SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #55
July 16, 2019
Bill Requires White House to Reveal Cyber-Related DOD Memos; Lake City Paid the Ransom, and Recovery is Slow; Majority of US Election Systems Running on Older OSes
****************************************************************************
SANS NewsBites July 16, 2019 Vol. 21, Num. 055
****************************************************************************
TOP OF THE NEWS
NDAA Provision Would Require White House to Reveal Cyber-Related DOD Memos
Lake City Paid the Ransom, and Recovery is Slow
Majority of US Election Systems Running on Older OSes
REST OF THE WEEK'S NEWS
FTC Commissioners Approve $5 Billion Facebook Settlement
German State Bans Office 365 in Schools Over Privacy Concerns
County in Indiana Pays Ransomware
Sea Turtle DNS Hijacking Campaign
Remote Code Execution Flaw in Ad Inserter WordPress Plug-in
Oracle Critical Patch Update for July
INTERNET STORM CENTER TECH CORNER
*********************** Sponsored By AWS Marketplace ***********************
JumpStart Guide for Cloud-Based Firewalls in AWS Learn how to assess business and operational needs against advanced prevention capabilities in AWS Marketplace firewall and threat prevention offerings, such as advanced threat prevention, IDS/IPS, anti-malware, logging, alerting, correlation and intelligence. July 17, 2 PM ET. http://www.sans.org/info/213420
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019
-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019
-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019
-- SANS Virginia Beach 2019 | August 19-30 | https://www.sans.org/event/virginia-beach-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019
-- Threat Hunting & Incident Response Summit 2019 | New Orleans, LA | September 30-October 7 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- SANS OnDemand and vLive Training
Get an iPad Pro with Smart Keyboard, HP ProBook, or Take $350 Off through July 24 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--NDAA Provision Would Require White House to Reveal Cyber-Related DOD Memos
(July 10, 11, & 12, 2019)
The US House of Representatives has approved its version of the National Defense Authorization Act (NDAA), which includes a provision requiring the White House to share with legislators a classified directive (National Security Presidential Memorandum 13), issued nearly a year ago, that contains new rules for the Defense Department (DOD) to engage in offensive cyber activity against adversaries. The provision also requires that the White House turn over any other such documents related to DOD cyber operations. This is not the first time the issue has come up; in February, leaders of the House Armed Services Committee wrote to the president expressing their concern that the document has not been shared with legislators. (Please note that the WSJ story is behind a paywall.)
Read more in:
Cyberscoop: Congressional pressure builds for White House to share classified cyber authorizations
FCW: Langevin presses Trump for details on cyber ops
https://fcw.com/articles/2019/07/11/langevin-cyber-offense-trump.aspx
WSJ: Trump Administration Hasn't Briefed Congress on New Rules for Cyberattacks, Lawmakers Say (paywall)
--Lake City Paid the Ransom, and Recovery is Slow
(July 7, 2019)
Lake City, Florida paid a ransomware demand of more than US $460,000 to regain access to files that were encrypted in an attack in early June. The city paid a $10,000 deductible and its insurance company paid the balance. While Lake City's phone system and email are now working, a large quantity of scanned documents has yet to be recovered. Once the city had the decryption key, it found that decrypting one terabyte of data took 12 hours. Weeks after the ransom was paid, the city still does not have access to all of its data. While the FBI recommends that ransomware demands not be paid, cities have been finding that the cost of rebuilding systems from scratch often far exceeds the initial demand.
[Editor Comments]
[Neely] Restoration costs and time will vary greatly depending on how familiar the IT staff is with the recovery process, and the path chosen - clean vs. reimage vs. replacement systems, which is why it is critical to walk through the process and test it before it is needed. Budget for full DR tests, not just tabletop exercises, as they provide needed hands-on training. Regardless of the recovery path chosen, remember to include business recovery time and the costs of recovering data that could not be restored due to the timing of the backups or decryption failures.
[Honan] Good IT operations, which includes robust backup systems and business continuity planning, are essential in the defence against many threats, including ransomware. The sum of US $460,000, plus the cost of downtime incurred and other professional services engaged in the recovery, would no doubt have been a better investment in better IT rather than funding criminal activity. We should use these examples to educate senior management as to why paying for robust IT is not a cost but rather an investment.
Read more in:
NYT: A City Paid a Hefty Ransom to Hackers. But Its Pains Are Far From Over.
https://www.nytimes.com/2019/07/07/us/florida-ransom-hack.html
--Majority of US Election Systems Running on Older OSes
(July 13 & 15, 2019)
Analysis from the Associated Press (AP) found that the majority of election jurisdictions in the US are using Windows 7 or older operating systems. Microsoft plans to discontinue support for Windows 7 in January 2020. (The company will continue to provide updates for a fee through 2023.) Just one of the three major election technology companies expects to have a system certified for Windows 10 by fall 2019.
