Ending Soon: Get a MacBook Air or Surface Pro 7 with 5 or 6 Day Training - Best Offers of the Year!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #71

September 8, 2020

A Global Flood of New Ransomware Attacks


SANS NewsBites              September 8, 2020               Vol. 22, Num. 071



  North Carolina School District Hit With Ransomware Last Month

  UK Universities Suffer Ransomware Attacks

  Chilean Bank Hit with Ransomware

  Netwalker Ransomware Infects Government Agency in Argentina

  Thanos Ransomware Variant Has MBR Overwrite Component


  Facebook's Third-Party Vulnerability Disclosure Policy

  WhatsApp Security Bug Disclosures

  Visa Warns of Baka JavaScript Skimmer

  Flash Support Ending at Year's End

  Tower Semiconductor Suffers Cyberattack

  Government Funded Mobile Phones in US Preloaded with Code that Uploads Adware


******************* Sponsored By AWS Marketplace  ***************************

How to strengthen your security posture in AWS.

Join SANS and AWS Marketplace to learn how to create and implement an effective continuous monitoring and assessment strategy. They will provide practical guidance that will help you secure your cloud control plane, identify misconfigurations, uncover security gaps, and enable you to better predict, prevent, and respond to events | Thursday, September 17th 11:00 pacific @ 2:00 EDT | http://www.sans.org/info/217545



Popular OnDemand Courses

SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling

View all courses

- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand

Upcoming Interactive Training Events

Oil & Gas Cybersecurity Summit & Training - Live Online (Oct 2-10, CDT)

- https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/

SANS San Francisco Fall 2020 - Live Online (Oct 26-31, PDT)

- https://www.sans.org/event/san-francisco-fall-2020-live-online

View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america

Free Resources

Tools, Posters, and more.

- https://www.sans.org/free

SANS OnDemand Special Offer

Get an iPad (32GB), Galaxy Tab A, or Take $250 Off with a qualifying OnDemand course.

- https://www.sans.org/ondemand/specials



--North Carolina School District Hit With Ransomware Last Month

(August 27 & September 4, 2020)

North Carolina's Haywood County School District was the target of a ransomware attack in August. The district shut down its network and paused remote learning due to the attack. Remote learning has resumed as on August 31, but some services remain unavailable. The operators of the SunCrypt ransomware also stole files from the school district's systems.

Read more in:

Bleeping Computer: SunCrypt Ransomware shuts down North Carolina school district


Citizen-Times: Haywood schools close for entire week due to cyber attack, which requires rebuilding of network



--UK Universities Suffer Ransomware Attacks

(September 1, 3, & 6, 2020)

Networks at two UK universities were recently hit with ransomware attacks. The attack on Northumbria University forced the school to reschedule exams and to close its campus while they restored their IT systems. Newcastle University said that it was the target of a cyberattack and expected recovery to take several weeks.

[Editor Comments]

[Murray] The attack surface for any enterprise includes all of its users. For a university, that is likely to include many naive users making it especially vulnerable to infection. The plan should include network isolation to resist spread of compromise from students to faculty and administration. It should include provision for rapid recovery of essential applications.  

Read more in:

BBC: Northumbria University hit by cyber attack


Infosecurity Magazine: Northumbria Uni Campus Closed After Serious Cyber-Attack


BBC: Newcastle University cyber attack 'to take weeks to fix'



--Chilean Bank Hit with Ransomware

(September 7, 2020)

Chile's BancoEstado has shut down all branches after ransomware infected the bank's network. The malware reportedly gained a foothold in the system through a backdoor installed by a malicious Office document. BancoEstado, one of the three largest banks in Chile, disclosed the incident over the weekend.

Read more in:

ZDNet: Chilean bank shuts down all branches following ransomware attack



--Netwalker Ransomware Infects Government Agency in Argentina

(September 6, 2020)

Argentina's immigration agency has been hit with Netwalker ransomware. The attack temporarily prevented border crossings into and from the country. The attack may be the first reported ransomware attack against a government agency that has had a significant operational impact.

