SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #97
December 11, 2020
Red Team Tools Stolen From FireEye; EU COVID-19 Cyberattack and more Healthcare Breaches
****************************************************************************
On December 17, 2020, SANS Institute will celebrate the winners of the SANS 2020 Difference Makers Awards in an online ceremony. Join us as we give well-deserved recognition to the most dedicated and innovative "People Who Made a Difference in Security in 2020." You can see the full list of 2020 Difference Makers at https://www.sans.org/cyber-innovation-awards and register to attend the ceremony and learn details about their innovative contributions here: https://www.sans.org/webcasts/117154.
****************************************************************************
Look what the 10,000 people playing Holiday Hack Challenge are saying today:
I love that Holiday Hack is designed to teach both fundamental and current hands-on skills. It starts at an easy level so I don't get blown away at the start, and then gradually increases difficulty to advanced skills. It's the most professional CTF I've ever seen. (It's addictive as ****, so watch out!) - John York, retired ISO Blue Ridge Community College, Cyber Sec instructor Shenandoah Valley Governor's School
It's free as a holiday gift to you! Join anytime for free, play along until January 4: https://holidayhackchallenge.com
****************************************************************************
SANS NewsBites December 11, 2020 Vol. 22, Num. 097
****************************************************************************
THE TOP OF THE NEWS
FireEye Discloses Theft of Red Team Tools
EU Medicines Agency Hit with COVID-19-related Cyberattack
Healthcare Breach Roundup: GBMC, Georgia Dentistry Practice, Tufts Health Plan
*************************** Sponsored By AWS Marketplace ************************************
SANS Book: Practical Guide to Security in the AWS Cloud | AWS Marketplace would like to present you with a digital copy of the new book, Practical Guide to Security in the AWS Cloud, by the SANS Institute. This complimentary book is a collection of knowledge from 18 contributing authors, who share their tactics, techniques, and procedures for securely operating in the cloud. Download Now: | http://www.sans.org/info/218430
****************************************************************************
RANSOMWARE AND THE REST OF THE WEEK'S NEWS
Foxconn Discloses Ransomware Attack
Payment Processor TSYS Suffers Ransomware Attack
Microsoft December Patch Tuesday
Amnesia:33 Vulnerabilities Affect Multiple TCP/IP Libraries
Adobe's December Patch Tuesday Includes Last Update for Flash
CISA Warns of Vulnerabilities in Certain GE Healthcare Devices
Vulnerabilities in PageLayer WP Plugin
South Korea Ends Government Digital Certificate Authority That Relied on ActiveX
Another Mirai Suspect Pleads Guilty
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
OnDemand and Live Online Training Special Offer
Best Offers of the Year! Get an 11" iPad Pro w/ Apple Pencil, a Microsoft Surface Go 2 - 128GB SSD, or Take $350 Off with ANY qualifying SANS Training Course through December 16.
- www.sans.org/specials/north-america/
New & Updated Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/cyber-security-courses/cloud-penetration-testing/
MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
- https://www.sans.org/cyber-security-courses/managing-enterprise-cloud-security-vulnerabilities/
SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis
- https://preview.sans.org/cyber-security-courses/open-source-intelligence-gathering/
Upcoming Live Online Events
SANS Stay Sharp: Blue Team Ops 2021 | Jan 18-22 MST
Targeted Short Courses | Cyber Defense NetWars
- https://www.sans.org/event/stay-sharp-blue-team-operations-jan-2021/
Cyber Threat Intelligence Summit & Training
FREE Summit: Jan 21-22 | Courses: Jan 25-30
- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/
SANS Cyber Security West 2021 | Feb 1-6 PST
Cloud Security, Blue Team, DFIR, and More
- https://www.sans.org/event/cyber-security-west-feb-2021/
Cloud Security Resources
Cheat Sheets, Papers, eBooks, and more. View & Download
- https://www.sans.org/cloud-security/
****************************************************************************
TOP OF THE NEWS
--FireEye Discloses Theft of Red Team Tools
(December 8 & 9, 2020)
FireEye has acknowledged that it was attacked by "a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack." The attacker appears to have accessed FireEye Red Team tools, which the company uses to assess the security of customers' systems. FireEye is investigating the incident in cooperation with the FBI, Microsoft, and other key partners.
