SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXIII - Issue #6
January 22, 2021
SolarWinds Update and NSA Year In Review
****************************************************************************
SANS NewsBites January 22, 2021 Vol. 23, Num. 006
****************************************************************************
SOLAR WINDS UPDATE
SolarWinds: FireEye Offers Remediation Strategies and Auditing Tool
SolarWinds: New "Raindrop" Malware Installs Cobalt Strike
SolarWinds: Hackers Hit Malwarebytes
SolarWinds: Microsoft Details How Threat Actors Evaded Detection
NSA Cybersecurity 2020 Year in Review
THE REST OF THE WEEK'S NEWS
Dnsmasq Vulnerabilities
Malware Found on Some Laptops Provided to UK Schoolchildren
CISA Increasing Effort to Get Ransomware Information to Local Government
Wordfence Offers Free Site Security Audits to US K-12 Public Schools
Windows RDP Servers are Being Used to Amplify DDoS Attacks
Hospital's Network Hit with Cyberattack
Amazon Fixes Flaws That Could be Exploited to Take Control of Kindle Accounts
INTERNET STORM CENTER TECH CORNER
****************** Sponsored By AWS Marketplace ***************************
Webcast | We invite you to join us for our upcoming webinar on Cloud Threat Intelligence in the AWS Cloud. SANS and AWS Marketplace will discuss detection and prevention metrics, finding effective intelligence data feeds and sources, and determining how best to integrate them into security operations functions. Register today and be one of the first to receive the associated whitepaper written by SANS Senior Instructor, Dave Shackleford! | January 28th @ 2:00 PM ET
| http://www.sans.org/info/218730
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
New & Updated Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
- https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/
Upcoming Live Online Events
ICS Security Summit & Training
FREE Summit: Mar 4-5 | Courses: Mar 8-13 EST
- https://www.sans.org/event/ics-security-summit-2021/
SANS Stay Sharp - Mar 8-9 EST
2-Day Pen Test & Offensive Ops Courses
- https://www.sans.org/event/stay-sharp-pen-test-march-2021/
SANS 2021 - Mar 22-27 EDT
30+ Courses | Core, Cyber Defense, and DFIR NetWars
- https://www.sans.org/event/sans-2021-live-online/
OnDemand Training Special Offer
Get an iPad, a Galaxy Tab A, or take $250 Off with OnDemand training through January 27.
- www.sans.org/specials/north-america/
Offensive Operations Resources
New Cheat Sheets, Slingshot Linux Distro, Posters, and more. View & Download
- https://www.sans.org/offensive-operations/
*****************************************************************************
SOLAR WINDS UPDATE
--SolarWinds: FireEye Offers Remediation Strategies and Auditing Tool
(January 19 & 20, 2021)
FireEye has published a white paper, Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452, as well as a tool, Mandiant Azure AD Investigator, "for detecting artifacts that may be indicators of UNC2452 and other threat actor activity."
[Editor Comments]
[Neely] Check the results of the FireEye tool against your current tool output to avoid blind spots.
Read more in:
FireEye: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452
FireEye: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452 (White paper PDF)
https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf
Github: fireeye / Mandiant-Azure-AD-Investigator
https://github.com/fireeye/Mandiant-Azure-AD-Investigator
The Register: FireEye publishes details of SolarWinds hacking techniques, gives out free tool to detect signs of intrusion
https://www.theregister.com/2021/01/19/fireeye_solarwinds_code/
ZDNet: FireEye releases tool for auditing networks for techniques used by SolarWinds hackers
Gov Infosecurity: Free Auditing Tool Helps Detect SolarWinds Hackers' Malware
https://www.govinfosecurity.com/free-auditing-tool-helps-detect-solarwinds-hackers-malware-a-15808
--SolarWinds: New "Raindrop" Malware Installs Cobalt Strike
(January 19, 2021)
A fourth piece of malware used by the SolarWinds hackers has been detected. Dubbed Raindrop, the malware is a backdoor loader that places Cobalt Strike on targeted systems to allow the attackers to move laterally through the network. While Cobalt Strike is a commercially available penetration testing tool, "threat actors have since figured out how to turn it against networks to spread through an environment, exfiltrate data, deliver malware and more."
[Editor Comments]
[Neely] The Symantec Report includes both IOC and YARA rules to detect Raindrop, which have been incorporated into their endpoint protection product. https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
Read more in:
ZDNet: Fourth malware strain discovered in SolarWinds incident
https://www.zdnet.com/article/fourth-malware-strain-discovered-in-solarwinds-incident/
Threatpost: SolarWinds Malware Arsenal Widens with Raindrop
https://threatpost.com/solarwinds-malware-arsenal-raindrop/163153/
Duo: New Raindrop Tool Tied to Solarwinds Attackers
https://duo.com/decipher/new-raindrop-tool-tied-to-solarwinds-attackers
--SolarWinds: Hackers Hit Malwarebytes
(January 20, 2021)
The threat actors behind the SolarWinds Orion supply chain attack have hit Malwarebytes' network. In a January 19 blog post, Malwarebytes writes, "We can confirm the existence of another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments." Malwarebytes does not use SolarWinds products.
Read more in:
Malwarebytes: Malwarebytes targeted by Nation State Actor implicated in SolarWinds breach. Evidence suggests abuse of privileged access to Microsoft Office 365 and Azure environments
The Register: Malwarebytes says its Office 365, Azure tenancies invaded by SolarWinds hackers, insists its tools are still safe to use
https://www.theregister.com/2021/01/20/malwarebytes_solarwinds_hack_latest/
ZDNet: Malwarebytes said it was hacked by the same group who breached SolarWinds
Ars Technica: Security firm Malwarebytes was infected by same hackers who hit SolarWinds
Threatpost: Malwarebytes Hit by SolarWinds Attackers
https://threatpost.com/malwarebytes-solarwinds-attackers/163190/
--SolarWinds: Microsoft Details How Threat Actors Evaded Detection
(January 20 & 21, 2021)
Researchers from Microsoft's 365 Defender Research Team, Threat Intelligence Center (MSTIC), and Microsoft Cyber Defense Operations Center (CDOC) have published new information about operational security techniques and anti-forensic behavior the SolarWinds attackers used to evade detection. Microsoft's "goal is to continue empowering the defender community by helping to increase their ability to hunt for the earliest artifacts of compromise and protect their networks from this threat."
[Editor Comments]
[Neely] One of the lessons from SolarWinds is early detection. Your 2021 supply chain security plan needs to include validation and possibly upgrading your detection and response capabilities. Understanding how they evaded detection is key to developing capabilities to prevent future abuses.
Read more in:
Microsoft: Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop
ZDNet: Microsoft: This is how the sneaky SolarWinds hackers hid their onward attacks for so long
The Register: Microsoft SolarWinds analysis: Attackers hid inside Windows systems by wearing the skins of legit processes
https://www.theregister.com/2021/01/21/microsoft_solarwinds_deep_dive/
Bleeping Computer: Microsoft shares how SolarWinds hackers evaded detection
Cyberscoop: Microsoft details how SolarWinds hackers hid their espionage
https://www.cyberscoop.com/solarwinds-hack-russia-spying-microsoft/
--NSA Cybersecurity 2020 Year in Review
(January 2021)
The US National Security Agency's (NSA) Cybersecurity Directorate has published its first Cybersecurity Year in Review. The document "outlines key milestones and mission outcomes achieved during NSA Cybersecurity's first year." The NSA Cybersecurity Directorate was established in October 2019 "with a mission to prevent and eradicate cyber actors from systems critical to national security and critical infrastructure, with a focus on the Defense Industrial Base."
[Editor Comments]
[Pescatore] Two key areas I'm glad to see NSA focused on in 2020: (1) Encryption - modernization and driving higher adoption; (2) Supply chain security in the Defense Industrial Base. These are two key areas that lead to avoiding or preventing damaging incidents where NSA can add unique value.
[Neely] This includes links to guides on secure telecommuting and home network security. Leverage these to close any gaps in your current practices as telecommuting is expected to be utilized by a much higher percentage of the workforce than in years past.
Read more in:
Defense: 2020 Cybersecurity Year in Review (PDF)
******************************* SPONSORED LINKS ********************************
1) Webcast | Join SANS Senior Instructor, Dave Shackleford for a prerecorded webcast where SANS and AWS Marketplace discuss CTI detection and prevention metrics, finding effective intelligence data feeds and sources, and determining how best to integrate them into security operations functions | February 9th @ 1:00 PM EST
| http://www.sans.org/info/218735
2) Webcast | Join SANS senior instructor, Dave Shackleford for "Driving a Stake in Advanced Threats (SUNBURST) with the Network", a talk that will use the SUNBURST backdoor exploit as a backdrop since the majority of the IOCs were network visible. | January 26th @ 1:00 PM EST
| http://www.sans.org/info/218740
3) Webcast | Join SANS senior instructor, Jake Williams, as he dives into how new generation anti-bot technology fundamentally changes the game in our upcoming webcast, "Bot Disruption: Beating Cybercriminals at their Own Game" | January 28th @ 1:00 PM EST
| http://www.sans.org/info/218745
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--Dnsmasq Vulnerabilities
(January 19 & 20, 2021)
Researchers from JSOF have disclosed seven vulnerabilities in dnsmasq, open-source DNS forwarding software. The flaws could be exploited to allow DNS cache poisoning and remote code execution. The vulnerabilities are addressed in dnsmasq 2.83. The issues are believed to affect products from at least 40 vendors.
[Editor Comments]
[Neely] The vulnerable versions of dnsmasq are also embedded in products from Android/Google, Comcast, Cisco, Redhat, Netgear, and Ubiquiti, meaning a firmware update is needed. The JSOF Technical Whitepaper [https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq-Technical-WP.pdf] provides some workarounds and detailed analysis. Mitigations include enabling and configuring HSTS on your websites and switching to DNSSEC, which makes DNS spoofing nearly ineffective.
[Murray] "Open Source" continues to fail to live up to its security promise. It appears as though this is code used by tens of vendors, not one of which sufficiently validated its quality. Developers are responsible for the quality of all the code in their products, regardless of its source. Wide reuse of code is not a guarantee of its quality but it is an indicator of its importance.
Read more in:
JSOF: DNSpooq - Kaminsky attack is back!
https://www.jsof-tech.com/disclosures/dnspooq/
The Register: Dnsmasq, used in only a million or more internet-facing devices globally, patches not-so-secret seven spoofing, hijacking flaws
https://www.theregister.com/2021/01/20/dns_cache_poisoning/
Dark Reading: Vulnerabilities in Popular DNS Software Allow Poisoning
Threatpost: DNSpooq Flaws Allow DNS Hijacking of Millions of Devices
https://threatpost.com/dnspooq-flaws-allow-dns-hijacking-of-millions-of-devices/163163/
Bleeping Computer: List of DNSpooq vulnerability advisories, patches, and updates
CERT: Dnsmasq is vulnerable to memory corruption and cache poisoning
https://www.kb.cert.org/vuls/id/434904
--Malware Found on Some Laptops Provided to UK Schoolchildren
(January 21, 2021)
Laptops provided to some British schoolchildren were found to be infected with malware. The laptops were distributed through a government program to help disadvantaged students learn remotely. The computers were infected with malware known as Gamarue (aka Andromeda). The UK's Department for Education (DfE) told The Register, "We are aware of an issue with a small number of devices and we are investigating as an urgent priority to resolve the matter as soon as possible. DfE IT teams are in touch with those who have reported this issue. We believe this is not widespread."
[Editor Comments]
[Neely] When having a vendor or supplier image systems for you, checking samples to verify the image is as intended is critical. The Gamarue malware has been in AV products for a long time, so updating your AV software and running a full scan should eliminate it from your laptop. Better still is to have it reimaged from a known good copy.
Read more in:
The Register: Laptops given to British schoolkids came preloaded with malware and talked to Russia when booted
https://www.theregister.com/2021/01/21/dept_education_school_laptops_malware/
Bleeping Computer: UK govt gives malware infected laptops to vulnerable students
BBC: Malware found on laptops given out by government
https://www.bbc.com/news/technology-55749959
--CISA Increasing Effort to Get Ransomware Information to Local Government
(January 21, 2021)
The US Cybersecurity and Infrastructure Security Agency (CISA) is ramping up efforts to boost ransomware awareness at the local government level. CISA has created a new page on its website that provides ransomware guidance and resources, including a guidebook CISA published last fall along with the Multi-State Information Sharing and Analysis Center. CISA acting director Brandon Wales announced the awareness campaign in a talk at the US Conference of Mayors virtual winter meeting this week. Wales urged mayors to "Get to know your CISO ... [and] get to know the protocols they will put in place to preserve continuity of services."
[Editor Comments]
[Pescatore] The Center for Internet Security has done a good job of providing guidance and monitoring capabilities to state, local, tribal and territorial organizations to minimize the impact of ransomware. In addition to the guidebook this piece references, CIS has published a series of primers and tips. Security Primer - Ransomware: https://www.cisecurity.org/white-papers/security-primer-ransomware/
Read more in:
The Hill: Federal cyber agency announces new campaign to fight ransomware attacks
Statescoop: CISA boosts anti-ransomware messaging for local government
https://statescoop.com/cisa-anti-ransomware-messaging-local-government/
CISA: Ransomware Guidance and Resources
https://www.cisa.gov/ransomware
CISA: Ransomware Guide September 2020 (PDF)
https://www.cisa.gov/sites/default/files/publications/CISA_MS-ISAC_Ransomware%20Guide_S508C.pdf
--Wordfence Offers Free Site Security Audits to US K-12 Public Schools
(January 20, 2021)
Wordfence is offering free site cleaning and site security audits to US K-12 public schools that use the WordPress content management system. The organization is also offering those schools a free version of Wordfence that its analysts will configure.
[Editor Comments]
[Neely] Having Wordfence installed and configured on these systems is a big win. Beyond offering discounted licensing, having trained resources to both audit your systems and configure the firewall is a win-win. Too often security tools remain on the shelf because trained resources aren't available. Even so, you must act to resolve issues discovered and build the process to maintain a secure site. This is not set-it and forget it.
Read more in:
Wordfence: Announcing Free Site Cleaning & Site Security Audits for K-12 Public Schools
--Windows RDP Servers are Being Used to Amplify DDoS Attacks
(January 20 & 21, 2021)
Distributed denial-of-service (DDoS) attack-for-hire services, also called DDoS Booters or illegal IP Stressers, have been using Windows Remote Desktop Protocol (RDP) servers to amplify their attacks. According to a Netscout advisory, "When enabled on UDP/3389, the Microsoft Windows RDP service may be abused to launch UDP reflection/amplification attacks with an amplification ratio of 85.9:1." Network operators are urged to move RDP servers that provide remote access via UDP behind VPN concentrators; if that is not possible, then RDP via UDP/3389 should be disabled.
Read more in:
Bleeping Computer: Windows Remote Desktop servers now used to amplify DDoS attacks
Netscout: Microsoft Remote Desktop Protocol (RDP) Reflection/Amplification DDoS Attack Mitigation Recommendations - January 2021
https://www.netscout.com/blog/asert/microsoft-remote-desktop-protocol-rdp-reflectionamplification
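The Netscout recommendation above (put UDP-based RDP behind a VPN concentrator, or otherwise disable RDP on UDP/3389) can be checked and applied on a single Windows host with the following script. This is an added example, not code from the NewsBites issue or from Netscout; the firewall rule name is a constructed label, and the SelectTransport policy value is an assumption to verify against your own Group Policy reference before deploying.

```powershell
# Added example (not from the NewsBites issue or the Netscout advisory):
# audit whether this Windows host is listening for RDP on UDP/3389 and,
# if so, block inbound UDP/3389 so the host cannot serve as a
# reflection/amplification source. TCP/3389 (ordinary RDP) is left alone.
# Run in an elevated PowerShell session on the RDP server.

# 1. Is anything bound to UDP/3389? RDP's UDP transport listens here.
$udpListeners = Get-NetUDPEndpoint -LocalPort 3389 -ErrorAction SilentlyContinue
if ($udpListeners) {
    Write-Host "UDP/3389 is bound by process(es):"
    $udpListeners | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        "  PID {0} ({1})" -f $_.OwningProcess, $proc.ProcessName
    }
} else {
    Write-Host "No UDP/3389 listener found; nothing is exposed on this host."
}

# 2. Block inbound UDP/3389 at the host firewall. The rule name is a
#    constructed label; the check makes the script safe to re-run.
$ruleName = 'Block RDP over UDP (reflection mitigation)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol UDP -LocalPort 3389 -Action Block -Profile Any | Out-Null
    Write-Host "Created firewall rule: $ruleName"
} else {
    Write-Host "Firewall rule already present: $ruleName"
}

# 3. Optionally tell Remote Desktop Services itself to use TCP only, via the
#    "Select RDP transport protocols" policy (SelectTransport). Assumption:
#    value 1 = "Use only TCP"; confirm against your GPO documentation.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'SelectTransport' -Value 1 -Type DWord
Write-Host "SelectTransport set; the policy takes effect for new sessions after Remote Desktop Services restarts."
```

Step 2 is the immediate mitigation and stops the reflection traffic on its own; step 3 removes the UDP transport at the service rather than just filtering it. After a service restart, re-running step 1 should report no UDP/3389 listener, which is the check to record in your change ticket.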
--Belgian Hospital's Network Hit with Cyberattack
(January 21, 2021)
A cyberattack against a Belgian hospital resulted in roughly 20 percent of its servers being encrypted. The attackers appear to have used Windows BitLocker software to encrypt the servers. Centre Hospitalier de Wallonie Picarde (CHwapi) said that patients arriving through emergency services have been rerouted to other facilities.
Read more in:
NetSec: Patients Rerouted to Other Hospitals After Cyberattack on Belgian Hospital
https://www.netsec.news/patients-rerouted-to-other-hospitals-after-cyberattack-on-belgian-hospital/
Bleeping Computer: CHwapi hospital hit by Windows BitLocker encryption cyberattack
--Amazon Fixes Flaws That Could be Exploited to Take Control of Kindle Accounts
(January 21, 2021)
Amazon has fixed a trio of vulnerabilities in its Send to Kindle feature that could have been exploited to take control of Kindle e-Readers, allowing attackers to make purchases in the Kindle store with linked credit cards and to access personal information stored on the devices. To exploit the flaws, a hacker would need to spoof the Kindle owner's email address, send them a maliciously crafted ebook, and convince them to click on a link inside that ebook.
[Editor Comments]
[Pescatore] My first reaction to this news item was "What's next, patches for Palm Pilots??" But Amazon is in the top 4 in market share for tablets and has shipped over 50M of them. The pandemic has caused an increase in homes dusting off their Kindles to "take out" books from their local libraries, so they are probably more active on home WiFi networks than you might think. Good to remind home users patching isn't just Windows, iOS and Android.
[Neely] Just like laptops and tablets, you need to keep the Kindle updated. Think of the Fire as an Android tablet, not just an e-Reader; as such, apps and content should only come from known sources.
Read more in:
Vice: Bugs Allowed Hackers to Hijack Kindle Accounts With Malicious Ebooks
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Qakbot Activity Resumes After Holiday Break
https://isc.sans.edu/forums/diary/Qakbot+activity+resumes+after+holiday+break/27008/
Powershell Dropping REvil Ransomware
https://isc.sans.edu/forums/diary/Powershell+Dropping+a+REvil+Ransomware/27012/
Multiple dnsmasq Vulnerabilities
https://www.jsof-tech.com/wp-content/uploads/2021/01/DNSpooq_Technical-Whitepaper.pdf
FreakOut Malware
Kids Break Screensaver
https://github.com/linuxmint/cinnamon-screensaver/issues/354
SolarWinds Updates
Cisco Advisories
Eavesdropping Vulnerabilities in Various WebRTC Based Video Conferencing Systems
https://googleprojectzero.blogspot.com/2021/01/the-state-of-state-machines.html
Oracle Business Intelligence Enterprise Edition XSS
https://www.exploit-db.com/exploits/49444
Oracle Critical Patch Update
https://www.oracle.com/security-alerts/cpujan2021.html
SAP Exploit Circulating
https://onapsis.com/blog/new-sap-exploit-published-online-how-stay-secure
RDP Used for DDoS
https://www.netscout.com/blog/asert/microsoft-remote-desktop-protocol-rdp-reflectionamplification
Billy Wilson: Mitigating Attacks Against Supercomputers with KRSI
https://www.sans.org/reading-room/whitepapers/linux/mitigating-attacks-supercomputer-krsi-40010
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.