Special Offer w/ OnDemand: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training thru Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #91

November 17, 2020

Nations Target COVID-19 Research; 250,000 Windows Systems Not Patched Against Critical Vulnerabilities

You can now become a SANS Cloud Ace, better prepared for your current role, and ready for a cutting-edge future in cloud security. Whether you are on a technical flight plan, or a managerial one, SANS Cloud Security curriculum has training to fit your needs.

Learn more about our Cloud Security Flight School And Educational Resources at sans.org/cloud-security


SANS NewsBites              November 17, 2020               Vol. 22, Num. 091



  State-Sponsored APTs Target COVID-19 Research

  Hundreds of Thousands of Windows Systems are Not Patched Against Known, Critical Vulnerabilities


  Capcom Says Ransomware Actors Stole Customer and Employee Data

  ICO Fines Ticketmaster UK Over 2018 Data Breach

  Hackney Council Struggling to Recover from Cyberattack

  Hackers Targeting South Korea's Supply Chain

  Recently-patched Intel Flaws Can be Exploited to Bypass Boot Guard

  CISA Warns of Vulnerability in BD Alaris Infusion Pumps

  Texas Driver's License Data Compromised

  US Mental Healthcare Provider Discloses Patient Data Breach


*************************  Sponsored By Snyk  **********************************

Webcast | Our upcoming webcast titled, "Who's Job Is It Anyway: Securing Infrastructure When It's Code" is a live discussion about how organizations can achieve better visibility of the threats, design effective countermeasures, and implement effective processes to improve the security posture of their deployments |  November 19 @ 3:30 PM EST

| http://www.sans.org/info/218185



OnDemand and Live Online Training Special Offer

Best Offers of the Year! Get an 11" iPad Pro w/ Magic Keyboard, a Microsoft Surface Go 2 - 256 GB SSD, or Take $350 Off with ANY qualifying SANS Training Course through November 18.

- www.sans.org/specials/north-america/

New & Updated Courses

MGT516: Managing Security Vulnerabilities: Enterprise and Cloud

- https://www.sans.org/cyber-security-courses/managing-enterprise-cloud-security-vulnerabilities/

SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment

- https://www.sans.org/cyber-security-courses/enterprise-cloud-threat-vulnerability-assessment/

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/

View all courses

- https://www.sans.org/cyber-security-courses/

Upcoming Live Online Events

SANS Cyber Defense Initiative(R) 2020 - Dec 14-19 EST

35+ Courses | Core, Cyber Defense, and DFIR NetWars

- https://www.sans.org/event/cyber-defense-initiative-2020-live-online/

Cyber Threat Intelligence Summit & Training

FREE Summit: Jan 21-22 | Courses: Jan 25-30

- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/

View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america/


Free Resources

Tools, Posters, and more.

- https://www.sans.org/free/




--State-Sponsored APTs Target COVID-19 Research

(November 13, 2020)

Microsoft says that State-sponsored hackers operating on behalf of the Russian and North Korean governments have been targeting organizations involved in COVID-19 vaccine research and development. Microsoft found evidence of three hacking groups targeting a total of seven organizations in South Korea, India, France, Canada, and the US. (Please note that the WSJ story is behind a paywall.)

[Editor Comments]

[Neely] With the pressure to be first to market with an effective vaccine, countries are willing to reach that goal by any means necessary. Organizations working to create the drugs are in the crosshairs, in ways they are not prepared for or resourced to defend against. Microsoft is offering AccountGuard as a free service to healthcare organizations to help raise the bar on their email account security. (See https://www.microsoftaccountguard.com/healthcare/) It also includes notifications, direct links to Microsoft Customer Security and Trust team and security webinars and workshops, which should help focus limited resources as well as better prepare to protect systems without a significant time or cash outlay.

Read more in:

Ars Technica: Hackers sponsored by Russia and North Korea are targeting COVID-19 researchers


ZDNet: Microsoft says three APTs have targeted seven COVID-19 vaccine makers


WSJ: Covid-19 Vaccine Makers Face Russian, North Korean Cyberattacks, Microsoft Says (paywall)


Microsoft: Cyberattacks targeting health care must stop



--Hundreds of Thousands of Windows Systems are Not Patched Against Known, Critical Vulnerabilities

(November 17, 2020)

The Internet Storm Center has found that nearly 250,000 Windows systems have not been patched against the BlueKeep remote desktop protocol (RDP) vulnerability; BlueKeep was disclosed in spring 2019. More than 100,000 Windows systems remain unpatched against the SMBGhost vulnerability in the Server Message Block v3 protocol; SMBGhost was disclosed in March 2020.

