5 Days Left to Get an iPad mini, Surface Go 2, or Take $300 Off with OnDemand Training!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #76

September 25, 2020

Eye-Opening Anatomy of US Federal Hacking Incident Plus Growing Cyber Law Enforcement Efforts


******************************************************************************

SANS NewsBites               September 25, 2020              Vol. 22, Num. 076

******************************************************************************


THE TOP OF THE NEWS


  CISA: Federal Agency Hacked, Data Exfiltrated

  Operation DisrupTor Nets 179 Arrests

  Polish Hacker Gang Shut Down

  Contractor Sentenced for Using Employers System to Mine Cryptocurrency



REST OF THE WEEK'S NEWS


  Cisco Patches Vulnerabilities in IOS XE

  British Pilots Not Satisfied with Proposed MCAS Software Fixes for Boeing 737 Max

  Microsoft: ZeroLogon is Being Actively Exploited; Patch Now

  Microsoft Updates Security Update Guide

  Ransomware: US School Districts Targeted

  Ransomware: Tyler Technologies

  Texas County eMail Hacked


INTERNET STORM CENTER TECH CORNER


*********************  Sponsored By Chronicle  ******************************


This week we launched Chronicle Detect, a threat detection solution built on the power of Google's infrastructure.  It includes a rules engine that operates at the speed of search, a powerful rules language optimized to describe complex threat behavior, and intelligence from Chronicle's elite threat research team.  Read our blog to learn more.

| http://www.sans.org/info/217745

 

******************************************************************************

CYBERSECURITY TRAINING UPDATE


New OnDemand Courses


SEC588: Cloud Penetration Testing


- https://www.sans.org/ondemand/course/cloud-penetration-testing


SEC760: Advanced Exploit Development for Penetration Testers


- https://www.sans.org/ondemand/course/advanced-exploit-development-penetration-testers


View all courses


- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand


Live Online Training Events and Summits


Cyber Defense Forum & Training - Live Online


Free Forum: Oct 9 | Training: Oct 12-17, CDT


- https://www.sans.org/event/cyber-defense-summit-2020


SANS Rocky Mountain Fall - Live Online Nov 2-7 MT


17 Interactive Courses | Virtual NetWars


- https://www.sans.org/event/rocky-mountain-fall-2020-live-online


View complete event schedule


- https://www.sans.org/cyber-security-training-events/north-america


Free Resources


Tools, Posters, and more.


- https://www.sans.org/free


OnDemand Training Special Offer: Get an iPad mini, Surface Go, or Take $300 Off with qualified OnDemand courses through September 30.


- https://www.sans.org/ondemand/specials


******************************************************************************

TOP OF THE NEWS   

 

--CISA: Federal Agency Hacked, Data Exfiltrated

(September 24, 2020)

The US Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis report detailing a cyberattack against a federal agency's enterprise network. The threat actor gained access to the unnamed agency's system and exfiltrated data. The report provides information about the methods used to gain access to the network. The breach was detected through EINSTEIN, CISA's intrusion detection system. The threat actor was able to gain persistent network access through reverse Socket Secure proxies.


[Editor Comments]


[Pescatore] This is the first time I've seen DHS/CISA put out a detailed public report on how an attack against a government agency succeeded. This one starts off with a litany of basic security hygiene failures: the attackers started out with admin credentials, admin accounts didn't seem to require 2FA for remote access, if a firewall was in place it seemed to have allowed everything not explicitly denied policies, VPN patches were not applied, etc. The details on the steps the attackers took show a number of "Living off the Land" techniques that Ed Skoudis detailed in his SANS "Most Dangerous New Attacks" keynote panel talk at this year's RSA.


[Neely] This is an excellent write-up of how the system was compromised and how the attacker adjusted to available resources to continue to penetrate and exploit the system. This also re-enforces the need for 2FA on internet accessible services, epically email and remote access (e.g. VPN). Take a look at your network and make sure that not only strong authentication is required, but also patches are applied.  


