Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #51

June 28, 2019

Ransomware: Second Florida City Decides to Pay; Third Reveals Ransomware Infection; To Pay or Not to Pay?




****************************************************************************

SANS NewsBites                June 28, 2019                Vol. 21, Num. 051

****************************************************************************


TOP OF THE NEWS

 

  Second Florida City Decides to Pay Ransomware Demand, and a Third Reveals Ransomware Infection

  Ransomware: To Pay or Not to Pay?



REST OF THE WEEK'S NEWS       

 

  Vulnerabilities in Medtronic Insulin Pumps Prompt Recall and an FDA Warning

  NIST Publication on IoT Security

  Silex Malware Bricks Unsecure IoT Devices

  Cisco Releases Updates to Fix Data Center Network Manager Vulnerabilities

  Excel Power Query Feature Can Be Exploited to Infect Systems with Malware

  Researchers Demonstrate Emergency Alert System Spoofing

  Authorities in UK, Netherlands Arrest Six People in Connection with Cryptocurrency Typosquatting Scheme

  US Senate Report on Federal Cybersecurity


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

CYBERSECURITY TRAINING UPDATE    



-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019


-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019


-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019


-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019


-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019


-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- SANS OnDemand and vLive Training

Get an iPad Mini, Surface Go, or Take $300 Off through July 10 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



*********** Sponsored By CYBERBIT Commercial Solutions  ***********


Understanding the SOAR ROI model. Security Orchestration, Automation ,and Response (SOAR) can reduce time-to-respond by up to 90% as well as analyst escalations. Download the Business Case for SOAR to understand the financial benefit of implementing SOAR. Download now http://www.sans.org/info/213500


*****************************************************************************

TOP OF THE NEWS  

 

--Second Florida City Decides to Pay Ransomware Demand, and a Third Reveals Ransomware Infection

(June 26, 2019)

On Monday, June 24, the administration of Lake City, Florida, voted to pay a demand of nearly US $500,000 in bitcoin to regain access to data that have been encrypted since June 10. The hackers reportedly contacted the city's insurance company and negotiated the payment of 42 bitcoins. The insurance company will pay all but $10,000 of the ransom. Lake City is the second Florida municipality to pay a large ransomware demand in less than two weeks.


[Editor Comments]


[Murray] If one has decided to assign the risk of "ransomware" to underwriters, one had better be sure that the underwriter will pay and that paying will get the data back.  

 

Read more in:

NYT: Another Hacked Florida City Pays a Ransom, This Time for $460,000

https://www.nytimes.com/2019/06/27/us/lake-city-florida-ransom-cyberattack.html

SC Magazine: Second Florida city burned by ransomware and pays attackers

https://www.scmagazine.com/home/security-news/ransomware/second-florida-city-burned-by-ransomware-and-pays-attackers/

ZDNet: Second Florida city pays giant ransom to ransomware gang in a week

https://www.zdnet.com/article/second-florida-city-pays-giant-ransom-to-ransomware-gang-in-a-week/

Cyberscoop: Another Florida city is making a ransomware payment, worth nearly $500,000 this time

https://www.cyberscoop.com/ransomware-lake-city-florida-payment

 
 

--Ransomware: To Pay or Not to Pay?

(June 4, 23, & 27, 2019)

In a recent report, Forrester Research analysts argue that organizations should "recognize paying the ransom as a valid recovery path that should be explored in parallel with other recovery efforts to ensure that [they]'re making the best decision for [their] organization." In a separate story, the Editorial Board of the Washington Post argues that "taxpayer money should not be used to reward criminal enterprises," and proposes making it illegal to pay ransomware demands.


[Editor Comments]


[Pescatore] Forget ransomware for a second and think about the older form of ransom when a business executive is kidnapped, which was happening long before ransomware started. Many companies have Kidnapping/Ransom/Extortion insurance to cover that scenario. I doubt any state governments do and I'm pretty sure the policy language for those may exclude ransomware attempts. But the question about what to do about extortion is a business question, not a security question. That said, part of the business question is "can we self-insure?" - that is the essential question CEOs and boards ask about cybersecurity, too.


[Murray] I agree with John Pescatore that this is a business decision. So is the decision as to whether to accept the risk or to reduce it by implementing strong authentication, "least privilege" access control, end-to-end application layer security, Privileged Access Management (PAM), and secure backup with fast recovery. The cost of prevention, while optional, is efficient; it is almost always cheaper than the mandatory cost of remediation. That is why we call it "security."


