
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #44

June 4, 2019

Patch BlueKeep Now!; Google's Confidential Mode by Default; Marine Corps Commandant Highlights Existential Cybersecurity Challenge




****************************************************************************

SANS NewsBites                 June 4, 2019                Vol. 21, Num. 044

****************************************************************************


TOP OF THE NEWS


  Microsoft: Patch Windows BlueKeep Flaw Now!

  Google's G-Suite Confidential Mode Will Soon Be Enabled by Default

  Marine Corps Commandant Highlights Existential Cybersecurity Challenge


REST OF THE WEEK'S NEWS       

 

  App Advertisement SDK Forces Apps to Open Scam Banner Ads

  Baltimore Cyber Assessment Notes Security Concerns Years before Ransomware Attack

  Eurofins Systems Infected with Ransomware

  IEEE Lifts Ban on Huawei Participation in Peer-Review Process

  Quest Diagnostics Discloses Data Breach

  Google Cloud Outage Resolved

  Loon Balloons Bring Internet to Peru 48 Hours After Earthquake


INTERNET STORM CENTER TECH CORNER

 

*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019


-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019


-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019


-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019


-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019


-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019


-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019


-- SANS OnDemand and vLive Training

Get an iPad Mini, ASUS Chromebook Flip, or Take $250 off through June 12 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*********************** Sponsored By Splunk ********************************


One Phish, Two Phish, Three Phish, Fraud Phish.  In this Seuss-inspired children's book, readers are taken on a colorful journey, discovering the many surprising ways fraud touches our everyday lives, including credit card scams, payroll fraud, financial aid swindles, healthcare deception, and wire transfer fraud, as well as phishing attacks, account takeovers, and more.  http://www.sans.org/info/213055


*****************************************************************************

TOP OF THE NEWS  

 

--Microsoft: Patch Windows BlueKeep Flaw Now!

(May 31 & June 3, 2019)

The Microsoft Security Response Center is strongly urging users affected by the Windows BlueKeep (CVE-2019-0708) bug to patch the flaw as soon as possible. The flaw, which lies in the Windows Remote Desktop Protocol (RDP), can be exploited without user interaction and could be used to spread self-replicating malware. More than 900,000 machines are not yet patched.  


[Editor Comments]


[Williams] This is a "patch now" vulnerability! I personally know of multiple individuals with reliable, weaponized exploits for the vuln. The real number of unpatched machines likely remains in the tens of millions, but the 900,000 number reflected in media reporting is just what is publicly accessible from the Internet. So far there hasn't been much attention paid to the restraint shown by researchers in this matter, but it's been significant. There would ordinarily be a rush to publish once you've developed a working exploit, but I don't know of anyone who has done so. This restraint won't stop an eventual worm from emerging when bad actors get code working, but every extra patching day before one emerges is significant.


Read more in:

Technet: A Reminder to Update Your Systems to Prevent a Worm

https://blogs.technet.microsoft.com/msrc/2019/05/30/a-reminder-to-update-your-systems-to-prevent-a-worm/

Wired: With a Worm Looming, The Bluekeep Bug Isn't Getting Patched Fast Enough

https://www.wired.com/story/microsoft-bluekeep-patched-too-slow/

ZDNet: Microsoft issues second warning about patching BlueKeep as PoC code goes public

https://www.zdnet.com/article/microsoft-issues-second-warning-about-patching-bluekeep-as-poc-code-goes-public/

Ars Technica: Microsoft practically begs Windows users to fix wormable BlueKeep flaw

https://arstechnica.com/information-technology/2019/05/microsoft-says-its-confident-an-exploit-exists-for-wormable-bluekeep-flaw/

Dark Reading: Microsoft Urges Businesses to Patch 'BlueKeep' Flaw

https://www.darkreading.com/threat-intelligence/microsoft-urges-businesses-to-patch-bluekeep-flaw/d/d-id/1334862

 
 

--Google's G-Suite Confidential Mode Will Soon Be Enabled by Default

(May 29 & 31, 2019)

Starting later this month, Google will enable confidential mode by default in G Suite. The feature prevents recipients from forwarding, copying, or printing messages, and allows senders to set an expiration date for their messages. Confidential mode has been available in beta for several months. Admins will be able to disable the feature if they choose to.


