
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXIII - Issue #9

February 2, 2021

SolarWinds Attack Vectors and US Federal Judiciary Actions; Attacks Targeting Cyber Researchers; SonicWall Zero-day Exploited; NoxPlayer Update Compromised


******************************************************************************

SANS NewsBites                February 2, 2021               Vol. 23, Num. 009

******************************************************************************

TOP OF THE NEWS

 

  Threat Actors Behind SolarWinds Used Multiple Attack Vectors

  SolarWinds: US Federal Judiciary Sets New Requirements for Filing Sensitive Documents

  Microsoft Provides More Information About Attacks Targeting Researchers

  SonicWall Zero-day is Being Exploited in the Wild

  NoxPlayer Software Update Mechanism Compromised in Supply-Chain Attack

 

********************  Sponsored By AWS Marketplace  ****************************


SANS book: Practical Guide to Security in the AWS Cloud | AWS Marketplace would like to present you with a digital copy of the new book, Practical Guide to Security in the AWS Cloud, by the SANS Institute. This complimentary book is a collection of knowledge from 18 contributing authors, who share their tactics, techniques, and procedures for securely operating in the cloud. | Register Now!

| http://www.sans.org/info/218810


******************************************************************************

THE REST OF THE WEEK'S NEWS

 

  UK Research and Innovation Discloses Ransomware Attack

  FonixCrypter Ransomware Group Shuts Down Operations, Releases Master Decryption Key

  US Legislators Want NSA to Answer Questions About 2012 Juniper Networks Supply Chain Attack

  Libgcrypt Developers Patch Critical Vulnerability

  NITRO Open Source Library Flaws Fixed

  WordPress Popup Builder Plugin Users Urged to Update to Fix Vulnerabilities

  Vulnerabilities in Fuji Electric ICS Products


INTERNET STORM CENTER TECH CORNER


******************************************************************************

CYBERSECURITY TRAINING UPDATE


New & Updated Courses


SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/


FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics

- https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/


Upcoming Live Online Events

Register early to save up to $300 on Live Online courses.

See event pages for specific offers.


ICS Security Summit & Training

FREE Summit: Mar 4-5 | Courses: Mar 8-13 EST

- https://www.sans.org/event/ics-security-summit-2021/


SANS Stay Sharp - Mar 8-9 EST

2-Day Pen Test & Offensive Ops Courses

- https://www.sans.org/event/stay-sharp-pen-test-march-2021/

 

SANS 2021 - Mar 22-27 EDT

30+ Courses | Core, Cyber Defense, and DFIR NetWars

- https://www.sans.org/event/sans-2021-live-online/


OnDemand Training Special Offer


Get an iPad mini, Galaxy Tab S5e, or Take $300 Off with OnDemand training through February 10.

- https://www.sans.org/specials/north-america/


Offensive Operations Resources


New Cheat Sheets, Slingshot Linux Distro, Posters, and more. View & Download

- https://www.sans.org/offensive-operations/


******************************************************************************

TOP OF THE NEWS

 

--Threat Actors Behind SolarWinds Used Multiple Attack Vectors

(January 29 & February 1, 2021)

The acting director of the US Cybersecurity and Infrastructure Security Agency (CISA) says that "significant numbers of both the private-sector and government victims linked to this campaign had no direct connection to SolarWinds." The threat actors used multiple attack vectors. (Please note that the WSJ story is behind a paywall.)


Read more in:

Security Week: CISA Says Many Victims of SolarWinds Hackers Had No Direct Link to SolarWinds

https://www.securityweek.com/cisa-says-many-victims-solarwinds-hackers-had-no-direct-link-solarwinds

SC Magazine: Does SolarWinds change the rules in offensive cyber? Experts say no, but offer alternatives

https://www.scmagazine.com/home/security-news/apts-cyberespionage/does-solarwinds-change-the-rules-in-offensive-cyber-experts-say-no-but-offer-alternatives/

SC Magazine: As SolarWinds spooks tech firms into rechecking code, some won't like what they find

https://www.scmagazine.com/application-security/as-solarwinds-spooks-tech-firms-into-rechecking-code-some-wont-like-what-they-find/

ZDNet: SolarWinds attack is not an outlier, but a moment of reckoning for security industry, says Microsoft exec

https://www.zdnet.com/article/solarwinds-attack-is-not-an-outlier-but-a-moment-of-reckoning-for-security-industry-says-microsoft-exec/

WSJ: Suspected Russian Hack Extends Far Beyond SolarWinds Software, Investigators Say (paywall)

https://www.wsj.com/articles/suspected-russian-hack-extends-far-beyond-solarwinds-software-investigators-say-11611921601

Ars Technica: 30% of "SolarWinds hack" victims didn't actually use SolarWinds

https://arstechnica.com/information-technology/2021/01/30-of-solarwinds-hack-victims-didnt-actually-use-solarwinds/

 
 

--SolarWinds: US Federal Judiciary Sets New Requirements for Filing Sensitive Documents

(January 31 & February 1, 2021)

The SolarWinds supply chain attack affected the US court system's electronic files, prompting the federal Judiciary to adopt "new security procedures to protect highly sensitive confidential documents filed with the courts." US courts have been instructed to issue standing or general orders that "highly sensitive court documents (HSDs) filed with federal courts will be accepted for filing in paper form or via a secure electronic device, such as a thumb drive, and stored in a secure stand-alone computer system. These sealed HSDs will not be uploaded to" the Judiciary's Case Management/Electronic Case Files system.


[Editor Comments]


[Neely] Isolated or air-gapped systems still have information flowing in and out, so controls are critically needed to ensure that only intended information is permitted. Administration tasks will need one or more of these safeguards: duplication of backup, patching, monitoring and alerting capabilities, or a controlled interface from existing systems, which could be leveraged to affect a compromise. Alternatively, sensitive documents can be secured by encryption where only the intended readers can decrypt them, and third-party key recovery requires security officers, not system administrators.


[Murray] The "SolarWinds" attack demonstrates the fragility of our infrastructure and the necessity of "zero trust," of process-to-process isolation, of mutually suspicious processes. It is time to end the convenience of flat enterprise networks, where compromise can spread laterally quickly and efficiently.


Read more in:

AP News: Russian hack brings changes, uncertainty to US court system

https://apnews.com/article/coronavirus-pandemic-courts-russia-375942a439bee4f4b25f393224d3d778

The Register: US court system ditches electronic filing, goes paper-only for sensitive documents following SolarWinds hack

https://www.theregister.com/2021/02/01/us_court_papers/

US Courts: Judiciary Addresses Cybersecurity Breach: Extra Safeguards to Protect Sensitive Court Records

https://www.uscourts.gov/news/2021/01/06/judiciary-addresses-cybersecurity-breach-extra-safeguards-protect-sensitive-court

 
 

--Microsoft Provides More Information About Attacks Targeting Researchers

(January 28 & 29, 2021)

Microsoft is sharing additional information about the North Korean hacking campaign targeting cybersecurity researchers. Google's Threat Analysis Group released an initial warning about the campaign last week. In a January 28 blog post, Microsoft's Threat Intelligence Center (MSTIC) and Microsoft 365 Defender Threat Intelligence Team write that over the past months, they have "detected cyberattacks targeting security researchers by an actor we track as ZINC." The ZINC threat group has ties to the Lazarus Group. Microsoft's report provides additional technical information about the threat actors' use of Visual Studio as an attack vector. The campaign presently appears to be targeting only researchers who are using Windows.


[Editor Comments]


[Murray] These "grooming" attacks, the kind that are used against children, are narrowly targeted, resource intensive, and do not scale well. More are abandoned than succeed. The value of the target to the attacker determines whether or not they are efficient.


Read more in:

Microsoft: ZINC attacks against security researchers

https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/

Threatpost: Lazarus Affiliate 'ZINC' Blamed for Campaign Against Security Researcher

https://threatpost.com/lazarus-affiliate-zinc-blamed-for-campaign-against-security-researcher/163474/


 

--SonicWall Zero-day is Being Exploited in the Wild

(February 1, 2021)

SonicWall says that threat actors are exploiting a critical, unpatched vulnerability in one of the company's firewalls. The flaw affects SonicWall Secure Mobile Access 100 series firmware version 10.x. SonicWall is in the process of developing a patch for the vulnerability and expects to make it available by the end of the day on Tuesday, February 2. The company has listed mitigations that could be implemented until the fix is available.


Read more in:

SonicWall: Urgent Security Notice: SonicWall Confirms SMA 100 Series 10.X Zero-Day Vulnerability [Feb. 1, 2 P.M. CST]

https://www.sonicwall.com/support/product-notification/urgent-security-notice-sonicwall-confirms-sma-100-series-10-x-zero-day-vulnerability-feb-1-2-p-m-cst/210122173415410/

ZDNet: SonicWall zero-day exploited in the wild

https://www.zdnet.com/article/sonicwall-zero-day-exploited-in-the-wild/

Bleeping Computer: SonicWall SMA 100 zero-day exploit actively used in the wild

https://www.bleepingcomputer.com/news/security/sonicwall-sma-100-zero-day-exploit-actively-used-in-the-wild/

Ars Technica: Hackers are exploiting a critical zeroday in firewalls from SonicWall

https://arstechnica.com/information-technology/2021/02/hackers-are-exploiting-a-critical-zeroday-in-firewalls-from-sonicwall/


 

--NoxPlayer Software Update Mechanism Compromised in Supply-Chain Attack

(February 1, 2021)

Researchers from Eset say that the NoxPlayer Android emulator was hit with a supply chain attack. The attackers compromised the BigNox software distribution system and sent malicious updates. The malware is installing surveillance software on users' computers. While NoxPlayer has a reported 150 million users around the world, the attackers appear to be targeting only a very small number of users, all located in Asia.


[Editor Comments]


[Neely] This is hard to detect, as the update MD5 checksum matched the information provided over the BigNox API. The tell-tale sign was that the bogus updates were not digitally signed. Until BigNox provides a verified clean version, do not apply updates. Better still, uninstall the NoxPlayer. The IOCs in the WeLiveSecurity article below should be leveraged to detect compromise.


[Pescatore] When internet commerce was growing rapidly in the early 90s, bad guys learned they could turn vulnerable servers into network sniffers and see all the user logins that were carried in the clear at the time. Netscape was the leading browser company, and they came up with SSL to encrypt login connections - adding a lot of complexity but a much needed raising of the bar that took several years to do right. We are long past the point where a similar raising of the bar in assuring all software (which includes updates) is required to demonstrate evidence of testing before being installed. Software vendors having their development and distribution systems compromised will be a growing threat vector until enterprises demand better.
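The checksum-versus-signature distinction in Lee Neely's comment above, as an added illustration: the Go program below is not from the original newsletter, ESET or BigNox. It assumes a vendor Ed25519 public key pinned in the installer (the page says nothing about BigNox's real update format or signing scheme), and the update bytes are constructed samples. The weak client trusts a checksum served by the same distribution system as the update, so a tampered update with a matching checksum passes; the hardened client also requires a signature under the pinned key and rejects unsigned updates outright.

```go
package main

import (
	"crypto/ed25519"
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// UpdateManifest models what an update server hands a client: the payload,
// the checksum the server advertises for it, and a detached signature over
// the payload (nil when the update ships unsigned).
type UpdateManifest struct {
	Payload   []byte
	MD5       string
	Signature []byte
}

var (
	ErrChecksum = errors.New("checksum does not match payload")
	ErrUnsigned = errors.New("update is not signed")
	ErrBadSig   = errors.New("signature does not verify under the pinned key")
)

func md5Hex(b []byte) string {
	sum := md5.Sum(b)
	return hex.EncodeToString(sum[:])
}

// VerifyChecksumOnly is the weak client: it trusts a checksum fetched from the
// same distribution system that served the update. That catches corruption,
// but an attacker who controls the server publishes a matching checksum too.
func VerifyChecksumOnly(m UpdateManifest) error {
	if md5Hex(m.Payload) != m.MD5 {
		return ErrChecksum
	}
	return nil
}

// VerifySigned is the hardened client: the update must also carry a signature
// that verifies under a public key pinned in the installer, which a compromised
// server cannot produce. Unsigned updates are rejected outright.
func VerifySigned(m UpdateManifest, pinned ed25519.PublicKey) error {
	if err := VerifyChecksumOnly(m); err != nil {
		return err
	}
	if len(m.Signature) == 0 {
		return ErrUnsigned
	}
	if !ed25519.Verify(pinned, m.Payload, m.Signature) {
		return ErrBadSig
	}
	return nil
}

// Scenario builds the constructed sample data: an assumed vendor key pair, a
// genuine signed update, and a tampered unsigned update whose advertised
// checksum matches its own bytes (as it would when the attacker also controls
// the API that serves checksums).
func Scenario() (pinned ed25519.PublicKey, genuine, tampered UpdateManifest) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	good := []byte("constructed sample: emulator update 1.0") // not real update bytes
	genuine = UpdateManifest{Payload: good, MD5: md5Hex(good), Signature: ed25519.Sign(priv, good)}

	bad := append(append([]byte{}, good...), []byte(" + constructed implant stub")...)
	tampered = UpdateManifest{Payload: bad, MD5: md5Hex(bad)} // checksum "matches", no signature
	return pub, genuine, tampered
}

func main() {
	pinned, genuine, tampered := Scenario()
	fmt.Println("genuine  / checksum only:", VerifyChecksumOnly(genuine))
	fmt.Println("tampered / checksum only:", VerifyChecksumOnly(tampered)) // nil: attack goes unnoticed
	fmt.Println("genuine  / signed:       ", VerifySigned(genuine, pinned))
	fmt.Println("tampered / signed:       ", VerifySigned(tampered, pinned)) // ErrUnsigned
}
```

The key point is where trust is rooted: a checksum downloaded next to the update is only as trustworthy as the server, while a signature verifies against a key that was shipped earlier, out of band. Copying the genuine signature onto the tampered payload fails as well, since the signature covers the payload bytes.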


Read more in:

Ars Technica: New supply chain attack uses poisoned updates to infect gamers' computers

https://arstechnica.com/information-technology/2021/02/new-supply-chain-attack-uses-poisoned-updates-to-infect-gamers-computers/

Threatpost: Alleged Gaming Software Supply-Chain Attack Installs Spyware

https://threatpost.com/gaming-software-attack-spyware/163537/

ZDNet: Hacker group inserted malware in NoxPlayer Android emulator

https://www.zdnet.com/article/hacker-group-inserted-malware-in-noxplayer-android-emulator/

Bleeping Computer: Android emulator supply-chain attack targets gamers with malware

https://www.bleepingcomputer.com/news/security/android-emulator-supply-chain-attack-targets-gamers-with-malware/

WeLiveSecurity: Operation NightScout: Supply-chain attack targets online gaming in Asia

https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/


*******************************  SPONSORED LINKS  ********************************


1) Webcast | Join our upcoming webcast, "Best Practices for Securing Modern Cloud Native Application with ActiveCampaign CISO" where Chaim Mazal, ActiveCampaign CISO, shares his experience in the cloud native space and offers tips for others. | February 4th @ 10:30 AM EST

| http://www.sans.org/info/218815


2) Webcast | Tune in for our upcoming prerecorded webcast featuring SANS senior instructor, Dave Shackleford and Nam Le from AWS Marketplace, built to teach attendees how to understand cloud-specific data sources for threat intelligence such as static indicators and TTPs, and more! | February 9th @ 1:00 PM EST

| http://www.sans.org/info/218820


3) Webcast | We invite you to join us for our upcoming webcast, "A step-by-step guide to implementing Moving Target Defense in OT Environments" | February 10th @ 3:30 PM EST

| http://www.sans.org/info/218825


******************************************************************************

THE REST OF THE WEEK'S NEWS

 

--UK Research and Innovation Discloses Ransomware Attack

(January 28, 30, & February 1, 2021)

UK Research and Innovation (UKRI), a UK government organization that manages research grants for UK organizations, has acknowledged that its network was hit with a ransomware attack. UKRI disclosed the incident on January 28. The attack affected a Brussels-based UK Research Office (UKRO) portal, and an extranet known as the BBSRC extranet; both have been taken offline. UKRI has reported the incident to authorities.


[Editor Comments]


[Neely] In the US, the CISA has launched a campaign to reduce the risk of ransomware, including a one-stop resource for alerts, guides, fact sheets, training and other resources. While the initial focus is on supporting COVID-19 response organizations and K-12 educational institutions, there is real value to any organization wanting to combat ransomware. See CISA Launches Campaign to Reduce the Risk of Ransomware: https://www.cisa.gov/news/2021/01/21/cisa-launches-campaign-reduce-risk-ransomware


[Murray] The more segmented one's network, the more the damage of "ransomware" will be limited.


Read more in:

UKRI: UKRI response to IT incident

https://www.ukri.org/news/ukri-response-to-it-incident/

ZDNet: UK Research and Innovation suffers ransomware attack

https://www.zdnet.com/article/uk-research-and-innovation-suffers-ransomware-attack/

The Register: Ransomware attack takes out UK Research and Innovation's Brussels networking office

https://www.theregister.com/2021/02/01/ukri_ransomware_ukro_brussels/

Bleeping Computer: UK Research and Innovation (UKRI) suffers ransomware attack

https://www.bleepingcomputer.com/news/security/uk-research-and-innovation-ukri-suffers-ransomware-attack/


 

--FonixCrypter Ransomware Group Shuts Down Operations, Releases Master Decryption Key

(January 29 & 30, 2021)

Operators of the Fonix ransomware say they will cease operations and have made a decryption tool and the decryption key available so its victims can regain access to their data. The tool is what the operators have used to decrypt files as proof that they really can be decrypted, but it might not be useful to decrypt large quantities of data. The master decryption key could be used to build a more efficient decryptor.


[Editor Comments]


[Neely] The master decryption key, coupled with the recently-released decryptor, works for decrypting small groups of files. It is not, by itself, however, an effective mechanism to recover your entire file repository nor should it be trusted to be free of backdoors or malware. For that scale and confidence, you need to wait for an updated general purpose ransomware decryption tool such as the Emsisoft decryptor. Beware of fake source code for the Fonix ransomware that was released by FonixCrypter gang members who disagreed with the shutdown.


Read more in:

Bleeping Computer: Fonix ransomware shuts down and releases master decryption key

https://www.bleepingcomputer.com/news/security/fonix-ransomware-shuts-down-and-releases-master-decryption-key/

ZDNet: FonixCrypter ransomware gang releases master decryption key

https://www.zdnet.com/article/fonixcrypter-ransomware-gang-releases-master-decryption-key/

Twitter: Fonix Ransomware Master RSA Key (Spub.key & Spriv.key) and Sample Decryptor

https://twitter.com/fnx67482837/status/1355255873581539333


 

--US Legislators Want NSA to Answer Questions About 2012 Juniper Networks Supply Chain Attack

(January 29 & February 1, 2021)

US legislators are seeking answers from the National Security Agency (NSA) about a 2012 supply-chain attack that affected Juniper Networks. A statement released by Senator Ron Wyden's (D-Oregon) office notes, "In 2015, Juniper revealed a security breach in which hackers modified the software the company delivered to its customers. Researchers subsequently discovered that Juniper had been using an NSA-designed encryption algorithm, which experts had long argued contained a backdoor, and that the hackers modified the key to this backdoor." A letter dated January 28, 2021, and signed by 10 US legislators asks the NSA to describe the actions it took "to protect itself, the Department of Defense, and the US government from future software supply chain attacks." Renewed interest in the older case was prompted by the SolarWinds supply chain attack that came to light in December 2020.


[Editor Comments]


[Neely] In both cases, code was modified before delivery to customers. Software providers need to make sure that code repositories can be updated or accessed only by authorized systems and users. Consumers need to ask what suppliers are doing to ensure the code delivered is genuine and unaltered, beyond the digital signature. Where possible, ask to see verifiable test results to assure only intended operations are enabled.


Read more in:

Threatpost: SolarWinds Hack Prompts Congress to Put NSA in Encryption Hot Seat

https://threatpost.com/solarwinds-nsa-encryption/163561/

Cyberscoop: After SolarWinds breach, lawmakers ask NSA for help in cracking Juniper cold case

https://www.cyberscoop.com/nsa-juniper-backdoor-wyden-espionage/

FCW: Lawmakers press NSA for answers about Juniper hack from 2015

https://fcw.com/articles/2021/01/31/juniper-hack-algo-nsa-letter.aspx

Security Week: Lawmakers Ask NSA About Its Role in Juniper Backdoor Discovered in 2015

https://www.securityweek.com/lawmakers-ask-nsa-about-its-role-juniper-backdoor-discovered-2015

Wyden: Wyden and Booker Question NSA Response Following Supply Chain Hacks of SolarWinds And Juniper Networks

https://www.wyden.senate.gov/news/press-releases/wyden-and-booker-question-nsa-response-following-supply-chain-hacks-of-solarwinds-and-juniper-networks

Document Cloud: Letter to NSA Director (PDF)

https://assets.documentcloud.org/documents/20466647/congress-letter-to-nsa.pdf

    
 

--Libgcrypt Developers Patch Critical Vulnerability

(January 29 & February 1, 2021)

A critical heap overflow vulnerability in the Libgcrypt open-source cryptographic library and GNU Privacy Guard module could be exploited to write arbitrary data and execute code. The flaw affects Libgcrypt 1.9.0, which was released in mid-January. Developers have addressed the vulnerability in Libgcrypt 1.9.1.


[Editor Comments]


[Neely] If you are using GPG, Homebrew, or other packages sitting on top of Libgcrypt, apply both the Libgcrypt update and updates to those packages necessitated by changes in Libgcrypt 1.9.1. An alternative is to roll back to LTS 1.8.5 or better; check compatibility with applications prior to rolling back.


Read more in:

Threatpost: Critical Libgcrypt Crypto Bug Opens Machines to Arbitrary Code

https://threatpost.com/critical-libgcrypt-crypto-bug-arbitrary-code/163546/

ZDNet: Libgcrypt developers release urgent update to tackle severe vulnerability

https://www.zdnet.com/article/libgcrypt-developers-release-urgent-update-to-tackle-severe-vulnerability/

The Register: Severe bug in Libgcrypt - used by GPG and others - is a whole heap of trouble, prompts patch scramble

https://www.theregister.com/2021/01/29/severe_libgcrypt_bug/

GNUPG: [Announce] [Security fix] Libgcrypt 1.9.1 relased

https://lists.gnupg.org/pipermail/gnupg-announce/2021q1/000456.html

   
 

--NITRO Open Source Library Flaws Fixed

(January 29, 2021)

At least two vulnerabilities detected in the NITRO open source library could be exploited to allow remote code execution. The NITRO library is used by the US Department of Defense (DoD) and intelligence agencies to store, share, and send digital images taken by satellites. Researchers at GRIMM detected the flaws; they are working with the Cybersecurity and Infrastructure Security Agency (CISA) to make sure affected organizations are aware of the issue. The vendor has issued fixes for all the vulnerabilities.


[Editor Comments]


[Neely] Version 2.10.0 of the NITRO library addresses the flaws and is available from the GitHub NITRO site (https://github.com/mdaus/nitro). The GitHub site below contains information on the flaws as well as example utilities which demonstrate the vulnerabilities.


Read more in:

SC Magazine: Flaws in open source library used by DoD, IC for satellite imagery could lead to system takeovers

https://www.scmagazine.com/home/security-news/vulnerabilities/flaws-in-open-source-library-used-by-dod-ic-for-satellite-imagery-could-lead-to-system-takeovers/

GitHub: grimm-co / NotQuite0DayFriday | Resolve "NITRO Issues"

https://github.com/grimm-co/NotQuite0DayFriday/commit/8b083a0a8d485d32f53ae5d13bc9dd35b50bcea6

 
 

--WordPress Popup Builder Plugin Users Urged to Update to Fix Vulnerabilities

(January 29, 2021)

Vulnerabilities in the Popup Builder - Responsive WordPress Pop up - Subscription & Newsletter plugin could be exploited to send newsletters, and delete or add newsletter subscribers. The plugin is installed on 200,000 WordPress sites. The vulnerability affects Popup Builder versions 3.71 and earlier. The issue is fixed in version 3.72 and the most recent version is 3.73.


[Editor Comments]


[Neely] While some fixes were introduced in 3.71, the complete fix wasn't available until version 3.72 of the plugin. Beyond automatic updates to WordPress and plugins, consider protecting your WordPress site with both a WAF and MFA to reduce the attack surface. Lastly, remove unneeded plugins and only install them after validating the function and security. Also see Wordfence's 2020 WordPress Threat Report: https://www.wordfence.com/blog/2021/01/the-wordfence-2020-wordpress-threat-report/


Read more in:

Threatpost: WordPress Pop-Up Builder Plugin Flaw Plagues 200K Sites

https://threatpost.com/wordpress-pop-up-builder-plugin-flaw-plagues-200k-sites/163500/

WebARX: Multiple Vulnerabilities In WordPress Plugin Popup Builder

https://www.webarxsecurity.com/multiple-vulnerabilities-wordpress-plugin-popup-builder/

 
 

--Vulnerabilities in Fuji Electric ICS Products

(January 26 & 29, 2021)

Five vulnerabilities affecting industrial control system products from Fuji Electric could be exploited to execute code. The flaws are not remotely exploitable. The vulnerabilities affect Fuji Electric's Tellus Lite V-Simulator and V-Server Lite. The company recommends upgrading to version 4.0.10.0.


Read more in:

Threatpost: Industrial Gear at Risk from Fuji Code-Execution Bugs

https://threatpost.com/industrial-gear-fuji-code-execution-bugs/163490/

US-CERT CISA: ICS Advisory (ICSA-21-026-01) Fuji Electric Tellus Lite V-Simulator and V-Server Lite

https://us-cert.cisa.gov/ics/advisories/icsa-21-026-01

 

******************************************************************************

INTERNET STORM CENTER TECH CORNER




******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, https://www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.