SANS NewsBites

DHS Telework Security Guidance; Oracle Patches 405 Bugs

April 14, 2020  |  Volume XXII - Issue #30

Top of the News


2020-04-10

CISA Releases Temporary Telework Security Guidance

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued temporary telework guidance "to help agencies leverage existing resources to secure their networks" as the number of federal employees working from home has increased. The Trusted Internet Connections 3.0 Interim Telework Guidance has five security objectives: manage traffic, protect traffic confidentiality, protect traffic integrity, ensure service resilience, and ensure effective response.

Editor's Note

While this guidance is set to expire at the end of 2020, and is U.S. Government focused, it provides an approach to accessing cloud and on-premise services with sufficient visibility to ensure security and compliance requirements are met, irrespective of your industry or having a formal TIC.

Lee Neely

The Trusted Internet Connections 3.0 update is still in draft but added a lot of much-needed flexibility to make it clear how agencies can do remote user access and use cloud services and still stay secure and stay compliant. Between the Managed Trusted Internet Protocol Services (MTIPS) offered by TIC ISPs on the government EIS and other contracts, and the numerous FedRAMP certified cloud-based Security as a Service offerings, government agencies have both guidance and options to make long-lasting improvements in both security and productivity for remote work forces.

John Pescatore

2020-04-13

Oracle's Quarterly Critical Patch Update - 405 Bugs

Oracle will release its quarterly Critical Patch Update on Tuesday, April 14. It addresses more than 400 vulnerabilities in a range of products. Of those, 286 are remotely exploitable.

Editor's Note

This update offers another chance to validate your ability to regression test and patch remotely, including teleworker systems. With the current enhanced remote-work state, regression testing is emphasized as in-person assistance for remediation is more complicated, if not impossible. Postponing updates is sub-optimal as we are seeing increases in malfeasance by those taking advantage of the current situation.

Lee Neely

The Rest of the Week's News


2020-04-10

Criminal Ransomware Group Publishes Data Stolen from Industrial Contractor

Cybercriminals have posted data stolen from Visser Precision, a company that manufactures parts for the aerospace, automotive, industrial, and manufacturing industries. Visser's systems were infected with ransomware earlier this year, but the company did not pay the ransom. The leaked data belong to a number of companies, including Tesla, Boeing, Lockheed Martin, and SpaceX.


2020-04-10

San Francisco Airport Website Compromised to Steal Device Credentials

Two San Francisco International Airport websites were infected with data-stealing malware last month. The hackers may have obtained the login credentials for devices belonging to some people who used the sites while they were infected. Users potentially affected by the malware are those who accessed the sites from outside the airport network using Internet Explorer on a Windows device or on a device not maintained by the airport. The malicious code has been removed from the sites, and the airport forced a reset for email and network passwords on March 23.

Editor's Note

Travelers should be aware that airports are targets of miscreants and vulnerabilities for the traveler. Airport (WiFi) networks, websites, and (USB 5v) power should be used with caution. Prefer cellular broadband and battery power.

William Hugh Murray

2020-04-10

Card Skimmers Target WooCommerce WordPress Plugin

Cybercriminals have been using JavaScript malware to skim payment card details from websites running a WordPress plugin called WooCommerce. In a separate story, the prevalence of online card skimming is rising, likely due to the increase in online shopping related to COVID-19. Data collected by Malwarebytes shows a 26 percent increase in online card skimming between February and March of this year.

Editor's Note

Judicious review of third-party applications, including plugins for your content management site, is prudent. Payment card processing plugins remain a popular target, particularly with the current world crisis. Beyond keeping plugins updated, make sure that your site and servers are also secured to prevent alternate avenues of attack. Remove unused administrative accounts, ensure strong authentication is used on active accounts, uninstall unused plugins.

Lee Neely

This is only one more of many vulnerabilities in WordPress plugins. Most WordPress plugins come without any measure or warranty of quality and should be used only with risk assessment, scrutiny, and maintenance.

William Hugh Murray

Because of the problems Murray and Neely point out, along with the fact that most WordPress users have no IT or cybersecurity expertise, WordPress and its content management system competitors have been the primary vector by which important organizations (including large numbers of city and state agencies and major non-profits) have been compromised.

Alan Paller
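As an added illustration for the skimming item above (this is not code from SANS, Malwarebytes, WordPress or WooCommerce), the following Python script shows one defensive check a site operator can run: an inventory of every script on the checkout page compared against a baseline taken after a reviewed deploy. Injected skimmers typically show up either as an external script loaded from a host the site never used, or as an inline script that was not there before. The allowlisted host, the sample checkout HTML and the two injected lines are constructed for the demonstration; the WooCommerce-style path and variable name are placeholders, not a claim about the plugin's real files.

```python
"""Baseline-and-allowlist audit of <script> elements on a checkout page.

Added example, not from the newsletter or any vendor. All inputs below are
constructed: the allowed host, the sample HTML and the injected scripts.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist: third-party hosts permitted to serve scripts to the
# checkout page. Relative (same-origin) script paths are treated as allowed.
ALLOWED_SCRIPT_HOSTS = {"cdn.example-shop.invalid"}


class ScriptInventory(HTMLParser):
    """Collect external script sources and inline script bodies from HTML."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of src= on <script> tags
        self.inline = []        # text of <script> tags without src=
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data, so this captures
        # the inline script body verbatim.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf).strip())
            self._in_script = False


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def inventory(html: str):
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def build_baseline(html: str) -> set:
    """Hashes of the inline scripts on a page that has been reviewed and deemed clean."""
    _, inline = inventory(html)
    return {sha256_hex(body) for body in inline}


def audit_page(html: str, allowed_hosts: set, baseline_hashes: set) -> list:
    """Return findings as (kind, detail) tuples; an empty list means nothing unexpected."""
    external, inline = inventory(html)
    findings = []
    for src in external:
        host = urlparse(src).netloc.lower()     # empty for relative, same-origin paths
        if host and host not in allowed_hosts:
            findings.append(("unexpected-external-script", src))
    for body in inline:
        digest = sha256_hex(body)
        if digest not in baseline_hashes:
            findings.append(("unapproved-inline-script", digest[:16]))
    return findings


# Constructed sample resembling a WooCommerce checkout page after a reviewed deploy.
CLEAN_CHECKOUT = """<html><head>
<script src="/wp-content/plugins/woocommerce/assets/js/frontend/checkout.min.js"></script>
<script src="https://cdn.example-shop.invalid/theme.js"></script>
<script>var wc_checkout_params = {"ajax_url": "/wp-admin/admin-ajax.php"};</script>
</head><body><form id="checkout"></form></body></html>"""

# Constructed "compromised" copy: one extra external script from an unknown host
# and one inline script that is absent from the baseline.
COMPROMISED_CHECKOUT = CLEAN_CHECKOUT.replace(
    "</head>",
    '<script src="https://stats.unrelated-host.invalid/a.js"></script>\n'
    '<script>console.log("constructed: script not in the baseline");</script>\n</head>',
)

if __name__ == "__main__":
    baseline = build_baseline(CLEAN_CHECKOUT)
    print("clean page:", audit_page(CLEAN_CHECKOUT, ALLOWED_SCRIPT_HOSTS, baseline))
    print("compromised page:", audit_page(COMPROMISED_CHECKOUT, ALLOWED_SCRIPT_HOSTS, baseline))
```

Run build_baseline against a copy of the page captured right after a reviewed deploy, store the hashes, and run audit_page on a schedule against the live page; any finding is a reason to inspect before assuming a plugin update explains it. Inline scripts that legitimately vary per request (nonces, cart contents) have to be templated out or excluded before hashing, otherwise the baseline never matches and the check is ignored.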

2020-04-10

Police in Netherlands Take Down DDoS-for-Hire Sites, Arrest Alleged Attacker

Police in the Netherlands have arrested a man in connection with distributed denial-of-service (DDoS) attacks against government websites there last month. Police also took down 15 DDoS-for-hire (also known as stresser or booter) websites over the course of one week.

Editor's Note

Good to see take-downs of malicious web sites and "attacks as a service" sites now, when everyone is much more dependent on online services. Even better to see ISPs turn on "cleaner pipe" services for free during these times.

John Pescatore

2020-04-13

VMware Releases Fix for Critical Vulnerability in vCenter Server

VMware has released a fix for a critical vulnerability in its VMware vCenter Server. The flaw has been given a CVSS rating of 10.0. The flaw, which lies in VMware's Directory Service (vmdir), could be exploited to bypass authentication measures and gain access to sensitive information.

Editor's Note

Read the VMware security advisory for specifics on applicability of the vulnerability. The fix is to update affected 6.7 installations to 6.7u3f.

Lee Neely

2020-04-14

Zoom to Allow Paying Users to Choose Meeting Traffic Routing

Starting Saturday, April 18, users who pay for the Zoom videoconferencing platform will be able to choose which data center regions their meeting traffic travels through. Users will not be able to opt out of their default data center region, which is where their account is provisioned. Zoom's current data center regions are the United States, Canada, Europe, India, Australia, China, Latin America, and Japan/Hong Kong.

Editor's Note

There was once a myth that "cloud makes location obsolete." It has never been true. For many reasons, location of data centers still matters. All the major enterprise-class Software as a Service and Infrastructure as a Service providers have offered data center location selection (not always for free). It is good to see Zoom listening to enterprise needs and following suit. Zoom also continues to release security improvements - important to keep up with them and ratchet up the safety of your use of Zoom.

John Pescatore

Zoom is not the only video teleconference (VTC) service which routes through distributed data centers. While the primary focus for VTCs should be secure meeting configuration, if you are covering information with location or export controls, the region needs to be appropriate to avoid penalties.

Lee Neely

The leakage of video conferencing traffic in the network is a potential risk, but for most applications and environments, this risk does not compare to the risk of improper settings and misuse.

William Hugh Murray

2020-04-13

Dell Releases BIOS Attack Detector Tool

Dell has debuted a tool that can detect attempts to modify a device's BIOS component. The SafeBIOS Events & Indicators of Attack tool will allow admins to isolate computers that may have been compromised.


2020-04-13

Google Temporarily Re-enabling FTP in Chrome

Google has decided to re-enable support for FTP in Chrome on the stable channel so users will not run into difficulties accessing information during the COVID-19 crisis. Google disabled support for FTP in Chrome 81, which was released to the stable channel less than a week ago.

Editor's Note

FTP has been broken and a vulnerability for a generation. It is an orphan. There is hardly anything legitimate that is not available via an alternate service. Its inclusion in already porous browsers is one more reason to prefer application-specific clients.

William Hugh Murray

2020-04-13

DESMI Acknowledges Cyber Attack

A Danish company that manufactures pumps for a variety of industries was hit with a cyberattack last week. All IT systems at DESMI were shut down and are now in the process of being restored with the help of third party experts. DESMI has reported the incident to authorities and police.

Internet Storm Center Tech Corner

Dynamic Analysis Technique to Get Decrypted KPOT Malware

https://isc.sans.edu/forums/diary/Reader+Analysis+Dynamic+analysis+technique+to+get+decrypted+KPOT+Malware/26010/


Comparing the Same Phishing Campaign 3 Months Apart

https://isc.sans.edu/forums/diary/Look+at+the+same+phishing+campaign+3+months+apart/26018/


VMware vCenter Server Vulnerability

https://www.vmware.com/security/advisories/VMSA-2020-0006.html


Sodinokibi Ransomware Switching to Monero

https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/


Setting 3D Printers On Fire

https://www.coalfire.com/The-Coalfire-Blog/April-2020/With-IoT-Common-Devices-Pose-New-Threats


Junos OS: vMX Default Credentials

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10998


Malware Impersonates Security Researchers

https://www.bleepingcomputer.com/news/security/new-wiper-malware-impersonates-security-researchers-as-prank/