SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume XXI - Issue #95

December 6, 2019





Top of the News


- Data Center Ransomware Infection

- Illinois School District Hit with Ransomware


The Rest of the Week's News


- Evil Corp. Hacking Group Indictments

- Man-in-the-Middle Attack Used to Steal Venture Capital Investment

- Great Cannon DDoS Tool Reportedly Being Used on Hong Kong Protesters' Online Forum

- ZeroCleare Wiper Malware Used Against Energy, Industrial Organizations in Middle East

- US Senators Get Classified Ransomware Briefing

- Rich Communication Services Implementations Found to be Unsecure

- Siemens Provides Workaround for PLC Flaw

- NIST Draft Guidance on Hardware Supply Chain Security


Internet Storm Center Tech Corner








Top of the News


Data Center Ransomware Infection

(December 5, 2019)

Data center provider CyrusOne has confirmed that it suffered a ransomware attack earlier this week. The company says that the incident has caused "availability issues" for six of its managed services customers.


Editor's Note



This attack appears to be caused by a version of the REvil (Sodinokibi) ransomware, which also impacted 23 local governments across Texas earlier this year. Consider the impact/risks if one of your providers, such as your colocation service or your MSP, is impacted, and doesn't plan to pay the ransom, as is indicated in this case; are you prepared with alternatives to continue operations for the duration of the incident?



The six customers are called "collateral damage." The drug company, Merck, was such collateral damage when one of its service providers was compromised. It has caused them to re-think and restructure their relationship with the thousands of providers in their "supply chain."


Read more in:

- https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/


Illinois School District Hit with Ransomware

(December 4, 2019)

The Sycamore Community School District 427 in Illinois has been hit with ransomware. The attack appears to be limited to the district's "internal technology servers;" many other district systems, including email, phones, and student information systems are reportedly not infected.


Read more in:

- https://edscoop.com/sycamore-community-school-district-ransomware/





The Rest of the Week's News


Evil Corp. Hacking Group Indictments

(December 5, 2019)

US federal prosecutors have indicted Maksim Yakubets and Igor Turashev, who are allegedly members of the hacking group known as Evil Corp. The pair allegedly "led one of the most sophisticated transnational cybercrime syndicates in the world," according to a US Department of Justice press release.


Read more in:

- https://www.justice.gov/opa/pr/russian-national-charged-decade-long-series-hacking-and-bank-fraud-offenses-resulting-tens

- https://arstechnica.com/information-technology/2019/12/members-of-evil-corp-the-cybercrime-group-that-lived-in-luxury-are-indicted/

- https://www.wired.com/story/alleged-russian-hacker-evil-corp-indicted/

- https://www.scmagazine.com/home/security-news/cybercrime/u-s-charges-alleged-members-of-evil-corp-cybercrime-group-for-zeus-and-dridex-campaigns/

- https://thehill.com/policy/cybersecurity/473202-feds-sanction-russian-group-over-100-million-cyber-hack


Man-in-the-Middle Attack Used to Steal Venture Capital Investment

(December 5, 2019)

Hackers used a complex man-in-the-middle attack to steal approximately US $1 million from a Chinese venture capital firm that was supposed to be going to a start-up company in Israel. The hackers set up phony domains and spoofed emails between the companies, even going so far as to cancel a scheduled in-person meeting.


Editor's Note



Verify the log retention period and access requirements for your email and related systems prior to an incident, making sure that there are not only at least six months of information but also that sufficient information is captured and your staff will be able to access it when needed. Always use an out-of-band verification process with wire transfers to ensure they are going to the intended recipient.


