SANS NewsBites

SANS Bachelors Degree; Election Security; Ransomware Closes Schools

October 9, 2020  |  Volume XXII - Issue #80

Top of the News


2020-10-08

SANS Bachelors Degree in Applied Cybersecurity

SANS Achieves Full College Status; Bachelors Degree in Applied Cybersecurity starts November 1. SANS (SANS.edu) is now licensed and accredited to grant bachelor's degrees. Students will learn from the extraordinary practitioner-scholars on the SANS faculty, earn 8 GIAC certifications, and complete an internship at the Internet Storm Center. Costs are low because students will complete general education and basic computer science courses at low-cost community colleges, then shift to SANS Technology Institute. The recent CISO at a Federal Reserve District who regularly sends his experienced professionals to SANS training described the impact: "Never before has it been such a safe bet to hire a graduate and expect them to make a meaningful contribution on day one." The first public information session is Thursday at noon Eastern. Register at https://register.gotowebinar.com/register/7453087257861416464

Editor's Note

I would have killed for an opportunity like this when I was in college. If you want to get a strong foundation for a career in Cybersecurity, this is an amazing curriculum. Also, the internship at the ISC provides experience responding to and analyzing incidents with extraordinary teammates.

Lee Neely

In a world of rapidly changing technology, it will be increasingly valuable to be able to demonstrate current skills. While a college education will continue to be valuable for living a life, certifications will be increasingly useful for making a living.

William Hugh Murray

2020-10-07

DHS Acting Secretary Speaks About Election Security

US Department of Homeland Security (DHS) Acting Secretary Chad Wolf told an audience at the Cybersecurity and Infrastructure Security Agency's (CISA) Cyber Summit 2020 that DHS has not identified any threats that would prevent Americans from voting, or that would change vote tallies. He also noted that final election tallies may not be available on election night. Ninety-two percent of jurisdictions are using voting systems with auditable paper trails.


2020-10-08

Ransomware Closes Schools in Massachusetts

Springfield (Massachusetts) Public Schools have been closed in the wake of a ransomware attack on its IT network. Students were told to shut down district-owned devices. The district has been teaching remotely since the start of the school year.


The Rest of the Week's News


2020-10-07

SEC Agrees to Settle Complaint Against Trader Who Used Stolen Data

The US Securities and Exchange Commission (SEC) has agreed to settle a complaint against Kyungja Cho, a trader who used information stolen in a hack of the SEC's EDGAR filing system to conduct lucrative transactions. Settlement agreements must be reviewed and approved by SEC Commissioners before they become binding.


2020-10-07

Wisepay Pulls Site Offline After Spoofing Attempt

Wisepay, a UK school payments company, took its website offline after it became aware that someone was attempting to spoof its card payment page. The website has been down for maintenance since Sunday, October 4; on Monday, the site displayed a "down for maintenance" message.

Editor's Note

The two reports give conflicting information: The Register piece says Wisepay "has pulled its website offline after spotting a miscreant trying to spoof its card payment page." Generally, if you discover someone spoofing your site, you work to have that site taken down; you don't take down your own legitimate site! The BBC piece is even more confusing, saying "Wisepay said a hack of its website meant an attacker was able to harvest payment details between 2 and 5 October via a spoof page. The hacker had managed to find a 'backdoor' into the system's database and had modified one page." That seems to imply more than discovery of a spoofed site. Web site essential security practices are well known. Dealing with spoofing sites usually needs to be part of a broader brand and fraud detection strategy with anti-phishing, strong email authentication, and the use of detection/take-down support services.

John Pescatore

2020-10-06

Kraken Fileless Malware Exploits Windows Error Reporting

A fileless attack method, dubbed Kraken, hides itself in the Microsoft Windows Error Reporting (WER) service to evade detection. The malware is spreading through a phishing campaign; the messages purport to be information about a workers' compensation claim.

Editor's Note

The phish uses an attached document relating to compensation applicability which includes a variant of the CactusTorch VBA macro module, which then loads a .Net compiled binary executed from vbscript. The code detects the use of a sandbox and uses a debugger to thwart analysis. The Malwarebytes writeup includes IOCs including URLs used.

Lee Neely

2020-10-06

UHS is Restoring Networks After Cyberattack

Universal Health Services is restoring services to facilities affected by a cyberattack that began on September 27. According to an October 5 statement from UHS, the UHS IT Network has been restored and applications are in the process of being reconnected.

Editor's Note

Contingency plans should include the ability to restore critical applications in hours, not days. Not all applications are "critical."

William Hugh Murray

2020-10-08

US Seizes Domains Associated with Disinformation Campaigns

The US Department of Justice (DoJ) has announced the takedown of 92 domains owned by Iran's Islamic Revolutionary Guard Corps (IRGC); several of the domains have been used to spread propaganda in the US. All 92 of the domains were being used in violation of sanctions against Iran and against the IRGC.

Editor's Note

We now live in a world where many governments, including our own, engage in active propaganda programs, some open, many covert. The Internet lowers the cost and improves the effectiveness. Social media often serves to amplify the messages and hide the source. While "takedowns" are useful, we all need to become more critical and skillful consumers of information. Indeed, in a world where all information is at our fingertips, critical thinking skills become the purpose and essence of education. See Carl Sagan's "BS" detector kit for useful tools.

William Hugh Murray

2020-10-05

Boom! Mobile Acknowledges Skimming

A page on the Boom! Mobile telecommunications company website has been infected with malware that steals payment card information and sends it to a server controlled by criminals. Boom! Mobile is urging customers who made purchases between September 30 and October 5, 2020, to take the necessary precautions with their credit card company. Boom!'s shopping cart provider said that the malware has been removed.

Editor's Note

This is another instance of threat actors leveraging web skimmers (aka "sniffers") to target card-not-present (CNP) data. Additionally, this is a reminder to keep all components updated. In this instance, the site was reportedly using PHP 5.6.40, a version that hasn't been supported since January 2019.

Lee Neely

The use of credit and debit card numbers in e-commerce remains risky. Merchants can protect themselves and their customers, and improve convenience and reduce abandoned transactions, by offering check-out proxies like PayPal, Apple Pay, Click to Pay, and their competitors. Consumers should prefer the use of such proxies for payments. On sites that do not offer access to proxies, consumers should consider the use of one-time or one-merchant tokens, available from such free services as Privacy.com.

William Hugh Murray

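The web-skimmer pattern in the Boom! Mobile item (an injected script on a payment page that exfiltrates card data) is something a site owner can watch for by keeping a known-good inventory of the scripts a checkout page loads and alerting on anything new. The following is an added example written for this newsletter summary; it is not Boom! Mobile's code, nor any vendor's tool. It assumes the defender has recorded, from a known-good copy of the page, the set of trusted external script hosts and the SHA-256 digests of each inline script; the sample page, host names and integrity value are constructed.

```python
"""Script-inventory audit for a payment page, to surface an injected (skimmer) script.
Constructed example: not Boom! Mobile's code or any vendor tool. Assumes a baseline of
trusted script hosts and inline-script SHA-256 digests captured when the page was
known-good; same-origin (relative) scripts are treated as trusted here."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collects <script src=...> URLs and the bodies of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.external = []      # (src, has_integrity_attribute)
        self.inline = []        # inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], "integrity" in a))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> contents as raw data, so collect it here
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def audit_checkout_page(html, trusted_hosts, baseline_inline_hashes):
    """Return findings for scripts that deviate from the known-good baseline."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src, has_sri in p.external:
        host = urlparse(src).netloc.lower()
        if host and host not in trusted_hosts:
            findings.append(f"untrusted external script host: {host} ({src})")
        elif host and not has_sri:
            findings.append(f"external script without Subresource Integrity: {src}")
    for body in p.inline:
        digest = hashlib.sha256(body.strip().encode()).hexdigest()
        if digest not in baseline_inline_hashes:
            findings.append(f"inline script not in baseline (sha256 {digest[:16]}...)")
    return findings


# Constructed known-good baseline: the one inline script that wires up the checkout form.
GOOD_INLINE = "document.getElementById('pay').addEventListener('submit', validate);"
BASELINE_HASHES = {hashlib.sha256(GOOD_INLINE.encode()).hexdigest()}
TRUSTED_HOSTS = {"cdn.example-shop.test", "js.example-psp.test"}

# Constructed page after tampering: one extra script tag from a host not in the baseline.
# The integrity value is a placeholder, not a real digest.
SAMPLE_PAGE = f"""
<html><body>
<form id="pay">...</form>
<script src="https://cdn.example-shop.test/checkout.js" integrity="sha384-PLACEHOLDER"></script>
<script>{GOOD_INLINE}</script>
<script src="https://static.example-cdn.test/loader.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_PAGE, TRUSTED_HOSTS, BASELINE_HASHES):
        print("ALERT:", finding)
```

Run on a schedule against the live checkout page (fetched server-side or via a synthetic browser session), a single new finding is the signal to investigate; pairing it with a Content Security Policy that restricts `script-src` to the same trusted hosts blocks most injected loaders outright rather than only reporting them.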
2020-10-07

Cisco Security Updates Include Fixes for Three High Severity Flaws

Cisco has made fixes available to address three high-severity vulnerabilities affecting the Cisco Discovery Protocol implementation for Cisco Video Surveillance 8000 Series IP Cameras, Webex Teams for Windows, and the Cisco Identity Services Engine. Cisco has also released security updates to address 11 medium-severity vulnerabilities in a variety of products.

Editor's Note

There are no workarounds for these vulnerabilities, and the updates are free. If you are not on a service contract, or cannot obtain them from your Cisco reseller, you will need to contact the Cisco TAC to get them.

Lee Neely

2020-10-08

Adobe Creative Cloud Outage

An outage is preventing Adobe Creative Cloud users from logging in or accessing stored data and applications to which they subscribe. The problem began at about 9:30am EST. Adobe acknowledged the issue on the status.adobe.com page but has not offered details.

Editor's Note

The issues have been resolved. Use the "All" option on the status page to see the status of current and past incidents as well as planned maintenance information. With increased reliance on cloud services, it's important to have status and event data incorporated in your SOC or SIEM. To get alerts on outages/events, set up Events subscriptions in your Adobe account.

Lee Neely



2020-10-08

Azure App Services Flaws

A pair of security flaws in Azure App Services could be exploited to take control of vulnerable administrative servers. Microsoft was notified of the flaws in July and has fixed the issues.

Editor's Note

The Intezer writeup below does a good job of describing not only the two vulnerabilities discovered but also mitigations that limited their exploitability. Of note, use caution with hard coding of credentials, particularly root logins, and verify that your Docker containers are truly running as non-root users.

Lee Neely

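Two of the mitigations called out in the Azure App Services note, not hard-coding credentials (root logins in particular) and making sure containers really run as a non-root user, can both be checked at image build time. The following is an added example written for this summary; it is not Intezer's, Microsoft's or any project's tooling. It assumes a conventional Dockerfile and uses an assumed list of "secret-looking" key names; the two Dockerfiles are constructed.

```python
"""Build-time Dockerfile check for two points in the Azure App Services note: the image
must not end up running as root, and credentials must not be baked in via ENV/ARG.
Constructed example; not Intezer's or Microsoft's tooling. The secret-key pattern is an
assumption about what a reasonable check would flag."""
import re

# Assumed pattern for secret-looking ENV/ARG keys that should never be baked into an image.
_SECRET_KEY = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def _logical_lines(dockerfile_text):
    """Join backslash-continued lines and drop comments and blank lines."""
    joined, cur = [], ""
    for raw in dockerfile_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            cur += line[:-1] + " "
            continue
        joined.append(cur + line)
        cur = ""
    if cur:
        joined.append(cur.strip())
    return joined


def lint_dockerfile(dockerfile_text):
    """Return findings: secret-looking ENV/ARG keys, and a final effective user of root."""
    findings = []
    effective_user = "root"          # Docker's default when no USER instruction is present
    for line in _logical_lines(dockerfile_text):
        parts = line.split(None, 1)
        instr = parts[0].upper()
        args = parts[1] if len(parts) > 1 else ""
        if instr == "USER":
            # USER accepts "name", "uid", "name:group" or "uid:gid"; only the user part matters
            effective_user = args.split(":")[0].strip()
        elif instr in ("ENV", "ARG"):
            tokens = args.split()
            first = tokens[0] if tokens else ""
            # "ENV K=V K2=V2" form vs. legacy "ENV K V" form
            keys = re.findall(r"(\w+)=", args) if "=" in first else [first]
            for key in keys:
                if _SECRET_KEY.search(key):
                    findings.append(f"{instr} bakes a secret-looking key into the image: {key}")
    if effective_user in ("root", "0"):
        findings.append("final USER is root (or no USER instruction): container runs as root")
    return findings


# Constructed Dockerfile with both problems: a baked-in secret and no non-root USER.
WEAK_DOCKERFILE = """
FROM python:3.9-slim
ENV APP_PORT=8080 DB_PASSWORD=hunter2
COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt
CMD ["python", "app.py"]
"""

# Same image with the problems fixed: secret supplied at runtime, dedicated system user.
HARDENED_DOCKERFILE = """
FROM python:3.9-slim
ENV APP_PORT=8080
COPY . /app
WORKDIR /app
RUN pip install -r requirements.txt \\
    && useradd --system --no-create-home app
USER app:app
CMD ["python", "app.py"]
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(name, lint_dockerfile(text) or "OK")
```

An image-level check only proves what the Dockerfile declares; the "truly running as non-root" part of the note also needs a runtime check, for example confirming that `docker inspect -f '{{.Config.User}}'` on the running container is not empty or root, or that `id -u` inside the container is non-zero, since an orchestrator or entrypoint script can override the image's USER.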
Internet Storm Center Tech Corner

Today, Nobody is Going to Attack You

https://isc.sans.edu/forums/diary/Today+Nobody+is+Going+to+Attack+You/26654/


Apple T2 Chip Vulnerability

https://ironpeak.be/blog/crouching-t2-hidden-danger/


NVIDIA Patches

https://nvidia.custhelp.com/app/answers/detail/a_id/5075


Cloudflare DDoS Alerts

https://blog.cloudflare.com/announcing-ddos-alerts/


Gravatar Privacy Issue

https://www.bleepingcomputer.com/news/security/online-avatar-service-gravatar-allows-mass-collection-of-user-info/


Google Chrome Patches

https://chromereleases.googleblog.com/2020/10/stable-channel-update-for-desktop.html


Android Security Update

https://source.android.com/security/bulletin/2020-10-01


QNAP Patches Helpdesk Application

https://www.qnap.com/en/security-advisory/QSA-20-08


Comcast Remote Control Eavesdropping

https://www.guardicore.com/2020/10/wareztheremote-turning-remotes-into-listening-devices/


HashiCorp Vault Vulnerabilities

https://googleprojectzero.blogspot.com/2020/10/enter-the-vault-auth-issues-hashicorp-vault.html


Ryuk Ransomware Writeup

https://thedfirreport.com/2020/10/08/ryuks-return/


Ricky Tan: Zeek Log Reconnaissance with Network Graphs Using Maltego Casefile

https://www.sans.org/reading-room/whitepapers/securityanalytics/zeek-log-reconnaissance-network-graphs-maltego-casefile-39815