SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #8
January 28, 2020Judge Says Insurance Company Must Pay for Ransomware Attack; Google Suspends Paid Chrome Extensions; Mozilla Bans Malicious Firefox Add-ons
****************************************************************************
SANS NewsBites January 28, 2020 Vol. 22, Num. 008
****************************************************************************
TOP OF THE NEWS
Judge Says Insurance Company Must Help Customer After Ransomware Attack
Google Temporarily Suspends Publishing Paid Chrome Extensions
Mozilla Bans Malicious Firefox Add-ons
REST OF THE WEEK'S NEWS
State Department OIG Finds Cybersecurity Concerns
DHS Advisory Warns of Vulnerabilities in GE Medical Devices
Researchers Say Hackers Targeted European Energy Sector
Factory Environment Honeypot
Mitsubishi Hit with Malware Attack
Cisco Releases Fix for Webex Vulnerability
Relaxed Utility Cybersecurity Incident Reporting Rules Raise Concerns
RANSOMWARE
Hackers Exploiting Citrix Flaw to Spread Ransomware
German Automotive Parts Company Hit with Sodinokibi Ransomware
Tillamook County, Oregon, Malware Attack
Tampa Bay Times Hit with Ryuk Ransomware
Potsdam Servers Offline After Cyberattack
Galt Ransomware Recovery
NIST Draft Ransomware Response Guidelines
INTERNET STORM CENTER TECH CORNER
*********************** Sponsored By AWS Marketplace ***********************
More Signal, Less Noise: Enhancing Security Ops and Actionable Response in AWS. SANS GIAC technical director Dave Shackleford and AWS security principal Vinay Sukumar discuss how to aggregate security information from various sources and automate incident response to improve visibility and prioritize threats in the AWS cloud. Thursday, January 30, 2 PM ET. http://www.sans.org/info/215375
****************************************************************************
Cybersecurity Training Update
-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Munich March 2020 | March 2-7 | https://www.sans.org/event/munich-march-2020
-- SANS Northern VA - Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020
-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020
-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020
-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020
-- SANS OnDemand and vLive Training
Get an iPad Mini, an HP Chromebook 14 G5, or Take $300 Off through February 5 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
****************************************************************************
TOP OF THE NEWS
--Judge Says Insurance Company Must Help Customer After Ransomware Attack
(January 24, 2020)
A US federal judge in Maryland has ordered State Auto Property & Casualty Insurance to cover the costs one of its customers incurred as the result of a ransomware attack. National Ink & Stitch had sought $310,000 in damages from the State Auto following the late 2016 attack that forced the screen printing company to replace its computer system.
[Editor Comments]
[Pescatore] Good to see some rulings being made to serve as case law that may force cyber insurance policies to pay up more often. Sadly, a very likely outcome is insurance carriers changing the wording of their policies to make sure this ruling doesn't apply. Buyers' legal counsel review of all policy terms is very important.
Read more in:
Cyberscoop: Judge forces insurer to help small business to clean up after a crippling ransomware attack
https://www.cyberscoop.com/cyber-insurance-court-state-auto/
--Google Temporarily Suspends Publishing Paid Chrome Extensions
(January 25, 26, & 27, 2020)
All paid Chrome extensions have been suspended from being published or updated in the Google Chrome Web Store. Google cited a "significant increase in the number of fraudulent transactions involving paid Chrome extensions that aim to exploit users." The suspension is temporary while Google determines the best long-term solution to the issue.
[Editor Comments]
[Pescatore] Kudos to Google for having the gumption to temporarily pull the plug. I'm beginning to feel that browser extensions are now what Flash has been for the past decade: nothing users really need, just vulnerable code to help advertisers and thieves trick users into questionable behavior. Going to software whitelists like the Apple App Store and Google Play got us away from an infinite number of executables down to just a very large number that had some level of testing and immensely raised the bar against malware on iOS and Android devices. But, browser extensions seem like going back to the bad old days. In the related item below, Mozilla is not suspending add-ons, just still at the "blocking more" stage.
[Neely] Bravo on Google for calling a halt to the process while the long-term solution for paid extensions is found. Unlike the Mozilla ban below, installed paid extensions will continue to work, but no updates will be available until the long-term solution is determined, making it prudent to review extension use. This also ties back to the March 2019 announcement of policies for Project Strobe to strengthen their third-party extension auditing process.
