SANS NewsBites

Surge In COVID-19 Related Malware; Windows 0-day is Being Actively Exploited

March 24, 2020  |  Volume XXII - Issue #24

Top of the News


2020-03-20

COVID-19 Related Malware

The FBI has issued a warning about an increase in COVID-19-related fraud schemes. The announcement urges people to be alert to phony messages purporting to come from the Centers for Disease Control and Prevention (CDC), phishing emails, and offers of phony COVID-19 treatments. There have been reports of phony email messages that pretend to be from the head of the World Health Organization and actually install a keystroke logger on users' computers, and of a fake COVID-19 vaccine website that tries to steal payment card data and other personal information.

Editor's Note

Also warn users to be on the alert for phishing campaigns, particularly targeting the elderly, around the pending US financial relief package. These campaigns promise extra social security, investment schemes or COVID-19 relief payments in exchange for bank account information. Also beware of pay-in-advance offers to help victims with services.

Lee Neely

2020-03-23

Windows 0-day is Being Actively Exploited

Microsoft warns of limited, targeted attacks that exploit two as-yet unpatched vulnerabilities in the Adobe Type Manager Library, the Windows component that parses Adobe Type 1 PostScript fonts; successful exploitation results in remote code execution. On supported versions of Windows 10, the code runs inside an AppContainer sandbox with limited privileges and capabilities. Microsoft has not yet released a patch, and instead offers three workarounds: disabling the Preview and Details panes in Windows Explorer, disabling the WebClient service, and renaming ATMFD.DLL. Enhanced Security Configuration, which is on by default on Windows Server, does not mitigate the problem.
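The WebClient and ATMFD.DLL workarounds, scripted as an added example for this note; this is not Microsoft's advisory text or any vendor tool. It assumes an elevated PowerShell session and follows the advisory's general sequence for the DLL (take ownership, save the existing ACL with icacls, grant Administrators full control, rename); the name of the ACL backup file and the Write-Host messages are this example's own choices. The existence check on atmfd.dll is there because the DLL is absent on newer Windows 10 builds, where the rename workaround does not apply.

```powershell
# Added example (not Microsoft's script): apply two ADV200006 workarounds.
# Run from an elevated PowerShell prompt; a reboot is required after renaming ATMFD.DLL.
#Requires -RunAsAdministrator

# --- Workaround: disable the WebClient (WebDAV) service -------------------------
# Caveat: this breaks WebDAV access and stops any service that depends on WebClient.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -ne $svc) {
    if ($svc.DependentServices.Count -gt 0) {
        Write-Warning ("Services that depend on WebClient and will be affected: " +
            ($svc.DependentServices.Name -join ', '))
    }
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
    Write-Host "WebClient service stopped and disabled."
} else {
    Write-Host "WebClient service not present; nothing to do."
}

# --- Workaround: rename ATMFD.DLL -----------------------------------------------
# On 64-bit Windows the DLL lives in both System32 and SysWOW64; handle both.
$candidates = @("$env:windir\System32\atmfd.dll", "$env:windir\SysWOW64\atmfd.dll")
$found = $false
foreach ($path in $candidates) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $found = $true
    $dir = Split-Path -Parent $path
    $acl = Join-Path $dir 'atmfd.dll.acl'   # backup of the original ACL (our file name)

    # Take ownership, save the original ACL, grant Administrators full control, rename.
    & takeown.exe /f $path | Out-Null
    & icacls.exe $path /save $acl /Q | Out-Null
    & icacls.exe $path /grant 'Administrators:(F)' /Q | Out-Null
    Rename-Item -LiteralPath $path -NewName 'x-atmfd.dll'
    Write-Host "Renamed $path to x-atmfd.dll (original ACL saved to $acl)."
}
if (-not $found) {
    # Newer Windows 10 builds do not ship atmfd.dll; the rename workaround does not
    # apply there, which is what caused the confusion around the advisory's first revision.
    Write-Host "atmfd.dll not present on this build; the rename workaround does not apply."
}

Write-Host "Reboot for the ATMFD.DLL change to take effect."
```

To undo the DLL workaround once a patch ships, rename x-atmfd.dll back to atmfd.dll in each directory and run icacls.exe with /restore against the saved .acl file from that directory, then reboot; the WebClient service is re-enabled with Set-Service -StartupType Manual and Start-Service.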

Editor's Note

While the impact of the attack is lowest on supported versions of Windows 10, there is a chance the attackers are also capable of executing a sandbox escape. Be sure to read the caveats with each of the fixes before rolling one out. The second workaround, disabling the WebClient service, will block the attacks attackers are most likely to use, and impacts Web Distributed Authoring and Versioning (WebDAV) as well as stopping, and preventing the start of, any services based on WebClient.

Lee Neely

There is no public exploit right now, but targeted attacks are taking advantage of this vulnerability. Microsoft's initial advisory caused some confusion as the DLL mentioned is not present on newer versions of Windows 10, and Microsoft clarified this in the 1.1 version of the advisory released last night. Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability: https://isc.sans.edu/forums/diary/Windows+Zeroday+Actively+Exploited+Type+1+Font+Parsing+Remote+Code+Execution+Vulnerability/25936/

Johannes Ullrich

The Rest of the Week's News


2020-03-22

Hackers Steal Data from Clinical Medical Research Organization

Earlier this month, a UK clinical medical research company detected and stopped a ransomware attack launched against its systems, but not before the attackers had stolen data. Hammersmith Medicines Research (HMR) has conducted trials of various vaccines and drugs, and is preparing to begin trials of a potential COVID-19 vaccine. The stolen data include sensitive information about people who participated in earlier clinical trials: medical questionnaires, and passport and driver's license numbers. The group responsible for the ransomware attack has begun posting the stolen information in an attempt to pressure HMR into paying a ransom.

Editor's Note

When one's networks, systems, applications, and data are compromised, there are many ways for the attackers to monetize the compromise.

William Hugh Murray

2020-03-20

South Carolina Fire Department Computers Infected with Ransomware

Computers belonging to the Bluffton Township (South Carolina) Fire Department became infected with ransomware in mid-March. The attack did not affect the department's ability to respond to emergency calls.

Editor's Note

By this time, most large enterprises should be both resistant to and resilient in the face of "ransomware" attacks. However, many of the measures that they have put in place may be beyond the capabilities of many small and medium size enterprises (SMEs). That may be why SMEs are being targeted and successfully attacked. They must look to their vendors and contractors.

William Hugh Murray

2020-03-20

Finastra Systems Infected with Ransomware

UK financial technology company Finastra has disclosed that earlier this month, the company's "IT security and risk teams actively detected... that a bad-actor was attempting to introduce malware into [their] network in what appears to have been a common ransomware attack." Finastra took its servers offline in an effort to contain the infection.


2020-03-17

Countries Are Using Geolocation and Facial Recognition to Track COVID-19

Governments in several countries are using technologies like geolocation and facial recognition to track the spread of COVID-19. In the UK, health officials plan to test a new app that will let people know if they have been in contact with someone who has tested positive for COVID-19. In China, the government has created a system called Health Code, which assigns each individual a color to identify them as infected, quarantined, or healthy. In Hong Kong, people who have tested positive for COVID-19 or who have been quarantined are given an electronic bracelet, the latest version of which includes geofencing technology. South Korea has been using CCTV images, payment card records, and mobile phone data, which allows them to retrace the steps of people who test positive for the virus. Israel and the US are also considering surveillance methods. (Please note that the WSJ story is behind a paywall.)

Editor's Note

There seems to be pretty clear agreement in the experienced medical community about the right steps to take, and investigating the contacts of newly discovered infections is pretty important. Doing that quickly and accurately, not just quickly, is key. Any untested technology use that generates high rates of false positives or false negatives will be counterproductive - just as we've seen in security.

John Pescatore

2020-03-20

Google and Microsoft Pausing Major Version Updates for Chrome and Edge Browsers

Last week, Google announced that it was pausing major releases of its Chrome browser because of COVID-19-related adjusted work schedules. Google will release new versions of Chrome 80 (which is the current stable version) to address security issues. Microsoft has now announced that it, too, is pausing the release of major versions of its Edge browser, which is based on Chromium.

Editor's Note

With most employees working from home, some companies have decided to delay patching to reduce the risks of home users getting "cut off". That may not be sensible because software makers will focus on patching security flaws and not on new features that may increase tech support traffic. Firefox also reverted a change that would have disabled TLS 1.0/1.1 to avoid problems with some government sites that still require these older TLS versions (see next story).

Johannes Ullrich

We're all learning the impacts of increased telework coupled with reduced availability of those that are caring for those impacted by the illness, such as having children home from school or being a caretaker for one who is ill. With the uncertainty, it may still be too soon to re-baseline projects; instead, take a flexible approach and focus on prioritizing deliverables.

Lee Neely

2020-03-20

Firefox Enables TLS 1.0 and 1.1 Again to Aid Access to COVID-19 Information

Mozilla has reverted to allowing TLS 1.0 and 1.1 to enable users to access COVID-19 information on government websites that have not yet made the switch to TLS 1.2 or 1.3. Earlier this month, Mozilla announced it was ending support for TLS 1.0 and 1.1 with the release of Firefox 74 on March 10.

Editor's Note

To make sure you have support for older TLS enabled, go to settings:config and check the value of security.tls.version.fallback-limit. 1 for TLS 1.0, 2 for TLS 1.1, 3 for TLS 1.2 and 4 for TLS 1.3. This setting applies to Firefox 74 and ESR 68.6.

Lee Neely

2020-03-20

NIST Draft Document on Cybersecurity and Enterprise Risk Management

The US National Institute of Standards and Technology (NIST) is seeking public comment on a draft report, NIST Interagency Report (NISTIR) 8286, Integrating Cybersecurity and Enterprise Risk Management. NIST will accept comments through April 20, 2020.

Editor's Note

This document attempts to create a bridge between Enterprise Risk Management and Cybersecurity Risk Management. One of the challenges is a consistent message relating to cyber risks and how they translate into costs for the organization so that the resulting risk registers are appropriately factored into ERM.

Lee Neely

2020-03-23

Medical Device Maker Discloses Phishing Attack

Insulin pump manufacturer Tandem Diabetes has disclosed a phishing attack. On its website, Tandem noted that "a limited number of Tandem employee email accounts may have been accessed by an unauthorized user between January 17, 2020 and January 20, 2020." The affected accounts contained customer information, including names, contact information, clinical data related to diabetes therapy, and in some cases, Social Security numbers.

Internet Storm Center Tech Corner