SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #70
September 4, 2020
US Supreme Court to Determine Limits on Computer Fraud And Abuse Act; DDoS is Back: European ISPs and Student Attacks Online School Platform
*****************************************************************************
SANS NewsBites September 4, 2020 Vol. 22, Num. 070
*****************************************************************************
TOP OF THE NEWS
US Supreme Court to Hear CFAA Case
European ISPs Hit by DDoS Attacks
Student Admits Launching DDoS Attacks Against Online School Platform
*************************** Sponsored By Palo Alto Networks ************************************
XSOAR Hands-On Workshop || September 16th, 11:00 AM CEST (5:00 AM EDT)
If you thought security operations was all fun and games, think again. Security analysts can often feel like they're in a perpetual Pac-Man state, gobbling repetitive pellets and racing against time while malicious ghosts loom in the distance. It's time to level up your SOC skills with Cortex XSOAR (an evolution of Demisto)! Learn how to build automated playbooks to help you get the job done faster.
| http://www.sans.org/info/217525
*****************************************************************************
REST OF THE WEEK'S NEWS
Fix Available for One of Two Vulnerabilities in MAGMI Magento Plugin
MIT CSAIL Researchers Develop Cyber Risk Platform
Cisco Updates for Jabber Flaw Available
WordPress File Manager Plugin Flaw is Being Actively Exploited
Cyberattack on Norway's Parliament Affected eMail Accounts
CISA: Agencies Must Have Vulnerability Disclosure Policies
National Guard Cyber Exercise Will be Entirely Virtual
Five Eyes Countries Issue Joint Cybersecurity Advisory
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
Popular OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Upcoming Interactive Training Events
Oil & Gas Cybersecurity Summit & Training - Live Online (Oct 2-10, CDT)
- https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/
SANS San Francisco Fall 2020 - Live Online (Oct 26-31, PDT)
- https://www.sans.org/event/san-francisco-fall-2020-live-online/
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
SANS OnDemand Special Offer
Get an iPad (32GB), Galaxy Tab A, or Take $250 Off with a qualifying OnDemand course.
- https://www.sans.org/ondemand/specials
*****************************************************************************
1) Earn 16 CPE Credits | October 8-9, 2020 | Cyber Solutions Fest 2020 features 4 tracks including Cloud / DevSecOps / Threat Intel / Network Security. Join 4 of our most popular SANS instructors along with experts from the top solutions providers in the industry. Exciting 2-day event featuring great content, numerous prize drawings, peer-to-peer chat rooms and much more. Register Now!
| http://www.sans.org/info/217530
2) Webcast | Thursday, September 10, 2020 at 1:00 PM EDT | Don't miss Matt Bromiley, SANS & Anton Chuvakin, Chronicle as they present "Detecting Malicious Activity in Large Enterprises"
| http://www.sans.org/info/217535
3) Featured SANS On-Demand Webinar | SANS Instructor Matt Bromiley and Fred Wilmot from Devo present "All for One, One for All: Bringing Data Together"
| http://www.sans.org/info/217540
*****************************************************************************
TOP OF THE NEWS
--US Supreme Court to Hear CFAA Case
(September 4, 2020)
The US Supreme Court will hear a case that could determine whether the 1986 Computer Fraud and Abuse Act (CFAA) is overly broad. The Electronic Privacy Information Center (EPIC) has filed an amicus brief on behalf of the plaintiff, a police officer who was convicted of violating the CFAA when he accessed a law enforcement database to obtain personal information for a third party. Voting app maker Voatz has submitted an amicus brief on behalf of the US government in the case, arguing that researchers who do not have permission to examine code for vulnerabilities should not be exempt from prosecution under the CFAA.
[Editor Comments]
[Neely] The tricky part is connecting the two halves of this story. The officer was convicted after tracing a phony license plate in exchange for money, under the CFAA, rather than other laws he is alleged to have violated. As such, the subject of authorized use is being scrutinized, as it is not currently defined in the CFAA. The risk is that the current interpretation would make it a crime to violate any web site's terms of service, allowing the service owner to decide who goes to prison for what offense, which is control Voatz wishes to maintain. The downside of that approach is that security researchers could also run afoul of the law. Irrespective of how this comes down, make sure you have verified authorization to research the security of any given service before doing so.
[Murray] "Examining code" is research; attacking live systems is rogue hacking. If accessing law enforcement databases for third parties is found not to be a crime, then it is one more example of why the CFAA needs to be re-written. The CFAA was written long before so many systems were attached to the public networks and most abuse was by otherwise "authorized" personnel.
Read more in:
EPIC: Van Buren v. United States
https://epic.org/amicus/cfaa/van-buren/
The Register: Surprise! Voting app maker roasted by computer boffins for poor security now begs US courts to limit flaw finding
https://www.theregister.com/2020/09/04/voatz_supreme_court/
--European ISPs Hit by DDoS Attacks
(September 3, 2020)
Multiple European Internet service providers (ISPs) were hit with distributed denial-of-service (DDoS) attacks last week. The attacks affected ISPs in France, Belgium, and the Netherlands. Some experts have suggested that last week's CenturyLink outage in the US may have been triggered by a DDoS attack; two separate analysis reports say that the CenturyLink outage was due to a problem with a tool commonly used while mitigating DDoS attacks.
Read more in:
ZDNet: European ISPs report mysterious wave of DDoS attacks
https://www.zdnet.com/article/european-isps-report-mysterious-wave-of-ddos-attacks/
--Student Admits Launching DDoS Attacks Against Online School Platform
(September 3, 2020)
A Florida high school student has been arrested for orchestrating distributed denial-of-service (DDoS) attacks against the Miami-Dade schools' online learning platform. The attacks disrupted teachers' and students' access to virtual classrooms. The 16-year-old has been charged with felony computer use in an attempt to defraud and misdemeanor interference with an educational institution.
[Editor Comments]
[Neely] The student attacked the My School Online platform. While Comcast added DDoS protections, they were not able to fully stop the attacks. Teachers were able to pivot to alternate options such as Zoom and MS Teams. Services such as Zoom and Teams have anti-DDoS protections; it would be prudent for educators to ensure their e-learning platform is similarly protected, as well as having a verified contingency plan for their system being off-line or otherwise unavailable.
Read more in:
Edscoop: Miami high school student charged in DDoS attacks against school district
https://edscoop.com/miami-dade-schools-ddos-attack-student-charged/
NBC News: Miami-Dade Public Schools' remote learning platform endures days of cyberattacks
*****************************************************************************
REST OF THE NEWS
--Fix Available for One of Two Vulnerabilities in MAGMI Magento Plugin
(September 1 & 2, 2020)
Two vulnerabilities in the Magento Mass Import (MAGMI) plugin could be exploited to allow remote code execution. An authentication bypass vulnerability exists because MAGMI versions 0.7.23 and older allow default ... credentials to be used in the event a database connection fails. The issue has been fixed in MAGMI v.0.7.24. A cross-site request forgery (CSRF) vulnerability exists because of a lack of CSRF tokens. There is not yet a fix for this issue. The flaws were detected by researchers at Tenable.
Read more in:
Tenable: MAGMI Multiple Vulnerabilities
https://www.tenable.com/security/research/tra-2020-51
Tenable: CVE-2020-5776
https://www.tenable.com/cve/CVE-2020-5776
Tenable: CVE-2020-5777
https://www.tenable.com/cve/CVE-2020-5777
SC Magazine: Attackers could exploit flaws in MAGMI Magento plugin to hijack admin sessions
Threatpost: Magento Sites Vulnerable to RCE Stemming From Magmi Plugin Flaws
https://threatpost.com/magento-sites-vulnerable-to-rce-stemming-from-magmi-plugin-flaws/158864/
Bleeping Computer: Magento plugin Magmi vulnerable to hijacking admin sessions
--MIT CSAIL Researchers Develop Cyber Risk Platform
(September 3, 2020)
Researchers at MIT's Computer Science and Artificial Intelligence Lab (CSAIL) have developed a [cryptographic] platform for securely measuring cyber risk. Dubbed SCRAM (Secure Cyber Risk Aggregation and Measurement), the platform allows organizations to assess their risk without exposing sensitive data.
[Editor Comments]
[Northcutt] For 16 years I have been hearing how important it is to share data and I agree. But the idea of a cryptographic front end to ensure there are no OPSEC leaks is misguided. Five or six pieces of information would be enough to identify most corporations. What is truly needed is a trustworthy information broker.
Read more in:
Assets.pubpub: SCRAM: A Platform for Securely Measuring Cyber Risk (PDF)
https://assets.pubpub.org/6konmefn/21597242874854.pdf
ZDNet: MIT SCRAM: a new analysis platform for prioritizing enterprise security investments
--Cisco Updates for Jabber Flaw Available
(September 2 & 3, 2020)
Cisco has released fixes for a critical vulnerability affecting Jabber for Windows. The flaw, which is due to improper validation of message contents, affects multiple versions of the desktop collaboration application. The vulnerability can be exploited with no user interaction to remotely execute code with privileges of the targeted user. The issue does not affect Jabber for macOS or for mobile platforms.
Read more in:
ZDNet: Patch now: Cisco warns Jabber IM client for Windows has a critical flaw
https://www.zdnet.com/article/cisco-warns-jabber-im-client-for-windows-has-a-critical-flaw/
Threatpost: Attackers Can Exploit Critical Cisco Jabber Flaw With One Message
https://threatpost.com/attackers-can-exploit-critical-cisco-jabber-flaw-with-one-message/158942/
Bleeping Computer: Cisco fixes critical code execution bug in Jabber for Windows
Cisco: Cisco Jabber for Windows Message Handling Arbitrary Code Execution Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-UyTKCPGg
--WordPress File Manager Plugin Flaw is Being Actively Exploited
(September 1 & 3, 2020)
Developers of the File Manager plugin for WordPress have released an updated version to address a vulnerability that affects File Manager versions 6.0 through 6.8. Users are urged to update to version 6.9. The flaw could be exploited to allow unauthenticated users to execute commands and upload malicious files on a target site. File Manager has been installed more than 700,000 times.
[Editor Comments]
[Neely] Now that you're running WordPress 5.5, enable auto-updates for your plugins. To validate the fix is in place, make sure lib/php/connector.minimal.php is no longer present. Consider uninstalling utility plugins, like File Manager, when not in use, to remove possible exploit paths. The Wordfence article below includes IOCs and an explanation of the vulnerability.
Read more in:
Ars Technica: Hackers are exploiting a critical flaw affecting >350,000 WordPress sites
ZDNet: WordPress File Manager plugin flaw causing website hijack exploited in the wild
Wordfence: 700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin
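A defender-side audit along the lines of the editor comment above, added here as an example (not code from the newsletter, from Wordfence or from the plugin's authors): it reports whether a WordPress install still carries a vulnerable File Manager. It assumes the plugin lives under wp-content/plugins/wp-file-manager and declares its version in a standard WordPress "Version:" plugin header; both are assumptions, not facts stated on the page.

```shell
#!/bin/sh
# Added example, not from the newsletter or the plugin's authors.
# audit_file_manager <wordpress root> prints one of:
#   ABSENT        - plugin directory not present
#   VULNERABLE    - lib/php/connector.minimal.php still present, or version < 6.9
#   PATCHED       - version 6.9 or later and the connector file is gone
#   INCONCLUSIVE  - no Version header could be read
# Assumed plugin slug: wp-file-manager (labelled assumption).

# Read the "Version:" header from the first plugin file in the directory that has one.
plugin_version() {
    dir="$1"
    for f in "$dir"/*.php; do
        [ -f "$f" ] || continue
        v=$(sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$f" | head -n 1)
        if [ -n "$v" ]; then
            printf '%s\n' "$v"
            return 0
        fi
    done
    return 1
}

# version_ge A B: succeeds when dotted version A >= B (so 6.10 >= 6.9, unlike a string compare).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$2" ]
}

audit_file_manager() {
    plugin="$1/wp-content/plugins/wp-file-manager"
    [ -d "$plugin" ] || { echo ABSENT; return 0; }
    ver=$(plugin_version "$plugin") || ver=""
    # The check from the editor comment: the connector file must be gone after the update.
    if [ -f "$plugin/lib/php/connector.minimal.php" ]; then
        echo "VULNERABLE (lib/php/connector.minimal.php present, version ${ver:-unknown})"
        return 0
    fi
    if [ -z "$ver" ]; then
        echo "INCONCLUSIVE (connector file absent but no Version header found)"
    elif version_ge "$ver" "6.9"; then
        echo "PATCHED (version $ver)"
    else
        echo "VULNERABLE (version $ver is older than 6.9)"
    fi
}

# Usage: audit_file_manager /var/www/html
```

Run it against every document root on a host; any line other than ABSENT or PATCHED is a site to update or remove the plugin from.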
--Cyberattack on Norway's Parliament Affected eMail Accounts
(September 1, 2020)
Authorities in Norway are investigating a significant cyberattack that compromised the email accounts of several members and employees of Stortinget, the country's parliament. Stortinget administrator Marianne Andreassen said the attackers downloaded data.
[Editor Comments]
[Neely, Honan] It has to become standard operating procedure to enable multi-factor authentication for internet facing services. Also consider using email message encryption options, such as OME, S/MIME or PGP to encrypt sensitive information to protect it even if downloaded. Check your email provider for records retention capabilities to preserve information, creating a long-term archive, irrespective of malicious actions, such as deleting the mailbox.
Read more in:
ZDNet: Norwegian Parliament discloses cyber-attack on internal email system
https://www.zdnet.com/article/norwegian-parliament-discloses-cyber-attack-on-internal-email-system/
Cyberscoop: Norway is investigating a cyberattack on its parliament
https://www.cyberscoop.com/norway-parliament-cyberattack/
NYT: Norway's Parliament Says It Was Hit by 'Significant' Cyber Attack
https://www.nytimes.com/reuters/2020/09/01/world/europe/01reuters-norway-parliament.html
--CISA: Agencies Must Have Vulnerability Disclosure Policies
(September 2, 2020)
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD) that requires federal government agencies to establish vulnerability disclosure policies. The Office of Management and Budget (OMB) has issued a memorandum supporting the BOD and establishing deadlines for implementation.
[Editor Comments]
[Neely] Having a defined place to report discovered vulnerabilities, with clear definition of remuneration, scoped systems, and how to remain within authorized testing scope is excellent. The intent is for agency policies to align with the DOJ Vulnerability Disclosure Framework (https://www.justice.gov/criminal-ccips/page/file/983996/download), which also provides guidance on implementation and administration of a policy. While allowing anyone to conduct testing without constraint feels like open-season on internet-facing systems, our adversaries don't get permission before finding and exploiting vulnerabilities. To support increased testing activities, agencies will need to ensure they have visibility to all internet-facing service logs and alerts, including cloud-based services. Those data must feed to centralized logging, SIEM and/or SOAR platforms to support automated detection, correlation and response of activities.
Read more in:
Cyberscoop: CISA orders agencies to set up vulnerability disclosure programs
https://www.cyberscoop.com/cisa-vulnerability-disclosure-directive-omb/
Threatpost: U.S. Agencies Must Adopt Vulnerability-Disclosure Policies by March 2021
https://threatpost.com/u-s-agencies-vulnerability-disclosure-policies-march-2021/158913/
MeriTalk: OMB Issues Final Vulnerability Disclosure Policies Guidance for Agencies
Nextgov: OMB Starts Clock on Agencies Implementing Policies to Welcome Public Security Research
Whitehouse: Memorandum: Improving Vulnerability Identification, Management, and Remediation (PDF)
https://www.whitehouse.gov/wp-content/uploads/2020/09/M-20-32.pdf
cyber.DHS: Binding Operational Directive 20-01 | Develop and Publish a Vulnerability Disclosure Policy
https://cyber.dhs.gov/bod/20-01/
--National Guard Cyber Exercise Will be Entirely Virtual
(September 2 & 3, 2020)
The US National Guard's annual cyber exercise, Cyber Shield, will be entirely online this year. The event will take place over a two-week period later this month. Cyber Shield exercise director George Battistelli says this year's exercise will focus on information operations.
[Editor Comments]
[Neely] This has been a year of learning how to work closely together while physically separated. Learning is more difficult as ad-hoc teamwork and coaching, such as looking over a teammate's shoulder to help, requires advance planning and technology configuration. The lessons learned from these activities should be leveraged to help teams be better prepared for remote collaboration and assistance scenarios as well as greater self-reliance and sufficiency.
Read more in:
c4isrnet: National Guard cyber exercise to increase focus on information operations
FCW: National Guard plans all-virtual cyber exercise
https://fcw.com/articles/2020/09/03/williams-guard-cyber-shield-virtual.aspx
--Five Eyes Countries Issue Joint Cybersecurity Advisory
(September 1, 2020)
A joint advisory from cybersecurity authorities in Australia, Canada, New Zealand, the UK, and the US highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. The purpose of [the] report is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.
Read more in:
MeriTalk: Five Eyes Nations Release Joint Cybersecurity Advisory
https://www.meritalk.com/articles/five-eyes-nations-release-joint-cybersecurity-advisory/
Nextgov: CISA, International Counterparts Highlight Mistakes Organizations Make After a Cyber Intrusion
US-CERT CISA: Alert (AA20-245A) Technical Approaches to Uncovering and Remediating Malicious Activity
https://us-cert.cisa.gov/ncas/alerts/aa20-245a
US-CERT CISA: Joint Cybersecurity Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity (PDF)
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Exposed Domain Controllers Used in DDoS Attacks
Python and Risky Windows API Calls
https://isc.sans.edu/forums/diary/Python+and+Risky+Windows+API+Calls/26530/
Sandbox Evasion Using NTP
https://isc.sans.edu/forums/diary/Sandbox+Evasion+Using+NTP/26534/
Microsoft Reviving SHA-1
Trend Micro Updating Anti Malware Products
https://success.trendmicro.com/solution/000263632
QNAP Updates
https://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825
https://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817
iOS 13.7 Update
https://support.apple.com/en-us/HT201222
Cisco Jabber Update
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-UyTKCPGg
Cisco Jabber Vulnerability Followup
https://watchcom.no/nyheter/nyhetsarkiv/uncovers-cisco-jabber-vulnerabilities/
MoFi Router Vulnerabilities
https://www.criticalstart.com/critical-vulnerabilities-discovered-in-mofi-routers/
Android DNS over HTTPS
https://blog.chromium.org/2020/09/a-safer-and-more-private-browsing.html
Public Voter Data Sold as "Breach"
https://www.cyberscoop.com/russia-hack-michigan-voter-data-kommersant/
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create