SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #58
July 26, 2019Ransomware Hits Electric Power Provider and 3 Louisiana School Districts; VPN Flaws Affect Widely Used Products
****************************************************************************
SANS NewsBites July 26, 2019 Vol. 21, Num. 058
****************************************************************************
TOP OF THE NEWS
Ransomware Attack Hits Electric Power Provider in Johannesburg
Three Louisiana School Districts Suffer Ransomware Infections, Governor Declares State of Emergency
VPN Flaws Affect Widely Used Products
REST OF THE WEEK'S NEWS
BlueKeep Exploit Instructions Posted Online; Exploit Included in Company's Pen-Test Toolkit
Vulnerability in VLC Module
Prison Sentence for Man Who Hacked iCloud Accounts
Google Bans Dark Matter Certificates
NSA to Create Cybersecurity Directorate to Improve Cyber Defense
Man Arrested for Allegedly Trying to Launder Cryptocurrency Obtained Through Narcotics Trafficking
Facebook to Pay $5 Billion Penalty
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019
-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019
-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019
-- SANS Virginia Beach 2019 | August 19-30 | https://www.sans.org/event/virginia-beach-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019
-- Threat Hunting & Incident Response Summit 2019 | New Orleans, LA | September 30-October 7 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- SANS OnDemand and vLive Training
Get an 11" iPad Pro, Surface Pro, or Take $350 Off through August 7 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
****************** Sponsored By Amazon Web Services, Inc. *******************
JumpStart Guide to Cloud-Based Firewalls in AWS: This webcast provides guidance on the key issues to consider when choosing next-generation firewall/threat prevention solutions for integration on the AWS platform and suggests a process for making that important decision. Register: http://www.sans.org/info/213765
*****************************************************************************
TOP OF THE NEWS
--Ransomware Attack Hits Electric Power Provider in Johannesburg
(July 25, 2019)
A ransomware attack that hit systems at City Power, a pre-paid electric power company in Johannesburg, South Africa, has left some residents there without electricity. The attack has affected City Power's database, internal networks, website, and web apps. City Power is owned by the city of Johannesburg.
Read more in:
News24: Joburg prepaid electricity users left in the dark as City Power crippled by computer virus
ZDNet: Ransomware incident leaves some Johannesburg residents without electricity
Dark Reading: Johannesburg Ransomware Attack Leaves Residents in the Dark
The Register: South Africans shivering after ransomware infection knackers power grid for Johannesburg
https://www.theregister.co.uk/2019/07/25/johannesburg_ransomware_utility/
--Three Louisiana School Districts Suffer Ransomware Infections, Governor Declares State of Emergency
(July 25, 2019)
Louisiana's governor has declared a state of emergency after three school districts there were hit with ransomware attacks. The declaration makes certain state resources, the Louisiana National Guard and the Office of Technology Services, available to the affected school districts. This is believed to be just the second time a US governor has declared a state of emergency related to a cyberattack. In early 2018, Colorado's governor declared a state of emergency when systems at the Colorado Department of Transportation were infected with ransomware.
[Editor Comments]
[Honan] Today is the 3rd anniversary of the launch of the No More Ransom initiative by Europol. In the past three years NoMoreRansom has helped over 200,000 victims, prevented criminals from earning US$108,000,000 and covers over 100 ransomware families.
Read more in:
Louisiana: State of Emergency - Cybersecurity Incident
Statescoop: Louisiana declares emergency over cyberattacks targeting schools
https://statescoop.com/louisiana-declares-emergency-over-cyberattacks-targeting-schools/
SC Magazine: Louisiana declares state of emergency after cyberattacks hit three school districts
ZDNet: Louisiana governor declares state emergency after local ransomware outbreak
--VPN Flaws Affect Widely Used Products
(July 23, 2019)
Critical flaws in popular virtual private networks (VPNs) could be exploited to gain access to corporate networks and steal data. The flaws are easily remotely exploitable; they affect VPNs from Palo Alto Networks, Pulse Secure, and Fortinet. All three have released advisories and updates to address the issues. Devcore researchers plan to discuss their findings about the flaws at the Black Hat security conference next month.
[Editor Comments]
[Pescatore] This is a good reminder about the importance of a complete and accurate software inventory. Patches for this vulnerability have been out for a while but often tools or components like VPN software are overlooked.
[Neely] While the patches have been out for a bit, scans found many devices online still running the vulnerable code. Make sure that your boundary protections, including VPN, Firewalls, IDS/IPS are in your maintenance schedule with priority for updates. You may need to acquire non-production units to satisfy regression testing requirements.
