SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #85
October 27, 2020
*****************************************************************************
SANS NewsBites October 27, 2020 Vol. 22, Num. 085
*****************************************************************************
THE TOP OF THE NEWS
Hackers Disable Georgia County Election Database with Ransomware
CISA and FBI Warn Russian APT Actor is Targeting Government Networks
Cyberattack Hits COVID Vaccine Maker
Finnish Psychotherapy Patients are Being Blackmailed After Vastaamo Data Breach
REST OF THE WEEK'S NEWS
US Treasury Sanctions Russian Research Institution Tied to Triton Malware
Book Excerpt: SANDWORM: The Aurora Generator Test
Botnet Exploits CMS Weaknesses
Sopra Steria Confirms its Network was Hit with Ransomware
Microsoft is Beginning to Nudge Users Away from Internet Explorer
Louisiana Calls in National Guard to Help Fight Cyberattacks
Former Century 21 Sysadmin Charged for Computer Tampering
Exposed Irrigation System Networks
INTERNET STORM CENTER TECH CORNER
***************** Sponsored By Elasticsearch, Inc *************************
Elastic Security, built by the creators of the ELK Stack, solves cybersecurity's core data and scale problems. Leading security teams use the free and open solution for SIEM, endpoint security, threat hunting, cloud monitoring, and more. And with a resource-based pricing model, the Elasticsearch-based technology isn't the only component that's highly scalable.
| Learn more at: http://www.sans.org/info/218005
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
New OnDemand Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/ondemand/course/cloud-penetration-testing
MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep
- https://www.sans.org/ondemand/course/project-management-effective-communication
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Live Online Training Events and Summits
Pen Test HackFest - Live Online
Nov 16-21 EST | 15 Courses | Core NetWars + Coin-A-Palooza
- https://www.sans.org/event/pen-test-hackfest-2020-live-online
SANS San Francisco Winter 2020 - Live Online
Nov 30-Dec 5 PST | 10 Courses | Virtual Core NetWars
- https://www.sans.org/event/san-francisco-winter-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
OnDemand Training Special Offer: Get an iPad mini, Surface Go 2, or Take $300 Off with qualified OnDemand courses through October 28.
- www.sans.org/specials/north-america/
*****************************************************************************
TOP OF THE NEWS
--Hackers Disable Georgia County Election Database with Ransomware
(October 23 & 24, 2020)
A ransomware attack earlier this month disabled a Hall County, Georgia, database that is used to verify voters' signatures on absentee ballots. While the attack did not affect the voting process, county employees have had to manually verify signatures from voter registration cards.
[Editor Comments]
[Murray] It is verification of signatures that makes absentee voting secure. The signature must be used and validated twice: once when applying for the absentee ballot and once when submitting it. This is even more secure than in those jurisdictions that do not check a photo ID for in-person voting.
Read more in:
Security Week: Report: Ransomware Disables Georgia County Election Database
https://www.securityweek.com/report-ransomware-disables-georgia-county-election-database
Threatpost: Georgia Election Data Hit in Ransomware Attack
https://threatpost.com/georgia-election-data-ransomware/160499/
Statescoop: Election-related system impacted by ransomware in Georgia county
https://statescoop.com/ransomware-election-system-hall-county-georgia/
GovInfosecurity: Ransomware Knocks Out Voter Database in Georgia
https://www.govinfosecurity.com/ransomware-knocks-out-voter-database-in-georgia-a-15235
--CISA and FBI Warn Russian APT Actor is Targeting Government Networks
(October 22 & 23, 2020)
In a joint cybersecurity advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warn that a Russian advanced persistent threat (APT) actor has targeted "US state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks." The APT actor has "exfiltrated data from at least two victim servers."
[Editor Comments]
[Neely] Even if you're not a US Government or APT target, the advisory offers good guidance on comprehensive account resets and network defenses. Review the Network Defense in Depth guidance for information on perimeter protections, monitoring, and user education to identify any gaps in your current practices.
