SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #84
October 23, 2020The Top 25 Critical Vulnerabilities are Being Exploited by the Chinese: NSA -- Patch Them Now
CISOs and security technical directors are personally at risk of being caught making excuses (COVID-based for the most part) rather than implementing the basic security hygiene that makes their organizations defensible. Lee Neelys comment in the NSA story at the Top of the News should be posted on the (electronic) wall of every security organization, assigned very specifically to individuals who commit to near-term delivery dates, and assessed every day: Regularly patch and verify the security of products, replace old or obsolete products, use internal trusted or isolated management networks, block deprecated services at the perimeter, enable logging, alerting and monitoring. Remember to validate systems for signs of compromise during the interval prior to update, and address any issues discovered.
*****************************************************************************
SANS NewsBites October 23, 2020 Vol. 22, Num. 084
*****************************************************************************
THE TOP OF THE NEWS
NSA: China is Exploiting These Vulnerabilities. Patch Now.
Oracles Quarterly Patch Update Includes Fixes for More than 400 Vulnerabilities
Google Patches Chrome Zero-day
Cisco Releases Fixes for Network Security Products
*************************** Sponsored By Chronicle ************************************
Virtual Forum | Join Jake Williams as he chairs The SANS Adversary Detection and Response Solutions Forum which will bring security vendors that have proven solutions for dealing with cybersecurity threats together with information security professionals seeking current best practices and effective tools for both detecting and responding to adversary threat activity | October 30 @ 10:30 AM EDT | http://www.sans.org/info/217940
*****************************************************************************
REST OF THE WEEKS NEWS
WordPress Forces Update for Loginizer Plugin
Adobe Releases Updates Outside of Schedule
Adobe Content Attribution Tool in Preview
Microsoft Doggedly Targets Trickbot Servers
EU Sanctions Russian Hackers
FDA Approves Medical Device Cybersecurity Scoring Tool
Finnish Psychotherapy Data Held for Ransom
Sopra Sterias Network Suffers Cyberattack
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
New OnDemand Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/ondemand/course/cloud-penetration-testing
MGT525: IT Project Management, Effective Communication, and PMP Exam Prep
- https://www.sans.org/ondemand/course/project-management-effective-communication
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Live Online Training Events and Summits
Pen Test HackFestLive Online
Nov 16-21 EST | 15 Courses | Core NetWars + Coin-A-Palooza
- https://www.sans.org/event/pen-test-hackfest-2020-live-online
SANS San Francisco Winter 2020 - Live Online
Nov 30-Dec 5 PST | 10 Courses | Virtual Core NetWars
- https://www.sans.org/event/san-francisco-winter-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
OnDemand Training Special Offer: Get an iPad mini, Surface Go 2, or Take $300 Off with qualified OnDemand courses through October 28.
- www.sans.org/specials/north-america/
*****************************************************************************
TOP OF THE NEWS
--NSA: China is Exploiting These Vulnerabilities. Patch Now.
(October 20 & 21, 2020)
The US National Security Agency (NSA) has published a cybersecurity advisory listing 25 vulnerabilities that Chinese state-sponsored hackers are most frequently exploiting to gain access to computer networks of interest that hold sensitive intellectual property, economic, political, and military information. All 25 flaws are known and have fixes available.
[Editor Comments]
[Ullrich] This report shows how nation state actors are using the same flaws everybody else is abusing to compromise networks. The list is led by flaws in perimeter security devices. These flaws have been heavily abused by ransomware gangs, crypto coin miners and essentially anybody interested in breaching a corporate network. A good reminder to review your vulnerability scans. If you find any of these 25 flaws included, assume that it has already been exploited. Even if you are not the target of Chinese nation state attackers.
[Neely] While it is interesting to note that the list includes vulnerabilities from 2015 and 2018, dont look to the specific vulnerabilities exploited, look to the general cyber hygiene recommendations. Regularly patch and verify the security of products, replace old or obsolete products, use internal trusted or isolated management networks, block deprecated services at the perimeter, enabling logging, alerting and monitoring. Remember to validate systems for signs of compromise during the interval prior to update, and address any issues discovered.
[Honan] Excellent resource.
Read more in:
Threatpost: Bug Parade: NSA Warns on Cresting China-Backed Cyberattacks
https://threatpost.com/bug-nsa-china-backed-cyberattacks/160421/
ZDNet: NSA publishes list of top vulnerabilities currently targeted by Chinese hackers
Duo: Enterprises Should Fix These 25 Flaws
https://duo.com/decipher/enterprises-should-fix-these-25-flaws
SC Magazine: NSA releases list of 25 vulnerabilities targeted by China
Defense: Chinese State-Sponsored Actors Exploit Publicly Known Vulnerabilities (PDF)
--Oracles Quarterly Patch Update Includes Fixes for More than 400 Vulnerabilities
(October 20 & 21, 2020)
Oracle has released its scheduled quarterly Critical Patch Update (CPU) for October 2020. The CPU includes fixes for more than 400 security flaws affecting multiple product lines. More than half of the vulnerabilities are remotely exploitable without authentication.
