SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #31
April 19, 2019US Government Cyber Reskilling Academy Expanded; Oracle Patches 300 Vulnerabilities; Sea Turtle DNS Hijacking Campaign; Texas, California, Virginia, and Maryland Lead the Governors' Collegiate Cyber Talent Discovery Program
****************************************************************************
SANS NewsBites April 19, 2019 Vol. 21, Num. 031
****************************************************************************
TOP OF THE NEWS
US Government Cyber Reskilling Academy Classes Begin; Five Spots Added to Initial Cohort
Oracle Critical Patch Update Addresses Nearly 300 Vulnerabilities
Sea Turtle DNS Hijacking Campaign
Texas, California, Virginia, and Maryland Lead the Governors' Collegiate Cyber Talent Discovery Program
REST OF THE WEEK'S NEWS
Fortinet Agrees to Settle False Claims Act Charges
EU Commission Has No Evidence of Kaspersky Danger
High School Election Hack
Taj Mahal APT Framework Has Broad Range of Capabilities
Wipro Breach
Cisco Patches Include Fix for Critical Router Flaw
Former Student Destroys More than 60 Computers at College
Iranian OilRig Hacker Group Tools Leaked, Identities Exposed
Ransomware Knocked the Weather Channel Off the Air For an Hour
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019
-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019
-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019
-- SANS San Antonio 2019 | May 28-June 2 | https://www.sans.org/event/san-antonio-2019
-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019
-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019
-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS OnDemand and vLive Training
Get an iPad Mini, Surface Go, or Take $300 Off your OnDemand or vLive course. Offer ends May 1.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored By Palo Alto Networks **********************
Webcast April 23rd, 1 PM ET: Palo Alto Networks and SANS expert Matt Bromiley will discuss various automation tools to help keep your multi-cloud environments secure. Register: http://www.sans.org/info/211863
*****************************************************************************
TOP OF THE NEWS
--Cyber Reskilling Academy Classes Begin; Five Spots Added to Initial Cohort
(April 16, 2019)
The first class of the Federal Cyber Reskilling Academy took place on Monday, April 15. The size of the initial cohort was increased from 25 to 30 due to high interest in the program. More than 1,500 federal employees applied. The first group was limited to federal employees who do not currently hold a position in IT.
[Editor Comments]
[Paller] Early indications of extraordinary talent among the Reskilling Academy's never-before-working-in-IT employees is further proof (it was previously validated in the UK) that the Reskilling Academy's Cyber Aptitude Test reliably finds cyber talent in the non-IT workforce. Current estimates are 1% for elite talent and up to 3% for talent equal to current cybersecurity professionals. Those are large numbers. In a federal department with 240,000 employees like DHS, that would be more than 2,000 people with untapped talent, and most do not know they have that ability. In a business with 2,000 employees, it is 20. The training to move the talented people into operational cybersecurity roles takes less than 9 months, and they will work for reasonable salaries. They often have security clearances in enterprises where that is important.
Read more in:
FNN: Demand pushes CIO Council to increase class size of cyber reskilling academy
Nextgov: Class in Session for Federal Cyber Reskilling Academy
https://www.nextgov.com/cybersecurity/2019/04/class-session-federal-cyber-reskilling-academy/156348/
--Oracle Critical Patch Update Addresses Nearly 300 Vulnerabilities
(April 16, 17, & 18, 2019)
Among the 297 security issues fixed in Oracle's most recent quarterly critical patch update is a Java deserialization flaw in the Apache Commons FileUpload library that has been around for three years. The update was released on Wednesday, April 19.
[Editor Comments]
[Neely] With the broad scope of products involved, it will be easy to overlook products in your enterprise. While deploying the Java patch, also sweep for old unsupported, less secure Java installations and remove them.
[Murray] Products and systems with large porous attack surfaces should be hidden from the public networks.
Read more in:
The Register: Oracle splats 300 vulns in MySQL, Database, Fusion, etc, pours fresh brew of Java SE terms
https://www.theregister.co.uk/2019/04/16/oracle_bug_fixes/
ZDNet: Oracle security warning: Customers told to patch ASAP to swat 297 bugs
https://www.zdnet.com/article/oracle-security-warning-customers-told-to-patch-asap-to-swat-297-bugs/
eWeek: Oracle Patches Three Year-Old Java Deserialization Flaw in April Update
Oracle: Critical Patch Update Advisory - April 2019
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
--Sea Turtle DNS Hijacking Campaign
(April 17, 2019)
A report from Cisco's Talos security group says a cyber threat campaign it has dubbed Sea Turtle has targeted 40 organizations through DNS hijacking. In some cases, they were able to compromise country code top level domains. Talos says that Sea Turtle appears to have been targeting "primarily national security organizations in the Middle East and North Africa."
