Join us for the FREE Cyber Defense Forum | Live Online on October 9

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #72

September 11, 2020

NB: Microsoft: Russian Hackers are Targeting US Presidential Campaigns; Zoom Will Offer Two-Factor Authentication; Irish Data Protection Commission Will Order Facebook to Stop Sending EU User Data to US


*****************************************************************************

SANS NewsBites             September 11, 2020               Vol. 22, Num. 072

*****************************************************************************


THE TOP OF THE NEWS


  Microsoft: Russian Hackers are Targeting US Presidential Campaigns

  Zoom Will Offer Two-Factor Authentication to All Users

  Irish Data Protection Commission Will Order Facebook to Stop Sending EU User Data to US



REST OF THE WEEK'S NEWS


  School Openings Delayed Due to Ransomware and Other Digital Disruptions

  Pakistani Power Company Hit with Ransomware

  Equinix Internal Systems Hit with Ransomware

  Microsoft Patch Tuesday

  Adobe Patch Tuesday

  CodeMeter Vulnerabilities

  Bluetooth Vulnerability


INTERNET STORM CENTER TECH CORNER


******************  Sponsored By AWS Marketplace  ***************************


"How to strengthen your security posture in AWS.

Join SANS and AWS Marketplace to learn how to create and implement an effective continuous monitoring and assessment strategy. They will provide practical guidance that will help you secure your cloud control plane, identify misconfigurations, uncover security gaps, and enable you to better predict, prevent, and respond to events."

| http://www.sans.org/info/217575


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


Popular OnDemand Courses


SEC401: Security Essentials Bootcamp Style


- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling


- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling


View all courses


- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand


Upcoming Interactive Training Events


Oil & Gas Cybersecurity Summit & Training - Live Online (Oct 2-10, CDT)


- https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/


SANS San Francisco Fall 2020 - Live Online (Oct 26-31, PDT)


- https://www.sans.org/event/san-francisco-fall-2020-live-online/


View complete event schedule


- https://www.sans.org/cyber-security-training-events/north-america


Free Resources


Tools, Posters, and more.


- https://www.sans.org/free


SANS OnDemand Special Offer


Get an iPad (32GB), Galaxy Tab A, or Take $250 Off with a qualifying OnDemand course.


- https://www.sans.org/ondemand/specials


*****************************************************************************

TOP OF THE NEWS   

 

--Microsoft: Russian Hackers are Targeting US Presidential Campaigns

(September 10, 2020)

In a blog post, Microsoft writes that it "has detected cyberattacks targeting people and organizations involved in the upcoming presidential election." Microsoft has seen malicious activity from hacking groups operating from Russia, China, and Iran. The attacks are targeting "candidates and campaign staffers, but also those they consult on key issues."


[Editor Comments]


[Murray] People on this target list had best be using strong authentication.


Read more in:

Microsoft: New cyberattacks targeting U.S. elections

https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/

Wired: Russia's Fancy Bear Hackers Are Hitting US Campaign Targets Again

https://www.wired.com/story/russias-fancy-bear-hackers-are-hitting-us-campaign-targets-again/

Threatpost: Microsoft Warns of Cyberattacks on Trump, Biden Election Campaigns

https://threatpost.com/microsoft-cyberattacks-trump-biden-election-campaigns/159143/

ZDNet: Microsoft confirms Chinese, Iranian, and Russian cyber-attacks on Biden and Trump campaigns

https://www.zdnet.com/article/microsoft-confirms-chinese-iranian-and-russian-cyber-attacks-on-biden-and-trump-campaigns/

 
 

--Zoom Will Offer Two-Factor Authentication to All Users

(September 10, 2020)

Zoom has announced plans to roll out two-factor authentication (2FA) to all users. There will be several 2FA options for users to choose from: authentication apps like Google Authenticator, Microsoft Authenticator, and FreeOTP, or a code from Zoom sent via SMS or a phone call.


[Editor Comments]


[Pescatore] Rolling out 2FA has been announced by many other large players before but has never been followed by incenting/encouraging users to move away from re-usable passwords. Zoom's position in the current consumer and business online conferencing stampede could be a game changer if they take that second step.


[Honan] A welcome move from Zoom; should be replicated by all service providers.


