SANS NewsBites

8,300 Attend Virtual ICS Conference; US Executive Order on Grid Security; Hackers Infected Android Devices Through MDM Server

May 5, 2020  |  Volume XXII - Issue #36

Top of the News


2020-05-04

8,300 Cybersecurity Professionals Attend Virtual ICS Conference

Last week, 8,300 ICS cybersecurity professionals attended a virtual conference and NetWars competition hosted by SANS and Dragos. The NetWars CTF was limited to the first 1,000 registrants, and every virtual seat filled up. The program, designed to provide timely, actionable information in support of the ICS community along with a fun simulated ICS environment where attendees can practice and hone their skills, covered the most dangerous current threats and included hands-on demonstrations, as well as helping operators understand the thinking behind the new White House Executive Order (see the next story). Most remarkable was the demonstration of a "controller-in-the-middle" attack that had not previously been seen. All SANS alumni will have complete access to presentation recordings as well as a downloadable CTF solution package.

https://www.sans.org/webcasts/disc-ics-virtual-conference-114285: DISC - SANS ICS Virtual Conference


2020-05-04

US Executive Order on Grid Security

A White House executive order declares "a national emergency with respect to the threat to the United States bulk-power system" and takes steps to ban the US power grid from acquiring, installing, or using equipment "in which any foreign country or a national thereof has any interest."


2020-04-29

Hackers Infected Company's Android Devices Through its MDM Server

A banking Trojan has infected more than 75 percent of a multinational conglomerate's Android devices. A new variant of the Cerberus malware was placed on the mobile devices by compromising the unnamed company's Mobile Device Manager (MDM) server.

Editor's Note

Every end-point security agent has a server somewhere behind it whether it is on premises or in the cloud. If that server is compromised, the security agent turns from a beneficial rootkit to a malicious rootkit. Basic security hygiene for all servers and vigilance on all admin accounts for those servers or cloud services has to be high priority.

John Pescatore

Conventional wisdom says that any system used to configure your infrastructure should live on a dedicated management network. But mobile device management (MDM) has to interact with devices on the internet and can be difficult to segregate. Many of these systems are also cloud based, which typically leaves only strong authentication and the often-misplaced trust in vendors as your last remaining security controls.

Johannes Ullrich

The Rest of the Week's News


2020-05-01

Hackers Exploit SaltStack Vulnerabilities to Breach Servers at Ghost, LineageOS, and Others

Hackers have exploited recently patched vulnerabilities in the Salt management framework to gain unauthorized access to Salt servers belonging to LineageOS, the Ghost blogging platform, and other organizations. Ghost developers noted that the malware drove up CPU usage, which is how they knew something was wrong. SaltStack has released patches to fix the flaws; companies running Salt servers are urged to apply the patches as soon as possible or ensure that they are behind a firewall.

Editor's Note

If you are reading this and you still have an unpatched SaltStack in your environment: Call your IR team (no need to patch first). Now stop reading. For the rest of you still with me: A system used to manage your entire infrastructure should not be exposed to the internet. The idea of a central system like this is that you will be able to spend resources to adequately secure and monitor it. This isn't easy. But at least you have to do it only once (vs. having many configuration management systems). Yes, these systems have to interact with cloud components. But I am sure with all the money you are saving by moving to the cloud, there was plenty left to actually secure it (read last sentence with sarcasm).

Johannes Ullrich

2020-05-01

Mozilla is Developing a Firefox eMail Alias Service

Mozilla is developing an email alias service for its Firefox browser. Firefox Private Relay will be an add-on. It will allow users to easily generate email aliases they can use to register new accounts, subscribe to newsletters, or conduct other business where they do not want to expose their real email addresses. Private Relay is currently in closed beta testing; a public beta is expected later this year.

Editor's Note

After reading about this I applied for the beta. I spend about 15 minutes every Saturday unsubscribing from the useless emails that found my account. Some are even cheeky enough to say things like "Wanting to make sure you got my last email"; now click and it will take whoever sold my email out at the same time. What is not to like?

Stephen Northcutt

Apple has a similar service for users who don't want to use their real email address when registering with apps downloaded from the Apple App Store. This is one of those "put all of your eggs in one basket and really, really trust that basket - or watch it very, very closely" kind of scenarios. The Firefox browser has an 8% market share, so it is not going to have a large impact. A simple, more universal approach is just to have a "burner" freemail address you use with all apps and web sites that require an email address.

John Pescatore

2020-04-30

Oracle Says WebLogic Server Vulnerability Patched in April is Being Used in Attacks

Oracle is urging users to apply patches it released last month as part of its quarterly Critical Patch Update. Oracle says it has learned that several of the patched flaws are being actively exploited. One of those, CVE-2020-2883, is a critical remote code execution flaw in WebLogic Server.

