SANS Open-Source Intelligence (OSINT) Summit & Training offers immersive cyber security courses and a free Summit!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #62

August 7, 2020

FBI Warns on Windows 7; NSA on Mobile Devices Location Data; Canon and Lafayette (CO) Hit With Ransomware


****************************************************************************

SANS NewsBites               August 7, 2020                Vol. 22, Num. 062

****************************************************************************

TOP OF THE NEWS

 

    FBI Issues Warning on Windows 7 EOL

    NSA: Mobile Devices Expose Location Data

    Canon Hit With Ransomware

    Lafayette, Colorado, Paid Ransomware Demand



REST OF THE NEWS

 

    ES&S Releases New Vulnerability Disclosure Policy

    Twitter Fixes Flaw in Android App

    Trend Micro Report: ICS Protocol Gateway Vulnerabilities

    York, PA: Physical IT Attack Prompts City Hall Closure

    Capital One Fined $80M Over 2019 Breach

    Operation Skeleton Key Stole IP from Taiwanese Semiconductor Companies

    Intel Data Leaked Online


INTERNET STORM CENTER TECH CORNER


***********************  Sponsored By Analyst1  *******************************


Battle Through the Fog and Illuminate Truth | One Powerful Source. Infinite Actionable Insights. Analyst1, engineered by threat analysts, provides a single pane of glass to clarify malicious activities threatening your enterprise. Our intelligence enhances existing software to empower the focus of resources, resulting in swift action supported by insight.

| http://www.sans.org/info/217315

 

****************************************************************************

CYBERSECURITY TRA8NING UPDATE


Best Special Offers of the Year for OnDemand are Ending Soon:

Choose an iPad Pro with Apple Pencil, Surface Go 2, or Take $300 Off through August 19.

- https://www.sans.org/ondemand/specials


SANS now offers THREE ways to complete a course:


OnDemand | Live Online | In-Person:

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online

- https://www.sans.org/cyber-security-training-events/in-person/north-america


Keep your skills sharp with SANS Online Training:

.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications


Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling

SEC560: Network Penetration Testing and Ethical Hacking

- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking

______________________


Upcoming In-Person and Live Online Events:


SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online

- https://www.sans.org/event/baltimore-fall-2020


Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online

- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020


SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online

- https://www.sans.org/event/network-security-2020


SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Reston, VA or Live Online

- https://www.sans.org/event/northern-va-reston-fall-2020

______________________


Test drive a course: https://www.sans.org/course-preview


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/cyber-security-courses

- https://www.sans.org/cyber-security-skills-roadmap


****************************************************************************

TOP OF THE NEWS   


--FBI Issues Warning on Windows 7 EOL

(August 3 & 5, 2020)

On Monday, August 3, the FBI sent out a private industry notification urging organizations to upgrade systems still running on Windows 7. Microsoft ended support for Windows 7 more than six months ago. Microsoft allows Windows 7 systems to upgrade to Windows 10 at no cost. However, older hardware may not have the capacity to support Windows 10, so an upgrade would necessitate purchasing new equipment.


[Editor Comments]


[Neely] Over the last five months, much of the corporate infrastructure has been operated remotely; new systems may have been made remotely accessible which were previously isolated; and lifecycle plans were placed on hold. The security posture of Windows 7 has not improved during this time. Make sure that you don't allow either direct internet access to Windows 7 systems or direct access to your corporate network, remotely or locally from them. Remote workers running Windows 7, not currently behind the corporate perimeter, should be at the top of the equipment replacement list.


[Honan] While companies should migrate to more modern operating systems, the reality is that some computers will remain on older platforms. This is due to dependencies in legacy applications, embedded operating systems in devices, or lack of budget. Your vulnerability management strategy should include how you manage the risks associated with outdated operating systems and software for which no patches or updates may be available. Things to consider should include enhanced monitoring, filtering of network traffic, segmenting vulnerable systems from other parts of your network, and updating both your incident response and business continuity plans.


