SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #92
November 20, 2020
IoT Law to Set Standards Mandatory for Government Purchase; Cisco Webex Flaws Could be Exploited to Join Meetings Surreptitiously; Bad Actors Scanning WordPress Sites; COVID-19 Response Organizations Hit by Cyberattacks
*****************************************************************************
SANS NewsBites November 20, 2020 Vol. 22, Num. 092
*****************************************************************************
THE TOP OF THE NEWS
Internet of Things Security Bill To Establish Security Standards Mandatory for Government
Cisco Webex Flaws Could be Exploited to Join Meetings Surreptitiously
Bad Actors Scanning for Vulnerable WordPress Sites
Organizations Involved in COVID-19 Response Hit by Cyberattacks
REST OF THE WEEK'S NEWS
CISA Director Krebs Fired
Firefox 83 has HTTPS-Only Mode Feature
Mozilla Seeks Input Before Rolling Out DNS-over-HTTPS to All Firefox Users
Firefox Says Goodbye to Flash in January
Industrial Control System Vulnerabilities
Managed.com Hit with Ransomware
INTERNET STORM CENTER TECH CORNER
************************ Sponsored By Lookout *********************************
Introducing the world's first mobile Endpoint Detection and Response - Today's cyberattackers utilize sophisticated methods over many days or weeks to execute a data breach. Organizations must adapt to keep their sensitive data safe. Aaron Cockerill, Chief Strategy Officer at Lookout, discusses how businesses are now able to conduct their own threat hunting. Listen now.
| http://www.sans.org/info/218225
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
OnDemand and Live Online Training Special Offer
Best offers of the year! Get the latest MacBook Air, a Microsoft Surface Pro 7, or take $350 Off with ANY qualifying SANS Training Course through December 9.
- www.sans.org/specials/north-america/
New & Updated Courses
MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
- https://www.sans.org/cyber-security-courses/managing-enterprise-cloud-security-vulnerabilities/
SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment
- https://www.sans.org/cyber-security-courses/enterprise-cloud-threat-vulnerability-assessment/
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/
View all courses
- https://www.sans.org/cyber-security-courses/
Upcoming Live Online Events
SANS Cyber Defense Initiative(R) 2020 - Dec 14-19 EST
35+ Courses | Core, Cyber Defense, and DFIR NetWars
- https://www.sans.org/event/cyber-defense-initiative-2020-live-online/
Cyber Threat Intelligence Summit & Training
FREE Summit: Jan 21-22 | Courses: Jan 25-30
- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america/
Free Resources
Tools, Posters, and more.
*****************************************************************************
TOP OF THE NEWS
--Internet of Things Security Bill To Establish Security Standards Mandatory for Government
(November 18 & 19, 2020)
The US Senate has unanimously passed the IoT Cybersecurity Improvement Act. The bill will require that Internet of Things (IoT) devices purchased by the federal government meet cybersecurity standards, which will be set by the National Institute of Standards and Technology (NIST). Agencies will also need to establish vulnerability disclosure processes for IoT devices. The House of Representatives passed the bill in September.
[Editor Comments]
[Neely] While not yet law, having standards for IoT security will give us a baseline to hold manufacturers accountable, as well as aid in measuring the security, and possible certification, of current and future devices. Note that USG agencies will not be permitted to purchase devices not compliant with the standards once established.
Read more in:
FCW: Senate passes IoT cybersecurity bill
https://fcw.com/articles/2020/11/18/iot-cyber-bill-passes-senate.aspx
Threatpost: IoT Cybersecurity Improvement Act Passed, Heads to President's Desk
https://threatpost.com/iot-cybersecurity-improvement-act-passed/161396/
govtrack: H.R. 1668: IoT Cybersecurity Improvement Act of 2020
https://www.govtrack.us/congress/bills/116/hr1668/text
--Cisco Webex Flaws Could be Exploited to Join Meetings Surreptitiously
(November 18 & 19, 2020)
Three vulnerabilities in Cisco's Webex video conferencing application could be exploited to join meetings as ghost users, able to listen in without the knowledge of other meeting participants or the host. An attacker could exploit one of the flaws to access the names, email addresses, and IP addresses of meeting participants. Another flaw could be exploited to remain in a meeting even after being dismissed by the host. Cisco has released updates to address the vulnerabilities.