Editor's Note

A PoC exploit was released the day after the patch. Oracle only discovering now that this vulnerability is being actively exploited is a bit late. If you haven't patched yet, your first call should be your incident response team. Unless they are quite skilled, they will find a crypto coin miner, and call it a day, leaving the actual compromise undetected. You may want to read up on ransomware as this is probably what will hit you next.

Johannes Ullrich

The failure to "patch" in a timely manner demonstrates that the strategy of placing responsibility for the quality of software on the end user is not merely expensive but ineffective.

William Hugh Murray

2020-04-29

WordPress Ninja Forms Update Available to Fix Cross-Site Request Forgery Flaw

A vulnerability in the Ninja Forms WordPress plugin could be exploited to create new admin accounts and take control of unpatched websites. Ninja Forms has released an updated version of the plugin, 3.4.24.2, that fixes the flaw. Ninja Forms is installed on more than one million websites.


2020-05-04

Contact Tracing Apps: India, Singapore, UK

In parts of India where COVID-19 is spreading, people are being required to use a contact tracing app called Aarogya Setu. Starting May 12, Singapore's "SmartEntry" system will require smartphone check-ins at all businesses. The system will log names, phone numbers, national ID numbers, and the time individuals enter and exit a business. In the UK, healthcare workers and local government officials on the Isle of Wight will be able to download a test version of the NHS's contact tracing app, which was developed by NHS's digital unit, NHSX.

Editor's Note

As they say for cryptography: Do not roll your own. Researchers have developed a number of contact tracing protocols that carefully weigh the value of the data vs. the privacy of the participants. Apple and Google are working on an API to implement these protocols in their devices. Contact tracing applications will not work if early implementations are not using these protocols and destroy the public's trust in contact tracing. Trust matters. These applications will work only if a majority of users turn them on. An overview of some of the proposed contact tracing protocols can be found here: https://isc.sans.edu/forums/diary/Privacy+Preserving+Protocols+to+Trace+Covid19+Exposure/26066/

Johannes Ullrich

2020-04-29

Downloader Bundles Malware with Older Version of Zoom

Users are urged to be vigilant about the source when downloading Zoom software. Researchers at Trend Micro have detected a campaign that bundles shady Zoom downloads with the RevCode WebMonitor remote access Trojan (RAT).


2020-05-03

Cyberthieves Targeting COVID-19 Research at UK Universities

The UK's National Cyber Security Centre (NCSC) has warned that foreign hackers are targeting British universities and research facilities in an effort to steal COVID-19-related research. None of the attacks appears to have been successful.


2020-05-01

Phishing eMails Look Like Microsoft Teams Alerts

A recently detected phishing campaign uses messages that pretend to be Microsoft Teams notifications. The emails attempt to get users to divulge their Office 365 credentials. The campaign is especially worrisome because people working from home are likely to be expecting such notifications.


2020-04-30

CISA Reminds Agency CIOs to Use Approved DNS Resolution Service

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has sent a memo to federal agency CIOs reminding them that they are required to use the EINSTEIN 3 Accelerated DNS resolution service for devices connected to federal networks. The reminder comes while many federal employees are working from home and may attempt to connect to government networks through unsupported DNS encryption services. CISA is also planning to notify agencies of DNS traffic anomalies.

Editor's Note

In the April 10th NewsBites, I pointed to several good choices of DNS services to recommend to home workers. The CISA memo recommends many of the same ones: Cisco (OpenDNS), Cloudflare, Google and Quad9.

John Pescatore

2020-05-01

North Dakota Broadband Service Provider Hit With Ransomware

Dakota Carrier Network (DCN), a consortium of more than a dozen broadband companies, was the victim of a ransomware attack. DCN's CEO said the attack was detected early in the morning of Sunday, April 26. The company "quickly shut everything down and restored all of [its] data from the most recent tape backup, which was Friday, April 24." The hackers have posted information stolen from DCN to a website.


2020-05-01

NGA Selects Seven States for Cybersecurity Policy Development Program

The US National Governors Association (NGA) has selected seven states to be the 2020 cohort for its cybersecurity policy development program. Colorado, Michigan, Mississippi, New York, Oregon, Pennsylvania, and Tennessee will receive guidance to help them "create strategic plans to address statewide cybersecurity governance, critical infrastructure cybersecurity, statewide cyber disruption response planning, cybersecurity workforce development and state-local partnerships in cybersecurity."

Internet Storm Center Tech Corner