[Editor Comments]
[Pescatore] This issue of NewsBites is chock-full of high criticality patches; this Oracle mega-patch is one of many on the server or appliance side of things. IT ops groups may be consumed by supporting large-scale Work From Home, with critical Exchange, VPN server and other actively exploited vulnerabilities staying unpatched and often unmitigated even longer than in past years. The item detailing the NSA warning is a good one to use to convince CIOs and upper management that providing sufficient change-window time right now needs to be a high priority.
[Neely] These updates are spread across 27 products. The larger update interval Oracle uses provides for application of updates to business applications and services with less interruption and more regression testing. There are hopes that Oracle continues to grow, more frequent updates to commodity products will become available to reduce the number of updates released at each interval.
[Murray] Expect another 400 or so next quarter. A quarterly schedule is more efficient for the maintainer but means that the vulnerabilities have a longer life, some longer than three months. 400 suggests a large reservoir of both known and unknown vulnerabilities.
Read more in:
Threatpost: Oracle Kills 402 Bugs in Massive October Patch Update
https://threatpost.com/oracle-october-patch-update/160407/
The Register: How much does Oracle love you? Thiiiis much: Latest patch bundle has 402 fixes
https://www.theregister.com/2020/10/21/oracle_october_patches/
DarkReading: Oracle Releases Another Mammoth Security Patch Update
Oracle: Oracle Critical Patch Update Advisory - October 2020
https://www.oracle.com/security-alerts/cpuoct2020.html
--Google Patches Chrome Zero-day
(October 20 & 21, 2020)
Google has fixed a vulnerability in Chrome that was being actively exploited. The heap buffer overflow memory corruption flaw affects the FreeType font-rendering engine. The issue has been fixed in Chrome 86.0.4240.111. It has also been fixed in FreeType 2.10.4.
[Editor Comments]
[Neely] The urgency is being driven by the active exploitation of the vulnerability. You should already be pushing this update out to your Mac, Windows and Linux systems. An update was also just released for ChromeOS and Android platforms (86.0.4240.112 and 86.0.4240.114 respectively) which systems will be receiving through the regular update process over the next several days. If you are using the non-browser embedded FreeType, push updates for that as well.
[Murray] Browsers are notoriously porous because they are feature-rich and easily extensible. They should be routinely maintained and isolated from mission critical applications.
Read more in:
Duo: Google Patches Bug Used in Active Attacks Against Chrome
https://duo.com/decipher/google-patches-bug-used-in-active-attacks-against-chrome
Threatpost: Google Patches Actively-Exploited Zero-Day Bug in Chrome Browser
https://threatpost.com/google-patches-zero-day-browser/160393/
ZDNet: Google releases Chrome security update to patch actively exploited zero-day
--Cisco Releases Fixes for Network Security Products
(October 21, 2020)
Cisco has released 17 advisories to address high-severity flaws in Cisco Adaptive Security Appliance (ASA), Firepower Threat Defense (FTD), and Firepower Management Center (FMC). Most of the vulnerabilities can be exploited remotely without authentication to create denial-of-service conditions.
[Editor Comments]
[Neely] While there is no current evidence of active exploitation, the DOS conditions, if enacted, require a device reboot to clear, making updating now a more attractive option.
Read more in:
Threatpost: Cisco Warns of Severe DoS Flaws in Network Security Software
https://threatpost.com/cisco-dos-flaws-network-security-software/160414/
Security Week: Cisco Patches 17 High-Severity Vulnerabilities in Security Appliances
https://www.securityweek.com/cisco-patches-17-high-severity-vulnerabilities-security-appliances
Cisco: Cisco Event Response: October 2020 Cisco ASA, FMC, and FTD Software Security Advisory Bundled Publication
https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-74302
******************************* SPONSORED LINKS ************************
1) Be sure to join us for the Adversary Detection and Response Solutions Forum, chaired by security expert Jake Williams! This forum will present carefully curated technologies that can be used by practitioners to both detect intrusions and remediate issues quickly | October 30 @ 10:30 AM EDT | http://www.sans.org/info/217985
2) Tune in to our upcoming webcast titled, "Quick Wins for Securing your Cloud Workloads." This webcast will be chaired by SANS analyst Dave Shackleford and will cover examples of recent attacks against cloud workloads, what they have in common, and discuss quick wins to gain maximum coverage quickly | October 28 @ 10:30 AM EDT | http://www.sans.org/info/217995
3) In our upcoming webcast, "Immunizing Modern Application Frameworks", participants will be shown how to deploy open source code pre-hardened from dangerous attacks | October 27 @ 12:00 PM EDT | http://www.sans.org/info/218000
*****************************************************************************
THE REST OF THE WEEKS NEWS
--WordPress Forces Update for Loginizer Plugin
(October 21, 2020)
WordPress has forced an update for the Loginizer plugin to address an unauthenticated SQL injection vulnerability. The flaw could be exploited to take over vulnerable sites. WordPress has had the ability to force plugin updates since 2013 but has rarely used the feature. The plugin is installed on more than one million sites; the issue is fixed in Loginizer 1.6.4.
