Ending Soon: Get a MacBook Air or Surface Pro 7 with 5 or 6 Day Training - Best Offers of the Year!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #73

September 15, 2020

More evidence cyber hygiene is failing during pandemic


SANS Annual Security Awareness Report. This free resource helps you benchmark your awareness program against others and make data-driven decisions on how to best manage your human risk. Complete this anonymized, 10-minute survey (https://survey.sans.org/jfe/form/SV_0DjA8AXKRKANu97) before Oct 13. You will receive a pre-release copy of the completed report and have a chance to win an iPad or a free pass to the SANS Security Awareness Summit. https://www.sans.org/event/security-awareness-summit-2020


*****************************************************************************

SANS NewsBites              September 15, 2020              Vol. 22, Num. 073

*****************************************************************************


THE TOP OF THE NEWS (Don't Let Hygiene Lag During the Pandemic)


  2,000 eCommerce Sites Running Magento were Hacked Over the Weekend

  Malvertising Sneaks Into Banner Ads on Adult Sites, Exploits Flaws in Flash and IE

  Update Available for WordPress Email Subscribers & Newsletters Plugin Flaw



REST OF THE WEEK'S NEWS


  USPS OIG: Vulnerable Apps Could Have Exposed Data

  Dept. of Veterans Affairs Breach Affects 46,000

  Fairfax County, Virginia, School System Suffers Ransomware Attack

  Artech Information Systems Hit with Ransomware Last January

  Tutanota's DDoS Defense Prevented Users From Accessing Accounts

  CISA and FBI Alert Warns of China's State-Sponsored Hackers

  IRS Seeks Technology to Help it Trace Cryptocurrency

  Researchers and Tech Companies Respond to Voatz's CFAA Supreme Court Amicus Brief

  FBI Warns Financial Institutions of Credential Stuffing Attacks


INTERNET STORM CENTER TECH CORNER

************************  Sponsored By Exabeam  ******************************


Data breaches involving internal actors account for 30 percent of data breaches. Yet for many organizations, detecting insider threats is difficult because the threat actor is using a trusted identity and has legitimate access to its systems and data. For actionable tips to get ahead of insiders, join Exabeam for this September 29th webinar. | http://www.sans.org/info/217620

 

*****************************************************************************

CYBERSECURITY TRAINING UPDATE


Popular OnDemand Courses


SEC401: Security Essentials Bootcamp Style


- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling


- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling


View all courses


- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand


Upcoming Interactive Training Events


Oil & Gas Cybersecurity Summit & Training - Live Online (Oct 2-10, CDT)


- https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/


SANS San Francisco Fall 2020 - Live Online (Oct 26-31, PDT)


- https://www.sans.org/event/san-francisco-fall-2020-live-online


View complete event schedule


- https://www.sans.org/cyber-security-training-events/north-america


Free Resources


Tools, Posters, and more.


- https://www.sans.org/free


SANS OnDemand Special Offer


Get an iPad (32GB), Galaxy Tab A, or Take $250 Off with a qualifying OnDemand course.


- https://www.sans.org/ondemand/specials


*****************************************************************************

TOP OF THE NEWS (Don't Let Hygiene Lag During the Pandemic)  

 

--2,000 eCommerce Sites Running Magento were Hacked Over the Weekend

(September 14, 2020)

Nearly 2,000 ecommerce sites running on the Magento platform were compromised over the weekend. The attackers installed malicious code to log payment card data. Most of the hacked sites were running Magento version 1, which is no longer supported. Magento 1.x reached EOL at the end of June 2020.


[Editor Comments]


[Neely] With an increased reliance on on-line purchases, users also need to take precautions, such as enabling alerts, and possibly authorization, for card-not-present transactions; rather than depending on merchants keeping their systems patched.  


Read more in:

Threatpost: Magecart Attack Impacts More Than 10K Online Shoppers

https://threatpost.com/magecart-campaign-10k-online-shoppers/159216/

Bleeping Computer: Magento stores hit by largest automated hacking attack since 2015

https://www.bleepingcomputer.com/news/security/magento-stores-hit-by-largest-automated-hacking-attack-since-2015/

ZDNet: Magento online stores hacked in largest campaign to date

https://www.zdnet.com/article/magento-online-stores-hacked-in-largest-campaign-to-date/

 
 

--Malvertising Sneaks Into Banner Ads on Adult Sites, Exploits Flaws in Flash and IE

(September 11 & 12, 2020)                                             

Hackers have placed malicious banner ads on numerous adult websites. The ads redirect users to malicious sites that attempt to install malware through vulnerabilities in Adobe Flash and Internet Explorer.


