SANS NewsBites

Ransomware Deploys Virtual Machine; Coronavirus Phishing Scheme Using Excel; Majority of Apps Contain Flaws via Open-Source Libraries

May 26, 2020  |  Volume XXII - Issue #42

Top of the News


2020-05-22

Ransomware Deploys Virtual Machine to Evade Detection

Researchers from Sophos found that the RagnarLocker ransomware group installs the Oracle VirtualBox hypervisor on targeted computers and runs the ransomware inside a virtual machine (VM). Because the encryption runs inside the guest, host-based security tools see only the trusted hypervisor process, which is how the attackers evade detection. The RagnarLocker operators choose their targets carefully, focusing exclusively on corporate and government networks.

Editor's Note

The targets chosen are more likely to be running VirtualBox, so its presence alone is not necessarily a red flag. This attack installs an unsigned Sun xVM VirtualBox MSI from 2009, which should trigger endpoint defenses. Unplanned disabling of backup and remote management utilities also merits follow-up. As this group is also known for exfiltrating data, expect threats of data disclosure to accompany ransom demands.

Lee Neely

2020-05-18

Microsoft Warns of Coronavirus-Related Phishing Scheme Using Malicious Excel Files

The Microsoft Security Intelligence Team has warned of a "massive campaign" that tries to install NetSupport Manager, a legitimate remote access tool, on users' computers. The phishing campaign pretends to be from Johns Hopkins Center and claims to contain a World Health Organization coronavirus-related situation report. The scheme tries to get users to open email attachments that contain malicious Excel macros.

Editor's Note

This attack is spoofing an email from the Johns Hopkins Center providing an update on the Coronavirus-related deaths in the United States, with an attached Excel file titled 'covid_usa_nyt_8072.xls.' Additionally, Microsoft has announced they are making some of their COVID-19 related threat intelligence open-source to help customers better protect themselves by providing the community a more complete view of attackers' tactics, techniques, and procedures (TTPs). Information is being provided via threat intelligence sharing feeds for Azure Sentinel Customers, and for the public on GitHub. See: https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/

Lee Neely

2020-05-25

Majority of Apps Contain Flaws via Open-Source Libraries

Open source libraries are ubiquitous; they help developers create apps more quickly. According to the State of Software Security Open Source Edition report from Veracode, 70 percent of apps in use today have at least one vulnerability that exists because of an open source library. The four most common types of vulnerabilities found in open source libraries are access control issues, cross-site scripting, sensitive data exposure, and injection.

Editor's Note

The Veracode paper breaks down flaws by language type, with PHP having the most flaws that include at least a proof-of-concept (PoC) exploit. This introduces the burden of not only monitoring and updating your open-source libraries but also integrating these releases with current software lifecycle update processes. The good news is the majority of identified open-source flaws are addressed in small updates unlikely to break applications, reducing the risk and difficulty of remaining current.

Lee Neely

Good reminder that open source software is just as likely to have vulnerabilities in it as commercial software. A key takeaway from the Veracode report: "Fixing most library-introduced flaws in most applications can be accomplished with only a minor version update. Major library upgrades are not usually required!"

John Pescatore

The Rest of the Week's News


2020-05-22

EasyJet Breach Exposed Travelers' Itineraries

The data compromised in the EasyJet breach that was disclosed last week is now believed to include travelers' itineraries for trips booked between October 17, 2019 and March 4, 2020. The hackers had access to EasyJet data between October 2019 and January 2020. A law firm in the UK has filed a class action claim against EasyJet, under Article 82 of the General Data Protection Regulation (GDPR).


2020-05-22

Companies Ask Congress to Block Warrantless Access to Browsing Data and Searches

Seven Internet companies have jointly asked Congress to prohibit the collection of browsing and Internet search histories without a warrant. The US House of Representatives is scheduled to vote on the USA FREEDOM Reauthorization Act of 2020 this week. Late last week, US Representatives Zoe Lofgren (D-California) and Warren Davidson (R-Ohio) said they would introduce an amendment to the reauthorization legislation that is expected to be very similar to an amendment that failed to pass the Senate by just one vote.


