SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #92

November 20, 2020

IoT Law to Set Standards Mandatory for Government Purchase; Cisco Webex Flaws Could be Exploited to Join Meetings Surreptitiously; Bad Actors Scanning WordPress Sites; COVID-19 Response Organizations Hit by Cyberattacks


*****************************************************************************

SANS NewsBites              November 20, 2020               Vol. 22, Num. 092

*****************************************************************************

THE TOP OF THE NEWS


  Internet of Things Security Bill To Establish Security Standards Mandatory for Government

  Cisco Webex Flaws Could be Exploited to Join Meetings Surreptitiously

  Bad Actors Scanning for Vulnerable WordPress Sites

  Organizations Involved in COVID-19 Response Hit by Cyberattacks


REST OF THE WEEK'S NEWS


  CISA Director Krebs Fired

  Firefox 83 has HTTPS-Only Mode Feature

  Mozilla Seeks Input Before Rolling Out DNS-over-HTTPS to All Firefox Users

  Firefox Says Goodbye to Flash in January

  Industrial Control System Vulnerabilities

  Managed.com Hit with Ransomware


INTERNET STORM CENTER TECH CORNER


************************  Sponsored By Lookout  *********************************


Introducing the world's first mobile Endpoint Detection and Response - Today's cyberattackers utilize sophisticated methods over many days or weeks to execute a data breach. Organizations must adapt to keep their sensitive data safe. Aaron Cockerill, Chief Strategy Officer at Lookout discusses how businesses are now able to conduct their own threat hunting. Listen now.

| http://www.sans.org/info/218225


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


OnDemand and Live Online Training Special Offer

Best offers of the year! Get the latest MacBook Air, a Microsoft Surface Pro 7, or take $350 Off with ANY qualifying SANS Training Course through December 9.

- www.sans.org/specials/north-america/


New & Updated Courses


MGT516: Managing Security Vulnerabilities: Enterprise and Cloud

- https://www.sans.org/cyber-security-courses/managing-enterprise-cloud-security-vulnerabilities/


SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment

- https://www.sans.org/cyber-security-courses/enterprise-cloud-threat-vulnerability-assessment/


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/


View all courses

- https://www.sans.org/cyber-security-courses/


Upcoming Live Online Events


SANS Cyber Defense Initiative(R) 2020 - Dec 14-19 EST

35+ Courses | Core, Cyber Defense, and DFIR NetWars

- https://www.sans.org/event/cyber-defense-initiative-2020-live-online/


Cyber Threat Intelligence Summit & Training

FREE Summit: Jan 21-22 | Courses: Jan 25-30

- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/


View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america/

 

Free Resources

Tools, Posters, and more.

- https://www.sans.org/free/


*****************************************************************************

TOP OF THE NEWS

 

--Internet of Things Security Bill To Establish Security Standards Mandatory for Government

(November 18 & 19, 2020)

The US Senate has unanimously passed the IoT Cybersecurity Improvement Act. The bill will require that Internet of Things (IoT) devices purchased by the federal government meet cybersecurity standards that will be set by the National Institute of Standards and Technology (NIST). Agencies will also need to establish vulnerability disclosure processes for IoT devices. The House of Representatives passed the bill in September.


[Editor Comments]


[Neely] While not yet law, having standards for IoT security will give us a baseline to hold manufacturers accountable, as well as aid in measuring the security, and possible certification, of current and future devices. Note that USG agencies will not be permitted to purchase devices not compliant with the standards once established.