[Neely] I agree with John & Bill. The question of can we self-insure - as well as are our practices commensurate with current mitigations; including strong authentication, incremental secure backups that can be restored readily, communication and service restoration plans, need an honest assessment, including validation, prior to making a decision. Additionally, don't assume payment will result in full data recovery.

 

Read more in:

ZDNet: Ransomware attacks: Why and when it makes sense to pay the ransom

https://www.zdnet.com/article/why-and-when-it-makes-sense-to-pay-the-ransom-in-ransomware-attacks/

Forrester: Unconventional Wisdom: Explore Paying The Ransom In Parallel With Other Recovery Options

https://go.forrester.com/blogs/unconventional-wisdom-explore-paying-the-ransom-in-parallel-with-other-recovery-options/

Washington Post: Hackers are taking cities hostage. Here's a way around it.

https://www.washingtonpost.com/opinions/hackers-are-taking-cities-hostage-heres-a-way-around-it/2019/06/23/f08b79ea-9459-11e9-aadb-74e6b2b46f6a_story.html


****************************  SPONSORED LINKS  ******************************


1) "Simplify Your Office 365 Migration." Valimail to discuss how to secure your O365 deployment against phishing attacks. Register: http://www.sans.org/info/213510


2) Make your security analytics more consumable. Register for "Leveraging Your SIEM to Implement Security Best Practices." http://www.sans.org/info/213525


3) What can you tell us about your threat hunting program? Take the survey for a chance to win a $400 Amazon gift card: http://www.sans.org/info/213520


*****************************************************************************

REST OF THE WEEK'S NEWS       

 

--Vulnerabilities in Medtronic Insulin Pumps Prompt Recall and an FDA Warning

(June 27, 2019)

Medtronic has recalled certain models of its MiniMed insulin pumps because of vulnerabilities that could be exploited by unauthorized users to alter dosages. The US Food and Drug Administration (FDA) has issued a warning to patients and health care providers urging that they switch to more secure models.


Read more in:

Medtronic: MiniMed(TM) 508 and MiniMed(TM) Paradigm(TM) Series Insulin Pumps (PDF)

https://www.medtronic.com/content/dam/medtronic-com/us-en/corporate/documents/Medtronic_Security_Bulletin_Diabetes_Paradigm_062719_FINAL.pdf

US-CERT: Medtronic MiniMed 508 and Paradigm Series Insulin Pumps

https://www.us-cert.gov/ics/advisories/icsma-19-178-01

FDA: Certain Medtronic MiniMed Insulin Pumps Have Potential Cybersecurity Risks: FDA Safety Communication

https://www.fda.gov/medical-devices/safety-communications/certain-medtronic-minimed-insulin-pumps-have-potential-cybersecurity-risks-fda-safety-communication

FDA: FDA warns patients and health care providers about potential cybersecurity concerns with certain Medtronic insulin pumps

https://www.fda.gov/news-events/press-announcements/fda-warns-patients-and-health-care-providers-about-potential-cybersecurity-concerns-certain

The Hill: FDA warns of dangerous cyber vulnerabilities on Medtronic insulin pumps

https://thehill.com/policy/technology/450732-fda-warns-of-health-hazard-cyber-vulnerabilities-on-medtronic-insulin-pumps

 
 

--NIST Publication on IoT Security

(June 27, 2019)

The US National Institute of Standards and Technology (NIST) has published a paper that aims "to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their individual IoT devices throughout the devices' lifecycles." The paper, Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks, is the foundational publication for what will be a series of publications that offer more specific aspects of managing IoT security.  


[Editor Comments]


[Neely] This document identifies areas of concern for IoT security, the challenges, and how the relevant controls in the RMF would need adjustment for these devices. While there are many issues, the paper groups them for relevance and understanding to support a risk based approach for securing IoT. The appendix of desired privacy and cybersecurity capabilities and examples will be released as a separate publication.


Read more in:

Cyberscoop: Need more evidence that IoT security is a big deal? Here's what NIST has to say

https://www.cyberscoop.com/iot-security-guidance-nist/

CSRC: Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (abstract)

https://csrc.nist.gov/publications/detail/nistir/8228/final

NVLpubs: Considerations for Managing Internet of Things (IoT) Cybersecurity and Privacy Risks (PDF)

https://nvlpubs.nist.gov/nistpubs/ir/2019/NIST.IR.8228.pdf

 
 

--Silex Malware Bricks Unsecure IoT Devices

(June 26 & 27, 2019)

Malware that is being called Silex searches out poorly-secured Internet of Things (IoT) devices running on Unix or Linux and renders them unusable. According to Silex's alleged creator, the malware's purpose is to prevent the unsecure devices from being hijacked by less scrupulous people to be used in a botnet. Silex has bricked at least 4,000 IoT devices before its command and control server was shut down earlier this week.


