Core Netwars Continuous Hones New Skills - FREE with OnDemand Training for One Week Only!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #95

December 6, 2019


****************************************************************************

SANS NewsBites                 Dec. 6, 2019                Vol. 21, Num. 095

****************************************************************************

 

Top of The News

 

- Data Center Ransomware Infection

- Illinois School District Hit with Ransomware

 

The Rest of the Week's News

 

- Evil Corp. Hacking Group Indictments

- Man-in-the-Middle Attack Used to Steal Venture Capital Investment

- Great Cannon DDoS Tool Reportedly Being Used on Hong Kong Protesters' Online Forum

- ZeroCleare Wiper Malware Used Against Energy, Industrial Organizations in Middle East

- US Senators Get Classified Ransomware Briefing

- Rich Communication Services Implementations Found to be Unsecure

- Siemens Provides Workaround for PLC Flaw

- NIST Draft Guidance on Hardware Supply Chain Security

 

Internet Storm Center Tech Corner

 

****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS OnDemand and vLive Training

Get an iPad Air with Smart Keyboard, a Surface Go, or Take $300 Off through December 11 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020


-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020


-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020


-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020


-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020


-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020


-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020


-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap

 

****************************************************************************

Free technical content sponsored by VMRay

 

Unmasking Context-Aware Malware: Learn from the VMRay Research Team about the techniques malware authors use to understand the context of an analysis environment by dissecting real-world examples Operation ShadowHammer and OopsIE malware.


https://www.sans.org/info/214965

 

****************************************************************************

Top of the News

 

Data Center Ransomware Infection

(December 5, 2019)

Data Center provider CyrusOne has confirmed that it suffered a ransomware attack earlier this week. The company says that the incident has affected "availability issues" for six of its managed services customers.

 

Editor's Note

 

[Neely]

This attack appears to be caused by a version of the REvil (Sokinokibi) ransomware, which also impacted 23 local governments across Texas earlier this year. Consider the impact/risks if one of your providers, such as your colocation service or your MSP, is impacted, and doesn't plan to pay the ransom, as is indicated in this case; are you prepared with alternatives to continue operations for the duration of the incident?

 

[Murray]

The six customers are called "collateral damage." The drug company, Merck, was such collateral damage when one of its service providers was compromised. It has caused them to re-think and restructure their relationship with the thousands of providers in their "supply chain."

 

Read more in:

- https://www.zdnet.com/article/ransomware-attack-hits-major-us-data-center-provider/


 

Illinois School District Hit with Ransomware

(December 4, 2019)

The Sycamore Community School District 427 in Illinois has been hit with ransomware. The attack appears to be limited to the district's "internal technology servers;" many other district systems, including email, phones, and student information systems are reportedly not infected.

 

Read more in:

- https://edscoop.com/sycamore-community-school-district-ransomware/


****************************************************************************

Sponsored Links

 

Webcast December 6 at 1 PM ET: You Have to See the Criminal to Catch the Criminal. The Most Relevant Data to Monitor, Ranked. https://www.sans.org/info/214950

 

Join us at SANS Open-Source Intelligence Summit | Alexandria, VA | February 18-24. https://www.sans.org/info/214955

 

ICYMI Webcast: Why It's Time for a New Link Analysis Platform. View this webcast: https://www.sans.org/info/214960

 

****************************************************************************

The Rest of the Week's News

 

Evil Corp. Hacking Group Indictments

(December 5, 2019)

US federal prosecutors have indicted Maksim Yakubets and Igor Turashev, who are allegedly members of the hacking group known as Evil Corp. The pair allegedly "led one of the most sophisticated transnational cybercrime syndicates in the world," according to a US Department of Justice press release.

 

Read more in:

- https://www.justice.gov/opa/pr/russian-national-charged-decade-long-series-hacking-and-bank-fraud-offenses-resulting-tens

- https://arstechnica.com/information-technology/2019/12/members-of-evil-corp-the-cybercrime-group-that-lived-in-luxury-are-indicted/

- https://www.wired.com/story/alleged-russian-hacker-evil-corp-indicted/

- https://www.scmagazine.com/home/security-news/cybercrime/u-s-charges-alleged-members-of-evil-corp-cybercrime-group-for-zeus-and-dridex-campaigns/

- https://thehill.com/policy/cybersecurity/473202-feds-sanction-russian-group-over-100-million-cyber-hack


 

Man-in-the-Middle Attack Used to Steal Venture Capital Investment

(December 5, 2019)

Hackers used a complex man-in-the-middle attack to steal approximately US $1 million from a Chinese venture capital firm that was supposed to be going to a start-up company in Israel. The hackers set up phony domains and spoofed emails between the companies, even going so far as to cancel a scheduled in-person meeting.

 

Editor's Note

 

[Neely]

Verify the log retention period and access requirements for your email and related systems prior to an incident, making sure that there are not only at least six months of information but also that sufficient information is captured and your staff will be able to access it when needed. Always use an out-of-band verification process with wire transfers to ensure they are going to the intended recipient.

