

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #41

May 22, 2020

Virtual Cyber Schools Open In U.K. and U.S.; Verizon's 2020 Data Breach Report; Toll Group Ransomware Data Published on Dark Web



****************************************************************************

SANS NewsBites                 May 22, 2020                Vol. 22, Num. 041

****************************************************************************


TOP OF THE NEWS


  U.K. and U.S. Virtual Cyber Schools Open This Month

  Verizon's 2020 Data Breach Investigations Report

  Data Stolen from The Toll Group Published on Dark Web


***************************  Sponsored By Chronicle ************************************

Get a free 15-minute SIEM TCO analysis report. Eventually, the cost isn't worth the effort. If keeping your legacy SIEM running is more than you can handle, unwind your SIEM costs with zero-management security analytics from Chronicle and let us ensure perfect fidelity, no matter how much data you generate. http://www.sans.org/info/216455

*****************************************************************************


REST OF THE NEWS


  US Legislators Push for Complete Phone Encryption Between House and Senate

  Facebook New Messenger Warnings are Based on Metadata

  Lawsuits Filed Against ADT Over Former Employee Spying On Customers

  EasyJet Data Breach

  Cisco Releases Update to Fix Deserialization Flaw in Cisco Unified CCX

  Adobe Releases Unscheduled Updates

  Info Leaked from 2019 Mitsubishi Breach May Include Missile Data

  Data Stolen from Fresenius Dialysis Facility Leaked


INTERNET STORM CENTER TECH CORNER


****************************************************************************

CYBERSECURITY TRAINING UPDATE


SANS Training is 100% Online, with two convenient ways to complete a course:


OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online


Keep your skills sharp with SANS Online Training:


        The world's top cybersecurity courses

        Taught by real world practitioners

        Ideal preparation for more than 30 GIAC Certifications


Test drive a course: https://www.sans.org/course-preview


Choose a great promo offer* through May 27 with OnDemand or Live Online training

https://www.sans.org/online-security-training/specials/

 

Hot OnDemand Courses:


SEC401: Security Essentials Bootcamp Style | https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling | https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling


SEC560: Network Penetration Testing and Ethical Hacking | https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking


______________________


Upcoming Live Online Events:

    

Pen Test Hackfest & Cyber Ranges Summit 2020 (Free Summit) | June 4-13

- https://www.sans.org/event/rockymountainhackfest-summit-2020


SANSFIRE 2020 | June 13-20

- https://www.sans.org/event/sansfire-2020


2-Day Firehose Training | June 29-30

- https://www.sans.org/event/2-day-firehose-training-jun29-2020


SANS Summer of Cyber: Week 1 | July 6-11

- https://www.sans.org/event/summer-of-cyber-jul-6


DFIR Summit & Training | July 16-25

- https://www.sans.org/event/digital-forensics-summit-2020


In Person Training:


SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020

______________________


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap


Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee


****************************************************************************

TOP OF THE NEWS  

 

--U.K. and U.S. Virtual Cyber Schools Open This Month

(May 20, 2020)

Students ages 13-18 in the UK and the US have the opportunity to take part in a virtual cyber school that offers more than 200 cybersecurity challenges. The program is government sponsored: free for residents of the UK, while students in the US can participate for US $100 a year. No background in computers is expected or needed. Kids' observations: "The most fun I've ever had learning," and "I had no idea I could be so good at computer science."


[Editor Comments]


[Pescatore] Great opportunity to take advantage of current crazy times and get your kids or your company's employees' kids into the cybersecurity skills pipeline. The gaming aspect is very cool; much like in the maker movement, the fact that the technology is really a tool vs. the entire focus attracts and holds types of kids who had no interest in computers or networks for technology's sake.


[Neely] My 13-year-old self would love this type of opportunity. My present-day self is thinking of all the friends and family who ask how their kids can get started in cyber security and sending this to them. If they object to the cost, I'll suggest they also look to the SANS Holiday Hack Challenge web site for some fun challenges, reminding them the past solutions are published if they want a hint.


Read more in:

CNN: Virtual cybersecurity school teaches kids to fix security flaws and hunt down hackers

https://www.cnn.com/2020/05/20/tech/virtual-cyber-security-school/index.html

Gov.uk: New virtual cyber school gives teens chance to try out as cyber security agents from home

https://www.gov.uk/government/news/new-virtual-cyber-school-gives-teens-chance-to-try-out-as-cyber-security-agents-from-home

U.K. Cyber-School: Cyber Discovery Virtual Cyber School

https://cyber-school.joincyberdiscovery.com/

U.S. Sign-ups: https://cyberstart.com


 

--Verizon's 2020 Data Breach Investigations Report

(May 19, 2020)

Some takeaways from Verizon's 2020 Data Breach Investigations Report: 86 percent of breaches in 2019 were financially motivated, up from 71 percent the year before; 70 percent of breaches were perpetrated by external actors; and ransomware accounted for 27 percent of malware incidents. The report draws on more than 150,000 security incidents, combining cases handled by Verizon with data contributed by partner organizations, law enforcement agencies, CSIRTs, and security firms.


[Editor Comments]


[Neely] The Verizon DBIR is always a good synopsis of incidents and trends to watch for. The report also notes that unsecured or misconfigured cloud data storage opens the doors of small businesses to attacks previously faced only by larger organizations. The report also shows a trend in breaches related to configuration errors catching up with socially engineered ones.


[Honan] This is one of the most valuable reports a security professional can read. The report will give you valuable insights into how to defend your systems and networks. It also gives you good data points when dealing with security vendors to ask them how their product would deal with the breaches and issues raised in the report.


[Murray] The DBIR continues to be a valuable source of open source intelligence. Be sure to read the disclaimers.


Read more in:

Verizon: 2020 Data Breach Investigations Report

https://enterprise.verizon.com/resources/reports/dbir/

SC Magazine: Six need-to-know takeaways from the Verizon breach report

https://www.scmagazine.com/home/security-news/data-breach/six-need-to-know-takeaways-from-the-verizon-breach-report/

ZDNet: Verizon's data breach report highlights how unsecured cloud storage opens door to attacks

https://www.zdnet.com/article/verizons-data-breach-report-highlights-how-unsecured-cloud-storage-opens-door-to-attacks/

Threatpost: Verizon Data Breach Report: DoS Skyrockets, Espionage Dips

https://threatpost.com/verizon-data-breach-report-dos-skyrockets-espionage-dips/155843/

Cyberscoop: Money is still the main motivating factor for hackers, Verizon report finds

https://www.cyberscoop.com/verizon-dbir-report-hacking-2020/


 

--Data Stolen from The Toll Group Published on Dark Web

(May 21, 2020)

Data stolen from Australian transportation and logistics company The Toll Group have been published to the dark web. The data were taken from a corporate server during an April ransomware attack. Toll has not paid the ransom and has shut down its IT systems to contain the malware. The company was the victim of a ransomware attack in January as well. 


[Editor Comments]


[Neely] When the decision was made not to pay the ransom and recover systems, The Toll Group identified the server and data they believed had been exfiltrated. They are now faced with the challenge of validating the scope and depth of data published to determine appropriate response actions, including deciding whether it is worth paying ransom to prevent additional disclosures.


Read more in:

ZDNet: Toll's stolen data finds itself on the 'dark web'

https://www.zdnet.com/article/tolls-stolen-data-finds-itself-on-the-dark-web/


*****************************  SPONSORED LINKS  ******************************

1) DFIR Summit Solutions Track | July 17th at 9AM ET | Join Lodrina Cherne and guest speakers for this free virtual event! http://www.sans.org/info/216460


2) Take the SANS 2020 Enterprise Cloud Incident Response Survey! Survey closes June 15th. http://www.sans.org/info/216465


3) Webcast May 28th at 10:30AM ET | How Dangerous File Uploads Disrupt Business-Critical Web & Mobile Apps. Register: http://www.sans.org/info/216470


****************************************************************************

The REST OF THE WEEK'S NEWS


--US Legislators Push for Complete Phone Encryption Between House and Senate

(May 19, 2020)

US legislators want phone communications between the House and the Senate to be protected by encryption. Calls placed within each chamber are already encrypted, but calls that cross between the Senate and House phone networks are not. In a letter dated May 19, 2020, the legislators ask the Senate Sergeant at Arms and the House Chief Administrative Officer to take immediate action to encrypt, in bulk, all internal calls and other electronic communications between the Senate, the House, and other components of the legislative branch.


[Editor Comments]


[Neely] Not a bad idea for protecting corporate secrets, too. VoIP phones make the encryption within the system practical, without having to invest in formal COMSEC equipment, provided you have the infrastructure to manage the certificates. The challenge is more and more communications also happen over mobile devices necessitating either a smartphone client on the device, or training users to have sensitive conversations only over the secure phone system. Even with encryption, situational awareness is important to prevent eavesdropping.


Read more in:

FCW: Lawmakers want more complete phone encryption on Capitol Hill

https://fcw.com/articles/2020/05/19/house-senate-wyden-phone-encryption.aspx

The Verge: Calls between the House and Senate should be encrypted, lawmakers say

https://www.theverge.com/2020/5/19/21262751/senate-house-ron-wyden-encryption-voip-calls-capitol-hill

Wyden: Letter to Senate Sergeant at Arms and House Chief Administrative Officer (PDF)

https://www.wyden.senate.gov/imo/media/doc/051920%20Letter%20to%20Secure%20US%20Capitol%20Phone%20Networks.pdf

 
 

--Facebook New Messenger Warnings are Based on Metadata

(May 21, 2020)

Governments have criticized Facebook's plans to implement end-to-end encryption across all of its messaging apps, arguing that it would let criminals escape detection. Facebook is now rolling out safety alerts in Messenger that are generated from metadata and behavioral signals, such as account age and messaging patterns, rather than from message content, so they can flag likely scammers, child abusers, and other bad actors even once conversations are end-to-end encrypted.


Read more in:

Wired: Facebook Messenger Adds Safety Alerts, Even in Encrypted Chats

https://www.wired.com/story/facebook-messenger-safety-alerts-encryption/

 
 

--Lawsuits Filed Against ADT Over Former Employee Spying On Customers

(May 15 & 19, 2020)

ADT Security Services is facing lawsuits over the company's alleged intentional and negligent tortious acts in providing security services to its customers with remote-viewing capabilities. ADT has admitted that an ADT technician created admin accounts for himself on customers' systems and then abused that privilege to spy on them. More than 200 customer accounts were compromised; the activity went on for seven years before it was detected. The scheme was uncovered when a customer in Texas reported an unknown email address as an admin user on their system. ADT conducted an internal investigation and determined that the issue was with one of its employees. ADT fired the individual, reported them to the police, and contacted all affected customers.


[Editor Comments]


[Neely] Have a clear understanding of what the remote monitoring service can and cannot do. Review accounts with access to your home systems regularly. Even so, the service provider may still have legitimate access to your system for emergency response. If you must have cameras in your home, make sure that privacy needs are considered, including where images can be accessed and stored. Make sure that electronic locks are not the only access control on outer doors so you can prevent them from being unsecured when desired.


[Honan] Quis custodiet ipsos custodes? (Who will guard the guards themselves?) A great example of why people need to check the security settings of all devices installed in their homes and businesses. Trusting default settings or relying on third parties to set up devices securely can lead to security and/or privacy breaches. Always review settings on devices to ensure they are secure.


[Murray] Supervision and multi-party controls are indicated to resist insider abuse and misuse. Privileged Access Management software should be considered to provide accountability for privileged users.  


Read more in:

The Register: Rogue ADT tech spied on hundreds of customers in their homes via CCTV, including me, says teen girl

https://www.theregister.co.uk/2020/05/19/adt_spying_lawsuit/

ADT: ADT Internal Investigation Reveals Improper Behavior By Former Dallas-Based Employee

https://www.adt.com/adt-privacy-notice

Regmedia: Class Action Complaint and Demand for Jury Trial (PDF)

https://regmedia.co.uk/2020/05/19/adt-spycam-lawsuit.pdf

Regmedia: Class Action Complaint and Demand for Jury Trial (PDF)

https://regmedia.co.uk/2020/05/19/adt-second-spy-lawsuit.pdf

 
 

--EasyJet Data Breach

(May 19, 2020)

UK-based EasyJet has disclosed a breach that exposed the email addresses and travel details of approximately 9 million customers. For a small subset of those customers, roughly 2,200, payment card details were also accessed. EasyJet has reported the incident to the UK Information Commissioner's Office (ICO) and to the National Cyber Security Centre (NCSC) and is notifying affected customers.


[Editor Comments]


[Murray] As an accommodation to frequent travelers, airlines and hotel chains offer them the option of storing a credit card number for convenience with future bookings. There have been enough successful attacks in the travel industry to make the risk of doing so obvious and significant. Frequent travelers can limit this risk by using tokens from Privacy.com that can only be used by that airline or hotel chain.  


Read more in:

The Register: Easyjet hacked: 9 million people's data accessed plus 2,200 folks' credit card details grabbed

https://www.theregister.co.uk/2020/05/19/easyjet_hack_9million_2000_credit_cards/

SC Magazine: British airline easyJet breached, data of 9 million customers compromised

https://www.scmagazine.com/home/security-news/british-airline-easyjet-breached-data-of-9-million-customers-compromised/

ZDNet: EasyJet hack: 9 million customers hit and 2,000 credit cards exposed

https://www.zdnet.com/article/easyjet-hack-9-million-customers-hit-and-2000-credit-cards-exposed/

Threatpost: EasyJet Hackers Take Off with Travel Details for 9M Customers

https://threatpost.com/easyjet-hackers-travel-details-9m-customers/155894/

Bleeping Computer: EasyJet hacked: data breach affects 9 million customers

https://www.bleepingcomputer.com/news/security/easyjet-hacked-data-breach-affects-9-million-customers/

 
 

--Cisco Releases Update to Fix Deserialization Flaw in Cisco Unified CCX

(May 21, 2020)

Cisco has released updates to fix a critical vulnerability in the Java Remote Management Interface of its Unified Contact Center Express (CCX). The flaw stems from insecure deserialization of user-supplied content: an unauthenticated, remote attacker who can send a malicious serialized Java object to the affected listener could execute arbitrary code as root on the device. There are no workarounds; apply the fixed release.


Read more in:

ZDNet: Cisco: Critical Java flaw strikes 'call center in a box', patch urgently

https://www.zdnet.com/article/cisco-critical-java-flaw-strikes-call-center-in-a-box-patch-urgently/

Threatpost: Critical Cisco Bug in Unified CCX Allows Remote Code Execution

https://threatpost.com/critical-cisco-rce-flaw-unified-ccx/155980/

Cisco: Cisco Unified Contact Center Express Remote Code Execution Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-uccx-rce-GMSC6RKN
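As an added illustration of the vulnerability class the advisory describes, insecure Java deserialization, and not Cisco's code: a hypothetical management listener that deserializes whatever it receives, beside the same listener hardened with an ObjectInputFilter allow-list (JEP 290, available from Java 9 and backported to 8u121). The class names, the StatusRequest message type, the size limits and the HashMap stand-in for an attacker-chosen object graph are all assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.HashMap;
import java.util.Map;

/*
 * Added example of the insecure-deserialization bug class. Not Cisco's code;
 * the message type, limits and payload below are assumptions for illustration.
 */
public class DeserializationDemo {

    /** The only type our hypothetical management interface is meant to receive. */
    public static final class StatusRequest implements Serializable {
        private static final long serialVersionUID = 1L;
        final String agentId;
        StatusRequest(String agentId) { this.agentId = agentId; }
    }

    /** VULNERABLE: any class on the classpath may be instantiated and its readObject() run. */
    static Object readUnfiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            return in.readObject(); // gadget chains execute here, before any type check could run
        }
    }

    /** HARDENED: allow-list the expected classes and cap graph depth/size before readObject(). */
    static StatusRequest readFiltered(byte[] wire) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(wire))) {
            in.setObjectInputFilter(info -> {
                if (info.depth() > 2 || info.references() > 64) {
                    return ObjectInputFilter.Status.REJECTED;   // assumed limits for a tiny message
                }
                Class<?> c = info.serialClass();
                if (c == null) {
                    return ObjectInputFilter.Status.UNDECIDED;  // bookkeeping call with no class to judge
                }
                return (c == StatusRequest.class || c == String.class)
                        ? ObjectInputFilter.Status.ALLOWED
                        : ObjectInputFilter.Status.REJECTED;    // anything else is refused before construction
            });
            return (StatusRequest) in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] benign = serialize(new StatusRequest("agent-42"));
        // Constructed stand-in for an attacker-chosen object graph: a harmless class the
        // endpoint was never meant to accept. A real exploit would ship a gadget chain instead.
        byte[] unexpected = serialize(new HashMap<>(Map.of("k", "v")));

        System.out.println("unfiltered, benign    : " + readUnfiltered(benign).getClass().getName());
        System.out.println("unfiltered, unexpected: " + readUnfiltered(unexpected).getClass().getName());

        System.out.println("filtered,   benign    : " + readFiltered(benign).agentId);
        try {
            readFiltered(unexpected);
        } catch (InvalidClassException e) {
            System.out.println("filtered,   unexpected: rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with javac/java. The unfiltered reader returns a HashMap it was never meant to accept; the filtered reader throws InvalidClassException before the unexpected class is instantiated. The filter has to be installed before readObject() is called: a cast or instanceof check after the fact is too late, because the readObject() methods of every class in the stream have already run by then.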

 
 

--Adobe Releases Unscheduled Updates

(May 19 & 20, 2020)

Adobe has released updates to address a critical vulnerability in Adobe Character Animator. The issue affects Character Animator 2020 versions 3.2 and earlier. The buffer overflow vulnerability could be exploited to allow arbitrary code execution. Adobe has also released fixes for vulnerabilities in its Premiere Rush, Audition, and Premiere Pro products.


Read more in:

Threatpost: Adobe Patches Critical RCE Flaw in Character Animator App

https://threatpost.com/adobe-patches-critical-rce-flaw-character-animator/155882/

ZDNet: Adobe issues out-of-band patch to fix remote code execution flaw in animation software

https://www.zdnet.com/article/adobe-issues-out-of-band-patch-to-fix-remote-code-execution-flaw-in-animation-software/

Bleeping Computer: Adobe releases critical out-of-band security update

https://www.bleepingcomputer.com/news/security/adobe-releases-critical-out-of-band-security-update/

Adobe: Security Updates Available for Adobe Character Animator | APSB20-25

https://helpx.adobe.com/security/products/character_animator/apsb20-25.html

Adobe: Recent bulletins and advisories

https://helpx.adobe.com/security.html

 
 

--Info Leaked from 2019 Mitsubishi Breach May Include Missile Data

(May 20 & 21, 2020)

Japan's Defense Ministry is investigating the leak of information about a prototype missile. The data are believed to have been compromised during a cyberattack against systems at Mitsubishi Electric Corp. in late June 2019; the incident was not disclosed until January 2020. The attack exploited a then-zero-day vulnerability in Trend Micro OfficeScan antivirus software.


[Editor Comments]


[Neely] Am I the only one thinking that I would be able to buy a missile equipped vehicle in the future? The exploited zero-day vulnerability in the Trend Micro AV product has since been patched. Attribution is still tricky, although initial indications point to the Tick group which has previously targeted Japanese and South Korean technology and defense industries.


Read more in:

ZDNet: Japan investigates potential leak of prototype missile data in Mitsubishi hack

https://www.zdnet.com/article/japan-investigates-potential-leak-of-prototype-missile-design-in-mitsubishi-hack/

ZDNet: Trend Micro antivirus zero-day used in Mitsubishi Electric hack (January 2020)

https://www.zdnet.com/article/trend-micro-antivirus-zero-day-used-in-mitsubishi-electric-hack/

Fifth Domain: Japan suspects missile data leak in Mitsubishi cyberattack

https://www.fifthdomain.com/international/2020/05/20/japan-suspects-missile-data-leak-in-mitsubishi-cyberattack/



--Data Stolen from Fresenius Dialysis Facility Leaked

(May 20 & 21, 2020)

Fresenius Medical Care says that some patient data from its dialysis facilities in Serbia has been posted to the Internet. The data include personally identifiable patient information. Fresenius was hit by the Snake ransomware earlier this month; the data now being leaked appears to have been taken during that attack.


Read more in:

Bleeping Computer: Snake ransomware leaks patient data from Fresenius Medical Care

https://www.bleepingcomputer.com/news/security/snake-ransomware-leaks-patient-data-from-fresenius-medical-care/

Reuters: Germany's Fresenius Medical Care confirms data leak in Serbia after hacker attack

https://www.reuters.com/article/us-fresenius-care-cyber/germanys-fresenius-medical-care-confirms-data-leak-in-serbia-after-hacker-attack-idUSKBN22X1DL

 
 

****************************************************************************

INTERNET STORM CENTER TECH CORNER


Spike of Scans for Port 62234

https://isc.sans.edu/forums/diary/What+is+up+on+Port+62234/26144/


IcedID Malware Update

https://isc.sans.edu/forums/diary/Microsoft+Word+document+with+malicious+macro+pushes+IcedID+Bokbot/26146/


Malware Triage with FLOSS: API Calls Based Behavior

https://isc.sans.edu/forums/diary/Malware+Triage+with+FLOSS+API+Calls+Based+Behavior/26156/


Cisco Patches

https://tools.cisco.com/security/center/publicationListing.x

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-asaftd-info-disclose-9eJtycMB


Google Chrome 83 Released

https://chromereleases.googleblog.com/


QNAP Vulnerability Details Released

https://medium.com/bugbountywriteup/qnap-pre-auth-root-rce-affecting-450k-devices-on-the-internet-d55488d28a05


ISC YouTube Channel

https://www.youtube.com/channel/UCfbOsqPmWg1H_34hTjKEW2A


NXNSAttack DNS Amplification

https://cyber-security-group.cs.tau.ac.il/

https://en.blog.nic.cz/2020/05/19/nxnsattack-upgrade-resolvers-to-stop-new-kind-of-random-subdomain-attack/


Adobe Updates

https://helpx.adobe.com/security.html


Verizon Breach Report

https://enterprise.verizon.com/resources/reports/dbir/


Apple Updates

https://support.apple.com/en-us/HT201222


Sophos Firewall Vulnerability Exploit

https://news.sophos.com/en-us/2020/05/21/asnarok2/

 

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create