SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #94
December 1, 2020
Malware Targets macOS; New Zealand's Privacy Law; Texas Governor Brings 1,150 Students in 235 High Schools To Discover Cybersecurity Talent
Practical Cloud Security Half-Day Workshop - Free for NewsBites readers
Learn the highlights of AWS security from the SANS authors of the insightful new book, Practical Guide to Security in the AWS Cloud. Be able to quickly assess the risks in your use of Infrastructure as a Service (IAAS) offerings and immediately begin remediating or mitigating those risks. Friday Dec 11, 10:30 AM EST.
Register at https://www.sans.org/webcasts/cloud-security-solutions-forum-117055
*****************************************************************************
SANS NewsBites December 1, 2020 Vol. 22, Num. 094
*****************************************************************************
THE TOP OF THE NEWS
Malware Targets macOS
New Zealand's New Data Privacy Law Takes Effect December 1, 2020
Texas Governor's Support Leads to 1,150 Students in 235 High Schools Discovering Their Level of Cybersecurity Talent
RANSOMWARE AND THE REST OF THE WEEK'S NEWS
Pennsylvania County Pays $500,000 After Ransomware Attack
Baltimore (Maryland) County Schools Suffers Ransomware Attack
University of Vermont Medical Health Network Still Recovering from October Ransomware Attack
AspenPointe Discloses September Data Breach
Advantech Confirms Ransomware Attack
Microsoft Teams No Longer Supports Internet Explorer
Spamhaus Says 50+ Dormant Domains Springing Back to Life is Suspicious
TrickBot Botnet Comes Creeping Back
US Supreme Court Hears Arguments in CFAA Case
Microsoft Defender for Identity Can Detect Zerologon Exploits
INTERNET STORM CENTER TECH CORNER
********************* Sponsored By Bolster Inc. *****************************
Webcast | We invite you to join SANS Senior Instructor, Jake Williams, as he chairs our upcoming webcast titled, "Leverage AI to Protect Against Phishing and Fraud Scams." Viewers will learn how to protect your customers and employees from rampant phishing and fraudulent sites that pop up every day. | December 10 @ 10:30 AM EST
| http://www.sans.org/info/218310
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
OnDemand and Live Online Training Special Offer
Best offers of the year! Get the latest MacBook Air, a Microsoft Surface Pro 7, or take $350 Off with ANY qualifying SANS Training Course through December 9.
- www.sans.org/specials/north-america/
New & Updated Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/cyber-security-courses/cloud-penetration-testing/
MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep
- https://www.sans.org/cyber-security-courses/project-management-effective-communication/
SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis
- https://preview.sans.org/cyber-security-courses/open-source-intelligence-gathering/
Upcoming Live Online Events
SANS Security East 2021 - Jan 11-16 CST
20 Courses | Core and GRID NetWars
- https://www.sans.org/event/security-east-2021-live-online/
SANS Stay Sharp: Blue Team Ops 2021 - Jan 18-22 MST
Targeted Short Courses | Cyber Defense NetWars
- https://www.sans.org/event/stay-sharp-blue-team-operations-jan-2021/
Cyber Threat Intelligence Summit & Training
FREE Summit: Jan 21-22 | Courses: Jan 25-30
- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/
Cloud Security Resources
Cheat Sheets, Papers, eBooks, and more. View & Download
- https://www.sans.org/cloud-security/
*****************************************************************************
TOP OF THE NEWS
--Malware Targets macOS
(November 30, 2020)
Researchers have detected a new malware variant that targets macOS systems. The malware has been linked to the OceanLotus advanced persistent threat (APT) group, which has ties to the Vietnamese government. The malware spreads through malicious files included in phishing emails.
[Editor Comments]
[Neely] The attack depends on users opening a malicious zip file, which uses special characters to avoid detection. As zip files are often a vehicle to deliver malware, consider removing them from inbound messages as well as tagging external messages to raise awareness of their external origin. Additional mitigations include keeping the systems patched as well as reminding users to not open attachments from untrusted/unknown sources.
Read more in:
ZDNet: Hackers are targeting MacOS users with this updated malware
https://www.zdnet.com/article/hackers-are-targeting-macos-users-with-this-updated-malware/
Threatpost: MacOS Users Targeted By OceanLotus Backdoor
https://threatpost.com/macos-users-targeted-oceanlotus-backdoor/161655/
--New Zealand's New Data Privacy Law Takes Effect December 1, 2020
(November 30, 2020)
New Zealand's Privacy Act 2020 takes effect on December 1. Under the new law, organizations are obligated to report data breaches that pose a "risk of harm." The law applies to New Zealand-based organizations that handle data as well as to organizations that conduct business in New Zealand and/or collect data about New Zealand residents.
[Editor Comments]
[Pescatore and Neely] The direct fines are pretty low, maximum of NZ $10K, but could rise to NZ $230K if the NZ Office of the Privacy Commissioner files and succeeds in an Official Complaint. NZ and many US states are moving closer to the EU GDPR, which means security controls need to be updated. The demand of consumers is captured by the NZ slogan "Privacy is Precious."
Read more in:
Portswigger: New Zealand Privacy Act: Updated data breach legislation comes into effect tomorrow
--Texas Governor's Support Leads to 1,150 Students in 235 High Schools Discovering Their Level of Cybersecurity Talent and Vying for $2 Million in Scholarships
(December 1, 2020)
Texas Governor Abbott's active support has enabled more than 1,000 high school students to use CyberStart America to discover their cyber aptitude in less than 30 days. Many participants are finding they are hooked on solving cybersecurity problems as "cyber protection agents," even those who never took a computer science, networking, or cybersecurity class. New Jersey's Governor Murphy also promoted the program to students, and New Jersey's students are cutting into Texas's lead. With 100 more days to go in CyberStart America and every high school student in every state eligible for the free program, at least 30,000 American high school students will be able to begin their professional journey toward a career in cybersecurity and/or computer science, with $2 million in college scholarships available to those who do well.
Governor Abbott's Support: https://gov.texas.gov/news/post/governor-abbott-announces-partnership-with-cyberstart-america-to-promote-cybersecurity-career-track-for-texas-high-school-students
Governor Murphy's Support: https://www.njhomelandsecurity.gov/media/governor-murphy-strongly-encourages-high-school-girls-to-participate-in-upcoming-2020-girls-go-cyberstart-competition
Leaderboard to see how students in your state are doing: https://www.cyberstartamerica.org/leaderboard/
Site to Learn More and Sign Up for CyberStart America: https://www.cyberstartamerica.org/
****************************** SPONSORED LINKS *******************************
1) Virtual Event | December 14th-19th | Discover the most effective steps to prevent cyber-attacks and detect adversaries with actionable techniques you can apply immediately. Join us for our exciting upcoming event, SANS Cyber Defense Initiative 2020 - Live Online (EST), and receive relevant cyber security training from real-world practitioners. Choose your course and register now!
| http://www.sans.org/info/218315
2) Webcast | Our upcoming webcast, "Smart Enterprise Visibility with DTEX InTERCEPT", SANS instructor Matt Bromiley reviews DTEX InTERCEPT, a platform that offers holistic visibility and provides unique insight into user behavior | December 8 @ 3:30 PM EST
| http://www.sans.org/info/218320
3) Webcast | Join us for our upcoming webcast, "Bringing validity to defense-in-depth" to learn how Elastic helps customers break down artificial silos between teams and use cases in our movement towards a DevSecOps culture | December 9 @ 1:00 PM EST
| http://www.sans.org/info/218325
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Pennsylvania County Pays $500,000 After Ransomware Attack
(November 24 & 30, 2020)
The government of Delaware County (Pennsylvania) paid $500,000 to regain access to its systems following a ransomware attack. The county took some of its systems offline after discovering the incident.
Read more in:
DelCoPa: Disruption to Portions of Delaware County's Computer Network
https://www.delcopa.gov/publicrelations/releases/2020/networkdisruption.html
Bleeping Computer: Pennsylvania county pays 500K ransom to DoppelPaymer ransomware
Infosecurity Magazine: Delaware County Pays $500,000 Ransom After Outages
https://www.infosecurity-magazine.com/news/delaware-county-pays-500k-ransom/
--Baltimore (Maryland) County Schools Suffers Ransomware Attack
(November 25, 30 & December 1, 2020)
The Baltimore County Public School (BCPS) system was forced to cancel classes and shut its offices on Wednesday, November 25 after its network was hit with ransomware. BCPS exhorted students and staff not to use district-issued Windows computers. District-issued Chromebooks were not affected.
[Editor Comments]
[Neely] An advantage of Chromebooks and tablets is that they are self-contained and can be easily reset to a known good state. Even so, they have a different attack surface and need to be securely configured and kept updated. Just as you would use mobile device management for phones and tablets, use Chrome device management to ensure devices are running appropriate security policies, students operate with minimum privilege, and only authorized apps are installed.
[Murray] While Chromebooks are used in schools for many reasons, such thin clients are resistant to contamination. They also protect the environment in which they run from security failures on the part of their users. While some enterprise users may require the capabilities of a "personal computer," including programmability, many do not. A preference for thin clients may dramatically reduce the attack surface of an enterprise.
Read more in:
Statescoop: Class canceled in Baltimore County, Md., in latest school ransomware attack
https://statescoop.com/baltimore-county-ransomware-classes-canceled/
The Hill: Cyberattack forces shutdown of Baltimore County schools for the day
Bleeping Computer: Baltimore students told to ditch Windows PCs after ransomware attack
The Register: Forget Snow Day: Baltimore's 115,000+ public school kids get Ransomware Day, must check Win PCs for infection
https://www.theregister.com/2020/12/01/baltimore_ransomware_attack/
--University of Vermont Medical Health Network Still Recovering from October Ransomware Attack
(November 27 & 30, 2020)
More than a month after a ransomware attack hit systems at the University of Vermont Medical Health Network (UVMHN), the organization is still working on restoring services. UVMHN comprises seven facilities in Vermont and New York State.
Read more in:
Threatpost: Post-Cyberattack, UVM Health Network Still Picking Up Pieces
https://threatpost.com/cyberattack-uvm-health-picking-up-pieces/161681/
Bleeping Computer: Vermont hospitals still recovering from October ransomware attack
Security Week: U of Vermont Medical Center Continuing Cyber-Attack Recovery
https://www.securityweek.com/u-vermont-medical-center-continuing-cyber-attack-recovery
--AspenPointe Discloses September Data Breach
(November 30, 2020)
Colorado-based healthcare company AspenPointe has disclosed a data breach that affected nearly 300,000 patients. The attackers compromised both personal health information (PHI) and personally identifiable information (PII). The attackers had access to the system for 10 days in mid-September 2020.
Read more in:
Bleeping Computer: Healthcare provider AspenPointe data breach affects 295K patients
--Advantech Confirms Ransomware Attack
(November 30, 2020)
Advantech, a Taiwan-based company that manufactures chips used in Internet of Things (IoT) devices, has confirmed that its systems were hit with a ransomware attack. The threat actors have posted some Advantech documents online; they are reportedly demanding 750 Bitcoins for ransom.
Read more in:
Bleeping Computer: IoT chip maker Advantech confirms ransomware attack, data theft
Threatpost: Conti Gang Hits IoT Chipmaker Advantech with $14M Ransom Demand
https://threatpost.com/conti-iot-chip-advantech-ransom-demand/161691/
--Microsoft Teams No Longer Supports Internet Explorer
(November 30, 2020)
As of Monday, November 30, Microsoft Teams no longer supports Internet Explorer 11. Users who log into the web version of Microsoft Teams with IE 11 will see a message reminding them that the browser is no longer supported and recommending that they use the desktop client instead. The withdrawal of support is one in a series of changes Microsoft is implementing to encourage users to move to its Edge browser.
[Editor Comments]
[Neely] Plan to be off Edge Legacy by March 9th and IE 11 by August 17th. For business applications that must use IE 11 after those dates, provide a hosted browser with access only to approved applications. Deploy alternate browsers, e.g. Chromium Edge, Chrome, or Firefox now so users can get used to them before removing/blocking IE.
Read more in:
Bleeping Computer: Microsoft really wants you to stop using Internet Explorer
Tech Republic: Microsoft Teams will no longer support Internet Explorer 11
https://www.techrepublic.com/article/microsoft-teams-will-no-longer-support-internet-explorer-11/
--Spamhaus Says 50+ Dormant Domains Springing Back to Life is Suspicious
(November 30, 2020)
According to Spamhaus, more than 50 networks sprang back to life after being dormant for some time. The networks, all of them in the North American region, were revived at the same time, and each was announced by an autonomous system number (ASN) that had also been dormant. Spamhaus has placed most of the suspect networks on its DROP (Don't Route Or Peer) list "until their owners clarify the situation."
[Editor Comments]
[Neely] Identification of anomalous behavior such as this is admirable, and a coordinated approach is needed to avoid DOSing legitimate networks, particularly with the criticality of the Internet to business and service delivery.
Read more in:
Security Week: Tens of Dormant North American Networks Suspiciously Resurrected at Once
https://www.securityweek.com/tens-dormant-north-american-networks-suspiciously-resurrected-once
Spamhaus: Suspicious network resurrections
https://www.spamhaus.org/news/article/802/suspicious-network-resurrections
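Operators who consume the DROP list usually block it at the border, which is why a listing for a legitimately revived network hurts. The following is an added example, not Spamhaus's code, of parsing the published DROP text format (comment lines begin with ';', entries are 'CIDR ; SBL-reference') and checking addresses against it with an explicit allowlist for networks an operator has verified; the list entries are constructed from RFC 5737 documentation ranges and are not real listings.

```python
"""Parse a Spamhaus DROP-format list and check addresses against it.

Added example, not Spamhaus's own code. Real lists are fetched from
spamhaus.org; the SAMPLE_DROP text below is constructed from RFC 5737
documentation ranges and the SBL references are placeholders.
"""
import ipaddress

# Constructed sample in the real drop.txt layout: ';' comments, 'CIDR ; SBL-ref' entries.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not a real download)
; https://www.spamhaus.org/drop/drop.txt
192.0.2.0/24 ; SBL000001
198.51.100.0/24 ; SBL000002

203.0.113.128/25 ; SBL000003
"""


def parse_drop(text):
    """Return {ip_network: sbl_reference}; comment and blank lines are skipped."""
    entries = {}
    for raw in text.splitlines():
        parts = raw.split(";", 1)
        cidr = parts[0].strip()
        if not cidr:  # comment line (';' first) or blank line
            continue
        ref = parts[1].strip() if len(parts) > 1 else ""
        # strict=True rejects entries with host bits set, which a malformed
        # or tampered list might contain.
        entries[ipaddress.ip_network(cidr, strict=True)] = ref
    return entries


def lookup(ip, entries):
    """Return (network, sbl_reference) covering ip, or None if unlisted."""
    addr = ipaddress.ip_address(ip)
    for net, ref in entries.items():
        if addr in net:
            return net, ref
    return None


def drop_verdict(ip, entries, allowlist=()):
    """'drop' if ip is on the list, 'allow' otherwise.

    allowlist holds CIDRs the operator has verified out-of-band; it wins
    over the list so a wrongly listed partner network is not cut off
    while Spamhaus and the owner sort out the situation.
    """
    addr = ipaddress.ip_address(ip)
    if any(addr in ipaddress.ip_network(net) for net in allowlist):
        return "allow"
    return "drop" if lookup(ip, entries) else "allow"


if __name__ == "__main__":
    drop = parse_drop(SAMPLE_DROP)
    for ip in ("192.0.2.77", "203.0.113.5", "198.51.100.9"):
        print(ip, lookup(ip, drop), drop_verdict(ip, drop, allowlist=["198.51.100.0/24"]))
```

In production the check belongs on the router or firewall (DROP is distributed for exactly that), but a script like this is useful for auditing whether any peer, partner, or customer prefix is currently listed before the border block catches it.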
--TrickBot Botnet Comes Creeping Back
(November 24 & 30, 2020)
The TrickBot botnet appears to be re-emerging after Microsoft and US Cyber Command efforts to disrupt it earlier this fall. Both organizations targeted the botnet's command-and-control servers. The newest iteration of TrickBot uses a clever obfuscation technique to sneak the payload past detection tools.
Read more in:
Dark Reading: Latest Version of TrickBot Employs Clever New Obfuscation Trick
Cyberscoop: It's hard to keep a big botnet down: TrickBot sputters back toward full health
https://www.cyberscoop.com/trickbot-status-microsoft-cyber-command-takedown/
--US Supreme Court Hears Arguments in CFAA Case
(November 30, 2020)
The US Supreme Court has heard arguments in Van Buren v. United States, a case that is likely to determine how broadly or narrowly the Computer Fraud and Abuse Act (CFAA) is interpreted. The appeal seeks to overturn the conviction of a Georgia police officer who used his legitimate access to a license plate database to search for information at the request of an individual who turned out to be working with the FBI.
[Editor Comments]
[Pescatore] Between 1996 and 2008, the CFAA was amended 4 times; but in the 12 years since then not at all. It is long overdue for more precision in the language. Legislation will always lag technology and threat advances, but overly-broad language not only impacts legitimate security activities but wastes scarce law enforcement and prosecutorial resources.
Read more in:
Politico: Justices express qualms about sweeping computer crime law
https://www.politico.com/news/2020/11/30/supreme-court-computer-crime-law-441441
Ars Technica: The Supreme Court will finally rule on controversial US hacking law
Portswigger: US Supreme Court hears Van Buren appeal arguments in light of Computer Fraud and Abuse Act ambiguity
--Microsoft Defender for Identity Can Detect Zerologon Exploits
(November 30, 2020)
Microsoft Defender for Identity, a cloud-based security product, can now detect attacks that exploit the Zerologon vulnerability in the Windows Netlogon protocol. Microsoft says that customers "will be able to identify the device that attempted the impersonation, the domain controller, the targeted asset, [and] whether the impersonation attempts were successful."
[Editor Comments]
[Neely] If you are a MS 365 Defender user, Defender for Identity can help detect network identity compromise attempts, successful or otherwise. Even so, make sure that internet-accessible services require multi-factor authentication to make account compromise far more difficult.
Read more in:
Microsoft: Zerologon is now detected by Microsoft Defender for Identity
Bleeping Computer: Microsoft Defender for Identity now detects Zerologon attacks
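For shops without Defender for Identity, the domain controllers' own logs carry the same signal. The following is an added example, not Microsoft's or SANS's code, of triaging the Netlogon events Microsoft added with the August 2020 Zerologon patch (5827/5828: vulnerable secure-channel connection denied; 5829/5830/5831: vulnerable connection allowed) together with Security event 4742 (computer account changed). The event records and the list of domain controller accounts are constructed; the simplified field names are an assumption of this example, not the EVTX schema.

```python
"""Triage DC event records for Zerologon exploitation indicators.

Added example, not Microsoft's code. Event semantics (from the Zerologon
patch guidance): 5827/5828 = vulnerable Netlogon secure channel DENIED
(machine/trust account), 5829 = vulnerable channel ALLOWED during the
deployment phase, 5830/5831 = ALLOWED by explicit group-policy exception,
4742 = a computer account was changed. The Zerologon exploit impersonates
a DC's own machine account over a vulnerable channel and then resets that
account's password, which is the two-step pattern correlated below.
The records and field names are constructed for this example.
"""
from dataclasses import dataclass

# Constructed sample records in a simplified layout (not a real EVTX export).
SAMPLE_EVENTS = [
    {"EventID": 5829, "Computer": "DC01", "Account": "WS07$"},
    {"EventID": 5827, "Computer": "DC01", "Account": "OLDPRINT$"},
    # Exploit step 1: the DC's own account over a vulnerable channel.
    {"EventID": 5829, "Computer": "DC01", "Account": "DC01$"},
    # Exploit step 2: password reset on that same DC account.
    {"EventID": 4742, "Computer": "DC01", "Account": "DC01$", "PasswordLastSetChanged": True},
    # Routine workstation password rotation: not interesting.
    {"EventID": 4742, "Computer": "DC01", "Account": "WS12$", "PasswordLastSetChanged": True},
    {"EventID": 4624, "Computer": "DC01", "Account": "jsmith"},
]

# Assumed inventory of DC machine accounts (constructed).
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

VULN_DENIED = {5827, 5828}
VULN_ALLOWED = {5829, 5830, 5831}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


@dataclass(frozen=True)
class Finding:
    severity: str
    account: str
    reason: str


def triage(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Return findings in event order; events must be supplied chronologically."""
    findings = []
    suspect_dc_accounts = set()  # DC accounts already seen on a vulnerable channel
    for ev in events:
        eid = ev["EventID"]
        acct = ev.get("Account", "")
        if eid in VULN_ALLOWED:
            if acct in domain_controllers:
                suspect_dc_accounts.add(acct)
                findings.append(Finding("high", acct,
                    f"event {eid}: DC machine account used over a vulnerable Netlogon channel (impersonation step)"))
            else:
                findings.append(Finding("medium", acct,
                    f"event {eid}: vulnerable Netlogon channel allowed; patch or decommission this client"))
        elif eid in VULN_DENIED:
            findings.append(Finding("low", acct,
                f"event {eid}: vulnerable Netlogon channel denied (enforcement working)"))
        elif eid == 4742 and ev.get("PasswordLastSetChanged") and acct in suspect_dc_accounts:
            findings.append(Finding("critical", acct,
                "DC machine account password reset after vulnerable-channel use (Zerologon pattern)"))
    return findings


def highest_severity(findings):
    """Worst severity among findings, or None when there are none."""
    return max((f.severity for f in findings), key=SEVERITY_ORDER.index, default=None)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:8}] {f.account:10} {f.reason}")
```

Any 5829-5831 event at all means a client is still negotiating the vulnerable channel and will break once enforcement mode is on, so the medium findings are a patching to-do list as much as a detection; the critical correlation is what warrants an immediate DC password reset and incident response.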
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Live Patching Windows API Calls Using PowerShell
https://isc.sans.edu/forums/diary/Live+Patching+Windows+API+Calls+Using+PowerShell/26826/
Decrypting PowerShell Payloads
https://isc.sans.edu/forums/diary/Decrypting+PowerShell+Payloads+video/26838/
Threat Hunting with JARM
https://isc.sans.edu/forums/diary/Threat+Hunting+with+JARM/26832/
https://isc.sans.edu/forums/diary/Quick+Tip+Using+JARM+With+a+SOCKS+Proxy/26834/
The Special Case of TCP Resets
https://isc.sans.edu/forums/diary/The+special+case+of+TCP+RST/26824/
Active Exploitation of MobileIron Vulnerabilities
https://www.ncsc.gov.uk/news/alert-multiple-actors-attempt-exploit-mobileiron-vulnerability
Be Careful With IoT Gifts
https://www.cyberscoop.com/smart-doorbells-amazon-ebay-ncc-vulnerabilities/
Trend Micro ServerProtect for Linux
https://success.trendmicro.com/solution/000281950
WebKit Vulnerabilities
https://blog.talosintelligence.com/2020/11/vuln-spotlight-webkit-use-after-free-nov-2020.html
New Skimmer JS
https://twitter.com/AffableKraut/status/1333258498910588928
VMWare Workspace Vulnerability
https://www.theregister.com/2020/11/24/vmware_urges_sysadmins_to_implement/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create