Read more in:

- https://research.checkpoint.com/2019/incident-response-casefile-a-successful-bec-leveraging-lookalike-domains/

- https://threatpost.com/ultimate-mitm-attack-steals-1m-from-israeli-startup/150840/

- https://www.vice.com/en_us/article/mbmmaq/hackers-trick-venture-capital-firm-into-sending-them-dollar1-million

- https://www.theregister.co.uk/2019/12/05/vcs_tricked_mitm/


Great Cannon DDoS Tool Reportedly Being Used on Hong Kong Protesters' Online Forum

(December 4 & 5, 2019)

A distributed denial-of-service (DDoS) tool known as the Great Cannon has reportedly been used against the LIHKG social media platform used by protesters in Hong Kong. China's Great Cannon was first described by Citizen Lab in April 2015.


Read more in:

- https://www.bleepingcomputer.com/news/security/the-great-cannon-ddos-tool-used-against-hong-kong-protestors-forum/

- https://www.infosecurity-magazine.com/news/chinas-great-cannon-fires-on-hong/

- https://citizenlab.ca/2015/04/chinas-great-cannon/


ZeroCleare Wiper Malware Used Against Energy, Industrial Organizations in Middle East

(December 4 & 5, 2019)

IBM has detected new malware, dubbed ZeroCleare, that has been used to wipe data at energy and industrial sector organizations in the Middle East. The targeted attacks were likely the work of Iranian state-sponsored hackers.


Editor's Note



We must move away from the default access control rule of "read/write," convenient but risky, to "read-only" for data and "execute only" for programs, marginally less convenient but you will get over it.


Read more in:

- https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/

- https://www.theregister.co.uk/2019/12/05/iran_zerocleare_attack/

- https://www.cyberscoop.com/iran-destructive-malware-ibm/

- https://threatpost.com/iran-mideast-oil-zerocleare-wiper-malware/150814/

- https://www.zdnet.com/article/iranian-hackers-deploy-new-zerocleare-data-wiping-malware/

- https://arstechnica.com/information-technology/2019/12/new-iranian-wiper-discovered-in-attacks-on-middle-eastern-companies/

- https://www.darkreading.com/attacks-breaches/shades-of-shamoon-new-disk-wiping-malware-targets-middle-east-orgs/d/d-id/1336520

- https://www.bleepingcomputer.com/news/security/new-iranian-zerocleare-data-wiper-malware-used-in-targeted-attacks/

- https://duo.com/decipher/new-zerocleare-wiper-malware-used-in-targeted-attacks


US Senators Get Classified Ransomware Briefing

(December 4, 2019)

US legislators received a classified briefing about the threat of ransomware on Wednesday, December 5. Christopher Krebs, director of the US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) spoke to the Senate Cybersecurity Caucus.


Editor's Note



Briefings like this are needed to ensure continued support of initiatives and resources to help state and local governments which may not have access to the needed tools and information to implement needed protections in the current threat environment. That said, with the current active exploitation environment, waiting for external help is ill-advised.



Ransomware is now the preferred way to monetize compromised systems and enterprises. We know that the vectors for attacks are e-mail and browsers, but we fail to isolate these from mission critical data, applications, and systems. We know that the vulnerability includes the capability for the system user to modify it on the fly, but we fail to lock them down by denying the user admin privileges and by restricting "write" access. This is not mere negligence but borders on recklessness.


Read more in:

- https://www.cyberscoop.com/dhs-senators-classified-ransomware-briefing/

- https://www.fifthdomain.com/congress/capitol-hill/2019/12/04/heres-what-senators-learned-about-the-ransomware-threat/

- https://thehill.com/policy/cybersecurity/473095-senators-sound-alarm-on-dangers-of-ransomware-attacks-after-briefing


Rich Communication Services Implementations Found to be Unsecure

(November 28 & December 4, 2019)

Researchers have found that telecommunications carriers are implementing a new messaging standard in ways that could allow communications to be intercepted, modified, or spoofed. The Rich Communication Services (RCS) standard is fairly new and has a broader range of features than SMS.


Editor's Note



What's being called into question are implementation flaws, rather than flaws in the protocol itself. RCS shows promise to provide a more secure alternative to SMS and avoid the pitfalls in SS7. RCS is one to keep an eye on, especially when a verified secure implementation is available.



