SANS NewsBites

Zoom Encryption For All; Millions of IoT and Home Devices At Risk; Fake LinkedIn Identities and Phony Job New Attack Vector

June 19, 2020  |  Volume XXII - Issue #49

Top of the News


2020-06-17

Zoom Will Make End-to-End Encryption Available to Everyone

Zoom now says that it will provide end-to-end encryption (E2EE) for all users. Previously, the company had planned to provide the feature only to paying users. The feature will be off by default; meeting administrators must enable it when setting up each meeting. The feature is opt-in because it may not work with every piece of technology. Non-paying users must provide a piece of identifying information to have the feature enabled. A beta of the feature will begin next month.

Editor's Note

Be aware of the impacts of enabling E2EE before enabling it to make sure that users will be able to participate in your meeting. Zoom's white paper on their E2EE implementation (https://github.com/zoom/zoom-e2e-whitepaper/blob/master/zoom_e2e.pdf) documents meeting UI changes as well as key management and verification. UI changes include: participants cannot join before the host; participants must run the official Zoom client; browsers, legacy Zoom-enabled devices and PSTN dial-ins are disabled.

Lee Neely

2020-06-16

Ripple20 Vulnerabilities Affect Millions of IoT Devices


Researchers from JSOF, an Israeli security company, have discovered a group of vulnerabilities that affect millions of Internet of Things (IoT) devices. Ripple20 is "a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc." At least four of the flaws have CVSS base scores over 9.0. In March, Treck issued an updated version of the library that addresses the flaws. However, tracking down all vulnerable devices is difficult at best, and there are likely situations in which devices cannot be

Editor's Note

This flaw will keep us busy for the foreseeable future. The Treck IP Stack is used in millions of devices made by an unknown number of manufacturers. As an end user, you likely have no idea that this IP stack is used in your equipment. Identifying these devices and patching them will take years.

Johannes Ullrich

Cisco, Intel and HP/Samsung have issued alerts around their products that are or may be at risk. This isn't just an obscure IoT device risk issue, though it is a huge issue there. There are 19 CVEs; in order to mitigate or patch, discovery of vulnerable devices with the Treck stack is key. Some discovery and Network Access Control vendors have released scripts and signatures to detect use of the vulnerable stack. Treck recommends reviewing those CVEs and if you have questions about a device, contact them via email at security@treck.com.

John Pescatore

2020-06-17

Hackers Used Fake LinkedIn Identities and Phony Job To Infiltrate European Defense Companies


Hackers on LinkedIn pretended to be corporate recruiters working for US defense contractors. They sent phony job offers to employees at European defense companies and managed to gain access to systems at two of those companies in late 2019. The hackers sent documents that contained malicious code through LinkedIn's private messaging feature.

The Rest of the Week's News


2020-06-16

Microsoft Releases Out-of-Cycle Windows 10 Cumulative Update to Address Printing Problems


On Tuesday, June 16, Microsoft released cumulative updates for Windows 10 that address an issue introduced by updates released the week before. Users reported that after installing the June 9 updates, they were unable to print. The optional, out-of-cycle cumulative updates will not install automatically. Microsoft recommends that only users who have experienced printer problems with the earlier updates install the new updates.

Editor's Note

Put this in the "if it isn't broken, don't fix it" category. Deploy this fix to systems only if they are experiencing printer problems after last week's update. You may not discover those problems until workers return on-site and attempt to print.

Lee Neely

2020-06-17

Adobe Releases Out-of-Cycle Updates to Fix 18 Critical Flaws


Adobe has released out-of-cycle updates to address 18 critical vulnerabilities in six products. Five of the vulnerabilities are in Illustrator, and another five are in After Effects. The other patches address flaws in Premiere Pro, Premiere Rush, Audition, and Campaign Classic. Adobe patched four critical vulnerabilities in Flash Player a week ago.

2020-06-17

US House Subcommittee Hearing on Financial Sector Cyberattacks


Witnesses told the US House Subcommittee on National Security, International Development, and Monetary Policy that the US financial sector experienced a 238 percent increase in cyberattacks during the first five months of 2020. VMware's head of cybersecurity strategy Tom Kellermann noted that 90 percent of US financial sector employees are working from home, which makes their systems more vulnerable to attacks.

2020-06-16

Senator Asks DNI Why the Intelligence Community Has Not Adopted Stronger Cybersecurity Practices


US Senator Ron Wyden (D-Oregon) has asked the Director of National Intelligence (DNI) why the intelligence community has not followed a CISA directive "to implement multi-factor authentication to protect their .gov domain names"; why its DMARC implementation is lagging; why the intelligence community's classified computer network for top secret information does not use multi-factor authentication; and whether it intends to adopt the Inspector General's (IG's) cybersecurity recommendations. Wyden appended a redacted version of a 2017 CIA WikiLeaks Task Force report, which found "day-to-day security practices had become woefully lax." Users were sharing admin passwords; there were no controls for using removable USB drives; and they did not use network segmentation to limit access to tools.

Editor's Note

Implementing broad changes while still meeting mission objectives takes leadership and support from the top, particularly if delivered as an unfunded mandate, and particularly for culture-changing initiatives such as security awareness and corresponding culture changes. If management doesn't "walk the talk" the staff won't either. The security measures suggested, such as DMARC, MFA and USB Security, are worth consideration irrespective of your business sector.

Lee Neely

Some form of strong authentication is now mandatory for most applications in most enterprises, let alone for privileged users in intelligence agencies. It is ironic that sharing of IDs and passwords remains common among administrative users, those users where "accountability" is the primary control. Most enterprises, let alone intelligence agencies, should be using Privileged Access Management systems (the Israelis offer a very good one.) It was through abuse of administrative privileges that Edward Snowden was able to ravage NSA systems.

