SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #98
December 15, 2020
SolarWinds impact broader than first thought: Emergency national webcast
FLASH: SolarWinds Emergency National Webcast: https://sansurl.com/solarwinds
If you were not one of the 17,000 security professionals who attended last night's national webcast on SolarWinds, the breadth and depth of the attack, and the model it offers for future attacks, make the webcast well worth your time. The archive version is now free and available to all cybersecurity professionals, not just SANS alumni or NewsBites readers. It covers:
- Latest information and the mechanics of the attack.
- Known detection mechanisms, including IOCs.
- Impact to organizations
Webcast Archive: https://sansurl.com/solarwinds
****************************************************************************
SANS NewsBites December 15, 2020 Vol. 22, Num. 098
****************************************************************************
THE TOP OF THE NEWS
SolarWinds: What is Known So Far
SolarWinds: CISA Order and Mitigations
SolarWinds: SEC Filing
SolarWinds: Who is Affected?
THE REST OF THE WEEK'S NEWS
Prison for Disgruntled Former Cisco Employee
Fix is Available for Vulnerability in Easy WP SMTP WordPress Plugin
Fixes Available for PoS Terminal Vulnerabilities
Google Services Affected by Authentication System Outage
Norwegian Cruise Line Hit with Cyberattack
US CISA-CERT Warns of Vulnerabilities Affecting Medtronic MyCareLink Devices
US Federal Trade Commission is Looking Into Social Media Company Privacy
INTERNET STORM CENTER TECH CORNER
************************* Sponsored By Lookout **********************************
The world's first mobile Endpoint Detection and Response | Today's cyberattackers utilize sophisticated methods over many days or weeks to execute a data breach. Organizations must adapt to keep their sensitive data safe. Aaron Cockerill, Chief Strategy Officer at Lookout discusses how businesses are now able to conduct their own threat hunting. Listen now.
| http://www.sans.org/info/218450
****************************************************************************
CYBERSECURITY TRAINING UPDATE
OnDemand and Live Online Training Special Offer
Best Offers of the Year! Get an 11" iPad Pro w/ Apple Pencil, a Microsoft Surface Go 2 - 128GB SSD, or Take $350 Off with ANY qualifying SANS Training Course through December 16.
- www.sans.org/specials/north-america/
New & Updated Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/cyber-security-courses/cloud-penetration-testing/
MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
- https://www.sans.org/cyber-security-courses/managing-enterprise-cloud-security-vulnerabilities/
SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis
- https://preview.sans.org/cyber-security-courses/open-source-intelligence-gathering/
Upcoming Live Online Events
SANS Stay Sharp: Blue Team Ops 2021 - Jan 18-22 MST
Targeted Short Courses | Cyber Defense NetWars
- https://www.sans.org/event/stay-sharp-blue-team-operations-jan-2021/
Cyber Threat Intelligence Summit & Training EST
FREE Summit: Jan 21-22 | Courses: Jan 25-30
- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/
SANS Cyber Security West 2021 - Feb 1-6 PST
Cloud Security, Blue Team, DFIR, and More
- https://www.sans.org/event/cyber-security-west-feb-2021/
Cloud Security Resources
Cheat Sheets, Papers, eBooks, and more. View & Download
- https://www.sans.org/cloud-security/
****************************************************************************
TOP OF THE NEWS
--SolarWinds: What is Known So Far
(December 13 & 14, 2020)
Hackers believed to be part of a Russian advanced persistent threat (APT) group managed to infiltrate the SolarWinds software update system and "trojanize" updates sent to customers. The backdoor installed on infected networks waited up to two weeks before contacting command and control systems, which helped the intruders evade detection. FireEye, which was one of the companies targeted, noted that the operation's tactics included "some of the best operational security." The threat actors were operating from March until this past weekend, which gave them ample opportunity for information gathering. It will take a while to get a picture of what information the attackers harvested and what they left behind inside compromised systems. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Pescatore, Paller, Neely] Jake Williams, a SANS NewsBites editor, and Rob Lee, SANS Curriculum Lead for Forensics and Incident Response, produced an authoritative special webcast last night providing drilldown and advice, available at https://sansurl.com/solarwinds. Another excellent analysis has been published on the SANS Internet Storm Center (https://isc.sans.edu/diary/rss/26884). FireEye and Microsoft have put out very detailed information about the attack and the SolarWinds vulnerabilities, including indicators and detection signatures. Beyond shutting down SolarWinds Orion nodes, review IOC information on the FireEye GitHub repo: https://github.com/fireeye/sunburst_countermeasures. If you are using a Network Management System product other than SolarWinds, it's still important to check the configuration and threat model so you would know if that product had been compromised. It is also important to make sure you are checking that all of your suppliers that are/were using SolarWinds are doing the right mitigation and recovery.
[Ullrich] Having your Network Management system compromised is a worst case scenario, and not something that should be brushed off with a "We are not important enough to be hit". The options for an attacker are endless, and we have probably not seen most of it yet. PLEASE rebuild affected SolarWinds Orion installs from scratch. Do not just "patch and move on". It is painful to rebuild, but incident response is harder. Change passwords stored in SolarWinds while you are at it (and it isn't easy to find them all). Finally, take published indicators of compromise as a "good start" but don't assume they are complete.
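The two editor points above (sweep for published IOCs, but treat the list as a starting point and look back far enough to catch a backdoor that stayed dormant before its first C2 contact) as a small, added example. This is not SolarWinds, FireEye or SANS code; every hash, domain, file and DNS log line in it is constructed for the demo, and the DNS log format is an assumed "date time client query name" layout. In a real sweep, load the hashes and domains from the published lists (the FireEye repository linked above) and add your own findings to the local suspect set as the investigation progresses.

```python
"""IOC sweep helper: file-hash matching plus DNS-log domain matching.

Added example for this NewsBites item; not SolarWinds, FireEye or SANS code.
Every indicator value below is CONSTRUCTED. Replace IOC_SHA256 / IOC_DOMAINS
with the published lists and keep your own discoveries in LOCAL_SUSPECTS.
"""
import hashlib
import re
from datetime import datetime, timedelta

# Constructed stand-in for a trojanized component; only its hash matters here.
BAD_COMPONENT = b"constructed trojanized component bytes"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed indicator set (in practice loaded from the published IOC lists).
IOC_SHA256 = {sha256_hex(BAD_COMPONENT)}
IOC_DOMAINS = {"c2.example.invalid"}          # .invalid is never a real TLD
# Published indicators are a "good start", not a complete list: anything you
# find locally goes here and is matched alongside them.
LOCAL_SUSPECTS = {"stage2.example.invalid"}


def match_file_hashes(files: dict, ioc_hashes: set) -> list:
    """files maps path -> bytes. Returns (path, sha256) for every IOC hash hit."""
    hits = []
    for path, data in files.items():
        digest = sha256_hex(data)
        if digest in ioc_hashes:
            hits.append((path, digest))
    return hits


# Assumed log layout: "YYYY-MM-DD HH:MM:SS <client> query <qname>"
DNS_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<client>\S+) query (?P<qname>\S+)$")


def domain_matches(qname: str, domains: set) -> bool:
    """True when qname is an indicator domain or any subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == d or q.endswith("." + d) for d in domains)


def match_dns_log(lines, domains, now, lookback_days=120):
    """Return (client, qname, timestamp) for in-window queries to indicator domains.

    The default lookback is deliberately long: the backdoor waited before its
    first C2 contact and the campaign ran from March, so a two-week window
    would miss the earliest beacons."""
    cutoff = now - timedelta(days=lookback_days)
    hits = []
    for raw in lines:
        m = DNS_LINE.match(raw.strip())
        if not m:
            continue                      # unparsable line: skip, do not crash
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if ts >= cutoff and domain_matches(m["qname"], domains):
            hits.append((m["client"], m["qname"], m["ts"]))
    return hits


# Constructed sample inventory and DNS log.
FILES = {
    "orion/Benign.dll": b"unchanged vendor component",
    "orion/Suspect.dll": BAD_COMPONENT,
}
DNS_LOG = """\
2020-12-01 03:12:44 10.20.30.40 query time.example.com.
2020-11-20 02:02:09 10.20.30.41 query k3p9x.c2.example.invalid.
2020-12-13 22:15:01 10.20.30.42 query www.example.com.
2020-12-10 04:40:33 10.20.30.44 query stage2.example.invalid.
2020-06-01 01:00:00 10.20.30.43 query old.c2.example.invalid.
garbage line that does not parse
"""


def run_sweep(now=datetime(2020, 12, 15), lookback_days=120):
    """Run both checks over the constructed data and return the hits."""
    return {
        "file_hits": match_file_hashes(FILES, IOC_SHA256),
        "dns_hits": match_dns_log(DNS_LOG.splitlines(),
                                  IOC_DOMAINS | LOCAL_SUSPECTS, now, lookback_days),
    }


if __name__ == "__main__":
    for kind, hits in run_sweep().items():
        print(kind, *hits, sep="\n  ")
```

Note the subdomain match: the DNS hit is on a host under the indicator domain, not the bare domain, so exact-string matching would miss it. Running the same sweep with a 14-day lookback drops the November beacon, which is the point of the long default window.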
Read more in:
FireEye: Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor
Washington Post: Russian hack was 'classic espionage' with stealthy, targeted tactics
https://www.washingtonpost.com/technology/2020/12/14/russia-hack-us-government/
WSJ: Suspected Russian Hack Said to Have Gone Undetected for Months (paywall)
Cyberscoop: US investigates suspected cyber-espionage campaign against government agencies dating back months
https://www.cyberscoop.com/russian-hacking-treasury-commerce-fireeye/
Cyberscoop: SolarWinds hack exposes underbelly of supply-chain attacks
https://www.cyberscoop.com/solarwinds-supply-chain-treasury-commerce-espionage/
--SolarWinds: CISA Order and Mitigations
(December 13 & 14, 2020)
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing federal civilian agencies to disconnect from SolarWinds systems. Agencies that use SolarWinds products were required to submit a completion report to CISA by mid-day Monday, December 14. Agencies are also ordered to wait for CISA guidance before applying any fixes from SolarWinds.
[Editor Comments]
[Neely] CISA also requested that agencies with the capability create a forensic memory image prior to shutdown, as well as identify and shut down any threat-actor-created accounts. Agencies are also to block all traffic to and from external hosts where _ANY_ version of SolarWinds Orion was installed.
[Murray] Indicators of compromise are already available; search for them in your network.
Read more in:
Cyber DHS: Emergency Directive 21-01 | Mitigate SolarWinds Orion Code Compromise
https://cyber.dhs.gov/ed/21-01/
SC Magazine: 'Disconnect or power down': After high profile hacks hit federal agencies, CISA demands drastic SolarWinds mitigation
FCW: Hack at Treasury and Commerce spurs emergency order from CISA
https://fcw.com/articles/2020/12/14/solar-winds-hack-treasury-ntia.aspx
The Hill: US cybersecurity agency issues emergency directive following government hacks
--SolarWinds: SEC Filing
(December 14, 2020)
In a filing with the US Securities and Exchange Commission (SEC) regarding the compromise of its software update system, Austin, Texas-based SolarWinds said it "has evidence that the vulnerability was inserted within the Orion products and existed in updates released between March and June 2020." The company notified 33,000 customers of the compromise and noted that it "believes the actual number of customers that may have had an installation of the Orion products that contained this vulnerability to be fewer than 18,000."
Read more in:
Cloudfront: Securities and Exchange Commission | Form 8-K (PDF)
https://d18rn0p25nwr6d.cloudfront.net/CIK-0001739942/57108215-4458-4dd8-a5bf-55bd5e34d451.pdf
ZDNet: SEC filings: SolarWinds says 18,000 customers were impacted by recent hack
Ars Technica: ~18,000 organizations downloaded backdoor planted by Cozy Bear hackers
Dark Reading: 18,000 Organizations Possibly Compromised in Massive Supply-Chain Cyberattack
The Register: SolarWinds: Hey, only as many as 18,000 customers installed backdoored software linked to US govt hacks
https://www.theregister.com/2020/12/15/solar_winds_update/
The Register: US Treasury, Dept of Commerce hacks linked to SolarWinds IT monitoring software supply-chain attack
https://www.theregister.com/2020/12/14/solarwinds_fireeye_cozybear_us_government/
--SolarWinds: Who is Affected?
(December 14, 2020)
A supply chain attack has leveraged compromise of the SolarWinds software update system to infiltrate systems at numerous organizations around the world, including FireEye and the US Treasury, Commerce, and Homeland Security departments. The Register notes "that SolarWinds' Orion is used widely across the British public sector, ranging from the Home Office and Ministry of Defence through NHS hospitals and trusts, right down to local city councils."
[Editor Comments]
[Neely, Paller] Sadly for them, we are all benefitting from FireEye being an affected customer and not only reporting but also actively sharing information relating to mitigations and recovery. If your network management system (NMS) is _NOT_ SolarWinds, there are a lot of lessons to be learned about securing NMSs, which should be applied to your NMS solution. Examples: make sure that you're not using domain accounts where unneeded, that services can only reach necessary components, including restricting Internet access to only where explicitly needed.
Read more in:
Reuters: Suspected Russian hackers spied on U.S. Treasury emails - sources
Wired: No One Knows How Deep Russia's Hacking Rampage Goes
https://www.wired.com/story/russia-solarwinds-supply-chain-hack-commerce-treasury/
KrebsOnSecurity: U.S. Treasury, Commerce Depts. Hacked Through SolarWinds Compromise
ZDNet: Microsoft, FireEye confirm SolarWinds supply chain attack
https://www.zdnet.com/article/microsoft-fireeye-confirm-solarwinds-supply-chain-attack/
Threatpost: DHS Among Those Hit in Sophisticated Cyberattack by Foreign Adversaries - Report
https://threatpost.com/dhs-sophisticated-cyberattack-foreign-adversaries/162242/
The Register: SolarWinds' 'breached by nation state spies' software is in wide use throughout the British public sector
https://www.theregister.com/2020/12/14/solarwinds_public_sector/
Ars Technica: Russian hackers hit US government using widespread supply chain attack
FedScoop: SolarWinds' federal footprint is large, and compromise is a 'nightmare scenario' for affected agencies
https://www.fedscoop.com/solarwinds-federal-footprint-nightmare/
The Hill: DHS hacked as part of massive cyberattack on federal agencies: report
Duo: Broad Cyber Espionage Campaign Follows Supply Chain Attack on SolarWinds
https://duo.com/decipher/broad-cyber-espionage-campaign-follows-supply-chain-attack-on-solarwinds
***************************** SPONSORED LINKS ******************************
1) SANS Book: Practical Guide to Security in the AWS Cloud | AWS Marketplace would like to present you with a digital copy of the new book, Practical Guide to Security in the AWS Cloud, by the SANS Institute. This complimentary book is a collection of knowledge from 18 contributing authors, who share their tactics, techniques, and procedures for securely operating in the cloud.
| Download Now: http://www.sans.org/info/218455
2) Survey Results | If you took the SANS 2020 Threat Hunting Survey and shared your insights with us about your knowledge and experience working with threat, please join us for our upcoming webcast that reveals the survey results! | December 15 @ 10:30 AM ET
| http://www.sans.org/info/218460
3) Featured Archived Webcast | We have an incredible product review webcast, chaired by SANS Senior Instructor Matt Bromiley. In this webcast, Bromiley reviews DTEX InTERCEPT, a platform that offers holistic visibility and provides unique insight into user behavior.
| http://www.sans.org/info/218465
****************************************************************************
THE REST OF THE WEEK'S NEWS
--Prison for Disgruntled Former Cisco Employee
(December 9, 12, & 14, 2020)
A US district judge in California has sentenced a man to two years in prison for deleting thousands of WebEx accounts. Sudhish Kasaba Ramesh pleaded guilty earlier this year to accessing a protected computer without authorization and recklessly damaging Cisco's network. Ramesh resigned from his position at Cisco in April 2018 after being with the company for 21 months. In September 2018, he accessed Cisco's cloud infrastructure and deleted more than 450 virtual machines hosting the WebEx Teams application, which resulted in the temporary deletion of more than 16,000 WebEx accounts.
[Editor Comments]
[Murray] Do not grant privileges that you cannot revoke upon termination. Prefer hardware-token-based strong authentication for all employees. Consider Privileged Access Management systems.
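An added example of the reconciliation check behind the comment above: compare the HR termination feed against an identity or cloud IAM export and flag access that outlived the employment. This is not Cisco's or SANS's code; the HR feed and the account export are constructed, and a real run would pull them from the HR system and from each identity provider or cloud IAM API. The three checks are independent on purpose: disabling the login alone leaves API keys working, and any credential use after the termination date means the control has already failed.

```python
"""Offboarding reconciliation: find access that survived a termination.

Added example for this item; not Cisco's or SANS's code. All data below is
CONSTRUCTED.
"""
from datetime import date

# Constructed HR feed: username -> last day of employment.
TERMINATIONS = {
    "jdoe": date(2018, 4, 30),
    "asmith": date(2018, 6, 15),
}

# Constructed identity/cloud export. last_used is the most recent credential
# use observed for the account (None if never used).
ACCOUNTS = [
    {"user": "jdoe", "enabled": True, "api_keys": ["key-1"], "last_used": date(2018, 9, 24)},
    {"user": "asmith", "enabled": False, "api_keys": [], "last_used": date(2018, 6, 10)},
    {"user": "bwayne", "enabled": True, "api_keys": ["key-2"], "last_used": date(2018, 9, 30)},
]


def orphaned_access(terminations, accounts, as_of):
    """Return (user, [reasons]) for every terminated user who still has access.

    as_of may be a date or an ISO string; users whose termination date is
    after as_of are still employed for the purposes of the check."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    findings = []
    for acct in accounts:
        term = terminations.get(acct["user"])
        if term is None or term > as_of:
            continue
        reasons = []
        if acct["enabled"]:
            reasons.append("account still enabled")
        if acct["api_keys"]:
            reasons.append("%d API key(s) not revoked" % len(acct["api_keys"]))
        last = acct.get("last_used")
        if last and last > term:
            reasons.append("credential used on %s, after termination on %s" % (last, term))
        if reasons:
            findings.append((acct["user"], reasons))
    return findings


def check(as_of="2018-10-01"):
    """Run the reconciliation over the constructed data."""
    return orphaned_access(TERMINATIONS, ACCOUNTS, as_of)


if __name__ == "__main__":
    for user, reasons in check():
        print(user, "->", "; ".join(reasons))
```

Run this on a schedule rather than once: the "used after termination" reason is the one that should page someone, because by then the other two have already been missed.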
Read more in:
Threatpost: Ex-Cisco Employee Convicted for Deleting 16K Webex Accounts
https://threatpost.com/cisco-employee-convicted-deleting-webex-accounts/162246/
ZDNet: Former Cisco engineer sentenced to prison for deleting 16k Webex accounts
The Register: Rogue ex-Cisco employee who crippled WebEx conferences and cost Cisco millions gets two years in US prison
https://www.theregister.com/2020/12/12/in_brief_security/
Justice: San Jose Man Sentenced To Two Years Imprisonment For Damaging Cisco's Network
--Fix is Available for Vulnerability in Easy WP SMTP WordPress Plugin
(December 11, 2020)
A vulnerability in the Easy WP SMTP WordPress plugin is being actively exploited to reset admin account passwords. The plugin is installed on more than 500,000 WordPress sites. A fix has been available since Monday, December 7; users are urged to update to the most recent version of the plugin, Easy WP SMTP 1.4.4.
[Editor Comments]
[Neely] The attack leverages both enabled directory indexing on the plugin's folder and that the SMTP plugin is used for emailing password reset links, which could then be intercepted and used nefariously. Beyond updating the plugin, disable directory indexing by adding "Options -Indexes" to the .htaccess file in the site's root directory.
[Ullrich] WordPress plugins are a never-ending source of vulnerabilities. Don't just patch them. Uninstall as many of them as you can afford to.
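An added example of what to look for in web-server access logs if you ran this plugin before patching, plus a check that the .htaccess mitigation from the comment above is actually in place. This is not code from the plugin, WordPress or SANS. It assumes Apache/nginx "combined" log lines, the default plugin path /wp-content/plugins/easy-wp-smtp/, and that the leaked reset link is read from some non-code file in that folder (the file name in the sample log is constructed; the item does not name it). WordPress password-reset links land on wp-login.php?action=rp&key=..., which is what the second check keys on.

```python
"""Hunt for the Easy WP SMTP exposure pattern in access logs.

Added example for this item; not plugin, WordPress or SANS code. The log lines
and the file name debug.log are CONSTRUCTED.
"""
import re
from urllib.parse import urlsplit, parse_qs

PLUGIN_DIR = "/wp-content/plugins/easy-wp-smtp/"
CODE_OR_ASSET = (".php", ".js", ".css", ".png", ".jpg", ".gif", ".svg", ".woff")

# Apache/nginx combined log format (assumed).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) ')


def parse(line):
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def is_plugin_exposure(rec):
    """200 for a listing of the plugin folder, or for a non-code file inside it."""
    if rec["method"] != "GET" or rec["status"] != "200":
        return False
    path = urlsplit(rec["target"]).path
    if not path.startswith(PLUGIN_DIR):
        return False
    return path.endswith("/") or not path.lower().endswith(CODE_OR_ASSET)


def is_reset_link_use(rec):
    """GET wp-login.php?action=rp&key=...: someone following a reset link."""
    url = urlsplit(rec["target"])
    if not url.path.endswith("/wp-login.php"):
        return False
    qs = parse_qs(url.query)
    return qs.get("action") == ["rp"] and "key" in qs


def suspicious_clients(lines):
    """IPs that both read the plugin folder and used a reset link."""
    exposed, resets = set(), set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if is_plugin_exposure(rec):
            exposed.add(rec["ip"])
        elif is_reset_link_use(rec):
            resets.add(rec["ip"])
    return sorted(exposed & resets)


def htaccess_disables_indexing(text):
    """True if the final Options state set by this .htaccess has Indexes off.

    Caveats: only effective if AllowOverride permits Options for the directory,
    and it says nothing about listings enabled in a child .htaccess."""
    state = None                    # None: this file does not touch Indexes
    for raw in text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].lower() != "options":
            continue
        opts = [t.lower() for t in tokens[1:]]
        if opts and all(t[0] not in "+-" for t in opts):
            state = "indexes" in opts           # absolute list replaces all
        else:
            for t in opts:
                if t == "+indexes":
                    state = True
                elif t == "-indexes":
                    state = False
    return state is False


# Constructed sample log: one attacker (203.0.113.5), one benign asset fetch,
# one probe that was correctly refused.
SAMPLE_LOG = """\
203.0.113.5 - - [11/Dec/2020:10:01:02 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 200 1834 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Dec/2020:10:01:05 +0000] "POST /wp-login.php?action=lostpassword HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Dec/2020:10:01:09 +0000] "GET /wp-content/plugins/easy-wp-smtp/debug.log HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Dec/2020:10:01:20 +0000] "GET /wp-login.php?action=rp&key=abc123&login=admin HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Dec/2020:10:05:00 +0000] "GET /wp-content/plugins/easy-wp-smtp/easy-wp-smtp.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Dec/2020:11:00:00 +0000] "GET /wp-content/plugins/easy-wp-smtp/ HTTP/1.1" 403 199 "-" "curl/7.64"
"""

if __name__ == "__main__":
    print("suspicious clients:", suspicious_clients(SAMPLE_LOG.splitlines()))
    print("Options -Indexes present:", htaccess_disables_indexing("Options -Indexes\n"))
```

A 403 for the folder listing (the last sample line) is the behaviour you want after adding "Options -Indexes"; a 200 for the folder or for any log or text file under it, followed by a reset-link request from the same address, is the sequence worth treating as a compromised admin account.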
Read more in:
ZDNet: Zero-day in WordPress SMTP plugin abused to reset admin account passwords
WordPress: Easy WP SMTP Changelog
https://wordpress.org/plugins/easy-wp-smtp/#developers
--Fixes Available for PoS Terminal Vulnerabilities
(December 11, 2020)
Manufacturers of two widely-used point-of-sale (PoS) terminals have issued security updates for their products. Researchers found vulnerabilities in Verifone and Ingenico PoS terminals that could be exploited to steal payment card information, clone terminals, and conduct other sorts of financial fraud. The Verifone VX520 and Verifone MX series, and the Ingenico Telium 2 series devices ship with default manufacturer passwords for service modes. The service modes have "undeclared functions" which can be exploited to execute arbitrary code. Ingenico prevents users from changing the default passwords. Both Verifone and Ingenico have released patches.
[Editor Comments]
[Murray] Developers appear to be very reluctant to give up control of their products, even after sale, shipment, and installation. They should learn from Apple how to maintain their products without putting their customers and their reputations at risk.
Read more in:
ZDNet: Update now: Researchers warn of security vulnerabilities in these widely used point-of-sale terminals
Threatpost: Security Issues in PoS Terminals Open Consumers to Fraud
https://threatpost.com/security-issues-pos-terminals-fraud/162210/
--Google Services Affected by Authentication System Outage
(December 14, 2020)
Several Google applications were temporarily unavailable on Monday morning, December 14. The outage was due to an internal storage quota issue with Google's authentication system. The outage affected YouTube, Gmail, and Google Docs. The authentication system outage began about 6:45AM ET; services were restored by 9:00AM ET.
[Editor Comments]
[Neely] The root cause was exceeding a quota on their authentication server. The modern federated authentication services used to support cloud, legacy and hybrid use cases necessitate active monitoring and response, as outages can have an enterprise-wide impact. Even so, consider over-provisioning these services, not only redundant implementations, but also maintaining free storage to handle surges or unexpected events.
[Pescatore] This is a harsh reminder that most service level agreements do not guarantee levels of availability, they just define levels of available service hours per month below which there will be some granting of fee reduction. Google's Cloud Functions Service Level Agreement (SLA), for example, has a 99.5% monthly availability threshold before any recompense. If there were four 1-hour outages of your services in one billing month, you could file for credits equal to the cost of 3 days of service. Doesn't matter if those 4 hours were every Monday during highest usage time or in the wee hours of the morning when business might be minimally impacted. SLAs do not cover business impact - they really just provide guidance on how much backup/redundancy of critical services you need to plan for.
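The arithmetic in the comment above, worked through as an added example (not Google's or SANS's code) so the gap between SLA credit and business impact is explicit. The credit tiers are an assumption modelled on the Google Cloud Functions SLA at the time (no credit at 99.5% and above, then 10%, 25% and 50% of the monthly bill as uptime falls below 99.5%, 99.0% and 95.0%); verify them against the current SLA before using them. A 30-day billing month and a Monday-to-Friday 08:00-18:00 business window are also assumptions.

```python
"""SLA credit versus business impact for a set of outages.

Added example, not Google's or SANS's code. CREDIT_TIERS and BUSINESS_HOURS are
ASSUMPTIONS (see the lead-in); the outage lists are constructed.
"""
from datetime import datetime, timedelta

# (minimum monthly uptime %, credit as % of the monthly bill), best tier first.
CREDIT_TIERS = [(99.5, 0), (99.0, 10), (95.0, 25), (0.0, 50)]
BUSINESS_HOURS = (8, 18)          # local time, Monday to Friday


def availability_pct(downtime_minutes, days_in_month=30):
    total = days_in_month * 24 * 60
    return 100.0 * (total - downtime_minutes) / total


def credit_pct(avail_pct):
    for floor, credit in CREDIT_TIERS:
        if avail_pct >= floor:
            return credit
    return CREDIT_TIERS[-1][1]


def business_minutes_lost(outages):
    """Minutes of outage inside the business window.

    outages: list of (start datetime, duration in minutes)."""
    open_h, close_h = BUSINESS_HOURS
    lost = 0
    for start, minutes in outages:
        t = start
        for _ in range(minutes):
            if t.weekday() < 5 and open_h <= t.hour < close_h:
                lost += 1
            t += timedelta(minutes=1)
    return lost


def compare(outages, days_in_month=30):
    """What the SLA pays back versus what the business actually lost."""
    downtime = sum(m for _, m in outages)
    avail = availability_pct(downtime, days_in_month)
    credit = credit_pct(avail)
    return {
        "downtime_minutes": downtime,
        "availability_pct": round(avail, 3),
        "credit_pct": credit,
        "credit_days": days_in_month * credit / 100.0,   # days of service refunded
        "business_minutes_lost": business_minutes_lost(outages),
    }


# Constructed: four 1-hour outages in December 2020, each on a Monday, one set
# at 09:00 (peak) and the other at 03:00 (off-peak). Same credit either way.
PEAK = [(datetime(2020, 12, d, 9, 0), 60) for d in (7, 14, 21, 28)]
OFF_PEAK = [(datetime(2020, 12, d, 3, 0), 60) for d in (7, 14, 21, 28)]

if __name__ == "__main__":
    for label, outages in (("peak", PEAK), ("off-peak", OFF_PEAK)):
        print(label, compare(outages))
```

Both outage sets come out at 99.444% availability, a 10% credit, and three days of service refunded; only the business_minutes_lost figure (240 versus 0) tells them apart, and that number is the one to size redundancy against.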
Read more in:
Bleeping Computer: Google outage affecting YouTube, Gmail and more
https://www.bleepingcomputer.com/news/google/google-outage-affecting-youtube-gmail-and-more/
SC Magazine: Google outage tied to authentication system outage, not supply chain attacks
The Verge: Gmail, YouTube, Google Docs, and other Google services hit by massive outage
https://www.theverge.com/2020/12/14/22173803/gmail-youtube-google-assistant-docs-down-outage
Google: Gmail - Service Details
https://www.google.com/appsstatus#hl=en&v=issue&sid=1&iid=fb8d75414a47ec5d83d0ae0157083efe
Google: Google Workspace Status Dashboard
https://www.google.com/appsstatus#hl=en&v=status
--Norwegian Cruise Line Hit with Cyberattack
(December 14, 2020)
Norwegian cruise line Hurtigruten has acknowledged that its systems were hit with a cyberattack over the weekend. The incident appears to have affected the company's global infrastructure. Hurtigruten says it was likely ransomware. The website and email systems are down as of Monday, December 14.
Read more in:
Security Week: Norwegian Cruise Company Hurtigruten Hit by Cyberattack
https://www.securityweek.com/norwegian-cruise-company-hurtigruten-hit-cyberattack
Life in Norway: Norway's Hurtigruten Hit By Major IT Hack
https://www.lifeinnorway.net/norways-hurtigruten-hit-by-major-it-hack/
--US CISA-CERT Warns of Vulnerabilities Affecting Medtronic MyCareLink Devices
(December 10 & 14, 2020)
The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of a trio of serious vulnerabilities in some Medtronic MyCareLink medical devices. The flaws could be exploited to modify or fabricate data from certain implanted cardiac devices and to remotely execute code to gain control of cardiac devices paired to vulnerable MCL Smart Patient Reader devices. Medtronic has developed a firmware update to address the flaws.
[Editor Comments]
[Neely] These are home-use devices. Make sure that the mobile app and the mobile device are both kept updated. Further, only connect the Medtronic device to your private home network and only use devices from a known trusted source.
[Murray] While these are serious vulnerabilities, they are relatively low risk. They are difficult to monetize or exploit at scale. Thorough mitigation (patching or replacing) trumps urgent.
Read more in:
US-CERT-CISA: ICS Medical Advisory (ICSMA-20-345-01) | Medtronic MyCareLink Smart
https://us-cert.cisa.gov/ics/advisories/icsma-20-345-01
Health IT Security: DHS CISA Alerts to MedTronic MyCareLink Medical Device Flaws
https://healthitsecurity.com/news/dhs-cisa-alerts-to-medtronic-mycarelink-medical-device-flaws
--US Federal Trade Commission is Looking Into Social Media Company Privacy
(December 14, 2020)
The US Federal Trade Commission (FTC) has sent orders to nine social media and video streaming companies, seeking details about "how [they] use, track, estimate, or derive personal and demographic information; how they determine which ads and other content are shown to consumers; whether they apply algorithms or data analytics to personal information; how they measure, promote, and research user engagement; and how their practices affect children and teens." The companies that received the orders must reply within 45 days.
[Editor Comments]
[Pescatore] The FTC won one of the prestigious "Difference Makers" awards back in 2013 for just this kind of enforcement and the staff there has continued to focus on making sure companies live up to their claims of privacy and safety.
Read more in:
Ars Technica: FTC kicks off sweeping privacy probe of nine major social media firms
FTC: FTC Issues Orders to Nine Social Media and Video Streaming Services Seeking Data About How They Collect, Use, and Present Information
FTC: Order to File a Special Report Sample Letter (PDF)
******************************************************************************
INTERNET STORM CENTER TECH CORNER
SolarWinds Followup
https://sansurl.com/solarwinds
Writing Yara Rules for Fun and Profit: Notes from the FireEye Breach Countermeasures
Flash Player EoL
https://helpx.adobe.com/flash-player/release-note/fp_32_air_32_release_notes.html
Subway Marketing System Hacked to Send TrickBot Malware Emails
Apple Updates Everything
https://support.apple.com/en-us/HT201222
Sophos and Reversing Labs Release 20 Million Malware Samples
https://github.com/sophos-ai/SOREL-20M
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create