5 Days Left to Get an iPad mini, Surface Go 2, or Take $300 Off with OnDemand Training!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #78

October 2, 2020

Treasury Department Threatens To Prosecute Organizations that Pay Ransomware; Major Problem for Hospitals



Game Changer: Treasury's threat to prosecute organizations that pay ransomware demands is a game changer. See Top of the News


****************************************************************************

SANS NewsBites               October 2, 2020               Vol. 22, Num. 078

****************************************************************************


THE TOP OF THE NEWS


  US Treasury Advisory: Sanction Risks for Paying Ransomware Demands

  Universal Health Services Still Working on Restoring Systems After Ransomware Attack

  Lawrence General Hospital Investigating "Data Security Incident"



REST OF THE WEEK'S NEWS


  Pakistani Power Company Data Published Following Ransomware Demands

  Swatch Group Acknowledges Cyberattack

  Nikulin Sentenced

  North Korean Hackers Targeted UN Security Council Members in Phishing Attacks

  US 911 Emergency System Outage

  Unpatched Exchange Servers

  Zerologon Attacks Spike

  QNAP Warns of AgeLocker Ransomware Targeting its NAS Devices

  Blackbaud SEC Filing Discloses That Breach Compromised Bank Account Data


INTERNET STORM CENTER TECH CORNER

**************************  Sponsored By Chronicle. ********************************


New from Google Cloud, Chronicle Detect delivers advanced threat detection, built on the power of Google's infrastructure.  This solution includes a rules engine that operates at the speed of search, a powerful rules language optimized to describe complex threat behavior, and intelligence from Chronicle's elite threat research team. View our on demand launch event now.

| http://www.sans.org/info/217805

 

****************************************************************************

CYBERSECURITY TRAINING UPDATE


New OnDemand Courses


SEC588: Cloud Penetration Testing

- https://www.sans.org/ondemand/course/cloud-penetration-testing


SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


View all courses

- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand


Live Online Training Events and Summits


SANS DFIRCON 2020 - Live Online

Nov 2-7 EST | 9 DFIR Courses | Virtual DFIR NetWars

- https://www.sans.org/event/dfircon-2020-live-online


Pen Test HackFest - Live Online

Nov 16-21 EST | 15 Courses | Summit @Night Bonus Sessions

- https://www.sans.org/event/pen-test-hackfest-2020-live-online


View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america

 

Free Resources

Tools, Posters, and more.

- https://www.sans.org/free

 

OnDemand Training Special Offer: Get an iPad (32 G), Galaxy Tab S5e, or Take $250 Off with qualified OnDemand courses through October 14.

- https://www.sans.org/ondemand/specials

 
 

****************************************************************************

TOP OF THE NEWS   

 

--US Treasury Advisory: Sanction Risks for Paying Ransomware Operators

(October 1, 2020)

According to a recent advisory from the US Treasury Department's Office of Foreign Assets Control, organizations that pay ransomware demands to certain groups could be fined if the recipients of the payments are under economic sanctions. The rule applies not only to the organizations that suffer the attacks, but also to the third-party companies they bring in to help manage the problem.  


[Editor Comments]


[Paller] This is a very big deal. It can give you the justification at the most senior levels of your organization to implement the CIS Critical Security Controls this year.


[Neely] OFAC rules and consequences around foreign transactions to sanctioned entities can be substantial. Develop a risk-based approach to support the payment decision now, as John enumerates, before it is needed, including consideration of sensitive data being released. Additionally, include reporting and cooperation with law enforcement in your response plan as this can mitigate the weight of any OFAC enforcement outcome.


[Pescatore] This is consistent with the FBI's updated guidance on dealing with ransomware, which came out in Oct 2019: "... the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement." The reminder that payments to sanctioned entities may incur fines was added here. However, the Treasury advisory still says "...OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations," and points to a May 2019 compliance framework requiring demonstration of (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training - essentially security hygiene: Bottom line: prevention of ransomware will always end up costing less than incurring or paying off successful attacks.


[Murray] Ransomware attacks must be resisted, not merely mitigated.  They constitute a risk that must be reduced, not simply assigned to underwriters.  


