
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #74

September 18, 2020

Interior's Wireless Network Problems (An Audit Success); Four Major Criminal Charges  


****************************************************************************

SANS NewsBites             September 18, 2020              Vol. 22, Num. 074

****************************************************************************


THE TOP OF THE NEWS


  US Department of the Interior OIG Audit Report Details Wireless Network Security Problems

  DOJ Charges Seven in Connection with Multiple Cyberattacks

  US Charges Alleged Iranian Hackers

  US Indicts Three for Alleged Theft of Intellectual Property and Other Information

  Criminal Charges and Financial Sanctions in Cryptocurrency Phishing Case



REST OF THE WEEK'S NEWS


  German Authorities Investigating Patient Death After Ransomware Attack on Hospital

  NCSC Warns of Ransomware Attacks Against Education Sector

  Ransomware Attack Disrupts Online Learning for California School District

  Adobe Patches Flaws in Media Encoder

  BLESA: Bluetooth Low Energy Spoofing Attacks Vulnerability

  Apple iOS Security Updates


INTERNET STORM CENTER TECH CORNER



***************************  Sponsored By Chronicle  ************************************


Chronicle launches advanced threat detection at Google Cloud Security Talks on September 23rd. Chronicle introduces Google-scale threat detection.  The new solution equips enterprises with an unrivaled set of tools for modern threat detection. The result is a new way to find threats at scale, something you can only get from Google.  Register today!

| http://www.sans.org/info/217655


****************************************************************************

CYBERSECURITY TRAINING UPDATE


New OnDemand Courses

SEC588: Cloud Penetration Testing

- https://www.sans.org/ondemand/course/cloud-penetration-testing


SEC760: Advanced Exploit Development for Penetration Testers

- https://www.sans.org/ondemand/course/advanced-exploit-development-penetration-testers


View all courses

- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand


Live Online Training Events and Summits

Cyber Defense Forum & Training - Live Online

Free Forum: Oct 9 | Training: Oct 12-17, CDT

- https://www.sans.org/event/cyber-defense-summit-2020


SANS Rocky Mountain Fall - Live Online Nov 2-7 MT

17 Interactive Courses | Virtual NetWars

- https://www.sans.org/event/rocky-mountain-fall-2020-live-online


View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america

 

Free Resources

Tools, Posters, and more.

- https://www.sans.org/free

 

OnDemand Training Special Offer: Get an iPad mini, Surface Go, or Take $300 Off with qualified OnDemand courses through September 30.

- https://www.sans.org/ondemand/specials


 

****************************************************************************

TOP OF THE NEWS   

 

--US Department of the Interior OIG Audit Report Details Wireless Network Security Problems

(September 17, 2020)

According to an audit report from the Department of the Interior Office of Inspector General (DOIOIG), "the Department did not deploy and operate a secure wireless network infrastructure, as required by the National Institute of Standards and Technology (NIST) guidance and industry best practices." Penetration testers were able to access DOI's internal wireless network with a smartphone and about $200 of equipment stashed in a backpack. They were able to intercept and decrypt traffic. The attacks the pen testers conducted were not detected by DOI employees.


[Editor Comments]


[Paller] This story is in "The Top of the News" not so much because the results are remarkable, but rather because the organization is remarkable; this is one of only two audit groups in government that have developed the technical skills to perform hands-on audits that go beyond checklists and questionnaires.


[Neely] While there are always tradeoffs between security and usability, particularly with Wi-Fi, having an independent entity perform an active test is an important component of verifying that the resulting security meets expectations for protecting services available from that network. Also make sure that you are able to detect these activities, which may necessitate the deployment and integration of a Wireless IPS, which can also help detect use of wireless in areas where it is not permitted, rogue networks, and unauthorized devices.


[Pescatore] This is an example of the value of active testing by auditors/IGs that I mentioned in the Newsbites 73 item about the USPS audit results. In the DoI report, the authors point out doing active testing is NOT beyond the capabilities of audit team budgets, though it definitely requires investment on the technical skills side. Here's the quote from the report: "We conducted reconnaissance and penetration testing of wireless networks representing each bureau and office. To do this, we assembled portable test units for less than $200 that were easily concealed in a backpack or purse and operated these units with smartphones from publicly accessible areas and locations open to visitors. Our attacks simulated the techniques of malicious actors attempting to break into departmental wireless networks, such as eavesdropping, evil twin, and password cracking."


