SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #83
October 20, 2020
A Better Response to Ransomware and Three Critical Vulnerabilities Likely To Be Exploited Imminently
*****************************************************************************
SANS NewsBites October 20, 2020 Vol. 22, Num. 083
*****************************************************************************
THE TOP OF THE NEWS
Mississippi School District Paying a Company to Help it Recover Files After Ransomware Attack
Microsoft Releases Updates for RCE Flaws
SharePoint Vulnerability Warning
SonicWall Fixes Critical Flaw Affecting VPNs
REST OF THE WEEK'S NEWS
Microsoft's Azure Defender for IoT Released for Public Preview
Gitjacker Can Help Find Exposed Git Folders
Microsoft October Patch Tuesday Includes New Option to Disable JScript in IE
People are So Wary of Phishing eMails That They are Missing Legitimate Messages
US Dept. of Justice Indicts Russian Hackers Believed to be Responsible for NotPetya and Other Destructive Cyberattacks
US Cyberspace Solarium Commission ICT Supply Chain Security Recommendations
DDoS Attacks Hit Two Massachusetts School Systems
Fix Available for Vulnerability in TI WooCommerce Wishlist WordPress Plugin
INTERNET STORM CENTER TECH CORNER
************************ Sponsored By SANS *********************************
Virtual Forum | Join Jake Williams as he chairs The SANS Adversary Detection and Response Solutions Forum which will bring security vendors that have proven solutions for dealing with cybersecurity threats together with information security professionals seeking current best practices and effective tools for both detecting and responding to adversary threat activity | October 30 @ 10:30 AM EDT
| http://www.sans.org/info/217940
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
New OnDemand Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/ondemand/course/cloud-penetration-testing
MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep
- https://www.sans.org/ondemand/course/project-management-effective-communication-pmp-exam-prep
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Live Online Training Events and Summits
SANS San Francisco Winter 2020 - Live Online
Nov 30-Dec 5 PST | 11 Courses | Virtual Core NetWars
- https://www.sans.org/event/san-francisco-winter-2020-live-online
Pen Test HackFest - Live Online
Nov 16-21 EST | 15 Courses | Core NetWars + Coin-A-Palooza
- https://www.sans.org/event/pen-test-hackfest-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
OnDemand Training Special Offer: Get an iPad mini, Surface Go 2, or Take $300 Off with qualified OnDemand courses through October 28.
- www.sans.org/specials/north-america/
*****************************************************************************
TOP OF THE NEWS
--Mississippi School District Paying a Company to Help it Recover Files After Ransomware Attack
(October 19, 2020)
The Yazoo County School District in Mississippi has chosen to pay a private company $300,000 to regain access to encrypted files. The district became aware of the ransomware attack on Monday, October 12. It took its IT systems offline and engaged a cybersecurity company to help recover the files.
[Editor Comments]
[Pescatore] It looks like the $300K is to both improve security and recover the data. Essentially, rather than pay the arsonist to put out the fire in your burning house, you pay a contractor to rebuild it to existing fire codes and to build in smoke detectors and sprinklers - essential safety requirements.
[Neely] Paying the company to not only restore files but put in protections to prevent recurrence is a good approach, and it's more cost effective to implement controls prior to a compromise. The challenge we all face is obtaining management support to fund and resource the efforts when the attack is just a potential. The Yazoo County School District can be a case study to strengthen your position.
Read more in:
Infosecurity Magazine: Cyber-attack on Mississippi Schools Costs $300k
https://www.infosecurity-magazine.com/news/cyberattack-on-mississippi-schools/
--Microsoft Releases Updates for RCE Flaws
(October 15 & 16, 2020)
Microsoft has released fixes to address remote code execution vulnerabilities in the Windows Codecs Library and Visual Studio Code. The fixes come just days after Microsoft's scheduled monthly security update. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging users and admins to review the advisories and apply the patches as necessary.
[Editor Comments]
[Ullrich] The Visual Studio Code flaw is especially interesting. This editor is popular with developers, a group that has been targeted previously. Opening a JSON file in Visual Studio Code would be somewhat common, and it may be possible to trick a developer into opening a malicious file given the right pretext. This vulnerability is an effective vector for more targeted attacks.
Read more in:
ZDNet: Microsoft releases emergency security updates for Windows and Visual Studio
Threatpost: Microsoft Fixes RCE Flaws in Out-of-Band Windows Update
https://threatpost.com/microsoft-rce-flaws-windows-update/160244/
Security Week: CISA Warns of Remote Code Execution Bugs in Visual Studio, Windows Codecs Library
Bleeping Computer: Microsoft issues out-of-band Windows security updates for RCE bugs
US-CERT CISA: Microsoft Releases Security Updates to Address Remote Code Execution Vulnerabilities
MSRC: CVE-2020-17022 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-17022
MSRC: CVE-2020-17023 | Visual Studio JSON Remote Code Execution Vulnerability
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-17023
--SharePoint Vulnerability Warning
(October 16 & 19, 2020)
The UK's National Cyber Security Centre (NCSC) has issued a warning about a vulnerability in Microsoft SharePoint. Proof-of-concept exploit code has been released. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging users to heed the NCSC warning and patch vulnerable systems.