Read more in:

KrebsOnSecurity: Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam

https://krebsonsecurity.com/2020/10/ransomware-victims-that-pay-up-could-incur-steep-fines-from-uncle-sam/

Ars Technica: Paying ransomware demands could land you in hot water with the feds

https://arstechnica.com/tech-policy/2020/10/paying-ransomware-demands-could-land-you-in-hot-water-with-the-feds/

Bleeping Computer: US govt warns of sanction risks for facilitating ransomware payments

https://www.bleepingcomputer.com/news/security/us-govt-warns-of-sanction-risks-for-facilitating-ransomware-payments/

Dark Reading: US Treasury Warns of Sanctions Violations for Paying Ransomware Attackers

https://www.darkreading.com/risk/us-treasury-warns-of-sanctions-violations-for-paying-ransomware-attackers/d/d-id/1339066

Security Week: Treasury Department Warns Ransomware Payment Facilitators of Legal Implications

https://www.securityweek.com/treasury-department-warns-ransomware-payment-facilitators-legal-implications

Cyberscoop: Helping to pay off ransomware hackers could draw big penalties from the feds

https://www.cyberscoop.com/ransomware-payments-treasury-ofac-notice/

Treasury: Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (PDF)

https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf



--Universal Health Services Still Working on Restoring Systems After Ransomware Attack

(October 1, 2020)

As of Thursday, October 1, Universal Health Services (UHS) is still "work[ing] through an IT network security issue caused my malware." The attack began over the weekend; UHS shut down its network to prevent the malware from spreading further. While UHS has facilities in the UK and the US, the issue affects only US facilities.


[Editor Comments]


[Neely] Hospitals are faced with challenging usability/security trade-offs, which include bearing the cost of security mitigations. Doctors and care givers don't want emergency care inhibited by an inability to login to a computer and order services rapidly. They need access to hundreds of hospital systems. Proximity cards coupled with added authentication to sensitive services are becoming more common, and the retrofit, both funding and implementing, without creating service disruptions is a huge challenge. Consider UHS's cost to recover, including loss of life of redirected patients, as an example when considering the ROI of increased security measures.  


Read more in:

USHINC: Statement from Universal Health Services

https://www.uhsinc.com/statement-from-universal-health-services/

Reuters: Universal Health Services says its network is 'still down': spokeswoman

https://www.reuters.com/article/us-universal-health-cyber/universal-health-services-says-its-network-is-still-down-spokeswoman-idUSKBN26M6QT



--Lawrence General Hospital Investigating "Data Security Incident"

(October 1, 2020)

Lawrence General Hospital (LGH) in Massachusetts is working with a third-party forensic organization to investigate a "data security incident" that took place in mid-September. During the incident, LGH took its systems offline to secure its data. The hospital was able to continue to care for patients, but those arriving by ambulance were diverted to other facilities for approximately 36 hours.


[Editor Comments]


[Murray] Critical systems, e.g., patient care systems, should be isolated from vulnerable systems running e-mail and browsers. That said, the report suggests that the hospital had plans in place to maintain critical care in the face of a breach. "A plan is a capability, the ability to do something in its presence that one cannot do in its absence. It is not a document that one takes out and reads while sitting in the ashes." -Robert H. Courtney, Jr.


Read more in:

GovTech: Massachusetts Hospital Investigates 'Data Security Incident'

https://www.govtech.com/security/Massachusetts-Hospital-Investigates-Data-Security-Incident.html


*******************************  SPONSORED LINKS  ********************************


1) DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks| Get the whitepaper now!

| http://www.sans.org/info/217790


2) On-Demand Webcast | Joins Jake Williams and he presents "Power! Unlimited Power! Understanding the Techniques of Malicious Kernel-Mode Code"

| http://www.sans.org/info/217795


3) Wednesday, October 07, 2020 @ 3:30 PM EDT | Join Dave Shackleford, Phil Roth, Mark Dufresne as they present "Free and open hunting and protection with Elastic Endpoint"

| http://www.sans.org/info/217800


****************************************************************************


THE REST OF THE WEEK'S NEWS


--Pakistani Power Company Data Published Following Ransomware Attack

(October 1, 2020)

Ransomware operators have published data stolen from Pakistan's K-Electric power company. K-Electric suffered a ransomware attack last month and did not pay the $3.85 million demanded as ransom. The September 7th attack disrupted the company's billing services but did not interrupt power supply.


[Editor Comments]


[Murray] Systems must be breached before "Ransomware" can be used. Extortion is only one possible consequence of such breaches. The most efficient strategy is to resist the breach, to raise the cost of attack to the point that it removes one from the target population. "One does not need to outrun the bear."


Read more in:

Bleeping Computer: Hackers leak files stolen in Pakistan's K-Electric ransomware attack

https://www.bleepingcomputer.com/news/security/hackers-leak-files-stolen-in-pakistans-k-electric-ransomware-attack/



--Swatch Group Acknowledges Cyberattack

(September 29 & October 1, 2020)

Swatch Group, the Swiss company that makes the eponymous watches, says that its network was hit with a cyberattack over the weekend. Once the company detected the attack, it shut down IT systems to prevent further damage. Swatch group did not provide details about the nature of the attack.