Read more in:

ZDNet: FBI issues warning over Windows 7 end-of-life

https://www.zdnet.com/article/fbi-issues-warning-over-windows-7-end-of-life/

Document Cloud: Computer Network Infrastructure Vulnerable to Windows 7 End of Life Status, Increasing Potential for Cyber Attacks (PDF)

http://www.documentcloud.org/documents/7013778-FBI-PIN-alert-on-Windows-7-End-of-Life.html

Microsoft: Windows 7 support ended on January 14, 2020

https://support.microsoft.com/en-us/help/4057281/windows-7-support-ended-on-january-14-2020



--NSA: Mobile Devices Expose Location Data

(August 4 & 5, 2020)

The US National Security Agency (NSA) has released an advisory that enumerates ways in which mobile devices leak location data, often by design. The advisory includes suggestions for users to limit the ways they are tracked through their mobile devices. Recommendations include turning off services like find-my-phone, Wi-Fi, and Bluetooth when they are not needed.


[Editor Comments]


[Pescatore] Some location exposure will always be there if you carry a constantly-transmitting device with you all the time. But, Apple and Google on the phone OS side, the wireless carriers on the service side, and (probably most importantly) the FCC on the rules and enforcement side really need to change the priorities to put privacy first, exposure by exception as the norm. Where we are today is like when full SSN and credit card numbers used to be printed on every receipt and displayed everywhere - it doesn't have to happen.


[Neely] Ten years ago, keeping location services disabled was a reasonable option for users. Today, so many devices and mobile activities rely on or leverage location, for some users disabling these services is akin to going offline; NSA acknowledges these measures are impractical for most users. The advice is spot-on for not revealing a sensitive location or staff and should be assessed in those contexts. As John says, the protection measures around location services need to evolve to limit exposure and access to this information.


[Ullrich] Please remember to conduct your own risk assessment before following this guide. The recommendations are good, and it represents a very nice and concise guide to limit location data you leak. But some recommendations, like anti-theft features on the phone, may be better left enabled. It all depends on what you consider the greater risk.


Read more in:

Threatpost: NSA Warns Smartphones Leak Location Data

https://threatpost.com/nsa-warns-smartphones-leak-location-data/158040/

Ars Technica: Beware of find-my-phone, Wi-Fi, and Bluetooth, NSA tells mobile users

https://arstechnica.com/tech-policy/2020/08/beware-of-find-my-phone-wi-fi-and-bluetooth-nsa-tells-mobile-users/

The Register: NSA warns that mobile device location services constantly compromise snoops and soldiers

https://www.theregister.com/2020/08/05/nsa_location_data_guide/

Cyberscoop: Here's the NSA's advice for reducing the exposure of cellphone location data

https://www.cyberscoop.com/nsa-cellphone-location-data-guidance/

Defense: Limiting Location Data Exposure (PDF)

https://media.defense.gov/2020/Aug/04/2002469874/-1/-1/0/CSI_LIMITING_LOCATION_DATA_EXPOSURE_FINAL.PDF

 

--Canon Hit With Ransomware

(August 6, 2020)

Electronics company Canon was the victim of a ransomware attack, according to a leaked internal memo. The memo says that the attack affected Canon's US website, email, collaboration platforms and internal systems. Canon's image.canon cloud image and video storage site experienced an outage in late July. When the service came back online on August 4, Canon noted that some user photos and video were lost.


Read more in:

Bleeping Computer: Canon confirms ransomware attack in internal memo

https://www.bleepingcomputer.com/news/security/canon-confirms-ransomware-attack-in-internal-memo/

The Register: Canon not firing on all cylinders: Fledgling cloud loses people's pics'n'vids, then 'Maze ransomware' hits

https://www.theregister.com/2020/08/06/canon_cloud_down/

Bleeping Computer: Suspicious Canon outage leads to image.canon data loss

https://www.bleepingcomputer.com/news/technology/suspicious-canon-outage-leads-to-imagecanon-data-loss/

Threatpost: Canon Admits Ransomware Attack in Employee Note, Report

https://threatpost.com/canon-ransomware-attack-employee-note/158157/

 

--Lafayette, Colorado, Paid Ransomware Demand

(August 4 & 5, 2020)

The city of Lafayette, Colorado, paid $45,000 to regain access to encrypted data following a ransomware attack. The July 27 attack caused city email, phones, online payments, and reservations to be temporarily unavailable.