[Editor Comments]


[Neely] The current isolation and work from home activities have seen a spike in porn site use, which puts systems used for both personal and work purposes at higher risk for this attack. Providing users a secured virtual environment, rather than processing business data directly on their personal system, provides needed separations from compromise on these systems. Additionally, consider limiting or blocking the use of Internet Explorer and Adobe Flash accessing internet sites from corporate systems.


Read more in:

ZDNet: Porn site users targeted with malicious ads redirecting to exploit kits, malware

https://www.zdnet.com/article/porn-site-users-targeted-with-malicious-ads-redirecting-to-exploit-kits-malware/

Ars Technica: Porn surfers have a dirty secret. They're using Internet Explorer

https://arstechnica.com/information-technology/2020/09/ads-that-install-malware-see-a-resurgence-on-porn-sites/


--Update Available for WordPress Email Subscribers & Newsletters Plugin Flaw

(September 11 & 14, 2020)

Developers of the Email Subscribers & Newsletters plugin for WordPress have released an updated version to fix a spoofing vulnerability. The plugin has more than 100,000 active installations. Users are urged to upgrade to version 4.5.6.


Read more in:

Portswigger: Vulnerability in WordPress email marketing plugin patched

https://portswigger.net/daily-swig/vulnerability-in-wordpress-email-marketing-plugin-patched

Threatpost: WordPress Plugin Flaw Allows Attackers to Forge Emails

https://threatpost.com/wordpress-plugin-flaw/159172/

Tenable: Unauthenticated email forgery/spoofing in WordPress Email Subscribers plugin

https://www.tenable.com/security/research/tra-2020-53


*****************************  SPONSORED LINKS  *****************************


1) Webcast | September 17th @ 2:00 pm EDT | This webinar is dedicated to teaching security practitioners, cloud architects and senior security leadership how to strengthen and maintain their security posture in the cloud.  Join Dave Shackleford, SANS and Nam Le, AWS as they discuss ways security teams can leverage automated means of continually assessing cloud network traffic, user activity, and configuration of systems and services running within the cloud environment. | http://www.sans.org/info/217455


2) Webcast | September 23 @ 10:30 AM ET | Power! Unlimited Power! Understanding the Techniques of Malicious Kernel-Mode Code.  Tune into our upcoming Webcast, hosted by SANS Senior Instructor Jake Williams and VMRay's Tamas Boczan. Register today! | http://www.sans.org/info/217625


3) Webinar | Thursday, September 24th @ 3:30PM BST (10:30AM EDT) | SANS on Elastic Security: Discover the integration of endpoint security into the new Elastic Agent.  Featuring  John Pescatore, SANS Director of Emerging Trends, along with industry experts Mike Nichols & James Spiteri from Elastic Security. | http://www.sans.org/info/217630


*****************************************************************************

REST OF THE NEWS    

 

--USPS OIG: Vulnerable Apps Could Have Exposed Data

(September 11, 2020)

According to a July 27, 2020, memorandum from the US Postal Service (USPS) Office of Inspector General, USPS has been using six applications that contained known vulnerabilities and which remained unpatched for years. The flaws in the apps could have been exploited to gain access to sensitive data. USPS has since addressed the security issues.


[Editor Comments]


[Neely] Application security testing, utilizing both dynamic and static analysis and resolution of discovered issues, has to be baked into the CI-CD pipeline. The auditor should not be the first one to analyze your code for defects. If you are running regulated systems, in this case FISMA, the NIST risk management framework allows for a lot of local control and attestation of adherence to required standards as dictated by the system accreditation letter. Even so, those choices require both monitoring and regularly verified, documented adherence to requirements continue to use this lighter wait ongoing authorization.


