SANS Open-Source Intelligence (OSINT) Summit & Training offers immersive cyber security courses and a free Summit!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #66

August 21, 2020

Gmail Spoofing; FBI Warns of North Korean Attacks on Defense Contractors


*****************************************************************************

SANS NewsBites               August 21, 2020                Vol. 22, Num. 066

*****************************************************************************


TOP OF THE NEWS

 

  Google Fixes Gmail Spoofing Vulnerability

  CISA, FBI Warn of New North Korean Malware Used in Attacks on Defense Contractors



REST OF THE WEEK'S NEWS


  University of Utah Paid $457,000 to Ransomware Operators

  WannaRen Ransomware Operators Offer Key

  Upstate NY Medical Center Recovering From Cyberattack

  Hackers Used Canva Design Platform to Create Phishing eMails

  Cisco Issues Fix for Critical Flaw in Virtual Wide Area Application Services

  Microsoft Announces End-of-Support Dates for IE 11 and Edge Legacy

  Microsoft Releases Fixes for Flaws in Windows 8.1, Server 2012

  FritzFrog P2P Botnet

  Diebold and NCR Release Fixes for ATM Vulnerabilities


INTERNET STORM CENTER TECH CORNER

*******************  Sponsored By Dragos, Inc.  *****************************


Get the latest insights on threat activity groups from Sergio Caltagirone, Dragos VP of Threat Intelligence including how ICS threats are identified and which industries are most vulnerable. Attend the webinar to learn how to use activity groups to defend against threats.

| http://www.sans.org/info/217390


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


SANS now offers THREE ways to complete a course:




OnDemand | Live Online | In-Person:


- https://www.sans.org/ondemand/


- https://www.sans.org/live-online


- https://www.sans.org/cyber-security-training-events/in-person/north-america



Keep your skills sharp with SANS Online Training:


.        The world's top cybersecurity courses


.        Taught by real world practitioners


.        Ideal preparation for more than 30 GIAC Certifications



SANS Training Special Offer: Get a GIAC Certification Attempt Included or Take $350 Off through September 2 for qualified OnDemand, Live Online, or In-Person Courses.


- https://www.sans.org/ondemand/specials


Top OnDemand Courses


SEC401: Security Essentials Bootcamp Style


- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling


- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling


SEC560: Network Penetration Testing and Ethical Hacking


- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking


______________________



Upcoming In-Person and Live Online Events:



Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online


- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020



SANS Network Security 2020 | September 20-25 | Live Online


- https://www.sans.org/event/network-security-2020



SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Live Online


- https://www.sans.org/event/northern-va-reston-fall-2020




Oil & Gas Cybersecurity Summit | October 2-10 | Live Online


- https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/




- SANS Cyber Defense Initiative(R) 2020 | Dec 14-19 | Washington, DC or Live Online


https://www.sans.org/event/cyber-defense-initiative-2020


______________________



Test drive a course: https://www.sans.org/course-preview



View the full SANS course catalog and skills roadmap.


- https://www.sans.org/cyber-security-courses


- https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************

TOP OF THE NEWS   

 

--Google Fixes Gmail Spoofing Vulnerability

(August 20, 2020)

Google has fixed a security issue affecting Gmail and G Suite that could have been exploited to spoof email messages and make them appear to be compliant with Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting, and Conformance (DMARC). Google was notified of the issue on April 3, 2020.


[Editor Comments]


[Neely] The first exploit takes advantage of an internal server which is trusted to relay email, which can potentially work on any email service. Make sure that your email relays are configured to relay email only from authorized services and verify which domains can send email on your behalf. Make sure you verify your SPF, DKIM, and DMARC settings are set and working as intended.


Read more in:

ZDNet: Google fixes major Gmail bug seven hours after exploit details go public

https://www.zdnet.com/article/google-fixes-major-gmail-bug-seven-hours-after-exploit-details-go-public/

Bleeping Computer: Google fixes Gmail bug allowing attackers to send spoofed emails

https://www.bleepingcomputer.com/news/security/google-fixes-gmail-bug-allowing-attackers-to-send-spoofed-emails/

ezh: The Confused Mailman: Sending SPF and DMARC passing mail as any Gmail or G Suite customer

https://ezh.es/blog/2020/08/the-confused-mailman-sending-spf-and-dmarc-passing-mail-as-any-gmail-or-g-suite-customer/


 

--CISA, FBI Warn of New North Korean Malware Used in Attacks on Defense Contractors

(August 19 & 20, 2020)

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint malware analysis report regarding malware they say North Korean hackers have been using in attacks against US defense contractors. The BLINDINGSCAN trojan is capable of harvesting information about infected systems; reading, writing, and executing files; and deleting its tracks.


