Learn practical cyber security skills during SANS 2021 - Live Online. Choose from 30+ courses and three types of NetWars!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #89

November 10, 2020

Improperly Configured AWS S3 Bucket Exposes 10 Million Hotel Guest Records; Critical Flaws in WordPress Plugin; Australia to Expand Scope of Critical Infrastructure


SANS NewsBites                November 11, 2020             Vol. 22, Num. 089



  Improperly Configured AWS S3 Bucket Exposes 10 Million Hotel Guest Records

  Critical Flaws in Ultimate Member WordPress Plugin

  Australian Government Seeks to Expand Scope of Critical Infrastructure


  Older Versions of Android Will Have Trouble Accessing Sites with Let's Encrypt Certificates

  Laptop Manufacturer Compal Hit with Ransomware

  X-Cart eCommerce Platform Hit with Ransomware

  Gitpaste Worm Has at Least 12 Attack Modules

  UVM Cyberattack Impacts Chemotherapy, Mammograms

  Upcoming Chrome Feature Will Block JavaScript Redirects

  Zoom Agrees to Terms of FTC Settlement Over Misleading Security Claims


***********************  Sponsored By ExtraHop  ********************************

Webcast | Tune into our upcoming What Works webcast where SANS Director of Emerging Security Trends, John Pescatore interviews grand Canyon Education IT Security Engineer, David John Fernandez, to gain Fernandez's insight on what he went through in the business justification and deployment of ExtraHops Reveal(x) to increase visibility into network traffic to secure Grand Canyons use of cloud-based computing | November 24 @ 1:00 PM EST

| http://www.sans.org/info/218120



OnDemand and Live Online Training Special Offer

Best Offers of the Year! Get an 11" iPad Pro w/ Magic Keyboard, a Microsoft Surface Go 2 - 256 GB SSD, or Take $350 Off with ANY qualifying SANS Training Course through November 18.

- www.sans.org/specials/north-america/

New OnDemand Courses -- Available Now

SEC588: Cloud Penetration Testing

- https://www.sans.org/ondemand/course/cloud-penetration-testing

MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep

- https://www.sans.org/ondemand/course/project-management-effective-communication

View all courses

- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand

Live Online Training Events and Summits

Pen Test HackFest + Summit @Night

Nov 16-21 EST | 15 Courses | Core NetWars + Coin-A-Palooza

- https://www.sans.org/event/pen-test-hackfest-2020-live-online

SANS Cyber Defense Initiative(R) 2020 - Dec 14-19 EST

35+ Courses | Core, Cyber Defense, and DFIR NetWars

- https://www.sans.org/event/cyber-defense-initiative-2020-live-online

View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america


Free Resources

Tools, Posters, and more.

- https://www.sans.org/free




--Improperly Configured AWS S3 Bucket Exposes 10 Million Hotel Guest Records

(November 6 & 9, 2020)

A misconfigured AWS S3 bucket has exposed 24.4 GB of personal data belonging to millions of hotel guests. The issue affected a hotel reservation platform, Cloud Hospitality, that allows hotels to integrate their own systems with third-party online booking sites, such as Expedia and Hotels.com. The stored data include names, national ID numbers, and payment card information.

[Editor Comments]

[Pescatore] A great aid for avoiding these types of vulnerabilities: the Center for Internet Security has updated v1.3 benchmarks (configuration guidelines) for AWS S3, Office365 and the other commonly used cloud services that are constantly in the news with avoidable misconfigurations enabling incidents and exposures. https://www.cisecurity.org/blog/cis-benchmarks-september-2020-update/: CIS Benchmarks September 2020 Update

[Neely] While Amazon has implemented controls and warnings to limit creating or modifying an S3 bucket to be world accessible, it's still necessary to audit your configured storage to make sure permissions are appropriate for storage created prior to those controls or to find users accepting the warning and proceeding anyway. Amazon has published guidelines for auditing your AWS account and services for appropriate permissions as well as tools like CloudTrail and S3 bucket logging which allow you to monitor for inappropriate activity. See AWS security audit guidelines: https://docs.aws.amazon.com/general/latest/gr/aws-security-audit-guide.html: AWS security audit guidelines

Read more in:

Website Planet: Report: Hotel Reservation Platform Leaves Millions of People Exposed in Massive Data Breach


Threatpost: Millions of Hotel Guests Worldwide Caught Up in Mass Data Leak


Infosecurity Magazine: Hotel Booking Firm Leaks Data on Millions of Guests



--Critical Flaws in Ultimate Member WordPress Plugin

(November 9, 2020)

Three critical privilege elevation flaws in the Ultimate Member plugin for WordPress could be exploited to take over vulnerable websites. The plugin is installed on more than 100,000 sites. Website admins are urged to update to version 2.1.12 as soon as possible.    

[Editor Comments]

[Neely] The updated plugin was released October 29th. The vulnerability is characterized as easy to exploit, involves leveraging the plugin's not sanitizing input such that a user could change the meta data which defines their role. The free Wordfence firewall rule will not be available until November 22nd.