Read more in:

The Register: Feeling bad about your last security audit? Check out what just happened to the US Department of Interior

https://www.theregister.com/2020/09/17/dot_pentesers_expose_wifi/

Cyberscoop: The Interior Department OIG clearly had some fun hacking the agency's Wi-Fi networks

https://www.cyberscoop.com/interior-department-inspector-general-wireless-hacking/

The Hill: Interior Department watchdog 'highly successful' at hacking agency's networks

https://thehill.com/policy/cybersecurity/516786-inspectors-at-interior-department-highly-successful-at-hacking-agencys

DOIOIG: Evil Twins, Eavesdropping, and Password Cracking: How the Office of Inspector General Successfully Attacked the U.S. Department of the Interior's Wireless Networks (PDF)

https://www.doioig.gov/sites/doioig.gov/files/FinalAudit_WirelessNetworkSecurity_Public.pdf


 

--DOJ Charges Seven in Connection with Multiple Cyberattacks

(September 16, 2020)

The US Department of Justice has charged seven individuals in connection with a series of cyberattacks against software, pharmaceutical and technology companies, non-profit organizations, and universities. Two of the individuals have been arrested in Malaysia; the other five remain at large in China. Some of those charged are allegedly part of the APT41 hacking group.


Read more in:

Wired: Feds Charge Chinese Hackers With Ripping Off Video Game Loot From 9 Companies

https://www.wired.com/story/barium-winnti-china-hackers-video-game-loot-indictments/

The Register: Good: US boasts it collared two in Chinese hacking bust. Bad: They aren't the actual hackers, rest are safe in China

https://www.theregister.com/2020/09/16/doj_china_hack_arrests/

Ars Technica: Hammer drops on hackers accused of targeting game and software makers

https://arstechnica.com/tech-policy/2020/09/china-sponsored-hackers-charged-for-a-decade-of-alleged-hacks-on-game-makers/

Threatpost: APT41 Operatives Indicted as Sophisticated Hacking Activity Continues

https://threatpost.com/apt41-operatives-indicted-hacking/159324/

Duo: US CHARGES FIVE ALLEGED MEMBERS OF APT41 GROUP

https://duo.com/decipher/us-charges-five-alleged-members-of-apt41-group

Justice: Seven International Cyber Defendants, Including "Apt41" Actors, Charged In Connection With Computer Intrusion Campaigns Against More Than 100 Victims Globally

https://www.justice.gov/opa/pr/seven-international-cyber-defendants-including-apt41-actors-charged-connection-computer


 

--US Charges Alleged Iranian Hackers

(September 16, 2020)

The US Department of Justice has filed charges against two Iranian men, Hooman Heidarian and Mehdi Farhadi, for allegedly launching numerous cyberattacks over the past seven years. The targeted organizations include universities, a defense contractor, a foreign policy organization, and government agencies. Prosecutors believe that Heidarian and Farhadi shared stolen data with Iranian government intelligence officials. Heidarian and Farhadi have not been arrested; they are on the FBI's wanted list.


Read more in:

ZDNet: US charges two Iranian hackers for years-long cyber-espionage, cybercrime spree

https://www.zdnet.com/article/us-charges-two-iranian-hackers-for-years-long-cyber-espionage-cybercrime-spree/

Document Cloud: Indictment

https://www.documentcloud.org/documents/7211914-Heidarian-and-Farhadi-indictment.html

 
 

--US Indicts Three for Alleged Theft of Intellectual Property and Other Information

(September 17, 2020)

The US Department of Justice has indicted three Iranian individuals, Said Pourkarim Arabi, Mohammad Reza Espargham, and Mohammad Bayati, for allegedly hacking aerospace and satellite companies. Their campaign allegedly ran from July 2015 until at least February 2019 and targeted organizations in the US as well as in other countries. The campaign was allegedly orchestrated "to steal critical information related to United States aerospace and satellite technology and resources."


