
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #75

September 22, 2020

NSA and FERC/NERC Issue Extremely Valuable Security Guides; CISA Emergency Directive on Windows





THE TOP OF THE NEWS


  NSA Cybersecurity Information Sheets

  FERC/NERC Report Looks at Electric Utility Cyber Incident Response

  CISA Emergency Directive on Windows Server Vulnerability



REST OF THE WEEK'S NEWS


  Researchers: Rampant Kitten Hacking Campaign Uses an Arsenal of Data-Stealing Malware

  Hijacking Flaw in Firefox for Android is Fixed in Version 79

  Internet Archive and Cloudflare Collaborate to Archive More Website Content

  Another Patch for Discount Rules for WooCommerce WordPress Plugin

  Jekyll Island Authority Systems Hit with Ransomware

  Ransomware Operators Stole Data from ArbiterSports


INTERNET STORM CENTER TECH CORNER



******************************************************************************

TOP OF THE NEWS   


--NSA Cybersecurity Information Sheets

(September 21, 2020)

The US National Security Agency (NSA) has published two cybersecurity information sheets. The first, "Compromised Personal Network Indicators and Mitigations," is for government teleworkers; it "provides guidance to users who have received authorization to connect GFE (government furnished equipment) to personal networks." The second document, "Performing Out-of-Band Network Management," provides information for system admins on isolating management traffic from operational traffic.


[Editor Comments]


[Neely] There is information in the first document we can all leverage as we are all connecting assets to personal or other non-company-managed networks, providing IoCs and mitigations for home users, including aggressive measures if your home network is actively compromised. The second document not only outlines out-of-band management practices, it also provides alternatives for either physical or virtual separations, which help raise the bar on corporate IT devices and services.


[Honan] Excellent resources.


Read more in:

Security Week: NSA Issues Cybersecurity Guidance for Remote Workers, System Admins

https://www.securityweek.com/nsa-issues-cybersecurity-guidance-remote-workers-system-admins

Defense: Compromised Personal Network Indicators and Mitigations (PDF)

https://media.defense.gov/2020/Sep/17/2002499615/-1/-1/0/COMPROMISED_PERSONAL_NETWORK_INDICATORS_AND_MITIGATIONS_20200914_FINAL.PDF/COMPROMISED_PERSONAL_NETWORK_INDICATORS_AND_MITIGATIONS_20200914_FINAL.PDF

Defense: Performing Out-of-Band Network Management (PDF)

https://media.defense.gov/2020/Sep/17/2002499616/-1/-1/0/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF/PERFORMING_OUT_OF_BAND_NETWORK_MANAGEMENT20200911.PDF


 

--FERC/NERC Report Looks at Electric Utility Cyber Incident Response

(September 21, 2020)                                           

A report from the U.S. Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC) outlines best practices for cybersecurity incident response. The report is based on information gleaned from cybersecurity incident response plans of eight US utilities.


[Editor Comments]


[Neely, Murray, Honan] This is a great source of best practices and successes. Leverage this report to see if you've missed anything, as well as a source for solutions you may not have derived on your own, possibly facilitating that "ah ha!" moment.


[Pescatore] Good to see FERC/NERC highlighting common successful practices across very individual security programs of the eight utilities interviewed. There is no shortage of information about failures in security - finding out how others have overcome the barriers to higher levels of security is what is needed. During my years at Gartner, Case Study research notes were among the highest page views of all Gartner documents and here at SANS the What Works program continues that approach. The value is not in "I never thought of doing that," it is in the "Oh, that is how they were able to do that."


Read more in:

Security Week: FERC, NERC Conduct Study on Cyber Incident Response at Electric Utilities

https://www.securityweek.com/ferc-nerc-conduct-study-cyber-incident-response-electric-utilities

Smart Energy: Cybersecurity incident response - best practices from the US

https://www.smart-energy.com/industry-sectors/cybersecurity/cybersecurity-incident-response-best-practices-from-the-us/

CMSA FERC: Cyber Planning for Response and Recovery Study (CYPRES) (PDF)

https://cms.ferc.gov/sites/default/files/2020-09/FERC%26NERC_CYPRES_Report.pdf

 
 

--CISA Emergency Directive on Windows Server Vulnerability

(September 18, 20, & 21, 2020)

On Friday, September 18, the US's Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive ordering federal agencies to patch a critical vulnerability in Windows Server for which Microsoft issued a fix in August. The flaw lies in an Active Directory authentication component called Microsoft Windows Netlogon Remote Protocol (MS-NRPC). Agencies have been directed to "update all Windows Servers with the domain controller role by 11:59 PM EDT, Monday, September 21, 2020." The privilege elevation vulnerability has been given a CVSS score of 10.


