SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #80
October 9, 2020SANS Bachelors Degree; Election Security; Ransomware Closes Schools
*****************************************************************************
SANS NewsBites October 9, 2020 Vol. 22, Num. 080
*****************************************************************************
THE TOP OF THE NEWS
SANS Bachelors Degree in Applied Cybersecurity
DHS Acting Secretary Speaks About Election Security
Ransomware Closes Schools in Massachusetts
*************************** Sponsored By Chronicle ************************************
Google Cloud has launched modern security detection for modern security threats with Chronicle Detect. Join our webinar on October 21st to see a demo of our next generation rules engine that operates at the speed of search and hear from Paul Farley, the Deputy CISO of NCR, about their journey with Chronicle. Register today!
| http://www.sans.org/info/217865
*****************************************************************************
1) DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks| Get the whitepaper now!
| http://www.sans.org/info/217850
2) Survey | Calling all CTI gurus! Take the SANS 2021 CTI Survey and enter for a chance to win a $250 Amazon gift card.
| http://www.sans.org/info/217855
3) Webcast | Join us for an upcoming webcast hosted by Microsoft titled, "Stop attacks and reduce security operations workload with automated cross-domain (XDR) security" | October 15 @ 1:00 PM EDT
| http://www.sans.org/info/217860
REST OF THE WEEKS NEWS
SEC Agrees to Settle Complaint Against Trader Who Used Stolen Data
Wisepay Pulls Site Offline After Spoofing Attempt
Kraken Fileless Malware Exploits Windows Error Reporting
UHS is Restoring Networks After Cyberattack
US Seizes Domains Associated with Disinformation Campaigns
Boom! Mobile Acknowledges Skimming
Cisco Security Updates Include Fixes for Three High Severity Flaws
Adobe Creative Cloud Outage
Azure App Services Flaws
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
New OnDemand Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/ondemand/course/cloud-penetration-testing
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Live Online Training Events and Summits
SANS DFIRCON 2020 - Live Online
Nov 2-7 EST | 9 DFIR Courses | Virtual DFIR NetWars
- https://www.sans.org/event/dfircon-2020-live-online
Pen Test HackFestLive Online
Nov 16-21 EST | 15 Courses | Summit @Night Bonus Sessions
- https://www.sans.org/event/pen-test-hackfest-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
OnDemand Training Special Offer: Get an iPad (32 G), Galaxy Tab S5e, or Take $250 Off with qualified OnDemand courses through October 14.
- https://www.sans.org/ondemand/specials
*****************************************************************************
TOP OF THE NEWS
--SANS Bachelors Degree in Applied Cybersecurity
(October 8, 2020)
SANS Achieves Full College Status; Bachelors Degree in Applied Cybersecurity starts November 1. SANS (SANS.edu) is now licensed and accredited to grant bachelors degrees. Students will learn from the extraordinary practitioner-scholars on the SANS faculty, earn 8 GIAC certifications, and complete an internship at the Internet Storm Center. Costs are low because students will complete general education and basic computer science courses at low-cost community colleges, then shift to SANS Technology Institute. The recent CISO at a Federal Reserve District who regularly sends his experienced professionals to SANS training described the impact: Never before has it been such a safe bet to hire a graduate and expect them to make a meaningful contribution on day one. The first public information session is Thursday at noon Eastern. Register at https://register.gotowebinar.com/register/7453087257861416464
[Editor Comments]
[Neely] I would have killed for an opportunity like this when I was in college. If you want to get a strong foundation for a career in Cybersecurity, this is an amazing curriculum. Also, the internship at the ISC provides experience responding to and analyzing incidents with extraordinary teammates.
[Murray] In a world of rapidly changing technology, it will be increasingly valuable to be able to demonstrate current skills. While a college education will continue to be valuable for living a life, certifications will be increasingly useful for making a living.
