SANS NewsBites

Ransomware IS the Story

October 6, 2020  |  Volume XXII - Issue #79

Top of the News


2020-10-05

Europol: Ransomware Attacks are Going Unreported

According to a report from Europol, many ransomware attacks are not reported to police. In some cases, organizations targeted by ransomware bring in "private sector security firms" to manage the response to the attack. The Internet Organised Crime Threat Assessment 2020 "provides a unique law enforcement focused assessment of emerging challenges and key developments in the area of cybercrime."

Editor's Note

However an enterprise elects to deal with a compromise resulting in extortion demands, and even though most will never be investigated by law enforcement, they should all be reported via the Internet Crime Complaint Center (IC3). This is about intelligence, not law enforcement. It is essential that we measure the threat rate, sources, and methods.

William Hugh Murray

2020-10-03

Ransomware Attack Affects Software Used in COVID Treatment Clinical Trials

A ransomware attack affecting eResearchTechnology (ERT) has impacted clinical trials of potential COVID treatments. ERT sells software that is used in clinical trials. The attack did not affect the patients participating in the trials, but organizations using the software were unable to access their digital data and resorted to recording information with pen and paper.

Editor's Note

COVID related activities remain a target of ransomware operators. With the intense pressure to deliver a cure, your support for your users to help them continue to make good choices is critical, both through training and technical countermeasures. Also watch for attempts to exfiltrate data, including IP related to the security measures being developed to counter the threat. Verify externally facing and collaboration services remain securely configured and monitor for unauthorized access.

Lee Neely

2020-10-03

NJ Hospital Paid Ransom to Stop More Data from Being Leaked

A hospital in New Jersey paid ransomware operators $670,000 to not publish data they had stolen during a ransomware attack that took place in early September. University Hospital New Jersey (UHNJ) in Newark, NJ, paid the demanded ransom after the ransomware actors published 48,000 documents they had stolen in September. The ransomware operators agreed to provide UHNJ with a decryption key, a security report, the stolen data, and a promise not to attack the hospital again.

Editor's Note

Note that the breach of this enterprise and the exfiltration of this data took time measured in days, not minutes or hours. Enterprises should have measures in place to detect breaches and remedy them in hours, not days.

William Hugh Murray

The Rest of the Week's News


2020-09-28

Microsoft Provides More Information About Last Week's Office 365 Outage

According to a preliminary report from Microsoft, last week's Office 365 outage was caused by an improperly deployed Azure Active Directory (AD) service update. The September 28 outage prevented users from accessing Microsoft apps and services for several hours.

Editor's Note

Most Azure services have an SLA of 99.9% availability but with many limitations, specific definitions, and other contractual language. Service levels that don't meet the terms enable your company to claim credits, but they generally don't happen automatically. Bottom line is that cloud SLAs do not really cover outage costs and continuity plans have to be in place (and periodically tested) for all critical cloud services.

John Pescatore

As John says, make sure you understand the SLA for your cloud and outsourced service providers. Monitor services to ensure the service levels are met and provide evidence for requesting credits or other compensation. Also keep an eye on costs associated with service monitoring to make sure they don't exceed actual returns.

Lee Neely

Changes to such systems should be applied at a measured rate and in such a way that they can be easily backed off if they cause a problem.

William Hugh Murray

2020-10-01

FBI: Chinese Hackers Targeting Users with US Government Security Clearances

The FBI is warning that hackers with ties to China's government are targeting individuals with US government security clearances through social media sites. The FBI's document includes a list of indicators that you are being targeted and suggested steps to take to protect yourself.

Editor's Note

Foreign agents targeting cleared individuals is nothing new; making the indicators and steps readily available is a nice assist from the FBI. They are valuable whether or not you have a security clearance. If you have a social media presence, as most of us do, reviewing account settings and ensuring you're only connecting with known or legitimate contacts needs to be SOP.

Lee Neely

2020-10-02

Telstra Apologizes for Inadvertent BGP Hijacking

Australian telecommunications company Telstra has apologized for a technical error that caused some traffic bound for the ProtonMail encrypted mail service to be diverted through Telstra's servers. The inadvertent Border Gateway Protocol (BGP) hijacking occurred when "a technical error early on Wednesday morning (AEST) [caused] approximately 500 IPv4 prefixes [to be] incorrectly advertised as Telstra's." Once Telstra realized what was happening, they fixed the problem.

Editor's Note

While movement to a standard like RPKI, which would cause changes to routing to be verified before problems arise, is needed, according to the NIST RPKI monitor only about 23% of unique IPv4 Prefix/Origin pairs are using it. https://rpki-monitor.antd.nist.gov/

Lee Neely
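The verification step the editor's note refers to is RPKI route origin validation (RFC 6811): a router compares each received BGP announcement against the set of Route Origin Authorizations (ROAs) and marks it Valid, Invalid, or NotFound. The following is an added example, not code from the newsletter or from Telstra, ProtonMail or NIST, that implements that comparison in plain Python; the ROA table, the prefixes (from the RFC 5737 documentation ranges) and the AS numbers (from the RFC 5398 documentation range) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class Roa:
    """One Route Origin Authorization as published in an RPKI repository."""
    prefix: str       # address block the holder has authorized, e.g. "203.0.113.0/24"
    max_length: int   # longest (most specific) prefix length the origin may announce
    origin_asn: int   # the AS number authorized to originate it

def validate_origin(announced_prefix: str, origin_asn: int, roas) -> str:
    """RFC 6811 route origin validation.

    Returns "valid", "invalid" or "not-found" for a single BGP announcement.
    """
    net = ipaddress.ip_network(announced_prefix, strict=False)

    # A ROA "covers" the announcement when the announced prefix lies inside
    # the ROA prefix (same address family, equal or longer prefix length).
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)

    # No ROA says anything about this address space: the holder has not
    # signed anything, so the announcement is neither proven nor disproven.
    if not covering:
        return "not-found"

    # Valid if at least one covering ROA names this origin AS and permits a
    # prefix this specific; otherwise the announcement contradicts the ROAs.
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"

def classify_table(announcements, roas) -> dict:
    """Validate every (prefix, origin ASN) pair and return counts per state."""
    return dict(Counter(validate_origin(p, asn, roas) for p, asn in announcements))

# Constructed ROA set: AS64496 holds 203.0.113.0/24 and may not deaggregate it.
SAMPLE_ROAS = [
    Roa("203.0.113.0/24", 24, 64496),
]

# Constructed announcements modelling what a route collector might see during
# a mis-origination: the legitimate origin, a foreign AS announcing the same
# block, an over-specific announcement, and a block with no ROA at all.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64496),   # legitimate origin           -> valid
    ("203.0.113.0/24", 64511),   # another AS claims the block -> invalid
    ("203.0.113.0/25", 64496),   # more specific than maxLength -> invalid
    ("198.51.100.0/24", 64496),  # no covering ROA             -> not-found
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        print(f"{prefix:<18} AS{asn}: {validate_origin(prefix, asn, SAMPLE_ROAS)}")
    print(classify_table(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS))
```

A router running ROV would typically reject or heavily depreference the two "invalid" announcements, which is what stops a mis-originated prefix from propagating; "not-found" is left alone, which is why coverage figures like the 23% quoted above matter. Origin validation only checks who originated a prefix, not the AS path, so it is a necessary rather than sufficient control.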

2020-10-04

Visa Security Alert: New Malware Samples Found in Point-of-Sale Terminal Compromises

According to a Security Alert from Visa, the company's Payment Fraud Department "analyzed malware samples recovered from the independent compromises of two North American merchants." The attackers targeted the point-of-sale (POS) systems of the two unnamed companies. The incidents occurred earlier this year; both victims are in the hospitality industry.

Editor's Note

Just as in last week's DHS/CISA alert about a compromised government agency, this Visa alert starts out with "Legitimate user accounts, including an administrator account, were compromised as part of this phishing attack and were used by the threat actors to login to the merchant's environment." Administrator accounts that don't require more than a reusable password are the gaping wound that is continually causing high rates of damage to entire businesses. And they are easily treatable.

John Pescatore

"Card-not-present" fraud will likely continue as long as the brands and issuers continue to publish Primary Account Numbers in the clear, merchants continue to accept them, and consumers tolerate these unsafe practices. With exceptions, the European Banking Authority is now requiring "multi-factor" authentication for "card-not-present" transactions. The preferred implementations for meeting this requirement use one-time passwords sent out-of-band (e.g., SMS, e-mail). Merchants should prefer check-out proxies like PayPal, Apple Pay, Click to Pay, and their competitors, and brands and issuers should encourage their use. Consumers should prefer merchants who provide access to these proxies and, in their absence, consider the use of one-time or one-merchant tokens from, for example, Privacy.com.

William Hugh Murray

2020-10-04

Ttint Botnet Exploits Unpatched Flaws in Tenda Routers

A pair of zero-day vulnerabilities in Tenda routers are being exploited to spread a variant of the Mirai Internet of Things (IoT) botnet called Ttint. Ttint is capable of launching distributed denial-of-service (DDoS) attacks as well as spreading remote access trojans (RATs) and spyware.


2020-10-05

WordPress: Vulnerabilities Fixed in Post Grid and Team Showcase Plugins

Developers of the Post Grid and Team Showcase WordPress plugins have released updated versions to address two high-severity security issues - a cross-site scripting flaw and a PHP object-injection issue - that affect both plugins. Users are urged to update to Post Grid version 2.0.73 and Team Showcase version 1.22.16.

Editor's Note

The developer was notified of the vulnerabilities on September 16th and released patches the next day. Free Wordfence users will have firewall rules to prevent exploitation on October 16th; don't wait to verify that you've already deployed the updates.

Lee Neely

"Cross-site scripting" describes an attack, not a "flaw." The vulnerability is "incomplete parameter checking" at the application layer. While complete parameter checking in the modern "stack" is difficult, it is easiest and necessary at the application layer. However, in this case, the problem is aggravated by the failure to limit and compensate for the use of WordPress plugins; one imports the vulnerability. These plugins come with no representations of quality and historically have been problematic. They should be used sparingly and the risk should be compensated for.

William Hugh Murray

2020-10-05

International Maritime Organization Hit by Cyberattack

The United Nations agency for regulating international shipping, the International Maritime Organization (IMO), experienced a cyberattack at the end of September. The agency's Global Integrated Shipping Information Systems (GISIS) database, document repository IMODOCS, and its Virtual Publications service were temporarily unavailable. According to an IMO statement, "The interruption of web-based services was caused by a sophisticated cyber-attack against the Organization's IT systems that overcame robust security measures in place."


2020-10-05

"Technical Issue" Delays Reporting of COVID Test Results in England

Public Health England (PHE) has acknowledged that a "technical issue" prevented nearly 16,000 cases of COVID from being reported between September 25 and October 2. PHE aggregates test result data from both public and private entities and publishes daily statistics. While the people who tested positive received their results in a timely manner, the error delayed contact-tracing efforts. PHE has not confirmed the source of the problem; reports in several news sources suggest that it was due to limits on the size of Excel files.

Editor's Note

The number of data elements required for COVID reporting, and the protection of that data, quickly exceeds what you can manage in Excel, which was likely selected as a fast path to capture and report data in the midst of a crisis. The hard part will be qualifying an application, verifying its security and moving reporting to APIs rather than uploaded Excel files, all without introducing further delays. While this is the same process we use to convert a manual process to an enterprise one, and the pandemic changes the priority, care must be taken to ensure the data is properly handled and recorded to prevent data loss, disclosure, or other legal entanglements.

Lee Neely

Internet Storm Center Tech Corner

Analysis of a Phishing Kit

https://isc.sans.edu/forums/diary/Analysis+of+a+Phishing+Kit/26634/


Hoaxcalls Botnet Scanning for Huawei Home Gateway

https://isc.sans.edu/forums/diary/Scanning+for+SOHO+Routers/26638/


Obfuscation and Repetition

https://isc.sans.edu/forums/diary/Obfuscation+and+Repetition/26648/


SQL Server Cumulative Update 8

https://support.microsoft.com/en-us/help/4577194/cumulative-update-8-for-sql-server-2019


Telstra Accidentally Reroutes Proton Mail Traffic

https://protonmail.com/blog/bgp-hijacking-september-2020/


"Raccine" Ransomware Vaccine

https://github.com/Neo23x0/Raccine


Compromised UEFI Payload Found

https://securelist.com/mosaicregressor/98849/


Privilege Escalation Flaw in All AntiVirus Products

https://www.cyberark.com/resources/threat-research-blog/anti-virus-vulnerabilities-who-s-guarding-the-watch-tower


Rapid7 SMTP "NICER" Report

https://blog.rapid7.com/2020/10/02/nicer-protocol-deep-dive-internet-exposure-of-smtp/