Read more in:

Wordfence: Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin


Threatpost: Ultimate Member Plugin for WordPress Allows Site Takeover



--Australian Government Seeks to Expand Scope of Critical Infrastructure

(November 9, 2020)

A proposed amendment to Australia's Security of Critical Infrastructure Act 2018 would expand the definition of critical infrastructure to comprise additional sectors, including communications, financial services and markets, data storage and processing, defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage. The Act currently imposes security requirements on organizations in the gas, electricity, water, and maritime port sectors.

[Editor Comments]

[Neely] The exposure draft clearly defines the scope and impacts related to the new categories, for systems, information and location, as well as legal basis of penalties for non-compliance. What is missing is a standard for securing and assessing those systems such as Australia's Essential Eight, a series of baseline mitigation strategies which, when implemented, makes it much harder for adversaries to compromise systems.

[Pescatore] Australia's 2018 Critical Infrastructure Act was mainly about requiring the original sectors to provide information to the Australian government, and establishing the legal authority of the government to issue directions to owners/operators of systems in those sectors. There was no mention of standards or raising the bar for cybersecurity in Australia. The proposed amendment is also very light on standards but there is a goal of "...setting clear security standards and creating a level playing field in the Australian market." A quick movement towards making the "Australian Essential Eight" practices be required would be very valuable, but the amendment is more aimed at a long term process.

Read more in:

ZDNet: Australia's critical infrastructure definition to span communications, data storage, space


Home Affairs: Security Legislation Amendment (Critical Infrastructure) Bill 2020 | Explanatory Document (PDF)





--Older Versions of Android Will Have Trouble Accessing Sites with Let's Encrypt Certificates

(November 6 & 9, 2020)

Starting next September, devices running older versions of the Android operating system may experience trouble accessing websites secured with Let's Encrypt root certificates. The Let's Encrypt root certificate was initially cross-signed by IdenTrust (DST Root X3). That certificate will expire on September 1, 2021. Let's Encrypt now has its own trusted  root certificate (ISRG Root X1). Devices running Android versions older than 7.1.1 will need to be updated to trust that root certificate.

[Editor Comments]

[Neely] Approximately 1/3 of Android devices are still running Android 7.1.1, which was released in December 2016. The current Let's Encrypt root certificate can be added to the device, manually or via MDM. Alternately, users can install Firefox which has its own root certificate store. The best option is to replace devices still running Android 7, which is unsupported, with those that can run Android 11.   

Read more in:

Security Week: Let's Encrypt Warns Some Android Users of Compatibility Issues


ZDNet: Older Android phones will start failing on some secure websites in 2021


The Register: Let's Encrypt warns about a third of Android devices will from next year stumble over sites that use its certs


--Laptop Manufacturer Compal Hit with Ransomware

(November 9, 2020)

Compal, a company that manufactures laptops for Apple, Acer, Dell, HP and other companies, was hit with a ransomware attack over the weekend. Compal detected the incident on Sunday, November 8. According to a company statement, the incident affected the internal office network, not the production network.

[Editor Comments]

[Neely] Segmenting office and production/OT networks is a key defense, as are supply chain security measures such as cryptographic validation of firmware at the end of assembly and verification processes on media or files transferred to the production network to prevent or detect the introduction of malware.

[Murray] While network engineers are rewarded for flat networks (maximum bandwidth and minimum latency between any two points in the network), security engineers recognize that network structure and segmentation are essential to resisting lateral malware spread within the enterprise. At a minimum, highly vulnerable user activities (e.g., e-mail, browsing) should be isolated from "production."

Read more in:

The Register: Laptop mega-manufacturer Compal hit by DoppelPaymer ransomware - same one that hit German hospital


ZDNet: Compal, the second-largest laptop manufacturer in the world, hit by ransomware


Bleeping Computer: Laptop maker Compal hit by ransomware, $17 million demanded



--X-Cart eCommerce Platform Hit with Ransomware

(November 2 & 9, 2020)

eCommerce platform X-Cart was hit with a ransomware attack in late October. The attack took down stores hosted on X-Cart. Some stores were completely unavailable, while others reported trouble sending email alerts. An executive for Seller Labs, which acquired X-Cart a year ago, says they did not pay a ransom to regain access to their systems.

[Editor Comments]

[Neely] The attack affected only their shared server offering. While systems were recovered by restoration from backup, some customers will experience data loss relating to transactions that happened between the backup and restore date. Customers should review email or other transaction logs not contained on the X-Cart platform to identify gaps. Watch for a follow-up class-action lawsuit, particularly if the attack is related to the RCE vulnerability X-Cart had purportedly fixed previously.

