Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #82

October 16, 2020

Two Big Cyber Takedowns and the New NSA


*****************************************************************************

SANS NewsBites               October 16, 2020               Vol. 22, Num. 082

*****************************************************************************


THE TOP OF THE NEWS


   Cyber Command's TrickBot Disruption Efforts are "Precedent-Setting"

   Microsoft's TrickBot Legal Maneuver Could Help with Botnet Takedowns in the Future



REST OF THE WEEK'S NEWS


   New York Dept. of Financial Services Calls for Regulation of Social Media Companies After Twitter Hack

   Zoom Will Release Preview of End-to-End Encryption Next Week

   Updates Address Vulnerabilities in PhantomPDF

   Barnes and Noble Hit by Cyberattack

   German Authorities Conduct Raids in Connection with FinFisher Spyware

   Microsoft's October 2020 Patch Tuesday

   Adobe Issues Fixes for Another Critical Flash Flaw

   Adobe Releases Updates to Fix Nine Flaws in Magento


INTERNET STORM CENTER TECH CORNER

************************  Sponsored By Chronicle  *******************************


Google Cloud has launched modern security detection for modern security threats with Chronicle Detect.  Join our webinar on October 21st to see a demo of our next generation rules engine that operates at the speed of search and hear from Paul Farley, the Deputy CISO of NCR, about their journey with Chronicle.  Register today!

| http://www.sans.org/info/217920


*****************************************************************************

CYBERSECURITY TRAINING UPDATE

 

New OnDemand Courses


SEC588: Cloud Penetration Testing

- https://www.sans.org/ondemand/course/cloud-penetration-testing


MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep

- https://www.sans.org/ondemand/course/project-management-effective-communication-pmp-exam-prep


View all courses

- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand


Live Online Training Events and Summits


SANS San Francisco Winter 2020 - Live Online

Nov 30-Dec 5 PST | 11 Courses | Virtual Core NetWars

- https://www.sans.org/event/san-francisco-winter-2020-live-online


Pen Test HackFest - Live Online

Nov 16-21 EST | 15 Courses | Core NetWars + Coin-A-Palooza

- https://www.sans.org/event/pen-test-hackfest-2020-live-online


View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america

 

Free Resources

Tools, Posters, and more.

- https://www.sans.org/free

 

OnDemand Training Special Offer: Get an iPad mini, Surface Go 2, or Take $300 Off with qualified OnDemand courses through October 28.

- www.sans.org/specials/north-america/


*****************************************************************************

TOP OF THE NEWS   

 

-- Cyber Command's TrickBot Disruption Efforts are "Precedent-Setting"

(October 14, 2020)

US Cyber Command's efforts to disrupt the TrickBot botnet mark "the first public, obvious operation to stop someone's cyber capability before it could be used against us to cause even greater harm," according to Columbia University cyber conflict researcher Jason Healey. Cyber Command severed communication between infected machines and the botnet's command-and-control servers, and it injected nonsense data into the information TrickBot stole. While the efforts did not cause serious damage to the botnet, the action Cyber Command took "shows the growing reach of US military hackers."


[Editor Comments]


[Paller] This is a "tip of the iceberg" story. Paul Nakasone, and the extraordinarily capable leadership team he assembled, created a new NSA that is making a quiet but powerful difference on both the defensive and offensive side of cybersecurity. Both directly and through partnerships with DHS and other organizations, this is the NSA and Cyber Command we always hoped would emerge. Garrett Graff published an insightful review of Gen. Nakasone and his accomplishments in Wired on Monday: https://www.wired.com/story/general-paul-nakasone-cyber-command-nsa/: The Man Who Speaks Softly--and Commands a Big Cyber Army


[Neely] Beyond demonstrating the capability of US Cyber Command, this also reveals the recovery capabilities of the TrickBot botnet which will help with the eventual takedown. TrickBot uses Tor to obfuscate C&C servers as well as EmerDNS to register backup servers for fail-over. While it's not clear if a military response was appropriate, statements by Microsoft (www.nytimes.com/2020/10/12/us/politics/election-hacking-microsoft.html: Microsoft Takes Down a Risk to the Election, and Finds the U.S. Doing the Same) and Cyber Command (https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html: Cyber Command has sought to disrupt the world's largest botnet, hoping to reduce its potential impact on the election) support the actions to include election security concerns.