Read more in:

Bleeping Computer: Swiss watchmaker Swatch shuts down IT systems to stop cyberattack

https://www.bleepingcomputer.com/news/security/swiss-watchmaker-swatch-shuts-down-it-systems-to-stop-cyberattack/

Infosecurity Magazine: Swatch Group Hit by Likely Ransomware Attack

https://www.infosecurity-magazine.com/news/swatch-group-hit-by-likely/

 
 

--Nikulin Sentenced

(September 30 & October 1, 2020)

A judge in California has sentenced Yevgeniy Nikulin to more than seven years in prison for his role in hacking into and stealing data from LinkedIn, Dropbox, and Formspring. He will be credited for time served following his arrest.


Read more in:

The Register: Russian hacker, described as 'brilliant' by judge, gets seven years in a US clink for raiding LinkedIn, Dropbox

https://www.theregister.com/2020/09/30/linkedin_hacker_prison/

Dark Reading: Russian National Sentenced to 7+ Years for Hacking US Tech Firms

https://www.darkreading.com/threat-intelligence/russian-national-sentenced-to-7+-years-for-hacking-us-tech-firms/d/d-id/1339060

Justice: Russian Hacker Sentenced to Over 7 Years in Prison for Hacking into Three Bay Area Tech Companies

https://www.justice.gov/usao-ndca/pr/russian-hacker-sentenced-over-7-years-prison-hacking-three-bay-area-tech-companies

 
 

--North Korean Hackers Targeted UN Security Council Members in Phishing Attacks

(September 30, 2020)

According to a report from the United Nations (UN), a hacking group with alleged ties to North Korea's government has been launching phishing attacks against UN Security Council members earlier this year. At least 28 individuals have been targeted.


[Editor Comments]


[Neely] The Kimsucky group targets individuals throughout their career, repeatedly using spear-phishing attacks in attempts to gain credentials or install malware, which then allows them to pivot through the accessed systems. Regularly training and supporting user awareness will keep users sharp, and encouraging reporting will aid your incident responders.


Read more in:

ZDNet: North Korea has tried to hack 11 officials of the UN Security Council

https://www.zdnet.com/article/north-korea-has-tried-to-hack-11-officials-of-the-un-security-council/

 
 

--US 911 Emergency System Outage

(September 29, 2020)

An outage affecting the 911 emergency system availability in more than a dozen US states on Monday, September 28 appears not to be related to a Microsoft outage the same day, as some had speculated. Instead, the issues are likely due to an issue with Intrado, a company that provides 911 and emergency communications infrastructure, systems, and services or with Lumen, its service provider.


Read more in:

KrebsOnSecurity: Who's Behind Monday's 14-State 911 Outage?

https://krebsonsecurity.com/2020/09/whos-behind-mondays-14-state-911-outage/

 
 

--Unpatched Exchange Servers

(September 29 & 30, 2020)

Nearly 250,000 Internet-facing Microsoft Exchange Servers remain unpatched against a critical remote code execution flaw in the Exchange Control Panel component. Microsoft released a fix for the issue nearly eight months ago. In March, the US Cybersecurity and Infrastructure Security Agency (CISA) and the NSA both urged organizations to patch the vulnerability as it was already being exploited in the wild.


[Editor Comments]


[Neely] I remember not having time to patch, and not wanting to update a fully functioning server or service because it was working perfectly. Today, patching and monitoring security settings is a mortgage that must be borne with insourced services, and is a cost which may be overlooked when considering outsourcing ROI. It may be helpful to have policies around patch application and security setting validation, so staff know what is required and that these actions are important to management as well.


[Murray] Poor quality in popular products puts the entire infrastructure at risk. Tens of thousands of instances are likely to go unpatched. Enterprises large enough to be running an Exchange Server should have a planned and routine program for patching, but such programs are unlikely to ever be universal.  


Read more in:

Threatpost: Microsoft Exchange Servers Still Open to Actively Exploited Flaw

https://threatpost.com/microsoft-exchange-exploited-flaw/159669/

Bleeping Computer: Over 247K Exchange servers unpatched for actively exploited flaw

https://www.bleepingcomputer.com/news/security/over-247k-exchange-servers-unpatched-for-actively-exploited-flaw/

MSRC: CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

 
 

--Zerologon Attacks Spike

(September 29, 2020)

Cisco Talos has noted a significant increase in attempts to exploit the Zerologon vulnerability. The privilege elevation flaw can be exploited to take control of Active Directory identity services. Microsoft has released updated instructions for patching the vulnerability.


[Editor Comments]


[Neely] The Microsoft guidance below makes the update and mitigation process easier to follow. If you are using Windows Server 2008 R2 SP1, you need an Extended Security Update (ESU) license to successfully install any update that addresses this issue. Better still, replace these with Server 2016 or higher, which will also give you access to updated security and user management options in Active Directory.


