
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #56

July 17, 2020

UK, Canada, and US Say Russian Hackers Targeting Vaccine Research; Hackers Hijacked High-Profile Twitter Accounts; US Legislators Adding Solarium Report Recommendations to Bill


SANS NewsBites                July 17, 2020                Vol. 22, Num. 056



  UK, Canada, and US Say Russian Hackers are Targeting COVID-19 Vaccine Research

  Hackers Hijacked High-Profile Twitter Accounts And Used Them in Bitcoin Scam

  US Legislators Adding Solarium Report Recommendations to Defense Spending Bill


  Patch Tuesday: Cisco and Oracle

  Patch Tuesday Adobe

  Microsoft Patch Tuesday Addresses 120+ Vulnerabilities, Including Wormable Flaw (SIGRed)

  Apple Updates: iOS, macOS, and More

  Counterfeit Cisco Devices Caused Network Switch Failures

  IBM X-Force Found Iranian Threat Group Training Videos Online

  EU Court of Justice Invalidates Privacy Shield Data Sharing Agreement

  Identity Theft Resource Center: Data Breaches Decreasing

  Decommissioned Police Bodycams Purchased Online Contain Sensitive Data


**********************  Sponsored By Axonius  *******************************

The line between IT and Security is blurring. What was once a simple delineation between keeping information safe and providing the tools necessary to get work done is no longer clear. Download this white paper to learn why asset management -- once a pure IT play -- matters for cybersecurity, and how both IT and security teams can benefit from cybersecurity asset management. | White Paper: Why Does Asset Management Matter for Cybersecurity?

| http://www.sans.org/info/217045



Best Special Offers of the Year with OnDemand Cybersecurity Training

Get an 11" iPad Pro w/ Magic Keyboard, a Microsoft Surface Go 2 (256GB SSD), or Take $350 Off with your OnDemand registration through July 22.

- https://www.sans.org/ondemand/specials

SANS now offers THREE ways to complete a course:

OnDemand | Live Online | In-Person:

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online

- https://www.sans.org/cyber-security-training-events/in-person/north-america

Keep your skills sharp with SANS Online Training:

- The world's top cybersecurity courses

- Taught by real world practitioners

- Ideal preparation for more than 30 GIAC Certifications

Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling

SEC560: Network Penetration Testing and Ethical Hacking

- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking


Upcoming In-Person and Live Online Events:

SANS Summer of Cyber | Jul 27-Aug 1 | Live Online

- https://www.sans.org/event/summer-of-cyber-jul-27


Instructor-Led Training | Aug 3-8 | Live Online

- https://www.sans.org/event/live-online-aug3-2020-mdt


SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online

- https://www.sans.org/event/reboot-nova-2020

SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online

- https://www.sans.org/event/network-security-2020


Test drive a course: https://www.sans.org/course-preview

View the full SANS course catalog and skills roadmap.

- https://www.sans.org/cyber-security-courses

- https://www.sans.org/cyber-security-skills-roadmap




--UK, Canada, and US Say Russian Hackers are Targeting COVID-19 Vaccine Research

(July 16, 2020)

In a joint advisory, government officials from the UK, Canada, and the US said that hackers with ties to Russia have been targeting organizations conducting research on COVID-19 vaccines. Suggestions for mitigating the risk of attack include keeping devices and networks up-to-date; implementing multi-factor authentication; and preventing and detecting lateral movement in networks.

Read more in:

NCSC: Advisory: APT29 targets COVID-19 vaccine development (introduction)


NCSC: Advisory: APT29 targets COVID-19 vaccine development (full advisory: PDF)


Duo: Russian Attackers Target COVID-19 Vaccine Research


Vice: Russia Is Trying to Hack COVID-19 Vaccine Development


MeriTalk: U.S., UK, Canada Warn Against Russian-Led COVID R&D/Vaccine Attacks


The Register: FYI Russia is totally hacking the West's labs in search of COVID-19 vaccine files, say UK, US, Canada cyber-spies


Cyberscoop: Russian government hackers targeting coronavirus vaccine research, UK, US and Canada warn



--Hackers Hijacked High-Profile Twitter Accounts And Used Them in Bitcoin Scam

(July 15 & 16, 2020)

Hackers took over dozens of high-profile Twitter accounts and used them to tweet that if people sent them bitcoin, they would send back twice as much. They received $120,000 worth of the cryptocurrency before the scam was detected and shut down. Twitter says it believes that the hackers targeted Twitter employees in a "coordinated social engineering attack" to take control of the accounts.

[Editor Comments]

[Neely] The hijacked accounts had "Verified" status, which indicates that the account takeover was from the use of Twitter administrator accounts. Multifactor authentication for administrator accounts cannot be optional. Further, limiting where they can login from should be considered.

[Pescatore] Overall, Twitter has kept its infrastructure pretty secure over the years, but this event would be a good hook for raising the "What security actions are needed if our company will continue to rely on social media in general, and Twitter in particular, as a reliable place for business communications functions?" issue to CXOs and Boards of Directors. The flood of disinformation on Twitter and Facebook and others is so high that the risk vs. business value needs to be consciously examined.

[Murray] After an earlier incident like this one, Twitter made a strong authentication option available to its users. These users are the ones for which use of strong authentication is strongly indicated.  

[Honan] This is a great example of why it is so important to have restrictions and fail-safes set into your systems for high privilege accounts. Applying the CIS Critical Security Controls for Effective Cyber Defense and in particular enhanced authentication, verification, and alerting on unusual behaviours are just some of the controls that should be considered to protect these accounts from themselves.

Read more in:

Reuters: Focus falls on bitcoin trail in race to identify Twitter hackers


Wired: A Twitter Hacking Spree Hits Elon Musk, Obama, Apple, and More


ZDNet: Twitter confirms internal tools used in bitcoin-promoting attack


Ars Technica: Twitter lost control of its internal systems to Bitcoin-scamming hackers
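Two of the controls the editors point to, limiting where administrator accounts may be used from and alerting on unusual behaviour, can be expressed as simple detections over an internal tool's audit trail. The following is an added example and is not Twitter's code or anything from the linked articles; the audit-log format and field names, the allowed-country list, the set of "privileged" actions, and the burst threshold are all assumptions, and the log lines are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events from a hypothetical internal account-support
# tool, one JSON object per line. "ZZ" is a placeholder code for an unexpected
# source country; the admin and account names are made up.
SAMPLE_AUDIT_LOG = """\
{"ts": "2020-07-15T20:01:10Z", "admin": "support.alice", "src_country": "US", "action": "view_account", "target": "@coffee_shop", "verified": false}
{"ts": "2020-07-15T20:03:42Z", "admin": "support.alice", "src_country": "US", "action": "email_change", "target": "@local_news", "verified": true}
{"ts": "2020-07-15T20:40:05Z", "admin": "support.bob", "src_country": "ZZ", "action": "email_change", "target": "@celebrity_a", "verified": true}
{"ts": "2020-07-15T20:41:11Z", "admin": "support.bob", "src_country": "ZZ", "action": "2fa_disable", "target": "@celebrity_a", "verified": true}
{"ts": "2020-07-15T20:42:30Z", "admin": "support.bob", "src_country": "ZZ", "action": "email_change", "target": "@exchange_b", "verified": true}
{"ts": "2020-07-15T20:43:02Z", "admin": "support.bob", "src_country": "ZZ", "action": "password_reset", "target": "@exchange_b", "verified": true}
{"ts": "2020-07-15T20:44:19Z", "admin": "support.bob", "src_country": "ZZ", "action": "email_change", "target": "@founder_c", "verified": true}
{"ts": "2020-07-15T21:10:00Z", "admin": "support.carol", "src_country": "IE", "action": "password_reset", "target": "@user_d", "verified": false}
"""

# Actions that hand control of an account to whoever performs them (assumed set).
PRIVILEGED_ACTIONS = {"email_change", "2fa_disable", "password_reset"}


def parse_events(text):
    """Parse JSON-lines audit records, converting the timestamp to a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def flag_unexpected_geo(events, allowed_countries):
    """Any admin-tool activity originating outside the allowed set of countries."""
    return [
        (e["admin"], e["src_country"], e["action"], e["target"])
        for e in events
        if e["src_country"] not in allowed_countries
    ]


def flag_privileged_bursts(events, window=timedelta(minutes=10), threshold=3):
    """One admin performing `threshold` or more privileged actions on verified
    accounts inside `window`. Returns (admin, count, sorted targets) for the
    largest sliding window found per admin."""
    per_admin = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] in PRIVILEGED_ACTIONS and e["verified"]:
            per_admin[e["admin"]].append(e)

    alerts = []
    for admin, evs in per_admin.items():
        best_count, best_targets, start = 0, set(), 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count > best_count:
                best_count = count
                best_targets = {x["target"] for x in evs[start:end + 1]}
        if best_count >= threshold:
            alerts.append((admin, best_count, sorted(best_targets)))
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUDIT_LOG)
    for alert in flag_unexpected_geo(evs, {"US", "IE"}):
        print("GEO  ", alert)
    for alert in flag_privileged_bursts(evs):
        print("BURST", alert)
```

In the constructed log, every action by `support.bob` comes from outside the allowed countries, and the five privileged changes to three verified accounts in under five minutes trip the burst rule; `support.alice` makes one legitimate-looking change and is not flagged. A real deployment would feed the same rules from the tool's audit sink and page on-call staff rather than print.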



--US Legislators Adding Solarium Report Recommendations to Defense Spending Bill

(July 14, 2020)

Cybersecurity recommendations made in the Cyberspace Solarium Commission report, which was released earlier this year, are finding their way into markups of and proposed amendments to the FY 2021 US National Defense Authorization Act (NDAA). This month, the Cyberspace Solarium Commission staff released a list of 54 legislative proposals drawn from the report.

Read more in:

FCW: NDAA process is now loaded with Solarium cyber amendments


Solarium: Legislative Proposals


*****************************  SPONSORED LINKS  ******************************

1) Webcast and hands-on workshop | Join our incredible webcast and hands-on workshop, hosted by Palo Alto Networks as they present "XSOAR HANDS-ON WORKSHOP: Take Your SOC To The Next Level!"

| http://www.sans.org/info/217060

2) Webcast | Join Jake Williams as he presents this informative webcast "An Integrated Approach to Embedding Security into DevOps" | July 22 @ 2:30 GMT


3) Webcast | Waterfall Security hosts our upcoming webcast, "Eight Common OT / Industrial Firewall Mistakes" to discuss how to eliminate the potential for online attacks as a result of misconfiguration.

| http://www.sans.org/info/217065




--Patch Tuesday: Cisco and Oracle

(July 15 & 16, 2020)

Cisco has released fixes for more than 30 vulnerabilities in a variety of products, five of which are rated critical. The critical flaws include two remote code execution vulnerabilities, an authentication bypass, a privilege elevation, and a default credential. Oracle's Critical Patch Update for July 2020 includes nearly 450 fixes for vulnerabilities in multiple products.

[Editor Comments]

[Neely] This is a busy patch week. The trick is getting all these patches installed remotely, with systems which remain on-premise and user systems being remote. Making patch services available to off-site trusted devices without requiring a VPN can increase success and provide for automating patches for those remote systems. Remember that some on-premise systems may need human intervention to reboot after patching, which requires planning and communication.

[Ullrich] Pay attention to the backdoor ("Static Default Credential") Cisco removed from the VPN for its small business RV110W devices. This could be used to obtain unauthorized access to a network protected by the device.

[Murray] Much of the responsibility for and cost of quality of our infrastructure has shifted from the developers to the users. This multiplies the cost and reduces the effectiveness in proportion to the popularity of the product.

Read more in:

The Register: Finally done with all those Patch Tuesday updates? Think again! Here's 33 Cisco bug fixes, with five criticals


Dark Reading: 'Patch ASAP': Cisco Issues Updates for Routers, VPN Firewall


Bleeping Computer: Cisco fixes critical pre-auth flaws allowing router takeover


Cisco: Cisco Security Advisories


Oracle: Oracle Critical Patch Update Advisory - July 2020



--Patch Tuesday Adobe

(July 14, 2020)

On Tuesday, July 14, Adobe released fixes for a total of 13 vulnerabilities affecting five different products: Download Manager, ColdFusion, Genuine Service, Media Encoder and the Creative Cloud Desktop Application. Four of the vulnerabilities are rated critical; the other nine are rated important. The critical flaws are a Symlink vulnerability in Creative Cloud; two out-of-bounds write vulnerabilities in Media Encoder; and a command injection vulnerability in Download Manager.

Read more in:

SC Magazine: Patch Tuesday: Adobe eliminates four critical bugs


Threatpost: Adobe Discloses Critical Code-Execution Bugs in July Update


Bleeping Computer: Adobe fixes critical bugs in Creative Cloud, Media Encoder


Adobe: Security Bulletins and Advisories



--Microsoft Patch Tuesday Addresses 120+ Vulnerabilities, Including Wormable Flaw (SIGRed)

(July 14 & 15, 2020)

On Tuesday, July 14, Microsoft released fixes for more than 120 vulnerabilities across its product line; 18 of the vulnerabilities are rated critical. One of the critical flaws is a "wormable" remote code execution flaw which can spread from machine to machine with no human interaction. Check Point detected the flaw and reported it to Microsoft in May. SIGRed, as Check Point named the flaw, affects Windows DNS servers and can be exploited by sending a malicious request to a vulnerable Windows DNS server. The flaw has been present in Windows DNS Server for 17 years. It has been given a CVSS base score of 10.

[Editor Comments]

[Ullrich] Expect working exploits for CVE-2020-1350 ("SigRed" Microsoft DNS Server Vulnerability) soon, maybe today. So far, only a DoS exploit has been made public. Of course, this vulnerability caught the most attention out of all of the issues patched. Another interesting vulnerability was patched in Outlook. Sadly, this patch caused a lot of problems for Outlook users, and some had to remove it.

[Neely] The DNS flaw was highlighted in CISA Emergency Directive 20-03 (https://us-cert.cisa.gov/ncas/current-activity/2020/07/16/cisa-releases-emergency-directive-critical-microsoft-vulnerability), which urges immediate patching. If you cannot patch immediately, apply the registry fix mitigation to Windows servers running DNS services immediately while completing your regression testing. Note, per Binding Operational Directive 19-02 (https://cyber.dhs.gov/bod/19-02/), Federal Agencies have 15 days to apply this patch.

[Pescatore] Another reminder that IT operations patching performance may have suffered during the transition to working from home. The rise in infection rate in areas of the US and the world may cause more degradation. Worth checking and pushing tighter levels of mitigation if IT ops has been unable to meet patching SLAs or norms.

Read more in:

KrebsOnSecurity: 'Wormable' Flaw Leads July Microsoft Patches


ZDNet: Microsoft July 2020 Patch Tuesday fixes 123 vulnerabilities


Threatpost: Microsoft Tackles 123 Fixes for July Patch Tuesday


Bleeping Computer: Microsoft July 2020 Patch Tuesday: 123 vulnerabilities, 18 Critical!


Check Point: SIGRed - this is not just another vulnerability- Patch now to stop the next cyber pandemic


MSRC: CVE-2020-1350 | Windows DNS Server Remote Code Execution Vulnerability


Wired: Hack Brief: Microsoft Warns of a 17-Year-Old 'Wormable' Bug


Duo: Wormable Flaw in Windows DNS Server Can Take Over IT Networks


Ars Technica: Microsoft urges patching severe-impact, wormable server vulnerability


Dark Reading: Microsoft Patches Wormable RCE Flaw in Windows DNS Servers


Threatpost: Critical DNS Bug Opens Windows Servers to Infrastructure Hijacking


Bleeping Computer: Microsoft patches critical wormable SigRed bug in Windows DNS Server



--Apple Updates: iOS, macOS, and More

(July 15 & 16, 2020)

On Wednesday, July 15, Apple released updates for numerous products, including iOS (13.6), iPadOS (13.6), macOS (10.15.6), Safari (13.1.2), tvOS (13.4.8), and watchOS (6.2.8).

[Editor Comments]

[Neely] The patches include updates for iOS 12.4.8 and watchOS 5.3.8 which contain no CVE entries. The updates to Kernel, Audio, WebKit and Safari occur across the updates with CVE entries, and as such need to be rolled out with your other patch Tuesday updates.

Read more in:

Ars Technica: Apple releases iOS and iPadOS 13.6, macOS 10.15.6, and watchOS 6.2.8


The Register: This week of never-ending security updates continue. Now Apple emits dozens of fixes for iOS, macOS, etc


Support.apple: Apple security updates



--Counterfeit Cisco Devices Caused Network Switch Failures

(July 16, 2020)

An F-Secure investigation into network switch failures at an unnamed IT company found that the problem was caused by counterfeit Cisco devices. The failure occurred after a software upgrade in fall 2019.

[Editor Comments]

[Ullrich] Be careful where you buy equipment. This isn't a new issue. Counterfeit equipment has also been responsible for datacenter fires in the past due to substandard power supplies. Here is an example from 2008: https://www.zdnet.com/article/cisco-partners-sell-fake-routers-to-us-military/: Cisco partners sell fake routers to US military.

[Pescatore] Back in 2008, the FBI operation "Cisco Raider" found over 3,500 counterfeit Cisco devices sold to US government, industry and power plants. The procurement side of supply chain security obviously failed again. Good item to prompt a review of internal procurement controls to prevent this and important to blacklist any integrator or channel supplier that is found to have sold counterfeit gear.

[Neely] These counterfeit devices did not include any discoverable backdoors, indicating these were financially motivated replacements that were very difficult to differentiate from genuine products. The F-Secure analysis provides insight into the steps taken to ensure the fake devices would run the genuine Cisco firmware, including how integrity checks were bypassed. Make sure that your suppliers have adequate controls to assure genuine products are delivered as well as understanding the response plan if a counterfeit device is discovered.

[Murray] The first article is about forensics, the second about "counterfeiting" of Cisco devices. It ends with four recommendations the most important of which is "Source all your devices from authorized resellers," to which I would add "expect to pay market prices."

Read more in:

Labs.F-Secure: The Fake Cisco


SC Magazine: Fake Cisco switches provoked network failures



--IBM X-Force Found Iranian Threat Group Training Videos Online

(July 16, 2020)

IBM's X-Force Incident Response Intelligence Services (IRIS) discovered a server that contained video files of an Iranian threat group's operations. The server contained 40 gigabytes of data. The videos include evidence of stealing data from a US Navy officer and a Greek naval officer.

Read more in:

Security Intelligence: New Research Exposes Iranian Threat Group Operations


Wired: Iranian Spies Accidentally Leaked Videos of Themselves Hacking


ZDNet: Iranian cyberspies leave training videos exposed online


Cyberscoop: Iran-linked hackers steal sensitive data from U.S. Navy member, researchers say



--EU Court of Justice Invalidates Privacy Shield Data Sharing Agreement

(July 16, 2020)

The European Union Court of Justice has ruled that Privacy Shield, the EU/US data sharing agreement, is invalid. The court said that the agreement did not adequately protect EU residents' data when it is sent to the US, and as such, violates EU privacy law. Privacy Shield was created in 2016, after the Safe Harbor agreement was deemed inadequate and after the establishment of Standard Contractual Clauses (SCCs), which remain valid.

[Editor Comments]

[Pescatore] This is a complex issue; make sure your legal counsel is aware of the change. The most immediate pressure will be on companies defined as "Electronic Communication Service Providers" under 50 US 1881. That will be pressure for additional safeguards beyond what might have been defined in existing Standard Contractual Clauses and increased demand for EU citizen data only being stored in EU-located data centers that are under EU regulations and not subject to US mandated surveillance.

[Honan] At the core of this decision was the lack of assurances that could be demonstrated to the ECJ that personal data belonging to those in the EU would not be subjected to US surveillance laws when transferred to the US. This will have implications for many cloud based companies and for US companies operating in the EU who need to transfer personal data back to the US. While the court has deemed the Standard Contractual Clauses as an alternative to relying on Privacy Shield, this could change and more stringent legal agreements put in place. Of note is the statement from the office of the Irish Data Protection Commission (who brought the case to the ECJ) which says "This is an issue that will require further and careful examination, not least because assessments will need to be made on a case by case basis". So watch this space.

Read more in:

Curia: The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield (PDF)


Wired: The European Court of Justice has ruled that Privacy Shield is invalid


Washington Post: Top E.U. court ruling throws transatlantic digital commerce into disarray over privacy concerns


ZDNet: European court strikes down EU-US Privacy Shield user data exchange agreement as invalid


The Register: Privacy Shield binned after EU court rules transatlantic data protection arrangements 'inadequate'


Infosecurity Magazine: EU Court of Justice Deems Privacy Shield Unlawful



--Identity Theft Resource Center: Data Breaches Decreasing

(July 16, 2020)

The Identity Theft Resource Center says that data breaches have decreased during the first quarter of 2020. The organization compiled data from publicly reported breaches in the US during the first three months of 2020.

[Editor Comments]

[Pescatore] I've used the ITRC data for years - one important caveat is that most ransomware attacks have not been considered "breaches" in the past and are often not reported formally or at all. That is starting to change, but many state and local organizations that tightened up controls around sensitive databases to prevent breaches were impacted by ransomware. The main point is to make sure you have basic security hygiene in place before you address attack specific controls.

Read more in:

ID Theft Center: Identity Theft Resource Center Sees a Data Breach Decrease in First Quarter of 2020



--Decommissioned Police Bodycams Purchased Online Contain Sensitive Data

(July 8 & 13, 2020)

A used bodycam purchased on eBay yielded unencrypted video of US military police officers at work. Other decommissioned bodycams purchased online have turned up similar data.

[Editor Comments]

[Neely] Just about every piece of electronic gear contains persistent storage. Decommissioning, repair, warranty returns, and upgrade activities need to include processes for analyzing what is stored and enact device wipe or media removal where appropriate. NIST SP 800-88 has a lot of information and clearing processes, including validation, which can be leveraged. In some cases, where a wipe cannot be assured, working with a recycler that can shred or otherwise destroy the device can make sure that's done properly and avoid the consequences of inadvertent data loss.

Read more in:

Vice: Hackers Are Finding Footage on Police Body Cams They Bought on eBay


GCN: Security researcher finds unencrypted video on bodycam from Fort Huachuca
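The clearing process the editor comment refers to ends with verification: reading the media back and confirming that the overwrite pattern is present and that nothing recognizable remains. The following is an added example and is not code from the page or from any of the linked sources; the 4 KiB block size, the zero-fill pattern, and the single MP4 signature are assumptions, and the two "device images" are constructed in memory to stand in for a raw block device or forensic image.

```python
import math
from collections import Counter

# Constructed stand-ins for images read from decommissioned devices. A real run
# would read the raw block device or a forensic image instead of these bytes.
WIPED_IMAGE = bytes(64 * 1024)  # 64 KiB of zeros: what a clean wipe should look like

# Same size, but one block still holds the start of an MP4 file. Bytes 4..8 of an
# ISO base media (MP4/MOV) file are the "ftyp" box type; the payload is made up.
_fake_video = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x01\x02" * 40
_buf = bytearray(WIPED_IMAGE)
_buf[8192:8192 + len(_fake_video)] = _fake_video
UNWIPED_IMAGE = bytes(_buf)

# Magic bytes to carve for in residual data (only one type here; extend as needed).
FILE_SIGNATURES = {"mp4/mov": b"ftyp"}


def block_entropy(block):
    """Shannon entropy in bits per byte; values near 8 suggest encrypted or compressed data."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def find_signatures(image, signatures=FILE_SIGNATURES):
    """Offsets of known file-type magic bytes anywhere in the image."""
    hits = []
    for name, magic in signatures.items():
        pos = image.find(magic)
        while pos != -1:
            hits.append((name, pos))
            pos = image.find(magic, pos + 1)
    return sorted(hits, key=lambda h: h[1])


def verify_cleared(image, block_size=4096, fill=0x00):
    """Check every block against the expected overwrite pattern and carve for
    file signatures; the image passes only if both checks come back empty."""
    expected = bytes([fill]) * block_size
    residual = []
    for offset in range(0, len(image), block_size):
        block = image[offset:offset + block_size]
        if block != expected[:len(block)]:
            residual.append((offset, round(block_entropy(block), 2)))
    hits = find_signatures(image)
    return {
        "blocks": math.ceil(len(image) / block_size),
        "residual_blocks": residual,   # (offset, entropy) for each non-matching block
        "signatures": hits,            # (type, offset) for each magic-byte hit
        "passed": not residual and not hits,
    }


if __name__ == "__main__":
    for label, img in (("wiped", WIPED_IMAGE), ("unwiped", UNWIPED_IMAGE)):
        print(label, verify_cleared(img))
```

The two checks are complementary: the pattern comparison catches any block the wipe missed regardless of content, while the signature scan gives a quick, human-readable reason to reject a device (here, a video header at offset 8196). Devices whose storage cannot be read back this way are the ones to route to physical destruction, as the comment above suggests.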






MSFT Patch Tuesday

MSFT DNS Server Vulnerability

Outlook Crashes After Patch Tuesday Updates

Adobe Patches

Oracle Quarterly Critical Patch Update

Cisco Backdoors

Twitter Compromise

Apple Updates

SAP PoC Exploit Code Published

SANS.edu Student: Aaron Elyard: KITT

KITT: https://github.com/intrepidtechie/KITT-O365-Tool



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create