
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #96

December 10, 2019


SANS NewsBites              December 10, 2019              Vol. 21, Num. 096


Top of The News

- 44 Million Compromised Credentials Used on Microsoft Accounts

- China Reportedly Orders State Offices To Remove Foreign Tech Which Could Hit US Firms Like Microsoft

The Rest of the Week's News

- New Zealand Releases Cybersecurity Governance Resource

- Google Releases Open Source Tool for Finding File Access Vulnerabilities

- New Phishing Campaign Uses Self-Contained Webpage to Steal Credentials

- US Government Website For Federal Rules Input Inaccessible Due To Expired SSL Certificate

- New Jersey Shakespeare Theater Hit by Ransomware

- China Fires "Great Cannon" Cyber-Weapon at the Hong Kong Pro-Democracy Movement

- Apple Explains iPhone 11 Location Requests

- US-CERT AA19-339A: Dridex Malware

- T-Mobile Launches 600MHz 5G

- Car Makers BMW and Hyundai Victims of Cyber Attack

- Amazon Buckets Leak over 750,000 Applicants' Data for US Birth Certificates

Internet Storm Center Tech Corner


44 Million Compromised Credentials Used on Microsoft Accounts

(December 9, 2019)

Microsoft engineers recently analyzed over three billion credentials known to be compromised by criminals. Using sources from law enforcement and public databases of breached accounts, the Microsoft team identified 44 million user accounts of Microsoft services that were reusing known compromised credentials. These accounts ranged from Microsoft's consumer services to credentials used by companies for Microsoft Azure.

Editor's Note

[Lee Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely

Credential reuse, and/or poor password choices by users necessitate the use of multi-factor authentication. IDPs can be configured for location and device awareness to raise the bar, or completely block authentication for unknown devices or untrusted environments. Disable, or highly restrict the use of legacy protocols that cannot be configured for MFA.

[William Hugh Murray] https://www.sans.org/newsletters/newsbites/editorial-board#william-hugh-murray

Reused passwords and fraudulent password reuse are known problems, but they are the result of the bind in which many users find themselves. Users should employ password managers and strong authentication, such as is offered by Microsoft and its peers. Enterprises should avoid overly complex password rules that make choosing a password difficult and should offer strong authentication options to their users.

Read more in:

- https://www.infosecurity-magazine.com/news/microsoft-44-million-passwords/: Microsoft: 44 Million User Passwords Have Been Breached

- https://www.helpnetsecurity.com/2019/12/09/compromised-passwords-microsoft-accounts/: Compromised passwords used on 44 million Microsoft accounts

China Reportedly Orders State Offices To Remove Foreign Tech Which Could Hit US Firms Like Microsoft

(December 9, 2019)

China's Communist Party has ordered all state offices to remove foreign hardware and software within three years. Systems and software are to be replaced with Chinese-provided equivalents. The replacement encompasses 20-30 million pieces of equipment and commences in 2020. Organizations are required to meet milestones of 30%, 50% and 20% in 2020, 2021 and 2022 respectively. China began building a Windows and iOS replacement in 2013, with the help of British company Canonical. This move affects US providers including HP, Dell and Microsoft. China's latest policy may be seen as one of the most direct moves against U.S. technology firms during the trade war.

Editor's Note

[John Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore

Unfortunately, the longer these types of trade war escalations continue, the likelihood of impact on buying and selling of security products and services continues to increase. Huawei and Kaspersky have seen the impact of US directives against buying their security products; large US security vendors could see similar impacts from large foreign markets. From an enterprise perspective, this dictates the need for backup planning in case your existing vendors are caught in the crossfire.

[Neely] This is motivated by trade wars and threats of economic sanctions rather than increased security or locally produced products. Even Chinese vendors such as Lenovo or Huawei are heavily impacted by these sanctions. Businesses need to consider location when developing lists of alternate suppliers, particularly when suppliers are overseas and can be impacted by such actions.

Read more in:

- https://www.cnbc.com/2019/12/09/china-reportedly-orders-state-offices-to-remove-foreign-tech.html: China reportedly orders state offices to remove foreign tech which could hit US firms like Microsoft

- https://www.ft.com/content/b55fc6ee-1787-11ea-8d73-6303645ac406: Beijing orders state offices to replace foreign PCs and software

- https://www.telegraph.co.uk/technology/2019/12/09/china-orders-officials-remove-foreign-tech-computers/: China orders officials to remove foreign tech from computers

- https://www.zdnet.com/article/chinese-government-to-replace-foreign-hardware-and-software-within-three-years/: Chinese government to replace foreign hardware and software within three years

- https://techcrunch.com/2019/12/09/china-moves-to-ban-foreign-software-and-hardware-from-state-offices/: China moves to ban foreign software and hardware from state offices





New Zealand Releases Cybersecurity Governance Resource

(December 9, 2019)

New Zealand's Government Communications Security Bureau's National Cyber Security Centre (NCSC) has produced a resource for boards to help improve cybersecurity governance. The NCSC study interviewed cybersecurity professionals from 250 of New Zealand's nationally significant organisations. The governance resource, called Charting Your Course: Cyber Security Governance, sets out six areas that will help focus engagement between an organisation's governance and its security practitioners.

Editor's Note

[John Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore

This initial publication is a good deal too buzzword-laden for me - anytime I see "resilient", "security culture" and "holistic" on one page my eyes glaze over. Hopefully, the follow on drill-down documents will focus more on bridging the realities of corporate governance and operations to the realities of effective cybersecurity as a critical and integral factor in the success of the corporation.

Read more in:

- https://www.us-cert.gov/ncas/current-activity/2019/12/05/ncsc-nz-releases-cyber-governance-resource-leaders: NCSC-NZ Releases Cyber Governance Resource for Leaders

- https://www.opengovasia.com/new-zealand-releases-cybersecurity-governance-resource/: New Zealand releases cybersecurity governance resource

- https://www.ncsc.govt.nz/guidance/charting-your-course-cyber-security-governance/: Charting Your Course: Cyber Security Governance

Google Releases Open Source Tool for Finding File Access Vulnerabilities

(December 9, 2019)

Google on Monday released the source code of a tool designed to help developers identify vulnerabilities related to file access. The tool, named PathAuditor, has been useful to Google and the company has now decided to release it as open source. The tech giant is still actively working on PathAuditor, and pointed out that it's not an officially supported Google product.

Editor's Note

[John Pescatore] https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore

Many vulnerability assessment/management tools will find similar vulnerabilities; check with your existing vendor. Google often throws spaghetti on the wall and then moves on - unless this gets broad support, better to see existing products incorporate such capabilities.

Read more in:

- https://www.securityweek.com/google-releases-open-source-tool-finding-file-access-vulnerabilities: Google Releases Open Source Tool for Finding File Access Vulnerabilities

- https://security.googleblog.com/2019/12/detecting-unsafe-path-access-patterns.html: Detecting unsafe path access patterns with PathAuditor

New Phishing Campaign Uses Self-Contained Webpage to Steal Credentials

(December 9, 2019)

Researchers have spotted a new phishing campaign that attempts to steal credentials. However, this campaign is different from the commonly observed ones. The phishing attack does not redirect victims to another site for login, as many phishing campaigns do. Instead, it bundles the scam's landing page in the HTML attachment, likely in an attempt to bypass security filters and analytics on web proxies.

Editor's Note

[Lee Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely

Scanners don't typically inspect the attached html content sufficiently to discover malicious content embedded in these attachments. While we coach users to use caution with attachments, the prevalence of applications that attach content in html attachments encourages the opposite behavior. In addition to focusing on updated user awareness, consider endpoint protection strategies that include blocking access to non-categorized and known bad sites.

Read more in:

- https://isc.sans.edu/forums/diary/Phishing+with+a+selfcontained+credentialsstealing+webpage/25580/: Phishing with a self-contained credentials-stealing webpage

- https://cyware.com/news/new-phishing-campaign-uses-self-contained-webpage-to-steal-credentials-b118967: New Phishing Campaign Uses Self-Contained Webpage to Steal Credentials

US Government Website For Federal Rules Input Inaccessible Due To Expired SSL Certificate

(December 9, 2019)

Regulations.gov, the US Government's portal for industry and the public to make comments in response to proposed regulations, suffered a self-inflicted denial of service attack when the digital certificate to enable secure HTTP expired. The website returned to service on Monday night after being out for much of the day. At least one government agency had to extend the deadline on public comment.

[Neely] Current browser versions do a really good job of blocking access to sites with certificate problems, whether expired, untrusted issuer, name-mismatch, etc., raising the bar on the IT team to keep certificates updated. Consider using certificate issuers that support automated updates. Alternately, a script to scan and alert on certificates that are due to expire is not difficult to create, making sure the alerts trigger ITSM tickets, so it won't be missed.

Read more in:

- https://www.sfchronicle.com/business/article/Government-website-for-federal-rules-input-shuts-14894556.php: Government website for federal rules input shuts off

- https://news.bloombergtax.com/payroll/labor-department-extends-comment-period-on-tip-pool-proposal: Labor Department Extends Comment Period on Tip-Pool Proposal
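
An expiry scan of the kind suggested in the note above, as an added example that is not part of the newsletter or any SANS tool. The thresholds, the `*.example.test` host names and their dates are constructed; forwarding the returned records to a ticketing system is site-specific and left out.

```python
import socket
import ssl
from datetime import datetime, timezone

WARN_DAYS = 30  # assumed thresholds; tune to your renewal lead time
CRIT_DAYS = 7

def days_left(not_after, now):
    """Whole days until expiry, from a getpeercert() 'notAfter' string (GMT)."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    return (expires - now).days

def classify(days):
    if days < 0:
        return "EXPIRED"
    if days <= CRIT_DAYS:
        return "CRITICAL"
    return "WARNING" if days <= WARN_DAYS else "OK"

def fetch_not_after(host, port=443, timeout=5.0):
    """Live lookup: verified TLS handshake, then read the leaf's notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]

def check_host(host, now, fetch=fetch_not_after):
    try:
        not_after = fetch(host)
    except ssl.SSLCertVerificationError as exc:
        # Already expired, untrusted issuer or name mismatch: the handshake
        # fails just as it does in a browser, so report it rather than skip it.
        return {"host": host, "status": "INVALID",
                "detail": getattr(exc, "verify_message", str(exc))}
    except OSError as exc:
        # DNS failure, refused connection, timeout, other TLS errors.
        return {"host": host, "status": "UNREACHABLE", "detail": str(exc)}
    days = days_left(not_after, now)
    return {"host": host, "status": classify(days),
            "detail": f"{days} days left (notAfter {not_after})"}

def alerts(hosts, now, fetch=fetch_not_after):
    """Records that should open a ticket: every host that is not OK."""
    results = (check_host(h, now, fetch) for h in hosts)
    return [r for r in results if r["status"] != "OK"]

# Constructed inventory so the example runs offline; in production pass the
# real host list and leave fetch at its default (fetch_not_after).
SAMPLE = {
    "www.example.test": "Dec 10 12:00:00 2020 GMT",
    "portal.example.test": "Jan 04 12:00:00 2020 GMT",
    "api.example.test": "Dec 13 12:00:00 2019 GMT",
}

def sample_fetch(host):
    if host == "old.example.test":  # simulates a failed verified handshake
        raise ssl.SSLCertVerificationError("certificate has expired")
    return SAMPLE[host]

if __name__ == "__main__":
    now = datetime(2019, 12, 10, 12, 0, 0, tzinfo=timezone.utc)
    for rec in alerts(list(SAMPLE) + ["old.example.test"], now, sample_fetch):
        print(f'{rec["status"]:<9} {rec["host"]}: {rec["detail"]}')
```

Run on a schedule, the non-empty result of `alerts()` is what should open the ticket; hosts that fail verification or cannot be reached are returned too, so a scan that silently stops working also raises an alert.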

New Jersey Shakespeare Theater Hit By Ransomware

(December 6, 2019)

The Shakespeare Theatre of New Jersey was forced to cancel a performance of "A Christmas Carol" after their reservation and ticketing system was hit by ransomware. They are currently selling tickets, but not able to perform seat assignments until patrons arrive at the venue. Other businesses in their area were reportedly also affected at the same time.

Editor's Note

[Lee Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely

This underscores the value of reaching out to customers during an incident, being transparent about the incident and asking for their support. Patrons continue to make reservations and bear with the theater as they work to restore normal operations. Make sure your DR/Incident response plan includes customer notification and support.

Read more in:

- https://www.scmagazine.com/home/security-news/cybercrime/my-kingdom-for-a-decryptor-ransomware-creates-ticketing-snafu-for-n-j-shakespeare-theater: My Kingdom for a decryptor! Ransomware creates ticketing snafu for N.J. Shakespeare theater

- https://www.bleepingcomputer.com/news/security/ransomware-writes-drama-at-shakespeare-theatre/: Ransomware Writes Drama at Shakespeare Theatre

- https://www.newjerseystage.com/articles/2019/12/05/severe-ransomware-attack-strikes-the-shakespeare-theatre-of-new-jersey-ticketing-system-on-eve-of-a-christmas-carol-run/: Severe Ransomware Attack Strikes The Shakespeare Theatre of New Jersey Ticketing System On Eve of "A Christmas Carol" run

China Fires "Great Cannon" Cyber-Weapon at the Hong Kong Pro-Democracy Movement

(December 6, 2019)

China's "Great Cannon", a massive DDoS tool that is used sparingly because of the negative publicity its use attracts, captures traffic at the country perimeter and redirects it by use of JavaScript injection. The tool has been resurrected in response to the pro-democracy movements in Hong Kong.

Read more in:

- https://www.forbes.com/sites/daveywinder/2019/12/05/china-fires-great-cannon-cyber-weapon-at-the-hong-kong-pro-democracy-movement/#17431db47c85: China Fires 'Great Cannon' Cyber-Weapon At The Hong Kong Pro-Democracy Movement

- https://www.zdnet.com/article/china-resurrects-great-cannon-for-ddos-attacks-on-hong-kong-forum/: China resurrects Great Cannon for DDoS attacks on Hong Kong forum

Apple Explains iPhone 11 Location Requests

(December 5, 2019)

Apple's iPhone 11 uses Ultra Wideband (UWB) radio for short-range, high-bandwidth file exchange. UWB uses location services to find other UWB devices. These requests happen even when applications and services are set not to request location data. This is disabled in airplane mode. The checks for location also verify the device is in a country where UWB is permitted.

Editor's Note

[Lee Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely

Future versions of iOS are supposed to contain a setting explicitly for toggling UWB. The wide spectrum, multi-channel use by UWB permits data transfer at up to 1.6Gbps for a few meters. UWB is currently used to improve the performance of AirDrop.

Read more in:

- https://krebsonsecurity.com/2019/12/apple-explains-mysterious-iphone-11-location-requests: Apple Explains Mysterious iPhone 11 Location Requests

- https://techcrunch.com/2019/12/05/apple-ultra-wideband-newer-iphones-location/: Apple says its ultra wideband technology is why newer iPhones appear to share location data, even when the setting is disabled

- https://support.apple.com/guide/iphone/ultra-wideband-information-iph771fd0aad/ios: Ultra Wideband information

US-CERT AA19-339A: Dridex Malware

(December 5, 2019)

Recent collaboration between the Department of Treasury's FinCEN and CIG groups, in response to Dridex malware's continued use in the financial sector, provides a consolidated reference on Dridex including overview, related activities, IOCs, mitigations and recommendations.

Read more in:

- https://www.us-cert.gov/ncas/alerts/aa19-339a: US-CERT Alert (AA19-339A)

- https://safebreach.com/Post/Hackers-Playbook-Already-Protects-for-Methods-used-in-US-CERT-Malware-Analysis-Alert-AA19-339A: Hacker's Playbook Already Protects for Methods used in US-CERT Malware Analysis Alert AA19-339A

T-Mobile Launches 600MHz 5G

(December 2, 2019)

T-Mobile pushed out 5G services across the US, but using their 600MHz LTE-like spectrum. This service doesn't operate at the full 5G speeds. The fastest 5G requires millimeter wave (mmWave) which is easily obstructed and doesn't go far.

Editor's Note

[Lee Neely] https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely

Mobile Operators are rolling out 5G in stages, leveraging their existing LTE resources and spectrum. Your device may report a 5G (or 5Ge) connection without delivering the increased speed promised by 5G. mmWave deployments, needed for those increased speeds, require a very dense deployment of radios and supporting fiber infrastructure, which some communities are challenging.

Read more in:

- https://www.theverge.com/2019/12/2/20991566/tmobile-nationwide-5g-600mhz-launch-samsung-oneplus: T-Mobile launches 600MHz 5G across the US, but no one can use it until December 6th

- https://www.cnbc.com/2019/12/02/t-mobile-5g-network-rolling-out-but-dont-buy-a-new-phone-yet.html: T-Mobile shows why it's still too early to buy a 5G phone

Car Makers BMW and Hyundai Victims of Cyber Attack

(December 9, 2020)

The car makers BMW and Hyundai are reported to have been hacked by a criminal group known as Ocean Lotus, also known as APT 32. The alleged compromise is reported to have happened in the spring of 2019 when BMW's security team discovered an instance of a commercial hacking tool, Cobalt Strike, installed on a workstation. The reports also state that the car manufacturer Hyundai was a victim of this group. The Ocean Lotus group is alleged to have been behind attacks against other car manufacturers such as Toyota Japan, Toyota Australia, and Toyota Vietnam.

Read more in:

- https://www.zdnet.com/article/bmw-and-hyundai-hacked-by-vietnamese-hackers-report-claims/: BMW and Hyundai hacked by Vietnamese hackers, report claims

- https://www.bleepingcomputer.com/news/security/bmw-infiltrated-by-hackers-hunting-for-automotive-trade-secrets/: BMW Infiltrated by Hackers Hunting for Automotive Trade Secrets

- https://www.br.de/nachrichten/wirtschaft/fr-autoindustrie-im-visier-von-hackern-bmw-ausgespaeht,RjnLkD4: Autoindustrie im Visier von Hackern: BMW ausgespaeht (Original reporting from German media - note reports are in German)

- https://www.tagesschau.de/investigativ/br-recherche/bmw-hacker-101.html: BMW von Hackern ausgespaeht

Amazon Buckets Leak over 750,000 Applicants' Data for US Birth Certificates

(December 9, 2019)

A company that provides a service to allow customers to apply for copies of birth certificates from US States has allegedly exposed the personal details of those applicants. A UK-based security research company identified the unsecured Amazon Bucket, which contained the personal details of 750,000 people. The data includes their name, date of birth, email address, and home address, amongst other details.

Read more in:

- https://techcrunch.com/2019/12/09/birth-certificate-applications-exposed/: Over 750,000 applications for US birth certificate copies exposed online

- https://mashable.com/article/birth-certificate-copies-exposed-online/?europe=true: Nearly 800,000 applications for birth certificate copies exposed online for anyone to access


Internet Storm Center Tech Corner

OpenBSD Authentication Bypass and Privilege Escalation Vulnerability


Hijacking Linux (and BSD) VPN Connections


RASP vs. WAF: Alexander Fry SANS Technology Inst. Research Paper


E-Mail Includes Entire HTML/JavaScript Phishing Kit


Great Canon / Red Canon Activated to Silence Pro Hongkong Forum


Another Word Maldoc


Snatch Ransomware Reboots System Into Safe Mode To Disable Anti-Virus


Ryuk Ransomware Decryptor May No Longer Work / Corrupt Documents


Extending Windows 7 Security Updates


Swift on Security Updates Sysmon Rules


The Editorial Board of SANS NewsBites

Alan Paller


Brian Honan


David Hoelzer


David Turley


Dr. Eric Cole


Ed Skoudis


Eric Cornelius


Gal Shpantzer


Jake Williams


Dr. Johannes Ullrich


John Pescatore


Mark Weatherford


Rob Lee


Sean McBride


Shawn Henry


Stephen Northcutt


Suzanne Vautrinot


Tom Liston


William Hugh Murray