Read more in:

Daily Camera: Cyberattack causes Lafayette computer outage; officials pay $45,000 ransom

https://www.dailycamera.com/2020/08/04/cyberattack-causes-lafayette-computer-outage-officials-pay-45000-ransom/

Security Week: Colorado City Pays $45,000 Ransom After Cyber-Attack

https://www.securityweek.com/colorado-city-pays-45000-ransom-after-cyber-attack

City of Lafayette: Cyberattack causes City computer outage

https://cityoflafayette.com/civicalerts.aspx?AID=5729


*******************************  SPONSORED LINKS  ********************************


1) SANS Survey | Take the SANS Cloud Security Survey for an opportunity to win a $150 Amazon gift card | This survey is designed to summarize data in three generalized areas including demographics, cloud architecture, and cloud security. The primary goal of this survey is to better understand if security professionals feel cloud-native security tooling is equivalent to industry-leading security tools, and the decisions behind adoption. | Results will be shared during a webcast on December 15 @ 1:00 PM EST

http://www.sans.org/info/217255


2) Webcast | Mark your calendars for our webcast that will be hosted by SANS Analyst, Serge Borso titled "Securing the Future of Work: How to Achieve Complete Malware and Phishing Protection"  | August 19 @ 2:00 PM EDT

| http://www.sans.org/info/217260


3) Webcast |  Join us for an informative webcast hosted by SANS Instructor, Matt Bromiley as he presents "All for One, One for All: Bringing Data Together with Devo" In this webcast, SANS instructor Matt Bromiley reviews Security Operations as an intuitive solution that empowers analysts to put their data to use. | August 19 @ 12:00 PM EDT

http://www.sans.org/info/217265


****************************************************************************

REST OF THE NEWS


--ES&S Releases New Vulnerability Disclosure Policy

(August 5 & 6, 2020)

Voting machine manufacturer Electronic Systems and Software (ES&S) has announced a new vulnerability disclosure policy in an effort to improve the security of its products. The "policy applies to all digital assets owned and operated by ES&S, including corporate IT networks and public facing websites. (Please note that the WSJ story is behind a paywall.)


[Editor Comments]


[Neely] To reach the point where their systems are trusted requires an appropriate vulnerability disclosure model, devices that are resistant to attacks and sufficient transparency around the security to permit informed decisions related to product selection. Partnering with a company like Synack that has experience with vulnerability disclosure and bug bounties is important to successfully implement that model.


[Ullrich] Election security is tricky. The goal is not just to secure the process, but also to be transparent so the public trusts the results. Opening up the vulnerability discovery process and working with the community may improve the public perception of election security.


[Pescatore] This is a good first step for an organization that has long denied there were problems, but ES&S has definitely not yet earned the trust for anyone to believe that the broad terms in the policy (like "Work in good faith with you...", "Strive to keep you informed" , "Work to remediate discovered vulnerabilities in a timely manner", etc.) will be translated into timely action. ES&S did announce they are working with Synack on a managed bug bounty bug program (a good thing) but I would have really liked to see ES&S CEO Tom Burt do what then Microsoft CEO Bill Gates did in 2002, and what Zoom CEO Eric Yuan did this year when both companies were rocked by severe vulnerabilities in their companies' products: declare security is job 1, stop feature/functionality additions, and put the entire focus on a security push. As the old saying goes, the fish really does swim the way the head is pointed.

 

Read more in:

Wired: Voting Machine Makers Are Finally Playing Nice With Hackers

https://www.wired.com/story/voting-machine-makers-hackers-ess/

The Register: US voting hardware maker's shock discovery: Security improves when you actually work with the community

https://www.theregister.com/2020/08/06/black_hat_ess_bugs/

Threatpost: Black Hat 2020: In a Turnaround, Voting Machine Vendor Embraces Ethical Hackers

https://threatpost.com/black-hat-voting-machine-vendor-embraces-hackers/158085/

WSJ: Hackers Get Green Light to Test Election Voting Systems (paywall)

https://www.wsj.com/articles/hackers-get-green-light-to-test-u-s-voting-systems-11596628099

 
 

--Twitter Fixes Flaw in Android App

(August 5, 2020)

Twitter has fixed a vulnerability in its app for Android devices. The flaw could be exploited to access others' direct messages and other private information. The high-severity flaw lies in a security issue in the Android OS versions 8 and 9.  