[Editor Comments]


[Neely] The flaw can be leveraged for an unauthenticated attacker to obtain administrative privileges on your domain controller. Double check that you applied the update to all your Domain Controllers. The fix applies to Windows Server 2008 or later. Next, build a plan for the required post-patch activities prior to the Q1 2021 DC enforcement phase to avoid devices losing access: https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc


[Murray] We are at the point where most enterprises should apply Windows patches by default. The risk of not doing so now exceeds that of applying without testing for their impact on applications.  


Read more in:

ZDNet: US govt orders federal agencies to patch dangerous Zerologon bug by Monday

https://www.zdnet.com/article/us-govt-orders-federal-agencies-to-patch-dangerous-zerologon-bug-by-monday/

FCW: CISA orders agencies to patch dire Window flaw

https://fcw.com/articles/2020/09/21/cisa-windows-flaw-federal-networks.aspx

The Register: US Cybersecurity agency issues super-rare Emergency Directive to patch Windows Server flaw ASAP

https://www.theregister.com/2020/09/21/cisa_zerologon_emergency_directive/

Cyberscoop: CISA orders agencies to quickly patch critical Netlogon bug

https://www.cyberscoop.com/cisa-netlogon-microsoft-vulnerability-emergency/

SC Magazine: Critical Zerologon bug uses weak cryptography to spoof network users

https://www.scmagazine.com/home/security-news/vulnerabilities/critical-zerologon-bug-uses-weak-cryptography-to-spoof-network-users/

Cyber.DHS: Mitigate Netlogon Elevation of Privilege Vulnerability from August 2020 Patch Tuesday

https://cyber.dhs.gov/ed/20-04/

MSRC: CVE-2020-1472 | Netlogon Elevation of Privilege Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472



******************************************************************************

REST OF THE NEWS    

 

--Researchers: Rampant Kitten Hacking Campaign Uses an Arsenal of Data-Stealing Malware

(September 18 & 21, 2020)

Researchers at Check Point have detected a long-standing surveillance campaign used by Iranian entities to target dissidents and expatriates. Dubbed Rampant Kitten, the campaign employs malware to steal information, including two-factor authentication (2FA) SMS codes, take screenshots, and record sounds near infected devices.


[Editor Comments]


[Murray] The CheckPoint blog notes that most of the targets of this campaign are "Iranian Nationals" (and a few neighbors), those seen as opponents of the regime. While the blog did point to tools (including CheckPoint products) useful for resisting this campaign, this editor was unable to find indicators of compromise (IOCs). The investigation is of interest, but this campaign does not represent a risk for most of our readers.


Read more in:

Check Point: RampantKitten: An Iranian Surveillance Operation unraveled

https://blog.checkpoint.com/2020/09/18/rampantkitten-an-iranian-surveillance-operation-unraveled/

Ars Technica: Telegram messages are a focus in newly uncovered hack campaign from Iran

https://arstechnica.com/information-technology/2020/09/telegram-messages-are-a-focus-in-newly-uncovered-hack-campaign-from-iran/

ZDNet: Iranian hacker group developed Android malware to steal 2FA SMS codes

https://www.zdnet.com/article/iranian-hacker-group-developed-android-malware-to-steal-2fa-sms-codes/

Threatpost: Android Malware Bypasses 2FA And Targets Telegram, Gmail Passwords

https://threatpost.com/android-2fa-telegram-gmail/159384/

 
 

--Hijacking Flaw in Firefox for Android is Fixed in Version 79

(September 18 & 21, 2020)

Firefox for Android users are urged to update their apps to version 79 or newer to protect the browser from being hijacked. An attacker on the same Wi-Fi network as someone running a vulnerable version of Firefox for Android could cause a new browser window to open. The issue lies in the browser's Simple Service Discovery Protocol (SSDP) engine.


Read more in:

ZDNet: Firefox bug lets you hijack nearby mobile browsers via WiFi

https://www.zdnet.com/article/firefox-bug-lets-you-hijack-nearby-mobile-browsers-via-wifi/

Threatpost: Firefox for Android Bug Allows 'Epic Rick-Rolling'

https://threatpost.com/firefox-android-bug-rick-rolling/159397/

 
 

--Internet Archive and Cloudflare Collaborate to Archive More Website Content

(September 17 & 18, 2020)

A partnership between the Internet Archive and Cloudflare will automatically archive content of websites that use Cloudflare's Always Online service. The Always Online feature serves cached static versions of websites when the sites are experiencing downtime. The partnership will help increase the number of sites the Internet Archive's Wayback Machine archives.


