SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #69
September 3, 2019Ransomware Attacks Continue to Target US Sites - Only One Known Solution
****************************************************************************
SANS NewsBites Sept. 3, 2019 Vol. 21, Num. 069
****************************************************************************
TOP OF THE NEWS
Ransomware Attacks Continue to Target US School Districts and Other Organizations
North Carolina Ransomware Attack Data
US States Taking Steps to Protect Voter Registries from Ransomware Attacks
REST OF THE WEEK'S NEWS
Charges Filed in Spam Case
Foxit Resets User Passwords After Breach
Google's Project Zero on iPhone Watering Hole Attacks
Twitter CEO's Account Hacked
Identity Credential Access Management for First Responders
DHS OIG: FEMA's Outdated IT Impeded 2017 Emergency Response Efforts
North Carolina Election Officials OK Bar Code Ballots
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019
-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019
-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- Purple Team Summit & Training 2019 | Dallas, TX | October 21-28 | https://www.sans.org/event/purple-team-summit-2019
-- SANS OnDemand and vLive Training
Get free GIAC Cert Attempt or Take $350 off with OnDemand or vLive training through September 4.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
************************** Sponsored By SANS ******************************
Event October 18th in Denver, CO: The SANS Cloud Security Operations Solutions Forum will focus on cloud security operations solutions that work, with a focus on providing specific technical advice directly from the vendor support engineers working in the field. Join Kenneth Hartman and representatives from Cisco, Microsoft and Swimlane for this free event. Register: http://www.sans.org/info/214085
*****************************************************************************
TOP OF THE NEWS
--Ransomware Attacks Continue to Target US School Districts and Other Organizations
(August 30, 2019)
Reports of ransomware attacks across the country: many of the victims are school districts; other organizations include a local newspaper, a hospice, and a county government. In all there gave been nearly 150 reported ransomware attacks across the US in 2019. The actual number is likely much higher.
[Editor Comments]
[Henry] There are multiple articles on ransomware contained in this issue, and these comments are relevant to each of them. We've responded to dozens of these attacks, many targeting state and local municipalities. In most cases, this type of attack can be prevented by employing fundamental security protocols, including patching, network segmentation, changing email procedures, and curtailing user privileges. Additionally, organizations can utilize more proactive hunting and behavioral analysis looking for anomalous activity. Finally, ensuring clean backups for recovery and restoration is an absolutely critical best-practice. As long as these attacks continue to be successful, adversaries will continue to use them, so organizational change is required to mitigate this activity.
[Neely] The attack of the Nampa ID school district occurred shortly after an exercise by local cyber security professionals to assess their ability to respond to such an incident. Lessons from that exercise were applied. Opportunities exist to creating mentoring and guidance between private sector professionals and educational institutions as well as between colleges and secondary school districts to help create response plans as well as leverage available resources for more rapid response.
Read more in:
Ars Technica: Rash of ransomware continues with 13 new victims--most of them schools
Edscoop: Ransomware 'halts everything' in Connecticut school district
https://edscoop.com/ransomware-halts-everything-in-connecticut-school-district/
--North Carolina Ransomware Attack Data
(August 30, 2019)
According to data provided by the North Carolina Department of Information Technology (DIT), there have already been more ransomware attacks against organizations in the state reported this year than in all of 2018. As of August 2019, seven attacks have been officially reported. North Carolina DIT's chief risk officer says that to her knowledge, no organizations in the state have paid a ransom. A recently-enacted bill requires county and municipal governments to report cybersecurity incidents.
[Editor Comments]
[Neely] The DIT and Department of Public Security have formed a group which works with the National Guard, DHS, FBI, SBI and Secret Service to share information, prevent attacks, and coordinate response, which should give their county and municipal agencies a leg up in preventing and responding to future attacks.
Read more in:
GovTech: North Carolina Braces Against Wave of Ransomware Attacks
https://www.govtech.com/security/North-Carolina-Braces-Against-Wave-of-Ransomware-Attacks.html
--US States Taking Steps to Protect Voter Registries from Ransomware Attacks
(September 1, 2019)
In the wake of the recent increase in reported ransomware attacks, officials in states around the US are concerned that hackers could target voter registry systems with the malware. The US Department of Homeland Security's (DHS's) Cybersecurity Infrastructure Security Agency (CISA) is working with state governments to help them protect these systems from ransomware. Some states are taking steps to protect these systems. For example, Illinois is making its voter registration database accessible only from a closed fiber optic network. Some states have also begun segmenting systems to help contain ransomware attacks if they do occur.