Read more in:

Bleeping Computer: Netwalker ransomware hits Argentinian government, demands $4 million


--Thanos Ransomware Variant Has MBR Overwrite Component

(September 4, 2020)

Researchers at Palo Alto Networks say that ransomware known as Thanos was used in attacks against systems at two state-run organizations in the Middle East and North Africa earlier this summer. The malware was configured to overwrite the master boot record. In these two cases, the overwrite did not work because of an error in the code.   

Read more in:

Unit42: Thanos Ransomware: Destructive Variant Targeting State-Run Organizations in the Middle East and North Africa


Cyberscoop: Ransomware hits two state-run organizations in the Middle East and North Africa


****************************  SPONSORED LINKS  ******************************

1) Earn 16 CPE Credits |  October 8-9, 2020 | Cyber Solutions Fest 2020 features 4 tracks including Cloud / DevSecOps / Threat Intel / Network Security.  Join our 4 of our most popular SANS instructors along with experts from the top solutions providers in the industry.  Exciting 2 day event featuring great content, numerous prize drawings, peer-to-peer chat rooms and much more. Register Now! | http://www.sans.org/info/217550

2) Webcast | Tuesday, September 15, 2020 @ 3:30 PM EDT |  Join Mark Bristow, SANS Instructor & Branch Chief for Cyber Defense Operations at the Department of Homeland Security as he discussed "ICS Security and Asset Identification" with Del Rodillas, Director of OT and Xu Zuo, VP Products (IOT Security) at Palo Alto Networks. | http://www.sans.org/info/217555

3) Don't miss this free SANS webcast where Dave Shackleford will be presenting "Mitigate Access Risk by Enforcing Least Privilege in Cloud Infrastructure" | Wednesday, September 16, 2020 at 1:00 PM EDT | http://www.sans.org/info/217565




--Facebook's Third-Party Vulnerability Disclosure Policy

(September 3 & 4, 2020)

Facebook now has a vulnerability disclosure policy that lays out how the company will disclose security flaws it finds in third-party products. According to the policy, third-party companies will have 21 days to acknowledge Facebook's initial report and then 90 days to remediate the issue. If the company misses either one of the deadlines, Facebook may disclose the flaw publicly. Facebook also notes that if there are mitigating circumstances - a flaw that is being actively exploited, for example - the disclosure timeline may differ.

[Editor Comments]

[Ullrich] Looks like 3 months / 90 days is becoming the standard for vulnerability disclosures. This can be hard to meet for some complex bugs, but should be doable for most vulnerabilities.

[Pescatore] Facebook has done a good job in recent years of essentially implementing an "App Store" to drive higher levels of security into third-party apps. Facebook has a managed bug bounty program that has some coverage of third-party apps in addition to Facebook's own software and sites. Third-party apps that access user data must undergo yearly pen testing and code review by qualified assessors. The "disinformation" problem on the content side of Facebook brings in an entirely different set of problems, but on the code security side Facebook seems to be doing the right things.

Read more in:

The Register: Facebook to blab bugs it finds if it thinks code owners aren't fixing fast enough


SC Magazine: Facebook announces new details on how it will disclose bugs found in third-party products


Threatpost: Facebook Debuts Third-Party Vulnerability Disclosure Policy


Facebook: Facebook's Vulnerability Disclosure Policy



--WhatsApp Security Bug Disclosures

(September 4, 2020)

WhatsApp has launched a dedicated security advisory page in an effort to be more transparent about flaws in its app. The page discloses six vulnerabilities in WhatsApp that have been patched this year.

Read more in:

Threatpost: WhatsApp Discloses 6 Bugs via Dedicated Security Site


WhatsApp: WhatsApp Security Advisories



--Visa Warns of Baka JavaScript Skimmer

(September 5 & 7, 2020)

Visa's Payment Fraud Disruption (PFD) group has issued a warning about JavaScript skimming malware that has features to help it evade detection, including functionality that allows it to remove itself from memory. PFD first detected Baka in February 2020.  

