
Volume XXII - Issue #34

April 28, 2020

Vulnerability in Teams (Zoom Competitor); Sophos XG Firewall Vulnerability; Water Treatment Plant Cyberattacks

Even more SANS students are sharing their enthusiasm (and sometimes their surprise) at how well they are learning and how much they are enjoying the online learning experience at SANS. That's because we started 18 years ago and have been teaching 10,000 people online each year, continually improving our technology and technique.

From SEC504 "The Live Online training platform is a stable and great environment for people who don't have time to travel and attend events. I will recommend this platform to my management." - Muhiballah Mohammed, Cisco.

"SANS courses are a perfect blend between teaching processes/best practices and useful tools," and "All labs provide a great hands-on experience to test newly learned material." - John R., US Government


SANS NewsBites               April 28, 2020                Vol. 22, Num. 034



  Microsoft Fixes Vulnerability in Teams (A Zoom Competitor)

  Sophos Fixes XG Firewall Vulnerability

  Israeli Government Warns Water Treatment Plants of Cyberattacks



  Expired Certificate Causes Problems for Rabobank Android App Users in Australia

  Hupigon RAT Spear Phishing Campaign

  Shade Ransomware Operators Stop Development, Release Decryption Keys

  Hackers Stole Data From Chinese Firm Conducting COVID-19 Research

  Ransomware Hits Hospital in Colorado

  In Wake of Ransomware Attack, Hackers Post Information Stolen From Pharmaceutical Outsourcing Company

  Ransomware Targets Architecture Firm

  No Fix Available for WordPress OneTone Theme Vulnerability


*********************  Sponsored By  Netskope  *****************************

Join Netskope's Cloud Security Workshop. Are you really ready to provide safe access to cloud services and keep pace with new threats? Register for Netskope's complimentary cloud security workshop! Take control over your web services. Get 5 CPE credits and hands-on experience with Next Gen Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) solutions built for the cloud. https://www.sans.org/info/216215



SANS Training is 100% Online, with two convenient ways to complete a course:

OnDemand | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online

Keep your skills sharp with SANS Online Training:

- The world's top cybersecurity courses

- Taught by real world practitioners

- Ideal preparation for more than 30 GIAC Certifications

Test drive a course: https://www.sans.org/course-preview


Upcoming Live Online Events:


Instructor-Led Training | May 4-9

- https://www.sans.org/event/live-online-may4-2020

Security West 2020 | May 11-16

- https://www.sans.org/event/security-west-2020

2-Day Firehose Training | May 26-29

- https://www.sans.org/event/2-day-firehose-training-may27-2020

Cloud Security Summit & Training 2020 | May 26-June 5

- https://www.sans.org/event/cloud-security-summit-2020

Rocky Mountain Hackfest Summit & Training 2020 | June 4-13

- https://www.sans.org/event/rockymountainhackfest-summit-2020

SANSFIRE 2020 | June 13-20

- https://www.sans.org/event/sansfire-2020

2-Day Firehose Training | June 29-30

- https://www.sans.org/event/2-day-firehose-training-jun29-2020

In Person Training:

SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap

Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee





--Microsoft Fixes Vulnerability in Teams (a Zoom competitor)

(April 27, 2020)

Microsoft has fixed a subdomain takeover flaw in its Teams communication and collaboration platform that could have been exploited to take control of vulnerable accounts. A proof-of-concept exploit demonstrated that would-be attackers could take over accounts by tricking users into viewing a maliciously crafted GIF.

[Editor Comments]

[Neely] Teams is positioned to subsume Skype for Business as well as provide collaboration services. While collaboration is restricted to your Microsoft 365 tenant, meetings can include external guest participants, which necessitated providing support for sharing images in the chat channel. The token needed for the attack to work is good for only an hour, but is renewed each time the GIF is viewed. Exploiting this weakness is difficult, due to the requirement for identifying a vulnerable Microsoft Teams subdomain. Microsoft claims to have secured those domains and added anti-exploitation measures.

