SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #70
September 6, 2019
Twitter Suspends SMS Tweeting; New Bedford, MA, Refuses to Pay $5.3 Million Ransom; Classes Cancelled Due to Ransomware Attack
****************************************************************************
SANS NewsBites Sept. 6, 2019 Vol. 21, Num. 070
****************************************************************************
TOP OF THE NEWS
Twitter Temporarily Suspends Tweeting via SMS
New Bedford, MA, Refuses to Pay $5.3 Million in Ransomware Attack
Classes Cancelled Due to Ransomware Attack
REST OF THE WEEK'S NEWS
States Collecting Large Amounts of Real-ID Data
NSA's Cybersecurity Directorate Will Step Up Digital Threat Information Sharing
MANRS Observatory
DOD Seeks Feedback on Draft Contractor Cybersecurity Certification Document
Man Admits to Creating Botnets, Using Them to Launch DDoS Attacks
Supermicro Baseboard Management Controller Flaws Fixed
Report: Dutch Intelligence Recruited Mole to Help Plant Stuxnet
NewsBites Reader Survey: We are considering changes to NewsBites
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019
-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019
-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- Purple Team Summit & Training 2019 | Dallas, TX | October 21-28 | https://www.sans.org/event/purple-team-summit-2019
-- SANS OnDemand and vLive Training
Get an iPad, Samsung Galaxy Tab A, or Take $250 off through September 18 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
******************** Sponsored By Fidelis Cybersecurity ********************
Webcast 13th September 1:00 PM ET: Join Fidelis experts to learn strategies you can adopt to build a 21st Century Cyber Workforce leveraging threat hunting; AI; Data science and automation. http://www.sans.org/info/214135
*****************************************************************************
TOP OF THE NEWS
--Twitter Temporarily Suspends Tweeting via SMS
(September 4, 2019)
Twitter has temporarily disabled the ability to tweet via SMS after hackers hijacked CEO Jack Dorsey's account and used it to tweet offensive messages. The hackers took control of Dorsey's account by SIM swapping.
[Editor Comments]
[Ullrich, Honan] Twitter has enabled SMS Tweeting in some geographic areas with limited internet access. It is sad that it took until Twitter's CEO was hit by an attack for Twitter to respond. SMS "caller id" is not a sufficient authentication mechanism and should be used only for entertainment/low-security value functions. Twitter is right in saying that this is a problem that they cannot fix and something that carriers need to address.
[Murray] "SIM swapping" attacks are expensive, rely upon procedural failures, and do not scale well. However, they represent a limitation of possession of the mobile as an authenticator. If one is celebrated, notorious, powerful, or pecunious, one should be aware that it is the SIM and the associated number, not the mobile, that one really relies upon.
Read more in:
ZDNet: Twitter disables SMS-to-tweet feature after its CEO got hacked last week
CNET: Twitter temporarily shuts down ability to tweet via SMS
https://www.cnet.com/news/twitter-temporarily-shuts-down-ability-to-tweet-via-sms/
--New Bedford, MA, Refuses to Pay $5.3 Million in Ransomware Attack
(September 5, 2019)
After the city of New Bedford, Massachusetts, was hit with a ransomware attack in July, the attackers asked for a ransom of $5.3 million. The city offered $400,000, which would have been covered by its insurance company, but the attackers rebuffed the offer. Rather than negotiate, New Bedford officials decided to recover the city's data systems from backups. The attack affected just a small percentage of the city's computers, as most were still turned off for the US holiday the previous day.
[Editor Comments]
[Ullrich] Municipalities have been a huge target for ransomware recently because some victims have paid the demands encouraging additional attacks. So it is a bit sad that the city offered any money, but good in the end that the payment didn't happen.
[Neely] Relying on a successful recovery by paying the demand is of some risk, negotiating an alternate settlement even more so. These decisions may be detached from cyber or system input. Having backups and confidence that you can rebuild systems from them is an important safety net.
[Murray] Recent reports from a security practice that specializes in remediating "ransomware" attacks have convinced me that "safe" backup trumps "fast recovery." "You will be happy to see the FedEx truck."