[Editor Comments]
[Pescatore] There are millions of single purpose appliances in use that are going to be running on Windows 7 for years. While vendors will surely push for new equipment to be procured, badly written new software running on Windows 10 isn't necessarily more secure than reviewed and tested software running on Windows 7. Some states (like Washington state) are ahead of the curve and will test new systems in the 2019 elections, but many others will have to work to force vendors to pay for Windows 7 support licenses.
[Neely] This is not as simple as just updating to Windows 10. The upgraded systems need to pass a federal certification which takes over a year and has significant cost. Unfortunately, some of these systems are from companies that are out of business, so the only option is to purchase a replacement, likely ahead of the planned lifecycle date. With operating systems that cannot be updated, reduce risks by isolation and increased monitoring to protect the older systems from inappropriate access attempts.
Read more in:
AP News: AP Exclusive: New election systems use vulnerable software
https://www.apnews.com/e5e070c31f3c497fa9e6875f426ccde1
MeriTalk: Most Election Systems Run on Outdated Systems, AP Reports
https://www.meritalk.com/articles/most-election-systems-run-on-outdated-systems-ap-reports/
The Hill: Thousands of election systems running software that will soon be outdated: report
**************************** SPONSORED LINKS ******************************
1) Webcast "Modernize Your Security Platform to Prepare for the Latest Threats." Register for this webcast here: http://www.sans.org/info/213645
2) SANS would like your input on the effectiveness of your security testing program! Share your thoughts here in our quick poll: http://www.sans.org/info/213640
3) July 29th at 1 PM ET: Sign up for the webcast "Is Your Plant Cyber Resilient? Next Steps to Achieving Safe and Secure Plant Operation." http://www.sans.org/info/213650
*****************************************************************************
REST OF THE WEEK'S NEWS
--FTC Commissioners Approve $5 Billion Facebook Settlement
(July 12, 2019)
The US Federal Trade Commission (FTC) has voted to approve a settlement with Facebook that fines the company US $5 billion over privacy issues related to the Cambridge Analytica scandal. The investigation centered on whether Cambridge Analytica's acquisition of Facebook user data violated a 2012 consent decree with the FTC under which Facebook promised to better protect user data. The matter is now in the hands of the Justice Department's civil division to be finalized. The settlement likely includes additional terms, but they have not been made public. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Pescatore] Numbers to use when briefing the CEO and board, especially on supply chain risks: Since this action was triggered by Facebook allowing Cambridge Analytica to compromise the privacy of 87M Facebook user accounts, this works out to about $57.5 per account compromised. Facebook's other costs of dealing with this incident probably bring the total cost up to the $100/record range. In their 1Q19 financial report, Facebook had estimated the FTC fine would be in the $3-5B range, so this was at the high end of that. Facebook reported $2.5B of profit in 1Q19, so the fine wipes out all of that and likely most of 2Q profit.
[Murray] It is unlikely that a "mere" $5B fine will be sufficient to reform Facebook's behavior. This suggests that the problem is one of scale. A legislative remedy may be necessary.
Read more in:
WSJ: FTC Approves Roughly $5 Billion Facebook Settlement (paywall)
https://www.wsj.com/articles/ftc-approves-roughly-5-billion-facebook-settlement-11562960538
SC Magazine: Facebook to pony up $5 billion in FTC settlement
Ars Technica: Facebook's FTC fine will be $5 billion--or one month's worth of revenue
--German State Bans Office 365 in Schools Over Privacy Concerns
(July 12, 2019)
The German state of Hesse has banned the use of Microsoft Office 365 in its schools, citing privacy concerns. The Hessian data protection commissioner wrote that using the cloud suite could expose student and teacher information to US officials. Microsoft Office 365 sends telemetry data to the US; those data have been found to contain all sorts of information, from system diagnostics to sentences lifted from documents.
[Editor Comments]
[Neely] Core here is understanding where your data is and who can access it with cloud or outsourced services. While storage of content/data is often reviewed fully, the sending of telemetry or other usage data, intended to help resolve stability and performance issues, is typically a user-level decision to enable (Microsoft Telemetry cannot be disabled) and contains more information than expected. Where technical controls cannot manage the setting, user training is necessary, backed by policy.