[Editor Comments]


[Murray] Consider policies and controls that isolate social networking, browsing, and e-mail applications from mission critical ones.


Read more in:

Threatpost: Twitter Fixes High-Severity Flaw Affecting Android Users

https://threatpost.com/twitter-fixes-high-severity-flaw-affecting-android-users/158060/

Bleeping Computer: Twitter for Android vulnerability gave access to direct messages

https://www.bleepingcomputer.com/news/security/twitter-for-android-vulnerability-gave-access-to-direct-messages/

 

--Trend Micro Report: ICS Protocol Gateway Vulnerabilities

(August 5, 2020)

Researchers at Trend Micro discovered vulnerabilities in protocol gateways, which translate communications between devices used at industrial plants. The most critical of the flaws could be exploited to disable temperature monitoring sensors; the vendor does not plan to release a patch as it considers the product "end-of-life." Other security issues they found include weak encryption implementation and "specific scenarios wherein an attacker could exploit vulnerabilities in the translation function to issue stealth commands that can sabotage the operational process."


[Editor Comments]


[Neely] It is important to understand and track the lifecycle of all the ICS components, particularly those with security functions such as gateways or protocol translators, to keep them updated. Additionally, consider further segmentation of the environment to insulate the system from inappropriate access and achieve defense in depth.


Read more in:

Trend Micro: Lost in Translation: When Industrial Protocol Translation goes Wrong

https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/lost-in-translation-when-industrial-protocol-translation-goes-wrong

Trend Micro: Lost in Translation: When Industrial Protocol Translation Goes Wrong (PDF)

https://documents.trendmicro.com/assets/white_papers/wp-lost-in-translation-when-industrial-protocol-translation-goes-wrong.pdf

Cyberscoop: Researchers uncover vulnerabilities in devices used at industrial facilities

https://www.cyberscoop.com/trend-micro-industrial-protocol-gateways-black-hat/

 

--York, PA: Physical IT Attack Prompts City Hall Closure

(August 6, 2020)

The York, Pennsylvania, city hall has been closed following a physical attack on IT infrastructure there. On Wednesday evening, August 5, a press release noted that "access to ALL city landline phone numbers are down. Additionally, access to city files and services are limited. Some web services may be unavailable as our staff works to repair the damage." Emergency services and other critical operations are functioning.


[Editor Comments]


[Neely] Have you verified that your physical protection measures are resistant to attack? Check for improperly configured single-factor security measures, such as strike plates on electronic locks that don't properly fit the latch, allowing them to be opened with a hook or credit card; motion-based lock releases located above doors that can be triggered externally; or horizontal door levers that can be triggered by sliding a hook under the door. Most importantly, make sure that doors and closets with IT assets are, in fact, kept locked.


Read more in:

Gov Tech: York, Pa., City Hall Closes After Attack on IT Infrastructure

https://www.govtech.com/security/York-Pa-City-Hall-Closes-After-Attack-on-IT-Infrastructure.html

 

--Capital One Fined $80M Over 2019 Breach

(August 6, 2020)

The US Office of the Comptroller of the Currency (OCC) has announced that it is imposing an $80 million fine on Capital One for "the bank's failure to establish effective risk assessment processes prior to migrating significant information technology operations to the public cloud environment and the bank's failure to correct the deficiencies in a timely manner." In 2019, a data breach compromised information belonging to more than 100 million Capital One customers. OCC is an independent bureau of the Department of the Treasury.


Read more in:

ZDNet: Capital One fined $80 million for 2019 hack

https://www.zdnet.com/article/capital-one-fined-80-million-for-2019-hack/

Cyberscoop: US financial regulator fines Capital One $80 million over data breach

https://www.cyberscoop.com/capital-one-breach-penalty-occ/

OCC: OCC Assesses $80 Million Civil Money Penalty Against Capital One

https://www.occ.treas.gov/news-issuances/news-releases/2020/nr-occ-2020-101.html



--Operation Skeleton Key Stole IP from Taiwanese Semiconductor Companies

(August 6, 2020)

Researchers from Taiwanese cybersecurity firm CyCraft say they have found evidence that hackers believed to have ties to China have stolen intellectual property from seven Taiwanese semiconductor companies. The stolen data include source code, software development kits, and chip designs.


