SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #9
January 31, 2020
Dept. of Interior Grounds Drones; Hunting Down Ransomware Crooks and More Victims; US National Cybersecurity High School Talent Search
Great News: California's entry into the national women's cybersecurity talent search, Girls Go CyberStart 2020, means all U.S. high schools have 2 extra weeks to allow their girls to enter. Boys can join too, in every high school where the girls do well. As of this morning, 10,700 high school girls are participating.
Check it out at https://www.girlsgocyberstart.org
Interested in how your state is doing? Check out the Leaderboard at www.girlsgocyberstart.org/leaderboard
****************************************************************************
SANS NewsBites January 31, 2020 Vol. 22, Num. 009
****************************************************************************
TOP OF THE NEWS
US Dept. of Interior Grounds Drones
Hunting Down Ransomware Crooks
Government Contractor Hit with Ransomware
Regis University Ransomware
REST OF THE WEEK'S NEWS
UN European IT Systems Hacked Through SharePoint Vulnerability
Zoom Fixes Video Conferencing Vulnerability
Apple Updates
Stolen Wawa Data for Sale Online
Updates Available to Address DMA Vulnerabilities in Dell and HP Laptops
Russia Blocks ProtonMail and ProtonVPN
WordPress Code Snippets Plug-in Flaw
NYC Medical Center Issues Notice of Data Privacy Incident
INTERNET STORM CENTER TECH CORNER
************************* Sponsored By SANS ********************************
Implementer's Guide to Deception Technologies. In today's digital environment, organizations tend to have difficulty detecting attackers on their networks in a reasonable time frame. Join SANS' Kyle Dickinson on February 6th as he shares how deception technologies can assist with common attack types, including account hijacking, human error, vulnerable applications and insider threat. Register here: http://www.sans.org/info/215415
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Munich March 2020 | March 2-7 | https://www.sans.org/event/munich-march-2020
-- SANS Northern VA - Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020
-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020
-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020
-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020
-- SANS OnDemand and vLive Training
Get an iPad Mini, an HP Chromebook 14 G5, or Take $300 Off through February 5 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--US Dept. of Interior Grounds Drones
(January 29 & 30, 2020)
The US Secretary of the Interior has issued an order grounding its entire fleet of drones except in the event of an emergency, such as fighting wildfires, search-and-rescue missions, and natural disasters. The decision to ground the unmanned aircraft was made to "ensure the cybersecurity and supply of American technology of unmanned aircraft systems."
[Editor Comments]
[Pescatore] A general worry about the security of drones, and all IT devices/systems, is a good thing, but country-specific worry creates a giant blind spot. We know in security that in a global business environment simple geo-blocking is rarely an effective solution. However, cybersecurity teams often have to react to management directives (whether business or government management or political/legislative mandates), as DoI had to in this case, reacting to Presidential Determination 2019-13, which has the stated aim of favoring US-based drone manufacturers. The best security team actions use the mandate as a justification to actually increase security. In this case, how about DoI saying "We will require all drones to demonstrate that their software and systems have been tested for vulnerabilities and hidden capabilities as part of the procurement and/or deployment processes" and US-based drone manufacturers taking the lead in meeting that requirement?
[Neely] A requirement to buy American is common for US Government agencies. Even so, at the time of selection, the best-of-class drones were likely the DJI-provided units. Rather than focus on a single threat, having security guidance and standards for purchases independent of origin would allow the most flexibility for use of products independent of source and manufacturing location.
Read more in:
ZDNet: US DOI halts operations for its entire drone fleet over Chinese cybersecurity concerns
CNET: Interior Department grounds drone fleet amid concerns of Chinese spying
https://www.cnet.com/news/interior-department-officially-grounds-drones-made-in-china/
Infosecurity Magazine: US Downs Drone Fleet on China Security Fears
https://www.infosecurity-magazine.com/news/us-downs-drone-fleet-on-china/
Cyberscoop: Department of Interior grounding drone fleet over cybersecurity concerns
https://www.cyberscoop.com/drone-ban-interior-department-cybersecurity/
DOI: Temporary Cessation of Non-Emergency Unmanned Aircraft Systems Fleet Operations (PDF)
https://www.doi.gov/sites/doi.gov/files/elips/documents/signed-so-3379-uas-1.29.2020-508.pdf
--Hunting Down Ransomware Crooks
(January 29 & 30, 2020)
A Canadian insurance company was hit with a ransomware attack in October 2019. The company had purchased cyber insurance from a UK company, which paid US $950,000 in Bitcoin to regain access to its data. Once the company had the decryption key, it still took more than a week to fully recover the data. The UK insurance company hired an investigation company specializing in blockchain to track down the perpetrators and get its money back.
[Editor Comments]
[Murray] Ransomware attacks are proving to be lucrative and low-risk. They will continue until something changes. Historically extortion has been addressed by "following the money." So far digital currency has made that ineffective.
