SANS NewsBites

U.K. Launches Virtual Cyber School, Students Become Cyber Protection Agents; Ransomware Targeting Healthcare and Cited in SEC Filings

May 1, 2020  |  Volume XXII - Issue #35

Top of the News


2020-05-01

U.K. Launches Virtual Cyber School

The UK Government is inviting all high school students in England, Scotland, Wales, and Northern Ireland to join a virtual cyber security school as part of plans to make sure the country develops the next generation of professional cyber defenders. At a time when schools remain closed to most children, the online initiative aims to inspire future talent to work in the cyber security sector and give students a variety of extracurricular activities they can do from the safety of their homes. By becoming gamified "cyber protection agents," teens learn how to crack codes, fix security flaws and dissect criminals' digital trails while progressing through the game as a cyber agent. This will help them develop important skills needed for future jobs, particularly in cyber security.

Editor's Note

This program also will enable the UK to identify and nurture elite cyber talent early, just as the Israeli government identifies and supports young cyber talent who are then guided into its world-class national cyber programs. Talented students spend hundreds of hours demonstrating their high aptitude for success in cybersecurity and honing their cyber skills.

Alan Paller

2020-04-28

Ransomware Groups Targeting Healthcare Organizations

Research from Microsoft shows that ransomware groups are increasingly targeting healthcare organizations and other critical industries. Several of the groups gained access to targeted systems months before they launched the attacks.

Editor's Note

The Microsoft blog entry starts off with a useful checklist of the patch vulnerabilities (and misconfigurations) being exploited: CVE-2019-11510, CVE-2019-0604, CVE-2020-0688 and CVE-2020-10189. Especially if you are in healthcare, good to check those - they include vulnerabilities in security perimeter equipment. Johannes Ullrich of SANS covered this area in his portion of the SANS Threat panel at the RSA conference, and SANS just published a white paper with more detail on that and other current attack trends emphasizing ransomware - available at https://www.sans.org/webcasts/top-attacks-threat-report-112665.

John Pescatore

2020-04-30

Ransomware Mentioned More Frequently in SEC Filings

More than 1,000 US Securities and Exchange Commission (SEC) filings over the past year have listed ransomware as a potential risk factor. Reasons for the increased mentions of ransomware include 2018 SEC guidance asking that companies be more forthcoming about the cybersecurity risks they face; ransomware groups targeting organizations rather than individuals; and significant increases in the amount of money the ransomware groups are demanding.

Editor's Note

SEC filings are getting to be like drug commercials on TV - more time spent on the risks than on the benefits! The first time I remember ransomware being mentioned in an SEC filing was after the FedEx TNT Express business unit suffered a $300M outage due to NotPetya back in 2017. Now, it is just part of a long litany of risks. The National Association of Corporate Directors reports that about 1/3 of SEC filings have already included mention of Coronavirus impact.

John Pescatore

The Rest of the Week's News


2020-04-28

Contact Tracing Technology Raises Concerns

Several groups have expressed concerns about privacy issues in contact tracing apps, which are being developed to let people know if they have come in contact with someone who has COVID-19. The Electronic Frontier Foundation (EFF) is concerned that the COVID-19 contact tracing technology being developed by Apple and Google could be used by malicious actors to gather private information. In the UK, scientists and researchers have signed a joint statement expressing concerns about the NHS's plans to use a contact tracing app, saying that the technology should be analyzed by experts in privacy and security. And in Australia, security experts who examined the COVIDSafe app say that it presents privacy and security issues.

Editor's Note

Any app used for something as critical as infection contact tracing needs to be bulletproof - written with security as a top priority and thoroughly reviewed and tested by experts. But there will need to be some individual privacy tradeoffs accepted to make gains in reopening economies while limiting new outbreaks.

John Pescatore

A Washington Post study found that 3 of 5 Americans say they are unwilling or unable to use the infection alert system under development by Apple and Google, which may impede or undermine the mission of these applications. Without verifiable claims of proper privacy and security handling, wide-spread adoption may be impossible. https://www.washingtonpost.com/technology/2020/04/29/most-americans-are-not-willing-or-able-use-an-app-tracking-coronavirus-infections-thats-problem-big-techs-plan-slow-pandemic/.

Lee Neely

When people are concerned for the health of their families, they make compromises on other priorities. If using a tracing app will allow them to keep their families safe, my guess is that a vast majority of people will accept some lessening of their privacy.

Alan Paller

2020-04-28

Adobe Releases Fixes for Vulnerabilities in Magento, Illustrator, and Bridge

Adobe has fixed a total of 35 vulnerabilities in its Magento, Illustrator, and Bridge products. Twenty-five of the flaws are rated critical; some of these could be exploited to allow remote code execution. These updates were released outside of Adobe's scheduled monthly updates.


2020-04-29

Estonian Internal Security Service Report Discloses Email Compromise

According to a recently published report from the Estonian Internal Security Service, hackers hijacked "a small number of [Mail.ee] email accounts belonging to persons of interest to a foreign country." The incident occurred last year, and the vulnerability the hackers exploited at Mail.ee has been fixed.


2020-04-28

Microsoft Warns of Malware in Pirated Movie Files

Bootlegged movies on some torrent sites have been found to contain malware, according to a warning from Microsoft. The attack appears to be primarily targeting users in Spain, Mexico, and South America. The malware tries to install cryptocurrency mining software on infected devices.