Read more in:

Zoom: Secure Your Zoom Account with Two-Factor Authentication

https://blog.zoom.us/secure-your-zoom-account-with-two-factor-authentication/

Dark Reading: Zoom Brings Two-Factor Authentication to All Users

https://www.darkreading.com/application-security/zoom-brings-two-factor-authentication-to-all-users/d/d-id/1338885


 

--Irish Data Protection Commission Will Order Facebook to Stop Sending EU User Data to US

(September 9 & 10, 2020)

Facebook has received a preliminary order to stop sending European Union (EU) user data to the US. Facebook has until mid-September to respond to the order from the Irish Data Protection Commission. The order grew out of a July 2020 ruling from the Court of Justice of the European Union (CJEU) that invalidated Privacy Shield, the current EU-US data transfer agreement because the protections it offered against US Surveillance laws were found to be inadequate to protect the rights of EU data subjects. The CJEU ruling left in place Standard Contractual Clauses (SCC), which provide for data transfers between EU and non-EU countries. The Irish Data Protection Commission believes that the SCC provisions are not sufficient and is therefore asking Facebook to stop data transfers. (Please note that the WSJ story is behind a paywall.)


[Editor Comments]


[Pescatore] Facebook's CEO needs to learn from Bill Gates' 2002 "Security is Job 1" direction change at Microsoft, and more recently from Zoom CEO Eric Yuan's similar (but much faster!) epiphany and subsequent security focus in April of this year. The increasing demand for privacy and data rights is coming from consumers, not just regulatory bodies. Getting data protection and stronger user authentication built into products and services meets that demand while greatly raising the bar against attackers.


[Honan] This has major ramifications for all companies transferring personal data of EU data subjects to the US, and potentially for the transferring of personal data of EU data subjects to the United Kingdom in the event of a no deal Brexit. The core of the issue is that the EU does not believe that US privacy laws and mechanisms are robust enough to protect the privacy rights of EU data subjects against US surveillance laws and abuse of that personal data by US corporates. Privacy comes at a price which for too long has been borne by the individual. This move sends a clear message to governments and companies that they too have a responsibility to protect the privacy of individuals.


Read more in:

WSJ: Ireland to Order Facebook to Stop Sending User Data to U.S. (paywall)

https://www.wsj.com/articles/ireland-to-order-facebook-to-stop-sending-user-data-to-u-s-11599671980

Politico.EU: Facebook to stop moving data from EU to US: 5 things you need to know

https://www.politico.eu/article/facebook-data-ireland-privacy/

The Register: Ireland unfriends Facebook: Oh Zucky Boy, the pipes, the pipes are closing...from glen to US, and through the EU-side

https://www.theregister.com/2020/09/10/facebook_ireland/

ZDNet: Privacy concerns prompt Irish regulators to ask Facebook to stop sending EU user data to the US

https://www.zdnet.com/article/irish-regulators-demand-facebook-stops-sending-european-user-data-to-the-us/

FB: Securing the Long Term Stability of Cross-Border Data Flows

https://about.fb.com/news/2020/09/securing-the-long-term-stability-of-cross-border-data-flows/


****************************  SPONSORED LINKS  ******************************


1) Earn 16 CPE Credits |  October 8-9, 2020 | Cyber Solutions Fest 2020 features 4 tracks including Cloud / DevSecOps / Threat Intel / Network Security.  Join our 4 of our most popular SANS instructors along with experts from the top solutions providers in the industry.  Exciting 2 day event featuring great content, numerous prize drawings, peer-to-peer chat rooms and much more. Register Now!

| http://www.sans.org/info/217580


2) DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks| Get the whitepaper now!

| http://www.sans.org/info/217605


3) Webinar | Thursday, September 24th @ 3:30PM BST (10:30AM EDT) | SANS on Elastic Security: Discover the integration of endpoint security into the new Elastic Agent.  Featuring  John Pescatore, SANS Director of Emerging Trends, along with industry experts Mike Nichols & James Spiteri from Elastic Security. | http://www.sans.org/info/217610


*****************************************************************************

REST OF THE NEWS    

 

--School Openings Delayed Due to Ransomware and Other Digital Disruptions

(September 9 & 10, 2020)

School districts in Connecticut, North Carolina, Nevada, and other US states have been hit with ransomware, interrupting plans for both online and in-person classes. In some districts, online classes have been interrupted by Zoom-bombing and distributed denial-of-service (DDoS) attacks. Hartford (Connecticut) Public Schools, which are resuming both in-person and remote classes, postponed the first day of school after suffering a ransomware attack.