Read more in:
SANS: Bachelor's Program in Applied Cybersecurity
https://www.sans.edu/academics/applied-cybersecurity-bachelors-degree
PRNewswire: Maryland to Bridge Cybersecurity Workforce Gap with Groundbreaking Bachelor's Degree Program
gotowebinar: SANS.edu & Montgomery CollegeBachelors Degree Online Information Session
https://register.gotowebinar.com/register/7453087257861416464
--DHS Acting Secretary Speaks About Election Security
(October 7, 2020)
US Department of Homeland Security (DHS) Acting Secretary Chad Wolf told an audience at the Cybersecurity and Infrastructure Security Agencys (CISA) Cyber Summit 2020 that DHS has not identified any threats that would prevent Americans from voting, or that would change vote tallies. He also noted that final election tallies may not be available on election night. Ninety-two percent of jurisdictions are using voting systems with auditable paper trails.
Read more in:
MeriTalk: DHS Sees No Threat to Vote Tallies, Warns of Election Outcome Lag
https://www.meritalk.com/articles/dhs-sees-no-threat-to-vote-tallies-warns-of-election-outcome-lag/
--Ransomware Closes Schools in Massachusetts
(October 8, 2020)
Springfield (Massachusetts) Public Schools have been closed in the wake of a ransomware attack on its IT network. Students were told to shut down district-owned devices. The district has been teaching remotely since the start of the school year.
Read more in:
Bleeping Computer: Massachusetts school district shut down by ransomware attack
*****************************************************************************
THE REST OF THE WEEKS NEWS
--SEC Agrees to Settle Complaint Against Trader Who Used Stolen Data
(October 7, 2020)
The US Securities and Exchange Commission (SEC) has agreed to settle a complaint against Kyungja Cho, a trader who used information stolen in a hack of the SECs EDGAR filing system to conduct lucrative transactions. Settlement agreements must be reviewed and approved by SEC Commissioners before they become binding.
Read more in:
Cyberscoop: SEC settles with trader accused of illegal trades using hacked data
https://www.cyberscoop.com/sec-settlement-edgar-hack-cho/
SEC: Civil Action No. 19-cv-505 (PDF)
https://www.sec.gov/litigation/complaints/2019/comp-pr2019-1.pdf
--Wisepay Pulls Site Offline After Spoofing Attempt
(October 7 & 8, 2020)
Wisepay, a UK school payments company, took its website offline after it became aware that someone was attempting to spoof its card payment page. The website has been down for maintenance since Sunday, October 4; on Monday, the site displayed a down for maintenance message.
[Editor Comments]
[Pescatore] The two reports give conflicting information: The Register piece says Wisepay has pulled its website offline after spotting a miscreant trying to spoof its card payment page. Generally, if you discover someone spoofing your site, you work to have that site taken down, you dont take down your own legitimate site! The BBC piece is even more confusing, saying Wisepay said a hack of its website meant an attacker was able to harvest payment details between 2 and 5 October via a spoof page. the hacker had managed to find a "backdoor" into the system's database and had modified one page. That seems to imply more than discovery of a spoofed site. Web site security essential security practices are well known. Dealing with spoofing sites usually needs to be part of a broader brand and fraud detection strategy with anti-phishing, strong email authentication, and the use of detection/take-down support services.
Read more in:
The Register: Wisepay 'outage' is actually the school meal payments biz trying to stop an intruder from stealing customer card details
https://www.theregister.com/2020/10/07/wisepay_outage_was_cyber_attack/
BBC: Wisepay: School payments service hit by cyber-attack
https://www.bbc.com/news/technology-54465359
--Kraken Fileless Malware Exploits Windows Error Reporting
(October 6 & 7, 2020)
A fileless attack method, dubbed Kraken, hides itself in the Microsoft Windows Error Reporting (WER) service to evade detection. The malware is spreading through a phishing campaign; the messages purport to be information about a workers compensation claim.
[Editor Comments]
[Neely] The phish uses an attached document relating to compensation applicability which includes a variant of the CactusTorch VBA macro module, which then loads a .Net compiled binary executed from vbscript. The code detects the use of a sandbox and uses a debugger to thwart analysis. The Malwarebytes writeup includes IOCs including URLs used.
