SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #81
October 13, 2020CISA: Hackers Successfully Combining Long-Known Vulnerabilities to Penetrate Federal Systems, Plus Escalating Ransomware Attacks
*****************************************************************************
SANS NewsBites October 13, 2020 Vol. 22, Num. 081
*****************************************************************************
THE TOP OF THE NEWS
CISA: Hackers are Chaining Long-Known Vulnerabilities to Attack Government Networks
Software AG Recovering from Ransomware Attack
US Senator Demands Answers on Healthcare Ransomware Attacks
Carnival Acknowledges Data Theft from Ransomware Attack
Ransomware Operators Post School District Data Online
REST OF THE WEEK'S NEWS
DHS Homeland Threat Assessment Report Reveals Hackers Targeted Census Bureau
Electrum Bitcoin Wallet Scam
Disrupting TrickBot
Governments Call for Encryption Backdoors
GAO: FAA Needs to Improve Avionics Cybersecurity Oversight
INTERNET STORM CENTER TECH CORNER
******************** Sponsored By AWS Marketplace *****************************
Webcast | How to Create a Scalable and Automated Edge Strategy in the AWS Cloud. Tune in for this upcoming webcast with SANS and AWS as they discuss how you can implement a scalable security solution for your network's edge. Register now and be among the first to receive the associated whitepaper written by SANS cloud security expert Dave Shackleford | Thursday, October 15th at 2PM ET
| http://www.sans.org/info/217895
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
New OnDemand Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/ondemand/course/cloud-penetration-testing
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Live Online Training Events and Summits
SANS DFIRCON 2020 - Live Online
Nov 2-7 EST | 9 DFIR Courses | Virtual DFIR NetWars
- https://www.sans.org/event/dfircon-2020-live-online
Pen Test HackFest - Live Online
Nov 16-21 EST | 15 Courses | Summit @Night Bonus Sessions
- https://www.sans.org/event/pen-test-hackfest-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
- https://www.sans.org/free
OnDemand Training Special Offer: Get an iPad (32 G), Galaxy Tab S5e, or Take $250 Off with qualified OnDemand courses through October 14.
- https://www.sans.org/ondemand/specials
*****************************************************************************
TOP OF THE NEWS
--CISA: Hackers are Chaining Long-Known Vulnerabilities to Attack Government Networks
(October 9 & 12, 2020)
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning that hackers have been using a combination of vulnerabilities in several different VPNs along with the Windows Netlogon vulnerability to gain access to government networks. The advisory notes that there have been "some instances where this activity resulted in unauthorized access to elections support systems," but that the integrity of election data has not been compromised. The advisory includes advice for protecting systems.
[Editor Comments]
[Ullrich] Exactly a year ago, the NSA released an advisory warning of exploitations of exactly the same vulnerability (e.g. CVE-2018-13379). Additional warnings for these types of attacks were released in February, May, about a month ago, and again now. The headlines should be "CISA: Government networks still don't know how to manage VPN vulnerabilities." Any attacker would be negligent not to take advantage of this point easy-to-exploit "VPN + Zerologon" attack vector.
[Murray] Weaknesses in so-called "VPN" products, services, and implementations should not discourage "virtual private connections," that is, the use of end-to-end application-layer encryption. The term "VPN" has become synonymous with marketed proxy services intended to merely hide the origin of traffic to avoid geographic or political controls. Such services are not "private" in the original sense of the term. Neither are they truly (user to application) end-to-end.
Read more in:
UC-CERT CISA: Alert (AA20-283A) APT Actors Chaining Vulnerabilities Against SLTT, Critical Infrastructure, and Elections Organizations
https://us-cert.cisa.gov/ncas/alerts/aa20-283a
ZDNet: Hacker groups chain VPN and Windows bugs to attack US government networks
https://www.zdnet.com/article/hacker-groups-chain-vpn-and-windows-bugs-to-attack-us-government-networks/
Cyberscoop: Foreign hackers are targeting federal, state and local IT networks, feds warn
https://www.cyberscoop.com/foreign-hackers-targeting-federal-state-local-networks-feds-warn/
--Software AG Recovering From Ransomware Attack
(October 9, 2020)
German software company Software AG was hit with a ransomware attack on October 3. The ransomware operators encrypted files and demanded more than $20 million in return for the decryption key. Software AG attempted to negotiate with the attackers; after the communication broke down, the attackers published screenshots of what they say are data stolen from the company. Software AG says that the attack affected its internal network, but that customer services were not affected.
