SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #68
August 28, 2020Russian Man Arrested for Scheme to Infect Tesla Factory with Malware; DDOS on New Zealand Stock Exchange; Cyberespionage Campaign Exploits Autodesk
*****************************************************************************
SANS NewsBites August 29, 2020 Vol. 22, Num. 068
*****************************************************************************
TOP OF THE NEWS
Russian Man Arrested in Connection with Scheme to Infect Tesla Factory Network with Malware
New Zealand Stock Exchange Struck by DDoS Attack
Autodesk Vulnerability Exploited in Cyberespionage Campaign
REST OF THE WEEK'S NEWS
Fix Available for Pulse Secure VPN Vulnerability
Medical Data Leaked on GitHub
Qbot Trojan Now Hijacking eMail Threads
Microsoft Azure Sphere Bugs Patched
Google Patches Flaw in Chrome Browser
US Government Agencies Warn of North Korean Hackers Targeting ATMs
DARPA's Hardened Hardware Standing Up to Bug Bounty Program
INTERNET STORM CENTER TECH CORNER
************************ Sponsored By SANS ********************************
Survey | This is your chance to be the lucky winner of a $150 Amazon Gift Card for completing the "SANS 2020 Threat Hunting Survey"
| http://www.sans.org/info/217460
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
SANS now offers THREE ways to complete a course:
OnDemand | Live Online | In-Person:
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
- https://www.sans.org/cyber-security-training-events/in-person/north-america
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
SANS Training Special Offer: Get a GIAC Certification Attempt Included or Take $350 Off through September 2 for qualified OnDemand, Live Online, or In-Person Courses.
- https://www.sans.org/north-america/specials
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online
- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020
SANS Network Security 2020 | September 20-25 | Live Online
- https://www.sans.org/event/network-security-2020
SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Live Online
- https://www.sans.org/event/northern-va-reston-fall-2020
Oil & Gas Cybersecurity Summit | October 2-10 | Live Online
- https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/
SANS Cyber Defense Initiative(R) 2020 | Dec 14-19 | Washington, DC or Live Online
- https://www.sans.org/event/cyber-defense-initiative-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--Russian Man Arrested in Connection with Scheme to Infect Tesla Factory Network with Malware
(August 26 & 28, 2020)
US law enforcement authorities have arrested and charged a Russian man for allegedly offering $1 million to an employee at Tesla's Sparks, Nevada factory in return for infecting the company's network with malware. The employee contacted the FBI. Egor Igorevich Kriuchkov was arrested earlier this week and charged with one count of conspiring to intentionally cause harm to a protected computer.
[Editor Comments]
[Neely] The goal was to exfiltrate data from Tesla and threaten to release the data unless a $4 million ransom was paid. In this case, the employee reached out to the FBI after the first contact in 2016 and was able to work with them to record subsequent meetings, including negotiating the payment from $500,000 to $1 million. Make sure that your employees know what to do in a similar situation. Pre-establishing points of contact with local law enforcement facilitates the communication when an actual incident occurs.
[Pescatore] This news item is meaningful at several levels. First is to lead to increasing the likelihood that an employee approached in the same way would respond in the right way. Also, while Tesla was a high visibility target, sophisticated ransomware attacks are not just going after the Teslas of the world any more than car thieves are only stealing Teslas. You can do an internet search on your industry and ransomware and find lists of examples to show management.
Read more in:
ZDNet: Elon Musk confirms Russian hacking plot targeted Tesla factory
https://www.zdnet.com/article/elon-musk-confirms-russian-hacking-plot-targeted-tesla-factory/
Mashable: Russian hacker tried to bribe a Tesla factory worker to install malware
https://mashable.com/article/hacker-arrested-nevada-extortion/
Ars Technica: Feds avert Russian man's $1 million plot to infect Nevada company's network
ZDNet: Russian arrested for trying to recruit an insider and hack a Nevada company
Bleeping Computer: Elon Musk confirmed Russian's plans to extort Tesla
https://www.bleepingcomputer.com/news/security/elon-musk-confirmed-russians-plans-to-extort-tesla/
Cyberscoop: FBI stopped a ransomware scheme by tricking a suspect to meet in Los Angeles
https://www.cyberscoop.com/russia-ransomware-arrest-nevada-fbi/
--New Zealand Stock Exchange Struck by DDoS Attack
(August 26, 27, & 28, 2020)
The New Zealand stock exchange (NZX) has temporarily halted trading as it deals with the effects of a distributed denial-of-service (DDoS) attack that hit its network on Tuesday, August 25. The attack is likely the work of a group that has been launching DDoS attacks against other high-profile financial service organizations, including MoneyGram, Worldpay, Venmo, and PayPal. The group demands a ransom to be paid in bitcoin to stop the attacks.