[Editor Comments]


[Pescatore] Microsoft built Information Rights Management into the Office Suite years ago with similar functionality, but it was Active Directory-centric, required lots of different licenses, and it got near zero adoption. Google's approach is a lot less complex; it would be great to see Google focus on privacy as a way to gain market share against Microsoft Office.


[Williams] Is this a substitute for DLP? While confidential mode is an excellent tool for limiting the unintentional release of sensitive data beyond the intended recipient, it's certainly not foolproof and is trivial to bypass (like all DLP). As to the question of "does this replace DLP?," the answer seems to be no. DLP performs many functions, including logging and mapping the flow of sensitive data in and out of a network that confidential mode simply does not.


[Neely] Transparent or frictionless security measures like this, enabled by default, work because they require no added steps or configuration, but they remain in place only if they don't get in the way - otherwise users disable the capability.


Read more in:

Duo: Google Turning On Confidential Mode by Default in G Suite

https://duo.com/decipher/google-turning-on-confidential-mode-by-default-in-g-suite

G Suite Updates: Gmail confidential mode launching on by default on June 25, 2019

https://gsuiteupdates.googleblog.com/2019/05/gmail-confidential-mode-launching-on-by.html

 
 

--Marine Corps Commandant Highlights Existential Cybersecurity Challenge

(June 4, 2019)

"I believe that whoever can maintain their network and deny the other person theirs may win the whole thing without having to fight," said Marine Corps Commandant and member of the Joint Chiefs of Staff, Gen. Bob Neller, in commenting on the long term strategic threat from China and Russia.


[Editor Comments]


[Paller] In a gathering of senior military officers discussing that very challenge, one noted, "In the next war, our tanks and planes will be people." Several other participants reinforced that characterization of cyberskills as the differentiating factor between winners and losers in cyber warfare because only people with extraordinary skill can continue to innovate while under attack. The stark preparation gap between American college students and their counterparts in Russia and China does not appear to be closing. That helps explain why military leaders have been so supportive of the 2019 Cyber FastTrack program that engaged more than 10,000 college students in assessing and advancing their hands-on, practical preparation for critical roles in cybersecurity and will likely grow to more than 30,000 college students next year.


Read more in:

NPR: The Marines' Top General Talks About A Changing Corps

https://www.npr.org/2019/06/04/729300525/the-marines-top-general-talks-about-a-changing-corps


****************************  SPONSORED LINKS  ******************************


1) Security Inside the Perimeter

Learn how to protect critical workloads and applications inside your data center.  Read the white paper:  http://www.sans.org/info/213065


2) How do your threat hunting efforts stack up with your peers? Take the SANS 2019 Threat Hunting Survey - and enter to win a $400 Amazon gift card! http://www.sans.org/info/213070


3) Don't miss "SIEM as Alexa - How Natural Language Processing Can Transform Your Cyber Security Experience"  Register:  http://www.sans.org/info/213075


*****************************************************************************

REST OF THE WEEK'S NEWS       

 

--App Advertisement SDK Forces Apps to Open Scam Banner Ads

(June 4, 2019)

App developers say that some of their programs that are available through the Windows Store are opening tech support scam advertisement banner ads without any user interaction. The issue affects apps that use the Advertising Software Development Kit to display ads.


Read more in:

The Register: Devs slam Microsoft for injecting tech-support scam ads into their Windows Store apps

https://www.theregister.co.uk/2019/06/04/scareware_ads_windows_store/

MSDN: Ad banner opens browser tab without user input!

https://social.msdn.microsoft.com/Forums/en-US/2e0adc26-4c75-4945-88c0-aceecf1cecfd/ad-banner-opens-browser-tab-without-user-input

 
 

--Baltimore Cyber Assessment Notes Security Concerns Years Before Ransomware Attack

(May 30 & 31, 2019)

A risk assessment of Baltimore's network infrastructure called the city's computer systems "a natural target for hackers and a path for more attacks in the system." The assessment noted that the systems the city was using were outdated, not backed up, and vulnerable to attacks. The assessment obtained by the Baltimore Sun was not dated, but information included in the report suggests it was created before September 2017.


