

Volume XXII - Issue #49

June 19, 2020

Zoom Encryption For All; Millions of IoT and Home Devices At Risk; Fake LinkedIn Identities and Phony Job New Attack Vector


SANS NewsBites                June 19, 2020                Vol. 22, Num. 049



  Zoom Will Make End-to-End Encryption Available to Everyone

  Ripple20 Vulnerabilities Affect Millions of IoT Devices

  Hackers Used Fake LinkedIn Identities and Phony Job To Infiltrate European Defense Companies



  Microsoft Releases Out-of-Cycle Windows 10 Cumulative Update to Address Printing Problems

  Adobe Releases Out-of-Cycle Updates to Fix 18 Critical Flaws

  US House Subcommittee Hearing on Financial Sector Cyberattacks

  Senator Asks DNI Why the Intelligence Community Has Not Adopted Stronger Cybersecurity Practices

  T-Mobile Outage Resolved

  Netgear Router Vulnerability

  NSA is Piloting Secure DNS for DIB

  Amazon Web Services Mitigated a 2.3 Tbps DDoS Attack in February

  Akamai Resolved 1.44 Tbps DDoS Against Website

  Cognizant Discloses What Information Ransomware Operators Stole


***********************  Sponsored By Enzoic  ********************************

Screen For Commonly Used and Compromised Password. Enzoic's Real-Time Continuous Password Monitoring in Active Directory. Get the industry's first Active Directory plugin that helps organizations prevent ongoing use of compromised passwords and aids with NIST 800-63b compliance. | https://www.sans.org/info/216760



SANS Training is 100% Online, with two convenient ways to complete a course:

OnDemand | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online

Keep your skills sharp with SANS Online Training:

- The world's top cybersecurity courses

- Taught by real world practitioners

- Ideal preparation for more than 30 GIAC Certifications

Take advantage of the current promotional offer

Get a Free GIAC Certification Attempt or Take $350 Off with OnDemand or Live Online Training through June 24



Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling

SEC560: Network Penetration Testing and Ethical Hacking

- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking


Upcoming In Person and Live Online Events:


2-Day Firehose Training | June 29-30 | Live Online

- https://www.sans.org/event/2-day-firehose-training-jun29-2020

SANS Summer of Cyber | July 6-17 | Live Online

- https://www.sans.org/event/summer-of-cyber-jul-6

DFIR Summit & Training (Free Summit) | July 16-25 | Live Online

- https://www.sans.org/event/digital-forensics-summit-2020

SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online

- https://www.sans.org/event/network-security-2020


Test drive a course: https://www.sans.org/course-preview

View the full SANS course catalog and skills roadmap.

- https://www.sans.org/cyber-security-courses

- https://www.sans.org/cyber-security-skills-roadmap




--Zoom Will Make End-to-End Encryption Available to Everyone

(June 17, 2020)

Zoom now says that it will provide end-to-end encryption (E2EE) for all users. Previously, the company had planned to provide the feature only to paying users. The feature will be off by default; meeting administrators must enable it when setting up each meeting. The feature is opt-in because it may not work with every piece of technology. Non-paying users must provide a piece of identifying information to have the feature enabled. A beta of the feature will begin next month.  

[Editor Comments]

[Neely] Be aware of the impacts of enabling E2EE before enabling it to make sure that users will be able to participate in your meeting. Zoom's white paper on their E2EE implementation (https://github.com/zoom/zoom-e2e-whitepaper/blob/master/zoom_e2e.pdf) documents meeting UI changes as well as key management and verification. UI changes include: participants cannot join before the host; participants must run the official Zoom client; browsers, legacy Zoom-enabled devices and PSTN dial-ins are disabled.

Read more in:

Zoom: End-to-End Encryption Update


Wired: Zoom Reverses Course and Promises End-to-End Encryption for All Users


The Register: Zoom will offer proper end-to-end encryption to free vid-chat accounts - not just paid-up bods - once you verify your phone number...


SC Magazine: Zoom will extend optional end-to-end encryption to free users


ZDNet: Zoom backtracks and plans to offer end-to-end encryption to all users


Ars Technica: Amid pressure, Zoom will end-to-end encrypt all calls, free or paid


Infosecurity Magazine: Petitions Demand Zoom Changes End-to-End Encryption Stance



--Ripple20 Vulnerabilities Affect Millions of IoT Devices

(June 16, 2020)

Researchers from JSOF, an Israeli security company, have discovered a group of vulnerabilities that affect millions of Internet of Things (IoT) devices. Ripple20 is "a series of zero-day vulnerabilities in a widely used low-level TCP/IP software library developed by Treck, Inc." At least four of the flaws have CVSS base scores over 9.0. In March, Treck issued an updated version of the library that addresses the flaws. However, tracking down all vulnerable devices is difficult at best, and there are likely situations in which devices cannot be patched at all.

