SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #67
August 27, 2019The Ransomware Epidemic: Two More Attacks Plus IT Manager Sues After Being Fired After Ransomware Attack
Three more stories in Top of the News this week reinforce the size of the ransomware epidemic. Short of a major breach and ransomware attack hitting your organization, the wave of articles showing that no site is immune is likely to be a powerful incentive for non-technical management to invest quickly and substantially in improving your enterprise cyber hygiene.
****************************************************************************
SANS NewsBites Aug. 27, 2019 Vol. 21, Num. 067
****************************************************************************
TOP OF THE NEWS
Lake City, Florida's Fired IT Manager is Suing the City in Aftermath of Ransomware Attack
New York School District Pays Ransom to Recover Data
UK Police Working with Eurofins Scientific to Clear Backlog After Ransomware Attack
REST OF THE WEEK'S NEWS
Training National Guard Cyber Units
Hostinger Resets Passwords for 14 Million Customers After Server Breach
Senators Have Questions for NHTSA About Internet-Connected Cars
Attackers Exploiting Flaws in WordPress Plugins
Los Angeles County Will Use Custom Voting System that Runs on Open Source Code
Apple Releases iOS Update to Fix Flaw Allowing Jailbreaks
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019
-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019
-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- Purple Team Summit & Training 2019 | Dallas, TX | October 21-28 | https://www.sans.org/event/purple-team-summit-2019
-- SANS OnDemand and vLive Training
Get free GIAC Cert Attempt or Take $350 off with OnDemand or vLive training through September 4.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored By AWS Marketplace **************************
Security information and event management plays an important role in collecting data on network assets and traffic. This webcast will provide guidance on key issues to consider when choosing SIEM or SOAR products for integration on the AWS platform and suggest a process for making such important decisions. Register for this webcast. http://www.sans.org/info/214020
*****************************************************************************
TOP OF THE NEWS
--Lake City, Florida's Fired IT Manager is Suing the City in Aftermath of Ransomware Attack
(August 22, 2019)
Lake City, Florida fired its IT manager Brian Hawkins after the government was hit with a ransomware attack in June. Lake City decided to pay $460,000 to regain access to its encrypted data. While the city manager blamed him for the breach, Hawkins maintains that he warned the city about the vulnerability several years ago and urged the city to purchase a cloud backup system. At the time, the city said the plan was too expensive, and instead opted for backups to be kept of the same server. Hawkins has filed a lawsuit against the city.
[Editor Comments]
[Murray] Hawkins's story is consistent with the experience of many of us. It is a case of "risk acceptance" by leadership. Any such risk acceptance, and its acknowledgement by the leadership, must be documented. If that was done in this instance, Hawkins will have a good case. In the absence of such documentation, his case may turn upon the honest recollection of that leadership of a decision made months ago. The three rules of risk management are document, document, document.
Read more in:
NYT: When Ransomware Cripples a City, Who's to Blame? This I.T. Chief Is Fighting Back
https://www.nytimes.com/2019/08/22/us/florida-ransomware-hacking-it.html
--New York School District Pays Ransom to Recover Data
(August 26, 2019)
The Rockville Center (NY) School District paid hackers $100,000 to regain access to data that were encrypted in a ransomware attack. The ransom is being covered by the district's cyber insurance policy. The insurance company helped arrange the ransom payment.
[Editor Comments]
[Murray] Ransomware attacks are breaches. Like fires, they have consequences that may go way beyond our available resources. They are the kinds of risk that we need insurance to cover. Some "ransomware" attack claims have been rejected. Be sure that you are covered and that your claim will be paid.
[Honan] The insurance company AIG noted that the second most frequent reason for paying out a claim against a cyber insurance policy is ransomware (https://www.aig.co.uk/insights/claims-intelligence-cyber-report-2019: Cyber Claims: GDPR and business email compromise drive greater frequencies). For insurers it may make financial sense to pay the ransom rather than paying the costs of recovery. However, this approach motivates criminals to launch more ransomware attacks and in turn creates more victims.
Read more in:
SC Magazine: Rockville Center School District pays $100,000 ransom
--UK Police Working with Eurofins Scientific to Clear Backlog After Ransomware Attack
(August 20, 2019)
In the wake of the June 2019 ransomware attack that targeted the forensic analysis firm Eurofins Scientific, the UK's National Police Chiefs' Council (NPCC) chose to suspend its work with the company. Several weeks ago, NPCC decided that police may once again use Eurofins, but the delay has caused a backlog of 20,000 forensic samples. NPCC expects the backlog to be cleared within two months. Eurofins paid the attackers to regain access to its encrypted data. The company is based in Luxembourg; the attack affected branches in the UK and other countries. The attack is still under investigation.
