the cybersecurity world as effective as ASD in identifying what needs to be done and following through to do it. I am betting initiative this will lead to a model for other nations to follow.
[Murray] Australia seems intent on being proactive, while much of the world is reactive.
Read more in:
SMH: Cyber spy agency to be called in to protect critical infrastructure
Home Affairs: Australia's Cyber Security Strategy 2020 (PDF)
https://www.homeaffairs.gov.au/cyber-security-subsite/files/cyber-security-strategy-2020.pdf
The Register: Australian government wants power to run cyber-response for businesses under attack
https://www.theregister.com/2020/08/14/australian_critical_infrastructure_defence_plan/
Home Affairs: Protecting Critical Infrastructure and Systems of National Significance (PDF)
Home Affairs: Protecting Critical Infrastructure and Systems of National Significance
--Apache Struts Vulnerabilities
(August 13, 14, & 17, 2020)
Vulnerabilities detected in Apache Struts can be exploited to execute remote code and to create denial-of-service conditions. The issues affect Apache Struts versions 2.0.0 through 2.5.20. Users are urged to upgrade to Apache Struts version 2.5.22.
[Editor Comments]
[Neely] Apache has a mitigation to proactively protect from OGNL expression attack (https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable) which utilizes the Java Security Manager to run them in a sandbox without permissions. This is disabled by default, and is enabled by adding Dognl.security.manager to your JVM arguments. Test this before rolling the change to production. Additionally use the Struts configuration key struts.ognl.esxpressionMaxLengh to limit expressions those valid for your application, generally between 200 and 400 characters.
[Pescatore] The 2017 Equifax breach (CVE-2017-5638) is a good example of the danger of not patching/upgrading Struts. The vulnerability and exploit code were out in March 2017, Equifax was compromised in May, didn't notice until July - and in 2019 stated that the total cost of dealing with the breach was $1.4B and resulted in the CEO and top cybersecurity staff leaving the company. That cost is about $10 per record exposed and Equifax's cybersecurity insurance paid out less than 10% of the incident cost. Post-mortem investigations conclude the incident was entirely preventable.
[Murray] Websites are intended to be attached to the public networks and often must also have some access to enterprise data, application services, or even networks. They constitute an attractive target. At a minimum, they should be built to OWASP standards and be subjected to the OWASP Application Security Verification Standard (ASVS). Access to the enterprise resources should be limited and carefully controlled. Development tools, libraries, and content managers (e.g., Apache Struts, WordPress) must be carefully chosen and kept current.
Read more in:
Duo: Apache Warns of Serious Flaw in Struts
https://duo.com/decipher/apache-warns-of-serious-flaw-in-struts
Threatpost: PoC Exploit Targeting Apache Struts Surfaces on GitHub
https://threatpost.com/poc-exploit-github-apache-struts/158393/
CISA: Apache Releases Security Advisory for Struts 2
https://us-cert.cisa.gov/ncas/current-activity/2020/08/14/apache-releases-security-advisory-struts-2
struts.apache: 13 August 2020 - Security Advice: Announcing CVE-2019-0230 (Possible RCE) and CVE-2019-0233 (DoS) security issues
https://struts.apache.org/announce.html#a20200813
cwiki.apache: Forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
https://cwiki.apache.org/confluence/display/WW/S2-059
cwiki.apache: Access permission override causing a Denial of Service when performing a file upload
https://cwiki.apache.org/confluence/display/ww/s2-060
--Hackers Launched Credential Stuffing Attacks Against Canadian Government Website
(August 16 & 17, 2020)
Hackers used credential stuffing attacks to access thousands of accounts used by Canadian citizens to access various government services websites. The attacks targeted the Canada Revenue Agency (CRA) and the GCKey portal that provides single sign-on to multiple Canadian government services websites. The hackers used the compromised accounts to access government services and apply for COVID-19 relief payments. The Canada Revenue Agency has temporarily disabled the site. The attacks targeted the Canada Revenue Agency (CRA) and the GCKey portal that provides single sign-on to multiple Canadian government services websites suspended online services.
[Editor Comments]
[Murray] Currently US Government websites are designed to resist such attacks. They require, not just offer, strong authentication with strict enrollment and verification procedures. (See login.gov). I say, well done.
