

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #40

May 19, 2020

Ransomware Succeeding; AirGaps Failing





  Texas Department of Transportation Hit With Ransomware

  Four Arrests in Ransomware Plot Against Romanian Hospitals

  Hackers are Using Malware Designed to Target Airgapped Networks



  The FBI Cracked iPhone Encryption Without Apple's Help

  BlueScope Steel Cyber Incident

  European Supercomputers are Shut Down After Cryptomining Malware Infections

  Chrome is Testing a Feature That Will Stop Ads From Consuming Too Many Resources

  WP Product Review Lite Plugin Vulnerability

  US Department of Commerce Rule Places More Restrictions on Huawei

  Bill Would Have US Dept. of Commerce Establish Cybersecurity Grand Challenges


**********************  Sponsored By Splunk  ********************************

Forrester Study: The Total Economic Impact(TM) of Splunk for Security Operations. Evaluating Splunk for your ML-driven security operations? Through interviews, data collection and financial analysis, Forrester's study found that Splunk reduced resources dedicated to security audits and other compliance reporting by 50%, in addition to decreasing the cost of a breach by 37%. Read on to discover the potential ROI that your organization can realize. http://www.sans.org/info/216415



SANS Training is 100% Online, with two convenient ways to complete a course:

OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online

Keep your skills sharp with SANS Online Training:

- The world's top cybersecurity courses

- Taught by real world practitioners

- Ideal preparation for more than 30 GIAC Certifications

Test drive a course: https://www.sans.org/course-preview

Choose a great promo offer* through May 27 with OnDemand or Live Online training:

*    Get a 10.2" iPad (32G) with Smart Keyboard

*    Train-From-Home Tech Package: Apple TV 4K (64G) with AirPods Pro

*    Take $300 Off

*Restrictions apply, see Terms & Conditions online



Hot OnDemand Courses:

SEC401: Security Essentials Bootcamp Style | https://www.sans.org/ondemand/course/security-essentials-bootcamp-style

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling | https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling

SEC560: Network Penetration Testing and Ethical Hacking | https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking

FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics | https://www.sans.org/ondemand/course/advanced-incident-response-threat-hunting-training


Upcoming Live Online Events:


2-Day Firehose Training | May 26-29

- https://www.sans.org/event/2-day-firehose-training-may27-2020

Cloud Security Summit & Training 2020 | May 26-June 5

- https://www.sans.org/event/cloud-security-summit-2020

Pen Test Hackfest & Cyber Ranges Summit 2020 (Free Summit) | June 4-13

- https://www.sans.org/event/rockymountainhackfest-summit-2020

SANSFIRE 2020 | June 13-20

- https://www.sans.org/event/sansfire-2020

2-Day Firehose Training | June 29-30

- https://www.sans.org/event/2-day-firehose-training-jun29-2020

SANS Summer Surge: Wave 1 | July 6-11

- https://www.sans.org/event/sans-surge-summer-series-wave-1

In Person Training:

SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap

Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee




--Texas Department of Transportation Hit With Ransomware

(May 18, 2020)

Computer systems at the Texas Department of Transportation (TxDOT) were hit with ransomware. The agency detected unauthorized network access on Thursday, May 14, and determined that it was experiencing a ransomware incident. TxDOT is the second Texas state agency to suffer a ransomware attack this month; on May 8, computers at the Texas Court System were infected with ransomware.

[Editor Comments]

[Pescatore] Back in August 2019 more than 20 Texas state and local agencies were hit with ransomware. At the time, Texas Governor Abbott was quoted as "stressing the importance of public and private sectors alike practicing 'good cyber hygiene.'" Obviously, there are continued failings in basic security hygiene that require investigation and rapid application of lessons that should have been learned from last year's incidents.

Read more in:

Bleeping Computer: Ransomware attack impacts Texas Department of Transportation


GovTech: Cyberattack Disrupts Texas Department of Transportation



--Four Arrests in Ransomware Plot Against Romanian Hospitals

(May 15 & 18, 2020)

Four people have been arrested in connection with a plan to target public health organizations in Romania with ransomware. The suspects allegedly planned to send spoofed email messages, purporting to come from government officials and to contain COVID-19 information, that would instead lead to ransomware infections. Three of the suspects were arrested in Romania; the fourth was arrested in Moldova.

Read more in:

Threatpost: Ransomware Gang Arrested for Spreading Locky to Hospitals


ZDNet: Hackers preparing to launch ransomware attacks against hospitals arrested in Romania


Bleeping Computer: Wannabe ransomware operators arrested before hospital attacks


Cyberscoop: Romanian police bust hackers allegedly plotting ransomware attacks on hospitals


Infosecurity Magazine: Police Catch Suspects Planning #COVID19 Hospital Ransomware



--Hackers are Using Malware Designed to Target Airgapped Networks

(May 12 & 15, 2020)

Hackers have targeted airgapped networks belonging to the Taiwanese and Philippine militaries. The hackers, who are believed to be working on behalf of China's government, used malware called USBferry, "a USB malware that performs different commands on specific targets, maintains stealth in environments, and steals critical data through USB storage." According to Trend Micro, the hacking group has been using the malware since 2014.

[Editor Comments]

[Ullrich] As Ed Skoudis says: Airgaps are just high latency network links. This malware takes advantage of USB drives to bridge airgaps. Also note that some of the more obscure methods to bridge airgaps that make the news from time to time are more of a curiosity and probably work better to generate headlines and clickbait vs. actual exploits.

[Neely] This malware uses USB removable media to spread and collect data. Judicious use of a USB kiosk or other scanner or one-way link to sanitize media or data transferred between environments can stop or mitigate risks to the air-gapped systems.

Read more in:

Trend Micro: Tropic Trooper's Back: USBferry Attack Targets Air-gapped Environments


ZDNet: Hackers target the air-gapped networks of the Taiwanese and Philippine military


*****************************  SPONSORED LINKS  ******************************

1) Pen Test HackFest & Cyber Ranges Summit | June 4-13. http://www.sans.org/info/216420

2) Survey | Firewalls in the Modern Enterprise. Take the survey. http://www.sans.org/info/216425

3) Webcast May 21st | SOAR is Not a Product: Steps to Achieve Meaningful and Measurable Cyber Defense with a Proper SOAR Strategy. Register: http://www.sans.org/info/216430





--The FBI Cracked iPhone Encryption Without Apple's Help

(May 18, 2020)

The FBI has unlocked two iPhones that belonged to a man who shot 11 people at a Florida Naval Air Station in December 2019. The FBI initially asked for Apple's help unlocking the devices. FBI Director Christopher Wray criticized Apple for not helping, saying that their refusal delayed the investigation. Apple says it responded immediately, providing DOJ with gigabytes of data from cloud backups.

[Editor Comments]

[Neely] Although the devices in question, an iPhone 5 and iPhone 7, had security weaknesses which could have been used to access the device, the trick is maintaining forensic integrity of the device while obtaining access as well as not triggering a device wipe. While the FBI continues to seek a general use way to access recovered devices, they were able to develop a technique to access these devices which they claim was specific to this situation.

Read more in:

Wired: The FBI Backs Down Against Apple--Again


ZDNet: FBI criticizes Apple for not helping crack Pensacola shooter's iPhones


Cyberscoop: US officials say they've cracked Pensacola shooter's iPhones, blast Apple



--BlueScope Steel Cyber Incident

(May 14, 15, & 18, 2020)

Australia's BlueScope Steel Ltd has disclosed that a cyber incident disrupted some of its manufacturing and sales operations in Australia. The incident also caused minor disruptions in Asia, New Zealand, and the US. In a message to investors, BlueScope said it had reverted to manual operations in some impacted areas. A BlueScope official said the company is working with external providers to restore its systems.

Read more in:

Secure.weblink: BlueScope Response to Cyber Incident


SMH: BlueScope Steel says cyber 'incident' causing disruptions


ZDNet: BlueScope reports cyber incident affecting Australian operations


Reuters: Australia's BlueScope Steel says cyber 'incident' causing disruptions



--European Supercomputers are Shut Down After Cryptomining Malware Infections

(May 11, 16, 17, & 18, 2020)

Supercomputers throughout Europe have been shut down to allow investigations after hackers targeted them to hijack their CPU power to mine cryptocurrency. The attackers are moving from one system to another using compromised SSH credentials. The incident has affected supercomputers in the UK, Germany, Switzerland, and Spain.

[Editor Comments]

[Neely] Primary access is via compromised SSH credentials, but there is also some evidence of compromised SSH binaries. Multi-factor authentication is a key tool to protect access to valuable resources. HPC relies on exhaustive configuration management to guarantee smooth operation, which should also include identifying and replacing unauthorized binaries or configuration files.

Read more in:

DUO: Supercomputer Sites Still Struggling After Attacks


BBC: Europe's supercomputers hijacked by attackers for crypto mining


Bleeping Computer: European supercomputers hacked in mysterious cyberattacks


ZDNet: Supercomputers hacked across Europe to mine cryptocurrency


Infosecurity Magazine: Crypto-Miners Take Out Supercomputers Working on #COVID19
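The access pattern in this item (stolen SSH credentials, plus reports of modified SSH binaries) is the kind of thing a small integrity-and-policy check catches early. The following Python script is an added example, not code from SANS, Lee Neely or any of the affected HPC centres; the file paths, the expected-value policy and the constructed sshd_config are assumptions for illustration. It baselines SSH binaries by SHA-256, re-verifies them, and parses the global section of an sshd_config the way sshd does (keywords case-insensitive, first value wins, a Match block ends the global section) to flag password or root logins left enabled:

```python
"""SSH binary integrity and sshd_config policy check (added example).

Not from the SANS item or any affected site. Paths, the policy table and
the sample config below are constructed for illustration.
"""
import hashlib
import tempfile
from pathlib import Path

# Illustrative hardening policy for a shared login node (assumption, not
# a published standard): no password logins, no root logins, keys enabled.
EXPECTED_SSHD = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "pubkeyauthentication": "yes",
}

# OpenSSH's own defaults for those keywords, used when a directive is absent.
SSHD_DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "pubkeyauthentication": "yes",
}


def sha256_file(path):
    """Return the hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record path -> digest for a set of known-good binaries."""
    return {str(p): sha256_file(p) for p in paths}


def verify_binaries(baseline):
    """Return findings for baselined files that changed or disappeared."""
    findings = []
    for path, expected in baseline.items():
        p = Path(path)
        if not p.is_file():
            findings.append(f"{path}: missing")
        elif sha256_file(p) != expected:
            findings.append(f"{path}: digest mismatch")
    return findings


def parse_sshd_config(text):
    """Parse the global section of an sshd_config into {keyword: value}.

    Mirrors sshd semantics that matter for auditing: '#' starts a comment,
    keywords are case-insensitive, the first value seen wins, 'Key=value'
    is accepted, and the first Match block ends the global section.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 1 and "=" in line:
            parts = line.split("=", 1)
        key = parts[0].strip().lower()
        if key == "match":
            break
        if len(parts) == 2 and key not in values:
            values[key] = parts[1].strip().lower()
    return values


def audit_sshd_config(text, expected=EXPECTED_SSHD):
    """Return findings where the effective global value deviates from policy."""
    values = parse_sshd_config(text)
    findings = []
    for key, want in expected.items():
        got = values.get(key, SSHD_DEFAULTS.get(key, "<unset>"))
        if got != want:
            findings.append(f"{key}: expected {want}, effective {got}")
    return findings


def demo():
    """Constructed scenario: baseline two stand-in binaries, tamper with the
    client, and audit a permissive config. Returns both finding lists."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        ssh, sshd = root / "ssh", root / "sshd"
        ssh.write_bytes(b"\x7fELF fake ssh client\n")    # constructed stand-in
        sshd.write_bytes(b"\x7fELF fake sshd daemon\n")  # constructed stand-in
        baseline = build_baseline([ssh, sshd])

        # Simulate a trojanized client dropped in to harvest credentials.
        ssh.write_bytes(b"\x7fELF fake ssh client + credential logger\n")
        bin_findings = verify_binaries(baseline)

        config = (
            "# constructed sshd_config\n"
            "Port 22\n"
            "PasswordAuthentication yes\n"
            "PermitRootLogin yes\n"
            "Match User backup\n"
            "    PasswordAuthentication no\n"  # inside Match; must not mask the global value
        )
        cfg_findings = audit_sshd_config(config)
    return {"binaries": bin_findings, "config": cfg_findings}


if __name__ == "__main__":
    for section, items in demo().items():
        print(section, items)
```

On a real host, baseline from a trusted package source (or lean on rpm -V / dpkg --verify), keep the baseline off-box, and run the verify step from configuration management rather than from the possibly compromised node itself. Neither step replaces the multi-factor authentication the comment above recommends; it only shortens the time a swapped binary or a loosened config goes unnoticed.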



--Chrome is Testing a Feature That Will Stop Ads From Consuming Too Many Resources

(May 14, 2020)

Chrome is testing a feature that will block ads that consume large quantities of computer resources. In the Chromium blog, Chrome Product manager Marshall Vale writes, "a fraction of a percent of ads consume a disproportionate share of device resources, such as battery and network data, without the user knowing about it." The feature "will limit the resources a display ad can use before the user interacts with the ad," and display an error message when the ad reaches the consumption limit. The feature is expected to be introduced on the stable version of Chrome toward the end of August.

[Editor Comments]

[Neely] You can enable this feature today with chrome://flags/#enable-heavy-ad-intervention. This approach uses resource consumption as opposed to Firefox's anti-cryptomining prevention which relies on blocking known bad domains. Either approach should help keep browser resource use in check.

[Pescatore] In a recent SANS webinar (https://www.sans.org/webcasts/making-keeping-work-home-operations-safe-productive-114490: Making and Keeping Work at Home Operations Safe and Productive), Virginia Tech University CISO and SANS Senior Instructor Randy Marchany commented that the dependence on the internet during the pandemic has shown that in many ways internet access has become as important a utility as water, electricity, etc. Browser vendors are building security and viewing controls into browsers for advertising-laden services, while ISPs who charge for access are doing very little about equal access to and secure delivery of digital services needed by school children, small businesses, etc.

Read more in:

Chromium: Protecting against resource-heavy ads in Chrome


Ars Technica: Chrome will soon block resource-draining ads. Here's how to turn it on now



--WP Product Review Lite Plugin Vulnerability

(May 15, 2020)

A critical flaw in the WP Product Review Lite plugin could be exploited to take control of vulnerable WordPress websites. The issue has been fixed in WP Product Review Lite version 3.7.6, which was released on May 14. Users are urged to upgrade as soon as possible. The plugin is installed on at least 40,000 WordPress sites.

[Editor Comments]

[Neely] WordPress has a hardening guide (https://wordpress.org/support/article/hardening-wordpress/: Hardening WordPress) which includes links to additional resources for consideration. In addition to updating this plugin, verify that your plugins are as expected and configurations are as intended.

[Murray] Warnings about vulnerabilities in WordPress plugins are becoming as routine as "patch Tuesday." While patching is mandatory, it should now be obvious that we cannot patch our way to security. Since we cannot hide WordPress plugins, we best use them sparingly.

Read more in:

Bleeping Computer: Critical WordPress plugin bug allows for automated takeovers



--US Department of Commerce Rule Places More Restrictions on Huawei

(May 15 & 18, 2020)

The US Department of Commerce's Bureau of Industry and Security (BIS) has issued an interim final rule amending an existing rule that aims to prevent Huawei from using US technology in its semiconductor design and production. Foreign companies that use certain US technology will be required to obtain a license before selling it to Huawei. The amended rule will take effect in September 2020. Comments on the document will be accepted through July 14, 2020.

Read more in:

MeriTalk: DoC Restricts Huawei's Use of U.S. Tech in Semiconductor Production


Cyberscoop: US Commerce Department tightens screws on Huawei export controls


FCW: U.S squeezes Huawei on chip design


NYT: U.S. Delivers Another Blow to Huawei With New Tech Restrictions


Federal Register: Export Administration Regulations: Amendments to General Prohibition Three (Foreign-Produced Direct Product Rule) and the Entity List



--Bill Would Have US Dept. of Commerce Establish Cybersecurity Grand Challenges

(May 15, 2020)

A trio of US Senators has introduced the Cyber Leap Act of 2020, which directs the Department of Commerce to create competitions to solve cybersecurity grand challenges, such as making it more expensive for criminals to conduct cyberattacks, improving federal agencies' response to cyberattacks, and re-imagining digital identity to improve security. The idea of establishing cybersecurity grand challenges grew out of the November 2018 "Cybersecurity Moonshot" report from the National Security Telecommunications Advisory Committee.

Read more in:

Fifth Domain: Senators introduce bill to create more cyber grand challenges


Nextgov: Bill Proposes to Incentivize Cybersecurity Innovations With Cash Prizes


Commerce.senate: Cyber Leap Act of 2020 (PDF)


CISA: NSTAC Report to the President on a Cybersecurity Moonshot November 14, 2018 (PDF)





OWA Scans



Edison iOS E-Mail Client Leaks Data



Antivirus & Multiple Detections



COMpfun Malware Uses Status Codes to Communicate



PAN OS Patches



MagicPairing Vulnerabilities



BIAS: Bluetooth Impersonation AttackS



Office 365 Returning Search Results from Other Organizations



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create