SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #43
May 31, 2019
EternalBlue Accountability; WordPress Flaw Actively Exploited (Again)
****************************************************************************
SANS NewsBites May 31, 2019 Vol. 21, Num. 043
****************************************************************************
TOP OF THE NEWS
EternalBlue: Accountability and Responsibility
Known WordPress Flaw is Being Actively Exploited
REST OF THE WEEK'S NEWS
Digital Watermarks to Fight "Deepfakes"
GCHQ's Ghost User Proposal Meets with Opposition
Docker Race Condition Vulnerability
Prison Term for Selling Encrypted Phones to Criminals
Gatekeeper Bypass Flaw in macOS X
GitHub Acquires Dependabot to Help with Automated Updates
New Chrome Extension Policies Aim to Improve Security
Correction: Available Fixes for BlueKeep RDP Flaw (CVE-2019-0708)
INTERNET STORM CENTER TECH CORNER
CYBERSECURITY TRAINING UPDATE
-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019
-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019
-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019
-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019
-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019
-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019
-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019
-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019
-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019
-- SANS OnDemand and vLive Training
Get an iPad Mini, ASUS Chromebook Flip, or Take $250 off through June 12 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--EternalBlue: Accountability and Responsibility
(May 30, 2019)
The ransomware that has caused so many problems for the city of Baltimore was powered by EternalBlue, an NSA hacking tool that was stolen and posted to the Internet. Senior NSA cybersecurity advisor Rob Joyce said that the city had ample time to bolster its cyber defenses against what has been a known threat with a patch available for more than two years. Some security experts agree with Joyce, while others say that the NSA's cybertool development needs more oversight. As the Axios article points out, the two positions are not mutually exclusive.
[Editor Comments]
[Henry] (Disclaimer - the conference Joyce spoke at was hosted by my employer.) I think there's truth to both points here. First, the exploit has been well-known for two years, and leaving systems unpatched after the fix was released is a serious violation of cybersecurity 101. Secondly, and perhaps more importantly, there need to be serious discussions about how nations and intelligence services globally define the norms by which network exploitation occurs. The fragility of the infrastructure and the effect on critical municipal and human services will have wide-ranging impact going forward. The deployment of tools which exploit and/or damage that infrastructure needs to be evaluated, government to government, in international forums to define the redlines of acceptability and create clear rules of engagement.
[Murray] This tool has permanently contaminated "cyberspace." It makes the environment in which we must all work more hostile than it needed to be. Because the environment cannot be de-contaminated, we must all patch the vulnerability that it exploits. NSA must take some responsibility for the secure use of its tools, its "methods."
[Neely] Assigning accountability for EternalBlue doesn't offset the need for active cyber hygiene. As learned with Baltimore, Equifax, etc., unmitigated vulnerabilities will be exploited. Also, when tools like EternalBlue are used against our adversaries, they learn from that to develop equivalent capabilities, possibly making containment of that capability untenable.
Read more in:
Nextgov: NSA Deflects Blame for Baltimore Ransomware Attack
https://www.nextgov.com/cybersecurity/2019/05/nsa-deflects-blame-baltimore-ransomware-attack/157376/
Axios: NSA's rogue hacking tool sparks debate
--Known WordPress Flaw is Being Actively Exploited
(May 29, 2019)
Hackers are actively exploiting a known vulnerability in a WordPress plugin to display malicious pop-ups and redirect site visitors to malicious websites. A fix for the cross-site scripting flaw in WP Live Chat Support was released two weeks ago.
[Editor Comments]
[Paller] The most often exploited, dangerous, and damaging packages employed on websites are content management systems, and WordPress (WP) seems to appear most often in discussions of content management systems that are putting your data and users at risk. Using a web site developer who relies on WP and does not have documented, tested controls in place to protect your data and users against the WP flaws is likely to be considered the definition of negligence at some point in the near future.
Read more in:
Ars Technica: Hackers actively exploit WordPress plugin flaw to send visitors to bad sites
*****************************************************************************
REST OF THE WEEK'S NEWS
--Digital Watermarks to Fight "Deepfakes"
(May 28, 2019)
Researchers at New York University's (NYU's) Tandon School of Engineering are developing technology to detect altered photographs known as "deepfakes," which are often used to spread disinformation. The researchers propose an "approach [that] aims to exploit neural imaging processors" to place watermarks in the code of photos; the watermarks could be checked by forensic analysts for indicators of alteration.
[Editor Comments]
[Pescatore, Murray, Neely] Digital signatures and watermarks require an end-to-end infrastructure to make authentication and integrity verification possible without giving a false sense of security. Today, support for such services at the transport level is starting to happen as standards like DMARC and DNSSEC increase penetration, but having reliable and secure watermarking at the device level is not realistic any time soon.
Read more in:
Arxiv: Neural Imaging Pipelines - the Scourge or Hope of Forensics?
https://arxiv.org/pdf/1902.10707.pdf
Wired: To Fight Deepfakes, Researchers Built a Smarter Camera
https://www.wired.com/story/detect-deepfakes-camera-watermark/
--GCHQ's Ghost User Proposal Meets with Opposition
(May 22 & 30, 2019)
In an open letter to Britain's GCHQ, a group of civil society organizations, tech companies and trade associations, and security and policy experts has made clear that they are opposed to the intelligence agency's "ghost user" plan, which would "silently add... a law enforcement participant to a group chat or call." The letter is a response to a proposal published late last year. While the letter supports the overall proposal's principles, it notes that not only would such a plan "undermine the GCHQ principles on user trust and transparency set forth in the" proposal, but it would also pose added security risks.
Read more in:
newamericadotorg: Open Letter to GCHQ
The Register: We ain't afraid of no 'ghost user': Infosec world tells GCHQ to GTFO over privacy-busting proposals
https://www.theregister.co.uk/2019/05/30/tech_hits_back_at_gchq_ghost_user_privacy_buster/
ZDNet: Apple and WhatsApp fight proposal to let spies tap encrypted comms
https://www.zdnet.com/article/apple-and-whatsapp-fight-proposal-to-let-spies-tap-encrypted-comms/
--Docker Race Condition Vulnerability
(May 28, 29, & 30, 2019)
An unpatched race condition in all versions of Docker software could be exploited to gain read-write access to the host file system. The flaw, a time-of-check-to-time-of-use (TOCTOU) condition, is not remotely exploitable.
[Editor Comments]
[Murray] "TOCTOU" (somewhat more descriptive than "race condition") means relying upon a checked but unbound condition (e.g. length or content of a field, address), one which might have been altered after the check but before the reliance or use. It is a vulnerability in multi-user systems that many developers are not trained on or aware of.
Read more in:
Seclists: CVE-2018-15664: docker (all versions) is vulnerable to a symlink-race attack
https://seclists.org/oss-sec/2019/q2/131
The Register: Contain yourself, Docker: Race-condition bug puts host machines at risk... sometimes, ish
https://www.theregister.co.uk/2019/05/29/docker_race_condition/
SC Magazine: Docker race condition flaw could grant attackers root access to host file system
Dark Reading: Docker Vulnerability Opens Servers to Container Code
GovInfoSecurity: Researcher Describes Docker Vulnerability
https://www.govinfosecurity.com/researcher-describes-docker-vulnerability-a-12535
Duo: Docker Bug Allows Root Access to Host File System
https://duo.com/decipher/docker-bug-allows-root-access-to-host-file-system
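The TOCTOU pattern described in this item and in Murray's comment, shown as an added example (not Docker's code and not the CVE-2018-15664 fix): a check-then-open routine whose lstat() check is defeated by a symlink swapped in during the window, beside the open-then-fstat form that closes that window. The file names, contents and the race_hook that stands in for the racing process are constructed for the demonstration.

```python
import errno
import os
import stat
import tempfile


def check_then_open(path, race_hook=None):
    # Vulnerable: the check and the use each resolve the *name* separately,
    # so a rename/symlink landing in the window between them goes unchecked.
    # race_hook stands in for the racing process, to make the window deterministic.
    st = os.lstat(path)                    # check: plain file, not a link?
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if race_hook is not None:
        race_hook()                        # <-- the race window
    return os.open(path, os.O_RDONLY)      # use: follows whatever is there now


def open_then_check(path):
    # Mitigated: open first, then validate the descriptor actually held.
    # O_NOFOLLOW makes the kernel reject a symlink in the final component
    # (ELOOP), and fstat() examines the opened object, not the name again.
    # Symlinked parent directories are still followed; a full fix also resolves
    # relative to a held directory fd (openat, or openat2 with RESOLVE_BENEATH).
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"{path}: not a regular file")
    except Exception:
        os.close(fd)
        raise
    return fd


def demonstrate():
    # Constructed scenario: 'allowed.txt' is what the caller may read;
    # 'secret.txt' plays the file outside the intended scope.
    with tempfile.TemporaryDirectory() as d:
        allowed = os.path.join(d, "allowed.txt")
        secret = os.path.join(d, "secret.txt")
        with open(allowed, "w") as f:
            f.write("harmless")
        with open(secret, "w") as f:
            f.write("host-only data")

        def swap_for_symlink():            # the racing process's move
            os.unlink(allowed)
            os.symlink(secret, allowed)

        fd = check_then_open(allowed, race_hook=swap_for_symlink)
        leaked = os.read(fd, 64).decode()  # reads secret.txt despite the check
        os.close(fd)

        try:
            open_then_check(allowed)       # allowed.txt is now a symlink
            rejected = False
        except OSError as e:
            rejected = e.errno == errno.ELOOP
        return {"vulnerable_read": leaked, "mitigated_rejected": rejected}


if __name__ == "__main__":
    print(demonstrate())
```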
--Prison Term for Selling Encrypted Phones to Criminals
(May 28 & 29, 2019)
Vincent Ramos, the CEO of a company that sold encrypted BlackBerry phones to criminals, has been sentenced to nine years in prison. For more than 10 years, Phantom Secure knowingly sold PGP-encrypted BlackBerrys to criminal groups in the US, Mexico, and Australia. The phones allowed the criminals to encrypt their communications and remotely wipe the devices if they were seized by authorities.
[Editor Comments]
[Pescatore] This is a pretty clear-cut case of a company and CEO purposely targeting and supporting illegal use of their products, not just selling secure products that bad guys happened to use. It doesn't set any precedent that will impact legitimate vendors of secure technology who follow standard "know your customer" norms.
Read more in:
ZDNet: CEO who sold encrypted phones to criminal gangs gets nine years in prison
Justice: Chief Executive of Communications Company Sentenced to Prison for Providing Encryption Services and Devices to Criminal Organizations
--Gatekeeper Bypass Flaw in macOS X
(May 28 & 29, 2019)
A vulnerability in Apple's macOS Gatekeeper feature could be exploited to execute arbitrary code. The Gatekeeper security feature aims to prevent untrusted apps from running; it requires apps to have valid signatures; users can also choose settings to allow only apps from the official app store to run. There is currently no fix available for the vulnerability.
[Editor Comments]
[Neely] Disabling automount, the prime mitigation, should be assessed for impact prior to implementing across the enterprise. Gatekeeper should not be the only threat mitigation on Mac endpoints.
Read more in:
Threatpost: Gatekeeper Bug in MacOS Mojave Allows Malware to Execute
https://threatpost.com/gatekeeper-bug-in-macos-mojave-allows-malware-to-execute/145124/
Duo: Researcher Finds Mac Gatekeeper Bypass
https://duo.com/decipher/researcher-finds-mac-gatekeeper-bypass
SC Magazine: Bypass vulnerability in MacOS X GateKeeper
--GitHub Acquires Dependabot to Help with Automated Updates
(May 23 & 29, 2019)
Within a week of acquiring Dependabot, GitHub has put the tool to work to "monitor... dependencies for known security vulnerabilities and automatically open pull requests to update them to the minimum required version." The feature is currently in beta.
Read more in:
Duo: GitHub Brings Automated Fixes with Dependabot
https://duo.com/decipher/github-brings-automated-fixes-with-dependabot
The Register: GitHub slurps open-source bug zapping automator Dependabot, chucks cash at devs
--New Chrome Extension Policies Aim to Improve Security
(May 30, 2019)
Google has introduced new security policies for Chrome extensions. Extensions will be permitted to access only the data necessary to implement their features. Google is also expanding the requirement for extensions to have privacy policies; previously, only extensions that use personal and sensitive data had to have a posted privacy policy and manage the information securely. Now the requirement also applies to "extensions that handle user-provided content and personal communications." Google has also introduced new security and privacy rules for the Google Drive API and third-party apps.
[Editor Comments]
[Pescatore] I'm going to wait for Google to produce data to see if this has any meaningful difference. Strategies that reduce 98% of the problem often just mean the bad guys focus on the openings that still enable the 2% - which is still a big number when there are 180,000 extensions in use. Plus, posting security policies doesn't improve anything unless Google Play is actively testing to make sure those policies are being enforced.
[Neely] Adding capabilities to keep extensions operating within limits aligns with Google's aims to raise the assurance around browsing with improved controls at the browser. Even so, it's a good idea to keep an eye on deployed extensions, enabling only those that are needed, and uninstalling those no longer used. If possible, limit installation to approved extensions only.
Read more in:
Wired: Google is Finally Making Chrome Extensions More Secure
https://www.wired.com/story/google-chrome-extensions-security-changes/
ZDNet: Google takes a stance against permission-grabbing Chrome extensions
https://www.zdnet.com/article/google-takes-a-stance-against-permission-grabbing-chrome-extensions/
Google: Update on Project Strobe: New policies for Chrome and Drive
https://blog.google/technology/safety-security/update-project-strobe-new-policies-chrome-and-drive/
CNET: Google holds firm on Chrome changes that may break ad blockers
https://www.cnet.com/news/google-holds-firm-on-chrome-changes-that-may-break-ad-blockers/
--Correction: Available Fixes for BlueKeep RDP Flaw (CVE-2019-0708)
(May 31, 2019)
In Tuesday's edition of NewsBites, we indicated that a patch for the BlueKeep Windows Remote Desktop Protocol vulnerability was available for Vista. There is currently no official Microsoft patch for the RDP flaw for Vista; we apologize for the error.
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Office Document And Base64 Encoded PowerShell Script
https://isc.sans.edu/forums/diary/Office+Document+BASE64+PowerShell/24976/
https://0xdf.gitlab.io/2019/05/21/malware-analysis-unnamed-emotet-doc.html
Behavioural Malware Analysis With Microsoft Attack Surface Analyzer
https://isc.sans.edu/forums/diary/Behavioural+Malware+Analysis+with+Microsoft+ASA/24980/
Analyzing Shell Code with scdbg
https://isc.sans.edu/forums/diary/Analyzing+First+Stage+Shellcode/24984/
Enumeration of BlueKeep Vulnerable Hosts
https://blog.erratasec.com/2019/05/almost-one-million-vulnerable-to.html
Exposed Docker Containers Used for Cryptocoin Mining
DHCP Client Vulnerability Analysis
Office File Deleting Phishing Emails
Docker Symlink Race Attack
https://seclists.org/oss-sec/2019/q2/131
Nansh0u Campaign Using Signed Rootkit
https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
GitHub Automating Security Patches
https://help.github.com/en/articles/configuring-automated-security-fixes
Mozilla Objecting to Web Packaging
https://docs.google.com/document/d/1ha00dSGKmjoEh2mRiG8FIA5sJ1KihTuZe-AXX1r8P-8/preview#
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create