SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #73
September 15, 2020
More evidence cyber hygiene is failing during pandemic
SANS Annual Security Awareness Report. This free resource helps you benchmark your awareness program against others and make data-driven decisions on how to best manage your human risk. Complete this anonymized, 10-minute survey (https://survey.sans.org/jfe/form/SV_0DjA8AXKRKANu97) before Oct 13. You will receive a pre-release copy of the completed report and have a chance to win an iPad or a free pass to the SANS Security Awareness Summit. https://www.sans.org/event/security-awareness-summit-2020
*****************************************************************************
SANS NewsBites September 15, 2020 Vol. 22, Num. 073
*****************************************************************************
THE TOP OF THE NEWS (Don't Let Hygiene Lag During the Pandemic)
2,000 eCommerce Sites Running Magento were Hacked Over the Weekend
Malvertising Sneaks Into Banner Ads on Adult Sites, Exploits Flaws in Flash and IE
Update Available for WordPress Email Subscribers & Newsletters Plugin Flaw
REST OF THE WEEK'S NEWS
USPS OIG: Vulnerable Apps Could Have Exposed Data
Dept. of Veterans Affairs Breach Affects 46,000
Fairfax County, Virginia, School System Suffers Ransomware Attack
Artech Information Systems Hit with Ransomware Last January
Tutanota's DDoS Defense Prevented Users From Accessing Accounts
CISA and FBI Alert Warns of China's State-Sponsored Hackers
IRS Seeks Technology to Help it Trace Cryptocurrency
Researchers and Tech Companies Respond to Voatz's CFAA Supreme Court Amicus Brief
FBI Warns Financial Institutions of Credential Stuffing Attacks
INTERNET STORM CENTER TECH CORNER
************************ Sponsored By Exabeam ******************************
Data breaches involving internal actors account for 30 percent of data breaches. Yet for many organizations, detecting insider threats is difficult because the threat actor is using a trusted identity and has legitimate access to its systems and data. For actionable tips to get ahead of insiders, join Exabeam for this September 29th webinar. | http://www.sans.org/info/217620
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
Popular OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Upcoming Interactive Training Events
Oil & Gas Cybersecurity Summit & Training - Live Online (Oct 2-10, CDT)
- https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/
SANS San Francisco Fall 2020 - Live Online (Oct 26-31, PDT)
- https://www.sans.org/event/san-francisco-fall-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
SANS OnDemand Special Offer
Get an iPad (32GB), Galaxy Tab A, or Take $250 Off with a qualifying OnDemand course.
- https://www.sans.org/ondemand/specials
*****************************************************************************
TOP OF THE NEWS (Don't Let Hygiene Lag During the Pandemic)
--2,000 eCommerce Sites Running Magento were Hacked Over the Weekend
(September 14, 2020)
Nearly 2,000 ecommerce sites running on the Magento platform were compromised over the weekend. The attackers installed malicious code to log payment card data. Most of the hacked sites were running Magento version 1, which is no longer supported. Magento 1.x reached EOL at the end of June 2020.
[Editor Comments]
[Neely] With an increased reliance on on-line purchases, users also need to take precautions, such as enabling alerts, and possibly authorization, for card-not-present transactions, rather than depending on merchants keeping their systems patched.
Read more in:
Threatpost: Magecart Attack Impacts More Than 10K Online Shoppers
https://threatpost.com/magecart-campaign-10k-online-shoppers/159216/
Bleeping Computer: Magento stores hit by largest automated hacking attack since 2015
ZDNet: Magento online stores hacked in largest campaign to date
https://www.zdnet.com/article/magento-online-stores-hacked-in-largest-campaign-to-date/
--Malvertising Sneaks Into Banner Ads on Adult Sites, Exploits Flaws in Flash and IE
(September 11 & 12, 2020)
Hackers have placed malicious banner ads on numerous adult websites. The ads redirect users to malicious sites that attempt to install malware through vulnerabilities in Adobe Flash and Internet Explorer.
[Editor Comments]
[Neely] The current isolation and work from home activities have seen a spike in porn site use, which puts systems used for both personal and work purposes at higher risk for this attack. Providing users a secured virtual environment, rather than processing business data directly on their personal system, provides needed separation from compromise on these systems. Additionally, consider limiting or blocking the use of Internet Explorer and Adobe Flash for accessing Internet sites from corporate systems.
Read more in:
ZDNet: Porn site users targeted with malicious ads redirecting to exploit kits, malware
Ars Technica: Porn surfers have a dirty secret. They're using Internet Explorer
--Update Available for WordPress Email Subscribers & Newsletters Plugin Flaw
(September 11 & 14, 2020)
Developers of the Email Subscribers & Newsletters plugin for WordPress have released an updated version to fix a spoofing vulnerability. The plugin has more than 100,000 active installations. Users are urged to upgrade to version 4.5.6.
Read more in:
Portswigger: Vulnerability in WordPress email marketing plugin patched
https://portswigger.net/daily-swig/vulnerability-in-wordpress-email-marketing-plugin-patched
Threatpost: WordPress Plugin Flaw Allows Attackers to Forge Emails
https://threatpost.com/wordpress-plugin-flaw/159172/
Tenable: Unauthenticated email forgery/spoofing in WordPress Email Subscribers plugin
https://www.tenable.com/security/research/tra-2020-53
***************************** SPONSORED LINKS *****************************
1) Webcast | September 17th @ 2:00 pm EDT | This webinar is dedicated to teaching security practitioners, cloud architects and senior security leadership how to strengthen and maintain their security posture in the cloud. Join Dave Shackleford, SANS and Nam Le, AWS as they discuss ways security teams can leverage automated means of continually assessing cloud network traffic, user activity, and configuration of systems and services running within the cloud environment. | http://www.sans.org/info/217455
2) Webcast | September 23 @ 10:30 AM ET | Power! Unlimited Power! Understanding the Techniques of Malicious Kernel-Mode Code. Tune into our upcoming Webcast, hosted by SANS Senior Instructor Jake Williams and VMRay's Tamas Boczan. Register today! | http://www.sans.org/info/217625
3) Webinar | Thursday, September 24th @ 3:30PM BST (10:30AM EDT) | SANS on Elastic Security: Discover the integration of endpoint security into the new Elastic Agent. Featuring John Pescatore, SANS Director of Emerging Trends, along with industry experts Mike Nichols & James Spiteri from Elastic Security. | http://www.sans.org/info/217630
*****************************************************************************
REST OF THE NEWS
--USPS OIG: Vulnerable Apps Could Have Exposed Data
(September 11, 2020)
According to a July 27, 2020, memorandum from the US Postal Service (USPS) Office of Inspector General, USPS has been using six applications that contained known vulnerabilities and which remained unpatched for years. The flaws in the apps could have been exploited to gain access to sensitive data. USPS has since addressed the security issues.
[Editor Comments]
[Neely] Application security testing, utilizing both dynamic and static analysis, and resolution of discovered issues have to be baked into the CI/CD pipeline. The auditor should not be the first one to analyze your code for defects. If you are running regulated systems, in this case under FISMA, the NIST Risk Management Framework allows for a lot of local control and attestation of adherence to required standards as dictated by the system accreditation letter. Even so, those choices require both monitoring and regularly verified, documented adherence to requirements to continue to use this lighter-weight ongoing authorization.
[Pescatore] The USPS IG audit appears to be the typical document review that found missing certification/accreditation documentation, vs. any active testing. That did find mention of the "... 12 vulnerabilities related to ***** labeled as catastrophic by the CISO" but assumes all the other apps that had C&A documentation did not have vulnerabilities. Last year SANS gave a SANS Difference Makers Award to Jefferson Gilkeson, the Director of IT Audit at the Department of the Interior, for his implementation and championing of active testing by Inspectors General.
[Paller] John Pescatore is correct to point to the work of Interior's Jefferson Gilkeson and his staff as the model for effective recruiting, skills development, and technical auditing that can be trusted. Gilkeson identified the skills and methods that are needed by professionals on an effective cybersecurity audit team and has shared his findings with audit leaders throughout government.
Read more in:
Vice: Postal Service Used Apps That Had 'Catastrophic' Vulnerabilities for Years
Cyberscoop: Postal Service left vulnerable IT applications unaddressed for years, inspector general finds
https://www.cyberscoop.com/postal-service-inspector-general-cyber-vulnerabilities/
USPSOIG: Management Alert - Risks Associated with Information Technology Applications (Report Number 20-251-R20) (PDF)
https://www.uspsoig.gov/sites/default/files/document-library-files/2020/20-251-R20.pdf
--Dept. of Veterans Affairs Breach Affects 46,000
(September 14, 2020)
A data breach affecting the US Department of Veterans Affairs (VA) Financial Service Center (FSC) compromised personal information belonging to 46,000 veterans. The malicious actors accessed an FSC application without authorization. FSC has taken the application offline.
[Editor Comments]
[Neely] While the VA is offering credit monitoring to affected veterans, as well as guidance on how to protect their information, don't wait to find out if you're impacted. If you don't already have credit monitoring from the 2006 VA breach, now is the perfect time to get it.
Read more in:
VA: VA notifies Veterans of compromised personal information
https://www.va.gov/opa/pressrel/pressrelease.cfm?id=5519
FCW: VA reports data breach affecting 46,000 veterans
https://fcw.com/articles/2020/09/14/veterans-affairs-breach-choice-billing.aspx
Fedscoop: Personal information of 46,000 veterans was compromised in breach
https://www.fedscoop.com/veterans-data-breach-va-hack/
The Hill: VA hit by data breach impacting 46,000 veterans
Nextgov: 46,000 Veterans' Data Exposed In Financial Services Center Breach
--Fairfax County, Virginia, School System Suffers Ransomware Attack
(September 11, 12, & 14, 2020)
The Fairfax County (Virginia) Public Schools (FCPS) is investigating a ransomware attack on "some of [its] technology systems." While the attack did not disrupt the district's remote learning program, FCPS is working with federal authorities and "cybersecurity consultants to investigate the nature, scope and extent of any possible data compromise."
[Editor Comments]
[Murray] School systems and municipalities continue to be targets of extortion attacks in part because they have access to the (taxpayers') funds to pay but lack the necessary scale, resources, and organization to resist the attacks.
Read more in:
FCPS: Ransomware Investigation Update
https://www.fcps.edu/blog/ransomware-investigation-update
Dark Reading: Virginia's Largest School System Hit With Ransomware
NBC Washington: Hackers Break Into FCPS Network, Hold Info for Ransom
Bleeping Computer: Fairfax County schools hit by Maze ransomware, student data leaked
--Artech Information Systems Hit with Ransomware Last January
(September 11, 2020)
Artech Information Systems has disclosed that its systems were targeted in a ransomware attack in January 2020. While investigating reports of unusual activity on a user account, Artech discovered ransomware on several of its systems. The company brought in a third-party forensic investigation firm, which "determined that an unauthorized actor had access to certain Artech systems between January 5, 2020 and January 8, 2020." The compromised systems contained sensitive information, including health and financial data.
Read more in:
Document Cloud: Notice of Data Event
https://www.documentcloud.org/documents/7206968-2020-9-4-Artech-Web-Notice-BleepinComputer.html
Bleeping Computer: US staffing firm Artech discloses ransomware attack, data breach
--Tutanota's DDoS Defense Prevented Users From Accessing Accounts
(September 14, 2020)
Tutanota, a company that offers an encrypted email service, has apologized to its users for unintentionally shutting them out of their accounts while the company dealt with a distributed denial-of-service (DDoS) attack. Tutanota experienced DDoS attacks on at least five occasions in the past month.
[Editor Comments]
[Honan] If your incident response in itself causes a Denial-of-Service (in this case an "overreacting IP block") then you inadvertently help your attackers achieve their goals. Incident response plans and procedures should be regularly tested and simulated to ensure the processes you use to respond to an attack work as expected.
Read more in:
The Register: Sorry we shut you out, says Tutanota: Encrypted email service weathers latest of ongoing DDoS storms
https://www.theregister.com/2020/09/14/tutanota_ddos_storms_ongoing/
--CISA and FBI Alert Warns of China's State-Sponsored Hackers
(September 11, 2020)
The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint alert warning that cyber threat actors affiliated with China's Ministry of State Security (MSS) have been targeting US government agencies. According to the alert, the Chinese hackers are exploiting vulnerabilities in Microsoft Exchange Server, F5 BIG-IP, Pulse Secure VPN, and Citrix VPN. Patches are available for the flaws.
[Editor Comments]
[Neely] Keeping services such as these updated and secured has to be a basic part of your Cyber Hygiene. A bulletin such as this can be leveraged to start the conversation about overall protections, particularly on boundary control devices. Don't limit the conversation to only the services identified; be sure to examine your overall process.
[Pescatore] There is a common thread between this item and the item on Magento vulnerabilities being exploited - these are well-known vulnerabilities with existing patches or new versions. The "state-sponsored" in the headline is click-bait - the attacks are easily avoided by basic security hygiene. I'd like to see a follow-up article on what percentage of these attacks succeed.
Read more in:
The Register: What do F5, Citrix, Pulse Secure all have in common? China exploiting their flaws to hack govt, biz - Feds
https://www.theregister.com/2020/09/14/chinas_hackers_f5_citrix/
ZDNet: CISA: Chinese state hackers are exploiting F5, Citrix, Pulse Secure, and Exchange bugs
US-CERT: Alert (AA20-258A) | Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity
https://us-cert.cisa.gov/ncas/alerts/aa20-258a
--IRS Seeks Technology to Help it Trace Cryptocurrency
(September 9, 11, & 14, 2020)
The US Internal Revenue Service (IRS) is seeking proposals that will allow the agency to trace cryptocurrency transactions as part of its investigations into money laundering and other cybercrimes. The deadline for proposals is Wednesday, September 16.
[Editor Comments]
[Murray] The good news is that the distributed ledger retains all the transaction data and the blockchain preserves and protects it. The bad news is that the amount of activity, some generated for this purpose, obscures the information. What is needed are tools and services to analyze the data so as to provide transparency and accountability. Some tools and services are already in use.
Read more in:
Nextgov: IRS Wants to Be Able to Trace 'Untraceable' Digital Currencies
ZDNet: IRS offers grants for software to trace privacy-focused cryptocurrency trades
GovInfosecurity: IRS Seeks Fresh Ways to Trace Cryptocurrency Transactions
https://www.govinfosecurity.com/irs-seeks-fresh-ways-to-trace-cryptocurrency-transactions-a-14992
Beta.sam: Pilot IRS Cryptocurrency Tracing
https://beta.sam.gov/opp/3b7875d5236b47f6a77f64c19251af60/view?index=opp
--Researchers and Tech Companies Respond to Voatz's CFAA Supreme Court Amicus Brief
(September 14, 2020)
Nearly 70 individuals and organizations in the cybersecurity community have signed a letter criticizing the argument put forth in an amicus brief submitted to the US Supreme Court regarding a case that could have wide-reaching implications for security research. Voatz's brief argues that the Computer Fraud and Abuse Act (CFAA) should not protect security researchers who do not have explicit permission to examine code for vulnerabilities. The signatories say that "As representatives of the security community, including pioneers of coordinated vulnerability disclosure, bug bounties, and election security, it is our opinion that Voatz's brief to the Court fundamentally misrepresents widely accepted practices in security research and vulnerability disclosure, and that the broad interpretation of the CFAA threatens security research activities at a national level."
Read more in:
Dark Reading: Researchers, Companies Slam Mobile Voting Firm Voatz for 'Bad Faith' Attacks
Cyberscoop: Security researchers slam Voatz brief to the Supreme Court on anti-hacking law
https://www.cyberscoop.com/voatz-supreme-court-cfaa-security-research/
Infosecurity Magazine: Cybersecurity Leaders Oppose Voatz
https://www.infosecurity-magazine.com/news/cybersecurity-leaders-oppose-voatz/
Disclose: Response to Voatz's Supreme Court Amicus Brief
https://disclose.io/voatz-response-letter/
--FBI Warns Financial Institutions of Credential Stuffing Attacks
(September 14, 2020)
An FBI warning sent to US organizations in the financial sector warns of an increase in credential stuffing attacks targeting their institutions. Suggested mitigations include advising customers and employees to use unique passwords for each account, and changing Internet login page responses so that they do not reveal whether just one component of the login (for example, the username) is correct, which would let attackers confirm valid accounts before guessing passwords.
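The two halves of that mitigation, shown as an added example that is not code from the FBI notification or from this newsletter: a login handler whose error messages confirm valid usernames, beside a hardened version that returns one uniform response and hashes even for unknown users, followed by detection logic that flags the credential stuffing pattern (one source trying many distinct usernames with a low success rate) in an authentication log. The user store, log format, source addresses (RFC 5737 documentation ranges) and thresholds are all constructed for the example; a production system would also use a slow password KDF such as bcrypt or Argon2 rather than salted SHA-256.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed user store for the example (not real credentials): username -> salted SHA-256.
# Assumption: a real deployment uses a slow, per-user-salted KDF (bcrypt/scrypt/Argon2).
_SALT = b"example-salt"


def _digest(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


USERS = {"alice": _digest("correct horse battery"), "bob": _digest("hunter2")}
# Hashed against for unknown usernames so that the unknown-user path costs the same.
_DUMMY = _digest("placeholder-so-unknown-users-cost-the-same")


def login_leaky(username: str, password: str) -> tuple:
    """Weak form: the message says which half of the credential was wrong, so a stuffing
    list can first be filtered down to usernames that actually exist."""
    if username not in USERS:
        return False, "no such user"
    if USERS[username] != _digest(password):
        return False, "incorrect password"
    return True, "ok"


def login_uniform(username: str, password: str) -> tuple:
    """Hardened form: one message for every failure, and the password is hashed and
    compared in constant time even for unknown users so timing does not leak either."""
    stored = USERS.get(username, _DUMMY)
    match = hmac.compare_digest(stored, _digest(password))
    ok = match and username in USERS
    return ok, "ok" if ok else "invalid username or password"


def username_enumerable(login) -> bool:
    """True if a caller can tell 'unknown user' apart from 'known user, wrong password'."""
    _, unknown_msg = login("nobody", "x")
    _, known_msg = login("alice", "x")
    return unknown_msg != known_msg


# Constructed authentication log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
2020-09-14T10:00:01Z src=203.0.113.7 user=alice result=fail
2020-09-14T10:00:01Z src=203.0.113.7 user=bob result=fail
2020-09-14T10:00:02Z src=203.0.113.7 user=carol result=fail
2020-09-14T10:00:02Z src=203.0.113.7 user=dave result=success
2020-09-14T10:00:03Z src=203.0.113.7 user=erin result=fail
2020-09-14T10:00:03Z src=203.0.113.7 user=frank result=fail
2020-09-14T10:00:04Z src=203.0.113.7 user=grace result=fail
2020-09-14T10:00:04Z src=203.0.113.7 user=heidi result=fail
2020-09-14T10:01:10Z src=198.51.100.5 user=alice result=fail
2020-09-14T10:01:25Z src=198.51.100.5 user=alice result=fail
2020-09-14T10:01:40Z src=198.51.100.5 user=alice result=success
"""


def parse_auth_log(text: str):
    """Yield (src, user, result) from the constructed key=value log format above."""
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        yield fields["src"], fields["user"], fields["result"]


def find_credential_stuffing(text: str, min_distinct_users: int = 5,
                             max_success_ratio: float = 0.25) -> dict:
    """Flag sources that try many *different* usernames with mostly failures. That is the
    stuffing signature (few attempts per account, many accounts); per-account lockouts
    tuned for brute force never trip on it. A user retrying their own password is not flagged."""
    attempts = defaultdict(lambda: {"users": set(), "total": 0, "success": 0})
    for src, user, result in parse_auth_log(text):
        rec = attempts[src]
        rec["users"].add(user)
        rec["total"] += 1
        rec["success"] += result == "success"
    flagged = {}
    for src, rec in attempts.items():
        distinct = len(rec["users"])
        if distinct >= min_distinct_users and rec["success"] / rec["total"] <= max_success_ratio:
            flagged[src] = {"distinct_users": distinct, "attempts": rec["total"],
                            "successes": rec["success"]}
    return flagged
```

Running `find_credential_stuffing(SAMPLE_LOG)` flags only 203.0.113.7 (eight distinct usernames, one success); the retrying user at 198.51.100.5 is left alone. The thresholds are per-source, so a stuffing campaign spread thinly across a large proxy pool needs an additional per-account or global view (for example, a spike in the ratio of failures to distinct usernames across all sources).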
[Editor Comments]
[Neely] Multi-factor authentication is also a win here. Many financial institutions offer security questions as part of the authentication process; users have to be careful to choose questions and answers which cannot be readily derived via OSINT. Use of security questions or one-time-passwords in conjunction with a memorized secret (PIN or Passcode) reduces the likelihood of a successful attack. If your FI doesn't offer multi-factor authentication, ask them how they are protecting accounts from an attack like this before enabling on-line account access.
[Murray] Financial institutions should offer their customers Strong Authentication options and encourage their use. (Customers can use password managers and biometrics to reduce any inconvenience.)
Read more in:
ZDNet: FBI says credential stuffing attacks are behind some recent bank hacks
Document Cloud: Private Industry Notification: Cyber Actors Conduct Credential Stuffing Attacks Against US Financial Sector
https://www.documentcloud.org/documents/7208239-FBI-PIN-on-credential-stuffing-attacks.html
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Pillaging and Protecting the Clipboard
Not Everything About ".well-known" is Well Known
https://isc.sans.edu/forums/diary/Not+Everything+About+wellknown+is+Well+Known/26564/
Critical Vulnerability in PAN-OS
https://security.paloaltonetworks.com/CVE-2020-2040
Linux VoIP Softswitch Malware
https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/
CVE-2020-1472 Zerologon Privilege Escalation Vulnerability
https://www.secura.com/blog/zero-logon
BLE Lock Vulnerable to Replay Attack
https://www.pentestpartners.com/security-blog/360lock-smart-lock-review/
Mobile Iron Exploit Released
https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create