SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXIII - Issue #1
January 5, 2021SolarWinds Started Earlier and is Looking Worse Than Previously Thought
*****************************************************************************
SANS NewsBites January 5, 2021 Vol. 23, Num. 001
*****************************************************************************
SOLARWINDS AT THE TOP OF THE NEWS
SolarWinds: Attack May Have Started Earlier and is Looking Worse
SolarWinds: Hackers Accessed Microsoft Source Code
SolarWinds: CISA Updates Guidance - Update SolarWinds Orion Now
THE REST OF THE WEEK'S NEWS
TransLink Ransomware Update: Most Systems are Still Down
Zyxel Releases Fixes for Hardcoded Backdoor
T-Mobile Discloses Fourth Breach in Three Years
FBI: Smart Home Devices are Being Hijacked for Swatting Attacks
Kawasaki Aerospace Company Discloses Breach, Reports of Phony Recruiting eMails
Ticketmaster to Pay $10M Fine for Hacking Competitor
Citrix Offers Feature Enhancement to Block DDoS Amplification Attacks
Bye-bye, Flash
Apex Laboratory Patient Data Stolen
INTERNET STORM CENTER TECH CORNER
*********************** Sponsored By AWS Marketplace **************************
Virtual event: Enhance remote workforce security | Dispersed workforces require changes in security parameters and requirements for connecting business-critical resources. In this virtual event, remote workforce security thought leaders, strategists, and technologists will discuss key innovations enabling AWS customers to transform their security for a remote and hybrid workforce.
| http://www.sans.org/info/218560
*****************************************************************************
SOLARWINDS AT THE TOP OF THE NEWS
--SolarWinds: Attack May Have Started Earlier and is Looking Worse
(December 30, 2020 & January 2 & 4, 2021)
More details about the SolarWinds supply chain attack are coming to light. It is now believed that at least 250 US government agencies and private businesses were affected. US Senator Mark Warner (D-Virginia), who serves as Vice-Chair of the Senate Intelligence Committee said that the attackers may have begun even earlier than March/April 2020. Warner also noted that "if FireEye had not come forward, I'm not sure we would be fully aware of [the attack] to this day."
[Editor Comments]
[Honan] Throughout this whole story kudos have to be given to FireEye for their open and transparent way in dealing with this incident. It is a great example of why sharing and being transparent about incidents helps the overall community at large.
Read more in:
ZDNet: SolarWinds: The more we learn, the worse it looks
https://www.zdnet.com/article/solarwinds-the-more-we-learn-the-worse-it-looks/
The Register: SolarWinds mess that flared in the holidays: Biz confirms malware targeted crocked Orion product
https://www.theregister.com/2021/01/04/solarwinds_malware_confirmed/
NYT: As Understanding of Russian Hacking Grows, So Does Alarm
https://www.nytimes.com/2021/01/02/us/politics/russian-hacking-government.html
The Verge: SolarWinds hack may be much worse than originally feared
https://www.theverge.com/2021/1/2/22210667/solarwinds-hack-worse-government-microsoft-cybersecurity
Reuters: Cyber attack on U.S. government may have started earlier than initially thought - U.S. senator
--SolarWinds: Hackers Accessed Microsoft Source Code
(December 31, 2020 & January 4, 2021)
Microsoft says that the hackers behind the SolarWinds supply chain attack accessed Microsoft source code repositories. Microsoft said that the hackers did not alter the code because the compromised account they used to access the repositories had read-only permission. Microsoft is not concerned that the source code was viewed. In a December 31 blog post, the MSRC Team writes, "We do not rely on the secrecy of source code for the security of products, and our threat models assume that attackers have knowledge of source code. So viewing source code isn't tied to elevation of risk."
[Editor Comments]
[Neely] Kudos to Microsoft for being transparent on the impact of the SolarWinds attack in their environment. Keep source code repositories mostly read-only, audit updates, and use multi-person processes, including security reviews, for promoting code to reduce the likelihood of unauthorized updates or injection of malware.
Read more in:
MSRC Blog: Microsoft Internal Solorigate Investigation Update
https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/
ZDNet: SolarWinds hackers accessed Microsoft source code
https://www.zdnet.com/article/solarwinds-hackers-accessed-microsoft-source-code/
Duo: SolarWinds Attackers Accessed, But Did Not Modify, Microsoft Source Code
https://duo.com/decipher/solarwinds-attackers-accessed-but-did-not-modify-microsoft-source-code
--SolarWinds: CISA Updates Guidance - Update SolarWinds Orion Now
(December 26, 29, 30, & 31, 2020 & January 4, 2021)
The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its guidance regarding the SolarWinds supply chain attack. The update comes in response to the discovery of a new vulnerability in SolarWinds Orion - an authentication bypass flaw in the SolarWinds Orion API. Government agencies were instructed to update their SolarWinds Orion platforms to version 2020.2.1HF2 by the end of 2020. Agencies unable to update by the deadline were instructed to take all their Orion systems offline.