 

Read more in:

- https://research.checkpoint.com/2019/incident-response-casefile-a-successful-bec-leveraging-lookalike-domains/

- https://threatpost.com/ultimate-mitm-attack-steals-1m-from-israeli-startup/150840/

- https://www.vice.com/en_us/article/mbmmaq/hackers-trick-venture-capital-firm-into-sending-them-dollar1-million

- https://www.theregister.co.uk/2019/12/05/vcs_tricked_mitm/


 

Great Cannon DDoS Tool Reportedly Being Used on Hong Kong Protesters' Online Forum

(December 4 & 5, 2019)

A distributed denial-of-service (DDoS) tool known as the Great Cannon has reportedly been used against the LIHKG social media platform used by protesters in Hong Kong. China's Great Cannon was first described by Citizen Lab in April 2015.

 

Read more in:

- https://www.bleepingcomputer.com/news/security/the-great-cannon-ddos-tool-used-against-hong-kong-protestors-forum/

- https://www.infosecurity-magazine.com/news/chinas-great-cannon-fires-on-hong/

- https://citizenlab.ca/2015/04/chinas-great-cannon/


 

ZeroCleare Wiper Malware Used Against Energy, Industrial Organizations in Middle East

(December 4 & 5, 2019)

IBM has detected new malware, dubbed ZeroCleare, that has been used to wipe data at energy and industrial sector organizations in the Middle East. The targeted attacks were likely the work of Iranian state-sponsored hackers.

 

Editor's Note

 

[Murray]

We must move away from the default access control rule of "read/write," convenient but risky, to "read-only" for data and "execute only" for programs, marginally less convenient but you will get over it.

 

Read more in:

- https://securityintelligence.com/posts/new-destructive-wiper-zerocleare-targets-energy-sector-in-the-middle-east/

- https://www.theregister.co.uk/2019/12/05/iran_zerocleare_attack/

- https://www.cyberscoop.com/iran-destructive-malware-ibm/

- https://threatpost.com/iran-mideast-oil-zerocleare-wiper-malware/150814/

- https://www.zdnet.com/article/iranian-hackers-deploy-new-zerocleare-data-wiping-malware/

- https://arstechnica.com/information-technology/2019/12/new-iranian-wiper-discovered-in-attacks-on-middle-eastern-companies/

- https://www.darkreading.com/attacks-breaches/shades-of-shamoon-new-disk-wiping-malware-targets-middle-east-orgs/d/d-id/1336520

- https://www.bleepingcomputer.com/news/security/new-iranian-zerocleare-data-wiper-malware-used-in-targeted-attacks/

- https://duo.com/decipher/new-zerocleare-wiper-malware-used-in-targeted-attacks


 

US Senators Get Classified Ransomware Briefing

(December 4, 2019)

US legislators received a classified briefing about the threat of ransomware on Wednesday, December 5. Christopher Krebs, director of the US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) spoke to the Senate Cybersecurity Caucus.

 

Editor's Note

 

[Neely]

Briefings like this are needed to ensure continued support of initiatives and resources to help state and local governments which may not have access to the needed tools and information to implement needed protections in the current threat environment. That said, with the current active exploitation environment, waiting for external help is ill-advised.

 

[Murray]

Ransomware is now the preferred way to monetize compromised systems and enterprises. We know that the vectors for attacks are e-mail and browsers, but we fail to isolate these from mission critical data, applications, and systems. We know that the vulnerability includes the capability for the system user to modify it on the fly, but we fail to lock them down by denying the user admin privileges and by restricting "write" access. This is not mere negligence but borders on recklessness.

 

Read more in:

- https://www.cyberscoop.com/dhs-senators-classified-ransomware-briefing/

- https://www.fifthdomain.com/congress/capitol-hill/2019/12/04/heres-what-senators-learned-about-the-ransomware-threat/

- https://thehill.com/policy/cybersecurity/473095-senators-sound-alarm-on-dangers-of-ransomware-attacks-after-briefing


 

Rich Communication Services Implementations Found to be Unsecure

(November 28 & December 4, 2019)

Researchers have found that telecommunications carriers are implementing a new messaging standard in ways that could allow communications to be intercepted, modified, or spoofed. The Rich Communication Services (RCS) standard is fairly new and has a broader range of features than SMS.

 

Editor's Note

 

[Neely]

What's being called into question are implementation flaws, rather than flaws in the protocol itself. RCS shows promise to provide a more secure alternative to SMS and avoid the pitfalls in SS7. RCS is one to keep an eye on, especially when a verified secure implementation is available.

 

[Murray]

It looks as if messaging may be going the route of the browsers: adding features until the product is porous, not to say broken.

