
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #17

February 28, 2020

ICS Cybersecurity Year in Review; GAO: Critical Infrastructure Cyber Framework; Hackers Actively Scanning for Microsoft Exchange Server Vulnerability; US Collegiate CTF Competition with Large Scholarships and Direct Connection to Jobs Announced at RSA



****************************************************************************

SANS NewsBites               February 28, 2020             Vol. 22, Num. 017

****************************************************************************

TOP OF THE NEWS  

 

  RSA Keynote: ICS Cybersecurity Year in Review: Major Concerns

  GAO: Critical Infrastructure Must Adopt NIST Cyber Framework

  Hackers Actively Scanning for Microsoft Exchange Server Vulnerability

  US Collegiate CTF Competition with Large Scholarships and Direct Connection to Jobs Announced at RSA

 

REST OF THE WEEK'S NEWS

 

  Fixes Available for Kr00k Vulnerability in Cypress and Broadcom Chips

  Criminal Cases Dropped After Evidence Lost in Ransomware Attack

  New Mexico School District Hit with Ransomware Again

  Bretagne Telecom Ransomware Attack

  Chrome Update Addresses 0-day and Other Vulnerabilities

  Zyxel Flaw Affects Firewall Products

  Australian Telcos Will Need to Employ Multi-Factor Authentication Before Porting Mobile Phone Numbers

  Firefox Begins Rolling Out DNS Over HTTPS by Default in US

  Clearview AI Client List Stolen


INTERNET STORM CENTER TECH CORNER


*********************  Sponsored By Dragos, Inc.  **************************


Join the Dragos 2019 ICS Year in Review webinar on March 5 for recommendations to improve your cybersecurity defenses. The report authors will summarize their conclusions from real-world threat hunts, incident response and vulnerability assessments. Hear what the state of the ICS cyberthreat landscape is and the public threat activity groups Dragos tracks. http://www.sans.org/info/215675

 

****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020


-- SANS Security West 2020 | San Diego, CA | May 6-13 | https://www.sans.org/event/security-west-2020


-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020


-- SANS San Francisco Spring 2020 | March 16-27 | https://www.sans.org/event/san-francisco-spring-2020


-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020


-- SANS London April 2020 | April 20-25 | https://www.sans.org/event/london-april-2020


-- Cloud Security Summit & Training 2020 | Frisco, TX | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020


-- Rocky Mountain Hackfest Summit & Training 2020 | Denver, CO | June 1-8 | https://www.sans.org/event/rockymountainhackfest-summit-2020


-- SANS OnDemand and vLive Training

Get an iPad (32G), a Samsung Galaxy Tab A, or Take $250 Off through March 4 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************

TOP OF THE NEWS   

 

--RSA Keynote: ICS Cybersecurity Year in Review: Major Concerns

(February 28, 2020)

In an extraordinary keynote address at RSA 2020 yesterday, Rob Lee provided an authoritative review of the attacks and status of defenses in ICS security. His full (50 minute) keynote is on YouTube (see URL below). The data are fascinating and provocative. One interesting insight: the vendors of ICS systems (OEMs) are failing to make basic security fixes, resulting in 91% of ICS systems having "common hardware issues beyond the asset owners' purview."


YouTube: The Industrial Cyberthreat Landscape: 2019 Year in Review

https://www.youtube.com/watch?v=yIFf27yL-p4

Dragos: Robert M. Lee of Dragos to Deliver Keynote at RSA Conference 2020

https://dragos.com/media/robert-m-lee-of-dragos-to-deliver-keynote-at-rsa-conference-2020/


 

--GAO: Critical Infrastructure Must Adopt NIST Cyber Framework

(February 26, 2020)

According to a report from the Government Accountability Office (GAO), federal agencies that have the lead in protecting critical infrastructure sectors (sector-specific agencies, or SSAs) have for the most part not taken adequate steps to ensure that the sectors they oversee have adopted the National Institute of Standards and Technology's (NIST's) Framework for Improving Critical Infrastructure Cybersecurity. There are nine SSAs overseeing 16 critical infrastructure sectors. Two SSAs have developed strategies for determining framework adoption in their designated sectors; two others have taken steps toward developing methods. Most of the SSAs have encouraged their sectors to adopt the framework. GAO recommends that NIST develop time frames for completing initiatives, and that the SSAs gather and report on improvements made from framework adoption.


[Editor Comments]


[Murray] This is urgent. While the SANS Top Twenty are more applicable to the scale of many enterprises, the NIST Cyber Framework is essential for large enterprises that are part of the economic or national security infrastructures.


Read more in:

GAO: CRITICAL INFRASTRUCTURE PROTECTION | Additional Actions Needed to Identify Framework Adoption and Resulting Improvements (PDF)

https://www.gao.gov/assets/710/704808.pdf

MeriTalk: Critical Infrastructure Agencies Must Fully Adopt NIST Cyber Framework, GAO Says

https://www.meritalk.com/articles/critical-infrastructure-agencies-must-fully-adopt-nist-cyber-framework-gao-says/

 
 

--Hackers Actively Scanning for Microsoft Exchange Server Vulnerability

(February 26 & 27, 2020)

Attackers are scanning for systems that have not been patched against the Microsoft Exchange Server remote code execution vulnerability that was fixed in Microsoft's February Patch Tuesday release.  


Read more in:

Bleeping Computer: Hackers Scanning for Vulnerable Microsoft Exchange Servers, Patch Now!

https://www.bleepingcomputer.com/news/security/hackers-scanning-for-vulnerable-microsoft-exchange-servers-patch-now/

Portswigger: Microsoft Exchange Server admins urged to treat crypto key flaw as 'critical'

https://portswigger.net/daily-swig/microsoft-exchange-server-admins-urged-to-treat-crypto-key-flaw-as-critical

MSRC: CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

 
 

--US Collegiate CTF Competition with Large Scholarships and Direct Connection to Jobs Announced at RSA

(February 26, 2020)

College students who hope to qualify for internships and jobs in cybersecurity are now eligible for the Cyber FastTrack Capture the Flag (CTF), which leads to $2.2 million in scholarships (including several SANS classes and GIAC certifications) and direct internships and jobs with employers seeking top talent. It is open to all college students in the U.S. The deadline to register is March 22; the competition itself runs March 26-27.

More information: https://cyber-fasttrack.org


[Editor Comments]


[Paller] As of this morning, 2,035 students from 464 US colleges have signed up for the first 2020 CTF. Cyber FastTrack is the only way for college students to discover how their skills stack up. Three Cyber FastTrack CTFs are scheduled for 2020 so students can keep moving up the leaderboard.


****************************  SPONSORED LINKS  ******************************


1) Join Robert M. Lee on March 27 in D.C. for the SANS Cyber Threat Intelligence Solutions Forum. Free with code CTIForum2020: http://www.sans.org/info/215680


2) Webcast: Learn various approaches to security testing and the latest innovations that can support modern software development. Register: http://www.sans.org/info/215685


3) Take the SANS Threat Hunting Effectiveness Survey and enter to win a $400 Amazon gift card: http://www.sans.org/info/215690


***************************************************************************

REST OF THE WEEK'S NEWS

 

--Fixes Available for Kr00k Vulnerability in Cypress and Broadcom Chips

(February 26 & 27, 2020)

A flaw in Wi-Fi chips from Cypress Semiconductor and Broadcom could be exploited to decrypt data sent over Wi-Fi networks. The affected chips are used in a range of devices, including iPhones, iPads, Amazon Echos and Kindles, Android devices, and certain Wi-Fi routers. The vulnerability, dubbed Kr00k, lies in the way the chips manage network interruptions: devices could be forced to use encryption keys that are simply a string of zeroes. Most manufacturers have developed fixes for the issue, but it is not known how widely they have been applied.


Read more in:

Ars Technica: Flaw in billions of Wi-Fi devices left communications open to eavesdropping

https://arstechnica.com/information-technology/2020/02/flaw-in-billions-of-wi-fi-devices-left-communications-open-to-eavesdroppng/

Dark Reading: Kr00k Wi-Fi Vulnerability Affected a Billion Devices

https://www.darkreading.com/vulnerabilities---threats/kr00k-wi-fi-vulnerability-affected-a-billion-devices/d/d-id/1337151

ZDNet: New Kr00k vulnerability lets attackers decrypt WiFi packets

https://www.zdnet.com/article/new-kr00k-vulnerability-lets-attackers-decrypt-wifi-packets/

Bleeping Computer: Kr00k Bug in Broadcom, Cypress WiFi Chips Leaks Sensitive Info

https://www.bleepingcomputer.com/news/security/kr00k-bug-in-broadcom-cypress-wifi-chips-leaks-sensitive-info/

Threatpost: Billions of Devices Open to Wi-Fi Eavesdropping Attacks

https://threatpost.com/billions-of-devices-wifi-encryption-hack/153267/

Bleeping Computer: Cisco Working on Patches for New Kr00k WiFi Vulnerability

https://www.bleepingcomputer.com/news/security/cisco-working-on-patches-for-new-kr00k-wifi-vulnerability/

ZDNet: Cisco patches incoming to address Kr00k vulnerability impacting routers, firewall products

https://www.zdnet.com/article/cisco-says-patches-incoming-to-address-new-kr00k-vulnerability-impacting-routers-firewall-products/

 
 

--Criminal Cases Dropped After Evidence Lost in Ransomware Attack

(February 26, 2020)

US federal prosecutors dropped 11 narcotics cases after crucial evidence was lost in a ransomware attack on a Florida police department's network. The Stuart police department experienced a ransomware attack in April 2019. Some data were recovered, but evidence in the cases was lost. Other jurisdictions around the country have also reported losing evidence in ransomware attacks.


[Editor Comments]


[Neely] Forensic evidence needs to be stored in a read-only fashion, with accompanying digital signatures to indicate tampering, or better still, keep the master copy off-line.
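The practice Neely describes, hashing each evidence item and signing the manifest so that any later change is detectable, as an added example that is not part of the newsletter or of any vendor's tooling. It uses SHA-256 for the per-item hashes and an HMAC keyed with a custodian secret as a stand-in for the digital signature (a real evidence system would use an asymmetric signature and keep the signing key and the master copy offline); the evidence bytes, item names and key are all constructed for the example.

```python
"""Tamper-evident evidence store: hash every item, sign the manifest, verify later.

Added example, not from the newsletter. HMAC-SHA256 stands in for the
digital signature Neely mentions; all evidence bytes below are constructed.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Constructed sample evidence items (name -> bytes); a real store holds files.
EVIDENCE = {
    "case-0001/disk-image.E01": b"\x00\x01\x02 constructed disk image bytes",
    "case-0001/chain-of-custody.txt": b"Received 2019-04-01 by Officer A.\n",
    "case-0002/phone-extraction.zip": b"PK\x03\x04 constructed archive bytes",
}

# Custodian signing key: a constructed placeholder, never hard-coded in practice.
CUSTODIAN_KEY = b"example-custodian-key-keep-offline"


def build_manifest(items: dict[str, bytes]) -> dict[str, str]:
    """Return {name: sha256 hex digest} for every evidence item, in sorted order."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(items.items())}


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """Canonicalize the manifest as compact, key-sorted JSON and tag it with HMAC-SHA256."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_evidence(items: dict[str, bytes], manifest: dict[str, str],
                    tag: str, key: bytes) -> list[str]:
    """Return a list of findings; an empty list means the store matches its signed manifest."""
    findings: list[str] = []
    # Check the manifest's own integrity first: an altered manifest proves nothing.
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        findings.append("manifest signature invalid: manifest itself was altered")
        return findings
    current = build_manifest(items)
    for name, expected in manifest.items():
        if name not in current:
            findings.append(f"missing: {name}")
        elif current[name] != expected:
            findings.append(f"modified: {name}")
    for name in current:
        if name not in manifest:
            findings.append(f"unexpected item: {name}")
    return findings


def demo() -> tuple[list[str], list[str], list[str]]:
    """Seal the constructed store, then run three checks: clean, damaged files, forged manifest."""
    manifest = build_manifest(EVIDENCE)
    tag = sign_manifest(manifest, CUSTODIAN_KEY)
    clean = verify_evidence(EVIDENCE, manifest, tag, CUSTODIAN_KEY)

    # Ransomware-style damage: one item overwritten in place, one deleted outright.
    damaged = dict(EVIDENCE)
    damaged["case-0001/disk-image.E01"] = b"ENCRYPTED" + damaged["case-0001/disk-image.E01"]
    del damaged["case-0002/phone-extraction.zip"]
    damaged_files = verify_evidence(damaged, manifest, tag, CUSTODIAN_KEY)

    # If the manifest is rewritten to match the damaged store, the signature check catches it.
    forged = build_manifest(damaged)
    forged_manifest = verify_evidence(damaged, forged, tag, CUSTODIAN_KEY)
    return clean, damaged_files, forged_manifest


if __name__ == "__main__":
    for label, result in zip(("clean", "damaged files", "forged manifest"), demo()):
        print(f"{label}: {result or 'OK'}")
```

The manifest and its tag are small enough to print and file with the chain-of-custody paperwork, which is what makes the "master copy off-line" recommendation practical: the online working copy can be on read-only or WORM storage, and the offline manifest lets a custodian prove whether any item was changed after sealing.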


Read more in:

ZDNet: Six suspected drug dealers went free after police lost evidence in ransomware attack

https://www.zdnet.com/article/six-suspected-drug-dealers-went-free-after-police-lost-evidence-in-ransomware-attack/

 
 

--New Mexico School District Hit with Ransomware Again

(February 26, 2020)

The Gadsden Independent School District in Las Cruces, New Mexico has been hit with ransomware for the second time in seven months. The district reported that its internet and communications systems were offline. It is not clear if the most recent infection is new or a recurrence of the July attack.  


[Editor Comments]


[Neely] The conversation has focused on paying the ransom or not, and in this case the school district has the ability to recover without paying the ransom. The daunting issue of preventing recurrence remains for everyone impacted by ransomware. Technical countermeasures and exercises to reinforce user training build the foundation.


Read more in:

Edscoop: Ryuk ransomware shuts down New Mexico school district a second time

https://edscoop.com/ryuk-ransomware-shuts-down-new-mexico-school-district-second-time/

 
 

--Bretagne Telecom Ransomware Attack

(February 26, 2020)

French cloud services provider Bretagne Telecom was hit with a ransomware attack in early January 2020. The company did not pay a ransom and was able to restore its systems from backups. Bretagne Telecom's CEO said the attackers exploited a Citrix vulnerability for which a patch was not yet available. The attackers did steal some data from Bretagne Telecom, which they uploaded to a website.  


Read more in:

Bleeping Computer: DoppelPaymer Hacked Bretagne Telecom Using the Citrix ADC Flaw

https://www.bleepingcomputer.com/news/security/doppelpaymer-hacked-bretagne-t-l-com-using-the-citrix-adc-flaw/

 
 

--Chrome Update Addresses 0-day and Other Vulnerabilities

(February 24 & 25, 2020)

Google's latest update for the Chrome browser includes fixes for three security issues, one of which is already being actively exploited. All three flaws have been rated high severity. Chrome 80.0.3987.122 is available for Windows, macOS, and Linux.


[Editor Comments]


[Neely] These flaws are being actively exploited; rapid updates are prudent. I was pleased to find my IT department was already pushing this update when I returned from travel this week.


Read more in:

Chrome Releases: Stable Channel Update for Desktop

https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html?m=1

The Register: Mind the gap: Google patches holes in Chrome - exploit already out there for one of them after duo spot code fix

https://www.theregister.co.uk/2020/02/25/google_chrome_security_bugs/

SC Magazine: Google issues Chrome update patching possible zero day

https://www.scmagazine.com/home/security-news/vulnerabilities/google-issues-chrome-update-patching-possible-zero-day/

ZDNet: Chrome 80 update cripples top cybercrime marketplace

https://www.zdnet.com/article/chrome-80-update-cripples-top-cybercrime-marketplace/

ZDNet: Google patches Chrome zero-day under active attacks

https://www.zdnet.com/article/google-patches-chrome-zero-day-under-active-attacks/

 
 

--Zyxel Flaw Affects Firewall Products

(February 26, 2020)

A recently disclosed flaw in some Zyxel Network Attached Storage (NAS) products has been found to also affect certain Zyxel firewall products. Zyxel became aware of the vulnerability several weeks ago after a security expert discovered that an exploit for the vulnerability was being sold on a cybercrime forum.


Read more in:

CERT: ZyXEL pre-authentication command injection in weblogin.cgi

https://www.kb.cert.org/vuls/id/498544/

KrebsOnSecurity: Zyxel 0day Affects its Firewall Products, Too

https://krebsonsecurity.com/2020/02/zyxel-0day-affects-its-firewall-products-too/

Zyxel: Zyxel security advisory for the remote code execution vulnerability of NAS and firewall products (updated advisory)

https://www.zyxel.com/support/remote-code-execution-vulnerability-of-NAS-products.shtml

 
 

--Australian Telcos Will Need to Employ Multi-Factor Authentication Before Porting Mobile Phone Numbers

(February 27, 2020)

Telecommunications companies in Australia will have to actively obtain approval from customers before porting a mobile phone number to a new provider. The Australian Communications and Media Authority (ACMA) said the process will require multi-factor authentication, but did not provide additional details. The Australian Communications Consumer Action Network (ACCAN) wants the ACMA to require "highly secure" methods of authentication.


[Editor Comments]


[Pescatore] In the US, all mobile carriers give an option to add a PIN onto the phone porting process, which is better than the default security questions used. This should be a minimum recommendation on all executive mobile phones; going to 2FA is even better.


Read more in:

ZDNet: ACMA mandates stronger identity checks when porting Australian mobile numbers

https://www.zdnet.com/article/acma-mandates-stronger-identity-checks-when-porting-australian-mobile-numbers/

 
 

--Firefox Begins Rolling Out DNS Over HTTPS by Default in US

(February 25 & 26, 2020)

On Tuesday, February 25, Mozilla announced that "Firefox began the rollout of encrypted DNS over HTTPS (DoH) by default for US-based users." Firefox users outside the US can enable DoH by choice in their Network Settings. While Cloudflare is the default encrypted-DNS service in Firefox, users can manually switch to NextDNS or another service of their choice.


Read more in:

Mozilla: Firefox continues push to bring DNS over HTTPS by default for US users

https://blog.mozilla.org/blog/2020/02/25/firefox-continues-push-to-bring-dns-over-https-by-default-for-us-users/

Ars Technica: Firefox turns encrypted DNS on by default to thwart snooping ISPs

https://arstechnica.com/information-technology/2020/02/firefox-turns-encrypted-dns-on-by-default-to-thwart-snooping-isps/

ZDNet: Mozilla enables DOH by default for all Firefox users in the US

https://www.zdnet.com/article/mozilla-enables-doh-by-default-for-all-firefox-users-in-the-us/

ZDNet: Here's how to enable DoH in each browser, ISPs be damned

https://www.zdnet.com/article/dns-over-https-will-eventually-roll-out-in-all-major-browsers-despite-isp-opposition/

 
 

--Clearview AI Client List Stolen

(February 26, 2020)

Facial recognition software company Clearview AI has disclosed that someone gained unauthorized access to its client list, which includes law enforcement agencies. Clearview did not share details of the breach, although the company did say that its servers were not breached. Clearview has made headlines recently for scraping billions of images from social media.   


Read more in:

Daily Beast: Facial-Recognition Company That Works With Law Enforcement Says Entire Client List Was Stolen

https://www.thedailybeast.com/clearview-ai-facial-recognition-company-that-works-with-law-enforcement-says-entire-client-list-was-stolen

Silicon Angle: Customer data stolen in data breach of facial recognition company Clearview AI

https://siliconangle.com/2020/02/26/customer-data-stolen-data-breach-facial-recognition-company-clearview-ai/

Vice: Clearview AI Reports Breach of Customer List

https://www.vice.com/en_us/article/bvgyqa/clearview-ai-customer-list-data-breach-hacked

 

******************************************************************************

INTERNET STORM CENTER TECH CORNER


Fraudulent Paypal Charges (links in German)

https://twitter.com/iblueconnection/status/1232259071602044928

https://www.heise.de/security/meldung/Google-Pay-Luecke-in-virtuellen-Kreditkarten-erlaubt-unberechtigte-Abbuchungen-4667527.html

https://stadt-bremerhaven.de/google-pay-virtuelle-paypal-kreditkarten-weisen-sicherheitsluecken-auf/


Chrome Update

https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop_24.html


Microsoft Public Preview for Azure AD Hybrid Environments

https://techcommunity.microsoft.com/t5/azure-active-directory-identity/public-preview-of-azure-ad-support-for-fido2-security-keys-in/ba-p/1187929


Comparing Information Leakage from Different Browsers

https://www.scss.tcd.ie/Doug.Leith/pubs/browser_privacy.pdf


Kr00k WiFi Attack

https://www.eset.com/int/kr00k/


Impersonating LTE Users

https://imp4gt-attacks.net/


Zyxel RCE Vulnerability

https://www.kb.cert.org/vuls/id/498544/


Ultrasonic Triggers for Cellphone Assistants

https://source.wustl.edu/2020/02/surfing-attack-hacks-siri-google-with-ultrasonic-waves/


Cloud Snooper Attack

https://news.sophos.com/en-us/2020/02/25/cloud-snooper-attack-bypasses-firewall-security-measures/


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create