SANS NewsBites

Russian Man Arrested for Scheme to Infect Tesla Factory with Malware; DDOS on New Zealand Stock Exchange; Cyberespionage Campaign Exploits Autodesk

August 28, 2020  |  Volume XXII - Issue #68

Top of the News


2020-08-28

Russian Man Arrested in Connection with Scheme to Infect Tesla Factory Network with Malware

US law enforcement authorities have arrested and charged a Russian man for allegedly offering $1 million to an employee at Tesla's Sparks, Nevada factory in return for infecting the company's network with malware. The employee contacted the FBI. Egor Igorevich Kriuchkov was arrested earlier this week and charged with one count of conspiring to intentionally cause harm to a protected computer.

Editor's Note

The goal was to exfiltrate data from Tesla and threaten to release the data unless a $4 million ransom was paid. In this case, the employee reached out to the FBI after the first contact in 2016 and was able to work with them to record subsequent meetings, including negotiating the payment from $500,000 to $1 million. Make sure that your employees know what to do in a similar situation. Pre-establishing points of contact with local law enforcement facilitates the communication when an actual incident occurs.

Lee Neely

This news item is meaningful at several levels. First is to lead to increasing the likelihood that an employee approached in the same way would respond in the right way. Also, while Tesla was a high visibility target, sophisticated ransomware attacks are not just going after the Teslas of the world any more than car thieves are only stealing Teslas. You can do an internet search on your industry and ransomware and find lists of examples to show management.

John Pescatore

2020-08-28

New Zealand Stock Exchange Struck by DDoS Attack

The New Zealand stock exchange (NZX) has temporarily halted trading as it deals with the effects of a distributed denial-of-service (DDoS) attack that hit its network on Tuesday, August 25. The attack is likely the work of a group that has been launching DDoS attacks against other high-profile financial service organizations, including MoneyGram, Worldpay, Venmo, and PayPal. The group demands a ransom to be paid in bitcoin to stop the attacks.

Editor's Note

The exchange was hit by this attack for four days running, including today, and is faced with the choice of paying the ransom or continuing to implement sufficient DDoS protections. Unlike 25 years ago, disconnecting the Internet is no longer a viable option for most businesses. Assess and test your DDoS protections. Verify your outsourced and cloud services are also adequately protected. Verify your plan of action in the event the protections fail.

Lee Neely

2020-08-26

Autodesk Vulnerability Exploited in Cyberespionage Campaign

Hackers launched a cyberespionage campaign against an international architecture and video production firm through a vulnerability in Autodesk 3D computer graphics software. The hackers managed to get someone at the company to download a malicious Autodesk plugin.

The Rest of the Week's News


2020-08-26

Fix Available for Pulse Secure VPN Vulnerability

A code execution vulnerability in Pulse Secure VPN could be exploited to take control of networks. While the exploit requires that the attacker have admin privileges, this can be accomplished by tricking a user with those privileges into clicking on a malicious link. Users are urged to update to version 9.1R8 of Pulse Connect Secure and Pulse Policy Secure.


2020-08-26

Medical Data Leaked on GitHub

Medical data belonging to as many as 200,000 people were exposed on GitHub. The information from clinics, hospitals, billing services, and other healthcare-related organizations was not leaked by hackers but was insufficiently protected due to faulty access control configuration and hardcoded credentials.


2020-08-27

Qbot Trojan Now Hijacking eMail Threads

A new variant of the Qbot Trojan is hijacking email threads, according to a report from Check Point. Qbot, which is also called Qakbot and Pinkslipbot, has been in use since at least 2008. It is also capable of stealing information, installing additional malware, and conducting fraudulent bank transactions.


2020-08-25

Microsoft Azure Sphere Bugs Patched

Researchers at Cisco Talos found four vulnerabilities in Microsoft's Azure Sphere: two of the flaws could lead to unsigned code execution, and two could be exploited to gain elevated privileges. Microsoft has released Azure Sphere 20.08, which addresses these vulnerabilities.


2020-08-25

Google Patches Flaw in Chrome Browser

Google has fixed a high-severity use-after-free vulnerability in its Chrome browser. The flaw exists because Chrome's Web Graphics Library (WebGL) component does not properly handle objects in memory. The vulnerability could be exploited to execute arbitrary code. The issue is fixed in Chrome 85, which has been released to the stable channel for Windows, Mac, and Linux.

