SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #17
March 1, 2019
US Cyber Command Blocked Russian Trolls During 2018 Elections; 2019 X-Force Threat Intelligence Report: Cybercriminals Changing Priorities
****************************************************************************
SANS NewsBites March 1, 2019 Vol. 21, Num. 017
****************************************************************************
TOP OF THE NEWS
US Cyber Command Blocked Russian Trolls During 2018 Elections
2019 IBM X-Force Threat Intelligence Index
REST OF THE WEEK'S NEWS
Cisco Flaws Patched
Drupal Admins Urged to Patch for Flaw That is Being Actively Exploited
Cobalt Strike Flaw Exposes IP Addresses of Malicious Command-and-Control Servers
Man Pleads Guilty in Booter/Stresser Case
What Would It Take to Make a Congressional Office of Technology Assessment Work?
DoD's Accelerated Cyber Specialist Hiring Program Needs More Staff
Adobe Will Retire Shockwave in April
TSA Oversees Pipeline Security
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
Cybersecurity Training Update
-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019
-- SANS San Francisco Spring 2019 | March 11-16 | https://www.sans.org/event/san-francisco-spring-2019
-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019
-- SANS Munich March 2019 | March 18-23 | https://www.sans.org/event/munich-march-2019
-- SANS Secure Canberra 2019 | March 18-23 | https://www.sans.org/event/secure-canberra-2019
-- ICS Security Summit & Training 2019 | Orlando, FL | March 18-25 | https://www.sans.org/event/ics-security-summit-2019
-- SANS London April 2019 | April 8-13 | https://www.sans.org/event/london-april-2019
-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019
-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get a 9.7" iPad, Samsung Galaxy Tab A or Take $250 Off with OnDemand or vLive training. Offer ends March 6.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By Atomicorp ***********************
OSSEC Con2019, March 20-21. The Future of OSSEC: Security and Compliance for Cloud, On-Premise and Hybrid Environments. You will learn about the latest features, 2019 roadmap, public and private cloud deployments and the power of global threat intelligence. FREE attendance for SANS subscribers.
*****************************************************************************
TOP OF THE NEWS
--US Cyber Command Blocked Russian Trolls During 2018 Elections
(February 26, 27, & 28, 2019)
The US Cyber Command (USCYBERCOM) blocked the activity of a notorious Russian troll operation during the 2018 mid-term elections. The activity took place from mid-October through mid-November of 2018 and included blocking the Russian Internet Research Agency's Internet access on the day of the election. The US Department of Homeland Security provided support to USCYBERCOM in this initiative.
[Editor Comments]
[Williams] There aren't a lot of places where military cyber action makes sense outside of assistance to kinetic operations. This is one of those places. The Russians almost certainly had a plan to disrupt the midterm elections. On the days they needed to execute that plan, they were disrupted from doing so. Any level of disruption in this particular case is a success from a CYBERCOM standpoint. That was the good part. Here's the bad part: we can't do this reliably again. Next time, they'll have a decentralized plan with multiple Internet points of presence that will be much harder to disrupt. But even if the Russians can't be fully disrupted on the days surrounding the 2020 elections, this operation has already increased the Russians' costs to mount their operations. That itself is a win. Anyone with a tested disaster recovery plan knows they aren't free.
Read more in:
Washington Post: U.S. Cyber Command operation disrupted Internet access of Russian troll factory on day of 2018 midterms
eWeek: U.S. Cyber-Warriors Disrupt Russian Election Attacks
https://www.eweek.com/security/u.s.-cyber-warriors-disrupt-russian-election-attacks
Ars Technica: Report: US Cyber Command took Russian trolls offline during midterms
The Hill: US cyber operation blocked internet for Russian troll farm on Election Day 2018: report
--2019 IBM X-Force Threat Intelligence Index
(February 26, 2019)
According to the 2019 IBM X-Force Threat Intelligence Index, cybercriminals are moving away from ransomware and instead turning to cryptojacking and business email compromise (BEC) to make money. The index also noted that attackers are increasingly using non-malicious tools including PowerShell and PsExec to evade detection.
[Editor Comments]
[Neely] Social Engineering will always be a challenging threat vector to mitigate and our adversaries know this. Continued diligence and user awareness, updated as the TTPs (Tactics, Techniques and Procedures) change, are the best mitigation. While file-less malware is becoming more prevalent and requires new detection and mitigation approaches, don't retire existing measures without ensuring you still have protection from prior attack vectors.