[Editor Comments]


[Murray] Perhaps the most significant risk in the IoT space is that vulnerable devices will be taken over and used in brute force attacks. That said, it is arrogant for this author to assert that taking all of them down, without regard to their application, is justified by that risk.


[Neely] The author's model of bricking your device before someone else uses it for maleficence is neither comforting nor welcome. Silex is using default credentials to obtain access, which can't always be changed with IoT devices. In addition to changing the credentials you can, limit access to those devices to only the services they need to operate and keep the firmware updated.

 

Read more in:

Duo: The Curious Case of Silexbot

https://duo.com/decipher/the-curious-case-of-silexbot

Threatpost: Thousands of IoT Devices Bricked By Silex Malware

https://threatpost.com/thousands-of-iot-devices-bricked-by-silex-malware/146065/

Bleeping Computer: New Silex Malware Trashes IoT Devices Using Default Passwords

https://www.bleepingcomputer.com/news/security/new-silex-malware-trashes-iot-devices-using-default-passwords/

 
 

--Cisco Releases Updates to Fix Data Center Network Manager Vulnerabilities

(June 26 & 27, 2019)

Cisco has released emergency updates to address four flaws in its Data Center Network Manager software. Two of the flaws are rated critical and could be exploited to take control of vulnerable systems. The critical flaws are an arbitrary file upload vulnerability (CVE-2019-1620) and an authentication bypass vulnerability in the DCNM management interface (CVE-2019-1619).


Read more in:

Threatpost: Cisco Warns of Critical Flaws in Data Center Network Manager

https://threatpost.com/cisco-warns-of-critical-flaws-in-data-center-network-manager/146050/

ZDNet: New Cisco critical bugs: 9.8/10-severity Nexus security flaws need urgent update

https://www.zdnet.com/article/new-cisco-critical-bugs-9-810-severity-nexus-security-flaws-need-urgent-update/

Cisco: Cisco Data Center Network Manager Arbitrary File Upload and Remote Code Execution Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex

Cisco: Cisco Data Center Network Manager Authentication Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass

 
 

---Excel Power Query Feature Can Be Exploited to Infect Systems with Malware

(June 24 & 27, 2019)

Researchers have developed proof-of-concept code that exploits a legitimate feature in Microsoft Office's Excel to place malware on systems remotely. The Power Query feature allows users to embed external data sources in Excel spreadsheets. The exploit launches a Dynamic Data Exchange (DDE) attack.


[Editor Comments]


[Murray] Escape mechanisms in applications have been problematic for generations, best illustrated by the "debug" feature in sendmail. Both Microsoft and IBM have done a good job of providing controls over their use. However, many are enabled by default.

 

Read more in:

Mimecast: Exploit Using Microsoft Excel Power Query for Remote DDE Execution Discovered

https://www.mimecast.com/blog/2019/06/exploit-using-microsoft-excel-power-query-for-remote-dde-execution-discovered/

Dark Reading: New Exploit for Microsoft Excel Power Query

https://www.darkreading.com/attacks-breaches/new-exploit-for-microsoft-excel-power-query-/d/d-id/1335083

Threatpost: New Microsoft Excel Attack Vector Surfaces

https://threatpost.com/microsoft-excel-attack-vector/146062/

Wired: How Hackers Turn Microsoft Excel's Own Features Against It

https://www.wired.com/story/microsoft-excel-hacking-power-query-macros/

ZDNet: Microsoft Excel Power Query feature can be abused for malware distribution

https://www.zdnet.com/article/microsoft-excel-power-query-feature-can-be-abused-for-malware-distribution/


 

--Researchers Demonstrate Emergency Alert System Spoofing

(June 26, 2019)

Researchers from the University of Colorado, Boulder, demonstrated how the Wireless Emergency Alert (WEA) system could be hijacked to send phony messages. In simulated attacks using a "pirate" cell tower built with readily available hardware and open source software, the researchers were able to send phony alerts 90 percent of the time. While the message transmission from the government to cell tower is secure, the transmission from the cell tower to the end user is not.


[Editor Comments]


[Neely] The exploit relies on the phone trusting a local fake cell tower, and that the messages sent are unsigned. Mitigate the risk some by disabling cellular roaming where you don't need it. Adding infrastructure to support signing and verification of these messages, while a more complete solution, is a daunting task and may exclude notifications for users with older devices.