Read more in:
The Register: Canadian insurer paid for ransomware decryptor. Now it's hunting the scum down
https://www.theregister.co.uk/2020/01/29/canadian_insurer_paid_ransomware_hunt/
CBC: Hackers were paid ransom after attack on Canadian insurance firm, court documents reveal
https://www.cbc.ca/news/technology/unnamed-insurance-company-cyberattack-1.5445326
--Government Contractor Hit with Ransomware
(January 29, 2020)
Systems at US Government contractor Electronic Warfare Associates (EWA) were hit with Ryuk ransomware last week. EWA took the compromised servers offline following the infection. While EWA has not made a public statement about the incident, evidence of the infection - including encrypted files and ransom notes - is visible online.
Read more in:
ZDNet: DOD contractor suffers ransomware infection
https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/
--Regis University Ransomware
(January 28 & 30, 2020)
Regis University in Denver, Colorado, was hit with a ransomware attack in August 2019. The school paid the ransom, but the recovery still took months. The attack occurred as the fall 2019 semester began. Regis held a summit on Tuesday, January 29 to share what it learned from the incident.
Read more in:
GovTech: Denver Private University IT Still Impaired After Paying Ransom
Inside Higher Ed: Regis Paid Ransom to Cyberattackers
https://www.insidehighered.com/quicktakes/2020/01/30/regis-paid-ransom-cyberattackers
**************************** SPONSORED LINKS ******************************
1) Webcast February 5th at 3:30 PM ET: Your Password Doesn't Matter. Sign up: http://www.sans.org/info/215420
2) Blue Team Summit & Training 2020 | Louisville, KY | Mar 2-9. http://www.sans.org/info/215425
3) Did you miss this webcast? Pivotal Platform - Getting Started with Native Runtime Protection for PAS. View here: http://www.sans.org/info/215430
*****************************************************************************
REST OF THE NEWS
--UN European IT Systems Hacked Through SharePoint Vulnerability
(January 29 & 30, 2020)
In the summer of 2019, officials at the United Nations discovered that hackers had broken into IT systems at the organization's headquarters in Vienna, Austria and Geneva, Switzerland. The incident was not disclosed until earlier this week. The attackers were able to access the systems through a known vulnerability in Microsoft SharePoint; a fix for the flaw had been available for months prior to the breach.
[Editor Comments]
[Neely] The UN is exempt from the disclosure requirements of legislation such as the GDPR. Attempts to keep the incident under wraps, versus disclosing it, have resulted in inconsistent claims of impact and severity. The accessed systems included domain controllers, and actions included clearing the logs of their actions, so the full scope will likely not be known. What is known is the attack used an unpatched system. Whether production or development, comprehensive maintenance of the security posture, including patching with validation, has to be the norm. The cycle of discoverable weakness to exploitation is too rapid to assume otherwise.
Read more in:
The Register: UN didn't patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it
https://www.theregister.co.uk/2020/01/29/un_covered_up_hack/
SC Magazine: Report: United Nations withheld news of systems hack in European offices
Threatpost: U.N. Hack Stemmed From Microsoft SharePoint Flaw
https://threatpost.com/un-hack-microsoft-sharepoint-flaw/152378/
TechNadu: The United Nations was Hacked and Tried to Keep it a Secret
https://www.technadu.com/the-united-nations-hacked-keep-it-a-secret/91051/
The New Humanitarian: EXCLUSIVE: The cyber attack the UN tried to keep under wraps
https://www.thenewhumanitarian.org/investigation/2020/01/29/united-nations-cyber-attack
--Zoom Fixes Video Conferencing Vulnerability
(January 28, 2020)
Zoom has fixed a flaw in its video conferencing tool's URL scheme that could have been exploited to eavesdrop on meetings. Prior to the fix, Zoom meetings did not require passwords by default, which meant that anyone who guessed the meeting ID number could join. Zoom learned of the issue in July 2019 and fixed it: passwords are now required by default for all scheduled meetings. Zoom made other security enhancements as well.
[Editor Comments]
[Neely] Zoom also has a setting to lock a meeting in progress so that others cannot join, which could be useful when having sensitive conversations.
Read more in:
The Register: The duke of URL: Zoom meetups' info leaked out through eavesdrop hole
https://www.theregister.co.uk/2020/01/28/zoom_eavesdrop_hack/
SC Magazine: Zoom fixes meeting ID flaw allowing unauthorized entry
ZDNet: Zoom fixes security flaw that could have let hackers join video conference calls
Threatpost: Zoom Fixes Flaw Opening Meetings to Hackers
https://threatpost.com/zoom-fixed-flaw-opening-meetings-to-hackers/152266/
--Apple Updates
(January 28 & 29, 2020)
Apple has released fixes for vulnerabilities in multiple products, including iOS, macOS, and Safari. The most current version of iOS, 13.3.1, addresses 23 security issues. The macOS updates address 35 issues, and the Safari update (v.13.0.5) addresses two issues.
[Editor Comments]
[Neely] Apple's move towards a monthly patch cycle, coupled with code reuse across platforms, drives a need to update all things Apple on a more regular cadence. Apple makes information on published updates available through their security updates page (https://support.apple.com/en-us/HT201222) and their security-announce mailing list.