[Editor Comments]
[Neely] While WordPress has forced the update, deemed one of the most severe flaws in recent history by their security team, its still prudent to validate that your WordPress installation has been updated. The issue is in the brute force login protection, which is enabled by default, that stores bad login username in the database. A malformed login, which includes SQL statements, is then stored in the database without sanitization, which allows for those statements to be executed without authentication.
Read more in:
ZDNet: WordPress deploys forced security update for dangerous bug in popular plugin
WPScan: Loginizer < 1.6.4 - Unauthenticated SQL Injection
https://wpscan.com/vulnerability/10441
--Adobe Releases Updates Outside of Schedule
(October 21, 2020)
Adobe has released updates to address critical flaws in 10 products, including Illustrator, Dreamweaver, After Effects, Photoshop, and the Creative Cloud Desktop application. All of the flaws could be exploited to allow arbitrary code execution. This is the second out-of-schedule round of fixes Adobe has released this month; last week, Adobe released fixes for flaws in its Magento ecommerce platform.
[Editor Comments]
[Neely] These updates affect both the Windows and macOS products. Users with the Creative Cloud desktop app will be automatically updated; even so, verify the updated versions are deployed.
[Murray] Out-of-schedule fixes suggest urgency and are often to vulnerabilities that are being actively exploited. Even though such fixes are expensive to the user, they deserve special attention.
Read more in:
Threatpost: Adobe Fixes 16 Critical Code-Execution Bugs Across Portfolio
https://threatpost.com/adobe-critical-code-execution-bugs/160369/
ZDNet: Adobe releases another out-of-band patch, squashing critical bugs across creative software
Adobe: Recent bulletins and advisories
https://helpx.adobe.com/security.html
--Adobe Content Attribution Tool in Preview
(October 20, 2020)
Adobe is offering a preview of a secure digital watermark technology, an attribution tool for Photoshop and Behance, to help identify images as real and to combat deepfake information. The tool will be available to select customers in pre-release within Photoshop and Behance within the coming weeks. The development of the tool is part of the larger Content Authenticity Initiative, a coalition of organizations working toward a common goal of building a system to provide provenance and history for digital media, giving creators a tool to claim authorship and empowering consumers to assess whether what they are seeing is trustworthy.
[Editor Comments]
[Murray] Be sure that your copyright notice is included in the content so protected.
Read more in:
ZDNet: Adobe previews content attribution tool in Photoshop to fight deep fakes
https://www.zdnet.com/article/adobe-previews-content-attribution-tool-in-photoshop/
GovTech: Adobe Transparency Tool to Help Prove Images Arent Doctored
https://www.govtech.com/security/Adobe-Transparency-Tool-to-Help-Prove-Images-Arent-Doctored.html
Adobe: The Content Authenticity Initiative unveils content attribution tool within Photoshop and Behance
Content Authenticity: Creating the standard for digital content attribution.
https://contentauthenticity.org/
--Microsoft Doggedly Targets Trickbot Servers
(October 20 & 21, 2020)
The Trickbot botnet is being assailed from multiple angles. Earlier this month, Microsoft obtained a court order that allowed it to seize Trickbot servers operating within the US. Aware that the action was a temporary roadblock for the botnet, Microsoft has more recently been successful in efforts to seize Trickbot servers operating outside the US. US Cyber Command has also taken action to thwart Trickbot, and Europol has arrested 20 people in connection with laundering money for Trickbot operators.
[Editor Comments]
[Honan] Kudos to all involved in these takedowns. We regularly hear that criminals are becoming more efficient and effective due to various groups working together. It is great to see those on the side of good working together to make life more difficult for criminals.
Read more in:
Duo: Microsoft Continues Dismantling Trickbot
https://duo.com/decipher/microsoft-continues-dismantling-trickbot
Ars Technica: Trickbotthe for-hire botnet Microsoft attackedis scrambling to stay alive
ZDNet: Microsoft says it took down 94% of TrickBot's command and control servers
--EU Sanctions Russian Hackers
(October 22, 2020)
The Council of the European Union has imposed sanctions on Russian hackers for their roles in a 2015 cyberattack against Germanys Federal Parliament (Deutscher Bundestag). The sanctions impose travel bans and freeze assets. Additionally, EU organizations and individuals are prohibited from transferring funds to the sanctioned entities.