[Editor Comments]
[Neely, Pescatore] The exchange was hit by this attack for four days running, including today, and is faced with the choice of paying the ransom or continuing to implement sufficient DDoS protections. Unlike 25 years ago, disconnecting the Internet is no longer a viable option for most businesses. Assess and test your DDoS protections. Verify your outsourced and cloud services are also adequately protected. Verify your plan of action in the event the protections fail.
Read more in:
ZDNet: New Zealand Stock Exchange suffers day four disruption following DDoS attacks
ZDNet: DDoS extortionists target NZX, Moneygram, Braintree, and other financial services
Bleeping Computer: New Zealand stock exchange halted trading after DDoS attacks
The Register: DDoS downs New Zealand stock exchange for third consecutive day
https://www.theregister.com/2020/08/27/nzx_ddos_third_day/
Reuters: New Zealand's stock exchange not to reopen on Thursday after cyber attacks
--Autodesk Vulnerability Exploited in Cyberespionage Campaign
(August 26, 2020)
Hackers launched a cyberespionage campaign against an international architecture and video production firm through a vulnerability in Autodesk 3D computer graphics software. The hackers managed to get someone at the company to download a malicious Autodesk plugin.
Read more in:
Bitdefender: More Evidence of APT Hackers-for-Hire Used for Industrial Espionage (PDF)
Threatpost: Hackers Exploit Autodesk Flaw in Recent Cyberespionage Attack
https://threatpost.com/hackers-exploit-autodesk-flaw-in-recent-cyberespionage-attack/158669/
Cyberscoop: Malicious Autodesk plugin at root of cyber-espionage campaign?https://www.cyberscoop.com/autodesk-plugin-bitdefender-real-estate-hack/
**************************** SPONSORED LINKS ******************************
1) Free two-day virtual event | Mark your calendars to ensure that you're attending the SANS Cyber Solutions Fest 2020 which is the largest virtual event of the year! This event features 4 unique solutions tracks which will be chaired by top SANS experts. Talks will include case studies, demos, and discussions revolving around solutions in the marketplace. We'll see you there! | October 8-9, 2020
| http://www.sans.org/info/217465
2) Webcast | We invite yo to join our upcoming webcast titled, "Securing Common Web-Framework Stacks". This webinar, hosted by Doug Britton, CTO of RunSafe Security, will show you ways of automatically immunizing popular web framework building blocks from memory corruption risks, which comprise 40% of the CVEs in this code base. | September 15 @ 2:00 PM EDT
| http://www.sans.org/info/217470
3) Webcast | Mark your calendars for our upcoming webinar which will be chaired by SANS analyst, Dave Shackleford titled, "Mitigate Access Risk by Enforcing Least Privilege in Cloud Infrastructure". In this webinar, SANS and Ermetic will discuss the challenges and best practices for achieving least privilege in cloud infrastructure environments. We will also demonstrate practical use cases for reducing some of the most common access risks. | September 16 @ 1:00 PM EDT
| http://www.sans.org/info/217475
*****************************************************************************
REST OF THE NEWS
--Fix Available for Pulse Secure VPN Vulnerability
(August 26, 2020)
A code execution vulnerability in Pulses Secure VPN could be exploited to take control of networks. While the exploit requires that the attacker have admin privileges, this can be accomplished by tricking a user with those privileges into clicking on a malicious link. Users are urged to update to version 9.1R8 of Pulse Connect Secure and Pulse Policy Secure.
