SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #93
November 24, 2020
Tesla Hack To Steal Model X; GoDaddy's Inadvertent CryptoMining Error; VMware Critical Flaws
****************************************************************************
SANS NewsBites November 24, 2020 Vol. 22, Num. 093
****************************************************************************
THE TOP OF THE NEWS
GoDaddy Employees Tricked Into Changing DNS Settings for Cryptocurrency Domains
Tesla Bluetooth Vulnerability Could be Exploited to Steal Model X Vehicles
VMware Working on Fixes for Critical Privilege Elevation Vulnerability
VMware Issues Patches for ESXi Hypervisor Vulnerabilities
REST OF THE WEEK'S NEWS
Ransomware Attack Against Managed.com Affects Local Governments
Brazilian Superior Electoral Court System Recovers from Ransomware Attack
South Korean Retailer E-Land Suffers Ransomware Attack
Manchester United Says Cyberattack is Disrupting IT Systems
Romanian Police Arrest Malware Purveyors
Google Plans to Add End-to-End Encryption to Android Messaging App
Cryptocurrency and Criminal Finances Conference
OMB Directs Agencies to Prepare for IPv6-only Infrastructure
INTERNET STORM CENTER TECH CORNER
****************************************************************************
TOP OF THE NEWS
--GoDaddy Employees Tricked Into Changing DNS Settings for Cryptocurrency Domains
(November 21 & 23, 2020)
Attackers used social engineering to trick employees at domain name registrar GoDaddy into transferring control of several cryptocurrency-related domains. The attackers managed to gain access to some Liquid.com customer data. NiceHash noticed that its traffic was being redirected and froze customer accounts for 24 hours while it verified that the domain settings had been returned to normal.
[Editor Comments]
[Honan] Your organisation's domain name is a key asset and should be appropriately protected. Ask your registrar about getting a registry lock or domain lock service for your domain to make unauthorized changes more difficult.
Read more in:
KrebsOnSecurity: GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services
ZDNet: GoDaddy staff fall prey to social engineering scam in cryptocurrency exchange attack wave
Threatpost: GoDaddy Employees Tricked into Compromising Cryptocurrency Sites
https://threatpost.com/godaddy-employees-tricked-compromise-cryptocurrency/161520/
The Register: Crooks social-engineer GoDaddy staff into handing over control of crypto-biz domain names
https://www.theregister.com/2020/11/23/godaddy_dns_hijack/
--Tesla Bluetooth Vulnerability Could be Exploited to Steal Model X Vehicles
(November 23, 2020)
The keyless entry system for Tesla Model X automobiles is vulnerable to a Bluetooth attack that could be exploited to steal a Model X. The attack relies on a flaw in the firmware update process for Tesla Model X key fobs. Tesla will start pushing out over-the-air updates for the affected key fobs this week.
[Editor Comments]
[Neely] This attack leverages vulnerabilities in the key fob firmware update, the target vehicle's VIN, and an electronic control unit salvaged from another Model X, making the attack rig a bit bulky. Updates are being released for both the in-vehicle systems and the key fob firmware.
[Pescatore] Keyless entry on cars is, to me, like digital watches - what seems like a cool use of technology turns out to be a downgrade in capabilities and safety. There is a good reason why ATM machines still require a physical card to be inserted, not just a PIN entered.
[Murray] Keyless entry systems are all about the eternal trade-off between convenience and security. For security, prefer keyless entry based upon mobiles to those based on tokens or "fobs."
Read more in:
Wired: This Bluetooth Attack Can Steal a Tesla Model X in Minutes
https://www.wired.com/story/tesla-model-x-hack-bluetooth/
ZDNet: Tesla Model X hacked and stolen in minutes using new key fob hack
https://www.zdnet.com/article/tesla-model-x-hacked-and-stolen-in-minutes-using-new-key-fob-hack/
Bleeping Computer: Tesla Model X key fobs could be hacked to steal cars, fix released
CNET: Tesla Model X vulnerable to Bluetooth hack that makes theft a breeze, report says (audio)
https://www.cnet.com/roadshow/news/tesla-model-x-bluetooth-hack-theft/
--VMware Working on Fixes for Critical Privilege Elevation Vulnerability
(November 23, 2020)
A critical privilege elevation vulnerability in six VMware products could be exploited to "execute commands with unrestricted privileges on the underlying operating system." VMware has released workarounds as a temporary solution until patches are available.
