
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #23

March 20, 2020





Top of The News


- Hackers Use COVID-19 Tracking Map to Hide Spyware

- Food Delivery Service in Germany Targeted with DDoS Attack

- Mandiant Ransomware Research Shows Window of Opportunity For Defenders


The Rest of the Week's News


- Social Media Turning to AI for Moderators

- Four-Year Sentence for Role in Chinese Espionage Operation

- Adobe Patches 29 Critical Flaws

- Cisco Releases Fixes for SD-WAN Vulnerabilities

- Mozilla Eliminating Support for FTP in Firefox

- Chrome and Chrome OS Releases Paused

- Rogers Communications Notifies Customers of Data Breach

- Local Governments in France are Being Hit With Pysa Ransomware

- Information Sharing and Analysis Organization for Political Campaigns


Internet Storm Center Tech Corner



Cybersecurity Training Update


Community Note: SANS and GIAC have all hands on deck right now to create as many immediately useful online resources and challenges for you as possible, so that you can keep your cybersecurity skills sharp while working from home. Watch your email, sans.org, and of course your bi-weekly NewsBites for exciting announcements, like this one:


Cyber FastTrack is a free CTF you can play for fun, or to apply for a scholarship. The deadline to register for the March 26-27 Cyber FastTrack challenge (featuring a $22k scholarship prize for U.S. college students) is this Sunday, March 22. Learn more: https://cyber-fasttrack.org.

Cybersecurity Training Update

Keep your skills sharp, train online with SANS OnDemand:

- The world's top cybersecurity training

- Flexible self-paced format you can take anytime, anywhere

- A battle-tested training platform including 4 months of access

- Hands-on labs and GIAC-certified SME support


Start your OnDemand training now: 45 Courses | No travel required




-- SANS 2020 - CyberCast | April 3-10 | https://www.sans.org/event/sans-2020

-- SANSFIRE 2020 | Washington, DC | June 13-20 | https://www.sans.org/event/sansfire-2020


-- SANS Network Security 2020 | Las Vegas, NV | September 20-27 | https://www.sans.org/event/network-security-2020

-- View the full SANS course catalog and Cyber Security Skills Roadmap



Any course you have or will purchase is protected by the SANS Training Guarantee. To learn more, visit www.sans.org/training-guarantee.



Free technical content sponsored by Fidelis Cybersecurity


Elevating Enterprise Security with Fidelis Cybersecurity: Endpoint Security Capabilities. SANS' Matt Bromiley continues to examine the Fidelis Cybersecurity Elevate platform in part two of this webcast series, focusing on features such as behavioral monitoring, built-in threat hunting capabilities, and threat intelligence and scanning designed to make analysts' lives easier.




Top of the News


Hackers Use COVID-19 Tracking Map to Hide Spyware

(March 18, 2020)

Hackers have weaponized a legitimate COVID-19 tracking map to deliver spyware. Known as SpyMax, the malware can exfiltrate logs for texts and phone calls, and allows the attackers to activate microphones and cameras. The malware appears to be used to spy on people in Libya.


Editor's Note



With workers out of the office, the normal resources which protect them from malware are reduced or absent. Consider providing references to vetted sources of information, web sites or mobile apps, as part of your COVID-19 communication campaign.


Read more in:

- https://www.cyberscoop.com/covid-19-spyware-libya-lookout-johns-hopkins-map

- https://www.scmagazine.com/home/security-news/mobile-security/spyware-disguised-as-covid-19-tracker-app-actually-keeps-track-of-users/


Food Delivery Service in Germany Targeted with DDoS Attack

(March 19, 2020)

Hackers have launched a distributed denial-of-service (DDoS) attack against the website of a food delivery service in Germany. The hackers demanded a ransom of 2 bitcoins to stop the attack. Lieferando.de, the German branch of Takeaway.com, is back online; it is not clear if they paid the ransom.