[Editor Comments]
[Pescatore] Great talks on DNS hijacking and other active threats by Ed Skoudis, Johannes Ullrich and Heather Mahalik at the SANS Threat Keynote at the recent RSA conference. SANS has produced a paper summarizing their insights, along with other data, with a webinar available live and recorded at https://www.sans.org/webcasts/top-attacks-threat-report-110540: SANS Top New Attacks and Threat Report
Read more in:
Talos: DNS Hijacking Abuses Trust In Core Internet Service
https://blog.talosintelligence.com/2019/04/seaturtle.html
Wired: Cyberspies Hijacked the Internet Domains of Entire Countries
https://www.wired.com/story/sea-turtle-dns-hijacking/
Ars Technica: The wave of domain hijackings besetting the Internet is worse than we thought
Threatpost: State-Sponsored DNS Hijacking Infiltrates 40 Firms Globally
https://threatpost.com/dns-hijacking-campaign-40-firms-globally/143870/
The Register: Insane in the domain: Sea Turtle hackers pwn DNS orgs to dash web surfers on the rocks of phishing pages
https://www.theregister.co.uk/2019/04/17/sea_turtle_dns/
Cyberscoop: Ongoing state-sponsored DNS hijacking campaign has compromised 40 entities
https://www.cyberscoop.com/ongoing-state-sponsored-dns-hijacking-campaign-compromised-40-entities/
--Texas, California, Virginia, and Maryland Lead the Governors' Collegiate Cyber Talent Discovery Program
(April 19, 2019)
6,600 college students in 1,000 colleges in 27 states are playing CyberStart Assess to compete for $2.5 million in scholarships and advanced SANS training. The state rankings are posted at https://www.governorscyberskillsprogram.org/cft
Collegiate rankings will be made public next week.
Information and sign-up at www.cyber-fasttrack.org
**************************** SPONSORED LINKS ******************************
1) Webcast, April 24th, 1 PM ET: SANS expert Serge Borso to review Ixia's Vision ONE(TM) platform and how it can provide enhanced #security for your organization. http://www.sans.org/info/211868
2) Register to be one of the first to experience MGT516: Managing Security Vulnerabilities: Enterprise and Cloud - a new SANS course developed for CISOs, cybersecurity managers, and aspiring information security leaders. Learn More: http://www.sans.org/info/211873
3) Don't Miss "A Better Way to Answer the Question 'Are We Secure?" Register: http://www.sans.org/info/211878
*****************************************************************************
REST OF THE WEEK'S NEWS
--Fortinet Agrees to Settle False Claims Act Charges
(April 16 & 17, 2019)
Cybersecurity company Fortinet has agreed to pay the US government 400,000 USD and to give the US Marine Corps nearly 150,000 USD worth of equipment to settle charges that the company for violations of the False Claims Act. Fortinet sold Chinese-made equipment to the US government after altering labels on some products to make them appear to be in compliance with the Trade Agreements Act. The fraudulent activity began in January 2009 and continued through fall of 2016. The case was initially brought as a whistleblower lawsuit; the government stepped in and took over the case.
[Editor Comments]
[Neely] Detecting supply chain fraud is difficult. If the whistleblower hadn't reported, it's doubtful this would have been discovered. The tough part is replacing deployed fraudulent equipment expeditiously.
Read more in:
The Register: Cyber-sec biz Fortinet coughs up $545,000 after 'flogging' rebadged Chinese kit to Uncle Sam - but why so low? We may be able to explain
https://www.theregister.co.uk/2019/04/17/doj_fortinet_case/
Cyberscoop: Fortinet settles charges of selling intentionally mislabeled Chinese-made tech to U.S. military
https://www.cyberscoop.com/fortinet-legal-settlement-china-us-military/
Justice: Sunnyvale-Based Network Security Company Agrees To Pay $545,000 To Resolve False Claims Act Allegations
Court Listener: The United States of America, Ex Rel. Yuxin "Jay" Fang, Plaintiffs, V. Fortinet Inc., & Arrow Enterprise Computing Solutions Inc., Defendant. (January 2016)
https://www.courtlistener.com/recap/gov.uscourts.cand.295003/gov.uscourts.cand.295003.1.0.pdf
--EU Commission Has No Evidence of Kaspersky Danger
(April 16 & 17, 2019)
The EU Commission says it has no evidence that it "is not in possession of any evidence regarding potential issues related to the use of Kaspersky Lab products." The statement is in a reply to a series of questions posed by a European Parliament member who wanted to know if the Commission had any evidence that Kaspersky software was dangerous or malicious.