[Editor Comments]

[Ullrich] This flaw will keep us busy for the foreseeable future. The Treck IP Stack is used in millions of devices made by an unknown number of manufacturers. As an end user, you likely have no idea that this IP stack is used in your equipment. Identifying these devices and patching them will take years.


[Pescatore] Cisco, Intel and HP/Samsung have issued alerts around their products that are or may be at risk. This isn't just an obscure IoT device risk issue, though it is a huge issue there. There are 19 CVEs; in order to mitigate or patch, discovery of vulnerable devices with the Treck stack is key. Some discovery and Network Access Control vendors have released scripts and signatures to detect use of the vulnerable stack. Treck recommends reviewing those CVEs and if you have questions about a device, contact them via email at security@treck.com.

Read more in:

JSOF: Ripple20 | 19 Zero-Day Vulnerabilities Amplified by the Supply Chain


Wired: A Legion of Bugs Puts Hundreds of Millions of IoT Devices at Risk


ZDNet: Ripple20 vulnerabilities will haunt the IoT landscape for years to come


Dark Reading: 'Ripple20' Bugs Plague Enterprise, Industrial & Medical IoT Devices


Bleeping Computer: Ripple20 vulnerabilities affect IoT devices across all industries



--Hackers Used Fake LinkedIn Identities and Phony Job To Infiltrate European Defense Companies

(June 17, 2020)

Hackers on LinkedIn pretended to be corporate recruiters working for US defense contractors. They sent phony job offers to employees at European defense companies and managed to gain access to systems at two of those companies in late 2019. The hackers delivered documents containing malicious code through LinkedIn's private messaging feature.

[Editor Comments]

Read more in:

Cyberscoop: How spies used LinkedIn to hack European defense companies


Reuters: Cyber spies use LinkedIn to hack European defence firms


****************************  SPONSORED LINKS  ******************************

1) Webcast | Join Gary Golomb as he hosts this upcoming webcast, "The New Rootkit: How Malicious Chrome Extensions Enabled a Global Surveillance Campaign" | June 24, 2020 @ 2:00 pm EDT | https://www.sans.org/info/216755

2) Free Virtual Event | Zero Trust Forum | August 28, 2020 | Is Zero Trust just a marketing buzzword or a truly innovative strategy? Is Zero Trust truly attainable? If so, how do you get started and what tools and technologies are available? Join SANS instructor Ismael Valenzuela, co-author of Security 530: Defensible Security Architecture and Engineering, and some of the top security professionals as they share their experience on how to implement Zero Trust strategies. | https://www.sans.org/info/216765

3) Webcast | Expert professionals Alex Kirk, John Gamble and Matt Bromiley dive into "The Power of Fusing Network Alerts and Evidence with Open-Source Suricata and Zeek (Bro)" | June 25, 2020 @ 12:00pm EDT | https://www.sans.org/info/216770




--Microsoft Releases Out-of-Cycle Windows 10 Cumulative Update to Address Printing Problems

(June 16, 2020)

On Tuesday, June 16, Microsoft released cumulative updates for Windows 10 that address an issue introduced by updates released the week before. Users reported that after installing the June 9 updates, they were unable to print. The optional, out-of-cycle cumulative updates will not install automatically. Microsoft recommends that only users who have experienced printer problems with the earlier updates install the new updates.

[Editor Comments]

[Neely] Put this in the "if it isn't broken, don't fix it" category. Deploy this fix to systems only if they are experiencing printer problems after last week's update. You may not discover those problems until workers return on-site and attempt to print.

Read more in:

Bleeping Computer: Windows 10 out-of-band updates released to fix printing issues


Microsoft: Out-of-band update for an issue in which certain printers may be unable to print after installing updates



--Adobe Releases Out-of-Cycle Updates to Fix 18 Critical Flaws

(June 16 & 17, 2020)

Adobe has released out-of-cycle updates to address 18 critical vulnerabilities in six products. Five of the vulnerabilities are in Illustrator, and another five are in After Effects. The other patches address flaws in Premiere Pro, Premiere Rush, Audition, and Campaign Classic. Adobe patched four critical vulnerabilities in Flash Player a week ago.