Editor's Note



Ransomware still depends on social engineering, and the current situation is ripe for users making mistakes which could enable an attack. Encourage workers to focus on deliberate operations - taking an intentional, thoughtful and careful approach to ensure work is conducted safely and securely. Take a measured approach with regular management check-ins, performing tasks only when sufficient staff are available to execute them securely and safely.


Read more in:

- https://www.bleepingcomputer.com/news/security/food-delivery-service-in-germany-under-ddos-attack/

- https://www.tripwire.com/state-of-security/security-data-protection/food-delivery-website-in-germany-targeted-by-ddos-attackers/

- https://www.darkreading.com/attacks-breaches/ddos-attack-targets-german-food-delivery-service/d/d-id/1337359


Mandiant Ransomware Research Shows Window of Opportunity For Defenders

(March 16 & 18, 2020)

According to researchers from Mandiant, most ransomware does not deploy until at least three days after attackers have gained their initial foothold in a system. In some cases, the dwell time was much longer. Mandiant looked at "dozens of ransomware incident response investigations from 2017 to 2019." The researchers also found that most ransomware infections occur at night or on weekends. The blog post notes that "there is often a window of time between the first malicious action and ransomware deployment. If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection."


Read more in:

- https://www.fireeye.com/blog/threat-research/2020/03/they-come-in-the-night-ransomware-deployment-trends.html

- https://www.bleepingcomputer.com/news/security/most-ransomware-gets-executed-three-days-after-initial-breach/

- https://www.zdnet.com/article/most-ransomware-attacks-take-place-during-the-night-or-the-weekend/


Sponsored Links


Webcast | Learn 7 DevOps-friendly techniques that will help you seamlessly incorporate security into your program. Register: https://www.sans.org/info/215880


Webcast March 25th | "Keeping Network Inspection Visibility in the Age of TLS 1.3: What To Do When The Network Goes Dark." Learn more: https://www.sans.org/info/215885


What's the best way to introduce a DevSecOps Program? Tune in for the webcast on March 26th: https://www.sans.org/info/215890


The Rest of the Week's News


Social Media Turning to AI for Moderators

(March 17 & 18, 2020)

Earlier this week, Facebook users began noticing that their COVID-19-related posts were being taken down. They received notifications from Facebook which said the posts violated community standards. Facebook says the issue was due to a bug in its anti-spam filter. Facebook's content moderators had been sent home; they cannot work from home due to privacy agreements. Twitter and YouTube have also said they are sending home their content monitors. Some researchers are concerned that with content moderators absent, much of the decision-making regarding permissible posts will be left to automated systems.


Editor's Note



Increased reliance on automation is a natural side effect of orders sending employees home. Oversight of that automation, particularly if new, is critical to correct missteps. When regulations prohibit remote oversight of that automation, the criticality of those jobs needs to be re-evaluated.



In the US, the Department of Health and Human Services put out a "Notification of Enforcement Discretion for telehealth remote communications" during the COVID-19 emergency - basically saying remote working using common sense security precautions that may not be fully compliant will not be penalized. Using public-facing social media is still prohibited. While companies should not race into remote working without taking precautions, security should be the issue - not compliance. SANS has released a free secure telework support package at www.sans.org: SANS Security Awareness Work-from-Home Deployment Kit.



My FB post that was taken down just got put back 30 minutes ago with a blanket apology note that did mention SPAM. My post was related to COVID (many, but not all, of my FB friends' deleted posts were on the subject), and I notice FB now has their own COVID-19 page, so they may be trying filters to limit misinformation since they have been thoroughly bashed by Congress for that in the past.


Read more in:

- https://www.wired.com/story/coronavirus-social-media-automated-content-moderation/

- https://www.scmagazine.com/home/security-news/bug-leads-facebook-to-mark-covid-19-posts-as-spam/

- https://www.zdnet.com/article/was-your-facebook-post-on-the-coronavirus-deleted-this-is-why/


Four-Year Sentence for Role in Chinese Espionage Operation

(March 17 & 19, 2020)

A US federal district judge in California has sentenced Xuehua Edward Peng to 48 months in prison for acting as an agent of the People's Republic of China (PRC). Peng, who is a US citizen, participated in several "dead-drops," a scheme to exchange money for information in which the two parties involved do not meet. Peng hid money in designated places and returned later to retrieve Secure Digital (SD) cards containing classified US information. Peng brought the SD cards to China, where he delivered them to a PRC official.