Read more in:

Wired: The Wayback Machine and Cloudflare Want to Backstop the Web

https://www.wired.com/story/cloudflare-internet-archive-wayback-machine/

Ars Technica: Wayback Machine and Cloudflare team up to archive more of the Web

https://arstechnica.com/information-technology/2020/09/wayback-machine-and-cloudflare-team-up-to-archive-more-of-the-web/

 
 

--Another Patch for Discount Rules for WooCommerce WordPress Plugin

(September 17 & 18, 2020)

The developers of the Discount Rules for WooCommerce WordPress plugin have released an update to address a pair of high-severity cross-site scripting vulnerabilities. This is the third time that updates have been issued to address the flaws; two earlier versions did not sufficiently fix the problem. Users are urged to update to version 2.2.1.  


[Editor Comments]


[Neely] There were three separate updates to the rules as incremental fixes were quickly released, rather than delaying to only release the comprehensive fix; make sure you have the latest which fully addresses the problem. Initial exploits were possible as a parameter could be changed to move to the less secure v1 code base, either by request manipulation or CSRF. Both exploit paths are closed. If you're relying on the free Wordfence firewall, rules were released September 19th and 20th. Rules for the paid version were released 30 days previously.


[Murray] It is now routine to identify vulnerabilities in WordPress Plug-ins. Many of these remain unpatched, in part because the decision to include the plug-in was made casually, at a low level of management, and was not documented. Said another way, no one is responsible for knowing what plug-ins are in use, much less for patching them. If you are using WordPress, identify and minimize the plug-ins that are in place, and monitor announcements about those that you continue to use.


Read more in:

Threatpost: Stubborn WooCommerce Plugin Bugs Gets Third Patch

https://threatpost.com/woocommerce-plugin-bug-allows-site-takeover/159364/

Wordfence: High-Severity Vulnerabilities Patched in Discount Rules for WooCommerce

https://www.wordfence.com/blog/2020/09/high-severity-vulnerabilities-patched-in-discount-rules-for-woocommerce/

 
 

--Jekyll Island Authority Systems Hit with Ransomware

(September 16, 2020)

The Jekyll Island Authority (JIA) has acknowledged that its network was hit with a ransomware attack last week. (Jekyll Island is located off the coast of the US state of Georgia.) The JIA executive director said, "All of our computer systems ... were impacted, and it's a very serious situation." JIA employed a third-party IT services provider that is working on restoring JIA systems.


Read more in:

GovTech: Jekyll Island Authority Targeted by Ransomware Attack

https://www.govtech.com/security/Jekyll-Island-Authority-Targeted-by-Ransomware-Attack.html

 
 

--Ransomware Operators Stole Data from ArbiterSports

(September 21, 2020)

ArbiterSports has acknowledged that its network suffered a ransomware attack in July. According to its website, "ArbiterSports provides a complete suite of tools and technology that caters to the needs of Assigners, Coordinators, Business Offices, Game officials and Athletic or Federal Program Directors." The company said that the attackers stole data belonging to 540,000 users. Although ArbiterSports paid the demanded ransom and the hackers said they deleted the stolen files, there is no guarantee that the information is not still in their possession.


Read more in:

ZDNet: Details of 540,000 sports referees taken in failed ransomware attack

https://www.zdnet.com/article/details-of-540000-sports-referees-taken-in-failed-ransomware-attack/

 
 

******************************************************************************

INTERNET STORM CENTER TECH CORNER

 

A Mix of Python and VBA in a Malicious Word Document

https://isc.sans.edu/forums/diary/A+Mix+of+Python+VBA+in+a+Malicious+Word+Document/26578/


Salesforce Phish

https://isc.sans.edu/forums/diary/Analysis+of+a+Salesforce+Phishing+Emails/26582/


Slightly Broken Overlay Phishing

https://isc.sans.edu/forums/diary/Slightly+broken+overlay+phishing/26586/


Google App Engine Used in Phishing Attacks

https://medium.com/@marcelx/attackers-are-abusing-googles-app-engine-to-circumvent-enterprise-security-solutions-again-eda8345d531d


Sysmon Adds Clipboard Monitoring

https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon


Windows Defender No Longer Able to Download Files

https://www.bleepingcomputer.com/news/microsoft/microsoft-removes-windows-defender-ability-after-security-concerns/


MacOS Code Injection via Third Party Frameworks

https://www.trustedsec.com/blog/macos-injection-via-third-party-frameworks


Snort/ClamAV Cobalt Strike Detection

https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create