Read more in:
US-CERT CISA: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets
https://us-cert.cisa.gov/ncas/alerts/aa20-296a
Duo: Energetic Bear Attackers Targeting US Government Agencies
https://duo.com/decipher/energetic-bear-attackers-targeting-us-government-agencies
Bleeping Computer: Russian state hackers stole data from US government networks
Cyberscoop: Russia-linked group that breached US state and local IT draws official accusation from feds
https://www.cyberscoop.com/temp-isotope-russia-cisa-election-security/
NYT: Russians Who Pose Election Threat Have Hacked Nuclear Plants and Power Grid
https://www.nytimes.com/2020/10/23/us/politics/energetic-bear-russian-hackers.html
Axios: FBI: Russian hacking group stole data after targeting local governments
The Hill: DHS, FBI say Russian hackers targeting US state and local systems
--Cyberattack Hits COVID Vaccine Maker
(October 23, 2020)
A company that is manufacturing a COVID-19 vaccine for Russia has shut down operations in five countries following a cyberattack against its network. Dr. Reddy's is based in India and is about to enter Phase 2 human trials of the vaccine, which has been given the nickname Sputnik V. Dr. Reddy's has also isolated its data centers.
[Editor Comments]
[Neely] It is likely the attack was targeting the IP behind the vaccine to give competition a leg up. Dr. Reddy's took immediate action to isolate their systems to remediate and prevent further harm. A side effect is their production of generic drugs in the US may be impacted, causing some shortages. The lesson here is to verify security, particularly around key assets, in a scenario such as producing the COVID-19 vaccine, which pushes the business to rapidly implement services, possibly leaving security behind.
Read more in:
Threatpost: COVID-19 Vaccine-Maker Hit with Cyberattack, Data Breach
https://threatpost.com/covid-19-vaccine-cyberattack-data-breach/160495/
--Finnish Psychotherapy Patients are Being Blackmailed After Vastaamo Data Breach
(October 25 & 26, 2020)
Patients of Finland's Vastaamo psychotherapy clinic are reporting that they are being contacted with blackmail demands. Last week, Vastaamo disclosed a data breach that compromised patient data. The hackers have reportedly posted some patient information on the dark web; patients who have been contacted by the hackers say they have been asked to pay 200 EUR (236 USD) to prevent their information from being exposed.
Read more in:
Helsinki Times: Hacking may have compromised privacy of thousands of psychotherapy clients in Finland
Threatpost: Vastaamo Breach: Hackers Blackmailing Psychotherapy Patients
https://threatpost.com/vastaamo-hackers-blackmailing-therapy-patients/160536/
Security Week: Finland Shocked by Therapy Center Hacking, Client Blackmail
https://www.securityweek.com/finland-shocked-therapy-center-hacking-client-blackmail
Cyberscoop: Data breach at Finnish psychotherapy center takes a darker turn with extortion attempts
https://www.cyberscoop.com/finnish-psychotherapy-data-breach-vastaamo/
BBC: Therapy patients blackmailed for cash after clinic data breach
https://www.bbc.com/news/technology-54692120
***************************** SPONSORED LINKS *******************************
1) Webcast | Our upcoming webcast, "Small businesses deserve big protection" teaches you how to get powerful protection against today's biggest threats using Cisco Umbrella, a cloud-delivered security service that's simple and cost-effective for a team of any size to deploy, use, and manage, with no hardware to maintain or upgrade | October 29 @ 10:30 AM EDT
| http://www.sans.org/info/218010
2) Webcast | Join the incredibly knowledgeable Jake Williams as he chairs, "Doing More with Less: Detection and Response Planning for 2021" | November 3 @ 10:30 AM EST
| http://www.sans.org/info/218015
3) Webcast | Our upcoming webcast, "Are you protected from a resurgence of APT29?" will teach you how to operationalize MITRE ATT&CK framework and leverage it to validate your controls against threat groups | November 3 @ 1:00 PM EST
| http://www.sans.org/info/218020
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--US Treasury Sanctions Russian Research Institution Tied to Triton Malware
(October 23 & 24, 2020)
The US Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned "a Russian government research institution that is connected to the destructive Triton malware." The State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM or TsNIIKhM) supported threat actors' use of Triton, which has been described as "the most dangerous threat activity publicly known."