Editor's Note

Explaining the down-side of pirated movie sites can be very challenging for older or financially limited friends and family members looking for home entertainment. The risk of malware causing harm that costs them more in the long run than a legitimate streaming service may be a sufficient enticement. You may need to hand-hold users through the process to ensure they are no longer accessing sources of pirated content.

Lee Neely

Good to use this one to remind those working at home that if they or anyone in their house is trying to save $5 to $20 a month by going to the pirated video sites (often with dodgy domain extensions) then every computer on their home network is at risk of compromise. Paying for a few months of streaming services while everyone is stuck at home will be way less expensive in the long run.

John Pescatore

2020-04-27

Fix Available for WordPress Real-Time Find and Replace Plugin Vulnerability

A cross-site request forgery vulnerability in the WordPress Real-Time Find and Replace plugin could be exploited "to inject a new administrative user account, steal session cookies, or redirect users to a malicious site." The flaw allows attackers to replace code on vulnerable websites. The issue was detected earlier this month and the developer has addressed the vulnerability; users are urged to update to Real-Time Find and Replace version 4.0.2.

Editor's Note

Plugin issues will continue. Beyond keeping them updated, assessing their value add versus the risk of compromise should be performed at least annually. Retired and unused plugins should be uninstalled, not just disabled, to leave no trace of potentially exploitable code.

Lee Neely

2020-04-30

Updates Available to Address Flaws in WordPress Remote Learning Plugins

Researchers have found critical flaws in three WordPress plugins used for online learning: LearnPress, LearnDash, and LifterLMS. The vulnerabilities could be exploited to change grades, steal information, cheat on exams, or elevate privileges. There are updated versions for all three plugins that address the flaws.


2020-04-27

Twitter Eliminates SMS Services in Most Countries

Twitter has switched off its Twitter via SMS service in most countries around the world due to security concerns. Twitter has also purged millions of dormant accounts that had been created over SMS. Twitter temporarily eliminated the ability to tweet via text last fall after CEO Jack Dorsey's account was hijacked. Twitter is still using SMS for two-factor authentication and account verification.

Editor's Note

The security of out-of-band mechanisms, such as the distribution of one-time passwords via SMS and e-mail, relies in part upon the control exercised by those who provision addresses and phone numbers and those who maintain account profiles. The success of so-called "SIM-swapping" attacks suggests that those people are no less vulnerable to "social engineering" than those who click on the bait in "phishing" messages. All security mechanisms should be relied upon only in the context of their limitations.

William Hugh Murray

2020-04-22

Switzerland's GovCERT Warns of Phishing Schemes Targeting Domain Owners

Switzerland's Computer Emergency Response Team (GovCERT) has issued a warning about phishing attacks targeting webmasters and domain owners. GovCERT has seen an uptick in the attacks since the beginning of April. The phishing emails have been written in German or French. Users and hosting providers are urged to enable two-factor authentication as well as other steps to protect their accounts.

Editor's Note

We know that some of the worst security is practiced by administrators. They are likely to have too much privilege and are more likely than most to share IDs and passwords. In addition to strong authentication, Privileged Access Management systems and multi-party controls are indicated.

William Hugh Murray

2020-04-30

CISA Updates Office 365 Security Best Practices to Address Telework Concerns

The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has updated its security best practices for Microsoft Office 365. The update specifically addresses configuration issues that arise from migrating to cloud-based collaboration.

Editor's Note

Many organizations have implemented cloud-based services quickly in response to the pandemic. Guides like this should be leveraged to make sure that you have implemented minimum security settings. Tyler Robinson from NISOS suggested I also share NSA's recently published guide for safely selecting and using collaboration services, Selecting and Safely Using Collaboration Services for Telework (PDF): https://media.defense.gov/2020/Apr/24/2002288653/-1/-1/0/CSI-SELECTING-AND-USING-COLLABORATION-SERVICES-SECURELY-SHORT-FINAL.PDF

Lee Neely

Internet Storm Center Tech Corner

Agent Tesla Delivered by the Same Phishing Campaign for Over a Year

https://isc.sans.edu/forums/diary/Agent+Tesla+delivered+by+the+same+phishing+campaign+for+over+a+year/26062/


Privacy Preserving Protocols to Trace Covid19 Exposure

https://isc.sans.edu/forums/diary/Privacy+Preserving+Protocols+to+Trace+Covid19+Exposure/26066/


Collecting IOCs from IMAP Folder

https://isc.sans.edu/forums/diary/Collecting+IOCs+from+IMAP+Folder/26070/


Attack Traffic on TCP Port 9673

https://isc.sans.edu/forums/diary/Attack+traffic+on+TCP+port+9673/26074/


Google Chrome Update

https://chromereleases.googleblog.com/2020/04/stable-channel-update-for-desktop_27.html

https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnotes-security



Updated Version of Sysmon

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon

https://techcommunity.microsoft.com/t5/sysinternals-blog/sysmon-v11-0-livekd-v5-63-process-explorer-v16-32-coreinfo-v3-5/ba-p/1345153



Microsoft Guidance For Ransomware Response

https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/



Adobe Security Patches

https://helpx.adobe.com/security.html



VMWare ESXi Patch

https://www.vmware.com/security/advisories/VMSA-2020-0008.html



Shade Ransomware Keys Released

https://github.com/shade-team/keys/blob/master/README.md



Exploiting the Exploiters

https://medium.com/@curtbraz/exploiting-the-exploiters-46fd0d620fd8



Saltstack Authorization Bypass

https://labs.f-secure.com/advisories/saltstack-authorization-bypass



Mac Sandbox Escape

https://lapcatsoftware.com/articles/sandbox-escape.html