

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #49

June 21, 2019

Florida City Pays $600,000 Ransomware; Canada's Desjardins Breached; Oracle Flaw Being Actively Exploited




****************************************************************************

SANS NewsBites                June 21, 2019                Vol. 21, Num. 049

****************************************************************************


TOP OF THE NEWS


  Florida City Pays $600,000 Ransomware Demand

  Desjardins Breach

  Oracle WebLogic Flaw is Being Actively Exploited


REST OF THE WEEK'S NEWS       

 

  Phishing eMails Pretend to be National Cyber Awareness System Alerts

  NIST Draft Guidance for Contractors on Securing CUI

  Hacker Group May Have Hijacked Another Group's Infrastructure to Launch an Attack

  Cisco Releases Fixes for Critical Flaws

  Dell Releases Fix for Flaw in SupportAssist

  Google Releases Encrypted Multi-Party Computation Tool

  Wyden to NIST: Publish Guidance for Secure Data Sharing

  Mozilla Releases Emergency Firefox Update. Twice.

  MongoDB's Field Level Encryption


INTERNET STORM CENTER TECH CORNER


*****************************************************************************



TOP OF THE NEWS  

 

--Florida City Pays $600,000 Ransomware Demand

(June 19, 2019)

The city of Riviera Beach, Florida, will pay hackers nearly US $600,000 for a key that it hopes will allow it to regain access to information that was encrypted with ransomware in late May. The city council voted to pay the ransom of 65 bitcoin earlier this week. The city council's decision to pay the demand was based on advice from outside security consultants. Earlier this month, the city council authorized spending more than US $900,000 on new hardware to replace equipment that was damaged in the attack. The attack affected multiple city networks, including payroll, email, and emergency services.


[Editor Comments]


[Pescatore] For those of you working in state/local government, the recent Baltimore/Atlanta/Jackson County/Riviera Beach ransomware incidents are good data to use to convince management and councils that "pay me later" will always cost much more than "fix it now." A good tabletop exercise taking advantage of the publicity around these most recent attacks hitting small local governments will also help get past the "well, we are so small that no one would ever target us..." objections.


[Murray] The two most important measures for resisting these extortion attacks, "read-only/execute-only" or least privilege access control and safe data backup with fast recovery, take time to implement. In the face of successful attacks, such implementation is urgent.


[Honan] Paying the ransom perpetuates the problem, and there is no guarantee the data will be fully recovered.


[Neely] The decision to pay is non-trivial and difficult to second-guess. Ransomware tactics are tending towards more complete system impact, which not only increases the likelihood of payment but also allows for a greater fee to be demanded. Even if the city gets their data back, they still have to address mitigations to prevent recurrence, both human and technical.


Read more in:

ZDNet: Florida city pays $600,000 to ransomware gang to have its data back

https://www.zdnet.com/article/florida-city-pays-600000-to-ransomware-gang-to-have-its-data-back/

CNET: Florida city will pay hackers $600,000 to recover from ransomware attack

https://www.cnet.com/news/florida-city-will-pay-hackers-600000-to-recover-from-ransomware-attack/

Statescoop: Florida city pays hackers $600,000 after ransomware attack

https://statescoop.com/florida-city-pays-hackers-600000-after-ransomware-attack/

SC Magazine: Riviera Beach, Fla., pays $600,000 ransom payment

https://www.scmagazine.com/home/security-news/ransomware/riviera-beach-fla-pays-600000-ransom-payment/


 

--Desjardins Breach

(June 20, 2019)

Desjardins, Canada's largest credit union, says that it has suffered a data security breach. An employee, who has since been fired, stole customer information from a Desjardins database and shared it with people outside the financial institution. The breach affected information belonging to 2.9 million members. The compromised data include names, social insurance numbers, email addresses, and details of banking habits. Desjardins has changed the procedure for authenticating customers' identities so that the stolen information cannot be used for that purpose.  


[Editor Comments]


[Neely] Insider threat is the most difficult to prevent. The most common mitigations include two-person rules, in addition to digital surveillance; regular review of access permissions, including separation of duties to ensure no one employee can exceed their authority.


