SANS Live Training is Available In-Person OR Live Online! Explore Upcoming Events.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #25

March 27, 2020

Help Us Classify COVID-19 Related Domains; DNS-Hijacking Attacks Against Routers; US Senator Urges Vendors to Make Sure Network Connectivity Products Are Secure



Help Us Classify COVID-19 Related Domains

 

These last couple of weeks, criminals have been using COVID-19 for everything from selling fake cures to phishing. Every day, several thousand domains are registered for COVID-19 related keywords. We are trying to identify the worst, and classify the domains into different risk categories. If you have some time this weekend, please help us out by checking out some of these domains. To participate, see https://isc.sans.edu/covidclassifier.html . The domain data is based on a feed provided by Domaintools and we will make the results of this effort public for download as soon as we have a "critical mass" of responses.


****************************************************************************

SANS NewsBites               March 27, 2020                Vol. 22, Num. 025

****************************************************************************


TOP OF THE NEWS


  Hackers Launching DNS-Hijacking Attacks Against Routers

  US Senator Urges Vendors to Make Sure Network Connectivity Products Are Secure




REST OF THE WEEK'S NEWS

 

  Apple Updates

  Adobe Creative Cloud Flaw Patch

  DEER.IO Platform Shut Down

  HPE Firmware Fix for Flaw That Could Brick Some Solid State Drives

  Google Resumes Chrome Releases

  Chinese Hackers Targeting Wide Range of Industries

  Google Threat Analysis Group

  Electronics Manufacturer Hit with Ransomware


INTERNET STORM CENTER TECH CORNER

 

*******************  Sponsored By Dragos, Inc.  ****************************


Dragos webinar: Ransomware in an Industrial World, led by ICS Instructor Jason Christopher, April 2nd. Ransomware has become a common method of profit for cybercriminals and a major cause of disruption with the power to attack all industries. Join the webinar for insights about recent attacks and learn how to manage cyber risk. Register: http://www.sans.org/info/215950


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


Keep your skills sharp, train online with SANS OnDemand:


* The world's top cybersecurity training

* Flexible self-paced format you can take anytime, anywhere

* A battle-tested training platform including 4 months of access

* Hands-on labs and GIAC-certified SME support


Start your OnDemand training now: 45 Courses | No Travel Required

- https://www.sans.org/ondemand/


SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap


Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee.



*****************************************************************************

TOP OF THE NEWS   

 

--Hackers Launching DNS-Hijacking Attacks Against Routers

(March 23, 25, & 26, 2020)

Hackers are launching DNS-hijacking attacks against D-Link and Linksys routers, redirecting users to malicious sites advertising phony Coronavirus apps. If users download the apps, their devices become infected with information-stealing malware. The hackers are using brute force attacks to obtain routers' admin passwords.


[Editor Comments]


[Neely] The best mitigation is to use a strong device password and disable remote management so the router cannot be accessed remotely. Consider setting up a separate DNS server on your network, pointing to your selected authoritative DNS servers. Configuring all endpoints to point to root DNS servers will likely exhaust the NAT tables in your routers. Lastly, most home routers can be configured to forward logs for analysis or alerting; that necessitates monitoring the average home user is not prepared for. Also enable automatic firmware updates.


[Murray] Many of these routers are in SOHO applications where they are installed but not "managed." As more of us work remotely, these devices become attractive targets. When installing them, it is important to change the default passwords. Since these devices do not implement strong authentication, this is an application where strong passwords are indicated.


Read more in:

Bitdefender: New Router DNS Hijacking Attacks Abuse Bitbucket to Host Infostealer

https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/

ZDNet: D-Link and Linksys routers hacked to point users to coronavirus-themed malware

https://www.zdnet.com/article/d-link-and-linksys-routers-hacked-to-point-users-to-coronavirus-themed-malware/

Ars Technica: New attack on home routers sends users to spoofed sites that push malware

https://arstechnica.com/information-technology/2020/03/new-attack-on-home-routers-sends-users-to-spoofed-sites-that-push-malware/

Threatpost: Hackers Hijack Routers to Spread Malware Via Coronavirus Apps

https://threatpost.com/hackers-hijack-routers-to-spread-malware-via-coronavirus-apps/154170/

Bleeping Computer: Hackers Hijack Routers' DNS to Spread Malicious COVID-19 Apps

https://www.bleepingcomputer.com/news/security/hackers-hijack-routers-dns-to-spread-malicious-covid-19-apps/

Cyberscoop: Hackers are messing with routers' DNS settings as telework surges around the world

https://www.cyberscoop.com/dns-hijacking-covid-19-oski-bitdefender-telework/

 
 

--US Senator Urges Vendors to Make Sure Network Connectivity Products Are Secure

(March 25, 2020)

US Senator Mark Warner (D-Virginia) wants tech vendors to bolster the security of their products. In letters to Google, Netgear, and others, Warner writes that he is seeking their "assistance to ensure that the wireless access points, routers, modems, mesh network systems, and related connectivity products that your firm manufactures remain secure as unprecedented numbers of Americans rely on remote access for work and education as part of COVID-19 social distancing efforts."


