
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #56

July 19, 2019

Android Apps Delay Upgrades to Extend Data Collection; Microsoft ElectionGuard; Governors Association Says States Need Cyber Disruption Response Plans



****************************************************************************

SANS NewsBites                July 19, 2019                Vol. 21, Num. 056

****************************************************************************

TOP OF THE NEWS

 

  Android Apps Delayed Upgrade to Prolong Data Collection

  Microsoft ElectionGuard Demo

  Governors Association Says States Need Cyber Disruption Response Plans



REST OF THE WEEK'S NEWS

      

  Galileo Satellite Outage

  New Dropbox File Manager App Pushed Out Inadvertently

  Alleged Malware Author Arrested in Holland

  Bulgarian Tax Data Breached

  800,000+ Have Not Patched BlueKeep

  Firmware Flaws Affect Supply Chain for Server Manufacturers

  Firefox to Label All HTTP Sites "Not Secure"


INTERNET STORM CENTER TECH CORNER


*************** Sponsored By Yokogawa Corporation of America ****************


Webcast: Is Your Plant Cyber Resilient? Next Steps to Achieving Safe and Secure Plant Operation. This webcast will highlight the key challenges companies in the process industry face in the era of OT/IT convergence and provide guidance on how they should take their next step in addressing cyber risk and achieving safe and secure operations. http://www.sans.org/info/213675


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019


-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019


-- SANS Virginia Beach 2019 | August 19-30 | https://www.sans.org/event/virginia-beach-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019


-- Threat Hunting & Incident Response Summit 2019 | New Orleans, LA | September 30-October 7 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- SANS OnDemand and vLive Training

Get an iPad Pro with Smart Keyboard, HP ProBook, or Take $350 Off through July 24 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************************************

TOP OF THE NEWS


--Android Apps Delayed Upgrade to Prolong Data Collection

(July 16, 2019)

When Android 6 (Marshmallow) was released in October 2015, it included a change that allowed users to grant permissions individually rather than granting apps blanket permissions at install time. Researchers at the University of Maryland found that some app developers delayed updating their apps to target Android 6 so they could continue to take advantage of the less restrictive permission controls. By declaring themselves "legacy apps," they were able to keep using the older permission mechanism. The developers who delayed upgrading their apps found that they began receiving negative reviews in the app store.


[Editor Comments]


[Pescatore] Google Play and the Apple App Store greatly reduce the number of malicious apps that get downloaded by users (compared to the Windows world with no app store in use), but the bad guys writing malicious apps will obviously continue to innovate. Avast recently notified Google of 7 malicious apps it found had been published. Google and Apple haven't been very transparent on any innovation on their side to keep up with, if not move ahead of, the bad guys. Case in point: the uproar around FaceApp is based on nothing other than the fact that FaceApp's code was written in Russia - there is zero indication of any actual other reasons to be worried about privacy. But the lack of ability to fully trust Google Play and the Apple App Store enables the overhype. The order that apps show up in after a search in the stores is based on user ratings; it would be very powerful for those stores to have the default ranking be based on some privacy score.



Read more in:

ZDNet: Permission-greedy apps delayed Android 6 upgrade so they could harvest more user data

https://www.zdnet.com/article/permission-greedy-apps-delayed-android-6-upgrade-so-they-could-harvest-more-user-data/
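The "legacy app" mechanism the story describes is the app's targetSdkVersion: an app that targets an API level below 23 (Android 6.0) keeps the install-time, all-or-nothing permission grant even when it runs on Android 6 or later. The following script is an added example, not code from the University of Maryland study or the linked articles, that triages apps from the output of `aapt dump badging` and flags those combining a legacy target level with permissions Android 6 would otherwise prompt for at runtime. The badging text, package names and permission lists are constructed for the example, and the dangerous-permission list is a representative subset, not the complete set.

```python
import re

# Constructed sample: abbreviated `aapt dump badging` output for three hypothetical
# apps (package names, versions and permission lists are invented for this example).
SAMPLE_BADGING = {
    "legacy_flashlight": (
        "package: name='com.example.flashlight' versionCode='12' versionName='1.2'\n"
        "sdkVersion:'16'\n"
        "targetSdkVersion:'22'\n"
        "uses-permission: name='android.permission.INTERNET'\n"
        "uses-permission: name='android.permission.READ_CONTACTS'\n"
        "uses-permission: name='android.permission.ACCESS_FINE_LOCATION'\n"
    ),
    "updated_notes": (
        "package: name='com.example.notes' versionCode='40' versionName='4.0'\n"
        "sdkVersion:'21'\n"
        "targetSdkVersion:'26'\n"
        "uses-permission: name='android.permission.INTERNET'\n"
        "uses-permission: name='android.permission.CAMERA'\n"
    ),
    "no_target": (
        "package: name='com.example.old' versionCode='1' versionName='1.0'\n"
        "sdkVersion:'14'\n"
        "uses-permission:'android.permission.READ_SMS'\n"
    ),
}

# API level at which per-permission runtime grants became mandatory (Android 6.0).
RUNTIME_PERMISSION_API = 23

# Representative subset of the "dangerous" permissions Android 6 prompts for at
# runtime when an app targets API 23+; legacy apps receive them all at install time.
DANGEROUS_PERMISSIONS = {
    "android.permission.READ_CONTACTS",
    "android.permission.WRITE_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
}


def parse_badging(text):
    """Extract package, minSdk, targetSdk and declared permissions from badging output."""
    info = {"package": None, "min_sdk": None, "target_sdk": None, "permissions": []}
    for line in text.splitlines():
        m = re.match(r"package: name='([^']+)'", line)
        if m:
            info["package"] = m.group(1)
            continue
        m = re.match(r"sdkVersion:'(\d+)'", line)
        if m:
            info["min_sdk"] = int(m.group(1))
            continue
        m = re.match(r"targetSdkVersion:'(\d+)'", line)
        if m:
            info["target_sdk"] = int(m.group(1))
            continue
        # Accept both the older "uses-permission:'x'" and newer "uses-permission: name='x'" forms.
        m = re.match(r"uses-permission:(?: name=)?'([^']+)'", line)
        if m:
            info["permissions"].append(m.group(1))
    # When targetSdkVersion is absent from the manifest it defaults to minSdkVersion.
    if info["target_sdk"] is None:
        info["target_sdk"] = info["min_sdk"]
    return info


def assess(text):
    """Report whether an app still runs under the pre-Android-6 install-time grant model."""
    info = parse_badging(text)
    legacy = info["target_sdk"] is not None and info["target_sdk"] < RUNTIME_PERMISSION_API
    dangerous = sorted(p for p in info["permissions"] if p in DANGEROUS_PERMISSIONS)
    return {
        "package": info["package"],
        "target_sdk": info["target_sdk"],
        "install_time_grants": legacy,
        "dangerous_permissions": dangerous,
        # The pattern the research describes: a legacy target plus sensitive permissions.
        "flag": legacy and bool(dangerous),
    }


def flagged_packages(samples):
    """Names of the sample apps that combine a legacy target with dangerous permissions."""
    return sorted(name for name, text in samples.items() if assess(text)["flag"])


if __name__ == "__main__":
    for name, text in SAMPLE_BADGING.items():
        print(name, assess(text))
```

On a real device fleet the same check can be run against `aapt dump badging` output for each installed APK; an app that still targets API 22 or lower years after Marshmallow shipped is worth a closer look at what it actually does with the permissions it was granted silently at install time.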

 

--Microsoft ElectionGuard Demo

(July 17 & 18, 2019)

Earlier this week, Microsoft began demonstrating its ElectionGuard voting verification technology. Microsoft plans to release ElectionGuard source code on GitHub later this year. In a blog post, Microsoft notes that cyberattacks sponsored by nation-states are on the rise. Over the past year, Microsoft has notified nearly 10,000 customers that they were being targeted by such attacks. The majority of the attacks were against enterprise customers.


Read more in:

ZDNet: Microsoft demos ElectionGuard technology for securing electronic voting machines

https://www.zdnet.com/article/microsoft-demos-electionguard-technology-for-securing-electronic-voting-machines/

Microsoft: New cyberthreats require new ways to protect democracy

https://blogs.microsoft.com/on-the-issues/2019/07/17/new-cyberthreats-require-new-ways-to-protect-democracy/

SC Magazine: Microsoft demos vote verification tool, warns of ongoing foreign meddling

https://www.scmagazine.com/home/security-news/microsoft-demos-vote-verification-tool-warns-of-ongoing-foreign-meddling/

The Register: Microsoft demos end-to-end voting verification system ElectionGuard, code will be on GitHub

https://www.theregister.co.uk/2019/07/18/microsoft_demos_electionguard_system_will_publish_code_on_github/

Ars Technica: Microsoft warns 10,000 customers they're targeted by nation-sponsored hackers

https://arstechnica.com/tech-policy/2019/07/microsoft-warns-10000-customers-theyre-targeted-by-nation-sponsored-hackers/

Cyberscoop: 10,000 Microsoft customers targeted by nation-state attacks in the last year

https://www.cyberscoop.com/microsoft-nation-state-attacks-iran-north-korea-russia/


 

--Governors Association Says States Need Cyber Disruption Response Plans

(July 16, 2019)

The US National Governors Association (NGA) has published an issue brief that urges states to develop cyber disruption response plans. The paper looks at plans that are being developed and tested by states; so far, 15 states have made their plans public, and several more have opted not to share theirs. The "plans detail the agencies that must respond to an incident, their roles and responsibilities (R&Rs), and how they will coordinate resources." The paper also examines how the plans work with the U.S. Department of Homeland Security (DHS) National Cyber Incident Response Plan (NCIRP), and concludes with recommendations for developing and revising cyber disruption response plans.


[Editor Comments]


[Murray] One of the lessons that we should take away from "ransomware" attacks is that traditional "backup and recovery" plans do not provide the essential resilience that is required in today's hostile environment and high dependence. "Resilience" must be our new objective. "A plan is not a document which one takes out and reads while sitting in the ashes. It is a capability, the ability to do something in its presence that one cannot do in its absence."  --Robert H. Courtney, Jr.


Read more in:

NGA: State Cyber Disruption Response Plans (PDF)

https://www.nga.org/wp-content/uploads/2019/04/IssueBrief_MG.pdf

GCN: A blueprint for cyber disruption response

https://gcn.com/articles/2019/07/16/nga-report-cyber-disruption-response.aspx

Statescoop: States need cyber disruption response plans, NGA says

https://statescoop.com/state-cyber-disruption-response-plans-nga-report/


****************************  SPONSORED LINKS  ******************************


1) ICYMI: Learn the benefits of a Zero Trust security model to protect critical customer information. http://www.sans.org/info/213680


2) SANS wants your input on the effectiveness of your security testing program! Take this quick poll: http://www.sans.org/info/213685


3) July 30th at 1 PM ET "URL Filtering Best Practices - Making Your Web Security Policy Work for You." Sign up for this webcast: http://www.sans.org/info/213690


*****************************************************************************

REST OF THE WEEK'S NEWS

      

--Galileo Satellite Outage

(July 18, 2019)

Europe's Galileo satellite navigation system is mostly recovered from an outage that began on July 11. The cause of the outage is not clear, nor is the reason it took a week to fix. The outage affected nearly all Galileo services; just the "Search and Rescue" feature remained operational. Galileo was launched in 2016 with an eye to becoming an alternative to other navigation systems from the US, Russia, and China. The devices that use Galileo are programmed to fall back on GPS if Galileo does not work.  


[Editor Comments]


[Murray] Notice that fallback to GPS makes Galileo applications more robust. One hopes that in the future more GPS appliances for sensitive applications include fallback to Galileo.  


Read more in:

Wired: Europe's Weeklong Satellite Outage is Over--But Still Serves as a Warning

https://www.wired.com/story/galileo-satellite-outage-gps/

 
 

--New Dropbox File Manager App Pushed Out Inadvertently

(July 18, 2019)

Some Dropbox users have reported that the company has quietly installed a new file manager app on their systems. When Dropbox's New Desktop Experience was introduced earlier this year, it was available only as a deliberate download through Early Access. Dropbox says that the recent surprise updates were pushed out in error and that they are "working to revert this change."


Read more in:

Ars Technica: Dropbox silently installs new file manager app on users' systems

https://arstechnica.com/gadgets/2019/07/dropbox-silently-installs-new-file-manager-app-on-users-systems/

ZDNet: Dropbox announces new integrations with audio, video and transcription tools

https://www.zdnet.com/article/dropbox-announces-new-integrations-with-audio-video-and-transcription-tools/

TechSpot: Dropbox mistakenly installed a new desktop app on user devices without notice

https://www.techspot.com/news/81025-dropbox-mistakenly-installed-new-desktop-app-user-devices.html

 
 

--Alleged Malware Author Arrested in Holland

(July 17 & 18, 2019)

Police in the Netherlands have arrested a man for allegedly creating and distributing malware toolkits. The suspect "was found in possession of data concerning dozens of credit cards and manuals on carding... [as well as] access credentials for thousands of websites" according to a police statement.


[Editor Comments]


[Murray] Note that the malicious code exploits escape mechanisms in document processing software. These mechanisms are often enabled by default, whether or not they are needed.


Read more in:

OM.NL: Man from Utrecht arrested for producing and distributing malware

https://www.om.nl/@106323/man-from-utrecht

Infosecurity Magazine: Dutch Police Nab Macro Malware Suspect

https://www.infosecurity-magazine.com/news/dutch-police-nab-macro-malware/

SC Magazine: Dutch police, McAfee nail macro toolkit-builder, 'Rubella'

https://www.scmagazine.com/home/security-news/cybercrime/dutch-police-mcafee-nail-macro-toolkit-builder-rubella/

The Register: Dutch cops collar fella accused of crafting and flogging Office macro nasties to cyber-crooks

https://www.theregister.co.uk/2019/07/18/dutch_cops_malware_arrest/

 

--Bulgarian Tax Data Breached

(July 16, 17, & 18, 2019)

Authorities in Bulgaria have arrested a man in connection with the theft of millions of records from the databases at the country's tax agency. The incident affects nearly every adult in Bulgaria. The initial breach is believed to have taken place in June; it was disclosed on Monday, July 15. The tax agency could be fined up to €20 million (US $22.5 million) for the breach.


Read more in:

Reuters: 'Wizard' cybersecurity expert charged with record hack of Bulgarian tax agency

https://www.reuters.com/article/us-bulgaria-cybersecurity/wizard-cybersecurity-expert-charged-with-record-hack-of-bulgarian-tax-agency-idUSKCN1UC0GF

The Register: Bulgaria hack: 20-year-old infosec whizz cuffed after 'adult population's' finance deets nicked

https://www.theregister.co.uk/2019/07/18/bulgaria_financial_hack_arrest_5m_records_accessed/

NYT: 5 Million Bulgarians Have Their Personal Data Stolen in Hack

https://www.nytimes.com/2019/07/17/world/europe/bulgaria-hack-cyberattack.html

 
 

--800,000+ Have Not Patched BlueKeep

(July 17 & 18, 2019)

More than 800,000 systems running older versions of Windows have not yet been patched against the BlueKeep vulnerability, according to researchers. BlueKeep exists in Microsoft's Remote Desktop Protocol (RDP) and can be exploited to execute code remotely. The issue affects older versions of Windows, and is serious enough for Microsoft to have released fixes for versions of Windows that they no longer support.


Read more in:

Dark Reading: 800K Systems Still Vulnerable to BlueKeep

https://www.darkreading.com/vulnerabilities---threats/800k-systems-still-vulnerable-to-bluekeep/d/d-id/1335286

Cyberscoop: More than 805,000 systems are still exposed to BlueKeep, study finds

https://www.cyberscoop.com/bluekeep-patching-study-bitsight/

Threatpost: Wormable BlueKeep Bug Still Threatens Legions of Windows Systems

https://threatpost.com/805k-windows-systems-open-bluekeep/146529/

GovInfosecurity: Despite BlueKeep Warnings, Many Organizations Fail to Patch

https://www.govinfosecurity.com/despite-bluekeep-warnings-many-organizations-fail-to-patch-a-12795

Wired: Why Microsoft's Bluekeep Bug Hasn't Wreaked Havoc--Yet

https://www.wired.com/story/bluekeep-worm-windows/

 
 

--Firmware Flaws Affect Supply Chain for Server Manufacturers

(June 16 & 17, 2019)

A supply chain security issue affects seven server manufacturers. The two vulnerabilities in baseboard management controller (BMC) firmware could be exploited to execute arbitrary code. They persist even after an operating system reinstallation, and can brick affected servers. The firmware, which is from a company called Vertiv, is used in Gigabyte motherboards.    


Read more in:

Cyberscoop: This firmware flaw was bad enough, but then researchers looked at the supply chain

https://www.cyberscoop.com/lenovo-firmware-flaw-eclypsium-research/

Threatpost: Firmware Bugs Plague Server Supply Chain, 7 Vendors Impacted

https://threatpost.com/firmware-bugs-plague-supply-chain/146519/

 
 

--Firefox to Label All HTTP Sites "Not Secure"

(July 16, 2019)

Later this year, Firefox will begin labeling all HTTP websites as "not secure." The change is slated for Firefox 70, which is due out in October. Firefox currently displays a "not secure" warning for sites that contain forms or login fields.


Read more in:

ZDNet: Firefox follows in Chrome's footsteps and will mark all HTTP pages as 'not secure'

https://www.zdnet.com/article/firefox-follows-in-chromes-footsteps-and-will-mark-all-http-pages-as-not-secure/


 

INTERNET STORM CENTER TECH CORNER


Analysis of DNS TXT Records

https://isc.sans.edu/forums/diary/Analyzis+of+DNS+TXT+Records/25142/


802.1x Tips

https://isc.sans.edu/forums/diary/The+Other+Side+of+Critical+Control+1+8021x+Wired+Network+Access+Controls/25146/


Zoom/Apple Patches Additional Software

https://www.theverge.com/2019/7/16/20696529/apple-mac-silent-update-zoom-ringcentral-zhumu-vulnerabilty-patched


Lenovo/IOMega NAS API Vulnerability

https://www.theregister.co.uk/2019/07/16/iomega_nas_boxes/


FBI Releases GandCrab Master Keys

https://www.documentcloud.org/documents/6199678-GandCrab-Master-Decryption-Keys-FLASH.html


Amadeus Vulnerability Allows Access to Boarding Passes

https://www.7elements.co.uk/resources/technical-advisories/insecure-direct-object-reference-within-amadeus-check-in-application/


Android Media File Jacking

https://www.symantec.com/blogs/expert-perspectives/symantec-mobile-threat-defense-attackers-can-manipulate-your-whatsapp-and-telegram-media


Evil Gnome Linux Malware

https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/


New American Express Phishing Attacks

https://cofense.com/phishing-attacker-takes-american-express-victims-credentials/


Kazakhstan TLS Interception

https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/wnuKAhACo3E/cpsvHgcuDwAJ


BEC Trends (PDF)

https://www.fincen.gov/sites/default/files/shared/FinCEN_Financial_Trend_Analysis_FINAL_508.pdf


Cylance Weakness

https://skylightcyber.com/2019/07/18/cylance-i-kill-you/

 

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create