Read more in:

CyberArk: Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams


Infosecurity Magazine: Microsoft Teams Funny GIFs Vulnerability Mended


Silicon Angle: Microsoft fixes wormlike account hijacking exploit in Teams


Threatpost: Single Malicious GIF Opened Microsoft Teams to Nasty Attack


Bleeping Computer: Microsoft Teams patched against image-based account takeover


The Register: We could have pwned Microsoft Teams with a GIF, claims Israeli infosec outfit


Cyberscoop: Researchers used a GIF to prove they could access Microsoft Teams user data


Security Week: Microsoft Teams Vulnerability Exposed Organizations to Attacks



--Sophos Fixes XG Firewall Vulnerability

(April 26 & 27, 2020)

Sophos has released a patch to fix an SQL injection vulnerability in its XG Firewall that was being actively exploited. Hackers were using the flaw to install a malicious payload, which then exfiltrated sensitive data. Sophos pushed out the hotfix to all supported versions of the XG Firewall that have automatic hotfix installation enabled.

[Editor Comments]

[Murray] OWASP has documented how difficult it is to do complete input checking at the application layer because the developer usually cannot know the environment in which the application will run. Therefore, every layer in the stack must parse its own input. That said, SQL injection attacks exploit the failure of the application layer to check for SQL commands in the input.

Read more in:

Sophos: Fixing SQL injection vulnerability and malicious code execution in XG Firewall/SFOS


Portswigger: Sophos XG Firewall zero-day vulnerability gets patched


Threatpost: Hackers Mount Zero-Day Attacks on Sophos Firewalls


Ars Technica: Attackers exploit 0-day code-execution flaw in the Sophos firewall


ZDNet: Hackers are exploiting a Sophos firewall zero-day


Bleeping Computer: Hackers exploit zero-day in Sophos XG Firewall, fix released



--Israeli Government Warns Water Treatment Plants of Cyberattacks

(April 27, 2020)

Hackers have reportedly launched attacks against wastewater treatment facilities, pumping stations, and sewers in Israel. An alert from the Israeli National Cyber-Directorate (INCD) urges employees at water and energy facilities in that country to change the passwords on all Internet-connected systems. The Israeli government's Water Authority and the country's Computer Emergency Response Team have also released alerts.

Read more in:

ZDNet: Israel government tells water treatment companies to change passwords


SC Magazine: Israeli cyber defenders warn of attacks on water supply


*****************************  SPONSORED LINKS  ******************************

1) Rocky Mountain Hackfest Summit & Training 2020 - SANS Live Online | June 4-13. https://www.sans.org/info/216220

2) Webcast April 30th at 10:30AM ET: Using Visibility and Analytics to Secure and Optimize Today's Networks. https://www.sans.org/info/216225

3) Don't miss this upcoming webcast: The New Normal: How Employees Stay Secure and Productive While Working-from-Home. https://www.sans.org/info/216230



--Expired Certificate Causes Problems for Rabobank Android App Users in Australia

(April 27, 2020)

An expired security certificate prevented Australian Rabobank customers from accessing their bank accounts on Android mobile devices. The security certificate issue has been addressed and an updated version of the app has been released.

[Editor Comments]

[Pescatore] SSL certificate management is easy if you use only one Certificate Authority, because most CAs provide tools to track the certificates you bought from them. However, it is very rare for larger organizations to have only one source of SSL certificates in use. So, discovery and expiry tracking are too often done, if done at all, in manually updated spreadsheets or via the "Oops" method as happened to Rabobank. Commercial certificate management products are available from vendors like Entrust DataCard, ManageEngine, SolarWinds, Venafi and others with free trial offers.

[Neely] If you're embedding certificates in applications at the endpoint, such as a mobile device, particularly for customer-managed devices, the method for updating that certificate must be documented and verified. To offset the impacts of reduced staffing, the Rabobank team has set up an email list (clienservicesAU@rabobank.com) for users to request help.

Read more in:

The Register: Rabobank security cert expires and gives its Australian Android app a case of internet-blindness



--Hupigon RAT Spear Phishing Campaign

(April 24 & 27, 2020)

A phishing campaign aiming to spread the Hupigon remote access Trojan (RAT) has been targeting users in multiple sectors, including faculty and students at US colleges and universities. In the past the Hupigon RAT has been linked to hackers working on behalf of China's government.

