OnDemand SME Support = Get Your Questions Answered! Get an iPad mini, Surface Go 2, of $300 Off Now

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #30

April 14, 2020

DHS Telework Security Guidance; Oracle Patches 405 Bugs



    

****************************************************************************

SANS NewsBites                April 14, 2020               Vol. 22, Num. 030

****************************************************************************


TOP OF THE NEWS


  CISA Releases Temporary Telework Security Guidance

  Oracle's Quarterly Critical Patch Update - 405 Bugs




REST OF THE WEEK'S NEWS

 

  Criminal Ransomware Group Publishes Data Stolen from Industrial Contractor

  San Francisco Airport Website Compromised to Steal Device Credentials

  Card Skimmers Target WooCommerce WordPress Plugin

  Police in Netherlands Take Down DDoS-for-Hire Sites, Arrest Alleged Attacker

  VMware Releases Fix for Critical Vulnerability in vCenter Server

  Zoom to Allow Paying Users to Choose Meeting Traffic Routing

  Dell Releases BIOS Attack Detector Tool

  Google Temporarily Re-enabling FTP in Chrome

  DESMI Acknowledges Cyber Attack


INTERNET STORM CENTER TECH CORNER


*******************  Sponsored By AWS Marketplace  **************************


Deploying Least Privilege and Micro-Segmentation in the AWS Cloud. Learn how to reduce risk and strengthen attack resistance by allowing only the minimum authority to perform tasks. Also learn how to use micro-segmentation to restrict east-west movement and more methods for architecting a granular security environment. Webcast Tuesday, April 14, 2 PM ET. http://www.sans.org/info/216090


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


SANS Training is 100% Online, with two convenient ways to complete a course:


OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online


Keep your skills sharp with SANS Online Training:


.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications


Test drive a course: https://www.sans.org/course-preview

______________________


Upcoming Live Online Events:


Pen Test Austin 2020 | April 27-May 2

- https://www.sans.org/event/pen-test-austin-2020


Security West 2020 | May 11-16

- https://www.sans.org/event/security-west-2020


SANSFIRE 2020 | June 13-20

- https://www.sans.org/event/sansfire-2020


2-Day Firehose Training | June 29-30

- https://www.sans.org/event/2-day-firehose-training-jun29-2020


In Person Training:


SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020

______________________


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap


Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee.


 

*****************************************************************************

TOP OF THE NEWS   

 

--CISA Releases Temporary Telework Security Guidance

(April 8 & 10, 2020)

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has issued temporary telework guidance "to help agencies leverage existing resources to secure their networks" as the number of federal employees working from home has increased. The Trusted Internet Connections 3.0 Interim Telework Guidance has five security objectives: manage tragic, protect traffic confidentiality, protect traffic integrity, ensure service resilience, and ensure effective response.


[Editor Comments]


[Neely] While this guidance is set to expire at the end of 2020, and is U.S. Government focused, it provides an approach to accessing cloud and on-premise services with sufficient visibility to ensure security and compliance requirements are met, irrespective of your industry or having a formal TIC.


[Pescatore] The Trusted Internet Connect 3.0 update is still in draft but added a lot of much-needed flexibility to make it clear how agencies can do remote user access and use cloud services and still stay secure and stay compliant. Between the Managed Trusted Internet Protocol Services (MTIPS) offered by TIC ISPs on the government EIS and other contracts, and the numerous FedRAMP certified cloud-based Security as a Service offerings, government agencies have both guidance and options to make long lasting improvements in both security and productivity for remote work forces.


Read more in:

CISA: TRUSTED INTERNET CONNECTIONS 3.0 INTERIM TELEWORK GUIDANCE (PDF)

https://www.cisa.gov/sites/default/files/publications/CISA-TIC-TIC%203.0%20Interim%20Telework%20Guidance-2020.04.08.pdf

Fifth Domain: DHS releases new network security guidance for telework

https://www.fifthdomain.com/civilian/dhs/2020/04/08/dhs-releases-new-network-security-guidance-for-telework/

FCW: CISA looks to help secure federal telework

https://fcw.com/articles/2020/04/08/tic-telework-guide-johnson.aspx

FNN: Path for agencies to more easily use cloud services paved by TIC pilots

https://federalnewsnetwork.com/ask-the-cio/2020/04/path-for-agencies-to-more-easily-use-cloud-services-paved-by-tic-pilots/

Nextgov: CISA Offers Ways to Lessen Lag for Teleworkers Without Sacrificing Security

https://www.nextgov.com/cybersecurity/2020/04/cisa-offers-ways-lessen-lag-teleworkers-without-sacrificing-security/164470/



--Oracle's Quarterly Critical Patch Update - 405 Bugs

(April 13, 2020)

Oracle will release its quarterly Critical Patch Update on Tuesday, April 14. It addresses more than 400 vulnerabilities in a range of products. Of those, 286 are remotely exploitable.  