[Editor Comments]

[Ullrich] Before anybody blames the pandemic for this, going back to the "early day" of Code Red and SQL Slammer, the result has been the same: most systems get patched in 30 days. The rest never get patched. Some organizations care, others do not. Many of these systems are essentially abandoned from any meaningful maintenance and are waiting to die a slow dead of ransomware and hardware neglect, lonely and forgotten in some server closet. We are not talking about hard-to-patch IoT devices for which it can be difficult to even find updates. These are for the most part Windows and Linux systems. Microsoft has provided more and better tools to make patching easier, more reliable, and less risky. Same for all major Linux distributions. But if organizations do not care to learn about these new tools, and just do what they always did (= nothing), we will end up with the equivalent of loaded unsecured shotguns scattered over the Internet waiting to be picked up and used by a random kid walking past them.

[Neely] With everyone working remotely, patching those systems is challenging but is a solvable problem. Options to increase success include providing update services which can be reached without VPN by authorized systems, notifying users when to leave systems connected during patch windows, rather than patching while working and allowing the VPN to connect prior to login to mitigate risks of cached credential loss.

[Pescatore] Lots of indication that IT operations have been consumed with keeping Work from Home up and running and patching performance has declined even at organizations that had strong SLAs pre-pandemic.


Read more in:

ISC: Heartbleed, BlueKeep and other vulnerabilities that didn't disappear just because we don't talk about them anymore


ZDNet: More than 245,000 Windows systems still remain vulnerable to BlueKeep RDP bug


*******************************  SPONSORED LINKS  ********************************   

1) Webcast | Tune in to our upcoming webcast, "What Works in Maintaining Deep Security and Enabling Detection and Response Across Data Center and Cloud Apps"  to gain insight into the business justification for advanced network detection and response (NDR) capabilities and the key evaluation factors that resulted in the election and deployment of ExtraHop's Reveal(x) platform. | November 24 @ 1:00 PM EST

| http://www.sans.org/info/218190

2) Webcast | With Zero Trust, we always assume breach.  In our upcoming webcast, "Assume Breach! How to implement Zero Trust" you will learn how to face challenging threats with speed and velocity, making you the hero in your organization! | December 1 @ 1:00 PM EST

| http://www.sans.org/info/218195

3) Webcast | SANS Director of Emerging Security Trends, John Pescatore hosts our upcoming webcasts titled, "The failures of static DLP and how to protect against tomorrow's email breaches" | December 2 @ 12:00 PM EST




--Capcom Says Ransomware Actors Stole Customer and Employee Data

(November 16, 2020)

Video game publisher Capcom has disclosed that the attackers behind a ransomware attack on the company's network stole customer and employee data as well as sensitive company information. The attack occurred on November 2. The breach affects as many as 350,000 people.

[Editor Comments]

[Neely] Data stolen includes both customer and employee PII. Beware of password reset actions attempting to use this data. The Ragnar Locker group is seeking ransom for both the decryption key and for not publishing the data. If you've used the password from your Capcom account anywhere else, change it now to something unique for each service.

Read more in:

The Register: Street Fighter maker says soz after ransomware hadoukens servers leaving 350,000 folks' data at risk of compromise


Bleeping Computer: Capcom confirms data breach after gamers' data stolen in cyberattack



--ICO Fines Ticketmaster UK Over 2018 Data Breach

(November 13, 2020)

The UK Information Commissioner's Office (ICO) has fined the Ticketmaster's UK division 1.25 million GBP (1.65 million USD) for a breach that affected 9.4 million individuals. The ICO found that Ticketmaster "failed to put appropriate security measures in place to prevent a cyber-attack on a chat-bot installed on its online payment page." The breach affected UK customers who made purchases between February and June 2018.

[Editor Comments]

[Honan] This is the second fine in recent weeks that the ICO has issued in relation to insecure implementations on a company's website; the other company is British Airways. Of note with this fine is the ICO not only highlighted the failure of Ticketmaster to properly assess the risks associated with the installation of the chat-bot onto its website, but also its failure to "Identify the source of suggested fraudulent activity in a timely manner." https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/11/ico-fines-ticketmaster-uk-limited-125million-for-failing-to-protect-customers-payment-details/: ICO fines Ticketmaster UK Limited #1.25million for failing to protect customers' payment details.

Read more in:

The Register: Ticketmaster cops #1.25m ICO fine for 2018 Magecart breach, blames someone else and vows to appeal


Threatpost: Ticketmaster Scores Hefty Fine Over 2018 Data Breach



--Hackney Council Struggling to Recover from Cyberattack

(November 16, 2020)

London's Hackney Council, which experienced "an advanced, criminal cyberattack" in mid-October, says it could be months before all services are restored. The Hackney Council websites notes that its "services are currently significantly disrupted and you may experience difficulty contacting us or using our services."

[Editor Comments]

[Neely] A full restoration from backup can be painful and involved. Verify that your backups and restoration procedures are sufficient for a full-service restoration, including interdependencies. Practice service restoration, including rebuilding and operating services on fresh hardware or instances. Verify these are accurate and functional annually. Make sure that you don't overlook processes performed locally on end-user systems.

[Murray] Many small enterprises, including small municipalities, often lack the resources to create effective plans to cope with breaches. While outside services may be helpful, any effective plan will require the participation and training of those responsible for implementing the plan.