Read more in:
The Register: Software AG hit with ransomware: Crooks leak staffers' passports, want millions for stolen files
https://www.theregister.com/2020/10/09/software_ag_ransomware/
ZDNet: German tech giant Software AG down after ransomware attack
https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/
Bleeping Computer: Software AG IT giant hit with $23 million ransom by Clop ransomware
https://www.bleepingcomputer.com/news/security/software-ag-it-giant-hit-with-23-million-ransom-by-clop-ransomware/
--US Senator Demands Answers on Healthcare Ransomware Attacks
(October 9, 2020)
In the wake of a ransomware attack that affected multiple Universal Health Services (UHS) healthcare facilities, US Senator Mark Warner (D-Virginia) has written a letter to the CEO expressing "grave concerns" about the attack. Warner is seeking answers to a number of questions, including a description of UHS's vulnerability management process, how various UHS networks are segmented and isolated, and whether the company has paid a ransom demand.
[Editor Comments]
[Neely] This close to an incident, you need to be focused on forensics, system recovery, preventing recurrence, and refining contingency plans so that systems and processes are more resistant to attack. In the UHS case, there is the additional responsibility to ensure future events don't result in loss of life. When these processes are complete, response to external or regulatory questions will be more accurate and more valuable.
Read more in:
The Hill: Senate Democrat raises concerns around Universal Health Services breach
https://thehill.com/policy/cybersecurity/520410-senate-democrat-raises-concerns-around-united-health-services-breach
SC Magazine: Here are the questions Congress asks after a ransomware attack
https://www.scmagazine.com/home/security-news/here-are-the-questions-congress-asks-after-a-ransomware-attack/
Warner: Letter to Universal Health Services CEO (PDF)
https://www.warner.senate.gov/public/_cache/files/8/6/86b695e4-b032-44ad-8f8e-156381f7f1d8/F0A17385872CFF73A07075BE1D7D5641.letter-unitedhealthservices.pdf
--Carnival Acknowledges Data Theft from Ransomware Attack
(October 9, 2020)
Carnival Corporation has acknowledged that ransomware actors who launched an attack on the cruise line operator's network in August also stole personal data. Carnival disclosed the attack in a US Securities and Exchange Commission (SEC) filing on August 17, 2020. On October 8, 2020, Carnival filed an additional SEC form that acknowledged that the attackers accessed customer and employee information.
Read more in:
Bleeping Computer: Largest cruise line operator Carnival confirms ransomware data theft
https://www.bleepingcomputer.com/news/security/largest-cruise-line-operator-carnival-confirms-ransomware-data-theft/
--Ransomware Operators Post School District Data Online
(October 10 & 12, 2020)
Maze ransomware operators have published data stolen from Fairfax County (Virginia) Public Schools. The information about students and employees was taken during a September 2020 attack.
[Editor Comments]
[Neely] Maze is known for their pay-or-publish stance. Unless you know the specific data taken, that's an effective threat. The school district's actions indicate they are not paying the ransom, but instead offering credit monitoring to those impacted. Know, document, and verify locations of sensitive data before an incident occurs - not just personal information, but also company proprietary information and records. Walk through your response process for attempted disclosure of this information.
Read more in:
Washington Post: Hackers post stolen information from Fairfax school district
https://www.washingtonpost.com/local/education/hackers-post-stolen-information-from-fairfax-school-district/2020/10/10/edf5f050-0b1a-11eb-859b-f9c27abe638d_story.html
Security Week: Hackers Publish Public School District's Stolen Data Online
https://www.securityweek.com/hackers-publish-public-school-districts-stolen-data-online
Statescoop: Maze ransomware attackers leak data stolen from suburban Washington schools
https://statescoop.com/maze-ransomware-attackers-leak-data-stolen-from-suburban-washington-schools/
******************************* SPONSORED LINKS ********************************
1) Webcast | Join SANS director, John Pescatore as he takes part in our upcoming webcast, "Modernizing Detection and Response with XDR in the Cloud Computing Era" | October 21 @ 3:30 PM EDT
| http://www.sans.org/info/217875
2) Webcast | Email authentication (DMARC at enforcement) is the key to protecting your domains and your brand from being used to phish your customers, partners, and employees. Join us for this DMARC Ask the Expert roundtable and learn how to quickly and easily authenticate who is sending email for you and achieve DMARC enforcement with the confidence that no good email will be blocked | October 27 @ 10:30 AM EDT
| http://www.sans.org/info/217880
3) Webcast | In our upcoming webcast, "Immunizing Modern Application Frameworks", participants will be shown how to deploy open source code pre-hardened from dangerous attacks | October 27 @ 12:00 PM EDT
| http://www.sans.org/info/217885
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--DHS Homeland Threat Assessment Report Reveals Hackers Targeted Census Bureau
(October 9, 2020)
The US Department of Homeland Security says that hackers targeted the US Census Bureau's computer network several times over the last year. The information was disclosed in a Homeland Threat Assessment report released last week. In addition to the threats posed to the US democratic process, the Cyber Threat to the Homeland section of the report also addresses nation state threats, cybercrime, and opportunities for cyber actors to exploit COVID-19.