Read more in:
Google: Announcement: Paid CWS Item Rejections
https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/EW0VuDjZSO4
Forbes: Google Confirms Chrome Security Shocker: All Paid Extension Updates Suspended
ZDNet: The Chrome Web Store is currently facing a wave of fraudulent transactions
The Register: Google halts paid-for Chrome extension updates amid fraud surge: Web Store in lockdown 'due to the scale of abuse'
https://www.theregister.co.uk/2020/01/27/google_disables_web_store/
--Mozilla Bans Malicious Firefox Add-ons
(January 25, 2020)
Mozilla has banned close to 200 Firefox add-ons over the past two weeks. The banned add-ons were found to be executing malicious code, stealing data, or hiding their source code. Not only have they been removed from Mozilla's add-on portal, they have also been disabled in browsers where they are already installed.
[Editor Comments]
[Neely] The identified plugins don't follow Mozilla's rules for add-ons: https://extensionworkshop.com/documentation/publish/add-on-policies/: Add-on Policies. The rules are only recently being strictly enforced. Mozilla is not publishing the names of the banned plugins, only their IDs to support anonymity during the appeal process. The question remains, as John states, do we (still) need them? Have you evaluated the add-ons in use and determined which are absolutely needed, if any?
[Pescatore] See comments on Google temporarily suspending browser extensions. Remember when the world would end if Flash was disabled?
Read more in:
ZDNet: Mozilla has banned nearly 200 malicious Firefox add-ons over the last two weeks
**************************** SPONSORED LINKS ******************************
1) Webcast February 5th at 3:30 PM ET: Your Password Doesn't Matter, hosted by Microsoft. Register here: http://www.sans.org/info/215380
2) Did you miss this webcast? Spends and Trends: SANS 2020 Cybersecurity Spending Survey Panel Discussion. View here: http://www.sans.org/info/215385
3) Don't miss this upcoming webcast: Implementer's Guide to Deception Technologies featuring SANS Kyle Dickinson. http://www.sans.org/info/215390
*****************************************************************************
REST OF THE NEWS
--State Department OIG Finds Cybersecurity Concerns
(January 14 & 23, 2020)
A report from the US State Department's Office of Inspector General (OIG) noted that an "assessment of the Department's information security program identified numerous control weaknesses that affected program effectiveness and increased the Department's vulnerability to cyberattacks and threats." The report comes just a week after Senator Mark Warner (D-Virginia) asked Secretary of State Mike Pompeo what he has done to address the security problems identified in the earlier reports. In the letter, Warner expressed concerns about the State Department's abilities to address increasing "offensive cyber activity by Iran," and referenced risks noted in earlier OIG audit reports.
Read more in:
Nextgov: Another Poor Cybersecurity Audit at State Department Draws Scrutiny
Warner: Warner Presses State Department for Plan to Address Iranian Cyber-Threats
Oversight.gov: Inspector General Statement on the Department of State's Major Management and Performance Challenges (PDF)
--DHS Advisory Warns of Vulnerabilities in GE Medical Devices
(January 23 & 24, 2020)
The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has released an advisory warning about six critical vulnerabilities affecting GE CARESCAPE Telemetry Server, ApexPro Telemetry Server, CARESCAPE Central Station (CSCS) and Clinical Information Center (CIC) systems, CARESCAPE B450, B650, B850 monitors. GE is developing fixes for the vulnerabilities and has suggested mitigations to help protect vulnerable devices until the patches are available.
[Editor Comments]
[Neely] The primary mitigation is network isolation. Allow only absolutely required communications to and from these devices, following GE's configuration guides such that a successful attack requires physical access. Access to those guides is available through their customer support portal and requires a valid support account. Additionally, the FDA has published medical device security guidance - https://www.fda.gov/medical-devices/digital-health/cybersecurity: Cybersecurity
Read more in:
US-CERT: ICS Advisory (ICSMA-20-023-01) | GE CARESCAPE, ApexPro, and Clinical Information Center systems
https://www.us-cert.gov/ics/advisories/icsma-20-023-01
Cyberscoop: DHS pushes alert on vulnerable patient monitors sold by GE Healthcare
https://www.cyberscoop.com/ge-healthcare-dhs-alert/
SC Magazine: Critical vulnerabilities found in GE medical gear
https://www.scmagazine.com/home/health-care/critical-vulnerabilities-found-in-ge-medical-gear/
Threatpost: Critical, Unpatched 'MDhex' Bugs Threaten Hospital Devices
https://threatpost.com/critical-mdhex-bugs-ge-medical-devices/152163/
--Researchers Say Hackers Targeted European Energy Sector
(January 24, 2020)
According to a report from Recorded Future, hackers targeted systems at "a key organization in the European energy sector." The report says that the attack likely began in late fall 2019 and continues through the beginning of January, 2020. The hackers used the Pupy remote access Trojan (RAT) in the attack.