Read more in:

Dark Reading: Ransomware Attacks Disrupt School Reopenings

https://www.darkreading.com/attacks-breaches/ransomware-attacks-disrupt-school-reopenings/d/d-id/1338877

Threatpost: Ransomware And Zoom-Bombing: Cyberattacks Disrupt Back-to-School Plans

https://threatpost.com/ransomware-zoom-cyberattacks-school/159093/

Hartford Schools: HPS Opening Postponed: Tuesday Sept 8

https://www.hartfordschools.org/hps-opening-postponed-tuesday-sept-8/

ZDNet: City of Hartford postpones first day of school after ransomware attack

https://www.zdnet.com/article/city-of-hartford-postpones-first-day-of-school-after-ransomware-attack/

NBC Connecticut: Classes Begin in Hartford After Ransomware Attack Postponed First Day of School

https://www.nbcconnecticut.com/news/local/back-to-school/classes-begin-in-hartford-after-ransomware-attack-postponed-first-day-of-school/2330060/


 

--Pakistani Power Company Hit with Ransomware

(September 8, 2020)

Systems at K-Electric, the company that provides electricity to Karachi, Pakistan, were infected with Netwalker ransomware. The attack disrupted billing and online services. The attack reportedly occurred on September 7.  


Read more in:

Bleeping Computer: Netwalker ransomware hits Pakistan's largest private power utility

https://www.bleepingcomputer.com/news/security/netwalker-ransomware-hits-pakistans-largest-private-power-utility/

 
 

--Equinix Internal Systems Hit with Ransomware

(September 9 & 10, 2020)

Data colocation center company Equinix has acknowledged that its internal systems were hit with ransomware. In a blog post, Equinix writes, "Note that as most customers operate their own equipment within Equinix data centers, this incident has had no impact on their operations or the data on their equipment at Equinix."  


[Editor Comments]


[Honan] It is prudent to include a scenario in your incident response and business continuity planning on how your organisation will react when one of your providers is impacted by ransomware.


Read more in:

ZDNet: Data center giant Equinix discloses ransomware incident

https://www.zdnet.com/article/data-center-giant-equinix-discloses-ransomware-incident/

Bleeping Computer: Equinix data center giant hit by Netwalker Ransomware, $4.5M ransom

https://www.bleepingcomputer.com/news/security/equinix-data-center-giant-hit-by-netwalker-ransomware-45m-ransom/

Equinox: Equinix Statement on Security Incident

https://blog.equinix.com/blog/2020/09/09/equinix-statement-on-security-incident/

 
 

--Microsoft Patch Tuesday

(September 8 & 10, 2020)

Microsoft's monthly security update release for September includes fixes for 129 security issues. Twenty-three of the vulnerabilities are considered critical. One of the more worrisome flaws patched earlier this week is a memory corruption issue in Microsoft Exchange that could be exploited simply by sending a maliciously-crafted email.


[Editor Comments]


[Murray] This is the fourth month in a row where the number of security issues addressed by Microsoft has exceeded a hundred. This is more evidence, if any more was needed, that, while patching remains mandatory, it is a very expensive and tardy way to achieve quality. One cannot patch one's way to security. One must reduce one's attack surface. One place to start might be hiding operating systems from public, or even large enterprise, networks.  


Read more in:

The Register: Enjoyed the US Labor Day weekend? Because it's September 2020 and Exchange Server can be pwned via email

https://www.theregister.com/2020/09/08/patch_tuesday_september/

SC Magazine: Microsoft fixes 129 flaws, 23 critical, in massive Patch Tuesday

https://www.scmagazine.com/home/patch-management/microsoft-fixes-129-flaws-23-critical-in-massive-patch-tuesday/

KrebsOnSecurity: Microsoft Patch Tuesday, Sept. 2020 Edition

https://krebsonsecurity.com/2020/09/microsoft-patch-tuesday-sept-2020-edition/

Threatpost: Microsoft's Patch Tuesday Packed with Critical RCE Bugs

https://threatpost.com/microsofts-patch-tuesday-critical-rce-bugs/159044/

MSRC: Security Update Summary

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

 
 

--Adobe Patch Tuesday

(September 8, 2020)

On Tuesday, September 8, Adobe released fixes for vulnerabilities in Experience Manager, Framemaker, and InDesign. Nine of the 11 vulnerabilities fixed in Experience Manager could be exploited to execute arbitrary JavaScript in the browser. The two fixes for Framemaker could be exploited to allow arbitrary code execution, as could the five memory corruption flaws fixed in InDesign.


