SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #24
March 26, 2019Backdoor Delivered In ASUS Update; EU Council Protocol for Responding to Cyberattacks; 4,790 High School Girls Competing in US National Cyber Talent Search
****************************************************************************
SANS NewsBites March 26, 2019 Vol. 21, Num. 024
****************************************************************************
TOP OF THE NEWS
Hackers Hijacked ASUS Live Update Utility to Install Backdoors
EU Council Adopts Protocol for Responding to Major Cyberattacks
4,790 High School Girls Competing, and Discovering Their Talent and Their Love for Cyber Security Careers
REST OF THE WEEK'S NEWS
End of Windows 7 Support is 10 Months Out
DOD Plans Secure Cloud Project for Small Contractors
Apple Updates
US Department of Energy to Fund New Institute Focusing on Cybersecurity in Energy Manufacturing
FEMA Unnecessarily Shared Sensitive Data with Contractor
Why Students Are Not Interested in Government Cyber Jobs
Companies Will Order New Computers After Ransomware Attack
Orange County, NC Ransomware Infection: Isolate, Restore, Repeat
Cities Take Emergency Warning Systems Offline After Tornado Sirens Hacked
Australian Signals Directorate Publishes Vulnerability Disclosure Process
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019
-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019
-- SANS London April 2019 | April 8-13 | https://www.sans.org/event/london-april-2019
-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019
-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019
-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019
-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS OnDemand and vLive Training
Get a GIAC Certification Attempt Included or take $350 Off your OnDemand or vLive course. Offer ends April 3.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
*************************** Sponsored By Splunk ************************************
Since the inception of SIEM technology over a decade ago, SIEM solutions
have become more of an information platform, with enterprise demands for
better security driving much of the SIEM market. Download your
complimentary copy of "7 SIEM Trends to Watch in 2019," and discover
some of the many exciting features on the horizon.
http://www.sans.org/info/211185
*****************************************************************************
TOP OF THE NEWS
--Hackers Hijacked ASUS Live Update Utility to Install Backdoors
(March 25, 2019)
Hackers hijacked the ASUS Live Update Utility to install backdoors on some computers. Although as many as 500,000 machines may have been compromised, the attackers appear to have been interested in just a fraction of those; they appear to have searched for specific MAC addresses of about 600 machines. If they found a MAC address they were looking for, they installed more malware in the machine through the backdoor. ASUS Live Update Utility comes pre-installed on most new ASUS computers. Kaspersky Lab detected the attack in January and notified ASUS. Kaspersky has created a tool that lets users check whether their machine is on the targeted list (see ISCTC below).
[Editor Comments]
[Neely] ASUS has released a diagnostics tool for users, and Kaspersky Lab has a tool to check whether your device has one of the targeted MAC addresses. The concern here is that attackers were able to deliver trojanized updates that were signed with legitimate ASUS certificates and hosted from the ASUS live update servers.
[Murray] It is industry practice to ship poor quality early and patch late. To ease the burden of patching, vendors include or add "update utilities." These update capabilities are often poorly designed, increase the attack surface, and introduce new vulnerabilities. "The solution becomes the problem."
Read more in:
Motherboard: Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers
SecureList: Operation ShadowHammer
https://securelist.com/operation-shadowhammer/89992/
Threatpost: Some ASUS Updates Drop Backdoors on PCs in 'Operation ShadowHammer'
https://threatpost.com/asus-pc-backdoors-shadowhammer/143129/
Wired: Hack Brief: How to Check Your Computer for ASUS Update Malware
https://www.wired.com/story/asus-software-update-hack/
--EU Council Adopts Protocol for Responding to Major Cyberattacks
(March 22, 2019)
The Council of the European Union has adopted an EU Law Enforcement Emergency Response Protocol to help EU member countries better respond to large scale cyberattacks, like NotPetya and WannaCry. The protocol is "a tool to support the EU law enforcement authorities in providing immediate response to major cross-border cyber-attacks through rapid assessment, the secure and timely sharing of critical information and effective coordination of the international aspects of their investigations."
