SANS NewsBites
March 17, 2020 | Volume XXII - Issue #22
2020-03-13
An APT group has been sending spear phishing emails that claim to contain information about COVID-19. The messages, which target users in Mongolia, maliciously crafted Rich Text Format (RTF) document attachments that are used to infect computers with a remote access Trojan (RAT).
Threatpost: Coronavirus-Themed APT Attack Spreads Malware
2020-03-13
An Android app that purports to track confirmed cases of COVID-19 actually locks up the phone and demands $100 in bitcoin to unlock it. If victims do not pay within 48 hours, the malware says it will erase all the data on the phone. A password to unlock frozen devices has been obtained.
This app will also set a lock on your device if one is not already configured. The DomainTools researchers have reverse engineered the decryption key for the "CovidLock" app and are preparing to release it. Note that financially motivated threat actors are leveraging the COVID-19 crisis for profit. Users need to be careful installing offered mobile applications, particularly from unofficial app stores, expect some apps to make it into the legitimate app stores as well. Read more in: - https://www.cyberscoop.com/coronavirus-app-locked-phones/ - https://www.scmagazine.com/home/security-news/news-archive/coronavirus/password-found-to-rescue-victims-of-malicious-covid-19-tracker-app/ - https://www.scmagazine.com/home/security-news/news-archive/coronavirus/coronavirus-tracking-app-locks-up-android-phones-for-ransom/
2020-03-13
A Czech hospital that is one of the centers for COVID-19 testing in that country was the target of a cyberattack on Friday, March 13. Details of the breach have not been disclosed, but the hospital's entire IT system was shut down and all surgeries have been canceled. Two of the hospital's branches were also affected.
2016-03-16
The US Department of Health and Human Services (HHS) noted increased network scanning over the weekend. While it appears to have been an attempt to launch a distributed denial-of-service attack (DDoS), the agency's systems were not significantly affected.
Expect increased attacks in the name of COVID-19, particularly against businesses involved in testing and treatment; it's similar to other efforts to shortcut development by exfiltrating other's intellectual property or research. Verify your defenses, including monitoring and alerting capabilities, with an eye to operational impacts of increased numbers of remote workers, possibly even your SOC. Be prepared to alter your definition of normal due to modified working arrangements.
Cyberscoop: HHS saw increase in network scanning in midst of COVID-19 outreach
Bloomberg: Cyber-Attack Hits U.S. Health Agency Amid Covid-19 Outbreak
ZD Net: HHS targeted by hackers as it responds to novel coronavirus, COVID-19 pandemic
Bleeping Computer: U.S. Health Department Site Hit With DDoS Cyber Attack
The Hill: Top US health agency suffers cyberattack
2020-03-17
Organizations worldwide are implementing work-from-home policies. At SANS, we want to do whatever we can to ensure companies and their security teams have the information and resources they need to create a secure remote workforce. We have made public a Securely Working From Home Deployment Kit to enable organizations to quickly train and secure their remote workforce. Full download and information can be found here: https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit.
The SANS Security Awareness Work-from-Home Deployment Kit includes:
2020-03-16
Cisco has withdrawn its funding from the all-volunteer non-profit organization Shadowserver.org. ShadowServer "help[s] Internet service providers (ISPs) identify and quarantine malware infections and botnets," and serves Computer Emergency Response Teams (CERTs) around the world, providing daily network reports. The organization needs to migrate operations to a new data center by mid-May.
FluTrackers.com started up around the same time ShadowServer did. FluTrackers enables infectious disease experts to share data about outbreaks and treatments, regardless of whether governments or for-profit companies wanted that information to get out. It put out one of the first early warnings that something was happening in China. I'm sure other security companies will help replace the lost Cisco funding - this kind of model is an important component of the mix of government, commercial and crowd-sourced tools to use against cybersecurity risks.
Krebs On Security: The Web’s Bot Containment Unit Needs Your Help
Wired: A Critical Internet Safeguard Is Running Out of Time
ShadowServer: What We Do
2020-03-13
A new audit of the Voatz mobile voting app conducted by Trail of Bits found 16 "severe" security issues. Unlike previous audits, this audit had access to the Voatz Core Server and backend software. Trail of Bits confirmed the vulnerabilities found by researchers at the Massachusetts Institute of Technology (MIT) and found additional flaws.