[Editor Comments]


[Neely] This update offers another chance to validate your ability to regression test and patch remotely, including teleworker systems. With the current enhanced remote-work state, regression testing is emphasized as in-person assistance for remediation is more complicated, if not impossible. Postponing updates is sub-optimal as we are seeing increases in malfeasance by those taking advantage of the current situation.


Read more in:

Threatpost: Oracle Tackles a Massive 405 Bugs for Its April Quarterly Patch Update

https://threatpost.com/oracle-tackles-405-bugs-for-april-quarterly-patch-update/154737/

Oracle: Oracle Critical Patch Update Pre-Release Announcement - April 2020

https://www.oracle.com/security-alerts/cpuapr2020.html


****************************  SPONSORED LINKS  ******************************


1) Download Splunk's IT Security Predictions 2020 to learn how to best protect your organization, and your data, against a fast-approaching future. http://www.sans.org/info/216095


2) Rocky Mountain Hackfest Summit & Training 2020 - SANS Live Online | June 1-8. http://www.sans.org/info/216100


3) Webcast April 22nd at 10:30AM ET: Securing the Shift to Cloud-based Business Operations. Register: http://www.sans.org/info/216105


*****************************************************************************

REST OF THE WEEK'S NEWS  

 

--Criminal Ransomware Group Publishes Data Stolen from Industrial Contractor

(April 10, 2020)

Cybercriminals have posted data stolen from Visser Precision, a company that manufactures parts for the aerospace, automotive, industrial, and manufacturing industries. Visser's systems were infected with ransomware earlier this year, but the company did not pay the ransom. The leaked data belong to a number of companies, including Tesla, Boeing, Lockheed Martin, and SpaceX.  


Read more in:

The Register: Ransomware scumbags leak Boeing, Lockheed Martin, SpaceX documents after contractor refuses to pay

https://www.theregister.co.uk/2020/04/10/lockheed_martin_spacex_ransomware_leak/

 
 

--San Francisco Airport Website Compromised to Steal Device Credentials

(April 10, 2020)

Two San Francisco International Airport websites were infected with data-stealing malware last month. The hackers may have obtained the login credentials for devices belonging to some people who used the sites while they were infected. Users potentially affected by the malware are those who accessed the sites from outside the airport network using Internet Explorer on a Windows device or on a device not maintained by the airport. The malicious code has been removed from the sites, and the airport forced a reset for email and network passwords on March 23.


[Editor Comments]


[Murray] Travelers should be aware that airports are targets of miscreants and vulnerabilities for the traveler. Airport (WiFi) networks, websites, and (USB 5v) power should be used with caution. Prefer cellular broadband and battery power.  


Read more in:

Document Cloud: Notice of Data Breach

https://www.documentcloud.org/documents/6834642-SFO-Notice-of-Data-Breach.html

SC Magazine: San Francisco airport websites hacked to swipe personal device credentials

https://www.scmagazine.com/home/security-news/cybercrime/san-francisco-airport-websites-compromised-to-swipe-credentials/

Threatpost: SFO Websites Hacked: Airport Discloses Data Breach

https://threatpost.com/sfo-websites-hacked-airport-discloses-data-breach/154709/

Bleeping Computer: San Francisco Intl Airport discloses data breach after hack

https://www.bleepingcomputer.com/news/security/san-francisco-intl-airport-discloses-data-breach-after-hack/

 
 

--Card Skimmers Target WooCommerce WordPress Plugin

(April 8 & 10, 2020)

Cybercriminals have been using JavaScript malware to skim payment card details from websites running a WordPress plugin called WooCommerce. In a separate story, the prevalence of online card skimming is rising, likely due to the increase in online shopping related to COVID-19. Data collected by Malwarebytes shows a 26 percent increase in inline card skimming between February and March of this year.


[Editor Comments]


[Neely] Judicious review of third-party applications, including plugins for your content management site, is prudent. Payment card processing plugins remain a popular target, particularly with the current world crisis. Beyond keeping plugins updated, make sure that your site and servers are also secured to prevent alternate avenues of attack. Remove unused administrative accounts, ensure strong authentication is used on active accounts, uninstall unused plugins.