[Editor Comments]
[Murray] Restrict "write" access. Replicate these database servers off-line.
Read more in:
CNET: States brace for ransomware assaults on voter registries
https://www.cnet.com/news/states-prepare-for-ransomware-attacks-on-voter-registries/
**************************** SPONSORED LINKS ******************************
1) Take the SANS 2019 Endpoint Survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/214090
2) Webcast Tuesday September 10th at 1 PM ET: Success Patterns for Supply Chain Security. Sign up: http://www.sans.org/info/214095
3) ICYMI Webcast: Strengthen and optimize your security posture from the foundation up with BloxOne(TM) Threat Defense. http://www.sans.org/info/214100
*****************************************************************************
REST OF THE WEEK'S NEWS
--Charges Filed in Spam Case
(September 2, 2019)
Four people have been charged with conspiracy, wire fraud, and electronic mail fraud for allegedly hijacking Internet protocol (IP) addresses and using them in spam campaigns. The four people worked for Adconion Direct, an email advertising company. The indictment alleges that the defendants sought blocks of registered but inactive IP addresses, and that they then sent forged letters to Hostwinds, an Internet hosting company, claiming they had been authorized by the registrants to use those addresses. The addresses were then allegedly used to send spam.
Read more in:
KrebsOnSecurity: Feds Allege Adconion Employees Hijacked IP Addresses for Spamming
--Foxit Resets User Passwords After Breach
(August 30 & September 2, 2019)
Foxit Software customers were forced to reset their passwords after a data breach that compromised customers' email addresses, passwords, users' names, phone numbers, company names and IP addresses. More than 325,000 customer accounts were affected. Foxit has not said when the breach occurred.
[Editor Comments]
[Murray] Unfortunately, "breach transparency" sets one up for "punish the victim." Target was transparent and severely punished with law suits. eBay, a much worse breach, said "change your passwords" and, except for a little loss of business and a few stock sales, was not punished at all.
Read more in:
Foxit Software: Cybersecurity Advisory Notice
https://www.foxitsoftware.com/support/security-advisories.php
GovInfosecurity: Foxit Software Breach Exposes Account Data
https://www.govinfosecurity.com/foxit-software-breach-exposes-account-data-a-13006
Bleeping Computer: Foxit Software Discloses Data Breach Exposing User Passwords
Infosecurity Magazine: PDF Reader Biz Breached: Foxit Forces Password Reset
https://www.infosecurity-magazine.com/news/biz-breached-foxit-forces-password/
--Google's Project Zero on iPhone Watering Hole Attacks
(August 29, 30, & 31, 2019)
Google's Project Zero has described a watering hole attack targeting iPhones that leveraged more than a dozen vulnerabilities in Apple's iOS to target the devices. When users visited the maliciously-crafted websites, the attacks infected their iPhones with monitoring malware.
[Editor Comments]
[Neely] While the exploited vulnerabilities are largely fixed, some in February with iOS 12.1.4, for the most complete protection install iOS 12.4.1. While iOS is not immune to vulnerabilities, Apple's long (five year) device support allows older devices to be updated with current security fixes. With iOS 13 expected in September, devices older than the iPhone 6 and 2013 iPad Air will fall outside that range and need to be replaced.
Read more in:
Google Project Zero: A very deep dive into iOS Exploit chains found in the wild
https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html
Wired: Mysterious iOS Attack Changes Everything We Know About iPhone Hacking
https://www.wired.com/story/ios-attack-watering-hole-project-zero/
The Register: Google security crew sheds light on long-running super-stealthy iOS spyware operation
https://www.theregister.co.uk/2019/08/30/google_iphone_exploit_chain/
SC Magazine: Watering-hole attack campaign designed to infect iOS users via exploit chains
Ars Technica: Armed with iOS 0days, hackers indiscriminately infected iPhones for two years
Cyberscoop: Google's Project Zero details 'indiscriminate' hacking campaign against thousands of iPhones
https://www.cyberscoop.com/iphone-hack-google-project-zero/
Vice: Google Says Malicious Websites Have Been Quietly Hacking iPhones for Years
https://www.vice.com/en_us/article/bjwne5/malicious-websites-hacked-iphones-for-years
--Twitter CEO's Account Hacked
(August 30 & September 2, 2019)
Hackers used a SIM swapping attack to take control of the Twitter account of the company's CEO Jack Dorsey. The hackers had control of the account for about 20 minutes, during which they tweeted several offensive messages.