Read more in:


Vice: Researchers Demonstrate How U.S. Emergency Alert System Can Be Hijacked and Weaponized

https://www.vice.com/en_us/article/evy75j/researchers-demonstrate-how-us-emergency-alert-system-can-be-hijacked-and-weaponized

 
 

--Authorities in UK, Netherlands Arrest Six People in Connection with Cryptocurrency Typosquatting Scheme

(June 26, 2019)

Six people have been arrested in the UK and the Netherlands in connection with a typosquatting cryptocurrency scam that stole [euro]24 million (US $ 27.3 million) in bitcoin. The arrests were the culmination of a joint operation between law enforcement agencies in both countries and Europol. The suspects allegedly purchased domains with names that were nearly identical to legitimate cryptocurrency trading sites. When visitor to the sites failed to spot the subtle differences between the legitimate and fraudulent sites and entered their account access credentials, the alleged thieves used the information to steal their funds.


Read more in:

The Register: It could be Rotterdam or anywhere, Wiltshire or in Bath: Euro cops cuff 6 for cybersquatting, allegedly nicking [euro]24m in Bitcoin

https://www.theregister.co.uk/2019/06/26/euro_cops_slaps_cuffs_on_six_bods_for_cryptofraud/

SC Magazine: Six arrested in European heist that netted $27.3M in cryptocurrency

https://www.scmagazine.com/home/security-news/cybercrime/six-people-in-the-u-k-and-netherlands-were-arrested-on-charges-stemming-from-a-e24-million-cryptocurrency-theft/

ZDNet: Arrests made in UK, Netherlands over [euro]24 million Bitcoin heist

https://www.zdnet.com/article/arrests-made-in-uk-netherlands-over-eur24-million-bitcoin-heist/

Europol: 6 Arrested in the UK and Netherlands in [euro]24 Million Cryptocurrency Theft

https://www.europol.europa.eu/newsroom/news/6-arrested-in-uk-and-netherlands-in-%E2%82%AC24-million-cryptocurrency-theft

 
 

--US Senate Report on Federal Cybersecurity

(June 26, 2019)

A US Senate report published earlier this week examined the cyber security compliance of eight federal agencies as documented in 10 years' worth of reports from their respective Inspectors General. The report investigated compliance at the Department of Homeland Security (DHS) as well as at seven agencies that the Office of Management and Budget (OMB) rated lowest on cybersecurity. The report concluded that "the federal government remains unprepared to confront the dynamic cyberthreats of today."


[Editor Comments]


[Neely] Too often the agency CIO doesn't have the sufficient authority and budget to effectively implement needed cyber security, let alone replacement of legacy systems. While projects like CDM have included budget provisions for licensing and implementation assistance, there still needs to be consistent communication of how these projects enable mission objectives and support for resources not funded by the project budget to ensure any success in adoption. While some efforts promise to reduce the burden of data calls through new automation, the multi-year transition impact needs to be included in the conversation.


Read more in:

The Register: Stop us if you've heard this one: US government staff wildly oblivious to basic computer, info security safeguards

https://www.theregister.co.uk/2019/06/26/government_security_failures_report/

ZDNet: Report shows failures at eight US agencies in following cyber-security protocols

https://www.zdnet.com/article/report-shows-failures-at-eight-us-agencies-in-following-cyber-security-protocols/

Cyberscoop: Senate investigation finds agencies 'unprepared' to protect Americans' data

https://www.cyberscoop.com/senate-investigation-data-protection-opm-breach/

Portman.Senate: Federal Cybersecurity: America's Data at Risk (PDF)

https://www.portman.senate.gov/sites/default/files/2019-06/2019.06.25-PSI%20Report%20Final%20UPDATE.pdf

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Rig Exploit Kit Installs Pitou.B. Trojan

https://isc.sans.edu/forums/diary/Rig+Exploit+Kit+sends+PitouB+Trojan/25068/


AWS VPC Traffic Mirroring

https://aws.amazon.com/blogs/aws/new-vpc-traffic-mirroring


Elastic SIEM App

https://www.elastic.co/blog/introducing-elastic-siem


New Brickerbot (Silex) Sightings

https://twitter.com/_larry0/status/1143532888538984448


Supply Chain Attacks Against Telco Providers

https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers


GreenFlash Sundown Malvertising Campaign

https://blog.malwarebytes.com/threat-analysis/2019/06/greenflash-sundown-exploit-kit-expands-via-large-malvertising-campaign/


National Emergency Alerts Potentially Vulnerable to Attack

https://www.colorado.edu/today/2019/06/11/emergency-alerts


TrackThis Demonstrates How Advertisers Track You

https://trackthis.link


Geoff Parker: Automating Phish Reporting Response

http://www.sans.org/reading-room/whitepapers/email/automating-response-phish-reporting-39000


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create