Read more in:

- https://www.justice.gov/usao-ndca/pr/hayward-resident-sentenced-four-years-acting-agent-people-s-republic-china

- https://www.theregister.co.uk/2020/03/19/sd_card_spy_china/


Adobe Patches 29 Critical Flaws

(March 18, 2020)

Adobe has issued fixes for more than 40 security issues in Acrobat, Reader, Photoshop, ColdFusion, Genuine Integrity Service, Experience Manager, and Bridge. Twenty-nine of the vulnerabilities are rated critical.


Editor's Note



In addition to pushing these updates to your traditional targets, verify that your systems that are now working remotely are both monitored and updated. In the past, it may have been an acceptable risk to wait for updates on remote systems until they reconnected to the corporate network. With the current crisis, that interval is undefined; you should look to patching them in place.


Read more in:

- https://www.theregister.co.uk/2020/03/18/adobe_trend_micro_patches/

- https://www.scmagazine.com/home/security-news/vulnerabilities/adobe-patches-41-vulnerabilities-22-in-photoshop/

- https://www.zdnet.com/article/windows-10-or-mac-user-patch-adobe-reader-and-acrobat-now-to-fix-9-critical-security-flaws/

- https://threatpost.com/critical-adobe-photoshop-acrobat-reader-flaws/153902/

- https://helpx.adobe.com/security/products/acrobat/apsb20-13.html

- https://helpx.adobe.com/security/products/photoshop/apsb20-14.html

- https://helpx.adobe.com/security/products/integrity_service/apsb20-12.html


Cisco Releases Fixes for SD-WAN Vulnerabilities

(March 18 & 19, 2020)

Cisco has released updates to address three vulnerabilities in its software-defined wide-area network (SD-WAN) Solution software. All three flaws have been rated high severity. The issues affect a range of Cisco products running SD-WAN software older than the current version, Release 19.2.2.


Read more in:

- https://www.zdnet.com/article/cisco-tackles-root-privilege-vulnerability-in-sd-wan-software/

- https://threatpost.com/cisco-warns-of-high-severity-sd-wan-flaws/153942/

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwclici-cvrQpH9v

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwanbo-QKcABnS2

- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-sdwpresc-ySJGvE9


Mozilla Eliminating Support for FTP in Firefox

(March 19, 2020)

Mozilla says that it plans to eliminate support for the FTP protocol in Firefox by the start of 2021. Support for FTP will initially be disabled in Firefox 77, which is scheduled for release in June 2020. Users who want to view and download files over FTP will be able to re-enable support through the Firefox about:config page until Mozilla removes FTP support completely at the start of 2021.


Editor's Note



While there are extensions to secure FTP, it is fundamentally an unsecure protocol. Delivery of files over HTTPS is a technically viable alternative. If you retain FTP capabilities, identify the specific use cases and regularly check for alternatives.



While low profile and often "legacy" or "orphan," FTP servers continue to be a source of leakage of data. Enterprises should replace FTP servers in favor of SFTP and HTML.


Read more in:

- https://www.zdnet.com/article/firefox-to-remove-support-for-the-ftp-protocol/


Chrome and Chrome OS Releases Paused

(March 18, 2020)

Google has paused the upcoming releases of its Chrome browser and Chrome OS. Google says that the reason for the delay is adjusted work schedules due to the coronavirus. Chrome 81 was scheduled to be released on Tuesday, March 17. In its blog statement, Google notes that it will "continue to prioritize any updates related to security, which will be included in Chrome 80."


Read more in:

- https://chromereleases.googleblog.com/2020/03/upcoming-chrome-and-chrome-os-releases.html

- https://www.zdnet.com/article/google-pauses-chrome-and-chrome-os-releases-due-to-coronavirus-outbreak/


Rogers Communications Notifies Customers of Data Breach

(March 19, 2020)

Canadian telecom company Rogers Communications has begun notifying customers that their personal information was compromised. In late February, Rogers learned that an external service provider had exposed a customer database to the Internet.


