
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #69

September 1, 2020


macOS Malware Snuck Through Apple's Vetting; Cisco Zero-day Actively Exploited; New Zealand Stock Exchange DDoS Attacks


*****************************************************************************

SANS NewsBites             September 1, 2020                Vol. 22, Num. 069

*****************************************************************************


TOP OF THE NEWS


  Shlayer Snuck Through Apple's Software Vetting Process

  Cisco Zero-day is Being Actively Exploited

  New Zealand Stock Exchange Hit With More DDoS Attacks




REST OF THE WEEK'S NEWS


  Former Cisco Employee Pleads Guilty to Damaging Company's Network

  Chinese Citizen Arrested, Charged with Theft of Trade Secrets

  Chinese Researcher Faces Charges for Allegedly Destroying Hard Drive Related to Investigation

  Slack Fixes RCE Flaw in Older Versions of Desktop App

  DoJ is Attempting to Seize Hackers' Cryptocurrency Accounts

  Hackers Exploiting Old Firmware Flaw in Unpatched QNAP NAS Devices

  New TLS/SSL Certificates Now Limited to 13-Month Validity Period


INTERNET STORM CENTER TECH CORNER

*****************************************************************************

TOP OF THE NEWS   

 

--Shlayer Snuck Through Apple's Software Vetting Process

(August 30 & 31, 2020)

Malware known as Shlayer managed to slip past Apple's software vetting process. Apple established an automated notarization process in February 2020; developers submit software to be notarized. If the software passes the checks, macOS Gatekeeper allows it to run.


[Editor Comments]


[Pescatore] Apple has been clear from the start that notarization does not equal application testing. Pretty much like in the real world where notary publics don't actually quiz you to make sure you really are you, they just check a few documents and notarize that the documents you showed them match the identity you are claiming. Apps do get tested for inclusion in the app store - you can limit Macs to only allowing apps to be downloaded from the App Store. That app testing has been pretty good but not perfect either. The MacOS layers of protection do lower the malware risk significantly, but Macs used for business purposes should also have malware protection installed.


[Neely] Shawn Geddis, Security and Certifications Engineer at Apple, briefed me on application notarization last year. He explained that notarized applications are checked for malicious components and that the developer ID is confirmed; what is provided back to the developer is the Notarization for that App. Notarization is not App Review, nor is source code shared with Apple. The Application is then distributed by the developer through whatever means necessary to all of its users. Notarized Applications are verified and allowed to run on macOS because it can be attested that they do not contain identifiable malicious components. This is an extension of what has been taking place with gatekeeper data within macOS for some time. Even so, as John states, it is still a good idea to have additional anti-malware protections for defense in depth.


[Murray] Notarization speaks to attribution, not quality, not motive or intent.  


Read more in:

Objective-See: Apple Approved Malware | malicious code ...now notarized!? #2020

https://objective-see.com/blog/blog_0x4E.html

Wired: Apple Accidentally Approved Malware to Run on MacOS

https://www.wired.com/story/apple-approved-malware-macos-notarization-shlayer/

Threatpost: Apple Accidentally Notarizes Shlayer Malware Used in Adware Campaign

https://threatpost.com/apple-accidentally-notarizes-shlayer-malware/158818/

Bleeping Computer: Malware authors trick Apple into trusting malicious Shlayer apps

https://www.bleepingcomputer.com/news/security/malware-authors-trick-apple-into-trusting-malicious-shlayer-apps/

 
 

--Cisco Zero-day is Being Actively Exploited

(August 31, 2020)

Cisco has issued an advisory warning of a vulnerability in its IOS XR software that is being actively exploited. Cisco has not yet released a fix for the flaw, which "is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets." The vulnerability can be exploited "to cause memory exhaustion, resulting in instability of other processes."


Read more in:

Ars Technica: Attackers are trying to exploit a high-severity zeroday in Cisco gear

https://arstechnica.com/information-technology/2020/08/attackers-are-trying-to-exploit-a-high-severity-zeroday-in-cisco-gear/

ZDNet: Cisco warns of actively exploited IOS XR zero-day

https://www.zdnet.com/article/cisco-warns-of-actively-exploited-ios-xr-zero-day/

Bleeping Computer: Cisco warns of actively exploited bug in carrier-grade routers

https://www.bleepingcomputer.com/news/security/cisco-warns-of-actively-exploited-bug-in-carrier-grade-routers/

Duo: Cisco Warns of Exploits Against IOS XR Flaw

https://duo.com/decipher/cisco-warns-of-exploits-against-ios-xr-flaw

Cisco: Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz



--New Zealand Stock Exchange Hit With More DDoS Attacks

(August 30 & 31, 2020)

The New Zealand Stock Exchange (NZX), which suspended trading last week due to a distributed denial-of-service (DDoS) attack, was hit with a new round of attacks on Monday, August 31. NZX was able to resume trading after moving to a contingency plan.


[Editor Comments]


[Neely] Network architecture and application reachability are key to survival of DDOS attacks. NYSE and other major exchanges are believed to be able to withstand a similar attack because of network segmentation and lack of internet facing trading applications. See https://www.scmagazine.com/home/security-news/nyse-not-susceptible-to-takedown-like-new-zealand-exchange/


[Honan] We are seeing a return by criminals to extortion-based DDoS attacks. If you are running business critical systems online you need to ensure you have appropriate DDoS protections in place the same way that you ensure you have redundant power to your Data Centre.


Read more in:

NZ Herald: NZX shifts to Akamai - says trading continues despite site being down again

https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=12360753

NZ Herald: NZX business as usual, despite cyber attacks

https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=12360758

Reuters: New Zealand bourse website hit by fresh cyberattack, but keeps trading

https://www.reuters.com/article/us-nzx-cyber/new-zealand-bourse-website-hit-by-fresh-cyberattack-but-keeps-trading-idUSKBN25R004


*****************************************************************************

REST OF THE NEWS    

 

--Former Cisco Employee Pleads Guilty to Damaging Company's Network

(August 26, 27, & 28, 2020)

A former Cisco employee has pleaded guilty to intentionally accessing a protected computer without authorization and recklessly causing damage. Sudhish Kasaba Ramesh resigned his position at Cisco in April 2018; five months later, he accessed Cisco's AWS-hosted cloud infrastructure and "deployed code" that resulted in the deletion of more than 450 virtual machines for Cisco's WebEx Teams application.


[Editor Comments]


[Neely] Separation processes must include verified disablement of accounts. Monitor those accounts for unauthorized access, and delete them when the data and functions have been reassigned; give yourself a hard time limit to ensure this happens. Audit/review your accounts against your active user list regularly.


[Pescatore] The key question, of course, is why the employee could still access his privileged account five months after he left Cisco. Cloud accounts often evade the direct connection from the HR app to Active Directory that would remove access upon termination. A good audit should always show percentage of "ghost" accounts left active - good idea to do some targeted auditing of cloud service admin accounts.


[Honan] This incident exemplifies why in an era of companies employing on-premise and cloud-based platforms it is critical to have a coherent Identity and Access Management strategy in place with appropriate access management systems to support that strategy. In light of the current pandemic and the many changes made to systems to enable businesses to support, a thorough review of how the "new normal" impacts on the Joiner, Mover, and Leavers processes is indicated.


[Murray] Control of privileged users is difficult. One should not grant a privilege that one cannot withdraw. Prefer strong authentication using a hardware token that one can disable or reclaim upon separation. However, resisting backdoors will require supervision, layered security, multi-party controls, and Privileged Access Management software. It remains a problem that for privileged users, where accountability is the ultimate control, we are most likely to tolerate sharing of IDs and credentials.


Read more in:

Threatpost: Ex-Cisco Employee Pleads Guilty to Deleting 16K Webex Teams Accounts

https://threatpost.com/ex-cisco-employee-pleads-guilty-to-deleting-16k-webex-teams-accounts/158748/

ZDNet: Former engineer pleads guilty to Cisco network damage, causing Webex Teams account chaos

https://www.zdnet.com/article/former-cisco-engineer-pleads-guilty-to-network-damage-wiping-16000-webex-teams-accounts/

Bleeping Computer: Cisco engineer resigns then nukes 16k WebEx accounts, 456 VMs

https://www.bleepingcomputer.com/news/security/cisco-engineer-resigns-then-nukes-16k-webex-accounts-456-vms/

Justice: San Jose Man Pleads Guilty To Damaging Cisco's Network

https://www.justice.gov/usao-ndca/pr/san-jose-man-pleads-guilty-damaging-cisco-s-network

 
 

--Chinese Citizen Arrested, Charged with Theft of Trade Secrets

(August 28, 2020)

US federal authorities have arrested a Chinese citizen on charges of "accessing a computer without authorization, or exceeding authorization to obtain information from a protected computer and theft of trade secrets." Haizhou Hu has been conducting research at the University of Virginia. Hu allegedly stole research simulation code.


Read more in:

Justice: University of Virginia Researcher Charged with Theft of Trade Secrets and Computer Intrusion

https://www.justice.gov/usao-wdva/pr/university-virginia-researcher-charged-theft-trade-secrets-and-computer-intrusion

 
 

--Chinese Researcher Faces Charges for Allegedly Destroying Hard Drive Related to Investigation

(August 28 & 31, 2020)

A Chinese citizen conducting research at the University of California, Los Angeles (UCLA) is facing charges for allegedly destroying evidence related to an investigation into illegal transfer of US technology to China. Guan Lei allegedly threw a hard drive into a dumpster near his home before attempting to board a flight to China. When Guan refused to allow authorities to search his computer, he was not permitted to board the flight.


Read more in:

ZDNet: Chinese researcher charged with destroying evidence relating to illegal transfer of US tech

https://www.zdnet.com/article/chinese-ucla-researcher-charged-with-destroying-evidence-relating-to-illegal-transfer-of-us-tech/

Justice: Chinese National Charged with Destroying Hard Drive During FBI Investigation into the Possible Transfer of Sensitive Software to China

https://www.justice.gov/usao-cdca/pr/chinese-national-charged-destroying-hard-drive-during-fbi-investigation-possible

 
 

--Slack Fixes RCE Flaw in Older Versions of Desktop App

(August 30 & 31, 2020)

Slack has fixed an HTML code injection vulnerability affecting older desktop versions of the collaboration app. The flaw could be exploited to take control of the app, allowing access to private channels, passwords, and other sensitive information. A bug-hunter found the vulnerability and reported it to Slack in January 2020. The issue, which affected versions 4.2 and 4.32 of the desktop app for Linux, macOS, and Windows, was fixed in March.


[Editor Comments]


[Neely] The current work environment has seen a spike in collaboration apps such as Slack and Discord. Make sure the clients are part of your enterprise patching program. The current version of the Slack desktop app is 4.8.0 which was released July 23rd. Also review and provide guidance regarding use of these services for business purposes to ensure your information is properly protected.


Read more in:

Threatpost: Critical Slack Bug Allows Access to Private Channels, Conversations

https://threatpost.com/critical-slack-bug-access-private-channels-conversations/158795/

Bleeping Computer: Slack pays stingy $1,750 reward for a desktop hijack vulnerability

https://www.bleepingcomputer.com/news/security/slack-pays-stingy-1-750-reward-for-a-desktop-hijack-vulnerability/

The Register: Critical vuln that lets miscreants hijack people's computers via Slack *sucks in air* We'll give you $1,750 for it

https://www.theregister.com/2020/08/31/slack_app_electron_bug_squashed/

 
 

--DoJ is Attempting to Seize Hackers' Cryptocurrency Accounts

(August 27 & 28, 2020)

The US Department of Justice has filed a civil forfeiture complaint seeking to obtain control of 280 cryptocurrency accounts it alleges are being used by North Korean hackers to launder stolen funds. The complaint describes two 2019 attacks in which North Korean hackers allegedly targeted cryptocurrency exchanges.


[Editor Comments]


[Murray] It is in the nature of the blockchain that the evidence never goes away. The use of digital currency does not necessarily confer the anonymity that one might expect. However, it is in the nature of digital currency that attribution may be difficult and the activity may be convoluted and obscure. There are software and services for analysis that improve transparency and accountability.


Read more in:

Threatpost: DoJ Aims to Seize 280 Cryptocurrency Accounts Used by Hackers

https://threatpost.com/doj-aims-to-seize-280-cryptocurrency-accounts-used-by-hackers/158757/

Bleeping Computer: US wants to seize cryptocurrency stolen by North Korean hackers

https://www.bleepingcomputer.com/news/security/us-wants-to-seize-cryptocurrency-stolen-by-north-korean-hackers/

Justice: United States Files Complaint to Forfeit 280 Cryptocurrency Accounts Tied to Hacks of Two Exchanges by North Korean Actors

https://www.justice.gov/opa/pr/united-states-files-complaint-forfeit-280-cryptocurrency-accounts-tied-hacks-two-exchanges

 
 

--Hackers Exploiting Old Firmware Flaw in Unpatched QNAP NAS Devices

(August 31, 2020)

Researchers at Qihoo say that hackers are scanning for QNAP network attached storage (NAS) devices that are running outdated versions of QNAP firmware. When the hackers find QNAP NAS devices running vulnerable versions of the firmware, they exploit a flaw to install a backdoor on the device. The vulnerability was addressed in a QNAP firmware update in July 2017.


[Editor Comments]


[Murray] It bears repeating that storage should not be directly attached to the public networks. Think LOCAL Area Networks (LANs) and VLANS.


Read more in:

Bleeping Computer: Hackers are backdooring QNAP NAS devices with 3-year old RCE bug

https://www.bleepingcomputer.com/news/security/hackers-are-backdooring-qnap-nas-devices-with-3-year-old-rce-bug/

 
 

--New TLS/SSL Certificates Now Limited to 13-Month Validity Period

(August 30, 2020)

As of Tuesday, September 1, 2020, all new TLS/SSL certificates issued will be valid for no more than 397 days (roughly 13 months). The new rule does not affect existing certificates with longer validity periods.


[Editor Comments]


[Neely] Where possible, use automation to keep your certificates updated so the update interval is not critical. Consider scanning and alerting for certificates nearing expiration to support manual updates as well as verify automation.


Read more in:

Bleeping Computer: You have two days left to purchase 2-year TLS/SSL certificates

https://www.bleepingcomputer.com/news/technology/you-have-two-days-left-to-purchase-2-year-tls-ssl-certificates/
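
Added example (not part of the original NewsBites issue): a Python check that applies the 397-day limit and the expiry alerting recommended in the comment above to certificate metadata in the dict form returned by ssl.SSLSocket.getpeercert(). The host names, dates, and the 30-day warning threshold are constructed assumptions.

```python
import ssl
from datetime import datetime, timezone

MAX_VALIDITY_DAYS = 397                                  # limit stated in the item above
RULE_START = datetime(2020, 9, 1, tzinfo=timezone.utc)   # applies to certificates issued from this date
WARN_DAYS = 30                                           # assumed alert threshold, tune to your renewal process


def parse_cert_time(value):
    """Parse the ssl module's time format, e.g. 'Sep  1 00:00:00 2020 GMT'."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def audit_cert(cert, now):
    """Return findings for one certificate dict with notBefore/notAfter keys."""
    not_before = parse_cert_time(cert["notBefore"])
    not_after = parse_cert_time(cert["notAfter"])
    findings = []

    lifetime_days = (not_after - not_before).total_seconds() / 86400
    # Certificates issued before the cutoff keep their longer validity period.
    if not_before >= RULE_START and lifetime_days > MAX_VALIDITY_DAYS:
        findings.append("LIFETIME_OVER_397_DAYS")

    remaining_days = (not_after - now).total_seconds() / 86400
    if now < not_before:
        findings.append("NOT_YET_VALID")
    elif remaining_days < 0:
        findings.append("EXPIRED")
    elif remaining_days <= WARN_DAYS:
        findings.append("EXPIRES_SOON")
    return findings


def audit_inventory(inventory, now):
    """Audit a {host: cert_dict} inventory and return {host: findings}."""
    return {host: audit_cert(cert, now) for host, cert in inventory.items()}


# Constructed sample inventory; in practice fill it from getpeercert() results.
SAMPLE_INVENTORY = {
    "legacy-2yr.example.test": {      # issued before the cutoff, still acceptable
        "notBefore": "Aug 15 00:00:00 2020 GMT",
        "notAfter": "Aug 15 00:00:00 2022 GMT",
    },
    "new-too-long.example.test": {    # issued after the cutoff, 423-day lifetime
        "notBefore": "Sep  2 00:00:00 2020 GMT",
        "notAfter": "Oct 30 00:00:00 2021 GMT",
    },
    "new-at-limit.example.test": {    # exactly 397 days
        "notBefore": "Sep  1 00:00:00 2020 GMT",
        "notAfter": "Oct  3 00:00:00 2021 GMT",
    },
    "expiring.example.test": {        # 19 days left at SAMPLE_NOW
        "notBefore": "Oct 10 00:00:00 2019 GMT",
        "notAfter": "Oct 20 00:00:00 2020 GMT",
    },
    "expired.example.test": {
        "notBefore": "Sep 20 00:00:00 2019 GMT",
        "notAfter": "Sep 20 00:00:00 2020 GMT",
    },
}
SAMPLE_NOW = datetime(2020, 10, 1, tzinfo=timezone.utc)  # constructed "current" time

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE_INVENTORY, SAMPLE_NOW).items():
        print(f"{host}: {', '.join(findings) or 'OK'}")
```
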

 

*****************************************************************************

 

INTERNET STORM CENTER TECH CORNER


Finding The Original Maldoc

https://isc.sans.edu/forums/diary/Finding+The+Original+Maldoc/26520/

 

CenturyLink Outage

https://blog.cloudflare.com/analysis-of-todays-centurylink-level-3-outage/

 

Pulse Connect Secure RCE Patch

https://www.gosecure.net/blog/2020/08/26/forget-your-perimeter-rce-in-pulse-connect-secure/

 

Cisco IOS XR Bug Exploited

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz

 

Slack Remote Code Execution

https://hackerone.com/reports/783877

 

Apple Approved Malware

https://objective-see.com/blog/blog_0x4E.html

 

New Zealand Stock Market Denial of Service Attack

https://www.theregister.com/2020/08/27/nzx_ddos_third_day/

 

*****************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create