Read more in:
Dark Reading: Attackers Hit Ceiling in Ransomware Demands
Statescoop: Ransomware demanded $5.3M from Massachusetts city in July attack
https://statescoop.com/ransomware-demanded-5-3m-from-massachusetts-city-in-july-attack/
Threatpost: $5.3M Ransomware Demand: Massachusetts City Says No Thanks
https://threatpost.com/ransomware-demand-massachusetts-city-no-thanks/148034/
--Classes Cancelled Due to Ransomware Attack
(September 5, 2019)
A ransomware attack that affected systems at the Flagstaff (Arizona) Unified School District has resulted in cancelled classes. The attack occurred on September 4; classes were cancelled on September 5.
Read more in:
Ars Technica: Back to school: With latest attack, ransomware cancels classes in Flagstaff
Edscoop: Ransomware shuts down classes, childcare centers in Flagstaff, Arizona
https://edscoop.com/ransomware-shuts-down-classes-childcare-centers-in-flagstaff-arizona/
**************************** SPONSORED LINKS ******************************
1) Webcast September 10th at 1 PM ET: Learn key processes, skills and technologies required for an effective supply chain security program. Register: http://www.sans.org/info/214140
2) Join us at SANS SIEM Summit | Chicago, IL | Oct 7-8. http://www.sans.org/info/214145
3) Security Insights New Blog | Create an Action Plan for Insider Threat. View here: http://www.sans.org/info/214150
*****************************************************************************
REST OF THE WEEK'S NEWS
--States Collecting Large Amounts of Real-ID Data
(September 5, 2019)
The Real-ID program requires that applicants for Real-ID-compliant driver's licenses and other identification provide documents like birth certificates, passports, bank statements, and Social Security cards that are scanned and retained by the issuing states. States will need to take extra precautions to protect the treasure trove of valuable personal information from data thieves.
[Editor Comments]
[Pescatore] Since (in the US anyway) driving records are essentially public information that is accessible by just about everyone, Motor Vehicle departments do have to treat the Real ID info much differently than they do much of the other data they collect and store. Of course, this is like the bulge of a mouse moving through a snake: TSA and DHS may have much bigger budgets than most DMVs, but they also need to make sure this information is protected.
[Murray] I confess that I was not aware that my documents were scanned and retained but I am not surprised. However, I have more confidence in my DMV than in OPM. Real-ID is working well and the procedures used in my state are more reliable than those used for passports. The next step is to move to digital credentials; easier to use, arbitrarily difficult to counterfeit, can be checked both manually and automatically, and easily reconciled with the issuer at the point and time of use.
Read more in:
GCN: Real-ID data surge raises real dangers
https://gcn.com/articles/2019/09/05/real-id-secure-data.aspx
--NSA's Cybersecurity Directorate Will Step Up Digital Threat Information Sharing
(September 5, 2019)
Anne Neuberger, director of the National Security Agency's (NSA's) new cybersecurity directorate, says the directorate plans to improve cyberthreat information sharing with its government and private sector partners. The directorate "is charged with preventing and eradicating threats to National Security Systems and the Defense Industrial Base," according to the NSA. The directorate is scheduled to begin operations October 1, 2019.
[Editor Comments]
[Neely] This is an excellent opportunity to get timely threat information. The biggest challenge for the NSA will be the rapid declassification of current activities while retaining actionable information for partners.
[Murray] Liaison between the DoD and the Defense Industrial Base is well established and maintained. NSA can well use this relationship to share intelligence with those who can act on it with limited risk that it will leak to others.
Read more in:
Nextgov: NSA Cyber Chief Wants to Share Digital Threats Early and Often
Fifth Domain: NSA looks to 'up its game' in cyber defense
https://www.fifthdomain.com/civilian/2019/09/05/nsa-looks-to-up-its-game-in-cyber-defense/
NSA: FAQ: NSA/CSS Cybersecurity Directorate
--MANRS Observatory
(September 5, 2019)
The Mutually Agreed Norms for Routing Security (MANRS) global initiative has launched the MANRS Observatory, which tracks how well networks are abiding by routing security standards.
[Editor Comments]
[Ullrich] This is a valuable effort to collect some of the existing data about routing security in one place and to establish some metrics to measure the progress (or lack of progress) in getting network providers to comply with best practices. The 60% compliance with anti-spoofing is probably particularly sad.