Read more in:

ZDNet: Cyber-attack disruption could last for months, says council


Hackney.gov.uk: Service status



--Hackers Targeting South Korea's Supply Chain

(November 16, 2020)

Researchers at ESET have found that a hacking group with ties to North Korea's government has been using stolen certificates to launch supply chain attacks in South Korea. In South Korea, Internet users are often required to install security software to allow them to visit government and banking websites. To facilitate these downloads, many users have an integration installation program known as WIZVERA VeraPort installed on their computers. ESET researchers say, "the attackers [are likely replacing] the software to be delivered to WIZVERA VeraPort users from a legitimate but compromised website."

Read more in:

welivesecurity: Lazarus supplyx1Echain attack in South Korea


ZDNet: Lazarus malware strikes South Korean supply chains


Threatpost: Hacked Security Software Used in Novel South Korean Supply-Chain Attack


Security Week: Lazarus Group Targets South Korea via Supply Chain Attack



--Recently-patched Intel Flaws Can be Exploited to Bypass Boot Guard

(November 14, 2020)

Several recently-patched vulnerabilities affecting Intel products could be exploited to override the Boot Guard protection, which is designed to prevent unauthorized code from running during the boot process. Attackers could install malicious firmware or obtain decrypted files from the targeted computer. The exploit requires that the attacker have physical access to vulnerable computers.

[Editor Comments]

[Neely] As these exploits require physical access, your servers aren't the target as much as all those systems now running at home. Make sure that your threat model not only includes protections for mitigations for system on travel, in cars, etc. but also those in homes, or being delivered to users, particularly where the system configuration is completed externally. Consider disabling sleep mode for hibernate to mitigate vulnerabilities which access encryption keys in memory.

Read more in:

Ars Technica: Hackers can use just-fixed Intel bugs to install malicious firmware on PCs



--CISA Warns of Vulnerability in BD Alaris Infusion Pumps

(November 13, 2020)

An alert from the US Cybersecurity and Infrastructure Security Agency (CISA) describes an improper network session authentication vulnerability in the BD Alaris 8015 PC Unit and BD Alaris Systems Manager. The flaw could be exploited to cause denial-of-service conditions. CISA's alert urges organizations using these products to employ mitigations provided by the manufacturer.

[Editor Comments]

[Neely] Exploitation involves accessing the network associated with the devices and vulnerable services. Mitigations include regularly patching the servers and segmenting services utilizing firewalls and ACLs so only authorized devices able to interoperate.

Read more in:

MedTechDive: BD's Alaris infusion pumps flagged for cybersecurity vulnerability


Health IT Security: BD Discloses Alaris Medical Device Vulnerability, Poses DoS Attack Risk


US-CERT CISA: ICS Medical Advisory (ICSMA-20-317-01) | BD Alaris 8015 PC Unit and BD Alaris Systems Manager



--Texas Driver's License Data Compromised

(November 14, 2020)

A data breach affecting systems at an insurance software company has compromised driver's license information belonging to more than  27 million Texas residents. The company, Vertafore, "determined that, at some point between March 11 and August 1 of this year, there was potential unauthorized access to the three data files." Vertafore

disclosed the breach on November 10. Intruders accessed the system sometime between March 11 and August 1. The incident was detected in mid-August. The statement suggests that the data were compromised because the three data files were stored in an unsecured external storage service.

[Editor Comments]

[Neely] Vertafore is offering a year of credit monitoring and repair to affected individuals, which is a good start. If you are affected and don't already have that service, sign up, and expect to keep it long term. While passing verification of security requirements to external providers is not new, the consequence of error is much higher with Internet-facing systems they use, particularly as those systems may have third-party services which also need to follow those requirements. Remember to regularly verify controls are in place and working beyond the initial acquisition and acceptance testing phases, including breach notification and indemnity agreements.

Read more in:

The Hill: Software vendor says data breach exposed nearly 28 million Texas driver's license records


GovInfosecurity: Data of 27 Million Texas Drivers Compromised in Breach


Vertafore: Vertafore Statement Regarding Data Event



--US Mental Healthcare Provider Discloses Patient Data Breach

(November 13, 2020)

People Incorporated, a Minnesota-based mental health services provider, has disclosed that several employee email accounts were accessed by an unauthorized third party earlier this year.  According to a statement from the company, "the accessed email accounts contained the personal and protected health information of certain patients, including their names, dates of birth, addresses, treatment information, insurance information, and medical record number." The incident affected approximately 27,500 individuals.

Read more in:

Portswigger: US mental health provider admits email breach exposed patient data





Oledump Removed Macro Indicator


Old Worm But New Obfuscation Technique


Old Vulnerabilities Don't Die


MacOS OCSP Disaster


Citrix Virtual Apps and Desktops Security Update


Zoom Security Improvements


Firefox File Read Vulnerability Details


VoltPillager: Hardware-based fault injection attacks against Intel SGX Enclaves using the SVID voltage scaling interface (PDF)



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create