Read more in:
BBC: Eurofins Scientific: Cyber-attack leads to backlog of 20,000 forensic samples
https://www.bbc.com/news/uk-49361260
GovInfosecurity: UK Police Investigations Still Affected by Ransomware Attack
https://www.govinfosecurity.com/uk-police-investigations-still-affected-by-ransomware-attack-a-12936
**************************** SPONSORED LINKS ******************************
1) Webcast August 29th at 1 PM ET: BloxOne(TM) Threat Defense: Strengthening and Optimizing Your Security Posture from the Foundation Up. http://www.sans.org/info/214025
2) Take the SANS 2019 Endpoint Survey and enter for a chance to win a $400 Amazon gift card! http://www.sans.org/info/214030
3) Webcast: See how you can identify which files are malicious and learn effective ways to counter them. http://www.sans.org/info/214035
*****************************************************************************
REST OF THE WEEK'S NEWS
--Training National Guard Cyber Units
(August 23 & 26, 2019)
Members of the US National Guard (a military force) are increasingly being called in to aid organizations with recovery from cyberattacks, including ransomware. In Louisiana and in Texas, which both recently experienced multiple, simultaneous ransomware attacks, the governors called in the National Guard "almost immediately," according to Air Force Gen. Joseph Lengyel, who oversees the National Guard across the country. Lengyel also noted that having enough National Guard members who are able to help recover from cyberattacks is "an expanding problem set we have to deal with," and that policies and training need to be standardized across all National Guard cyber units.
[Editor Comments]
[Murray] The US armed forces have vast experience in, and methods for, identifying talent and training personnel to perform complex tasks. They will apply that experience and those methods here.
Read more in:
Statescoop: Ransomware threat raises National Guard's role in state cybersecurity
https://statescoop.com/ransomware-cybersecurity-state-government-national-guard-role/
FNN: Local government cyber attacks cause National Guard cyber units to look inward
--Hostinger Resets Passwords for 14 Million Customers After Server Breach
(August 25 & 26, 2019)
Hostinger, a web hosting provider and Internet domain registrar, says that a hacker accessed an internal sAPI server, compromising personal information, including hashed passwords, of more than 14 million customers. The company says it has reset all affected passwords. Hostinger was alerted to the breach on Friday, August 23. Customers are also being urged "not to use the same passwords on multiple service providers across the web."
[Editor Comments]
[Neely] By taking a conservative proactive approach, Hostinger is limiting the exposure of the breach. Hostinger also published a status page and a blog of their actions to date for increased transparency. This is an excellent opportunity to setup a password manager if you haven't already.
Read more in:
Threatpost: Hostinger Data Breach: 14M Customer Passwords, Personal Data at Risk
https://threatpost.com/hostinger-data-breach-14m-passwords/147681/
ZDNet: Hostinger resets customer passwords after security incident
https://www.zdnet.com/article/hostinger-resets-customer-passwords-after-security-incident/
Cyberscoop: A hacker accessed a Hostinger database containing information on 14 million customers
https://www.cyberscoop.com/hostinger-data-breach-passwords/
Status Page: Security incident Report
https://statuspage.hostinger.com/incidents/ljvxkp5w3s22
Hostinger: Security Incident: What You Need To Know
https://www.hostinger.com/blog/security-incident-what-you-need-to-know
--Senators Have Questions for NHTSA About Internet-Connected Cars
(August 22 & 26, 2019)
US Senators Edward Markey (D-Massachusetts) and Richard Blumenthal (D-Connecticut) have written a letter to the National Highway Traffic Safety Administration (NHTSA) asking about potential cybersecurity problems in Internet-connected vehicles. In the letter, the Senators note that they "are concerned that consumers are purchasing internet-connected vehicles without sufficient safety warnings and write to inquire about NHTSA's knowledge of any cyber vulnerabilities, as well as what actions NHTSA is taking to address these issues." The concerns arise from a report from the Consumer Watchdog group that suggests that investors and shareholders have been alerted to possible cybersecurity concerns about Internet connected cars but that these concerns have not been shared with the general public.