Read more in:

FCW: Senate passes IoT cybersecurity bill

https://fcw.com/articles/2020/11/18/iot-cyber-bill-passes-senate.aspx

Threatpost: IoT Cybersecurity Improvement Act Passed, Heads to President's Desk

https://threatpost.com/iot-cybersecurity-improvement-act-passed/161396/

govtrack: H.R. 1668: IoT Cybersecurity Improvement Act of 2020

https://www.govtrack.us/congress/bills/116/hr1668/text

 

--Cisco Webex Flaws Could be Exploited to Join Meetings Surreptitiously

(November 18 & 19, 2020)

Three vulnerabilities in Cisco's Webex video conferencing application could be exploited to join meetings as ghost users, able to listen in without the knowledge of other meeting participants or the host. An attacker could exploit one of the flaws to access the names, email addresses, and IP addresses of meeting participants. Another flaw could be exploited to remain in a meeting even after being dismissed by the host. Cisco has released updates to address the vulnerabilities.


[Editor Comments]


[Pescatore] In the 2020 SANS Top New Attacks and Threat Report, Johannes Ullrich pointed out the risk of vulnerabilities in the numerous "Persistent and Promiscuous Web Agents" in use for applications such as Webex, Zoom and others. The Center for Internet Security recently released a good security guide for videoconferencing systems at https://www.cisecurity.org/white-papers/videoconferencing-security-guide/


[Neely] Cisco patched their cloud-based servers. You need to patch or update on-premises Cisco Webex Meetings Server 3.0M3 Security Patch 4 and earlier and 4.0MR3 Security Patch 3 and earlier, as well as mobile versions prior to 40.10.9.


Read more in:

ZDNet: Cisco Webex bugs allow attackers to join meetings as ghost users

https://www.zdnet.com/article/cisco-webex-bugs-allow-attackers-to-join-meetings-as-ghost-users/

Ars Technica: Cisco rolls out fix for Webex flaws that let hackers eavesdrop on meetings

https://arstechnica.com/information-technology/2020/11/cisco-rolls-out-fix-for-webex-flaws-that-lets-hackers-eavesdrop-on-meetings/

Dark Reading: Cisco Webex Vulns Let 'Ghost' Attendees Spy on Meetings

https://www.darkreading.com/threat-intelligence/cisco-webex-vulns-let-ghost-attendees-spy-on-meetings/d/d-id/1339485

Threatpost: Cisco Webex 'Ghost' Flaw Opens Meetings to Snooping

https://threatpost.com/cisco-webex-flaw-snooping/161355/

Bleeping Computer: Cisco fixes WebEx bugs allowing 'ghost' attackers in meetings

https://www.bleepingcomputer.com/news/security/cisco-fixes-webex-bugs-allowing-ghost-attackers-in-meetings/

Security Week: Cisco Webex Vulnerability Allows Ghost Access to Meetings

https://www.securityweek.com/cisco-webex-vulnerability-allows-ghost-access-meetings

Cisco: Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-auth-token-3vg57A5r

Cisco: Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-info-leak-PhpzB3sG

Cisco: Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webex-infodisc-4tvQzn4

 
 

--Bad Actors Scanning for Vulnerable WordPress Sites

(November 17 & 18, 2020)

Hackers appear to be scanning for WordPress sites that use Epsilon Framework-based themes. Multiple function injection vulnerabilities could be chained to execute code remotely and take over vulnerable websites. Users are urged to update to a fixed version of the theme(s) they use, where one is available. Themes built with Epsilon Framework are used on at least 150,000 sites.


[Editor Comments]


[Neely] While the attacks appear to be probing, intel-gathering attacks at this time, don't wait for that information to be leveraged. The Wordfence site below lists the specific vulnerable theme versions. If there is not an update for your Theme, and switching themes is impractical, add an application firewall to block the attacks.


