Final Week to Get a MacBook Air or Surface Pro 7 with 5 or 6 Day Training - Register Today!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #85

October 27, 2020

Ransomware Disables GA Elections Database; COVID Vaccine and US Government Targeted; Psychotherapy Patients Blackmailed after Breach

*****************************************************************************

SANS NewsBites                October 27, 2020              Vol. 22, Num. 085

*****************************************************************************

THE TOP OF THE NEWS


  Hackers Disable Georgia County Election Database with Ransomware

  CISA and FBI Warn Russian APT Actor is Targeting Government Networks

  Cyberattack Hits COVID Vaccine Maker

  Finnish Psychotherapy Patients are Being Blackmailed After Vastaamo Data Breach


REST OF THE WEEK'S NEWS


  US Treasury Sanctions Russian Research Institution Tied to Triton Malware

  Book Excerpt: SANDWORM: The Aurora Generator Test

  Botnet Exploits CMS Weaknesses

  Sopra Steria Confirms its Network was Hit with Ransomware

  Microsoft is Beginning to Nudge Users Away from Internet Explorer

  Louisiana Calls in National Guard to Help Fight Cyberattacks

  Former Century 21 Sysadmin Charged for Computer Tampering

  Exposed Irrigation System Networks


INTERNET STORM CENTER TECH CORNER

*****************  Sponsored By  Elasticsearch, Inc  *************************

Elastic Security, built by the creators of the ELK Stack, solves cybersecurity's core data and scale problems. Leading security teams use the free and open solution for SIEM, endpoint security, threat hunting, cloud monitoring, and more. And with a resource-based pricing model, the Elasticsearch-based technology isn't the only component that's highly scalable

| Learn more at: http://www.sans.org/info/218005

*****************************************************************************

CYBERSECURITY TRAINING UPDATE


New OnDemand Courses


SEC588: Cloud Penetration Testing

- https://www.sans.org/ondemand/course/cloud-penetration-testing


MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep

- https://www.sans.org/ondemand/course/project-management-effective-communication


View all courses

- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand


Live Online Training Events and Summits


Pen Test HackFest - Live Online

Nov 16-21 EST | 15 Courses | Core NetWars + Coin-A-Palooza

- https://www.sans.org/event/pen-test-hackfest-2020-live-online


SANS San Francisco Winter 2020 - Live Online

Nov 30-Dec 5 PST | 10 Courses | Virtual Core NetWars

- https://www.sans.org/event/san-francisco-winter-2020-live-online


View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america

 

Free Resources

Tools, Posters, and more.

- https://www.sans.org/free

 

OnDemand Training Special Offer: Get an iPad mini, Surface Go 2, or Take $300 Off with qualified OnDemand courses through October 28.

- www.sans.org/specials/north-america/


*****************************************************************************

TOP OF THE NEWS   

 

--Hackers Disable Georgia County Election Database with Ransomware

(October 23 & 24, 2020)

A ransomware attack earlier this month disabled a Hall County, Georgia, database that is used to verify voters' signatures on absentee ballots. While the attack did not affect the voting process, county employees have had to manually verify signatures from voter registration cards.    


[Editor Comments]


[Murray] It is verification of signatures that makes absentee voting secure. The signature must be used and validated twice: once when applying for the absentee ballot and once when submitting it. This is even more secure than in those jurisdictions that do not check a photo ID for in-person voting.  


Read more in:

Security Week: Report: Ransomware Disables Georgia County Election Database

https://www.securityweek.com/report-ransomware-disables-georgia-county-election-database

Threatpost: Georgia Election Data Hit in Ransomware Attack

https://threatpost.com/georgia-election-data-ransomware/160499/

Statescoop: Election-related system impacted by ransomware in Georgia county

https://statescoop.com/ransomware-election-system-hall-county-georgia/

GovInfosecurity: Ransomware Knocks Out Voter Database in Georgia

https://www.govinfosecurity.com/ransomware-knocks-out-voter-database-in-georgia-a-15235


 

--CISA and FBI Warn Russian APT Actor is Targeting Government Networks

(October 22 & 23, 2020)

In a joint cybersecurity advisory, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI warn that a Russian advanced persistent threat (APT) actor has targeted "US state, local, territorial, and tribal (SLTT) government networks, as well as aviation networks." The APT actor has "exfiltrated data from at least two victim servers."


