SANS NewsBites

Ransomware's Expanding Footprint; Another Dangerous WordPress Vulnerability

May 29, 2020  |  Volume XXII - Issue #43

Top of the News


2020-05-27

Michigan State University Suffers Ransomware Attack

The computer network at Michigan State University (MSU) was hit with ransomware earlier this week. The ransomware operators, who used malware known as NetWalker, have given MSU one week to pay the ransom. The NetWalker operators have threatened to publish data stolen from MSU's network if the payment is not received within the given time frame. Researchers at Sophos investigating NetWalker found that the ransomware uses "tools include[ing] legitimate, publicly-available software (like TeamViewer), files cribbed from public code repositories (such as Github), and scripts (PowerShell) that appeared to have been created by the attackers themselves."

Editor's Note

Virginia Tech CISO and Senior SANS Instructor Randy Marchany detailed in a recent SANS webinar how his team has maintained security operations before and through the current situation and increase in ransomware attacks - you can view the recorded version and download the .pdf version with Randy's links from https://www.sans.org/webcasts/making-keeping-work-home-operations-safe-productive-114490: Making and Keeping Work at Home Operations Safe and Productive

John Pescatore

2020-05-27

Microsoft Warns Users Over PonyFinal Ransomware

Microsoft Security Intelligence has warned organizations about Java-based ransomware known as PonyFinal. Microsoft says that "organizations should focus less on this payload and more on how it's delivered." PonyFinal gathers and exfiltrates information about systems it infects and waits for an opportune time to encrypt files.

Editor's Note

PonyFinal gains access via brute force attacks against system management servers rather than exploiting an endpoint or user clicking a malicious link. As such, securing system management services, including multi-factor authentication, is the best mitigation. Verify access controls and monitoring on services which may have been exposed to the Internet to better support work from home.

Lee Neely

The obvious, but still resisted, defense is strong authentication on those servers, on all servers. Enterprise failure to use strong authentication puts us all at risk.

William Hugh Murray

2020-05-27

New Mexico County Government Suffers Ransomware Attack

Computers at the Rio Arriba County, New Mexico government were hit with ransomware. According to a news release, "nearly every county server that has files or databases on it has been affected in some way, including the County's backup servers." Officials discovered the situation on Tuesday, May 26.


2020-05-28

WordPress PageLayer Vulnerabilities

A pair of flaws in the PageLayer WordPress plugin could be exploited to take control of or even wipe vulnerable sites. Version 1.1.2 of PageLayer, which was released on May 6, addresses the issues. The plugin has more than 200,000 active installations. As of May 27, the updated version of the plugin had been downloaded 85,000 times; that number includes both updates and new installs.

Editor's Note

The Verizon DBIR reported that 43% of "breaches" involved web applications.

William Hugh Murray

There are few more dangerous applications than content management systems like WordPress.

Alan Paller

The Rest of the Week's News


2020-05-28

Russian Cyber Actor Group Sandworm is Exploiting Exim Flaw

A cybersecurity advisory from the US National Security Agency (NSA) warns that "Russian cyber actors ... have been exploiting a vulnerability in Exim Mail Transfer Agent (MTA) software since at least August 2019." The hacking group, known as Sandworm, has likely been exploiting the known vulnerability to gain a foothold in targeted systems and move through networks. Sandworm is believed to have been involved in cyberattacks targeting Ukraine's power grid.

Editor's Note

If you're running Exim servers, make sure that you're running version 4.92 or higher, and watch for connections from Sandworm-associated domains and addresses.

Lee Neely

2020-05-27

Shadowserver Finds Funding From Multiple Sources After Cisco Withdraws Support

Earlier this year, security nonprofit Shadowserver learned that it was losing its main source of support. Cisco, which had been Shadowserver's primary source of funding for 15 years, announced in March that it would no longer fill that role. On Wednesday, May 27, Trend Micro announced that it will help fund Shadowserver over the next three years; other organizations have also stepped forward to help with funding. Shadowserver scans billions of IP addresses every day, provides activity reports to computer emergency response teams (CERTs) around the world, and helps track hackers and contain attacks.

Editor's Note

It's nice to have good news these days. Not only did Shadowserver have to find new funding sources, they also had to move out of Cisco's data centers. Good non-biased threat intel sources, such as Shadowserver, are key for effective analysis and response.

Lee Neely

Kudos to Trend Micro and others for supporting Shadowserver's efforts. In most areas of life we find a mix of private enterprise, government agencies, and non-profit/non-government organizations is an effective "triad" - same is true with cybersecurity.

John Pescatore

This is very welcome news. I know from my involvement with IRISSCERT that the data we get from Shadowserver is invaluable.

Brian Honan

2020-05-27

Germany Urges Users to Install iOS Updates; Apple Releases macOS Updates, Too

Germany's Federal Office for Information Security (Bundesamt fuer Sicherheit in der Informationstechnik, or BSI) is urging iOS users to install updates Apple released on May 20 to address a pair of zero-click vulnerabilities that are being actively exploited. The attacks have been occurring since at least January 2018. In a separate story, Apple has also released security updates for macOS and related software.

Editor's Note

Apple iOS updates are usually very low risk and users do not resist them; "urging" not required. 13.5 was an exception; it had a conflict with an iOS feature called "family sharing" in which one family member pays for all apps used by the family. The fix to this was to re-install the apps, which for many simply happened automagically.

William Hugh Murray

iOS & iPadOS 13.5 and iOS 12.4.7 were released with fixes to the long-standing email security flaw reported in NewsBites Volume 22, Number 33. iOS & iPadOS 13.5 include a number of features aimed at COVID-19, such as improvements in facial recognition when wearing a mask, which focus on the user's eyes. Check the Apple Security Updates page for the other products updated: https://support.apple.com/en-us/HT201222

Lee Neely

2020-05-25

Open Letter Calls on Governments to Work Together to Stop Cyberattacks Targeting Healthcare Organizations

In a joint statement, the International Committee of the Red Cross and the Cyber Peace Institute have called for governments to take steps to help prevent cyberattacks against healthcare organizations. The signatories of an open letter "call on the world's governments to take immediate and decisive action to stop all cyberattacks on hospitals, healthcare and medical research facilities, as well as on medical personnel and international public health organizations."


2020-05-27

SSH Maintainers Say SHA-1 Support Will be Discontinued

The OpenSSH and libssh projects plan to retire the SHA-1 hashing algorithm as attacks against it become cheaper. SHA-1 has been known to be vulnerable for 15 years, but the cost of attacks is falling. "It is now possible to perform chosen-prefix attacks against the SHA-1 algorithm for less than USD$50K."

Editor's Note

Phasing out SHA-1 hashing has taken much longer than expected. Seems like we've been removing SHA-1 hash support for 10 years. Generate new SSH keys, including host keys, using a stronger hash like SHA-2 before the library is retired and make sure that other less secure encryption algorithms are also disabled to both mitigate attacks and ensure operations continue after support is deprecated.

Lee Neely
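As an added example (not from the newsletter or the editor's note), the POSIX shell audit below flags the algorithm names in an sshd_config that still depend on SHA-1: the ssh-rsa and ssh-dss signature schemes plus any KEX or MAC name ending in -sha1. The config fragment it inspects is constructed for the demo; on a real host you would feed it the output of `sshd -T`.

```shell
#!/bin/sh
# Added example: find SHA-1-dependent algorithm names in an sshd_config
# before OpenSSH/libssh drop SHA-1 support. Not code from the newsletter.

# Constructed sample sshd_config fragment (not from any real server).
SAMPLE_CONFIG='Port 22
KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha1
HostKeyAlgorithms ssh-ed25519,rsa-sha2-512,ssh-rsa
MACs hmac-sha2-256,hmac-sha1
PubkeyAcceptedKeyTypes ssh-ed25519,ssh-rsa'

# Print each SHA-1-dependent algorithm name found, one per line, deduplicated.
# Only the algorithm-list directives are inspected; names ending in "-sha1"
# (optionally with a truncation suffix such as -96), "ssh-rsa" and "ssh-dss"
# are reported. SHA-2 names such as rsa-sha2-512 or curve25519-sha256 pass.
find_sha1_algos() {
    printf '%s\n' "$1" |
    grep -Ei '^(KexAlgorithms|HostKeyAlgorithms|MACs|PubkeyAcceptedKeyTypes|PubkeyAcceptedAlgorithms|CASignatureAlgorithms)[[:space:]]' |
    awk '{print $2}' |
    tr ',' '\n' |
    grep -Ei '(-sha1(-[0-9]+)?$|^ssh-rsa$|^ssh-dss$)' |
    sort -u
}

# Number of findings; "0" means the config is clean. Suitable as a pass/fail
# gate in configuration management or CI.
count_sha1_algos() {
    find_sha1_algos "$1" | grep -c . || true
}

# Stand-alone run: list findings for the constructed sample.
find_sha1_algos "$SAMPLE_CONFIG"
```

Disabling the flagged names (and regenerating host keys as ed25519 or RSA used with rsa-sha2-*) removes the SHA-1 dependency; re-run the audit afterwards to confirm the count is zero.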

2020-05-28

Cisco Servers Breached Through SaltStack Vulnerabilities

Earlier this month, six Cisco servers that support its Virtual Internet Routing Lab Personal Edition (VIRL-PE) were compromised. The hackers exploited critical vulnerabilities in the Salt management framework. The breach occurred on May 7; Cisco remediated the issue the same day. Cisco disclosed the incident on Thursday, May 28.


2020-05-28

Israeli Government Official Says Water Systems Cyberattack Thwarted Last Month

An Israeli government official confirmed water systems in that country were recently the target of a cyberattack. Israel's National Cyber Directorate detected the attack as it was happening and managed to thwart it.


2020-05-26

Germany Warns of Russian Cyberthreats to Critical Infrastructure Operators

A memo sent from German intelligence and security agencies to operators of the country's critical infrastructure warns that a hacking group that may have ties to Russia's government has been targeting German power, energy, and water sector organizations. The hackers' goal appears to be to gain persistent access to IT networks, to steal information and gain access to operational technology (OT) networks.

Internet Storm Center Tech Corner

Where is SHA3?

https://isc.sans.edu/forums/diary/Seriously+SHA3+where+art+thou/26170/


Phishing With Google Cloud

https://isc.sans.edu/forums/diary/Frankensteins+phishing+using+Google+Cloud+Storage/26174/


Apple Updates

https://support.apple.com/en-us/HT201222


Google ZDI Releases Details Regarding Unpatched Windows Vulnerabilities

https://www.zerodayinitiative.com/advisories/ZDI-20-666/

https://www.zerodayinitiative.com/advisories/ZDI-20-665/

https://www.zerodayinitiative.com/advisories/ZDI-20-663/

https://www.zerodayinitiative.com/advisories/ZDI-20-662/

https://www.zerodayinitiative.com/advisories/ZDI-20-664/


Research into Phish Detection

https://medium.com/@curtbraz/these-arent-the-phish-you-re-looking-for-7374c3986af5


Trend Micro AntiVirus Blocked by Microsoft

https://billdemirkapi.me/How-to-use-Trend-Micro-Rootkit-Remover-to-Install-a-Rootkit/


Netgear Nighthawk Firmware Update Vulnerability

https://iot-lab-fh-ooe.github.io/netgear_update_vulnerability/


USBFuzz Finds Numerous USB Flaws

https://www.nebelwelt.net/files/20SEC3.pdf


Cisco Products Vulnerable to Saltstack Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-salt-2vx545AG


Another Nail in the Coffin for SHA-1

https://eprint.iacr.org/2020/014.pdf


STI Student: Andy Piazza; Qualifying Threat Actor Assessments

https://www.sans.org/reading-room/whitepapers/threatintelligence/paper/39585