[Editor Comments]
[Neely] The DHS report provides useful insight into motivations and tactics of foreign and domestic adversaries - which highlight patterns we are likely to see in the future. The attempted accesses to the US Census Bureau have been, so far, unsuccessful. Expect continued attempts to manipulate the election process and steal information around COVID-19 and supply chains. Impacting the distribution of over $675 billion makes the Census Bureau a very attractive target.
Read more in:
Bleeping Computer: DHS: Unknown hackers targeted the US Census Bureau network
https://www.bleepingcomputer.com/news/security/dhs-unknown-hackers-targeted-the-us-census-bureau-network/
DHS: Homeland Threat Assessment October 2020 (PDF)
https://www.dhs.gov/sites/default/files/publications/2020_10_06_homeland-threat-assessment.pdf
--Electrum Bitcoin Wallet Scam
(October 12, 2020)
Cybercriminals are targeting users of the Electrum cryptocurrency app. They send users what appears to be an update for the app, but which actually transfers the contents of the wallet to one controlled by the attackers. Over the past two years, the thieves have stolen more than $22 million.
[Editor Comments]
[Neely] This attack works because the Electrum network allows for anyone to add an ElectumX gateway server, and the app doesn't block popups from the bitcoin network, an egregious failing. Since the attacks started, Electum has added both bad-server blocking and popup blockers in the latest versions of the app. Verify that you're downloading your cryptocurrency wallet from the genuine source. Also, be mindful of unexpected OTP requests at application start up; that's what allows the transfer of all funds to the attackers account.
[Murray] The security of wallets and exchanges, for crypto or other currencies, is not a space for amateurs. Wallets and exchanges have proven to be lucrative targets for criminals. Most of us should rely upon banks, credit unions, and other insured and regulated institutions.
Read more in:
ZDNet: Bitcoin wallet update trick has netted criminals more than $22 million
https://www.zdnet.com/article/bitcoin-wallet-trick-has-netted-criminals-more-than-22-million/
--Disrupting TrickBot
(October 10 & 12, 2020)
Microsoft, ESET, Black Lotus Labs, and Symantec worked with the Financial Services Information Sharing and Analysis Center (FS-ISAC) to disrupt the TrickBot botnet. The organizations obtained a court order allowing them to seize TrickBot command-and-control servers. US Cyber Command has also taken steps to disrupt the TrickBot botnet by sending out configuration files that cut off communications between the infected machines and the command-and-control servers.
[Editor Comments]
[Ullrich] Kudos to Microsoft and its partners for being more aggressive against these botnets. Let's hope this takedown will have a lasting effect.
Read more in:
KrebsOnSecurity: Microsoft Uses Trademark Law to Disrupt Trickbot Botnet
https://krebsonsecurity.com/2020/10/microsoft-uses-copyright-law-to-disrupt-trickbot-botnet/
KrebsOnSecurity: Report: U.S. Cyber Command Behind Trickbot Tricks
https://krebsonsecurity.com/2020/10/report-u-s-cyber-command-behind-trickbot-tricks/
Washington Post: Cyber Command has sought to disrupt the world's largest botnet, hoping to reduce its potential impact on the election
https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html
Washington Post: Microsoft seeks to disrupt Russian criminal botnet it fears could seek to sow confusion in the presidential election
https://www.washingtonpost.com/technology/2020/10/12/microsoft-trickbot-ransomware/
Dark Reading: Security Firms & Financial Group Team Up to Take Down Trickbot
https://www.darkreading.com/vulnerabilities---threats/advanced-threats/security-firms-and-financial-group-team-up-to-take-down-trickbot/d/d-id/1339155
Cyberscoop: Cyber Command, Microsoft take action against TrickBot botnet before Election Day
https://www.cyberscoop.com/trickbot-takedown-cyber-command-microsoft/
ZDNet: Microsoft and others orchestrate takedown of TrickBot botnet
https://www.zdnet.com/article/microsoft-and-other-tech-companies-orchestrate-takedown-of-trickbot-botnet/
Bleeping Computer: TrickBot botnet targeted in takedown operations, little impact seen
https://www.bleepingcomputer.com/news/security/trickbot-botnet-targeted-in-takedown-operations-little-impact-seen/
--Governments Call for Encryption Backdoors
(October 11, 2020)
An "International Statement" calls for technology companies to provide a means for law enforcement to access communications protected by end-to-end encryption. The statement is signed by justice officials from the Five Eyes intelligence alliance - the UK, the US, Canada, Australia, and New Zealand - and from Japan and India.