[Pescatore] The USPS IG audit appears to be the typical document review that found missing certification/accreditation documentation, vs. any active testing. That did find mention of the "... 12 vulnerabilities related to ***** labeled as catastrophic by the CISO" but assumes all the other apps that had C&A documentation did not have vulnerabilities. Last year SANS gave Interior a SANS Difference Makers Award to Jefferson Gilkeson, the Director of IT Audit at the Department for his implementation and championing of active testing by Inspectors General.


[Paller] John Pescatore is correct to point to the work of Interior's Jefferson Gilkeson and his staff as the model for effective recruiting, skills development, and technical auditing that can be trusted. Gilkeson identified the skills and methods that are needed by professionals on an effective cybersecurity audit team and has shared his finding with audit leaders throughout government.


Read more in:

Vice: Postal Service Used Apps That Had 'Catastrophic' Vulnerabilities for Years

https://www.vice.com/en_us/article/akzpd5/postal-service-used-apps-that-had-catastrophic-vulnerabilities-for-years

Cyberscoop: Postal Service left vulnerable IT applications unaddressed for years, inspector general finds

https://www.cyberscoop.com/postal-service-inspector-general-cyber-vulnerabilities/

USPSOIG: Management Alert - Risks Associated with Information Technology Applications (Report Number 20-251-R20) (PDF)

https://www.uspsoig.gov/sites/default/files/document-library-files/2020/20-251-R20.pdf

 
 

--Dept. of Veterans Affairs Breach Affects 46,000

(September 14, 2020)

A data breach affecting the US Department of Veterans Affairs (VA) Financial Service Center (FSC) compromised personal information belonging to 46,000 veterans. The malicious actors accessed a FSC application without authorization. FSC has taken the application offline.


[Editor Comments]


[Neely] While the VA is offering credit monitoring to affected veterans, as well as guidance on how to protect their information, don't wait to find out if you're impacted. If you don't already have credit monitoring from the 2006 VA breach, now is the perfect time to get it.


Read more in:

VA: VA notifies Veterans of compromised personal information

https://www.va.gov/opa/pressrel/pressrelease.cfm?id=5519

FCW: VA reports data breach affecting 46,000 veterans

https://fcw.com/articles/2020/09/14/veterans-affairs-breach-choice-billing.aspx

Fedscoop: Personal information of 46,000 veterans was compromised in breach

https://www.fedscoop.com/veterans-data-breach-va-hack/

The Hill: VA hit by data breach impacting 46,000 veterans

https://thehill.com/policy/cybersecurity/516331-veterans-affairs-hit-by-data-breach-impacting-46000-veterans

Nextgov: 46,000 Veterans' Data Exposed In Financial Services Center Breach

https://www.nextgov.com/cybersecurity/2020/09/46000-veterans-data-exposed-financial-services-center-breach/168446/

 

--Fairfax County, Virginia, School System Suffers Ransomware Attack

(September 11,12, & 14, 2020)

The Fairfax County (Virginia) Public Schools (FCPS) is investigating a ransomware attack on "some of [its] technology systems." While the attack did not disrupt the district's remote learning program, FCPS is working with federal authorities and "cybersecurity consultants to investigate the nature, scope and extent of any possible data compromise."


[Editor Comments]


[Murray] School systems and municipalities continue to be targets of extortion attacks in part because they have access to the (taxpayers') funds to pay but lack the necessary scale, resources, and organization to resist the attacks.  


Read more in:

FCPS: Ransomware Investigation Update

https://www.fcps.edu/blog/ransomware-investigation-update

Dark Reading: Virginia's Largest School System Hit With Ransomware

https://www.darkreading.com/attacks-breaches/virginias-largest-school-system-hit-with-ransomware/d/d-id/1338906

NBC Washington: Hackers Break Into FCPS Network, Hold Info for Ransom

https://www.nbcwashington.com/news/local/hackers-break-into-fcps-network-hold-personal-info-for-ransom/2416279/

Bleeping Computer: Fairfax County schools hit by Maze ransomware, student data leaked

https://www.bleepingcomputer.com/news/security/fairfax-county-schools-hit-by-maze-ransomware-student-data-leaked/

 
 

--Artech Information Systems Hit with Ransomware Last January

(September 11, 2020)

Artech Information Systems has disclosed that its systems were targeted in a ransomware attack in January 2020. While investigating reports of unusual activity on a user account, Artech discovered ransomware on several of its systems. The company brought in a third-party forensic investigation firm, which "determined that an unauthorized actor had access to certain Artech systems between January 5, 2020 and January 8, 2020." The compromised systems contained sensitive information, including health and financial data.