[Editor Comments]


[Neely] Even if you're not a US Government or APT target, the advisory offers good guidance on comprehensive account resets and network defenses. Review the Network Defense in Depth guidance for information on perimeter protections, monitoring, and user education to identify any gaps in your current practices.


Read more in:

US-CERT CISA: Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets

https://us-cert.cisa.gov/ncas/alerts/aa20-296a

Duo: Energetic Bear Attackers Targeting US Government Agencies

https://duo.com/decipher/energetic-bear-attackers-targeting-us-government-agencies

Bleeping Computer: Russian state hackers stole data from US government networks

https://www.bleepingcomputer.com/news/security/russian-state-hackers-stole-data-from-us-government-networks/

Cyberscoop: Russia-linked group that breached US state and local IT draws official accusation from feds

https://www.cyberscoop.com/temp-isotope-russia-cisa-election-security/

NYT: Russians Who Pose Election Threat Have Hacked Nuclear Plants and Power Grid

https://www.nytimes.com/2020/10/23/us/politics/energetic-bear-russian-hackers.html

Axios: FBI: Russian hacking group stole data after targeting local governments

https://www.axios.com/russia-hacking-elections-local-governments-9b929246-d5e1-4149-b272-a2adad28c484.html

The Hill: DHS, FBI say Russian hackers targeting US state and local systems

https://thehill.com/policy/cybersecurity/522368-dhs-fbi-say-russian-hackers-targeting-us-state-and-local-systems



--Cyberattack Hits COVID Vaccine Maker

(October 23, 2020)

A company that is manufacturing a COVID-19 vaccine for Russia has shut down operations in five countries following a cyberattack against its network. Dr. Reddy's is based in India and is about to enter Phase 2 human trials of the vaccine, which has been given the nickname Sputinik V. Dr. Reddy's has also isolated its data centers.


[Editor Comments]


[Neely] It is likely the attack was targeting the IP behind the vaccine to give competition a leg up. Dr. Reddy's took immediate action to isolate their systems to remediate and prevent further harm. A side effect is their production of generic drugs in the US may be impacted causing some shortages. The lesson here is to verify security, particularly around key assets, in a scenario such as producing the COVID-19 vaccine which pushes the business to rapidly implement services, possibly leaving security behind.


Read more in:

Threatpost: COVID-19 Vaccine-Maker Hit with Cyberattack, Data Breach

https://threatpost.com/covid-19-vaccine-cyberattack-data-breach/160495/


 

--Finnish Psychotherapy Patients are Being Blackmailed After Vastaamo Data Breach

(October 25 & 26, 2020)

Patients of Finland's Vastaamo psychotherapy clinic are reporting that they are being contacted with blackmail demands. Last week, Vastaamo disclosed a data breach compromised patient data. The hackers have reportedly posted some patient information on the dark web; patients who have been contacted by the hackers say they have been asked to pay 200 EUR (236 USD) to prevent their information from being exposed.


Read more in:

Helsinki Times: Hacking may have compromised privacy of thousands of psychotherapy clients in Finland

https://www.helsinkitimes.fi/finland/finland-news/domestic/18203-data-break-in-compromises-privacy-of-thousands-of-psychotherapy-clients-in-finland.html

Threatpost: Vastaamo Breach: Hackers Blackmailing Psychotherapy Patients

https://threatpost.com/vastaamo-hackers-blackmailing-therapy-patients/160536/

Security Week: Finland Shocked by Therapy Center Hacking, Client Blackmail

https://www.securityweek.com/finland-shocked-therapy-center-hacking-client-blackmail

