
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXIII - Issue #5

January 19, 2021

Stolen COVID Data Were Altered Before Leak; FBI Vishing Warning; Apache Vulnerability


This Thursday, Chris Krebs, Fmr. Director, US Cybersecurity and Infrastructure Security Agency (CISA) and Founding Partner of Krebs Stamos Group, will be keynoting the SANS Cyber Threat Intelligence Summit. Chris has a unique vantage point on the role of cyber threat intelligence in a world where disinformation is rampant and confidence in government intelligence services has been impacted as well. The keynote will not be recorded, so plan to attend live at 9:15 a.m. EST (UTC 14:15) Thursday, January 21. Register here: https://www.sans.org/event/cyber-threat-intelligence-summit-2021/


*****************************************************************************

SANS NewsBites               January 19, 2021               Vol. 23, Num. 005

*****************************************************************************

THE TOP OF THE NEWS


  Stolen COVID Data Were Altered Before They Were Leaked

  FBI Warns About Vishing

  Apache Velocity XSS Vulnerability


THE REST OF THE WEEK'S NEWS


  Scottish Environment Protection Agency Suffers Ransomware Attack

  Singapore's Financial Institutions Get Updated Cyber Defense Guidelines

  Multiple Vulnerabilities in FiberHome Routers' Firmware

  Feedback Prompts Bugtraq to Reverse Decision to Shut Down

  Microsoft Zerologon Flaw Enforcement Phase Begins February 9

  OpenWRT Breach

  $5.1M Fine for HIPAA Violation


INTERNET STORM CENTER TECH CORNER

*****************  Sponsored By Security Risk Advisors  **********************


Purple Team "Essentials" is an effective way to begin purple teaming, obtain benchmarks, and strengthen your defenses against the most used attacker TTPs. Security Risk Advisors will help you measure the effectiveness of your defensive tools and track performance over time. SRA is a thought-leader in purple team methodology, represented by the free VECTR(TM) platform.

| http://www.sans.org/info/218690


*****************************************************************************

CYBERSECURITY TRAINING UPDATE

New & Updated Courses

SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/

FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics

- https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/

Upcoming Live Online Events

SANS Stay Sharp - Feb 1-4 CST

1-3 Day Management & Cloud Courses

- https://www.sans.org/event/stay-sharp-management-and-cloud-feb-2021/

SANS Pen Test & Offensive Training - Feb 8-13 CST

14 Courses | Core NetWars | Coin-A-Palooza!

- https://www.sans.org/event/pen-test-and-offensive-training-2021/

Open-Source Intelligence (OSINT) Summit & Training

FREE Summit: Feb 11-12 | Courses: Feb 8-10 & 15-20 EST

- https://www.sans.org/event/osint-summit-2021/

OnDemand Training Special Offer

Get an iPad, a Galaxy Tab A, or take $250 Off with OnDemand training through January 27.

- www.sans.org/specials/north-america/

Blue Team Operations Resources

Cheat Sheets, Papers, Podcasts, and more. View & Download

- https://www.sans.org/blue-team/


*****************************************************************************

TOP OF THE NEWS   

 

--Stolen COVID Data Were Altered Before They Were Leaked

(January 15 & 18, 2021)                                                              

The hackers who stole COVID-19-related data from the European Medicines Agency (EMA) altered it before posting it on the dark web. The data pertain to the BNT162b2 vaccine, which was jointly developed by Pfizer and BioNTech. According to EMA's most recent update on the cyberattack, "some of the correspondence has been manipulated by the perpetrators prior to publication in a way which could undermine trust in vaccines." Amsterdam-based EMA evaluates applications for medicines to be marketed in the European Union.


[Editor Comments]


[Pescatore] The integrity of data has always been the most overlooked element of the Confidentiality Integrity Availability triad, but there have been many attacks over the years (most aimed at stock price manipulation) that modified critical data. At a Cybersecurity Moonshot Initiative stakeholders' workshop back in 2019, we highlighted fighting "deep fakes" and disinformation as top of the priority list - more focus on hardening the information is needed.


[Murray] Think digital signatures, hashes (TripWire), and blockchain.  


[Neely] Beyond encrypting data at rest and in transit, data integrity, particularly for official records, needs to be verifiable to detect tampering. Consider digitally signing official correspondence and records. Just as you check the digital signatures for software updates, the same capabilities need to exist for official information.


Read more in:

Ars Technica: Hackers alter stolen regulatory data to sow mistrust in COVID-19 vaccine

https://arstechnica.com/information-technology/2021/01/hackers-alter-stolen-regulatory-data-to-sow-mistrust-in-covid-19-vaccine/

Bleeping Computer: Hackers leaked altered Pfizer data to sabotage trust in vaccines

https://www.bleepingcomputer.com/news/security/hackers-leaked-altered-pfizer-data-to-sabotage-trust-in-vaccines/

ZDNet: Hackers 'manipulated' stolen COVID-19 vaccine data before leaking it online

https://www.zdnet.com/article/hackers-manipulated-stolen-vaccine-data-before-leaking-it-online/

EMA: Cyberattack on EMA - update 5

https://www.ema.europa.eu/en/news/cyberattack-ema-update-5


 

--FBI Warns About Vishing

(January 14 & 18, 2021)

The FBI has issued a TLP:WHITE Private Industry Notification (PIN) warning that cyber threat actors are using Voice over Internet Protocol (VoIP) platforms to contact employees at companies around the world and try to trick them into visiting a webpage that harvests their personal data. The threat actors have used the account credentials they collect to access companies' networks. The FBI's recommended mitigations include implementing multi-factor authentication, a least-privilege policy, network segmentation, and providing admins with two accounts: one for system changes and another for email, generating reports, and deploying updates.


[Editor Comments]


[Neely] Over the last year, more services were made Internet-accessible to promote frictionless remote work. Often those services were secured only with AD credentials, which allows new attack vectors when accounts are compromised. Add multi-factor authentication to all internet accessible services, and make sure they are monitored for unexpected activity, particularly services used to convey sensitive information such as eMail, Phone, VTC and Chat.


[Murray] That these measures are effective against, not only this attack vector, but many others, is what makes them efficient.  


Read more in:

Bleeping Computer: FBI warns of vishing attacks stealing corporate accounts

https://www.bleepingcomputer.com/news/security/fbi-warns-of-vishing-attacks-stealing-corporate-accounts/

Security Week: FBI Warns of Employee Credential Phishing via Phone, Chat

https://www.securityweek.com/fbi-warns-employee-credential-phishing-phone-chat

Document Cloud: Cyber Criminals Exploit Network Access and Privilege Escalation (PDF)

https://assets.documentcloud.org/documents/20458329/cyber-criminals-exploit-network-access-and-privilege-escalation-bleepingcomputer-210115.pdf

 
 

--Apache Velocity XSS Vulnerability

(January 15, 2021)

Apache was notified of a cross-site scripting vulnerability in its Velocity Java-based template engine in October 2020; a publicly visible fix was posted to GitHub in early November, but Apache Velocity Tools has not yet formally disclosed the issue.


[Editor Comments]


[Neely] This is being tracked as CVE-2020-13959. Don't wait for the disclosure to apply updates to your Apache Velocity tools. Review the ongoing use of Java for application delivery.


Read more in:

Bleeping Computer: Undisclosed Apache Velocity XSS vulnerability impacts GOV sites

https://www.bleepingcomputer.com/news/security/undisclosed-apache-velocity-xss-vulnerability-impacts-gov-sites/


******************************  SPONSORED LINKS  *******************************  

 

1) Webcast | Join SANS Senior Instructor Dave Shackleford and Nam Le from AWS Marketplace for a prerecorded webcast where they'll discuss CTI detection and prevention metrics, finding effective intelligence data feeds and sources, and determining how best to integrate them into security operations functions | February 9th @ 1:00 PM EST

| http://www.sans.org/info/218695


2) Webcast | Join SANS Senior Instructor Dave Shackleford for "Driving a Stake in Advanced Threats (SUNBURST) with the Network", a talk that will use the SUNBURST backdoor exploit as a backdrop, since the majority of the IOCs were network-visible. | January 26th @ 1:00 PM EST

| http://www.sans.org/info/218700


3) Webcast | We invite you to join us for our upcoming webcast, "Slacking on insider threats? Investigative and monitoring approaches to use within Slack to locate bad actors" | January 27th @ 10:30 AM EST

| http://www.sans.org/info/218705


*****************************************************************************

THE REST OF THE WEEK'S NEWS  

 

--Scottish Environment Protection Agency Suffers Ransomware Attack

(January 15 & 18, 2021)

The Scottish Environment Protection Agency (SEPA) has acknowledged that its network was infected with ransomware; the agency says it does not intend to pay the ransomware operators' demand. The attack began in late December 2020. The attackers have reportedly stolen more than 1GB of data. The attack has affected SEPA's "contact centre, internal systems, processes and internal communications." SEPA's critical services, including monitoring and flood forecasting and warning, are operational.


Read more in:

SEPA: Cyber attack

https://www.sepa.org.uk/about-us/cyber-attack/

The Register: Scottish Environment Protection Agency refuses to pay ransomware crooks over 1.2GB of stolen data

https://www.theregister.com/2021/01/18/scottish_environment_protection_agency_refuses_to_pay_ransom/

ZDNet: Ongoing ransomware attack leaves systems badly affected, says Scottish environment agency

https://www.zdnet.com/article/ongoing-ransomware-attack-leaves-systems-badly-affected-says-scottish-environment-agency/

Bleeping Computer: Scotland environmental regulator hit by 'ongoing' ransomware attack

https://www.bleepingcomputer.com/news/security/scotland-environmental-regulator-hit-by-ongoing-ransomware-attack/

BBC: Cyber criminals demand ransom to unlock Sepa systems

https://www.bbc.com/news/uk-scotland-55661248

 
 

--Singapore's Financial Institutions Get Updated Cyber Defense Guidelines

(January 18, 2021)

The Monetary Authority of Singapore (MAS) has revised its Technology Risk Management Guidelines to include directing financial institutions to ensure that third-party service providers are adequately securing data. The guidelines also call for increased security controls and strong risk mitigation for cloud technologies and APIs.


[Editor Comments]


[Neely] Flowing down cybersecurity requirements to third-party service providers includes not only contract language but also validation that they are indeed doing what is required. When reviewing assessment reports, make sure they are relevant to protecting your data, particularly for cloud-based solutions where the CSP audit report provides a foundation but doesn't address the implementation of your service.


Read more in:

ZDNet: Singapore tightens cyber defence guidelines for financial services sector

https://www.zdnet.com/article/singapore-tightens-cyber-defence-guidelines-for-financial-services-sector/

MAS: Technology Risk Management Guidelines January 2021 (PDF)

https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Supervisory-Framework/Risk-Management/TRM-Guidelines-18-January-2021.pdf

 
 

--Multiple Vulnerabilities in FiberHome Routers' Firmware

(January 18, 2021)

Numerous vulnerabilities, including at least 28 backdoor accounts, have been found in the firmware of FiberHome FTTH ONT routers. The routers are used mainly in South America and Southeast Asia. The researcher who detected the vulnerabilities also noted that the devices' firewall is active on the IPv4 interface, but not on the IPv6 interface.


[Editor Comments]


[Neely] When using a device like this which terminates your ISP service with an Ethernet connection, be sure to have your own firewall/router as routers from ISPs are typically externally managed, and you cannot control the updates or security features.


Read more in:

ZDNet: Multiple backdoors and vulnerabilities discovered in FiberHome routers

https://www.zdnet.com/article/multiple-backdoors-and-vulnerabilities-discovered-in-fiberhome-routers/

Pierre Kim: Multiple vulnerabilities found in FiberHome HG6245D routers

https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html

 
 

--Feedback Prompts Bugtraq to Reverse Decision to Shut Down

(January 15, 16, 17, & 18, 2021)

On January 15, the Bugtraq mailing list announced it would be shutting down on January 31, 2021. Bugtraq was established in November 1993. A day later, Bugtraq wrote, "based on the feedback we've received both from the community-at-large and internally, we've decided to keep the Bugtraq list running."


Read more in:

seclists: BugTraq Shutdown

https://seclists.org/bugtraq/2021/Jan/0

Seclists.bugtraq: On Second Thought...

https://seclists.org/bugtraq/2021/Jan/1

ZDNet: Iconic BugTraq security mailing list shuts down after 27 years

https://www.zdnet.com/article/iconic-bugtraq-security-mailing-list-shuts-down-after-27-years/

The Register: Hallowed Bugtraq infosec list killed then resurrected over the weekend: We heard your feedback, says Accenture

https://www.theregister.com/2021/01/18/security_in_brief/

 
 

--Microsoft Zerologon Flaw Enforcement Phase Begins February 9

(January 14, 15, & 18, 2021)

Organizations that have not yet patched the Microsoft Zerologon vulnerability are being urged to do so before February 9, 2021. As of that date, Microsoft "will be enabling Domain Controller enforcement mode by default. This will block vulnerable connections from non-compliant devices." Microsoft released a fix for the Zerologon vulnerability in August 2020. In September 2020, the US Department of Homeland Security (DHS) issued an emergency directive instructing agencies to patch systems against the flaw.


[Editor Comments]


[Neely] Review your systems to make sure the patch has been fully deployed. Check behavior on non-Windows systems. If you're enabling the non-secure net login for specific accounts, set time limits to resolve the issue and remove the exception. Review the Microsoft bulletin below to make sure you are ready. Validate you're able to detect attempted abuse.


Read more in:

Security Week: Microsoft Reminds Organizations of Upcoming Phase in Patching Zerologon Vulnerability

https://www.securityweek.com/microsoft-reminds-organizations-upcoming-phase-patching-zerologon-vulnerability

Bleeping Computer: Microsoft warns of incoming Windows Zerologon patch enforcement

https://www.bleepingcomputer.com/news/security/microsoft-warns-of-incoming-windows-zerologon-patch-enforcement/

Threatpost: Microsoft Implements Windows Zerologon Flaw 'Enforcement Mode'

https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/

MSRC-blog: Netlogon Domain Controller Enforcement Mode is enabled by default beginning with the February 9, 2021 Security Update, related to CVE-2020-1472

https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/
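As an added readiness check for the enforcement phase described above (an example script, not from this issue or from Microsoft), the following PowerShell summarises, on a domain controller, the Netlogon events that show which devices would be blocked once enforcement mode is on. It assumes the event IDs 5827-5831 and the FullSecureChannelProtection registry value from Microsoft's CVE-2020-1472 guidance, neither of which this issue lists, and that the DC already has the August 2020 or later update that logs those events.

```powershell
# Added example (not from this NewsBites issue or from Microsoft): summarise a
# domain controller's readiness for Netlogon enforcement mode (CVE-2020-1472).
# Assumes it runs elevated on a DC that already has the August 2020 (or later)
# update, which is what logs the NETLOGON events 5827-5831 used below; the
# event IDs and registry value come from Microsoft's CVE-2020-1472 guidance.
param([int]$Days = 7)

$ErrorActionPreference = 'Stop'

# 1. Registry: FullSecureChannelProtection = 1 means enforcement is already on.
#    Absent or 0 means the DC will only enforce once the February 9 default lands.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$props   = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
$fscp    = if ($null -ne $props -and $null -ne $props.FullSecureChannelProtection) {
               $props.FullSecureChannelProtection
           } else { 'not set' }
Write-Host "FullSecureChannelProtection: $fscp"

# 2. What each Netlogon event ID means for the enforcement phase.
$meaning = @{
    5827 = 'DENIED vulnerable connection (machine account)'
    5828 = 'DENIED vulnerable connection (trust account)'
    5829 = 'ALLOWED vulnerable connection (will be BLOCKED under enforcement)'
    5830 = 'ALLOWED by group policy exception (machine account)'
    5831 = 'ALLOWED by group policy exception (trust account)'
}

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827, 5828, 5829, 5830, 5831
    StartTime    = (Get-Date).AddDays(-$Days)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Host "No NETLOGON 5827-5831 events in the last $Days days."
    Write-Host "Either nothing vulnerable is connecting, or this DC lacks the August 2020 update."
    return
}

# 3. Count per event ID so the overall picture is visible at a glance.
$events | Group-Object Id | Sort-Object Name | ForEach-Object {
    '{0,5}  {1,4}  {2}' -f $_.Name, $_.Count, $meaning[[int]$_.Name]
}

# 4. Devices still making vulnerable connections (5829) are the ones that will
#    break on February 9 unless they are patched, replaced, or given a
#    time-limited exception. The "Machine SamAccountName:" field is parsed
#    from the event text; adjust the pattern if your build words it differently.
$atRisk = $events | Where-Object Id -eq 5829 | ForEach-Object {
    if ($_.Message -match 'Machine SamAccountName:\s*(\S+)') { $Matches[1] }
} | Sort-Object -Unique

if ($atRisk) {
    Write-Host "`nDevices that will be blocked in enforcement mode:"
    $atRisk | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "`nNo allowed-but-vulnerable (5829) connections seen: ready for enforcement."
}

# 5. Exceptions (5830/5831) are allowed by policy, but they keep the vulnerable
#    protocol alive; review each one and plan its removal.
$exceptions = $events | Where-Object { $_.Id -in 5830, 5831 }
if ($exceptions) {
    Write-Host "`n$($exceptions.Count) connection(s) allowed by group policy exception - review and time-limit them."
}
```

Run it on every domain controller, since each DC logs only the secure-channel connections it served itself.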

 
 

--OpenWRT Breach

(January 18, 2021)

A hacker breached an admin account on the OpenWRT forum. The account was protected by a password, but did not have two-factor authentication implemented. According to an OpenWRT security notice, "the intruder was able to download a copy of the user list that contains email addresses, handles, and other statistical information about the users of the forum." All forum passwords have been reset and API keys have been flushed. The breach occurred on Saturday, January 16.


[Editor Comments]


[Neely] Take a moment to verify you're implementing multi-factor authentication (MFA) on all admin and privileged accounts. Make sure any "break glass" accounts (admin accounts with a reusable password) are both minimized and used only in emergencies. Monitor for the use of reusable passwords on privileged accounts. Have an approval, review, and validation process for accounts that cannot be made MFA.


[Murray] The year of Strong Authentication was 2018. By now, all admin accounts should be using it. No exceptions, no excuses.  


Read more in:

ZDNet: OpenWRT reports data breach after hacker gained access to forum admin account

https://www.zdnet.com/article/openwrt-reports-data-breach-after-hacker-gained-access-to-forum-admin-account/

Bleeping Computer: OpenWRT Forum user data stolen in weekend data breach

https://www.bleepingcomputer.com/news/security/openwrt-forum-user-data-stolen-in-weekend-data-breach/

OpenWRT: Security Notice - Forum break-in

https://lists.openwrt.org/pipermail/openwrt-announce/2021-January/000008.html

 
 

--$5.1M Fine for HIPAA Violation

(January 18, 2021)

Excellus Health Plan has agreed to pay a $5.1 million fine to the US Department of Health and Human Services (HHS) Office for Civil Rights for violations of the Health Insurance Portability and Accountability Act (HIPAA). Hackers breached the Excellus network in December 2013 and maintained access until at least mid-May 2015. The breach exposed personally identifiable information of more than 9.3 million patients. The exposed data included names, bank account information, and clinical treatment information. Excellus filed a breach report in September 2015.


[Editor Comments]


[Pescatore] HIPAA fines have been infrequent: in the 17 years since compliance started, OCR has levied fines in only 92 cases out of about 70,000 investigated. On the other hand, the average fine has been about $1.4M - good to highlight to CXOs and boards if you are in the healthcare vertical.


[Murray] In light of the "ransomware" attacks in the healthcare industry, the time-to-detection of a breach must shrink from months to hours. Providers must have an objective and strategy and tactics for achieving it.  


Read more in:

Infosecurity Magazine: Health Insurer Fined $5.1m Over Data Breach

https://www.infosecurity-magazine.com/news/health-insurer-fined-5m-over-data/

HHS: RESOLUTION AGREEMENT (PDF)

https://www.hhs.gov/sites/default/files/excellus-ra-cap.pdf


*****************************************************************************

INTERNET STORM CENTER TECH CORNER

 

Scans for DNS over HTTPs

https://isc.sans.edu/forums/diary/Obfuscated+DNS+Queries/26992/

https://us-cert.cisa.gov/ncas/current-activity/2021/01/15/nsa-releases-guidance-encrypted-dns-enterprise-environments


Doc And RTF Malicious Document

https://isc.sans.edu/forums/diary/Doc+RTF+Malicious+Document/26996/


Exploit for Shazam Geolocation Vulnerability

https://ash-king.co.uk/blog/Shazlocate-abusing-CVE-2019-8791-CVE-2019-8792


Apple Removing ContentFilterExclusionList

https://www.patreon.com/posts/46179028


Center for Internet Security Cisco NX-OS Benchmark

https://www.cisecurity.org/cis-benchmarks/


Netlogon Domain Controller Enforcement Mode Starting February 9th

https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/


Voice Phishing and Internal Messaging Systems Used to Escalate Privileges

https://www.ic3.gov/Media/News/2021/210115.pdf


*****************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.