Read more in:

ZDNet: CISA says a hacker breached a federal agency

https://www.zdnet.com/article/cisa-says-a-hacker-breached-a-federal-agency/

US-CERT CISA: Analysis Report (AR20-268A) | Federal Agency Compromised by Malicious Cyber Actor

https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a



--Operation DisrupTor Nets 179 Arrests

(September 22, 2020)

Authorities in six countries have arrested a total of 179 people in connection with Dark Web activity. The enforcement effort, known as Operation DisrupTor, also seized 500 kilograms of drugs and confiscated $6.5 million in cash and cryptocurrency. Suspects were arrested in the US, Germany, the Netherlands, the UK, Austria, and Sweden.


[Editor Comments]


[Neely] Authorities are getting better at these actions, and while the Dark Web will bounce back, the intervals between enforcement activities will continue to shrink.


Read more in:

Wired: 179 Arrested in Massive Global Dark Web Takedown

https://www.wired.com/story/operation-disruptor-179-arrested-global-dark-web-takedown/

Europol: International Sting Against Dark Web Vendors Leads to 179 Arrests

https://www.europol.europa.eu/newsroom/news/international-sting-against-dark-web-vendors-leads-to-179-arrests

 
 

--Polish Hacker Gang Shut Down

(September 24, 2020)

Authorities in Poland have shut down a hacking groups that has allegedly been involved in a variety of cybercrimes. Four people have been arrested and another four are under investigation. The group's alleged activities include spreading ransomware, other malware, SIM swapping, and bank fraud.


Read more in:

ZDNet: Polish police shut down hacker super-group involved in bomb threats, ransomware, SIM swapping

https://www.zdnet.com/article/polish-police-shut-down-hacker-super-group-involved-in-bomb-threats-ransomware-sim-swapping/

Europol: 4 Hackers Arrested in Poland in Nation-Wide Action Against Cybercrime

https://www.europol.europa.eu/newsroom/news/4-hackers-arrested-in-poland-in-nation-wide-action-against-cybercrime


 

--Contractor Sentenced for Using Employers System to Mine Cryptocurrency

(September 22, 2020)

A man in Australia has been sentenced for using his former employer's systems to mine cryptocurrency. The man worked as an IT contractor at Australia's Commonwealth Scientific and Industrial Research Organisation (CSIRO). His responsibilities included data archiving and software support. The man altered data to use the computers to mine AU$9,400 (US$6,800) in cryptocurrency, while costing the company AU$76,000 (US$55,000) in computing time. The unnamed man received a 15-month non-custodial sentence.


[Editor Comments]


[Murray] It is essential that employees not be granted any privilege that cannot be withdrawn upon termination. Consider hardware token based strong authentication everywhere.


Read more in:

The Register: Contractor convicted of pinching supercomputer cycles to mine cryptocurrency

https://www.theregister.com/2020/09/22/contractor_convicted_of_pinching_supercomputer/


*****************************  SPONSORED LINKS  ******************************


1) DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks| Get the whitepaper now!

| http://www.sans.org/info/217730


2) Live Hacking Session | Join us for "Hacking the Security Footprint of Open Source Dependencies" |  September 30 @ 10:30 AM EDT

| http://www.sans.org/info/217735


3) Webcast | Join us for "More than a Buzzword: How to Deliver on the Promise of Machine Learning," an upcoming webcast chaired by SANS Analyst Jake Williams. This webcast will discuss how you can get value from machine learning in real world cloud security deployments. | September 30 @ 1:00 PM EDT

| http://www.sans.org/info/217740


******************************************************************************

REST OF THE NEWS    


--Cisco Patches Vulnerabilities in IOS XE

(September 24, 2020)

On Thursday, September 24, Cisco released fixes for numerous security issues affecting Cisco IOS XE software. The vulnerabilities addressed could be exploited to cause denial-of-service conditions, overwrite files, and launch input validation attacks.


Read more in:

Threatpost: Cisco Patch-Palooza Tackles 29 High-Severity Bugs

https://threatpost.com/cisco-patches-bugs/159537/

Cisco: Cisco Security Advisories

https://tools.cisco.com/security/center/publicationListing.x?product=Cisco&sort=-day_sir&limit=50#~Vulnerabilities

 
 

--British Pilots Not Satisfied with Proposed MCAS Software Fixes for Boeing 737 Max

(September 23, 2020)

The British Airline Pilots' Association (BALPA) says it is not satisfied with proposed fixes to Boeing Manoeuvring Characteristics Augmentation System (MCAS) software for the 737 Max aircraft. BALPA detailed the issue in public comments submitted to a US Federal Aviation Administration (FAA) notice of proposed rulemaking (NPRM). The NPRM proposes fixes and procedures for pilots to follow if a problem arises. BALPA warned that a proposed workaround for an MCAS failure could lead to a crash.