[Editor Comments]
[Pescatore] In the 2020 SANS Top New Attacks and Threat Report, Johannes Ullrich pointed out the risk of vulnerabilities in the numerous "Persistent and Promiscuous Web Agents" in use for applications such as Webex, Zoom and others. The Center for Internet Security recently released a good security guide for videoconferencing systems at https://www.cisecurity.org/white-papers/videoconferencing-security-guide/
[Neely] Cisco patched their cloud-based servers. You need to patch or update on-premises Cisco Webex Meetings Server 3.0M3 Security Patch 4 and earlier, and 4.0MR3 Security Patch 3 and earlier, as well as mobile versions prior to 40.10.9.
Read more in:
ZDNet: Cisco Webex bugs allow attackers to join meetings as ghost users
https://www.zdnet.com/article/cisco-webex-bugs-allow-attackers-to-join-meetings-as-ghost-users/
Ars Technica: Cisco rolls out fix for Webex flaws that let hackers eavesdrop on meetings
Dark Reading: Cisco Webex Vulns Let 'Ghost' Attendees Spy on Meetings
Threatpost: Cisco Webex 'Ghost' Flaw Opens Meetings to Snooping
https://threatpost.com/cisco-webex-flaw-snooping/161355/
Bleeping Computer: Cisco fixes WebEx bugs allowing 'ghost' attackers in meetings
Security Week: Cisco Webex Vulnerability Allows Ghost Access to Meetings
https://www.securityweek.com/cisco-webex-vulnerability-allows-ghost-access-meetings
Cisco: Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability
Cisco: Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability
Cisco: Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability
--Bad Actors Scanning for Vulnerable WordPress Sites
(November 17 & 18, 2020)
Hackers appear to be scanning for WordPress sites that use Epsilon Framework-based themes. Multiple function injection vulnerabilities could be exploited together to execute code remotely and to take over vulnerable websites. Users are urged to update to a fixed version of the theme(s) they use, where one is available. Themes built with Epsilon Framework are used on at least 150,000 sites.
[Editor Comments]
[Neely] While the attacks appear to be probing, intel-gathering attacks at this time, don't wait for that information to be leveraged. The Wordfence site below lists the specific vulnerable theme versions. If there is not an update for your theme, and switching themes is impractical, add an application firewall to block the attacks.
Read more in:
Wordfence: Large-Scale Attacks Target Epsilon Framework Themes
https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/
Threatpost: Widespread Scans Underway for RCE Bugs in WordPress Websites
https://threatpost.com/widespread-scans-rce-bugs-wordpress-websites/161374/
Bleeping Computer: Hackers are actively probing millions of WordPress sites
--Organizations Involved in COVID-19 Response Hit by Cyberattacks
(November 18 & 19, 2020)
Two companies with ties to COVID-19 research and treatment were recently targeted by cyberattacks. Americold, an Atlanta-based company that provides cold storage for food distributors and is planning to be involved with COVID vaccine storage, has disclosed that its network was hit with a cyberattack earlier this month. The disclosure was made in a US Securities and Exchange Commission (SEC) filing. Miltenyi Biotec, a biotechnology company based in Germany, was hit with a cyberattack that affected some operational processes; Miltenyi supplies research companies with antigens for use in developing COVID-19 treatments.
Read more in:
Health IT Security: Hackers Hit COVID-19 Biotech Firm, Cold Storage Giant with Cyberattacks
Threatpost: Food-Supply Giant Americold Admits Cyberattack
https://threatpost.com/food-supply-americold-cyberattack/161402/
Miltenyi Biotec: Customer Service and Technical Support Contacts
https://www.miltenyibiotec.com/US-en/about-us/customer-technical-support-1.html
******************************* SPONSORED LINKS ********************************
1) Virtual Event | Looking for practical guidance on security in the AWS Cloud? Join SANS instructors and other cloud security leaders as they share tactics, techniques, and procedures for operating effectively and securely in the cloud. This virtual event is based on the recently released book Practical Guide for Security in the AWS Cloud. | December 11 @ 10:30 AM EST
| http://www.sans.org/info/218230
2) Webcast | An upcoming webcast, "5 things you need to know to future-proof your data security today", chaired by cybersecurity expert John Pescatore, is designed to teach you the steps to build an intelligent roadmap for protecting your business and reduce the risk of data breaches by gaining better control over your IT environment. | December 3 @ 1:00 PM EST
| http://www.sans.org/info/218235
3) Webcast | Tune in to our upcoming webcast, "What Works in Maintaining Deep Security and Enabling Detection and Response Across Data Center and Cloud Apps", to gain insight into the business justification for advanced network detection and response (NDR) capabilities and the key evaluation factors that resulted in the selection and deployment of ExtraHop's Reveal(x) platform. | November 24 @ 1:00 PM EST
| http://www.sans.org/info/218240
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--CISA Director Krebs Fired
(November 17 & 18, 2020)
Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs has been fired. The decision to fire Krebs has met with condemnation from legislators and from cybersecurity experts.