Read more in:

Dark Reading: Iranian Hackers Indicted for Stealing Aerospace & Satellite Tracking Data

https://www.darkreading.com/vulnerabilities---threats/iranian-hackers-indicted-for-stealing-aerospace-and-satellite-tracking-data/d/d-id/1338950

ZDNet: US charges Iranian hackers for breaching US satellite companies

https://www.zdnet.com/article/us-charges-iranian-hackers-for-breaching-us-satellite-companies/

Justice: Iranian Hackers Indicted for Stealing Data from Aerospace and Satellite Tracking Companies

https://www.justice.gov/usao-edva/pr/iranian-hackers-indicted-stealing-data-aerospace-and-satellite-tracking-companies

 
 

--Criminal Charges and Financial Sanctions in Cryptocurrency Phishing Case

(September 17, 2020)

The US Department of the Treasury's Office of Foreign Assets Control has officially sanctioned two Russian individuals, Danil Potekhin and Dmitrii Karasavidi, in connection with a phishing campaign "that targeted customers of two U.S.-based and one foreign-based virtual asset service providers." In addition, the Department of Justice has filed charges against Potekhin and Karasavidi for allegedly stealing millions of dollars' worth of cryptocurrency. They remain at large.


Read more in:

KrebsOnSecurity: Two Russians Charged in $17M Cryptocurrency Phishing Spree

https://krebsonsecurity.com/2020/09/two-russians-charged-in-17m-cryptocurrency-phishing-spree/

ZDNet: US charges two Russians for stealing $16.8m via cryptocurrency phishing sites

https://www.zdnet.com/article/us-charges-two-russians-for-stealing-16-8m-via-cryptocurrency-phishing-sites/

Treasury: Treasury Sanctions Russian Cyber Actors for Virtual Currency Theft

https://home.treasury.gov/news/press-releases/sm1123

Document Cloud: Superseding Indictment

https://www.documentcloud.org/documents/7211805-Potekhin-Superseding-Indictment.html


*******************************  SPONSORED LINKS  ********************************

 

1) Register for Snyk and AWS webinar featuring Auth0 on mitigating risk in your code base.

| http://www.sans.org/info/217660


2) DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks | Get the whitepaper now!

| http://www.sans.org/info/217665


3) Webcast | Monday Sept 21st @3:30 EDT | Join Richard Bejtlich as he presents "Network Security Monitoring vs Encryption."

| http://www.sans.org/info/217670


****************************************************************************

REST OF THE NEWS    

 

--German Authorities Investigating Patient Death After Ransomware Attack on Hospital

(September 10 & 17, 2020)

In the wake of a ransomware attack on its network, Dusseldorf University Hospital determined that it would not be equipped to conduct scheduled and outpatient procedures or offer emergency care. A patient with a life-threatening condition was rerouted to a different hospital, which resulted in treatment being delayed by an hour; the patient did not survive. German authorities are investigating the incident as negligent manslaughter.


[Editor Comments]


[Neely] While the result here is terrible, the take-away is to verify the viability of your contingency plans. Over the last six months we've been made painfully aware of our limitations in supporting a 100% remote workforce, and adapted accordingly. Now that we've got the mindset, apply that sort of thinking and review to DR plans and adjust where needed.


[Honan] Those organizations and Cyber Insurance companies who have made extortion payments to the criminals behind ransomware attacks have enabled these criminals to become better funded, more sophisticated, and more motivated. It's a sad reality that inevitably this evolution in criminals' capabilities would result in serious consequences. If your organization becomes a victim of ransomware, take a good look at the long-term consequences of what paying that ransom may have. You may get your data back, but others may pay a higher cost at a later stage.

 

[Murray] Not so much "negligent" as "reckless," that is unless one wants to charge the hospital with negligence. With the number of extortion attacks against the health care sector, it was only a matter of time until one would result in serious injury or death.  