2020-05-19

eBay is Conducting Port Scans on Site Visitors' Computers

When users visit the eBay website, a script named check.js runs in the browser and conducts a local port scan of the visitor's computer. It probes 14 ports in all, each associated with remote access and support tools. The scan targets Windows machines; it does not occur when users running Linux visit the site.

Editor's Note

This has come up before with financial institutions scanning customers' PCs trying to protect customers with compromised PCs from fraud, usually from the login page but not always. In general, in the US and in the EU at least, it has been ruled to be legal and not to violate various Computer Misuse Acts. But generally accepted practice is to at least notify, if not obtain permission, for doing this kind of thing. If your organization is asking for advice on doing this kind of thing, best to involve legal counsel.

John Pescatore

While this is intended as an anti-fraud measure to make sure that a user's system is secure, the user is not granting permission for this activity, which is concerning with current privacy regulations. As the scan is run via JavaScript, your local firewall is not going to block it. It can be blocked with browser extensions like NoScript and uBlock Origin, or by using a browser which is not targeted, such as Brave.

Lee Neely

2020-05-23

Hackers Leak Data Stolen From Banco de Costa Rica After Alleged Cyberattack

Malicious cyber actors claim to have launched a cyberattack against Banco de Costa Rica and have begun publishing data stolen from the bank's servers. The attackers say they plan to release more information taken from bank systems every week. Banco de Costa Rica has denied that it suffered an attack. The first set of data published appears to be payment card information that belongs to Banco de Costa Rica customers.

Editor's Note

Payment card data is still too easy to monetize, now more so in "card not present" transactions. Online merchants should prefer check-out proxies (e.g. PayPal, Apple Pay, Click-to-Pay) to processing payments themselves. Telephone merchants should separate order taking from payment taking.

William Hugh Murray

2020-05-22

DHS's CISA Bolstering Cybersecurity Protections for Organizations Conducting Coronavirus Research

In a webinar last week, US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) assistant director Bryan Ware said that hackers working on behalf of China and other foreign governments have been targeting organizations conducting research into COVID-19 vaccines. CISA has "stepped up" cybersecurity protections for the Department of Health and Human Services (HHS) and the Centers for Disease Control and Prevention (CDC). CISA is also working closely with pharmaceutical companies and other research organizations to keep their Internet-connected devices secure.

Editor's Note

The environment in which most of us work is dramatically more hostile than it was two years ago but our security is not much better, sometimes even worse. Keep doing the same thing, expect worse results.

William Hugh Murray

2020-05-22

National Guard Deployed in Maryland for COVID Aid Also Helping with Cybersecurity

More than two months ago, Maryland's governor called in the National Guard to help with the coronavirus pandemic. The Guard has been providing help with tests and screening and has also been conducting cybersecurity assessments of state data repositories.


2020-05-22

Zoom E2E Encryption Whitepaper

Zoom has published a whitepaper that "proposes major security and privacy upgrades for" the company through an "incrementally-deployable four-phase roadmap." The paper details how the four phases - Client Key Management, Identity, Transparency Tree, and Real-Time Security - will be implemented.

Editor's Note

This paper also lays out the current meeting security mechanisms and differentiates between meeting access control features, such as a meeting password, and securing the meeting content, which may use a symmetric key. Take note of where connectors are required to extend encryption to certain devices and the limitations of those connections.

Lee Neely

I did a webinar with Zoom Head of Product Security Randy Barr, and he gave details on what Zoom has done to date to address needed security improvements and what is on the roadmap for the rest of their first 90-day plan. Encryption gets the press attention, but the increased focus on application security and proactive pen testing, and getting input from industry CISOs, are the more important initiatives. Webinar recording available at https://www.sans.org/webcasts/zooming-safely-securely-interviews-zooms-head-product-security-115500

John Pescatore

"Zoom bombing" notwithstanding, most users have more risk in their operating systems, browsers, readers, etc. than in any application. Zoom remains more vulnerable to meeting host decisions than to attacks on its crypto. Zoom is rapidly approaching "enterprise grade." However, for most system code, that still involves a reservoir of known and unknown vulnerabilities. When using any conferencing application, prefer device specific purpose-built clients to historically porous browsers.

William Hugh Murray

Internet Storm Center Tech Corner