[Editor Comments]
[Neely] Under Krebs' leadership, the CISA raised the bar on cyber security alerting and partnerships with public and private sector entities. It's hoped his model will continue in his absence.
[Murray] Security professionals must take care not to give unwarranted comfort nor to raise unnecessary alarm. They are often called upon to speak truth to power and they must be willing to put their jobs on the line for their credibility. Let Christopher Krebs be our example and our hero.
[Honan] This dismissal has long-term ramifications for global cybersecurity. Many relationships at an international level are based on the individuals in various organisations and the personal relationships and trust they build with their peers elsewhere. The dismissal of Mr. Krebs sends a message to the US's international partners that building those personal relationships and the trust that comes with it can be quickly undermined by a political decision.
Read more in:
Threatpost: Firing of CISA Chief Christopher Krebs Widely Condemned
https://threatpost.com/firing-of-krebs-condemned/161338/
KrebsOnSecurity: Trump Fires Security Chief Christopher Krebs
https://krebsonsecurity.com/2020/11/trump-fires-security-chief-christopher-krebs/
Wired: Firing Christopher Krebs Crosses a Line--Even for Trump
https://www.wired.com/story/trump-fires-christopher-krebs-cisa/
Ars Technica: "Krebs has been terminated": Trump fires cybersecurity chief on Twitter
SC Magazine: Trump fires DHS cyber official, widely credited for repairing fractured relations with industry
SC Magazine: 'We can't do this every four years': Critical infrastructure rattled by Krebs DHS departure
Cyberscoop: Trump fires CISA chief Chris Krebs, who guarded the 2020 election from interference and domestic misinformation
https://www.cyberscoop.com/trump-chris-krebs-2020-election-security-twitter/
--Firefox 83 has HTTPS-Only Mode Feature
(November 17 & 18, 2020)
Firefox 83 has a new HTTPS-Only Mode that connects only to HTTPS sites; users are asked to approve connections to insecure (HTTP) websites. The feature is disabled by default. Mozilla released Firefox 83 to the stable channel earlier this week.
Read more in:
Mozilla: Firefox 83 introduces HTTPS-Only Mode
https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/
ZDNet: Firefox 83 released with 'HTTPS-Only Mode' that only loads HTTPS sites
https://www.zdnet.com/article/firefox-83-released-with-https-only-mode-that-only-loads-https-sites/
Bleeping Computer: Firefox 83 boosts security with HTTPS-Only mode, zero-day fix
Security Week: Mozilla Boosts Security in Firefox With HTTPS-Only Mode
https://www.securityweek.com/mozilla-boosts-security-firefox-https-only-mode
--Mozilla Seeks Input Before Rolling Out DNS-over-HTTPS to All Firefox Users
(November 19, 2020)
Mozilla plans to roll out the DNS-over-HTTPS (DoH) protocol in Firefox for all users worldwide, but is first asking companies, governments, and Internet service providers (ISPs) for their input. The public comment period runs through January 4, 2021.
[Editor Comments]
[Neely] It would be better to roll out DNS over TLS as specified by RFC 7858, providing secure DNS for all system services, not just the browser, to avoid inconsistencies between the browser and host-based resolvers and to support existing investment in enterprise DNS architecture.
