SANS NewsBites

Bipartisan Coalition of State Governors Announce Cyber Talent Discovery and Scholarship Program; National Guard Called in on Ransomware Attacks; Ransomware Hits Brazil (country), Mattel (toys), Campari (booze), and Prison

November 6, 2020  |  Volume XXII - Issue #88

Top of the News


2020-11-05

Bipartisan Coalition of State Governors Announce Cyber Talent Discovery and Scholarship Program For High School Students

Governors from Texas, North Dakota, Alabama, New Jersey, Utah, Idaho, Maryland, and Virginia announced CyberStart America - enabling all high school students in their states to discover whether they have an aptitude to excel in cybersecurity and to win millions in college scholarships.


2020-11-05

Vermont National Guard Called in to Help Hospital Network Recover from Ransomware

Vermont's governor has called in the state's Army National Guard's Combined Cyber Response Team to help the University of Vermont Health Network respond to a ransomware attack that affected six area hospitals.

Editor's Note

Finding skilled help to help recovery efforts can be challenging and expensive; leveraging existing trained response teams like this, particularly with hospital and other community services, should be investigated prior to needing them. Identify and verify where you can get help, now, before you're dealing with a significant incident such as ransomware.

Lee Neely

2020-11-05

Brazilian Courts Suffer Ransomware Attack

The computer network of Brazil's Superior Court of Justice was the victim of a ransomware attack earlier this week. The country's Secretariat for Information and Communication Technology (STI) is working to recover affected systems. A Brazilian journalist said that other Brazilian government agencies are offline.


2020-11-04

Mattel Discloses Ransomware Attack

Toy manufacturer Mattel has disclosed that its network was hit with a ransomware attack in late July. The company revealed the information in a form 10-Q filing with the US Securities and Exchange Commission (SEC).


2020-11-05

Campari Group Network Hit With Ransomware

Italian beverage company Campari Group disclosed that ransomware infiltrated its network on Sunday, November 1. The company said that it isolated affected systems and temporarily suspended IT services, and that it plans to wipe and restore affected systems.


2020-11-05

Private Prison Operator Discloses Ransomware Attack

A company that operates private prisons says it was the victim of a ransomware attack. GEO Group says that attackers may have stolen data during the incident, which occurred on August 19, 2020. The company's 120 facilities include several US Immigration and Customs Enforcement (ICE) detention centers. The information was disclosed in a form 8-K filing with the US Securities and Exchange Commission (SEC).

The Rest of the Week's News


2020-11-04

Chrome Zero-days are Being Actively Exploited

Google has fixed vulnerabilities in its Chrome browser that are being actively exploited. Users of the Chrome browser for Windows, macOS, and Linux should update to Chrome version 86.0.4240.183; users of Chrome for Android should update to Chrome version 86.0.4240.185.

Editor's Note

Chrome is a popular target this month. The weakness in the Android version allows for sandbox escape and OS level code execution. It is also being leveraged to exploit other system weaknesses such as the Windows Kernel Cryptography Driver vulnerability. Long story short, push the updates now.

Lee Neely

2020-11-04

Adobe Acrobat and Reader Updates Fix Flaws, Remove Insert Flash Option

Adobe has released updates to address a total of 14 security issues in Reader and Acrobat. Four of the vulnerabilities are rated critical; they could be exploited to allow "arbitrary code execution in the context of the current user." The updates also remove the Embed Flash and Insert Media options from the PDFMaker menu.

Editor's Note

Adobe categorizes the updates as priority 2: products that have historically been targeted, but for which the vulnerabilities have no known exploits. Given that the exploits enable arbitrary code and JavaScript execution, as well as privilege escalation, inclusion with your November patch cycle is the latest you'll want to deploy the updates. Sooner is better.

Lee Neely

2020-11-05

DoJ Seizes $1 Billion in Silk Road-related Cryptocurrency

A Bitcoin wallet was mysteriously relieved of 1 billion USD worth of the cryptocurrency on November 3. The action was revealed to be the work of the US Department of Justice (DoJ). The funds in the wallet were linked to Silk Road, the darknet marketplace that was shut down in 2013. The funds appear to have been stolen from Silk Road prior to the founder's trial and sentencing. The person who stole the funds, identified only as Individual X, has signed a Consent and Agreement to Forfeiture. Silk Road's founder is currently serving two life sentences in prison.


2020-11-05

Capcom Discloses Cyberattack

Video game developer Capcom has disclosed that some of its networks were hit with a cyberattack on November 2. In a press release, Capcom said "it has halted some operations of its internal networks." The attack appears to have affected Capcom's email system as well; a notice on the company's website says that it is currently "unable to reply to inquiries and/or to fulfill requests for documents."