[Editor Comments]


[Neely] The exploit is delivered via Microsoft Word XML documents and two DLLs which install the Hidden Cobra RAT. The CISA report includes information on suggested response actions and mitigation techniques along with information on the HIDDEN COBRA actors. The U.S. Army has also published a report (https://www.documentcloud.org/documents/7038686-US-Army-report-on-North-Korean-military.html) that includes information used for response training that details military tactics, weapons arsenal, command structure, troop types, logistics, and electronic warfare capabilities used by the Korean People's Army (KPA).


Read more in:

Bleeping Computer: US govt exposes new North Korean BLINDINGCAN backdoor malware

https://www.bleepingcomputer.com/news/security/us-govt-exposes-new-north-korean-blindingcan-backdoor-malware/

ZDNet: CISA warns of BLINDINGCAN, a new strain of North Korean malware

https://www.zdnet.com/article/cisa-warns-of-blindingcan-a-new-strain-of-north-korean-malware/

Cyberscoop: FBI, DHS expose North Korean government malware used in fake job posting campaign

https://www.cyberscoop.com/north-korean-government-malware-hacking-fake-job-fbi-dhs/

SC Magazine: DHS and FBI warn of North Korean malware targeted at defense contractors

https://www.scmagazine.com/home/security-news/dhs-and-fbi-warn-of-north-korean-malware-targeted-at-defense-contractors/

CISA: MAR-10295134-1.v1 - North Korean Remote Access Trojan: BLINDINGCAN

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a


******************************  SPONSORED LINKS  *******************************


1) Webcast | Join Google Cloud Security's Ansh Patnaik and Dr. Anton Chavakin, with SANS moderator Matt Bromiley for our upcoming webcast, "Rethinking Security Detection in an XDR World"  to learn more about the dimensions of modern security analytics that will enable you to fully unleash your XDR investment. | August 27 @ 12:30 PM EDT

| http://www.sans.org/info/217395


2) Webcast | Our upcoming webcast, "How to Improve Threat Detection and Hunting in the AWS Cloud Using the MITRE ATT&CK(R)  Matrix", chaired by SANS expert Dave Shackleford and Ross Warren from AWS Marketplace, will discuss the exercise of applying the MITRE ATT&CK Matrix to the AWS Cloud. | September 1 @ 3:30 PM EDT

| http://www.sans.org/info/217400


3) Webcast | In our upcoming educational SANS webinar, "Ask the IoT/OT Security Experts: Industrial Cyber Resilience Beyond Covid-19", security experts from MundiPharma, Saint Gobain and EWZ (Zurich electric utility) will discuss the following: 1) What cybersecurity teams learned during the initial response to Covid-19 2) How they implemented IoT/OT cybersecurity best practices without disrupting business operations 3) Recommendations for minimizing cyber attacks during this challenging time| September 3 @ 10:30 AM EDT

| http://www.sans.org/info/217405


*****************************************************************************

REST OF THE NEWS  

 

--University of Utah Paid $457,000 to Ransomware Operators

(August 20 & 21, 2020)

The University of Utah has revealed that it paid ransomware operators more than $450,000 to prevent stolen data from being leaked. The university was able to restore computer systems from backups. The attack occurred in mid-July.  


Read more in:

attheu: University of Utah update on data security incident

https://attheu.utah.edu/facultystaff/university-of-utah-update-on-data-security-incident/

ZDNet: University of Utah pays $457,000 to ransomware gang

https://www.zdnet.com/article/university-of-utah-pays-457000-to-ransomware-gang/

 
 

--WannaRen Ransomware Operators Offer Key

(August 19, 2020)

A ransomware group responsible for spreading WannaRen ransomware earlier this year has offered up the malware's decryption key. WannaRen infected tens of thousands of computers belonging to Chinese and Taiwanese companies and home users. WannaRen uses the EternalBlue exploit, which WannaCry operators used in May 2017. Within a week, the malware spread more widely than the operators had intended, so they contacted a cybersecurity company and offered the master decryption key.


Read more in:

ZDNet: WannaRen ransomware author contacts security firm to share decryption key

https://www.zdnet.com/article/wannaren-ransomware-author-contacts-security-firm-to-share-decryption-key/


 

--Upstate NY Medical Center Recovering From Cyberattack

(August 20, 2020)

Samaritan Medical Center in Watertown, New York, is recovering from an unspecified cyberattack that occurred in late July. The attack prevented medical care providers from accessing patients' electronic medical records. The payroll and accounting systems were affected as well. The facility has continued to care for patients.


Read more in:

Cyberscoop: Weeks after malware disruption, New York hospital is getting back online

https://www.cyberscoop.com/samaritan-medical-center-new-york-malware-recovery/


 

--Hackers Used Canva Design Platform to Create Phishing eMails

(August 18, 2020)

Hackers hijacked Australian design platform Canva and used it to create graphics to lend legitimacy to phishing campaigns. More than 4,200 phishing emails have been generated through Canva since February 2020.