Read more in:

Ars Technica: Patient dies after ransomware attack reroutes her to remote hospital

https://arstechnica.com/information-technology/2020/09/patient-dies-after-ransomware-attack-reroutes-her-to-remote-hospital/

ZDNet: First death reported following a ransomware attack on a German hospital

https://www.zdnet.com/article/first-death-reported-following-a-ransomware-attack-on-a-german-hospital/

Bleeping Computer: Ransomware attack at German hospital leads to death of patient

https://www.bleepingcomputer.com/news/security/ransomware-attack-at-german-hospital-leads-to-death-of-patient/

Uniklinik: Hospital currently only accessible to a very limited extent - patient care limited (in German)

https://www.uniklinik-duesseldorf.de/ueber-uns/pressemitteilungen/detail/krankenhaus-derzeit-nur-sehr-eingeschraenkt-erreichbar-patientenversorgung-eingeschraenkt

 
 

--NCSC Warns of Ransomware Attacks Against Education Sector

(September 17, 2020)

The UK's National Cyber Security Centre (NCSC) has issued an alert warning of an increasing number of ransomware attacks targeting schools and universities. The alert describes common ransomware infection vectors (phishing emails, Remote Desktop Protocol, and unpatched hardware and software vulnerabilities) and provides a list of suggested mitigations.


[Editor Comments]


[Neely] Increased distance learning and rapid adoption of technologies to support that has presented both a larger attack surface and increased opportunities for adversaries. This increased remote access heightens the need for diligent application of patches and verified security configurations for new and existing capabilities. Lastly, UAT activities, such as phishing exercises, must continue. Think twice before avoiding COVID-themed items as these are being actively used by adversaries.


[Honan] The NCSC has a great guide on combatting malware and ransomware which was recently updated and is available at https://www.ncsc.gov.uk/blog-post/rebooting-malware-and-ransomware-guidance. Europol also has excellent resources on dealing with ransomware at their NoMoreRansom website at https://www.nomoreransom.org.


Read more in:

NCSC: Alert: Targeted ransomware attacks on the UK education sector by cyber criminals

https://www.ncsc.gov.uk/news/alert-targeted-ransomware-attacks-on-uk-education-sector

The Register: GCHQ agency 'strongly urges' Brit universities, colleges to protect themselves after spike in ransomware infections

https://www.theregister.com/2020/09/17/ncsc_education_ransomware_warning/

ZDNet: Ransomware warning: Hackers are launching fresh attacks against universities

https://www.zdnet.com/article/ransomware-warning-hackers-are-launching-fresh-attacks-against-universities/

 
 

--Ransomware Attack Disrupts Online Learning for California School District

(September 15 & 17, 2020)

A ransomware attack affecting the network of the Newhall School District in Valencia, California, resulted in a temporary shutdown of remote learning. District servers remain shut down to allow a forensic investigation.


Read more in:

Threatpost: California Elementary Kids Kicked Off Online Learning by Ransomware

https://threatpost.com/california-elementary-kids-online-learning-ransomware/159319/

LA Times: Ransomware attack hits Newhall schools, halting online classes

https://www.latimes.com/california/story/2020-09-15/newhall-elementary-schools-ransomware-attack


 

--Adobe Patches Flaws in Media Encoder

(September 15 & 16, 2020)

Adobe has released an unscheduled update for Media Encoder to address "out-of-bounds read vulnerabilities that could lead to information disclosure in the context of the current user." The flaws affect Adobe Media Encoder versions 14.3.2 and earlier.


[Editor Comments]


[Neely] Adobe gives this update a priority of 3, meaning the product is historically not a target for attackers, and that updates can be applied at your discretion. While Creative Cloud users are likely already being prompted to update, make sure the update is added to your minimum baseline checks. Assess your install base when weighing the risks of patching now versus waiting for your October update cycle.


Read more in:

Bleeping Computer: Adobe releases out-of-band security update for Adobe Media Encoder

https://www.bleepingcomputer.com/news/security/adobe-releases-out-of-band-security-update-for-adobe-media-encoder/

ZDNet: Adobe out-of-band patch released to tackle Media Encoder vulnerabilities

https://www.zdnet.com/article/adobe-out-of-band-patch-released-to-tackle-media-encoder-vulnerabilities/

Adobe: Security Updates Available for Adobe Media Encoder | APSB20-57

https://helpx.adobe.com/security/products/media-encoder/apsb20-57.html

 

--BLESA: Bluetooth Low Energy Spoofing Attacks Vulnerability

(September 16, 2020)

Researchers from Purdue University have uncovered "design weaknesses" in the Bluetooth Low Energy protocol that could put devices at risk of spoofing attacks. The researchers note that "BLE requires limited or no user interaction to establish a connection between two devices." The weaknesses lie in the fact that "link-layer encryption/authentication is optional" and that authentication procedures can be circumvented.