Read more in:
Europol: Law Enforcement Agencies Across the EU Prepare for Major Cross-Border Cyber-Attacks
GovInfoSecurity: EU Seeks Better Coordination to Battle Next Big Cyberattack
https://www.govinfosecurity.com/eu-seeks-better-coordination-to-battle-next-big-cyberattack-a-12228
--4,790 High School Girls Competing, and Discovering Their Talent and Their Love for Cyber Security Careers
(March 26, 2019)
Nearly 5,000 girls are already participating in the first 6 days and there are 17 days to go in the U.S. national cybersecurity talent search. Texas, Connecticut, New Jersey, Nevada, North Carolina Virginia, Maryland, Indiana, Iowa, and Georgia are leading the national women's cyber talent search. Leading smaller states are Delaware, Wyoming, North Dakota, Hawaii, and Vermont. Mountain and Midwest states are showing very high talent levels relative to the coasts. High scoring girls in 130 schools have already earned full licenses to the CyberStart Game for the boys and girls in their schools. 400 college scholarships will be awarded. The college program with $2.5 million in additional scholarships, including for advanced SANS training, begins next Wednesday April 5. Quote from one of the girls in note to the Governor of Delaware: "Thank you for allowing girls in our state to have this exposure that we are not receiving in school. You have motivated me to pursue cybersecurity as a possible career and believe that I actually have a chance to succeed."
Leaderboard: https://www.governorscyberskillsprogram.org/ggcs
High School Program: GirlsGoCyberStart.Org
College Program: Cyber-FastTrack.Org
*****************************************************************************
1) Don't miss "Building a Zero Trust Model in the Cloud with
Microsegmentation" sponsored by Unisys. Learn More:
http://www.sans.org/info/211190
2) How are cyber attackers able to get to the data? And why are so few
organizations able to stop them? More: http://www.sans.org/info/211195
3) SANS wants to hear from you! Take 10 minutes to complete the State of
OT/ICS Cybersecurity Survey and enter for a chance to win a $400 Amazon
gift card. http://www.sans.org/info/211200
*****************************************************************************
REST OF THE WEEK'S NEWS
--End of Windows 7 Support is 10 Months Out
(March 25, 2019)
Starting on April 18, 2019, users running Windows 7 will start seeing pop-ups reminding them that support for the aging operating system will end in mid-January 2020. Reasons users may have for not upgrading to Windows 10 include concern about applications not working and computers that cannot run Windows 10. Users with an enterprise license can arrange continues support for some business Windows 7 installations, and users with embedded Windows 7 may have different lifecycle dates.
[Editor Comments]
[Neely] Upgrading to Windows 10 is a fairly smooth operation provided you're not running embedded systems or applications that will not run in Windows 10 even with compatibility mode. Sometimes application compatibility is resolved by uninstalling before upgrading then performing a clean install on the upgraded system. Having experienced IT support to help you resolve any post-update issue is key, particularly for small businesses with on-demand IT staff.
[Murray] Microsoft is doing a better job of maintaining operating system compatibility across applications. Developers must do their part to maintain application compatibility across operating systems. If one violates the API or exploits special knowledge about what is on the other side of the interface, one reduces the portability of one's product. This may be a big price to pay, too clever by half, for a small improvement in performance or function.
Read more in:
eWeek: Microsoft Issues the Update to Announce the End of Windows 7 Updates
https://www.eweek.com/security/microsoft-issues-the-update-to-announce-the-end-of-windows-7-updates
support.microsoft: Windows 7 support will end on January 14, 2020
https://support.microsoft.com/en-us/help/4057281/windows-7-support-will-end-on-january-14-2020
--DOD Plans Secure Cloud Project for Small Contractors
(March 25, 2019)
The US Defense Department (DOD) plans to build a secure cloud to help its smaller contractors that may not have the means to bring adequate security to their systems on their own. The Defense Industrial Base (DIB) Secure Cloud Managed Services Pilot will store the data the contractors work with so the contractors don't have to store it themselves.
[Editor Comments]
[Honan] This is a clever move to help secure the supply chain. However, as with all centralised storage solutions, I hope the DoD implement tools to prevent copies of the data being downloaded to more insecure devices. No point having data secure in one location if that security is undermined by simply copying the data to an insecure network or device.
Read more in:
FNN: DoD testing secure cloud to help small contractors protect data
https://federalnewsnetwork.com/defense-news/2019/03/dod-will-test-secure-cloud/
--Apple Updates
(March 25, 2019)
Apple has released iOS 12.2, which includes fixes for more than 50 security issues. One of the more serious vulnerabilities is a ReplayKit API flaw that could be exploited by a malicious app to access a device's microphone without the user's permission. There is also a remote code execution flaw in Geo Services, and an iOS kernel vulnerability that could be exploited to corrupt kernel memory or cause a crash. Apple has also released updates for macOS.
