SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXIII - Issue #11
February 9, 2021
Hacker Changed Chemical Concentration at Water Treatment Plant; Ransomware Hits Brazilian Utilities; Google Launches Open Source Vulnerability Website
Lab-based cybersecurity training: the bar went up again in 2020.
"NetWars was way more challenging than a real hacking environment. My folks unanimously said it is the best training they ever had. They aren't newbies, so quite a compliment to your product."
- Felecia Vlahos, SDSU
Combine that level of lab-based training with America's highest-rated instructors who are all active practitioners, and you understand why 50,000 of the nation's best cybersecurity professionals rely on SANS training, labs and cyber ranges each year. See https://www.sans.org/cyber-ranges/ for more on lab-based training and ranges.
*****************************************************************************
SANS NewsBites February 9, 2021 Vol. 23, Num. 011
*****************************************************************************
TOP OF THE NEWS
Hacker Tampered With Chemical Processes Controls at Florida Water Treatment Plant
Ransomware Hits Brazilian Utility Companies
Google Launches Open Source Vulnerability Website
THE REST OF THE WEEK'S NEWS
German Authorities Seize Bitcoin Wallet Worth $60M, But Don't Have the Password
SitePoint Data Breach
Google Patches Chrome Zero-day
NextGen Gallery WP Plugin Vulnerabilities Fixed in Update
Stolen Healthcare Data Leaked
NIST Issues Guidance on Protecting Controlled Unclassified Information
FERC Proposed Rulemaking: Cybersecurity Incentives for Electric Companies
Android Barcode Scanner App Got a Malicious Update in December
INTERNET STORM CENTER TECH CORNER
******************** Sponsored By AWS Marketplace ****************************
SANS book: Practical Guide to Security in the AWS Cloud | AWS Marketplace would like to present you with a digital copy of the new book, Practical Guide to Security in the AWS Cloud, by the SANS Institute. This complimentary book is a collection of knowledge from 18 contributing authors, who share their tactics, techniques, and procedures for securely operating in the cloud. Register Now!
| http://www.sans.org/info/218870
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
New & Updated Courses
SEC301: Introduction to Cybersecurity
- https://www.sans.org/cyber-security-courses/introduction-cyber-security/
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/
MGT512: Security Leadership Essentials for Managers
- https://www.sans.org/cyber-security-courses/security-leadership-essentials-managers/
Upcoming Live Online Events
Register early to save up to $300 on Live Online courses.
See event pages for specific offers.
ICS Security Summit & Training
FREE Summit: Mar 4-5 | Courses: Mar 8-13 EST
- https://www.sans.org/event/ics-security-summit-2021/
SANS Stay Sharp - Mar 8-9 EST
2-Day Pen Test & Offensive Ops Courses
- https://www.sans.org/event/stay-sharp-pen-test-march-2021/
SANS Cyber Security West 2021 - Mar 15-20 | PDT
10 Interactive Courses | Core NetWars Tournament
- https://www.sans.org/event/cyber-security-west-march-2021/
OnDemand Training Special Offer
Get an iPad mini, Galaxy Tab S5e, or Take $300 Off with OnDemand training through February 10.
- www.sans.org/specials/north-america/
Offensive Operations Resources
New Cheat Sheets, Slingshot Linux Distro, Posters, and more. View & Download
- https://www.sans.org/offensive-operations/
*****************************************************************************
TOP OF THE NEWS
--Hacker Tampered With Chemical Processes Controls at Florida Water Treatment Plant
(February 8, 2021)
On February 5, a hacker altered the amount of sodium hydroxide (lye) added to the water supply for Oldsmar, Florida, from 100 ppm to 11,100 ppm. "According to the county's sheriff, the hacker gained access via an unnamed remote software program that allows employees to troubleshoot IT problems. The same program also includes some screen-monitoring capabilities. As a result, the operator who first noticed the intrusion initially suspected the remote access belonged to another worker." A plant operator noticed the change and reversed it before the tainted water entered the municipality's water supply. Officials have disabled the remote access system. FBI and Secret Service are investigating.
[Editor Comments]
[Neely] Vendors often offer remote support and monitoring, which helps maintain their systems. That support mechanism needs to be well understood. If you must expose access to monitor and manage an internal service, make sure that it is properly secured, including mandatory multi-factor authentication, regular reviews of which accounts have access, and logs that not only capture activities, but are also forwarded to your SIEM/SOC. Pay particular attention to any accounts which cannot use MFA, and, if possible, don't allow remote access to them. If cellular or other private networks are used, understand what else is on those networks and how the communications are protected.
[Murray] Utility operator convenience must not be allowed to trump security of the utility.
[Honan] Many organisations have remote access solutions in place to enable vendors and staff to work remotely, and in the pandemic this has increased, so now is a good time to review all your remote access solutions to ensure that they are configured in a secure manner and where possible MFA is enabled.
Read more in:
Vice: Hacker Tried to Poison Florida City's Water Supply, Police Say
https://www.vice.com/en/article/88ab33/hacker-poison-florida-water-pinellas-county
Wired: A Hacker Tried to Poison a Florida City's Water Supply, Officials Say
https://www.wired.com/story/oldsmar-florida-water-utility-hack/
Ars Technica: Computer intruder tried to poison Florida city's drinking water with lye
Cyberscoop: Hacker breached Florida water facility to alter sodium hydroxide level, police say
https://www.cyberscoop.com/florida-hacker-water-plant-sodium-hydroxide/
SC Magazine: Security gaps in operational tech exposed with hacker attempt to poison Florida city water
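As an added illustration of the kind of monitoring the editors recommend above (this is example code written for this issue, not something from the articles or the utility), the script below parses constructed OT audit log lines and flags remote sessions without MFA, remote sessions by accounts not on an approved list, and setpoint changes that fall outside a safe operating band or jump by an order of magnitude in one step. The log format, account names and safe band are assumptions; the 100 ppm and 11,100 ppm values are the ones reported for Oldsmar.

```python
"""Flag suspicious remote setpoint changes in constructed OT audit log lines.

Added example, not from SANS NewsBites or any vendor product. The log format
below is hypothetical; real HMI/remote-access products log differently.
"""
import re
from dataclasses import dataclass

# Hypothetical line format (constructed for this example):
# <ts> session=<local|remote> user=<name> mfa=<yes|no> tag=<tag> old=<v> new=<v> unit=<u>
LINE_RE = re.compile(
    r"(?P<ts>\S+) session=(?P<session>\w+) user=(?P<user>\S+) mfa=(?P<mfa>yes|no) "
    r"tag=(?P<tag>\S+) old=(?P<old>[\d.]+) new=(?P<new>[\d.]+) unit=(?P<unit>\S+)$"
)

# Safe operating band per process tag. The band is an assumption; the normal
# pre-incident dose of 100 ppm is the figure reported in the articles.
SAFE_BANDS = {"naoh_dose": (50.0, 200.0)}

# Accounts approved for remote sessions (constructed; a real list comes from
# the periodic access review the editors recommend).
APPROVED_REMOTE = {"ops_oncall", "vendor_support"}

# Any single-step change of this factor or more is flagged even inside the band.
JUMP_FACTOR = 10.0


@dataclass
class Finding:
    ts: str
    user: str
    reason: str


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["old"] = float(ev["old"])
    ev["new"] = float(ev["new"])
    return ev


def analyze(lines):
    """Run the access and process checks over an iterable of log lines."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not trusted
        ts, user, tag = ev["ts"], ev["user"], ev["tag"]
        if ev["session"] == "remote":
            if ev["mfa"] == "no":
                findings.append(Finding(ts, user, "remote session without MFA"))
            if user not in APPROVED_REMOTE:
                findings.append(Finding(ts, user, "remote session by unapproved account"))
        band = SAFE_BANDS.get(tag)
        if band and not (band[0] <= ev["new"] <= band[1]):
            findings.append(Finding(
                ts, user,
                f"{tag} set to {ev['new']:g} {ev['unit']} outside safe band "
                f"{band[0]:g}-{band[1]:g}"))
        if ev["old"] > 0 and ev["new"] / ev["old"] >= JUMP_FACTOR:
            findings.append(Finding(
                ts, user, f"{tag} changed {ev['new'] / ev['old']:.0f}x in one step"))
    return findings


# Constructed sample log: a routine local tweak, the suspicious remote change,
# and the operator reverting it.
SAMPLE_LOG = [
    "2021-02-05T08:00:01Z session=local user=op_day mfa=yes tag=naoh_dose old=100 new=105 unit=ppm",
    "2021-02-05T13:30:12Z session=remote user=shared_remote mfa=no tag=naoh_dose old=100 new=11100 unit=ppm",
    "2021-02-05T13:35:40Z session=local user=op_day mfa=yes tag=naoh_dose old=11100 new=100 unit=ppm",
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.ts} {f.user}: {f.reason}")
```

Only the remote session produces findings (no MFA, unapproved account, out-of-band value, and a 111x jump); the operator's revert is within the band and is not flagged.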
--Ransomware Hits Brazilian Utility Companies
(February 5, 2021)
Networks at two Brazilian utility companies have been hit with ransomware attacks. The ransomware operators stole and leaked data from at least one of the companies; that information includes network access credentials and engineering plans. While both Centrais Eletricas Brasileiras (Eletrobras) and Companhia Paranaense de Energia (Copel) have had to temporarily suspend some administrative operations, the attacks had no impact on the companies' ability to provide power.
Read more in:
Bleeping Computer: Eletrobras, Copel energy companies hit by ransomware attacks
Threatpost: Ransomware Attacks Hit Major Utilities
https://threatpost.com/ransomware-attacks-major-utilities/163687/
--Google Launches Open Source Vulnerability Website
(February 3, 4, & 8, 2021)
Google has launched the Open Source Vulnerabilities website, "a vulnerability database and triage infrastructure for open source projects aimed at helping both open source maintainers and consumers of open source." Google is also starting a conversation about open source project security, proposing "a framework for shifting the discussion around vulnerabilities in open source."
[Editor Comments]
[Murray] This initiative is very important and the Google blog on the subject informative. Neither Open Source nor proprietary development is delivering the reliability or quality that are needed. We must dramatically and urgently improve code quality to shore up our crumbling infrastructure. Both transparency and accountability are necessary and current practices are delivering neither.
[Pescatore] Solid concepts. Back in 2014 when the Heartbleed OpenSSL vulnerabilities were discovered, Google was one of the founding members of the Core Infrastructure Initiative that had similar goals, including a focus on "open source supply chain security." However, that seemed to go dormant around 2016. There seem to be many of these voluntary efforts that lose steam for lack of a continued forcing function. In the food industry, the loss of revenue after signs on restaurants and notices in newspapers that the restaurant was closed due to discovered vermin infestations or potentially poisonous ingredients found seems to result in higher levels of essential restaurant hygiene than restaurant trade association websites.
Read more in:
ZDNet: Google: Our new tool makes open-source security bugs easier to spot
https://www.zdnet.com/article/google-our-new-tool-makes-open-source-security-bugs-easier-to-spot/
OSV.dev: Database for open source vulnerabilities
ZDNet: Open source: Google wants new rules for developers working on 'critical' projects
SC Magazine: Google pitches security standards for 'critical' open-source projects
Google Blog: Know, Prevent, Fix: A framework for shifting the discussion around vulnerabilities in open source
******************************* SPONSORED LINKS ********************************
1) On-Demand Webcast | Did you catch our latest webcast featuring SANS Senior Instructor, Dave Shackleford and AWS Marketplace specialist, Nam Le? You can view "How to Build an Effective Cloud Threat Intelligence Program in the AWS Cloud", On-Demand now!
| http://www.sans.org/info/218875
2) Download Cyral's Complimentary Forrester Report | The Zero Trust eXtended Ecosystem: Data
| http://www.sans.org/info/218880
3) Webcast | February 10th @ 3:30 PM EST: A step-by-step guide to implementing Moving Target Defense in OT Environments. Register Now:
| http://www.sans.org/info/218885
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--German Authorities Seize Bitcoin Wallet Worth $60M, But Don't Have the Password
(February 5, 2021)
Authorities in Germany have seized a bitcoin wallet that contains more than 50 million euros ($60 million) worth of the cryptocurrency, but the owner of the wallet has refused to disclose the password. That individual served more than two years in prison for hijacking other people's computers to mine the bitcoin. If authorities ever manage to gain access to the wallet, the bitcoin will be sold, and the proceeds given to the state treasury.
[Editor Comments]
[Neely] Key escrow is critical with encryption, particularly with valuable assets. Make sure that your enterprise can recover the password for corporate information protected by employees. When using a password vault, make sure that you can also recover the password to that vault, or that it is stored in a known secure location and kept updated.
Read more in:
Reuters: Police seize $60 million of bitcoin! Now, where's the password?
Ars Technica: Cops can't access $60M in seized bitcoin--fraudster won't give password
--SitePoint Data Breach
(February 5, 2021)
Web-development resource website SitePoint has disclosed a 2020 data breach in which the attackers stole a customer database which was eventually leaked online. Compromised information includes names, email addresses, hashed passwords, usernames, and IP addresses. Some SitePoint users say they have received spam that is likely related to the breach.
[Editor Comments]
[Neely] The hack coincided with their promotion of "Hacking for Dummies" by Kevin Beaver. The good news is that these were salted password hashes, making compromise more difficult. If you reused your SitePoint password elsewhere, or have an old account you've not used, change those passwords.
Read more in:
The Register: SitePoint hacked: Hashed, salted passwords pinched from web dev learning site via GitHub tool pwnage
https://www.theregister.com/2021/02/05/sitepoint_hack_supply_chain/
ZDNet: Webdev tutorials site SitePoint discloses data breach
https://www.zdnet.com/article/webdev-tutorials-site-sitepoint-discloses-data-breach/
Bleeping Computer: SitePoint discloses data breach after stolen info used in attacks
--Google Patches Chrome Zero-day
(February 4 & 5, 2021)
Google has fixed a heap overflow memory corruption vulnerability in the V8 JavaScript engine. The flaw is being actively exploited. Users are urged to update to Chrome 88.0.4324.150 for Windows, macOS, and Linux, which was released to the stable channel last week.
[Editor Comments]
[Neely] Make sure that you're updating Chromium-based browsers, as well: Edge, Brave, etc. Note that the Chromium latest version and the latest browser version may not match, e.g., Edge is 88.0.705.63 while Brave is V1.19.92. As there is a published exploit for CVE-2021-21148 in the wild, assume it is being actively exploited.
Read more in:
Threatpost: Google Chrome Zero-Day Afflicts Windows, Mac Users
https://threatpost.com/google-chrome-zero-day-windows-mac/163688/
ZDNet: Google patches an actively exploited Chrome zero-day
https://www.zdnet.com/article/google-patches-an-actively-exploited-chrome-zero-day/
The Register: Chrome zero-day bug that is actively being abused by bad folks affects Edge, Vivaldi, and other Chromium-tinged browsers
https://www.theregister.com/2021/02/05/chrome_zero_day_update/
Google Blog: Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html
--NextGen Gallery WP Plugin Vulnerabilities Fixed in Update
(February 8, 2021)
The publisher of the NextGen Gallery plugin for WordPress has released an updated version to address two cross-site request forgery vulnerabilities. The flaws could be exploited to take control of vulnerable websites. NextGen Gallery has more than 800,000 installations. Users should upgrade to version 3.5.0 or newer.
[Editor Comments]
[Neely] The patched version of the plugin was released December 17th. Even with automatic updates, make sure that your plugins are updated, and remove the unused ones. While the volume and adoption of plugins for WordPress drives warnings at least weekly, you can mitigate much of the risk by enabling auto-updates for plugins, removing unneeded ones, and installing a WAF. If you do install a WAF, make sure that you understand how frequently it's updated to understand your exposure to newly discovered vulnerabilities.
[Murray] The WordPress plugin vulnerability of the week. WordPress plugins are a major source of vulnerability. They come with no representation or assurance of quality. They should be used sparingly, and, where used, actively policed.
Read more in:
Wordfence: Severe Vulnerabilities Patched in NextGen Gallery Affect over 800,000 WordPress Sites
Threatpost: Critical WordPress Plugin Flaw Allows Site Takeover
https://threatpost.com/critical-wordpress-plugin-flaw-site-takeover/163734/
Bleeping Computer: Critical vulnerability fixed in WordPress plugin with 800K installs
--Stolen Healthcare Data Leaked
(February 8, 2021)
Ransomware operators have leaked large quantities of data stolen during attacks against Florida-based Leon Medical Centers and Nocona General Hospital in Texas. The attack against Leon Medical Centers took place in November 2020; it is not clear when data were stolen from Nocona General Hospital.
[Editor Comments]
[Pescatore] Back in July 2016, the US Department of Health and Human Services Office for Civil Rights issued HIPAA guidance that said that all successful ransomware attacks should be considered as reportable security incidents, not just as denial of service attacks. If the attackers encrypted patient health information, they (and not the patient) had control of it ("acquired" it in HIPAA terminology) and thus an unauthorized disclosure had occurred.
Read more in:
SC Magazine: Conti ransomware gang tied to latest attacks on hospitals in Florida and Texas
Health IT Security: Hackers Dump More Health Data, as Feds Share Ransomware Factsheet
https://healthitsecurity.com/news/hackers-dump-more-health-data-as-feds-share-ransomware-factsheet
CISA: Ransomware: What It Is & What To Do About It (PDF)
https://www.cisa.gov/sites/default/files/2021-01/NCIJTF%20Ransomware_Fact_Sheet.pdf
--NIST Issues Guidance on Protecting Controlled Unclassified Information
(February 5, 2021)
The US National Institute of Standards and Technology (NIST) has released SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. The publication offers "recommendations for enhanced security requirements to provide additional protection for Controlled Unclassified Information (CUI) in nonfederal systems and organizations when such information is associated with critical programs or high value assets."
[Editor Comments]
[Neely] NIST SP 800-171 focused on protecting confidentiality; SP 800-172 adds suggested protections for integrity and availability as well as discussion around the value and purpose of each control to aid understanding. These two publications are examples of how to flow down protection requirements for consistent protection of sensitive information. Make sure to leverage a known referenceable standard, as well as a clear definition of your data sensitivity wherever you are having someone else process it, such as cloud, outsourcer, or service bureau. Include this in your contract language. Then verify the controls are in place, not just at inception, but throughout the life of the contract.
Read more in:
FCW: NIST offers tools to defend against nation state cyber threats
https://fcw.com/articles/2021/02/05/nist-cyber-defense-tools-cui.aspx
Fedscoop: New guidelines from NIST on how to avoid cyberattacks from a nation-state
https://www.fedscoop.com/nist-800-172-cybersecurity-guidelines/
CSRC NIST: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (with abstract)
https://csrc.nist.gov/publications/detail/sp/800-172/final
nvlpubs.NIST: Protecting Controlled Unclassified Information | A Supplement to NIST Special Publication 800-171 (PDF)
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-172.pdf
--FERC Proposed Rulemaking: Cybersecurity Incentives for Electric Companies
(February 5 & 8, 2021)
Proposed rulemaking from the Federal Energy Regulatory Commission (FERC) would offer incentives for electric companies to implement cybersecurity improvements that exceed the minimum requirements as established by the National Institute of Standards and Technology (NIST). FERC is accepting comments on the proposal until April 6, 2012.
[Guest Editor: Tim Conway (https://www.sans.org/profiles/tim-conway)] As the FERC looks at potential incentives that could be offered to electric entities, they need to consider what the measuring stick will be to determine adequate achievement of "exceed the minimum requirements as established by the National Institute of Standards and Technology (NIST)". It would be far more appropriate to measure entity implementations that exceed the existing CIP Standards applicable at a particular site based on the determined impact rating of the site. Additionally, entities truly need flexibility in recategorizing expenditures associated with cybersecurity initiatives beyond just the initial CapEx spend to include traditional cybersecurity-related O&M spend; this ability to leverage incentive plan elements to pursue cybersecurity tasks associated with programs focused on asset inventory, configuration validations, ICS network collection and response capabilities, and workforce development opportunities would significantly help the industry. This action alone could have a significant positive impact on the cybersecurity of our nation's critical infrastructure. The concepts of incentivizing additional security controls around moving CIP Low to Med and Med to High treatment will encourage and help fund security improvements at interconnected sites that have by definition a Low impact on the electric system, but have trusted communications paths into higher criticality sites, so they represent the weakest link and will benefit greatly from additional security investments. The concepts around hub and spoke incentives need careful architectural and operations-based engineering review to determine if the benefits outweigh the additional risks in each entity's unique system.
[Pescatore] The proposed rules provide for incentives on two types of 'going beyond the minimum.' The first doesn't make much sense: Incentives for applying security controls for high and medium impact systems to low impact systems. This would kind of be like giving auto manufacturers financial incentives for making coffee cup holders more crash-resistant. The second incentive is kind of a variant on the same theme: a "hub and spoke" incentive if all low impact systems' external connectivity is routed through presumably more secure high impact systems. This could make more sense but could also result in exploitable low impact systems becoming pathways into high impact systems. An example might be a small/low-impact hydropower system with external connectivity for remote monitoring. If compromised, minimal impact - but if financial incentives resulted in that small/low-impact facility being networked to a major dam or water supply system, did overall risk go up or down?
Read more in:
FCW: FERC proposes incentives for electric companies to improve cybersecurity
https://fcw.com/articles/2021/02/08/ferc-bulk-power-cyber-rule.aspx
Federal Register: Cybersecurity Incentives | A Proposed Rule by the Federal Energy Regulatory Commission on 02/05/2021
https://www.federalregister.gov/documents/2021/02/05/2021-01986/cybersecurity-incentives
nvlpubs.NIST: Framework for Improving Critical Infrastructure Cybersecurity - April 2018 (PDF)
https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
--Android Barcode Scanner App Got a Malicious Update in December
(February 8, 2021)
Late last year, Android users began reporting that ads were opening on their default browsers for no detectable reason. Investigation revealed that the source of the ads was a barcode scanning app that had been available in Google Play for years. A December 4, 2020 update to Lavabird Ltd.'s Barcode Scanner appears to have turned the app malicious. Google has removed the app from the store.
[Editor Comments]
[Neely] The update to the app included obfuscated malicious code, rather than a change to the SDK which changed advertisement behavior. While Google has raised the bar on Android applications, a lot of applications have not been reviewed for proper security/behavior. In this case, the app was removed from the Play Store, not Play Protect, so it will not be uninstalled on devices automatically. Even so, allowing only applications from the Play Store or your corporate App Store is best practice. On Android, your MDM can also be used to disable or otherwise block banned or otherwise disallowed applications.
Read more in:
ZDNet: With one update, this malicious Android app hijacked millions of devices
The Register: Barcode scan app amassed millions of downloads before weird update starting popping open webpages...
https://www.theregister.com/2021/02/08/barcode_scan_app_malwarebytes_update/
Malwarebytes: Barcode Scanner app on Google Play infects 10 million users with one update
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
VBA Macro Trying to Alter the Application Menus
https://isc.sans.edu/forums/diary/VBA+Macro+Trying+to+Alter+the+Application+Menus/27068/
Tshark and Malware Analysis
https://isc.sans.edu/forums/diary/Quickie+tshark+Malware+Analysis/27076/
The Great Suspender Going Malicious
https://www.zdnet.com/article/google-kills-the-great-suspender-heres-what-you-should-do-next/
https://github.com/greatsuspender/thegreatsuspender/issues/1263
Barcode Scanner Going Bad
Google Chrome Zero Day
https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html
Plex Media SSDP Amplification DDoS
https://www.netscout.com/blog/asert/plex-media-ssdp-pmssdp-reflectionamplification-ddos-attack
Morse Code Obfuscation
Firefox Update
https://www.mozilla.org/en-US/security/advisories/mfsa2021-06/
Water Treatment Facility Compromised
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.