William Hugh Murray

2020-06-16

T-Mobile Outage Resolved


A T-Mobile network outage on Monday, June 15, caused problems across the US. Federal Communications Commission (FCC) Chairman Ajit Pai called the incident "unacceptable" and said, "the FCC is launching an investigation." The problems are believed to stem from network configuration changes gone awry. Rumors that the issue was due to a distributed denial-of-service (DDoS) attack were refuted. The issue was resolved by 1am ET on Tuesday, June 16.

2020-06-18

Netgear Router Vulnerability


A vulnerability in Netgear routers could be exploited to bypass the authentication process and gain access to other devices on the network. The flaw lies in the web server component in the firmware used in 79 Netgear router models. Netgear says it is working on a fix.

Editor's Note

The flaw is in the web server used to manage the router. The only mitigation is to limit access to that service to trusted systems. Make sure internet-based management is disabled, if possible, implement firewall rules to restrict which systems can manage the devices, and consider changing the admin password so systems with cached or stored credentials cannot connect easily. Netgear hopes to release updated firmware by the end of June.

Lee Neely

The cost of the first repair that one makes will be high; subsequent ones much lower. Therefore, enterprises will repair; SOHO users may find it cheaper and easier to replace.

William Hugh Murray

2020-06-18

NSA is Piloting Secure DNS for DIB


The US National Security Agency (NSA) is piloting a secure DNS service for some of its defense industrial base (DIB) companies. Anne Neuberger, the NSA's Director of Cybersecurity, noted that the pilot is based on NSA analysis that found "using secure DNS would reduce the ability for 92 percent of malware attacks both from command and control perspective deploying malware on a given network." Neuberger said that the results of the pilot, which has been running for about six weeks, "have been very, very successful."

Editor's Note

The article is a bit short on details, but this appears not to be another attempt to revive DNSSEC. Instead, it likely refers to filtered DNS services (sometimes called DNS firewalling) like those offered by companies such as Threatstop and OpenDNS/Cisco. This type of service has been shown to be effective and easy and cheap to deploy. Having them specifically "tuned" for this user base could indeed be a good way to better protect participating companies.

Johannes Ullrich

2020-06-18

Amazon Web Services Mitigated a 2.3 Tbps DDoS Attack in February


Amazon Web Services (AWS) disclosed that its Shield service fended off a massive distributed denial-of-service (DDoS) attack earlier this year. The incident is described in the AWS Shield Threat Landscape Report - Q1 2020. The report does not identify the customer but does note that the attack lasted three days and had a volume of 2.3 Tbps.

2020-06-17

Akamai Resolved 1.44 Tbps DDoS Against Website


Akamai said it resolved a 1.44 Tbps / 385 million packets per second distributed denial-of-service (DDoS) attack against an unnamed website earlier this month. The attack is the largest Akamai has seen. The attack lasted 90 minutes.

Editor's Note

During the T-Mobile outage, there was unfounded speculation that a DDoS attack may have caused the outages. Many people don't understand that large DDoS attacks have become a "new normal" for internet service providers. This story, as well as the AWS DDoS story, show how companies have learned to deal with these "new normal" attacks.

Johannes Ullrich

2020-06-18

Cognizant Discloses What Information Ransomware Operators Stole


Cognizant Technology Solutions has disclosed additional details about the Maze ransomware infection it experienced in April 2020. The ransomware operators appear to have stolen information related to corporate credit cards as well as some personnel records.

Internet Storm Center Tech Corner

Broken Phishing Accidentally Exploiting Outlook Bug


ISC Handler Jan Kopriva discovered that Microsoft Outlook may, under certain circumstances, rewrite links in emails as they are forwarded. This could be used to trick a user into forwarding an email that they consider harmless: in specially crafted emails, Outlook can be tricked into rewriting links and replacing them with malicious links as the email is forwarded.

https://isc.sans.edu/forums/diary/Broken+phishing+accidentally+exploiting+Outlook+zeroday/26254/

Webcast: https://www.sans.org/webcasts/sansatmic-catch-release-phishing-techniques-good-guys-115430


Sextortion to the Next Level

https://isc.sans.edu/forums/diary/Sextortion+to+The+Next+Level/26244/


Odd Protest Spam (Scam?) Targeting Atlanta Police Foundation

https://isc.sans.edu/forums/diary/Odd+Protest+Spam+Scam+Targeting+Atlanta+Police+Foundation/26248/


T-Mobile Outage Due to Configuration Error

https://www.scmagazine.com/home/security-news/outages-draw-speculation-of-ddos-attack-on-u-s-but-reality-likely-more-boring/


Vulnerability Analysis of 2500 Docker Hub Images

https://arxiv.org/pdf/2006.02932.pdf


Zoom Publishes End-to-End Encryption Whitepaper

https://github.com/zoom/zoom-e2e-whitepaper


Treck IP Stack Contains Multiple Vulnerabilities

https://www.kb.cert.org/vuls/id/257161


Linux ACPI Bug Defeats UEFI Secure Boot

https://git.zx2c4.com/american-unsigned-language/tree/american-unsigned-language-2.sh


Cisco Updates

Treck IP Stack: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-treck-ip-stack-JyBQ5GyC

All Advisories: https://tools.cisco.com/security/center/publicationListing.x


Netgear httpd Firmware Upload Stack-based Buffer Overflow RCE Vulnerability

https://blog.grimm-co.com/2020/06/soho-device-exploitation.html


Tech Tuesday Workshop

https://www.sans.org/webcasts/tech-tuesday-workshop-collaborating-scale-contribute-profit-internet-storm-center-115935