SANS NewsBites

Virtual Cyber Schools Open In U.K. and U.S.; Verizon's 2020 Data Breach Report; Toll Group Ransomware Data Published on Dark Web

May 22, 2020  |  Volume XXII - Issue #41

Top of the News


2020-05-20

U.K. and U.S. Virtual Cyber Schools Open This Month

Students ages 13-18 in the UK and the US have the opportunity to take part in a virtual cyber school that offers more than 200 cybersecurity challenges. The program is government sponsored: free for residents of the UK; students in the US can participate for US $100 a year. No background in computers is expected or needed. Kids' observations: "The most fun I've ever had learning," and "I had no idea I could be so good at computer science."

Editor's Note

Great opportunity to take advantage of current crazy times and get your kids or your company's employees' kids into the cybersecurity skills pipeline. The gaming aspect is very cool; much like in the makers movement, the fact that the technology is really a tool vs. the entire focus attracts and holds types of kids who had no interest in computers or networks for technology's sake.

John Pescatore

My 13-year-old self would love this type of opportunity. My present-day self is thinking of all the friends and family who ask how their kids can get started in cyber security and sending this to them. If they object to the cost, I'll suggest they also look to the SANS Holiday Hack Challenge web site for some fun challenges, reminding them the past solutions are published if they want a hint.

Lee Neely

2020-05-19

Verizon's 2020 Data Breach Investigations Report

Some takeaways from Verizon's 2020 Data Breach Investigations Report: Eighty-six percent of breaches in 2019 were financially motivated, compared with 71 percent in 2018; 70 percent of breaches were caused by outsiders; and 27 percent of incidents were attributed to ransomware. The information in the report is derived from more than 150,000 security incidents experienced by Verizon clients as well as by other organizations, in data shared by partners, law enforcement agencies, CSIRTs, and security firms.

Editor's Note

The Verizon DBIR is always a good synopsis of incidents and trends to watch for. The report also notes that unsecured or misconfigured cloud data storage opens the doors of small businesses to attacks previously faced only by larger organizations. The report also shows a trend in breaches related to configuration errors catching up with socially engineered ones.

Lee Neely

This is one of the most valuable reports a security professional can read. The report will give you valuable insights into how to defend your systems and networks. It also gives you good data points when dealing with security vendors to ask them how their product would deal with the breaches and issues raised in the report.

Brian Honan

The DBIR continues to be a valuable source of open source intelligence. Be sure to read the disclaimers.

William Hugh Murray

2020-05-21

Data Stolen from The Toll Group Published on Dark Web

Data stolen from Australian transportation and logistics company The Toll Group have been published to the dark web. The data were taken from a corporate server during an April ransomware attack. Toll has not paid the ransom and has shut down its IT systems to contain the malware. The company was the victim of a ransomware attack in January as well.

Editor's Note

When the decision was made not to pay the ransom and recover systems, The Toll Group identified the server and data they believed had been exfiltrated. They are now faced with the challenge of validating the scope and depth of data published to determine appropriate response actions, including deciding whether it is worth paying ransom to prevent additional disclosures.

Lee Neely

The Rest of the Week's News


2020-05-19

US Legislators Push for Complete Phone Encryption Between House and Senate

US legislators want to ensure that phone communications between the House and the Senate are protected by encryption. Currently, most internal calls in both chambers are encrypted. In a letter dated May 19, 2020, legislators ask the Senate Sergeant at Arms and the House Chief Administrative Officer to take immediate action to encrypt, in bulk, all internal calls and other electronic communications between the Senate, House and other components of the legislative branch.

Editor's Note

Not a bad idea for protecting corporate secrets, too. VoIP phones make encryption within the system practical, without having to invest in formal COMSEC equipment, provided you have the infrastructure to manage the certificates. The challenge is that more and more communications also happen over mobile devices, necessitating either a smartphone client on the device or training users to have sensitive conversations only over the secure phone system. Even with encryption, situational awareness is important to prevent eavesdropping.

Lee Neely

2020-05-21

Facebook's New Messenger Warnings are Based on Metadata

Governments have criticized Facebook's plans to implement end-to-end encryption for all its apps because they say it allows criminals to escape detection. Facebook is debuting tools that use metadata analysis to generate warnings in its Messenger app when messages appear to come from scammers, child abusers, or other criminals.


2020-05-15

Lawsuits Filed Against ADT Over Former Employee Spying On Customers

ADT Security Services is facing lawsuits over the company's alleged intentional and negligent tortious acts in providing security services to its customers with remote-viewing capabilities. ADT has admitted that an ADT technician created admin accounts for himself on customers' systems and then abused that privilege to spy on them. More than 200 customer accounts were compromised; the activity went on for seven years before it was detected. The scheme was uncovered when a customer in Texas reported an unknown email address as an admin user on their system. ADT conducted an internal investigation and determined that the issue was with one of their employees. ADT fired the individual, reported them to the police, and contacted all affected customers.