[Editor Comments]
[Pescatore] FireEye's CEO blog post and press release focus on the sophistication of the threat actors and point to great information for detecting the use of the stolen tools, but offer no lessons learned on what vulnerabilities were exploited or what mistakes FireEye made that enabled the attacks to succeed. Putting that out for public consumption obviously carries risk; I hope FireEye is providing those lessons learned via trusted channels.
[Paller] Security organizations are under constant attack. Once in a while the attacker wins. This happened twice to us at SANS, 23 years ago and in 2020. As John Pescatore notes, (in addition to finding ways to block the specific intrusion vector and to correct systemic flaw(s) it uncovered) security organizations have a unique and important obligation to share the lessons learned, broadly and quickly.
Read more in:
FireEye: FireEye Shares Details of Recent Cyber Attack, Actions to Protect Community
Vice: One of The Biggest Cybersecurity Companies In The World Just Got Hacked
https://www.vice.com/en/article/bvxv4a/fireeye-hacked-steal-hacking-tools
Dark Reading: Nation-State Hackers Breached FireEye, Stole Its Red Team Tools
ZDNet: FireEye, one of the world's largest security firms, discloses security breach
The Register: Cybersecurity giant FireEye says it was hacked by govt-backed spies who stole its crown-jewels hacking tools
https://www.theregister.com/2020/12/09/fireeye_tools_hacked/
Wired: Russia's FireEye Hack Is a Statement, but Not a Catastrophe
https://www.wired.com/story/russia-fireeye-hack-statement-not-catastrophe/
SC Magazine: FireEye hacked, red team tools stolen
Ars Technica: Premiere security firm FireEye says it was breached by nation-state hackers
Threatpost: FireEye Cyberattack Compromises Red-Team Security Tools
https://threatpost.com/fireeye-cyberattack-red-team-security-tools/162056/
Bleeping Computer: FireEye reveals that it was hacked by a nation state APT group
--EU Medicines Agency Hit with COVID-19-related Cyberattack
(December 9 & 10, 2020)
The European Medicines Agency (EMA) is investigating a cyberattack against its network. The organization is in the process of reviewing two COVID-19 vaccines for use in the EU. According to a joint statement from Pfizer and BioNTech, "documents relating to the regulatory submission for Pfizer and BioNTech's COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, [have] been unlawfully accessed."
[Editor Comments]
[Neely] If you're in healthcare, you're already a big target this year, even more so if you're even peripherally associated with COVID-19 vaccine production, authorization or distribution. Companies like Johnson & Johnson, Gilead, Moderna, AstraZeneca, Genexine, Celltrion and Novavax have been targeted. If you haven't verified your security measures, now is a good time to engage a third-party review.
[Pescatore] The entire vaccine supply chain is or will be under attack. Many proactive efforts to harden the cyber side of operations have been launched, but there are too many links in that complex supply chain. One 2020 SANS Difference Makers award winner (volunteer organization CTI League) has been very active in supporting smaller organizations that may not have sufficient skilled resources to reduce risk. https://www.sans.org/cyber-innovation-awards
Read more in:
BioNTech: Statement Regarding Cyber Attack on European Medicines Agency
ZDNet: EU agency in charge of COVID-19 vaccine approval says it was hacked
https://www.zdnet.com/article/eu-agency-in-charge-of-covid-19-vaccine-approval-says-it-was-hacked/
The Register: EU Medicines Agency hacked, BioNTech-Pfizer coronavirus vaccine paperwork stolen, probe launched
https://www.theregister.com/2020/12/09/european_medicines_agency_cyberattack/
Ars Technica: COVID-19 vaccine data has been unlawfully accessed in hack of EU regulator
Bleeping Computer: Pfizer COVID-19 vaccine documents accessed in EMA cyberattack
Health IT Security: Pfizer, BioNTech COVID-19 Vaccine Data Breached in EU Regulator Hack
Cyberscoop: Hackers breach European agency to access BioNTech, Pfizer COVID-19 vaccine files
https://www.cyberscoop.com/hackers-breach-european-medicines-agency-biontech-pfizer/
EMA: Cyberattack on the European Medicines Agency
https://www.ema.europa.eu/en/news/cyberattack-european-medicines-agency
--Healthcare Breach Roundup: GBMC, Georgia Dentistry Practice, Tufts Health Plan
(December 9 & 10, 2020)
As of Wednesday, December 9, GBMC Health was still operating under electronic health record (EHR) downtime procedures following a ransomware attack over the weekend. A Georgia dentistry practice suffered a ransomware attack earlier this year and has recently notified patients. The Tufts Health Plan notified more than 60,000 members that their personal information had been compromised in a security incident at a third-party entity that provides vision benefits.
