SANS NewsBites

More evidence cyber hygiene is failing during pandemic

September 15, 2020  |  Volume XXII - Issue #73

Top of the News


2020-09-14

2,000 eCommerce Sites Running Magento were Hacked Over the Weekend

Nearly 2,000 ecommerce sites running on the Magento platform were compromised over the weekend. The attackers installed malicious code to log payment card data. Most of the hacked sites were running Magento version 1, which is no longer supported. Magento 1.x reached EOL at the end of June 2020.

Editor's Note

With an increased reliance on on-line purchases, users also need to take precautions, such as enabling alerts, and possibly authorization, for card-not-present transactions; rather than depending on merchants keeping their systems patched.

Lee Neely

2020-09-12

Malvertising Sneaks Into Banner Ads on Adult Sites, Exploits Flaws in Flash and IE

Hackers have placed malicious banner ads on numerous adult websites. The ads redirect users to malicious sites that attempt to install malware through vulnerabilities in Adobe Flash and Internet Explorer.

Editor's Note

The current isolation and work from home activities have seen a spike in porn site use, which puts systems used for both personal and work purposes at higher risk for this attack. Providing users a secured virtual environment, rather than processing business data directly on their personal system, provides needed separations from compromise on these systems. Additionally, consider limiting or blocking the use of Internet Explorer and Adobe Flash accessing internet sites from corporate systems.

Lee Neely

2020-09-14

Update Available for WordPress Email Subscribers & Newsletters Plugin Flaw

Developers of the Email Subscribers & Newsletters plugin for WordPress have released an updated version to fix a spoofing vulnerability. The plugin has more than 100,000 active installations. Users are urged to upgrade to version 4.5.6.

The Rest of the Week's News


2020-09-15

USPS OIG: Vulnerable Apps Could Have Exposed Data

According to a July 27, 2020, memorandum from the US Postal Service (USPS) Office of Inspector General, USPS has been using six applications that contained known vulnerabilities and which remained unpatched for years. The flaws in the apps could have been exploited to gain access to sensitive data. USPS has since addressed the security issues.

Editor's Note

Application security testing, utilizing both dynamic and static analysis and resolution of discovered issues, has to be baked into the CI-CD pipeline. The auditor should not be the first one to analyze your code for defects. If you are running regulated systems, in this case FISMA, the NIST risk management framework allows for a lot of local control and attestation of adherence to required standards as dictated by the system accreditation letter. Even so, those choices require both monitoring and regularly verified, documented adherence to requirements to continue to use this lighter-weight ongoing authorization.

Lee Neely

The USPS IG audit appears to be the typical document review that found missing certification/accreditation documentation, vs. any active testing. That did find mention of the "... 12 vulnerabilities related to ***** labeled as catastrophic by the CISO" but assumes all the other apps that had C&A documentation did not have vulnerabilities. Last year SANS gave Interior a SANS Difference Makers Award to Jefferson Gilkeson, the Director of IT Audit at the Department for his implementation and championing of active testing by Inspectors General.

John Pescatore

John Pescatore is correct to point to the work of Interior's Jefferson Gilkeson and his staff as the model for effective recruiting, skills development, and technical auditing that can be trusted. Gilkeson identified the skills and methods that are needed by professionals on an effective cybersecurity audit team and has shared his findings with audit leaders throughout government.

Alan Paller

2020-09-14

Dept. of Veterans Affairs Breach Affects 46,000

A data breach affecting the US Department of Veterans Affairs (VA) Financial Service Center (FSC) compromised personal information belonging to 46,000 veterans. The malicious actors accessed an FSC application without authorization. FSC has taken the application offline.

Editor's Note

While the VA is offering credit monitoring to affected veterans, as well as guidance on how to protect their information, don't wait to find out if you're impacted. If you don't already have credit monitoring from the 2006 VA breach, now is the perfect time to get it.

Lee Neely

2020-09-14

Fairfax County, Virginia, School System Suffers Ransomware Attack

The Fairfax County (Virginia) Public Schools (FCPS) is investigating a ransomware attack on "some of [its] technology systems." While the attack did not disrupt the district's remote learning program, FCPS is working with federal authorities and "cybersecurity consultants to investigate the nature, scope and extent of any possible data compromise."

Editor's Note

School systems and municipalities continue to be targets of extortion attacks in part because they have access to the (taxpayers') funds to pay but lack the necessary scale, resources, and organization to resist the attacks.

William Hugh Murray

2020-09-11

Artech Information Systems Hit with Ransomware Last January

Artech Information Systems has disclosed that its systems were targeted in a ransomware attack in January 2020. While investigating reports of unusual activity on a user account, Artech discovered ransomware on several of its systems. The company brought in a third-party forensic investigation firm, which "determined that an unauthorized actor had access to certain Artech systems between January 5, 2020 and January 8, 2020." The compromised systems contained sensitive information, including health and financial data.

Editor's Note

If your incident response in itself causes a Denial-of-Service (in this case an "overreacting IP block") then you inadvertently help your attackers achieve their goals. Incident response plans and procedures should be regularly tested and simulated to ensure your processes to respond to an attack work as expected.

Brian Honan

2020-09-14

Tutanota's DDoS Defense Prevented Users From Accessing Accounts

Tutanota, a company that offers an encrypted email service, has apologized to its users for unintentionally shutting them out of their accounts while the company dealt with a distributed denial-of-service (DDoS) attack. Tutanota experienced DDoS attacks on at least five occasions in the past month.


2020-09-11

CISA and FBI Alert Warns of China's State-Sponsored Hackers

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint alert warning that cyber threat actors affiliated with China's Ministry of State Security (MSS) have been targeting US government agencies. According to the alert, the Chinese hackers are exploiting vulnerabilities in Microsoft Exchange Server, F5 Big-IP, Pulse Secure VPN, and Citrix VPN. Patches are available for the flaws.

Editor's Note

Keeping services such as these updated and secured has to be a basic part of your Cyber Hygiene. A bulletin such as this can be leveraged to start the conversation about overall protections, particularly on boundary control devices. Don't limit the conversation to only the services identified; be sure to examine your overall process.

Lee Neely

There is a common thread between this item and the item on Magento vulnerabilities being exploited - these are well-known vulnerabilities with existing patches or new versions. The "state-sponsored" in the headline is click-bait - the attacks are easily avoided by basic security hygiene. I'd like to see a follow-up article on what percentage of these attacks succeed.

John Pescatore

2020-09-14

IRS Seeks Technology to Help it Trace Cryptocurrency

The US Internal Revenue Service (IRS) is seeking proposals that will allow the agency to trace cryptocurrency transactions as part of its investigations into money laundering and other cybercrimes. The deadline for proposals is Wednesday, September 16.

Editor's Note

The good news is that the distributed ledger retains all the transaction data and the blockchain preserves and protects it. The bad news is that the amount of activity, some generated for this purpose, obscures the information. What is needed are tools and services to analyze the data so as to provide transparency and accountability. Some tools and services are already in use.

William Hugh Murray

2020-09-14

Researchers and Tech Companies Respond to Voatz's CFAA Supreme Court Amicus Brief

Nearly 70 individuals and organizations in the cybersecurity community have signed a letter criticizing the argument put forth in an amicus brief submitted to the US Supreme Court regarding a case that could have wide-reaching implications for security research. Voatz's brief argues that the Computer Fraud and Abuse Act (CFAA) should not protect security researchers who do not have explicit permission to examine code for vulnerabilities. The signatories say that "As representatives of the security community, including pioneers of coordinated vulnerability disclosure, bug bounties, and election security, it is our opinion that Voatz's brief to the Court fundamentally misrepresents widely accepted practices in security research and vulnerability disclosure, and that the broad interpretation of the CFAA threatens security research activities at a national level."


2020-09-14

FBI Warns Financial Institutions of Credential Stuffing Attacks

An FBI warning sent to US organizations in the financial sector warns of an increase in credential stuffing attacks targeting their institutions. Suggested mitigations include advising customers and employees to use unique passwords for accounts and to change Internet login page responses so that they do not indicate if just one component of the login is correct.
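The second FBI mitigation, login responses that do not reveal which half of a credential pair was wrong, is illustrated below with an added example (not from the FBI alert or any institution's code): a leaky handler beside a hardened one that returns one generic message and does the same password-hashing work whether or not the username exists. The user store and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample user store: username -> (salt, PBKDF2 hash). Not from the article.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash_password("correct horse battery staple", _SALT))}

# Dummy credential so a lookup for an unknown username still costs a full hash
# computation; otherwise response timing alone would reveal valid usernames.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password("dummy-placeholder", _DUMMY_SALT)

def login_leaky(username: str, password: str) -> str:
    """Weak: distinct messages let a credential-stuffing tool confirm which
    usernames exist before spending guesses on their passwords."""
    record = USERS.get(username)
    if record is None:
        return "Unknown user"
    salt, stored = record
    if hmac.compare_digest(_hash_password(password, salt), stored):
        return "OK"
    return "Wrong password"

def login_hardened(username: str, password: str) -> str:
    """Hardened: same message and same amount of work for unknown users,
    wrong passwords, and (except for success) everything else."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)
    # The membership check guards against a guess that happens to hit the dummy hash.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return "OK" if ok else "Invalid username or password"
```

Pair this with per-account and per-source rate limiting and, as the editors note, multi-factor authentication; a uniform response removes the enumeration signal but does not by itself stop automated guessing.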

Editor's Note

Multi-factor authentication is also a win here. Many financial institutions offer security questions as part of the authentication process; users have to be careful to choose questions and answers which cannot be readily derived via OSINT. Use of security questions or one-time-passwords in conjunction with a memorized secret (PIN or Passcode) reduces the likelihood of a successful attack. If your FI doesn't offer multi-factor authentication, ask them how they are protecting accounts from an attack like this before enabling on-line account access.

Lee Neely

Financial institutions should offer their customers Strong Authentication options and encourage their use. (Customers can use password managers and biometrics to reduce any inconvenience.)

William Hugh Murray

Internet Storm Center Tech Corner