SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #68
August 30, 2019Google Android - Millions of Malicious Downloads; Ransomware Hits Remote Backups; Cisco Critical IOS XE Flaw
****************************************************************************
SANS NewsBites Aug. 30, 2019 Vol. 21, Num. 068
****************************************************************************
TOP OF THE NEWS
Google Play App with Millions of Downloads Delivering Malware
Ransomware Hits Remote Backup System for US Dentist Offices
Cisco Patches Critical IOS XE Flaw
REST OF THE WEEK'S NEWS
US Cyberattack Against Iran Targeted Systems Used to Plan Attacks on Oil Tankers
Paige Thompson Indictment Includes Allegation of Cryptojacking
Apple Says Storage of Siri Recordings Will Now be Opt-in
Google Urges Chrome Users to Install Update That Fixes Flaw in Blink
Authorities Remove Cryptomining Malware from 850,000 Computers
AWS Will Scan for Misconfigurations
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
Is it "Safe" To Require TLS 1.2 for Email
https://isc.sans.edu/forums/diary/Is+it+Safe+to+Require+TLS+12+for+EMail/25270/
Malware Samples Compiling Their Next Stage On Premise
https://isc.sans.edu/forums/diary/Malware+Samples+Compiling+Their+Next+Stage+on+Premise/25278/
Open Redirect: A Small But Very Common Vulnerability
LYCEUM Threat Group Targeting Middle East
https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign
Android Trojan Infects Tens of Thousands of Devices in 4 Months
CamScanner Malicious Download Component
https://securelist.com/dropper-in-google-play/92496/
Cisco REST API Container for IOS XE Authentication Bypass
Ares ADB Botnet
https://www.wootcloud.com/blogs/ars_botnet.html
French Authorities Shut Down Coinminer Botnet
CERT-Bund Attempts to Notify Users of Vulnerable Home Automation Systems (German)
https://www.heise.de/security/meldung/CERT-Bund-warnt-vor-offenen-Smarthome-Systemen-4509977.html
*********************** Sponsored By Panorays ****************************
Webcast September 10th at 1 PM ET: Supply chain attacks are on the rise and the high financial impact of these attacks has increased CEO, board of directors, and regulatory and auditors attention to supply chain security. This webcast will provide recommendations on key processes, skills and technologies required for an effective supply chain program. http://www.sans.org/info/214065
*****************************************************************************
TOP OF THE NEWS
--Google Play App with Millions of Downloads Delivering Malware
(August 28, 2019)
Google has removed an app from the Google Play Store after it was found to be delivering malware. The CanScanner PDF creator app has been available since 2010 and has been downloaded more than 100 million times.
[Editor Comments]
[Murray] At a minimum, Android users that have downloaded this app should do a factory reset. In addition to restoring the programming to a known (safe?) state, this will "erase" all data. Before recovering this data from backup, users should at least consider the risk that this might re-contaminate the device. Users of sensitive applications in hostile environments should consider whether or not the cost and convenience of Android are worth accepting this class of risk.
Read more in:
ZDNet: Android Google Play app with 100 million downloads starts to deliver malware
The Register: Android PDF app with just 100m downloads caught sneaking malware into mobes
https://www.theregister.co.uk/2019/08/28/camscanner_android_malware/
--Ransomware Hits Remote Backup System for US Dentist Offices
(August 29, 2019)
As many as 400 US dental practices found that they were unable to access their online encrypted records following a ransomware attack that hit PerCSoft, a cloud management provider for a remote data backup service. Sources are reporting that PerCSoft paid the ransom and that 80-100 of the affected practices are now able to access their files.
[Editor Comments]
[Murray] The risk of "ransomware" attacks requires that we examine our back-up strategy to ensure that the back-up itself is safe from ransomware and that we can recover an entire network, not just a few files, in hours to days. "Mission critical" data should be stored on enterprise servers, not on systems connected to the public networks. Consider a "least privilege" access control policy.