[Editor Comments]


[Pescatore] The cynical side of me says most vendors have word processing template automated responses to these letters "urging" them to do something, especially when related legislation never sees the light of day. The glass half full side of me says that most vendors want to sell quality products and have seen that out-of-the-box security is a key part of security. The realistic side says if we buy junk, someone will sell us junk - for business systems, make sure security requirements are in all procurement evaluation criteria. For consumer products used by work-at-home employees, give them guidance on how to change defaults and take advantage of the free SANS resources for secure telework. https://www.sans.org/security-awareness-training/sans-security-awareness-work-home-deployment-kit


[Neely] It is challenging to have users secure devices after the fact, so having devices that, out of the box, require the user set a strong password, include automatic updates and disabled remote administration out of the box, raises the bar. Make sure that home router security best practice advice is included in your home/remote worker guidance.


Read more in:

Warner: Letter about cybersecurity of network connectivity products (PDF)

https://www.warner.senate.gov/public/_cache/files/7/8/7839119c-5deb-4410-8b77-bf84803d2b20/D78F89C00B8BD2127D5F2B8E786571B9.letter-covid19-internet-google.pdf

Fifth Domain: One senator wants vendors to ensure their internet connectivity devices are secure

https://www.fifthdomain.com/congress/capitol-hill/2020/03/25/one-senator-wants-vendors-to-ensure-their-internet-connectivity-devices-are-secure/

The Hill: Senator sounds alarm on cyber threats to internet connectivity during coronavirus crisis

https://thehill.com/policy/cybersecurity/489480-senator-sounds-alarm-on-cyber-threats-to-internet-connectivity-during

MeriTalk: Sen. Warner Urges Stronger Networking Device Security

https://www.meritalk.com/articles/sen-warner-urges-stronger-networking-device-security/


********************************  SPONSORED LINKS  *********************************


1) Did you miss this webcast? 7 Techniques for Ramping Your DevSecOps Program Quickly. View here: http://www.sans.org/info/215955


2) Free CTF Events: Brand new NetWars challenges are available for free for the entire community. http://www.sans.org/info/215960


3) Webcast: Examine the next generation of explainable threat intelligence and take a fresh look at machine learning classification. Register: http://www.sans.org/info/215965


*************************************************************************************

REST OF THE WEEK'S NEWS

 

--Apple Updates

(March 25 & 26, 2020)

Apple has released updates for iOS, macOS, Safari, watchOS, tvOS, and other products. iOS 13.4 includes fixes for 30 security issues, and the macOS update includes fixes for 26 issues.  


[Editor Comments]


[Neely] Make sure the automatic update option is configured on your Apple devices both for the OS and applications. Then, also periodically check for alerts, asking your permission to install updates. iPadOS 13.4 adds support for Apple's Magic Mouse and Trackpad. iOS and iPadOS 13.4 Mail now always show the move/delete/reply/compose buttons.


[Murray] While the default setting for iOS devices is Automatic Updates "Off," the conservative setting is "On." (Go to Settings, General, Software Update, Automatic Updates, On.)


Read more in:

The Register: Stuck inside with nothing to do? Apple fires out security fixes for iOS, macOS, wrist-puters... and something weird called iTunes for Windows

https://www.theregister.co.uk/2020/03/25/apple_patch_update/

SC Magazine: Apple releases more than 30 security patches

https://www.scmagazine.com/home/security-news/vulnerabilities/apple-releases-more-than-30-security-patches/

 
 

--Adobe Creative Cloud Flaw Patch

(March 24, 2020)

Adobe has released a patch for a critical flaw in its Creative Cloud Desktop Application for Windows PCs. The vulnerability, a time-of-check-to-time-of-use race condition, could be exploited to delete files from computers. Users should update to Creative Cloud for Windows version 5.1 or later.


[Editor Comments]


[Murray] That the vulnerability is a TOCTU may be interesting to some, and a caution to developers (to bind conditions that they rely on), it is not relevant to the simple fix for this specific incidence. Update.  


