SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #88
November 6, 2020
Bipartisan Coalition of State Governors Announce Cyber Talent Discovery and Scholarship Program; National Guard Called in on Ransomware Attacks; Ransomware Hits Brazil (country), Mattel (toys), Campari (booze), and Prison
*****************************************************************************
SANS NewsBites November 6, 2020 Vol. 22, Num. 088
*****************************************************************************
THE TOP OF THE NEWS
Bipartisan Coalition of State Governors Announce Cyber Talent Discovery and Scholarship Program For High School Students
Vermont National Guard Called in to Help Hospital Recover from Ransomware
Brazilian Courts Suffer Ransomware Attack
Mattel Discloses Ransomware Attack
Campari Group Network Hit With Ransomware
Private Prison Operator Discloses Ransomware Attack
REST OF THE WEEK'S NEWS
Chrome Zero-days are Being Actively Exploited
Adobe Acrobat and Reader Updates Fix Flaws, Remove Insert Flash Option
DoJ Seizes $1 Billion in Silk Road-related Cryptocurrency
Capcom Discloses Cyberattack
Massachusetts Votes to Grant Third-Party Access to Wireless Car Repair Data
Update Available for WordPress Welcart eCommerce Plugin
Apple Releases Update to Fix Three Actively Exploited Flaws in iOS, macOS
INTERNET STORM CENTER TECH CORNER
************************* Sponsored By Chronicle *******************************
Join Google Cloud Security Talks on November 18th. During this digital event, learn about the latest innovations coming out of Google Cloud's security team, and hear directly from Google Cloud's Office of the CISO on how cloud migration is a unique opportunity to dismantle the legacy security debt of the past two decades. Register today.
| http://www.sans.org/info/218100
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
OnDemand and Live Online Training Special Offer
Best Offers of the Year! Get an 11" iPad Pro w/ Magic Keyboard, a Microsoft Surface Go 2 - 256 GB SSD, or Take $350 Off with ANY qualifying SANS Training Course through November 18.
- www.sans.org/specials/north-america/
New OnDemand Courses -- Available Now
SEC588: Cloud Penetration Testing
- https://www.sans.org/ondemand/course/cloud-penetration-testing
MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep
- https://www.sans.org/ondemand/course/project-management-effective-communication
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Live Online Training Events and Summits
Pen Test HackFest + Summit @Night
Nov 16-21 EST | 15 Courses | Core NetWars + Coin-A-Palooza
- https://www.sans.org/event/pen-test-hackfest-2020-live-online
SANS Cyber Defense Initiative(R) 2020 - Dec 14-19 EST
35+ Courses | Core, Cyber Defense, and DFIR NetWars
- https://www.sans.org/event/cyber-defense-initiative-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
*****************************************************************************
TOP OF THE NEWS
--Bipartisan Coalition of State Governors Announce Cyber Talent Discovery and Scholarship Program For High School Students
(November 5, 2020)
Governors from Texas, North Dakota, Alabama, New Jersey, Utah, Idaho, Maryland, and Virginia announced CyberStart America - enabling all high school students in their states to discover whether they have an aptitude to excel in cybersecurity and to win millions in college scholarships.
Read more in:
Gov.texas: Governor Abbott Announces Partnership With CyberStart America To Promote Cybersecurity Career Track For Texas High School Students
Scholarship Program: https://www.nationalcyberscholarship.org
Talent Search: https://www.cyberstartamerica.org
--Vermont National Guard Called in to Help Hospital Recover from Ransomware
(November 5, 2020)
Vermont's governor has called in the state's Army National Guard's Combined Cyber Response Team to help the University of Vermont Health Network respond to a ransomware attack that affected six area hospitals.
[Editor Comments]
[Neely] Finding skilled help to help recovery efforts can be challenging and expensive; leveraging existing trained response teams like this, particularly with hospital and other community services, should be investigated prior to needing them. Identify and verify where you can get help, now, before you're dealing with a significant incident such as ransomware.