Cyberscoop: Data breach at Finnish psychotherapy center takes a darker turn with extortion attempts

https://www.cyberscoop.com/finnish-psychotherapy-data-breach-vastaamo/

BBC: Therapy patients blackmailed for cash after clinic data breach

https://www.bbc.com/news/technology-54692120


*****************************  SPONSORED LINKS  *******************************  


1) Webcast | Our upcoming webcast, "Small businesses deserve big protection"  teaches you how to get powerful protection against todays biggest threats using Cisco Umbrella, a cloud-delivered security service that's simple and cost-effective for a team of any size to deploy, use, and manage, with no hardware to maintain or upgrade | October 29 @ 10:30 AM EDT

| http://www.sans.org/info/218010


2) Webcast | Join the incredibly knowledgeable Jake Williams as he chairs, "Doing More with Less: Detection and Response Planning for 2021" | November 3 @ 10:30 AM EST

| http://www.sans.org/info/218015


3) Webcast | Our upcoming webcast, "Are you protected from a resurgence of APT29?" will teach you how to operationalize MITRE ATT&CK framework and leverage it to validate your controls against threat groups | November 3 @ 1:00 PM EST

| http://www.sans.org/info/218020

 

*****************************************************************************

THE REST OF THE WEEK'S NEWS

 

--US Treasury Sanctions Russian Research Institution Tied to Triton Malware

(October 23 & 24, 2020)

The US Department of the Treasury's Office of Foreign Assets Control (OFAC) has sanctioned "a Russian government research institution that is connected to the destructive Triton malware." The State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM or TsNIIKhM) supported threat actors' use of Triton, which has been described as "the most dangerous threat activity publicly known."


Read more in:

Treasury: Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware

https://home.treasury.gov/news/press-releases/sm1162

Wired: The US Sanctions Russians for Potentially 'Fatal' Triton Malware

https://www.wired.com/story/russia-sanctions-triton-malware/

ZDNet: US Treasury sanctions Russian research institute behind Triton malware

https://www.zdnet.com/article/us-treasury-sanctions-russian-research-institute-behind-triton-malware/

Ars Technica: Hackers behind life-threatening attack on chemical-maker are sanctioned

https://arstechnica.com/information-technology/2020/10/us-sanctions-russian-hackers-who-hit-chemical-maker-with-dangerous-malware/

SC Magazine: Treasury sanctions Russian research institute for Triton attack

https://www.scmagazine.com/home/security-news/apts-cyberespionage/treasury-sanctions-russian-research-institute-for-triton-attack/

Threatpost: U.S. Levies Sanctions Against Russian Research Institution Linked to Triton Malware

https://threatpost.com/us-sanctions-russian-triton-malware/160518/

Cyberscoop: US sanctions Russian government institution in connection with Trisis malware

https://www.cyberscoop.com/us-sanctions-russia-trisis-malware/

 
 

--Book Excerpt: SANDWORM: The Aurora Generator Test

(October 23, 2020)

In an excerpt from Andy Greenberg's book, "SANDWORM: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers," Michael Assante's 2007 Aurora demonstration proves the danger hackers could pose to the power grid by manipulating protective relays.


[Editor Comments]


[Neely] Much has been learned since 2007 about the importance of segregating OT, not only from the Internet but also other systems which don't need to interact with it. Additionally, as we pass the ten-year anniversary of Stuxnet, we are reminded of the importance of OPSEC, that providing too much information about your OT to adversaries, e.g. PR photos with recognizable components in view, can be leveraged against you.


Read more in:

Wired: How 30 Lines of Code Blew Up a 27-Ton Generator

https://www.wired.com/story/how-30-lines-of-code-blew-up-27-ton-generator/

 
 

--Botnet Exploits CMS Weaknesses

(October 22 & 26, 2020)

Researchers from Imperva have detected a botnet that is exploiting vulnerabilities in various content management systems (CMS) to infect websites. The botnet, which has been given the nickname KashmirBlack, is being used for cryptomining and spam. It uses Dropbox for its command-and-control infrastructure and stores files on GitHub and Pastebin. Hundreds of thousands of sites are believed to have been infected since late 2019.