Read more in:

SC Magazine: Hackers hijack design platform to go phishing

https://www.scmagazine.com/home/security-news/phishing/hackers-hijack-design-platform-to-go-phishing/

 
 

--Cisco Issues Fix for Critical Flaw in Virtual Wide Area Application Services

(August 19 & 20, 2020)

On Wednesday, August 19, Cisco released a fix for a critical vulnerability in its Virtual Wide Area Application Services (vWAAS). The flaw could be exploited to obtain administrator privileges without authentication. Cisco also released two high-severity advisories that address vulnerabilities in Cisco Video Surveillance 8000 Series IP cameras and Cisco Smart Software Manager On-Prem (SSM On-Prem), and 21 medium severity advisories.


Read more in:

Threatpost: Cisco Critical Flaw Patched in WAN Software Solution

https://threatpost.com/cisco-critical-flaw-patched-in-wan-software-solution/158485/

ZDNet: Cisco bug warning: Critical static password flaw in network appliances needs patching

https://www.zdnet.com/article/cisco-bug-warning-critical-static-password-flaw-in-network-appliances-needs-patching/

Cisco: Cisco vWAAS for Cisco ENCS 5400-W Series and CSP 5000-W Series Default Credentials Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-waas-encsw-cspw-cred-hZzL29A7

Cisco: Cisco Security Advisories

https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir&offset=20#~Vulnerabilities

 
 

--Microsoft Announces End-of-Support Dates for IE 11 and Edge Legacy

(August 19, 2020)

In a blog post on Monday, August 17, Microsoft announced that is it phasing out support for Internet Explorer 11 (IE 11). The Microsoft Teams web app will stop supporting IE 11 as of November 20, 2020; Microsoft 365 apps and services will end support for IE 11 as of August 17, 2021. Microsoft also announced that it will be ending support for Edge Legacy as of March 9, 2021.


[Editor Comments]


[Neely] Microsoft is encouraging users to move to the new Microsoft Edge, aka Chromium Edge, which includes an IE emulation mode, which will help some legacy apps work. IE 11 emulation mode will not be able to access Microsoft 365 apps and Teams, after the dates above, because the user agent string identifies the browser as IE 11. Legacy plugins, such as Silverlight, won't work in the new Edge browser, so you may have to provide a sandboxed or virtual legacy browser for those apps which still require it.


Read more in:

Tech Community: Microsoft 365 apps say farewell to Internet Explorer 11 and Windows 10 sunsets Microsoft Edge Legacy

https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666

Ars Technica: Microsoft takes one more step toward the death of Internet Explorer

https://arstechnica.com/gadgets/2020/08/microsoft-takes-one-more-step-towards-the-death-of-internet-explorer/

 
 

--Microsoft Releases Fixes for Flaws in Windows 8.1, Server 2012

(August 20, 2020)

Microsoft has released an unscheduled security update to address two high-severity vulnerabilities in Windows 8.1 and Windows Server 2012. Both issues are elevation-of-privilege vulnerabilities that exist in the Windows Remote Access service. The flaws were first disclosed on August 11 in Microsoft's scheduled Patch Tuesday release, but those patches excluded fixes for Windows 8.1 and Server 2012.


[Editor Comments]


[Neely] For now, there is neither a published exploit nor exploitation in the wild. There is no workaround other than applying the patch. Updates for these vulnerabilities were included in updates for other operating systems you're already deploying. While mainstream support for Windows 8.1 and Server 2008 ended in late 2018, and you can obtain extended support to 2023, it is time to upgrade or replace these systems with more current products such as Windows 10/Server 2019.


Read more in:

Threatpost: Microsoft Out-of-Band Security Update Fixes Windows Remote Access Flaws

https://threatpost.com/microsoft-out-of-band-security-update-windows-remote-access-flaws/158511/

Microsoft: Security update for Windows 8.1, RT 8.1, and Server 2012 R2: August 19, 2020

https://support.microsoft.com/en-us/help/4578013/security-update-for-windows-8-1-rt-8-1-and-server-2012-r2

 

--FritzFrog P2P Botnet

(August 19 & 20, 2020)

A peer-to-peer (P2P) botnet dubbed FritzFrog has launched attacks against more than 500 SSH servers at government agencies and private companies over the past eight months. FritzFrog installs backdoors and cryptominers on servers it infects.