[Murray] This is only one more of many vulnerabilities in WordPress plugins. Most WordPress plugins come without any measure or warranty of quality and should be used only with risk assessment, scrutiny, and maintenance.


[Paller]  Because of the problems Murray and Neely point out, along with the fact that most WordPress users have no IT or cybersecurity expertise, WordPress and its content management system competitors have been the primary vector by which important organizations (including large numbers of city and state agencies and major non-profits) have been compromised.


Read more in:

Threatpost: WooCommerce Falls to Fresh Card-Skimmer Malware

https://threatpost.com/woocommerce-card-skimmer-malware/154699/

SC Magazine: WordPress WooCommerce sites targeted by credit card skimmers

https://www.scmagazine.com/home/security-news/cybercrime/wordpress-woocommerce-sites-targeted-by-credit-card-skimmers/

SC Magazine: Coronavirus-driven online shopping driving more payment card skimming

https://www.scmagazine.com/home/security-news/news-archive/coronavirus/coronavirus-driven-online-shopping-driving-more-payment-card-skimming/

Malwarebytes: Online credit card skimming increased by 26 percent in March

https://blog.malwarebytes.com/cybercrime/2020/04/online-credit-card-skimming-increases-by-26-in-march/

 
 

--Police in Netherlands Take Down DDoS-for-Hire Sites, Arrest Alleged Attacker

(April 10, 2020)

Police in the Netherlands have arrested a man in connection with distributed denial-of-service (DDoS) attacks against government websites there last month. Police also took down 15 DDoS-for-hire (also known as stresser or booter) websites over the course of one week.  


[Editor Comments]


[Pescatore] Good to see take-downs of malicious web sites and "attacks as a service" sites now, when everyone is much more dependent on online services. Even better to see ISPs turn on "cleaner pipe" services for free during these times.


Read more in:

ZDNet: Dutch police take down 15 DDoS services in a week

https://www.zdnet.com/article/dutch-police-take-down-15-ddos-services-in-a-week/

Bleeping Computer: Dutch police arrests suspect behind DDoS attacks on government sites

https://www.bleepingcomputer.com/news/security/dutch-police-arrests-suspect-behind-ddos-attacks-on-government-sites/

Politie: Police arrests suspect for DDoS attack on Dutch government website

https://www.politie.nl/nieuws/2020/april/10/03-police-arrests-suspect-for-ddos-attack-on-dutch-government-website.html

 
 

--VMware Releases Fix for Critical Vulnerability in vCenter Server

(April 10 & 13, 2020)

VMware has released a fix for a critical vulnerability in its VMware vCenter Server. The flaw has been given a CVSS rating of 10.0. The flaw, which lies in VMware's Directory Service (vmdir), could be exploited to bypass authentication measures and gain access to sensitive information.  


[Editor Comments]


[Neely] Read the VMware security advisory for specifics on applicability of the vulnerability. The fix is to update affected 6.7 installations to 6.7u3f.


Read more in:

SC Magazine: VMware issues 10.0 CVSS rating on vCenter Server vulnerability

https://www.scmagazine.com/home/security-news/vulnerabilities/vmware-issues-10-0-cvss-rating-on-vcenter-server-vulnerability/

Threatpost: Critical VMware Bug Opens Up Corporate Treasure to Hackers

https://threatpost.com/critical-vmware-bug-corporate-treasure-hackers/154682/

Bleeping Computer: VMWare releases fix for critical vCenter Server vulnerability

https://www.bleepingcomputer.com/news/security/vmware-releases-fix-for-critical-vcenter-server-vulnerability/

VMware: VMware Security Advisories | VMSA-2020-0006

https://www.vmware.com/security/advisories/VMSA-2020-0006.html

US-CERT: VMware Releases Security Updates for VMware Directory Service

https://www.us-cert.gov/ncas/current-activity/2020/04/10/vmware-releases-security-updates-vmware-directory-service

 
 

--Zoom to Allow Paying Users to Choose Meeting Traffic Routing

(April 14, 2020)

Staring Saturday, April 18, users who pay for the Zoom videoconferencing platform will be able to choose which data center regions their meeting traffic travels through. Users will not be able to opt out of their default data center region, which is where their account is provisioned. Zoom's current data center regions are the United States, Canada, Europe, India, Australia, China, Latin America, and Japan/Hong Kong.


