SANS NewsBites

Tesla Hack To Steal Model X; GoDaddy's Inadvertent CryptoMining Error; VMware Critical Flaws

November 24, 2020  |  Volume XXII– Issue #93

Top of the News


2020-11-23

GoDaddy Employees Tricked Into Changing DNS Settings for Cryptocurrency Domains

Attackers used social engineering to trick employees at domain name registrar GoDaddy into handing over control of several cryptocurrency-related domains. The attackers were then able to gain access to some Liquid.com customer data. NiceHash noticed that traffic to its domain was being redirected and froze customer accounts for 24 hours while it confirmed that the domain settings had been restored.

Editor's Note

Your organisation's domain name is a key asset and should be appropriately protected. Ask your registrar about getting a registry lock or domain lock service for your domain to make unauthorized changes more difficult.

Brian Honan
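The lock status the editor's note recommends can be verified from the outside, because both registrar and registry locks show up as EPP status codes in WHOIS output and RDAP responses. The following is an added example, not part of the NewsBites item: it extracts the status codes from either format and reports whether the full registrar lock set (client*Prohibited) and registry lock set (server*Prohibited) are present. The WHOIS excerpt and RDAP document it parses are constructed samples, not records of any real domain.

```python
"""Check a domain's EPP status codes for registrar and registry locks.

Added example, not part of the NewsBites item: a registrar lock is visible as
the clientUpdateProhibited / clientTransferProhibited / clientDeleteProhibited
statuses, which the registrar can clear itself (and so can anyone who talks the
registrar's staff into it). A registry lock adds serverUpdateProhibited /
serverTransferProhibited / serverDeleteProhibited, which only the registry
clears, normally after out-of-band verification. Both sets appear in WHOIS
output and in RDAP responses, so lock state can be verified from outside.
The WHOIS text and RDAP JSON below are constructed samples.
"""
import json
import re

# EPP domain status codes (RFC 5731) that block changes to the domain object.
CLIENT_LOCKS = {"clientUpdateProhibited", "clientTransferProhibited",
                "clientDeleteProhibited"}
SERVER_LOCKS = {"serverUpdateProhibited", "serverTransferProhibited",
                "serverDeleteProhibited"}

# Constructed WHOIS excerpt: only the registrar's default transfer lock is set.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-EXCHANGE.COM
Registrar: Example Registrar, LLC
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.EXAMPLE-EXCHANGE.COM
"""

# Constructed RDAP response: registrar lock plus registry lock in place.
# RDAP (RFC 9083) spells statuses as lowercase words; RFC 8056 maps them to EPP names.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example-exchange.com",
    "status": ["client update prohibited", "client transfer prohibited",
               "client delete prohibited", "server update prohibited",
               "server transfer prohibited", "server delete prohibited"],
})


def statuses_from_whois(text):
    """Extract EPP status codes from 'Domain Status:' lines of WHOIS output."""
    return {m.group(1) for m in re.finditer(r"^\s*Domain Status:\s*(\w+)",
                                            text, re.MULTILINE)}


def statuses_from_rdap(rdap_json):
    """Extract EPP status codes from an RDAP domain object, converting the
    RDAP spelling ('server update prohibited') back to EPP camel case."""
    codes = set()
    for status in json.loads(rdap_json).get("status", []):
        words = status.split()
        codes.add(words[0] + "".join(w.capitalize() for w in words[1:]))
    return codes


def lock_report(codes):
    """Report whether the full registrar and registry lock sets are present
    and which lock statuses are missing."""
    return {
        "registrar_lock": CLIENT_LOCKS <= codes,
        "registry_lock": SERVER_LOCKS <= codes,
        "missing": sorted((CLIENT_LOCKS | SERVER_LOCKS) - codes),
    }


if __name__ == "__main__":
    for label, codes in (("WHOIS sample", statuses_from_whois(SAMPLE_WHOIS)),
                         ("RDAP sample", statuses_from_rdap(SAMPLE_RDAP))):
        print(label, lock_report(codes))
```

A domain that shows only clientTransferProhibited, as in the WHOIS sample, is in the position the GoDaddy victims were in: every protection on the record can be cleared by the registrar's own staff. Registries may also set server* statuses for reasons other than a lock product (disputes, abuse holds), so treat the report as a prompt to confirm the lock with the registrar rather than as proof on its own.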

2020-11-23

Tesla Bluetooth Vulnerability Could be Exploited to Steal Model X Vehicles

The keyless entry system for Tesla Model X automobiles is vulnerable to a Bluetooth attack that could be exploited to steal a Model X. The attack involves a flaw in the firmware update process for Tesla Model X key fobs. Tesla will start pushing out over-the-air updates for the affected key fobs this week.

Editor's Note

This attack leverages vulnerabilities in the key fob firmware update, the target vehicle's VIN, and an electronic control unit salvaged from another Model X, making the attack rig a bit bulky. Updates are being released for both the in-vehicle systems and the key fob firmware.

Lee Neely

Keyless entry on cars is, to me, like digital watches - what seems like a cool use of technology turns out to be a downgrade in capabilities and safety. There is a good reason why ATM machines still require a physical card to be inserted, not just a PIN entered.

John Pescatore

Keyless entry systems are all about the eternal trade-off between convenience and security. For security, prefer keyless entry based upon mobiles to those based on tokens or "fobs."

William Hugh Murray

2020-11-23

VMware Working on Fixes for Critical Privilege Elevation Vulnerability

A critical privilege elevation vulnerability in six VMware products could be exploited to "execute commands with unrestricted privileges on the underlying operating system." VMware has released workarounds as a temporary solution until patches are available.

Editor's Note

Apply the workaround ONLY to the specifically-identified product versions. While the workaround is in place, configurator-managed settings changes will not be possible without first reverting the fix. Additionally, the fix disables most of the system diagnostics dashboard. Subscribe to VMware's security announcement mailing list to be notified when the patches are released. https://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

Lee Neely

2020-11-20

VMware Issues Patches for ESXi Hypervisor Vulnerabilities

VMware has released fixes for multiple flaws affecting its ESXi hypervisor. A critical use-after-free vulnerability could be exploited "to execute code as the virtual machine's VMX process running on the host." An important privilege elevation vulnerability affects the way some system calls are managed. Both of the vulnerabilities were discovered during the Tianfu Cup Hacking Challenge earlier this month.

Editor's Note

The flaw impacts both ESXi and Workstation, including Fusion. Where patches are not yet available, the vulnerability can be mitigated by removing the XHCI (USB 3.x) controller from the virtual machines.

Lee Neely
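Before applying the interim mitigation, it helps to know which virtual machines actually have a USB 3.x controller attached. The following is an added example, not from the NewsBites item or from VMware: a read-only scan of .vmx configuration files that reports the VMs whose config still carries the xHCI controller key. The three .vmx texts it checks are constructed samples, and the assumption that your own VMs record the controller under the same key should be confirmed against a real .vmx on your hosts.

```python
"""Find virtual machines whose configuration still attaches a USB 3.x (xHCI)
controller, the component the ESXi advisory's interim mitigation removes.

Added example, not from the NewsBites item or from VMware: a VM's .vmx file
records the controller as usb_xhci.present = "TRUE", so a read-only scan of
.vmx files on a datastore (ESXi: under /vmfs/volumes) or in a Workstation or
Fusion VM folder lists the VMs that are still exposed. The three .vmx texts
below are constructed samples.
"""
import re
from pathlib import Path

# Matches the xHCI controller key; a .vmx may restate a key, and the last value wins.
XHCI_KEY = re.compile(r'^\s*usb_xhci\.present\s*=\s*"(TRUE|FALSE)"\s*$',
                      re.IGNORECASE | re.MULTILINE)
DISPLAY_NAME = re.compile(r'^\s*displayName\s*=\s*"([^"]*)"', re.MULTILINE)

VMX_WITH_XHCI = """\
.encoding = "UTF-8"
config.version = "8"
displayName = "build-agent-01"
usb.present = "TRUE"
usb_xhci.present = "TRUE"
"""

VMX_XHCI_OFF = """\
.encoding = "UTF-8"
displayName = "db-replica-02"
usb.present = "TRUE"
usb_xhci.present = "FALSE"
"""

# USB 2.0 (EHCI) only; no xHCI controller key at all.
VMX_NO_XHCI = """\
.encoding = "UTF-8"
displayName = "jump-host"
usb.present = "TRUE"
ehci.present = "TRUE"
"""


def xhci_present(vmx_text):
    """True if the configuration attaches an xHCI controller."""
    values = XHCI_KEY.findall(vmx_text)
    return bool(values) and values[-1].upper() == "TRUE"


def vm_name(vmx_text):
    """displayName from the .vmx, or a placeholder if it has none."""
    match = DISPLAY_NAME.search(vmx_text)
    return match.group(1) if match else "<unnamed>"


def exposed_vms(vmx_texts):
    """Names of the VMs in vmx_texts that still have the xHCI controller."""
    return sorted(vm_name(text) for text in vmx_texts if xhci_present(text))


def scan_directory(root):
    """Recursively read every .vmx under root and return the exposed VM names."""
    texts = (path.read_text(errors="replace") for path in Path(root).rglob("*.vmx"))
    return exposed_vms(texts)


if __name__ == "__main__":
    print("xHCI still attached:", exposed_vms([VMX_WITH_XHCI, VMX_XHCI_OFF, VMX_NO_XHCI]))
```

The scan only reads configuration; removing the controller is done with the VM powered off, through the client, as the advisory's workaround describes. A VM with USB 2.0 (EHCI) only, like the third sample, does not carry the xHCI controller and is not flagged. Re-run the scan after the mitigation to confirm that no VM has had the controller re-added.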

The Rest of the Week's News


2020-11-23

Ransomware Attack Against Managed.com Affects Local Governments

The ransomware attack against the network of hosting provider Managed.com has affected local governments in the US. The company took down its web hosting services after becoming aware of the attack last week. That action has rendered some Managed.com client websites unavailable. The affected organizations include some local governments in Indiana, North Carolina, and Oregon. The website of the Arizona Judicial Branch has also been affected.

Editor's Note

Managed.com contained the attack by shutting off hosting services. Standing up alternative sites and services to mitigate the shutdown requires access to backups of the initial sites. Store those backups with a separate service provider to mitigate the risk of failed restoration because the service is offline. Include procedures for service providers being offline in your COOP plans.

Lee Neely

2020-11-23

Brazilian Superior Electoral Court System Recovers from Ransomware Attack

Brazil's Superior Electoral Court has its IT systems fully operational following a ransomware attack that hit on November 3. The court was operating "with limited functionality" before November 20. The incident is being called "the worst-ever" cyberattack suffered by a Brazilian government department.


2020-11-23

South Korean Retailer E-Land Suffers Ransomware Attack

E-Land, a South Korean retail company, has temporarily suspended operations at 23 of its NC Department Stores and NewCore Outlet stores in the wake of a ransomware attack. The ransomware was activated on systems at E-Land headquarters on November 22.


2020-11-21

Manchester United Says Cyberattack is Disrupting IT Systems

On Friday, November 20, the Manchester United football club disclosed that its network had experienced a cyberattack that is causing "ongoing IT disruption." The incident is under investigation. Manchester United said "All critical systems required for matches to take place" over the weekend were operational.

Editor's Note

Of late, attacks of this nature turn out to be ransomware. Improved technical measures and supporting procedures were implemented and tested to prepare for this type of incident. The current trend for cyber attacks includes capitalizing on human weaknesses via social engineering. Studies have found that awareness training fades after a few months; support technical protections with refresher training at least bi-annually.

Lee Neely

2020-11-23

Romanian Police Arrest Malware Purveyors

Police in Romania have arrested two individuals in connection with three online services that are designed to help malware evade detection by antivirus software. The investigators also took down relevant servers in Romania, Norway, and the US.

Editor's Note

Congratulations to all those involved in this operation. It is heartening to see the increasing numbers of successful international operations against cybercriminals.

Brian Honan

2020-11-20

Google Plans to Add End-to-End Encryption to Android Messaging App

Google plans to begin beta-testing end-to-end encryption (E2EE) for its Android Messaging App. The feature will be rolled out to one-on-one Rich Communication Services (RCS) conversations. Google has been touting the RCS text-messaging standard as an alternative to SMS.

Editor's Note

To use RCS you need to be using the latest version of Google's Messages App with the chat features enabled. RCS uses WiFi or cellular data for message delivery, rather than SMS. Encryption keys exist only on the endpoints, so decryption on servers or relay points is not possible.

Lee Neely

Device-to-device encryption may look end-to-end to Google but should not be relied upon for sensitive applications in hostile environments.

William Hugh Murray

2020-11-20

Cryptocurrency and Criminal Finances Conference

Europol hosted the fourth Global Conference on Criminal Finances and Cryptocurrencies, which was held virtually. There were more than 2,000 participants, representing "law enforcement and judicial authorities, financial intelligence units, international organisations and the private sector." Presentations included "case examples to exchange knowledge and best practices on investigations related to cryptocurrency facilitated crime and subsequent money-laundering activities."


2020-11-20

OMB Directs Agencies to Prepare for IPv6-only Infrastructure

A memo from the US Office of Management and Budget (OMB) directs federal agencies to take steps to prepare for the transition to IPv6. Agencies have 45 days to create IPv6 integrated project teams that will "govern and enforce IPv6 efforts." Within 180 days, agencies must establish and publish on their websites their own IPv6 policies. They are also required to conduct at least one pilot of an IPv6-only operational system and to develop an IPv6 implementation plan prior to the end of FY 2021.

Editor's Note

This memo rescinds M-05-22, Transition Planning for IPv6 (August 2005), and Transition to IPv6 (September 2010). The 2010 requirements to upgrade public/external-facing services to IPv6 by FY end 2012, and to upgrade client applications that communicate with public Internet servers, including their supporting networks, to IPv6 by FY end 2014, remain. OMB expects agencies that have not already met those requirements to do so as soon as possible. Before jumping into an upgrade, understand the change in network security introduced by IPv6. Align thinking to consider all IPv6 addresses to be public IP space.

Lee Neely

Internet Storm Center Tech Corner

Quick Tip: Cobalt Strike Beacon Analysis

https://isc.sans.edu/forums/diary/Quick+Tip+Cobalt+Strike+Beacon+Analysis/26818/


Updates for VMware ESXi, Fusion and Workstation

https://www.vmware.com/security/advisories/VMSA-2020-0026.html


IBM DB2 Vulnerability

https://www.ibm.com/support/pages/node/6370025 (CVE-2020-4701)

https://www.ibm.com/support/pages/node/6370023 (CVE-2020-4739)


Fortinet SSL VPN Exploit Used to Collect Credentials

https://twitter.com/Bank_Security/status/1329426020647243778


GoDaddy Social Engineering Used to Compromise Bitcoin Exchange Domains

https://blog.liquid.com/security-incident-november-13-2020


Spoofed FBI Domains

https://www.ic3.gov/Media/Y2020/PSA201123