Read more in:
The Register: Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints
https://www.theregister.co.uk/2019/02/26/malware_ibm_powershell/
eWeek: Ransomware Attacks Decline as Cryptojacking Grows, IBM X-Force Reports
https://www.eweek.com/security/ransomware-attacks-decline-as-cryptojacking-grows-ibm-x-force-reports
IBM: IBM X-Force Report: Ransomware Doesn't Pay in 2018 as Cybercriminals Turn to Cryptojacking for Profit
**************************** SPONSORED LINKS ******************************
1) Are you involved with operational technology and ICS? SANS wants to hear from you! Take 10 minutes to complete the State of OT/ICS Cybersecurity Survey and enter to win a $400 Amazon gift card. http://www.sans.org/info/210835
2) What does it take to establish a successful security operations program? Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/210840
3) Check out the SANS Blog Page: http://www.sans.org/info/210850
*****************************************************************************
REST OF THE WEEK'S NEWS
--Cisco Flaws Patched
(February 28, 2019)
Cisco is urging users of its wireless VPN and firewall routers to install updates to fix a critical vulnerability that could allow attackers to gain elevated privileges on unpatched systems. The security issue is due to the improper validation of user-supplied data in the web-based management interface. Cisco also released a fix for a privilege elevation flaw affecting the WebEx Meetings platform.
[Editor Comments]
[Neely] If you have Cisco RV110W, RV130W or RV215W Wireless-N VPN routers, patch them. The risk can be mitigated by disabling remote management, but this may not be practical for centralized management. Cisco also released a patch for WebEx Meetings Desktop and WebEx Productivity Tools for Windows, vulnerability CVE-2019-1674, which allows for arbitrary code execution as a privileged user. WebEx shops will want to deploy quickly to mitigate the risk.
Read more in:
ZDNet: Cisco: Patch routers now against massive 9.8/10-severity security hole
https://www.zdnet.com/article/cisco-patch-routers-now-against-massive-9-810-severity-security-hole/
SC Magazine: Cisco patches two code execution vulnerabilities
Threatpost: Cisco Fixes Critical Flaw in Wireless VPN, Firewall Routers
https://threatpost.com/cisco-fixes-critical-flaw-in-wireless-vpn-firewall-routers/142284/
Threatpost: Cisco Patches High-Severity Webex Vulnerability For Third Time
https://threatpost.com/cisco-patches-high-severity-webex-vulnerability-for-third-time/142243/
Bleeping Computer: Cisco Fixes Critical RCE Vulnerability in RV110W, RV130W, and RV215W Routers
--Drupal Admins Urged to Patch for Flaw That is Being Actively Exploited
(February 27, 2019)
A critical flaw in Drupal CMS that was disclosed on February 20 is now being actively exploited. Admins are urged to apply the updates. Attackers are taking advantage of the flaw to deliver cryptominers and other malware. The issue can lead to arbitrary PHP code execution. Researchers from Imperva found that the immediate mitigations suggested in Drupal's February 20, 2019 advisory do not fully protect against attacks.
[Editor Comments]
[Murray] Many, not to say most, of our vulnerabilities result from the failure of input validation in the absence of more fundamental protections (e.g., finite-state operating systems, symbolic-only addressing, strongly typed objects, process-to-process isolation, application-only systems, and restrictive access control policies).
Read more in:
The Register: Friendly reminder to Drupal admins: Secure your sh!t before latest RCE-holes get you
https://www.theregister.co.uk/2019/02/27/drupal_rce_exploits_seen_wild/
SC Magazine: Highly critical Drupal flaw being exploited in the wild
Imperva: Latest Drupal RCE Flaw Used by Cryptocurrency Miners and Other Attackers
Drupal: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003
https://www.drupal.org/sa-core-2019-003
--Cobalt Strike Flaw Exposes IP Addresses of Malicious Command-and-Control Servers
(February 28, 2019)
Cobalt Strike, a legitimate pen testing tool, has also been used by cyber criminals to host their command-and-control servers. A flaw in the tool can be exploited to determine the IP addresses of those servers. The flaw has been fixed in legitimate copies of Cobalt Strike, but as cyber criminals are often working with unregistered copies of software, the flaw could remain unpatched in those copies for some time.
[Editor Comments]
[Williams] This flaw has been an open secret in the community for some time. There are ways to uniquely track many common penetration testing tools, but the information is not widely shared, because releasing the information makes it inherently less valuable. Organizations have to decide whether keeping bad guys off their systems or attempting to help the rest of the community is the priority. On careful examination, most leadership teams decide that the community loses out.
Read more in:
ZDNet: Vulnerability exposes location of thousands of malware C&C servers
https://www.zdnet.com/article/vulnerability-exposes-location-of-thousands-of-malware-c-c-servers/
--Man Pleads Guilty in Booter/Stresser Case
(February 27 & 28, 2019)
A man from Illinois has pleaded guilty to conspiracy to cause damage to Internet-connected computers for his role in a scheme that offered booter and stresser services. Sergiy Usatyuk and a co-conspirator developed, controlled, and operated several of these services, which are used to launch distributed denial-of-service (DDoS) attacks.
