SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #79
October 6, 2020
Ransomware IS the Story
****************************************************************************
SANS NewsBites October 6, 2020 Vol. 22, Num. 079
****************************************************************************
THE TOP OF THE NEWS
Europol: Ransomware Attacks are Going Unreported
Ransomware Attack Affects Software Used in COVID Treatment Clinical Trials
NJ Hospital Paid Ransom to Stop More Data from Being Leaked
REST OF THE WEEK'S NEWS
Microsoft Provides More Information About Last Week's Office 365 Outage
FBI: Chinese Hackers Targeting Users with US Government Security Clearances
Telstra Apologizes for Inadvertent BGP Hijacking
Visa Security Alert: New Malware Samples Found in Point-of-Sale Terminal Compromises
Ttint Botnet Exploits Unpatched Flaws in Tenda Routers
WordPress: Vulnerabilities Fixed in Post Grid and Team Showcase Plugins
International Maritime Organization Hit by Cyberattack
"Technical Issue" Delays Reporting of COVID Test Results in England
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Snyk **********************************
Webcast | Tune in for our upcoming webcast, "Prioritizing the security backlog" to learn how Snyk helps organizations drive effective prioritization decisions by providing development and security teams with a suite of developer-first prioritization capabilities | October 15 @ 10:30 AM EST
| http://www.sans.org/info/217810
****************************************************************************
CYBERSECURITY TRAINING UPDATE
New OnDemand Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/ondemand/course/cloud-penetration-testing
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Live Online Training Events and Summits
SANS DFIRCON 2020 - Live Online
Nov 2-7 EST | 9 DFIR Courses | Virtual DFIR NetWars
- https://www.sans.org/event/dfircon-2020-live-online
Pen Test HackFest - Live Online
Nov 16-21 EST | 15 Courses | Summit @Night Bonus Sessions
- https://www.sans.org/event/pen-test-hackfest-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
- https://www.sans.org/free
OnDemand Training Special Offer: Get an iPad (32 G), Galaxy Tab S5e, or Take $250 Off with qualified OnDemand courses through October 14.
- https://www.sans.org/ondemand/specials
****************************************************************************
TOP OF THE NEWS
--Europol: Ransomware Attacks are Going Unreported
(October 5, 2020)
According to a report from Europol, many ransomware attacks are not reported to police. In some cases, organizations targeted by ransomware bring in "private sector security firms" to manage the response to the attack. The Internet Organised Crime Threat Assessment 2020 "provides a unique law enforcement focused assessment of emerging challenges and key developments in the area of cybercrime."
[Editor Comments]
[Murray] However an enterprise elects to deal with a compromise resulting in extortion demands, and even though most will never be investigated by law enforcement, they should all be reported via the Internet Crime Complaint Center (IC3). This is about intelligence, not law enforcement. It is essential that we measure the threat rate, sources, and methods.
Read more in:
ZDNet: Ransomware victims aren't reporting attacks to police. That's causing a big problem
https://www.zdnet.com/article/ransomware-victims-arent-reporting-attacks-to-police-thats-causing-a-big-problem/
Europol: Internet Organised Crime Threat Assessment (IOCTA) 2020
https://www.europol.europa.eu/activities-services/main-reports/internet-organised-crime-threat-assessment-iocta-2020
--Ransomware Attack Affects Software Used in COVID Treatment Clinical Trials
(October 3 & 5, 2020)
A ransomware attack affecting eResearchTechnology (ERT) has impacted clinical trials of potential COVID treatments. ERT sells software that is used in clinical trials. The attack did not affect the patients participating in the trials, but organizations using the software were unable to access their digital data and resorted to recording information with pen and paper.
[Editor Comments]
[Neely] COVID related activities remain a target of ransomware operators. With the intense pressure to deliver a cure, your support for your users to help them continue to make good choices is critical, both through training and technical countermeasures. Also watch for attempts to exfiltrate data, including IP related to the security measures being developed to counter the threat. Verify externally facing and collaboration services remain securely configured and monitor for unauthorized access.
Read more in:
NYT: Clinical Trials Hit by Ransomware Attack on Health Tech Firm
https://www.nytimes.com/2020/10/03/technology/clinical-trials-ransomware-attack-drugmakers.html
Infosecurity Magazine: Ransomware Disrupts COVID-19 Medical Trials
https://www.infosecurity-magazine.com/news/ransomware-disrupts-covid19/
--NJ Hospital Paid Ransom to Stop More Data from Being Leaked
(October 3, 2020)
A hospital in New Jersey paid ransomware operators $670,000 to not publish data they had stolen during a ransomware attack that took place in early September. University Hospital New Jersey (UHNJ) in Newark, NJ, paid the demanded ransom after the ransomware actors published 48,000 documents they had stolen in September. The ransomware operators agreed to provide UHNJ with a decryption key, a security report, the stolen data, and a promise not to attack the hospital again.
[Editor Comments]
[Murray] Note that the breach of this enterprise and the exfiltration of this data took time measured in days, not minutes or hours. Enterprises should have measures in place to detect breaches and remedy them in hours, not days.
Read more in:
Bleeping Computer: New Jersey hospital paid ransomware gang $670K to prevent data leak
https://www.bleepingcomputer.com/news/security/new-jersey-hospital-paid-ransomware-gang-670k-to-prevent-data-leak/
******************************* SPONSORED LINKS ********************************
1) DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks | Get the whitepaper now!
| http://www.sans.org/info/217825
2) Survey | Calling all CTI gurus! Take the SANS 2021 CTI Survey and enter for a chance to win a $250 Amazon gift card.
| http://www.sans.org/info/217815
3) Webcast | Join us for an upcoming webcast hosted by Microsoft titled, "Stop attacks and reduce security operations workload with automated cross-domain (XDR) security" | October 15 @ 1:00 PM EDT
| http://www.sans.org/info/217820
****************************************************************************
THE REST OF THE WEEK'S NEWS
--Microsoft Provides More Information About Last Week's Office 365 Outage
(September 28, October 1 & 2, 2020)
According to a preliminary report from Microsoft, last week's Office 365 outage was caused by an improperly deployed Azure Active Directory (AD) service update. The September 28 outage prevented users from accessing Microsoft apps and services for several hours.
[Editor Comments]
[Pescatore] Most Azure services have an SLA of 99.9% availability but with many limitations, specific definitions, and other contractual language. Service levels that don't meet the terms enable your company to claim credits, but they generally don't happen automatically. Bottom line is that cloud SLAs do not really cover outage costs and continuity plans have to be in place (and periodically tested) for all critical cloud services.
[Neely] As John says, make sure you understand the SLA for your cloud and outsourced service providers. Monitor services to ensure the service levels are met and provide evidence for requesting credits or other compensation. Also keep an eye on costs associated with service monitoring to make sure they don't exceed actual returns.
[Murray] Changes to such systems should be applied at a measured rate and in such a way that they can be easily backed off if they cause a problem.
Read more in:
ZDNet: Microsoft's Azure AD authentication outage: What went wrong
https://www.zdnet.com/article/microsofts-azure-ad-authentication-outage-what-went-wrong/
Bleeping Computer: Microsoft explains the cause of the recent Office 365 outage
https://www.bleepingcomputer.com/news/microsoft/microsoft-explains-the-cause-of-the-recent-office-365-outage/
status.azure: 9/28: RCA - Authentication errors across multiple Microsoft services and Azure Active Directory integrated applications (Tracking ID SM79-F88)
https://status.azure.com/en-us/status/history/
--FBI: Chinese Hackers Targeting Users with US Government Security Clearances
(October 2020)
The FBI is warning that hackers with ties to China's government are targeting individuals with US government security clearances through social media sites. The FBI's advisory includes a list of indicators that you are being targeted and suggested steps to take to protect yourself.
[Editor Comments]
[Neely] Foreign agents targeting cleared individuals is nothing new; making the indicators and steps readily available is a nice assist from the FBI. They are valuable whether or not you have a security clearance. If you have a social media presence, as most of us do, reviewing account settings and ensuring you're only connecting with known or legitimate contacts needs to be SOP.
Read more in:
FBI: The China Threat: Foreign Intelligence Services Use Social Media Sites to Target People with Security Clearances
https://www.fbi.gov/investigate/counterintelligence/the-china-threat/clearance-holders-targeted-on-social-media-nevernight-connection
--Telstra Apologizes for Inadvertent BGP Hijacking
(October 2, 2020)
Australian telecommunications company Telstra has apologized for a technical error that caused some traffic bound for the ProtonMail encrypted mail service to be diverted through Telstra's servers. The inadvertent Border Gateway Protocol (BGP) hijacking occurred when "a technical error early on Wednesday morning (AEST) [caused] approximately 500 IPv4 prefixes [to be] incorrectly advertised as Telstra's." Once Telstra realized what was happening, they fixed the problem.
[Editor Comments]
[Neely] While movement to a standard like RPKI, which would cause changes to routing to be verified before problems arise, is needed, according to the NIST RPKI monitor, only about 23% of unique IPv4 prefix/origin pairs are using it. https://rpki-monitor.antd.nist.gov/
Read more in:
The Register: Aussie telco Telstra says soz after accidentally diverting traffic meant for encrypted email biz through its servers
https://www.theregister.com/2020/10/02/protonmail_telstra_bgp_hijack/
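The editor comment above refers to RPKI as the mechanism that lets a router reject a prefix announced by the wrong origin AS before traffic is diverted. The following Python script is an added illustration of that check (RFC 6811 route origin validation) and is not code from SANS NewsBites, Telstra, ProtonMail or NIST. The ROAs and announcements are constructed from documentation address space (192.0.2.0/24, 198.51.100.0/24, 2001:db8::/32) and private-use ASNs, and the mis-origination it rejects is a hypothetical stand-in for the kind of incorrect advertisement the article describes, not Telstra's real prefixes or ASN.

```python
"""Route Origin Validation (RFC 6811) over constructed sample data.

Added illustration, not part of SANS NewsBites or any vendor's code.
ROAs and announcements are built from documentation (TEST-NET) address
space and private-use ASNs; none of it is real routing data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization: origin_asn may announce prefix and any
    more-specific of it whose length does not exceed max_length."""
    prefix: str
    max_length: int
    origin_asn: int


# Constructed ROAs for hypothetical holders of TEST-NET space.
SAMPLE_ROAS = (
    ROA("192.0.2.0/24", 24, 64500),
    ROA("2001:db8::/32", 48, 64500),
)


def validate_origin(announced_prefix: str, origin_asn: int, roas=SAMPLE_ROAS) -> str:
    """Return the RFC 6811 state for one announcement:
    'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(announced_prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers only announcements of the same address family that
        # fall inside its prefix.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    # Valid if some covering ROA names this origin AND the announced length
    # is within that ROA's max_length; covered but unmatched means invalid.
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def reject_invalid(announcements, roas=SAMPLE_ROAS):
    """Apply the usual ROV policy: drop 'invalid' routes, keep 'valid' and
    'not-found'. Returns (accepted, rejected) lists of (prefix, asn, state)."""
    accepted, rejected = [], []
    for prefix, asn in announcements:
        state = validate_origin(prefix, asn, roas)
        (rejected if state == "invalid" else accepted).append((prefix, asn, state))
    return accepted, rejected


# Constructed announcements, including a mis-origination of the kind the
# article describes (an AS advertising a prefix it does not hold).
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64500),     # legitimate origin: valid
    ("192.0.2.0/24", 64501),     # wrong origin: invalid, rejected
    ("192.0.2.0/25", 64500),     # right origin but more specific than max_length: invalid
    ("198.51.100.0/24", 64502),  # no ROA covers it: not-found, still accepted
    ("2001:db8:1::/48", 64500),  # IPv6 more-specific within max_length: valid
]

if __name__ == "__main__":
    ok, bad = reject_invalid(SAMPLE_ANNOUNCEMENTS)
    for entry in ok:
        print("accept", *entry)
    for entry in bad:
        print("REJECT", *entry)
```

The 'not-found' state is the reason the 23% coverage figure matters: a prefix without a ROA is accepted from any origin, so a hijack of uncovered space is indistinguishable from a legitimate announcement, and the check only protects prefixes whose holders have published ROAs.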
--Visa Security Alert: New Malware Samples Found in Point-of-Sale Terminal Compromises
(October 4 & 5, 2020)
According to a Security Alert from Visa, the company's Payment Fraud Department "analyzed malware samples recovered from the independent compromises of two North American merchants." The attackers targeted the point-of-sale (POS) systems of the two unnamed companies. The incidents occurred earlier this year; both victims are in the hospitality industry.
[Editor Comments]
[Pescatore] Just as in last week's DHS/CISA alert about a compromised government agency, this Visa alert starts out with "Legitimate user accounts, including an administrator account, were compromised as part of this phishing attack and were used by the threat actors to login to the merchant's environment." Administrator accounts that don't require more than a reusable password are the gaping wound that is continually causing high rates of damage to entire businesses. And they are easily treatable.
[Murray] "Card-not-present" fraud will likely continue as long as the brands and issuers continue to publish Primary Account Numbers in the clear, merchants continue to accept them, and consumers tolerate these unsafe practices. With exceptions, the European Banking Authority is now requiring "multi-factor" authentication for "card-not-present" transactions. The preferred implementations for meeting this requirement use one-time passwords sent out-of-band (e.g., SMS, e-mail). Merchants should prefer check-out proxies like PayPal, Apple Pay, Click to Pay, and their competitors and brands and issuers should encourage their use. Consumers should prefer merchants who provide access to these proxies and, in their absence, consider the use of one-time or one-merchant tokens, from, for example, Privacy.com.
Read more in:
Visa: New Malware Samples Identified in Point-of-Sale Compromises (PDF)
https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf
Security Week: Visa Warns of Attack Involving Mix of POS Malware
https://www.securityweek.com/visa-warns-attack-involving-mix-pos-malware
ZDNet: Two North American hospitality merchants hacked in May and June
https://www.zdnet.com/article/two-north-american-hospitality-merchants-hacked-in-may-and-june/
--Ttint Botnet Exploits Unpatched Flaws in Tenda Routers
(October 4 & 5, 2020)
A pair of zero-day vulnerabilities in Tenda routers are being exploited to spread a variant of the Mirai Internet of Things (IoT) botnet called Ttint. Ttint is capable of launching distributed denial-of-service (DDoS) attacks as well as spreading remote access trojans (RATs) and spyware.
Read more in:
ZDNet: New Ttint IoT botnet caught exploiting two zero-days in Tenda routers
https://www.zdnet.com/article/new-ttint-iot-botnet-caught-exploiting-two-zero-days-in-tenda-routers/
Threatpost: Tenda Router Zero-Days Emerge in Spyware Botnet Campaign
https://threatpost.com/tenda-router-zero-days-spyware-botnet/159834/
--WordPress: Vulnerabilities Fixed in Post Grid and Team Showcase Plugins
(October 5, 2020)
Developers of the Post Grid and Team Showcase WordPress plugins have released updated versions to address two high-severity security issues - a cross-site scripting flaw and a PHP object-injection issue - that affect both plugins. Users are urged to update to Post Grid version 2.0.73 and Team Showcase version 1.22.16.
[Editor Comments]
[Neely] The developer was notified of the vulnerabilities on September 16th and had released patches the next day. Free Wordfence users will have firewall rules to prevent exploitation October 16th; don't wait to verify that you've already deployed the updates.
[Murray] "Cross-site scripting" describes an attack, not a "flaw." The vulnerability is "incomplete parameter checking" at the application layer. While complete parameter checking in the modern "stack" is difficult, it is easiest and necessary at the application layer. However, in this case, the problem is aggravated by the failure to limit and compensate for the use of WordPress plugins; one imports the vulnerability. These plugins come with no representations of quality and historically have been problematic. They should be used sparingly and the risk should be compensated for.
Read more in:
Threatpost: Post Grid WordPress Plugin Flaws Allow Site Takeovers
https://threatpost.com/wordpress-plugin-flaws/159856/
Wordfence: High Severity Vulnerabilities in Post Grid and Team Showcase Plugins
https://www.wordfence.com/blog/2020/10/high-severity-vulnerabilities-in-post-grid-and-team-showcase-plugins/
--International Maritime Organization Hit by Cyberattack
(October 5, 2020)
The United Nations agency for regulating international shipping, the International Maritime Organization (IMO), experienced a cyberattack at the end of September. The agency's Global Integrated Shipping Information Systems (GISIS) database, document repository IMODOCS, and its Virtual Publications service were temporarily unavailable. According to an IMO statement, "The interruption of web-based services was caused by a sophisticated cyber-attack against the Organization's IT systems that overcame robust security measures in place."
Read more in:
Infosecurity Magazine: UN Shipping Agency Forced Offline After Cyber-Attack
https://www.infosecurity-magazine.com/news/un-shipping-agency-offline/
IMO: IMO web services - update 02/10/2020 Access to the www.imo.org website restored
https://imo-newsroom.prgloo.com/news/imo-web-services-update-02102020
--"Technical Issue" Delays Reporting of COVID Test Results in England
(October 5, 2020)
Public Health England (PHE) has acknowledged that a "technical issue" prevented nearly 16,000 COVID cases from being reported between September 25 and October 2. PHE aggregates test result data from both public and private entities and publishes daily statistics. While the people who tested positive received their results in a timely manner, the error delayed contact-tracing efforts. PHE has not confirmed the source of the problem; reports in several news sources suggest that it was due to limits on the size of Excel files.
[Editor Comments]
[Neely] The number of data elements required for COVID reporting, and the protection of that data, quickly exceeds what you can manage in Excel, which was likely selected as a fast path to capture and report data in the midst of a crisis. The hard part will be qualifying an application, verifying its security and moving reporting to APIs rather than uploaded Excel files, all without introducing further delays. While this is the same process we use to convert a manual process to an enterprise one, and the pandemic changes the priority, care must be taken to ensure the data is properly handled and recorded to prevent data loss, disclosure, or other legal entanglements.
Read more in:
gov.uk: PHE statement on delayed reporting of COVID-19 cases
https://www.gov.uk/government/news/phe-statement-on-delayed-reporting-of-covid-19-cases
Ars Technica: Botched Excel import may have caused loss of 15,841 UK COVID-19 cases
https://arstechnica.com/tech-policy/2020/10/excel-glitch-may-have-caused-uk-to-underreport-covid-19-cases-by-15841/
Engadget: An Excel error may have led England to under-report COVID-19 cases
https://www.engadget.com/microsoft-excel-england-covid-19-delay-114634846.html
The Verge: Excel spreadsheet error blamed for UK's 16,000 missing coronavirus cases
https://www.theverge.com/2020/10/5/21502141/uk-missing-coronavirus-cases-excel-spreadsheet-error
BBC: Excel: Why using Microsoft's tool caused Covid-19 results to be lost
https://www.bbc.com/news/technology-54423988
NYT: In U.K.'s Test and Trace: Now You See 'em, Now You Don't
https://www.nytimes.com/2020/10/05/world/europe/uk-testing-johnson-hancock.html
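The failure mode the reports describe, a hard file-format limit silently dropping records during aggregation, is caught by a control that is independent of the file format: count what left each source and reconcile it with what arrived. The Python below is an added illustration of that reconciliation and is not code from SANS NewsBites, PHE or any real reporting pipeline. The CSV export is constructed, the sheet row cap is a parameter (set to a tiny value so the truncation is visible; the 65,536-row figure is the legacy .xls limit, which the page does not state), and the assumption that each record may occupy more than one row is a hypothetical layout, not a description of PHE's files.

```python
"""Record-count reconciliation for a file-based reporting pipeline.

Added illustration, not part of SANS NewsBites, PHE's systems or any real
pipeline. SAMPLE_CSV is constructed; load_into_sheet() simulates a
destination that stops accepting rows at a hard cap without raising an error.
"""
import csv
import io

LEGACY_XLS_ROW_LIMIT = 65_536  # row limit of the old .xls format (not from the page)


def parse_results(csv_text: str):
    """Parse a lab's result export into a list of dict records."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def load_into_sheet(records, row_cap: int, rows_per_record: int = 1):
    """Simulate importing records into a sheet that silently stops at row_cap.
    rows_per_record models a layout where one record spans several rows
    (hypothetical). One header row is reserved. Returns the records that fit."""
    capacity = (row_cap - 1) // rows_per_record
    return records[:capacity]


def reconcile(source_records, loaded_records):
    """The control: compare what left the source with what was loaded.
    Returns a report dict; 'missing' lists the sample IDs that were dropped."""
    src_ids = {r["sample_id"] for r in source_records}
    dst_ids = {r["sample_id"] for r in loaded_records}
    missing = sorted(src_ids - dst_ids)
    return {
        "source": len(src_ids),
        "loaded": len(dst_ids),
        "missing": missing,
        "ok": not missing,
    }


# Constructed export: 12 positive results, one per row, dated in the affected window.
SAMPLE_CSV = "sample_id,result,reported_at\n" + "\n".join(
    f"S{n:04d},positive,2020-09-30" for n in range(1, 13)
)

if __name__ == "__main__":
    src = parse_results(SAMPLE_CSV)
    loaded = load_into_sheet(src, row_cap=9)  # tiny cap so the loss is visible
    report = reconcile(src, loaded)
    print(report)
    if not report["ok"]:
        print(f"ALERT: {len(report['missing'])} records never reached the destination")
```

The check is cheap because it compares identifiers rather than content, and it belongs at every hop of an aggregation chain, not just at the final publication step; a count mismatch is the signal to halt the daily publish rather than report an under-count.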
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Analysis of a Phishing Kit
https://isc.sans.edu/forums/diary/Analysis+of+a+Phishing+Kit/26634/
Hoaxcalls Botnet Scanning for Huawei Home Gateway
https://isc.sans.edu/forums/diary/Scanning+for+SOHO+Routers/26638/
Obfuscation and Repetition
https://isc.sans.edu/forums/diary/Obfuscation+and+Repetition/26648/
SQL Server Cumulative Update 8
https://support.microsoft.com/en-us/help/4577194/cumulative-update-8-for-sql-server-2019
Telstra Accidentally Reroutes Proton Mail Traffic
https://protonmail.com/blog/bgp-hijacking-september-2020/
"Raccine" Ransomware Vaccine
https://github.com/Neo23x0/Raccine
Compromised UEFI Payload Found
https://securelist.com/mosaicregressor/98849/
Privilege Escalation Flaw in All AntiVirus Products
https://www.cyberark.com/resources/threat-research-blog/anti-virus-vulnerabilities-who-s-guarding-the-watch-tower
Rapid7 SMTP "NICER" Report
https://blog.rapid7.com/2020/10/02/nicer-protocol-deep-dive-internet-exposure-of-smtp/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create