Read more in:

Wordfence: Large-Scale Attacks Target Epsilon Framework Themes

https://www.wordfence.com/blog/2020/11/large-scale-attacks-target-epsilon-framework-themes/

Threatpost: Widespread Scans Underway for RCE Bugs in WordPress Websites

https://threatpost.com/widespread-scans-rce-bugs-wordpress-websites/161374/

Bleeping Computer: Hackers are actively probing millions of WordPress sites

https://www.bleepingcomputer.com/news/security/hackers-are-actively-probing-millions-of-wordpress-sites/


 

--Organizations Involved in COVID-19 Response Hit by Cyberattacks

(November 18 & 19, 2020)

Two companies with ties to COVID-19 research and treatment were recently targeted by cyberattacks. Americold, an Atlanta-based company that provides cold storage for food distributors and is planning to be involved with COVID-19 vaccine storage, has disclosed that its network was hit with a cyberattack earlier this month. The disclosure was made in a US Securities and Exchange Commission (SEC) filing. Miltenyi Biotec, a biotechnology company based in Germany, was hit with a cyberattack that affected some operational processes; Miltenyi supplies research companies with antigens for use in developing COVID-19 treatments.


Read more in:

Health IT Security: Hackers Hit COVID-19 Biotech Firm, Cold Storage Giant with Cyberattacks

https://healthitsecurity.com/news/hackers-hit-covid-19-biotech-firm-cold-storage-giant-with-cyberattacks

Threatpost: Food-Supply Giant Americold Admits Cyberattack

https://threatpost.com/food-supply-americold-cyberattack/161402/

Miltenyi Biotec: Customer Service and Technical Support Contacts

https://www.miltenyibiotec.com/US-en/about-us/customer-technical-support-1.html


*******************************  SPONSORED LINKS  ********************************


1) Virtual Event | Looking for practical guidance on security in the AWS Cloud? Join SANS instructors and other cloud security leaders as they share tactics, techniques, and procedures for operating effectively and securely in the cloud. This virtual event is based on the recently released book Practical Guide for Security in the AWS Cloud. | December 11 @ 10:30 AM EST

| http://www.sans.org/info/218230


2) Webcast | An upcoming webcast, "5 things you need to know to future-proof your data security today" chaired by cybersecurity expert, John Pescatore, is designed to teach you the steps to build an intelligent roadmap for protecting your business and reduce the risk of data breaches by gaining better control over your IT environment | December 3 @ 1:00 PM EST

| http://www.sans.org/info/218235


3) Webcast | Tune in to our upcoming webcast, "What Works in Maintaining Deep Security and Enabling Detection and Response Across Data Center and Cloud Apps" to gain insight into the business justification for advanced network detection and response (NDR) capabilities and the key evaluation factors that resulted in the selection and deployment of ExtraHop's Reveal(x) platform. | November 24 @ 1:00 PM EST

| http://www.sans.org/info/218240


*****************************************************************************

THE REST OF THE WEEK'S NEWS

 

--CISA Director Krebs Fired

(November 17 & 18, 2020)

Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs has been fired. The decision to fire Krebs has met with condemnation from legislators and from cybersecurity experts.


[Editor Comments]


[Neely] Under Krebs' leadership, the CISA raised the bar on cyber security alerting and partnerships with public and private sector entities. It's hoped his model will continue in his absence.


[Murray] Security professionals must take care not to give unwarranted comfort nor to raise unnecessary alarm. They are often called upon to speak truth to power and they must be willing to put their jobs on the line for their credibility. Let Christopher Krebs be our example and our hero.


[Honan] This dismissal has long-term ramifications for global cybersecurity. Many relationships at an international level are based on the individuals in various organisations and the personal relationships and trust they build with their peers elsewhere. The dismissal of Mr. Krebs sends a message to the US's international partners that building those personal relationships and the trust that comes with it can be quickly undermined by a political decision.