Read more in:

ZDNet: Adobe to Windows 10 users: Use this fix for critical file-deletion bug in Creative Cloud app

https://www.zdnet.com/article/adobe-to-windows-10-users-use-this-fix-for-critical-file-deletion-bug-in-creative-cloud-app/

The Register: Adobe debuts disk-cleaning tool cleverly disguised as an arbitrary file deletion bug in Creative Cloud on Windows

https://www.theregister.co.uk/2020/03/24/adobe_cc_deletion_bug/

Adobe: Security update available for Creative Cloud Desktop Application | APSB20-11

https://helpx.adobe.com/security/products/creative-cloud/apsb20-11.html

 
 

--DEER.IO Platform Shut Down

(March 26, 2020)

The FBI has seized the DEER.IO website and shut down the hacker platform. Earlier this month, DEER.IO's alleged administrator, Kirill Victorovich Firsov, was arrested and charged with unauthorized solicitation of access devices.


Read more in:

Justice: FBI Takes Down a Russian-Based Hacker Platform; Arrests Suspected Russian Site Administrator

https://www.justice.gov/usao-sdca/pr/fbi-takes-down-russian-based-hacker-platform-arrests-suspected-russian-site

SC Magazine: DEER.IO caught in FBI's headlights; cybercrime platform gets shut down

https://www.scmagazine.com/home/security-news/legal-security-news/deer-io-caught-in-fbis-headlights-cybercrime-platform-gets-shut-down/

 
 

--HPE Firmware Fix for Flaw That Could Brick Some Solid State Drives

(March 20 & 24, 2020)

Hewlett Packard Enterprise has released firmware updates for some of its Serial-Attached SCSI solid state drives. The update addresses a flaw that causes the drives to fail after 40,000 hours (roughly four-and-a-half years) of operation. HPE addressed a similar issue in November 2019.


[Editor Comments]


[Neely] The update in November addressed drives failing after 32,768 hours (3.78 years). HPE has also released detection scripts to determine if you have affected drives. The update can be performed online, without a reboot, but is suggested during low I/O intervals. Check the HPE alert for caveats.


Read more in:

HPE: Bulletin: HPE SAS Solid State Drives - Critical Firmware Upgrade Required for Certain HPE SAS Solid State Drive Models to Prevent Drive Failure at 40,000 Hours of Operation

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00097382en_us

ZDNet: HPE says firmware bug will brick some SSDs starting in October this year

https://www.zdnet.com/article/hpe-says-firmware-bug-will-brick-some-ssds-starting-october-this-year/

Bleeping Computer: HPE Warns of New Bug That Kills SSD Drives After 40,000 Hours

https://www.bleepingcomputer.com/news/hardware/hpe-warns-of-new-bug-that-kills-ssd-drives-after-40-000-hours/

 
 

--Google Resumes Chrome Releases

(March 26, 2020)

Google is resuming Chrome and Chrome OS releases "with an adjusted schedule." (Last week, Google announced it was pausing releases for the browser and operating system due to altered work schedules.) Chrome 81, which had been scheduled for release on March 1, will now be released on April 7. Google has cancelled Chrome 82; Chrome 83 is scheduled to be released to the stable channel on May 19.  


Read more in:

Google: Chrome and Chrome OS release updates

https://chromereleases.googleblog.com/2020/03/chrome-and-chrome-os-release-updates.html

Chromium Dash: Schedule

https://chromiumdash.appspot.com/schedule

ZDNet: Google to resume Chrome updates it paused last week due to COVID-19

https://www.zdnet.com/article/google-to-resume-chrome-updates-it-paused-last-week-due-to-covid-19/

Bleeping Computer: Google Resumes Chrome Releases on an Adjusted Schedule

https://www.bleepingcomputer.com/news/google/google-resumes-chrome-releases-on-an-adjusted-schedule/

 
 

--Chinese Hackers Targeting Wide Range of Industries

(March 25, 2020)

Researchers from FireEye say that APT41, a hacking group with ties to China's government, has been launching cyberattacks against a range of industries, including health care organizations, the military, and oil and gas companies. Between January 20 and March 11 of this year, APT41 launched cyberattacks against more than 75 organizations around the world, exploiting flaws in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine Desktop Central.


[Editor Comments]


[Pescatore] This is a good news item to show management to emphasize the need both for making sure remote work is being done securely, and that IT operations keeps up with critical patches during these turbulent times.


