Join us for the FREE Cyber Defense Forum | Live Online on October 9

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #67

August 25, 2020


Uber CSO Indicted for Breach Coverup;  CISA 5G Strategy; iOS SDK Malicious Code


****************************************************************************

SANS NewsBites               August 25, 2020               Vol. 22, Num. 067

****************************************************************************


TOP OF THE NEWS


  Former Uber CSO Indicted for Covering Up 2016 Breach

  CISA Releases 5G Security Strategy

  Malicious Code Found in Mintegral iOS SDK



REST OF THE WEEK'S NEWS

 

  Canpar Express Hit with Ransomware       

  FBI and CISA Release "Vishing" Warning

  Zoom Outages Fixed

  Flaw in WooCommerce NAB Transact Extension

  Freepik Data Breach Affects 8.3M Users

  MITRE Active Defense Framework

  Fix Available for BIND 9 Denial-of-Service Issue


INTERNET STORM CENTER TECH CORNER

*******************  Sponsored By AWS Marketplace  *************************


Webcast | August 27th @ 2:00 pm EDT | This webinar is dedicated to teaching sophisticated security practitioners, cloud architects and senior security leadership how to:

Gain visibility and operations at scale;

Onboard diverse data sources to eliminate blind spots;

Quickly surface threats and accelerate responses;

Leverage AWS services and AWS Marketplace solutions achieve your goals.

Join Dave Shackleford, SANS and Chris Chapman, AWS for this informative session.


| http://www.sans.org/info/217410


****************************************************************************

CYBERSECURITY TRAINING UPDATE


SANS now offers THREE ways to complete a course:




OnDemand | Live Online | In-Person:


- https://www.sans.org/ondemand/


- https://www.sans.org/live-online


- https://www.sans.org/cyber-security-training-events/in-person/north-america




Keep your skills sharp with SANS Online Training:


.        The world's top cybersecurity courses


.        Taught by real world practitioners


.        Ideal preparation for more than 30 GIAC Certifications




SANS Training Special Offer: Get a GIAC Certification Attempt Included or Take $350 Off through September 2 for qualified OnDemand, Live Online, or In-Person Courses.


- https://www.sans.org/ondemand/specials




Top OnDemand Courses


SEC401: Security Essentials Bootcamp Style


- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling


- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling


SEC560: Network Penetration Testing and Ethical Hacking


- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking


______________________




Upcoming In-Person and Live Online Events:




Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online


- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020




SANS Network Security 2020 | September 20-25 | Live Online


- https://www.sans.org/event/network-security-2020




SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Live Online


- https://www.sans.org/event/northern-va-reston-fall-2020




Oil & Gas Cybersecurity Summit | October 2-10 | Live Online


- https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/




SANS Cyber Defense Initiative(R) 2020 | Dec 14-19 | Washington, DC or Live Online


- https://www.sans.org/event/cyber-defense-initiative-2020


______________________




Test drive a course: https://www.sans.org/course-preview




View the full SANS course catalog and skills roadmap.


- https://www.sans.org/cyber-security-courses


- https://www.sans.org/cyber-security-skills-roadmap

 

****************************************************************************

TOP OF THE NEWS   

 

--Former Uber CSO Indicted for Covering Up 2016 Breach

(August 20 & 21, 2020)

Former Uber CSO Joseph Sullivan has been indicted for allegedly covering up a 2016 data breach at the company. The breach compromised personal data belonging to 57 million Uber drivers and passengers; the information included Uber drivers driver's license numbers. Sullivan allegedly failed to disclose the breach while the FTC was investigating a 2014 breach at the company.   


[Editor Comments]


[Paller] There is a more subtle lesson here than the need to follow the rules. As security becomes more core to enterprise success, security practitioners will increasingly be caught up in decisions involving CEOs and attorneys. When the CEO believes that he does not need to follow the rules, the resulting culture of criminality corrupts good people by implicitly or explicitly threatening their high-paid jobs if they don't "go along." The bottom line: if you work for an executive who expects his/her people to break the rules, get out quickly.


[Pescatore] Over the past several years, Uber has become the poster child for dysfunctional management in many areas - not surprising to see security management being accused of being part of the problem. This is a good cautionary tale to use with CXOs, legal counsel, and boards to illustrate the high risks of trying to downplay or hide incidents.  


[Neely] Sullivan reportedly received an email from the hacker informing him of the 2016 breach and, rather than report the breach, paid the attackers $100,000 USD in bitcoin via a bug bounty program and had attackers sign a non-disclosure agreement (NDA) asserting no data was stolen or stored.