Read more in:

Imperva: CrimeOps of the KashmirBlack Botnet - Part II

https://www.imperva.com/blog/crimeops-of-the-kashmirblack-botnet-part-ii/

ZDNet: KashmirBlack botnet behind attacks on CMSs like WordPress, Joomla, Drupal, others

https://www.zdnet.com/article/kashmirblack-botnet-behind-attacks-on-cmss-like-wordpress-joomla-drupal-others/

Dark Reading: Botnet Infects Hundreds of Thousands of Websites

https://www.darkreading.com/attacks-breaches/botnet-infects-hundreds-of-thousands-of-websites/d/d-id/1339258

Infosecurity Magazine: KashmirBlack Botnet Uses DevOps to Stay Agile

https://www.infosecurity-magazine.com/news/kashmirblack-botnet-uses-devops-to/

 
 

--Sopra Steria Confirms its Network was Hit with Ransomware

(October 26, 2020)

Sopra Steria, the French IT service company, has acknowledged the cyberattack that hit its network last week was actually a ransomware attack. The company says the infection was kept to "a limited part" of its IT systems. Sopra Steria predicts "it will take a few weeks for a return to normal."


[Editor Comments]


[Neely] The claim is this is a never before seen strain of Ryuk which was activated after systems were infected, a couple of days previously, with either TrickBot or BazarLoader. The signature for the new version of Ryuk has been released for incorporation into detection tools. Even with an interval of a couple of days, assume data has been exfiltrated and fully analyze your logs to determine what systems have been accessed. In this case, Sopra Steria seems to have avoided customer data loss; others may not be so lucky.


[Murray] Lessons include system-to-system isolation to resist lateral spread of ransomware, and the ability to restore mission-critical applications in hours.


Read more in:

Bleeping Computer: Sopra Steria confirms being hit by Ryuk ransomware attack

https://www.bleepingcomputer.com/news/security/sopra-steria-confirms-being-hit-by-ryuk-ransomware-attack/

Infosecurity Magazine: Sopra Steria Hit by New Ryuk Variant

https://www.infosecurity-magazine.com/news/sopra-steria-hit-by-new-ryuk/

Sopra Banking: Sopra Steria Group: Cyberattack information update

https://www.soprabanking.com/news/sopra-steria-group-cyberattack-information-update/

 
 

--Microsoft is Beginning to Nudge Users Away from Internet Explorer

(October 19, 25, & 26, 2020)

When users browsing in Internet Explorer attempt to access a website that is not IE-compatible, the site will launch in Microsoft Edge. Users will be notified that the site is not compatible with IE, and will be prompted to update to Edge, migrating their settings from IE. Microsoft plans to disable support for Internet Explorer in certain services starting in mid-November.


[Editor Comments]


[Neely] If you have apps that require IE, or IE-specific plugins such as Silverlight, consider using an isolated hosted business (IE) browser only for use with those applications, while moving your systems to newer browsers such as Chrome, Firefox or Chromium Edge.


Read more in:

Bleeping Computer: Microsoft begins to finally kill off Internet Explorer

https://www.bleepingcomputer.com/news/microsoft/microsoft-begins-to-finally-kill-off-internet-explorer/

Threatpost: Microsoft IE Browser Death March Hastens

https://threatpost.com/ie-browser-death-march/160571/

Microsoft: Redirection from Internet Explorer to Microsoft Edge for compatibility with modern web sites

https://docs.microsoft.com/en-us/deployedge/edge-learnmore-neededge

 
 

--Louisiana Calls in National Guard to Help Fight Cyberattacks

(October 23, 2020)

Officials in Louisiana have called in the state's National Guard to help handle cyberattacks against government systems. Multiple local government systems in Louisiana have reportedly been infected with a remote access Trojan (RAT) that has previously been linked to hackers with ties to North Korea's government.