Read more in:

Wired: A Trickbot Assault Shows US Military Hackers' Growing Reach

https://www.wired.com/story/cyber-command-hackers-trickbot-botnet-precedent/

 
 

-- Microsoft's TrickBot Legal Maneuver Could Help with Botnet Takedowns in the Future

(October 13, 2020)

Microsoft, along with several security firms and the Financial Services Information Sharing and Analysis Center (FS-ISAC), also took steps to disrupt TrickBot's activity. While the efforts only temporarily hindered the botnet's operations, the court case in which Microsoft was granted control of TrickBot servers did set a new legal precedent that could help take action against botnets more quickly in the future.  


[Editor Comments]


[Neely] In the legal filing, Microsoft argued that Trickbot irreparably harms the company "by damaging its reputation, brands, and customer goodwill." In essence, the TrickBot behavior leads users to believe they are seeing intended actions in the Microsoft product. Brian Krebs provides detailed analysis of the case. https://krebsonsecurity.com/2020/10/microsoft-uses-copyright-law-to-disrupt-trickbot-botnet/: Microsoft Uses Trademark Law to Disrupt Trickbot Botnet


[Murray] The legal basis for this takedown is arguable; the bad guys are unlikely to come into court to argue their case.  Enterprise applications should be as resilient as this botnet.


Read more in:

ZDNet: TrickBot botnet survives takedown attempt, but Microsoft sets new legal precedent

https://www.zdnet.com/article/trickbot-botnet-survives-takedown-attempt-but-microsoft-sets-new-legal-precedent/


*******************************  SPONSORED LINKS  ********************************


1) October 22 |  A deep dive webinar into how Passive DNS can support rapid investigation into criminal activity associated with your network.

| http://www.sans.org/info/217925


2) Virtual Forum | We have an incredible virtual solutions forum coming up in less than 2 weeks! The SANS Adversary Detection and Response Solutions Forum brings security vendors that have proven solutions for dealing with cybersecurity threats together with information security professionals seeking current best practices and effective tools for both detecting and responding to adversary threat activity | October 30 @ 10:30 AM EDT

| http://www.sans.org/info/217930


3) Webcast | Join SANS director, John Pescatore as he takes part in our upcoming webcast, "Modernizing Detection and Response with XDR in the Cloud Computing Era" | October 21 @ 3:30 PM EDT

| http://www.sans.org/info/217935


*********************************************************************************

THE REST OF THE WEEK'S NEWS

 

-- New York Dept. of Financial Services Calls for Regulation of Social Media Companies After Twitter Hack

(October 14 & 15, 2020)

In an investigative report into the July 2020 Twitter cybersecurity incident, the New York Department of Financial Services calls for "public oversight of social media," to help improve their cybersecurity practices. The report notes that the "Twitter hack demonstrates the need for strong cybersecurity to curb the potential weaponization of major social media companies."


[Editor Comments]


[Murray] While the authority of the NY DFS is limited to enterprises that are licensed or chartered by the state of New York, all enterprises can and should operate consistent with their reasonable and useful requirements. The large states are playing a useful role in defining standards of care. In some cases, the states have asserted their authority beyond enterprises that they "license or charter" to those that "operate or offer services in."


Read more in:

DFS: Twitter Investigation Report

https://www.dfs.ny.gov/Twitter_Report

Duo: New York Wants Social Media Companies to be Regulated

https://duo.com/decipher/new-york-wants-social-media-companies-to-be-regulated

Cyberscoop: New York regulator faults Twitter for lax security measures prior to big account breach

https://www.cyberscoop.com/twitter-hack-social-engineering-new-york-financial-services/

The Register: Security much? Twitter should have had a CISO to prevent Bitcoin hack, says US state financial body

https://www.theregister.com/2020/10/15/twitter_hack_report_new_york_post_censorship/

 
 

-- Zoom Will Release Preview of End-to-End Encryption Next Week

(October 14 & 15, 2020)

Zoom plans to release a technical preview of its end-to-end encryption (E2EE) next week. The company will be "proactively soliciting feedback from users for the first 30 days." When Zoom's E2EE is rolled out, the feature will be available to all users.


[Editor Comments]


[Neely] Kudos to Zoom for delivering the solution so rapidly. The primary difference here is where encryption keys are generated and who can decrypt the content. In short, with E2EE, the meeting host generates the key and uses PKI to transmit them to participants, while previously the Zoom server generated and transmitted those keys, which meant that Zoom could share them with supporting services such as meeting transcription and live streaming which need decrypted content. Several features are disabled with E2EE such as join before host, breakout rooms, cloud recording and transcription. Read Zoom's FAQs on their blog below to see all the impacts.


