SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXIII - Issue #3
January 12, 2021
SolarWinds Update, Egregor Ransomware, and 12 Year Jail Sentence
*****************************************************************************
SANS NewsBites January 12, 2021 Vol. 23, Num. 003
*****************************************************************************
SOLARWINDS AND THE TOP OF THE NEWS
SolarWinds Hires Krebs and Stamos; FBI Investigating JetBrains as Possible Victim
SolarWinds CEO Shares New Information About the Attack
FBI Issues Egregor Ransomware Advisory
Hacker Involved in JP Morgan Chase Data Theft is Sentenced to 12 Years in Prison
THE REST OF THE WEEK'S NEWS
Major Browsers Updated to Fix Hijacking Bugs
UK High Court Says Intelligence Agencies May Not Use Bulk Hacking
Two People Sentenced for Data Theft from UK Roadside Assistance Organization
Bitdefender Releases DarkSide Ransomware Decryption Tool
macOS Cryptomining Malware Variant is Hard to Analyze
Reserve Bank of New Zealand is Investigating a Data Breach
Civil Liberties Groups Ask US Supreme Court to Hear Case Regarding Personal Device Passcodes
Ubiquiti Networks Urges Customers to Change Passwords
INTERNET STORM CENTER TECH CORNER
******************* Sponsored By AWS Marketplace ****************************
Virtual event: Enhance remote workforce security | Dispersed workforces require changes in security parameters and requirements for connecting business-critical resources. In this virtual event, remote workforce security thought leaders, strategists, and technologists will discuss key innovations enabling AWS customers to transform their security for a remote and hybrid workforce.
| http://www.sans.org/info/218630
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
New & Updated Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
- https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/
Upcoming Live Online Events
SANS Stay Sharp - Feb 1-4 CST
1-3 Day Management & Cloud Courses
- https://www.sans.org/event/stay-sharp-management-and-cloud-feb-2021/
SANS Pen Test & Offensive Training - Feb 8-13 CST
14 Courses | Core NetWars | Coin-A-Palooza!
- https://www.sans.org/event/pen-test-and-offensive-training-2021/
Open-Source Intelligence (OSINT) Summit & Training
FREE Summit: Feb 11-12 | Courses: Feb 8-10 & 15-20 EST
- https://www.sans.org/event/osint-summit-2021/
OnDemand Training Special Offer
Get an iPad mini, an ASUS ZenScreen LED Monitor, or take $300 Off with OnDemand training through January 16.
- www.sans.org/specials/north-america/
Blue Team Operations Resources
Cheat Sheets, Papers, Podcasts, and more. View & Download
- https://www.sans.org/blue-team/
*****************************************************************************
SOLARWINDS AND TOP OF THE NEWS
--SolarWinds Hires Krebs and Stamos; FBI Investigating JetBrains as Possible Victim
(January 8, 9, & 11, 2021)
SolarWinds has hired Christopher Krebs, former head of the US Cybersecurity and Infrastructure Security Agency (CISA), and Alex Stamos, former Facebook CISO, to help manage the aftermath of the discovery of the supply-chain attack affecting the SolarWinds Orion management tool. In a related story, the FBI is investigating the possibility that Czech software company JetBrains may have been a victim of the SolarWinds attack as well.
[Editor Comments]
[Neely] Indications are that the JetBrains TeamCity connection was misconfigured rather than compromised, and provided a path into SolarWinds' code repository.
Read more in:
Threatpost: SolarWinds Hires Chris Krebs, Alex Stamos in Wake of Hack
https://threatpost.com/solarwinds-chris-krebs-alex-stamos-hack/162889/
ZDNet: SolarWinds hires Chris Krebs and Alex Stamos as part of security review
https://www.zdnet.com/article/solarwinds-hires-chris-krebs-and-alex-stamos-as-part-of-security-review/
The Register: SolarWinds takes a leaf out of Zoom's book, hires A-Team of Stamos and Krebs to sort out its security woes
https://www.theregister.com/2021/01/11/security_in_brief/
Wired: Security News This Week: The SolarWinds Investigation Ramps Up
https://www.wired.com/story/solarwinds-krebs-nissan-source-code-security-roundup/
--SolarWinds CEO Shares New Information About the Attack
(January 11, 2021)
In a blog post, SolarWinds CEO Sudhakar Ramakrishna writes, "We believe we have found a highly sophisticated and novel malicious code injection source the perpetrators used to insert the SUNBURST malicious code into builds of our Orion Platform software." Ramakrishna adds that they are sharing the information because "we believe that sharing this information openly will help the industry guard against similar attacks in the future and create safer environments for customers."
[Editor Comments]
[Pescatore] The SolarWinds timeline shows that the initial intrusion happened in September 2019 and went undetected by SolarWinds until they were notified externally in December 2020 that their software was compromised. That time-to-detect is more typical of small companies, not $1B annual revenue/turnover high-tech companies. The repeated use of the term "highly sophisticated and novel" malware in the CEO's post is likely recommended by legal counsel but this kind of verbiage always seems to indicate the victim was only anticipating rudimentary, non-persistent and well-known threats.
Read more in:
OrangeMatter: New Findings From Our Investigation of SUNBURST
https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/
Cyberscoop: SolarWinds details stealthy code used to launch hacking campaign
https://www.cyberscoop.com/solarwinds-malicious-code-crowdstrike-russia/
--FBI Issues Egregor Ransomware Advisory
(January 6, 8, & 9, 2021)
The FBI has released a Private Industry Notification (TLP: white) warning of an increased threat to businesses from the Egregor ransomware operators. The notification describes Egregor's ransomware-as-a-service operation model and suggests mitigations organizations can apply.
[Editor Comments]
[Neely] The Egregor operators leverage affiliates to hack into the targeted network to drop the ransomware for a 70/30 revenue split, and publish exfiltrated data on external sites to ensure the ransom is paid. To the mitigations listed by the FBI, add: know where your critical data is housed. Knowing where data is stored allows you to assess the impact of public release as well as recovery alternatives, possibly including paying the ransom.
Read more in:
FBI: Egregor Ransomware Targets Businesses Worldwide, Attempting to Extort Businesses by Publicly Releasing Exfiltrated Data (PDF)
https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
Threatpost: FBI Warns of Egregor Attacks on Businesses Worldwide
https://threatpost.com/fbi-egregor-attacks-businesses-worldwide/162885/
Gov Infosecurity: FBI Issues Alert on Growing Egregor Ransomware Threat
https://www.govinfosecurity.com/fbi-issues-alert-on-growing-egregor-ransomware-threat-a-15733
--Hacker Involved in JP Morgan Chase Data Theft is Sentenced to 12 Years in Prison
(January 7 & 8, 2021)
A US federal judge in New York has sentenced Andrei Tyurin to 12 years in prison for numerous offenses, including computer intrusion, wire fraud, and bank fraud. Tyurin and three accomplices hacked major US financial institutions, brokerages, and other companies. They stole personal information of more than 80 million JP Morgan Chase customers. Tyurin has been in US custody since he was extradited from the country of Georgia in September 2018.
Read more in:
Justice: Russian Hacker Sentenced To 12 Years In Prison For Involvement In Massive Network Intrusions At U.S. Financial Institutions, Brokerage Firms, A Major News Publication, And Other Companies
https://www.justice.gov/usao-sdny/pr/russian-hacker-sentenced-12-years-prison-involvement-massive-network-intrusions-us
Cyberscoop: Russian man sentenced to 12 years in prison for massive JPMorgan data heist
https://www.cyberscoop.com/andrei-tyurin-jp-morgan-hack-sentencing/
******************************* SPONSORED LINKS ********************************
1) Purple Team "Essentials" - Begin purple teaming. Strengthen your defenses against the most used attacker TTPs.
| http://www.sans.org/info/218635
2) Register Now! | January 22nd @ 9:00 AM EST | Join us for the 2021 Cyber Threat Intelligence Summit Solutions Track! Chaired by Robert M. Lee, this virtual event will explore various CTI topics through invited speakers while showcasing current capabilities available today! | 4 CPE Credits
| http://www.sans.org/info/218640
3) Webcast Tomorrow | Network Detection and Response Solutions record all network activity and flag any anomalous behavior to detect threats before they can have a major business impact. Tune in to our upcoming webcast "Beyond Network Detection and Response (NDR)" to dive deeper into NDR. | January 13th @ 3:30 PM EST
| http://www.sans.org/info/218645
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Major Browsers Updated to Fix Hijacking Bugs
(January 6 & 8, 2021)
The developers of the Firefox, Chrome, and Edge browsers are urging users to update to the newest versions to protect their systems from hijacking. Firefox users should update to the most recent version for their channel (Firefox 84.0.2, Firefox for Android 84.1.3, or Firefox ESR 78.6.1) to fix a critical use-after-free vulnerability. Chrome and Edge users should update their browsers to fix an out-of-bounds write vulnerability. The Chrome and Edge updates also address a dozen other security issues.
[Editor Comments]
[Neely] While you may have Chrome & Firefox browsers configured for automatic updates, you will need to push out updates to Firefox ESR. As today is also patch Tuesday, don't lose sight of these updates while evaluating the other updates. Fortunately, the prediction is for a lightweight update from Microsoft this month.
Read more in:
Threatpost: Bugs in Firefox, Chrome, Edge Allow Remote System Hijacking
https://threatpost.com/firefox-chrome-edge-bugs-system-hijacking/162873/
Mozilla: Mozilla Foundation Security Advisory 2021-01: Security Vulnerabilities fixed in Firefox 84.0.2, Firefox for Android 84.1.3, and Firefox ESR 78.6.1
https://www.mozilla.org/en-US/security/advisories/mfsa2021-01/
MSRC: Chromium Security Updates for Microsoft Edge (Chromium-Based)
https://msrc.microsoft.com/update-guide/vulnerability/ADV200002
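Because the release channel and ESR carry different fixed versions (84.0.2 and 78.6.1 respectively, per the Mozilla advisory cited above), a fleet check has to compare each host against the baseline for its own channel rather than against a single number. The script below is an added example written for this item, not code from Mozilla or from the newsletter; it assumes desktop `firefox --version` banners of the form "Mozilla Firefox 84.0.2" or "Mozilla Firefox 78.6.1esr" and uses a constructed inventory in place of real hosts.

```python
import re

# Minimum fixed desktop versions from Mozilla Foundation Security Advisory 2021-01
# (cited on this page). Firefox for Android is excluded: this check parses
# desktop `firefox --version` banners only.
FIXED = {
    "release": (84, 0, 2),
    "esr": (78, 6, 1),
}

# Assumed banner shape, e.g. "Mozilla Firefox 84.0.2" or "Mozilla Firefox 78.6.1esr".
_BANNER_RE = re.compile(r"^Mozilla Firefox (\d+)\.(\d+)(?:\.(\d+))?(esr)?$")


def parse_banner(banner):
    """Return (channel, (major, minor, patch)) or None when the banner is unrecognised.

    None is deliberate: a host that cannot be parsed must be reviewed by hand,
    not silently counted as patched.
    """
    m = _BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch, esr = m.groups()
    channel = "esr" if esr else "release"
    return channel, (int(major), int(minor), int(patch or 0))


def is_patched(banner):
    """True only when the build is at or above the fixed version for its own channel.

    A plain string comparison gets this wrong ("78.6.1esr" vs "84.0.2"), and
    comparing ESR hosts against the release baseline would flag every ESR
    install as unpatched; hence per-channel integer tuples.
    """
    parsed = parse_banner(banner)
    if parsed is None:
        return False
    channel, version = parsed
    return version >= FIXED[channel]


# Constructed inventory (hostname -> banner); these are not real hosts.
SAMPLE_INVENTORY = {
    "ws-01": "Mozilla Firefox 84.0.2",
    "ws-02": "Mozilla Firefox 84.0.1",
    "srv-03": "Mozilla Firefox 78.6.1esr",
    "srv-04": "Mozilla Firefox 78.6.0esr",
    "kiosk-05": "Mozilla Firefox 85.0",
    "lab-06": "bash: firefox: command not found",
}


def hosts_needing_update(inventory):
    """Hostnames whose Firefox is below the fixed version or could not be parsed."""
    return sorted(host for host, banner in inventory.items() if not is_patched(banner))


if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]!r} -> update or review")
```

Feed it the collected banners from your endpoint management tool; unparseable output (no Firefox installed, a renamed binary, a distribution that rewrites the banner) lands in the review list on purpose rather than passing by default.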
--UK High Court Says Intelligence Agencies May Not Use Bulk Hacking
(January 11, 2021)
The UK High Court has ruled that authorities may not use bulk equipment interference warrants, also known as general warrants, to gather information about millions of people at once while conducting surveillance. The practice raises privacy concerns, as sensitive information of innocent people gets captured when authorities cast a broad net. The High Court's ruling strikes down a 2016 ruling by the Investigatory Powers Tribunal, which allowed that a single warrant could be used by the likes of GCHQ, MI5, and MI6 to conduct mass surveillance.
[Editor Comments]
[Neely] The trick here is balancing the scope of the warrant with effective data collection. Much like the ACLU story below, citizens' right to privacy over broad-scope data collection is being challenged. While data collection invariably also contains information out-of-scope, direction is needed on minimization techniques, as well as due process similar to the US FISA and EO 12333 to protect those who have information inadvertently collected.
Read more in:
Infosecurity Magazine: High Court Rules Against Government Bulk Hacking
https://www.infosecurity-magazine.com/news/high-court-rules-against/
The Register: Thou shalt not hack indiscriminately, High Court of England tells Britain's spy agencies
https://www.theregister.com/2021/01/11/equipment_interference_privacy_international_judgment/
--Two People Sentenced for Data Theft from UK Roadside Assistance Organization
(January 11, 2021)
Two people have received suspended sentences for their roles in the theft of data from UK emergency roadside assistance company RAC. Kim Doyle, an RAC employee, sold customer data to William Shaw, who is the director of an accident claims management company. Doyle received an eight-month suspended sentence; Shaw received a two-year suspended sentence.
Read more in:
The Register: Unauthorised RAC staffer harvested customer details then sold them to accident claims management company
https://www.theregister.com/2021/01/11/rac_staffer_unauthorised_computer_access/
IT Pro: Two sentenced under the Computer Misuse Act for data theft
https://www.itpro.co.uk/policy-legislation/computer-misuse-act/358280/two-sentenced-under-the-computer-misuse-act-for-data
--Bitdefender Releases DarkSide Ransomware Decryption Tool
(January 11, 2021)
Romanian security company Bitdefender has released a free decryption tool for victims of the DarkSide ransomware. DarkSide first appeared late last summer; it uses a ransomware-as-a-service operating model.
[Editor Comments]
[Pescatore] First, note the disclaimer by Bitdefender: "We do not encourage you to do this until you made sure that your files can be opened safely and there is no damage to the decrypted files." The best way to be sure your critical files/executables can be opened safely and could not be corrupted by the attacker is to safely back them up in advance and restore from the backup. Ransomware attacks can easily leave encrypted malware files in the place of legitimate files.
[Neely] If you elect to use their tool to recover after the DarkSide ransomware, be sure to follow the guidance on the Bitdefender Labs site (https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool) regarding backup as well as verifying that your system is fully operational before removing any copies of encrypted files. Having a separate differential backup is still the best option for ransomware recovery.
Read more in:
ZDNet: Free decrypter released for victims of Darkside ransomware
https://www.zdnet.com/article/free-decrypter-released-for-victims-of-darkside-ransomware/
Bleeping Computer: DarkSide ransomware decryptor recovers victims' files for free
https://www.bleepingcomputer.com/news/security/darkside-ransomware-decryptor-recovers-victims-files-for-free/
Security Week: Decryptor Released for Ransomware That Allegedly Helped Cybercriminals Make Millions
https://www.securityweek.com/decryptor-released-ransomware-allegedly-helped-cybercriminals-make-millions
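The two editor comments above reduce to one procedure: keep the encrypted copies until the decrypted output has been proven good, and trust a pre-incident backup hash over the decryptor's output wherever one exists. The script below is an added example written for this item, not Bitdefender's tool or anything from its Labs post; it assumes a backup hash manifest (relative path to SHA-256) is available, uses a hypothetical ".locked" suffix for the encrypted copies, and builds a constructed set of sample files in a temporary directory. Each decrypted file is checked against the manifest where an entry exists and otherwise against the file signature its extension implies; only encrypted copies whose decrypted counterpart passed are listed for deletion.

```python
import hashlib
import os
import tempfile

# Well-known file signatures for a few common types; extend for your estate.
MAGIC = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".docx": (b"PK\x03\x04",),
    ".xlsx": (b"PK\x03\x04",),
    ".zip": (b"PK\x03\x04",),
}
# Hypothetical suffix the ransomware appended; substitute the one seen in your incident.
ENCRYPTED_SUFFIX = ".locked"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def magic_ok(path):
    """True/False if the extension has a known signature, None if we cannot judge."""
    sigs = MAGIC.get(os.path.splitext(path)[1].lower())
    if sigs is None:
        return None
    with open(path, "rb") as f:
        head = f.read(16)
    return any(head.startswith(s) for s in sigs)


def verify_decryption(decrypted_dir, backup_manifest):
    """Classify each decrypted file: ok, hash_mismatch, bad_magic or unverified.

    backup_manifest maps relative path -> sha256 taken from a pre-incident backup;
    a match is the only proof that content (executables above all) is what it was
    before the intrusion. Without a manifest entry, fall back to the signature
    check, which catches truncation and garbage but not a swapped binary.
    """
    results = {}
    for root, _, files in os.walk(decrypted_dir):
        for name in files:
            if name.endswith(ENCRYPTED_SUFFIX):
                continue  # the encrypted original, kept alongside its decrypted copy
            path = os.path.join(root, name)
            rel = os.path.relpath(path, decrypted_dir)
            if rel in backup_manifest:
                results[rel] = "ok" if sha256_file(path) == backup_manifest[rel] else "hash_mismatch"
                continue
            m = magic_ok(path)
            results[rel] = "ok" if m else ("unverified" if m is None else "bad_magic")
    return results


def removable_encrypted_copies(results):
    """Only encrypted copies whose decrypted counterpart verified may go; keep the rest."""
    return sorted(rel + ENCRYPTED_SUFFIX for rel, status in results.items() if status == "ok")


def _write(path, data):
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario in a temp dir: a sound PDF, a truncated PNG, a binary
    whose hash no longer matches backup, and a text file with nothing to check."""
    d = tempfile.mkdtemp()
    samples = {
        "report.pdf": b"%PDF-1.4\n% constructed sample\n",
        "logo.png": b"\x00\x00not a png",
        "tool.exe": b"MZ tampered after the intrusion",
        "notes.txt": b"plain text, no signature to check",
    }
    for name, data in samples.items():
        _write(os.path.join(d, name), data)
        _write(os.path.join(d, name + ENCRYPTED_SUFFIX), b"\xde\xad\xbe\xef")  # stand-in ciphertext
    manifest = {"tool.exe": hashlib.sha256(b"MZ original from backup").hexdigest()}
    results = verify_decryption(d, manifest)
    return results, removable_encrypted_copies(results)


if __name__ == "__main__":
    results, removable = demo()
    for rel, status in sorted(results.items()):
        print(f"{status:14} {rel}")
    print("safe to delete:", removable)
```

The "unverified" outcome is treated as a failure on purpose: a file type the script cannot judge still keeps its encrypted copy, and an executable that decrypts cleanly but no longer matches the backup hash is exactly the swapped-in file Pescatore warns about.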
--macOS Cryptomining Malware Variant is Hard to Analyze
(January 11, 2021)
A new variant of cryptomining malware targeting macOS computers, known as OSAMiner, is proving difficult to analyze. The malware's "payloads are exported as run-only AppleScript files, which makes decompiling them" complicated. OSAMiner has been around since at least 2015.
[Editor Comments]
[Neely] SentinelLabs has released their AEVT decompiler for others to use. The analysis by SentinelLabs discusses how their Apple Event (AEVT) decompiler works, includes IOCs and hashes, and details the operation of macOS.OSAMiner, which appears to be the Monero RandomX Miner. https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/
Read more in:
Bleeping Computer: Mac malware uses 'run-only' AppleScripts to evade analysis
https://www.bleepingcomputer.com/news/security/mac-malware-uses-run-only-applescripts-to-evade-analysis/
Dark Reading: New Tool Sheds Light on AppleScript-Obfuscated Malware
https://www.darkreading.com/threat-intelligence/new-tool-sheds-light-on-applescript-obfuscated-malware/d/d-id/1339870
--Reserve Bank of New Zealand is Investigating a Data Breach
(January 10, 11, & 12, 2021)
The Reserve Bank of New Zealand is investigating a security breach of a third-party file-sharing service provider. The bank disclosed the incident on Sunday, January 10, noting that "a third party file sharing service used by the Reserve Bank to share and store some sensitive information, has been illegally accessed." The Reserve Bank uses the system to share information outside its organization.
Read more in:
ZDNet: Reserve Bank of New Zealand investigates illegal access of third-party system
https://www.zdnet.com/article/reserve-bank-of-new-zealand-investigates-illegal-access-of-third-party-system/
Bleeping Computer: New Zealand Reserve Bank suffers data breach via hacked storage partner
https://www.bleepingcomputer.com/news/security/new-zealand-reserve-bank-suffers-data-breach-via-hacked-storage-partner/
Security Week: New Zealand Central Bank Hit by Cyber Attack
https://www.securityweek.com/new-zealand-central-bank-hit-cyber-attack
Gov Infosecurity: Reserve Bank of New Zealand Investigates Data Breach
https://www.govinfosecurity.com/reserve-bank-new-zealand-investigates-data-breach-a-15737
--Civil Liberties Groups Ask US Supreme Court to Hear Case Regarding Personal Device Passcodes
(January 8, 2021)
The American Civil Liberties Union (ACLU) is asking the US Supreme Court to hear a case involving the question of whether or not passcodes for privately owned mobile devices are protected under the Fifth Amendment. The ACLU, along with the Electronic Frontier Foundation (EFF), has filed a petition for a writ of certiorari to the Supreme Court in the case of Robert Andrews v. the State of New Jersey. Andrews is a Newark, NJ, sheriff's officer who refused to provide police with passcodes for two iPhones. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Neely] The challenge is one of scope and equivalent access to forensically imaging a desktop. Because mobile devices are strongly encrypted, the passcode is necessary to access any information. The device passcode provides access to all information on the device, as well as possible bypass for applications which use biometric (e.g. fingerprint or facial scan) for access, which may exceed the scope of the warrant. Keep sensitive information off the device and configure services to retain information on-device for the minimum period only.
[Pescatore] Sooner or later, this issue will get addressed by the courts. There is precedent in the US that someone cannot be required to provide the combination to a safe. But, there have also been different rulings around privacy/self-incrimination in work environments and employers can require access to privately-owned devices used by employees for work applications.
Read more in:
Gizmodo: Supreme Court Asked to Consider if Fifth Amendment Protects Passwords
https://gizmodo.com/supreme-court-asked-to-consider-if-fifth-amendment-prot-1846022228
WSJ: Is Your iPhone Passcode Off Limits to the Law? Supreme Court Ruling Sought (paywall)
https://www.wsj.com/articles/can-you-keep-your-iphone-passcode-from-the-law-supreme-court-may-decide-11610130114
ACLU: PETITION FOR A WRIT OF CERTIORARI
https://www.aclu.org/legal-document/petition-writ-certiorari-supreme-court-united-states
--Ubiquiti Networks Urges Customers to Change Passwords
(January 11, 2021)
Ubiquiti Networks has notified customers of a data breach that affected servers containing user profile information for the company's account.ui.com web portal. The site allows customers to manage devices remotely. Ubiquiti encouraged customers to change their passwords.
Read more in:
KrebsOnSecurity: Ubiquiti: Change Your Password, Enable 2FA
https://krebsonsecurity.com/2021/01/ubiquiti-change-your-password-enable-2fa/
ZDNet: Ubiquiti tells customers to change passwords after security breach
https://www.zdnet.com/article/ubiquiti-tells-customers-to-change-passwords-after-security-breach/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Maldoc Strings Analysis
https://isc.sans.edu/forums/diary/Maldoc+Strings+Analysis/26966/
Using the NVD Database API Part 3/3
https://isc.sans.edu/forums/diary/Using+the+NVD+Database+and+API+to+Keep+Up+with+Vulnerabilities+and+Patches+Tool+Drop+CVEScan+Part+3+of+3/26974/
CVSS Reliability Survey
https://user-surveys.cs.fau.de/index.php?r=survey/index&sid=248857
Fake Trump Video Malware
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/
SMS Phishing (Smishing)
https://www.bbc.com/news/business-55563748
dnsrecon Vulnerability
https://www.exploit-db.com/exploits/49394
Sysinternals Update
https://docs.microsoft.com/en-us/sysinternals/
Ubiquiti Breach
https://www.bleepingcomputer.com/news/security/networking-giant-ubiquiti-alerts-customers-of-potential-data-breach/
Run-Only AppleScript Reversing
https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.