[Editor Comments]


[Pescatore] There was once a myth that "cloud makes location obsolete." It has never been true. For many reasons, location of data centers still matters. All the major enterprise-class Software as a Service and Infrastructure as a Service providers have offered data center location selection (not always for free). It is good to see Zoom listening to enterprise needs and following suit. Zoom also continues to release security improvements - important to keep up with them and ratchet up the safety of your use of Zoom.


[Neely] Zoom is not the only video teleconference (VTC) service which routes through distributed data centers. While the primary focus for VTCs should be secure meeting configuration, if you are covering information with location or export controls, the region needs to be appropriate to avoid penalties.


[Murray] The leakage of video conferencing traffic in the network is a potential risk, but for most applications and environments, this risk does not compare to the risk of improper settings and misuse.


Read more in:

Zoom: Coming April 18: Control Your Zoom Data Routing

https://blog.zoom.us/wordpress/2020/04/13/coming-april-18-control-your-zoom-data-routing/

ZDNet: Paying Zoom customers to choose which data centre regions route their traffic

https://www.zdnet.com/article/paying-zoom-customers-to-choose-which-data-centre-regions-route-their-traffic/

 
 

--Dell Releases BIOS Attack Detector Tool

(April 10 & 13, 2020)

Dell has debuted a tool that can detect attempts to modify a device's BIOS component. The SafeBIOS Events & Indicators of Attack tool will allow admins to isolate computers that may have been compromised.  


Read more in:

Dark Reading: Dell Releases Security Tool to Defend PCs from BIOS Attacks

https://www.darkreading.com/endpoint/dell-releases-security-tool-to-defend-pcs-from-bios-attacks/d/d-id/1337553

ZDNet: Dell releases new tool to detect BIOS attacks

https://www.zdnet.com/article/dell-releases-new-tool-to-detect-bios-attacks/

DellEMC: Dell Technologies Bolsters PC Security for Today's Remote Workers

https://blog.dellemc.com/en-us/dell-technologies-bolsters-pc-security-todays-remote-workers/

 
 

--Google Temporarily Re-enabling FTP in Chrome

(April 9 & 13, 2020)

Google has decided to re-enable support for FTP in Chrome on the stable channel so users will not run into difficulties accessing information during the COVID-19 crisis. Google disabled support for FTP in Chrome 81, which was released to the stable channel less than a week ago.


[Editor Comments]


[Murray] FTP has been broken and a vulnerability for a generation. It is an orphan. There is hardly anything legitimate that is not available via an alternate service. Its inclusion in already porous browsers is one more reason to prefer application-specific clients.


Read more in:

Chrome Status: Deprecate FTP support (deprecated)

https://www.chromestatus.com/feature/6246151319715840

Bleeping Computer: Google reenables FTP support in Chrome due to pandemic

https://www.bleepingcomputer.com/news/google/google-reenables-ftp-support-in-chrome-due-to-pandemic/

 
 

--DESMI Acknowledges Cyber Attack

(April 13, 2020)

A Danish company that manufactures pumps for a variety of industries was hit with a cyberattack last week. All IT systems at DESMI were shut down and are now in the process of being restored with the help of third party experts. DESMI has reported the incident to authorities and police.


Read more in:

DESMI: DESMI hit by Cyber attack

https://www.desmi.com/news-(3)/desmi-hit-by-cyber-attack.aspx

Security Affairs: Danish pump maker DESMI reveals cyber attack

https://securityaffairs.co/wordpress/101495/hacking/desmi-discloses-cyber-attack.html

 

******************************************************************************

INTERNET STORM CENTER TECH CORNER


Dynamic Analysis Technique to Get Decrypted KPOT Malware

https://isc.sans.edu/forums/diary/Reader+Analysis+Dynamic+analysis+technique+to+get+decrypted+KPOT+Malware/26010/


Comparing the Same Phishing Campaign 3 Months Apart

https://isc.sans.edu/forums/diary/Look+at+the+same+phishing+campaign+3+months+apart/26018/


VMWare vCenter Server Vulnerability

https://www.vmware.com/security/advisories/VMSA-2020-0006.html


Sodinokibi Ransomware Switching to Monero

https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/


Setting 3D Printers On Fire

https://www.coalfire.com/The-Coalfire-Blog/April-2020/With-IoT-Common-Devices-Pose-New-Threats


Junos OS: vMX Default Credentials

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10998


Malware Impersonates Security Researchers

https://www.bleepingcomputer.com/news/security/new-wiper-malware-impersonates-security-researchers-as-prank/


 

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create.