Read more in:

Wired: Chinese Hackers Have Pillaged Taiwan's Semiconductor Industry

https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/

ZDNet: Black Hat: Hackers are using skeleton keys to target chip vendors

https://www.zdnet.com/article/black-hat-hackers-are-now-using-cobalt-strike-and-skeleton-keys-to-target-semiconductor-firms/

 

--Intel Data Leaked Online

(August 6, 2020)

Intel is investigating the leak of 20GB of its internal documents online. The documents include source code, schematics, and other intellectual property that belongs to the chip maker. An Intel spokesperson said that the leaked documents include data that is shared with partners and customers under non-disclosure agreements (NDAs).


[Editor Comments]


[Neely] Recently, we've been getting distracted by stories of leaked data with a corresponding ransom demand, which could result in the data no longer being available on line. This time, core information is available which could be used to develop new bios/firmware hacks which will be difficult to mitigate. The hack was successful not only because an unprotected share on their CDN was used, but also because confidential files within that storage had easy-to-guess passwords, such as Intel123. Verify that the security on your CDN is equivalent to or better than your systems, and when using passwords to protect files, use long passphrases that are resistant to cracking or guessing attempts. If user selectable encryption is available, use strong options such as AES to thwart brute force access methods.


Read more in:

Ars Technica: More than 20GB of Intel source code and proprietary data dumped online

https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/

ZDNet: Intel investigating breach after 20GB of internal documents leak online

https://www.zdnet.com/article/intel-investigating-breach-after-20gb-of-internal-documents-leak-online/

The Register: Intel NDA blueprints - 20GB of source code, schematics, specs, docs - spill onto web from partners-only vault

https://www.theregister.com/2020/08/06/intel_nda_source_code_leak/

 

****************************************************************************


INTERNET STORM CENTER TECH CORNER


A Reminder to Patch CVE-2020-3452. Active Exploitation Seen

https://isc.sans.edu/forums/diary/Reminder+Patch+Cisco+ASA+FTD+Devices+CVE20203452+Exploitation+Continues/26426/

 

Internet Choke Points: Concentration of Authoritative Name Servers

https://isc.sans.edu/forums/diary/Internet+Choke+Points+Concentration+of+Authoritative+Name+Servers/26428/

 

FTCode Ransomware Resurfaces

https://isc.sans.edu/forums/diary/A+Fork+of+the+FTCode+Powershell+Ransomware/26434/

 

Malware Analysis Quiz

https://isc.sans.edu/forums/diary/Traffic+Analysis+Quiz+Whats+the+Malware+From+This+Infection/26430/

 

Possible New iOS Jailbreak Affecting Secure Enclave

https://twitter.com/SparkZheng/status/1286599007834271744

 

August Android Patches Released

https://source.android.com/security/bulletin/2020-08-01

 

Exploiting CVE-2020-9854 on MacOS

https://objective-see.com/blog/blog_0x4D.html

 

iOS OAuth2 Vulnerability

https://www.computest.nl/en/knowledge-platform/blog/vulnerability-new-touchid-feature-iCloud-accounts-at-risk-breached/

 

Limiting Location Data Exposure

https://media.defense.gov/2020/Aug/04/2002469874/-1/-1/0/CSI_LIMITING_LOCATION_DATA_EXPOSURE_FINAL.PDF

 

Microsoft Anti-Malware Flagging Host File Manipulation

https://www.bleepingcomputer.com/news/microsoft/windows-10-hosts-file-blocking-telemetry-is-now-flagged-as-a-risk/

 

Reviving Older Printer Vulnerability

https://www.blackhat.com/us-20/briefings/schedule/#a-decade-after-stuxnets-printer-vulnerability-printing-is-still-the-stairway-to-heaven-19685

 
 

****************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create