Read more in:

Document Cloud: Notice of Data Event

https://www.documentcloud.org/documents/7206968-2020-9-4-Artech-Web-Notice-BleepinComputer.html

Bleeping Computer: US staffing firm Artech discloses ransomware attack, data breach

https://www.bleepingcomputer.com/news/security/us-staffing-firm-artech-discloses-ransomware-attack-data-breach/


 

--Tutanota's DDoS Defense Prevented Users From Accessing Accounts

(September 14, 2020)

Tutanota, a company that offers an encrypted email service, has apologized to its users for unintentionally shutting them out of their accounts while the company dealt with a distributed denial-of-service (DDoS) attack. Tutanota experienced DDoS attacks on at least five occasions in the past month.


[Editor Comments]


[Honan] If your incident response in itself causes a Denial-of-Service (in this case an "overreacting IP block") then you inadvertently help your attackers achieve their goals. Incident response plans and procedures should be regularly tested and simulated to ensure your processes respond to an attack work as expected.

 

Read more in:

The Register: Sorry we shut you out, says Tutanota: Encrypted email service weathers latest of ongoing DDoS storms

https://www.theregister.com/2020/09/14/tutanota_ddos_storms_ongoing/

 
 

--CISA and FBI Alert Warns of China's State-Sponsored Hackers

(September 11, 2020)

The US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint alert warning that cyber threat actors affiliated with China's Ministry of State Security (MSS) have been targeting US government agencies. According to the alert, the Chinese hackers are exploiting vulnerabilities in Microsoft Exchange Server, F5 Big-IP, Pulse Secure VPN, and Citrix VPN. Patches are available for the flaws.   


[Editor Comments]


[Neely] Keeping services such as these updated and secured has to be a basic part of your Cyber Hygiene. A bulletin such as this can be leveraged to start the conversation about overall protections, particularly on boundary control devices. Don't limit the conversation to only the services identified; be sure to examine your overall process.


[Pescatore] There is a common thread between this item and the item on Magento vulnerabilities being exploited - these are well-known vulnerabilities with existing patches or new versions. The "state-sponsored" in the headline is click-bait - the attacks are easily avoided by basic security hygiene. I'd like to see a follow-up article on what percentage of these attacks succeed.


Read more in:

The Register: What do F5, Citrix, Pulse Secure all have in common? China exploiting their flaws to hack govt, biz - Feds

https://www.theregister.com/2020/09/14/chinas_hackers_f5_citrix/

ZDNet: CISA: Chinese state hackers are exploiting F5, Citrix, Pulse Secure, and Exchange bugs

https://www.zdnet.com/article/cisa-chinese-state-hackers-are-exploiting-f5-citrix-pulse-secure-and-exchange-bugs/

US-CERT: Alert (AA20-258A) | Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity

https://us-cert.cisa.gov/ncas/alerts/aa20-258a

 
 

--IRS Seeks Technology to Help it Trace Cryptocurrency

(September 9, 11, & 14, 2020)

The US Internal Revenue Service (IRS) is seeking proposals that will allow the agency to trace cryptocurrency transactions as part of its investigations into money laundering and other cybercrimes. The deadline for proposals is Wednesday, September 16.


[Editor Comments]


[Murray] The good news is that the distributed ledger retains all the transaction data and the blockchain preserves and protects it. The bad news is that the amount of activity, some generated for this purpose, obscures the information. What is needed are tools and services to analyze the data so as to provide transparency and accountability. Some tools and services are already in use.  


