SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #75
September 22, 2020
NSA and FERC/NERC Issue Extremely Valuable Security Guides; CISA Emergency Directive on Windows
******************************************************************************
SANS NewsBites September 22, 2020 Vol. 22, Num. 075
******************************************************************************
THE TOP OF THE NEWS
NSA Cybersecurity Information Sheets
FERC/NERC Report Looks at Electric Utility Cyber Incident Response
CISA Emergency Directive on Windows Server Vulnerability
REST OF THE WEEK'S NEWS
Researchers: Rampant Kitten Hacking Campaign Uses an Arsenal of Data-Stealing Malware
Hijacking Flaw in Firefox for Android is Fixed in Version 79
Internet Archive and Cloudflare Collaborate to Archive More Website Content
Another Patch for Discount Rules for WooCommerce WordPress Plugin
Jekyll Island Authority Systems Hit with Ransomware
Ransomware Operators Stole Data from ArbiterSports
INTERNET STORM CENTER TECH CORNER
************************ Sponsored By Exabeam ******************************
Thirty percent of data breaches involve internal actors, yet many organizations have difficulties detecting insider threats, because the threat actor is using a trusted identity and has legitimate access to its systems and data. Join Exabeam for this September 29th webinar, in order to learn actionable tips to get ahead of insiders. | http://www.sans.org/info/217700
******************************************************************************
CYBERSECURITY TRAINING UPDATE
New OnDemand Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/ondemand/course/cloud-penetration-testing
SEC760: Advanced Exploit Development for Penetration Testers
- https://www.sans.org/ondemand/course/advanced-exploit-development-penetration-testers
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Live Online Training Events and Summits
Cyber Defense Forum & Training - Live Online
Free Forum: Oct 9 | Training: Oct 12-17, CDT
- https://www.sans.org/event/cyber-defense-summit-2020
SANS Rocky Mountain Fall - Live Online Nov 2-7 MT
17 Interactive Courses | Virtual NetWars
- https://www.sans.org/event/rocky-mountain-fall-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
OnDemand Training Special Offer: Get an iPad mini, Surface Go, or Take $300 Off with qualified OnDemand courses through September 30.
- https://www.sans.org/ondemand/specials
******************************************************************************
TOP OF THE NEWS
--NSA Cybersecurity Information Sheets
(September 21, 2020)
The US National Security Agency (NSA) has published two cybersecurity information sheets. The first, "Compromised Personal Network Indicators and Mitigations," is for government teleworkers; it "provides guidance to users who have received authorization to connect GFE (government furnished equipment) to personal networks." The second document, "Performing Out-of-Band Network Management," provides information for system admins on isolating management traffic from operational traffic.
[Editor Comments]
[Neely] There is information in the first document we can all leverage, as we are all connecting assets to a personal or other non-company-managed network; it provides IoCs and mitigations for home users, including aggressive measures if your home network is actively compromised. The second document not only outlines out-of-band management practices, it also provides alternatives for either physical or virtual separation, which help raise the bar on corporate IT devices and services.
[Honan] Excellent resources.
Read more in:
Security Week: NSA Issues Cybersecurity Guidance for Remote Workers, System Admins
https://www.securityweek.com/nsa-issues-cybersecurity-guidance-remote-workers-system-admins
Defense: Compromised Personal Network Indicators and Mitigations (PDF)
Defense: Performing Out-of-Band Network Management (PDF)
--FERC/NERC Report Looks at Electric Utility Cyber Incident Response
(September 21, 2020)
A report from the U.S. Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) outlines best practices for cybersecurity incident response. The report is based on information gleaned from the cybersecurity incident response plans of eight US utilities.
[Editor Comments]
[Neely, Murray, Honan] This is a great source of best practices and successes. Leverage this report to see if you've missed anything, as well as a source for solutions you may not have derived on your own, possibly facilitating that "ah ha!" moment.
[Pescatore] Good to see FERC/NERC highlighting common successful practices across very individual security programs of the eight utilities interviewed. There is no shortage of information about failures in security - finding out how others have overcome the barriers to higher levels of security is what is needed. During my years at Gartner, Case Study research notes were among the highest page views of all Gartner documents and here at SANS the What Works program continues that approach. The value is not in "I never thought of doing that," it is in the "Oh, that is how they were able to do that."
Read more in:
Security Week: FERC, NERC Conduct Study on Cyber Incident Response at Electric Utilities
https://www.securityweek.com/ferc-nerc-conduct-study-cyber-incident-response-electric-utilities
Smart Energy: Cybersecurity incident response - best practices from the US
CMSA FERC: Cyber Planning for Response and Recovery Study (CYPRES) (PDF)
https://cms.ferc.gov/sites/default/files/2020-09/FERC%26NERC_CYPRES_Report.pdf
--CISA Emergency Directive on Windows Server Vulnerability
(September 18, 20, & 21, 2020)
On Friday, September 18, the US's Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive ordering federal agencies to patch a critical vulnerability in Windows Server for which Microsoft issued a fix in August. The flaw, CVE-2020-1472 (widely known as Zerologon), lies in an Active Directory authentication component, the Microsoft Windows Netlogon Remote Protocol (MS-NRPC). Agencies have been directed to "update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020." The privilege elevation vulnerability has been given a CVSS score of 10.
[Editor Comments]
[Neely] The flaw can be leveraged for an unauthenticated attacker to obtain administrative privileges on your domain controller. Double check that you applied the update to all your Domain Controllers. The fix applies to Windows Server 2008 or later. Next, build a plan for the required post-patch activities prior to the Q1 2021 DC enforcement phase to avoid devices losing access: https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc
[Murray] We are at the point where most enterprises should apply Windows patches by default. The risk of not doing so now exceeds that of applying without testing for their impact on applications.
Read more in:
ZDNet: US govt orders federal agencies to patch dangerous Zerologon bug by Monday
FCW: CISA orders agencies to patch dire Window flaw
https://fcw.com/articles/2020/09/21/cisa-windows-flaw-federal-networks.aspx
The Register: US Cybersecurity agency issues super-rare Emergency Directive to patch Windows Server flaw ASAP
https://www.theregister.com/2020/09/21/cisa_zerologon_emergency_directive/
Cyberscoop: CISA orders agencies to quickly patch critical Netlogon bug
https://www.cyberscoop.com/cisa-netlogon-microsoft-vulnerability-emergency/
SC Magazine: Critical Zerologon bug uses weak cryptography to spoof network users
Cyber.DHS: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday
https://cyber.dhs.gov/ed/20-04/
MSRC: CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
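As an added check (example code written for this issue, not from CISA, Microsoft, or the newsletter), the following PowerShell surveys every domain controller for the state that Microsoft's KB4557222 article uses to track the post-patch phases: Netlogon event IDs 5827/5828 (vulnerable secure channel connection denied), 5829 (vulnerable connection allowed during the initial deployment phase, i.e. the clients that will break once enforcement starts), 5830/5831 (allowed because of a group policy exception), and the FullSecureChannelProtection registry value that switches a DC into enforcement mode early. It assumes the ActiveDirectory RSAT module and WinRM access to each DC; the seven-day look-back and the position of the SamAccountName field in the 5829 event are the example's own assumptions.

```powershell
# Added example (not from the newsletter, CISA or Microsoft): survey every DC for the
# Netlogon post-patch state that KB4557222 describes for CVE-2020-1472.
# Assumes the ActiveDirectory RSAT module and WinRM access to each domain controller.
Import-Module ActiveDirectory

$lookback = (Get-Date).AddDays(-7)   # assumption: a week of logs is enough to see every client
$dcs = (Get-ADDomainController -Filter *).HostName

$report = Invoke-Command -ComputerName $dcs -ArgumentList $lookback -ScriptBlock {
    param($since)

    # These event IDs only exist on a DC that has the August 2020 (or later) Netlogon update:
    # 5827/5828 = vulnerable connection denied, 5829 = allowed (deployment phase),
    # 5830/5831 = allowed because of a group policy exception.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'NETLOGON'
        Id = 5827, 5828, 5829, 5830, 5831; StartTime = $since
    } -ErrorAction SilentlyContinue

    # FullSecureChannelProtection = 1 puts the DC into enforcement mode ahead of the
    # Q1 2021 enforcement phase; absent or 0 means deployment-phase behaviour.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
                               -ErrorAction SilentlyContinue

    # Assumption: the first inserted string of a 5829 event is the client machine's SamAccountName.
    $vulnerableClients = $events |
        Where-Object { $_.Id -eq 5829 } |
        ForEach-Object { $_.Properties[0].Value } |
        Sort-Object -Unique

    [pscustomobject]@{
        DomainController          = $env:COMPUTERNAME
        NetlogonAuditEvents       = ($events | Measure-Object).Count
        Denied_5827_5828          = ($events | Where-Object { $_.Id -in 5827, 5828 } | Measure-Object).Count
        AllowedByPolicy_5830_5831 = ($events | Where-Object { $_.Id -in 5830, 5831 } | Measure-Object).Count
        EnforcementModeRegValue   = $params.FullSecureChannelProtection
        ClientsNeedingAttention   = ($vulnerableClients -join ', ')
    }
}

$report | Sort-Object DomainController | Format-Table -AutoSize

# Zero events is consistent with both an unpatched DC and a patched DC whose clients are all
# compliant, so silence is not proof either way: confirm the update from the installed-updates
# list on those hosts rather than inferring it from the log.
$report | Where-Object { $_.NetlogonAuditEvents -eq 0 } | ForEach-Object {
    Write-Warning "$($_.DomainController): no Netlogon 58xx events in the look-back window; verify the August 2020 update directly"
}
```

Any name that shows up under ClientsNeedingAttention (typically non-Windows devices or appliances that talk Netlogon RPC without secure RPC) is the post-patch work Neely refers to: fix or replace the device, or explicitly exempt its machine account via the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy before enforcement mode arrives.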
***************************** SPONSORED LINKS ******************************
1) Webinar | Thursday, September 24th @ 3:30PM BST (10:30AM EDT) | SANS on Elastic Security: Discover the integration of endpoint security into the new Elastic Agent. Featuring John Pescatore, SANS Director of Emerging Trends, along with industry experts Mike Nichols & James Spiteri from Elastic Security.
| http://www.sans.org/info/217690
2) Survey | Now Open: SANS 2021 CTI Survey. Take this survey and enter for a chance to win a $250 Amazon gift card.
| http://www.sans.org/info/217695
3) DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks| Get the whitepaper now!
| http://www.sans.org/info/217705
******************************************************************************
REST OF THE NEWS
--Researchers: Rampant Kitten Hacking Campaign Uses an Arsenal of Data-Stealing Malware
(September 18 & 21, 2020)
Researchers at Check Point have detected a long-standing surveillance campaign used by Iranian entities to target dissidents and expatriates. Dubbed Rampant Kitten, the campaign employs malware to steal information, including two-factor authentication (2FA) SMS codes, take screenshots, and record sounds near infected devices.
[Editor Comments]
[Murray] The CheckPoint blog notes that most of the targets of this campaign are "Iranian Nationals" (and a few neighbors), those seen as opponents of the regime. While the blog did point to tools (including CheckPoint products) useful for resisting this campaign, this editor was unable to find indicators of compromise (IOCs). The investigation is of interest, but this campaign does not represent a risk for most of our readers.
Read more in:
Check Point: RampantKitten: An Iranian Surveillance Operation unraveled
https://blog.checkpoint.com/2020/09/18/rampantkitten-an-iranian-surveillance-operation-unraveled/
Ars Technica: Telegram messages are a focus in newly uncovered hack campaign from Iran
ZDNet: Iranian hacker group developed Android malware to steal 2FA SMS codes
https://www.zdnet.com/article/iranian-hacker-group-developed-android-malware-to-steal-2fa-sms-codes/
Threatpost: Android Malware Bypasses 2FA And Targets Telegram, Gmail Passwords
https://threatpost.com/android-2fa-telegram-gmail/159384/
--Hijacking Flaw in Firefox for Android is Fixed in Version 79
(September 18 & 21, 2020)
Firefox for Android users are urged to update their apps to version 79 or newer to protect the browser from being hijacked. An attacker on the same Wi-Fi network as someone running a vulnerable version of Firefox for Android could force the browser to open an attacker-chosen URL in a new window, without any interaction from the user. The issue lies in the browser's Simple Service Discovery Protocol (SSDP) engine, which is used to discover devices for casting.
Read more in:
ZDNet: Firefox bug lets you hijack nearby mobile browsers via WiFi
https://www.zdnet.com/article/firefox-bug-lets-you-hijack-nearby-mobile-browsers-via-wifi/
Threatpost: Firefox for Android Bug Allows 'Epic Rick-Rolling'
https://threatpost.com/firefox-android-bug-rick-rolling/159397/
--Internet Archive and Cloudflare Collaborate to Archive More Website Content
(September 17 & 18, 2020)
A partnership between the Internet Archive and Cloudflare will automatically archive content of websites that use Cloudflare's Always Online service. The Always Online feature serves cached static versions of websites when the sites are experiencing downtime. The partnership will help increase the number of sites the Internet Archive's Wayback Machine archives.
Read more in:
Wired: The Wayback Machine and Cloudflare Want to Backstop the Web
https://www.wired.com/story/cloudflare-internet-archive-wayback-machine/
Ars Technica: Wayback Machine and Cloudflare team up to archive more of the Web
--Another Patch for Discount Rules for WooCommerce WordPress Plugin
(September 17 & 18, 2020)
The developers of the Discount Rules for WooCommerce WordPress plugin have released an update to address a pair of high-severity cross-site scripting vulnerabilities. This is the third time that updates have been issued to address the flaws; two earlier versions did not sufficiently fix the problem. Users are urged to update to version 2.2.1.
[Editor Comments]
[Neely] There were three separate updates to the rules as incremental fixes were quickly released, rather than delaying to only release the comprehensive fix; make sure you have the latest which fully addresses the problem. Initial exploits were possible as a parameter could be changed to move to the less secure v1 code base, either by request manipulation or CSRF. Both exploit paths are closed. If you're relying on the free Wordfence firewall, rules were released September 19th and 20th. Rules for the paid version were released 30 days previously.
[Murray] It is now routine to identify vulnerabilities in WordPress Plug-ins. Many of these remain unpatched, in part because the decision to include the plug-in was made casually, at a low-level of management, and was not documented. Said another way, no one is responsible for knowing what plug-ins are in use, much less for patching them. If you are using WordPress, identify and minimize the plug-ins that are in place, and monitor announcements about those that you continue to use.
Read more in:
Threatpost: Stubborn WooCommerce Plugin Bugs Gets Third Patch
https://threatpost.com/woocommerce-plugin-bug-allows-site-takeover/159364/
Wordfence: High-Severity Vulnerabilities Patched in Discount Rules for WooCommerce
--Jekyll Island Authority Systems Hit with Ransomware
(September 16, 2020)
The Jekyll Island Authority (JIA) has acknowledged that its network was hit with a ransomware attack last week. (Jekyll Island is located off the coast of the US state of Georgia.) The JIA executive director said, "All of our computer systems ... were impacted, and it's a very serious situation." JIA employed a third-party IT services provider that is working on restoring JIA systems.
Read more in:
GovTech: Jekyll Island Authority Targeted by Ransomware Attack
https://www.govtech.com/security/Jekyll-Island-Authority-Targeted-by-Ransomware-Attack.html
--Ransomware Operators Stole Data from ArbiterSports
(September 21, 2020)
ArbiterSports has acknowledged that its network suffered a ransomware attack in July. According to its website, "ArbiterSports provides a complete suite of tools and technology that caters to the needs of Assigners, Coordinators, Business Offices, Game officials and Athletic or Federal Program Directors." The company said that the attackers stole data belonging to 540,000 users. Although ArbiterSports paid the demanded ransom and the hackers said they deleted the stolen files, there is no guarantee that the information is not still in their possession.
Read more in:
ZDNet: Details of 540,000 sports referees taken in failed ransomware attack
https://www.zdnet.com/article/details-of-540000-sports-referees-taken-in-failed-ransomware-attack/
******************************************************************************
INTERNET STORM CENTER TECH CORNER
A Mix of Python and VBA in a Malicious Word Document
https://isc.sans.edu/forums/diary/A+Mix+of+Python+VBA+in+a+Malicious+Word+Document/26578/
Salesforce Phish
https://isc.sans.edu/forums/diary/Analysis+of+a+Salesforce+Phishing+Emails/26582/
Slightly Broken Overlay Phishing
https://isc.sans.edu/forums/diary/Slightly+broken+overlay+phishing/26586/
Google App Engine Used in Phishing Attacks
Sysmon Adds Clipboard Monitoring
https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
Windows Defender No Longer Able to Download Files
MacOS Code Injection via Third Party Frameworks
https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks
Snort/ClamAV Cobalt Strike Detection
https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create