Read more in:
Infosecurity Magazine: National Guard to Help Vermont Health Network After Cyber-Attack
https://www.infosecurity-magazine.com/news/national-guard-uvm-health-network/
Security Week: Guard Cyber Team to Help Respond to Hospitals Cyberattack
https://www.securityweek.com/guard-cyber-team-help-respond-hospitals-cyberattack
--Brazilian Courts Suffer Ransomware Attack
(November 5, 2020)
The computer network of Brazil's Superior Court of Justice was the victim of a ransomware attack earlier this week. The country's Secretariat for Information and Communication Technology (STI) is working to recover affected systems. A Brazilian journalist said that other Brazilian government agencies are offline.
Read more in:
Bleeping Computer: Brazil's court system under massive RansomExx ransomware attack
--Mattel Discloses Ransomware Attack
(November 4, 2020)
Toy manufacturer Mattel has disclosed that its network was hit with a ransomware attack in late July. The company revealed the information in a form 10-Q filing with the US Securities and Exchange Commission (SEC).
Read more in:
ZDNet: Toy maker Mattel discloses ransomware attack
https://www.zdnet.com/article/toy-maker-mattel-discloses-ransomware-attack/
Threatpost: Toymaker Mattel Hit by Ransomware Attack
https://threatpost.com/mattel-hit-by-ransomware/160947/
Cyberscoop: Nothing is sacred: Ransomware attack hit toy maker Mattel's systems this summer
https://www.cyberscoop.com/ransomware-attack-mattel-toys/
Investors.mattel: United States Securities and Exchange Commission | Form 10-Q | Mattel, Inc.
https://investors.mattel.com/node/32206/html
--Campari Group Network Hit With Ransomware
(November 5, 2020)
Italian beverage company Campari Group disclosed that ransomware infiltrated its network on Sunday, November 1. The company said that it isolated affected systems and temporarily suspended IT services, and that it plans to wipe and restore affected systems.
Read more in:
ZDNet: Italian beverage vendor Campari knocked offline after ransomware attack
--Private Prison Operator Discloses Ransomware Attack
(November 5, 2020)
A company that operates private prisons says it was the victim of a ransomware attack. GEO Group says that attackers may have stolen data during the incident, which occurred on August 19, 2020. The company's 120 facilities include several US Immigration and Customs Enforcement (ICE) detention centers. The information was disclosed in a form 8-K filing with the US Securities and Exchange Commission (SEC).
Read more in:
Security Week: Private Prison Operator GEO Group Discloses Data Breach
https://www.securityweek.com/private-prison-operator-geo-group-discloses-data-breach
ZDNet: Company that runs US illegal immigration detention centers discloses ransomware attack
SEC: United States Securities and Exchange Commission Form 8-K | The GEO Group, Inc.
https://www.sec.gov/ix?doc=/Archives/edgar/data/923796/000119312520284748/d39807d8k.htm
****************************** SPONSORED LINKS *******************************
1) Is the SOC becoming obsolete? Learn how teams are leveraging cloud migration to gain visibility. | Join us on December 3rd @ 12:00pm ET | Register Now!
| http://www.sans.org/info/218105
2) How Look-alike Domains Drive BEC, Brand Abuse, and More [LIVE EXPERT WEBINAR]
| http://www.sans.org/info/218110
3) On-Demand Webcast | In case you missed it yesterday, view this webcast to explore key steps to managing cloud permissions with CIEM and see how quickly you can reduce your attack surface by getting ahead of the #1 unmanaged risk to cloud infrastructure identities with excessive high-risk permissions.
| http://www.sans.org/info/218115
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Chrome Zero-days are Being Actively Exploited
(November 3 & 4, 2020)
Google has fixed vulnerabilities in its Chrome Browser that are being actively exploited. Users of the Chrome browser for Windows, macOS, and Linux should update to Chrome version 86.0.4240.183; users of Chrome for Android should update to Chrome version 86.0.4240.185.
[Editor Comments]
[Neely] Chrome is a popular target this month. The weakness in the Android version allows for sandbox escape and OS level code execution. It is also being leveraged to exploit other system weaknesses such as the Windows Kernel Cryptography Driver vulnerability. Long story short, push the updates now.
