SANS NewsBites

FLASH! Patch Exchange Servers Now; and More Ransomware News - Some Good

June 26, 2020  |  Volume XXII - Issue #51

Top of the News


2020-06-25

Microsoft: Patch Exchange Servers Now

In a recent blog post, the Microsoft Defender ATP Research Team describes an increase in attacks targeting Microsoft Exchange servers. The attacks exploit a critical flaw in the Internet Information Services (IIS) component of Exchange servers. Fixes for the vulnerability have been available since February 2020.

Editor's Note

While the initial attacks leveraged client access to reach your Exchange server, the new focus leverages a flaw in the servers' IIS component to launch a web shell. Additionally, once accessed, misconfigured servers allowed for credential harvesting. Two actions are needed. First, patch your servers. Second, review the security configuration. Microsoft has published security guides for Exchange and CIS (www.cisecurity.org) has configuration guides which can also be leveraged.

Lee Neely

Three weeks ago Rapid7 pointed out the high percentage of unpatched Exchange servers, and we ran a NewsBites item. We also did a NewsBites drilldown on this issue with a general reminder to double check that server patching is still actually happening while your IT staff is largely consumed with supporting Work at Home. https://www.sans.org/blog/newsbites-drilldown-for-the-week-ending-5-june-2020/

John Pescatore

2020-06-26

Lion Breweries are Operational Again After Ransomware Attack

Australian beverage company Lion says that all of its breweries are up and running, and that its dairy and juice facilities are operational. Lion suffered a ransomware attack earlier this month.

Editor's Note

With all the ransomware attacks reported, it's nice to have news about recovery. Although Lion is still finishing up the IT cleanup and may have some disruptions related to that process, the restoration of service to their customers will make this transparent. As Australia remains an active target for ransomware attacks, Lion's mitigations to prevent recurrence will continue to be tested.

Lee Neely

2020-06-25

Maze Ransomware Operators Say They Stole Data From LG Electronics Network

Operators of the Maze ransomware claim they have stolen proprietary data from LG Electronics. They also claim to have encrypted the company's network. As of Thursday afternoon, June 25, LG has not commented.


2020-06-24

Sodinokibi/REvil Ransomware Group Scanning Compromised Networks for POS Systems

Researchers at Symantec have detected a Sodinokibi/REvil ransomware campaign that, in some cases, also scans infected networks for point-of-sale (POS) software. It is unclear whether the Sodinokibi/REvil operators are seeking to encrypt POS systems or if they are looking to steal payment card data.

Editor's Note

The Symantec blog post provides insight into the TTPs used for distribution, control, and exploitation as well as IOCs that should be used to consider mitigations which can reduce the chances of success for an attempted introduction of REvil. The Sodinokibi operators have demonstrated that no matter what data they access, they are prepared to leverage it to ensure payment. Compromised card data, in sufficient volume, is still a marketable commodity independent of any business-specific data.

Lee Neely

Once your systems are breached there are multiple ways for the perpetrators to monetize the breach. While one may be able to assign part of the risk to insurance underwriters, it is usually more efficient to resist the breach, and all the risk, in the first place.

William Hugh Murray

The Rest of the Week's News


2020-06-24

Google Will Enable Auto-Delete for User Data by Default on New Accounts

New Google accounts will now "automatically and continuously" delete user data after 18 months by default. Last year, Google introduced an opt-in data deletion feature; users could choose to have their data deleted after three months or after 18 months. If users already have the feature enabled, their setting will not be changed.

Editor's Note

Existing accounts have three settings: Forever, 18 Months and 3 Months. These settings will not be changed. You can review your settings on the myactivity.google.com page under Activity Controls. This page also allows you to see what activity is tracked and manually delete it. Take a moment and review your settings as well as educate yourself on what's being tracked.

Lee Neely

One may also delete more recent activity, including third-party cookies, on a one-time basis. This can be useful in stopping nuisance ads based upon recent activity. (I recently googled an MIT project whose name was also the name of a popular dog food. I do not have a dog.)

William Hugh Murray

2020-06-24

Legislators Introduce Bill Requiring Breakable Encryption

Three US senators have introduced a bill that would compel technology companies to help law enforcement by helping them obtain access to encrypted data on their networks when the request is accompanied by a warrant. The bill would apply to both data at rest and data in motion. The bill would not apply to products and services sold and operated outside the US.

Editor's Note

This bill is looking to amend the Communications Assistance to Law Enforcement Act (CALEA), which was passed back in 1994 to require digital switch makers and telecoms service providers to support targeted surveillance of a particular connection in a digital stream of voice data. That was a much simpler issue than this bill addresses in trying to extend the model to all consumer devices, operating systems, and cloud services. I've commented on various bills like this in the past - any data analysis shows an order of magnitude more digital crime has succeeded because data was NOT encrypted than the amount of damage from law enforcement being impeded by the use of strong encryption.

John Pescatore

Our colleague, David Kennedy at Verizon, cautions us not to even consider legislative proposals until they at least get a committee hearing. Related to "signal-to-noise."

William Hugh Murray

2020-06-25

Cyberbunker Analysis

Last September, German police raided a Cold War-era nuclear bunker outside of Frankfurt. The facility was being used by "Cyberbunker," a criminal organization that provided hosting services for various illegal purposes. A few months ago, the Internet Storm Center was able to access Cyberbunker's IP address space. SANS.edu graduate student Karim Lalji's analysis found evidence of various illegal activities, including several botnets with thousands of hosts still trying to reach command-and-control servers months after law enforcement took them down.


2020-06-25

Akamai Mitigated Massive Packet-per-Second Based DDoS Attack

In a June 25, 2020 blog post, Akamai writes that it "mitigated the largest packet per second (pps) distributed denial-of-service (DDoS) attack ever recorded on the Akamai platform." The 809 million packets-per-second attack targeted an unnamed European bank on June 21. The blog also draws a distinction between DDoS attacks measured in bits per second (bps), which aim "to overwhelm the inbound internet pipeline," and attacks measured in packets per second (pps), which "are largely designed to overwhelm network gear and/or applications in the customer's data center or cloud environment."
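The bps/pps distinction drawn above is easy to see in code. The following Python is an added example, not part of the NewsBites item or of Akamai's post: it buckets packet records (timestamp, byte length) per second, computes both the bit rate and the packet rate, and labels each second by which capacity limit it exceeds. The packet samples, the two limits and the helper names (per_second_rates, classify_second, synth_burst, pps_for_bandwidth, report) are all constructed for this illustration.

```python
from collections import defaultdict


def per_second_rates(packets):
    """Aggregate (timestamp_seconds, length_bytes) records into per-second rates.

    Returns {second: {"pps": packets_in_that_second, "bps": bits_in_that_second}}.
    """
    buckets = defaultdict(lambda: {"pps": 0, "bps": 0})
    for ts, length in packets:
        bucket = buckets[int(ts)]
        bucket["pps"] += 1
        bucket["bps"] += length * 8
    return dict(buckets)


def classify_second(rates, pps_limit, bps_limit):
    """Label one second by which limit it breaks.

    "bps"  -> fills the inbound pipe (bandwidth exhaustion)
    "pps"  -> stresses per-packet processing in network gear / applications
    """
    over_pps = rates["pps"] > pps_limit
    over_bps = rates["bps"] > bps_limit
    if over_pps and over_bps:
        return "pps+bps"
    if over_pps:
        return "pps"
    if over_bps:
        return "bps"
    return "normal"


def pps_for_bandwidth(bps, packet_bytes):
    """Packets per second needed to fill a link of `bps` with `packet_bytes` frames."""
    return bps // (packet_bytes * 8)


def synth_burst(start_second, n_packets, size_bytes):
    """Constructed traffic: n packets of one size spread evenly over one second."""
    return [(start_second + i / n_packets, size_bytes) for i in range(n_packets)]


# Constructed sample (not a real capture): a quiet second, a tiny-packet flood,
# then a full-size-packet flood.
SAMPLE = (
    synth_burst(0, 50, 1400)      # second 0: baseline traffic
    + synth_burst(1, 2000, 64)    # second 1: many small packets, little bandwidth
    + synth_burst(2, 300, 1400)   # second 2: few large packets, lots of bandwidth
)

# Constructed toy limits for what the "gear" and the "pipe" can absorb per second.
PPS_LIMIT = 1_000
BPS_LIMIT = 2_000_000  # 2 Mbit/s


def report(packets=SAMPLE, pps_limit=PPS_LIMIT, bps_limit=BPS_LIMIT):
    """Map each observed second to its classification."""
    rates = per_second_rates(packets)
    return {sec: classify_second(rates[sec], pps_limit, bps_limit) for sec in sorted(rates)}


if __name__ == "__main__":
    for sec, label in report().items():
        print(f"second {sec}: {label}")
    # Why the two numbers diverge: the same 1 Gbit/s link needs ~23x more
    # packets per second when they are 64-byte frames than 1500-byte frames.
    print("1 Gbit/s at 64 B  :", pps_for_bandwidth(1_000_000_000, 64), "pps")
    print("1 Gbit/s at 1500 B:", pps_for_bandwidth(1_000_000_000, 1500), "pps")
```

Second 1 is flagged on packet rate alone (2000 pps but only about 1 Mbit/s), while second 2 is flagged on bandwidth alone (300 pps but about 3.4 Mbit/s); a monitor that only watches bits per second would miss the first case, which is the kind of attack the Akamai post singles out.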


2020-06-25

Lucifer Malware Exploits Multiple Known Windows Vulnerabilities

Malware that has been dubbed Lucifer exploits a number of known high and critical severity Windows vulnerabilities, some dating back several years. The malware is multi-faceted: once it infects computers, it uses their resources for cryptomining or for launching distributed denial-of-service attacks.


2020-06-25

Ripple20

The 19 vulnerabilities in the Treck TCP/IP stack, known collectively as Ripple20, affect millions of IoT devices. The health care industry appears to have significantly more affected devices than other sectors, according to information from Forescout. The Bleeping Computer article includes a list of vendors with products that are confirmed to be affected by Ripple20.

Editor's Note

Medical devices comprise a large share of users of the flawed Treck software. You will find a NewsBites drilldown on the issue at https://www.sans.org/blog/newsbites-drilldown-for-the-week-ending-19-june-2020/.

John Pescatore

2020-06-25

Suzette Kent is Leaving Government Service

US Federal CIO Suzette Kent has announced that she will leave her government position next month. Kent has served as Federal CIO since January 2018.


2020-06-25

Prison Sentence for Botnet Creator

Kenneth Currin Schuchman has been sentenced to 13 months in prison for his role in the creation of numerous Internet-of-Things (IoT)-based botnets. Schuchman had earlier pleaded guilty to violating the Computer Fraud and Abuse Act (CFAA). Two accomplices have been charged with conspiracy to commit fraud in connection with the scheme.

Internet Storm Center Tech Corner

Analysis Of Traffic Targeting CyberBunker IP Space

https://isc.sans.edu/forums/diary/Cyberbunker+20+Analysis+of+the+Remnants+of+a+Bullet+Proof+Hosting+Provider/26266/


SANS.edu Student Karim Lalji: Real-Time Honeypot Forensic Investigation on a German Organized Crime Network

https://www.sans.org/reading-room/whitepapers/threathunting/real-time-honeypot-forensic-investigation-german-organized-crime-network-39640


Using Shell Links as zero-touch downloaders and to initiate network connections

https://isc.sans.edu/forums/diary/Using+Shell+Links+as+zerotouch+downloaders+and+to+initiate+network+connections/26276/


Recordings of the Tech Tuesday Workshop

https://isc.sans.edu/forums/diary/Tech+Tuesday+Recap+Recordings+Part+2+Installing+the+Honeypot+release/26280/

https://www.youtube.com/channel/UCfbOsqPmWg1H_34hTjKEW2A


Microsoft Offering Enterprise Security Products for Linux/Android

https://techcommunity.microsoft.com/t5/microsoft-defender-atp/announcing-microsoft-defender-atp-for-android/ba-p/1480787

https://techcommunity.microsoft.com/t5/microsoft-defender-atp/microsoft-defender-atp-for-linux-is-now-generally-available/ba-p/1482344


Microsoft Safe Documents

https://techcommunity.microsoft.com/t5/microsoft-365-blog/safe-documents-is-generally-available/ba-p/1480401


Chrome Updates Released

https://chromereleases.googleblog.com/2020/06/stable-channel-update-for-desktop_22.html


QNAP Updates for Helpdesk

https://www.qnap.com/de-de/security-advisory/qsa-20-03


Magento Update

https://helpx.adobe.com/security/products/magento/apsb20-41.html


Attacks Against Microsoft Exchange Servers

https://www.microsoft.com/security/blog/2020/06/24/defending-exchange-servers-under-attack/


Credit Card Skimmers Hide Code in Favicon EXIF Data

https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/


GeoVision Scanners Vulnerabilities

https://thehackernews.com/2020/06/geovision-scanner-vulnerabilities.html


Docker Images Containing Cryptojacking Malware

https://unit42.paloaltonetworks.com/cryptojacking-docker-images-for-mining-monero/