Read more in:

SC Magazine: Adobe releases update to patch critical flaws that could leave networks, data vulnerable

https://www.scmagazine.com/home/patch-management/adobe-patches-for-critical-flaws-should-be-applied-right-away/

Threatpost: Critical Adobe Flaws Allow Attackers to Run JavaScript in Browsers

https://threatpost.com/critical-adobe-flaws-attackers-javascript-browsers/159026/

Bleeping Computer: Adobe fixes critical vulnerabilities in InDesign and Framemaker

https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-vulnerabilities-in-indesign-and-framemaker/

Adobe: Security Bulletins and Advisories

https://helpx.adobe.com/security.html

 
 

--CodeMeter Vulnerabilities

(September 9, 2020)

US-CERT has released an industrial control systems (ICS) advisory warning of multiple vulnerabilities affecting Wibu-Systems CodeMeter. The flaws could be exploited "to alter and forge a license file, cause a denial-of-service condition, potentially attain remote code execution, read heap data, and prevent normal operation of third-party software dependent on the CodeMeter."


Read more in:

Threatpost: Critical Flaws in 3rd-Party Code Allow Takeover of Industrial Control Systems

https://threatpost.com/severe-industrial-bugs-takeover-critical-systems/159068/

US-CERT-CISA: ICS Advisory (ICSA-20-203-01) | Wibu-Systems CodeMeter

https://us-cert.cisa.gov/ics/advisories/icsa-20-203-01



--Bluetooth Vulnerability

(September 10, 2020)

A high-severity flaw in the pairing process for Bluetooth implementations 4.0 - 5.0 could be exploited to snoop on vulnerable devices. Devices that use the pairing process, known as Cross-Transport Key Derivation (CTKD) in implementations supporting pairing and encryption with both Bluetooth BR/EDR and LE in Bluetooth Specifications 4.2 through 5.0, are vulnerable to key overwrite. Attackers would need to be within wireless range of targeted devices.


[Editor Comments]


[Murray] While Bluetooth vulnerabilities are interesting, even when not alarming, attacks against them do not scale well.  


Read more in:

Threatpost: Bluetooth Bug Opens Devices to Man-in-the-Middle Attacks

https://threatpost.com/bluetooth-bug-mitm-attacks/159124/

KB.CERT: Devices supporting Bluetooth BR/EDR and LE using CTKD are vulnerable to key overwrite

https://kb.cert.org/vuls/id/589825

Bluetooth: Bluetooth SIG Statement Regarding the Exploiting Cross-Transport Key Derivation in Bluetooth Classic and Bluetooth Low Energy Vulnerability (BLURtooth)

https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/blurtooth/

 
 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+September+2020+Patch+Tuesday/26544/


Adobe Security Bulletins

https://helpx.adobe.com/security.html


Intel Patches

https://www.intel.com/content/www/us/en/security-center/default.html


MacOS 11 Network Traffic

https://isc.sans.edu/forums/diary/A+First+Look+at+macOS+11+Big+Sur+Network+Traffic+New+Now+with+more+GREASE/26548/


Recent Dridex Activity

https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/


Azure Offers Automatic Windows VM Patching

https://azure.microsoft.com/en-us/updates/automatic-vm-guest-patching-now-in-preview/


WeaveScope Used to Attack Docker Infrastructure

https://www.intezer.com/blog/cloud-workload-protection/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/


Zoom Bombings and Zoom 2FA

https://arxiv.org/abs/2009.03822

https://blog.zoom.us/secure-your-zoom-account-with-two-factor-authentication/


AMD Server CPUs May Be Locked to Particular Motherboard

https://www.servethehome.com/amd-psb-vendor-locks-epyc-cpus-for-enhanced-security-at-a-cost/


BLURtooth Vulnerability

https://www.bluetooth.com/learn-about-bluetooth/bluetooth-technology/bluetooth-security/blurtooth/

 

*****************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create