SANS NewsBites

Brampton, Ontario First "Cyber Talent" City; Ransomware Hits Maryland Health and Argentine ISP; WordPress XSS Flaw

July 21, 2020  |  Volume XXII - Issue #57

Top of the News


2020-07-20

Brampton, Ontario Becomes The First "Cyber Talent" City (July 20, 2020)

Five hundred Brampton, Ontario, students are getting a head start on preparing for computer science and cybersecurity careers during COVID-19 through the Catalyst Cyber Camp, a public-private partnership of Rogers Communications, the City of Brampton, Ryerson, and Cybersecure Catalyst. This first-of-its-kind camp provides free, online programming to youth ages 13-18 in Brampton, Ontario, through the city and its community partners. Campers engage in up to 400 hours of cutting-edge games, activities, and puzzles of increasing complexity while learning how to solve security challenges, write computer programs, and find flaws in web sites. The students compete to collect points along the way and win prizes. Top performers will be recognized by city and business leaders for their success in the camp and learning new skills.


2020-07-20

Netwalker Ransomware Hits Maryland Health Services Organization

The computer network at Lorien Health Services, an eldercare and nursing services organization in Maryland, was hit with Netwalker ransomware in June. The attackers stole and encrypted data. Lorien did not pay the ransom, and the malware's operators began posting the stolen data online. The compromised information includes names, Social Security numbers, and medical diagnoses and treatments. The incident affects close to 50,000 people.


2020-07-20

Sodinokibi Ransomware Operators Demand $7.5M from Argentinian ISP

Internet service provider Telecom Argentina's internal network was hit with Sodinokibi (REvil) ransomware on Saturday, July 18. The operators are demanding a payment of $7.5 million. The ransomware affected more than 18,000 workstations. The attack did not affect Internet connectivity, telephony, or cable, but some company websites have been unavailable since Saturday. Telecom Argentina has not issued a statement; employees have been sharing information about the incident on social media.


2020-07-17

WordPress All in One SEO Plugin Updated to Fix XSS Flaw

A cross-site scripting vulnerability in the All in One SEO Pack WordPress plugin could be exploited to hijack websites. The plugin has been installed more than two million times. The developers have fixed the problem in All in One SEO Pack version 3.6.2.

Editor's Note

If you are relying on a WordPress application firewall, make sure it has the signature for exploiting this weakness. Don't forget to update the plugin. The core issue was a lack of input sanitization, which permitted injection of HTML.

Lee Neely

Web (and other) developers are responsible not only for the quality of all code that they write, but also for the quality of all code that they incorporate from other sources. This has proven to be particularly problematic for web site developers who use WordPress plugins.

William Hugh Murray

The Rest of the Week's News


2020-07-18

More Twitter Hack Details

Twitter has released more information about a hack that took over high profile accounts to use in a cryptocurrency scam. After the hackers managed to gain access to Twitter's internal system, they used Twitter's tech support tools to target 130 accounts. They changed passwords of 45 accounts and downloaded data from eight accounts.

Editor's Note

This is a good news hook to launch one or more tabletop exercises in your organization: (1) For CXO/Board: How would we handle our corporate Twitter (or Instagram or Facebook etc.) account being compromised through site compromise or our own compromise; and (2) How could someone compromise our high privilege system administrators and how quickly would we know and deal with it?

John Pescatore

Multi-factor authentication, particularly for privileged users, is no longer optional. Historically, system administrators didn't embrace the same level of security as was required for end-users. With the current environment, including internet-facing services, this introduces an unacceptable level of risk. The culture change has to be led from the top.

Lee Neely

2020-07-18

Emotet Botnet is Back

The Emotet botnet, which has been dormant since early February 2020, has re-emerged. On Friday, the botnet became active again, sending spam in an attempt to infect new users with the malware using malicious Word and Excel documents.


2020-07-17

Many F5 BIG-IP Network Devices Still Not Patched

Thousands of F5 BIG-IP network devices remain unpatched against a critical vulnerability that is being actively exploited. F5 released fixes late last month. In a July 3 tweet, US Cyber Command urged users to apply the fixes as soon as possible. Proof-of-concept exploits started appearing on July 5. Researchers say that as of July 15, there were roughly 8,000 installations that had not been updated.

Editor's Note

While a certain amount of caution is appropriate with changes to application entry points, these vulnerabilities are significant enough to warrant fast-tracking the process, particularly with internet-facing services.

Lee Neely

Lack of critical patches on perimeter infrastructure software and appliances has been a steady drip, drip, drip of high risk over the past few months. Risk-based vulnerability prioritization should be pushing these to the top of the IT/network ops work queue.

John Pescatore

2020-07-17

Magento Introducing Two-Factor Authentication Across its Platform

The Magento ecommerce platform has begun offering two-factor authentication. Adobe says that it is "supporting (and in some cases requiring) two-factor authentication (2FA) across multiple areas of the Magento ecosystem:" Magento.com accounts, Cloud Admin, and Magento Admin. 2FA is now an option for Magento.com accounts and will be an option for Cloud Admin with the release of Magento 2.4. In both instances, users must enable the feature as it will not be enabled by default. 2FA will be enabled by default in Magento Admin starting in version 2.4; it cannot be disabled.