Read more in:

Threatpost: U.S. Universities Hit With 'Adult Dating' Spear-Phishing Attack


Bleeping Computer: US universities targeted with malware used by state-backed actors



--Shade Ransomware Operators Stop Development, Release Decryption Keys

(April 27, 2020)

The operators responsible for ransomware known as Shade say they have stopped developing and distributing the malware. They have created a GitHub repository that includes decryption keys. Shade, also known as Troldesh, has been associated with Russian hackers.

[Editor Comments]

[Neely] The Shade ransomware was often sold to others for use, but active use of that strain seems to have ended at the close of 2019. The decryption keys have been verified and may be incorporated into third-party decryption tools. The group also published instructions for decryption of files on systems still impacted by Shade.

Read more in:

Bleeping Computer: Shade Ransomware shuts down, releases 750K decryption keys


ZDNet: Shade (Troldesh) ransomware shuts down and releases decryption keys


DUO: Shade Ransomware Decryption Keys Published



--Hackers Stole Data From Chinese Firm Conducting COVID-19 Research

(April 27, 2020)

Hackers have stolen data from Huiying Medical, a Chinese company that is developing COVID-19 screening technology that uses artificial intelligence. Some of the stolen information has been offered for sale on the dark web. The compromised data include technology source code and reports.

Read more in:

Forbes: Chinese 'Frontline' COVID-19 Research Firm Reported Hacked: Data Now On Dark Web


TechNadu: Chinese Firm Researching Coronavirus Detection Got Hacked and the Data Is on the Dark Web


Medium: Huiying Medical Breached; Source Code for AI-assisted COVID-19 Detection, and Experimental Data of COVID-19 on Sale



--Ransomware Hits Hospital in Colorado

(April 27, 2020)

Parkview Medical Center in Pueblo, Colorado, was the victim of a ransomware attack last week. On Monday, April 27, the hospital's website said the facility was "currently experiencing a network outage."

Read more in:

SC Magazine: Cyberattack strikes down Colorado's Parkview Medical Center


Gov Infosecurity: Colorado Hospital Latest Cyberattack Victim Amid COVID-19



--In Wake of Ransomware Attack, Hackers Post Information Stolen From Pharmaceutical Outsourcing Company

(April 27, 2020)

Hackers have published data taken from systems at Pennsylvania-based ExecuPharm. The company suffered a ransomware attack in mid-March.

[Editor Comments]

[Neely] Add the CLOP ransomware group to the list of entities that will publish your data if they are not paid. There is no known decryption tool for the CLOP ransomware. ExecuPharm rebuilt their systems and implemented measures, including password resets, multi-factor authentication and updated endpoint protection to prevent recurrence, avoiding paying the ransom. Read the letter to the Vermont Attorney General for a description of the data exfiltrated.

Read more in:

Tech Crunch: Hackers publish ExecuPharm internal data after ransomware attack


Silicon Angle: Data stolen from outsourcing group ExecuPharm published after ransomware attack


AGO.vermont: ExecuPharm Inc Notice of Data Breach to Consumers



--Ransomware Targets Architecture Firm

(April 27, 2020)

Systems at Zaha Hadid Architects (ZHA), a London-based firm, were the target of a ransomware attack last week. ZHA has brought in a cyber forensics team to investigate the incident. ZHA appears not to have paid the demanded ransom.

Read more in:

Archinect: Zaha Hadid Architects hit with ransomware attack



--No Fix Available for WordPress OneTone Theme Vulnerability

(April 28, 2020)

Hackers are exploiting an unpatched cross-site scripting issue in the OneTone WordPress theme to create backdoor admin accounts. The vulnerability was detected in September 2019; the developer did not release a fix. WordPress delisted the free version of the OneTone theme in October 2019.

[Editor Comments]

[Neely] The OneTone theme plugin has not been updated since 2018. While replacing the theme of a web site can be painful, being compromised is even more painful. Plugins need to be on your software support watch list, and just like other layered products, replaced or removed when they reach end-of-life.

Read more in:

ZDNet: Hackers are creating backdoor accounts and cookie files on WordPress sites running OneTone






Malware Bazaar


Powershell Payload Stored in a PSCredential Object


CIRA Launches Canadian Shield


Microsoft Teams Account Takeover Bug


COVID-19 Tracing Protocols


Sophos XG Firewall SQL Injection Vulnerability Exploited


USB Drives Used to Spread Crypto Coin Mining Botnet




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create