[Editor Comments]
[Neely] Unlike home IoT, the consequence of compromise in a vehicle can be far greater, and while consumers are aware of maintenance requirements, they don't currently expect to have to secure the vehicle technology. The average consumer is going to rely on the manufacturer to provide a secure vehicle and use all the provided connectivity.
Read more in:
MeriTalk: Senators Press NHTSA on Connected Vehicle Cyber Disclosures
https://www.meritalk.com/articles/senators-press-nhtsa-on-connected-vehicle-cyber-disclosures/
Nextgov: Senators Question Traffic Safety Agency About Cyber Dangers Posed by Internet-Connected Cars
Markey: Letter to NHTSA Deputy Administrator
https://www.markey.senate.gov/imo/media/doc/NHTSA%20Ford%20Cybersecurity%20Risk%20Disclosure.pdf
--Attackers Exploiting Flaws in WordPress Plugins
(August 23, 2019)
Researchers say that attackers are exploiting flaws in several WordPress plug-ins to redirect traffic to potentially dangerous sites. Attackers began exploiting the flaws at the end of July. Updates addressing the vulnerabilities are available for all affected plug-ins.
[Editor Comments]
[Neely] Using a service that keeps plugins automatically updated, or at least proactively notifies you of updates, is a good fix here.
Read more in:
Threatpost: WordPress Plugins Exploited in Ongoing Attack, Researchers Warn
https://threatpost.com/wordpress-plugins-exploited-in-ongoing-attack-researchers-warn/147671/
--Los Angeles County Will Use Custom Voting System that Runs on Open Source Code
(August 20, 2019)
Voters in Los Angeles County (California) will soon be casting their ballots on new, custom machines that have been designed to accommodate voters with various disabilities as well as allowing voters to choose one of 13 different languages. The machines will be tested in some locations in November 2019 for local elections and will then be used for all Los Angeles County voters for the March 2020 primary election. The machines will generate a printed, marked ballot. Critics say that the most secure way to vote is with hand-marked ballots. Los Angeles also plans to make the code that the machines run on open source so other voting jurisdictions can use it and modify it to fit their needs.
Read more in:
Washington Post: New Los Angeles County voting system highlights trade-offs between security and accessibility
--Apple Releases iOS Update to Fix Flaw Allowing Jailbreaks
(August 26, 2019)
Apple has released an update for its mobile operating system to fix a use-after-free vulnerability that could be exploited to jailbreak iPhones. The issue was initially fixed in May, with iOS 12.3, but a more recent update, iOS 12.4, released in July, inadvertently undid that fix.
[Editor Comments]
[Neely] Apple also released macOS 10.14.6 Supplemental Update and tvOS update 12.4.1 to address CVE-2019-8605.
[Murray] Effective version content control is necessary to avoid grief. While it is true that "jail breaking" at scale would weaken the iOS eco-system, this vulnerability would not, by itself, have resulted in such wide-spread jail breaking. This prompt fix demonstrates Apple's commitment to the community is ahead of, even at the expense of, those few who want both iOS products and the kind of generality, flexibility, and risk that they accept on personal computers. Android was invented, at least in part, for those who object to Apple's security strategy.
Read more in:
Vice: Apple Just Released an Emergency Patch for the iPhone
https://www.vice.com/en_us/article/d3av8m/apple-emergency-patch-iphone
Threatpost: Apple Fixes iOS Flaw That Opened iPhones to Jailbreaks
https://threatpost.com/apple-fixes-ios-flaw-that-opened-iphones-to-jailbreaks/147717/
Ars Technica: iOS vulnerability that let you jailbreak your iPhone is once again dead
Apple: About the security content of iOS 12.4.1
https://support.apple.com/en-us/HT210549
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Simple Mimikatz And RDPWrapper Dropper
https://isc.sans.edu/forums/diary/Simple+Mimikatz+RDPWrapper+Dropper/25262/
Malware Impersonating IRS
Instagram Phishing with 2FA Codes
https://nakedsecurity.sophos.com/2019/08/23/instagram-phishing-uses-2fa-as-a-lure/
GitHub Adding WebAuthn Support
Lenovo Solution Center Privilege Escalation
https://www.pentestpartners.com/security-blog/privesc-in-lenovo-solution-centre-10-minutes-later/
Apple Patches Jailbreak Vulnerability
https://support.apple.com/en-us/HT210549
Scanning for Pulse Secure VPN Endpoints
https://badpackets.net/over-14500-pulse-secure-vpn-endpoints-vulnerable-to-cve-2019-11510/
Emotet is Back
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
