SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #72
September 11, 2020
NB: Microsoft: Russian Hackers are Targeting US Presidential Campaigns; Zoom Will Offer Two-Factor Authentication; Irish Data Protection Commission Will Order Facebook to Stop Sending EU User Data to US
*****************************************************************************
SANS NewsBites September 11, 2020 Vol. 22, Num. 072
*****************************************************************************
THE TOP OF THE NEWS
Microsoft: Russian Hackers are Targeting US Presidential Campaigns
Zoom Will Offer Two-Factor Authentication to All Users
Irish Data Protection Commission Will Order Facebook to Stop Sending EU User Data to US
REST OF THE WEEK'S NEWS
School Openings Delayed Due to Ransomware and Other Digital Disruptions
Pakistani Power Company Hit with Ransomware
Equinix Internal Systems Hit with Ransomware
Microsoft Patch Tuesday
Adobe Patch Tuesday
CodeMeter Vulnerabilities
Bluetooth Vulnerability
INTERNET STORM CENTER TECH CORNER
****************** Sponsored By AWS Marketplace ***************************
"How to strengthen your security posture in AWS.
Join SANS and AWS Marketplace to learn how to create and implement an effective continuous monitoring and assessment strategy. They will provide practical guidance that will help you secure your cloud control plane, identify misconfigurations, uncover security gaps, and enable you to better predict, prevent, and respond to events."
| http://www.sans.org/info/217575
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
Popular OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Upcoming Interactive Training Events
Oil & Gas Cybersecurity Summit & Training - Live Online (Oct 2-10, CDT)
- https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/
SANS San Francisco Fall 2020 - Live Online (Oct 26-31, PDT)
- https://www.sans.org/event/san-francisco-fall-2020-live-online/
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
SANS OnDemand Special Offer
Get an iPad (32GB), Galaxy Tab A, or Take $250 Off with a qualifying OnDemand course.
- https://www.sans.org/ondemand/specials
*****************************************************************************
TOP OF THE NEWS
--Microsoft: Russian Hackers are Targeting US Presidential Campaigns
(September 10, 2020)
In a blog post, Microsoft writes that it "has detected cyberattacks targeting people and organizations involved in the upcoming presidential election." Microsoft has seen malicious activity from hacking groups operating from Russia, China, and Iran. The attacks are targeting "candidates and campaign staffers, but also those they consult on key issues."
[Editor Comments]
[Murray] People on this target list had best be using strong authentication.
Read more in:
Microsoft: New cyberattacks targeting U.S. elections
https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/
Wired: Russia's Fancy Bear Hackers Are Hitting US Campaign Targets Again
https://www.wired.com/story/russias-fancy-bear-hackers-are-hitting-us-campaign-targets-again/
Threatpost: Microsoft Warns of Cyberattacks on Trump, Biden Election Campaigns
https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/
ZDNet: Microsoft confirms Chinese, Iranian, and Russian cyber-attacks on Biden and Trump campaigns
--Zoom Will Offer Two-Factor Authentication to All Users
(September 10, 2020)
Zoom has announced plans to roll out two-factor authentication (2FA) to all users. Users will be able to choose from several second-factor options: time-based one-time password (TOTP) authentication apps such as Google Authenticator, Microsoft Authenticator, and FreeOTP, or a code from Zoom sent via SMS or a phone call.
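What the authenticator-app option actually computes, as an added example that is not code from Zoom or from the original article: RFC 4226 HOTP and RFC 6238 TOTP over a base32 seed of the kind carried in an otpauth:// URI, plus the two server-side checks that are easy to get wrong, namely accepting a code only within a small clock-drift window and never accepting the same time step twice (replay). The seed and timestamps are the RFC 6238 Appendix B test vector, constructed for the demo and not a real account; the class and function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current time step (30 s by default)."""
    return hotp(secret, unix_time // step, digits)


def decode_base32_seed(text: str) -> bytes:
    """Authenticator apps receive the seed as (often unpadded, sometimes spaced) base32."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server-side verification: small drift window, constant-time compare, no replay."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted_step = -1  # highest time step already consumed by a login

    def verify(self, code: str, unix_time: int) -> bool:
        # Reject anything that is not an ASCII digit string of the right length up front.
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        current = unix_time // self.step
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_accepted_step:
                continue  # step already used: a captured code must not work a second time
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self.last_accepted_step = counter
                return True
        return False


# RFC 6238 Appendix B test seed (SHA-1 variant); constructed demo data, not a real account.
RFC_SEED = b"12345678901234567890"
RFC_SEED_BASE32 = base64.b32encode(RFC_SEED).decode()  # what the enrolment QR code carries

if __name__ == "__main__":
    assert decode_base32_seed(RFC_SEED_BASE32) == RFC_SEED
    print("RFC vector t=59  ->", totp(RFC_SEED, 59, digits=8))   # 94287082
    print("current code     ->", totp(RFC_SEED, int(time.time())))
    verifier = TotpVerifier(RFC_SEED)
    print("first use :", verifier.verify(totp(RFC_SEED, 59), 59))   # True
    print("replay    :", verifier.verify(totp(RFC_SEED, 59), 59))   # False
```

The window of one step either side tolerates ordinary phone clock drift; widening it buys little usability and multiplies the guessing surface, and without the replay check a code shoulder-surfed or phished in the last minute still logs in.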
[Editor Comments]
[Pescatore] Rolling out 2FA has been announced by many other large players before but has never been followed by incenting/encouraging users to move away from re-usable passwords. Zoom's position in the current consumer and business online conferencing stampede could be a game changer if they take that second step.
[Honan] A welcome move from Zoom; should be replicated by all service providers.
Read more in:
Zoom: Secure Your Zoom Account with Two-Factor Authentication
https://blog.zoom.us/secure-your-zoom-account-with-two-factor-authentication/
Dark Reading: Zoom Brings Two-Factor Authentication to All Users
--Irish Data Protection Commission Will Order Facebook to Stop Sending EU User Data to US
(September 9 & 10, 2020)
Facebook has received a preliminary order from the Irish Data Protection Commission to stop sending European Union (EU) user data to the US, and has until mid-September to respond. The order grew out of a July 2020 ruling from the Court of Justice of the European Union (CJEU) that invalidated Privacy Shield, the EU-US data transfer agreement then in force, because the protections it offered against US surveillance laws were found inadequate to protect the rights of EU data subjects. The CJEU ruling left in place Standard Contractual Clauses (SCCs), which provide for data transfers between EU and non-EU countries, but the Irish Data Protection Commission believes the SCC provisions are not sufficient in this case and is therefore asking Facebook to stop the transfers. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Pescatore] Facebook's CEO needs to learn from Bill Gates' 2002 "Security is Job 1" direction change at Microsoft, and more recently from Zoom CEO Eric Yuan's similar (but much faster!) epiphany and subsequent security focus in April of this year. The increasing demand for privacy and data rights is coming from consumers, not just regulatory bodies. Getting data protection and stronger user authentication built into products and services meets that demand while greatly raising the bar against attackers.
[Honan] This has major ramifications for all companies transferring personal data of EU data subjects to the US, and potentially for the transferring of personal data of EU data subjects to the United Kingdom in the event of a no deal Brexit. The core of the issue is that the EU does not believe that US privacy laws and mechanisms are robust enough to protect the privacy rights of EU data subjects against US surveillance laws and abuse of that personal data by US corporates. Privacy comes at a price which for too long has been borne by the individual. This move sends a clear message to governments and companies that they too have a responsibility to protect the privacy of individuals.
Read more in:
WSJ: Ireland to Order Facebook to Stop Sending User Data to U.S. (paywall)
https://www.wsj.com/articles/ireland-to-order-facebook-to-stop-sending-user-data-to-u-s-11599671980
Politico.EU: Facebook to stop moving data from EU to US: 5 things you need to know
https://www.politico.eu/article/facebook-data-ireland-privacy/
The Register: Ireland unfriends Facebook: Oh Zucky Boy, the pipes, the pipes are closing...from glen to US, and through the EU-side
https://www.theregister.com/2020/09/10/facebook_ireland/
ZDNet: Privacy concerns prompt Irish regulators to ask Facebook to stop sending EU user data to the US
FB: Securing the Long Term Stability of Cross-Border Data Flows
https://about.fb.com/news/2020/09/securing-the-long-term-stability-of-cross-border-data-flows/
**************************** SPONSORED LINKS ******************************
1) Earn 16 CPE Credits | October 8-9, 2020 | Cyber Solutions Fest 2020 features 4 tracks including Cloud / DevSecOps / Threat Intel / Network Security. Join 4 of our most popular SANS instructors along with experts from the top solutions providers in the industry. Exciting 2-day event featuring great content, numerous prize drawings, peer-to-peer chat rooms and much more. Register Now!
| http://www.sans.org/info/217580
2) DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks| Get the whitepaper now!
| http://www.sans.org/info/217605
3) Webinar | Thursday, September 24th @ 3:30PM BST (10:30AM EDT) | SANS on Elastic Security: Discover the integration of endpoint security into the new Elastic Agent. Featuring John Pescatore, SANS Director of Emerging Trends, along with industry experts Mike Nichols & James Spiteri from Elastic Security. | http://www.sans.org/info/217610
*****************************************************************************
REST OF THE NEWS
--School Openings Delayed Due to Ransomware and Other Digital Disruptions
(September 9 & 10, 2020)
School districts in Connecticut, North Carolina, Nevada, and other US states have been hit with ransomware, interrupting plans for both online and in-person classes. In some districts, online classes have been interrupted by Zoom-bombing and distributed denial-of-service (DDoS) attacks. Hartford (Connecticut) Public Schools, which are resuming both in-person and remote classes, postponed the first day of school after suffering a ransomware attack.
Read more in:
Dark Reading: Ransomware Attacks Disrupt School Reopenings
Threatpost: Ransomware And Zoom-Bombing: Cyberattacks Disrupt Back-to-School Plans
https://threatpost.com/ransomware-zoom-cyberattacks-school/159093/
Hartford Schools: HPS Opening Postponed: Tuesday Sept 8
https://www.hartfordschools.org/hps-opening-postponed-tuesday-sept-8/
ZDNet: City of Hartford postpones first day of school after ransomware attack
NBC Connecticut: Classes Begin in Hartford After Ransomware Attack Postponed First Day of School
--Pakistani Power Company Hit with Ransomware
(September 8, 2020)
Systems at K-Electric, the company that provides electricity to Karachi, Pakistan, were infected with Netwalker ransomware. The attack disrupted billing and online services. The attack reportedly occurred on September 7.
Read more in:
Bleeping Computer: Netwalker ransomware hits Pakistan's largest private power utility
--Equinix Internal Systems Hit with Ransomware
(September 9 & 10, 2020)
Data colocation center company Equinix has acknowledged that its internal systems were hit with ransomware. In a blog post, Equinix writes, "Note that as most customers operate their own equipment within Equinix data centers, this incident has had no impact on their operations or the data on their equipment at Equinix."
[Editor Comments]
[Honan] It is prudent to include a scenario in your incident response and business continuity planning on how your organisation will react when one of your providers is impacted by ransomware.
Read more in:
ZDNet: Data center giant Equinix discloses ransomware incident
https://www.zdnet.com/article/data-center-giant-equinix-discloses-ransomware-incident/
Bleeping Computer: Equinix data center giant hit by Netwalker Ransomware, $4.5M ransom
Equinix: Equinix Statement on Security Incident
https://blog.equinix.com/blog/2020/09/09/equinix-statement-on-security-incident/
--Microsoft Patch Tuesday
(September 8 & 10, 2020)
Microsoft's monthly security update release for September includes fixes for 129 security issues. Twenty-three of the vulnerabilities are considered critical. One of the more worrisome flaws patched earlier this week is a memory corruption issue in Microsoft Exchange that could be exploited simply by sending a maliciously-crafted email.
[Editor Comments]
[Murray] This is the fourth month in a row where the number of security issues addressed by Microsoft has exceeded a hundred. This is more evidence, if any more was needed, that, while patching remains mandatory, it is a very expensive and tardy way to achieve quality. One cannot patch one's way to security. One must reduce one's attack surface. One place to start might be hiding operating systems from public, or even large enterprise, networks.
Read more in:
The Register: Enjoyed the US Labor Day weekend? Because it's September 2020 and Exchange Server can be pwned via email
https://www.theregister.com/2020/09/08/patch_tuesday_september/
SC Magazine: Microsoft fixes 129 flaws, 23 critical, in massive Patch Tuesday
KrebsOnSecurity: Microsoft Patch Tuesday, Sept. 2020 Edition
https://krebsonsecurity.com/2020/09/microsoft-patch-tuesday-sept-2020-edition/
Threatpost: Microsoft's Patch Tuesday Packed with Critical RCE Bugs
https://threatpost.com/microsofts-patch-tuesday-critical-rce-bugs/159044/
MSRC: Security Update Summary
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
--Adobe Patch Tuesday
(September 8, 2020)
On Tuesday, September 8, Adobe released fixes for vulnerabilities in Experience Manager, Framemaker, and InDesign. Nine of the 11 vulnerabilities fixed in Experience Manager could be exploited to execute arbitrary JavaScript in the browser. The two fixes for Framemaker could be exploited to allow arbitrary code execution, as could the five memory corruption flaws fixed in InDesign.
Read more in:
SC Magazine: Adobe releases update to patch critical flaws that could leave networks, data vulnerable
Threatpost: Critical Adobe Flaws Allow Attackers to Run JavaScript in Browsers
https://threatpost.com/critical-adobe-flaws-attackers-javascript-browsers/159026/
Bleeping Computer: Adobe fixes critical vulnerabilities in InDesign and Framemaker
Adobe: Security Bulletins and Advisories
https://helpx.adobe.com/security.html
--CodeMeter Vulnerabilities
(September 9, 2020)
US-CERT has released an industrial control systems (ICS) advisory warning of multiple vulnerabilities affecting Wibu-Systems CodeMeter. The flaws could be exploited "to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data, and prevent normal operation of third-party software dependent on the CodeMeter."
Read more in:
Threatpost: Critical Flaws in 3rd-Party Code Allow Takeover of Industrial Control Systems
https://threatpost.com/severe-industrial-bugs-takeover-critical-systems/159068/
US-CERT-CISA: ICS Advisory (ICSA-20-203-01) | Wibu-Systems CodeMeter
https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01
--Bluetooth Vulnerability
(September 10, 2020)
A high-severity flaw in Bluetooth, dubbed BLURtooth, could be exploited by an attacker within wireless range to overwrite a device's pairing keys and then snoop on or man-in-the-middle its connections. The issue lies in Cross-Transport Key Derivation (CTKD), which lets a device that has just paired over one transport derive the key for the other transport instead of pairing a second time. Devices that support pairing and encryption with both Bluetooth BR/EDR (Classic) and LE in Bluetooth Specifications 4.2 through 5.0 are vulnerable to key overwrite: a key derived from a weaker pairing (for example, an unauthenticated Just Works pairing) can replace an existing stronger key for the other transport. The Bluetooth SIG's statement recommends that potentially vulnerable implementations introduce the restrictions on CTKD mandated in Core Specification versions 5.1 and later.
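How the key overwrite plays out at the policy level, as an added, deliberately simplified model that is not code from the original article, the CERT note, or the Bluetooth specification: a per-peer bond store holds one key per transport together with the properties that define its strength, CTKD derives the other transport's key from whatever pairing just completed, and the vulnerable store accepts that derived key unconditionally while the hardened store refuses a derived key weaker than the one already bonded (a paraphrase of the 5.1 restriction the SIG points to). HMAC-SHA256 stands in for the specification's AES-CMAC-based h6/h7 derivation so the example runs without extra libraries; the key bytes, the name `simulate_blurtooth`, and the class names are constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class TransportKey:
    """A bonded key for one transport plus the properties that define its strength."""
    key: bytes
    authenticated: bool  # True if pairing was MITM-protected (passkey / numeric comparison)
    key_size: int        # negotiated encryption key size in bytes (7..16)

    def is_weaker_than(self, other: "TransportKey") -> bool:
        # Weaker if it loses MITM protection or shrinks the key size.
        return (other.authenticated and not self.authenticated) or self.key_size < other.key_size


def derive_cross_transport_key(source: TransportKey, target_transport: str) -> TransportKey:
    """CTKD: derive the other transport's key from the key just negotiated.

    Stand-in derivation (HMAC-SHA256, assumption for this example); the specification
    uses AES-CMAC-based h6/h7. The point modelled here is that the derived key can be no
    stronger than the pairing it came from, so it inherits that pairing's properties.
    """
    derived = hmac.new(source.key, target_transport.encode(), hashlib.sha256).digest()
    return TransportKey(derived[: source.key_size], source.authenticated, source.key_size)


@dataclass
class BondStore:
    """Per-peer key storage; enforce_restriction models the 5.1 'do not downgrade' rule."""
    enforce_restriction: bool
    keys: Dict[str, TransportKey] = field(default_factory=dict)

    def offer_derived_key(self, transport: str, candidate: TransportKey) -> bool:
        existing: Optional[TransportKey] = self.keys.get(transport)
        if self.enforce_restriction and existing is not None and candidate.is_weaker_than(existing):
            return False  # hardened: keep the stronger key that is already bonded
        self.keys[transport] = candidate  # pre-5.1 behaviour: unconditional overwrite
        return True


def simulate_blurtooth(enforce_restriction: bool) -> Tuple[bool, bool]:
    """Returns (bredr_key_overwritten, attacker_holds_current_bredr_key)."""
    store = BondStore(enforce_restriction)
    # Constructed state: the legitimate peer bonded earlier with authenticated 16-byte keys.
    store.keys["BR/EDR"] = TransportKey(bytes(range(16)), authenticated=True, key_size=16)
    store.keys["LE"] = TransportKey(bytes(range(16, 32)), authenticated=True, key_size=16)

    # An attacker in range pairs over LE with Just Works and the minimum key size while
    # presenting the bonded peer's identity; the resulting LTK is known to the attacker.
    # (Replacement of the LE key itself is a pairing-policy question left out of this model.)
    attacker_ltk = TransportKey(b"\xaa" * 7, authenticated=False, key_size=7)
    derived_link_key = derive_cross_transport_key(attacker_ltk, "BR/EDR")

    overwritten = store.offer_derived_key("BR/EDR", derived_link_key)
    attacker_holds_key = store.keys["BR/EDR"].key == derived_link_key.key
    return overwritten, attacker_holds_key


if __name__ == "__main__":
    print("pre-5.1 behaviour:", simulate_blurtooth(enforce_restriction=False))  # (True, True)
    print("5.1 restriction  :", simulate_blurtooth(enforce_restriction=True))   # (False, False)
```

In the unrestricted case the attacker ends up holding the BR/EDR link key for a peer the victim still trusts, which is the position from which the eavesdropping and man-in-the-middle described above follow; the restriction leaves the original authenticated key in place and the attacker with nothing beyond the weak LE pairing it started with.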
[Editor Comments]
[Murray] While Bluetooth vulnerabilities are interesting, even when not alarming, attacks against them do not scale well.
Read more in:
Threatpost: Bluetooth Bug Opens Devices to Man-in-the-Middle Attacks
https://threatpost.com/bluetooth-bug-mitm-attacks/159124/
KB.CERT: Devices supporting Bluetooth BR/EDR and LE using CTKD are vulnerable to key overwrite
https://kb.cert.org/vuls/id/589825
Bluetooth: Bluetooth SIG Statement Regarding the Exploiting Cross-Transport Key Derivation in Bluetooth Classic and Bluetooth Low Energy Vulnerability (BLURtooth)
https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/blurtooth/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+September+2020+Patch+Tuesday/26544/
Adobe Security Bulletins
https://helpx.adobe.com/security.html
Intel Patches
https://www.intel.com/content/www/us/en/security-center/default.html
MacOS 11 Network Traffic
Recent Dridex Activity
https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/
Azure Offers Automatic Windows VM Patching
https://azure.microsoft.com/en-us/updates/automatic-vm-guest-patching-now-in-preview/
WeaveScope Used to Attack Docker Infrastructure
Zoom Bombings and Zoom 2FA
https://arxiv.org/abs/2009.03822
https://blog.zoom.us/secure-your-zoom-account-with-two-factor-authentication/
AMD Server CPUs May Be Locked to Particular Motherboard
https://www.servethehome.com/amd-psb-vendor-locks-epyc-cpus-for-enhanced-security-at-a-cost/
BLURtooth Vulnerability
https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/blurtooth/
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create