[Editor Comments]
[Ullrich] I refuse to comment on yet another article about this outrageously bad idea. Everybody seems to agree that freedom is dangerous.
[Neely] Secure encryption does not need a back door to be decrypted. While we often talk about encryption algorithms, we don't often focus on key escrow. Key escrow can be used to recover the encryption key and then decrypt encrypted items, such as files or disks, and should be part of your processes to protect corporate information. The problem is that Internet protocols, such as TLS, are not intended or designed to use escrowed keys, and implementing processes so that "only law enforcement" can access and use keys has such significant risk of abuse as to be impractical.
[Murray] The struggle continues; it is not likely to end well for the Infrastructure, the economy, or the citizen.
Read more in:
Justice: International Statement: End-To-End Encryption and Public Safety
https://www.justice.gov/opa/pr/international-statement-end-end-encryption-and-public-safety
Security Week: 'Five Eyes' Alliance Demands Ways to Access Encrypted Apps
https://www.securityweek.com/five-eyes-alliance-demands-ways-access-encrypted-apps
ZDNet: Five Eyes governments, India, and Japan make new call for encryption backdoors
https://www.zdnet.com/article/five-eyes-governments-india-and-japan-make-new-call-for-encryption-backdoors/
The Register: Five Eyes nations plus Japan and India call for Big Tech to bake backdoors into everything
https://www.theregister.com/2020/10/11/international_statementon_end_to_end_encryption_and_public_safety/
--GAO: FAA Needs to Improve Avionics Cybersecurity Oversight
(October 12, 2020)
A report from the US Government Accountability Office (GAO) says that the Federal Aviation Administration (FAA) needs to strengthen its avionics cybersecurity oversight program. Avionics systems share information, including weather and positioning data, with "pilots, passengers, maintenance crews, other aircraft, and air-traffic controllers." As the systems become increasingly interconnected, the surface for cyberattacks also increases.
[Editor Comments]
[Neely] This is a reminder to regularly re-assess protection measures between OT and IT systems. Consider not only undesired access to OT systems, but also how data provided by those systems could be used inappropriately or used to reach inaccurate conclusions when taken out of context.
[Murray] If we have learned nothing else over the last decade, we should have learned that we cannot patch our way to security, not in "cyber," not in aviation. We must add "attack surface" management to our strategy. From aviation, "cybersecurity" needs to learn "failure mode" management, starting with "pilot (user) error" and "ransomware."
Read more in:
FCW: Watchdog: FAA needs to do more to address aircraft cybersecurity
https://fcw.com/articles/2020/10/12/aviation-cyber-faa-gao.aspx
GAO: AVIATION CYBERSECURITY | FAA Should Fully Implement Key Practices to Strengthen Its Oversight of Avionics Risks (PDF)
https://www.gao.gov/assets/720/710095.pdf
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Phishing Kits As Far As The Eye Can See
https://isc.sans.edu/forums/diary/Phishing+kits+as+far+as+the+eye+can+see/26660/
Open Packaging Conventions
https://isc.sans.edu/forums/diary/Open+Packaging+Conventions/26662/
Analyzing MSG Files
https://isc.sans.edu/forums/diary/Analyzing+MSG+Files+With+pluginmsgsummary/26664/
Nested .MSGs: Turtles All The Way Down
https://isc.sans.edu/forums/diary/Nested+MSGs+Turtles+All+The+Way+Down/26668/
Cisco Video Surveillance 8000 Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdp-rcedos-mAHR8vNx
55 New Apple Flaws
https://samcurry.net/hacking-apple/
Microsoft Attempting To Take Down Trickbot C2 Infrastructure
https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/
Google Chrome Cache Partitioning
https://developers.google.com/web/updates/2020/10/http-cache-partitioning
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