[Editor Comments]
[Neely] SolarWinds has been actively producing updates to mitigate the discovered vulnerabilities used to launch attacks via their Orion software. If you are installing the update, be sure to also follow the guidance on the CERT KB article below to harden your IIS server by installing and configuring the IIS URL Rewrite extension on your Orion polling engines. Given that more is still being learned, it's prudent to investigate alternative solutions.
Read more in:
KB.CERT: SolarWinds Orion API authentication bypass allows remote command execution
https://kb.cert.org/vuls/id/843464
CISA: Emergency Directive 21-01 - Supplemental Guidance v2 - Mitigate SolarWinds Orion Code Compromise
https://cyber.dhs.gov/ed/21-01/#supplemental-guidance
ZDNet: CISA updates SolarWinds guidance, tells US govt agencies to update right away
*****************************************************************************
SANS Holiday Hack Challenge
There's still time left to play the SANS Holiday Hack Challenge from now through January 11 -- even if you only have 15 minutes, you should hop in and see what it's all about. Over 18,000 people have played so far, and the reviews have been wonderful. You can learn how to scan for S3 buckets, clone wireless badges, build regular expression skills, and analyze blockchain information.
"When I have to turn down young job interview candidates and they ask me for pointers on how to get better, I suggest to them to play SANS Holiday Hack Challenge. To me, they are always welcome back in the future." -- @Reedphish
https://holidayhackchallenge.com/2020/
***************************** SPONSORED LINKS *****************************
1) Webcast | Join SANS Senior Instructor, Jake Williams for "How to Stay Ahead of Cyberthreats." This webcast and associated whitepaper reviews Deep Instinct, the deep learning cybersecurity software for zero-time prevention | January 13th @ 1:00 PM ET
| http://www.sans.org/info/218565
2) Product Review | Join SANS Instructor, Matt Bromiley for our upcoming webcast, "Automated Testing Against an Ever-Changing Landscape." Bromiley will review Cymulate Continuous Validation, a highly integrated, customizable platform built to challenge, assess, and optimize the security posture of your organization | January 12th @ 10:30 AM ET
| http://www.sans.org/info/218570
3) Webcast | Tune in for our upcoming webcast, "Security stories from the field: a fireside chat with Barak Engel and Brian Ahern." Engel and Ahern will share real-world stories and lessons learned from their decades of experience in the technology and cybersecurity space | January 12th @ 1:00 PM ET
| http://www.sans.org/info/218575
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--TransLink Ransomware Update: Most Systems are Still Down
(January 4, 2021)
Vancouver, BC, transportation agency TransLink says that as of January 4, most of its IT systems are still unavailable a month after they suffered a ransomware attack. Employees have been receiving pay advances rather than their regular paychecks. TransLink has acknowledged that the ransomware operators also compromised employee data.
[Editor Comments]
[Neely] This is an instance of the Egregor ransomware, which many Maze affiliates switched to when Maze shut down their operation last September. Egregor operations include data exfiltration prior to encryption to support a double-extortion option. They also leverage affiliates to hack into the targeted network to drop the ransomware for a 70/30 revenue split. The pay advances used by TransLink replaces the old model of simply repeating the last payroll during a COOP event as banks will reject a duplicate payroll submission. Make sure that you have verified your COOP plans to pay employees and continue benefits with your service providers and financial institutions.
Read more in:
Bleeping Computer: TransLink confirms ransomware data theft, still restoring systems
Vancouver Sun: Some transit employees tighten belts after payroll hit by TransLink ransomware attack
--Zyxel Releases Fixes for Hardcoded Backdoor
(December 23, 2020 & January 2 & 4, 2021)
Researchers from Eye Control discovered an undocumented user account with administrative rights hardcoded in the firmware of Zyxel firewall and AP controller devices. The account can be accessed via SSH or web interface. Eye Control reported the vulnerability to Zyxel in late November. Zyxel has released updated firmware for affected devices.
Read more in:
Ars Technica: Hackers are exploiting a backdoor built into Zyxel devices. Are you patched?