[Editor Comments]


[Neely] The objections are around the viability of the manual-override scenarios. One example is that the override of the automatic trim system requires both pilots to adjust their trim wheels in unison. When designing procedures to circumvent faulty or failed automation in OT systems, one should consider both the practicality and safety of the work-around.


Read more in:

The Register: Proposed US fix for Boeing 737 Max software woes does not address Ethiopian crash scenario, UK pilot union warns

https://www.theregister.com/2020/09/23/boeing_737_max_faa_balpa/

 
 

--Microsoft: ZeroLogon is Being Actively Exploited; Patch Now

(September 23 & 24, 2020)

Microsoft is urging users to patch vulnerable systems against the ZeroLogon flaw, which is being actively exploited to. The vulnerability lies in Microsoft's Netlogon protocol. It can be exploited to bypass authentication measures to obtain domain level admin access in networks. Last week, CISA issued an Emergency Directive instructing agencies to apply the patch by midnight on Monday, September 21.


[Editor Comments]


[Neely] The patch was released in August. The time for regression testing is over; apply the patch NOW - then focus on identifying systems and services not using secure-RPC to bind to AD and fix them before February 9th, when your DCs will be in enforcement mode, regardless of the registry key setting. Look for event IDs 5827, 5828 and 5829 which indicate unsecure connections.


Read more in:

Twitter: Microsoft Security Intelligence

https://twitter.com/MsftSecIntel/status/1308941504707063808

Dark Reading: Microsoft Warns of Attackers Now Exploiting 'Zerologon' Flaw

https://www.darkreading.com/risk/microsoft-warns-of-attackers-now-exploiting-zerologon-flaw/d/d-id/1339004

Threatpost: Zerologon Patches Roll Out Beyond Microsoft

https://threatpost.com/zerologon-patches-beyond-microsoft/159513/

KrebsOnSecurity: Microsoft: Attackers Exploiting 'ZeroLogon' Windows Flaw

https://krebsonsecurity.com/2020/09/microsoft-attackers-exploiting-zerologon-windows-flaw/

Bleeping Computer: Microsoft: Hackers using Zerologon exploits in attacks, patch now!

https://www.bleepingcomputer.com/news/microsoft/microsoft-hackers-using-zerologon-exploits-in-attacks-patch-now/

The Register: You know that Microsoft ZeroLogon bug you've been dragging your feet on? It's getting pwned in the wild now

https://www.theregister.com/2020/09/24/microsoft_zerologon_in_wild/

Ars Technica: One of this year's most severe Windows bugs is now under active exploit

https://arstechnica.com/information-technology/2020/09/one-of-this-years-most-severe-windows-bugs-is-now-under-active-exploit/

 
 

--Microsoft Updates Security Update Guide

(September 21 & 22, 2020)

Microsoft has updated its Security Update Guide, which contains information about all of the security updates Microsoft releases. Microsoft says that the "new version will provide a more intuitive user experience to help protect our customers regardless of what Microsoft products or services they use in their environment." It is now easier to generate a list of all CVEs from Patch Tuesday, and the display can be personalized.


[Editor Comments]


[Neely] It is now it simper to enumerate the issues resolved as well as track their corresponding release notes and KB articles which should make analysis and research faster and easier. Given the size and complexity of current updates, this simplification is needed.


Read more in:

MSRC: New and improved Security Update Guide!

https://msrc-blog.microsoft.com/2020/09/21/new-and-improved-security-update-guide/

MSRC: Security Update Guide

https://msrc.microsoft.com/update-guide

Threatpost: Microsoft Overhauls Patch Tuesday Security Update Guide

https://threatpost.com/microsoft-overhauls-security-update-guide/159449/

 
 

--Ransomware: US School Districts Targeted

(September 22, 2020)

Networks belonging to at least 16 school districts in the US have been hot with ransomware in the past few months. In some of the districts, the attacks pushed back the first day of school; in others, classes were cancelled for a day or more. Having a functioning IT system is especially crucial to school districts as so many are holding classes remotely.