[Murray] The specific criminal charge is "obstruction of justice." This may be the first time that a failure to disclose a breach has been treated as a crime rather than a tort.  


Read more in:

Wired: A Former Uber Exec's Indictment Is a Warning Shot

https://www.wired.com/story/uber-exec-joe-sullivan-data-breach-indictment/

NYT: Former Uber Security Chief Charged With Concealing Hack

https://www.nytimes.com/2020/08/20/technology/joe-sullivan-uber-charged-hack.html

Threatpost: Former Uber CSO Charged With Paying 'Hush Money' in 2016 Breach Cover-Up

https://threatpost.com/former-uber-cso-charged-with-paying-hush-money-in-2016-breach-cover-up/158540/

Justice: Former Chief Security Officer For Uber Charged With Obstruction Of Justice

https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-charged-obstruction-justice


 

--CISA Releases 5G Security Strategy

(August 24, 2020)

On Monday, August 24, the US Cybersecurity and Infrastructure Security Agency (CISA) released a strategy to defend 5G networks against threats. The strategy "establishes five strategic initiatives that seek to advance the deployment of a secure and resilient 5G infrastructure."


[Editor Comments]


[Neely] CISA is moving to raise awareness and reduce risks through these initiatives. By leveraging existing and new partnerships, they hope to maximize the capabilities and security of 5G. They include policy, including security, supply chain, partnerships, innovation and sharing of risk management information, which will result in a foundation that should be leveraged to reach these goals.


[Murray] Much of the discussion of 5G networks, led by the carriers, has focused on the high speed and low latency of the communication services they offer. However, this defensive  strategy is about the "nodes," the devices and their applications, in the network rather than merely the "links." These are the responsibility of the developers and managers of the applications, not the carriers.  


Read more in:

The Hill: Federal cyber agency releases strategy to secure 5G networks

https://thehill.com/policy/cybersecurity/513449-federal-cyber-agency-releases-strategy-to-secure-us-5g-networks

CISA: CISA 5G Strategy|Ensuring the Security and Resilience of 5G Infrastructure In Our Nation (PDF)

https://www.cisa.gov/sites/default/files/publications/cisa_5g_strategy_508.pdf

 
 

--Malicious Code Found in Mintegral iOS SDK

(August 24, 2020)

A report from Snyk describes malicious code it detected in an iOS software development kit (SDK) that has been used in more than 1,200 apps; the vulnerable apps have been downloaded a collective total of more than 300 million times. The Mintegral iOS SDK collects user data and steals clicks from ads commits advertising attribution fraud.   


[Editor Comments]


[Neely] By using method swizzling, the Mintegral SDK captures advertising activities, registering them as accesses to their advertising, in addition to the legitimate ad accessed. As the last registered click gets the attribution, their second registration wins, and they get the revenue. While the debate about the SDK also being used to capture privacy information continues, the new iOS 14 privacy disclosure prompts should allow users to identify the behavior and make informed choices.  


[Murray] Apparently, the appeal of the Mintegral SDK is that it produces apps for both iOS and other environments, which, of course, the Apple SDK does not do. However, Mintegral denies any "fraud or invasion of privacy," claims that it uses an Apple API, and cites an Apple e-mail that states that Apple does not have evidence that Mintegral has "harmed users." Users should read the statements from Apple in the last two paragraphs of the ZDNet report.


Read more in:

Snyk: SourMint Malicious SDK

https://snyk.io/research/sour-mint-malicious-sdk/

ZDNet: Report claims a popular iOS SDK is stealing click revenue from other ad networks

https://www.zdnet.com/article/report-claims-a-popular-ios-sdk-is-stealing-click-revenue-from-other-ad-networks/

Dark Reading: Large Ad Network Collects Private Activity Data, Reroutes Clicks

https://www.darkreading.com/mobile/large-ad-network-collects-private-activity-data-reroutes-clicks/d/d-id/1338733


***************************  SPONSORED LINKS  ******************************


1) Threat Hunting Summer Camp | Earn 2 CPE Credits While Building Your Threat Hunting Skills

| http://www.sans.org/info/217415


2) Webcast |  Join NetEnrich and IBM for an outcome-driven look at the new approach regarding SOC-aaS in our upcoming webcast,  "To build or not to build: Can SOC-aaS bridge your security skills gap?" | August 27 @ 1:00 PM EDT

| http://www.sans.org/info/217420


3) Webcast | Tune into our upcoming webcast, "Making the Digital Transformation: Re-evaluating your Security - How Automated Static Analysis Solves the Next Gen Security Challenges" | August 27 @ 10:30 AM EDT

| http://www.sans.org/info/217425


****************************************************************************

REST OF THE NEWS   

 

--Canpar Express Hit with Ransomware       

(August 22 & 24, 2020)

The internal computer systems at Canadian delivery company Canpar Express were infected with ransomware last week. Customers complained of delayed deliveries. On Monday, August 24, files that appear to have been taken from Canpar systems were leaked on the dark web.


