SANS NewsBites

Australia is Under State-Sponsored Cyberattack; 269 GB of US Law Enforcement Data Published

June 23, 2020  |  Volume XXII - Issue #50

Top of the News


2020-06-19

Prime Minister: Australia is Under State-Sponsored Cyberattack

At a press conference on Friday, June 19, Australian Prime Minister Scott Morrison warned that the country's public sector is under cyberattack from a state-backed actor. The attacks have targeted organizations in a range of sectors, including government, private industry, education, health and essential services, and operators of critical infrastructure. Morrison declined to identify the country he believes is responsible for the attacks. A technical advisory from the Australian Signals Directorate (ASD) describes the "tactics, techniques and procedures used to target multiple Australian networks."

Editor's Note

Two telling quotes from the ASD alert: (1) "The Australian Government is currently aware of, and responding to, a sustained targeting of Australian governments and companies by a sophisticated state-based actor" and (2) "ACSC Recommended Prioritised Mitigations ... Prompt patching of internet facing software, operating systems and devices. All exploits utilised by the actor in the course of this campaign were publicly known and had patches or mitigations available." The attacks were sophisticated, but basic security hygiene (patching) would have disabled those attacks. The ASD has shown data on how the "Top 4" basic security hygiene controls alone mitigate 85% of sophisticated, targeted cyber attacks.

John Pescatore

While attribution is a nice-to-have, ensuring sufficient security is in place for systems, as well as recovery from attacks, are critical activities. The ASD/ACSC advisory below provides prioritized mitigations, starting with patching and implementing MFA, followed by their Essential Eight controls (https://www.cyber.gov.au/sites/default/files/2020-04/PROTECT%20-%20Essential%20Eight%20Explained%20%28April%202020%29.pdf). Those are common-sense changes which will dramatically reduce the attack surface.

Lee Neely

2020-06-22

Group Posts 269 GB of Data Stolen from US Law Enforcement Databases

A group calling itself Distributed Denial of Secrets has posted 269 gigabytes of police data online. According to a memo from the National Fusion Center Association obtained by Brian Krebs, the data were taken from state-owned and -operated law enforcement fusion centers, which serve to coordinate communications between state, local, federal, tribal, territorial, and private law enforcement partners. The memo notes that "Preliminary analysis of the data contained in this leak suggests that Netsential, a web services company used by multiple fusion centers, law enforcement, and other government agencies across the United States, was the source of the compromise."

The Rest of the Week's News


2020-06-18

VMware Update for macOS


VMware has released updates to address a denial-of-service vulnerability affecting VMware Tools for macOS. The flaw is in the Host-Guest File System implementation. Users should update to VMware Tools for macOS 11.1.1.

Editor's Note

Check the version of VMware Tools in your environment; you may need to download this version of VMware Tools explicitly, even after using the built-in check-for-updates feature.

Lee Neely

2020-06-19

Australia's Lion Brewery Suffers Another Cyberattack

Australian beverage company Lion, which has been in the process of recovering from a June 8 ransomware attack, reportedly suffered a second cyberattack over the weekend. As a result, the company has shifted its focus from recovery to defense. The company is struggling to meet demands for its beer, dairy, and juice products.

Editor's Note

They are now confirming this was the REvil malware family, whose operators are known for publishing exfiltrated data to ensure the ransom is paid; in this case about USD 800,000. Lion has implemented measures to prevent added attacks, as well as analyzed what data was accessed to make the determination not to pay the ransom. The process is further complicated by a takeover bid from Chinese dairy giant Mengniu. When faced with multiple factors like this, management needs to determine what to prioritize and then support those decisions. In this case, the priority remains getting beverage production online with an improved security posture, hiring external security firms to support those goals, and standing behind the decision not to pay the ransom.

Lee Neely

2020-06-19

Former FEMA IT Specialist Arrested for Allegedly Hacking University of Pittsburgh Medical Center

The US Department of Justice announced the arrest of Justin Sean Johnson, who was indicted on charges of conspiracy, wire fraud, and aggravated identity theft for his alleged role in a cyberattack against human resources databases at the University of Pittsburgh Medical Center in 2014. Johnson, who was formerly an information technology specialist at the Federal Emergency Management Agency (FEMA), allegedly sold personally identifiable information stolen in that attack.

Editor's Note

In this case the UPMC HR system was not sufficiently protected from access to prevent a hacker exploiting bugs to access data. Protect information systems containing sensitive data through multi-factor authentication and by limiting direct access to APIs and databases to trusted systems, supported with monitoring to detect attempted unauthorized access and data exfiltration.

Lee Neely

2020-06-19

Crozer-Keystone Health System Suffers Ransomware Attack


The Crozer-Keystone Health System in Philadelphia was recently the victim of a ransomware attack. Operators of the NetWalker ransomware claim to have stolen information from Crozer-Keystone and are threatening to publish it later this week. Crozer-Keystone has taken "necessary systems offline to prevent further risk," according to an emailed statement from a Crozer-Keystone spokesperson.

Editor's Note

Most enterprises, including all municipalities and healthcare institutions, should, by now, have measures in place to resist breaches and mitigate damage to their data and applications. Failure to do so is at best negligent, probably reckless.

William Hugh Murray

2020-06-22

Open Letter to Congress Urges it to Save the Open Technology Fund After Head of USAGM is Replaced


Nearly 400 organizations and more than 2,300 individuals have signed a letter asking Congress to preserve funding for the Open Technology Fund. OTF has received funding from the US Agency for Global Media (USAGM) since 2012. Last week, the current administration replaced the head of USAGM and fired heads of associated non-profits that USAGM sponsors. OTF's CEO resigned last week; in her resignation letter, Libby Liu wrote that she had "become aware of lobbying efforts to convince the new USAGM CEO to interfere with the current FY2020 OTF funding stream and redirect some of our resources to a few closed-source circumvention tools."

2020-06-22

Flash End-of-Life is December 31, 2020

Adobe is recommending that users uninstall Flash by the end of this calendar year. Adobe announced in July 2017 that Flash's planned EOL will be December 31, 2020. After that date, Adobe will no longer distribute or issue updates for the software. "Users will be prompted by Adobe to uninstall Flash Player on their machines later this year and Flash-based content will be blocked from running in Adobe Flash Player after the EOL Date."


2020-06-22

Former Defense Intelligence Agency Analyst Sentenced to Prison for Leaking Data


A former analyst for the US Defense Intelligence Agency (DIA) has been sentenced to two-and-a-half years in prison for leaking data to journalists. In February 2020, Henry Kyle Frese pleaded guilty to willful transmission of Top Secret national defense information. Frese was employed at DIA from February 2018 through October 2019 as a counter-terrorism analyst.

2020-06-22

US Government Websites Will be Accessible Through HTTPS Only After September 1

Starting September 1, 2020, new US government websites (.gov) will be available only through HTTPS. The entire .gov top-level domain (TLD) will eventually be pre-loaded, which means that browsers will automatically use a secure connection when visitors go to a .gov website.

Editor's Note

This will apply to new .gov domains. Existing domains have been converting to HSTS since May 2017, and can submit themselves to the HSTS preload list. For .gov domain holders, GSA hosts a DotGov HSTS listserv (dotgovhttps@listserv.gsa.gov) for comments, questions and feedback. Users of that mailing list must subscribe from a .gov email address.

Lee Neely
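The item above describes the .gov TLD being added to the HSTS preload list and existing domains submitting themselves to it. The following is an added example, not code from the newsletter, GSA or hstspreload.org: it parses a Strict-Transport-Security header and checks it against the preload-list submission requirements (a max-age of at least one year, 31536000 seconds, plus the includeSubDomains and preload directives), which the newsletter does not spell out. The sample headers are constructed and are not captured from any real .gov site.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Minimum max-age accepted for preload submission: one year, in seconds.
PRELOAD_MIN_MAX_AGE = 31536000


@dataclass
class HstsCheck:
    max_age: Optional[int]
    include_subdomains: bool
    preload: bool
    problems: List[str] = field(default_factory=list)

    @property
    def preload_ready(self) -> bool:
        """True when the header satisfies every preload-list requirement."""
        return not self.problems


def parse_hsts(header: str) -> Dict[str, Optional[str]]:
    """Split a Strict-Transport-Security value into its directives (RFC 6797).

    Directive names are case-insensitive, so they are lowercased; a directive
    written without '=' (includeSubDomains, preload) maps to None. Quoted
    values such as max-age="31536000" are unquoted.
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, has_value, value = raw.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') if has_value else None
    return directives


def check_preload(header: Optional[str]) -> HstsCheck:
    """Evaluate a site's HSTS header against the preload-list requirements."""
    if header is None:
        return HstsCheck(None, False, False, ["no Strict-Transport-Security header"])

    d = parse_hsts(header)
    problems: List[str] = []
    max_age: Optional[int] = None

    raw_age = d.get("max-age")
    if raw_age is None:
        problems.append("max-age directive missing")
    elif not raw_age.isdigit():
        problems.append(f"max-age is not a non-negative integer: {raw_age!r}")
    else:
        max_age = int(raw_age)
        if max_age < PRELOAD_MIN_MAX_AGE:
            problems.append(
                f"max-age {max_age} is below the one-year minimum ({PRELOAD_MIN_MAX_AGE})"
            )

    include_subdomains = "includesubdomains" in d
    preload = "preload" in d
    if not include_subdomains:
        problems.append("includeSubDomains directive missing")
    if not preload:
        problems.append("preload directive missing")

    return HstsCheck(max_age, include_subdomains, preload, problems)


# Constructed sample headers; labels describe the case, not a real domain.
SAMPLE_HEADERS = {
    "preload-ready": "max-age=63072000; includeSubDomains; preload",
    "short-max-age": "max-age=10886400; includeSubDomains; preload",
    "no-subdomains": "max-age=31536000; preload",
    "missing-header": None,
}

if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        result = check_preload(header)
        status = "ready" if result.preload_ready else "; ".join(result.problems)
        print(f"{label:15} -> {status}")
```

The check is deliberately strict about the header value itself; note that browsers only honour an HSTS header received over HTTPS, so the value should be taken from an HTTPS response when auditing a domain before submission.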

2020-06-22

NSO Group Spyware Used to Track Moroccan Journalist, Says Amnesty International


An Amnesty International investigation revealed evidence that spyware made by NSO Group was used to target Moroccan journalist and activist Omar Radi between January 2019 and January 2020. Attacks against Radi's phone to install the Pegasus spyware occurred on at least three dates. One of the attacks occurred just three days after "NSO Group publicly committed to abide by the UN Guiding Principles on Business and Human Rights."

Internet Storm Center Tech Corner

Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider


In September last year, German police raided a cold-war era nuclear bunker used by "Cyberbunker," a criminal organization that provided hosting services for various illegal purposes. A few months ago, the Internet Storm Center was able to access the Cyberbunker's IP address space. One of our SANS.edu graduate students, Karim Lalji, analyzed it. He found evidence of various illegal activities including several botnets with thousands of hosts trying to reach command-and-control servers months after law enforcement took them down. One of the lessons learned is how long it takes victims to realize that systems are infected. Some phishing sites hosted on Cyberbunker are still receiving hits today.


Full post: https://isc.sans.edu/forums/diary/Cyberbunker+20+Analysis+of+the+Remnants+of+a+Bullet+Proof+Hosting+Provider/26266/


Sigma Rules! The Generic Signature Format for SIEM Systems

https://isc.sans.edu/forums/diary/Sigma+rules+The+generic+signature+format+for+SIEM+systems/26258/


Pi Zero Honeypot

https://isc.sans.edu/forums/diary/Pi+Zero+HoneyPot/26260/


Comparing Office Documents with WinMerge

https://isc.sans.edu/forums/diary/Comparing+Office+Documents+with+WinMerge/26268/


Ransomware Operators Lurk on Your Network

https://www.bleepingcomputer.com/news/security/ransomware-operators-lurk-on-your-network-after-their-attack/


Discord Modified to Steal Accounts

https://www.bleepingcomputer.com/news/security/discord-modified-to-steal-accounts-by-new-nitrohack-malware/


Remote Code Execution Vulnerability in Bitdefender

https://palant.info/2020/06/22/exploiting-bitdefender-antivirus-rce-from-any-website/


Google Analytics Used to Exfiltrate Data

https://www.perimeterx.com/tech-blog/2020/bypassing-csp-exflitrate-data/


VMware Tools and Microsoft Office Updates for macOS

https://www.vmware.com/security/advisories/VMSA-2020-0014.html

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1225

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1226

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1229