Read more in:

Politico: Cyberattacks hit Louisiana government offices as worries rise about election hacking

https://www.politico.com/news/2020/10/23/cyberattacks-louisiana-election-431825

Threatpost: Louisiana Calls Out National Guard to Fight Ransomware Surge

https://threatpost.com/louisiana-national-guard-ransomware/160508/

Reuters: Exclusive: National Guard called in to thwart cyberattack in Louisiana weeks before election

https://www.reuters.com/article/us-usa-election-cyber-louisiana-exclusiv/exclusive-national-guard-called-in-to-thwart-cyberattack-in-louisiana-weeks-before-election-idUSKBN27823F

 
 

--Former Century 21 Sysadmin Charged for Computer Tampering

(October 21 & 23, 2020)

A former systems administrator for the Century 21 department store has been indicted on several charges, including computer tampering and computer trespass. Prior to resigning from his position in November 2019, Hector Navarro allegedly stole employee data and created a superuser account that he used to access the system after he had left the company. Navarro allegedly deleted data to prevent people hired to replace him from accessing the network.


[Editor Comments]


[Neely] Verification of all active accounts, particularly those not centrally managed, must be a regular activity - even more so on boundary protection devices. Additionally, make sure that you're monitoring privileged operations on those devices to include account creation and detect actions from previously unknown accounts.


[Murray] It is essential to grant only those privileges that one can effectively withdraw upon termination. That includes the ability to terminate any accounts that the privileged user has created.


Read more in:

Infosecurity Magazine: Systems Admin Arrested for Hacking Former Employer

https://www.infosecurity-magazine.com/news/systems-admin-arrested-for-hacking/

Manhattan DA: D.A. Vance: Former Century 21 Employee Charged with Computer Tampering, Larceny For Breach of Company Data

https://www.manhattanda.org/d-a-vance-former-century-21-employee-charged-with-computer-tampering-larceny-for-breach-of-company-data/

 
 

--Exposed Irrigation System Networks

(October 26, 2020)

An Israeli security company found more than 100 smart irrigation systems were left unprotected on the Internet. The vulnerable CC PRO systems were installed with the factory default settings unchanged, which means that the default account does not require a password. From there, malicious actors could access the system's control panel and change settings and delete other users from the system. The company notified CERT Israel of the situation, which contacted affected companies as well as Motorola, the manufacturer, and shared information with CERTs in other countries. The number of exposed systems is falling.


[Editor Comments]


[Pescatore] In 2018, the International Society of Automation produced ISA/IEC 62443-4-1-2018 that focused on building security into industrial control systems. That same year a group of Israeli researchers presented a paper on vulnerabilities in connected irrigation systems at DEFCON. Since irrigation systems (and many other "smart systems") bring electricity into close proximity to water (and moving machinery into close proximity to living things) there have long been electrical code standards for safe installation of those systems. This is a good item to show to a COO around the cybersecurity aspect of safety of these systems.


Read more in:

ZDNet: Over 100 irrigation systems left exposed online without a password

https://www.zdnet.com/article/over-100-irrigation-systems-left-exposed-online-without-a-password/

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER


An Alternative to Shodan: Censys

https://isc.sans.edu/forums/diary/An+Alternative+to+Shodan+Censys+with+UserAgent+CensysInspect11/26718/


Sooty: SOC Analyst's All-in-One Tool

https://isc.sans.edu/forums/diary/Sooty+SOC+Analysts+AllinOne+Tool/26714/


Excel 4 Macros: "Abnormal Sheet Visibility"

https://isc.sans.edu/forums/diary/Excel+4+Macros+Abnormal+Sheet+Visibility/26726/


Adversarial ML Threat Matrix

https://github.com/mitre/advmlthreatmatrix


Samsung S20 RCE

https://labs.f-secure.com/blog/samsung-s20-rce-via-samsung-galaxy-store-app/


VMWare Advisory

https://www.vmware.com/security/advisories/VMSA-2020-0023.html


HP Printer Applications Certificate Revoked

https://eclecticlight.co/2020/10/23/why-have-my-hp-printers-stopped-working-how-to-check-their-software-signature/


Link Previews and Privacy

https://www.mysk.blog/2020/10/25/link-previews/


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create