[Murray] Apple's policy is to not release information about vulnerabilities until after a fix has been made available. This is the same policy followed by IBM for decades but different from that followed by most of the industry. While Microsoft customers express a preference for knowing about vulnerabilities, few actually implement workarounds in advance of fixes.
Read more in:
SC Magazine: Apple patches dozens of security issues
Threatpost: Apple Security Updates Tackle iOS Device Tracking, RCE Flaws
https://threatpost.com/apple-patches-ios-device-tracking/152364/
Bleeping Computer: Apple iOS 13.3.1 Released With Fix for Location Tracking
https://www.bleepingcomputer.com/news/apple/apple-ios-1331-released-with-fix-for-location-tracking/
--Stolen Wawa Data for Sale Online
(January 28 & 29, 2020)
Payment card information stolen from the Wawa convenience store chain has been posted for sale on the Internet. The attackers may have stolen details for as many as 30 million payment cards. Wawa's systems were compromised in March 2019; the company detected the issue and notified customers in December.
[Editor Comments]
[Neely] The Wawa data has been spotted on the Joker's Stash darkweb carding fraud forum under the name BIGBADABOOM-III. Claims are that using EMV (chip-enabled) card readers reduces fraud by as much as 40%, and gas stations have been slow to migrate to chip readers at the pump, predominantly due to perceived costs. The deadline to support EMV sits at October 1st, 2020; in October 2019, it was estimated that there were 800,000 pumps in the US that still needed to migrate.
Read more in:
ZDNet: Wawa's massive card breach: 30 million customers' details for sale online
https://www.zdnet.com/article/wawa-card-breach-may-rank-as-one-of-the-biggest-of-all-times/
Ars Technica: Skimming heist that hit convenience chain may have compromised 30 million cards
KrebsOnSecurity: Wawa Breach May Have Compromised More Than 30 Million Payment Cards
--Updates Available to Address DMA Vulnerabilities in Dell and HP Laptops
(January 30, 2020)
Dell and HP have issued BIOS updates to fix flaws in laptops' Direct Memory Access (DMA) capability. The issues could be exploited to gain kernel privileges on vulnerable laptops.
Read more in:
Threatpost: Dell, HP Memory-Access Bugs Open Attacker Path to Kernel Privileges
https://threatpost.com/dell-hp-memory-access-bugskernel-privileges/152369/
Eclypsium: Direct Memory Access Attacks - A Walk Down Memory Lane
https://eclypsium.com/2020/01/30/direct-memory-access-attacks/
--Russia Blocks ProtonMail and ProtonVPN
(January 30, 2020)
Russia has blocked ProtonMail and ProtonVPN. Russia's telecommunications watchdog, Roskomnadzor, says the decision to block was made because Proton Technologies did not register its services with Russian authorities and did not provide Russian authorities with information about the owners of mailboxes that were used to send threats.
Read more in:
Bleeping Computer: Russia Blocks ProtonMail and ProtonVPN, Tor to the Rescue
--WordPress Code Snippets Plug-in Flaw
(January 29, 2020)
A high-severity vulnerability in the Code Snippets WordPress plug-in could be exploited to take over websites running unpatched versions of the plug-in. Code Snippets is running on approximately 200,000 websites.
Read more in:
Bleeping Computer: 200K WordPress Sites Exposed to Takeover Attacks by Plugin Bug
--NYC Medical Center Issues Notice of Data Privacy Incident
(January 30, 2020)
According to a notice from Village Care Rehabilitation and Nursing (VCRN) Center in New York City, an employee was tricked by a spoofed email into sharing patient information with a threat actor. The disclosed data include names, birthdates, and medical insurance information. VCRN learned of the incident on December 30, 2019.
Read more in:
Infosecurity Magazine: Fake Exec Tricks New York City Medical Center into Sharing Patient Info
https://www.infosecurity-magazine.com/news/fake-exec-tricks-new-york-city/
Village Care: VCRN Notice of Data Privacy Incident
https://www.villagecare.org/vcrn-notice-data-privacy-incident
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Recent Emotet Infection Installs Trickbot
https://isc.sans.edu/forums/diary/Emotet+epoch+1+infection+with+Trickbot+gtag+mor84/25752/
Apple Updates
https://support.apple.com/en-us/HT201222
Zoom Fixes Video Conferencing Brute Forcing Vulnerability
https://www.theregister.co.uk/2020/01/28/zoom_eavesdrop_hack/
Intel Fixes Yet Another Information Leakage Flaw
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00329.html
Magento Update
https://helpx.adobe.com/security/products/magento/apsb20-02.html
Malware Using Text from Impeachment News Coverage
Avast Anti Virus Selling Users' Browsing Data
https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation
Avast Apology
https://blog.avast.com/a-message-from-ceo-ondrej-vlcek
Coronavirus Themed Malware Targets Japan with Emotet
https://twitter.com/Cryptolaemus1/status/1222388971428294656
https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b
abuse.ch Offers new "I got phished" service
OpenSMTPD RCE Vulnerability
https://www.openwall.com/lists/oss-security/2020/01/28/3
Chrome Same-Site Cookie Change
https://www.chromestatus.com/feature/5088147346030592
https://caniuse.com/#feat=same-site-cookie-attribute
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create