Read more in:

Threatpost: Firing of CISA Chief Christopher Krebs Widely Condemned

https://threatpost.com/firing-of-krebs-condemned/161338/

KrebsOnSecurity: Trump Fires Security Chief Christopher Krebs

https://krebsonsecurity.com/2020/11/trump-fires-security-chief-christopher-krebs/

Wired: Firing Christopher Krebs Crosses a Line--Even for Trump

https://www.wired.com/story/trump-fires-christopher-krebs-cisa/

Ars Technica: "Krebs has been terminated": Trump fires cybersecurity chief on Twitter

https://arstechnica.com/tech-policy/2020/11/trump-fires-cybersecurity-chief-for-debunking-election-fraud-claims/

SC Magazine: Trump fires DHS cyber official, widely credited for repairing fractured relations with industry

https://www.scmagazine.com/home/security-news/trump-fires-dhs-cyber-official-widely-credited-for-repairing-fractured-relations-with-industry/

SC Magazine: 'We can't do this every four years': Critical infrastructure rattled by Krebs DHS departure

https://www.scmagazine.com/home/security-news/government-and-defense/we-cant-do-this-every-four-years-critical-infrastructure-rattled-by-krebs-dhs-departure/

Cyberscoop: Trump fires CISA chief Chris Krebs, who guarded the 2020 election from interference and domestic misinformation

https://www.cyberscoop.com/trump-chris-krebs-2020-election-security-twitter/

 
 

--Firefox 83 has HTTPS-Only Mode Feature

(November 17 & 18, 2020)

Firefox 83 has a new mode that connects only to HTTPS sites; users will be asked to approve connections to insecure (plain HTTP) websites. The feature is disabled by default. Mozilla released Firefox 83 to the stable channel earlier this week.


Read more in:

Mozilla: Firefox 83 introduces HTTPS-Only Mode

https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/

ZDNet: Firefox 83 released with 'HTTPS-Only Mode' that only loads HTTPS sites

https://www.zdnet.com/article/firefox-83-released-with-https-only-mode-that-only-loads-https-sites/

Bleeping Computer: Firefox 83 boosts security with HTTPS-Only mode, zero-day fix

https://www.bleepingcomputer.com/news/software/firefox-83-boosts-security-with-https-only-mode-zero-day-fix/

Security Week: Mozilla Boosts Security in Firefox With HTTPS-Only Mode

https://www.securityweek.com/mozilla-boosts-security-firefox-https-only-mode

 
 

--Mozilla Seeks Input Before Rolling Out DNS-over-HTTPS to All Firefox Users

(November 19, 2020)

Mozilla plans to roll out the DNS-over-HTTPS (DoH) protocol in Firefox for all users worldwide, but is first asking companies, governments, and Internet service providers (ISPs) for their input. The public comment period runs through January 4, 2021.


[Editor Comments]


[Neely] It would be better to roll out DNS over TLS as specified by RFC 7858, providing secure DNS for all system services, not just the browser, to avoid inconsistencies between the browser and host-based resolvers as well as support existing investment in enterprise DNS architecture.


Read more in:

Mozilla: Mozilla DNS over HTTPS (DoH) and Trusted Recursive Resolver (TRR) Comment Period: Help us enhance security and privacy online

https://blog.mozilla.org/netpolicy/2020/11/18/doh-comment-period-2020

ZDNet: Fearing drama, Mozilla opens public consultation before worldwide Firefox DoH rollout

https://www.zdnet.com/article/fearing-drama-mozilla-opens-public-consultation-before-worldwide-firefox-doh-rollout/

SC Magazine: In an unusual move, Mozilla asks for public comment about browser privacy feature

https://www.scmagazine.com/home/security-news/in-an-unusual-move-mozilla-asks-for-public-comment-about-global-browser-privacy-setting/

 
 

--Firefox Says Goodbye to Flash in January

(November 18, 2020)

Mozilla has announced that it will end support for Flash in Firefox as of January 26, 2021. With the release of Firefox 85, "there will be no setting to re-enable Flash support."


[Editor Comments]


[Neely] Develop and test your strategy to uninstall and disable Flash now. Leverage browsers no longer supporting Flash, Microsoft's Flash removal "patch" as well as verification to ensure it's truly disabled.