Read more in:
Recorded Future: European Energy Sector Organization Targeted by PupyRAT Malware in Late 2019
https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf
GovInfosecurity: Hackers Target European Energy Firm: Researchers
https://www.govinfosecurity.com/hackers-target-european-energy-firm-researchers-a-13645
--Factory Environment Honeypot
(January 22 & 24, 2020)
Researchers from Trend Micro created a honeypot that imitates a factory environment. The honeypot, which was launched in May 2019, drew a variety of attacks, including cryptominers and ransomware. The report notes that "organizations should ensure that their equipment and the components of their ICSs are not exposed online... [and should implement] strict authentication policies to minimize the possibility of intrusions.
[Editor Comments]
[Neely] The trick with ICS, or other purpose-built equipment, remains allowing only appropriate access with monitoring, which may require implementing gateways or other border protections to limit access where embedded authentication is not sufficient or configurable. ICS components often use proprietary protocols, and while not every tool can decipher those, the presence of standard protocols on that network may be a sign of compromise.
Read more in:
Trend Micro: Caught in the Act: Running a Realistic Factory Honeypot to Capture Real Threats (PDF)
ZDNet: Ransomware, snooping and attempted shutdowns: See what hackers did to these systems left unprotected online
Threatpost: Fake Smart Factory Honeypot Highlights New Attack Threats
https://threatpost.com/fake-smart-factory-honeypot-highlights-new-attack-threats/152170/
--Mitsubishi Hit with Malware Attack
(January 20 & 24, 2020)
Last week, Mitsubishi Electric disclosed that it was the victim of a cyber attack in June 2019. The attackers appear to have exploited a then-unknown vulnerability in TrendMicro OfficeScan antivirus; they stole 200MB of company files. TrendMicro patched the flaw in October 2019, noting at the time that it was being actively exploited.
Read more in:
ZDNet: Trend Micro antivirus zero-day used in Mitsubishi Electric hack
https://www.zdnet.com/article/trend-micro-antivirus-zero-day-used-in-mitsubishi-electric-hack/
Japan Times: Mitsubishi Electric data likely compromised in massive cyberattack blamed on Chinese group
--Cisco Releases Fix for Webex Vulnerability
(January 24 & 27, 2020)
Cisco has released a fix for a vulnerability in its Webex video conferencing platform. The flaw could be exploited to access password protected meetings without authorization; attackers would need a valid meeting ID along with the Webex app on an Android or iOS device. Unauthorized attendees appear in the attendee list. The issue is fixed in Cisco Webex Meetings Suite sites version 39.11.5 and Cisco Webex Meetings Online sites version 40.1.3.
[Editor Comments]
[Murray] Webex is often used for large (and sensitive) meetings where the participation of an unauthorized party might well go unnoticed.
Read more in:
Cisco: Cisco Webex Meetings Suite and Cisco Webex Meetings Online Unauthenticated Meeting Join Vulnerability
The Register: Cisco Webex bug allowed anyone to join a password-protected meeting
Threatpost: Cisco Webex Flaw Lets Unauthenticated Users Join Private Online Meetings
--Relaxed Utility Cybersecurity Incident Reporting Rules Raise Concerns
(January 27, 2020)
New Federal Energy Regulatory Commission (FERC) rules for reporting cybersecurity incidents allow organizations to decide themselves whether or not an incident merits reporting. The president of the Utility Workers Union of America is concerned that utilities may place profits ahead of addressing cybersecurity issues. The new rules, which were introduced in June 2019, say that "Each responsible entity will be required to develop criteria for identifying an attempt to compromise a cyber asset and then apply those criteria during its cyber security incident identification process."