Read more in:
Malwarebytes: Release the Kraken: Fileless APT attack abuses Windows Error Reporting service
https://blog.malwarebytes.com/malwarebytes-news/2020/10/kraken-attack-abuses-wer-service/
Threatpost: APT Attack Injects Malware into Windows Error Reporting
https://threatpost.com/apt-attack-malware-windows-error-reporting/159861/
ZDNet: Hackers exploit Windows Error Reporting service in new fileless attack
--UHS is Restoring Networks After Cyberattack
(October 6, 2020)
Universal Health Services is restoring services to facilities affected by a cyberattack that began on September 27. According to an October 5 statement from UHS, the UHS IT Network has been restored and applications are in the process of being reconnected.
[Editor Comments]
[Murray] Contingency plans should include the ability to restore critical applications in hours, not days. Not all applications are "critical."
Read more in:
Duo: UHS Recovering From Malware Infection
https://duo.com/decipher/uhs-recovering-from-malware-infection
UHSINC: Statement from Universal Health Services: Updated Monday, October 5, 2020, 12:30 PM ET
https://www.uhsinc.com/statement-from-universal-health-services/
--US Seizes Domains Associated with Disinformation Campaigns
(October 8, 2020)
The US Department of Justice (DoJ) has announced the takedown of 92 domains owned by Irans Islamic Revolutionary Guard Corps (IRGC); several of the domains have been used to spread propaganda in the US. All 92 of the domains were being used in violation of sanctions against Iran and against IRGC.
[Editor Comments]
[Murray] We now live in a world where many governments, including our own, engage in active propaganda programs, some open, many covert. The Internet lowers the cost and improves the effectiveness. Social media often serves to amplify the messages and hide the source. While "takedowns" are useful, we all need to become more critical and skillful consumers of information. Indeed, in a world where all information is at our fingertips, critical thinking skills become the purpose and essence of education. See Carl Sagan's "BS" detector kit for useful tools.
Read more in:
Justice: United States Seizes Domain Names Used by Irans Islamic Revolutionary Guard Corps
Cyberscoop: Takedown of 92 Iran-owned domains includes 4 used for disinformation in US, feds say
https://www.cyberscoop.com/iran-propaganda-domains-takedown/
Infosecurity Magazine: US Seizes Domains Used to Spread Disinformation
https://www.infosecurity-magazine.com/news/us-seizes-domains-used-to-spread/
The Hill: US seizes 92 domains used by Iran for 'global disinformation campaign'
--Boom! Mobile Acknowledges Skimming
(October 5 & 6, 2020)
A page on the Boom! Mobile telecommunications company website has been infected with malware that steals payment card information and sends it to a server controlled by criminals. Boom! Mobile is urging customers who made purchases between September 30 and October 5, 2020, to take the necessary precautions with their credit card company. Boom!s shopping cart provider said that the malware has been removed.
[Editor Comments]
[Neely] This is another instance of threat actors leveraging web skimmers (aka "sniffers") to target card-not-present (CNP) data. Additionally, this is a reminder to keep all components updated. In this instance, the site was reportedly using PHP 5.6.40, a version that hasnt been supported since January 2019.
[Murray] The use of credit and debit card numbers in e-commerce remains risky. Merchants can protect themselves and their customers, and improve convenience and reduce abandoned transactions, by offering check-out proxies like PayPal, Apple Pay, Click to Pay, and their competitors. Consumers should prefer the use of such proxies for payments. On sites that do not offer access to proxies, consumers should consider the use of one-time or one-merchant tokens, available from such free services as Privacy.com.
