
Volume XXII - Issue #24

March 24, 2020

Surge In COVID-19 Related Malware; Windows 0-day is Being Actively Exploited




****************************************************************************

SANS NewsBites               March 24, 2020                Vol. 22, Num. 024

****************************************************************************


TOP OF THE NEWS  


  COVID-19 Related Malware

  Windows 0-day is Being Actively Exploited



REST OF THE WEEK'S NEWS


  Hackers Steal Data from Clinical Medical Research Organization

  South Carolina Fire Department Computers Infected with Ransomware

  Finastra Systems Infected with Ransomware

  Countries Are Using Geolocation and Facial Recognition to Track COVID-19

  Google and Microsoft Pausing Major Version Updates for Chrome and Edge Browsers

  Firefox Enables TLS 1.0 and 1.1 Again to Aid Access to COVID-19 Information

  NIST Draft Document on Cybersecurity and Enterprise Risk Management

  Medical Device Maker Discloses Phishing Attack


INTERNET STORM CENTER TECH CORNER


**********************  Sponsored By  Splunk  *******************************


How to Uplevel Your Defenses With Security Analytics. If you don't have actionable insights to detect and respond to emerging and current threats, you're not reaping the rewards of modern security information event management (SIEM) technology. Download How to Uplevel Your Defenses With Security Analytics, and find out what you (and your SIEM) are missing and how to harden your defenses. http://www.sans.org/info/215895


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


Keep your skills sharp, train online with SANS OnDemand:


* The world's top cybersecurity training

* Flexible self-paced format you can take anytime, anywhere

* A battle-tested training platform including 4 months of access

* Hands-on labs and GIAC-certified SME support


Start your OnDemand training now: 45 Courses | No Travel Required

- https://www.sans.org/ondemand/


SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap


Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee.

 
 

*****************************************************************************

TOP OF THE NEWS   

 

--COVID-19 Related Malware

(March 20 & 23, 2020)

The FBI has issued a warning about an increase in COVID-19-related fraud schemes. The announcement urges people to be alert to phony messages from the Centers for Disease Control (CDC), phishing emails, and offers of phony COVID-19 treatments. There have been reports of phony email messages that pretend to be from the head of the World Health Organization and actually install a keystroke logger on users' computers, and of a fake COVID-19 vaccine website that tries to steal payment card and other personal data.


[Editor Comments]


[Neely] Also warn users to be on the alert for phishing campaigns, particularly targeting the elderly, around the pending US financial relief package. These campaigns promise extra social security, investment schemes or COVID-19 relief payments in exchange for bank account information. Also beware of pay-in-advance offers to help victims with services.


Read more in:

IC3: FBI Sees Rise in Fraud Schemes Related to the Coronavirus (COVID-19) Pandemic

https://www.ic3.gov/media/2020/200320.aspx

ZDNet: WHO chief emails claiming to offer coronavirus drug advice plant keyloggers on your PC

https://www.zdnet.com/article/who-chief-emails-claiming-to-offer-coronavirus-drug-advice-plant-keyloggers-on-your-pc/

Threatpost: Revamped HawkEye Keylogger Swoops in on Coronavirus Fears

https://threatpost.com/revamped-hawkeye-keylogger-coronavirus-fears/154013/

Threatpost: Fake Coronavirus 'Vaccine' Website Busted in DoJ Takedown

https://threatpost.com/fake-coronavirus-vaccine-website-busted-in-doj-takedown/154031/

GovInfosecurity: COVID-19 Phishing Schemes Escalate; FBI Issues Warning

https://www.govinfosecurity.com/covid-19-phishing-schemes-escalate-fbi-issues-warning-a-13998

SC Magazine: FBI warns of COVID-19 phishing scams promising stimulus checks, vaccines

https://www.scmagazine.com/home/security-news/cybercrime/fbi-warns-of-covid-19-phishing-scams-promising-stimulus-checks-vaccines/

Portswigger: Coronavirus fraud: DoJ takes action against website claiming to offer Covid-19 vaccine

https://portswigger.net/daily-swig/coronavirus-fraud-doj-takes-action-against-website-claiming-to-offer-covid-19-vaccine

ISC: More COVID-19 Themed Malware

https://isc.sans.edu/forums/diary/More+COVID19+Themed+Malware/25930/

ISC: COVID-19 Themed Multistage Malware

https://isc.sans.edu/forums/diary/COVID19+Themed+Multistage+Malware/25922/

GitHub: parthdmaniar / coronavirus-covid-19-SARS-CoV-2-IoCs

https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs



--Windows 0-day is Being Actively Exploited

(March 23, 2020)

Microsoft warns of limited, targeted attacks that exploit two as-yet unpatched vulnerabilities in the Adobe Type Manager Library, resulting in remote code execution. On supported versions of Windows 10, exploitation results in code execution within an AppContainer with limited privileges and capabilities. Microsoft has not yet released a patch, and offers a choice of three workarounds: disabling the Preview and Details panes in Windows Explorer, disabling the WebClient service, and renaming ATMFD.DLL. Enhanced Security Configuration, which is on by default on Windows Server, does not mitigate the problem.

 

[Editor Comments]

 

[Neely] While the impact of an attack is lowest on supported versions of Windows 10, there is a chance the attackers are also capable of executing a sandbox escape. Be sure to read the caveats with each of the fixes before rolling one out. The second workaround, disabling the WebClient service, will block the attacks attackers are most likely to use, and impacts web distributed authoring and versioning as well as stopping, and blocking the starting of, any services based on WebClient.


[Ullrich] There is no public exploit right now, but targeted attacks are taking advantage of this vulnerability. Microsoft's initial advisory caused some confusion as the DLL mentioned is not present on newer versions of Windows 10, and Microsoft clarified this in the 1.1 version of the advisory released last night.   

ISC: Windows Zeroday Actively Exploited: Type 1 Font Parsing Remote Code Execution Vulnerability

https://isc.sans.edu/forums/diary/Windows+Zeroday+Actively+Exploited+Type+1+Font+Parsing+Remote+Code+Execution+Vulnerability/25936/
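As an added example (not from the newsletter or from Microsoft's advisory), the following PowerShell script audits the state of the three workarounds listed above on the local host and can optionally disable the WebClient service. It assumes an elevated Windows PowerShell 5 or later prompt, reports the OS build so the reader can apply the ATMFD.DLL caveat from the editor comments, and leaves the per-user Preview/Details pane setting to manual verification.

```powershell
# Added example, not from the newsletter or from Microsoft's advisory: audit the
# ADV200006 workarounds the item lists on the local host, and optionally apply the
# WebClient one. Read-only unless -Apply is given; run from an elevated prompt.
[CmdletBinding()]
param(
    [switch]$Apply   # disable and stop the WebClient service if it is not already
)

$findings = New-Object System.Collections.Generic.List[string]

# --- 1. WebClient (WebDAV redirector) service ---------------------------------
# Target state: StartType Disabled and Status Stopped. Caveat from the item: this
# also breaks WebDAV and any service that depends on WebClient.
$svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings.Add("WebClient: service not present on this host")
}
elseif ($svc.StartType -eq 'Disabled' -and $svc.Status -eq 'Stopped') {
    $findings.Add("WebClient: Disabled/Stopped (workaround in place)")
}
else {
    $findings.Add("WebClient: StartType=$($svc.StartType) Status=$($svc.Status) (workaround NOT in place)")
    if ($Apply) {
        # -Force also stops dependent services; they will fail to start afterwards.
        Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
        Set-Service -Name WebClient -StartupType Disabled
        $findings.Add("WebClient: stopped and set to Disabled")
    }
}

# --- 2. ATMFD.DLL -------------------------------------------------------------
# Renaming the DLL only applies where it exists. Newer Windows 10 builds do not
# ship it (the advisory's 1.1 revision clarified this), so "absent" does not by
# itself prove the workaround was applied; the OS build is reported alongside.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$findings.Add("OS: $($os.Caption) build $($os.BuildNumber)")
$atmfd = Join-Path $env:SystemRoot 'System32\atmfd.dll'
if (Test-Path -Path $atmfd) {
    $findings.Add("ATMFD: $atmfd present (rename workaround not applied)")
}
else {
    $findings.Add("ATMFD: $atmfd absent (renamed, or not shipped on this build)")
}

# --- 3. Preview and Details panes --------------------------------------------
# These are per-user Explorer settings toggled in the GUI; they are not audited
# here, so the report flags them for manual verification.
$findings.Add("Explorer Preview/Details panes: verify manually for each user")

$findings | ForEach-Object { Write-Output $_ }
```

Run it without -Apply first to record the current state, then with -Apply only on hosts where the WebDAV impact is acceptable.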

 

Read more in:

MSRC: ADV200006 | Type 1 Font Parsing Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006#march-23-flaw

Threatpost: Microsoft Warns of Critical Windows Zero-Day Flaws

https://threatpost.com/microsoft-warns-of-critical-windows-zero-day-flaws/154040/

Duo: Unpatched Windows Flaws Under Active Attack

https://duo.com/decipher/unpatched-windows-flaws-under-active-attack

ZDNet: Microsoft warns of Windows zero-day exploited in the wild

https://www.zdnet.com/article/microsoft-warns-of-windows-zero-day-exploited-in-the-wild/

The Register: It's 2020 and hackers are still hijacking Windows PCs by exploiting font parser security holes. No patch, either

https://www.theregister.co.uk/2020/03/23/microsoft_issues_red_alert/

Ars Technica: Windows code-execution zeroday is under active exploit, Microsoft warns

https://arstechnica.com/information-technology/2020/03/attackers-exploit-windows-zeroday-that-can-execute-malicious-code/


****************************  SPONSORED LINKS  ******************************


1) Don't miss this upcoming webcast | Keeping Network Inspection Visibility in the Age of TLS 1.3: What To Do When The Network Goes Dark. http://www.sans.org/info/215900


2) Rocky Mountain Hackfest Summit & Training 2020 - SANS CyberCast | June 1-8. http://www.sans.org/info/215905


3) See how Infoblox BloxOne Threat Defense can help address the changing threat environment and optimize your security from the foundation up. http://www.sans.org/info/215910


*****************************************************************************

REST OF THE WEEK'S NEWS

 

--Hackers Steal Data from Clinical Medical Research Organization

(March 22 & 23, 2020)

Earlier this month, a UK clinical medical research company detected and stopped a ransomware attack launched against its systems. Hammersmith Medicines Research (HMR) has conducted trials of various vaccines and drugs, and is planning to begin trials for a potential COVID-19 vaccine. The attackers stole data from Hammersmith, including sensitive information about people who participated in other clinical trials. The data include medical questionnaires, and passport and driver's license numbers. The group responsible for the ransomware attack has begun posting the stolen information in an attempt to get Hammersmith to pay a ransom.    


[Editor Comments]


[Murray] When one's networks, systems, applications, and data are compromised, there are many ways for the attackers to monetize the compromise.


Read more in:

SC Magazine: Maze ransomware attackers extort vaccine testing facility

https://www.scmagazine.com/home/security-news/ransomware/maze-ransomware-attackers-extort-vaccine-testing-facility/

Silicon Angle: Hackers leak data from medical company set to carry out COVID-19 vaccine trials

https://siliconangle.com/2020/03/22/data-leaked-medical-company-set-carry-covid-19-vaccine-trials/

Forbes: COVID-19 Vaccine Test Center Hit By Cyber Attack, Stolen Data Posted Online

https://www.forbes.com/sites/daveywinder/2020/03/23/covid-19-vaccine-test-center-hit-by-cyber-attack-stolen-data-posted-online/#22048e1b18e5

 
 

--South Carolina Fire Department Computers Infected with Ransomware

(March 20, 2020)

Computers belonging to the Bluffton Township (South Carolina) Fire Department became infected with ransomware in mid-March. The attack did not affect the department's ability to respond to emergency calls.  


[Editor Comments]


[Murray] By this time, most large enterprises should be both resistant to and resilient in the face of "ransomware" attacks. However, many of the measures that they have put in place may be beyond the capabilities of many small and medium size enterprises (SME). That may be why SMEs are being targeted and successfully attacked. They must look to their vendors and contractors.


Read more in:

GovTech: South Carolina Fire Department Servers Disabled by Hacker

https://www.govtech.com/security/South-Carolina-Fire-Department-Servers-Disabled-by-Hacker.html


 

--Finastra Systems Infected with Ransomware

(March 20 & 23, 2020)

UK financial technology company Finastra has disclosed that earlier this month, the company's "IT security and risk teams actively detected... that a bad-actor was attempting to introduce malware into [their] network in what appears to have been a common ransomware attack." Finastra took its servers offline in an effort to contain the infection.


Read more in:

Finastra: Statement from Tom Kilroy, Chief Operating Officer

https://www.finastra.com/statement-coo-finastra

KrebsOnSecurity: Security Breach Disrupts Fintech Firm Finastra

https://krebsonsecurity.com/2020/03/security-breach-disrupts-fintech-firm-finastra/

ZDNet: Fintech company Finastra hit by ransomware

https://www.zdnet.com/article/fintech-company-finastra-hit-by-ransomware/

Bleeping Computer: UK Fintech Firm Finastra Hit By Ransomware, Shuts Down Servers

https://www.bleepingcomputer.com/news/security/uk-fintech-firm-finastra-hit-by-ransomware-shuts-down-servers/

 
 

--Countries Are Using Geolocation and Facial Recognition to Track COVID-19

(March 17, 19, 20, & 23, 2020)

Governments in several countries are using technologies like geolocation and facial recognition to track the spread of COVID-19. In the UK, health officials plan to test a new app that will let people know if they have been in contact with someone who has tested positive for COVID-19. In China, the government has created a system called Health Code, which assigns each individual a color to identify them as infected, quarantined, or healthy. In Hong Kong, people who have tested positive for COVID-19 or who have been quarantined are given an electronic bracelet, the latest version of which includes geofencing technology. South Korea has been using CCTV images, payment card records, and mobile phone data, which allows them to retrace the steps of people who test positive for the virus. Israel and the US are also considering surveillance methods. (Please note that the WSJ story is behind a paywall.)


[Editor Comments]


[Pescatore] There seems to be pretty clear agreement in the experienced medical community about the right steps to take, and investigating the contacts of newly discovered infections is pretty important. Doing that quickly and accurately, not just quickly, is key. Any untested technology use that generates high rates of false positives or false negatives will be counterproductive - just as we've seen in security.


Read more in:

qz: Hong Kong is using tracker wristbands to geofence people under coronavirus quarantine

https://qz.com/1822215/hong-kong-uses-tracking-wristbands-for-coronavirus-quarantine/

The Register: It's time to track people's smartphones to ensure they self-isolate during this global pandemic, says WHO boffin

https://www.theregister.co.uk/2020/03/23/track_phones_coronavirus_who/

ZDNet: US, Israel, South Korea, and China look at intrusive surveillance solutions for tracking COVID-19

https://www.zdnet.com/article/us-israel-south-korea-and-china-look-at-intrusive-surveillance-solutions-for-tracking-covid-19/

NYT: Translating a Surveillance Tool into a Virus Tracker for Democracies

https://www.nytimes.com/2020/03/19/us/coronavirus-location-tracking.html

WSJ: To Track Virus, Governments Weigh Surveillance Tools That Push Privacy Limits (paywall)

https://www.wsj.com/articles/to-track-virus-governments-weigh-surveillance-tools-that-push-privacy-limits-11584479841

 
 

--Google and Microsoft Pausing Major Version Updates for Chrome and Edge Browsers

(March 20, 21, 22, & 23, 2020)

Last week, Google announced that it was pausing major releases of its Chrome browser because of COVID-19-related adjusted work schedules. Google will release new versions of Chrome 80 (which is the current stable version) to address security issues. Microsoft has now announced that it, too, is pausing the release of major versions of its Edge browser, which is based on Chromium.


[Editor Comments]


[Ullrich] With most employees working from home, some companies have decided to delay patching to reduce the risks of home users getting "cut off". That may not be sensible because software makers will focus on patching security flaws and not on new features that may increase tech support traffic. Firefox also reverted a change that would have disabled TLS 1.0/1.1 to avoid problems with some government sites that still require these older TLS versions (see next story).


[Neely] We're all learning the impacts of increased telework coupled with reduced availability of those who are caring for those impacted by the illness, such as having children home from school or being a caretaker for one who is ill. With the uncertainty, it may still be too soon to re-baseline projects; instead, take a flexible approach and focus on prioritizing deliverables.


Read more in:

Windows: Update on Stable channel releases for Microsoft Edge

https://blogs.windows.com/msedgedev/2020/03/20/update-stable-channel-releases/

CNET: Google Chrome, Microsoft Edge 'pause' updates because of coronavirus

https://www.cnet.com/news/google-pauses-chrome-updates-because-of-coronavirus-disruptions/

ZDNet: Microsoft pauses Edge releases amid coronavirus outbreak

https://www.zdnet.com/article/microsoft-pauses-edge-releases-amid-coronavirus-outbreak/

Bleeping Computer: Microsoft Pauses New Edge Browser Versions Due to Coronavirus

https://www.bleepingcomputer.com/news/microsoft/microsoft-pauses-new-edge-browser-versions-due-to-coronavirus/

Bleeping Computer: Google to Abandon Chrome 82 Development Due to Release Delays

https://www.bleepingcomputer.com/news/google/google-to-abandon-chrome-82-development-due-to-release-delays/

 
 

--Firefox Enables TLS 1.0 and 1.1 Again to Aid Access to COVID-19 Information

(March 20, 2020)

Mozilla has reverted to allowing TLS 1.0 and 1.1 to enable users to access COVID-19 information on government websites that have not yet made the switch to TLS 1.2 or 1.3. Earlier this month, Mozilla announced it was ending support for TLS 1.0 and 1.1 with the release of Firefox 74 on March 10.  


[Editor Comments]


[Neely] To make sure you have support for older TLS enabled, go to settings:config and check the value of security.tls.version.fallback-limit. 1 for TLS 1.0, 2 for TLS 1.1, 3 for TLS 1.2 and 4 for TLS 1.3. This setting applies to Firefox 74 and ESR 68.6.


Read more in:

Mozilla: 74.0: Changed

https://www.mozilla.org/en-US/firefox/74.0/releasenotes/

Bleeping Computer: Firefox Reenables Insecure TLS to Improve Access to COVID19 Info

https://www.bleepingcomputer.com/news/security/firefox-reenables-insecure-tls-to-improve-access-to-covid19-info/

 
 

--NIST Draft Document on Cybersecurity and Enterprise Risk Management

(March 20, 2020)

The US National Institute of Standards and Technology (NIST) is seeking public comment on a draft report, NIST-Interagency Report 8286 | Integrating Cybersecurity and Enterprise Risk Management. NIST will accept comments through April 20, 2020.


[Editor Comments]


[Neely] This document attempts to create a bridge between Enterprise Risk Management and Cybersecurity Risk Management. One of the challenges is a consistent message relating to cyber risks and how they translate into costs for the organization so that the resulting risk registers are appropriately factored into ERM.


Read more in:

NIST: Integrating Cybersecurity and Enterprise Risk Management (ERM) (PDF)

https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8286-draft.pdf

Fifth Domain: NIST asks for public comments on new cybersecurity risk management document

https://www.fifthdomain.com/civilian/2020/03/20/nist-asks-for-public-comments-on-new-cybersecurity-risk-management-document/

 
 

--Medical Device Maker Discloses Phishing Attack

(March 23, 2020)

Insulin pump manufacturer Tandem Diabetes has disclosed a phishing attack. On its website, Tandem noted that "a limited number of Tandem employee email accounts may have been accessed by an unauthorized user between January 17, 2020 and January 20, 2020." The affected accounts contained customer information, including names, contact information, clinical data related to diabetes therapy, and in some cases, Social Security numbers.


Read more in:

Tandem Diabetes: Notice of Email Security Incident

https://www.tandemdiabetes.com/support-update/substitute-notice

Portswigger: Healthcare data breach: Medical device manufacturer discloses phishing attack

https://portswigger.net/daily-swig/healthcare-data-breach-medical-device-manufacturer-discloses-phishing-attack

 
 

******************************************************************************

INTERNET STORM CENTER TECH CORNER

 

More Covid19 Malware

https://isc.sans.edu/forums/diary/More+COVID19+Themed+Malware/25930/


Covid-19 Malware Summary

https://github.com/parthdmaniar/coronavirus-covid-19-SARS-CoV-2-IoCs


Windows Font Parsing 0-Day

https://isc.sans.edu/forums/diary/Windows+Zeroday+Actively+Exploited+Type+1+Font+Parsing+Remote+Code+Execution+Vulnerability/25936/


Working Exploit for the Kr00k WiFi Vulnerability

https://hexway.io/research/r00kie-kr00kie/


ZDI Pwn2Own Results

https://www.zerodayinitiative.com/blog/2020/3/17/welcome-to-pwn2own-2020-the-schedule-and-live-results


Firefox Turns TLS 1.0/1.1 Back on

https://www.mozilla.org/en-US/firefox/74.0/releasenotes/



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create