[Editor Comments]


[Pescatore] All too often, IT organizations use the "We can't patch anything until we can patch everything" excuse. Imagine if fleet managers said, "We won't replace worn out brakes on any of our trucks until we can replace them on all trucks." The FedEx and Maersk NotPetya incidents with their publicly disclosed huge costs, and the Baltimore incident for state/local agencies, are good headlines to use to fight for: "For these critical systems, critical patches will happen even if we can't patch everything else."


[Neely] A report of issues without follow up actions on management's radar is of little value. Remaining secure requires not only infrastructure patching at all layers but also an active system lifecycle process. As John says, don't wait for one solution to address everything. Implement in phases organized by solvable problems such as OS and common applications, iterating until you have full coverage, including verification so you can measure progress.


[Murray] If one elects to accept a risk, one had better be certain that it is well documented that is what one is doing. While the documentation may be prepared by security staff, it must be signed by business management.  



Read more in:

Baltimore Sun: Baltimore's risk assessment called a pair of aged city computer systems a 'natural target for hackers'

https://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-old-servers-20190530-story.html

Statescoop: Report: Risk assessment called Baltimore 'natural target' for cyberattack

https://statescoop.com/baltimore-cyberattack-risk-assessment-natural-target/

 
 

--Eurofins Systems Infected with Ransomware

(June 3, 2019)

Eurofins Scientific, a Luxembourg-based laboratory testing company, has acknowledged that its systems became infected with ransomware over the weekend. IT staff have taken some servers offline to mitigate the infection.


[Editor Comments]


[Neely] While recent ransomware conversations have focused on whether to pay and having separated incremental backups, don't forget to have the conversations about the ability to restore those backups and what happens when the backups are no longer viable.


Read more in:

Reuters: Eurofins Scientific detects ransomware in some of its IT systems

https://www.reuters.com/article/us-eurofins-scient-cyber/eurofins-scientific-detects-ransomware-in-some-of-its-it-systems-idUSKCN1T40QH

The Register: Pharma-testing biz Eurofins Scientific says it fell victim to 'new version' of malware

https://www.theregister.co.uk/2019/06/03/eurofins_scientific_malware_breach/

 
 

--IEEE Lifts Ban on Huawei Participation in Peer-Review Process

(June 3, 2019)

The Institute of Electrical and Electronics Engineers (IEEE) has reversed its decision to bar people with ties to Huawei from peer-reviewing academic papers. IEEE initially said it would not allow Huawei workers to participate in peer review and editorial activity because of the US government ban on the use of the company's products; that decision "was motivated solely by our desire to protect our volunteers and our members from legal risk." IEEE said that over the weekend it learned from the Department of Commerce that it could reverse the ban.


[Editor Comments]


[Murray] Huawei is a political football; do not get caught in the scrum.


Read more in:

ZDNet: No ban: IEEE gives Huawei employees the all-clear

https://www.zdnet.com/article/no-ban-ieee-gives-huawei-employees-the-all-clear/

CNET: Huawei ban revoked by science publisher IEEE

https://www.cnet.com/news/huawei-ban-revoked-by-science-publisher-ieee/

Tech Crunch: Science publisher IEEE lifts ban on Huawei reviewers

https://techcrunch.com/2019/06/02/ieee-lifts-huawei-curbs/

The Register: IEEE says it may have gone about things the wrong Huawei, lifts ban after US govt clearance

https://www.theregister.co.uk/2019/06/03/ieee_uturns_huawei_sanctions/

 
 

--Quest Diagnostics Discloses Data Breach

(June 3, 2019)

Quest Diagnostics, a medical testing company, has disclosed that an "unauthorized user" gained access to sensitive personal information of nearly 12 million patients through a third-party billing service, the American Medical Collection Agency. The breach was disclosed in a company filing with the US Securities and Exchange Commission (SEC).


[Editor Comments]


[Neely] Unlike the Quest breach in 2016, this was a breach of billing data, not medical test data. In this case, AMCA's payment collection page was compromised. Quest immediately stopped sending information to AMCA upon notification. While the breach is to AMCA, the responsibility lies with Quest for needed compensatory actions.