[Editor Comments]
[Pescatore] High profile executives should be encouraged to at least tie a PIN to their cellphone account to make SIM swapping less likely to succeed. Stronger forms are better (authenticator apps, security key/token etc.) but adding a PIN certainly doesn't get in their way of using ATM machines, low pain solution.
[Neely] Basic measures, such as having a PIN on your cellular account to prevent SIM swapping or other account takeover actions should be SOP, both with business and personal accounts. This becomes increasingly important where your number is used for account recovery or two-factor authentication, either via SMS or phone call.
[Murray] Failure to receive calls or messages that you are expecting is an indication of this attack. Service providers should confirm changes to the old address, and, if available to the customer's e-mail.
Read more in:
Wired: How Twitter CEO Jack Dorsey's Account Was Hacked
https://www.wired.com/story/jack-dorsey-twitter-hacked/
SC Magazine: Twitter CEO's account hacked in SIM-swapping scheme
https://www.scmagazine.com/home/security-news/twitter-ceos-account-hacked-in-sim-swapping-scheme/
Twitter: Twitter Comms
https://twitter.com/TwitterComms/status/1167591003143847936
---Identity Credential Access Management for First Responders
(August 30, 2019)
Identity Credential Access Management allows first responders to verify their identities and devices quickly, allowing them to access and share information when they are working outside their home jurisdictions.
Read more in:
GCN: ID validation on the fly for emergency response
https://gcn.com/articles/2019/08/30/responders-dynamic-icam.aspx
--DHS OIG: FEMA's Outdated IT Impeded 2017 Emergency Response Efforts
(August 30, 2019)
A report from the US Department of Homeland Security's (DHS's) Office of Inspector General (OIG) found that the Federal Emergency Management Agency (FEMA) "has not established an IT strategic plan, architecture, or governance framework to facilitate day-to-day management of its aging IT systems and equipment." The deficiencies, which can be attributed in part to the agency's CIO's "limited authority to manage IT agency-wide," contributed to FEMA's difficulties in responding effectively to emergency situations in 2017.
Read more in:
Oversight.gov: FEMA's Longstanding IT Deficiencies Hindered 2017 Response and Recovery Operations
https://www.oversight.gov/sites/default/files/oig-reports/OIG-19-58-Aug19.pdf
MeriTalk: FEMA's Legacy IT Hindered 2017 Emergency Response, Fixes Underway
https://www.meritalk.com/articles/femas-legacy-it-hindered-2017-emergency-response-fixes-underway/
--North Carolina Election Officials OK Bar Code Ballots
(August 23, 2019)
North Carolina's State Board of Elections has certified a bar code ballot system for use in elections starting with the 2020 primaries. Critics of the system say that voters cannot be sure that their votes have been encoded accurately within the bar code.
[Editor Comments]
[Neely] Electronic voting machines with paper receipts have been emphasized recently but the receipts need to be easily verifiable by the voter, not just the tallying systems. If the voters do not trust the electronic system, adoption will be an uphill battle.
[Murray] Concerned voters should scan the code with their iPhones. That said, the issue is the encoding and recording of the result; is it transparent and auditable? Historically election fraud has been in the tabulating and reporting steps, not in recording.
Read more in:
NYT: North Carolina Allows Bar Code Ballots Despite Voter Outcry
https://www.nytimes.com/aponline/2019/08/23/us/ap-us-election-security-north-carolina.html
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Malware Installs Node.js
https://isc.sans.edu/forums/diary/Malware+Dropping+a+Local+Nodejs+Instance/25284/
iOS Exploits in the Wild
https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html
Twitter CEO's Twitter Account Hijacked
https://twitter.com/TwitterComms/status/1167528672523210752
Dovecot and PigeonHole Vulnerability
https://www.openwall.com/lists/oss-security/2019/08/28/3
Cloudflare Workers Spreading Malware
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create