Read more in:
KrebsOnSecurity: Ransomware Bites Dental Data Backup Firm
https://krebsonsecurity.com/2019/08/ransomware-bites-dental-data-backup-firm/
ZDNet: Ransomware hits hundreds of dentist offices in the US
https://www.zdnet.com/article/ransomware-hits-hundreds-of-dentist-offices-in-the-us/
--Cisco Patches Critical IOS XE Flaw
(August 29, 2019)
Cisco has issued updates to fix a critical remote authentication bypass flaw in its IOS XE operating system. The vulnerability could be exploited to bypass logins on unpatched IOS XE devices.
[Editor Comments]
[Murray] While applying this patch, take the opportunity to consider strong authentication and end-2-end application layer encryption for these devices.
Read more in:
ZDNet: Patch now: Cisco IOS XE routers exposed to rare 10/10-severity security flaw
Threatpost: Critical Cisco VM Bug Allows Remote Takeover of Routers
https://threatpost.com/critical-cisco-bug-remote-takeover-routers/147826/
**************************** SPONSORED LINKS ******************************
1) ICYMI Webcast: BloxOne(TM) Threat Defense: Strengthening and Optimizing Your Security Posture from the Foundation Up. http://www.sans.org/info/214070
2) What challenges do you face with implementing endpoint security in your organization? http://www.sans.org/info/214075
3) Webcast: Matt Bromiley to review the Fidelis Elevate platform and its ability to provide insight into network traffic, threats and more. http://www.sans.org/info/214080
*****************************************************************************
REST OF THE WEEK'S NEWS
--US Cyberattack Against Iran Targeted Systems Used to Plan Attacks on Oil Tankers
(August 28 & 29, 2019)
Earlier this year, US government operatives launched a cyberattack against crucial Iranian computer systems that the country uses to plan attacks against oil tankers in the Persian Gulf. The attack was launched after Iran shot down a US drone earlier in June.
Read more in:
NYT: U.S. Cyberattack Hurt Iran's Ability to Target Oil Tankers, Officials Say
https://www.nytimes.com/2019/08/28/us/politics/us-iran-cyber-attack.html
SC Magazine: U.S. cyberattack crippled Iran's efforts to attack ships in Persian Gulf
Ars Technica: US hack attack hobbles Iran's ability to target oil tankers, NYT says
--Paige Thompson Indictment Includes Allegation of Cryptojacking
(August 28 & 29, 2019)
The indictment against Paige Thompson, who allegedly accessed stored data at more than 30 organizations, including Capital One, also alleges that she used her access to the systems to mine for cryptocurrency. Thompson is being charged with one count of computer fraud and abuse and one count of wire fraud.
Read more in:
Infosecurity Magazine: Alleged Capital One Hacker Also Accused of Crypto-Jacking
https://www.infosecurity-magazine.com/news/alleged-capital-one-hacker-accused/
Cyberscoop: Indictment of Capital One suspect alleges breaches of 30 companies, cryptojacking
https://www.cyberscoop.com/capital-one-hack-charges-cryptojacking/
Justice: Former Seattle Tech Worker Indicted on Federal Charges for Wire Fraud and Computer Data Theft
--Apple Says Storage of Siri Recordings Will Now be Opt-in
(August 28, 2019)
Apple has announced changes to its "quality evaluation process" for Siri; the company will no longer store recordings of Siri requests unless users have expressly opted in. In the past, Apple has stored Siri recordings by default. Until a month ago, about 0.2 percent of the recordings have been listened to by humans to determine Siri's effectiveness. That practice was temporarily suspended in July, but will resume once users have been given the chance to opt in to having their recording saved and reviewed by humans.
[Editor Comments]
[Murray] Seems like an appropriate balance between user privacy and the need to tweak the AI. One assumes that Apple understands their responsibility to effectively restrict access to this data and destroy it when it is no longer useful. (All that said, I will not opt in.)
