SANS NewsBites

Kwampirs Malware Targets Healthcare Sector; Beware of USBs in the Mail; Injunctions Against VoIP Carriers for Facilitating Fraudulent Robocalls

March 31, 2020  |  Volume XXII - Issue #26

Top of the News


2020-03-31

Kwampirs Malware Targets Healthcare Sector

The FBI has released a private industry notification for the Kwampirs malware. Kwampirs, also known as "Orangeworm," has been used to target different industries in the past, and according to this latest update, is now also being used to target the healthcare sector. Likely the work of nation state linked attackers, Kwampirs uses the software supply chain to spread. This makes it particularly difficult to defend against. Kwampirs will likely enter your network as part of a software update from a trusted vendor.

Editor's Note

In defending against threats like Kwampirs, do not focus too much on specific indicators of compromise. They will change quickly, and are only useful to detect past infections. Instead, verify how well you are able to detect the techniques the malware uses to spread. For example, Kwampirs, like other malware, seeks out administrative shares and installs as a new service. These are fairly generic techniques used by other malware as well. Implementing techniques to detect this type of behavior has the benefit that it will not just detect this particular malware, but more generically help identify malicious behavior.

Johannes Ullrich
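One way to turn the advice above into a concrete detection, as an added example that is not from the newsletter or the FBI notification: correlate a Windows Security event 5140 (network share accessed, filtered to administrative shares) with a System event 7045 (new service installed) on the same host within a short window, which is the lateral-movement pattern the note describes. The flattened log format, host names, addresses, user and service names below are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): a hypothetical collector has
# flattened Security 5140 and System 7045 events to one key=value line each.
SAMPLE_LOGS = r"""
2020-03-30T10:01:02 host=WS-07 eid=5140 src=10.0.0.25 share=\\*\ADMIN$ user=svc_backup
2020-03-30T10:01:09 host=WS-07 eid=7045 svc=UpdaterSvc image=C:\ProgramData\updater.exe
2020-03-30T10:30:00 host=WS-12 eid=5140 src=10.0.0.25 share=\\*\C$ user=svc_backup
2020-03-30T11:45:00 host=WS-12 eid=7045 svc=VendorAgent image=C:\Vendor\agent.exe
2020-03-30T12:00:00 host=WS-03 eid=7045 svc=PrintSpoolerX image=C:\Windows\Temp\ps.exe
"""

ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}   # shares used for remote admin / PsExec-style installs
WINDOW = timedelta(minutes=5)             # how soon after the share access the service must appear

def parse_line(line):
    """Turn 'ts k=v k=v ...' into a dict with a datetime and an int event id."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split(" "))
    rec["ts"] = datetime.fromisoformat(ts)
    rec["eid"] = int(rec["eid"])
    return rec

def parse_logs(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def is_admin_share(share):
    # '\\*\ADMIN$' -> 'ADMIN$'; compare case-insensitively
    return share.rsplit("\\", 1)[-1].upper() in ADMIN_SHARES

def correlate(events, window=WINDOW):
    """Pair each new-service event with an admin-share access on the same host
    that happened at most `window` earlier; each pair is one alert."""
    share_hits = [e for e in events if e["eid"] == 5140 and is_admin_share(e["share"])]
    alerts = []
    for svc in (e for e in events if e["eid"] == 7045):
        for sh in share_hits:
            delta = (svc["ts"] - sh["ts"]).total_seconds()
            if sh["host"] == svc["host"] and 0 <= delta <= window.total_seconds():
                alerts.append({"host": svc["host"], "src": sh["src"], "user": sh["user"],
                               "service": svc["svc"], "image": svc["image"],
                               "delta_s": int(delta)})
    return alerts

if __name__ == "__main__":
    for a in correlate(parse_logs(SAMPLE_LOGS)):
        print(f"ALERT {a['host']}: service {a['service']} ({a['image']}) installed "
              f"{a['delta_s']}s after {a['user']}@{a['src']} opened an admin share")
```

Only WS-07 fires: WS-12 saw a new service 75 minutes after the share access, outside the window, and WS-03 had no preceding admin-share access at all, so both need a different rule (for example, services whose image lives outside expected install paths).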

2020-03-27

Snail Mail Malware Delivery

The FIN7 hacking group is distributing malware through the U.S. Postal service - sending users USB sticks in the mail. If users plug the stick in, it installs a backdoor on their computer. Some of the packages have included gift cards and teddy bears.

Editor's Note

A good analogy for security awareness around this issue is to equate USB sticks that aren't from IT or a store to be like a piece of what kids used to call ABC gum: Already Been Chewed gum. Don't put ABC USB drives in your computer's mouth.

John Pescatore

It remains imperative to not insert unknown or untrusted media in systems. Right now many users are working from home outside many of the normal corporate security controls, so increased attention to work-from-home security measures is appropriate. Also, while enabling controls which limit the insertion of removable media to approved devices only will help raise the bar, the current environment makes it attractive for the user to insert these into their personal devices, so be sure to include that scenario in your awareness training.

Lee Neely

2020-03-27

Court Orders Injunctions Against VoIP Carriers for Facilitating Fraudulent Robocalls

A US district court in New York has issued injunctions against two companies for "facilitat[ing] the transmission of massive volumes of fraudulent robocalls to consumers in the United States." The calls purported to come from government agencies or legitimate businesses and were designed to trick people into giving up information and money. The calls targeted elderly and otherwise vulnerable people.

Editor's Note

Carriers of all flavors have refused to filter malicious calls/data that are known to be from spoofed addresses. It is good to see courts and the FTC (noted in another item) start to put appropriate pressure on them. Imagine if the water company said "Well, we knew the dangerous chemicals were in the water, but we just pass the water from left to right; don't blame us. But, we will sell you a water cleaning service."

John Pescatore

The elderly are some of the hardest users to protect, as they have not "grown up" with these threats, and are not necessarily connected with, or may not understand security awareness campaigns. Taking the time to work with them one-on-one to understand call security and enabling appropriate controls is the best mitigation while technical and carrier level controls evolve.

Lee Neely

The Rest of the Week's News


2020-03-30

Georgian Database Published Online

A database containing personal information about every citizen in the Republic of Georgia has been posted to a hacker forum. The database includes information for more than 4.9 million people, some of whom are deceased. Georgian authorities are investigating.


2020-03-25

Apple VPN Bypass Flaw

An unpatched flaw in Apple's iOS could be exploited to access some traffic data. The issue prevents virtual private network (VPN) applications from protecting some data that are being sent between the iOS device and the servers they are communicating with. The vulnerability exists in the most recent version of the mobile operating system, iOS 13.4.

Editor's Note

While this bug remains in iOS 13.4, it also impacts iOS 13.3.1 and later. The problem is the VPN does not terminate all existing network connections when established. The primary risk is moderate, as this can be used to reveal metadata about the device's connections as most application connections are themselves encrypted and short lived. The risk can be partly mitigated by enabling auto-connect features in third-party VPNs or setting the always connected feature of managed devices accessing the corporate VPN.

Lee Neely

2020-03-27

Windows Font Parsing Bug

Microsoft has suggested several workarounds to help users protect their computers from attacks exploiting two critical vulnerabilities. The flaws affect the Windows font parsing component, the Adobe Type Manager Library. On systems older than Windows 10, these flaws can be exploited to achieve remote code execution. Microsoft is aware of targeted attacks exploiting these flaws and is working on a fix.


2020-03-27

FTC Warns VoIP Companies Not to Facilitate Robocalls Preying on Coronavirus Concerns

The US Federal Trade Commission (FTC) has issued warnings to nine VoIP service providers, telling them to take steps to ensure that their services are not being used to make fraudulent robocalls that exploit the current COVID-19 pandemic. The nine companies were given until March 30 to respond to the FTC, "describing the specific actions [they] have taken to ensure [their] company's services are not being used in Coronavirus/COVID-19 robocall schemes."

Editor's Note

The FTC was awarded a prestigious SANS Difference Maker's award a few years ago. It is good to see them continuing to make a difference.

John Pescatore

What is needed is the implementation of security solutions such as SHAKEN/STIR to raise the bar on VoIP call security. Take note of the FTC advice on robocalls, particularly COVID-19 related ones, at core: hang up, don't press any buttons, better still don't answer unrecognized calls. Leverage options to block unwanted calls. Some services have free call blocking tools, iOS allows you to silently send unrecognized callers to voicemail, and Android allows you to block anonymous callers.

Lee Neely

2020-03-27

US Federal Court: Terms of Service Violation is Not a CFAA Violation

A US federal court has ruled that violating a website's terms of service is not a violation of the Computer Fraud and Abuse Act (CFAA). The plaintiffs in the case wanted to investigate racism in online job markets by creating accounts for phony employers and job seekers. They were concerned that the activity might find them in violation of the CFAA, so they filed a pre-enforcement challenge alleging that the portion of the CFAA that says it is a crime to "access a computer without authorization or exceed authorized access" is a violation of First Amendment rights. The Court did not address the constitutional issue, instead writing "that the CFAA does not criminalize mere terms-of-service violations on consumer websites and, thus, that plaintiffs' proposed research plans are not criminal under the CFAA."

Editor's Note

Creating fraudulent accounts may not be criminal but it is unethical and not something we want to encourage. In this case it contaminates the application and interferes with its objective.

William Hugh Murray

2020-03-30

Zeus Sphinx Trojan

A banking Trojan has made a resurgence after three years of relative quiet. The Zeus Sphinx Trojan is being used to exploit the economic relief measures that governments are sending to citizens. The campaigns tell email recipients that they need to fill out forms to receive the payments; those forms capture bank account access credentials.


2020-03-30

Russian Man Arrested in Connection with Money Laundering Scheme

US federal law enforcement agents have arrested Maksim Boiko, a Russian citizen, for his alleged role in a money laundering scheme. Boiko is allegedly part of an organized crime group known as QQAAZZ, which converted stolen money into cryptocurrency to obscure its origins.


2020-03-30

HackerOne Boots Voatz from Platform

HackerOne has "terminate[d] the [Voatz] program on the HackerOne platform." HackerOne provides a number of security services, including facilitation of bug bounty programs. Last month Voatz updated its policy with regard to HackerOne, noting that it could not guarantee safe harbor for hackers who access its live election systems. That change, along with "hostile interactions with security researchers," contributed to HackerOne's decision.

Editor's Note

There needs to be a balance between supporting research for bug identification and restricting activities which are out of scope of the bug bounty program. This typically requires an organization of some size and maturity to have the resources to manage this balance as well as verify and respond to issues discovered.

Lee Neely

Since Voatz has been discouraging bug bounty style assessment of the security of its product, and points to the Department of Homeland Security as evaluating the remote voting application, no elections should use the software until DHS completes an exhaustive evaluation, any and all issues noted are fixed, the DHS re-evaluates the app and publicly gives it a clean bill of health for state and local use.

John Pescatore

Said another way, Voatz has decided that inviting unknown "researchers" to attack its application is not a good idea.

William Hugh Murray

Internet Storm Center Tech Corner

Covid19 Domain Classifier

https://isc.sans.edu/covidclassifier.html

https://www.youtube.com/watch?v=yNIlyJ3gI-4


Attackers Mail Malicious USB Drives and Teddy Bears

https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/


Hong Kong News Sites Used to Install Malware on iOS Devices

https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/


Crashing Windows Explorer Without a Click

https://isc.sans.edu/forums/diary/Crashing+explorerexe+without+a+click/25966/


Zoom Privacy Policy

https://blogs.harvard.edu/doc/2020/03/27/zoom/


Zoom Bombing

https://www.fbi.gov/contact-us/field-offices/boston/news/press-releases/fbi-warns-of-teleconferencing-and-online-classroom-hijacking-during-covid-19-pandemic


Zoom Related Domains Used for Phishing

https://blog.checkpoint.com/2020/03/30/covid-19-impact-cyber-criminals-target-zoom-domains/