Security Week: Hardcoded Credentials Expose Zyxel Firewalls and WLAN Controllers to Remote Attacks
Bleeping Computer: Secret backdoor discovered in Zyxel firewalls and AP controllers
ZDNet: Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways
Business Forum: ZLD v4.60 Revoke and WK48 Firmware release
https://businessforum.zyxel.com/discussion/5252/zld-v4-60-revoke-and-wk48-firmware-release
Zyxel: Zyxel security advisory for hardcoded credential vulnerability
https://www.zyxel.com/support/CVE-2020-29583.shtml
EyeControl: Undocumented user account in Zyxel products (CVE-2020-29583)
https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
--T-Mobile Discloses Fourth Breach in Three Years
(January 4, 2021)
T-Mobile has disclosed a data breach that exposed some customers' call-related information. This is the fourth breach T-Mobile has acknowledged in the past three years. T-Mobile did not provide specifics about the attack, except to say its "cybersecurity team recently discovered and shut down malicious, unauthorized access to some" customer proprietary network information (CPNI).
[Editor Comments]
[Neely] The breached information could be used to conduct SMS phishing attacks as it includes customer phone numbers and call records. Beware of spurious texts claiming to be from T-Mobile sending you to non-T-Mobile sites to collect additional identity or account information from consumers.
Read more in:
Cyberscoop: T-Mobile: Breach exposed call information for some customers
https://www.cyberscoop.com/tmobile-data-breach-december-2020/
Threatpost: T-Mobile Faces Yet Another Data Breach
https://threatpost.com/t-mobile-another-data-breach/162703/
ZDNet: T-Mobile discloses its fourth data breach in three years
https://www.zdnet.com/article/t-mobile-discloses-its-fourth-data-breach-in-three-years/
T-Mobile: Notice of Security Incident
https://www.t-mobile.com/responsibility/consumer-info/security-incident
--FBI: Smart Home Devices are Being Hijacked for Swatting Attacks
(December 29, 30, & 31, 2020)
The FBI has released a public service announcement warning that vulnerable smart home security devices are being hijacked by attackers to use in swatting attacks. By hijacking devices with voice and camera features, the attackers can watch the arrival of law enforcement teams and interact with them. The FBI's announcement urges people "to use complex, unique passwords and enable two-factor authentication to help protect against "swatting" attacks."
[Editor Comments]
[Neely] This attack leverages password re-use. Use different passwords for smart home device services. Enable multi-factor authentication where available. As the attackers are leveraging stolen email account credentials, don't select email processes for second-factor authentication; choose option such as TOTP, aka mobile authenticator app, or SMS.
Read more in:
IC3: Recent Swatting Attacks Targeting Residents With Camera and Voice-Capable Smart Devices
https://www.ic3.gov/Media/Y2020/PSA201229
Threatpost: FBI Warn Hackers are Using Hijacked Home Security Devices for 'Swatting'
https://threatpost.com/fbi-warn-home-security-devices-swatting/162678/
Security Week: FBI: Home Surveillance Devices Hacked to Record Swatting Attacks
https://www.securityweek.com/fbi-home-surveillance-devices-hacked-record-swatting-attacks
Gov Infosecurity: FBI Warns Of Swatting Attacks Targeting Smart Home Devices
https://www.govinfosecurity.com/fbi-warns-swatting-attacks-targeting-smart-home-devices-a-15685
--Kawasaki Aerospace Company Discloses Breach, Reports of Phony Recruiting eMails
(December 29, 2020)
Japanese aerospace company Kawasaki Heavy Industries has disclosed that its network was hit by a data breach in June 2020. Kawasaki says that intruders may have accessed customer data. Separately, Kawasaki has warned that it has received reports of phony emails pretending to be from recruiters from Kawasaki heavy Industries Group in the US.
Read more in:
Threatpost: Japanese Aerospace Firm Kawasaki Warns of Data Breach
https://threatpost.com/japanese-aerospace-firm-kawasaki-warns-of-data-breach/162642/
Portswigger: Kawasaki Heavy Industries reports data breach as attackers found with year-long network access
Kawasaki: Notice Regarding Fraudulent Emails Pretending to be Recruiters from Kawasaki Heavy Industries Group
https://global.kawasaki.com/en/info/001.html
--Ticketmaster to Pay $10M Fine for Hacking Competitor
(December 31 & January 4, 2021)
Ticketmaster has agreed to pay a $10 million fine for accessing a competitor's computer systems without authorization. A Ticketmaster employee who formerly worked at the rival company retained access credentials, which were used to snoop on that company's activity with the intent of stealing business.
[Editor Comments]
[Neely] Deleting or disabling accounts for former employees has to be done immediately, particularly for privileged accounts. Include privileged accounts within applications, services and OS. User behavior analytics tools can help monitor for this type of activity as well as help detect insider threats.
[Pescatore] There are large ethical issues around this one (this DoJ action appears to stem from a $110 million anti-trust action settlement by Ticketmaster in response to legal action by Songkick). The cybersecurity lessons: (1) detect hidden backdoors and undocumented URLs in your software and services before they are used against you; and (2) have automated and frequently audited processes to remove access when employees leave the company.