Read more in:

ZDNet: Ransomware hits e-commerce platform X-Cart


Portswigger: X-Cart customers recovering from ransomware attack that led to widespread e-commerce site outages



--Gitpaste Worm Has at Least 12 Attack Modules

(November 6 & 9, 2020)

Malware recently detected by researchers at Juniper Threat Labs targets Linux-based x86 servers and Linux IoT devices. The worm, dubbed Gitpaste, stores code in GitHub and Pastebin. It has at least a dozen attack modules. Gitpaste appears to be adding infected devices to a botnet. Once a system is compromised, a shell script is installed, and that begins downloading and executing the malware's other components.

Read more in:

Juniper: Gitpaste-12: a new worming botnet with reverse shell capability spreading via GitHub and Pastebin


ZDNet: This new malware wants to add your Linux servers and IoT devices to its botnet


Threatpost: Gitpaste-12 Worm Targets Linux Servers, IoT Devices



--UVM Cyberattack Impacts Chemotherapy, Mammograms

(November 9, 2020)

Problems caused by a cyberattack that hit the University of Vermont (UVM) Health Network in late October have reduced the number of patients they can currently provide with chemotherapy treatments. UVM Health Network has been unable to administer mammograms, ultrasounds, and related screenings. In addition, 300 staff members have been furloughed or reassigned.

[Editor Comments]

Read more in:

Threatpost: Cyberattack on UVM Health Network Impedes Chemotherapy Appointments



--Upcoming Chrome Feature Will Block JavaScript Redirects

(November 9, 2020)

Google will introduce a new feature to Chrome to help prevent a link that opens in a new tab from executing JavaScript. A security flaw in an attribute that tells the browser to open a link in a new tab allows the new page to redirect users to a URL that is different from the one they clicked on. The change to fix this issue has been made in Chrome Canary and is expected to  be included in Chrome 88 when it is released in January 2021.

[Editor Comments]

[Neely] This is characterized as a "tab napping" attack. The issue occurs when a URL includes target="_blank" without the rel="noopener" attribute. The bug fix makes that the default behavior. This behavior was added to Safari in 2018, and will be added to Chromium and is a change in the HTML standard. Note that the behavior can be restored if the attribute rel="opener" is specified.  

Read more in:

bugs.chromium: Issue 898942: Anchor target=_blank should imply rel=noopener


Bleeping Computer: Google Chrome to block JavaScript redirects on web page URL clicks



--Zoom Agrees to Terms of FTC Settlement Over Misleading Security Claims

(November 9, 2020)

Zoom and the US Federal Trade Commission (FTC) have reached a settlement over charges that the company misled users about the encryption it offered. The original complaint alleged that Zoom misled its users when it claimed to offer "end-to-end 256-bit encryption." According to the terms of the settlement, "Zoom has agreed to a requirement to establish and implement a comprehensive security program, a prohibition on privacy and security misrepresentations, and other detailed and specific relief to protect its user base."

[Editor Comments]

[Neely] It is a good idea to trust but verify vendor security claims. Understand the impacts and limitations of the security measure, rather than reading the marketing term chosen. For example, there are application limitations when using end-to-end encryption with VTC products like Zoom, which preclude joining before the host, cloud-based recording or use of the web-based applications to participate in the meeting. Understand where and how the system has been secured, so you can make a risk-based decision about what data you do, or do not, want transmitted using that service.

Read more in:

Cyberscoop: Zoom settles charges with FTC over deceptive security practices


The Register: Zoom strong-armed by US watchdog to beef up security after boasting of end-to-end encryption that didn't exist


ZDNet: Zoom settles FTC charges for misleading users about security features


FTC: FTC Requires Zoom to Enhance its Security Practices as Part of Settlement


FTC: Agreement Containing Consent Order (PDF)


*******************************  SPONSORED LINKS  ********************************  

1) Webcast | Join SANS Instructor, Matt Bromiley and Infoblox cybersecurity expert, Bob Hansmann for our upcoming webcast, "Supercharge IR with DDI Visibility" to learn how to enhance and supercharge your incident response process with tips you can implement right away | November 18 @ 12:00 PM EST

| http://www.sans.org/info/218125

2) Webcast | We invite you to join our upcoming Ask the Expert Session hosted by Axonius Director of Security, Daniel Trauner during our webcast titled, "What's This Thing? Solving Asset Management for Security Ops" | November 17 @ 2:00 PM EST

| http://www.sans.org/info/218130

3) On-Demand Webcast | Visit our archived webcast, "Small businesses deserve big protection" to learn how to get powerful protection against todays biggest threats with Cisco Umbrella, a cloud-delivered security service that is simple and cost-effective for a team of any size to deploy, use, and manage, with no hardware to maintain or upgrade

| http://www.sans.org/info/218140




Cryptojacking Targeting WebLogic TCP/7001


Extracting VBA Code From Maldocs


How Attackers Brush Up Their Malicious Scripts


Let's Encrypt May No Longer Be Recognized by Older Android Versions


Fake Microsoft Teams Updates Lead to Cobalt Strike Deployment


Linux Kernel to Remove set_fs()


BigIP Vulnerability


RansomEXX Trojan Attacks Linux Systems


More NPM Malware Found


The Internet is Getting Safer: Fall 2020 RPKI Update



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create