[Editor Comments]
[Neely] Apply the workaround ONLY to the specifically-identified product versions. While the workaround is in place, configurator-managed settings changes will not be possible without first reverting the fix. Additionally, the fix disables most of the system diagnostics dashboard. Subscribe to VMware's security announcement mailing list to be notified when the patches are released. https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
Read more in:
Threatpost: Critical VMware Zero-Day Bug Allows Command Injection; Patch Pending
https://threatpost.com/vmware-zero-day-patch-pending/161523/
Bleeping Computer: VMware discloses critical zero-day vulnerability in Workspace One
VMware: VMware Workspace One Access, VMware Identity Manager, VMware Identity Manager Connector Workaround Instructions for CVE-2020-4006 (81731)
https://kb.vmware.com/s/article/81731
VMware: Advisory | VMSA-2020-0027
https://www.vmware.com/security/advisories/VMSA-2020-0027.html
--VMware Issues Patches for ESXi Hypervisor Vulnerabilities
(November 20, 2020)
VMware has released fixes for multiple flaws affecting its ESXi hypervisor. A critical use-after-free vulnerability could be exploited "to execute code as the virtual machine's VMX process running on the host." An important privilege elevation vulnerability affects the way some system calls are managed. Both vulnerabilities were discovered during the Tianfu Cup Hacking Challenge earlier this month.
[Editor Comments]
[Neely] The flaw impacts both ESXi and Workstation, including Fusion. Where patches are not yet available, the vulnerability can be mitigated by removing the XHCI (USB 3.x) controller from the virtual machines.
Read more in:
Threatpost: VMware Fixes Critical Flaw in ESXi Hypervisor
https://threatpost.com/vmware-critical-flaw-esxi-hypervisor/161457/
VMware: Advisory | VMSA-2020-0026
https://www.vmware.com/security/advisories/VMSA-2020-0026.html
****************************************************************************
THE REST OF THE WEEK'S NEWS
--Ransomware Attack Against Managed.com Affects Local Governments
(November 20 & 23, 2020)
The ransomware attack against the network of hosting provider Managed.com has affected local governments in the US. The company took down its web hosting services after becoming aware of the attack last week. That action has rendered some Managed.com client websites unavailable. The affected organizations include some local governments in Indiana, North Carolina, and Oregon. The website of the Arizona Judicial Branch has also been affected.
[Editor Comments]
[Neely] Managed.com contained the attack by shutting off hosting services. Standing up alternative sites and services to mitigate the shutdown requires access to backups of the initial sites. Store those backups with a separate service provider to mitigate the risk of failed restoration because the service is offline. Include procedures for service providers being offline in your COOP plans.
Read more in:
Statescoop: Local governments forced offline after ransomware targets web host
https://statescoop.com/local-governments-forced-offline-after-ransomware-targets-web-host/
Security Week: Attack on Vendor Affects Website of Arizona Court System
https://www.securityweek.com/attack-vendor-affects-website-arizona-court-system
--Brazilian Superior Electoral Court System Recovers from Ransomware Attack
(November 23, 2020)
Brazil's Superior Electoral Court has restored its IT systems to full operation following a ransomware attack that hit on November 3. The court was operating "with limited functionality" until November 20. The incident is being called "the worst-ever" cyberattack suffered by a Brazilian government department.
Read more in:
ZDNet: Brazilian government recovers from "worst-ever" cyberattack
https://www.zdnet.com/article/brazilian-government-recovers-from-worst-ever-cyberattack/
--South Korean Retailer E-Land Suffers Ransomware Attack
(November 23, 2020)
E-Land, a South Korean retail company, has temporarily suspended operations at 23 of its NC Department Stores and NewCore Outlet stores in the wake of a ransomware attack. The ransomware was activated on systems at E-Land headquarters on November 22.
Read more in:
Bleeping Computer: Ransomware forces E-Land South Korean retail giant to close stores
--Manchester United Says Cyberattack is Disrupting IT Systems
(November 20 & 21, 2020)
On Friday, November 20, the Manchester United football club disclosed that its network had experienced a cyberattack that is causing "ongoing IT disruption." The incident is under investigation. Manchester United said "All critical systems required for matches to take place" over the weekend were operational.
[Editor Comments]
[Neely] Of late, attacks of this nature turn out to be ransomware. Improved technical measures and supporting procedures were implemented and tested to prepare for this type of incident. The current trend for cyber attacks includes capitalizing on human weaknesses via social engineering. Studies have found that awareness training fades after a few months; support technical protections with refresher training at least bi-annually.
Read more in:
Threatpost: Manchester United: IT Systems Disrupted in Cyberattack
https://threatpost.com/manchester-united-disrupted-cyberattack/161488/
ZDNet: Manchester United football club discloses security breach
https://www.zdnet.com/article/manchester-united-football-club-discloses-security-breach/
The Register: Manchester United working with infosec experts to 'minimize ongoing IT disruption' caused by 'cyber attack'
https://www.theregister.com/2020/11/21/manchester_united_working_with_infosec/
ManUtd: Manchester United PLC Update on Cyber Security Breach
https://ir.manutd.com/press-releases.aspx
--Romanian Police Arrest Malware Purveyors
(November 20 & 23, 2020)
Police in Romania have arrested two individuals in connection with three online services that are designed to help malware evade detection by antivirus software. The investigators also took down relevant servers in Romania, Norway, and the US.