Read more in:
Ars Technica: Boom! Hacked page on mobile phone website is stealing customers card data
Infosecurity Magazine: Skimming Attack on Boom! Mobile
https://www.infosecurity-magazine.com/news/skimming-attack-on-boom-mobile/
ZDNet: Boom! Mobile falls prey to Magecart card-skimming attack
https://www.zdnet.com/article/boom-mobile-falls-prey-to-magecart-card-skimming-attack/
--Cisco Security Updates Include Fixes for Three High Severity Flaws
(October 7 & 8, 2020)
Cisco has made fixes available to address three high-severity vulnerabilities affecting the Cisco Discovery Protocol implementation for Cisco Video Surveillance 8000 Series IP Cameras, Webex Teams for Windows, and the Cisco Identity Services Engine. Cisco has also released security updates to address 11 medium security vulnerabilities in a variety of products.
[Editor Comments]
[Neely] There are no workarounds for these vulnerabilities, and the updates are free. If you are not on a service contract, or cannot obtain them from your Cisco reseller, you will need to contact the Cisco TAC to get them.
Read more in:
ZDNet: Cisco security warning: Patch Webex Teams for Windows and surveillance camera now
Threatpost: Cisco Fixes High-Severity Webex, Security Camera Flaws
https://threatpost.com/cisco-webex-security-camera-flaws/159969/
Cisco: Cisco Video Surveillance 8000 Series IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdp-rcedos-mAHR8vNx
Cisco: Cisco Webex Teams Client for Windows DLL Hijacking Vulnerability
Cisco: Cisco Identity Services Engine Authorization Bypass Vulnerability
Cisco: Cisco Security Advisories
https://tools.cisco.com/security/center/publicationListing.x
--Adobe Creative Cloud Outage
(October 8, 2020)
An outage is preventing Adobe Creative Cloud users from logging in or accessing stored data and applications to which they subscribe. The problem began at about 9:30am EST. Adobe acknowledged the issue on the status.adobe.com page but has not offered details.
[Editor Comments]
[Neely] The issues have been resolved. Use the All option on the status page to see status of current and past incidents as well as planned maintenance information. With increased reliance on cloud services, its important to have status and event data incorporated in your SOC or SIEM. To get alerts on outages/events, set up Events subscriptions in your Adobe account.
Read more in:
Bleeping Computer: Adobe Creative Cloud down: Users report login, data access issues
--Azure App Services Flaws
(October 8, 2020)
A pair of security flaws in Azure App Services could be exploited to take control of vulnerable administrative servers. Microsoft was notified of the flaws in July and has fixed the issues.
[Editor Comments]
[Neely] The Intezer writeup below does a good job of describing not only the two vulnerabilities discovered but also mitigations that limited their exploitability. Of note, use caution with hard coding of credentials, particularly root logins, and verify that your Docker containers are truly running as non-root users.
Read more in:
Threatpost: Microsoft Azure Flaws Open Admin Servers to Takeover
https://threatpost.com/microsoft-azure-flaws-servers-takeover/159965/
Intezer: Kud I Enter Your Server? New Vulnerabilities in Microsoft Azure
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Today, Nobody is Going to Attack You
https://isc.sans.edu/forums/diary/Today+Nobody+is+Going+to+Attack+You/26654/
Apple T2 Chip Vulnerability
https://ironpeak.be/blog/crouching-t2-hidden-danger/
NVIDIA Patches
https://nvidia.custhelp.com/app/answers/detail/a_id/5075
Cloudflare DDoS Alerts
https://blog.cloudflare.com/announcing-ddos-alerts/
Gravatar Privacy Issue
Google Chrome Patches
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html
Android Security Update
https://source.android.com/security/bulletin/2020-10-01
QNAP Patches Helpdesk Application
https://www.qnap.com/en/security-advisory/QSA-20-08
Comcast Remote Control Eavesdropping
https://www.guardicore.com/2020/10/wareztheremote-turning-remotes-into-listening-devices/
HashiCorp Vault Vulnerabilities
https://googleprojectzero.blogspot.com/2020/10/enter-the-vault-auth-issues-hashicorp-vault.html
Ryuk Ransomware Writeup
https://thedfirreport.com/2020/10/08/ryuks-return/
Ricky Tan: Zeek Log Reconnaissance with Network Graphs Using Maltego Casefile
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create