SANS NewsBites

A positive surprise: SANS students are saying they like the new CyberCast live-on-line training as well as (and in a few cases, better than) in-person training.

March 17, 2020  |  Volume XXII - Issue #22

Top of the News


2020-03-13

COVID-19 Spear Phishing eMails Used to Spread Malware

An APT group has been sending spear phishing emails that claim to contain information about COVID-19. The messages, which target users in Mongolia, carry maliciously crafted Rich Text Format (RTF) document attachments that are used to infect computers with a remote access Trojan (RAT).


2020-03-13

Malicious COVID-19 Android App is Ransomware

An Android app that purports to track confirmed cases of COVID-19 actually locks up the phone and demands $100 in bitcoin to unlock it. If victims do not pay within 48 hours, the malware says it will erase all the data on the phone. A password to unlock frozen devices has been obtained.

Editor's Note

This app will also set a lock on your device if one is not already configured. The DomainTools researchers have reverse engineered the decryption key for the "CovidLock" app and are preparing to release it. Note that financially motivated threat actors are leveraging the COVID-19 crisis for profit. Users need to be careful installing offered mobile applications, particularly from unofficial app stores, and should expect some apps to make it into the legitimate app stores as well. Read more in:
- https://www.cyberscoop.com/coronavirus-app-locked-phones/
- https://www.scmagazine.com/home/security-news/news-archive/coronavirus/password-found-to-rescue-victims-of-malicious-covid-19-tracker-app/
- https://www.scmagazine.com/home/security-news/news-archive/coronavirus/coronavirus-tracking-app-locks-up-android-phones-for-ransom/

Lee Neely

2020-03-13

Czech Hospital Conducting COVID-19 Testing Hit With Cyberattack

A Czech hospital that is one of the centers for COVID-19 testing in that country was the target of a cyberattack on Friday, March 13. Details of the breach have not been disclosed, but the hospital's entire IT system was shut down and all surgeries have been canceled. Two of the hospital's branches were also affected.


2020-03-16

US Dept. of Health and Human Services Fended Off Cyberattack

The US Department of Health and Human Services (HHS) noted increased network scanning over the weekend. While it appears to have been an attempt to launch a distributed denial-of-service attack (DDoS), the agency's systems were not significantly affected.

Editor's Note

Expect increased attacks in the name of COVID-19, particularly against businesses involved in testing and treatment; it's similar to other efforts to shortcut development by exfiltrating others' intellectual property or research. Verify your defenses, including monitoring and alerting capabilities, with an eye to operational impacts of increased numbers of remote workers, possibly even your SOC. Be prepared to alter your definition of normal due to modified working arrangements.

Lee Neely

2020-03-17

SANS Security Awareness Work-from-Home Deployment Kit Released

Organizations worldwide are implementing work-from-home policies. At SANS, we want to do whatever we can to ensure companies and their security teams have the information and resources they need to create a secure remote workforce. We have made public a Securely Working From Home Deployment Kit to enable organizations to quickly train and secure their remote workforce. Full download and information can be found here: https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit.


The SANS Security Awareness Work-from-Home Deployment Kit includes:

  • A strategic planning guide on which risks to focus on and how to train effectively on those risks
  • A communications template to engage your workforce
  • Training materials (in multiple languages): Security Awareness Videos, Important Checklists & Fact Sheets, Podcasts and audio files, Posters & Newsletters, and Digital Signage

The Rest of the Week's News


2020-03-16

ShadowServer is Losing its Funding

Cisco has withdrawn its funding from the all-volunteer non-profit organization Shadowserver.org. ShadowServer "help[s] Internet service providers (ISPs) identify and quarantine malware infections and botnets," and serves Computer Emergency Response Teams (CERTs) around the world, providing daily network reports. The organization needs to migrate operations to a new data center by mid-May.

Editor's Note

FluTrackers.com started up around the same time ShadowServer did. FluTrackers enables infectious disease experts to share data about outbreaks and treatments, regardless of whether governments or for-profit companies wanted that information to get out. It put out one of the first early warnings that something was happening in China. I'm sure other security companies will help replace the lost Cisco funding - this kind of model is an important component of the mix of government, commercial and crowd-sourced tools to use against cybersecurity risks.

John Pescatore

2020-03-13

New Voatz Audit Finds Severe Flaws

A new audit of the Voatz mobile voting app conducted by Trail of Bits found 16 "severe" security issues. Unlike previous audits, this audit had access to the Voatz Core Server and backend software. Trail of Bits confirmed the vulnerabilities found by researchers at the Massachusetts Institute of Technology (MIT) and found additional flaws.

Editor's Note

One of the hard parts of audits is moving through the process of acceptance to validation and remediation. While the Trail of Bits audit confirms vulnerabilities from the MIT researchers, the acceptance of and rapid response to their findings shows the advantage of a self-selected audit.

Lee Neely

It is much easier to secure a purpose-built app running on a single user device than to secure a server running on a general purpose operating system. As ever, election fraud is far more likely in the tabulating and reporting steps than in vote recording. While not all of the problems identified by Trail of Bits have yet been addressed, most appear to be implementation shortcomings rather than fundamental vulnerabilities.

William Hugh Murray

2020-03-16

WordPress Auto-Update Feature

WordPress developers plan to add an auto-update feature to plugins and themes. The WordPress core has had an auto-update mechanism for minor updates since October 2013, with the release of WordPress version 3.7. Users must still manually update between major versions of WordPress core.

Editor's Note

This is slated to release with WordPress core version 5.5 scheduled to be released in August. Version 5.4 was just released this March. The feature will include the ability to select which plugins are auto-updated and when updates will happen.

Lee Neely
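
Until the plugin and theme controls described above ship, the opt-in mechanisms that have existed in WordPress core since 3.7 are the WP_AUTO_UPDATE_CORE constant in wp-config.php and the auto_update_plugin / auto_update_theme filters, which a site operator can place in a must-use plugin. The following is an added configuration example, not code from the page or from the WordPress project; the plugin basename 'example-plugin/example-plugin.php' is a hypothetical placeholder.

```php
<?php
// File 1: wp-config.php
// Default core behaviour is 'minor' (security and maintenance releases only).
// true also applies major releases; false disables core auto-updates entirely.
define( 'WP_AUTO_UPDATE_CORE', true );

// File 2: wp-content/mu-plugins/auto-updates.php
// Selective plugin auto-updates: approve only an allowlist, leave the rest at
// WordPress's default decision ($update). $item->plugin is the plugin basename.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    // Hypothetical placeholder basename; replace with the plugins you vet.
    $allowlist = array( 'example-plugin/example-plugin.php' );
    if ( in_array( $item->plugin, $allowlist, true ) ) {
        return true;
    }
    return $update;
}, 10, 2 );

// Auto-update every installed theme.
add_filter( 'auto_update_theme', '__return_true' );
```

Two checks before relying on this: the updater only runs when WP-Cron fires (or a real cron job requests wp-cron.php), and the web server user must be able to write the plugin and theme directories; if the AUTOMATIC_UPDATER_DISABLED constant is set to true, all of the above is ignored.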

2020-03-13

Fixes Available for Popup Builder WordPress Vulnerabilities

Two flaws in the Popup Builder WordPress plugin have been fixed. One of the vulnerabilities is rated high severity; it could be exploited to inject JavaScript into a popup. Users are advised to upgrade to Popup Builder version 3.64.1.


2020-03-13

Slack Flaw Fixed

Slack has fixed a vulnerability in its messaging platform that could have been exploited to take control of accounts. Slack learned of the flaw in November 2019 through its bug bounty program. Slack fixed the issue within 24 hours of being notified; the report was disclosed to the public last week.

Editor's Note

This fix was a server side fix. Even so, make sure that users with the desktop or mobile app have updated to the current versions - 4.3.2 Linux, 4.3.3 Mac, 4.3.4 Win, 20.03.20 iOS and Android.

Lee Neely

2020-03-17

Europol and European Law Enforcement Arrest Alleged SIM-Swappers

Europol, along with law enforcement authorities in Spain, Romania, and Austria, has arrested a total of 26 people in connection with two SIM-swapping operations. A SIM-swapping group in Spain stole more than €3 million ($3.35 million), and a group in Austria and Romania stole €500,000 ($559,000).

Editor's Note

All security measures have limitations. It is important to recognize those limitations and compensate accordingly. If a subscriber loses service on their mobile, they should contact their service provider immediately. While service providers are anxious to respond courteously and promptly to provisioning requests from subscribers, it is essential to do so securely. Provisioning requests should be authenticated in and out of band before acting on them. Out-of-band confirmation is one of our most efficient fraud resistance tools.

William Hugh Murray

2020-01-23

ENTSO-E Breach: More Details

More details are emerging about the data breach at the European Network of Transmission System Operators for Electricity (ENTSO-E). Hackers appear to have had access to ENTSO-E's IT network for several weeks. According to analysis from Recorded Future that was published in January, a remote access Trojan (RAT) "command and control (C2) server [was found to be] communicating with a mail server for a European energy sector organization from late November 2019 until at least January 5, 2020."


2020-03-09

Crypto-Currency Scams

Nigerians have reportedly lost hundreds of millions of Naira after being targeted in cryptocurrency Ponzi schemes run by firms that claim to speculate on cryptocurrency price movements. The scammers are capitalizing on weak regulation of cryptocurrency as well as the fast-moving technology that drives it. The Better Business Bureau (BBB) started tracking cryptocurrency scams in 2018 and now lists cryptocurrency as the second riskiest scam. 14% of crypto scam victims are in Nigeria, 11% in Indonesia, 9% in the U.S. and 8% in Vietnam.

Editor's Note

Beware of scams that offer high return on investment, particularly cryptocurrency. Lack of regulation and oversight make cryptocurrency attractive for this purpose. The current economic turmoil increases users' likelihood of falling for these scams.

Lee Neely

Internet Storm Center Tech Corner

Phishing PDFs With Incremental Updates

https://isc.sans.edu/forums/diary/Phishing+PDF+With+Incremental+Updates/25904/


VPN Access and Activity Monitoring

https://isc.sans.edu/forums/diary/VPN+Access+and+Activity+Monitoring/25906/


Capturing Invalid Ethernet Frames

https://isc.sans.edu/forums/diary/Not+all+Ethernet+NICs+are+Created+Equal+Trying+to+Capture+Invalid+Ethernet+Frames/25896/


Desktop.ini as a post-exploitation tool

https://isc.sans.edu/forums/diary/Desktopini+as+a+postexploitation+tool/25912/


SANS Security Awareness Deployment Kit for Securing Your Workforce at Home

https://www.sans.org/webcasts/113875


Cookiethief Android Cookie Stealing Malware

https://securelist.com/cookiethief/96332/


VMware Workstation/Fusion Update

https://www.vmware.com/security/advisories/VMSA-2020-0004.html


Blackwater Malware Abuses Cloudflare Workers

https://www.bleepingcomputer.com/news/security/blackwater-malware-abuses-cloudflare-workers-for-c2-communication/


tcpdump Heap Based Buffer Over-Read

https://nvd.nist.gov/vuln/detail/CVE-2018-19325


Slack Account Takeover Bug

https://hackerone.com/reports/737140