Read more in:
Health IT Security: Ransomware Attack on Maryland's GBMC Health Spurs EHR Downtime
https://healthitsecurity.com/news/ransomware-attack-on-marylands-gbmc-health-spurs-ehr-downtime
******************************* SPONSORED LINKS ********************************
1) Virtual Event | December 14th-19th EST | Discover the most effective steps to prevent cyber-attacks and detect adversaries with actionable techniques you can apply immediately. Join us for our exciting upcoming event, SANS Cyber Defense Initiative 2020 - Live Online, and receive relevant cyber security training from real-world practitioners. Choose your course and register now! | http://www.sans.org/info/218435
2) Take Back Control. Stop bad things from happening when users click bad links. Get ahead of threats by stopping attacks earlier in the kill chain before they succeed. See how isolating web access eliminates browser exploits, and prevents ransomware, phishing attacks, and credential theft. Watch Implementing Lessons Learned from Threat Patterns on the Endpoint. | http://www.sans.org/info/218440
****************************************************************************
RANSOMWARE AND THE REST OF THE WEEK'S NEWS
--Foxconn Discloses Ransomware Attack
(December 7 & 8, 2020)
Electronics manufacturer Foxconn has acknowledged that the network at a facility in Mexico was hit with ransomware in late November. The ransomware operators also stole data.
Read more in:
Bleeping Computer: Foxconn electronics giant hit by ransomware, $34 million ransom
Threatpost: Apple Manufacturer Foxconn Confirms Cyberattack
https://threatpost.com/foxconn-confirms-cyber-attack/162035/
Reuters: Foxconn says internet connection back to normal after ransomware attacks
--Payment Processor TSYS Suffers Ransomware Attack
(December 10, 2020)
Data stolen from payment processor TSYS has been posted online. The files were stolen during a ransomware attack that affected TSYS's systems earlier this month. TSYS said that the attack affected systems that support "certain corporate back office functions of a legacy TSYS merchant business."
[Editor Comments]
[Neely] The systems compromised are part of Cayan, an in-store physical payment processor, acquired in 2018, which highlights the criticality of securing and merging acquired business systems. Conti operators, who are hosting the stolen data, claim card data was present, while TSYS denies any card data loss. Make sure your cards are set up to alert you for unexpected transactions, particularly card-not-present use.
Read more in:
KrebsOnSecurity: Payment Processing Giant TSYS: Ransomware Incident Immaterial to Company
--Microsoft December Patch Tuesday
(December 8, 2020)
Microsoft's final Patch Tuesday release for 2020 includes fixes for 58 security issues in a variety of products, including Windows, Edge, Office, Exchange Server, and Visual Studio. Nine of the vulnerabilities are deemed critical.
[Editor Comments]
[Neely] While there are only 58 issues this month, other flaws announced this week will require attention. The trick with these updates will be consistent application to remote systems in spite of the December and January holidays. It may be prudent to remind users to leave systems up and reachable by your update service during this patch window.
