
Volume XXII - Issue #70

September 4, 2020


US Supreme Court to Determine Limits on Computer Fraud And Abuse Act; DDoS is Back: European ISPs and Student Attacks Online School Platform




TOP OF THE NEWS


  US Supreme Court to Hear CFAA Case

  European ISPs Hit by DDoS Attacks

  Student Admits Launching DDoS Attacks Against Online School Platform


***************************  Sponsored By  Palo Alto Networks  ************************************

XSOAR Hands-On Workshop || September 16th, 11:00 AM CEST (5:00 AM EDT)
If you thought security operations was all fun and games, think again. Security analysts can often feel like they're in a perpetual Pac-Man state, gobbling repetitive pellets and racing against time while malicious ghosts loom in the distance. It's time to level up your SOC skills with Cortex XSOAR (an evolution of Demisto)! Learn how to build automated playbooks to help you get the job done faster.
| http://www.sans.org/info/217525

*****************************************************************************


REST OF THE WEEK'S NEWS


  Fix Available for One of Two Vulnerabilities in MAGMI Magento Plugin

  MIT CSAIL Researchers Develop Cyber Risk Platform

  Cisco Updates for Jabber Flaw Available

  WordPress File Manager Plugin Flaw is Being Actively Exploited

  Cyberattack on Norway's Parliament Affected eMail Accounts

  CISA: Agencies Must Have Vulnerability Disclosure Policies

  National Guard Cyber Exercise Will be Entirely Virtual

  Five Eyes Countries Issue Joint Cybersecurity Advisory


INTERNET STORM CENTER TECH CORNER

 

*****************************************************************************

CYBERSECURITY TRAINING UPDATE

 

Popular OnDemand Courses


SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling


View all courses

- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand


Upcoming Interactive Training Events


Oil & Gas Cybersecurity Summit & Training - Live Online (Oct 2-10, CDT)

- https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/


SANS San Francisco Fall 2020 - Live Online (Oct 26-31, PDT)

- https://www.sans.org/event/san-francisco-fall-2020-live-online/


View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america

 

Free Resources

Tools, Posters, and more.

- https://www.sans.org/free

 

SANS OnDemand Special Offer

Get an iPad (32GB), Galaxy Tab A, or Take $250 Off with a qualifying OnDemand course.

- https://www.sans.org/ondemand/specials

 

*****************************************************************************

1) Earn 16 CPE Credits | October 8-9, 2020 | Cyber Solutions Fest 2020 features 4 tracks including Cloud / DevSecOps / Threat Intel / Network Security. Join 4 of our most popular SANS instructors along with experts from the top solutions providers in the industry. Exciting 2 day event featuring great content, numerous prize drawings, peer-to-peer chat rooms and much more. Register Now!
| http://www.sans.org/info/217530

2) Webcast | Thursday, September 10, 2020 at 1:00 PM EDT | Don't miss Matt Bromiley, SANS  & Anton Chuvakin, Chronicle as they present "Detecting Malicious Activity in Large Enterprises"
| http://www.sans.org/info/217535

3) Featured SANS On-Demand  Webinar | SANS Instructor Matt Bromiley and Fred Wilmot from Devo present "All for One, One for All: Bringing Data Together"
| http://www.sans.org/info/217540

*****************************************************************************

TOP OF THE NEWS  

 

--US Supreme Court to Hear CFAA Case

(September 4, 2020)

The US Supreme Court will hear Van Buren v. United States, a case that could determine whether the 1986 Computer Fraud and Abuse Act (CFAA) is overly broad. The Electronic Privacy Information Center (EPIC) has filed an amicus brief in support of the petitioner, a police officer who was convicted of violating the CFAA when he accessed a law enforcement database to obtain personal information for a third party. Voting app maker Voatz has filed an amicus brief in support of the US government, arguing that researchers who examine code for vulnerabilities without permission should not be exempt from prosecution under the CFAA.


[Editor Comments]


[Neely] The tricky part is connecting the two halves of this story. The officer was convicted after tracing a phony license plate in exchange for money, under the CFAA, rather than other laws he is alleged to have violated. As such, the subject of authorized use is being scrutinized, as it is not currently defined in the CFAA. The risk is that the current interpretation would make it a crime to violate any web site's terms of service, allowing the service owner to decide who goes to prison for what offense, which is control Voatz wishes to maintain. The downside of that approach is that security researchers could also run afoul of the law. Irrespective of how this comes down, make sure you have verified authorization to research the security of any given service before doing so.


[Murray] "Examining code" is research; attacking live systems is rogue hacking. If accessing law enforcement databases for third parties is found not to be a crime, then it is one more example of why the CFAA needs to be re-written. The CFAA was written long before so many systems were attached to the public networks and most abuse was by otherwise "authorized" personnel.  


Read more in:

EPIC: Van Buren v. United States

https://epic.org/amicus/cfaa/van-buren/

The Register: Surprise! Voting app maker roasted by computer boffins for poor security now begs US courts to limit flaw finding

https://www.theregister.com/2020/09/04/voatz_supreme_court/

 

--European ISPs Hit by DDoS Attacks

(September 3, 2020)

Multiple European Internet service providers (ISPs) were hit with distributed denial-of-service (DDoS) attacks last week. The attacks affected ISPs in France, Belgium, and the Netherlands. Some experts have suggested that last week's CenturyLink outage in the US may also have been triggered by a DDoS attack; two separate analysis reports instead attribute the CenturyLink outage to a problem with a tool commonly used while mitigating DDoS attacks.


Read more in:

ZDNet: European ISPs report mysterious wave of DDoS attacks

https://www.zdnet.com/article/european-isps-report-mysterious-wave-of-ddos-attacks/


 

--Student Admits Launching DDoS Attacks Against Online School Platform

(September 3, 2020)

A Florida high school student has been arrested for orchestrating distributed denial-of-service (DDoS) attacks against the Miami-Dade schools' online learning platform. The attacks disrupted teachers' and students' access to virtual classrooms. The 16-year-old has been charged with felony computer use in an attempt to defraud and misdemeanor interference with an educational institution.


[Editor Comments]


[Neely] The student attacked the My School Online platform. While Comcast added DDoS protections, they were not able to fully stop the attacks. Teachers were able to pivot to alternate options such as Zoom and MS Teams. Services such as Zoom and Teams have anti-DDoS protections; it would be prudent for educators to ensure their e-learning platform is similarly protected, as well as having a verified contingency plan for their system being off-line or otherwise unavailable.


Read more in:

Edscoop: Miami high school student charged in DDoS attacks against school district

https://edscoop.com/miami-dade-schools-ddos-attack-student-charged/

NBC News: Miami-Dade Public Schools' remote learning platform endures days of cyberattacks

https://www.nbcnews.com/news/us-news/miami-dade-public-schools-remote-learning-platform-endures-days-cyberattacks-n1239129


*****************************************************************************

REST OF THE NEWS   

 

--Fix Available for One of Two Vulnerabilities in MAGMI Magento Plugin

(September 1 & 2, 2020)

Two vulnerabilities in the Magento Mass Import (MAGMI) plugin could be exploited to allow remote code execution. An authentication bypass vulnerability exists because MAGMI versions 0.7.23 and older fall back to default ... credentials when the database connection fails. That issue has been fixed in MAGMI v0.7.24. A cross-site request forgery (CSRF) vulnerability exists because the plugin's state-changing requests carry no CSRF tokens; there is not yet a fix for this issue. The flaws were discovered by researchers at Tenable.
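The two defect classes in the summary above, shown side by side as an added Python example written for this page (it is illustrative code, not MAGMI's PHP). The credential store, the admin/admin default pair and the simulated import endpoint are constructed stand-ins; the point is the shape of the bugs: an authentication path that fails open to built-in credentials when the database is unreachable, and a state-changing endpoint that accepts any request carrying the admin's session cookie because it never checks a CSRF token.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-ins (not MAGMI's code). The default pair is a placeholder
# for whatever built-in credentials a product documents for first use.
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "admin"


class DatabaseUnavailable(Exception):
    """Raised by the simulated credential store when the backend is down."""


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; returns (salt, digest)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(record: Tuple[bytes, bytes], password: str) -> bool:
    salt, digest = record
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


@dataclass
class CredentialStore:
    """Simulated user table; available=False models a failed DB connection."""
    users: Dict[str, Tuple[bytes, bytes]]
    available: bool = True

    def lookup(self, username: str) -> Optional[Tuple[bytes, bytes]]:
        if not self.available:
            raise DatabaseUnavailable("connection failed")
        return self.users.get(username)


def vulnerable_login(store: CredentialStore, username: str, password: str) -> bool:
    """Fail-open: when the backend cannot be reached, fall back to the built-in
    default credentials. Anyone who can provoke (or simply wait for) a DB
    failure then logs in with credentials printed in the documentation."""
    try:
        record = store.lookup(username)
    except DatabaseUnavailable:
        return hmac.compare_digest(username.encode(), DEFAULT_USER.encode()) and \
            hmac.compare_digest(password.encode(), DEFAULT_PASSWORD.encode())
    return record is not None and verify_password(record, password)


def hardened_login(store: CredentialStore, username: str, password: str) -> bool:
    """Fail-closed: a backend failure is an authentication failure, full stop."""
    try:
        record = store.lookup(username)
    except DatabaseUnavailable:
        return False
    return record is not None and verify_password(record, password)


# CSRF: a state-changing endpoint must prove the request originated from the
# application's own page, because the browser attaches the admin's session
# cookie to a cross-site form post just as readily as to a legitimate one.

def issue_csrf_token(session: Dict[str, str]) -> str:
    """Generate a per-session token and keep it server-side (synchronizer token)."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def run_import(session: Dict[str, str], form: Dict[str, str], require_token: bool) -> bool:
    """Return True if the (simulated) mass-import request is accepted.
    require_token=False models an endpoint that performs no CSRF check."""
    if require_token:
        expected = session.get("csrf_token", "")
        submitted = form.get("csrf_token", "")
        if not expected or not hmac.compare_digest(submitted.encode(), expected.encode()):
            return False
    return True  # a real endpoint would start the import here


if __name__ == "__main__":
    store = CredentialStore({"alice": hash_password("s3cret")}, available=False)
    print("fail-open  admin/admin with DB down:", vulnerable_login(store, "admin", "admin"))
    print("fail-closed admin/admin with DB down:", hardened_login(store, "admin", "admin"))
    session: Dict[str, str] = {}
    issue_csrf_token(session)
    print("forged post, no CSRF check:", run_import(session, {}, require_token=False))
    print("forged post, CSRF check:   ", run_import(session, {}, require_token=True))
```

The fail-closed variant treats a backend error as a denied login rather than as a reason to consult defaults. The CSRF check relies on the attacker's page being unable to read the token out of the victim's session, which is why the token is bound to the session and compared in constant time; a cross-site form post arrives with the cookie but without the token and is rejected.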


Read more in:

Tenable: MAGMI Multiple Vulnerabilities

https://www.tenable.com/security/research/tra-2020-51

Tenable: CVE-2020-5776

https://www.tenable.com/cve/CVE-2020-5776

Tenable: CVE-2020-5777

https://www.tenable.com/cve/CVE-2020-5777

SC Magazine: Attackers could exploit flaws in MAGMI Magento plugin to hijack admin sessions

https://www.scmagazine.com/home/security-news/attackers-could-exploit-flaws-in-magmi-magento-plugin-to-hijack-admin-sessions/

Threatpost: Magento Sites Vulnerable to RCE Stemming From Magmi Plugin Flaws

https://threatpost.com/magento-sites-vulnerable-to-rce-stemming-from-magmi-plugin-flaws/158864/

Bleeping Computer: Magento plugin Magmi vulnerable to hijacking admin sessions

https://www.bleepingcomputer.com/news/security/magento-plugin-magmi-vulnerable-to-hijacking-admin-sessions/

 
 

--MIT CSAIL Researchers Develop Cyber Risk Platform

(September 3, 2020)

Researchers at MIT's Computer Science and Artificial Intelligence Lab (CSAIL) have developed a [cryptographic] platform for securely measuring cyber risk. Dubbed SCRAM (Secure Cyber Risk Aggregation and Measurement), the platform allows organizations to assess their risk against aggregated peer data without exposing their own sensitive data.
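As an added illustration of what "measuring risk without exposing sensitive data" can mean in practice, the following Python shows secure aggregation by additive secret sharing. It is written for this page and is not SCRAM's own protocol (the paper linked below describes that); the prime modulus, the three-server layout and the loss figures in the demo are constructed for the example.

```python
import secrets
from typing import List

# Prime modulus; every input and the total must stay below it. A constructed
# choice for this example, not a parameter taken from SCRAM.
MODULUS = 2**61 - 1


def share(value: int, n_servers: int) -> List[int]:
    """Split a private integer into n additive shares: n-1 are uniformly random,
    the last is chosen so that all n sum to value mod MODULUS. Any n-1 of them
    together are uniformly random and reveal nothing about value."""
    if not 0 <= value < MODULUS:
        raise ValueError("value out of range for the modulus")
    if n_servers < 2:
        raise ValueError("need at least two servers for sharing to hide anything")
    shares = [secrets.randbelow(MODULUS) for _ in range(n_servers - 1)]
    shares.append((value - sum(shares)) % MODULUS)
    return shares


def server_subtotal(all_shares: List[List[int]], j: int) -> int:
    """What server j computes: the sum of the single share it holds from each
    participant (all_shares[i][j]). This subtotal is all server j ever learns."""
    return sum(row[j] for row in all_shares) % MODULUS


def reconstruct_total(all_shares: List[List[int]]) -> int:
    """Combine the servers' subtotals. Only the aggregate is recovered; no
    individual input is reconstructed anywhere in the process."""
    n_servers = len(all_shares[0])
    return sum(server_subtotal(all_shares, j) for j in range(n_servers)) % MODULUS


def secure_sum(private_inputs: List[int], n_servers: int = 3) -> int:
    """End to end: each participant shares its input across the servers, each
    server aggregates what it holds, and only the total is published."""
    all_shares = [share(v, n_servers) for v in private_inputs]
    return reconstruct_total(all_shares)


if __name__ == "__main__":
    # Constructed sample: annual incident losses (in thousands) of four firms
    # that do not want to disclose their own figure to each other or to the servers.
    losses = [120, 45, 300, 0]
    rows = [share(v, 3) for v in losses]
    for j in range(3):
        print(f"server {j} sees subtotal {server_subtotal(rows, j)} (random-looking)")
    print("published total:", reconstruct_total(rows))   # 465
```

Each server only ever holds one uniformly random share per participant, so its subtotal says nothing about any single input; only the combined total is learned. The usual caveat for any aggregate still applies: with few participants, or one dominant one, a participant who knows its own figure can subtract it from the published total, so group size and the granularity of what is aggregated matter as much as the cryptography.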


[Editor Comments]


[Northcutt] For 16 years I have been hearing how important it is to share data and I agree. But the idea of a cryptographic front end to ensure there are no OPSEC leaks is misguided. Five or six pieces of information would be enough to identify most corporations. What is truly needed is a trustworthy information broker.


Read more in:

Assets.pubpub: SCRAM: A Platform for Securely Measuring Cyber Risk (PDF)

https://assets.pubpub.org/6konmefn/21597242874854.pdf

ZDNet: MIT SCRAM: a new analysis platform for prioritizing enterprise security investments

https://www.zdnet.com/article/mit-scram-a-new-analysis-platform-for-prioritizing-enterprise-security-investments/

 
 

--Cisco Updates for Jabber Flaw Available

(September 2 & 3, 2020)

Cisco has released fixes for a critical vulnerability affecting Jabber for Windows. The flaw, which is due to improper validation of message contents, affects multiple versions of the desktop collaboration application. The vulnerability can be exploited with no user interaction to remotely execute code with privileges of the targeted user. The issue does not affect Jabber for macOS or for mobile platforms.


Read more in:

ZDNet: Patch now: Cisco warns Jabber IM client for Windows has a critical flaw

https://www.zdnet.com/article/cisco-warns-jabber-im-client-for-windows-has-a-critical-flaw/

Threatpost: Attackers Can Exploit Critical Cisco Jabber Flaw With One Message

https://threatpost.com/attackers-can-exploit-critical-cisco-jabber-flaw-with-one-message/158942/

Bleeping Computer: Cisco fixes critical code execution bug in Jabber for Windows

https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-code-execution-bug-in-jabber-for-windows/

Cisco: Cisco Jabber for Windows Message Handling Arbitrary Code Execution Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-UyTKCPGg

 

--WordPress File Manager Plugin Flaw is Being Actively Exploited

(September 1 & 3, 2020)

Developers of the File Manager plugin for WordPress have released an updated version to address a vulnerability that affects File Manager versions 6.0 through 6.8. Users are urged to update to version 6.9. The flaw could be exploited to allow unauthenticated users to execute commands and upload malicious files on a target site. File Manager has been installed more than 700,000 times.


[Editor Comments]


[Neely] Now that you're running WordPress 5.5, enable auto-updates for your plugins. To validate the fix is in place, make sure lib/php/connector.minimal.php is no longer present. Consider uninstalling utility plugins, like File Manager, when not in use, to remove possible exploit paths. The Wordfence article below includes IOCs and an explanation of the vulnerability.
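A local check for the condition described above, as an added Python example that is not part of the plugin, of Wordfence's tooling, or of the original page: it reads the plugin's WordPress header to confirm the installed version is 6.9 or later and confirms that lib/php/connector.minimal.php is no longer on disk. The plugin slug wp-file-manager, the main file name file_folder_manager.php and the throwaway plugin tree the demo builds are assumptions made for the example; adjust them to match your install.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Assumptions for this check (not taken from the plugin's own code): the
# directory slug, the file carrying the WordPress plugin header, and the fixed
# version named in the advisory.
PLUGIN_SLUG = "wp-file-manager"
PLUGIN_MAIN_FILE = "file_folder_manager.php"
FIXED_VERSION = (6, 9)
CONNECTOR = Path("lib") / "php" / "connector.minimal.php"

# WordPress plugin headers are "Key: value" lines inside the leading comment
# block, optionally prefixed with " * ".
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(?P<v>\d+(?:\.\d+)*)", re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[Tuple[int, ...]]:
    """Extract the Version header as an int tuple so that 6.10 sorts after 6.9."""
    m = VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group("v").split(".")) if m else None


def audit_file_manager(plugins_dir: Path) -> Dict[str, object]:
    """Inspect wp-content/plugins/<slug>: version at or above the fix, and the
    unauthenticated connector file absent. A site without the plugin passes."""
    plugin_dir = plugins_dir / PLUGIN_SLUG
    main_file = plugin_dir / PLUGIN_MAIN_FILE
    version = parse_plugin_version(main_file.read_text()) if main_file.is_file() else None
    connector_present = (plugin_dir / CONNECTOR).is_file()
    patched = version is not None and version >= FIXED_VERSION
    installed = plugin_dir.is_dir()
    return {
        "installed": installed,
        "version": version,
        "patched": patched,
        "connector_present": connector_present,
        "ok": (not installed) or (patched and not connector_present),
    }


def make_sample_plugin(plugins_dir: Path, version: str, with_connector: bool) -> None:
    """Build a constructed plugin tree for demonstration (sample data, not a real install)."""
    plugin_dir = plugins_dir / PLUGIN_SLUG
    (plugin_dir / "lib" / "php").mkdir(parents=True, exist_ok=True)
    (plugin_dir / PLUGIN_MAIN_FILE).write_text(
        f"<?php\n/*\nPlugin Name: File Manager\nVersion: {version}\n*/\n"
    )
    if with_connector:
        (plugin_dir / CONNECTOR).write_text("<?php // constructed stand-in for the connector\n")


def demo(version: str, with_connector: bool) -> Dict[str, object]:
    """Create a throwaway plugin tree in the given state and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        plugins_dir = Path(tmp) / "wp-content" / "plugins"
        make_sample_plugin(plugins_dir, version, with_connector)
        return audit_file_manager(plugins_dir)


if __name__ == "__main__":
    print("6.8 with connector:", demo("6.8", True))
    print("6.9 without connector:", demo("6.9", False))
    # On a real site: audit_file_manager(Path("/var/www/html/wp-content/plugins"))
```

Run it against the real plugins directory rather than the demo tree to check a live install. A result with patched=True but connector_present=True is worth a closer look: the version header has moved on but a file the update should have removed or renamed is still reachable, which is exactly the state an incomplete upgrade or a reinstated backdoor would leave behind.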


Read more in:

Ars Technica: Hackers are exploiting a critical flaw affecting >350,000 WordPress sites

https://arstechnica.com/information-technology/2020/09/hackers-are-exploiting-a-critical-flaw-affecting-350000-wordpress-sites/

ZDNet: WordPress File Manager plugin flaw causing website hijack exploited in the wild

https://www.zdnet.com/article/wordpress-file-manager-bug-causing-full-website-takeover-exploited-in-the-wild/

Wordfence: 700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin

https://www.wordfence.com/blog/2020/09/700000-wordpress-users-affected-by-zero-day-vulnerability-in-file-manager-plugin/

 
 

--Cyberattack on Norway's Parliament Affected eMail Accounts

(September 1, 2020)

Authorities in Norway are investigating a significant cyberattack that compromised the email accounts of several members and employees of Stortinget, the country's parliament. Stortinget administrator Marianne Andreassen said the attackers downloaded data.


[Editor Comments]


[Neely, Honan] It has to become standard operating procedure to enable multi-factor authentication for internet facing services. Also consider using email message encryption options, such as OME, S/MIME or PGP to encrypt sensitive information to protect it even if downloaded. Check your email provider for records retention capabilities to preserve information, creating a long-term archive, irrespective of malicious actions, such as deleting the mailbox.


Read more in:

ZDNet: Norwegian Parliament discloses cyber-attack on internal email system

https://www.zdnet.com/article/norwegian-parliament-discloses-cyber-attack-on-internal-email-system/

Cyberscoop: Norway is investigating a cyberattack on its parliament

https://www.cyberscoop.com/norway-parliament-cyberattack/

NYT: Norway's Parliament Says It Was Hit by 'Significant' Cyber Attack

https://www.nytimes.com/reuters/2020/09/01/world/europe/01reuters-norway-parliament.html

 
 

--CISA: Agencies Must Have Vulnerability Disclosure Policies

(September 2, 2020)

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued a binding operational directive (BOD) that requires federal government agencies to establish vulnerability disclosure policies. The Office of Management and Budget (OMB) has issued a memorandum supporting the BOD and establishing deadlines for implementation.


[Editor Comments]


[Neely] Having a defined place to report discovered vulnerabilities, with clear definition of remuneration, scoped systems, and how to remain within authorized testing scope is excellent. The intent is for agency policies to align with the DOJ Vulnerability Disclosure Framework (https://www.justice.gov/criminal-ccips/page/file/983996/download), which also provides guidance on implementation and administration of a policy. While allowing anyone to conduct testing without constraint feels like open-season on internet-facing systems, our adversaries don't get permission before finding and exploiting vulnerabilities. To support increased testing activities, agencies will need to ensure they have visibility to all internet-facing service logs and alerts, including cloud-based services. Those data must feed to centralized logging, SIEM and/or SOAR platforms to support automated detection, correlation and response of activities.


Read more in:

Cyberscoop: CISA orders agencies to set up vulnerability disclosure programs

https://www.cyberscoop.com/cisa-vulnerability-disclosure-directive-omb/

Threatpost: U.S. Agencies Must Adopt Vulnerability-Disclosure Policies by March 2021

https://threatpost.com/u-s-agencies-vulnerability-disclosure-policies-march-2021/158913/

MeriTalk: OMB Issues Final Vulnerability Disclosure Policies Guidance for Agencies

https://www.meritalk.com/articles/omb-issues-final-vulnerability-disclosure-policies-guidance-for-agencies/

Nextgov: OMB Starts Clock on Agencies Implementing Policies to Welcome Public Security Research

https://www.nextgov.com/cybersecurity/2020/09/omb-starts-clock-agencies-implementing-policies-welcome-public-security-research/168199/

Whitehouse: Memorandum: Improving Vulnerability Identification, Management, and Remediation (PDF)

https://www.whitehouse.gov/wp-content/uploads/2020/09/M-20-32.pdf

cyber.DHS: Binding Operational Directive 20-01 | Develop and Publish a Vulnerability Disclosure Policy

https://cyber.dhs.gov/bod/20-01/

 

--National Guard Cyber Exercise Will be Entirely Virtual

(September 2 & 3, 2020)

The US National Guard's annual cyber exercise, Cyber Shield, will be entirely online this year. The event will take place over a two-week period later this month. Cyber Shield exercise director George Battistelli says this year's exercise will focus on information operations.


[Editor Comments]


[Neely] This has been a year of learning how to work closely together while physically separated. Learning is more difficult as ad-hoc teamwork and coaching, such as looking over a teammate's shoulder to help, requires advance planning and technology configuration. The lessons learned from these activities should be leveraged to help teams be better prepared for remote collaboration and assistance scenarios as well as greater self-reliance and sufficiency.


Read more in:

c4isrnet: National Guard cyber exercise to increase focus on information operations

https://www.c4isrnet.com/cyber/2020/09/02/national-guard-cyber-exercise-to-increase-focus-on-information-operations/

FCW: National Guard plans all-virtual cyber exercise

https://fcw.com/articles/2020/09/03/williams-guard-cyber-shield-virtual.aspx

 
 

--Five Eyes Countries Issue Joint Cybersecurity Advisory

(September 1, 2020)

A joint advisory from cybersecurity authorities in Australia, Canada, New Zealand, the UK, and the US highlights technical approaches to uncovering malicious activity and includes mitigation steps according to best practices. The purpose of [the] report is to enhance incident response among partners and network administrators along with serving as a playbook for incident investigation.


Read more in:

MeriTalk: Five Eyes Nations Release Joint Cybersecurity Advisory

https://www.meritalk.com/articles/five-eyes-nations-release-joint-cybersecurity-advisory/

Nextgov: CISA, International Counterparts Highlight Mistakes Organizations Make After a Cyber Intrusion

https://www.nextgov.com/cybersecurity/2020/09/cisa-international-counterparts-highlight-mistakes-organizations-make-after-cyber-intrusion/168159/

US-CERT CISA: Alert (AA20-245A) Technical Approaches to Uncovering and Remediating Malicious Activity

https://us-cert.cisa.gov/ncas/alerts/aa20-245a

US-CERT CISA: Joint Cybersecurity Advisory: Technical Approaches to Uncovering and Remediating Malicious Activity (PDF)

https://us-cert.cisa.gov/sites/default/files/publications/AA20-245A-Joint_CSA-Technical_Approaches_to_Uncovering_Malicious_Activity_508.pdf

 
 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Exposed Domain Controllers Used in DDoS Attacks

https://isc.sans.edu/forums/diary/Exposed+Windows+Domain+Controllers+Used+in+CLDAP+DDoS+Attacks/26526/


Python and Risky Windows API Calls

https://isc.sans.edu/forums/diary/Python+and+Risky+Windows+API+Calls/26530/


Sandbox Evasion Using NTP

https://isc.sans.edu/forums/diary/Sandbox+Evasion+Using+NTP/26534/


Microsoft Reviving SHA-1

https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-microsoft-edge-version-85/ba-p/1618585


Trend Micro Updating Anti Malware Products

https://success.trendmicro.com/solution/000263632


QNAP Updates

https://www.qnap.com/en/release-notes/qts/4.3.6.1411/20200825

https://www.qnap.com/en/release-notes/qts/4.4.3.1400/20200817


iOS 13.7 Update

https://support.apple.com/en-us/HT201222


Cisco Jabber Update

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-jabber-UyTKCPGg


Cisco Jabber Vulnerability Followup

https://watchcom.no/nyheter/nyhetsarkiv/uncovers-cisco-jabber-vulnerabilities/


MoFi Router Vulnerabilities

https://www.criticalstart.com/critical-vulnerabilities-discovered-in-mofi-routers/


Android DNS over HTTPS

https://blog.chromium.org/2020/09/a-safer-and-more-private-browsing.html


Public Voter Data Sold as "Breach"

https://www.cyberscoop.com/russia-hack-michigan-voter-data-kommersant/


*****************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create