Read more in:

Tech Crunch: Quest Diagnostics says 11.9 million patients affected by data breach

https://techcrunch.com/2019/06/03/quest-diagnostics-breach/

The Hill: Quest Diagnostics says personal data of almost 12 million customers has been breached

https://thehill.com/policy/cybersecurity/446623-quest-diagnostics-says-personal-data-of-almost-12-million-customers-has

SEC: Quest Diagnostics Incorporated SEC Filing June 3, 2019

https://www.sec.gov/Archives/edgar/data/1022079/000094787119000415/ss138857_8k.htm


 

--Google Cloud Outage Resolved

(June 2, 2019)

A Google Cloud outage on Sunday, June 2, rendered Google and other services that rely on Google Cloud unavailable for several hours. The outages affected users in North America and Europe. The outage even reportedly affected the tools that Google engineers use to communicate with each other about outages. The origin of the problems is believed to be an outage at Level 3, which is an ISP in the US that provides connectivity and other services for Google data centers. Google said the issue was resolved on Sunday evening as of 7:00pm ET (US). Google plans to "provide a detailed report of this incident once [they] have completed [their] internal investigation."


[Editor Comments]


[Pescatore] An interesting twist on this one: "... also took down internal tools Google engineers were using to communicate among each other about the outage, making recovery efforts even more difficult." If you are using chat tools or other cloud-based systems as part of operations or incident response, cloud outages can impact you even if the business systems stay up and running - you need backup plans or playbooks for that scenario.


[Murray] One of the lessons of the All Souls Worm (1988) was to keep one's phone list on paper. Today network recovery should be based in part on out-of-band capabilities; think mobiles and cellular.  


Read more in:

ZDNet: Google Cloud goes down, taking YouTube, Gmail, Snapchat, and others with it

https://www.zdnet.com/article/google-cloud-goes-down-taking-youtube-gmail-snapchat-and-others-with-it/

Bleeping Computer: Google Outage in Eastern U.S. Affecting Gmail, YouTube, and More

https://www.bleepingcomputer.com/news/google/google-outage-in-eastern-us-affecting-gmail-youtube-and-more/

Axios: Google outage caused YouTube, Gmail disruptions in parts of U.S.

https://www.axios.com/google-cloud-outages-youtube-cb641ba5-a578-4c0c-9211-cae8f47cb81a.html

 
 

--Loon Balloons Bring Internet to Peru 48 Hours After Earthquake

(May 31, 2019)

On Sunday, May 26, a magnitude 8.0 earthquake hit a remote part of north central Peru. Within 48 hours, Loon, which is owned by Google parent company Alphabet, sent balloons to provide Internet service. Loon also sent Internet-providing balloons to Puerto Rico after Hurricane Maria in 2017. At that time, it took Loon roughly four weeks to begin providing Internet service. Loon uses its balloons "to expand Internet connectivity to rural areas, fill coverage gaps, and improve network resilience in the event of a disaster."          


[Editor Comments]


[Neely] Google has been working for a number of years to provide a balloon-based service that delivers Internet service to remote areas. This use case has the promise of providing similar functionality to portable cell towers. The challenge remains not only rapid delivery of equipment but also having an adequate Internet source to provide viable service.


Read more in:

Washington Post: To restore Internet access after a massive earthquake, the Peruvian government turned to balloons

https://www.washingtonpost.com/technology/2019/05/31/restore-internet-access-after-massive-earthquake-peruvian-government-turned-balloons/

Company/Projects/Loon: Expanding Internet connectivity with stratospheric balloons

https://x.company/projects/loon/

 
 

INTERNET STORM CENTER TECH CORNER


Google Outage

https://status.cloud.google.com/incident/compute/19003


Major Vulnerability in Siemens LOGO Controllers

https://cert-portal.siemens.com/productcert/pdf/ssa-542701.pdf


Exposing TOR Users Via Cache Poisoning

https://blog.duszynski.eu/tor-ip-disclosure-through-http-301-cache-poisoning/


nginx njs Vulnerability

https://github.com/nginx/njs/issues/131


Bypassing macOS Synthetic Click Protection

https://www.wired.com/story/apple-macos-bug-synthetic-clicks/


Intel Microcode Updates for Older Windows 10 Versions

https://support.microsoft.com/en-us/help/4494454/kb4494454-intel-microcode-updates


Fake AntiVirus Ads in Microsoft Games

https://answers.microsoft.com/en-us/windows/forum/all/malvertising-attack-on-microsoft-games/ced7ab87-7e0e-422b-97b7-fbfaed2b68a0


GandCrab Shutting Down

https://www.zdnet.com/article/gandcrab-ransomware-operation-says-its-shutting-down/


 

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create