[Editor Comments]
[Ullrich] I pointed to this vulnerability in the last Patch Tuesday update as one to watch out for. It is more severe than the ICMPv6 issue that got more press. Also note that, based on anecdotal evidence, at least several states have in the past shared early election results via SharePoint sites (and what better way to sow uncertainty and fear than to make early results reported by states look "off"). This vulnerability has a lot of potential for evil.
[Neely] Apply the October updates to your on-premises SharePoint (versus hosted/M365) servers. The update, categorized as critical by Microsoft, is the primary mitigation to the vulnerability, followed by monitoring for IOCs and attempted lateral movement.
[Murray] "Proof-of-concept" code reduces the cost of attack to miscreants. While it may be evidence of how clever the authors of it are, it reduces both the amount of special knowledge that the attackers have to have and the work they have to do. This is particularly true where the vulnerability is so obscure or difficult to exploit that it must be demonstrated to be believed.
Read more in:
Health IT Security: Proof-of-Concept Prompts Alert on SharePoint Remote Execution Flaw
https://healthitsecurity.com/news/proof-of-concept-prompts-alert-on-sharepoint-remote-execution-flaw
Infosecurity Magazine: Government Spooks Urge Firms to Patch SharePoint Bug
https://www.infosecurity-magazine.com/news/government-spooks-urge-firms-patch/
NCSC: Alert: Risk of SharePoint vulnerability to UK organisations
https://www.ncsc.gov.uk/news/sharepoint-vulnerability-uk-organisations
--SonicWall Fixes Critical Flaw Affecting VPNs
(October 14 & 16, 2020)
A stack buffer overflow vulnerability in the SonicWall Network Security Appliance could be exploited to run arbitrary code or cause denial-of-service conditions. At the end of last week, "Shodan show[ed] over 800,000 VPN devices running vulnerable SonicOS software versions." SonicWall has released updates to address the problem.
[Editor Comments]
[Ullrich] Yet another vulnerability in a perimeter security device. This one looks a bit more tricky to exploit compared to some flaws in similar devices, but I am pretty sure someone is already working on the right exploit for this vulnerability.
[Neely] While there is currently no evidence of this being exploited in the wild, this is still a high-risk vulnerability which can also be used to cause a persistent denial-of-service condition. When prioritizing the needed update, be sure to incorporate any complexities of attempting this remotely.
[Honan] Updating firewalls, or indeed many other devices, during the pandemic is going to be a challenge for many IT teams as they try to do this remotely. Given that many ransomware attacks are now being launched via vulnerable remote access points, it is imperative that you review your change management processes to clarify how your IT team operates during the pandemic and to ensure they have the tools and training to apply critical patches remotely.
[Murray] Prefer end-to-end encryption that terminates on the application, not on the perimeter, not on an operating system. Whatever one thinks of its name, "Zero Trust" is an old idea whose time has come.
Read more in:
Duo: SonicWall Fixes Critical Flaw in Firewall Appliances
https://duo.com/decipher/sonicwall-fixes-critical-flaw-in-firewall-appliances
Threatpost: Critical SonicWall VPN Portal Bug Allows DoS, Worming RCE
https://threatpost.com/critical-sonicwall-vpn-bug/160108/
ZDNet: 800,000 SonicWall VPNs vulnerable to new remote code execution bug
https://www.zdnet.com/article/800000-sonicwall-vpns-vulnerable-to-new-remote-code-execution-bug/
Security Week: Critical Vulnerability Allows Hackers to Disrupt SonicWall Firewalls
https://www.securityweek.com/critical-vulnerability-allows-hackers-disrupt-sonicwall-firewalls
The Register: If you want to practise writing exploits and worms, there's a big hijacking hole in SonicWall firewall VPNs
https://www.theregister.com/2020/10/16/sonicwall_firewall_vuln/
Bleeping Computer: Critical SonicWall vulnerability affects 800K firewalls, patch now
Tripwire: SonicWall VPN Portal Critical Flaw (CVE-2020-5135)
https://www.tripwire.com/state-of-security/vert/sonicwall-vpn-portal-critical-flaw-cve-2020-5135/
******************************* SPONSORED LINKS ********************************
1) DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks| Get the whitepaper now!
