SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #21

March 13, 2020

Hackers Use Interactive COVID-19 Map to Spread Malware; Illinois Public Health Ransomware Attack; Cyberspace Solarium Commission Report


SANS NewsBites               March 13, 2020                Vol. 22, Num. 021




  Hackers Use Interactive COVID-19 Map to Spread Malware

  Illinois Public Health District Website Suffers Ransomware Attack

  Cyberspace Solarium Commission Report


  IoT Threat Report: Medical Imaging Devices are Running Outdated OSes

  Microsoft's Patch Tuesday

  Microsoft Patches Wormable Vulnerability in SMBv3 Protocol

  Necurs Botnet Takedown

  Hackers Spoofing HTTPS Domains to Skim Payment Card Data

  Deloitte: Ransomware Attacks Against Local Government Increasing in Frequency and Cost

  FBI Arrests Individual Suspected of Operating deer.io

  Avast Disables JavaScript Engine Over Security Concerns


*************************  Sponsored By SANS  ******************************

Cloud Security Summit & Training 2020 | Dallas, TX | May 27 - Jun 3. Join us for the 4th annual SANS Cloud Security Summit & Training, where you'll engage with and learn from prominent security practitioners as you explore new approaches, tools, and design models for a cloud-first world. http://www.sans.org/info/215795





In response to the global escalation of the COVID-19 outbreak, and to keep our community safe, SANS will not run any in-person training between now and June 1st. We are in the process of transitioning these live events to virtual formats when possible. Check https://www.sans.org/information-security-training/by-location/all for a schedule of courses you can complete online.

Any course you have or will purchase is protected by the SANS Training Guarantee. For more information, visit https://www.sans.org/training-guarantee or contact us: https://www.sans.org/about/contact/.

Travel-Free Training with SANS Online

SANS remains committed to providing you with:

-- The world's best cybersecurity training

-- Several battle-tested online platforms

-- The same Instructors, content, and learning results as live training

-- Hands-on labs and subject matter expert support

45 courses are available now - no travel required. Learn More: sans.org/notravel

-- SANS 2020 - CyberCast | April 3-10 | https://www.sans.org/event/sans-2020

-- SANS Seattle Spring 2020 - CyberCast | March 23-28 | https://www.sans.org/event/seattle-spring-2020

-- SANS Philadelphia 2020 - CyberCast | March 30-April 4 | https://www.sans.org/event/philadelphia-2020

-- SANS Bethesda 2020 - CyberCast | April 14-19 | https://www.sans.org/event/bethesda-2020

-- SANS Minneapolis 2020 - CyberCast | April 14-19 | https://www.sans.org/event/minneapolis-2020

-- SANS Boston Spring 2020 - CyberCast | April 20-25 | https://www.sans.org/event/boston-spring-2020

-- SANS Pen Test Austin 2020 - CyberCast | April 27-May 2 | https://www.sans.org/event/pen-test-austin-2020

-- Cloud Security Summit & Training 2020 - CyberCast | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020


-- View the full SANS course catalog and Cyber Security Skills Roadmap






--Hackers Use Interactive COVID-19 Map to Spread Malware

(March 10, 11, 12, & 13, 2020)

Attackers are distributing a malicious Windows application that mimics the Johns Hopkins interactive COVID-19 map in order to deliver the AZORult information stealer, which harvests passwords, payment card data, cookies, cryptocurrency wallet data, and other sensitive information. In a related story, state-sponsored groups are using COVID-19 themes as lures in phishing campaigns.

[Editor Comments]

[Pescatore] By now, your company should have warned employees of the inevitable flood of malware and phishing attacks around the COVID-19 pandemic. Good to remind them it will happen again when things start to return to normal.

[Neely] Expect high quality social engineering attempts due to the plethora of information about COVID-19, and users' desire to keep up-to-date on the illness and its impacts.

Read more in:

KrebsOnSecurity: Live Coronavirus Map Used to Spread Malware


SC Magazine: Malicious coronavirus map hides AZORult info-stealing malware


Malwarebytes: Battling online coronavirus scams with facts


ZDNet: State-sponsored hackers are now using coronavirus lures to infect their targets



--Illinois Public Health District Website Suffers Ransomware Attack

(March 12, 2020)

The website of the Champaign-Urbana Public Health District (C-UPHD) in Illinois was hit with ransomware earlier this week. C-UPHD, which serves more than 200,000 people, including students at the University of Illinois's largest campus, has set up an alternate website while it works to restore its primary site.   

Read more in:

The Hill: Illinois public health agency website taken down by hackers


The Register: Fresh virus misery for Illinois: Public health agency taken down by... web ransomware. Great timing, scumbags



--Cyberspace Solarium Commission Report

(March 11, 2020)

The US Cyberspace Solarium Commission's report, mandated by the 2019 National Defense Authorization Act, "advocates a new strategic approach to cybersecurity: layered cyber deterrence." The report makes more than 80 recommendations, which are organized under six pillars: reform the U.S. government's structure and organization for cyberspace, strengthen norms and non-military tools, promote national resilience, reshape the cyber ecosystem, operationalize cybersecurity collaboration with the private sector, and preserve and employ the military instrument of national power.

[Editor Comments]

[Murray] We need a revolution; what we are doing is not working. We need to raise the cost of attack tenfold in 2020, a hundredfold in the next five years. We know what to do; we lack the will.  

Read more in:

FNN: Cyberspace Solarium Commission seeks to restore cyber coordinator roles


LawFare Blog: The Cyberspace Solarium Commission Report: A Lawfare Series


Fifth Domain: Congressional report outlines new American cyber strategy


Nextgov: Solarium Cyber Report Recommends New Government Structures, Major Policy Overhauls


Duo: Commission Outlines Ways to Overhaul Federal Cybersecurity


Solarium: Report


Google Drive: Cyberspace Solarium Commission Final Report: Executive Summary


Google Drive: Cyberspace Solarium Commission Report: Full Report


****************************  SPONSORED LINKS  ******************************

1) Webcast March 19th at 3:30PM ET: Join this webcast to see a demonstration and deconstruction of a full-stack attack. http://www.sans.org/info/215800

2) 2020 SANS SOC Skills Survey | Take this survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/215805

3) Live Simulcast | Join Robert M. Lee and industry experts for the Cyber Threat Intelligence Solutions Forum. http://www.sans.org/info/215810




--IoT Threat Report: Medical Imaging Devices are Running Outdated OSes

(March 10 & 11, 2020)

A report from Palo Alto Networks' Unit 42 found that 83 percent of medical imaging devices in the US are running operating systems that are no longer supported, a 56 percent increase over 2018 that is attributable in part to Microsoft's end of support for Windows 7 in January 2020. The report "analyzed 1.2 million IoT devices in thousands of physical locations across enterprise IT and healthcare organizations in the United States." The researchers also found that 98 percent of traffic sent by IoT devices is unencrypted, exposing personal and confidential data to anyone who can observe the network.

Read more in:

Unit42.PaloAltoNetworks: 2020 Unit 42 IoT Threat Report


Wired: Most Medical Imaging Devices Run Outdated Operating Systems


The Register: The Internet of Things is a security nightmare reveals latest real-world analysis: unencrypted traffic, network crossover, vulnerable OSes


Threatpost: More Than Half of IoT Devices Vulnerable to Severe Attacks


ZDNet: How poor IoT security is allowing this 12-year-old malware to make a comeback



--Microsoft's Patch Tuesday

(March 10, 2020)

Microsoft's security updates for March 2020 address 115 vulnerabilities, 26 of them rated critical. At the time of release, none of them was publicly disclosed or known to be under active exploitation.

[Editor Comments]

[Pescatore] A monthly patch day from Microsoft is beginning to sound very outdated, kinda like "telephone dial." Imagine if the health care recommendation to prevent infection of open wounds was "on every second Tuesday of the month, apply protective covering..." Somehow businesses and IT manage to live through faster patching for phones, tablets and browsers, cloud apps and just about everything else, but Windows still has Vulnerability Tuesday?

[Neely] While patch Tuesday is familiar and convenient for scheduling, and more vendors scheduling releases to this cadence is welcomed, the volume of fixes of late warrants a shorter interval between patch releases; particularly for endpoints.

Read more in:

KrebsOnSecurity: Microsoft Patch Tuesday, March 2020 Edition


ZDNet: Microsoft March 2020 Patch Tuesday fixes 115 vulnerabilities


Threatpost: Microsoft Patches 26 Critical Bugs in Big March Update



--Microsoft Patches Wormable Vulnerability in SMBv3 Protocol

(March 12, 2020)

Microsoft has released an out-of-band fix for a critical remote code execution flaw, CVE-2020-0796, in the way the Server Message Block 3.1.1 (SMBv3) protocol handles compressed messages. Details of the vulnerability were inadvertently published earlier this week, before a fix was available. Both the SMB client and server components are affected; an unauthenticated attacker could exploit the server side to execute code and spread to other vulnerable machines with no user interaction, which is what makes the flaw wormable. The issue affects 32- and 64-bit Windows 10 versions 1903 and 1909 and Windows Server, versions 1903 and 1909 (Server Core installations). Earlier releases, including Windows Server 2019, do not implement SMBv3 compression and are not affected.
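The host-level triage a Windows administrator would run for this item, as an added example that is not part of this newsletter or of Microsoft's update: determine whether the host is on an affected build, check whether the out-of-band update is installed, and if not apply the registry workaround Microsoft published alongside the fix (disable SMBv3 compression on the server side). The registry path and value are the ones from Microsoft's advisory, and the KB number and fixed build revisions are those in the update linked below; the firewall rule name and its Public-profile scope are assumptions for illustration.

```powershell
# Added example (not from the newsletter): CVE-2020-0796 triage on a single host.
# The registry workaround is the one Microsoft published; it protects only the
# SMB *server* side. SMB clients stay exposed until the update is installed.

$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# 1. Only Windows 10 / Windows Server versions 1903 and 1909 are affected.
$ver   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$ver.CurrentBuild      # 18362 = version 1903, 18363 = version 1909
$ubr   = [int]$ver.UBR               # update build revision; fixed builds are .720
$affected = $build -in 18362, 18363
"Build $($build).$($ubr) - affected release: $affected"

# 2. Is the out-of-band fix (KB4551762, OS builds 18362.720 / 18363.720) present?
$hotfix  = Get-HotFix -Id KB4551762 -ErrorAction SilentlyContinue
$patched = ($ubr -ge 720) -or ($null -ne $hotfix)
$vulnerable = $affected -and -not $patched
"Vulnerable: $vulnerable"

# 3. Affected and unpatched: disable SMBv3 compression (takes effect immediately).
if ($vulnerable) {
    Set-ItemProperty -Path $params -Name DisableCompression -Type DWORD -Value 1 -Force
}
Get-ItemProperty -Path $params -Name DisableCompression -ErrorAction SilentlyContinue |
    Select-Object DisableCompression

# 4. Defence in depth: block inbound SMB (TCP 445) on untrusted networks.
#    Rule name and profile are assumptions; scope with -RemoteAddress to your ranges.
New-NetFirewallRule -DisplayName 'Block inbound SMB 445 (CVE-2020-0796 workaround)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Public

# Once KB4551762 is installed, revert the workaround so compression works again:
# Set-ItemProperty -Path $params -Name DisableCompression -Type DWORD -Value 0 -Force
```

Run it elevated. The build check matters because the workaround is harmless but pointless on releases that never had SMBv3 compression, and the firewall rule only reduces exposure from outside the host's trusted networks; it does not stop lateral spread on a flat internal network, which is the wormable scenario.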

Read more in:

MSRC: CVE-2020-0796 | Windows SMBv3 Client/Server Remote Code Execution Vulnerability


Microsoft: March 12, 2020--KB4551762 (OS Builds 18362.720 and 18363.720)


Duo: Microsoft Releases Emergency Fix For SMBv3 Flaw


ZDNet: Microsoft patches SMBv3 wormable bug that leaked earlier this week


Ars Technica: Microsoft delivers emergency patch to fix wormable Windows 10 flaw



--Necurs Botnet Takedown

(March 10 & 11, 2020)

Working with partners in 35 countries, Microsoft has disrupted the infrastructure behind the Necurs botnet, which has infected more than nine million computers worldwide and has been used to distribute spam, ransomware, and other malware. On March 5, 2020, a federal court in New York authorized Microsoft to take control of the US-based infrastructure Necurs uses to distribute malware and infect new victims. Microsoft had also reverse engineered the botnet's domain generation algorithm and accurately predicted more than six million unique domains it would create over the next 25 months; these were reported to the relevant registries so they could be blocked before the Necurs operators could register them.

Read more in:

Microsoft: New action to disrupt world's largest online criminal network


The Register: Microsoft nukes 9 million-strong Necurs botnet after unpicking domain name-generating algorithm


ZDNet: Microsoft orchestrates coordinated takedown of Necurs botnet


Threatpost: Necurs Botnet in Crosshairs of Global Takedown Offensive


Cyberscoop: Microsoft strikes back at Necurs botnet by preemptively disabling hacking tools


Duo: Microsoft Disrupts Necurs Botnet



--Hackers Spoofing HTTPS Domains to Skim Payment Card Data

(March 11, 2020)

Hackers inserted malicious card-skimming code into the website of a US meat delivery service. The code loads from an attacker-controlled domain chosen to resemble part of a legitimate HTTPS URL, so that it blends in with ordinary script references while capturing customers' payment details at checkout. The domain has since been removed from the company's site, but it has been detected on other merchants' sites.

Read more in:

KrebsOnSecurity: Crafty Web Skimming Domain Spoofs "https"



--Deloitte: Ransomware Attacks Against Local Government Increasing in Frequency and Cost

(March 11, 2020)

According to a study from Deloitte, ransomware attacks targeting state and local government systems have grown more sophisticated and have become more frequent. The study says that in 2019, there were 163 reported ransomware attacks against local governments; at least $1.8 million in ransom was paid, and millions more spent on recovery efforts. In 2018, there were 55 reported attacks and less than $60,000 in ransom paid.

[Editor Comments]

[Neely] Part of the issue is these organizations may not have the resources to implement the mitigations needed, particularly differential backups, to aid with recovery as well as mitigations to prevent re-infection. While cyber insurance helps with the ransom payment, the funding for mitigations must be separately obtained, and is reliant on support during the already contested budget negotiation and funding cycle.

Read more in:

Dark Reading: Ransomware Increasingly Targeting Small Governments


Statescoop: Study: Governments struggle against more frequent and sophisticated ransomware



--FBI Arrests Individual Suspected of Operating deer.io

(March 10 & 12, 2020)

US federal law enforcement agents have arrested Kirill Victorovich Firsov for allegedly operating deer.io, a Russian-language platform that hosted online shops where cybercriminals bought and sold stolen account credentials and other compromised data. Firsov is scheduled to be arraigned later this week.

Read more in:

KrebsOnSecurity: FBI Arrests Alleged Owner of Deer.io, a Top Broker of Stolen Accounts


Cyberscoop: FBI arrests alleged operator of a Russian hosting service meant for scammers


GovInfosecurity: FBI Arrests Suspected Admin of Russian Cybercrime Market


KrebsOnSecurity: Indictment (PDF)



--Avast Disables JavaScript Engine Over Security Concerns

(March 11 & 13, 2020)

Avast has disabled the JavaScript emulator in its antivirus products after Google Project Zero researcher Tavis Ormandy reported that it could be exploited for remote code execution. The emulator, which evaluates JavaScript for malicious behaviour before the code is allowed to run in the browser or mail client, runs with SYSTEM privileges and "is unsandboxed and has poor mitigation coverage," so a bug in it could be triggered by a malicious web page or e-mail attachment.

[Editor Comments]

[Neely] Timely disablement of the emulator was a good call on Avast's part. Other endpoint protections will continue to provide protections; even so, consider enablement of JavaScript only for trusted sites.

Read more in:

The Register: Avast pulls plug on insecure JavaScript engine in its security software suite


ZDNet: Avast disables JavaScript engine in its antivirus following major bug


GitHub: Avast Antivirus JavaScript Interpreter






Microsoft Patch Tuesday



Mystery SMB3 Flaw Update


Microsoft Releases Patch for Windows SMBv3 Compression Vulnerability CVE-2020-0796


Agent Tesla Spread by Fake Canon EOS Notification Email


COVID19 Malware


Hancitor Distributed Through Coronavirus-Themed Malspam


Avast Removes Vulnerable JavaScript Emulator from Products


Checkra1n Exploit Works Against T2 Equipped Macs



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create