Read more in:
KrebsOnSecurity: Booter Boss Interviewed in 2014 Pleads Guilty
https://krebsonsecurity.com/2019/02/booter-boss-interviewed-in-2014-pleads-guilty/
Cyberscoop: 20-year-old pleads guilty to DDoS-for-hire scheme that netted $550,000
https://www.cyberscoop.com/ddos-sergiy-usatyuk-guilty-plea/
Justice: Former Operator of Illegal Booter Services Pleads Guilty to Conspiracy to Commit Computer Damage and Abuse
--What Would It Take to Make a Congressional Office of Technology Assessment Work?
(February 27, 2019)
After the Congressional Office of Technology Assessment (OTA) was shuttered in 1995 due to budget constraints, the burden of conducting research into highly technical and complex issues fell to legislative staff members. Advocates and former legislative staffers were invited by Representative Mark Takano (D-California), who sponsored a recent unsuccessful effort to revive OTA, to discuss what would be necessary to bring the office back and make it effective.
[Editor Comments]
[Pescatore, Neely] The Congressional Research Service, under the Library of Congress, has continued to be funded and has over 600 employees. CRS has not been active enough in technology or cybersecurity, but rather than (re)establishing yet another agency, CRS could be funded to increase staffing in their Resources, Sciences and Industry division to focus more analysis on policy-related technology issues.
Read more in:
Nextgov: Former Staffers: Revive Congress' Office of Technology Assessment Right or Don't Bother
--DoD's Accelerated Cyber Specialist Hiring Program Needs More Staff
(February 26, 2019)
Although the US Department of Defense (DoD) has the authority to fast-track the hiring of cyber specialists through the Cyber Excepted Service program, it lacks sufficient staff to recruit the number of employees DoD needs. DoD deputy principal cyber advisor Marine Corps Brig. Gen. Dennis Crall told members of a House Armed Services subcommittee that the program needs 10 people to recruit and train the cyber specialists. Crall also noted that the security clearance process is slowing down the hiring process.
[Editor Comments]
[Neely] Obtaining a top secret clearance takes about two years, and can be expedited to one. This waiting period makes organizations face the difficult challenge of finding unclassified work for new cyber specialists and effectively integrating them into the team. A clearance is also critical for recruiters and trainers who must understand all aspects of the job.
[Northcutt] I think that after the extended government shutdown it will be several years before the US government has any real success in attracting skilled cyber talent.
Read more in:
FCW: Why the cyber fast track is stalled at DOD
https://fcw.com/articles/2019/02/26/dod-it-oversight-williams.aspx
--Adobe Will Retire Shockwave in April
(February 26, 2019)
Adobe is notifying enterprise customers that it plans to retire Shockwave later this year. Shockwave, which was first released in 1995, will no longer be available for download after April 8, 2019. Adobe is recommending that Shockwave users switch to HTML5, WebAssembly, or WebGL. It has been more than a year-and-a-half since Adobe announced its intent to retire Flash by 2020. Major browsers have already begun phasing out support for Flash.
Read more in:
Bleeping Computer: Adobe Sends Emails About Retirement of Shockwave on April 9th
--TSA Oversees Pipeline Security
(February 26, 2019)
The US Transportation Security Administration (TSA) is responsible for the physical and cyber security of US pipelines. Sonya Proctor, TSA's director of the Surface Division for the Office of Security Policy and Industry Engagement, told members of the House Homeland Security Committee that the five TSA employees who oversee the pipelines have pipeline expertise, but not cybersecurity expertise, and that they work with the Cybersecurity and Infrastructure Security Agency (CISA) for assessments and guidance. A December 2018 report from the Government Accountability Office (GAO) made recommendations to address weaknesses in TSA's Pipeline Security Program Management.
Read more in:
FCW: TSA's pipeline security team has five employees
https://fcw.com/articles/2019/02/26/tsa-pipeline-hearing-johnson.aspx
GAO: Critical Infrastructure Protection: Actions Needed to Address Significant Weaknesses in TSA's Pipeline Security Program Management
https://www.gao.gov/assets/700/696123.pdf
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Thunderbolt "Thunderclap" Vulnerabilities
https://thunderclap.io/thunderclap-paper-ndss2019.pdf
Altering Signed PDF Documents
https://www.pdf-insecurity.org/
NVIDIA Patches
https://nvidia.custhelp.com/app/answers/detail/a_id/4772
Coinhive Shutting Down
https://coinhive.com/blog/en/discontinuation-of-coinhive
Azure Blob Storage Phishing
https://www.edgewave.com/phishing/feeling-blue-about-phishing/
Old 2014 Elasticsearch Vulnerability Exploited
https://blog.talosintelligence.com/2019/02/cisco-talos-honeypot-analysis-reveals.html
Latest Drupal Vulnerability Exploited
F5 Big IP Patches
https://support.f5.com/csp/article/K91026261
Emotet Backend Analysis
https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/
Kaspersky vs. Chromecast
MageCart Updates
https://www.riskiq.com/research/inside-magecart/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create