 

Read more in:

- https://www.vice.com/en_us/article/j5ywxb/rcs-rich-communications-services-text-call-interception

- https://www.wired.com/story/rcs-texting-security/


 

Siemens Provides Workaround for PLC Flaw

(December 3, 2019)

Siemens has released workarounds to address a vulnerability in its S7-1200 programmable logic controllers (PLCs) while is develops a fix for the problem. The issue lies in "an undocumented hardware-based special access feature," and could be exploited to take control of vulnerable devices.

 

Read more in:

- https://www.darkreading.com/vulnerabilities---threats/siemens-offers-workarounds-for-newly-found-plc-vulnerability/d/d-id/1336503

- https://cert-portal.siemens.com/productcert/pdf/ssa-686531.pdf


 

NIST Draft Guidance on Hardware Supply Chain Security

(December 3, 2019)

The US National Institute of Standards and Technology (NIST) has published draft guidance on hardware supply chain security, Validating the Integrity of Servers and Client Devices. NIST will accept comments on the document through January 6, 2020.

 

Editor's Note

 

[Neely]

This is about building standards to support supply chain security, which has been a challenge of late. The document is a short, easy read, encapsulating information from a number of other NIST and external documents on OEM supply chain security. Despite the short timeline, and the holiday season, it's worth reading and contributing to.

 

Read more in:

- https://www.nccoe.nist.gov/sites/default/files/library/project-descriptions/tpm-sca-draft-project-description.pdf

- https://duo.com/decipher/nist-developing-hardware-security-guidelines-for-enterprises


****************************************************************************

Internet Storm Center Tech Corner

 

Avast Online Security and Avast Secure Browser Blocked for Spying on Users

https://palant.de/2019/10/28/avast-online-security-and-avast-secure-browser-are-spying-on-you/


Google Android Updates

https://source.android.com/security/bulletin/2019-12-01


Strandhogg Vulnerability

https://promon.co/security-news/strandhogg/


Firefox 71 Released

https://www.mozilla.org/en-US/security/advisories/mfsa2019-34/


OpenBSD Authentication Bypass and Privilege Escalation Vulnerability

https://www.qualys.com/2019/12/04/cve-2019-19521/authentication-vulnerabilities-openbsd.txt?_ga=2.58244398.587934852.1575530822-682141427.1570559125


Fake Python Library in PyPi

https://github.com/dateutil/dateutil/issues/984


GoAhead Web Server Vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2019-0888


Hijacking Linux (and BSD) VPN Connections

https://seclists.org/oss-sec/2019/q4/122


RASP vs. WAF: Alexander Fry Research Paper

https://www.sans.org/reading-room/whitepapers/application/runtime-application-self-protection-rasp-investigation-effectiveness-rasp-solution-protecting-vulnerable-target-applications-38950


Atlassian Companion App/IBM Aspera Cloud

https://www.theregister.co.uk/2019/12/05/atlassian_zero_day_bug/

https://confluence.atlassian.com/doc/administering-the-atlassian-companion-app-958456281.html

https://twitter.com/tmslft/status/1202056063878606848?s=20

 

****************************************************************************

The Editorial Board of SANS NewsBites


Alan Paller: https://www.sans.org/newsletters/newsbites/editorial-board#alan-paller


Brian Honan: https://www.sans.org/newsletters/newsbites/editorial-board#brian-honan


David Hoelzer: https://www.sans.org/newsletters/newsbites/editorial-board#david=hoelzer


David Turley: https://www.sans.org/newsletters/newsbites/editorial-board#david-turley


Dr. Eric Cole: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cole


Ed Skoudis: https://www.sans.org/newsletters/newsbites/editorial-board#ed-skoudis


Eric Cornelius: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cornelius


Gal Shpantzer: https://www.sans.org/newsletters/newsbites/editorial-board#gal-shpantzer


Jake Williams: https://www.sans.org/newsletters/newsbites/editorial-board#jake-williams


Dr. Johannes Ullrich: https://www.sans.org/newsletters/newsbites/editorial-board#johannes-ullrich


John Pescatore: https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore


Lee Neely: https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely


Mark Weatherford: https://www.sans.org/newsletters/newsbites/editorial-board#mark-weatherford


Rob Lee: https://www.sans.org/newsletters/newsbites/editorial-board#rob-lee


Sean McBride: https://www.sans.org/newsletters/newsbites/editorial-board#sean-mcbride


Shawn Henry: https://www.sans.org/newsletters/newsbites/editorial-board#shawn-henry


Stephen Northcutt: https://www.sans.org/newsletters/newsbites/editorial-board#stephen-northcutt


Suzanne Vautrinot: https://www.sans.org/newsletters/newsbites/editorial-board#suzanne-vautrinot


Tom Liston: https://www.sans.org/newsletters/newsbites/editorial-board#tom-liston


William Hugh Murray: https://www.sans.org/newsletters/newsbites/editorial-board#william-hugh-murray


To create a SANS Portal Account visit: https://www.sans.org/account/create