Read more in:
MSRC: December 2020 Security Updates
https://msrc.microsoft.com/update-guide/releaseNote/2020-Dec
KrebsOnSecurity: Patch Tuesday, Good Riddance 2020 Edition
https://krebsonsecurity.com/2020/12/patch-tuesday-good-riddance-2020-edition/
ZDNet: Microsoft December 2020 Patch Tuesday fixes 58 vulnerabilities
https://www.zdnet.com/article/microsoft-december-2020-patch-tuesday-fixes-58-vulnerabilities/
The Register: Patch Tuesday brings bug fixes for OpenSSL, IBM, SAP, Kubernetes, Adobe, and Red Hat. And Microsoft, of course
https://www.theregister.com/2020/12/08/patch_tuesday_fixes/
SC Magazine: Patch Tuesday fixes 9 critical flaws, but Microsoft Teams vulnerability a bigger concern
--Amnesia:33 Vulnerabilities Affect Multiple TCP/IP Libraries
(December 8, 2020)
Researchers at Forescout have detected a group of vulnerabilities in open source TCP/IP libraries that are used in the firmware of products sold by more than 150 vendors. The vulnerabilities, which have been given the name Amnesia:33, affect the uIP, FNET, picoTCP, and Nut/Net TCP/IP stacks. The flaws could be exploited to execute code remotely, cause denial-of-service conditions, leak information, and conduct DNS cache poisoning attacks.
[Editor Comments]
[Neely] The good news is that these are specific to embedded/IoT devices, not smartphones, computers, servers, etc. The primary mitigation is segmentation. Limit access to and from these devices to only services they need to communicate with. At home, put them on your guest wireless segment, and if possible, turn on device isolation.
Read more in:
Forescout: Amnesia:33
https://www.forescout.com/research-labs/amnesia33/
Wired: Critical Flaws in Millions of IoT Devices May Never Get Fixed
https://www.wired.com/story/amnesia33-iot-vulnerabilitiesmay-never-get-fixed/
ZDNet: Amnesia:33 vulnerabilities impact millions of smart and industrial devices
SC Magazine: Amnesia-33 vulnerabilities affect 158 vendors, millions of devices
--Adobe's December Patch Tuesday Includes Last Update for Flash
(December 9, 2020)
Adobe's scheduled patch release for December includes the last ever scheduled update for Flash Player. As of January 12, 2021, Adobe will block Flash content from running. Adobe has also released security updates for Lightroom, Prelude, Experience Manager, and Acrobat and Reader.
[Editor Comments]
[Neely] The January 21st kill switch for Flash was embedded in prior releases; this update simply adds language to remind users that it will no longer run and suggests uninstalling. You should be ready, or in final QA, to pull the trigger on your plan to remove Flash from the enterprise. Major browsers have already shifted to default-disabled delivery of Flash content and are scheduled to remove support for Flash from their codebases throughout December and January. If you must provide a Flash-enabled environment, you will need to support both older browsers and older Flash versions, and make certain they are tightly controlled to limit exposure and access to exploitation of unpatched weaknesses.
Read more in:
Adobe: Recent bulletins and advisories
https://helpx.adobe.com/security.html
ZDNet: Adobe to block Flash content from running on January 12, 2021
https://www.zdnet.com/article/adobe-to-block-flash-content-from-running-on-january-12-2021/
ZDNet: Adobe security update squashes critical vulnerabilities in Lightroom, Prelude
Bleeping Computer: Adobe fixes critical security vulnerabilities in Lightroom, Prelude
--CISA Warns of Vulnerabilities in Certain GE Healthcare Devices
(December 8 & 9, 2020)
The US Cybersecurity and Infrastructure Security Agency (CISA) has published an advisory warning of vulnerabilities in GE Healthcare imaging and ultrasound products. The devices have hardcoded default passwords that are used to conduct maintenance. The passwords are not easily changed and are available on the Internet. Customers are advised to contact GE to change the passwords.
[Editor Comments]
[Neely] In addition to applying updates and changing the default passwords, mitigate the risks by segmenting networks to include specific rules regarding TELNET, REXEC, FTP, and SSH traffic. Require remote access over VPN and permit traffic only for authorized users.