[Editor Comments]


[Murray] At this late stage in the game, continued vulnerability to ransomware is reckless. Resist corruption of your programs and data using "least privilege" access control and lateral compromises within the enterprise using strong authentication, structured networks, and end-to-end application-layer encryption.  


Read more in:

Freightwaves: Files from TFI's Canpar leak after ransomware attack

https://www.freightwaves.com/news/files-from-tfis-canpar-leak-after-ransomware-attack

montreal.ctvnews: Customers complain of delays after ransomware attack on delivery company Canpar Express

https://montreal.ctvnews.ca/customers-complain-of-delays-after-ransomware-attack-on-delivery-company-canpar-express-1.5074228

The Register: Canadian shipping company Canpar gets an unwanted delivery - ransomware

https://www.theregister.com/2020/08/24/in_brief_security/

 
 

--FBI and CISA Release "Vishing" Warning

(August 18, 20, & 21, 2020)

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) has issued a joint advisory warning of an increase in the threat of voice phishing, or "vishing," attacks targeting people working from home during the pandemic. The attackers call their targeted victims and, pretending to be IT desk employees, tell them they need to use a different VPN login page. They then direct the victims to specially-crafted pages that harvested their VPN credentials. The advisory offers mitigation advice for organizations and end-users.


[Editor Comments]


[Neely] This is not the upgraded VPN you're looking for. Part of the trick here is they are calling users' cell numbers with a caller ID that maps to a corporate number. As the users are remote, your VoIP firewall can't intervene. Another component is processes enacted to eliminate in-person validation are being exploited. A prime target here is new-hires. When doing remote validation, make sure to include a video component, comparing the photo on government issued ID to the worker. Other mitigations include watching for look-alike domains, restricting VPN access to known (ideally managed) good devices, and restricting login times.


Read more in:

FCW: Voice phishing attacks on the rise, CISA, FBI warn

https://fcw.com/articles/2020/08/21/johnson-vishing-cisa-fbi.aspx

KrebsOnSecurity: FBI, CISA Echo Warnings on 'Vishing' Threat

https://krebsonsecurity.com/2020/08/fbi-cisa-echo-warnings-on-vishing-threat/

KrebsOnSecurity: Cyber Criminals Take Advantage of Increased Telework Through Vishing Campaign (PDF)

https://krebsonsecurity.com/wp-content/uploads/2020/08/fbi-cisa-vishing.pdf

Wired: The Attack That Broke Twitter Is Hitting Dozens of Companies

https://www.wired.com/story/phone-spear-phishing-twitter-crime-wave/

KrebsOnSecurity: Voice Phishers Targeting Corporate VPNs

https://krebsonsecurity.com/2020/08/voice-phishers-targeting-corporate-vpns/

 
 

--Zoom Outages Fixed

(August 24, 2020)

Video communications company Zoom experienced outages on Monday, August 24. The majority of the outages affected users in the UK and on the East Coast of the US. The issues were resolved shortly after 1:00pm ET (5:00pm UTC.)


[Editor Comments]


[Neely] Zoom has a service status page (https://status.zoom.us) which has information about updates as well as service interruptions, including past issues. Consider subscribing to their email updates for a more active notification. The total outage was about 4.5 hours, with the majority of users back online after about 2 hours.


Read more in:

ZDNet: Zoom outage fix deployed: Videoconferencing services being restored now

https://www.zdnet.com/article/zoom-outage-fix-deployed-videoconferencing-services-being-restored-now/

The Verge: Zoom is working again, even if you're not

https://www.theverge.com/2020/8/24/21398900/zoom-down-outages-us-uk-meetings-webinars

Bleeping Computer: Zoom went down and schools got a digital snow day

https://www.bleepingcomputer.com/news/technology/zoom-went-down-and-schools-got-a-digital-snow-day/

The Hill: Zoom reports widespread outages impacting schools, hearings

https://thehill.com/policy/technology/513381-zoom-reports-widespread-outages-impacting-schools-hearings

 
 

--Flaw in WooCommerce NAB Transact Extension

(August 20 & 24, 2020)

A critical payment bypass vulnerability in the WooCommerce NAB Transact extension could be exploited to make it appear to vendors that orders have been paid in full. The NAB extension, which is from National Australia Bank, lets online vendors process payment card transactions within their websites. Users are urged to upgrade to version 2.1.2.