[Editor Comments]


[Neely] Previous research revealed weaknesses in the pairing activities, and impacted both BTLE and traditional Bluetooth. This weakness takes advantage of the specification's provision for things to "just work," which allowed the reconnection to continue without the authentication. Exploiting the weakness requires physical proximity and network access. The weakness is not being exploited in the wild. Some vendors, such as Apple, have released a vendor-specific fix for this vulnerability, but not all vendors are expected to follow suit.


[Murray] So called "researchers" continue to disclose problems instead of recommending solutions.  


Read more in:

ZDNet: Billions of devices vulnerable to new 'BLESA' Bluetooth security flaw

https://www.zdnet.com/article/billions-of-devices-vulnerable-to-new-blesa-bluetooth-security-flaw/

Threatpost: Bluetooth Spoofing Bug Affects Billions of IoT Devices

https://threatpost.com/bluetooth-spoofing-bug-iot-devices/159291/

Friends: BLESA: Spoofing Attacks against Reconnections in Bluetooth Low Energy (PDF)

https://friends.cs.purdue.edu/pubs/WOOT20.pdf

 
 

--Apple iOS Security Updates

(September 16 & 17, 2020)

Apple has released updates for iOS and iPadOS. The newest versions - iOS 14 and iPadOS 14 - fix 11 security issues, including a privilege elevation vulnerability that can be exploited if users are manipulated into opening a maliciously-crafted file. Apple has also issued updates for Safari, tvOS, and watchOS.


[Editor Comments]


[Neely] Unlike last week's release of iOS 13.7, and 13.6 prior to that, which did not address any CVEs, iOS 14 does address 11 security issues, so you're going to want to require adoption of this version. Make sure that your MDM agent supports iOS 14; even so, you may need to push (or have users install) updated software on their devices prior to installing iOS 14. If you have been using the keychain to store passwords, the new password management functionality now includes breach notification and will alert you as to which of your account passwords have been compromised, as well as assist you in changing them.


Read more in:

Bleeping Computer: Hands on with iOS 14's new data breach notification feature

https://www.bleepingcomputer.com/news/apple/hands-on-with-ios-14s-new-data-breach-notification-feature/

Threatpost: Apple Bug Allows Code Execution on iPhone, iPad, iPod

https://threatpost.com/apple-bug-code-execution-iphone/159332/

support.apple: About the security content of iOS 14.0 and iPadOS 14.0

https://support.apple.com/en-us/HT211850

 

****************************************************************************


INTERNET STORM CENTER TECH CORNER


Traffic Analysis Quiz: Oh No... Another Infection

https://isc.sans.edu/forums/diary/Traffic+Analysis+Quiz+Oh+No+Another+Infection/26566/


Most Recent "Mirai" Bot Includes Code to Target Backups

https://isc.sans.edu/forums/diary/Do+Vulnerabilities+Ever+Get+Old+Recent+Mirai+Variant+Scanning+for+20+Year+Old+Amanda+Version/26572/


OSSEC Active Response

https://isc.sans.edu/forums/diary/Suspicious+Endpoint+Containment+with+OSSEC/26576/


Magento 1 Stores Targeted By Recent Attack

https://sansec.io/research/largest-magento-hack-to-date


Adobe Media Encoder Patch

https://helpx.adobe.com/security/products/media-encoder/apsb20-57.html


Zerologon Reminder

https://www.secura.com/pathtoimg.php?id=2055


Windows "Finger" Utility Abused

http://hyp3rlinx.altervista.org/advisories/Windows_TCPIP_Finger_Command_C2_Channel_and_Bypassing_Security_Software.txt


Apple Security Updates

https://support.apple.com/en-us/HT201222


Microsoft Patch for Office for Mac

https://docs.microsoft.com/en-us/officeupdates/release-notes-office-for-mac


VMWare Fusion Vulnerability

https://www.vmware.com/security/advisories/VMSA-2020-0020.html


NSA Secure Boot Configuration Guide (PDF)

https://media.defense.gov/2020/Sep/15/2002497594/-1/-1/0/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF/CTR-UEFI-SECURE-BOOT-CUSTOMIZATION-20200915.PDF


Microsoft Edge Warns Users of Adobe Flash End of Support

https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/


****************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a founder of Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create