Read more in:

FireEye: This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits

https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html

Threatpost: Chinese Hackers Exploit Cisco, Citrix Flaws in Massive Espionage Campaign

https://threatpost.com/chinese-hackers-exploit-cisco-citrix-espionage/154133/

Bleeping Computer: Chinese Hackers Use Cisco, Citrix, Zoho Exploits In Targeted Attacks

https://www.bleepingcomputer.com/news/security/chinese-hackers-use-cisco-citrix-zoho-exploits-in-targeted-attacks/

The Hill: Experts report recent increase in Chinese group's cyberattacks

https://thehill.com/policy/cybersecurity/489531-experts-discover-recent-increase-in-chinese-cyberattacks

Nextgov: Chinese Hackers Attacked Foreign Health Care, Military, Oil Networks as Coronavirus Hit China

https://www.nextgov.com/cybersecurity/2020/03/chinese-hackers-attacked-foreign-health-care-military-oil-networks-coronavirus-hit-china/164095/

 
 

--Google Threat Analysis Group

(March 26, 2020)

In 2019, Google's Threat Analysis Group warned nearly 40,000 users that their accounts were being targeted by state-backed hackers. The attackers focus mostly on accounts belonging to "geopolitical rivals, government officials, journalists, dissidents and activists."


[Editor Comments]


[Neely] This is part of Google's free advanced protection program, which requires two security keys, or an iPhone or Android, and forces two-factor authentication. Make sure that users recognize alerts from Google as legitimate.


Read more in:

Google Blog: Identifying vulnerabilities and protecting you from phishing

https://blog.google/technology/safety-security/threat-analysis-group/identifying-vulnerabilities-and-protecting-you-phishing/

Wired: An Elite Spy Group Used 5 Zero-Days to Hack North Koreans

https://www.wired.com/story/north-korea-hacking-zero-days-google/

Cyberscoop: Google catches North Korean, Iranian hackers impersonating journalists in phishing efforts

https://www.cyberscoop.com/google-phishing-warning-hacking-campaign-iran-north-korea/

Ars Technica: Google sent users 40,000 warnings of nation-state hack attacks in 2019

https://arstechnica.com/information-technology/2020/03/google-sent-users-40000-warnings-of-nation-state-hack-attacks-in-2019/

 
 

--Electronics Manufacturer Hit with Ransomware

(March 26, 2020)

Systems at a Connecticut-based electronics manufacturer were hit with ransomware earlier this month. Kimchuk, which makes products for medical equipment, telecommunications companies, the energy grid, and the military, did not pay the ransom. The attackers have published information stolen from the company. The practice of releasing stolen information is growing; the groups responsible for several different families of ransomware have created websites expressly for the purpose of posting stolen data.  


[Editor Comments]


[Murray] Both resistance to breaches and resilience are necessary but the former addresses more risks. In security, measures that operate early usually trumps late.  


Read more in:

TechCrunch: Medical and military contractor Kimchuk hit by data-stealing ransomware

https://techcrunch.com/2020/03/26/kimchuk-medical-military-ransomware/

Bleeping Computer: Three More Ransomware Families Create Sites to Leak Stolen Data

https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Updated Microsoft Advisory 200006

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/adv200006


Very Large Sample as an Obfuscation Technique

https://isc.sans.edu/forums/diary/Very+Large+Sample+as+Evasion+Technique/25948/


Dridex Update

https://isc.sans.edu/forums/diary/Recent+Dridex+activity/25944/


COVID-19 Ransom

https://twitter.com/johullrich/status/1242983197555789824


Free COVID-19 Domain List

https://www.domaintools.com/resources/blog/free-covid-19-threat-list-domain-risk-assessments-for-coronavirus-threats


Memcached Denial of Service Vulnerability

https://github.com/memcached/memcached/issues/629


Adobe Creative Cloud Desktop Application Patches

https://helpx.adobe.com/security/products/creative-cloud/apsb20-11.html


Apple Security Patches

https://support.apple.com/en-us/HT201222


Microsoft Pausing Cumulative Updates Starting May

https://docs.microsoft.com/en-us/windows/release-information/windows-message-center#405


OpenWRT Vulnerability Fixed

https://thehackernews.com/2020/03/openwrt-rce-vulnerability.html


HP Enterprise SSD Firmware Bug

https://support.hpe.com/hpesc/public/docDisplay?docLocale=en_US&docId=a00097382en_us


Fake Google Chrome Update

https://news.drweb.com/show/?i=13746&lng=en


TrickBot Pushing a 2FA Bypass App in Germany

https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/


iOS VPN Bypass

https://protonvpn.com/blog/apple-ios-vulnerability-disclosure/


Linux Rubber Ducky Protection

https://opensource.googleblog.com/2020/03/usb-keystroke-injection-protection.html


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create