Read more in:
CBC: Cyberattacks targeting CRA, Canadians' COVID-19 benefits have been brought under control: officials
https://www.cbc.ca/news/politics/cra-gckey-cyberattack-1.5689106
Threatpost: Cyberattacks Hit Thousands of Canadian Tax, Benefit Accounts
https://threatpost.com/cyberattacks-canadian-tax-benefit-accounts/158400/
Bleeping Computer: Canada suffers cyberattack used to steal COVID-19 relief payments
--Update Available to Address Critical Flaws in WordPress Quiz and Survey Master Plugin
(August 14, 2020)
Two critical flaws in the Quiz and Survey Master WordPress plugin could be exploited to take control of vulnerable websites. The flaws are an arbitrary file upload vulnerability and an unauthenticated arbitrary file deletion error. Users are urged to update to Quiz and Survey Master version 7.0.1. The plugin is installed in more than 30,000 sites.
[Editor Comments]
[Neely] These flaws leverage an unauthenticated AJAX action, irrespective of having a quiz which accepts file uploads. That's a good reason to uninstall the plugin if you're no longer using it. If you are retaining it, make sure that you're running WordPress 5.5 and you enable automatic updates. Wordfence released firewall rules for their paid version which will be available to the free version September 5th.
Read more in:
Threatpost: Critical Flaws in WordPress Quiz Plugin Allow Site Takeover
https://threatpost.com/critical-flaws-wordpress-quiz-plugin-site-takeover/158379/
WordFence: Critical Vulnerabilities Patched in Quiz and Survey Master Plugin
**************************** SPONSORED LINKS ******************************
1) Webcast Tomorrow| August 19th @ 12:00 PM EDT | Security analysts need to be putting their data to use instead of drowning in it. Join SANS expert Matt Bromiley and Fred Wilmot as they explore techniques for bringing together disparate data sets for analyst consumption in our upcoming webcast, "All for One, One for All: Bringing Data Together with Devo".
| http://www.sans.org/info/217355
2) Webcast Tomorrow | Don't forget to tune into our webcast that will be hosted by SANS Analyst, Serge Borso titled, "Securing the Future of Work: How to Achieve Complete Malware and Phishing Protection" | August 19 @ 2:00 PM EDT
| http://www.sans.org/info/217360
3) Webcast | Join NetErich's CTO and security executive, Brandon Hoffman for our upcoming webcast titled, "To build or not to build: Can SOC-aaS bridge your security skills gap?" | August 27 @ 1:00 PM EDT
| http://www.sans.org/info/217365
*****************************************************************************
REST OF THE NEWS
--Cruise Line Operator Carnival Targeted in Ransomware Attack
(August 17, 2020)
Carnival Corporation, the world's largest cruise line operator, was the victim of a ransomware attack. The August 15 incident was disclosed in a US Securities and Exchange Commission (SEC) 8-K form filing. In the filing, Carnival writes, "We detected a ransomware attack that accessed and encrypted a portion of one brand's information technology systems. The unauthorized access also included the download of certain of our data files."
Read more in:
Bleeping Computer: World's largest cruise line operator Carnival hit by ransomware
ZDNet: World's largest cruise line operator discloses ransomware attack
https://www.zdnet.com/article/worlds-largest-cruise-line-operator-discloses-ransomware-attack/
Document Cloud: United States Securities and Exchange Commission Form 8-K (PDF)
https://assets.documentcloud.org/documents/7038711/Carnival-8K-Other-Events-CCL-17-Aug-20.pdf
--R1 RCM Hit With Ransomware
(August 14, 2020)
Medical debt collection company R1 RCM was the target of a ransomware attack. The company says it took its systems offline in response to the attack. While it is not known how long the ransomware operators were inside R1 RCM's systems, the ransomware was activated earlier this month. R1 RCM was formerly known as Accretive Health Inc.