[Editor Comments]
[Neely] Apple released multiple updates including iOS 12.2, Mojave 10.14.4, updates for 10.12.6 and 10.13.6, tvOS 12.2, Xcode 10.2, Safari 12.1, iCloud for Windows 7.11, and iTunes 12.9.4 for Windows. In addition to the iOS fixes, Windows updates target privilege escalation flaws, Safari updates focus on arbitrary code execution and macOS updates focus on privilege escalation and inappropriate kernel access. Start testing now for deployment with your next patch cycle. Apple devices with automatic updates will download and apply these updates within seven days. iOS devices must be plugged in and on Wi-Fi for automatic updates.
[Murray] The Apple iOS security strategy continues to be effective. While they continue to identify and fix vulnerabilities and increase the attack surface, we have not experienced the kind of compromises at scale that we have seen in von Neumann Architecture personal computers. Users should prefer iOS systems, prefer apps to browsers, and install only those apps that they really use. As an industry, we should be looking for other alternative architectures and security strategies. While it may be too late to ever replace von Neumann systems, it will never be too late to apply alternative systems to our most sensitive data and hostile environments.
Read more in:
The Register: Huge news from Apple: No, not mags, games or TV - more than 50 security bugs to patch
https://www.theregister.co.uk/2019/03/26/apple_patches_bugs/
Ars Technica: Apple releases iOS 12.2 with support for News+ service, new AirPods [Updated]
Apple: About the security content of iOS 12.2
https://support.apple.com/en-us/HT209599
Apple: About the security content of macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra
https://support.apple.com/en-us/HT209600
--US Department of Energy to Fund New Institute Focusing on Cybersecurity in Energy Manufacturing
(March 26, 2019)
The U.S. Department of Energy is launching a well-funded initiative to identify ways of integrating security into SCADA and other industrial control systems used in the energy industry. Concept papers are due in May, and full proposals are due in August.
[Editor Comments]
[Paller] The program name includes Energy Efficiency which may turn off some cybersecurity people. This is an area that needs innovation
Read more in:
Energy: DOE Announces $70 Million for Cybersecurity Institute for Energy Efficient Manufacturing
EERE Exchange: DE-FOA-0001960: CLEAN ENERGY MANUFACTURING INNOVATION INSTITUTE: CYBERSECURITY IN ENERGY EFFICIENT MANUFACTURING
https://eere-exchange.energy.gov/Default.aspx#FoaIddfdeec54-a32a-4113-bd78-04aa84185034
---FEMA Unnecessarily Shared Sensitive Data with Contractor
(March 22, 23, & 25, 2019)
The US Federal Emergency Management Agency (FEMA) has exposed sensitive, personally identifiable information of 2.3 million people affected by hurricanes Harvey, Irma, and Maria, and the 2017 California wildfires. FEMA shared the data with a contractor; the data included information the contractor did not need and the contractor did not notify FEMA that it was receiving more information than the transfer agreement specified. In addition, the contractor's system was not adequately secured. The leak affects people who signed up with FEMA's Transitional Sheltering Assistance program to receive temporary housing.
Read more in:
Wired: Hack Brief: FEMA Leaked the Data of 2.3 Million Disaster Survivors
https://www.wired.com/story/fema-leaked-the-data-2-million-disaster-survivors/
The Register: Uncle Sam's disaster agency FEMA creates disaster of its own: 2.3 million survivors' personal records spilled
https://www.theregister.co.uk/2019/03/23/fema_data_loss/
ZDNet: FEMA 'unnecessarily' shared data of 2.3 million disaster victims with contractor
Cyberscoop: FEMA exposed personal data on 2.3 million disaster survivors, violated privacy law, IG finds
Threatpost: FEMA Exposes PII for Millions of Hurricane, Wildfire Survivors
https://threatpost.com/fema-exposes-pii-hurricane-wildfire-survivors/143119/
OIG DHS: Management Alert - FEMA Did Not Safeguard Disaster Survivors' Sensitive Personally Identifiable Information (REDACTED)
https://www.oig.dhs.gov/sites/default/files/assets/2019-03/OIG-19-32-Mar19.pdf
--Why Students Are Not Interested in Government Cyber Jobs
(March 22, 2019)
US Cyber Challenge (USCC) chief technologist Doug Logan said that the top reasons participants say they do not want to work for the federal government is that they perceive it to be boring, that they cannot find job descriptions that match their capabilities, and that the application and hiring process is too long and burdensome. Some may be amenable to working for the government if it were easier to move back and forth between the public and private sector.