Read more in:

Threatpost: Adobe Patches 18 Critical Flaws in Out-Of-Cycle Update


SC Magazine: Adobe fixes 18 critical vulnerabilities on heels of largest-ever Microsoft Patch Tuesday


The Register: You. Yeah you, in the beret. Drop that media file right now unless you've patched Illustrator or After Effects



--US House Subcommittee Hearing on Financial Sector Cyberattacks

(June 17, 2020)

Witnesses told the US House Subcommittee on National Security, International Development, and Monetary Policy that the US financial sector experienced a 238 percent increase in cyberattacks during the first five months of 2020. VMware's head of cybersecurity strategy Tom Kellermann noted that 90 percent of US financial sector employees are working from home, which makes their systems more vulnerable to attacks.

Read more in:

SC Magazine: Cyberattackers raising stakes in financial sector, security experts tell House subcommittee


House: Hearing: Cybercriminals and Fraudsters: How Bad Actors Are Exploiting the Financial System During the COVID-19 Pandemic


--Senator Asks DNI Why the Intelligence Community Has Not Adopted Stronger Cybersecurity Practices

(June 16, 2020)

US Senator Ron Wyden (D-Oregon) has asked the Director of National Intelligence (DNI) why the intelligence community has not followed a CISA directive "to implement multi-factor authentication to protect their .gov domain names"; why its DMARC implementation is lagging; why the intelligence community's classified computer network for top secret information does not use multi-factor authentication; and whether it intends to adopt the Inspector General's (IG's) cybersecurity recommendations. Wyden appended a redacted version of a 2017 CIA WikiLeaks Task Force report, which found that "day-to-day security practices had become woefully lax." Users were sharing admin passwords; there were no controls on the use of removable USB drives; and network segmentation was not used to limit access to tools.

[Editor Comments]

[Neely] Implementing broad changes while still meeting mission objectives takes leadership and support from the top, particularly if delivered as an unfunded mandate, and particularly for culture-changing initiatives such as security awareness and corresponding culture changes. If management doesn't "walk the talk" the staff won't either. The security measures suggested, such as DMARC, MFA and USB Security, are worth consideration irrespective of your business sector.

[Murray] Some form of strong authentication is now mandatory for most applications in most enterprises, let alone for privileged users in intelligence agencies. It is ironic that sharing of IDs and passwords remains common among administrative users, those users where "accountability" is the primary control. Most enterprises, let alone intelligence agencies, should be using Privileged Access Management systems (the Israelis offer a very good one.) It was through abuse of administrative privileges that Edward Snowden was able to ravage NSA systems.     

Read more in:

Cyberscoop: Wyden seeks details on spies' data protection after scathing CIA audit on Vault 7 leaks


KrebsOnSecurity: When Security Takes a Backseat to Productivity


Ars Technica: Multiple "CIA failures" led to theft of agency's top-secret hacking tools


FCW: Report: Lax cybersecurity at CIA unit led to Vault 7 leaks


The Register: If you're despairing at staff sharing admin passwords, look on the bright side. That's CIA-grade security


Senate: Wyden June 16, 2020, Letter to US Director of National Intelligence and Redacted Report (PDF)



--T-Mobile Outage Resolved

(June 16, 2020)

A T-Mobile network outage on Monday, June 15, caused problems across the US. Federal Communications Commission (FCC) Chairman Ajit Pai called the incident "unacceptable" and said, "the FCC is launching an investigation." The problems are believed to stem from network configuration changes gone awry. Rumors that the issue was due to a distributed denial-of-service (DDoS) attack were refuted. The issue was resolved by 1am ET on Tuesday, June 16.

Read more in:

Ars Technica: T-Mobile's outage yesterday was so big that even Ajit Pai is mad


Cyberscoop: No, that wasn't a DDoS attack, just a cellular outage


Vice: T-Mobile Outage Causes Unfounded Panic About a DDoS Attack That Didn't Happen



--Netgear Router Vulnerability

(June 18, 2020)

A vulnerability in Netgear routers could be exploited to bypass the authentication process and gain access to other devices on the network. The flaw lies in the web server component in the firmware used in 79 Netgear router models. Netgear says it is working on a fix.

[Editor Comments]

[Neely] The flaw is in the web server used to manage the router. The only mitigation is to limit access to that service to trusted systems. Make sure internet-based management is disabled, if possible, implement firewall rules to restrict which systems can manage the devices, and consider changing the admin password so systems with cached or stored credentials cannot connect easily. Netgear hopes to release updated firmware by the end of June.

[Murray] The cost of the first repair that one makes will be high; subsequent ones much lower. Therefore, enterprises will repair; SOHO users may find it cheaper and easier to replace.