Read more in:
SC Magazine: European Commission: No evidence Kaspersky software is malicious
ZDNet: EU: No evidence of Kaspersky spying despite 'confirmed malicious' classification
EuroParl: Designating programmes and companies as 'dangerous' from the point of view of cyber defence
http://www.europarl.europa.eu/doceo/document/P-8-2019-001206_EN.pdf
EuroParl: Answer given by Ms Gabriel on behalf of the European Commission
http://www.europarl.europa.eu/doceo/document/P-8-2019-001206-ASW_EN.pdf
--High School Election Hack
(April 12 & 16, 2019)
A candidate in a Berkeley (California) High School election was disqualified after he cast hundreds of fraudulent votes for himself in the school's first foray into online elections. The scheme was detected when a school official noticed a peculiar surge in voting just before the end of the election. An investigation revealed that the candidate had access to a list of student names and ID numbers, which he used to break into the students' school-issued email accounts and from there cast the phony votes. The email accounts' default passwords included students' ID numbers.
[Editor Comments]
[Neely] Kudos for detecting the fraudulent voting, and this underscores the risks of using derivable default passwords. It would be preferable to have an account activation and verification process.
Read more in:
SC Magazine: Student hacks online school government election
SF Chronicle: Student council presidential election hacked by candidate
--Taj Mahal APT Framework Has Broad Range of Capabilities
(April 16, 2019)
The Taj Mahal advanced persistent threat (APT) framework comprises 80 modules, including one that can steal specific files from a USB stick when it is plugged into an infected computer. Kaspersky found the operation buried deep inside a network of a diplomatic entity in an unnamed country in Central Asia. The group operated for at least five years undetected. The Taj Mahal code base does not resemble that of any other known cyber espionage group. Taj Mahal is the name of the file that is used to exfiltrate data.
Read more in:
Dark Reading: Decoding a 'New' Elite Cyber Espionage Team
SecureList: Project TajMahal - a sophisticated new APT framework
https://securelist.com/project-tajmahal/90240/
--Wipro Breach
(April 15, 17, & 18, 2019)
Multiple sources have reported a breach at Wipro, one of India's largest IT outsourcing companies. The company's networks were hacked and being used to attack Wipro customers. Wipro has been less than forthcoming about acknowledging the extent of the breach. Wipro's services are used by many US companies.
Read more in:
KrebsOnSecurity: Wipro Intruders Targeted Other Major IT Firms
https://krebsonsecurity.com/2019/04/wipro-intruders-targeted-other-major-it-firms/
KrebsOnSecurity: How Not to Acknowledge a Data Breach
https://krebsonsecurity.com/2019/04/how-not-to-acknowledge-a-data-breach/
KrebsOnSecurity: Experts: Breach at IT Outsourcing Giant Wipro
https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/
--Cisco Patches Include Fix for Critical Router Flaw
(April 18, 2019)
Cisco has released fixes for 29 security issues in a several different products. In a security advisory, the company warns of a critical flaw affecting its ASR 9000 Series Aggregation Services Routers running Cisco IOS XR 64-bit Software. The vulnerability is remotely exploitable and could be used to gain unauthenticated access to vulnerable devices and to cause denial of service conditions. The flaw exists in sysadmin virtual machine. Cisco has fixed the issue in Cisco IOS XR 64-bit Software Release 6.5.3 and 7.0.1.