[Editor Comments]

[Ullrich] Organizations have let JavaScript sprawl and are now struggling to control it. You need to know what JavaScript is supposed to be running on your site and monitor and verify that nothing else is running. Use content security policy and sub-resource integrity to assist in preventing unauthorized JavaScript from running.

[Murray] This massive vulnerability is the result of the brands' decision to continue to publish the Primary Account Number in the clear and of merchants to accept them. https://whmurray.blogspot.com/2019/08/recommendations-on-retail-payment.html

Read more in:

Visa: 'Baka' JavaScript Skimmer Identified (PDF)


Bleeping Computer: Visa warns of new Baka credit card JavaScript skimmer


Infosecurity Magazine: Visa: New Baka Skimmer Designed to Avoid Detection


Portswigger: Baka credit card skimmer bundles stealth, anti-detection capabilities, warns Visa



--Flash Support Ending at Year's End

(September 4, 2020)

Microsoft has confirmed that its browsers will no longer support Adobe Flash Player after December 31, 2020. As of January 1, 2021, Adobe Flash Player will be disabled by default and versions of Flash older than the June 2020 release will be blocked. Adobe will stop updating and distributing Flash at the end of the year.

[Editor Comments]

[Ullrich] There's not much time and lots to do. At this point, you should have an inventory of all the in-house Flash applications that you will have to convert to HTML5 in the next 3 months. If not, you will end up having to maintain special virtual machines like the ones you keep around for old IPMI admin interfaces that require out-of-date versions of Java.

[Pescatore] The end of Flash support has been talked about since July 2017 when Adobe issued a December 31 EOL for Flash. In the "Internet Things That Went Away and No one Missed Them," Flash and the blinking URL tag are high on the list.

[Murray] It is now more than a decade since Steve Jobs wrote his now famous Thoughts on Flash. More recently Bob Burroughs asserted that in addition to the problems Jobs noted in Thoughts, he was also concerned that Adobe would be a "less than reliable" partner in addressing security issues. While iOS users have managed well without Flash, it has taken the rest of the world a very long time to rid itself of this troublesome software. It is hard to believe that its value has exceeded the cost of its risk and continuing security maintenance. Jobs' decision has saved Apple customers much of that cost. He should be remembered for consistently putting quality and security ahead of generality, flexibility, and popularity. My hero.

[Northcutt] And that might just be the best piece of news in all of 2020.

Read more in:

blogs.windows: Update on Adobe Flash Player End of Support


Adobe: Update for Enterprise Customers Using Adobe Flash Player


Bleeping Computer: Microsoft to finally kill Adobe Flash support by January 2021



--Tower Semiconductor Suffers Cyberattack

(September 6, 2020)

Systems at Israeli chipmaker Tower Semiconductor were hit with a cyberattack. The company has temporarily shut down some servers and some manufacturing operations.

Read more in:

Reuters: Israel's Tower Semi halts some operations after cyber attack



--Government Funded Mobile Phones in US Preloaded with Code that Uploads Adware

(September 7, 2020)

Some mobile phones provided to low-income users under the US government's Lifeline program are preloaded with malware. A device examined by a researcher at Malwarebytes was found to contain code that uploads aggressive adware that displays pop-up ads that cover the phone's screen, obstructing their use. The apps that upload the adware cannot be removed from the phone without rendering it unusable.

[Editor Comments]

[Pescatore] A classic supply chain security failure. The FCC says this is illegal, but it doesn't seem like the non-profit USAC that administers the Lifeline program for the FCC had a process in place to prevent this type of thing from happening. The program has issued a lot of waivers to make sure service was not interrupted to low-income users, so understandable if the desire to provide services trumped full privacy/security checking of devices but more transparency on that side of the process is needed.

Read more in:

CNET: Phones for low-income users hacked before they're turned on, research finds





A Blast From The Past: XXEncoded VB 6.0 Trojan



Office: About OLE and ZIP Files



Go XSS Vulnerability



"Baka" JavaScript Skimmer (PDF)




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create