Read more in:

Talos Intelligence: Microsoft Netlogon exploitation continues to rise

https://blog.talosintelligence.com/2020/09/netlogon-rises.html

Threatpost: Zerologon Attacks Against Microsoft DCs Snowball in a Week

https://threatpost.com/zerologon-attacks-microsoft-dcs-snowball/159656/

Gov Infosecurity: Microsoft Issues Updated Patching Directions for 'Zerologon'

https://www.govinfosecurity.com/microsoft-issues-updated-patching-directions-for-zerologon-a-15090

Microsoft: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc

 

--QNAP Warns of AgeLocker Ransomware Targeting its NAS Devices

(September 25 & 30, 2020)

An advisory from QNAP warns of ransomware attacks targeting its network attached storage (NAS) devices. Dubbed AgeLocker, the ransomware exploits a vulnerability in older versions of the Photo Station app. The advisory includes update instructions to secure vulnerable devices.


[Editor Comments]


[Murray] Storage devices should not be visible to the public networks. Who knew that they were running "older versions of the Photo Station app," much less that they posed a vulnerability to the enterprise? Patching is necessary but not sufficient. One should consider removing or hiding potentially vulnerable, but not mission critical, applications from the public networks.  


Read more in:

Bleeping Computer: QNAP warns customers of recent wave of ransomware attacks

https://www.bleepingcomputer.com/news/security/qnap-warns-customers-of-recent-wave-of-ransomware-attacks/

QNAP: AgeLocker Ransomware

https://www.qnap.com/en-us/security-advisory/qsa-20-06

 
 

--Blackbaud SEC Filing Discloses That Breach Compromised Bank Account Data

(September 30 & October 1, 2020)

Months after disclosing a ransomware attack that compromised data belonging to many clients, customer relationship management (CRM) software provider Blackbaud is now acknowledging that the attackers may have accessed more than just names and email addresses. Bank account information may have been compromised. The additional information came to light in an 8-K filing Blackbaud made with the US Securities and Exchange Commission (SEC) on September 29. The attack occurred in May. Blackbaud paid a ransom demand after the attackers said they destroyed the purloined data.


[Editor Comments]


[Neely] Transparency and full disclosure is required. The question is, do you trust that the attackers really destroyed the purloined data? Rather than second guess the company's payment decision, or the destruction of the data, be proactive and keep your credit monitoring updated, including responding to any alerts sent.


Read more in:

Bleeping Computer: Blackbaud: Ransomware gang had access to banking info and passwords

https://www.bleepingcomputer.com/news/security/blackbaud-ransomware-gang-had-access-to-banking-info-and-passwords/

Gov Infosecurity: Blackbaud: Hackers May Have Accessed Banking Details

https://www.govinfosecurity.com/blackbaud-hackers-may-have-accessed-banking-details-a-15098

The Register: Cloud biz Blackbaud admits ransomware crims may have captured folks' bank info, months after saying that everything's fine

https://www.theregister.com/2020/10/01/blackbaud_ransomeware_data/

RegMedia: FORM 8-K |Blackbaud (PDF)

https://regmedia.co.uk/2020/10/01/blackbaud8k.pdf

 

****************************************************************************

INTERNET STORM CENTER TECH CORNER


Managing Remote Access for Contractors and Partners

https://isc.sans.edu/forums/diary/Managing+Remote+Access+for+Partners+Contractors/26614/


Scans for FPURL.xml: Reconnaissance or Not?

https://isc.sans.edu/forums/diary/Scans+for+FPURLxml+Reconnaissance+or+Not/26622/


Making Sense of Azure AD Activity Logs

https://isc.sans.edu/forums/diary/Making+sense+of+Azure+AD+AAD+activity+logs/26626/


IOCs Turning into IOOIs

https://isc.sans.edu/forums/diary/IOCs+turning+into+IOOIs/26624/


HP Device Manager Backdoor

https://support.hp.com/us-en/document/c06921908

https://www.theregister.com/2020/09/30/hp_device_manager_backdoor_database_account/


Updated Windows ZeroLogon Advisory

https://support.microsoft.com/en-us/help/4557222/how-to-manage-the-changes-in-netlogon-secure-channel-connections-assoc


Cisco Patching Exploited DoS Vulnerabilities

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxr-dvmrp-memexh-dSmpdvfz


FoxIT PDF Reader Update

https://www.foxitsoftware.com/support/security-bulletins.html


KensingtonWorks RCE

https://robertheaton.com/another-rce-in-kensingtonworks/


Apple Security Patch Pulled

https://mrmacintosh.com/mojave-2020-005-security-update-causing-major-problems-updated


Have I Been EMOTET Service

https://www.haveibeenemotet.com/

 

****************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create