SANS NewsBites

Surging Ransomware Cases: Healthcare, Energy, and Toll Group (Again); New WordPress Vulnerabilities Put Websites at Risk

May 8, 2020  |  Volume XXII - Issue #37

Top of the News


2020-05-06

Snake Ransomware Hits Major European Healthcare Company's Systems

IT systems belonging to Fresenius, a European healthcare conglomerate, were hit with ransomware earlier this month. The ransomware used in the attack has been identified as Snake, which has recently been used in attacks against a variety of large businesses.

Editor's Note

The healthcare industry is a target of choice for extortion attacks. Within the industry, attacks succeed against targets of opportunity. Healthcare enterprises should raise the cost to their attackers high enough not to be targets of opportunity. "Targets of opportunity" are, almost by definition, on the flat part of the security cost curve where one can get a significant reduction in the cost of losses for every dollar spent.

William Hugh Murray

2020-05-06

Toll Group Systems Infected with Ransomware Again

IT systems belonging to Australian transportation and logistics company Toll Group have been hit with ransomware for the second time since the beginning of the year. On Tuesday, May 5, Toll acknowledged that they "took the precautionary step yesterday of shutting down certain IT systems after [they] detected unusual activity on some of [their] servers." The ransomware used in the attack has been identified as Nefilim. The ransomware used in the attack earlier this year was identified as MailTo, also known as Netwalker.

Editor's Note

The tricky part here is that the second attack was delivered through vulnerable RDP servers while the first used phishing emails, indicating that while one vector was hardened the other was missed. If you must offer RDP services, follow best practice guides for securing them, including use of multi-factor authentication, secure gateways and restrictions on which accounts can use RDP. Make sure that incident response procedures include validation of your entire security posture, not just the vector exploited.

Lee Neely

2020-05-05

Ransomware Strikes Taiwan Energy Company

Taiwan's state-owned energy company, CPC Corp., has reportedly been hit with ransomware. The attack did not disrupt CPC's energy production, but some customers had trouble using CPC payment cards to buy fuel.


2020-05-05

Hackers Take Aim at Cross-Site Scripting Flaws in WordPress Sites

The Wordfence Threat Intelligence Team has observed a significant increase in attempted attacks targeting cross-site scripting (XSS) vulnerabilities in WordPress sites over the past 10 days. The number of these attacks is 30 times what Wordfence normally sees. The attacks are likely the work of a single hacking group.

Editor's Note

These attacks are targeting five WordPress plugins: Easy2Map, Total Donations (both of which are discontinued), Blog Designer, WP GDPR Compliance, and the Newspaper Theme, which have updates. Removal of the discontinued plugins is the best mitigation. Note that while Wordfence offers a security plugin for WordPress that both monitors and will perform automated updates of plugins, removal of discontinued plugins is still manual.

Lee Neely

There is hard data showing the most frequently exploited vulnerability in government agencies and, by extension, in smaller organizations and not-for-profits is WordPress (because of the carelessness of the developers of the plug-ins) and the other content management systems. Allowing people to deploy WordPress-based websites may well be seen as actionable negligence unless additional mitigating controls are implemented.

Alan Paller

The Rest of the Week's News


2020-05-06

GitHub Code-Scanning Tools for Open-Source Projects

GitHub is offering its automated code-scanning tools to open-source projects at no cost. The GitHub Advanced Security Suite includes the Semmle code scanning tool, which GitHub acquired last fall, as well as tools that can scan repositories for data that should not be exposed, like passwords and private keys.

Editor's Note

Even before Microsoft acquired GitHub back in 2018, Microsoft had been using Semmle on Windows code. The pricing for GitHub Advanced Security doesn't seem to be public yet. One of the news items says scanning will be free of charge, a good thing.

John Pescatore

2020-05-05

Several Thousand Salt Servers Remain Unpatched

Over the past few weeks, hackers have been exploiting vulnerabilities in unpatched versions of the Salt configuration management tool. While many servers have been patched against the exploit, there are still several thousand that remain vulnerable. Organizations that have been breached include DigiCert, LineageOS, Ghost, and Algolia. Users are urged to patch their systems as soon as possible.

Editor's Note

In addition to patching SaltStack, be sure to follow the Salt hardening guide, which recommends restricting who can log in, using SSH keys with a passphrase, and not making the Salt server internet accessible. Salt Hardening Guide: https://docs.saltstack.com/en/master/topics/hardening.html

Lee Neely
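The two points in the note above (an unpatched master and a master exposed to the world) are both checkable from the master itself. The following is an added example, not SaltStack's own code and not from the original item: it parses the output of `salt --versions-report` and a trimmed `/etc/salt/master`, and flags a release older than SaltStack's fixed releases of April 29, 2020 (2019.2.4 and 3000.2; older branches got no fix), a master bound to all interfaces (Salt's default when `interface` is unset), and an `external_auth` block that lets any PAM user run anything. The versions report and master config shown are constructed sample input; the hypothetical `audit()` helper is the entry point.

```python
"""Audit a Salt master for the two issues the note above stresses:
an unpatched Salt release and a master reachable from anywhere.
Added example, not SaltStack code. Sample inputs are constructed."""
import re

# Fixed releases published by SaltStack on 2020-04-29 for the two
# supported branches. Anything older on either branch is unpatched,
# and older branches (2018.3.x and before) received no fix at all.
FIXED = {"3000": (3000, 2), "2019": (2019, 2, 4)}

# Constructed: the head of `salt --versions-report` on an old master.
VERSIONS_REPORT = """\
Salt Version:
           Salt: 2019.2.3

Dependency Versions:
           cffi: Not Installed
       cherrypy: Not Installed
"""

# Constructed: a trimmed /etc/salt/master showing the risky settings.
MASTER_CONF = """\
interface: 0.0.0.0
publish_port: 4505
ret_port: 4506
external_auth:
  pam:
    '*':
      - .*
"""


def parse_salt_version(report: str) -> tuple:
    """Return the Salt version as an int tuple, e.g. (2019, 2, 3) or (3000,)."""
    m = re.search(r"^\s*Salt:\s*(\d+(?:\.\d+)*)", report, re.MULTILINE)
    if not m:
        raise ValueError("no Salt version line in report")
    return tuple(int(p) for p in m.group(1).split("."))


def is_patched(version: tuple) -> bool:
    """True if this release contains the April 2020 master fixes.
    Tuple comparison handles the short 3000-style version numbers:
    (3000,) < (3000, 2) but (3000, 3) >= (3000, 2)."""
    if version[0] >= 3000:
        return version >= FIXED["3000"]
    if version[0] == 2019:
        return version >= FIXED["2019"]
    return False  # 2018.3 and earlier: no fixed release exists


def audit_master_conf(conf: str) -> list:
    """Flag a master that listens everywhere or grants every PAM user access."""
    findings = []
    iface = re.search(r"^interface:\s*(\S+)", conf, re.MULTILINE)
    # Salt binds 0.0.0.0 when `interface` is absent, so absence is a finding too.
    if iface is None or iface.group(1) in ("0.0.0.0", "::"):
        findings.append("master listens on all interfaces (ports 4505/4506); "
                        "bind it to a management address and firewall it")
    # Simple check: an external_auth block containing a '*' user entry.
    if (re.search(r"^external_auth:", conf, re.MULTILINE)
            and re.search(r"^\s+'\*':", conf, re.MULTILINE)):
        findings.append("external_auth grants every user access; "
                        "scope it to named accounts")
    return findings


def audit(report: str, conf: str) -> list:
    """Combine the version and configuration checks into one list of findings."""
    findings = []
    version = parse_salt_version(report)
    if not is_patched(version):
        findings.append("Salt %s is unpatched" % ".".join(map(str, version)))
    findings.extend(audit_master_conf(conf))
    return findings


if __name__ == "__main__":
    for finding in audit(VERSIONS_REPORT, MASTER_CONF):
        print("FINDING:", finding)
```

Run it on a real master by feeding the actual command output and config file to `audit()`; the version check is the part worth keeping after this incident, since a master on an end-of-life branch reports as unpatched even though no newer release exists for it.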

2020-05-07

NYC Department of Education Approves Improved Zoom Platform

The New York City Department of Education has approved a specially tailored Zoom platform to use for remote learning. Last month, the NYC Department of Education banned the use of Zoom due to privacy concerns. In a statement, the NYC Schools Chancellor said that "Zoom has addressed vulnerabilities over the last few weeks and effective immediately, our community can safely use the Department of Education licensed Zoom account for remote learning."

Editor's Note

Properly configured and set up, Zoom was probably always sufficiently secure for K-12 instruction. In an abundance of caution and in response to reports about exploitation of Zoom, the NYC Department of Education "banned" its use. It is to the credit of Zoom and the Department that the ban has now been lifted. Zoom is "free" for educational institutions and represents a major contribution in the response to school closures.

William Hugh Murray

2020-05-07

Zoom Acquires Keybase in Effort to Improve Security Issues

Video conferencing platform company Zoom has acquired security company Keybase, which will help Zoom implement stronger encryption. The improved encryption service will be available to paid versions of Zoom.

Editor's Note

Zoom is following the path many other fast growth tech startups (like Microsoft, Salesforce and Google) followed when they were forced by customers to realize security is critical. Zoom is continuing to live up to its CEO's promise to focus on security and encryption (and especially key management) - something that is easy to do badly and complex to do right - especially at scale. Keybase has been around for 6 years, was early to sign up for bug bounty programs to make sure vulnerabilities in their code were exposed and fixed, and also paid for a professional audit of their product and made the results public - all good signs.

John Pescatore

Keybase focuses on key management, which is essential for getting end-to-end encryption right and which will help address concerns over Zoom's current security implementation. There are no plans to eliminate the existing functions of Keybase; there are new products planned and updates to Zoom to leverage Keybase's services. The current ZoomBot client will allow a Zoom meeting to be started from your Keybase client.

Lee Neely

2020-05-07

Cisco Updates Include Fixes for a Dozen High Severity Flaws Affecting ASA and Firepower Software

Cisco has released fixes for a total of 34 security issues in a range of products. Twelve of the vulnerabilities are rated high severity; they affect Cisco Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software.


2020-05-05

German Authorities Charge Alleged Bundestag Hacker

Authorities in Germany have issued an arrest warrant for an individual who allegedly hacked the internal network of the German Parliament (Bundestag) five years ago. Dmitriy Sergeyevich Badin allegedly conducted the attacks as part of a cyberespionage campaign on behalf of the Russian military. Badin, who remains at large, is also wanted in the US in connection with cyberattacks against the Democratic National Committee and the World Anti-Doping Agency.


2020-05-05

InfinityBlack Hacking Group Operations Dismantled

Law enforcement authorities in Poland and Switzerland, with help from Europol and Eurojust, have dismantled the InfinityBlack hacking group's operations. Five people were arrested in Poland late last month. Police seized electronic equipment, external hard drives, and hardware cryptocurrency wallets; they also shut down platforms that held databases with more than 170 million entries. The group sold stolen user credentials, with a particular focus on loyalty reward account credentials.


2020-05-07

Firefox Update Fixes 11 Vulnerabilities

Mozilla has released updates for Firefox and Firefox ESR to address a total of 11 security issues. Three of the flaws are rated critical. The most recent versions of the browsers are Firefox 76 and Firefox ESR 68.8.

Editor's Note

Isolate browsing (and e-mail) from sensitive applications. Prefer purpose-built clients to browsers.

William Hugh Murray

2020-05-07

Vulnerabilities in Schneider Electric Products

Security flaws in Schneider Electric's SoMachine Basic v1.6 engineering software and in the Schneider Electric M221 Programmable Logic Controller (PLC), firmware version 1.6.2.0, can be exploited to take control of vulnerable systems. The flaws can be used to intercept, modify, and resend commands between the engineering software and the PLC. Schneider has made a fix available for SoMachine Basic v1.6 and is working on a fix for the second issue.

Editor's Note

For most applications and environments, prefer to attach PLCs only to private networks.

William Hugh Murray

Internet Storm Center Tech Corner

Do Cloud Security Features Replace Personnel Security Capabilities?

https://isc.sans.edu/forums/diary/Cloud+Security+Features+Dont+Replace+the+Need+for+Personnel+Security+Capabilities/26088/


Keeping an Eye on Malicious Files' Life Time

https://isc.sans.edu/forums/diary/Keeping+an+Eye+on+Malicious+Files+Life+Time/26092/


Scanning With NMAP NSE Scripts

https://isc.sans.edu/forums/diary/Scanning+with+nmaps+NSE+scripts/26096/


Citrix ShareFile Storage Zones Controller Update

https://support.citrix.com/article/CTX269106


Android Update

https://source.android.com/security/bulletin/2020-05-01


Firefox Update

https://www.mozilla.org/en-US/firefox/76.0/releasenotes/


Dell OS Recovery Image Insecure Inherited Permissions

https://www.dell.com/support/article/de-de/sln321036/dsa-2020-059-dell-os-recovery-image-insecure-inherited-permissions-vulnerability?lang=en


WordPress Update

https://wordpress.org/support/wordpress-version/version-5-4-1/#security-updates


Fake Crypto Wallet Chrome Extensions

https://www.theregister.co.uk/2020/05/06/chrome_malicious_extensions/


Favicon Hides Credit Card Skimmer

https://blog.malwarebytes.com/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/


WebEx Phishing

https://abnormalsecurity.com/blog/abnormal-attack-stories-cisco-webex-phishing/


iOS Psychic Paper Vulnerability

https://siguza.github.io/psychicpaper/


World Password Day

https://www.microsoft.com/security/blog/2020/05/07/protect-accounts-smarter-ways-sign-in-world-passwordless-day

Tails 4.6

https://tails.boum.org/news/version_4.6/index.en.html


Cisco Kerberos Bypass

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-asa-kerberos-bypass-96Gghe2sS