SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #39
May 17, 2019
Microsoft Issues Extraordinary Patch - Including for XP; Executive Order for Banning Technologies; Lessons from Colorado's Ransomware Attack
****************************************************************************
SANS NewsBites May 17, 2019 Vol. 21, Num. 039
****************************************************************************
TOP OF THE NEWS
Microsoft Patch Tuesday Includes Fixes for XP and Other Unsupported Systems
Executive Order Gives Commerce Secretary Authority to Ban Use of Certain Technologies
Lessons from Colorado's DOT Ransomware Attack
REST OF THE WEEK'S NEWS
Google Will Replace Misconfigured Bluetooth Low Energy Titan Security Keys
New Class of Flaws Affects Intel Chips
Microsoft Patch Tuesday
International Effort Takes Down Cybercrime Group
San Francisco Bans Facial Recognition
Adobe Releases Critical Updates for Flash, Reader, Acrobat and Media Encoder
Fighting Back Against IP Address Scams
Some Ransomware Recovery Companies Have Been Paying the Ransom
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019
-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019
-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019
-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019
-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019
-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019
-- SANS OnDemand and vLive Training
Get a Free GIAC Certification Attempt or Take $350 Off your OnDemand or vLive course. Offer ends May 29.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
**************************** Sponsored By Ixia *****************************
ICYMI: "Increasing Visibility with Ixia's Vision ONE" - Visibility into network structures and endpoints is vital to security and intelligence operations. Ixia's Vision ONE is a device that enables organizations to gain visibility into threats and manage security operations within a single platform. Register: http://www.sans.org/info/212820
*****************************************************************************
TOP OF THE NEWS
--Microsoft Patch Tuesday Includes Fixes for XP and Other Unsupported Systems
(May 14, 15, & 16, 2019)
Among the many fixes in Microsoft's Patch Tuesday for May are patches for a critical Remote Desktop Services vulnerability (CVE-2019-0708) in Windows XP and other systems that Microsoft no longer actively supports. The last time Microsoft released a fix for XP was two years ago, when WannaCry was spreading. Microsoft says this vulnerability poses a comparably serious threat: it is wormable, requires neither authentication nor user interaction, and can be exploited by connecting to a vulnerable system's RDP service over the Internet. Fixes are also available for Windows Server 2003, Windows 7, and Windows Server 2008. Windows 8 and Windows 10 are not affected. An estimated 3.57 percent of Windows machines still run Windows XP, which translates to tens of millions of machines, some of them in hospitals and industrial plants.
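The first triage question for this flaw is which RDP endpoints an unauthenticated client can actually talk to. The script below is an added example, not code from the newsletter or from Microsoft: it sends the X.224 Connection Request that opens every RDP session (MS-RDPBCGR section 2.2.1.1), asking for standard RDP security only, and decodes the server's Connection Confirm. A server that selects PROTOCOL_RDP, demands only TLS, or sends no negotiation response at all lets an anonymous client continue into the pre-authentication connection sequence, which is the exposure this bulletin is about; a server that answers HYBRID_REQUIRED_BY_SERVER insists on CredSSP (Network Level Authentication) first, which Microsoft's advisory describes as a partial mitigation, not a substitute for the patch. The three sample server replies, the cookie user name `probe`, and the `assess()` wording are constructed for the example.

```python
"""Classify RDP endpoints by whether a session can proceed without NLA.

Added example (not from the newsletter or Microsoft).  SAMPLE_* replies are
constructed from the MS-RDPBCGR wire format, not captured from real servers.
"""
import socket
import struct

PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID = 0x0, 0x1, 0x2
TYPE_RDP_NEG_REQ, TYPE_RDP_NEG_RSP, TYPE_RDP_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER", 2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER", 4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER", 6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols=PROTOCOL_RDP):
    """TPKT + X.224 Connection Request carrying an RDP_NEG_REQ."""
    cookie = b"Cookie: mstshash=probe\r\n"  # routing cookie; the user name is arbitrary
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR TPDU: code 0xE0, DST-REF, SRC-REF, class 0, then cookie and negotiation request
    body = struct.pack(">BHHB", 0xE0, 0, 0, 0) + cookie + neg_req
    x224 = bytes([len(body)]) + body  # LI counts every byte that follows it
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224  # TPKT: version 3, reserved, length


def parse_connection_confirm(data):
    """Decode the server's X.224 Connection Confirm and its optional RDP_NEG_RSP / RDP_NEG_FAILURE."""
    if len(data) < 11 or data[0] != 3 or struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("not a complete TPKT frame")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    payload = data[11:5 + li]  # bytes after the 6-byte CC header
    if not payload:
        # Servers predating protocol negotiation send no RDP_NEG_RSP: standard RDP security only
        return {"kind": "legacy", "selected_protocol": PROTOCOL_RDP, "failure": None}
    ntype, _flags, nlen, value = struct.unpack("<BBHI", payload[:8])
    if nlen != 8:
        raise ValueError("bad negotiation structure length")
    if ntype == TYPE_RDP_NEG_RSP:
        return {"kind": "neg_rsp", "selected_protocol": value, "failure": None}
    if ntype == TYPE_RDP_NEG_FAILURE:
        return {"kind": "neg_failure", "selected_protocol": None,
                "failure": FAILURE_CODES.get(value, f"UNKNOWN_{value}")}
    raise ValueError(f"unexpected negotiation type {ntype:#x}")


def assess(confirm):
    """Return (reachable_without_nla, explanation) for a decoded Connection Confirm."""
    if confirm["kind"] in ("legacy", "neg_rsp"):
        if confirm["selected_protocol"] in (PROTOCOL_RDP, PROTOCOL_SSL):
            return True, "session proceeds without NLA; pre-auth RDP code path reachable - patch first"
        return False, "server selected CredSSP (NLA); patch, but lower exposure"
    if confirm["failure"] == "HYBRID_REQUIRED_BY_SERVER":
        return False, "NLA (CredSSP) required before session setup; patch, but lower exposure"
    if confirm["failure"] == "SSL_REQUIRED_BY_SERVER":
        return True, "TLS required but no NLA; pre-auth path reachable over TLS - patch first"
    return None, f"inconclusive: {confirm}"


def probe(host, port=3389, timeout=5.0):
    """Live check of one endpoint: send the request, read one TPKT frame, assess it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request())
        data = s.recv(4)
        if len(data) < 4:
            raise ValueError("no reply")
        total = struct.unpack(">H", data[2:4])[0]
        while len(data) < total:
            chunk = s.recv(total - len(data))
            if not chunk:
                break
            data += chunk
    return assess(parse_connection_confirm(data))


# Constructed server replies (not captures) covering the three outcomes assess() handles
SAMPLE_ACCEPTS_STANDARD_RDP = bytes.fromhex("030000130ed000001234000200080000000000")
SAMPLE_NLA_REQUIRED = bytes.fromhex("030000130ed000001234000300080005000000")
SAMPLE_LEGACY_NO_NEG = bytes.fromhex("0300000b06d00000123400")

if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe(host))
```

Run it as `python rdp_nla_check.py host1 host2 ...` against your own Internet-facing address ranges; anything reported as reachable without NLA goes to the top of the patch queue, and hosts that refuse the connection outright still need the patch if RDP is reachable from any internal segment.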
[Editor Comment]
[Neely] Per the Microsoft bulletin, there is no mitigation or workaround for this vulnerability. Even so, consider systems that offer RDP services directly to the Internet as the exploit can be triggered by anonymously sending a specially-crafted packet to the system.
[Honan] If Microsoft are taking the threat relating to this vulnerability seriously enough to issue a patch for Windows XP, then that should be the warning you need to treat this seriously and apply those patches.
Read more in:
Technet: Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)
Wired: Microsoft's First Windows XP Patch in Years is a Very Bad Sign
https://www.wired.com/story/microsoft-windows-xp-patch-very-bad-sign/
BBC: Global virus fear prompts update for old Windows
https://www.bbc.com/news/technology-48295227
Dark Reading: Microsoft Patches Wormable Vuln in Windows 7, 2003, XP, Server 2008
Ars Technica: Microsoft warns wormable Windows bug could lead to another WannaCry
The Register: Microsoft emits free remote-desktop security patches for WinXP to Server 2008 to avoid another WannaCry
https://www.theregister.co.uk/2019/05/15/may_patch_tuesday/
--Executive Order Gives Commerce Secretary Authority to Ban Use of Certain Technologies
(May 16, 2019)
The White House has used an executive order to declare a national emergency that grants the Secretary of Commerce the authority to prohibit American companies from purchasing certain companies' communications technologies. The order also gives the Commerce Secretary the authority to establish an enforcement framework.
Read more in:
SC Magazine: Trump national emergency on info security allows ban on Huawei
ZDNet: Trump signs executive order banning US telcos from buying or using foreign gear
Cyberscoop: White House executive order sets path for ban on Huawei
https://www.cyberscoop.com/white-house-executive-order-huawei-telecom-technology/
MeriTalk: White House EO Creates Fed Authority To Ban Foreign Communications Gear
White House: Executive Order on Securing the Information and Communications Technology and Services Supply Chain
--Lessons from Colorado's DOT Ransomware Attack
(May 15, 2019)
Ten days after Colorado's Department of Transportation was hit with SamSam ransomware in February 2018, the governor declared the incident a disaster, allowing the state to bring in help from the National Guard and from other states and to create a unified command structure to help establish recovery priorities. It was the first time a cyberattack had been declared a disaster.
[Editor Comments]
[Neely] This highlights a need for updating disaster plans as well as an effective path to obtaining needed resources, paving the way for other states to better respond to future incidents.
Read more in:
Statescoop: What Colorado learned from treating a cyberattack like a disaster
https://statescoop.com/what-colorado-learned-from-treating-a-cyberattack-like-a-disaster/
**************************** SPONSORED LINKS ******************************
1) ICYMI: "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" get it here: http://www.sans.org/info/212830
2) Attend the inaugural SANS Enterprise Defense Summit in Redondo Beach, CA - June 3-4
http://www.sans.org/info/212835
3) How is your organization responding to the threats that matter? Take this SANS survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/212840
*****************************************************************************
REST OF THE WEEK'S NEWS
--Google Will Replace Misconfigured Bluetooth Low Energy Titan Security Keys
(May 15, 2019)
A misconfiguration in the Bluetooth pairing protocols of the Bluetooth Low Energy version of Google's Titan Security Key could allow an attacker within about 30 feet to communicate with the key, or with the device to which the key is paired, while the key is being paired or used to sign in. Google will replace affected keys at no cost.
Read more in:
Google Security Blog: Advisory: Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys
https://security.googleblog.com/2019/05/titan-keys-update.html
Wired: Google Will Replace Titan Security Key Over a Bluetooth Flaw
https://www.wired.com/story/google-titan-security-key-recall-ble/
The Register: Titan-ic disaster: Bluetooth blunder sinks Google's 2FA keys, free replacements offered
https://www.theregister.co.uk/2019/05/15/google_titan_bluetooth_key_security_flaw/
ZDNet: Google to replace faulty Titan security keys
https://www.zdnet.com/article/google-to-replace-faulty-titan-security-keys/
Ars Technica: Google warns Bluetooth Titan security keys can be hijacked by nearby hackers
Threatpost: Google Titan Security Key Recalled After Bluetooth Pairing Bug
https://threatpost.com/google-titan-security-key-recalled/144786/
--New Class of Flaws Affects Intel Chips
(May 14 & 15, 2019)
Intel has disclosed a new class of speculative execution side-channel attacks affecting its processors. The attacks differ from Meltdown, Spectre, and their variants in that they sample data in flight through the CPU's internal buffers (store buffers, fill buffers, and load ports) rather than reading memory the attacker targets by address. Intel calls the flaws Microarchitectural Data Sampling, or MDS. The flaws have been addressed in hardware in more recently released Intel products, and Intel has released microcode updates for earlier ones; hypervisor and operating system updates are needed as well.
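Because the MDS fix is split between CPU microcode and the operating system, "we applied the OS patch" is not the same as "we are mitigated". The script below is an added example, not code from the newsletter, Intel, or the Linux kernel project: the Linux kernel reports MDS status as one line of text in /sys/devices/system/cpu/vulnerabilities/mds (Documentation/admin-guide/hw-vuln/mds.rst), and the wording distinguishes three things a fleet check needs to separate: whether the kernel has the mitigation, whether the microcode actually supplies the MD_CLEAR capability it relies on, and whether SMT leaves sibling hyperthreads exposed. The SAMPLE_REPORTS strings are constructed in the kernel's documented format, not output from a real machine; the `action` text is the example's own. (On Windows the equivalent check is the SpeculationControl PowerShell module's Get-SpeculationControlSettings.)

```python
"""Interpret the Linux kernel's MDS mitigation report for fleet checks.

Added example (not from the newsletter, Intel or the kernel).  SAMPLE_REPORTS
are constructed strings following the kernel's documented wording.
"""
from pathlib import Path

SYSFS_MDS = Path("/sys/devices/system/cpu/vulnerabilities/mds")

SAMPLE_REPORTS = {  # constructed, in the documented format
    "os-patched-old-microcode": "Vulnerable: Clear CPU buffers attempted, no microcode",
    "mitigated-smt-on": "Mitigation: Clear CPU buffers; SMT vulnerable",
    "mitigated-smt-off": "Mitigation: Clear CPU buffers; SMT disabled",
    "guest-unknown-host": "Mitigation: Clear CPU buffers; SMT Host state unknown",
    "unpatched": "Vulnerable",
    "not-affected": "Not affected",
}


def parse_mds_status(report):
    """Split the one-line status into the facts an operator acts on."""
    main, _, smt = (part.strip() for part in report.strip().partition(";"))
    affected = main != "Not affected"
    kernel_mitigation = main.startswith("Mitigation:")
    microcode_missing = "no microcode" in main  # OS patch present, CPU lacks MD_CLEAR
    smt_exposed = smt == "SMT vulnerable"  # sibling thread can still sample buffers
    smt_unknown = smt == "SMT Host state unknown"  # guest cannot see the host's SMT state
    fully_mitigated = (not affected) or (kernel_mitigation and not smt_exposed and not smt_unknown)

    if not affected:
        action = "none: CPU not affected"
    elif microcode_missing:
        action = "install the CPU microcode/firmware update and reboot; the OS patch alone does nothing"
    elif not kernel_mitigation:
        action = "update the kernel or enable the mds= mitigation"
    elif smt_exposed:
        action = "mitigation active but SMT leaves sibling threads exposed; boot with mds=full,nosmt or accept the risk"
    elif smt_unknown:
        action = "guest cannot see host SMT state; confirm the hypervisor's microcode and SMT policy"
    else:
        action = "fully mitigated"

    return {"affected": affected, "kernel_mitigation": kernel_mitigation,
            "microcode_missing": microcode_missing, "smt_exposed": smt_exposed,
            "fully_mitigated": fully_mitigated, "action": action}


def local_status():
    """Read the live report on this host, or None if the kernel does not expose it."""
    if not SYSFS_MDS.exists():
        return None
    return parse_mds_status(SYSFS_MDS.read_text())


if __name__ == "__main__":
    for name, report in SAMPLE_REPORTS.items():
        print(f"{name:26} {report!r:58} -> {parse_mds_status(report)['action']}")
    live = local_status()
    print("this host:", live["action"] if live else "mds status not exposed by this kernel")
```

The "attempted, no microcode" case is the one that bites after a patch cycle: the kernel update landed, but without the firmware update the VERW-based buffer clearing has nothing to act on, so the host is still exposed.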
[Editor Comments]
[Neely] As researchers assess other ways speculative execution can be abused, expect more MDS family types of flaws. These are currently low risk due to the degree of difficulty to exploit. Beware of attention-getting names, and accompanying icons, like ZombieLoad, that shift focus from the true risk to the headlines.
Read more in:
Wired: Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs
https://www.wired.com/story/intel-mds-attack-speculative-execution-buffer/
Ars Technica: New speculative execution bug leaks data from Intel chips' internal buffers
Dark Reading: New Intel Vulnerabilities Bring Fresh CPU Attack Dangers
Cyberscoop: After Meltdown and Spectre, meet a new set of Intel chip flaws
https://www.cyberscoop.com/intel-chip-flaws-zombieland-ridl-fallout/
Threatpost: Intel CPUs Impacted By New Class of Spectre-Like Attacks
https://threatpost.com/intel-cpus-impacted-by-new-class-of-spectre-like-attacks/144728/
Bleeping Computer: New RIDL and Fallout Attacks Impact All Modern Intel CPUs
--Microsoft Patch Tuesday
(May 14 & 15, 2019)
Microsoft's monthly security update for May includes fixes for nearly 80 vulnerabilities, 19 of which are rated critical. One of the flaws, a privilege elevation issue in the Windows Error Reporting service, is already being exploited in the wild. Microsoft has also released an advisory explaining its mitigation plan for the MDS attack issues that Intel disclosed earlier this week.
[Editor Comments]
[Neely] The mitigations for MDS attacks will require both firmware and OS changes. The firmware updates are not available yet. When released, test for system impact before rolling across the enterprise.
Read more in:
MSRC: Release Notes: May 2019 Security Updates
KrebsOnSecurity: Microsoft Patches 'Wormable' Flaw in Windows XP, 7 and Windows 2003
SC Magazine: Microsoft's May Patch Tuesday covers ZombieLoad, WER vulnerabilities
ZDNet: Microsoft May 2019 Patch Tuesday arrives with fix for Windows zero-day, MDS attacks
--International Effort Takes Down Cybercrime Group
(May 16, 2019)
Law enforcement authorities in Bulgaria, Germany, Georgia, Moldova, Ukraine, and the US, along with Europol, worked together to take down a cybercrime group that reportedly attempted to steal US $100 million from businesses and financial institutions. Five members of the group have been arrested; another five remain at large. A US federal grand jury returned a criminal indictment charging 10 individuals with various offenses. A Europol statement says that the operation "exemplified the concept of 'cybercrime as a service.'"
[Editor Comments]
[Honan] This is a good example of how criminals cooperate across borders. On the flip side, it is great to see that effective international cooperation works for those on the side of good, as well.
Read more in:
ZDNet: Cybercrime group that used malware to steal $100 million from online banking accounts shut down
Wired: Global Takedown Shows the Anatomy of a Modern Cybercriminal Supply Chain
https://www.wired.com/story/goznym-takedown-cybercrime-supply-chain/
Threatpost: Cybercrime Gang Behind GozNym Banking Malware Dismantled
https://threatpost.com/cybercrime-gang-behind-goznym-banking-malware-dismantled/144795/
Europol: GozNym Malware: Cybercriminal Network Dismantled in International Operation
--San Francisco Bans Facial Recognition
(May 14 & 15, 2019)
San Francisco's Board of Supervisors has approved an ordinance that prohibits law enforcement and other city agencies from using facial recognition technology on city residents. The ordinance notes that "the propensity for facial recognition technology to endanger civil rights and civil liberties substantially outweighs its purported benefits." The ordinance also requires that city agencies disclose what kinds of surveillance technology they are using.
Read more in:
CNET: San Francisco becomes first city to bar police from using facial recognition
ZDNet: San Francisco bans police from using facial recognition tech on residents
https://www.zdnet.com/article/san-francisco-bans-facial-recognition-tech-being-used-on-residents/
MeriTalk: San Francisco Bars Police, Agencies from Using Facial Recognition Tech
SF Gov: Administrative Code - Acquisition of Surveillance Technology
https://sfgov.legistar.com/View.ashx?M=F&ID=7012636&GUID=7864F4B2-4121-4379-B6AD-8F406C2F6547
--Adobe Releases Critical Updates for Flash, Reader, Acrobat and Media Encoder
(May 15, 2019)
On Tuesday, May 14, Adobe released updates to address critical security issues in Flash, Reader, Acrobat, and Adobe Media Encoder. In all, Adobe issued fixes for 87 vulnerabilities; 84 of them affect Adobe Reader and Acrobat.
Read more in:
ZDNet: Adobe security update released for critical Flash, Acrobat, Reader bugs
Threatpost: Adobe Addresses Critical Adobe Flash Player, Acrobat Reader Flaws
https://threatpost.com/adobe-flash-acrobat-reader-flaws/144716/
Adobe: Security bulletin for Adobe Acrobat and Reader | APSB19-18
https://helpx.adobe.com/security/products/acrobat/apsb19-18.html
Adobe: Security Bulletin for Adobe Flash Player | APSB19-26
https://helpx.adobe.com/security/products/flash-player/apsb19-26.html
Adobe: Security Updates Available for Adobe Media Encoder | APSB19-29
https://helpx.adobe.com/security/products/media-encoder/apsb19-29.html
--Fighting Back Against IP Address Scams
(May 15, 2019)
The American Registry for Internet Numbers (ARIN) revoked more than 750,000 IPv4 addresses that had been fraudulently obtained and, in many cases, resold to spammers. The individual and business identified as having fraudulently obtained and resold the addresses have been charged in federal court with twenty counts of wire fraud, and an arbitrator has ordered them to pay ARIN US $350,000 toward its legal fees.
Read more in:
KrebsOnSecurity: A Tough Week for IP Address Scammers
https://krebsonsecurity.com/2019/05/a-tough-week-for-ip-address-scammers/
Bleeping Computer: Over 757K Fraudulently Obtained IPv4 Addresses Revoked by ARIN
ARIN: Interim Award of Arbitrator (PDF)
https://www.arin.net/vault/about_us/corp_docs/20190506_arbitration_award_and_order.pdf
Justice: Charleston Man and Business Indicted in Federal Court in Over $9M Fraud
https://www.justice.gov/usao-sc/pr/charleston-man-and-business-indicted-federal-court-over-9m-fraud
--Some Ransomware Recovery Companies Have Been Paying the Ransom
(May 15, 2019)
At least two companies that advertise data recovery services for ransomware victims have actually been paying the ransom. The companies often charge their clients high fees in excess of the cost of the ransom. While there are companies that openly pay ransom - often they help victims who are unfamiliar with dealing in cryptocurrency - it is not clear that other companies were forthright with their clients about their methods.
Read more in:
Pro Publica: The Trade Secret: Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers
https://features.propublica.org/ransomware/ransomware-attack-data-recovery-firms-paying-hackers/
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+May+2019+Patch+Tuesday/24934/
The Risk of Authenticated Vulnerability Scans
https://isc.sans.edu/forums/diary/The+Risk+of+Authenticated+Vulnerability+Scans/24942/
New Intel CPU Vulnerabilities
Apple Updates
https://support.apple.com/en-us/HT201222
Forbes Website Infected by Magecart
https://twitter.com/bad_packets/status/1128517905765683201
Malware Randomizes TLS Ciphers
https://blogs.akamai.com/sitr/2019/05/bots-tampering-with-tls-to-avoid-detection.html
Google Recalls Titan Security Keys
https://security.googleblog.com/2019/05/titan-keys-update.html
Samba Update
https://www.samba.org/samba/security/CVE-2018-16860.html
SAP Patches
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032
ARIN Revokes about 735,000 IP Addresses
https://www.arin.net/vault/about_us/media/releases/20190513.html
Instrument Landing Systems Spoofing (PDF)
https://aanjhan.com/assets/ils_usenix2019.pdf
More Cisco Patches (Prime Infrastructure, EPN Manager)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce
Broken Trustseal
https://twitter.com/gwillem/status/1127890329175244800
https://twitter.com/bestoftheweb/status/1128036593208524800
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create