Read more in:
Ars Technica: Ticketmaster admits it hacked rival company before it went out of business
Threatpost: Ticketmaster Coughs Up $10 Million Fine After Hacking Rival Business
https://threatpost.com/ticketmaster-10-million-fine-hacking-rival/162695/
ZDNet: Ticketmaster fined $10 million after staff hacked competitor to 'choke off' presale ticket business
Bleeping Computer: Ticketmaster fined $10 million for breaking into rival's systems
Cyberscoop: Ticketmaster pays $10M fine to settle charges of using stolen passwords to spy on rival company
https://www.cyberscoop.com/tickemaster-fined-10-million/
Justice: Ticketmaster Pays $10 Million Criminal Fine for Intrusions into Competitor's Computer Systems
--Citrix Offers Feature Enhancement to Block DDoS Amplification Attacks
(January 4, 2021)
Citrix has released an enhancement to prevent the Datagram Transport Layer Security (DTLS) feature in its ADC and Gateway devices from being used to amplify distributed denial-of-service (DDoS) attacks. Reports emerged last month about attacks taking advantage of vulnerable devices.
Read more in:
Bleeping Computer: Citrix adds NetScaler ADC setting to block recent DDoS attacks
Citrix: Threat Advisory - DTLS Amplification Distributed Denial of Service Attack on Citrix ADC and Citrix Gateway
support.citrix.com/article/CTX289674
--Bye-bye, Flash
(December 30 & 31, 2020 & January 5, 2021)
Adobe Flash Player reached end-of-life status as of January 1, 2021. Windows users have begun receiving alerts from Adobe urging them to uninstall Flash. Adobe will block Flash from running as of January 12, 2021. Chrome 88 and Firefox 85, both scheduled for release this month, will remove support for Flash. Microsoft plans to release an update for Windows 10 that will permanently remove Flash. An optional Windows 10 update, released in October 2020, removes Flash Player that was installed by Windows in Internet Explorer, Edge, and Chrome; users who installed Flash Player manually can remove it using Adobe's uninstall instructions.
[Editor Comments]
[Neely] Monitor for Flash use to discover any remaining processes or services which still rely on it. If you must create an environment which will still run Flash after January 12, isolate that environment carefully as you will need to run older browser and plugin versions which have not disabled Flash and will also contain unpatched vulnerabilities. Deploy your Flash uninstall scripts for the rest of your environment this month and monitor for unauthorized re-introduction.
Read more in:
ZDNet: Adobe Flash: It's finally over (well, almost)
https://www.zdnet.com/article/adobe-flash-its-finally-over-well-almost/
Bleeping Computer: Adobe Flash Player is officially dead tomorrow
https://www.bleepingcomputer.com/news/security/adobe-flash-player-is-officially-dead-tomorrow/
Bleeping Computer: Adobe now shows alerts in Windows 10 to uninstall Flash Player
Adobe: Uninstall Flash Player | Windows
https://helpx.adobe.com/flash-player/kb/uninstall-flash-player-windows.html
--Apex Laboratory Patient Data Stolen
(December 31, 2020 & January 4, 2021)
New York-based medical testing company Apex Laboratory has disclosed that the operators responsible for a July 2020 ransomware attack against the company's network stole patient data. The compromised information includes patient names, dates of birth, test results, and in some cases, Social Security numbers.
[Editor Comments]
[Pescatore] A good reminder that if an attacker encrypted sensitive data, a breach has occurred - it is not just a denial of service event. HIPAA was the first compliance regime to make this distinction; most have moved in that direction.
Read more in:
Security Week: Apex Laboratory Says Patient Data Stolen in Ransomware Attack
https://www.securityweek.com/apex-laboratory-says-patient-data-stolen-ransomware-attack
Apex Lab Inc: Notice of Data Event
https://www.apexlabinc.com/notification/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Traffic Analysis Quiz
https://isc.sans.edu/forums/diary/End+of+Year+Traffic+Analysis+Quiz/26940/
From a Small BAT File to Mass Logger Infostealer
https://isc.sans.edu/forums/diary/From+a+small+BAT+file+to+Mass+Logger+infostealer/26946/
Accessing Restricted Directory Listings via Your AV Solution
Zyxel Backdoor
https://www.eyecontrol.nl/blog/undocumented-user-account-in-zyxel-products.html
Citrix Releases Updates Addressing DTLS Flaw
https://support.citrix.com/article/CTX289674
Microsoft Source Code Accessed As a Result of SolarWinds Backdoor
https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/
Zend Framework Deserialization Flaw
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3007
https://github.com/Ling-Yizhou/zendframework3-/blob/main/zend%20framework3%20????%20rce.md
Coin Miner Malware Written in Go
AutoHotKey Credential Stealer
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.