Read more in:

ZDNet: New FritzFrog P2P botnet has breached at least 500 enterprise, government servers

https://www.zdnet.com/article/new-fritzfrog-p2p-botnet-has-breached-at-least-500-enterprise-government-servers/

Threatpost: FritzFrog Botnet Attacks Millions of SSH Servers

https://threatpost.com/fritzfrog-botnet-millions-ssh-servers/158489/

HealthITSecurity: Brute-Force P2P Botnet Targeting SSH Servers of Medical Centers, Banks

https://healthitsecurity.com/news/brute-force-p2p-botnet-targeting-ssh-servers-of-medical-centers-banks

Guardicore: Fritzfrog: A New Generation of Peer-to-Peer Botnets

https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/

 

--Diebold and NCR Release Fixes for ATM Vulnerabilities

(August 20, 2020)

Security flaws in ATMs made by Diebold Nixdorf and NCR could be exploited to modify the amount of currency being deposited to a payment card. Known as "deposit forgery" attacks. Vulnerability notes from Carnegie Mellon University's CERT Coordination Center say that the problem is due to the fact that the affected machines "do not encrypt, authenticate, or verify the integrity of messages between [Diebold's cash and check deposit module (CCDM) and NCR's bunch note accepter (BNA)] and the host computer."


[Editor Comments]


[Pescatore] This attack requires physical access to succeed, but it's important to note that the Diebold Nixdorf and NCR products were built assuming they would be used on trusted networks and "do not encrypt, authenticate, or verify the integrity of messages". This is all too common a flaw in "operational technology" that was designed with the assumption that only good guys would have access to the network on which the OT device was deployed. Detailed code review by security experts will often point this out; simple external vulnerability scanning will usually not. There are very few scenarios anymore where sensitive traffic over any network should not at least have integrity controls, if not encryption.


[Neely] Operational Technology, such as ATMs, often depends on physical rather than logical security protections; the lock on the door coupled with segmented or isolated networks and often do not include appropriate protections for a traffic across the corporate backbone or the Internet. Even worse, the purpose-built systems may not have the capacity to add encryption or integrity checks, which means you need to implement external controls.


[Murray] It is ironic that the first public use of cryptography was for ATMs. The Data Encryption Standard (DES) was developed from the LUCIFER implementation used in early ATMs.  



Read more in:

ZDNet: ATM makers Diebold and NCR deploy fixes for 'deposit forgery' attacks

https://www.zdnet.com/article/atm-makers-diebold-and-ncr-deploy-fixes-for-deposit-forgery-attacks/

CERT: Diebold Nixdorf ProCash 2100xe USB ATM does not adequately secure communications between CCDM and host

https://kb.cert.org/vuls/id/221785

CERT: NCR SelfServ ATM BNA contains multiple vulnerabilities

https://kb.cert.org/vuls/id/815655

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Using APIs to Track Attackers

https://isc.sans.edu/forums/diary/Using+APIs+to+Track+Attackers/26472/

 

Example of a Word Document Delivering Qakbot

https://isc.sans.edu/forums/diary/Example+of+Word+Document+Delivering+Qakbot/26482/

 

Office 365 Mail Forwarding Rules (and other Mail Rules too)

https://isc.sans.edu/forums/diary/Office+365+Mail+Forwarding+Rules+and+other+Mail+Rules+too/26484/

 

Jenkins Security Advisory

https://www.jenkins.io/security/advisory/2020-08-17/

 

Chrome Will Warn of Insecure Forms

https://blog.chromium.org/2020/08/protecting-google-chrome-users-from.html

 

Cryptojacking Worm Steals AWS Credentials

https://www.helpnetsecurity.com/2020/08/18/worm-steals-aws-credentials/

 

PGP/SMime Implementation Weaknesses (PDF)

https://www.nds.ruhr-uni-bochum.de/media/nds/veroeffentlichungen/2020/08/15/mailto-paper.pdf

 

Reminder: September 1st Certificate Expiration Change

https://www.ssl.com/blogs/398-day-browser-limit-for-ssl-tls-certificates-begins-september-1-2020/


Windows 8.1 / 2012 Special Patch

https://support.microsoft.com/en-us/help/4578013/security-update-for-windows-8-1-rt-8-1-and-server-2012-r2

 

Fileless Cryptomining Worm

https://www.helpnetsecurity.com/2020/08/19/fileless-worm-p2p-botnet/

 

Spoofing GMail/GSuite Customers

https://ezh.es/blog/2020/08/the-confused-mailman-sending-spf-and-dmarc-passing-mail-as-any-gmail-or-g-suite-customer/

 

Microsoft Updates DisableAntiSpyware Registry Key

https://docs.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/security-malware-windows-defender-disableantispyware

 

Acoustic Based Physical Key Inference (PDF)

https://www.comp.nus.edu.sg/~junhan/papers/SpiKey_HotMobile20_CamReady.pdf

 

*****************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create