SANS NewsBites

Health Care Cyber Attacks Skyrocketing; Many SAP and Zoom Installations Need Immediate Patching

July 14, 2020  |  Volume XXII - Issue #55

Top of the News


2020-07-12

Cyber Attacks Against Health Care Facilities Skyrocketing During COVID Pandemic

Attacks against hospitals and other healthcare providers have increased during the pandemic as more employees switched to working from home and medical facilities were cash-strapped and stretched thin because of COVID-19. IBM reported a 6,000 percent increase in spam attacks leveraging COVID-19 against information technology systems between March and April; many of the targeted systems are at healthcare facilities.


2020-07-14

SAP Patches Critical Flaw - Severity 10 - Patch Now

SAP has released a fix for a critical vulnerability in the SAP NetWeaver Application Server Java component LM Configuration Wizard. The flaw could be remotely exploited to create user accounts with maximum privileges on vulnerable systems.

Editor's Note

The vulnerability has been given a severity rating of 10. Apply the available mitigations, and verify the security configuration of your SAP instance, including applying patches to the OS and other layered products, while the patches are regression tested in your non-production environment.

Lee Neely

In the best of times, business apps usually have longer "time-to-patch" because of shorter change windows and enhanced QA testing requirements. Supporting work from home with IT operations teams that have to work remotely, as well, seems to have degraded the time to patch IT servers in general. At a minimum, the recommended workaround (disabling the LM Configuration Wizard) should be prioritized.

John Pescatore

2020-07-13

Zoom Releases Fix for RCE Flaw Affecting Older Versions of Windows

Zoom has released an update to address a remote code execution vulnerability that affects the Zoom client running on Windows 7 and on older versions of Windows. Zoom released version 5.1.3 of the Zoom client on July 10. Zoom released additional updates on Sunday, July 12 to address "minor bug fixes" and implement "new and enhanced features" for phone and web users.

Editor's Note

Update your Zoom clients now. Even with this fix, these older unsupported operating systems should not be used for Internet activities.

Lee Neely

The Rest of the Week's News


2020-07-11

Amazon Walks Back its TikTok Ban; Wells Fargo Imposes One

Amazon said that an email sent to employees last week banning them from using TikTok on mobile devices that connect to corporate email "was sent in error." The message told the employees to remove the app from those devices or risk losing access to work email on those devices. TikTok has come under scrutiny by US legislators and administration officials because it is owned by a Chinese company and some are concerned that the app could be used to spy on people. Late last year, the US Department of Defense told personnel to delete TikTok from government-issued phones. Wells Fargo has also told its employees to delete the app from company-owned devices.

Editor's Note

A risk assessment of using TikTok on corporate devices is appropriate. If you decide the risk is unacceptable, use your MDM to remove and monitor for installation after users are notified. Consider sharing the risk assessment with users to build support and understanding.

Lee Neely

Researchers have identified other apps that access data copied into the clipboard similar to TikTok and have similar privacy and security concerns. This is why having a robust Mobile Device Management (MDM) solution that sandboxes or containerizes corporate apps and data from other apps on the device is so important.

Brian Honan

2020-07-10

Conti Ransomware Can Encrypt Files Very Quickly

Researchers from Carbon Black have detected Conti, a new strain of ransomware that appears to share some code with Ryuk. Conti is human-operated ransomware, meaning that its operators control it rather than allowing it to execute automatically. One of Conti's notable features is that it uses 32 simultaneous CPU threads to encrypt data.


2020-07-13

Secret Service Cyber Fraud Task Force

The US Secret Service has merged two existing units to create the Cyber Fraud Task Force. In a July 9 press release, the Secret Service said, "In today's environment, no longer can investigators effectively pursue a financial or cybercrime investigation without understanding both the financial and internet sectors, as well as the technologies and institutions that power each industry," prompting the decision to unify the Electronic Crimes Task Forces (ECTFs) and Financial Crimes Task Forces (FCTFs).


2020-07-10

Mozilla Will Reduce TLS Certificates' Lifespan to 398 Days

Mozilla has announced its intent to reduce the lifespan of TLS certificates it deems valid from 825 days (about 27.5 months) to 398 days (just over 13 months). As of September 1, 2020, Mozilla will consider new TLS certificates with expiration dates further out than 398 days as invalid. Earlier this year, Apple announced it will require certificates issued after September 1, 2020 to have lifespans of 398 days or less. Mozilla and Apple plan to make this change regardless of any decision reached by the CA/B Forum.

Editor's Note

This move was first proposed by Apple. Now all major browsers are following and all certificates issued after September 1st are affected. Your existing certificates will be fine for now. The real effect of this is that you will have to automate certificate renewal and deployment. The "ACME" protocol used by Let's Encrypt is a good candidate, and Let's Encrypt is a good solution for publicly used certificates. For internal certificates, consider setting up your own internal "ACME" support for your internal certificate authority.

Johannes Ullrich

Certificates issued before September 1st will still work with the longer lifetime. The challenges here are both implementing new processes to update certificates more frequently as well as making sure you're being issued certificates with a shortened lifetime. If your issuer and platform don't support an automated update, you'll want to include annual updates in your service management system.

Lee Neely

Keep in mind that "certificates" are information, meta-data, about the keys. It is the security of the keys, not the certificates, that is important.

William Hugh Murray
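A way to verify the second point above, that new certificates you are issued actually fit the 398-day limit, is to check each certificate's validity window against the policy date. The Go program below is an added example, not code from SANS or from any browser vendor; it builds a throwaway self-signed certificate only so the check can run offline, and it assumes the validity period is measured as notAfter minus notBefore.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Article's policy: issued on or after 2020-09-01 and valid more than 398 days
// is rejected. Measuring the period as notAfter minus notBefore is assumed here.
const maxLifetime = 398 * 24 * time.Hour

var policyStart = time.Date(2020, time.September, 1, 0, 0, 0, 0, time.UTC)

// CheckLifetime returns nil when the certificate is acceptable under the
// 398-day rule and an error describing the violation otherwise.
func CheckLifetime(c *x509.Certificate) error {
	if c.NotBefore.Before(policyStart) {
		return nil // issued before the cut-off: the longer lifetime still works
	}
	if lifetime := c.NotAfter.Sub(c.NotBefore); lifetime > maxLifetime {
		return fmt.Errorf("issued %s, valid %.0f days, exceeds 398",
			c.NotBefore.Format("2006-01-02"), lifetime.Hours()/24)
	}
	return nil
}

// SelfSigned builds a throwaway (constructed) certificate so the check can run
// offline; in practice feed it certificates from your own servers or inventory.
func SelfSigned(notBefore time.Time, days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(time.Duration(days) * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To audit real certificates, replace SelfSigned with x509.ParseCertificate over the DER you fetch from each server or pull from your inventory.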

2020-07-13

Amnesty International Loses Bid to Revoke NSO Export License

An Israeli court has denied Amnesty International's petition to revoke the export license of NSO Group, which sells surveillance software. Amnesty International filed the lawsuit in 2019, alleging that NSO Group's Pegasus software had been used against an Amnesty International employee.

2020-07-13

Nikulin Found Guilty of Breaking Into LinkedIn, DropBox, and Formspring

A federal jury in California has found Russian citizen Yevgeniy Nikulin guilty of breaking into computers that belonged to social networking companies, installing malware on those computers, stealing employees' access credentials, and selling that information. Nikulin was arrested in the Czech Republic in 2016 and held there for over a year before being extradited to the US. Sentencing is scheduled for September 29, 2020.

2020-07-13

US Dept. of Energy Report: DOE's Office of Science Lacks Sufficient Peripheral Device Security

A report from the US Department of Energy Office of Inspector General warns that DOE's Office of Science does not have adequate security for peripheral devices. The IG reviewed four DOE field sites. Among the reasons given by site officials for the lack of security are that DOE's security standards are "technically not feasible or extremely difficult to implement," and that they are expensive to implement and hinder collaboration.

Editor's Note

The most effective method of conveying new security measures is tying them to real threats and mission impact as well as understanding the culture of the intended audience. DoE's Science labs are focused on external collaboration and publishing scientific discoveries, often strongly aligned with colleges and universities and as such perceive a different risk with these peripherals.

Lee Neely

Convenience trumps security. These so-called "peripherals" often include von Neumann architecture computers with all the capabilities and vulnerabilities that that implies.

William Hugh Murray

2020-07-13

Belgian Bank Closes Down Older ATMs After Jackpotting Attacks

Two Argenta ATMs in Belgium were hit with jackpotting attacks over the weekend. These were older machines that were scheduled to be replaced. ATMs belonging to the same bank were hit with jackpotting attacks in late June as well. Argenta's Christine Vermylen told The Brussels Times, "We have decided to shut down the 143 devices of this type now, pending the installation of new devices later this year. We are looking into whether that operation can be speeded up."

Editor's Note

Physical protection is a key factor in ATM security here. Logical access, which is necessary for a jackpotting attack, is most often gained via the USB port. As such, in-wall units are much harder to compromise than the free-standing devices in convenience stores and malls. While newer ATMs have implemented additional security to resist this sort of attack, older units often have no upgrade option and must be replaced. The tricky part is balancing the risk of compromise with the budgeted lifecycle replacement date as well as having units delivered on schedule.

Lee Neely

Jackpotting kicked up in 2018, generally requiring physical access inside ATM machines. ATM machines that are easy for criminals to enter seem like immediate candidates for disconnecting or replacing in any event. It is kinda like if the bank vault had screen windows. There is always the financial equation of hanging on to vulnerable technology long enough to write off the full depreciation. Target learned in 2013 that doing so without some form of mitigation or enhanced monitoring will end up with incident costs that swamp the depreciation write off.

John Pescatore

2020-07-13

Ukrainian Police Arrest Alleged Government Database Hacker

Police in Ukraine have arrested an individual who is suspected of breaking into government databases, stealing information, and then selling it. The suspect allegedly accessed 50 Ukrainian government databases by "hacking passwords to e-mail accounts, messengers, [and] social media accounts" of government employees.

Editor's Note

Given the prolific reuse of passwords across personal and corporate websites and systems, implementing multi-factor authentication for corporate systems is fast becoming a basic necessity.

Brian Honan

2020-07-08

EFF Files Amicus Brief in Supreme Court Case Involving CFAA

The Electronic Frontier Foundation (EFF) has filed an amicus brief on behalf of cybersecurity researchers and companies urging the US Supreme Court to narrow the scope of the Computer Fraud and Abuse Act (CFAA). Specifically, the EFF urges the Supreme Court to decide that accessing computers in ways that violate terms of service does not violate the CFAA. The brief was filed in reference to Nathan Van Buren v. United States.

Editor's Note

The CFAA is the poster child for well-intended legislation that has outlived its effectiveness. It was drafted in an era when computers were scarce and most access was by employees. It is overdue for revision. That said, "research" must not be permitted to become a cover for rogue hacking. If it is not supervised, or at least collaborative, it is not research.

William Hugh Murray

Internet Storm Center Tech Corner