Read more in:

Montreal Gazette: Desjardins: Rogue employee caused data breach for 2.9 million members

https://montrealgazette.com/business/desjardins-rogue-employee-caused-data-breach-for-2-9-million-members

CBC: Personal data of 2.7 million people leaked from Desjardins

https://www.cbc.ca/news/canada/montreal/desjardins-data-breach-1.5183297

ZDNet: Desjardins, Canada's largest credit union, announces security breach

https://www.zdnet.com/article/desjardins-canadas-largest-credit-union-announces-security-breach/

Desjardins: Important message for our members - June 20, 2019 - 2:00 pm

https://www.desjardins.com/ca/personal-information/index.jsp


 

--Oracle WebLogic Flaw is Being Actively Exploited

(June 19, 2019)

A critical deserialization flaw in the XMLDecoder in Oracle's WebLogic Server Web Services is being actively exploited to hijack vulnerable systems. The issue affects Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0.


[Editor Comments]


[Ullrich] Luckily, there are only a few WebLogic servers exposed to the internet according to Shodan. But do not underestimate this vulnerability. You will likely see a lot of news about crypto miners being installed using this vulnerability. What you should be worried about is someone using this vulnerability against an internal WebLogic server as part of lateral movement after breaching a network.


Read more in:

Threatpost: Oracle Warns of New Actively-Exploited WebLogic Flaw

https://threatpost.com/oracle-warns-of-new-actively-exploited-weblogic-flaw/145829/

ZDNet: Oracle patches another actively-exploited WebLogic zero-day

https://www.zdnet.com/article/oracle-patches-another-actively-exploited-weblogic-zero-day/

The Register: Using Oracle WebLogic? Put down your coffee, drop out of Discord, grab this patch right now: Vuln under attack

https://www.theregister.co.uk/2019/06/19/oracle_weblogic_emergency/

Oracle: Oracle Security Alert Advisory - CVE-2019-2729

https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html



*****************************************************************************

REST OF THE WEEK'S NEWS       

 

--Phishing eMails Pretend to be National Cyber Awareness System Alerts

(June 18 & 20, 2019)

The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) says that a phishing campaign is using spoofed return addresses that make it appear as if the messages are National Cyber Awareness System (NCAS) alerts. The messages urge recipients to click on attachments. CISA says that it never sends NCAS alerts with attachments.


Read more in:

SC Magazine: Phishing campaign impersonates email alerts from DHS

https://www.scmagazine.com/home/security-news/phishing/phishing-campaign-impersonates-email-alerts-from-dhs/

US-CERT: DHS Email Phishing Scam

https://www.us-cert.gov/ncas/current-activity/2019/06/18/DHS-Email-Phishing-Scam

 
 

--NIST Draft Guidance for Contractors on Securing CUI

(June 20, 2019)

The US National Institute of Standards and Technology (NIST) has released draft guidance for securing Controlled Unclassified Information (CUI) in non-federal systems. The document is a companion publication to a previous guidance document on the same subject. The new document provides guidance for CUI at risk from advanced persistent threats (APTs), and pertains particularly to the defense industrial base. The initial document includes 110 recommendations; the new document has an additional 33 recommendations. NIST is accepting comments on the draft document through July 19, 2019.  


[Editor Comments]


[Neely] The purpose of NIST SP 800-171 and 800-171B is to help enumerate requirements for the protection of sensitive unclassified information for contractors not used to implementing FISMA systems. SP 800-171B is focused on critical programs and high value assets and augments the controls in SP 800-171. The guidance in 171B includes discussion as to what is desired with each control as well as references for additional guidance to aid understanding.  


[Murray] "Controlled Unclassified" is a classification. The defense community has done us all a disservice and has distorted the language by trying to reserve "classified" to its own exclusive use.


Read more in:

NIST: NIST Updates SP 800-171 to Help Defend Sensitive Information from Cyberattack

https://www.nist.gov/news-events/news/2019/06/nist-updates-sp-800-171-help-defend-sensitive-information-cyberattack

MeriTalk: NIST Releases Draft Guidance for Sensitive Contractor-Held CUI

https://www.meritalk.com/articles/nist-releases-draft-guidance-for-contractor-held-cui/

CSRC: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

https://csrc.nist.gov/CSRC/media/Publications/sp/800-171b/draft/documents/sp800-171B-draft-ipd.pdf

 
 

--Hacker Group May Have Hijacked Another Group's Infrastructure to Launch an Attack

(June 20, 2019)

According to researchers at Symantec, a hacking group's latest efforts may have included taking over infrastructure that belongs to another hacking group to launch an attack against a Middle Eastern target. The Waterbug hacking group, also known as Turla, has targeted "governments and international organizations over the past eighteen months in a series of campaigns that have featured a rapidly evolving toolset and, in one notable instance, the apparent hijacking of another espionage group's infrastructure." In the attack, a variant of a hacking tool that "Symantec believes ... is unique to Waterbug" was downloaded onto a victim's computer via infrastructure known to belong to the Crambus (aka OilRig) hacking group.