Read more in:
Ars Technica: Code-execution bug in Pulse Secure VPN threatens patch laggards everywhere
Tech Radar: Nasty code execution vulnerability discovered in Pulse Secure VPN
https://www.techradar.com/news/nasty-code-execution-vulnerability-discovered-in-pulse-secure-vpn
Pulse Secure: SA44516 - 2020-07: Security Bulletin: Multiple Vulnerabilities Resolved in Pulse Connect Secure / Pulse Policy Secure 9.1R8
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44516/?kA23Z000000L6i5SAC
--Medical Data Leaked on GitHub
(August 24 & 26, 2020)
Medical data belonging to as many as 200,000 people were exposed on GitHub. The information from clinics, hospitals, billing services, and other healthcare-related organizations was not leaked by hackers but was insufficiently protected due to faulty access control configuration and hardcoded credentials.
Read more in:
Duo: Medical Data Leaks Linked to Hardcoded Credentials in Code
https://duo.com/decipher/medical-data-leaks-linked-to-hardcoded-credentials-in-code
Threatpost: Medical Data Leaked on GitHub Due to Developer Errors
https://threatpost.com/medical-data-leaked-on-github-due-to-developer-errors/158653/
Databreaches: No need to hack when it's leaking | GITHUB HEALTHCARE LEAKS (PDF)
https://www.databreaches.net/wp-content/uploads/No-need-to-hack-when-its-leaking.pdf
--Qbot Trojan Now Hijacking eMail Threads
(August 27, 2020)
A new variant of the Qbot Trojan is hijacking email threads, according to a report from Check Point. Qbot , which is also called Qakbot and Pinkslipbot, has been in use since at least 2008. It also is capable of stealing information, installing additional malware, and conducting fraudulent bank transactions.
Read more in:
Check Point: An Old Bot's Nasty New Tricks: Exploring Qbot's Latest Attack Methods
https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/
Threatpost: Revamped Qbot Trojan Packs New Punch: Hijacks Email Threads
https://threatpost.com/revamped-qbot-trojan-packs-new-punch-hijacks-email-threads/158715/
ZDNet: Your email threads are now being hijacked by the QBot Trojan
https://www.zdnet.com/article/your-email-threads-are-now-being-hijacked-by-qbot-trojan/
--Microsoft Azure Sphere Bugs Patched
(August 24 & 25, 2020)
Researchers at Cisco Talos found four vulnerabilities in Microsoft's Azure Sphere: two of the flaws could lead to unsigned code execution, and two could be exploited to gain elevated privileges. Microsoft has released Azure Sphere 20.08, which addresses these vulnerabilities.
Read more in:
Threatpost: Four More Bugs Patched in Microsoft's Azure Sphere IoT Platform
https://threatpost.com/four-more-bugs-patched-in-microsofts-azure-sphere-iot-platform/158643/
Talos Intelligence: Vulnerability Spotlight: Remote code execution, privilege escalation bugs in Microsoft Azure Sphere
https://blog.talosintelligence.com/2020/08/vuln-spotlight-microsoft-azure-aug-2020.html
techcommunity.microsoft: Azure Sphere 20.08 Security Updates
--Google Patches Flaw in Chrome Browser
(August 24 & 25, 2020)
Google has fixed a high-severity use-after-free vulnerability in its Chrome browser. The flaw exists because Chrome's Web Graphics Library (WebGL) component does not properly handle objects in memory. The vulnerability could be exploited to execute arbitrary code. The issue is fixed in Chrome 85, which has been released to the stable channel for Windows, Mac, and Linux.
[Editor Comments]
[Neely] The use-after-free read vulnerability has been verified in Chrome 81.0.4044.138 (Stable), 84.0.4136.5 (Dev) and 84.0.4143.7 (Canary). Additionally the Chrome 85 update includes a number of other fixes including a fix for CVE-202-6558: Insufficient Policy Enforcement on iOS, which is also a high-severity vulnerability. The Chrome 85 is now available for Mac, Windows, Linux and iOS systems. The Mac and Windows version include the new Profile Guided Optimization which is speeds page loads about 10% by prioritizing most common tasks.
Read more in:
Threatpost: Google Fixes High-Severity Chrome Browser Code Execution Bug
https://threatpost.com/google-fixes-high-severity-chrome-browser-code-execution-bug/158600/
Talos Intelligence: Vulnerability Spotlight: Use-after-free vulnerability in Google Chrome WebGL could lead to code execution
https://blog.talosintelligence.com/2020/08/vuln-spotlight-chrome-use-free-aug-2020.html
Chrome Releases: Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2020/08/stable-channel-update-for-desktop_25.html
--US Government Agencies Warn of North Korean Hackers Targeting ATMs
(August 26, 2020)
The US Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, the FBU, and US Cyber Command have issued a joint technical alert regarding an automated teller machine (ATM) cash-out scheme that is being conducted by actors working on behalf of the North Korean government. According to the alert, the group has been stealing large sums of money through the cash-out schemes and fraudulent international funds transfers.