Read more in:
Consilium: Malicious cyber-attacks: EU sanctions two individuals and one body over 2015 Bundestag hack
Bleeping Computer: EU sanctions Russian hackers over 2015 German parliament attack
Cyberscoop: EU slaps sanctions on GRU leader, Fancy Bear, FBI-wanted hacker over Bundestag attack
https://www.cyberscoop.com/eu-gru-fancy-bear-bundestag-russia/
--FDA Approves Medical Device Cybersecurity Scoring Tool
(October 22, 2020)
The US Food and Drug Administration (FDA) has approved a rubric for assigning Critical Vulnerability Scoring System (CVSS) scores to vulnerabilities in medical devices. MITRE submitted its proposed rubric last year. The FDA has just announced that it has been approved as a Medical Device Development Tool (MDDT). Vendors can use this MDDT to communicate measurements from the rubric about their devices with the FDA for pre-market security and risk assessments.
[Editor Comments]
[Neely] This creates a common language and terminology for discussion and publishing issues, which should help making assessment and risk acceptance decisions more consistent. Even so, the pure score has to be weighted with environmental factors relating to the ability of vulnerabilities to be exploited. When using those factors, regular validation is necessary to ensure they havent been circumvented or bypassed.
[Pescatore] Note that vendors *can* use this tool/approach, but the FDA is *not* requiring them to do so. Ive been a big fan of the CVSS standard since V1 came out in 2005 or so. That same year, the FDA issued Guidance for Industry 1553 to the medical device industry, which removed barriers to medical equipment vendors rapidly issuing patches for vulnerabilities in their products because of FDA certification issues. In 2020, we are on V3 of the CVSS standard (which vendors originally fought) and CVSS has proven to be very usefulbut the medical device industry is pretty much where it was 15 years ago vulnerability-wise. We really need to see the FDA force progress in making medical devices saferjust removing barriers has not been enough.
[Murray] The attack surface of a medical device should be as limited as its application and environment permit. If it includes an operating system, it is already too big.
Read more in:
Security Week: FDA Approves Use of New Tool for Medical Device Vulnerability Scoring
https://www.securityweek.com/fda-approves-use-new-tool-medical-device-vulnerability-scoring
SC Magazine: FDA vulnerability grading system proves all risk not created equal
MITRE: Rubric for Applying CVSS to Medical Devices (September 2019)
https://www.mitre.org/publications/technical-papers/rubric-for-applying-cvss-to-medical-devices
--Finnish Psychotherapy Data Held for Ransom
(October 21, 2020)
Vastaamo, a Finnish organization that provides psychotherapy to thousands of people across the country, says they have been contacted by an unknown hostile party claiming to have stolen patient data. Vastaamo has notified authorities about the incident.
Read more in:
NewsNowFinland: Hackers hold patient information for ransom in psychotherapy data breach
--Sopra Sterias Network Suffers Cyberattack
(October 22, 2020)
French IT outsourcing firm Sopra Steria has been hit with a cyberattack. According to a regulatory statement, the company detected the attack on the evening of October 20. Reports suggest that the Sopra Steria network was infected with Ryuk ransomware, which was also used in the attack targeting Universal Health Services last month.
Read more in:
Bleeping Computer: French IT giant Sopra Steria hit by Ryuk ransomware
https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/
The Register: French IT outsourcer Sopra Steria hit by 'cyberattack', Ryuk ransomware suspected
https://www.theregister.com/2020/10/22/sopra_steria_ryuk_ransomware_reports/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Mirai-alike Python Scanner
https://isc.sans.edu/forums/diary/Miraialike+Python+Scanner/26698/
Shipping Dangerous Goods
https://isc.sans.edu/forums/diary/Shipping+dangerous+goods/26702/
BazarLoader Phishing Lures
Google Chrome Update (actively exploited vulnerability fixed)
https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop_20.html
QNAP Fixes ZeroLogon Vulnerability
https://www.qnap.com/en/security-advisory/qsa-20-07
GravityRat Going Multi Platform
Chinese State-Sponsored Actors Exploit Same Vulnerabilities as Others
US Census Spoof
URL Bar Spoofing Vulnerabilities
https://thehackernews.com/2020/10/browser-address-spoofing-vulnerability.html
Stalled Reviews for Secure Boot Shim
https://github.com/rhboot/shim-review/issues/120
https://github.com/rhboot/shim-review/issues/102#issuecomment-698963751
Oracle Quarterly Critical Patch Update
https://www.oracle.com/security-alerts/cpuoct2020.html
Cisco Advisories
https://tools.cisco.com/security/center/publicationListing.x
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