[Editor Comments]
[Honan and Murray] Congratulations to all those involved in this operation. It is heartening to see the increasing numbers of successful international operations against cybercriminals.
Read more in:
ZDNet: Two Romanians arrested for running three malware services
https://www.zdnet.com/article/two-romanians-arrested-for-running-multiple-malware-services/
Security Week: Two Romanians Arrested for Running Malware Encryption Services
https://www.securityweek.com/two-romanians-arrested-running-malware-encryption-services
Cyberscoop: Police arrest 2 in connection with CyberSeal, Dataprotector crime services
https://www.cyberscoop.com/romania-europol-crypting-arrests/
--Google Plans to Add End-to-End Encryption to Android Messaging App
(November 19 & 20, 2020)
Google plans to begin beta-testing end-to-end encryption (E2EE) for its Android Messaging App. The feature will be rolled out to one-on-one Rich Communication Services (RCS) conversations. Google has been touting the RCS text-messaging standard as an alternative to SMS.
[Editor Comments]
[Neely] To use RCS you need to be using the latest version of Google's Messages App with the chat features enabled. RCS uses WiFi or cellular data for message delivery, rather than SMS. Encryption keys exist only on the endpoints, so decryption on servers or relay points is not possible.
[Murray] Device-to-device encryption may look end-to-end to Google but should not be relied upon for sensitive applications in hostile environments.
Read more in:
Google: Helping you connect around the world with Messages
https://blog.google/products/messages/helping-you-connect-around-world-messages/
ZDNet: Google is adding end-to-end encryption to its Android Messages app
https://www.zdnet.com/article/google-is-adding-end-to-end-encryption-to-android-messages-app/
The Register: End-to-end encryption? In Android's default messaging app? Don't worry, nobody else noticed either
https://www.theregister.com/2020/11/20/google_rcs_e2e_brouhaha/
Ars Technica: Google is testing end-to-end encryption in Android Messages
https://arstechnica.com/gadgets/2020/11/google-is-testing-end-to-end-encryption-in-android-messages/
--Cryptocurrency and Criminal Finances Conference
(November 20, 2020)
Europol hosted the fourth Global Conference on Criminal Finances and Cryptocurrencies, which was held virtually. There were more than 2,000 participants, representing "law enforcement and judicial authorities, financial intelligence units, international organisations and the private sector." Presentations included "case examples to exchange knowledge and best practices on investigations related to cryptocurrency facilitated crime and subsequent money-laundering activities."
Read more in:
Europol: Over 2 000 Participants from 132 Countries Logged on for the 4th Global Conference on Criminal Finances and Cryptocurrencies
--OMB Directs Agencies to Prepare for IPv6-only Infrastructure
(November 20, 2020)
A memo from the US Office of Management and Budget (OMB) directs federal agencies to take steps to prepare for the transition to IPv6. Agencies have 45 days to create IPv6 integrated project teams that will "govern and enforce IPv6 efforts." Within 180 days, agencies must establish and publish on their websites their own IPv4 policies. They are also required to conduct at least one pilot of an IPv6-only operational system and to develop an IPv6 implementation plan prior to the end of FY 2021.
[Editor Comments]
[Neely] This memo rescinds M-05-22, Transition Planning for IPv6, August 2005 and Transition to IPv6, September 2010. The 2010 requirements to upgrade public/external facing services to IPv6 by FY end 2012 as well as upgrade client applications which communicate with public Internet servers, including their supporting networks, to IPv6 by FY end 2014 remain. OMB expects agencies who have not already met those requirements to do so as soon as possible. Before jumping into an upgrade, understand the change in network security introduced by IPv6. Align thinking to consider all IPv6 addresses to be public IP space.
Read more in:
Fedscoop: IPv6 is now the standard for federal agencies' internet traffic
https://www.fedscoop.com/omb-finalizes-ipv6-memo/
WhiteHouse: Memorandum | Completing the Transition to Internet Protocol Version 6 (IPv6) (PDF)
https://www.whitehouse.gov/wp-content/uploads/2020/11/M-21-07.pdf
****************************************************************************
INTERNET STORM CENTER TECH CORNER
Quick Tip: Cobalt Strike Beacon Analysis
https://isc.sans.edu/forums/diary/Quick+Tip+Cobalt+Strike+Beacon+Analysis/26818/
Updates for VMware ESXi, Fusion and Workstation
https://www.vmware.com/security/advisories/VMSA-2020-0026.html
IBM DB2 Vulnerability
https://www.ibm.com/support/pages/node/6370025 (CVE-2020-4701)
https://www.ibm.com/support/pages/node/6370023 (CVE-2020-4739)
Fortinet SSL VPN Exploit Used to Collect Credentials
https://twitter.com/Bank_Security/status/1329426020647243778
GoDaddy Social Engineering Used to Compromise Bitcoin Exchange Domains
https://blog.liquid.com/security-incident-november-13-2020
Spoofed FBI Domains
https://www.ic3.gov/Media/Y2020/PSA201123
****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create