SANS NewsBites

NB: Microsoft: Russian Hackers are Targeting US Presidential Campaigns; Zoom Will Offer Two-Factor Authentication; Irish Data Protection Commission Will Order Facebook to Stop Sending EU User Data to US

September 11, 2020  |  Volume XXII - Issue #72

Top of the News


2020-09-10

Microsoft: Russian Hackers are Targeting US Presidential Campaigns

In a blog post, Microsoft writes that it "has detected cyberattacks targeting people and organizations involved in the upcoming presidential election." Microsoft has seen malicious activity from hacking groups operating from Russia, China, and Iran. The attacks are targeting "candidates and campaign staffers, but also those they consult on key issues."

Editor's Note

People on this target list had best be using strong authentication.

William Hugh Murray

2020-09-10

Zoom Will Offer Two-Factor Authentication to All Users

Zoom has announced plans to roll out two-factor authentication (2FA) to all users. There will be several 2FA options for users to choose from: authentication apps like Google Authenticator, Microsoft Authenticator, and FreeOTP, or a code from Zoom sent via SMS or a phone call.

Editor's Note

Rolling out 2FA has been announced by many other large players before but has never been followed by incenting/encouraging users to move away from re-usable passwords. Zoom's position in the current consumer and business online conferencing stampede could be a game changer if they take that second step.

John Pescatore

A welcome move from Zoom; should be replicated by all service providers.

Brian Honan

2020-09-10

Irish Data Protection Commission Will Order Facebook to Stop Sending EU User Data to US

Facebook has received a preliminary order to stop sending European Union (EU) user data to the US. Facebook has until mid-September to respond to the order from the Irish Data Protection Commission. The order grew out of a July 2020 ruling from the Court of Justice of the European Union (CJEU) that invalidated Privacy Shield, the current EU-US data transfer agreement, because the protections it offered against US surveillance laws were found to be inadequate to protect the rights of EU data subjects. The CJEU ruling left in place Standard Contractual Clauses (SCC), which provide for data transfers between EU and non-EU countries. The Irish Data Protection Commission believes that the SCC provisions are not sufficient and is therefore asking Facebook to stop data transfers. (Please note that the WSJ story is behind a paywall.)

Editor's Note

Facebook's CEO needs to learn from Bill Gates' 2002 "Security is Job 1" direction change at Microsoft, and more recently from Zoom CEO Eric Yuan's similar (but much faster!) epiphany and subsequent security focus in April of this year. The increasing demand for privacy and data rights is coming from consumers, not just regulatory bodies. Getting data protection and stronger user authentication built into products and services meets that demand while greatly raising the bar against attackers.

John Pescatore

This has major ramifications for all companies transferring personal data of EU data subjects to the US, and potentially for the transferring of personal data of EU data subjects to the United Kingdom in the event of a no deal Brexit. The core of the issue is that the EU does not believe that US privacy laws and mechanisms are robust enough to protect the privacy rights of EU data subjects against US surveillance laws and abuse of that personal data by US corporates. Privacy comes at a price which for too long has been borne by the individual. This move sends a clear message to governments and companies that they too have a responsibility to protect the privacy of individuals.

Brian Honan

The Rest of the Week's News


2020-09-10

School Openings Delayed Due to Ransomware and Other Digital Disruptions

School districts in Connecticut, North Carolina, Nevada, and other US states have been hit with ransomware, interrupting plans for both online and in-person classes. In some districts, online classes have been interrupted by Zoom-bombing and distributed denial-of-service (DDoS) attacks. Hartford (Connecticut) Public Schools, which are resuming both in-person and remote classes, postponed the first day of school after suffering a ransomware attack.


2020-09-08

Pakistani Power Company Hit with Ransomware

Systems at K-Electric, the company that provides electricity to Karachi, Pakistan, were infected with Netwalker ransomware. The attack disrupted billing and online services. The attack reportedly occurred on September 7.


2020-09-10

Equinix Internal Systems Hit with Ransomware

Data colocation center company Equinix has acknowledged that its internal systems were hit with ransomware. In a blog post, Equinix writes, "Note that as most customers operate their own equipment within Equinix data centers, this incident has had no impact on their operations or the data on their equipment at Equinix."

Editor's Note

It is prudent to include a scenario in your incident response and business continuity planning on how your organisation will react when one of your providers is impacted by ransomware.

Brian Honan

2020-09-10

Microsoft Patch Tuesday

Microsoft's monthly security update release for September includes fixes for 129 security issues. Twenty-three of the vulnerabilities are considered critical. One of the more worrisome flaws patched earlier this week is a memory corruption issue in Microsoft Exchange that could be exploited simply by sending a maliciously crafted email.

Editor's Note

This is the fourth month in a row where the number of security issues addressed by Microsoft has exceeded a hundred. This is more evidence, if any more was needed, that, while patching remains mandatory, it is a very expensive and tardy way to achieve quality. One cannot patch one's way to security. One must reduce one's attack surface. One place to start might be hiding operating systems from public, or even large enterprise, networks.

William Hugh Murray

2020-09-08

Adobe Patch Tuesday

On Tuesday, September 8, Adobe released fixes for vulnerabilities in Experience Manager, Framemaker, and InDesign. Nine of the 11 vulnerabilities fixed in Experience Manager could be exploited to execute arbitrary JavaScript in the browser. The two fixes for Framemaker could be exploited to allow arbitrary code execution, as could the five memory corruption flaws fixed in InDesign.


2020-09-09

CodeMeter Vulnerabilities

US-CERT has released an industrial control systems (ICS) advisory warning of multiple vulnerabilities affecting Wibu-Systems CodeMeter. The flaws could be exploited "to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data, and prevent normal operation of third-party software dependent on the CodeMeter."


2020-09-10

Bluetooth Vulnerability

A high-severity flaw in the pairing process for Bluetooth implementations 4.0 - 5.0 could be exploited to snoop on vulnerable devices. The flaw lies in Cross-Transport Key Derivation (CTKD), the pairing process used by implementations that support pairing and encryption over both Bluetooth BR/EDR and LE in Bluetooth Specifications 4.2 through 5.0; devices that use it are vulnerable to key overwrite. Attackers would need to be within wireless range of targeted devices.

Editor's Note

While Bluetooth vulnerabilities are interesting, even when not alarming, attacks against them do not scale well.

William Hugh Murray

Internet Storm Center Tech Corner

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+September+2020+Patch+Tuesday/26544/


Adobe Security Bulletins

https://helpx.adobe.com/security.html


Intel Patches

https://www.intel.com/content/www/us/en/security-center/default.html


MacOS 11 Network Traffic

https://isc.sans.edu/forums/diary/A+First+Look+at+macOS+11+Big+Sur+Network+Traffic+New+Now+with+more+GREASE/26548/


Recent Dridex Activity

https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/


Azure Offers Automatic Windows VM Patching

https://azure.microsoft.com/en-us/updates/automatic-vm-guest-patching-now-in-preview/


WeaveScope Used to Attack Docker Infrastructure

https://www.intezer.com/blog/cloud-workload-protection/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/


Zoom Bombings and Zoom 2FA

https://arxiv.org/abs/2009.03822

https://blog.zoom.us/secure-your-zoom-account-with-two-factor-authentication/


AMD Server CPUs May Be Locked to Particular Motherboard

https://www.servethehome.com/amd-psb-vendor-locks-epyc-cpus-for-enhanced-security-at-a-cost/


BLURtooth Vulnerability

https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/blurtooth/