2020-11-05

Massachusetts Votes to Grant Third-Party Access to Wireless Car Repair Data

Massachusetts has voted to extend the state's automotive right-to-repair law to connected car platforms and telematics. The initial right to repair automotive law passed in 2013 and took effect in 2018. It requires that all vehicles sold in Massachusetts have a "non-proprietary vehicle interface device" to allow repair businesses to access mechanical data. The newly passed ballot initiative will allow car owners and independent repair businesses access to wireless vehicle maintenance and repair information.

Editor's Note

Car manufacturers having proprietary interfaces to car telematics in no way guarantees a higher level of security - nor does having an open common access platform. The real issue is the societal decision about market competition for diagnostic and repair services and then the security level has to enable that. This reminds me of the old debate: "Proprietary code is safer than open source code because attackers can't see the code" vs. "Open source code is safer than proprietary code because of all the eyes looking at it." The real answer has always been "code written and tested with security and safety as a key focus/requirement by developers and testers skilled in security is the only software that will be safe and secure."

John Pescatore

Of note is the trend that almost every new car sold in 2020 included a cellular modem to allow for remote monitoring and data collection, promising a more proactive maintenance/service notification and tracking experience for consumers. And while some manufacturers are working to monetize that information, a big concern about providing access to the online interface by third parties is that it also has the ability to send commands to vehicle components for maintenance, diagnostics and repair, which heightens the need to get security right quickly.

Lee Neely

2020-11-05

Update Available for WordPress Welcart eCommerce Plugin

A critical vulnerability in the Welcart eCommerce WordPress plugin could be exploited for PHP object injection. The plugin's publisher was notified of the issue earlier this month and released an updated version, Welcart eCommerce 1.9.36, on October 20.

Editor's Note

The exploit uses vulnerabilities resolved in last week's WordPress emergency 5.5.2/5.5.3 update. Verify both updates were automatically installed on your WordPress system. The free version of Wordfence will get a firewall rule to block attempted exploits on November 8th.

Lee Neely

2020-11-05

Apple Releases Update to Fix Three Actively Exploited Flaws in iOS, macOS

Apple has updated its mobile and desktop operating systems to fix three security flaws that are being actively exploited. The three vulnerabilities were detected by Google's Project Zero, which gives developers just seven days to fix flaws that are being exploited in the wild. Users are urged to update their devices to iOS 14.2 and macOS 10.15.7. Updates are also available for iPadOS, watchOS, and for older iPhones.

Editor's Note

The vulnerabilities were severe enough to warrant updates to iOS 12 and watchOS 6, which are for older, unsupported devices. If, after updating to iOS 14.2, you have applications that die on startup, you can use the "Offload App" option under the device storage setting, followed by "Reinstall App" on that same screen, to reinstall the application without losing data or settings.

Lee Neely

Internet Storm Center Tech Corner


Attackers Exploiting WebLogic Servers to Install Cobalt Strike

https://isc.sans.edu/forums/diary/Attackers+Exploiting+WebLogic+Servers+via+CVE202014882+to+install+Cobalt+Strike/26752


Did You Spot "Invoke-Expression" ?

https://isc.sans.edu/forums/diary/Did+You+Spot+InvokeExpression/26762/


New SaltStack Vulnerabilities

https://www.saltstack.com/blog/on-november-3-2020-saltstack-publicly-disclosed-three-new-cves/


Adobe Releases Acrobat/Reader Update

https://helpx.adobe.com/security/products/acrobat/apsb20-67.html


Malicious Twilio NPM Package

https://www.npmjs.com/advisories/1574


GitHub Workflow Injection Vulnerabilities

https://bugs.chromium.org/p/project-zero/issues/detail?id=2070&can=2&q=&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary&cells=ids


Cisco AnyConnect Security Mobility Client

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-anyconnect-ipc-KfQO9QhK


Google Chrome Root CA Policy

https://www.chromium.org/Home/chromium-security/root-ca-policy


Android November 2020 Security Bulletin

https://source.android.com/security/bulletin/2020-11-01


Apple Security Updates

https://support.apple.com/en-us/HT201222


Corporate VoIP Phone System Attacks

https://blog.checkpoint.com/2020/11/05/whos-calling-gaza-and-west-bank-hackers-exploit-and-monetize-corporate-voip-phone-system-vulnerability-internationally/


Mark Lucas: Replacing WINS in an Open Environment with Policy Managed DNS Servers

https://www.sans.org/reading-room/whitepapers/dns/replacing-wins-open-environment-policy-managed-dns-servers-39820