Editor's Note

One should not say "2FA" (two factor authentication) when one means "strong authentication," defined as "at least two forms of evidence, at least one of which is resistant to replay."

William Hugh Murray

2020-07-20

UK's COVID-19 Test and Trace Program Did Not Complete Required Privacy Assessment Prior to Launch

The UK's Department of Health has admitted that it launched its COVID-19 test and tracing effort without conducting a Data Protection Impact Assessment (DPIA) as required by the General Data Protection Regulation (GDPR). The Open Rights Group, a digital rights organization, says that the acknowledgment means the program "has been operating unlawfully since its launch on 28th May 2020." The organization that runs the test and trace program says it is working to complete the DPIA.

Editor's Note

Rushing out the system and doing the paperwork later doesn't work without documented support from those who authorize and regulate your system. Even when you pick this path, you're going to need a minimum level of security and risk mitigation coupled with a clear, documented plan with milestones and delivery dates or you'll run afoul of the consequences relating to non-compliance.

Lee Neely

2020-07-20

Cloudflare DNS Failure Caused Problems Last Week

Cloudflare says that a network outage on Friday, July 17 was caused by an error in a router configuration update. When the problematic update was applied, "a router on [Cloudflare's] global backbone announced bad routes and caused some portions of the network to not be available." The outage lasted less than half an hour and affected only certain geographic areas.

Editor's Note

This is an internet "choke point" that is easily overlooked. Cloudflare handles a large percentage of DNS traffic internet-wide, and also acts as the end point for many HTTP connections. Between the three large cloud providers, and a few load balancing/filtering services, the Internet of today is a lot more concentrated and vulnerable than it should be. A next, worse, outage could be caused by cross-dependencies between these remaining hosting providers.

Johannes Ullrich

From the school of good intentions, the change was intended to alleviate congestion, but instead routed all their traffic to Atlanta, effectively DoSing the router. Cloudflare has changed its BGP preferences and prefix limits to prevent recurrence. Even so, having a second set of eyes to review a change like this can help locate errors before they go live.

Lee Neely

2020-07-20

Cyberattacks Targeted Two Israeli Water Management Facilities in June

Israel's Water Authority said that two more of its water management facilities were targeted by cyberattacks in June. Another attack targeting Israeli water treatment systems was reported in April. The Israel National Cyber-Directorate has issued an alert urging water treatment facilities to change passwords for Internet-connected equipment, and recommending that they take systems offline if they cannot change passwords.

Editor's Note

Strong authentication, not "passwords," is essential for infrastructure controls that are connected to the public networks.

William Hugh Murray

2021-01-29

Hacking Suspect Extradited to US from Cyprus

A 21-year-old individual from Cyprus has been extradited to the US to face charges of conspiracy to commit wire fraud, wire fraud, conspiracy to commit computer fraud and identity theft, and extortion related to a protected computer. Joshua Polloso Epifaniou allegedly hacked into websites, stole data, and threatened to leak the data if he did not receive payment. His arraignment was scheduled for Monday, July 20, 2020.


2020-07-20

Microsoft Sets TLS Deprecation Date for Office 365

Microsoft will no longer support Transport Layer Security (TLS) 1.0 and 1.1 in Office 365 after October 15, 2020. Microsoft initially intended to make the change sooner but pushed back the cutoff date due to COVID-19.

Editor's Note

This change was initially scheduled for June. With the current work environment, it likely fell off your IT radar. Pay attention to legacy operating systems and browsers that don't support TLS 1.2. If they can't support TLS 1.2, using them to access Internet sites, including O365, may be inappropriate. If these systems are being used to augment work-from-home capabilities, start planning for upgrades now before their access is cut off.

Lee Neely

Internet Storm Center Tech Corner

#SigRed Update

https://isc.sans.edu/forums/diary/Hunting+for+SigRed+Exploitation/26362/


Cloudflare Outage

https://blog.cloudflare.com/cloudflare-outage-on-july-17-2020/


Exploitation of ZeroShell Routers

https://isc.sans.edu/forums/diary/Scanning+Activity+for+ZeroShell+Unauthenticated+Access/26368/


Zone.Identifier: A Couple of Observations

https://isc.sans.edu/forums/diary/ZoneIdentifier+A+Coupe+Of+Observations/26366/


Forgotten tcpdump Options

https://showmethepackets.com/index.php/2020/07/18/a-few-forgotten-tcpdump-options/


Zoom Phishing

https://blog.checkpoint.com/2020/07/16/fixing-the-zoom-vanity-clause-check-point-and-zoom-collaborate-to-fix-vanity-url-issue/


Sextortion Follow the Money Wrap-up

https://isc.sans.edu/forums/diary/Sextortion+Update+The+Final+Final+Chapter/26334/


"BadPower" USB-C Charger Firmware Weakness

https://www.forbes.com/sites/zakdoffman/2020/07/20/hackers-can-now-trick-usb-chargers-to-destroy-your-devicesthis-is-how-it-works/


Microsoft Office TLS 1.x Phaseout

https://docs.microsoft.com/en-us/microsoft-365/compliance/prepare-tls-1.2-in-office-365?view=o365-worldwide