Editor's Note

Have a clear understanding of what the remote monitoring service can and cannot do. Review accounts with access to your home systems regularly. Even so, the service provider may still have legitimate access to your system for emergency response. If you must have cameras in your home, make sure that privacy needs are considered, including where images can be accessed and stored. Make sure that electronic locks are not the only access control on outer doors so you can prevent them from being unsecured when desired.

Lee Neely

Quis custodiet ipsos custodes? (Who will guard the guards themselves?) A great example of why people need to check the security settings of all devices installed in their homes and businesses. Trusting default settings or relying on third parties to set up devices securely can lead to security and/or privacy breaches. Always review settings on devices to ensure they are secure.

Brian Honan

Supervision and multi-party controls are indicated to resist insider abuse and misuse. Privileged Access Management software should be considered to provide accountability for privileged users.

William Hugh Murray

2020-05-19

EasyJet Data Breach

UK-based EasyJet has disclosed a breach that compromised information, including email addresses and travel details, belonging to 9 million customers. For a small subset of customers, payment card information was also compromised. EasyJet has reported the incident to the UK Information Commissioner's Office (ICO) and to the National Cyber Security Centre.

Editor's Note

As an accommodation to frequent travelers, airlines and hotel chains offer them the option of storing a credit card number for convenience with future bookings. There have been enough successful attacks in the travel industry to make the risk of doing so obvious and significant. Frequent travelers can limit this risk by using tokens from Privacy.com that can only be used by that airline or hotel chain.

William Hugh Murray

2020-05-21

Cisco Releases Update to Fix Deserialization Flaw in Cisco Unified CCX

Cisco has released updates to fix a critical deserialization flaw in the Java Remote Interface of its Unified Contact Center Express (CCX). The vulnerability could be exploited to install malware on unpatched devices.


2020-05-19

Adobe Releases Unscheduled Updates

Adobe has released updates to address a critical vulnerability in Adobe Character Animator. The issue affects Character Animator 2020 versions 3.2 and earlier. The buffer overflow vulnerability could be exploited to allow arbitrary code execution. Adobe has also released fixes for vulnerabilities in its Premiere Rush, Audition, and Premiere Pro products.


2020-05-20

Info Leaked from 2019 Mitsubishi Breach May Include Missile Data

Japan's Defense Ministry is investigating the leak of information about a prototype missile. The data are believed to have been compromised during a cyberattack against systems at Mitsubishi Electric Corp. in late June 2019; the incident was not disclosed until January 2020. The attack exploited a then-zero-day vulnerability in Trend Micro OfficeScan antivirus software.

Editor's Note

Am I the only one thinking that I would be able to buy a missile-equipped vehicle in the future? The exploited zero-day vulnerability in the Trend Micro AV product has since been patched. Attribution is still tricky, although initial indications point to the Tick group, which has previously targeted Japanese and South Korean technology and defense industries.

Lee Neely

2020-05-20

Data Stolen from Fresenius Dialysis Facility Leaked

Fresenius Medical Care says that some patient data from dialysis facilities in Serbia has been posted to the Internet. The data include personally identifiable patient information. Fresenius was the target of a ransomware attack earlier this year.

Internet Storm Center Tech Corner

Spike of Scans for Port 62234

https://isc.sans.edu/forums/diary/What+is+up+on+Port+62234/26144/


IcedID Malware Update

https://isc.sans.edu/forums/diary/Microsoft+Word+document+with+malicious+macro+pushes+IcedID+Bokbot/26146/


Malware Triage with FLOSS: API Calls Based Behavior

https://isc.sans.edu/forums/diary/Malware+Triage+with+FLOSS+API+Calls+Based+Behavior/26156/


Cisco Patches

https://tools.cisco.com/security/center/publicationListing.x

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB


Google Chrome 83 Released

https://chromereleases.googleblog.com/


QNAP Vulnerability Details Released

https://medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05


ISC YouTube Channel

https://www.youtube.com/channel/UCfbOsqPmWg1H_34hTjKEW2A


NXNSAttack DNS Amplification

https://cyber-security-group.cs.tau.ac.il/

https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/


Adobe Updates

https://helpx.adobe.com/security.html


Verizon Breach Report

https://enterprise.verizon.com/resources/reports/dbir/


Apple Updates

https://support.apple.com/en-us/HT201222


Sophos Firewall Vulnerability Exploit

https://news.sophos.com/en-us/2020/05/21/asnarok2/