Read more in:
TechCrunch: Flaws in widely used corporate VPNs put company secrets at risk
https://techcrunch.com/2019/07/23/corporate-vpn-flaws-risk/
ZDNet: Critical flaw in Palo Alto VPN solution impacts Uber, other enterprises may be at risk
https://www.zdnet.com/article/uber-hit-by-critical-vulnerability-in-palo-alto-vpn-solution/
NIST: CVE-2019-11510 Detail
https://nvd.nist.gov/vuln/detail/CVE-2019-11510
Palo Alto: Advisory (CVE-2019-1579)
https://securityadvisories.paloaltonetworks.com/Home/Detail/158
Fortiguard: FortiOS system file leak through SSL VPN via specially crafted HTTP resource requests
https://fortiguard.com/psirt/FG-IR-18-384
Pulse Secure: SA44101 - 2019-04: Out-of-Cycle Advisory: Multiple vulnerabilities resolved in Pulse Connect Secure / Pulse Policy Secure 9.0RX
https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44101
**************************** SPONSORED LINKS ******************************
1) Incident Response Panel Discussion: SANS expert Matt Bromiley, DomainTools and ExtraHop to discuss key themes from the SANS 2019 IR Survey. http://www.sans.org/info/213750
2) Survey: What challenges do you face with implementing endpoint security in your organization? Take this survey. http://www.sans.org/info/213745
3) Webcast July 29th at 1 PM ET: Is Your Plant Cyber Resilient? Next Steps to Achieving Safe and Secure Plant Operation. http://www.sans.org/info/213760
*****************************************************************************
REST OF THE WEEK'S NEWS
--BlueKeep Exploit Instructions Posted Online; Exploit Included in Company's Pen-Test Toolkit
(July 22, 24, & 25, 2019)
Information posted to Github offers directions for exploiting the BlueKeep vulnerability, and a US security company says it is including a BlueKeep exploit in its pen-testing toolkit. Several weeks ago, cybersecurity firm BitSight estimated that more than 800,000 Windows machines had yet to be patched against BlueKeep. The issue affects Windows XP, Vista, Windows 7, Server 2003, and Server 2008. Microsoft released patches in mid-May.
[Editor Comments]
[Murray/Paller] There is something about the weeks leading up DefCon that turns security researchers into digital terrorists.
Read more in:
The Register: With more hints dropped online on how to exploit BlueKeep, you've patched that Windows RDP flaw, right?
https://www.theregister.co.uk/2019/07/24/bluekeep_code_release/
Ars Technica: Chances of destructive BlueKeep exploit rise with new explainer posted online
ZDNet: US company selling weaponized BlueKeep exploit
https://www.zdnet.com/article/us-company-selling-weaponized-bluekeep-exploit/
--Vulnerability in Third-Party Library Was Fixed in VLC 16 Months Ago
(July 23 & 24, 2019)
A critical heap buffer overflow flaw that was initially reported to affect VideoLAN's VLC media player actually affects a third-party library. VLC developers say that their product is not vulnerable and that that "the issue is in a 3rd party library, called libebml, which was fixed more than 16 months ago. VLC since version 3.0.3 has the correct version shipped."
Read more in:
Twitter: VideoLAN: VLC in not vulnerable
https://twitter.com/videolan/status/1153963312981389312
Bleeping Computer: Keep Calm, Carry On. VLC Not Affected by Critical Vulnerability
The Register: Dodgy vids can hijack PCs via VLC security flaw, US, Germany warn. Software's makers not app-y with that claim
https://www.theregister.co.uk/2019/07/23/remote_code_flaw_vlc/
--Prison Sentence for Man Who Hacked iCloud Accounts
(July 18, 19, & 23, 2019)
A US District Court Judge in Georgia sentenced Kwamaine Jerell Ford to 37 months in prison for breaking into Apple accounts that belonged to well-known professional athletes and rappers. Ford spent more than US $300,000 using financial information he obtained from the accounts. He was convicted in charges of computer fraud and aggravated identity theft.
Read more in:
SC Magazine: Georgia man sentenced to prison for hacking iClouds of athletes and musicians
The Register: In the cooler for the next three years: Hacker of iCloud accounts used by athletes and rappers
https://www.theregister.co.uk/2019/07/19/hacker_icloud_jailed_thee_years/
Justice: Georgia man who hacked professional athletes and musicians sentenced to prison
--Google Bans Dark Matter Certificates
(July 23, 2019)
Google has joined Mozilla in banning DarkMatter root certificates. Mozilla banned the certificates from Firefox at the beginning of July, citing concerns that DarkMatter might abuse the privilege of being on the Firefox certificate whitelist. DarkMatter is a cybersecurity vendor based in the United Arab Emirates (UAE). The organization has reportedly carried out surveillance operations targeting journalists, governments, and human rights activists.
Read more in:
ZDNet: Google bans DarkMatter certificates from Chrome and Android
https://www.zdnet.com/article/google-bans-darkmatter-certificates-from-chrome-and-android/
--NSA to Create Cybersecurity Directorate to Improve Cyber Defense
(July 23, 2019)
The US National Security Agency (NSAA) will establish a cybersecurity directorate later this year. The creation of the directorate will allow the NSA to share information obtained by signals intelligence with other government agencies and with private sector organizations. The directorate is scheduled to become operational on October 1, 2019. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Neely] The initiative includes reorganization of their web pages to create a one-stop-shop for vulnerability information, uploading malware samples to VirtusTotal, and posting their own research and threat warnings. They expect to incorporate lessons learned from other agencies' efforts and from the private sector.