Read more in:

- https://www.bleepingcomputer.com/news/security/rogers-data-breach-exposed-customer-info-in-unsecured-database/

- https://www.rogers.com/support/10022020


Local Governments in France are Being Hit With Pysa Ransomware

(March 19, 2020)

France's Computer Emergency Response Team (CERT) has issued an alert about ransomware targeting networks of local governments. The attackers are using a new variant of the Mespinoza ransomware, which is also known as Pysa. The alert describes how the attacks operate and indicators of infection; it also provides recommendations to help organizations minimize the effect of the ransomware.


Read more in:

- https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/

- https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/


Information Sharing and Analysis Organization for Political Campaigns

(March 19, 2020)

The US now has a Political Campaign Information Sharing and Analysis Organization (PC-ISAO). Established earlier this month by US CyberDome, PC-ISAO "facilitate[s] fully anonymous cyber threat information sharing, ...provide[s] technical information in formats that are easy to read, ... [and] also facilitate[s] connections amongst members on cybersecurity challenges."


Read more in:

- https://www.infosecurity-magazine.com/news/us-launches-first-pc-isao/

- https://uscyberdome.com/isao/


Internet Storm Center Tech Corner


A Quick Summary of Current Reflective DNS DDoS Attacks


Trickbot gtag red5 distributed as DLL File


COVID-19 Themed Multistage Malware


Is Cryptojacking Dead after Coinhive Shutdown?


Adobe Patches


TrendMicro Update


More VMWare Updates


EnigmaSpark Malware


Recent Ransomware Trends


Cisco SD-WAN Patches


0Patch Selling Patches for Windows 7


LDAPFragger: Bypassing network restrictions using LDAP attributes




The Editorial Board of SANS NewsBites

Alan Paller: https://www.sans.org/newsletters/newsbites/editorial-board#alan-paller

Brian Honan: https://www.sans.org/newsletters/newsbites/editorial-board#brian-honan

David Hoelzer: https://www.sans.org/newsletters/newsbites/editorial-board#david=hoelzer

David Turley: https://www.sans.org/newsletters/newsbites/editorial-board#david-turley

Dr. Eric Cole: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cole

Ed Skoudis: https://www.sans.org/newsletters/newsbites/editorial-board#ed-skoudis

Eric Cornelius: https://www.sans.org/newsletters/newsbites/editorial-board#eric-cornelius

Gal Shpantzer: https://www.sans.org/newsletters/newsbites/editorial-board#gal-shpantzer

Jake Williams: https://www.sans.org/newsletters/newsbites/editorial-board#jake-williams

Dr. Johannes Ullrich: https://www.sans.org/newsletters/newsbites/editorial-board#johannes-ullrich

John Pescatore: https://www.sans.org/newsletters/newsbites/editorial-board#john-pescatore

Lee Neely: https://www.sans.org/newsletters/newsbites/editorial-board#lee-neely

Mark Weatherford: https://www.sans.org/newsletters/newsbites/editorial-board#mark-weatherford

Rob Lee: https://www.sans.org/newsletters/newsbites/editorial-board#rob-lee

Sean McBride: https://www.sans.org/newsletters/newsbites/editorial-board#sean-mcbride

Shawn Henry: https://www.sans.org/newsletters/newsbites/editorial-board#shawn-henry

Stephen Northcutt: https://www.sans.org/newsletters/newsbites/editorial-board#stephen-northcutt

Suzanne Vautrinot: https://www.sans.org/newsletters/newsbites/editorial-board#suzanne-vautrinot

Tom Liston: https://www.sans.org/newsletters/newsbites/editorial-board#tom-liston

William Hugh Murray: https://www.sans.org/newsletters/newsbites/editorial-board#william-hugh-murray

To create a SANS Portal Account visit: https://www.sans.org/account/create