[Honan] At the core of this issue for the German officials is the lack of transparency and accountability for EU citizens' data held by US companies and subject to the US Cloud Act. Legislation which enables better cooperation between law enforcement is always welcome. However, it is crucial that individual rights are adequately protected.
Read more in:
Ars Technica: Office 365 declared illegal in German schools due to privacy risks
ZDNet: Microsoft Office 365: Banned in German schools over privacy fears
https://www.zdnet.com/article/microsoft-office-365-banned-in-german-schools-over-privacy-fears/
--County in Indiana Pays Ransomware
(July 9 & 14, 2019)
La Porte County, Indiana has paid a ransomware demand of US $130,000. The initial infection occurred on July 6; the La Porte County IT department was able to limit the malware's spread to seven percent of county laptops. However, the ransomware did affect two domain controllers, which prevented servers from accessing network services. A local news source reported that the ransomware infected the county's backup servers. The county's insurance paid approximately US $100,000 of the ransom.
Read more in:
The News Dispatch: Malware attack on county computers
https://www.thenewsdispatch.com/news/article_d9809e48-7e8d-52d5-9d08-5d6c1adab2a2.html
WSBT: La Porte County pays $130,000 in Bitcoin as ransom to hackers
https://wsbt.com/news/local/la-porte-county-pays-130000-in-bitcoin-as-ransom-to-hackers
Bleeping Computer: La Porte County Pays $130,000 Ransom To Ryuk Ransomware
--Sea Turtle DNS Hijacking Campaign
(July 9, 10, 11, 12, & 15, 2019)
Researchers from Talos have found that the group of hackers responsible for the Sea Turtle DNS hijacking campaign "are redoubling their efforts with new infrastructure." Talos says it has "moderate confidence that the threat actors behind Sea Turtle have been using another DNS hijacking technique." The new campaign is focused on military and government targets in the Middle East. Talos first wrote about Sea Turtle in April 2019.
Read more in:
Talos Intelligence: Sea Turtle keeps on swimming, finds new victims, DNS hijacking techniques
https://blog.talosintelligence.com/2019/07/sea-turtle-keeps-on-swimming.html
Talos Intelligence: DNS Hijacking Abuses Trust In Core Internet Service (April 2019)
https://blog.talosintelligence.com/2019/04/seaturtle.html
Infosecurity Magazine: Sea Turtle DNS Hijackers Go After More Victims
https://www.infosecurity-magazine.com/news/sea-turtle-dns-hijackers/
GovInfosecurity: 'Sea Turtle' DNS Hijackers Expand Reach
https://www.govinfosecurity.com/sea-turtle-dns-hijackers-expand-reach-a-12780
The Register: Sea Turtle hackers head to the Mediterranean, snag Greece's TLD registrar as a souvenir
https://www.theregister.co.uk/2019/07/11/sea_turtle_greece_tld/
SC Magazine: Sea Turtle DNS hijackers linked to breach of Greece's ccTLD organization
--Remote Code Execution Flaw in Ad Inserter WordPress Plug-in
(July 15, 2019)
A critical flaw in the Ad Inserter WordPress plug-in can be exploited to execute PHP code remotely. One day after learning of the vulnerability, the plug-in's developer released an updated version, 2.4.22, that addresses the issue.
Read more in:
Bleeping Computer: Critical Bug in WordPress Plugin Lets Hackers Execute Code
--Oracle Critical Patch Update for July
(July 15, 2019)
Oracle will release its Critical Patch Update for July on Tuesday, July 16. The update will include fixes for 322 vulnerabilities in numerous products.
Read more in:
Oracle: Oracle Critical Patch Update Pre-Release Announcement - July 2019
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
Infosecurity Magazine: Oracle to Release Critical Patch Update
https://www.infosecurity-magazine.com/news/oracle-to-release-critical-patch/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
isodump.py and Malicious ISO Files
https://isc.sans.edu/forums/diary/isodumppy+and+Malicious+ISO+Files/25134/
Scrapy Vulnerabilities
iOS URL Scheme Susceptible to Hijacking
https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/
Magecart Targets S3 Buckets
https://www.riskiq.com/blog/labs/magecart-amazon-s3-buckets/
Atlassian Jira Vulnerability
https://confluence.atlassian.com/jira/jira-security-advisory-2019-07-10-973486595.html
Atlassian Crowd Vulnerability Details
https://www.corben.io/atlassian-crowd-rce/
Microsoft to Detect Phishing in Forms
https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=52927
Tracking Anonymized Bluetooth Devices (PDF)
https://petsymposium.org/2019/files/papers/issue3/popets-2019-0036.pdf
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create