Read more in:

Portswigger: Virtual shoplifting: Critical flaw found in WooCommerce extension NAB Transact

https://portswigger.net/daily-swig/virtual-shoplifting-critical-flaw-found-in-woocommerce-extension-nab-transact

Seclists: Payment bypass in WordPress - WooCommerce - NAB Transact plugin disclosure

https://seclists.org/fulldisclosure/2020/Aug/13

 
 

--Freepik Data Breach Affects 8.3M Users

(August 21, 2020)

Hackers used an SQL injection attack to steal email addresses and password hashes belonging to 8.3 million Freepik and Flaticon users. Freepik is a website that offers free photos and design graphics.


[Editor Comments]


[Neely] Make sure that your apps are sanitizing input, separate from your WAF. Regular web application scanning can be used to ensure this remains implemented as well as reveal issues prior to an attacker doing so. Ideally scan with and without the WAF to verify its operation, as well.


[Murray] Checking inputs is difficult but essential, particularly in public facing applications. That said, the detection and elimination of SQL commands should be the "low hanging fruit."


Read more in:

Freepik: Statement on Security Incident at Freepik Company

https://www.freepik.com/blog/statement-on-security-incident-at-freepik-company/

ZDNet: Free photos, graphics site Freepik discloses data breach impacting 8.3M users

https://www.zdnet.com/article/free-photos-graphics-site-freepik-discloses-data-breach-impacting-8-3m-users/

Bleeping Computer: Freepik data breach: Hackers stole 8.3M records via SQL injection

https://www.bleepingcomputer.com/news/security/freepik-data-breach-hackers-stole-83m-records-via-sql-injection/

 
 

--MITRE Active Defense Framework

(August 24, 2020)

MITRE's Shield active cyber defense framework is designed to help organizations "engage... an active cyber defense." The Shield Active Defense Matrix cross-references tactics - what defenders want to accomplish - with techniques for achieving those tactics.


Read more in:

Dark Reading: MITRE Releases 'Shield' Active Defense Framework

https://www.darkreading.com/attacks-breaches/mitre-releases-shield-active-defense-framework-/d/d-id/1338741

MITRE: Shields Up: A Good Cyber Defense is an Active Defense

https://www.mitre.org/publications/project-stories/shields-up-a-good-cyber-defense-is-an-active-defense

Shield.mitre: Active Defense Matrix

https://shield.mitre.org/matrix/

 
 

--Fix Available for BIND 9 Denial-of-Service Issue

(August 24, 2020)

A security flaw affecting BIND name server versions 9.16.1 through 9.17.1 could be exploited to cause denial-of-service conditions on vulnerable devices. Updated versions of BIND address this buffer overflow vulnerability as well as several less severe flaws.  


Read more in:

Duo: Serious DoS Bug Patched in BIND 9

https://duo.com/decipher/serious-dos-bug-patched-in-bind-9

ISC: CVE-2020-8620: A specially crafted large TCP payload can trigger an assertion failure in tcpdns.c

https://kb.isc.org/v1/docs/cve-2020-8620

Talos Intelligence: Internet Systems Consortium's BIND TCP Receive Buffer Length Assertion Check Denial of Service Vulnerability

https://talosintelligence.com/vulnerability_reports/TALOS-2020-1100

 

****************************************************************************


INTERNET STORM CENTER TECH CORNER


A Word of Caution: Helping Cyber Stalking Victims

https://isc.sans.edu/forums/diary/A+Word+of+Caution+Helping+Out+People+Being+Stalked+Online/26422/


RDP and Telnet Scans

https://isc.sans.edu/forums/diary/Remote+Desktop+TCP3389+and+Telnet+TCP23+What+might+they+have+in+Common/26492/


Tracking a Malware Campaign Through VT

https://isc.sans.edu/forums/diary/Tracking+A+Malware+Campaign+Through+VT/26498/


Thales Cinterion Input Validation Vulnerability

https://www.thalesgroup.com/en/markets/digital-identity-and-security/iot/resources/security-updates-cinterion-iot-modules


RDP Remains a Top Target

https://www.group-ib.com/media/iran-cybercriminals/


Google Drive File Extension Spoofing

https://thehackernews.com/2020/08/google-drive-file-versions.html


Zoom Outage

https://www.cnn.com/2020/08/24/us/zoom-outage-worldwide-trnd/index.html


Microsoft Introduces Application Guard

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/install-app-guard?view=o365-worldwide


Safari File Sharing Bug

https://blog.redteam.pl/2020/08/stealing-local-files-using-safari-web.html

 

****************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create