Read more in:

Mozilla: Ending Firefox support for Flash

https://blog.mozilla.org/futurereleases/2020/11/17/ending-firefox-support-for-flash/

ZDNet: Firefox support for Flash ends on January 26

https://www.zdnet.com/article/firefox-support-for-flash-ends-on-january-26/

 
 

--Industrial Control System Vulnerabilities

(November 17, 2020)

Four industrial control system (ICS) vendors have recently disclosed vulnerabilities in their products. Real Time Automation disclosed a stack overflow flaw in its 499ES ENIP protocol stack. Paradox disclosed two vulnerabilities in its IP150 Internet Module. Schneider Electric disclosed nine security issues in its Interactive Graphical SCADA System, and Sensormatic Electronics disclosed a vulnerability in the American Dynamics victor Web Client and Software House C*CURE Web Client.


Read more in:

Threatpost: Multiple Industrial Control System Vendors Warn of Critical Bugs

https://threatpost.com/ics-vendors-warn-critical-bugs/161333/

 
 

--Managed.com Hit with Ransomware

(November 17 & 18, 2020)

Hosting provider Managed.com was hit with a ransomware attack that began earlier this week. The company has taken down all its servers to contend with the incident. The attack affected Managed.com's public-facing hosting systems; some customers' sites were encrypted.


[Editor Comments]


[Neely] Make sure you have backups of hosted services, ideally stored at a separate service, as hosting services have become a new attack target with the goal that once the hosting provider's systems are compromised, manipulation or disruption of client services will result. Other hosting providers attacked include Equinix, CyrusOne, Cognizant, X-Cart, A2 Hosting, SmarterASP.Net, Dataresolution.net and Internet Nayana.


[Honan] A classic example of why you need to include external providers in your Business Continuity Planning. Just because you outsource something to a third party, it does not mean it is no longer your responsibility.


[Murray] Consider Tripwire's Configuration Manager.


Read more in:

ZDNet: Ransomware attack forces web hosting provider Managed.com to take servers offline

https://www.zdnet.com/article/web-hosting-provider-managed-shuts-down-after-ransomware-attack/

Bleeping Computer: REvil ransomware hits Managed.com hosting provider, 500K ransom

https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/

 

*****************************************************************************

 INTERNET STORM CENTER TECH CORNER


When Security Controls Lead to Security Issues

https://isc.sans.edu/forums/diary/When+Security+Controls+Lead+to+Security+Issues/26804/


PowerShell Dropper Delivering Formbook

https://isc.sans.edu/forums/diary/PowerShell+Dropper+Delivering+Formbook/26806/


Google Chrome Update

https://chromereleases.googleblog.com/2020/11/stable-channel-update-for-desktop_17.html


Firefox 83 HTTPS Only Mode

https://blog.mozilla.org/security/2020/11/17/firefox-83-introduces-https-only-mode/


OOB Windows Kerberos Update

https://docs.microsoft.com/en-us/windows/release-information/windows-message-center


Cisco WebEx Patch Fixes "Ghost Users"

https://securityintelligence.com/posts/ibm-works-with-cisco-exorcise-ghosts-webex-meetings/


Apple Binaries Used to Bypass 3rd Party Security Products on MacOS 11

https://twitter.com/patrickwardle/status/1327726496203476992


Apple Improving Privacy on App Certificate Checks

https://support.apple.com/en-us/HT202491


Cisco Security Manager Vulnerabilities

https://gist.github.com/Frycos/8bf5c125d720b3504b4f28a1126e509e

https://tools.cisco.com/security/center/publicationListing.x


Ransomware Flooding Printers

https://twitter.com/Irlenys/status/1327784305465188353


Google Leading the Way in Phishing

https://www.armorblox.com/blog/ok-google-build-me-a-phishing-campaign


Identifying Malicious Servers With JARM

https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a


Daniel Behrens: Industrial Traffic Collection: Understanding the Implications of Deploying Visibility Without Impacting Production

https://www.sans.org/reading-room/whitepapers/ICS/industrial-traffic-collection-understanding-implications-deploying-visibility-impacting-production-39810


*****************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create