Read more in:
Mozilla: Mozilla DNS over HTTPS (DoH) and Trusted Recursive Resolver (TRR) Comment Period: Help us enhance security and privacy online
https://blog.mozilla.org/netpolicy/2020/11/18/doh-comment-period-2020
ZDNet: Fearing drama, Mozilla opens public consultation before worldwide Firefox DoH rollout
SC Magazine: In an unusual move, Mozilla asks for public comment about browser privacy feature
--Firefox Says Goodbye to Flash in January
(November 18, 2020)
Mozilla has announced that it will end support for Flash in Firefox as of January 26, 2021. With the release of Firefox 85, "there will be no setting to re-enable Flash support."
[Editor Comments]
[Neely] Develop and test your strategy to uninstall and disable Flash now. Leverage browsers no longer supporting Flash, Microsoft's Flash removal "patch" as well as verification to ensure it's truly disabled.
Read more in:
Mozilla: Ending Firefox support for Flash
https://blog.mozilla.org/futurereleases/2020/11/17/ending-firefox-support-for-flash/
ZDNet: Firefox support for Flash ends on January 26
https://www.zdnet.com/article/firefox-support-for-flash-ends-on-january-26/
--Industrial Control System Vulnerabilities
(November 17, 2020)
Four industrial control system (ICS) vendors have recently disclosed vulnerabilities in their products. Real Time Automation disclosed a stack overflow flaw in its 499ES ENIP stack protocol. Paradox disclosed two vulnerabilities in its IP150 Internet Module. Schneider Electric disclosed nine security issues in its Interactive Graphical SCADA System, and Sensormatic Electronics disclosed a vulnerability in the American Dynamics victor Web Client and Software House C*CURE Web Client.
Read more in:
Threatpost: Multiple Industrial Control System Vendors Warn of Critical Bugs
https://threatpost.com/ics-vendors-warn-critical-bugs/161333/
--Managed.com Hit with Ransomware
(November 17 & 18, 2020)
Hosting provider Managed.com was hit with a ransomware attack that began earlier this week. The company has taken down all its servers to contend with the incident. The attack affected Managed.com's public-facing hosting systems; some customers' sites were encrypted.
[Editor Comments]
[Neely] Make sure you have backups of hosted services, ideally stored at a separate service, as hosting services have become a new attack target with the goal that once the hosting provider's systems are compromised, manipulation or disruption of client services will result. Other hosting providers attacked include Equinix, CyrusOne, Cognizant, X-Cart, A2 Hosting, SmarterASP.Net, Dataresolution.net and Internet Nayana.
[Honan] A classic example of why you need to include external providers in your Business Continuity Planning. Just because you outsource something to a third party, it does not mean it is no longer your responsibility.
[Murray] Consider Tripwire's Configuration Manager.
Read more in:
ZDNet: Ransomware attack forces web hosting provider Managed.com to take servers offline
https://www.zdnet.com/article/web-hosting-provider-managed-shuts-down-after-ransomware-attack/
Bleeping Computer: REvil ransomware hits Managed.com hosting provider, 500K ransom
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
When Security Controls Lead to Security Issues
https://isc.sans.edu/forums/diary/When+Security+Controls+Lead+to+Security+Issues/26804/
PowerShell Dropper Delivering Formbook
https://isc.sans.edu/forums/diary/PowerShell+Dropper+Delivering+Formbook/26806/
Google Chrome Update
https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html
Firefox 83 HTTPS Only Mode
https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/
OOB Windows Kerberos Update
https://docs.microsoft.com/en-us/windows/release-information/windows-message-center
Cisco WebEx Patch Fixes "Ghost Users"
https://securityintelligence.com/posts/ibm-works-with-cisco-exorcise-ghosts-webex-meetings/
Apple Binaries Used to Bypass 3rd Party Security Products on MacOS 11
https://twitter.com/patrickwardle/status/1327726496203476992
Apple Improving Privacy on App Certificate Checks
https://support.apple.com/en-us/HT202491
Cisco Security Manager Vulnerabilities
https://gist.github.com/Frycos/8bf5c125d720b3504b4f28a1126e509e
https://tools.cisco.com/security/center/publicationListing.x
Ransomware Flooding Printers
https://twitter.com/Irlenys/status/1327784305465188353
Google Leading the Way in Phishing
https://www.armorblox.com/blog/ok-google-build-me-a-phishing-campaign
Identifying Malicious Servers With JARM
Daniel Behrens: Industrial Traffic Collection: Understanding the Implications of Deploying Visibility Without Impacting Production
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create