One of the hard parts of audits is moving through the process of acceptance to validation and remediation. While the Trail of Bits audit confirms vulnerabilities from the MIT researchers, the acceptance of and rapid response to their findings shows the advantage of a self-selected audit.
It is much easier to secure a purpose-built app running on a single user device than to secure a server running on a general purpose operating system. As ever, election fraud is far more likely in the tabulating and reporting steps than in vote recording. While not all of the problems identified by Trail of Bits have yet been addressed, most appear to be implementation shortcomings rather than fundamental vulnerabilities.
Statescoop: Audit finds severe vulnerabilities in Voatz mobile voting app
Trail of Bits blog: Our Full Report on the Voatz Mobile Voting Platform
2020-03-16
WordPress developers plan to add an auto-update feature to plugins and themes. The WordPress core has had an auto-update mechanism for minor updates since October 2013, with the release of WordPress version 3.7. Users must still manually update between major versions of WordPress core.
This is slated to release with WordPress core version 5.5 scheduled to be released in August. Version 5.4 was just released this March. The feature will include the ability to select which plugins are auto-updated and when updates will happen.
2020-03-13
Two flaws in the Popup Builder WordPress plugin have been fixed. One of the vulnerabilities is rated high severity; it could be exploited to inject JavaScript into a popup. Users are advised to upgrade to Popup Builder version 3.64.1.
2020-03-13
Slack has fixed a vulnerability in its messaging platform that could have been exploited to take control of accounts. Slack learned of the flaw in November 2019 though its bug bounty program. Slack fixed the issue within 24 hours of being notified; the report was disclosed to the public last week.
This fix was a server side fix. Even so, make sure that users with the desktop or mobile app have updated to the current versions - 4.3.2 Linux, 4.3.3 Mac, 4.3.4 Win, 20.03.20 iOS and Android.
2020-03-17
Europol, along with law enforcement authorities in Spain, Romania, and Austria, have arrested a total of 26 people in connection with two SIM-swapping operations. A SIM-swapping group in Spain stole more than [euro]3 million ($3.35 million), and a group in Austria and Romania stole [euro]500,000 ($559,000).
All security measures have limitations. It is important to recognize those limitations and compensate accordingly. If a subscriber loses service on their mobile, they should contact their service provider immediately. While service providers are anxious to respond courteously and promptly to provisioning requests from subscribers, it is essential to do so securely. Provisioning requests should be authenticated in and out of band before acting on them. Out-of-band confirmation is one of our most efficient fraud resistance tools.
2020-01-23
More details are emerging about the data breach at the European Network of Transmission System Operators for Electricity (ENTSO-E). Hackers appear to have had access to ENTSO-E's IT network for several weeks. According to analysis from Recorded Future that was published in January, a remote access Trojan (RAT) "command and control (C2) server [was found to be] communicating with a mail server for a European energy sector organization from late November 2019 until at least January 5, 2020."
2020-03-09
Nigerians have reportedly lost hundreds of millions of Naira after being targeted in crypto-currency Ponzi schemes by firms that claim to speculate on cryptocurrency price movements. The scammers are capitalizing on weak regulations for crypto-currency as well as the fast moving technology that drives it. The Better Business Bureau started tracking crypto currency in 2018. The BBB now lists cryptocurrency as the second riskiest scam. 14% of crypto scam victims are in Nigeria, 11% in Indonesia, 9% in U.S. and 8% in Vietnam.
Beware of scams that offer high return on investment, particularly cryptocurrency. Lack of regulation and oversight make cryptocurrency attractive for this purpose. The current economic turmoil increases users' likelihood of falling for of these scams.
Phishing PDFs With Incremental Updates
https://isc.sans.edu/forums/diary/Phishing+PDF+With+Incremental+Updates/25904/
VPN Access and Active Monitoring
https://isc.sans.edu/forums/diary/VPN+Access+and+Activity+Monitoring/25906/
Capturing Invalid Ethernet Frames
Desktop.ini as a post-exploitation tool
https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/
SANS Security Awareness Deployment Kit for Securing Your Workforce at Home
https://www.sans.org/webcasts/113875
Cookiethief Android Cookie Stealing Malware
https://securelist.com/cookiethief/96332/
VMware Workstation/Fusion Update
https://www.vmware.com/security/advisories/VMSA-2020-0004.html
Blackwater Malware Abuses Cloudflare Workers
tcpdump Heap Based Buffer Over-Read
https://nvd.nist.gov/vuln/detail/CVE-2018-19325
Slack Account Takevoer Bug