Read more in:
Threatpost: Cisco Patches Critical Flaw In ASR 9000 Routers
https://threatpost.com/cisco-patch-asr-9000-routers/143895/
ZDNet: Cisco warns over critical router flaw
https://www.zdnet.com/article/cisco-warns-over-critical-router-flaw/
Cisco: Cisco IOS XR 64-Bit Software for Cisco ASR 9000 Series Aggregation Services Routers Network Isolation Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190417-asr9k-exr
SC Magazine: Cisco patches 29 vulnerabilities including one being actively exploited in Sea Turtle campaign
--Former Student Destroys More than 60 Computers at College
(April 16 & 18, 2019)
A former student of the College of St. Rose in Albany, New York used a USB stick to cause irreparable damage to 66 computers on campus. Vishwanath Akuthota bought the "USB Killer" device online. The incident occurred on February 14, 2019; Akuthota was arrested on February 22. Akuthota pleaded guilty to charges of causing damage to computers and has agreed to pay more than 58,000 USD in restitution.
[Editor Comments]
[Neely] This is a case of a determined insider, one of the hardest use cases to mitigate. Unfortunately, there is not an easy fix for exposed USB ports to mitigate this risk. USB-C offers some electrical isolation that reduces this risk, but for older ports, the best bet is a cover or other mechanism to limit unauthorized access to those ports.
Read more in:
Gizmodo: Student Fried $58,000-Worth of College Computers Using 'USB Killer' Device
https://gizmodo.com/student-fried-58-000-worth-of-college-computers-using-1834138506
ZDNet: Former student destroys 59 university computers using USB Killer device
Justice: Former Student Pleads Guilty to Destroying Computers at The College of St. Rose
--Iranian OilRig Hacker Group Tools Leaked, Identities Exposed
(April 17 & 18, 2019)
Someone is exposing hacking data and tools of the OilRig Iranian hacking group. Among the leaked information are IP addresses of servers used by Iranian intelligence and the identities of alleged OilRig members. OilRig, also known as APT34, is believed to be operating on behalf of the Iranian government.
Read more in:
Wired: A Mystery Agent is Doxing Iran's Hackers and Dumping Their Code
https://www.wired.com/story/iran-hackers-oilrig-read-my-lips/
Cyberscoop: How companies - and the hackers themselves - could respond to the OilRig leak
https://www.cyberscoop.com/oilrig-leak-iran-telegram-helix-kitten/
ZDNet: Source code of Iranian cyber-espionage tools leaked on Telegram
https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/
--Ransomware Knocked the Weather Channel Off the Air For an Hour
(April 18, 2019)
The Weather Channel live broadcast was knocked off the air on Thursday, April 18 by a ransomware attack. For an hour and a half on Thursday morning, the channel showed a taped program instead of its normal live weather coverage. In a Twitter post, the Weather Channel wrote that it was "able to restore live programming quickly through backup mechanisms." The FBI is investigating. (Please note that the WSJ story is behind a paywall.)
Read more in:
Engadget: Ransomware interrupted a 'The Weather Channel' morning show
https://www.engadget.com/2019/04/18/the-weather-channel-ransomware/
Threatpost: Weather Channel Knocked Off-Air in Dangerous Precedent
https://threatpost.com/weather-channel-off-air-hack/143936/
The Hill: Weather Channel hit with 'malicious' software attack, briefly knocked off air
WSJ: Computer Attack Knocks Weather Channel Off the Air (paywall)
https://www.wsj.com/articles/weather-channel-knocked-off-air-for-over-an-hour-11555611840
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Malware Delivered As a UDF .img file
https://isc.sans.edu/forums/diary/Malware+Sample+Delivered+Through+UDF+Image/24854/
Oracle April 2019 Critical Patch Update
https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
WiPro Breached Via Phishing Attacks
https://krebsonsecurity.com/2019/04/experts-breach-at-it-outsourcing-giant-wipro/
DNS Hijacking by Sea Turtle
https://blog.talosintelligence.com/2019/04/seaturtle.html
Broadcom Wifi Driver Vulnerabilities
https://www.kb.cert.org/vuls/id/166939/
PoC Exploit for Windows 10 DHCP Client Vulnerability CVE-2019-0726 (Russian)
https://habr.com/ru/company/pt/blog/448378/
IDA and Ghidra Part 2 (Strings And Parameters)
NamPoHyu Virus Infects Samba Servers
Increased Attacks on Confluence (German)
https://twitter.com/DFNCERT/status/1118468599230943233
Facebook Stored Passwords in Plain Text
https://newsroom.fb.com/news/2019/03/keeping-passwords-secure/
Windows 8 Live Tiles Domain Takeover (German)
Iranian State Sponsored Malware and Data Leaked
https://misterch0c.blogspot.com/2019/04/apt34-oilrig-leak.html
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create