Read more in:
The Register: If you're an update laggard, buck up: Chrome zero-days are being exploited in the wild
https://www.theregister.com/2020/11/04/google_chrome_critical_updates/
ZDNet: After two zero-days in Chrome desktop, Google patches a third zero-day in the Android version
Ars Technica: Google fixes two more Chrome zero-days that were under active exploit
Threatpost: Two Chrome Browser Updates Plug Holes Actively Targeted by Exploits
https://threatpost.com/chrome-holes-actively-targeted/160890/
--Adobe Acrobat and Reader Updates Fix Flaws, Remove Insert Flash Option
(November 3 & 4, 2020)
Adobe has released updates to address a total of 14 security issues in Reader and Acrobat. Four of the vulnerabilities are rated critical; they could be exploited to allow "arbitrary code execution in the context of the current user." The updates also remove the Embed Flash and Insert Media options from the PDFMaker menu.
[Editor Comments]
[Neely] Adobe categorizes the updates as priority 2: products that have historically been targeted, where the vulnerabilities have no known exploits. Given that the exploits enable arbitrary code and JavaScript execution, as well as privilege escalation, inclusion with your November patch cycle is the latest you'll want to deploy the updates. Sooner is better.
Read more in:
Threatpost: Adobe Warns Windows, MacOS Users of Critical Acrobat and Reader Flaws
https://threatpost.com/adobe-windows-macos-critical-acrobat-reader-flaws/160903
ZDNet: Adobe kills Flash in Acrobat and Reader - pushes out these critical security bug fixes
The Register: Was that November's Patch Tuesday? Already? Oh, no, it's just Adobe issuing 14 emergency security fixes
https://www.theregister.com/2020/11/04/adobe_emergency_patch/
Adobe: Security Updates Available for Adobe Acrobat and Reader | APSB20-67
https://helpx.adobe.com/security/products/acrobat/apsb20-67.html
Adobe: Reader & Acrobat November 2020 Release (DC Continuous, Acrobat 2020 & Acrobat 2017)
Adobe: What's new in Acrobat DC
https://helpx.adobe.com/acrobat/using/whats-new.html
--DoJ Seizes $1 Billion in Silk Road-related Cryptocurrency
(November 5, 2020)
A Bitcoin wallet was mysteriously relieved of 1 billion USD worth of the cryptocurrency on November 3. The action was revealed to be the work of the US Department of Justice (DoJ). The funds in the wallet were linked to Silk Road, the darknet marketplace that was shut down in 2013. The funds appear to have been stolen from Silk Road prior to the founder's trial and sentencing. The person who stole the funds, identified only as Individual X, has signed a Consent and Agreement to Forfeiture. Silk Road's founder is currently serving two life sentences in prison.
Read more in:
Wired: The Feds Seized $1 Billion in Stolen Silk Road Bitcoins
https://www.wired.com/story/feds-seize-billion-stolen-silk-road-bitcoin/
Vice: U.S. Feds Seized Nearly $1 Billion in Bitcoin from Wallet Linked to Silk Road
Ars Technica: The feds just seized Silk Road's $1 billion stash of bitcoin
Bleeping Computer: US govt behind $1 billion Bitcoin transfer of Silk Road funds
--Capcom Discloses Cyberattack
(November 4 & 5, 2020)
Video game developer Capcom has disclosed that some of its networks were hit with a cyberattack on November 2. In a press release, Capcom said "it has halted some operations of its internal networks." The attack appears to have affected Capcom's email system as well; a notice on the company's website says that it is currently "unable to reply to inquiries and/or to fulfill requests for documents."
Read more in:
ZDNet: Capcom quietly discloses cyberattack impacting email, file servers
https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/
Bleeping Computer: Capcom hit by Ragnar Locker ransomware, 1TB allegedly stolen
--Massachusetts Votes to Grant Third-Party Access to Wireless Car Repair Data
(November 4 & 5, 2020)
Massachusetts has voted to extend the state's automotive right-to-repair law to connected car platforms and telematics. The initial automotive right-to-repair law passed in 2013 and took effect in 2018. It requires that all vehicles sold in Massachusetts have a "non-proprietary vehicle interface device" to allow repair businesses to access mechanical data. The newly passed ballot initiative will allow car owners and independent repair businesses access to wireless vehicle maintenance and repair information.