Read more in:
Nextgov: Union Leader Says Utilities Not Incentivized to Report Cyber Incidents or Implement Protections
FERC: FERC Strengthens Cyber Security Standards for Bulk Electric System
https://www.ferc.gov/media/news-releases/2019/2019-2/06-20-19-E-2.asp#.Xi-pUhNKjq1
RANSOMWARE
--Hackers Exploiting Citrix Flaw to Spread Ransomware
(January 25, 2020)
The recently patched flaw in Citrix products is being exploited to infect systems with Sodinokibi ransomware.
Read more in:
Forbes: Critical Security Warning As Citrix Hackers Ramp-Up Attacks
--German Automotive Parts Company Hit with Sodinokibi Ransomware
(January 23, 2020)
The hackers behind the ransomware attack on the Travelex international currency exchange have launched an attack against Gedia Automotive Group, a German automotive parts manufacturer, infecting its systems with the ransomware known as Sodinokibi. Gedia says it has shut down its IT systems and that its employees have been sent home. The hackers say they have taken data from Gedia's systems and plan to upload them if the company does not pay the ransom.
Read more in:
SC Magazine: Travelex hackers strike again, closes German automotive firm
Computer Weekly: Travelex hackers shut down German car parts company Gedia in massive 'cyber attack'
--Tillamook County, Oregon, Malware Attack
(January 23 & 24, 2020)
Tillamook County in Oregon is reporting that it was hit with a ransomware attack that prompted the county to take its computer and telephone systems offline as a precaution.
Read more in:
GovTech: Cyberattack Hobbles Oregon County Network, Services
https://www.govtech.com/security/Cyberattack-Hobbles-Oregon-County-Network-Services.html
Oregon Live: Cyberattack takes down Tillamook County's computers, phones, website
--Tampa Bay Times Hit with Ryuk Ransomware
(January 27, 2020)
The Tampa Bay Times was hit with Ryuk ransomware last week. The company did not pay a ransom, and it is working to restore systems from backups and cleaning malware from its systems.
Read more in:
SC Magazine: Tampa Bay Times hit by Ryuk, new variant of stealer aimed at gov't, finance
--Potsdam Servers Offline After Cyberattack
(January 24, 2020)
Servers belonging to the city of Potsdam, Germany have been taken offline in the wake of a cyberattack.
Read more in:
Bleeping Computer: City of Potsdam Servers Offline Following Cyberattack
--Galt Ransomware Recovery
(January 27, 2020)
Since a December 2019 ransomware attack, systems at the California city of Galt are roughly 85 percent rebuilt and restored.
Read more in:
GovTech: Small Town Nearly Done Recovering from Ransomware Attack
https://www.govtech.com/news/Small-Town-Nearly-Done-Recovering-from-Ransomware-Attack.html
--NIST Draft Ransomware Response Guidelines
(January 27, 2020)
The National Cybersecurity Center of Excellence (NCCoE) has released a National Institute of Standards and Technology (NIST) draft document aimed at helping "organizations detect and respond to data integrity events across multiple industries." NCCoE is accepting comments on Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events through February 26.
[Editor Comments]
[Neely] The guide identifies NIST 800-53, ISO 27001, and NIST 800-181 controls to aid with Ransomware preparedness and response. If you have experience with ransomware, or other security baselines which should be referenced, review the draft and provide input.
Read more in:
The Hill: Federal agency offers guidelines for businesses defending against ransomware attacks
NCCOE: Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/detect-respond
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Citrix Releases ADC Updates For All Versions
https://www.citrix.com/blogs/2020/01/24/citrix-releases-final-fixes-for-cve-2019-19781/
Critical Vulnerabilities in GE Medical Devices
https://www.us-cert.gov/ics/advisories/icsma-20-023-01
Mitsubishi Electric Compromised via Trend Micro Vulnerability
https://www.zdnet.com/article/trend-micro-antivirus-zero-day-used-in-mitsubishi-electric-hack/
Coronavirus Preparedness and Associated Scams
https://isc.sans.edu/forums/diary/Network+Security+Perspective+on+Coronavirus+Preparedness/25750/
Temporary Windows 0-Day Fix Breaks Printers
https://www.reddit.com/r/sysadmin/comments/etumy7/microsoft_ie_zeroday_fix_breaks_hp_printing/
RD Gateway RCE Exploit Demoed
https://twitter.com/layle_ctf/status/1221514332049113095?s=12
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