Read more in:

Symantec: Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments

https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments

Ars Technica: Nation-sponsored hackers likely carried out hostile takeover of rival group's servers

https://arstechnica.com/information-technology/2019/06/researchers-think-nation-sponsored-hackers-attacked-rival-espionage-group/

Bleeping Computer: Turla Espionage Group Hacks OilRig APT Infrastructure

https://www.bleepingcomputer.com/news/security/turla-espionage-group-hacks-oilrig-apt-infrastructure/

 
 

--Cisco Releases Fixes for Critical Flaws

(June 20, 2019)

Cisco has released fixes for 26 vulnerabilities, including three rated critical: an authentication bypass vulnerability in its Digital Networking Architecture (DNA) Center appliance (CVE-2019-1848); an insufficient authorization enforcement flaw in the CLI of Cisco SD-WAN Solution (CVE-2019-1625); and a remote command execution vulnerability in the management interface of some of its wireless routers (CVE-2019-1663).


Read more in:

SC Magazine: Cisco announced 26 vulnerabilities in over the last two days, three critical

https://www.scmagazine.com/home/security-news/vulnerabilities/cisco-announced-26-vulnerabilities-over-the-last-two-days-including-two-critical-flaws-affecting-core-equipment-that-could-grant-attackers-an-avenue-into-networks/

ZDNet: Cisco critical-flaw warning: These two bugs in our data-center gear need patching now

https://www.zdnet.com/article/cisco-critical-flaw-warning-these-two-bugs-in-our-data-center-gear-need-patching-now/

Threatpost: Cisco DNA Center Critical Flaw Opens Access to Internal Services

https://threatpost.com/cisco-dna-center-critical-flaw/145849/

Cisco: Cisco DNA Center Authentication Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-dnac-bypass

Cisco: Cisco SD-WAN Solution Privilege Escalation Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190619-sdwan-privesca

Cisco: Cisco RV110W, RV130W, and RV215W Routers Management Interface Remote Command Execution Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex

 
 

--Dell Releases Fix for Flaw in SupportAssist

(June 20, 2019)

Dell has released fixes for a security issue in its SupportAssist troubleshooting application that could be exploited to obtain administrative rights. Dell released the fix on May 28, but waited several weeks to release the advisory because PC Doctor, the supplier of the affected component, needed additional time to release its own advisory. SupportAssist is pre-installed on Dell computers.


Read more in:

The Register: Millions of Windows Dell PCs need patching: Give-me-admin security gremlin found lurking in bundled support tool

https://www.theregister.co.uk/2019/06/20/dell_supportassist_security_hole/

Cyberscoop: Dell quietly patched a security vulnerability that affected millions of users

https://www.cyberscoop.com/dell-supportassist-patch-security-vulnerability-microsoft-windows/

Dell: DSA-2019-084: Dell SupportAssist for Business PCs and Dell SupportAssist for Home PCs Security Update for PC Doctor Vulnerability

https://www.dell.com/support/article/us/en/04/sln317291/dsa-2019-084-dell-supportassist-for-business-pcs-and-dell-supportassist-for-home-pcs-security-update-for-pc-doctor-vulnerability?lang=en

 
 

--Google Releases Encrypted Multi-Party Computation Tool

(June 19, 2019)

Google has rolled out its open-source Private Join and Compute (PJC) secure multi-party computation tool. PJC can be used in studies that require data sets containing sensitive information from two separate parties. PJC will allow two sets of data to be used in computations without exposing the data each set contains. The data are encrypted during the computation; all parties can see the result.


Read more in:

Googleblog: Helping organizations do more without collecting more data

https://security.googleblog.com/2019/06/helping-organizations-do-more-without-collecting-more-data.html

Wired: Google Turns to Retro Cryptography to Keep Data Sets Private

https://www.wired.com/story/google-private-join-compute-database-encryption/

The Register: Google takes the PIS out of advertising: New algo securely analyzes shared encrypted data sets without leaking contents

https://www.theregister.co.uk/2019/06/19/google_pis_encryption/

ZDNet: Google open sources Private Join and Compute, a tool for sharing confidential data sets

https://www.zdnet.com/article/google-open-sources-private-join-and-compute-a-tool-for-sharing-confidential-data-sets/

 
 

--Wyden to NIST: Publish Guidance for Secure Data Sharing

(June 19, 2019)

US Senator Ron Wyden (D-Oregon) wants the National Institute of Standards and Technology (NIST) to develop and publish guidance to help "individuals and organizations... securely share sensitive data over the Internet." Wyden notes that government agencies often send sensitive data in emailed .zip files and other unsecure methods.


