SANS NewsBites

Ransomware Succeeding; AirGaps Failing

May 19, 2020  |  Volume XXII - Issue #40

Top of the News


2020-05-18

Texas Department of Transportation Hit With Ransomware

Computer systems at the Texas Department of Transportation (TxDOT) were hit with ransomware. The agency detected unauthorized network access on Thursday, May 14, and determined that they were experiencing a ransomware incident. TxDOT is the second Texas state agency to suffer a ransomware attack this month; on May 8, computers at the Texas Court System were infected with ransomware.

Editor's Note

Back in August 2019 more than 20 Texas state and local agencies were hit with ransomware. At the time, Texas Governor Abbott was quoted as "stressing the importance of public and private sectors alike practicing 'good cyber hygiene.'" Obviously, there are some continued failings in basic security hygiene that require investigation and rapid application of lessons that should have been learned from last year's incidents.

John Pescatore

2020-05-15

Four Arrests in Ransomware Plot Against Romanian Hospitals

Four people have been arrested in connection with a plan to target public health organizations in Romania with ransomware. The plan appears to have been to send spoofed email messages purporting to come from government officials and to contain COVID-19 information, but which would actually lead to ransomware infections. Three of the suspects were arrested in Romania; the fourth was arrested in Moldova.


2020-05-12

Hackers are Using Malware Designed to Target Airgapped Networks

Hackers have targeted airgapped networks belonging to the Taiwanese and Philippine militaries. The hackers, who are believed to be working on behalf of China's government, used malware called USBferry, "a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage." According to Trend Micro, the hacking group has been using the malware since 2014.

Editor's Note

As Ed Skoudis says: Airgaps are just high latency network links. This malware takes advantage of USB drives to bridge airgaps. Also note that some of the more obscure methods to bridge airgaps that make the news from time to time are more of a curiosity and probably work better to generate headlines and clickbait vs. actual exploits.

Johannes Ullrich

This malware uses USB removable media to spread and collect data. Judicious use of a USB kiosk or other scanner or one-way link to sanitize media or data transferred between environments can stop or mitigate risks to the air-gapped systems.

Lee Neely

The Rest of the Week's News


2020-05-18

The FBI Cracked iPhone Encryption Without Apple's Help

The FBI has unlocked two iPhones that belonged to a man who shot 11 people at a Florida Naval Air Station in December 2019. The FBI initially asked for Apple's help unlocking the devices. FBI Director Christopher Wray criticized Apple for not helping, saying that their refusal delayed the investigation. Apple says it responded immediately, providing DOJ with gigabytes of data from cloud backups.

Editor's Note

Although the devices in question, an iPhone 5 and iPhone 7, had security weaknesses which could have been used to access the device, the trick is maintaining forensic integrity of the device while obtaining access as well as not triggering a device wipe. While the FBI continues to seek a general use way to access recovered devices, they were able to develop a technique to access these devices which they claim was specific to this situation.

Lee Neely

2020-05-14

BlueScope Steel Cyber Incident

Australia's BlueScope Steel Ltd has disclosed that a cyber incident disrupted some of its manufacturing and sales operations in Australia. The incident also caused minor disruptions in Asia, New Zealand, and the US. In a message to investors, BlueScope said it had reverted to manual operations in some impacted areas. A BlueScope official said the company is working with external providers to restore its systems.


2020-05-11

European Supercomputers are Shut Down After Cryptomining Malware Infections

Supercomputers across Europe have been shut down to allow investigations after hackers targeted them to hijack their CPU power to mine cryptocurrency. The attackers moved from one system to another using compromised SSH credentials. The incidents have affected supercomputers in the UK, Germany, Switzerland, and Spain.

Editor's Note

Primary access is via compromised SSH credentials, but there is also some evidence of compromised SSH binaries. Multi-factor authentication is a key tool to protect access to valuable resources. HPC relies on exhaustive configuration management to guarantee smooth operation, which should also include identifying and replacing unauthorized binaries or configuration files.

Lee Neely
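
One way to put the "identify and replace unauthorized binaries or configuration files" advice into practice, as an added example that is not part of the NewsBites item and not code from any of the affected HPC sites: a POSIX shell check that compares installed SSH binaries and configuration against a SHA-256 manifest captured while the host was trusted (for example at image build time). The paths, file contents and the simulated compromise built by make_fixture are constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the NewsBites item or any affected site): verify
# SSH binaries and config against a known-good SHA-256 manifest so that a
# trojaned ssh/sshd or a deleted/edited sshd_config stands out.
# All paths and contents below are constructed for the demonstration.

# hash_file PATH -> prints the SHA-256 of PATH (GNU coreutils, BSD fallback).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_manifest MANIFEST ROOT
# MANIFEST lines are "<sha256>  <path relative to ROOT>" (sha256sum -c
# format; blank lines and '#' comments are skipped). Prints one finding per
# line (MISMATCH or MISSING) and returns 0 only when nothing was found.
verify_manifest() {
    vm_manifest=$1; vm_root=$2; vm_problems=0
    while read -r vm_expected vm_relpath; do
        case $vm_expected in ''|\#*) continue ;; esac
        vm_target="$vm_root/$vm_relpath"
        if [ ! -f "$vm_target" ]; then
            printf 'MISSING  %s\n' "$vm_relpath"
            vm_problems=$((vm_problems + 1))
            continue
        fi
        vm_actual=$(hash_file "$vm_target")
        if [ "$vm_actual" != "$vm_expected" ]; then
            printf 'MISMATCH %s\n' "$vm_relpath"
            vm_problems=$((vm_problems + 1))
        fi
    done < "$vm_manifest"
    [ "$vm_problems" -eq 0 ]
}

# make_fixture BASE: constructed sample host under BASE/root plus a manifest
# taken from the clean state, then a simulated compromise (trojaned ssh
# client, sshd_config removed). Purely illustrative data.
make_fixture() {
    mf_base=$1; mf_root="$mf_base/root"
    mkdir -p "$mf_root/usr/sbin" "$mf_root/usr/bin" "$mf_root/etc/ssh"
    printf 'sshd-known-good\n'    > "$mf_root/usr/sbin/sshd"
    printf 'ssh-known-good\n'     > "$mf_root/usr/bin/ssh"
    printf 'PermitRootLogin no\n' > "$mf_root/etc/ssh/sshd_config"
    {
        echo "# sha256 manifest generated from the golden image"
        for f in usr/sbin/sshd usr/bin/ssh etc/ssh/sshd_config; do
            printf '%s  %s\n' "$(hash_file "$mf_root/$f")" "$f"
        done
    } > "$mf_base/manifest.sha256"
    # Simulated attacker activity after the baseline was taken.
    printf 'ssh-with-credential-logger\n' > "$mf_root/usr/bin/ssh"
    rm -f "$mf_root/etc/ssh/sshd_config"
}

main() {
    work=$(mktemp -d)
    make_fixture "$work"
    echo "Checking $work/root against $work/manifest.sha256"
    if verify_manifest "$work/manifest.sha256" "$work/root"; then
        echo "clean"
    else
        echo "integrity problems found; reinstall the flagged files from trusted media"
    fi
    rm -rf "$work"
}

# Run the demonstration only when invoked as: sh verify-ssh.sh demo
if [ "${1:-}" = "demo" ]; then main; fi
```

Run the manifest and the checker from read-only or otherwise trusted media: on a compromised host the shell, sha256sum and even the kernel may lie about file contents. On package-managed hosts `rpm -V openssh-server` or `debsums -c openssh-server` do the same comparison against the package database, which is a good first pass before a site-specific manifest. A manifest only catches files that changed or disappeared, not files that were added (an extra authorized_keys entry, a new PAM module), so pair it with a listing diff of the directories that matter.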

2020-05-14

Chrome is Testing a Feature That Will Stop Ads From Consuming Too Many Resources

Chrome is testing a feature that will block ads that consume large quantities of computer resources. In the Chromium blog, Chrome product manager Marshall Vale writes, "a fraction of a percent of ads consume a disproportionate share of device resources, such as battery and network data, without the user knowing about it." The feature "will limit the resources a display ad can use before the user interacts with the ad," and display an error message when the ad reaches the consumption limit. The feature is expected to be introduced on the stable version of Chrome toward the end of August.

Editor's Note

You can enable this feature today with chrome://flags/#enable-heavy-ad-intervention. This approach uses resource consumption as opposed to Firefox's anti-cryptomining prevention which relies on blocking known bad domains. Either approach should help keep browser resource use in check.

Lee Neely

In a recent SANS webinar (https://www.sans.org/webcasts/making-keeping-work-home-operations-safe-productive-114490: Making and Keeping Work at Home Operations Safe and Productive), Virginia Tech University CISO and SANS Senior Instructor Randy Marchany commented that the dependence on the internet during the pandemic has shown that in many ways internet access has become as important a utility as water, electricity, etc. Browser vendors are building security and viewing controls into browsers for advertising-laden services, while ISPs who charge for access are doing very little about equal access to and secure delivery of digital services needed by school children, small businesses, etc.

John Pescatore

2020-05-15

WP Product Review Lite Plugin Vulnerability

A critical flaw in the WP Product Review Lite plugin could be exploited to take control of vulnerable WordPress websites. The issue has been fixed in WP Product Review Lite version 3.7.6, which was released on May 14. Users are urged to upgrade as soon as possible. The plugin is installed on at least 40,000 WordPress sites.

Editor's Note

WordPress has a hardening guide (https://wordpress.org/support/article/hardening-wordpress/: Hardening WordPress) which includes links to additional resources for consideration. In addition to updating this plugin, verify that your plugins are as expected and configurations are as intended.

Lee Neely

Warnings about vulnerabilities in WordPress plugins are becoming as routine as "patch Tuesday." While patching is mandatory, it should now be obvious that we cannot patch our way to security. Since we cannot hide WordPress plugins, we best use them sparingly.

William Hugh Murray
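
A way to act on "verify that your plugins are as expected" and "use them sparingly" together, as an added example that is not part of the NewsBites item and not WordPress or WP-CLI code: a POSIX shell audit of a wp-content/plugins tree against an allowlist of approved plugin slugs and minimum versions. The plugin slug wp-product-review, the other slugs, the version numbers and the sample tree built by make_fixture are constructed for this demonstration; the only value taken from the item is 3.7.6 as the fixed version.

```shell
#!/bin/sh
# Added example (not from the NewsBites item, WordPress or WP-CLI): audit
# wp-content/plugins against an allowlist of "<slug> <minimum version>".
# Reports plugins that are MISSING, OUTDATED or UNLISTED (installed but not
# approved). Slugs, versions and the sample tree are constructed.

# version_lt A B -> exit 0 when dotted numeric version A is lower than B.
# Pure awk so it works where sort -V is unavailable.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# plugin_version DIR -> prints the Version: header of the plugin whose main
# file lives in DIR, or "unknown" when no header can be found.
plugin_version() {
    pv_main=$(grep -l 'Plugin Name:' "$1"/*.php 2>/dev/null | head -n 1)
    pv_ver=""
    if [ -n "$pv_main" ]; then
        pv_ver=$(sed -n 's/^[[:space:]*]*Version:[[:space:]]*//p' "$pv_main" \
                 | head -n 1 | tr -d '\r' | sed 's/[[:space:]]*$//')
    fi
    printf '%s\n' "${pv_ver:-unknown}"
}

# audit_plugins PLUGINS_DIR ALLOWLIST
# Prints one finding per line and returns 0 only when nothing was found.
audit_plugins() {
    ap_plugins=$1; ap_allow=$2; ap_findings=0
    while read -r ap_slug ap_minver; do
        case $ap_slug in ''|\#*) continue ;; esac
        if [ ! -d "$ap_plugins/$ap_slug" ]; then
            printf 'MISSING  %s\n' "$ap_slug"
            ap_findings=$((ap_findings + 1)); continue
        fi
        ap_have=$(plugin_version "$ap_plugins/$ap_slug")
        if [ "$ap_have" = unknown ] || version_lt "$ap_have" "$ap_minver"; then
            printf 'OUTDATED %s %s < %s\n' "$ap_slug" "$ap_have" "$ap_minver"
            ap_findings=$((ap_findings + 1))
        fi
    done < "$ap_allow"
    for ap_dir in "$ap_plugins"/*/; do
        [ -d "$ap_dir" ] || continue
        ap_slug=$(basename "$ap_dir")
        if ! grep -q "^$ap_slug " "$ap_allow"; then
            printf 'UNLISTED %s\n' "$ap_slug"
            ap_findings=$((ap_findings + 1))
        fi
    done
    [ "$ap_findings" -eq 0 ]
}

# make_fixture BASE: constructed plugin tree and allowlist for the demo.
make_fixture() {
    mf_p="$1/plugins"
    mkdir -p "$mf_p/wp-product-review" "$mf_p/akismet" "$mf_p/hello-dolly"
    printf '<?php\n/*\n * Plugin Name: WP Product Review Lite\n * Version: 3.7.5\n */\n' \
        > "$mf_p/wp-product-review/wp-product-review.php"
    printf '<?php\n/*\n * Plugin Name: Akismet Anti-Spam\n * Version: 4.1.5\n */\n' \
        > "$mf_p/akismet/akismet.php"
    printf '<?php\n/*\n * Plugin Name: Hello Dolly\n * Version: 1.7.2\n */\n' \
        > "$mf_p/hello-dolly/hello.php"
    printf '%s\n' '# slug minimum-version' 'wp-product-review 3.7.6' \
        'akismet 4.1.0' 'classic-editor 1.5' > "$1/allowlist.txt"
}

main() {
    work=$(mktemp -d)
    make_fixture "$work"
    audit_plugins "$work/plugins" "$work/allowlist.txt" || echo "plugin audit failed"
    rm -rf "$work"
}

# Run the demonstration only when invoked as: sh audit-plugins.sh demo
if [ "${1:-}" = "demo" ]; then main; fi
```

The allowlist is the point: it turns "a plugin we did not approve is installed" into a finding, which is how "use them sparingly" gets enforced rather than hoped for. Version headers are self-reported by the plugin, so this is a configuration check, not an integrity check; where WP-CLI is available, `wp plugin list` and `wp plugin verify-checksums --all` compare installed files against wordpress.org checksums and catch modified plugin code that a header check cannot.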

2020-05-15

US Department of Commerce Rule Places More Restrictions on Huawei

The US Department of Commerce's Bureau of Industry and Security (BIS) has issued an interim final rule amending an existing rule that aims to prevent Huawei from using US technology in its semiconductor design and production. Foreign companies that use certain US technology will be required to obtain a license before selling it to Huawei. The amended rule will take effect in September 2020. Comments on the document will be accepted through July 14, 2020.


2020-05-15

Bill Would Have US Dept. of Commerce Establish Cybersecurity Grand Challenges

A trio of US Senators has introduced the Cyber Leap Act of 2020, which directs the Department of Commerce to create competitions to solve cybersecurity grand challenges, such as making it more expensive for criminals to conduct cyberattacks, improving federal agencies' response to cyberattacks, and re-imagining digital identity to improve security. The idea of establishing cybersecurity grand challenges grew out of the November 2018 "Cybersecurity Moonshot" report from the National Security Telecommunications Advisory Committee.

Internet Storm Center Tech Corner

OWA Scans

https://isc.sans.edu/forums/diary/Scanning+for+Outlook+Web+Access+OWA+Microsoft+Exchange+Control+Panel+ECP/26132/


Edison iOS E-Mail Client Leaks Data

https://www.theverge.com/2020/5/16/21260967/edison-mail-update-ios-security-bug


Antivirus & Multiple Detections

https://isc.sans.edu/forums/diary/Antivirus+Multiple+Detections/26134/


COMpfun Malware Uses Status Codes to Communicate

https://securelist.com/compfun-http-status-based-trojan/96874/


PAN OS Patches

https://securityaffairs.co/wordpress/103265/security/palo-alto-networks-pan-os-flaws.html


MagicPairing Vulnerabilities

https://arxiv.org/pdf/2005.07255.pdf


BIAS: Bluetooth Impersonation AttackS

https://francozappa.github.io/about-bias/


Office 365 Returning Search Results from Other Organizations

https://www.theregister.co.uk/2020/05/18/microsoft_office_365_internal_search_mixup/