SANS NewsBites

Eye-Opening Anatomy of US Federal Hacking Incident Plus Growing Cyber Law Enforcement Efforts

September 25, 2020  |  Volume XXII - Issue #76

Top of the News


2020-09-24

CISA: Federal Agency Hacked, Data Exfiltrated

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis report detailing a cyberattack against a federal agency's enterprise network. The threat actor gained access to the unnamed agency's system and exfiltrated data. The report provides information about the methods used to gain access to the network. The breach was detected through EINSTEIN, CISA's intrusion detection system. The threat actor was able to gain persistent network access through reverse Socket Secure (SOCKS) proxies.

Editor's Note

This is the first time I've seen DHS/CISA put out a detailed public report on how an attack against a government agency succeeded. This one starts off with a litany of basic security hygiene failures: the attackers started out with admin credentials, admin accounts didn't seem to require 2FA for remote access, if a firewall was in place it seemed to have used allow-everything-not-explicitly-denied policies, VPN patches were not applied, etc. The details on the steps the attackers took show a number of "Living off the Land" techniques that Ed Skoudis detailed in his SANS "Most Dangerous New Attacks" keynote panel talk at this year's RSA.

John Pescatore

This is an excellent write-up of how the system was compromised and how the attacker adjusted to available resources to continue to penetrate and exploit the system. This also reinforces the need for 2FA on internet accessible services, especially email and remote access (e.g. VPN). Take a look at your network and make sure that not only strong authentication is required, but also patches are applied.

Lee Neely

2020-09-22

Operation DisrupTor Nets 179 Arrests

Authorities in six countries have arrested a total of 179 people in connection with Dark Web activity. The enforcement effort, known as Operation DisrupTor, also seized 500 kilograms of drugs and confiscated $6.5 million in cash and cryptocurrency. Suspects were arrested in the US, Germany, the Netherlands, the UK, Austria, and Sweden.

Editor's Note

Authorities are getting better at these actions, and while the Dark Web will bounce back, the intervals between enforcement activities will continue to shrink.

Lee Neely

2020-09-24

Polish Hacker Gang Shut Down

Authorities in Poland have shut down a hacking group that has allegedly been involved in a variety of cybercrimes. Four people have been arrested and another four are under investigation. The group's alleged activities include spreading ransomware and other malware, SIM swapping, and bank fraud.


2020-09-22

Contractor Sentenced for Using Employer's Systems to Mine Cryptocurrency

A man in Australia has been sentenced for using his former employer's systems to mine cryptocurrency. The man worked as an IT contractor at Australia's Commonwealth Scientific and Industrial Research Organisation (CSIRO). His responsibilities included data archiving and software support. The man altered data to use the computers to mine AU$9,400 (US$6,800) in cryptocurrency, while costing the company AU$76,000 (US$55,000) in computing time. The unnamed man received a 15-month non-custodial sentence.

Editor's Note

It is essential that employees not be granted any privilege that cannot be withdrawn upon termination. Consider hardware token based strong authentication everywhere.

William Hugh Murray

The Rest of the Week's News


2020-09-24

Cisco Patches Vulnerabilities in IOS XE

On Thursday, September 24, Cisco released fixes for numerous security issues affecting Cisco IOS XE software. The vulnerabilities addressed could be exploited to cause denial-of-service conditions, overwrite files, and launch input validation attacks.


2020-09-23

British Pilots Not Satisfied with Proposed MCAS Software Fixes for Boeing 737 Max

The British Airline Pilots' Association (BALPA) says it is not satisfied with proposed fixes to Boeing Manoeuvring Characteristics Augmentation System (MCAS) software for the 737 Max aircraft. BALPA detailed the issue in public comments submitted to a US Federal Aviation Administration (FAA) notice of proposed rulemaking (NPRM). The NPRM proposes fixes and procedures for pilots to follow if a problem arises. BALPA warned that a proposed workaround for an MCAS failure could lead to a crash.

Editor's Note

The objections are around the viability of the manual-override scenarios. One example is that the override of the automatic trim system requires both pilots to adjust their trim wheels in unison. When designing procedures to circumvent faulty or failed automation in OT systems, one should consider both the practicality and safety of the work-around.

Lee Neely

2020-09-23

Microsoft: ZeroLogon is Being Actively Exploited; Patch Now

Microsoft is urging users to patch vulnerable systems against the ZeroLogon flaw, which is being actively exploited. The vulnerability lies in Microsoft's Netlogon protocol. It can be exploited to bypass authentication measures and obtain domain-level admin access in networks. Last week, CISA issued an Emergency Directive instructing agencies to apply the patch by midnight on Monday, September 21.

Editor's Note

The patch was released in August. The time for regression testing is over; apply the patch NOW - then focus on identifying systems and services not using secure-RPC to bind to AD and fix them before February 9th, when your DCs will be in enforcement mode, regardless of the registry key setting. Look for event IDs 5827, 5828 and 5829 which indicate unsecure connections.

Lee Neely
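
The event IDs cited in the note above can be turned into a worklist of accounts that still bind to Active Directory over the vulnerable Netlogon channel. The PowerShell below is an added example, not code from the newsletter, its editors or Microsoft. It assumes, as Microsoft's guidance for the CVE-2020-1472 updates documents, that a domain controller writes these events to the System log under IDs 5827, 5828 and 5829, and it assumes (an assumption of this example, not a documented contract) that the event message carries a "Machine SamAccountName:" or "Trust SamAccountName:" line naming the caller; where that line is absent it reports the first line of the message instead. The function name Get-NetlogonInsecureChannelReport is invented for this example.

```powershell
# Added example (not the newsletter's or Microsoft's code): summarise Netlogon
# events 5827/5828/5829 on a domain controller into a per-account worklist.
# Run in an elevated session on each DC, or pass -ComputerName to query a DC remotely.

function Get-NetlogonInsecureChannelReport {
    [CmdletBinding()]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Days = 7
    )

    # Meaning of each ID (5829 is the one to act on before enforcement mode)
    $status = @{
        5827 = 'Machine account DENIED (enforcement in effect)'
        5828 = 'Trust account DENIED (enforcement in effect)'
        5829 = 'Vulnerable connection ALLOWED - fix this account before enforcement'
    }

    # Assumption: events live in the System log (as documented for the CVE-2020-1472 updates)
    $filter = @{
        LogName   = 'System'
        Id        = 5827, 5828, 5829
        StartTime = (Get-Date).AddDays(-$Days)
    }

    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    if (-not $events) {
        Write-Verbose "No Netlogon 5827/5828/5829 events on $ComputerName in the last $Days days."
        return
    }

    $events | ForEach-Object {
        # Assumption of this example: the message names the caller on a "... SamAccountName:" line.
        # Fall back to the first message line if that label is not present.
        $account = if ($_.Message -match '(?:Machine|Trust) SamAccountName:\s*(\S+)') {
            $Matches[1]
        } else {
            ($_.Message -split "`r?`n")[0]
        }
        [pscustomobject]@{
            EventId = $_.Id
            Account = $account
            Time    = $_.TimeCreated
        }
    } |
    Group-Object EventId, Account |
    ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            DomainController = $ComputerName
            EventId          = $first.EventId
            Status           = $status[[int]$first.EventId]
            Account          = $first.Account
            Count            = $_.Count
            LastSeen         = ($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time
        }
    } | Sort-Object EventId, Count -Descending
}

# Usage: report for the DC you are logged on to, covering the last two weeks
Get-NetlogonInsecureChannelReport -Days 14 | Format-Table -AutoSize

# Usage across the domain (requires the ActiveDirectory module):
# Get-ADDomainController -Filter * |
#     ForEach-Object { Get-NetlogonInsecureChannelReport -ComputerName $_.HostName -Days 14 } |
#     Format-Table -AutoSize
```

Each row names one account (machine or trust) that a DC saw using the insecure channel, how often, and when it was last seen; 5829 rows are the hosts to patch or reconfigure before enforcement mode turns those allowed connections into 5827/5828 denials.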

2020-09-21

Microsoft Updates Security Update Guide

Microsoft has updated its Security Update Guide, which contains information about all of the security updates Microsoft releases. Microsoft says that the "new version will provide a more intuitive user experience to help protect our customers regardless of what Microsoft products or services they use in their environment." It is now easier to generate a list of all CVEs from Patch Tuesday, and the display can be personalized.

Editor's Note

It is now simpler to enumerate the issues resolved as well as track their corresponding release notes and KB articles, which should make analysis and research faster and easier. Given the size and complexity of current updates, this simplification is needed.

Lee Neely

2020-09-22

Ransomware: US School Districts Targeted

Networks belonging to at least 16 school districts in the US have been hit with ransomware in the past few months. In some of the districts, the attacks pushed back the first day of school; in others, classes were cancelled for a day or more. Having a functioning IT system is especially crucial to school districts as so many are holding classes remotely.

2020-09-23

Ransomware: Tyler Technologies

Systems at Tyler Technologies, a company that provides software and IT services to state and local governments across the US, have been hit with what appears to be a ransomware attack. The company has not specified the nature of the attack, but the details that have emerged are consistent with a system beset with ransomware. In an email to clients, Tyler's CIO wrote that after discovering "that an unauthorized intruder had disrupted access to some of our internal systems, ...out of an abundance of caution, we shut down points of access to external systems and immediately began investigating and remediating the problem."

Editor's Note

Some Tyler customers have severed connections to services provided by Tyler to mitigate risks of malware being introduced to their systems, which is a fairly standard protection measure. Ransomware attacks and activities continue to be active and aggressive. Many attacks now start with data exfiltration, so triggering on unexpected data transfers may be a good canary in the coal mine. With more remote users than ever, regular UAT is needed to keep users sharp and on the lookout for possible problems. In a recent German study, the research team found that while the participants were able to correctly identify phishing emails even after four months following the initial training, this was not the case after six months and beyond, with a new training being recommended.

Lee Neely

2020-09-24

Texas County eMail Hacked

The Hamilton County (Texas) email system suffered a malware attack. Individuals who emailed the county clerk received maliciously crafted replies that included an attached file and a password to open the file. The attachments contained malware. The county had not implemented two-factor authentication (2FA) or DMARC for its email system.

Internet Storm Center Tech Corner

Dynamic Malicious Word Document

https://isc.sans.edu/forums/diary/Malicious+Word+Document+with+Dynamic+Content/26590/


Party in Ibiza with PowerShell

https://isc.sans.edu/forums/diary/Party+in+Ibiza+with+PowerShell/26594/


Citrix ADC Updates

https://support.citrix.com/article/CTX281474


Firefox Version 81 Released

https://www.mozilla.org/en-US/firefox/81.0/releasenotes/


Simple Scan Drops Ransomware Risk

https://www.accesswire.com/607018/Corvus-Updates-Scan-Technology-with-RDP-Detection-Slashes-Ransomware-Claims-by-65


Old Versions of SAMBA Affected by ZeroLogon Vulnerability

https://www.samba.org/samba/security/CVE-2020-1472.html


iOS 14 Jailbreak

https://checkra.in/news/2020/09/iOS-14-announcement


Google Chrome Update

https://chromereleases.googleblog.com/2020/09/stable-channel-update-for-desktop_21.html


QNAP Devices Hit by AgeLocker Ransomware

https://www.bleepingcomputer.com/news/security/agelocker-ransomware-targets-qnap-nas-devices-steals-data/


Microsoft Tracking Zerologon Exploits

https://twitter.com/MsftSecIntel/status/1308941504707063808


Apple Patches

https://support.apple.com/en-us/HT201222


Instagram for Android Vulnerability

https://blog.checkpoint.com/2020/09/24/instahack-how-researchers-were-able-to-take-over-the-instagram-app-using-a-malicious-image/