[Editor Comments]


[Ullrich] It would be nice to have a standard to point to. But the standard has to be reasonably easy to use and enforce. Otherwise, "Layer 8" (human) problems will render it meaningless. Coming up with a good standard will not be easy.


Read more in:

Cyberscoop: How secure is that .zip file? One senator is urging NIST to weigh in

https://www.cyberscoop.com/zip-files-encryption-security-wyden-nist/

The Register: If Uncle Sam could quit using insecure .zip files to swap info across the 'net, that would be great, says Silicon Ron Wyden

https://www.theregister.co.uk/2019/06/19/ron_wyden_nist_zip_files/

Wyden: Letter to NIST Director

https://www.wyden.senate.gov/imo/media/doc/061919%20Wyden%20Sensitive%20Data%20Transmission%20Best%20Practices%20Letter%20to%20NIST.pdf

 
 

--Mozilla Releases Emergency Firefox Update. Twice.

(June 18 & 20, 2019)

Mozilla has released emergency updates for Firefox twice this week to address flaws that are being actively exploited. The first update (MFSA2019-18) fixed a critical type confusion flaw in Array.pop. The second update (MFSA2019-19) fixes a sandbox escape vulnerability. Users should update to Firefox 67.0.4 and Firefox ESR 60.7.2.


[Editor Comments]


[Neely] Now that you've just finished pushing out 67.0.3 & ESR 60.7.1, which mitigates the threat of exploits using both flaws, you need to go back and push out 67.0.4 and ESR 60.7.2 to fully mitigate the problem. Note that the new update to the 8.5.2 Tor Browser only includes the fix for CVE-2019-11707.


Read more in:

ZDNet: Mozilla fixes second Firefox zero-day exploited in the wild

https://www.zdnet.com/article/mozilla-fixes-second-firefox-zero-day-exploited-in-the-wild/

Mozilla: Security vulnerabilities fixed in Firefox 67.0.4 and Firefox ESR 60.7.2

https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/

Mozilla: Security vulnerabilities fixed in Firefox 67.0.3 and Firefox ESR 60.7.1

https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/

 
 

--MongoDB's Field Level Encryption

(June 18, 2019)

The MongoDB development team has been working for two years to improve its encryption to reduce breaches, and they have done it by moving from server-side encryption to client-side encryption. The feature, called Field Level Encryption, will display encrypted fields as ciphertext on the server; viewing the actual data requires access through the client application and with the necessary keys.


[Editor Comments]


[Murray] "Field level encryptions," or any small object encryption, is harder than it looks. Think about how you might encrypt a single bit. Adding it to an existing database is even harder. Lotus Notes has done it well but as part of the original design.  


Read more in:

Duo: MongoDB Moves Encryption Out of the Server

https://duo.com/decipher/mongodb-moves-encryption-out-of-the-server

Wired: A Plan To Stop Breaches With Dead Simple Database Encryption

https://www.wired.com/story/field-level-encryption-databases-mongobd/



*****************************************************************************

 INTERNET STORM CENTER TECH CORNER


Critical Patch For WebLogic

https://isc.sans.edu/forums/diary/Critical+Actively+Exploited+WebLogic+Flaw+Patched+CVE20192729/25050/


Exim Exploits Against Other Mail Servers

https://isc.sans.edu/forums/diary/Quick+Detect+Exim+Return+of+the+Wizard+Attack/25052/


Critical Firefox Updates

https://www.mozilla.org/en-US/security/advisories/mfsa2019-19/

https://www.mozilla.org/en-US/security/advisories/mfsa2019-18/#CVE-2019-11707


Bitdefender Releases GandCrab Decryptor

https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind/


Updates for Dell Support Assistant

https://www.dell.com/support/article/us/en/04/sln317291/dsa-2019-084-dell-supportassist-for-business-pcs-and-dell-supportassist-for-home-pcs-security-update-for-pc-doctor-vulnerability?lang=en


Critical Cisco Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-rmi-cmd-ex


LoudMiner Comes with VM

https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/


Google Launches New Deceptive Site Protections in Chrome

https://blog.chromium.org/2019/06/new-chrome-protections-from-deception.html


STI Student Dave Todd: Overcoming the Compliance Challenges in Biometrics

https://www.sans.org/reading-room/whitepapers/legal/paper/38970



******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create