[Murray] ???


Read more in:

Zoom: Zoom Rolling Out End-to-End Encryption Offering

https://blog.zoom.us/zoom-rolling-out-end-to-end-encryption-offering/

ZDNet: Zoom to roll out end-to-end encrypted (E2EE) calls

https://www.zdnet.com/article/zoom-to-roll-out-end-to-end-encrypted-e2ee-calls/

Threatpost: Zoom Rolls Out End-to-End Encryption After Setbacks

https://threatpost.com/zoom-end-to-end-encryption/160150/

The Register: Remember when Zoom was rumbled for lousy crypto? Six months later it says end-to-end is ready

https://www.theregister.com/2020/10/15/zoom_end_to_end_security/

 
 

-- Updates Address Vulnerabilities in PhantomPDF

(October 13, 2020)

Updates are available to address four high-severity security flaws in Foxit's PhantomPDF. Users are urged to upgrade PhantomPDF version 10.1 for Windows and PhantomPDF version 4.1 for Mac. The Us Cybersecurity and Infrastructure Security Agency (CISA) warned of the flaws in a vulnerability summary earlier this month.


[Editor Comments]


[Neely] The exploit leverages a use-after-free condition to cause malicious code to be executed. The updates address CVE-2020-26534, CVE-2020-26535, CVE-2020-26537 and CVE-2020-26539. The Windows update was released September 28th, Mac version October 9th. The CVSS 3.x scores are 9.8, indicating rapid update is prudent.


Read more in:

The Register: For Foxit's sake: Windows and Mac users alike urged to patch PhantomPDF over use-after-free vulns

https://www.theregister.com/2020/10/13/foxit_phantompdf_vulns_update/

TechRadar: This popular PDF software needs to be updated ASAP

https://www.techradar.com/news/this-popular-pdf-software-needs-to-be-updated-asap

US-CERT CISA: Vulnerability Summary for the Week of October 5, 2020

https://us-cert.cisa.gov/ncas/bulletins/sb20-286

 
 

-- Barnes and Noble Hit by Cyberattack

(October 14 & 15, 2020)

US bookseller Barnes & Noble has disclosed a security breach that may have compromised customer data. The company issued a statement, saying, "We have a serious network issue and are in the process of restoring our server backups." The attack reportedly occurred on October 10. Since then, users of Barnes & Noble's Nook Digital eBook and eReader platform have said they are unable to access their libraries of eBooks and periodical subscriptions.


[Editor Comments]


[Neely] Barnes & Noble believes the attack was due to an intrusion, rather than ransomware, possibly leveraging a previously identified flaw in their VPN servers (CVE-2019-11510). Be sure to not only monitor for inappropriate system access, but also mitigate or remediate flaws in boundary protection devices expeditiously.


Read more in:

ZDNet: Barnes & Noble confirms cyberattack, suspected customer data breach

https://www.zdnet.com/article/barnes-noble-confirms-cyberattack-customer-data-breach/

Threatpost: Barnes & Noble Hack: A Reading List for Phishers and Crooks

https://threatpost.com/barnes-noble-hack-phishers-crooks/160148/

Bleeping Computer: Barnes & Noble hit by cyberattack that exposed customer data

https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-cyberattack-that-exposed-customer-data/

 
 

-- German Authorities Conduct Raids in Connection with FinFisher Spyware

(October 14 & 15, 2020)

Earlier this month, German authorities searched 15 homes and businesses in connection with FinFisher, a company that develops and sells surveillance software. The company is being investigated over suspicions that it exported its FinSpy surveillance software to countries without an export license. If this is true, the company could be charged with violating the Foreign Trade and Payments Act.


[Editor Comments]


[Murray] ???