Read more in:
WSJ: NSA Forms Cybersecurity Directorate Under More Assertive U.S. Effort (paywall)
Cyberscoop: NSA to establish new Cybersecurity Directorate to boost defense
https://www.cyberscoop.com/nsa-cybersecurity-directorate/
--Man Arrested for Allegedly Trying to Launder Cryptocurrency Obtained Through Narcotics Trafficking
(July 18 & 23, 2019)
US federal authorities have arrested an Ohio man for allegedly attempting to launder US $19 million in cryptocurrency that he earned from drug deals on the now defunct Silk Road dark web market. Haney has ben charged with one count of concealment money laundering and one count of engaging in a financial transaction in criminally derived property. Haney allegedly moved the bitcoin proceeds to a cryptocurrency exchange and claimed that he obtained the funds through cryptomining. However, authorities say they can trace the blockchain transactions back to the Silk Road. When Haney converted the cryptocurrency to cash, federal agents seized the funds and arrested him.
[Editor Comments]
[Neely] This points out the risk of the intersection of cryptocurrency and traditional currency when reporting the source of funds. The conversion to cash was a visible transaction which allegedly allowed DHS to trace the Bitcoin blockchain back to its origin. Kudos to DHS for developing this capability, and a reminder of the importance of good operational security.
Read more in:
Justice: U.S. Attorney Announces Arrest And Money Laundering Charges Against Dark Web Narcotics Trafficker
Justice: United States of America v. Hugh Brian Haney (PDF)
https://www.justice.gov/usao-sdny/press-release/file/1184386/download
CNBC: This Ohio man is accused of trying to launder $19 million of bitcoin from the dark web
https://www.cnbc.com/2019/07/23/man-accused-of-laundering-millions-in-bitcoin-from-silk-road.html
Yahoo: Silk Road drug dealer caught allegedly trying to wash $19 million bitcoin
https://finance.yahoo.com/amphtml/news/silk-road-drug-dealer-caught-122416173.html
--Facebook to Pay $5 Billion Penalty
(July 24 & 25, 2019)
At a press conference on Wednesday, July 24, the US Federal Trade Commission announced that Facebook will pay a $5 billion penalty for violating consumer privacy. The FTC does not find anyone personally responsible for the violations, nor does it impose significant changes to the way Facebook collects data.
[Editor Comments]
[Pescatore] A lot of the political and press reaction was that the fine was too low, because it is "only" about 8% of Facebook's revenue run rate. That is twice as much as the European GDPR compliance regime allows and is definitely a board-level attention getter. It is also not the end of the impact on Facebook, and other tech companies, as both the political and market forces in the US are starting to move more towards requiring the "opt-in/informed consent" model that Europe has long used, vs. the "trick the user into not opting-out" model long in use in the US.
[Neely] The focus here is on changes to privacy data gathering and consent processes rather than the amount of the fine. As privacy legislation continues to evolve, active rather than passive consent, with the right to rescind, must become SOP.
Read more in:
Ars Technica: FTC fines Facebook $5 billion, imposes new privacy oversight
ZDNet: FTC hits Facebook with record $5 billion fine for user privacy violations
SC Magazine: FTC levies historic fine on Facebook for privacy violations
FTC: FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
TLS Configuration
https://isc.sans.edu/forums/diary/Verifying+SSLTLS+configuration+part+1/25162/
https://www.sans.org/webcasts/beast-poodle-celebrating-sweet32-111400
May People Be Considered As IOC?
https://isc.sans.edu/forums/diary/May+People+Be+Considered+as+IOC/25166/
When Users Attack: Users and Admins Thwarting Security Controls
Apple Updates Everything
https://support.apple.com/en-us/HT201222
QNAP/Synology Update Security Advise
https://www.qnap.com/en-us/security-advisory/nas-201907-11
https://www.facebook.com/synologydeutschland/photos/a.1594837477441905/2417134061878905/
Darkmatter Intermediate Certificate Trust Removed From Google Chrome
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/7-oKhDBLetQ
Johannesburg Power Outages Due To Ransomware
https://twitter.com/CityofJoburgZA
https://www.theregister.co.uk/2019/07/25/johannesburg_ransomware_infection/
Elasticsearch Vulnerabilities used to install DDoS Bot
VLC not Vulnerable to libebml Vulnerability
https://threader.app/thread/1153963312981389312
New Bluekeep Writeup
https://github.com/0xeb-bp/bluekeep
Immunity's Canvas Now Includes BlueKeep Exploit
https://twitter.com/Immunityinc/status/1153752470130221057
Cryptominer With BlueKeep Scanner
https://www.intezer.com/blog-watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create