SANS NewsBites

US/UK Joint Advisory on COVID-19 Cyber Attacks; Interpol: Cyber Threat to Organizations Involved in COVID-19 Response; Working From Home Increases RDP Exposure

April 10, 2020  |  Volume XXII– Issue #29

Top of the News


2020-04-08

US and UK Issue Joint Advisory on COVID-19-Related Cyber Attacks

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) have issued a joint advisory warning of an increasing volume of cyberattacks exploiting the spread of COVID-19. Cybercriminals have been sending phishing emails that pretend to come from the World Health Organization, or claim to be offering medical equipment.

Editor's Note

The joint advisory covers 4 vectors of observed attacks taking advantage of the current coronavirus situation: (1) Phishing; (2) Targeted Malware; (3) Registration of phony domain names; and (4) Attacks against VPNs, RDP and remote access in general. There are individual news items in this issue of Newsbites on each area with more detailed comments, but the overall theme should be: crank security up a notch - now is the time to risk more false positives until your organization's work and IT processes/temporary architectures have stabilized. SANS continues to add resources to the free Security Work-From-Home Awareness Deployment kit at https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit and there are daily webcasts on the topic at https://www.sans.org/webcasts/

John Pescatore

The CISA bulletin includes fairly comprehensive lists of attacks seen, IOCs, mitigations as well as resources to help mitigate the risks of COVID-19 related malfeasance.

Lee Neely

2020-04-08

Interpol Warning of Malware Threat to Organizations Involved in COVID-19 Response

Interpol is warning organizations that are helping with the response to COVID-19 that they are being targeted by ransomware. Interpol has also issued a Purple Notice to inform police in its 194 member countries about the increased threat of ransomware against hospitals and other organizations.

Editor's Note

Employees working at home are very unlikely to be rigorous about backing up any newly created information they might develop on their home PCs. Guidance on existing or temporary (such as using cloud storage capabilities of corporate Office365/Dropbox etc. services) should be pushed out.

John Pescatore

2020-04-09

More People Working From Home Has Increased Remote Desktop Protocol Internet Exposure

Hackers are taking advantage of the increased exposure of the remote desktop protocol (RDP) due to people working from home. In late March, Shodan noted an increase in exposed RDP services. If RDP is going to be exposed to the Internet, it should be carefully configured.

Editor's Note

Last year Johannes Ullrich and the SANS Internet Storm Center posted a good writeup about RDP security - it was focused on the Bluekeep vulnerability but has good general purpose advice for reducing the risk if you have to use RDP: https://isc.sans.edu/forums/diary/An+Update+on+the+Microsoft+Windows+RDP+Bluekeep+Vulnerability+CVE20190708+now+with+pcaps/24960/ (An Update on the Microsoft Windows RDP "Bluekeep" Vulnerability (CVE-2019-0708) [now with pcaps])

John Pescatore

Having users connect to a VPN or other security gateway first, which they then use to access an RDP session, protects the RDP server from direct attacks. Exposing port 3389 to the Internet creates a highly attractive target. Additionally, ensure that strong (e.g. multi-factor) authentication is required before access is granted, to prevent use of discovered credentials. Follow security best practice guides. Implement monitoring and alerting for awareness of unexpected activities. Whether or not you can change your implementation, verify that the security monitoring and controls you have implemented are working.

Lee Neely

Connect to applications, not "desktops." Prefer end-to-end application layer encryption. Prefer the production of work product on enterprise owned and managed systems; employee owned computers should be used only for the remote operation of enterprise applications.

William Hugh Murray

The Rest of the Week's News


2020-04-07

Suspected Malicious Domains Suspended

UK domain name registry Nominet has suspended the registration of about 600 websites due to concerns that they may be designed to spread COVID-19 misinformation or to sell phony products. Rather than waiting until a domain has been reported as malicious, Nominet is scrutinizing websites with names that contain COVID-19-related strings. Nominet does this with the help of its Domain Watch initiative, which uses both automated and manual checking for suspicious domains.

Editor's Note

Help us at SANS Internet Storm Center find some of the scams and phishing sites trying to take advantage of COVID19. We improved our "domain classifier". It now includes screen shots of the sites so you don't have to visit them. To help, go to https://isc.sans.edu/covidclassifier.html. Several domains identified by volunteers have already been shut down.

Johannes Ullrich

All the registries should be more aggressive and proactive now - kudos to Nominet. Settings in web security gateways should be moved up in aggressiveness and frequency of updates. The OpenDNS (now part of Cisco) Family Shield or Home DNS-based web blocking services are still free, as are similar home-based capabilities from CleanBrowsing.org, Cloudflare and many major security vendors.

John Pescatore

According to SpyCloud researchers, over 136,000 COVID-19 themed domains have popped up since December 2019. Many are merely placeholder domains for future uses. As few as 22% of these domains use HTTPS. https://spycloud.com/resource/covid19-domain-dataset/

Lee Neely
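
To show what the automated side of a check like Nominet's or the ISC classifier's might look like, here is an added example (mine, not Nominet's Domain Watch or the ISC classifier code) that normalizes candidate domain names, looks for pandemic-related strings, and ranks hits by the lure vocabulary they are combined with. The keyword lists, the benign-word exclusions and the sample domains are constructed for illustration; a real pipeline would feed the output to a human reviewer rather than suspend on its own.

```python
"""Triage newly seen domain names for COVID-19 themed lures.
Added example with constructed keyword lists and sample domains."""
import re

# Digit-for-letter swaps seen in lookalike names. "5"->"s" is deliberately left out
# so that a term like "n95" survives normalization.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a"})
PANDEMIC_TERMS = ("coronavirus", "corona", "covid", "ncov", "sarscov", "pandemic")
# Ordinary words that contain a pandemic term and would otherwise be false positives.
BENIGN_WORDS = ("coronation", "coronado", "coronary")
# Lure vocabulary -> the kind of scam it usually signals (hypothetical categories).
LURE_TERMS = {
    "vaccine": "fake remedy", "cure": "fake remedy", "treatment": "fake remedy",
    "mask": "ppe sale", "n95": "ppe sale", "sanitizer": "ppe sale", "testkit": "ppe sale",
    "relief": "financial", "stimulus": "financial", "refund": "financial",
    "donate": "charity fraud",
    "login": "credential phishing", "verify": "credential phishing", "account": "credential phishing",
}

SAMPLE_DOMAINS = [            # constructed, .example is reserved for documentation
    "c0vid-19-vaccine-order.example",
    "coronavirus-relief-fund-login.example",
    "n95masks-corona.example",
    "covid19-statistics.example",
    "coronation-street-fans.example",
    "corvette-parts.example",
]


def normalize(domain):
    """Lowercase, drop the TLD, strip separators, undo leet swaps, remove benign words."""
    name = domain.lower().strip(".")
    name = name.rsplit(".", 1)[0]              # keep every label except the TLD
    name = re.sub(r"[^a-z0-9]", "", name)      # hyphens and dots are used to hide keywords
    name = name.translate(LEET)
    for word in BENIGN_WORDS:
        name = name.replace(word, "")
    return name


def classify(domain):
    """Return a triage record for pandemic-themed names, or None for everything else."""
    name = normalize(domain)
    pandemic = [t for t in PANDEMIC_TERMS if t in name]
    if not pandemic:
        return None
    lures = sorted({cat for term, cat in LURE_TERMS.items() if term in name})
    return {"domain": domain, "normalized": name, "pandemic_terms": pandemic,
            "lures": lures, "priority": "high" if lures else "review"}


def triage(domains):
    """Classify a batch and order it so the names combining a theme with a lure come first."""
    hits = [c for c in map(classify, domains) if c]
    order = {"high": 0, "review": 1}
    return sorted(hits, key=lambda c: (order[c["priority"]], c["domain"]))


if __name__ == "__main__":
    for hit in triage(SAMPLE_DOMAINS):
        print(f"{hit['priority']:6} {hit['domain']:40} {', '.join(hit['lures']) or '-'}")
```

The "coronation" case is the one worth noticing: substring matching on a pandemic term alone would queue a fan site for review, which is exactly the kind of false positive that turns a proactive registry check into a complaints backlog.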

2020-04-09

Travelex Paid Ransomware Demand in January 2020

According to a report in the Wall Street Journal, London-based currency exchange Travelex paid a 285 bitcoin (the equivalent of $2.3 million at the time of the payment) ransom to regain access to its systems after a ransomware attack earlier this year. (Please note that the WSJ story is behind a paywall.)


2020-04-07

Hammersmith Sending Breach Notifications in Wake of Ransomware Attack

UK-based Hammersmith Medicines Research has begun notifying individuals that their personal information was stolen/compromised in a ransomware attack. The hackers published the stolen data on their website, which has since been taken down. Hammersmith is slated to test potential COVID-19 vaccines.


2021-01-27

Microsoft Buys Corp.com Domain

Microsoft has agreed to buy the Corp.com domain to keep it out of the hands of potential criminals. The issue is namespace collision, a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet.



2020-04-09

Visa: Upgrade Magento

Visa is encouraging online retailers to migrate to the Magento 2.x ecommerce platform before Adobe ends support for Magento 1.x in June 2020. Visa warns that sites that have not migrated to Magento 2.x by the June cutoff date risk exposing payment card information to breaches and will no longer be PCI compliant.

Editor's Note

Adobe's Magento has a history of multiple critical vulnerabilities that are exploited by attackers to steal credit card numbers. Magento 2 was released a few years ago, and support for Magento 1 will end in July. Adobe has given its Magento customers plenty of warning to switch over to Magento 2.

Johannes Ullrich

2020-04-09

Malicious Website Spoofs Malwarebytes, Spreads Malware

Malicious actors set up a phony Malwarebytes website that attempts to infect visitors' computers with information stealing malware known as Raccoon. Malwarebytes' Threat Intelligence Team examined the phony site's source code, noting "that someone stole the content from our original site but added something extra."



2020-04-08

xHelper Android Trojan is Persistent

Android malware known as xHelper is proving difficult to get rid of. It spreads by posing as smartphone clean-up and speed-enhancing apps in unofficial app stores, affecting Android 6 and 7 devices in Russia, Europe, and parts of Asia. xHelper stays on devices even after it has been deleted and the factory settings have been restored.

Editor's Note

The best protection is to only install apps from the official App Store. Do not enable third party app stores or side-loading of applications. Keep device hardware and software updated to ensure current protections are in place on your device. You should be running Android 9 or higher. This application obtains root privileges and mounts the root file system read-write so it can be written to persistent storage outside the user area, thus surviving a device reset.

Lee Neely

2020-04-09

Firefox and Chrome Browser Updates

Mozilla and Google have released a second set of updates for their Firefox and Chrome browsers. The Firefox updates include fixes for six security issues, three high risk and three moderate risk. Users are urged to update to Firefox 75 and Firefox ESR 68.7. Google's update for Chrome addresses 32 security issues. Chrome 81 was originally scheduled to be released on March 17, but was delayed until April 7.

Editor's Note

The new ESR 68.7 introduces features to use the client certificate store on the Mac and exclude domains from the Trusted Recursive Resolver (TRR) using DNS over HTTPS. Using OS Certificate stores is a win over having to provision certificates to both the OS and the provisioned browser and avoids inconsistencies in trust.

Lee Neely

2020-04-09

Bisq Cryptocurrency Exchange Temporarily Halts Trading After Theft

The Bisq cryptocurrency exchange temporarily stopped trading after hackers exploited a critical vulnerability and stole $250,000 in Bitcoin and Monero from users. A network update had introduced a flaw that allowed the thieves to direct funds to wallets they controlled. The incident was detected the evening of Tuesday, April 7; trading resumed the following day.


2020-04-09

SEC Settles EDGAR Hack Complaint Against Two Traders

The US Securities and Exchange Commission has settled a complaint against two traders who accessed the SEC's EDGAR electronic filing system and viewed corporate earnings information before it became public. David Kwon and Igor Sabodakha used that information to make trades. Kwon and Sabodakha have agreed to repay their profits and pre-judgment interest from the illegal trades. Sabodakha has also agreed to pay a civil penalty. (Please note that the WSJ story is behind a paywall.)

Internet Storm Center Tech Corner

RDP Scanning Increase

https://isc.sans.edu/forums/diary/Increase+in+RDP+Scanning/25994/


Spoofing OS Fingerprints

https://isc.sans.edu/forums/diary/Performing+deception+to+OS+Fingerprint+Part+1+nmap/25960/


German Malspam Pushes ZLoader Malware; Decrypting HTTPS

https://isc.sans.edu/forums/diary/German+malspam+pushes+ZLoader+malware/25996/


Atlassian Advises Users To Secure Jira Service Desk

https://community.atlassian.com/t5/Jira-Service-Desk-articles/Tips-for-setting-customer-permissions-in-Jira-Service-Desk/ba-p/1340617


Android Updates

https://support.google.com/pixelphone/thread/38337876


Microsoft Purchases Corp.com

https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-guys-cant/


Microsoft Delaying Removal of Basic Authentication from Exchange Online

https://techcommunity.microsoft.com/t5/exchange-team-blog/basic-authentication-and-exchange-online-april-2020-update/ba-p/1275508


Dark Nexus Botnet

https://www.bitdefender.com/files/News/CaseStudies/study/319/Bitdefender-PR-Whitepaper-DarkNexus-creat4349-en-EN-interactive.pdf


Dell iDRAC Patch

https://www.dell.com/support/article/de-de/sln320717/dsa-2020-063-idrac-buffer-overflow-vulnerability?lang=en


VISA Ends Magento 1 Support (PDF)

https://usa.visa.com/content/dam/VCOM/global/support-legal/documents/acquirer-advisory-magento-migration.pdf


Slack WebRTC TURN Compromise

https://www.rtcsec.com/2020/04/01-slack-webrtc-turn-compromise/


COVID 19 Domain Classifier

https://isc.sans.edu/covidclassifier.html