Read more in:
KrebsOnSecurity: Medical Debt Collection Firm R1 RCM Hit in Ransomware Attack
https://krebsonsecurity.com/2020/08/medical-debt-collection-firm-r1-rcm-hit-in-ransomware-attack/
--Beverage Company Brown-Forman Suffers Cyberattack
(August 15, 2020)
Kentucky-based alcoholic beverage company Brown-Forman was the victim of an apparent ransomware attack. In communications with Bleeping Computer, Brown-Forman wrote, "Unfortunately, we believe some information, including employee data, was impacted. We are working closely with law enforcement, as well as world-class third-party data security experts, to mitigate and resolve this situation as soon as possible." The company is not actively negotiating with the attackers. The company also told Bleeping Computer that they managed to prevent their systems from being encrypted.
Read more in:
Bleeping Computer: U.S. spirits and wine giant hit by cyberattack, 1TB of data stolen
--Maze Ransomware Operators Publish File Allegedly Taken From Canon USA
(August 14, 2020)
Files allegedly stolen from electronics company Canon USA have been posted online by ransomware operators. Internal communications obtained by Bleeping Computer indicate that Canon USA was the victim of a ransomware attack earlier this month.
[Editor Comments]
[Neely] A key component in making the decision to pay or not is the importance of the data exfiltrated. Beyond financial or personal data, imagine if your future strategic plans, or mergers and acquisitions candidates, or product roadmap were lost. Tracking sensitive data so you know which services contain sensitive data is important when assessing what was accessed during an incident.
Read more in:
Bleeping Computer: Canon USA's stolen files leaked by Maze ransomware gang
Threatpost: UPDATE: Canon Ransomware Attack Results in Leaked Data, Report
https://threatpost.com/canon-ransomware-attack-employee-note/158157/
SC Magazine: Maze delivers on threat to publish data stolen from Canon
--Ritz London Food and Beverage Reservation System Breached
(August 17, 2020)
London's Ritz Hotel is investigating a data breach of its food and beverage reservation system that compromised personal information belonging to some of its clients. Clients have reported being contacted by phone by people claiming to be Ritz Hotel staff seeking to confirm payment card details. The calls were spoofed to appear to be coming from the hotel.
Read more in:
ZDNet: Ritz London suspects data breach, fraudsters pose as staff in credit card data scam
Threatpost: Jack Daniels, Ritz London Face Cyberattacks
https://threatpost.com/jack-daniels-ritz-london-cyberattacks/158409/
Infosecurity Magazine: Phone Fraudsters Target Guests at The Ritz After Data Breach
https://www.infosecurity-magazine.com/news/breach-luxury-hotel-ritz-leads/
--Microsoft Patch Tuesday Included Fix for Flaw First Reported in 2018
(August 11 & 17, 2020)
One of the vulnerabilities Microsoft patched in its monthly release last week was first reported to the company in August 2018. The Windows spoofing vulnerability affects all supported versions of Windows. The flaw could be exploited to "bypass security features intended to prevent improperly signed files from being loaded."
Read more in:
KrebsOnSecurity: Microsoft Put Off Fixing Zero Day for 2 Years
https://krebsonsecurity.com/2020/08/microsoft-put-off-fixing-zero-day-for-2-years/
Bleeping Computer: Microsoft fixes actively exploited Windows bug reported 2 years ago
MSRC: CVE-2020-1464 | Windows Spoofing Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1464
--The Value of Threat Intelligence Feeds
(August 14, 2020)
Researchers from universities in the Netherlands and Germany compared information provided by two commercial and four open source threat intelligence services. They found very little overlap between the six feeds, noting, "These findings raise questions on the coverage and timeliness of paid threat intelligence."
Read more in:
Dark Reading: Research Casts Doubt on Value of Threat Intel Feeds
static.sched: A different cup of TI? The added value of commercial threat intelligence (PDF)
https://static.sched.com/hosted_files/usenixsecurity20/c6/sec20-bouwman.pdf
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
SANS Data Incident 2020 - Indicators of Compromise
https://www.sans.org/blog/sans-data-incident-2020-indicators-of-compromise/
Large File Used to Obfuscate Malware
Apache Struts Patch and PoC Exploit
https://cwiki.apache.org/confluence/display/WW/S2-059
Mac Malware Spreading via XCode
https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf
Citrix Broker Service Detected as Trojan by Windows Defender
https://support.citrix.com/article/CTX279897
Emotet Bug Used to Inoculate Systems
https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