Read more in:
US-CERT CISA: ICS Medical Advisory (ICSMA-20-343-01) | GE Healthcare Imaging and Ultrasound Products
https://us-cert.cisa.gov/ics/advisories/icsma-20-343-01
GE Healthcare: Vulnerability Disclosure regarding Default Passwords in GE Healthcare Products
https://www.gehealthcare.com/en-US/security
Health IT Security: Flaws in GE Radiology Medical Device Authentication Pose Patient Data Risk
Ars Technica: GE puts default password in radiology devices, leaving healthcare networks exposed
Tech Crunch: Researchers say hardcoded passwords in GE medical imaging devices could put patient data at risk
--Vulnerabilities in PageLayer WP Plugin
(December 10, 2020)
An update for the PageLayer WordPress plugin addresses two reflected cross-site scripting vulnerabilities that could be exploited to allow malicious code execution leading to site takeover. The PageLayer plugin is installed on more than 200,000 websites.
[Editor Comments]
[Neely] While exploiting the XSS flaw still involves a WP Admin clicking the malicious link, updating the plugin is the right approach as the injected JavaScript is running in the context of the WP Admin's browser. The fix was released on November 9th. Update to at least version 1.3.8 if you're using this plugin. The paid and free versions of Wordfence include XSS protection that helps prevent exploitation.
[Murray] WordPress plugins continue to introduce vulnerabilities in websites. Use them only by design and intent; monitor and patch zealously.
Read more in:
WordFence: Reflected XSS in PageLayer Plugin Affects Over 200,000 WordPress Sites
--South Korea Ends Government Digital Certificate Authority That Relied on ActiveX
(December 10, 2020)
South Korea's government has made good on its promise to get rid of a government-run digital certificate service that depends on Microsoft's ActiveX technology. The change is included in South Korea's new Digital Signature Act, which was passed earlier this year. The majority of the act's provisions took effect on Thursday, December 10, 2020.
Read more in:
The Register: South Korea kills ActiveX-based government digital certificate service
https://www.theregister.com/2020/12/10/south_korea_activex_certs_dead/
The Investor: New era for online ID certifications opens
https://www.theinvestor.co.kr/view.php?ud=20201209000864
LOC: South Korea: New Digital Signature Act to Take Effect in December 2020
--Another Mirai Suspect Pleads Guilty
(December 9 & 10, 2020)
A fourth individual has pleaded guilty to charges stemming from their role in the operation of the Mirai botnet, which caused major Internet disruptions in autumn 2016. The attack at the center of this case targeted the Sony PlayStation Network platform; it also affected the Dyn Domain Name System (DNS) provider. Sentencing is scheduled for January 7, 2021. Three other individuals have already pleaded guilty in the case.
Read more in:
Bleeping Computer: Teen who shook the Internet in 2016 pleads guilty to DDoS attacks
Cyberscoop: Suspect in case of Mirai botnet, which knocked major sites offline in 2016, pleads guilty
https://www.cyberscoop.com/mirai-botnet-dyn-suspect-guilty/
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Tuesday
Adobe Patch Tuesday
https://helpx.adobe.com/security.html
OpenSSL Patch (Tuesday)
https://www.openssl.org/news/secadv/20201208.txt
Python Backdoor Talking to a C2 Through Ngrok
https://isc.sans.edu/forums/diary/Python+Backdoor+Talking+to+a+C2+Through+Ngrok/26866/
SANS Holiday Hack Challenge
https://holidayhackchallenge.com/2020/
Oblivious DoH
https://blog.cloudflare.com/oblivious-dns/
HTTP Archive Almanac
https://almanac.httparchive.org/en/2020/security
Open Source IoT TCP/IP Stack Vulnerabilities
FireEye Red Team Tool Signatures
Cisco Releases Improved Patch for Jabber Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-ZktzjpgO
https://watchcom.no/nyheter/nyhetsarkiv/uncovers-cisco-jabber-vulnerabilities/
Karim Lalji: Fear of the Unknown: A Metanalysis of Insecure Object Deserialization Vulnerabilities
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create