Read more in:

Pew Trusts: Cybercriminals Strike Schools Amid Pandemic

https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2020/09/22/cybercriminals-strike-schools-amid-pandemic

 
 

--Ransomware: Tyler Technologies

(September 23, 2020)

Systems at Tyler Technologies, a company that provides software and IT services to state and local governments across the US, has been hit with what appears to be a ransomware attack. The company has not specified the nature of the attack, but the details that have emerged are consistent with a system beset with ransomware. In an email to clients, Tyler's CIO wrote, that after discovering "that an unauthorized intruder had disrupted access to some of our internal systems, ...out of an abundance of caution, we shut down points of access to external systems and immediately began investigating and remediating the problem."  


[Editor Comments]


[Neely] Some Tyler customers have severed connections to services provided by Tyler to mitigate risks of malware being introduced to their systems, which is a fairly standard protection measure. Ransomware attacks and activities continue to be active and aggressive. Many attacks now start with data exfiltration, so triggering on unexpected data transfers may be a good canary in the coal mine. With more remote users than ever, regular UAT is needed to keep users sharp and on the lookout for possible problems. In a recent German study, the research team found that while the participants were able to correctly identify phishing emails even after four months following the initial training, this was not the case after six months and beyond, with a new training being recommended.



Read more in:

KrebsOnSecurity: Govt. Services Firm Tyler Technologies Hit in Apparent Ransomware Attack

https://krebsonsecurity.com/2020/09/govt-services-firm-tyler-technologies-hit-in-apparent-ransomware-attack/

Bleeping Computer: Government software provider Tyler Technologies hit by ransomware

https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/

Statescoop: Tyler Technologies reports apparent cyberattack

https://statescoop.com/tyler-technologies-reports-apparent-cyberattack/

GovTech: Tyler Technologies' Internal Systems Hit by Ransomware

https://www.govtech.com/biz/Tyler-Technologies-Internal-Systems-Hit-by-Ransomware.html

 
 

--Texas County eMail Hacked

(September 24, 2020)

The Hamilton County (Texas) email system suffered a malware attack. Individuals who emailed the county clerk received maliciously-crafted replies that included an attached file and a password to open the file. The attachments contained malware. The county had not implemented two-factor authentication (2FA) or DMARC for its email system email.


Read more in:


Pro Publica: Foreign Hackers Cripple Texas County's Email System, Raising Election Security Concerns

https://www.propublica.org/article/foreign-hackers-cripple-texas-countys-email-system-raising-election-security-concerns

 

******************************************************************************

INTERNET STORM CENTER TECH CORNER


Dynamic Malicious Word Document

https://isc.sans.edu/forums/diary/Malicious+Word+Document+with+Dynamic+Content/26590/

 

Party in Ibiza with PowerShell

https://isc.sans.edu/forums/diary/Party+in+Ibiza+with+PowerShell/26594/

 

Citrix ADC Updates

https://support.citrix.com/article/CTX281474

 

Firefox Version 81 Released

https://www.mozilla.org/en-US/firefox/81.0/releasenotes/

 

Simple Scan Drops Ransomware Risk

https://www.accesswire.com/607018/Corvus-Updates-Scan-Technology-with-RDP-Detection-Slashes-Ransomware-Claims-by-65

 

Old Versions of SAMBA Affected by ZeroLogon Vulnerability

https://www.samba.org/samba/security/CVE-2020-1472.html

 

iOS 14 Jailbreak

https://checkra.in/news/2020/09/iOS-14-announcement

 

Google Chrome Update

https://chromereleases.googleblog.com/2020/09/stable-channel-update-for-desktop_21.html

 

QNAP Devices Hit by AgeLocker Ransomware

https://www.bleepingcomputer.com/news/security/agelocker-ransomware-targets-qnap-nas-devices-steals-data/

 

Microsoft Tracking Zerologon Exploits

https://twitter.com/MsftSecIntel/status/1308941504707063808

 

Apple Patches

https://support.apple.com/en-us/HT201222

 

Instagram for Android Vulnerability

https://blog.checkpoint.com/2020/09/24/instahack-how-researchers-were-able-to-take-over-the-instagram-app-using-a-malicious-image/

 

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create