| http://www.sans.org/info/217945
2) StrongKey has the only open source FIDO2 Certified Server. Ready to ELIMINATE PASSWORDS?
| http://www.sans.org/info/217950
3) Survey Available | The SANS 2020 Spending Survey is officially open and we are asking all people who work in the telecommunications, media, and technology industries to participate to help us gauge the spending trends in your industries! | Survey closes November 20
| http://www.sans.org/info/217955
*********************************************************************************
THE REST OF THE WEEK'S NEWS
--Microsoft's Azure Defender for IoT Released for Public Preview
(October 16, 2020)
Microsoft has released a new agentless Internet of Things (IoT) security solution for public preview. Organizations can use Azure Defender for IoT to help them "discover unmanaged IoT/OT assets, identify IoT/OT vulnerabilities, and continuously monitor for threats."
[Editor Comments]
[Murray] Appliances ("Things") should include only that functionality that is essential to their application. They must be able to protect themselves from any traffic that they are likely to encounter in their intended environment.
Read more in:
Microsoft: Azure Defender for IoT is now in public preview
ZDNet: Azure Defender for IoT enters public preview
https://www.zdnet.com/article/azure-defender-for-iot-enters-public-preview/
Bleeping Computer: Microsoft releases Azure Defender for IoT in public preview
--Gitjacker Can Help Find Exposed Git Folders
(October 19, 2020)
A new tool called Gitjacker can help users find exposed .git folders. It can also be used to download Git repositories, which puts sensitive information at risk of exposure.
Read more in:
ZDNet: New Gitjacker tool lets you find .git folders exposed online
https://www.zdnet.com/article/new-gitjacker-tool-lets-you-find-git-folders-exposed-online/
--Microsoft October Patch Tuesday Includes New Option to Disable JScript in IE
(October 19, 2020)
When Microsoft released its monthly security update last week, it also added an option for sysadmins to disable JScript execution in Internet Explorer (IE). JScript was introduced to IE in version 3.0 in 1996. It is no longer actively developed and receives updates only when there is evidence of active attacks exploiting it.
[Editor Comments]
[Neely] Use the Microsoft documentation on URLPOLICY flags to allow JScript only from trusted systems if still used; otherwise disable it altogether. You should be migrating off IE to newer, actively supported browsers such as the new Chromium-based Edge.
[Murray] One small step in the right direction. Browsers are porous, in part because of the default to include a lot of rarely used, and even, obscure, functionality. Browsers ought to be safe, at least by default, at least "out-of-the-box." Now if we could only rid the world of Flash.
Read more in:
ZDNet: Microsoft adds option to disable JScript in Internet Explorer
https://www.zdnet.com/article/microsoft-adds-option-to-disable-jscript-in-internet-explorer/
Microsoft: Option to disable JScript execution in Internet Explorer
https://support.microsoft.com/en-us/help/4586060/option-to-disable-jscript-execution
--People are So Wary of Phishing eMails That They are Missing Legitimate Messages
(October 16, 2020)
The Anti-Phishing Working Group says that users have become so wary of communications that might be phishing messages that they are ignoring legitimate communications. For example, organizations attempting to notify people that they may have come in contact with someone who tested positive for COVID-19 are finding it difficult to make sure those people get that information. Suggestions for improving the credibility of email messages include deploying Domain-based Message Authentication, Reporting and Conformance (DMARC), using a specification standard such as Brand Indicators for Message Identification (BIMI), or offering a different way for message recipients to respond.
[Editor Comments]
[Pescatore] As the article points out, there is not great data on the false positive (recipients mistrusting trustable communications) rate. On the other hand, most legitimate health care companies were already using trustable ways of contacting their customers prior to the pandemic. Extending this out to the unique issues of contact tracing should be a driver for a national approach on how to do so for the next time, and really needs to include the FCC moving beyond "urging" carriers to block spoofed numbers.
[Neely] The message of not clicking on unknown senders and being aware of COVID-19 themed phishing attacks clearly got through. Now is the time to refine user awareness so messages aren't missed. As part of your Phishing/Spam reporting, provide timely feedback on reporting of legitimate and illicit emails, to include affirmation of reporting test messages accurately. Additionally, if you have outside services sending legitimate alerts to employees, inform them of this activity early on so they can recognize it.
[Murray] Users are a large part of the attack surface of the enterprise. Like any other process, they must be suspicious of, and authenticate, the origin of all "inputs." The failure of users to authenticate inputs is implicated in more breaches than not. The total absence of false rejects would be an indication that this level of "zero trust" was not working.