[Editor Comments]
[Neely] The CISA FASTCash alert diagrams the process used to obtain funds. The starts with phishing, which results in loading a malicious application which installs a DLL which is used to hook API calls and send modified send and pay messages, which effectively allow an attacker to withdraw more funds than are available through an ATM. Mitigation requires user awareness, such as monthly phishing campaigns. Provide users with a mechanism that not only makes it simple to report, such as an Outlook plugin, but also respond to the reports rapidly, particularly acknowledging legitimate reports, to support and motivate use.
Read more in:
CISA: CISA, Treasury, FBI and USCYBERCOM Release Cyber Alert on Latest North Korea Bank Robbing Scheme
US-CERT CISA: FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks
https://us-cert.cisa.gov/ncas/alerts/aa20-239a
US-CERT.CISA: Analysis Reports
https://us-cert.cisa.gov/ncas/analysis-reports
Bleeping Computer: US govt warns of North Korean hackers targeting banks worldwide
Cyberscoop: US government exposes North Korean government ATM cashout hacking campaign
https://www.cyberscoop.com/north-korea-atm-cashout-hacking-fbi-dhs-treasury-dod/
c4isrnet: US publicly blames North Korean cyber scheme in attempt to protect the private sector
--DARPA's Hardened Hardware Standing Up to Bug Bounty Program
(August 24, 2020)
The US Defense Advanced Research Projects Agency's (DARPA) bug bounty program, Find Exploits to Thwart Tampering (FETT), began in July and runs through September. The program is designed to find bugs in DARPA's System Security Integrated Through Hardware and Firmware (SSITH) program. To date, no bugs have been found.
[Editor Comments]
[Pescatore] As we have learned from various hardware-based protections built into CPUs, it usually takes longer to find weaknesses, but good to see this lack of immediate success. Probably more importantly, quite often operational realities rarely support running the hardware-based protections at the most stringent levels. Good news here is improvements in hardware-based security can definitely raise the bar on some forms of attack but they don't change the need for basic security hygiene levels of protection.
[Murray] The issue is not whether or not one can build a tamper resistant system by integrating hardware and software. IBM did that with what is now the iSeries decades ago. Apple has done pretty well with iOS. The issue is to build one that is convenient to use, will run legacy applications, is user programmable, and is sufficiently general and flexible to be attractive to the market. Note that both IBM and Apple started from "tamper resistant" but then, for the market, layered on pseudo generality and flexibility.
Read more in:
FETT: DARPA FETT Bug Bounty Program
FCW: DARPA's new hardware proves tough to crack
https://fcw.com/articles/2020/08/24/williams-darpa-cyber-hardware.aspx
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Keep an Eye on LOLBins
https://isc.sans.edu/forums/diary/Keep+An+Eye+on+LOLBins/26502/
Malicious Excel Sheet with a NULL VT Score
https://isc.sans.edu/forums/diary/Malicious+Excel+Sheet+with+a+NULL+VT+Score/26506/
A Reminder about Security.txt
Malicious iOS Adnetwork SDK
https://snyk.io/research/sour-mint-malicious-sdk/
Apache Update
https://httpd.apache.org/security/vulnerabilities_24.html
DNS Queries to Root Name Servers
https://blog.apnic.net/2020/08/21/chromiums-impact-on-root-dns-traffic/
Google Chrome User-Agent Client Hints
https://web.dev/user-agent-client-hints/
APT Attack Uses Autodesk Plugin (PDF)
Firefox Update
https://www.mozilla.org/en-US/security/advisories/mfsa2020-36/
Arrest in Insider Attack (download)
https://www.justice.gov/opa/press-release/file/1308766/download
Microsoft Extends Windows 10 1803 Deadline
https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet
LemonDuck Adding New Tricks
https://news.sophos.com/en-us/2020/08/25/lemon_duck-cryptominer-targets-cloud-apps-linux/
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