Read more in:

dw: Police carry out raids linked to German spyware firm FinFisher

https://www.dw.com/en/police-carry-out-raids-linked-to-german-spyware-firm-finfisher/a-55270507

ZDNet: German authorities raid FinFisher offices

https://www.zdnet.com/article/german-authorities-raid-finfisher-offices/

Portswigger: German police raid tech firm FinFisher over spyware allegations

https://portswigger.net/daily-swig/german-police-raid-tech-firm-finfisher-over-spyware-allegations

 
 

-- Microsoft's October 2020 Patch Tuesday

(October 13 & 14, 2020)

On Tuesday, October 13, Microsoft released updates to address nearly 90 security issues in Windows and Windows-related products. Eleven of the vulnerabilities are rated critical. One of the most concerning flaws, CVE-2020-16898, is a Windows TCP/IP remote code execution vulnerability that has been dubbed "Bad Neighbor." The vulnerability can be exploited by sending maliciously crafted packets.


[Editor Comments]


[Ullrich] A lot has been written about the ICMPv6 "Bad Neighbor" vulnerability. While the flaw is pretty straight-forward, exploitation isn't quite as easy, and calling the vulnerability "wormable", while technically correct, is a bit of a stretch. In order to exploit the vulnerability, an attacker has to be on the same network segment as the victim. A worm would only spread in one network segment as the packets are not routable. Remote code execution will also require an information disclosure vulnerability in addition to this code execution vulnerability. If an attacker has a foothold in your network, there are probably a dozen easier to exploit vulnerabilities.

https://isc.sans.edu/forums/diary/CVE202016898+Windows+ICMPv6+Router+Advertisement+RRDNS+Option+Remote+Code+Execution+Vulnerability/26684/: CVE-2020-16898: Windows ICMPv6 Router Advertisement RRDNS Option Remote Code Execution Vulnerability


[Murray] ???


Read more in:

KrebsOnSecurity: Microsoft Patch Tuesday, October 2020 Edition

https://krebsonsecurity.com/2020/10/microsoft-patch-tuesday-october-2020-edition/

SC Magazine: Microsoft Patch Tuesday fixes 87 flaws, 11 critical

https://www.scmagazine.com/home/patch-management/microsoft-patch-tuesday-fixes-87-flaws-11-critical/

Threatpost: October Patch Tuesday: Microsoft Patches Critical, Wormable RCE Bug

https://threatpost.com/october-patch-tuesday-wormable-bug/160044/

McAfee: CVE-2020-16898: "Bad Neighbor"

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/cve-2020-16898-bad-neighbor/

Bleeping Computer: US Cyber Command: Patch Windows 'Bad Neighbor' TCP/IP bug now

https://www.bleepingcomputer.com/news/security/us-cyber-command-patch-windows-bad-neighbor-tcp-ip-bug-now/

MSRC: Windows TCP/IP Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-16898

 
 

-- Adobe Issues Fixes for Another Critical Flash Flaw

(October 13, 2020)

Adobe has released updates to fix for a critical flaw in Flash Player that could be exploited to crash vulnerable installations and allow remote code execution. The NULL pointer dereference vulnerability is fixed in versions 32.0.0.445 of Flash Player products.


[Editor Comments]


[Ullrich] Adobe Flash support will be ending this year. As part of this latest update, Adobe will also suggest uninstalling Flash. Please follow Adobe's advice.


[Neely] Fixes to Chrome and Microsoft Edge are included in their latest updates. Verify Flash update status via chrome://components and edge://components functions. Better still, disable Flash where not needed.


[Murray] Enterprises should have, by now, long since gotten rid of Flash.


Read more in:

Threatpost: Critical Flash Player Flaw Opens Adobe Users to RCE

https://threatpost.com/flash-player-flaw-adobe-rce/160034/

Adobe: Security updates available for Adobe Flash Player | APSB20-58

https://helpx.adobe.com/security/products/flash-player/apsb20-58.html

nvd.nist: CVE-2020-9746 Detail

https://nvd.nist.gov/vuln/detail/CVE-2020-9746

 
 

-- Adobe Releases Updates to Fix Nine Flaws in Magento

(October 15, 2020)

A pair of critical vulnerabilities in Adobe's Magento ecommerce platform could be exploited to gain read/write access to the database or to execute arbitrary code. These flaws, along with seven other less severe issues, affect both Magento Commerce, which has a licensing fee, and Magento Open Source, which does not. Adobe has released updates to address the vulnerabilities.  


Read more in:

Threatpost: Critical Magento Holes Open Online Shops to Code Execution

https://threatpost.com/critical-magento-holes-online-shops-code-execution/160181/

Adobe: Security Updates Available for Magento | APSB20-59

https://helpx.adobe.com/security/products/magento/apsb20-59.html

 

INTERNET STORM CENTER TECH CORNER

 

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create