Read more in:
Treasury: Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware
https://home.treasury.gov/news/press-releases/sm1162
Wired: The US Sanctions Russians for Potentially 'Fatal' Triton Malware
https://www.wired.com/story/russia-sanctions-triton-malware/
ZDNet: US Treasury sanctions Russian research institute behind Triton malware
Ars Technica: Hackers behind life-threatening attack on chemical-maker are sanctioned
SC Magazine: Treasury sanctions Russian research institute for Triton attack
Threatpost: U.S. Levies Sanctions Against Russian Research Institution Linked to Triton Malware
https://threatpost.com/us-sanctions-russian-triton-malware/160518/
Cyberscoop: US sanctions Russian government institution in connection with Trisis malware
https://www.cyberscoop.com/us-sanctions-russia-trisis-malware/
--Book Excerpt: SANDWORM: The Aurora Generator Test
(October 23, 2020)
An excerpt from Andy Greenberg's book, "SANDWORM: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers," recounts Michael Assante's 2007 Aurora demonstration, which proved the danger hackers could pose to the power grid by manipulating protective relays.
[Editor Comments]
[Neely] Much has been learned since 2007 about the importance of segregating OT, not only from the Internet but also from other systems which don't need to interact with it. Additionally, as we pass the ten-year anniversary of Stuxnet, we are reminded of the importance of OPSEC: providing too much information about your OT to adversaries, e.g. PR photos with recognizable components in view, can be leveraged against you.
Read more in:
Wired: How 30 Lines of Code Blew Up a 27-Ton Generator
https://www.wired.com/story/how-30-lines-of-code-blew-up-27-ton-generator/
--Botnet Exploits CMS Weaknesses
(October 22 & 26, 2020)
Researchers from Imperva have detected a botnet that is exploiting vulnerabilities in various content management systems (CMS) to infect websites. The botnet, which has been given the nickname KashmirBlack, is being used for cryptomining and spam. It uses Dropbox for its command-and-control infrastructure and stores files on GitHub and Pastebin. Hundreds of thousands of sites are believed to have been infected since late 2019.
Read more in:
Imperva: CrimeOps of the KashmirBlack Botnet - Part II
https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-ii/
ZDNet: KashmirBlack botnet behind attacks on CMSs like WordPress, Joomla, Drupal, others
Dark Reading: Botnet Infects Hundreds of Thousands of Websites
Infosecurity Magazine: KashmirBlack Botnet Uses DevOps to Stay Agile
https://www.infosecurity-magazine.com/news/kashmirblack-botnet-uses-devops-to/
--Sopra Steria Confirms its Network was Hit with Ransomware
(October 26, 2020)
Sopra Steria, the French IT service company, has acknowledged that the cyberattack that hit its network last week was actually a ransomware attack. The company says the infection was kept to "a limited part" of its IT systems. Sopra Steria predicts "it will take a few weeks for a return to normal."
[Editor Comments]
[Neely] The claim is this is a never-before-seen strain of Ryuk, which was activated after systems were infected, a couple of days previously, with either TrickBot or BazarLoader. The signature for the new version of Ryuk has been released for incorporation into detection tools. Even with an interval of a couple of days, assume data has been exfiltrated and fully analyze your logs to determine what systems have been accessed. In this case, Sopra Steria seems to have avoided customer data loss; others may not be so lucky.
[Murray] Lessons include system-to-system isolation to resist lateral spread of ransomware, and the ability to restore mission-critical applications in hours.
Read more in:
Bleeping Computer: Sopra Steria confirms being hit by Ryuk ransomware attack
Infosecurity Magazine: Sopra Steria Hit by New Ryuk Variant
https://www.infosecurity-magazine.com/news/sopra-steria-hit-by-new-ryuk/
Sopra Banking: Sopra Steria Group: Cyberattack information update
https://www.soprabanking.com/news/sopra-steria-group-cyberattack-information-update/
--Microsoft is Beginning to Nudge Users Away from Internet Explorer
(October 19, 25, & 26, 2020)
When users browsing in Internet Explorer attempt to access a website that is not IE-compatible, the site will launch in Microsoft Edge. Users will be notified that the site is not compatible with IE, and will be prompted to update to Edge, migrating their settings from IE. Microsoft plans to disable support for Internet Explorer in certain services starting in mid-November.
[Editor Comments]
[Neely] If you have apps that require IE, or IE-specific plugins such as Silverlight, consider using an isolated hosted business (IE) browser only for use with those applications, while moving your systems to newer browsers such as Chrome, Firefox or Chromium Edge.