Read more in:

Grimm: SOHO Device Exploitation


Zero Day Initiative: (0Day) NETGEAR R6700 httpd Firmware Upload Stack-based Buffer Overflow Remote Code Execution Vulnerability


ZDNet: Unpatched vulnerability identified in 79 Netgear router models


Bleeping Computer: 79 Netgear router models risk full takeover due to unpatched bug


Cyberscoop: Netgear moves to plug vulnerability in routers after researchers find zero-day



--NSA is Piloting Secure DNS for DIB

(June 18, 2020)

The US National Security Agency (NSA) is piloting a secure DNS service for some of its defense industrial base (DIB) companies. Anne Neuberger, the NSA's Director of Cybersecurity, noted that the pilot is based on NSA analysis that found "using secure DNS would reduce the ability for 92 percent of malware attacks both from command and control perspective deploying malware on a given network." Neuberger said that the results of the pilot, which has been running for about six weeks, "have been very, very successful."

[Editor Comments]

[Ullrich] The article is a bit short on details, but this appears not to be another attempt to revive DNSSEC. Instead, it likely refers to filtered DNS services (sometimes called DNS Firewalling) like those offered by companies like Threatstop and OpenDNS/Cisco. This type of service has been shown to be effective and easy and cheap to deploy. Having them specifically "tuned" for this user base could indeed be a good way to better protect participating companies.

Read more in:

MeriTalk: NSA Pilot Providing Secure DNS Services to DIB


Nextgov: NSA Piloting Secure Domain Name System Service for Defense Contractors



--Amazon Web Services Mitigated a 2.3 Tbps DDoS Attack in February

(June 17 & 18, 2020)

Amazon Web Services (AWS) has disclosed that its Shield service fended off a massive distributed denial-of-service (DDoS) attack earlier this year. The incident is described in the AWS Shield Threat Landscape Report - Q1 2020. The report does not identify the customer, but it does note that the attack lasted three days and peaked at a volume of 2.3 Tbps.

Read more in:

AWS Shield TLR: AWS Shield Threat Landscape Report - Q1 2020 (PDF)


ZDNet: AWS said it mitigated a 2.3 Tbps DDoS attack, the largest ever


BBC: Amazon 'thwarts largest ever DDoS cyber-attack'


Silicon Angle: AWS mitigated a record-breaking 2.3 Tbps DDoS attack in February



--Akamai Resolved 1.44 Tbps DDoS Against Website

(June 17, 2020)

Akamai said it resolved a 1.44 Tbps / 385 million packets per second distributed denial-of-service (DDoS) attack against an unnamed website earlier this month. The attack, which lasted 90 minutes, is the largest Akamai has seen.

[Editor Comments]

[Ullrich] During the T-Mobile outage, there was unfounded speculation that a DDoS attack may have caused the outages. Many people don't understand that large DDoS attacks have become a "new normal" for internet service providers. This story, as well as the AWS DDoS story, show how companies have learned to deal with these "new normal" attacks.

Read more in:

DUO: Unnamed Web Host Hit with DDoS Attack



--Cognizant Discloses What Information Ransomware Operators Stole

(June 18, 2020)

Cognizant Technology Solutions has disclosed additional details about the Maze ransomware infection it experienced in April 2020. The ransomware operators appear to have stolen information related to corporate credit cards as well as some personnel records.

Read more in:

The Register: Nothing fills you with confidence in an IT contractor more than hearing its staff personal records were stolen by ransomware hackers. Right, Cognizant?


OAG: Notice of Data Breach - Personal Information (PDF)


OAG: Notice of Data Breach - Corporate Credit Card (PDF)




Broken Phishing Accidentally Exploiting Outlook Bug

ISC Handler Jan Kopriva discovered that Microsoft Outlook may, under certain circumstances, rewrite links in emails as they are forwarded. This could be used to trick a user into forwarding an email that they consider harmless: in specially crafted emails, Outlook can be tricked into rewriting links and replacing them with malicious links as the email is forwarded.


Webcast: https://www.sans.org/webcasts/sansatmic-catch-release-phishing-techniques-good-guys-115430

Sextortion to the Next Level


Odd Protest Spam (Scam?) Targeting Atlanta Police Foundation


T-Mobile Outage Due to Configuration Error


Vulnerability Analysis of 2500 Docker Hub Images


Zoom Publishes End-to-End Encryption Whitepaper


Treck IP Stack Contains Multiple Vulnerabilities


Linux ACPI Bug Defeats UEFI Secure Boot


Cisco Updates

Treck IP Stack: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-treck-ip-stack-JyBQ5GyC

All Advisories: https://tools.cisco.com/security/center/publicationListing.x

Netgear httpd Firmware Upload Stack-based Buffer Overflow RCE Vulnerability


Tech Tuesday Workshop




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create