Read more in:
SC Magazine: Phishing fears cause workers to reject genuine business communications
--US Dept. of Justice Indicts Russian Hackers Believed to be Responsible for NotPetya and Other Destructive Cyberattacks
(October 19, 2020)
The US Department of Justice (DoJ) has indicted six people in connection with their alleged involvement with a hacker group known as Sandworm. The group is widely believed to have been responsible for the cyberattack that cut off power to hundreds of thousands of people in Ukraine in late 2015, a second attack in Ukraine that cut off power in Kyiv, and the NotPetya worm that caused millions of dollars in damage. The six men are facing charges including computer fraud and conspiracy.
Read more in:
Wired: US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit
https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/
Vice: The U.S. Government Charged Russia's Most Destructive Hackers
https://www.vice.com/en/article/88a4da/us-charged-sandworm-gru-russia-most-destructive-hackers
Bleeping Computer: US indicts Russian GRU 'Sandworm' hackers for NotPetya, worldwide attacks
Security Week: U.S. Charges Russian Intelligence Officers for NotPetya, Industroyer Attacks
https://www.securityweek.com/us-charges-russian-intelligence-officers-notpetya-industroyer-attacks
Cyberscoop: US charges Russian GRU officers for NotPetya, other major hacks
https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/
Justice: Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace
Justice: Indictment, filed October 15, 2020 (PDF)
https://www.justice.gov/opa/press-release/file/1328521/download
--US Cyberspace Solarium Commission ICT Supply Chain Security Recommendations
(October 19, 2020)
The US Cyberspace Solarium Commission (CSC) has published a whitepaper outlining recommendations for improving information and communications technologies (ICT) supply chain cybersecurity. The whitepaper is one of several to have followed CSC's overarching strategic report that was released in March 2020.
Read more in:
C4isrNet: Cyber Solarium Commission outlines recommendations for strengthening the supply chain
SC Magazine: Cyber Solarium Commission lays out plan to secure supply chain
Solarium: Cyberspace Solarium Commission White Paper #4: Building a Trusted ICT Supply Chain
https://www.solarium.gov/public-communications/supply-chain-white-paper
--DDoS Attacks Hit Two Massachusetts School Systems
(October 16, 2020)
Two Massachusetts school systems have had classes disrupted by distributed denial-of-service (DDoS) attacks. Sandwich Public Schools experienced connectivity problems that disrupted remote learning for a week; the district said that the problems were due to a firewall failure. In Tyngsboro, the local middle school and high school were hit with a DDoS that forced the schools to remote learning for several days. The source of the Tyngsboro attacks was reportedly a device that someone brought to one of the schools.
[Editor Comments]
[Neely] The Tyngsboro DDoS attack was linked to a device being connected daily to their network. Implement isolation of visiting devices on your network and consider a device posture check as part of (re)admitting them to your corporate segments to reduce the potential for them to cause harm.
Read more in:
Infosecurity Magazine: DDoS Attacks Disrupt Massachusetts Schools
https://www.infosecurity-magazine.com/news/ddos-attacks-disrupt-massachusetts/
WickedLocal: Cyberattack disrupts remote learning in Sandwich schools
https://www.wickedlocal.com/news/20201014/cyberattack-disrupts-remote-learning-in-sandwich-schools
WHDH: Investigation underway after Tyngsboro schools hit by cyberattack
https://whdh.com/news/investigation-underway-after-tyngsboro-schools-hit-by-cyberattack/
--Fix Available for Vulnerability in TI WooCommerce Wishlist WordPress Plugin
(October 19, 2020)
A critical flaw in the TI WooCommerce Wishlist WordPress plugin could be exploited to gain full administrative access to vulnerable sites. The flaw is being actively exploited; the plugin has more than 70,000 active installations. Users are urged to update to TI WooCommerce Wishlist version 1.21.12.
[Editor Comments]
[Neely] If your automatic plugin updates are configured but not working, you may need to reset permissions on your WordPress site.
Read more in:
Portswigger: Vulnerability in WordPress plugin TI WooCommerce Wishlist could allow full site takeover
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
CVE-2020-5135 SonicWall Buffer Overflow
https://isc.sans.edu/forums/diary/CVE20205135+Buffer+Overflow+in+SonicWall+VPNs+Patch+Now/26692/
Spammer Attached Mass Mailer Configuration Instead of Malware
https://isc.sans.edu/forums/diary/File+Selection+Gaffe/26694/
Traffic Analysis Quiz: Ugly-Wolf.net
https://isc.sans.edu/forums/diary/Traffic+Analysis+Quiz+UglyWolfnet/26688/
Qualcomm QCMAP Vulnerabilities
https://www.vdoo.com/blog/qualcomm-qcmap-vulnerabilities
Discord Desktop App RCE
https://mksben.l0.cm/2020/10/discord-desktop-rce.html
Out of Band MSFT Patches
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-17022
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-17023
Adobe Magento Patches
https://helpx.adobe.com/security/products/magento/apsb20-59.html
Attacks against SS7
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create