SANS NewsBites

Vulnerability in Teams (Zoom Competitor); Sophos XG Firewall Vulnerability; Water Treatment Plant Cyberattacks

April 28, 2020  |  Volume XXII - Issue #34

Top of the News


2020-04-27

Microsoft Fixes Vulnerability in Teams (a Zoom competitor)

Microsoft has fixed a subdomain takeover flaw in its Teams communication and collaboration platform that could have been exploited to take control of vulnerable accounts. A proof-of-concept exploit demonstrated that would-be attackers could take over accounts by tricking users into viewing a maliciously crafted GIF.

Editor's Note

Teams is positioned to subsume Skype for Business as well as provide collaboration services. While collaboration is restricted to your Microsoft 365 tenant, meetings can include external (guest) participants, which necessitated providing support for sharing images in the chat channel. The token needed for the attack to work is good for only an hour, but is renewed each time the GIF is viewed. Exploiting this weakness is difficult, due to the requirement for identifying a vulnerable Microsoft Teams subdomain. Microsoft claims to have secured those domains and added anti-exploitation measures.

Lee Neely

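The hard step the note describes, finding a takeover-able subdomain, usually comes down to a DNS name that still aliases (CNAME) a host nobody operates any more. The following is an added example, not code from the original page, from CyberArk or from Microsoft, of auditing a zone you run for that condition. The zone lines and the host names in them are constructed, and the `resolver` argument is a hook so the check can be exercised offline; the real lookup goes through `socket.getaddrinfo`.

```python
import socket

# Constructed sample zone export in a simple "name TYPE target" form.
# None of these names are real records.
SAMPLE_ZONE = """\
; constructed sample, not a real zone
www.example.com.        CNAME  web-prod.example.com.
old-demo.example.com.   CNAME  retired-app.hosting-provider.example.
api.example.com.        A      192.0.2.10
"""


def parse_zone(text):
    """Return (name, rtype, target) tuples; skips blank lines and ';' comments."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        records.append((parts[0], parts[1].upper(), parts[2]))
    return records


def resolves(name):
    """True if the name has at least one address; False when resolution fails
    (NXDOMAIN and similar errors surface as socket.gaierror)."""
    try:
        socket.getaddrinfo(name.rstrip("."), None)
        return True
    except socket.gaierror:
        return False


def find_dangling_cnames(records, resolver=resolves):
    """Return (owner, target) pairs for CNAMEs whose target no longer resolves.
    These are takeover candidates to review, not confirmed takeovers."""
    dangling = []
    for name, rtype, target in records:
        if rtype == "CNAME" and not resolver(target):
            dangling.append((name, target))
    return dangling


if __name__ == "__main__":
    # Offline run: pretend only the production web host still resolves.
    still_resolves = {"web-prod.example.com."}
    for owner, target in find_dangling_cnames(parse_zone(SAMPLE_ZONE),
                                              resolver=lambda t: t in still_resolves):
        print(f"dangling: {owner} -> {target}")
```

A target that fails to resolve is only a candidate: whether an outsider can claim it depends on the provider that owns the target name, so the output is a review list. Run it against the zone as exported from your DNS provider rather than against a hand-typed inventory, since the records nobody remembers are exactly the ones that dangle.
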
2020-04-27

Sophos Fixes XG Firewall Vulnerability

Sophos has released a patch to fix an SQL injection vulnerability in its XG Firewall that was being actively exploited. Hackers were using the flaw to install a malicious payload, which then exfiltrated sensitive data. Sophos pushed out the hotfix to all supported versions of the XG Firewall that have enabled automatic hotfix installations.

Editor's Note

OWASP has documented how difficult it is to do complete input checking at the application layer because the developer usually cannot know the environment in which the application will run. Therefore, every layer in the stack must parse its own input. That said, SQL injection attacks exploit the failure of the application layer to check for SQL commands in the input.

William Hugh Murray

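The vulnerable pattern behind a SQL injection, beside the fix, as an added example that is not code from the original page or from Sophos. It uses Python's built-in `sqlite3` against a constructed in-memory user table. The middle variant, which rejects inputs containing SQL keywords, is included to show why screening input for "SQL commands" is not by itself a fix: the bypass payload contains no keyword at all. The only version that holds up is the one that binds values as parameters so the database never parses them as SQL.

```python
import sqlite3


def make_demo_db():
    """Constructed sample user table; not data from any real system."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """String-built query: attacker-controlled text is parsed as SQL."""
    sql = ("SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


# A denylist of "SQL commands", the kind of check that is often bolted on.
BLOCKED_WORDS = ("select", "union", "insert", "update", "delete", "drop", "--", ";")


def login_denylist(conn, username, password):
    """Same string-built query, but rejects input containing blocked words.
    Still injectable: "' OR 'a'='a" needs no keyword at all."""
    for value in (username, password):
        if any(word in value.lower() for word in BLOCKED_WORDS):
            return None
    return login_vulnerable(conn, username, password)


def login_safe(conn, username, password):
    """Parameterized query: values are bound, never interpreted as SQL."""
    sql = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_demo_db()
    comment_payload = "alice' --"            # comments out the password check
    tautology = "' OR 'a'='a"                # no keyword, true for every row
    print("vulnerable, comment payload:", login_vulnerable(db, comment_payload, "x"))
    print("denylist, comment payload:  ", login_denylist(db, comment_payload, "x"))
    print("denylist, tautology:        ", login_denylist(db, tautology, tautology))
    print("safe, tautology:            ", login_safe(db, tautology, tautology))
    print("safe, real credentials:     ", login_safe(db, "alice", "s3cret"))
```

The same lesson applies to a firewall's management interface as to any other application: the layer that builds the query is the one that must keep data and code apart, and a parameterized statement does that regardless of what upstream filters let through.
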
2020-04-27

Israeli Government Warns Water Treatment Plants of Cyberattacks

Hackers have reportedly launched attacks against wastewater treatment facilities, pumping stations, and sewers in Israel. An alert from the Israeli National Cyber-Directorate (INCD) is urging employees at water and energy facilities in that country to change their passwords for all Internet-connected systems. The Israeli government Water Authority and the country's Computer Emergency Response Team (CERT) have also released alerts.

The Rest of the Week's News


2020-04-27

Expired Certificate Causes Problems for Rabobank Android App Users in Australia

An expired security certificate prevented Australian Rabobank customers from accessing their bank accounts on Android mobile devices. The security certificate issue has been addressed and an updated version of the app has been released.

Editor's Note

SSL certificate management is easy if you use only one Certificate Authority, because most CAs provide tools to track the certificates you bought from them. However, it is very rare for larger organizations to have only one source of SSL certificates in use. So, discovery and expiry tracking are too often done, if done at all, in manually updated spreadsheets or via the "Oops" method, as happened to Rabobank. Commercial certificate management products are available from vendors like Entrust DataCard, ManageEngine, SolarWinds, Venafi and others with free trial offers.

John Pescatore

If you're embedding certificates in applications at the endpoint, such as a mobile device, particularly for customer-managed devices, the method for updating that certificate must be documented and verified. To offset the impacts of reduced staffing, the Rabobank team has set up an email list (clienservicesAU@rabobank.com) for users to request help.

Lee Neely

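The expiry tracking both notes ask for, done from the server side rather than a spreadsheet, as an added example that is not code from the original page or from Rabobank. It uses only the Python standard library: `ssl.cert_time_to_seconds` parses the `notAfter` string that `getpeercert()` returns, and the `fetch` argument lets the audit run offline against constructed certificate records. Verification is deliberately left on, since with `CERT_NONE` Python returns an empty dict from `getpeercert()`; a server whose certificate has already expired therefore shows up as a failed handshake, which the audit records rather than skips.

```python
import socket
import ssl
import time

SECONDS_PER_DAY = 86400.0


def days_until_expiry(cert, now=None):
    """Days left on a getpeercert()-style dict; negative once notAfter has passed."""
    if now is None:
        now = time.time()
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return (expires - now) / SECONDS_PER_DAY


def classify(cert, warn_days=30, now=None):
    """'expired', 'expiring' (within warn_days) or 'ok'."""
    days = days_until_expiry(cert, now)
    if days <= 0:
        return "expired"
    if days <= warn_days:
        return "expiring"
    return "ok"


def fetch_cert(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a server presents, as a getpeercert() dict.
    Verification stays enabled: with CERT_NONE getpeercert() returns {}."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(inventory, warn_days=30, fetch=fetch_cert, now=None):
    """One report row per (host, port). A verification failure (an expired
    certificate is the usual cause, reported as 'certificate has expired')
    is recorded as its own status instead of being dropped."""
    rows = []
    for host, port in inventory:
        try:
            cert = fetch(host, port)
        except ssl.SSLCertVerificationError as exc:   # subclass of SSLError: catch first
            detail = getattr(exc, "verify_message", None) or str(exc)
            rows.append({"host": host, "port": port, "status": "verify_failed", "detail": detail})
            continue
        except OSError as exc:                         # covers socket errors and other SSLError
            rows.append({"host": host, "port": port, "status": "unreachable", "detail": str(exc)})
            continue
        rows.append({
            "host": host, "port": port,
            "status": classify(cert, warn_days, now),
            "days_left": round(days_until_expiry(cert, now), 1),
        })
    return rows


# Constructed certificate records for offline use; these hosts do not exist.
SAMPLE_CERTS = {
    "good.example": {"notAfter": "Jun 30 23:59:59 2021 GMT"},
    "soon.example": {"notAfter": "Jan 10 00:00:00 2021 GMT"},
}


def demo_fetch(host, port=443):
    """Stand-in for fetch_cert that never touches the network."""
    if host == "expired.example":
        raise ssl.SSLCertVerificationError("certificate verify failed: certificate has expired")
    if host not in SAMPLE_CERTS:
        raise OSError(f"constructed: no route to {host}")
    return SAMPLE_CERTS[host]


if __name__ == "__main__":
    # Pretend it is 2021-01-05 00:00:00 UTC so the sample data is meaningful.
    pretend_now = 1609804800
    inventory = [(h, 443) for h in ("good.example", "soon.example", "expired.example", "gone.example")]
    for row in audit(inventory, warn_days=30, fetch=demo_fetch, now=pretend_now):
        print(row)
```

Feed `audit` the hostnames from DNS and load-balancer configuration rather than a list someone maintains by hand; the certificate that expires unnoticed is the one that was never written down. This sees only what a server presents on the wire, so a certificate pinned or bundled inside a mobile app, the case the second note raises, needs its own entry in the inventory with the app release that will rotate it.
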
2020-04-27

Hupigon RAT Spear Phishing Campaign

A phishing campaign aiming to spread the Hupigon remote access Trojan (RAT) has been targeting users in multiple sectors, including faculty and students at US colleges and universities. In the past the Hupigon RAT has been linked to hackers working on behalf of China's government.


2020-04-27

Shade Ransomware Operators Stop Development, Release Decryption Keys

The operators responsible for ransomware known as Shade say they have stopped developing and distributing the malware. They have created a GitHub repository that includes decryption keys. Shade, also known as Troldesh, has been associated with Russian hackers.

Editor's Note

The Shade ransomware was often sold to others for use, but active use of that strain seems to have ended at the close of 2019. The decryption keys have been verified and may be incorporated into third-party decryption tools. The group also published instructions for decryption of files on systems still impacted by Shade.

Lee Neely

2020-04-27

Hackers Stole Data From Chinese Firm Conducting COVID-19 Research

Hackers have stolen data from Huiying Medical, a Chinese company that is developing COVID-19 screening technology that uses artificial intelligence. Some of the stolen information has been offered for sale on the dark web. The compromised data include technology source code and reports.


2020-04-27

Ransomware Hits Hospital in Colorado

Parkview Medical Center in Pueblo, Colorado, was the victim of a ransomware attack last week. On Monday, April 27, the hospital's website said the facility was "currently experiencing a network outage."


2020-04-27

In Wake of Ransomware Attack, Hackers Post Information Stolen From Pharmaceutical Outsourcing Company

Hackers have published data taken from systems at Pennsylvania-based ExecuPharm. The company suffered a ransomware attack in mid-March.

Editor's Note

Add the CLOP ransomware group to the list of entities that will publish your data if they are not paid. There is no known decryption tool for the CLOP ransomware. ExecuPharm rebuilt their systems and implemented measures, including password resets, multi-factor authentication and updated endpoint protection to prevent recurrence, avoiding paying the ransom. Read the letter to the Vermont Attorney General for a description of the data exfiltrated.

Lee Neely

2020-04-27

Ransomware Targets Architecture Firm

Systems at Zaha Hadid Architects (ZHA), a London-based firm, were the target of a ransomware attack last week. ZHA has brought in a cyber forensics team to investigate the incident. ZHA appears not to have paid the demanded ransom.


2020-04-27

No Fix Available for WordPress OneTone Theme Vulnerability

Hackers are exploiting an unpatched cross-site scripting issue in the OneTone WordPress theme to create backdoor admin accounts. The vulnerability was detected in September 2019; the developer did not release a fix. WordPress delisted the free version of the OneTone theme in October 2019.

Editor's Note

The OneTone theme plugin has not been updated since 2018. While replacing the theme of a web site can be painful, being compromised is even more painful. Plugins need to be on your software support watch list, and just like other layered products, replaced or removed when they reach end-of-life.

Lee Neely

Internet Storm Center Tech Corner

Malware Bazaar

https://isc.sans.edu/forums/diary/MALWARE+Bazaar/26052/


Powershell Payload Stored in a PSCredential Object

https://isc.sans.edu/forums/diary/Powershell+Payload+Stored+in+a+PSCredential+Object/26058/


CIRA Launches Canadian Shield

https://www.cira.ca/newsroom/canadian-shield/cira-launches-canadian-shield-provide-free-privacy-and-security-canadians


Microsoft Teams Account Takeover Bug

https://www.cyberark.com/threat-research-blog/beware-of-the-gif-account-takeover-vulnerability-in-microsoft-teams/


COVID-19 Tracing Protocols

https://github.com/DP-3T/documents

https://www.pepp-pt.org/content

https://www.apple.com/covid19/contacttracing/


Sophos XG Firewall SQL Injection Vulnerability Exploited

https://community.sophos.com/kb/en-us/135412


USB Drives Used to Spread Crypto Coin Mining Botnet

https://www.welivesecurity.com/2020/04/23/eset-discovery-monero-mining-botnet-disrupted/