SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #77
September 29, 2020
Largest Ever Ransomware Attack and More; $6.85M Penalty for HIPAA Data Breach Violation
Help the security community recognize unsung heroes of cybersecurity so that others can learn from their successes. Please nominate people and teams for the 2020 SANS Difference Makers Awards. Recipients will be recognized in a virtual broadcast in December. Choose people who deserve recognition for making meaningful progress in cybersecurity either by increasing security levels or by advancing security controls and processes to enable new business needs. Send nominations to trends@sans.org. Deadline: October 16. Full details on how to nominate at http://www.sans.org/cyber-innovation-awards
****************************************************************************
SANS NewsBites September 29, 2020 Vol. 22, Num. 077
****************************************************************************
THE TOP OF THE NEWS
Largest Ransomware Attack? UHS Hospital Network
Ransomware Impacts Many State and Local Governments: Tyler Technologies
School Data Leaked After Ransomware Demand is Not Paid
$6.85M Penalty for HIPAA Data Breach Violation
REST OF THE WEEK'S NEWS
Former Employee Sentenced for Damaging Company Computers
Microsoft Source Code Leaked
Twitter Fixes Caching Bug That May Have Exposed API Keys
Microsoft Pulls Azure Apps Being Used to Support Phishing Attacks
Student Arrested for Allegedly Launching Attacks Against Indiana School District System
911 Emergency Service Outages Affect Several US States
Microsoft Office 365 Outage
INTERNET STORM CENTER TECH CORNER
********************* Sponsored By Dtex Systems *****************************
DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks | Get the whitepaper now!
| http://www.sans.org/info/217750
****************************************************************************
CYBERSECURITY TRAINING UPDATE
New OnDemand Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/ondemand/course/cloud-penetration-testing
SEC760: Advanced Exploit Development for Penetration Testers
- https://www.sans.org/ondemand/course/advanced-exploit-development-penetration-testers
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Live Online Training Events and Summits
Cyber Defense Forum & Training - Live Online
Free Forum: Oct 9 | Training: Oct 12-17, CDT
- https://www.sans.org/event/cyber-defense-summit-2020
SANS Rocky Mountain Fall - Live Online Nov 2-7 MT
17 Interactive Courses | Virtual NetWars
- https://www.sans.org/event/rocky-mountain-fall-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
- https://www.sans.org/free
OnDemand Training Special Offer: Get an iPad mini, Surface Go, or Take $300 Off with qualified OnDemand courses through September 30.
- https://www.sans.org/ondemand/specials
****************************************************************************
TOP OF THE NEWS
--Largest Ransomware Attack? UHS Hospital Network
(September 28, 2020)
Universal Health Service (UHS) suffered a ransomware attack over the weekend. The attack prompted the organization to shut down systems at its healthcare facilities in the US. Reports from UHS employees indicate that facilities in several US states, including California, Texas, and Florida, were without access to phone systems and computers. Affected facilities are redirecting ambulances to other hospitals, and patients who require surgery are being transferred. A public statement from UHS says that its "IT Network across Universal Health Services (UHS) facilities is currently offline, due to an IT security issue."
Read more in:
Wired: A Ransomware Attack Has Struck a Major US Hospital Chain
https://www.wired.com/story/universal-health-services-ransomware-attack/
ZDNet: UHS hospital network hit by ransomware attack
https://www.zdnet.com/article/uhs-hospital-network-hit-by-ransomware-attack/
Bleeping Computer: UHS hospitals hit by reported country-wide Ryuk ransomware attack
https://www.bleepingcomputer.com/news/security/uhs-hospitals-hit-by-reported-country-wide-ryuk-ransomware-attack/
The Register: UK, US hospital computers are down, early unofficial diagnosis is a suspected outbreak of Ryuk ransomware
https://www.theregister.com/2020/09/28/united_health_services_ransomware/
SC Magazine: UHS confirms hospitals hit by cyberattack, some systems down
https://www.scmagazine.com/home/security-news/uhs-confirms-hospitals-hit-by-cyber-attack-some-systems-down/
UHSINC: Statement from Universal Health Services
https://www.uhsinc.com/statement-from-universal-health-services/
--Ransomware Impacts Many State and Local Governments: Tyler Technologies
(September 26 & 28, 2020)
A company that provides IT services to US state and local governments has confirmed that a cyber incident reported last week was a ransomware attack. Some Tyler Technologies customers have reported detecting suspicious logins. The company is urging its customers to change their passwords for remote access accounts.
[Editor Comments]
[Neely] Tyler Tech is still recovering from the attack, and their web site still only references compromise of internal resources. Those with a trusted connection to Tyler Tech should assess the risk of that connection in light of their current situation. Remote access accounts, including remote support accounts, need to be multi-factor to prevent access in a credential stealing attack. If you have a network trust relationship with a service provider, make sure you have incident response plans to include the assurance needed for the connection to continue, and disconnect it when that cannot be met.
Read more in:
ZDNet: Suspicious logins reported after ransomware attack on US govt contractor
https://www.zdnet.com/article/suspicious-logins-rats-reported-after-ransomware-attack-on-us-govt-contractor/
Bleeping Computer: Tyler Technologies warns clients to change remote support passwords
https://www.bleepingcomputer.com/news/security/tyler-technologies-warns-clients-to-change-remote-support-passwords/
Statescoop: Tyler Technologies confirms cyberattack was ransomware
https://statescoop.com/tyler-technologies-confirms-cyberattack-ransomware/
Reuters: Tyler Technologies says clients reported suspicious logins after hack
https://www.reuters.com/article/us-tyler-tech-cyber/tyler-technologies-says-clients-reported-suspicious-logins-after-hack-idUSKBN26H13I
Statescoop: Tyler Technologies customers report suspicious logins after ransomware attack
https://statescoop.com/tyler-customers-report-suspicious-logins-after-ransomware-attack-on-vendor/
Tylertech: Information on Tyler's Security Incident Response
https://www.tylertech.com/
--School Data Leaked After Ransomware Demand is Not Paid
(September 28 & 29, 2020)
Ransomware operators published data stolen from the Clark County (Nevada) School District after the district declined to pay the ransomware demand. The Clark County School District has 320,000 students; the leaked data include Social Security numbers, grades, and other personal information. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Northcutt] As schools increase dependence on technology and distance access in response to COVID, their exposure to attack also increases. Publishing the data marks an increase in the risk to school systems from availability (data on encrypted systems may be lost) to include confidentiality. Unauthorized school system data exposure could result in significant cleanup and legal costs.
[Neely] Ransomware operators are well aware of the impact of the adjustments made by educators in response to COVID, which has created new opportunities for attack. Mitigate risks by reviewing and updating security settings on new and legacy systems as well as making sure that UAT remains current and required to help users be vigilant and make good choices.
Read more in:
ZDNet: Nevada school district refuses to submit to ransomware blackmail, hacker publishes student data
https://www.zdnet.com/article/nevada-school-district-refuses-to-submit-to-ransomware-blackmail-hacker-responds-by-publishing-student-data/
WSJ: Hacker Releases Information on Las Vegas-Area Students After Officials Don't Pay Ransom (paywall)
https://www.wsj.com/articles/hacker-releases-information-on-las-vegas-area-students-after-officials-dont-pay-ransom-11601297930
--$6.85M Penalty for HIPAA Data Breach Violation
(September 28, 2020)
The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has imposed a financial penalty of $6.85 million on Premera Blue Cross for violating the Health Insurance Portability and Accountability Act (HIPAA). A 2014 data breach affected the protected health information (PHI) of 10.4 million patients. An OCR investigation of the breach found "systemic noncompliance" with HIPAA rules.
[Editor Comments]
[Neely] Whether you're assessing benefits providers or leveraging an outsource or cloud service for processing PHI, be sure to assess the HIPAA or HITRUST certifications of your service providers. Understand not only which certifications are in place, but how their compliance is monitored and corrected if needed. This is doubly important if you're creating a COVID testing lab as the state reporting requirements include a lot of PII & PHI which must be managed.
Read more in:
Infosecurity Magazine: OCR Imposes $6.85M Penalty Over Data Breach
https://www.infosecurity-magazine.com/news/ocr-imposes-685m-penalty-over-data/
******************************* SPONSORED LINKS ********************************
1) SIEM Optimization eBook: How to cut costs without sacrificing endpoint security observability
| http://www.sans.org/info/217765
2) Survey | Now Open: SANS 2021 CTI Survey. Take this survey and enter for a chance to win a $250 Amazon gift card.
| http://www.sans.org/info/217755
3) Webcast | Join us for "More than a Buzzword: How to Deliver on the Promise of Machine Learning," an upcoming webcast chaired by SANS Analyst Jake Williams. This webcast will discuss how you can get actual value from machine learning in real world cloud security deployments | September 30 @ 1:00 PM EDT
| http://www.sans.org/info/217760
****************************************************************************
THE REST OF THE WEEK'S NEWS
--Former Employee Sentenced for Damaging Company Computers
(September 24 & 25, 2020)
A US District Judge has sentenced a former tech support person to a year and a day in prison for accessing his former employer's computer system, deleting file storage drives, and changing the storage management system password. Shannon Stafford was also ordered to pay his former employer nearly $200,000 in restitution. Stafford was found guilty of intentional damage to a computer and attempted intentional damage to a computer. Stafford's responsibilities included "disabling company users' network access credentials at the end of their employment."
[Editor Comments]
[Neely] While the employee's account was disabled after he was terminated, he was able to use co-workers' accounts to access the systems, using his company-issued laptop, which he refused to return. Mitigate the risk of shared credentials by requiring multi-factor authentication, particularly to any privileged accounts. MDM systems can manage and wipe Windows and Mac laptops; leverage this capability just as you would for a lost or stolen smartphone/tablet to render it unable to access corporate resources, as well as delete any company data.
Read more in:
The Register: IT guy whose job was to stop ex-staff running amok on the network is jailed for running amok on the network
https://www.theregister.com/2020/09/25/it_support_jailed_storage/
Justice: Maryland Man Sentenced to Prison for Intentionally Damaging the Computers of His Former Employer
https://www.justice.gov/opa/pr/maryland-man-sentenced-prison-intentionally-damaging-computers-his-former-employer
--Microsoft Source Code Leaked
(September 25 & 26, 2020)
Source code for Microsoft Windows XP, Windows Server 2003, and other older operating systems has been leaked online. The data have been posted by a 4chan user. Microsoft is investigating the issue. It appears that much of what was made available was previously leaked material.
[Editor Comments]
[Neely] While most of this represents previously released code, it's still a risk if you're running the affected operating systems. At this point, you should only have Windows XP or Server 2003 in isolation, typically OT systems. Irrespective of the source code availability, those older operating systems should not be generally accessible as the security model is not sufficient, by itself, to withstand current attacks.
Read more in:
The Register: Microsoft claims to love open source - this alleged leak of Windows XP code is probably not what it had in mind, tho
https://www.theregister.com/2020/09/25/windowsxp_source_code_leak/
ZDNet: Windows XP source code leaked online, on 4chan, out of all places
https://www.zdnet.com/article/windows-xp-source-code-leaked-online-on-4chan-out-of-all-places/
Bleeping Computer: The Windows XP source code was allegedly leaked online
https://www.bleepingcomputer.com/news/microsoft/the-windows-xp-source-code-was-allegedly-leaked-online/
Security Week: Source Code of Windows XP, Server 2003 Allegedly Leaked
https://www.securityweek.com/source-code-windows-xp-server-2003-allegedly-leaked
Engadget: Windows XP source code leak sheds light on Microsoft's OS history
https://www.engadget.com/windows-xp-source-code-leak-170715593.html
--Twitter Fixes Caching Bug That May Have Exposed API Keys
(September 25 & 28, 2020)
Twitter has warned developers that a caching bug in developer.twitter.com may have exposed API keys and access tokens. Twitter says it has fixed the issue by changing caching instructions so that browsers will no longer store information about developer accounts or apps.
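As an added illustration (this is not Twitter's code, nor a description of its actual fix), the following Python shows the distinction this item turns on: a page that renders API keys or access tokens must carry Cache-Control: no-store, because per the HTTP caching rules no-cache alone only forces revalidation and still lets the browser keep a copy on disk. The path prefixes, header values and sample response below are constructed for the example.

```python
# Added example: marking responses that carry secrets as non-cacheable, and
# auditing whether a given response may end up in the browser cache.
# Path prefixes and header values are constructed, not taken from any vendor.

# Constructed: URL prefixes under which pages display keys or tokens.
SENSITIVE_PREFIXES = ("/apps/", "/account/")

# Only "no-store" forbids a cache from keeping a copy; "no-cache" merely
# forces revalidation and "private" only keeps shared caches out.
NO_STORE_DIRECTIVES = "no-store, no-cache, must-revalidate, max-age=0"


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: argument or True}."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if arg else True
    return directives


def _get_header(headers, name):
    """Case-insensitive lookup over a plain dict of response headers."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def browser_may_store(headers):
    """True if a browser cache is permitted to persist this response body."""
    directives = parse_cache_control(_get_header(headers, "Cache-Control"))
    return "no-store" not in directives


def harden_headers(path, headers):
    """Return a copy of the headers with caching disabled on sensitive paths."""
    hardened = dict(headers)
    if not path.startswith(SENSITIVE_PREFIXES):
        return hardened
    # drop any existing caching headers regardless of their letter case
    for key in [k for k in hardened if k.lower() in ("cache-control", "pragma", "expires")]:
        del hardened[key]
    hardened["Cache-Control"] = NO_STORE_DIRECTIVES
    hardened["Pragma"] = "no-cache"   # for HTTP/1.0 intermediaries
    hardened["Expires"] = "0"
    return hardened


# Constructed "before" response for a page that renders an app's keys: the
# framework default lets the browser keep the rendered page for an hour.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "public, max-age=3600",
}


def audit(path, headers):
    """Report whether a response for `path` can be retained by the browser."""
    return {"path": path, "stored_by_browser": browser_may_store(headers)}


if __name__ == "__main__":
    key_page = "/apps/12345/keys"  # constructed path
    print(audit(key_page, WEAK_RESPONSE))
    print(audit(key_page, harden_headers(key_page, WEAK_RESPONSE)))
```

The audit function is the part worth wiring into a test suite: run it against every route that renders credentials and fail the build when `stored_by_browser` is true, which catches a framework default quietly re-enabling caching.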
Read more in:
Threatpost: Twitter Warns Developers of API Bug That Exposed App Keys, Tokens
https://threatpost.com/twitter-bug-api-keys-tokens/159591/
ZDNet: Twitter warns of possible API keys leak
https://www.zdnet.com/article/twitter-warns-of-possible-api-keys-leak/
SC Magazine: Twitter bug may have exposed API keys, access tokens
https://www.scmagazine.com/home/security-news/twitter-bug-may-have-exposed-api-keys-access-tokens/
Bleeping Computer: Twitter is warning devs that API keys and tokens may have leaked
https://www.bleepingcomputer.com/news/security/twitter-is-warning-devs-that-api-keys-and-tokens-may-have-leaked/
--Microsoft Pulls Azure Apps Being Used to Support Phishing Attacks
(September 24, 26, & 27, 2020)
Microsoft has pulled 18 Azure Active Directory apps after determining that they were components of a command-and-control structure supporting malicious activity of China-based cyberthreat actors. The apps were being used to help the group launch phishing attacks.
[Editor Comments]
[Pescatore] All of the major cloud service providers (AWS, Google, Microsoft) and other "platform" providers (like Zoom) have application marketplaces that are like the App Stores that Apple and Google have for iPhones and Android phones. However, the level of security testing done by the cloud vendors before allowing an app to be sold through the cloud marketplaces varies widely across the CSPs and changes frequently. Malicious actors can simply host their malware on cloud instances without going through the marketplace - and the CSPs have varying track records of detecting and removing/blocking those malicious customer apps. The level of security testing of marketplace apps and security monitoring of hosted app activity should be key questions when security is part of cloud platform evaluation.
Read more in:
Microsoft: Microsoft Security--detecting empires in the cloud
https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/
Security Week: Microsoft Says China-Linked Hackers Abused Azure in Attacks
https://www.securityweek.com/microsoft-says-china-linked-hackers-abused-azure-attacks
GovInfosecurity: Microsoft Shutters Azure Apps Used by China-Linked Hackers
https://www.govinfosecurity.com/microsoft-shutters-azure-apps-used-by-china-linked-hackers-a-15069
--Student Arrested for Allegedly Launching Attacks Against Indiana School District System
(September 25, 2020)
Authorities in Indiana have arrested a 13-year-old middle school student in connection with a series of cyberattacks against the computer network of the Valparaiso School District. The student is believed to be responsible for a string of attacks that disrupted remote learning activities.
Read more in:
Infosecurity Magazine: Student Arrested Over Cyber-attacks on Indiana Schools
https://www.infosecurity-magazine.com/news/student-arrested-over-school/
--911 Emergency Service Outages Affect Several US States
(September 29, 2020)
At least 14 US states reported outages of 911 emergency service lines on Monday, September 28. Most of the systems are now operational. The outages were reported in Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Missouri, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania, and Washington.
[Editor Comments]
[Pescatore] Not enough data yet to definitively state the cause, but so far looks like an example of "aggregation risk" - many different players using the same provider are impacted when that provider (whether Microsoft or the Public Service Answering Point vendor) suffers an outage. Part of supply chain security is determining how many critical suppliers use common services that increase your exposure to aggregation risk.
[Neely] If your business has implemented its own 911 service connection, or you host an emergency response center, understand the load and fail-over capabilities and make sure they fit your service level expectations for life/safety response. Beyond multi-path connections, and secure SIP, look at fail-over to a PSTN service.
Read more in:
ZDNet: 911 services down in multiple US states
https://www.zdnet.com/article/911-services-down-in-multiple-us-states/
The Hill: 911 outages reported nationwide
https://thehill.com/blogs/blog-briefing-room/news/518684-911-outages-reported-nationwide
--Microsoft Office 365 Outage
(September 28, 2020)
A Microsoft Office 365 outage on Monday, September 28 affected users in the US and Australia. The outage started at 21:25 UTC. Microsoft first attempted to fix the problem by rolling back a change identified as causing the outage, but the rollback did not resolve the problem. Microsoft then began "rerouting traffic to alternate systems to provide further relief to the affected users." As of 4:00 UTC Tuesday, September 29, Microsoft says the issue has been resolved.
[Editor Comments]
[Neely] This manifested itself as an inability to log in, and disconnected services unless your authentication token was still valid. The default token life is 14 days. Users may have to reauthenticate or restart impacted applications.
Read more in:
Bleeping Computer: Microsoft Office 365 is down in the USA, shows 'transient' error
https://www.bleepingcomputer.com/news/microsoft/microsoft-office-365-is-down-in-the-usa-shows-transient-error/
ZDNet: Office 365 outage with roll back failure ends after more than six hours
https://www.zdnet.com/article/office-365-outage-ongoing-after-roll-back-fails/
****************************************************************************
INTERNET STORM CENTER TECH CORNER
Securing Exchange Online
https://isc.sans.edu/forums/diary/Securing+Exchange+Online+Guest+Diary/26600/
Decoding Corrupt BASE64
https://isc.sans.edu/forums/diary/Decoding+Corrupt+BASE64+Strings/26606/
Some Tyler Technologies Customers Targeted after Breach
https://isc.sans.edu/forums/diary/Some+Tyler+Technologies+Customers+Targeted+with+The+Installation+of+a+Bomgar+Client/26610/
Obfuscated PowerShell Backdoor
https://isc.sans.edu/forums/diary/PowerShell+Backdoor+Launched+from+a+ShellCode/26602/
Fortinet VPN Default Setting Problem
https://securingsam.com/breaching-the-fort/
Single Use Credit Cards Numbers
https://www.helpnetsecurity.com/2020/09/25/privacy-cards/
QNAP Fixes AgeLocker Vulnerability in Photo Station
https://www.qnap.com/de-de/security-advisory/qsa-20-06
TrendMicro Apex One Vulnerability
https://success.trendmicro.com/product-support/apex-one
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create