Editor's Note

The use-after-free read vulnerability has been verified in Chrome 81.0.4044.138 (Stable), 84.0.4136.5 (Dev) and 84.0.4143.7 (Canary). Additionally, the Chrome 85 update includes a number of other fixes, including a fix for CVE-2020-6558: Insufficient Policy Enforcement on iOS, which is also a high-severity vulnerability. Chrome 85 is now available for Mac, Windows, Linux and iOS systems. The Mac and Windows versions include the new Profile Guided Optimization, which speeds page loads by about 10% by prioritizing the most common tasks.

Lee Neely

2020-08-26

US Government Agencies Warn of North Korean Hackers Targeting ATMs

The US Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury, the FBI, and US Cyber Command have issued a joint technical alert regarding an automated teller machine (ATM) cash-out scheme that is being conducted by actors working on behalf of the North Korean government. According to the alert, the group has been stealing large sums of money through the cash-out schemes and fraudulent international funds transfers.

Editor's Note

The CISA FASTCash alert diagrams the process used to obtain funds. The process starts with phishing, which results in loading a malicious application which installs a DLL which is used to hook API calls and send modified send and pay messages, which effectively allow an attacker to withdraw more funds than are available through an ATM. Mitigation requires user awareness, such as monthly phishing campaigns. Provide users with a mechanism that not only makes it simple to report, such as an Outlook plugin, but also respond to the reports rapidly, particularly acknowledging legitimate reports, to support and motivate use.

Lee Neely

2020-08-24

DARPA's Hardened Hardware Standing Up to Bug Bounty Program

The US Defense Advanced Research Projects Agency's (DARPA) bug bounty program, Find Exploits to Thwart Tampering (FETT), began in July and runs through September. The program is designed to find bugs in DARPA's System Security Integrated Through Hardware and Firmware (SSITH) program. To date, no bugs have been found.

Editor's Note

As we have learned from various hardware-based protections built into CPUs, it usually takes longer to find weaknesses, but it is good to see this lack of immediate success. Probably more importantly, quite often operational realities rarely support running the hardware-based protections at the most stringent levels. The good news here is that improvements in hardware-based security can definitely raise the bar on some forms of attack, but they don't change the need for basic security hygiene levels of protection.

John Pescatore

The issue is not whether or not one can build a tamper resistant system by integrating hardware and software. IBM did that with what is now the iSeries decades ago. Apple has done pretty well with iOS. The issue is to build one that is convenient to use, will run legacy applications, is user programmable, and is sufficiently general and flexible to be attractive to the market. Note that both IBM and Apple started from "tamper resistant" but then, for the market, layered on pseudo generality and flexibility.

William Hugh Murray

Internet Storm Center Tech Corner

Keep an Eye on LOLBins

https://isc.sans.edu/forums/diary/Keep+An+Eye+on+LOLBins/26502/


Malicious Excel Sheet with a NULL VT Score

https://isc.sans.edu/forums/diary/Malicious+Excel+Sheet+with+a+NULL+VT+Score/26506/


A Reminder about Security.txt

https://isc.sans.edu/forums/diary/Securitytxt+one+small+file+for+an+admin+one+giant+help+to+a+security+researcher/26510/


Malicious iOS Adnetwork SDK

https://snyk.io/research/sour-mint-malicious-sdk/


Apache Update

https://httpd.apache.org/security/vulnerabilities_24.html


DNS Queries to Root Name Servers

https://blog.apnic.net/2020/08/21/chromiums-impact-on-root-dns-traffic/

https://www.zdnet.com/article/chromium-dns-hijacking-detection-accused-of-being-around-half-of-all-root-queries/


Google Chrome User-Agent Client Hints

https://web.dev/user-agent-client-hints/


APT Attack Uses Autodesk Plugin (PDF)

https://www.bitdefender.com/files/News/CaseStudies/study/365/Bitdefender-PR-Whitepaper-APTHackers-creat4740-en-EN-GenericUse.pdf


Firefox Update

https://www.mozilla.org/en-US/security/advisories/mfsa2020-36/


Arrest in Insider Attack (download)

https://www.justice.gov/opa/press-release/file/1308766/download


Microsoft Extends Windows 10 1803 Deadline

https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet


LemonDuck Adding New Tricks

https://news.sophos.com/en-us/2020/08/25/lemon_duck-cryptominer-targets-cloud-apps-linux/