Read more in:

Nextgov: IRS Wants to Be Able to Trace 'Untraceable' Digital Currencies

https://www.nextgov.com/emerging-tech/2020/09/irs-wants-be-able-trace-untraceable-digital-currencies/168305/

ZDNet: IRS offers grants for software to trace privacy-focused cryptocurrency trades

https://www.zdnet.com/article/irs-offers-grants-to-contractors-able-to-trace-cryptocurrency-transactions-across-the-blockchain/

GovInfosecurity: IRS Seeks Fresh Ways to Trace Cryptocurrency Transactions

https://www.govinfosecurity.com/irs-seeks-fresh-ways-to-trace-cryptocurrency-transactions-a-14992

Beta.sam: Pilot IRS Cryptocurrency Tracing

https://beta.sam.gov/opp/3b7875d5236b47f6a77f64c19251af60/view?index=opp

 
 

--Researchers and Tech Companies Respond to Voatz's CFAA Supreme Court Amicus Brief

(September 14, 2020)

Nearly 70 individuals and organizations in the cybersecurity community have signed a letter criticizing the argument put forth in an amicus brief submitted to the US Supreme Court regarding a case that could have wide-reading implications for security research. Voatz's brief argues that the Computer Fraud and Abuse Act (CFAA) should not protect security researchers who do not have explicit permission to examine code for vulnerabilities. The signatories say that "As representatives of the security community, including pioneers of coordinated vulnerability disclosure, bug bounties, and election security, it is our opinion that Voatz's brief to the Court fundamentally misrepresents widely accepted practices in security research and vulnerability disclosure, and that the broad interpretation of the CFAA threatens security research activities at a national level."


Read more in:

Dark Reading: Researchers, Companies Slam Mobile Voting Firm Voatz for 'Bad Faith' Attacks

https://www.darkreading.com/vulnerabilities---threats/researchers-companies-slam-mobile-voting-firm-voatz-for-bad-faith-attacks-/d/d-id/1338915

Cyberscoop: Security researchers slam Voatz brief to the Supreme Court on anti-hacking law

https://www.cyberscoop.com/voatz-supreme-court-cfaa-security-research/

Infosecurity Magazine: Cybersecurity Leaders Oppose Voatz

https://www.infosecurity-magazine.com/news/cybersecurity-leaders-oppose-voatz/

Disclose: Response to Voatz's Supreme Court Amicus Brief

https://disclose.io/voatz-response-letter/

 
 

--FBI Warns Financial Institutions of Credential Stuffing Attacks

(September 14, 2020)

An FBI warning sent to US organizations in the financial sector warns of an increase in credential stuffing attacks targeting their institutions. Suggested mitigations include advising customers and employees to use unique passwords for accounts and to change Internet login page responses so that they do not indicate if just one component of the login is correct.


[Editor Comments]


[Neely] Multi-factor authentication is also a win here. Many financial institutions offer security questions as part of the authentication process; users have to be careful to choose questions and answers which cannot be readily derived via OSINT. Use of security questions or one-time-passwords in conjunction with a memorized secret (PIN or Passcode) reduces the likelihood of a successful attack. If your FI doesn't offer multi-factor authentication, ask them how they are protecting accounts from an attack like this before enabling on-line account access.


[Murray] Financial institutions should offer their customers Strong Authentication options and encourage their use. (Customers can use password managers and biometrics to reduce any inconvenience.)  


Read more in:

ZDNet: FBI says credential stuffing attacks are behind some recent bank hacks

https://www.zdnet.com/article/fbi-says-credential-stuffing-attacks-are-behind-some-recent-bank-hacks/

Document Cloud: Private Industry Notification: Cyber Actors Conduct Credential Stuffing Attacks Against US Financial Sector

https://www.documentcloud.org/documents/7208239-FBI-PIN-on-credential-stuffing-attacks.html

 

*****************************************************************************


INTERNET STORM CENTER TECH CORNER


Pillaging and Protecting the Clipboard

https://isc.sans.edu/forums/diary/Whats+in+Your+Clipboard+Pillaging+and+Protecting+the+Clipboard/26556/


Not Everything About ".well-known" is Well Known

https://isc.sans.edu/forums/diary/Not+Everything+About+wellknown+is+Well+Known/26564/


Critical Vulnerability in PANOS

https://security.paloaltonetworks.com/CVE-2020-2040


Linux VoIP Softswitch Malware

https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/


CVE-2020-1472 Zerologon Privilege Escalation Vulnerability

https://www.secura.com/blog/zero-logon


BLE Lock Vulnerable to Replay Attack

https://www.pentestpartners.com/security-blog/360lock-smart-lock-review/


Mobile Iron Exploit Released

https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html



*****************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create