SANS NewsBites

Dept. of Justice Guide for Cyber Research; ENTSO-E IT Security Breach; CPI and Durham NC Ransomware Attacks

March 10, 2020  |  Volume XXII – Issue #20

Top of the News


2020-03-03

DoJ Issues Guide for Cyber Research

The US Department of Justice (DoJ) has published a document, Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources, to guide "information security practitioners' cyber threat intelligence gathering efforts that involve online forums in which computer crimes are discussed and planned and stolen data is bought and sold."

Editor's Note

There will always be cases on the edges, where criminals claim to be researchers, researchers get accused of being criminals, or companies with deficient software try to use laws like the DMCA to stop researchers from pointing out how bad their software is. If you or your company are thinking about doing your own cyber threat research, the DoJ paper is a good starting point for decreasing the odds that you become one of those edge cases and for defending your actions if you do.

John Pescatore

2020-03-09

ENTSO-E IT Security Breach

The European Network of Transmission System Operators for Electricity (ENTSO-E) has disclosed that its IT network was breached. In a brief statement, ENTSO-E notes that its network is not connected to those of operational Transmission System Operators (TSO). ENTSO-E's website notes that its security mission is "Pursuing coordinated, reliable and secure operations of the interconnected electricity transmission network, while anticipating the decision to cope with upcoming system evolutions."

Editor's Note

That said, the industry culture is to connect the controls of the grid to the public networks to allow operators timely and convenient access to them in a crisis.

William Hugh Murray

2020-03-05

CPI Ransomware Attack

Electronics manufacturer Communications & Power Industries (CPI) suffered a ransomware attack in mid-January 2020. The infection spread quickly to all CPI offices as the company's computers were on an unsegmented network. CPI paid a ransom of US $500,000, but is still working on recovering its systems. CPI customers include the US Department of Defense and the Defense Advanced Research Projects Agency (DARPA).

Editor's Note

The root cause appears to be a domain administrator clicking on the malicious link. Controlled use of administrative privileges, including running with the lowest level of privilege, is CIS Control 4. Network segmentation, particularly for older operating systems such as XP, is key not only to restricting lateral movement but also to mitigating shortfalls in legacy system security.

Lee Neely

2020-03-09

Durham, NC Ransomware Attack

Computers belonging to the city of Durham, North Carolina, were infected with Ryuk ransomware over the weekend. The city made the decision to shut down certain systems, including its phone system. The decision rendered an information phone line unavailable, but emergency services "are operational and emergency calls are being handled."

The Rest of the Week's News


2020-03-04

Lawmakers Ask Treasury Secretary if Cyber Sanctions Are Working

At a congressional hearing earlier this month, members of the US House Appropriations Committee asked Treasury Secretary Steven Mnuchin whether the Treasury Department's financial sanctions against countries that have launched cyberattacks against organizations in the US have produced "any sizable positive impact on the reduction of breach attempts on U.S. companies."

2020-03-06

Siemens Cybersecurity Incident Response Handbook for Energy Sector

Siemens has published its energy sector cybersecurity incident response handbook. The handbook is based on an exercise involving a simulated attack against a fictional electrical utility. It notes that "the focus of cyberattacks against the energy industry has shifted from targeting information technologies (IT) toward operating technologies (OT)," and spells out incident response steps.

2020-03-06

DoJ Charges Two Chinese Citizens With Cryptocurrency Money Laundering

The US Department of Justice (DoJ) has indicted two Chinese citizens, Tian Yinyin and Li Jiadong, on charges of helping North Korean cyber thieves launder more than US $100 million in funds stolen in a 2018 cryptocurrency heist. In addition, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has imposed sanctions on the pair.

2020-03-06

Unsupported Android Devices

UK consumer rights and advice organization Which? estimates that more than one billion Android devices worldwide are no longer receiving updates. Of particular concern are devices released in 2012 or earlier, because they lack built-in protections that newer devices have. Any device still running an older version of Android "will carry security risks."

Editor's Note

Android devices, where updates are provided, are supported for only three years; and the last year is typically limited to security updates. As devices age, security updates may move from monthly to quarterly. If you're an Android shop, plan for at most a three-year lifecycle for these devices. When qualifying devices for enterprise or personal use, verify the support lifecycle prior to purchase.

Lee Neely

2020-03-05

Google Releases March Android Updates

Google's monthly batch of updates for Android includes fixes for 70 security issues. Seventeen of the vulnerabilities are critical remote code execution flaws, sixteen of which are in Qualcomm components. A high severity privilege elevation flaw that affects MediaTek chipsets is being actively exploited.

Editor's Note

Unlike computer operating systems, Android updates tend to be cumulative, so make sure that you've applied all the updates for your device. Also, check your device manufacturer's web site to verify the update schedule for your particular devices.

Lee Neely

2020-03-09

Hackers Exploiting Known Vulnerability in Microsoft Exchange Servers

Attackers are exploiting a known remote code execution vulnerability in Microsoft Exchange servers. The issue lies in the Exchange Control Panel (ECP): every Exchange installation released over the past decade ships with the same static ASP.NET machine keys (the validationKey and decryptionKey that protect ViewState), so an attacker holding valid credentials for any mailbox can craft serialized ViewState that the server accepts and deserializes, executing code with the privileges of the ECP application pool (SYSTEM). The vulnerability is being exploited by multiple groups of hackers. Microsoft issued a fix for the flaw in its February Patch Tuesday updates.

Editor's Note

The patches were released February 11th; attempted exploits began after the zero-day report went live on February 26. While proof-of-concept code was released to GitHub, and there is also a Metasploit module, this is a difficult bug to exploit. Rolling out the patch quickly is still prudent, even if APT groups are not in your threat matrix.

Lee Neely
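As an added detection example (not code from SANS, ISC or Microsoft): publicly reported exploitation of this ECP flaw delivers the forged ViewState in the query string of a GET request to /ecp/, something a legitimate ECP session never does, since ECP submits ViewState in a POST body. The script below parses IIS W3C-format logs and flags that pattern. The log lines are constructed for the example, the __VIEWSTATEGENERATOR value is a placeholder, and a hit is a lead to investigate rather than proof of compromise; the February patch remains the fix.

```python
"""Flag IIS log entries consistent with ViewState abuse against Exchange's ECP."""
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt (not real traffic). Field order is IIS's default.
# The third request is the suspicious one: ViewState in a GET query string to /ecp/,
# sent from a scripted client, answered with a 500.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-03-01 10:15:22 10.0.0.5 POST /ecp/default.aspx - 443 CORP\alice 10.0.0.42 Mozilla/5.0 - 200 0 0 55
2020-03-01 10:15:30 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail%2fowa 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 12
2020-03-01 10:16:01 10.0.0.5 GET /ecp/default.aspx __VIEWSTATEGENERATOR=B97B4E27&__VIEWSTATE=%2FwEyAAAA 443 CORP\bob 203.0.113.7 python-requests/2.22.0 - 500 0 0 130
"""


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the names in the #Fields line."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            # Malformed line or a custom field layout: skip it rather than misalign columns.
            continue
        records.append(dict(zip(fields, values)))
    return records


def find_ecp_viewstate_abuse(records):
    """Return GET requests to /ecp/ that carry __VIEWSTATE in the query string."""
    hits = []
    for rec in records:
        stem = rec.get("cs-uri-stem", "").lower()
        query = rec.get("cs-uri-query", "-")
        if rec.get("cs-method") != "GET" or not stem.startswith("/ecp/"):
            continue
        if query == "-":  # IIS writes "-" when there is no query string
            continue
        params = parse_qs(query, keep_blank_values=True)
        if "__VIEWSTATE" in params:
            hits.append({
                "time": f"{rec['date']} {rec['time']}",
                "client": rec.get("c-ip"),
                "user": rec.get("cs-username"),       # the account whose credentials were used
                "status": rec.get("sc-status"),       # 500 is common when a payload runs, not required
                "has_generator": "__VIEWSTATEGENERATOR" in params,
            })
    return hits


if __name__ == "__main__":
    for hit in find_ecp_viewstate_abuse(parse_iis_log(SAMPLE_LOG)):
        print(hit)
```

Run it against exported logs from the Exchange server's IIS W3SVC directory; the cs-username on a hit tells you which mailbox credentials the attacker already holds, which is the next thing to rotate.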

2020-03-05

FDA Warns of Cybersecurity Flaws That Could Affect Medical Devices

The US Food and Drug Administration (FDA) is warning about a group of cybersecurity vulnerabilities that could impact certain medical devices. The vulnerabilities, known collectively as SweynTooth, could be exploited to crash devices, cause denial-of-service or deadlock conditions, and to circumvent security protections to access sensitive functions without authorization. The FDA offers recommendations for patients, healthcare providers, and medical device manufacturers.

2020-03-07

GSA Makes .Gov Domains Somewhat Harder to Obtain

As of March 10, 2020, the US General Services Administration (GSA) will require entities requesting .gov domains to include notarized signatures on their authorization letters. Previously, applicants needed to submit a completed authorization letter, listing admin, tech, and billing contacts, printed on official letterhead. The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) would like to assume responsibility for granting .gov domains and to "ensure that only authorized users obtain a .gov domain, and proactively validate existing .gov holders."

Editor's Note

Notaries seem like such a quaint idea in the digital age but a few years ago I didn't notice that my driver's license had expired, and in over 6 months of traveling, neither did any TSA inspectors at airport security. Then I had to get some form notarized at my local bank, and the Notary said "Nope, can't do it - your license expired 6 months ago!" Moral of the story: there is still benefit to a detailed manual inspection of credentials.

John Pescatore

Validating the identity of the person authorizing the domain request, which is required for granting .GOV domains, is a good start. Strongly issued digital signatures, such as the HSPD-12 credentials, should be considered as an alternative to a Notary.

Lee Neely

Enterprise identity and authentication is more important than individual. At enrollment time, it is necessary to ensure that the agent of the enterprise establishing the identity is both authentic and authorized.

William Hugh Murray

Internet Storm Center Tech Corner

Excel Maldocs: Hidden Sheets

https://isc.sans.edu/forums/diary/Excel+Maldocs+Hidden+Sheets/25876/


Malicious Spreadsheet With Data Connection and Excel 4 Macros

https://isc.sans.edu/forums/diary/Malicious+Spreadsheet+With+Data+Connection+and+Excel+4+Macros/25880/


Wireshark 3.2.2 Released

https://www.wireshark.org/docs/relnotes/wireshark-3.2.2.html


Linux PPP Vulnerability

https://www.kb.cert.org/vuls/id/782301/


NordVPN Vulnerability

https://www.theregister.co.uk/2020/03/06/nordvpn_no_auth_needed_view_user_payments/


Unpatched Android Devices

https://www.which.co.uk/news/2020/03/more-than-one-billion-android-devices-at-risk-of-malware-threats/


Take A Way: Exploring the Security Implications of AMD's Cache Way Predictors

https://mlq.me/download/takeaway.pdf

https://www.amd.com/en/corporate/product-security


Google Play Store Protect Fails Security Test

https://www.av-test.org/en/news/here-s-how-well-17-android-security-apps-provide-protection/