Read more in:
Threatpost: Apple Updates Privacy Policies After Siri Audio Recording Backlash
https://threatpost.com/apple-updates-privacy-policies-after-siri-audio-recording-backlash/147780/
Apple: Improving Siri's privacy protections
https://www.apple.com/newsroom/2019/08/improving-siris-privacy-protections/
--Google Urges Chrome Users to Install Update That Fixes Flaw in Blink
(August 28, 2019)
A flaw in the Blink open source browser engine used in Google's Chrome browser could be exploited to execute arbitrary code, access sensitive data, circumvent security, and create denial-of-service conditions. Users are urged to update to Chrome version 76.0.3809.132 for Windows, Mac, and Linux.
Read more in:
Threatpost: Google Squashes High-Severity Blink Browser Engine Flaw
https://threatpost.com/google-high-severity-blink-browser-engine-flaw/147770/
Chrome Releases: Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2019/08/stable-channel-update-for-desktop_26.html
--Authorities Remove Cryptomining Malware from 850,000 Computers
(August 28, 2019)
With help from an antivirus company, law enforcement authorities in France took down a command-and-control server that was being used to spread cryptomining malware. In all, more than 850,000 computers had been compromised. After they had control of the server, authorities removed the malware from the computers.
Read more in:
SC Magazine: Authorities free 850,000 machines from grasp of Retadup worm
ZDNet: Avast and French police take over malware botnet and disinfect 850,000 computers
Threatpost: Dangerous Cryptomining Worm Racks Up 850K Infections, Self-Destructs
https://threatpost.com/cryptomining-worm-infections-self-destructs/147767/
Vice: Cops Hijack Botnet, Remotely Wipe Malware From 850,000 Computers
--AWS Will Scan for Misconfigurations
(August 27, 2019)
Earlier this month, US Senator Ron Wyden (D-Oregon) asked Amazon to explain "how default configuration settings for Amazon's cloud computing products may have contributed to recent data breaches." In the letter, Wyden asked specifically about details related to the Capital One breach, and about whether Amazon has provided guidance for its AWS customers regarding configuration. AWS says it plans to scan the public IP space for misconfigurations like the one that was allegedly exploited by Paige Thompson to steal information from Capital One; to increase its efforts to help customers set up restrictive permissions; and to increase efforts to make anomaly detection services more widely available.
[Editor Comments]
[Pescatore] Nice of AWS and other cloud service providers to do this, but you don't expect Dell or HP to scan the servers you buy. The same vulnerability management and other basic security hygiene functions should be routinely extended to all IaaS use.
[Murray] In the absence of knowing the "application and environment," it is often difficult to know what the safe defaults are, but we should strive for "safe out of the box." Moreover, we should "over control" new applications. It is easy to relax controls if we find that we do not need them. However, if the application is "out of control," all the tightening in the world may not bring it back.
Read more in:
GCN: AWS to scan for misconfigurations
https://gcn.com/articles/2019/08/27/aws-misconfiguration-scans.aspx
Wyden: Letter to Amazon
Wyden: Amazon Response
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Is it "Safe" To Require TLS 1.2 for Email
https://isc.sans.edu/forums/diary/Is+it+Safe+to+Require+TLS+12+for+EMail/25270/
Malware Samples Compiling Their Next Stage On Premise
https://isc.sans.edu/forums/diary/Malware+Samples+Compiling+Their+Next+Stage+on+Premise/25278/
Open Redirect: A Small But Very Common Vulnerability
LYCEUM Threat Group Targeting Middle East
https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign
Android Trojan Infects Tens of Thousands of Devices in 4 Months
CamScanner Malicious Download Component
https://securelist.com/dropper-in-google-play/92496/
Cisco REST API Container for IOS XE Authentication Bypass
Ares ADB Botnet
https://www.wootcloud.com/blogs/ars_botnet.html
French Authorities Shut Down Coinminer Botnet
CERT-Bund Attempts to Notify Users of Vulnerable Home Automation Systems (German)
https://www.heise.de/security/meldung/CERT-Bund-warnt-vor-offenen-Smarthome-Systemen-4509977.html
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