Read more in:
FCW: What students think of government cyber jobs
https://fcw.com/articles/2019/03/22/what-students-think-of-government-cyber-jobs.aspx
--Companies Will Order New Computers After Ransomware Attack
(March 22, 2019)
Two American chemical companies were recently hit with the same strain of ransomware that affected Norsk Hydro. Hexion and Momentive became infected with the LockerGoga ransomware on March 12, 2019; both companies plan to purchase new computers. In a separate, related story, Norsk says it does not plan to pay the ransom and has begun the process of restoring its systems from backups.
Read more in:
Motherboard: Ransomware Forces Two Chemical Companies to Order 'Hundreds of New Computers'
ZDNet: Norsk Hydro will not pay ransom demand and will restore from backups
https://www.zdnet.com/article/norsk-hydro-will-not-pay-ransom-demand-and-will-restore-from-backups/
--Orange County, NC Ransomware Infection: Isolate, Restore, Repeat
(March 21, 2019)
Orange County, North Carolina has been hit with ransomware three times in the past six years. The most recent incident was detected on Monday, March 18, 2019. It affected systems at libraries, the planning board, and the county sheriff's department. By Wednesday, the IT department had isolated the malware and was restoring the more than 100 affected computers.
[Editor Comments]
[Neely] While the IT staff seems to have a handle on isolation and recovery, the local government agency appears to exhibit the symptoms observed in areas where there is not sufficient budget to implement a robust cyber program, including user awareness training and technical mitigations. While elected officials may face an uphill battle to obtain that funding, affected agencies must relay the urgent need for support to prevent recurrence.
Read more in:
GovInfoSecurity: North Carolina County Suffers Repeat Ransomware Infections
https://www.govinfosecurity.com/north-carolina-county-suffers-repeat-ransomware-infections-a-12217
--Cities Take Emergency Warning Systems Offline After Tornado Sirens Hacked
(March 18, 2019)
After a hacker set off tornado warning sirens in two Texas cities, they took their emergency warning system offline, just a day before the predicted onset of severe weather. The hacker made sirens go off a total of 30 times between 2:30 and 4:00 am in DeSoto and Lancaster, Texas.
[Editor Comments]
[Neely] While not connected to the April 2017 hack of the Dallas tornado sirens, which was initiated by sending forged activation messages over the air, Dallas added encryption to the radio signals for their sirens. However, these sirens do not include that protection. Other sites using the ATI warning systems will need to retrofit their sirens to mitigate this threat vector.
Read more in:
ZDNet: Hacked tornado sirens taken offline in two Texas cities ahead of major storm
--Australian Signals Directorate Publishes Vulnerability Disclosure Process
(March 18, 2019)
Following the lead of the US's NSA and the UK's GCHQ, the Australian Signals Directorate (ASD) published its vulnerabilities disclosure process. In its statement of principles, ASD writes that its "starting position is simple: when we find a weakness, we disclose it." It goes on to say that "Occasionally, however, a security weakness will present a novel opportunity to obtain foreign intelligence that will help protect Australians. In these circumstances, the national interest might be better served by not disclosing the vulnerability."
Read more in:
ASD: Responsible Release Principles for Cyber Security Vulnerabilities
https://www.asd.gov.au/publications/Responsible-Release-Principles-for-Cyber-Security-
Vulnerabilities.pdf
SecurityWeek: Australia's Intelligence Agency Publishes its Vulnerability Disclosure Process
INTERNET STORM CENTER TECH CORNER
Reversing Malware Written In Golang
https://isc.sans.edu/forums/diary/Introduction+to+analysing+Go+binaries/24770/
More "VelvetSweatshop" Maldocs
https://isc.sans.edu/forums/diary/VelvetSweatshop+Maldocs/24772/
Reading QR Codes in Python
https://isc.sans.edu/forums/diary/Decoding+QR+Codes+with+Python/24774/
Java Card Vulnerabilities
https://seclists.org/fulldisclosure/2019/Mar/35
Telegram Unsend Feature
https://techcrunch.com/2019/03/25/going-going-gone/
F5 Big IP Updates
https://support.f5.com/csp/article/K14812883
Norwegian Nokia Phones Sent Data to China (Article in Norwegian)
https://nrkbeta.no/2019/03/21/norske-telefoner-sendte-personopplysninger-til-kina/
Pwn2Own Contest: Firefox, Safari, Edge and others fall
https://www.zdnet.com/article/tesla-car-hacked-at-pwn2own-contest/
ASUS Live Update "ShadowHammer" Backdoor
https://www.kaspersky.com/blog/shadow-hammer-teaser
https://shadowhammer.kaspersky.com/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