[Editor Comments]
[Pescatore] Car manufacturers having proprietary interfaces to car telematics in no way guarantees a higher level of security - nor does having an open common access platform. The real issue is the societal decision about market competition for diagnostic and repair services and then the security level has to enable that. This reminds me of the old debate: "Proprietary code is safer than open source code because attackers can't see the code" vs. "Open source code is safer than proprietary code because of all the eyes looking at it." The real answer has always been "code written and tested with security and safety as a key focus/requirement by developers and testers skilled in security is the only software that will be safe and secure."
[Neely] Of note is the trend that almost every new car sold in 2020 included a cellular modem to allow for remote monitoring and data collection, promising a more proactive maintenance/service notification and tracking experience for consumers. And while some manufacturers are working to monetize that information, a big concern about providing access to the online interface by third parties is that it also has the ability to send commands to vehicle components for maintenance, diagnostics and repair, which heightens the need to get security right quickly.
Read more in:
Ars Technica: Connected cars must be open to third parties, say Massachusetts voters
Securepairs: SecuRepairs Celebrates Huge Win for Right To Repair in Massachusetts
https://securepairs.org/securepairs-celebrates-huge-win-for-right-to-repair-in-massachusetts/
Security Ledger: Episode 193: Repair, Cyber and Your Car with Assaf Harel of Karamba Security
--Update Available for WordPress Welcart eCommerce Plugin
(November 5, 2020)
A critical vulnerability in the Welcart eCommerce WordPress plugin could be exploited for PHP object injection. The plugin's publisher was notified of the issue earlier this month and released an updated version, Welcart eCommerce 1.9.36, on October 20.
[Editor Comments]
[Neely] The exploit uses vulnerabilities resolved in last week's WordPress emergency 5.5.2/5.5.3 update. Verify both updates were automatically installed on your WordPress system. The free version of Wordfence will get a firewall rule to block attempted exploits on November 8th.
Read more in:
Wordfence: Object Injection Vulnerability in Welcart e-Commerce Plugin
https://www.wordfence.com/blog/2020/11/object-injection-vulnerability-in-welcart-e-commerce-plugin/
--Apple Releases Update to Fix Three Actively Exploited Flaws in iOS, macOS
(November 5, 2020)
Apple has updated its mobile and desktop operating systems to fix three security flaws that are being actively exploited. The three vulnerabilities were detected by Google's Project Zero, which gives developers just seven days to fix flaws that are being exploited in the wild. Users are urged to update their devices to iOS 14.2 and macOS 10.15.7. Updates are also available for iPadOS, watchOS, and for older iPhones.
[Editor Comments]
[Neely] The vulnerabilities were severe enough to warrant updates to iOS 12 and watchOS 6, which are for older unsupported devices. If, after updating to iOS 14.2, you have applications that die on startup, you can use the "Offload App" option under the device storage setting, followed by "Reinstall App" on that same screen, to reinstall the application without losing data or settings.
Read more in:
Ars Technica: Apple patches iOS against 3 actively exploited 0-days found by Google
ZDNet: Apple fixes three iOS zero-days exploited in the wild
https://www.zdnet.com/article/apple-fixes-three-ios-zero-days-exploited-in-the-wild/
The Register: Apple emits iOS, iPadOS, watchOS, macOS patches to fix three hijack-my-device flaws exploited in the wild
https://www.theregister.com/2020/11/05/apple_drops_patches_to_fix/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Attackers Exploiting WebLogic Servers to Install Cobalt Strike
Did You Spot "Invoke-Expression" ?
https://isc.sans.edu/forums/diary/Did+You+Spot+InvokeExpression/26762/
New SaltStack Vulnerabilities
https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/
Adobe Releases Acrobat/Reader Update
https://helpx.adobe.com/security/products/acrobat/apsb20-67.html
Malicious Twilio NPM Package
https://www.npmjs.com/advisories/1574
GitHub Workflow Injection Vulnerabilities
Cisco AnyConnect Security Mobility Client
Google Chrome Root CA Policy
https://www.chromium.org/Home/chromium-security/root-ca-policy
Android November 2020 Security Bulletin
https://source.android.com/security/bulletin/2020-11-01
Apple Security Updates
https://support.apple.com/en-us/HT201222
Corporate VoIP Phone System Attacks
Mark Lucas: Replacing WINS in an Open Environment with Policy Managed DNS Servers
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create