It looks as if messaging may be going the route of the browsers: adding features until the product is porous, not to say broken.


Read more in:

- https://www.vice.com/en_us/article/j5ywxb/rcs-rich-communications-services-text-call-interception

- https://www.wired.com/story/rcs-texting-security/


Siemens Provides Workaround for PLC Flaw

(December 3, 2019)

Siemens has released workarounds to address a vulnerability in its S7-1200 programmable logic controllers (PLCs) while it develops a fix for the problem. The issue lies in "an undocumented hardware-based special access feature," and could be exploited to take control of vulnerable devices.


Read more in:

- https://www.darkreading.com/vulnerabilities---threats/siemens-offers-workarounds-for-newly-found-plc-vulnerability/d/d-id/1336503

- https://cert-portal.siemens.com/productcert/pdf/ssa-686531.pdf


NIST Draft Guidance on Hardware Supply Chain Security

(December 3, 2019)

The US National Institute of Standards and Technology (NIST) has published draft guidance on hardware supply chain security, Validating the Integrity of Servers and Client Devices. NIST will accept comments on the document through January 6, 2020.


Editor's Note



This is about building standards to support supply chain security, which has been a challenge of late. The document is a short, easy read, encapsulating information from a number of other NIST and external documents on OEM supply chain security. Despite the short timeline, and the holiday season, it's worth reading and contributing to.


Read more in:

- https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/tpm-sca-draft-project-description.pdf

- https://duo.com/decipher/nist-developing-hardware-security-guidelines-for-enterprises


Internet Storm Center Tech Corner


Avast Online Security and Avast Secure Browser Blocked for Spying on Users


Google Android Updates


Strandhogg Vulnerability


Firefox 71 Released


OpenBSD Authentication Bypass and Privilege Escalation Vulnerability


Fake Python Library in PyPi


GoAhead Web Server Vulnerability


Hijacking Linux (and BSD) VPN Connections


RASP vs. WAF: Alexander Fry Research Paper


Atlassian Companion App/IBM Aspera Cloud






The Editorial Board of SANS NewsBites

Alan Paller: https://www.sans.org/newsletters/newsbites/editorial-board#alan-paller

Brian Honan: https://www.sans.org/newsletters/newsbites/editorial-board#brian-honan

David Hoelzer: https://www.sans.org/newsletters/newsbites/editorial-board#david=hoelzer

David Turley: https://www.sans.org/newsletters/newsbites/editorial-board#david-turley

Dr. Eric Cole: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cole

Ed Skoudis: https://www.sans.org/newsletters/newsbites/editorial-board#ed-skoudis

Eric Cornelius: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cornelius

Gal Shpantzer: https://www.sans.org/newsletters/newsbites/editorial-board#gal-shpantzer

Jake Williams: https://www.sans.org/newsletters/newsbites/editorial-board#jake-williams

Dr. Johannes Ullrich: https://www.sans.org/newsletters/newsbites/editorial-board#johannes-ullrich

John Pescatore: https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore

Lee Neely: https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely

Mark Weatherford: https://www.sans.org/newsletters/newsbites/editorial-board#mark-weatherford

Rob Lee: https://www.sans.org/newsletters/newsbites/editorial-board#rob-lee

Sean McBride: https://www.sans.org/newsletters/newsbites/editorial-board#sean-mcbride

Shawn Henry: https://www.sans.org/newsletters/newsbites/editorial-board#shawn-henry

Stephen Northcutt: https://www.sans.org/newsletters/newsbites/editorial-board#stephen-northcutt

Suzanne Vautrinot: https://www.sans.org/newsletters/newsbites/editorial-board#suzanne-vautrinot

Tom Liston: https://www.sans.org/newsletters/newsbites/editorial-board#tom-liston

William Hugh Murray: https://www.sans.org/newsletters/newsbites/editorial-board#william-hugh-murray
