
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #22

March 17, 2020

A positive surprise: SANS students are saying they like the new CyberCast live-on-line training as well as (and in a few cases, better than) in-person training.





Top of The News


- COVID-19 Spear Phishing eMails Used to Spread Malware

- Malicious COVID-19 Android App is Ransomware

- Czech Hospital Conducting COVID-19 Testing Hit With Cyberattack

- US Dept. of Health and Human Services Fended Off Cyberattack

- SANS Security Awareness Work-from-Home Deployment Kit Released


The Rest of the Week's News


- ShadowServer is Losing its Funding

- New Voatz Audit Finds Severe Flaws

- WordPress Auto-Update Feature

- Fixes Available for Popup Builder WordPress Vulnerabilities

- Slack Flaw Fixed

- Europol and European Law Enforcement Arrest Alleged SIM-Swappers

- ENTSO-E Breach: More Details

- Crypto-Currency Scams


Internet Storm Center Tech Corner



Cybersecurity Training Update


In response to the global escalation of the COVID-19 outbreak, and to keep our community safe, SANS will not run any in-person training between now and June 1st. We are in the process of transitioning these live events to virtual formats when possible. Check https://www.sans.org/information-security-training/by-location/all for a schedule of courses you can complete online.

Any course you have or will purchase is protected by the SANS Training Guarantee. For more information, visit https://www.sans.org/training-guarantee or contact us: https://www.sans.org/about/contact/.

Travel-Free Training with SANS Online

SANS remains committed to providing you with:

- The world's best cybersecurity training

- Several battle-tested online platforms

- The same Instructors, content, and learning results as live training

- Hands-on labs and subject matter expert support

45 Courses are available now - no travel required. Learn More: sans.org/notravel

-- SANS 2020 - CyberCast | April 3-10 | https://www.sans.org/event/sans-2020

-- SANS Seattle Spring 2020 - CyberCast | March 23-28 | https://www.sans.org/event/seattle-spring-2020

-- SANS Philadelphia 2020 - CyberCast | March 30-April 4 | https://www.sans.org/event/philadelphia-2020

-- SANS Bethesda 2020 - CyberCast | April 14-19 | https://www.sans.org/event/bethesda-2020

-- SANS Minneapolis 2020 - CyberCast | April 14-19 | https://www.sans.org/event/minneapolis-2020

-- SANS Boston Spring 2020 - CyberCast | April 20-25 | https://www.sans.org/event/boston-spring-2020

-- SANS Pen Test Austin 2020 - CyberCast | April 27-May 2 | https://www.sans.org/event/pen-test-austin-2020

-- Cloud Security Summit & Training 2020 - CyberCast | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020


-- View the full SANS course catalog and Cyber Security Skills Roadmap





Free technical content sponsored by Netskope


Join Netskope's Cloud Security Workshop. Are you really ready to provide safe access to cloud services and keep pace with new threats? Register for Netskope's complimentary cloud security workshop! Take control over your web services. Get 5 CPE credits and hands-on experience with Next Gen Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) solutions built for the cloud.



Top of the News


COVID-19 Spear Phishing eMails Used to Spread Malware

(March 13, 2020)

An APT group has been sending spear phishing emails that claim to contain information about COVID-19. The messages, which target users in Mongolia, carry maliciously crafted Rich Text Format (RTF) document attachments that are used to infect computers with a remote access Trojan (RAT).


Read more in:

- https://threatpost.com/coronavirus-apt-attack-malware/153697/


Malicious COVID-19 Android App is Ransomware

(March 13 & 16, 2020)

An Android app that purports to track confirmed cases of COVID-19 actually locks up the phone and demands $100 in bitcoin to unlock it. If victims do not pay within 48 hours, the malware says it will erase all the data on the phone. A password to unlock frozen devices has been obtained.


Editor's Note



This app will also set a lock on your device if one is not already configured. The DomainTools researchers have reverse engineered the decryption key for the "CovidLock" app and are preparing to release it. Note that financially motivated threat actors are leveraging the COVID-19 crisis for profit. Users need to be careful installing offered mobile applications, particularly from unofficial app stores, and should expect some apps to make it into the legitimate app stores as well.


Read more in:

- https://www.cyberscoop.com/coronavirus-app-locked-phones/

- https://www.scmagazine.com/home/security-news/news-archive/coronavirus/password-found-to-rescue-victims-of-malicious-covid-19-tracker-app/

- https://www.scmagazine.com/home/security-news/news-archive/coronavirus/coronavirus-tracking-app-locks-up-android-phones-for-ransom/


Czech Hospital Conducting COVID-19 Testing Hit With Cyberattack

(March 13 & 14, 2020)

A Czech hospital that is one of the centers for COVID-19 testing in that country was the target of a cyberattack on Friday, March 13. Details of the breach have not been disclosed, but the hospital's entire IT system was shut down and all surgeries have been canceled. Two of the hospital's branches were also affected.


Read more in:

- https://www.zdnet.com/article/czech-hospital-hit-by-cyber-attack-while-in-the-midst-of-a-covid-19-outbreak/

- https://www.bleepingcomputer.com/news/security/covid-19-testing-center-hit-by-cyberattack/


US Dept. of Health and Human Services Fended Off Cyberattack

(March 16, 2020)

The US Department of Health and Human Services (HHS) noted increased network scanning over the weekend. While it appears to have been an attempt to launch a distributed denial-of-service attack (DDoS), the agency's systems were not significantly affected.


Editor's Note



Expect increased attacks in the name of COVID-19, particularly against businesses involved in testing and treatment; it's similar to other efforts to shortcut development by exfiltrating others' intellectual property or research. Verify your defenses, including monitoring and alerting capabilities, with an eye to operational impacts of increased numbers of remote workers, possibly even your SOC. Be prepared to alter your definition of normal due to modified working arrangements.


Read more in:

- https://www.cyberscoop.com/hhs-cyberattack-coronavirus-ddos/

- https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response

- https://www.zdnet.com/article/hhs-targeted-by-hackers-as-it-responds-to-novel-coronavirus-covid-19-pandemic/

- https://www.bleepingcomputer.com/news/security/us-health-department-site-hit-with-ddos-cyber-attack/

- https://thehill.com/policy/cybersecurity/487756-top-us-health-agency-suffers-cyberattack-report


SANS Security Awareness Work-from-Home Deployment Kit Released

(March 17, 2020)

Organizations worldwide are implementing work-from-home policies. At SANS, we want to do whatever we can to ensure companies and their security teams have the information and resources they need to create a secure remote workforce. We have made public a Securely Working From Home Deployment Kit to enable organizations to quickly train and secure their remote workforce. Full download and information can be found here: https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit.


The SANS Security Awareness Work-from-Home Deployment Kit includes:


- A strategic planning guide to which risks to focus on, and how to effectively train on those risks

- A communications template to engage your workforce

- Training materials (in multiple languages): Security Awareness Videos, Important Checklists & Fact Sheets, Podcasts and audio files, Posters & Newsletters, and Digital Signage


Lance Spitzner will be hosting webcasts to walk you through all the key concepts of the SANS Security Awareness Work-from-Home Deployment Kit.


- Tuesday, March 17th at 5:30 PM EDT (21:30 UTC) Register here: https://www.sans.org/webcasts/113875

- Wednesday, March 18th at 8:00 AM EDT (12:00 UTC) Register here: https://www.sans.org/webcasts/deployment-kit-securing-workforce-home-114035



Sponsored Links


Download Splunk's IT Security Predictions 2020 to learn how to best protect your organization, and your data, against a fast-approaching future. https://www.sans.org/info/215830


Start making threat intelligence more approachable by tuning in for this webcast on March 18th at 1PM ET: https://www.sans.org/info/215835


Webcast March 20th at 3:30PM ET: Learn how to leverage osquery for incident response and threat hunting. https://www.sans.org/info/215840


The Rest of the Week's News


ShadowServer is Losing its Funding

(March 16, 2020)

Cisco has withdrawn its funding from the all-volunteer non-profit organization Shadowserver.org. ShadowServer "help[s] Internet service providers (ISPs) identify and quarantine malware infections and botnets," and serves Computer Emergency Response Teams (CERTs) around the world, providing daily network reports. The organization needs to migrate operations to a new data center by mid-May.


Editor's Note



FluTrackers.com started up around the same time ShadowServer did. FluTrackers enables infectious disease experts to share data about outbreaks and treatments, regardless of whether governments or for-profit companies wanted that information to get out. It put out one of the first early warnings that something was happening in China. I'm sure other security companies will help replace the lost Cisco funding - this kind of model is an important component of the mix of government, commercial and crowd-sourced tools to use against cybersecurity risks.


Read more in:

- https://krebsonsecurity.com/2020/03/the-webs-bot-containment-unit-needs-your-help/

- https://www.wired.com/story/shadowserver-cisco-internet-cybersecurity/

- https://www.shadowserver.org/what-we-do/


New Voatz Audit Finds Severe Flaws

(March 13 & 16, 2020)

A new audit of the Voatz mobile voting app conducted by Trail of Bits found 16 "severe" security issues. Unlike previous audits, this audit had access to the Voatz Core Server and backend software. Trail of Bits confirmed the vulnerabilities found by researchers at the Massachusetts Institute of Technology (MIT) and found additional flaws.


Editor's Note



One of the hard parts of audits is moving through the process of acceptance to validation and remediation. While the Trail of Bits audit confirms vulnerabilities from the MIT researchers, the acceptance of and rapid response to their findings shows the advantage of a self-selected audit.



It is much easier to secure a purpose-built app running on a single user device than to secure a server running on a general purpose operating system. As ever, election fraud is far more likely in the tabulating and reporting steps than in vote recording. While not all of the problems identified by Trail of Bits have yet been addressed, most appear to be implementation shortcomings rather than fundamental vulnerabilities.


Read more in:

- https://statescoop.com/audit-finds-severe-vulnerabilities-voatz-mobile-voting-app/

- https://blog.trailofbits.com/2020/03/13/our-full-report-on-the-voatz-mobile-voting-platform/


WordPress Auto-Update Feature

(March 16, 2020)

WordPress developers plan to add an auto-update feature to plugins and themes. The WordPress core has had an auto-update mechanism for minor updates since October 2013, with the release of WordPress version 3.7. Users must still manually update between major versions of WordPress core.


Editor's Note



This is slated to release with WordPress core version 5.5 scheduled to be released in August. Version 5.4 was just released this March. The feature will include the ability to select which plugins are auto-updated and when updates will happen.


Read more in:

- https://www.zdnet.com/article/wordpress-to-add-auto-update-feature-for-themes-and-plugins/
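To make the distinction between what WordPress auto-updates today and what 5.5 is expected to add concrete, here is an added example (not from the article, and not WordPress project code) of how a site administrator can already get selective plugin auto-updates on WordPress 3.7 and later. It relies on the auto_update_plugin and auto_update_theme filters and the automatic_updates_complete action that core has exposed since 3.7; the allowlisted plugin paths and the log format are constructed for illustration.

```php
<?php
/**
 * Drop-in for wp-content/mu-plugins/selective-auto-updates.php (added example).
 *
 * Assumes WordPress >= 3.7, where the auto_update_plugin / auto_update_theme
 * filters and the automatic_updates_complete action already exist.
 */

// Plugins allowed to auto-update, identified the way core identifies them:
// "plugin-dir/main-file.php". Constructed list; Akismet is used because it
// ships with WordPress. Anything not listed stays on manual updates.
const SELECTIVE_AUTO_UPDATE_PLUGINS = [
    'akismet/akismet.php',
];

// Core passes the current decision ($update) and the update object ($item)
// from the wordpress.org API; $item->plugin is the plugin path above.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( ! isset( $item->plugin ) ) {
        return $update; // unknown shape: leave core's default decision alone
    }
    return in_array( $item->plugin, SELECTIVE_AUTO_UPDATE_PLUGINS, true );
}, 10, 2 );

// Never auto-update themes: a theme update can silently change templates.
add_filter( 'auto_update_theme', '__return_false' );

// Audit trail: record what the background updater actually changed.
// $results is keyed by type ('plugin', 'theme', 'core', 'translation');
// each entry is an array of result objects with ->name and ->result.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $updates ) {
        foreach ( $updates as $update ) {
            $status = is_wp_error( $update->result ) ? 'FAILED' : 'ok';
            // Constructed log line; route to your SIEM instead of error_log if preferred.
            error_log( sprintf( 'wp-auto-update %s %s: %s', $type, $update->name, $status ) );
        }
    }
} );

// Core itself: keep the default of minor/security releases only. If you want
// to pin this explicitly, put the following in wp-config.php rather than here:
// define( 'WP_AUTO_UPDATE_CORE', 'minor' );
```

The allowlist filter runs during the WP-Cron update check, so a plugin you add to the list is picked up on the next scheduled run without further action; removing one simply returns it to manual updating.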


Fixes Available for Popup Builder WordPress Vulnerabilities

(March 13, 2020)

Two flaws in the Popup Builder WordPress plugin have been fixed. One of the vulnerabilities is rated high severity; it could be exploited to inject JavaScript into a popup. Users are advised to upgrade to Popup Builder version 3.64.1.


Read more in:

- https://threatpost.com/wordpress-plugin-bug-popup-builder/153715/


Slack Flaw Fixed

(March 13 & 16, 2020)

Slack has fixed a vulnerability in its messaging platform that could have been exploited to take control of accounts. Slack learned of the flaw in November 2019 through its bug bounty program. Slack fixed the issue within 24 hours of being notified; the report was disclosed to the public last week.


Editor's Note



This fix was a server side fix. Even so, make sure that users with the desktop or mobile app have updated to the current versions - 4.3.2 Linux, 4.3.3 Mac, 4.3.4 Win, 20.03.20 iOS and Android.


Read more in:

- https://www.zdnet.com/article/slack-vulnerability-allowed-session-hijacking-account-takeovers/

- https://www.bleepingcomputer.com/news/security/slack-bug-allowed-automating-account-takeover-attacks/

- https://hackerone.com/reports/737140


Europol and European Law Enforcement Arrest Alleged SIM-Swappers

(March 13, 2020)

Europol, along with law enforcement authorities in Spain, Romania, and Austria, have arrested a total of 26 people in connection with two SIM-swapping operations. A SIM-swapping group in Spain stole more than €3 million ($3.35 million), and a group in Austria and Romania stole €500,000 ($559,000).


Editor's Note



All security measures have limitations. It is important to recognize those limitations and compensate accordingly. If a subscriber loses service on their mobile, they should contact their service provider immediately. While service providers are anxious to respond courteously and promptly to provisioning requests from subscribers, it is essential to do so securely. Provisioning requests should be authenticated in and out of band before acting on them. Out-of-band confirmation is one of our most efficient fraud resistance tools.


Read more in:

- https://www.zdnet.com/article/europol-tackles-massive-sim-swap-hacking-rings/

- https://www.bleepingcomputer.com/news/security/europol-dismantles-sim-swap-criminal-groups-that-stole-millions/

- https://www.cyberscoop.com/sim-swapping-spain-europol-austria/


ENTSO-E Breach: More Details

(January 23 & March 13, 2020)

More details are emerging about the data breach at the European Network of Transmission System Operators for Electricity (ENTSO-E). Hackers appear to have had access to ENTSO-E's IT network for several weeks. According to analysis from Recorded Future that was published in January, a remote access Trojan (RAT) "command and control (C2) server [was found to be] communicating with a mail server for a European energy sector organization from late November 2019 until at least January 5, 2020."


Read more in:

- https://www.cyberscoop.com/europe-grid-pupy-rat/

- https://www.recordedfuture.com/pupyrat-malware-analysis/


Crypto-Currency Scams

(March 9, 10, & 13, 2020)

Nigerians have reportedly lost hundreds of millions of Naira after being targeted in crypto-currency Ponzi schemes by firms that claim to speculate on cryptocurrency price movements. The scammers are capitalizing on weak regulations for crypto-currency as well as the fast moving technology that drives it. The Better Business Bureau started tracking crypto currency in 2018. The BBB now lists cryptocurrency as the second riskiest scam. 14% of crypto scam victims are in Nigeria, 11% in Indonesia, 9% in U.S. and 8% in Vietnam.


Editor's Note



Beware of scams that offer high return on investment, particularly cryptocurrency. Lack of regulation and oversight make cryptocurrency attractive for this purpose. The current economic turmoil increases users' likelihood of falling for these scams.


Read more in:

- https://guardian.ng/technology/authorities-helpless-as-crypto-currency-scams-rock-nigeria/

- https://www.cryptopolitan.com/riskiest-business-in-the-world-cryptocurrency-stand-2nd/

- https://decrypt.co/21763/cryptocurrency-is-deemed-the-second-riskiest-scam


Internet Storm Center Tech Corner


Phishing PDFs With Incremental Updates


VPN Access and Active Monitoring


Capturing Invalid Ethernet Frames


Desktop.ini as a post-exploitation tool


SANS Security Awareness Deployment Kit for Securing Your Workforce at Home


Cookiethief Android Cookie Stealing Malware


VMware Workstation/Fusion Update


Blackwater Malware Abuses Cloudflare Workers


tcpdump Heap Based Buffer Over-Read


Slack Account Takeover Bug




The Editorial Board of SANS NewsBites

Alan Paller: https://www.sans.org/newsletters/newsbites/editorial-board#alan-paller

Brian Honan: https://www.sans.org/newsletters/newsbites/editorial-board#brian-honan

David Hoelzer: https://www.sans.org/newsletters/newsbites/editorial-board#david=hoelzer

David Turley: https://www.sans.org/newsletters/newsbites/editorial-board#david-turley

Dr. Eric Cole: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cole

Ed Skoudis: https://www.sans.org/newsletters/newsbites/editorial-board#ed-skoudis

Eric Cornelius: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cornelius

Gal Shpantzer: https://www.sans.org/newsletters/newsbites/editorial-board#gal-shpantzer

Jake Williams: https://www.sans.org/newsletters/newsbites/editorial-board#jake-williams

Dr. Johannes Ullrich: https://www.sans.org/newsletters/newsbites/editorial-board#johannes-ullrich

John Pescatore: https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore

Lee Neely: https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely

Mark Weatherford: https://www.sans.org/newsletters/newsbites/editorial-board#mark-weatherford

Rob Lee: https://www.sans.org/newsletters/newsbites/editorial-board#rob-lee

Sean McBride: https://www.sans.org/newsletters/newsbites/editorial-board#sean-mcbride

Shawn Henry: https://www.sans.org/newsletters/newsbites/editorial-board#shawn-henry

Stephen Northcutt: https://www.sans.org/newsletters/newsbites/editorial-board#stephen-northcutt

Suzanne Vautrinot: https://www.sans.org/newsletters/newsbites/editorial-board#suzanne-vautrinot

Tom Liston: https://www.sans.org/newsletters/newsbites/editorial-board#tom-liston

William Hugh Murray: https://www.sans.org/newsletters/newsbites/editorial-board#william-hugh-murray

To create a SANS Portal Account visit: https://www.sans.org/account/create