Read more in:
Bleeping Computer: Microsoft begins to finally kill off Internet Explorer
Threatpost: Microsoft IE Browser Death March Hastens
https://threatpost.com/ie-browser-death-march/160571/
Microsoft: Redirection from Internet Explorer to Microsoft Edge for compatibility with modern web sites
https://docs.microsoft.com/en-us/deployedge/edge-learnmore-neededge
--Louisiana Calls in National Guard to Help Fight Cyberattacks
(October 23, 2020)
Officials in Louisiana have called in the state's National Guard to help handle cyberattacks against government systems. Multiple local government systems in Louisiana have reportedly been infected with a remote access Trojan (RAT) that has previously been linked to hackers with ties to North Korea's government.
Read more in:
Politico: Cyberattacks hit Louisiana government offices as worries rise about election hacking
https://www.politico.com/news/2020/10/23/cyberattacks-louisiana-election-431825
Threatpost: Louisiana Calls Out National Guard to Fight Ransomware Surge
https://threatpost.com/louisiana-national-guard-ransomware/160508/
Reuters: Exclusive: National Guard called in to thwart cyberattack in Louisiana weeks before election
--Former Century 21 Sysadmin Charged for Computer Tampering
(October 21 & 23, 2020)
A former systems administrator for the Century 21 department store has been indicted on several charges, including computer tampering and computer trespass. Prior to resigning from his position in November 2019, Hector Navarro allegedly stole employee data and created a superuser account that he used to access the system after he had left the company. Navarro allegedly deleted data to prevent people hired to replace him from accessing the network.
[Editor Comments]
[Neely] Verification of all active accounts, particularly those not centrally managed, must be a regular activity - even more so on boundary protection devices. Additionally, make sure that you're monitoring privileged operations on those devices, including account creation, and detect actions from previously unknown accounts.
[Murray] It is essential to grant only those privileges that one can effectively withdraw upon termination. That includes the ability to terminate any accounts that the privileged user has created.
Read more in:
Infosecurity Magazine: Systems Admin Arrested for Hacking Former Employer
https://www.infosecurity-magazine.com/news/systems-admin-arrested-for-hacking/
Manhattan DA: D.A. Vance: Former Century 21 Employee Charged with Computer Tampering, Larceny For Breach of Company Data
--Exposed Irrigation System Networks
(October 26, 2020)
An Israeli security company found that more than 100 smart irrigation systems were left unprotected on the Internet. The vulnerable CC PRO systems were installed with the factory default settings unchanged, which means that the default account does not require a password. From there, malicious actors could access the system's control panel, change settings, and delete other users from the system. The company notified CERT Israel of the situation; CERT Israel in turn contacted the affected companies as well as Motorola, the manufacturer, and shared information with CERTs in other countries. The number of exposed systems is falling.
[Editor Comments]
[Pescatore] In 2018, the International Society of Automation produced ISA/IEC 62443-4-1-2018 that focused on building security into industrial control systems. That same year a group of Israeli researchers presented a paper on vulnerabilities in connected irrigation systems at DEFCON. Since irrigation systems (and many other "smart systems") bring electricity into close proximity to water (and moving machinery into close proximity to living things) there have long been electrical code standards for safe installation of those systems. This is a good item to show to a COO around the cybersecurity aspect of safety of these systems.
Read more in:
ZDNet: Over 100 irrigation systems left exposed online without a password
https://www.zdnet.com/article/over-100-irrigation-systems-left-exposed-online-without-a-password/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
An Alternative to Shodan: Censys
Sooty: SOC Analyst's All-in-One Tool
https://isc.sans.edu/forums/diary/Sooty+SOC+Analysts+AllinOne+Tool/26714/
Excel 4 Macros: "Abnormal Sheet Visibility"
https://isc.sans.edu/forums/diary/Excel+4+Macros+Abnormal+Sheet+Visibility/26726/
Adversarial ML Threat Matrix
https://github.com/mitre/advmlthreatmatrix
Samsung S20 RCE
https://labs.f-secure.com/blog/samsung-s20-rce-via-samsung-galaxy-store-app/
VMWare Advisory
https://www.vmware.com/security/advisories/VMSA-2020-0023.html
HP Printer Applications Certificate Revoked
Link Previews and Privacy
https://www.mysk.blog/2020/10/25/link-previews/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create