Read more in:
Ars Technica: A project aims to help ISPs mind their routing security manners
Observatory: State of Routing Security
https://observatory.manrs.org/#/overview
--DOD Seeks Feedback on Draft Contractor Cybersecurity Certification Document
(September 5, 2019)
The US Department of Defense (DoD) has released a new draft of its Cybersecurity Maturity Model Certification (CMMC). The document aims to help contractors understand the cybersecurity requirements they will need to meet. DoD is accepting feedback on CMMC v0.4 through September 25, 2019 at 5PM EDT.
[Editor Comments]
[Pescatore] (Warning to younger readers, I'm going to skew ancient here.) I was working at a government contractor doing classified work when DoD began to require programmers to use Ada on software development projects, and began requiring bidders to get SEI Software CMM assessments. In the 30 years since then, maturity models have gone mainstream, and assessments and certifications are big business (Carnegie Mellon spun off CMM to the CMMI Institute in 2013, ISACA bought it in 2016), but from a security perspective I can't really point to software security improvements (or even quality overall) that were really driven by attempts to move to higher levels of maturity - heck, level 3-4 software vendors were happily building in buffer overflow vulnerabilities for 20 years after becoming "mature!" For DoD supply chain security improvements, since Level 3 is essentially "meet all 800-53 requirements" it really doesn't change much, unless maturity level becomes an evaluation criterion, which would be a bad idea. It leads to an increase score vs. increase security mentality, and we've already seen that since the US Federal government FISMA assessments moved to a maturity level focus.
[Neely] Bridging between federal and private cyber requirements can be challenging and is essential for both parties to ensure that information is properly protected consistent with all relevant regulatory and reporting requirements. This will make partnerships easier. Read and provide input if you feel it falls short.
Read more in:
FNN: DoD unveils new cybersecurity certification model for contractors
Fedscoop: DOD issues draft of new contractor cyber standards
https://www.fedscoop.com/dod-contractors-cybersecurity-standards-draft/
ACQ.OSD: Cybersecurity Maturity Model Certification
https://www.acq.osd.mil/cmmc/docs/cmmc-draft-model-30aug19.pdf
--Man Admits to Creating Botnets, Using Them to Launch DDoS Attacks
(September 4 & 5, 2019)
In a plea agreement submitted in a US federal court in Alaska, Kenneth Currin Schuchman has admitted that he and two co-conspirators operated multiple botnets and used them to offer distributed denial-of-service (DDoS) attacks for sale. The botnets used the power of more than 800,000 compromised Internet of Things (IoT) devices. In his plea agreement, Schuchman also admitted that while he was on pre-trial release, he created another botnet and launched a swatting attack against one of his co-conspirators.
Read more in:
The Register: Newb admits he ran Satori botnet that turned thousands of hacked devices into a 100Gbps+ DDoS-for-hire cannon
https://www.theregister.co.uk/2019/09/05/satori_plea_deal/
ZDNet: Author of multiple IoT botnets pleads guilty
https://www.zdnet.com/article/author-of-multiple-iot-botnets-pleads-guilty/
Ars Technica: IoT botnet creator cops plea to hacking more than 800,000 devices
Regmedia: Plea Agreement
https://regmedia.co.uk/2019/09/04/schuchmanpleadeal.pdf
--Supermicro Baseboard Management Controller Flaws Fixed
(September 3 & 5, 2019)
Supermicro has released updates to address vulnerabilities in its baseboard management controller software. The issues lie in the BMC/IPMI Virtual Media function and could be exploited to bypass authentication and allow attackers to "interact with the host system as a raw USB device."
[Editor Comments]
[Ullrich] Baseboard Management Controllers or any similar administrative tools should never be exposed to the outside, and access needs to be tightly controlled. Even without any published flaws, there are several weak configurations that can be used to compromise a system via these tools; a compromise will be very difficult to recover from.
Read more in:
SC Magazine: Supermicro fixes BMC software flaws that expose servers to virtual USB attacks
Cyberscoop: Supermicro BMCs were susceptible to remote attacks, according to firmware security startup
--Report: Dutch Intelligence Recruited Mole to Help Plant Stuxnet
(September 2 & 4, 2019)
Sources who have spoken with Yahoo News say that the US and Israel were able to get the Stuxnet malware onto computers at Iran's Natanz uranium enrichment facility by using an Iranian engineer recruited by Dutch intelligence. The mole reportedly helped developers who were creating the code and helped get the malware onto systems at the Natanz plant.
Read more in:
Yahoo: Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran
Infosecurity Magazine: Dutch Insider Deployed Stuxnet: Report
https://www.infosecurity-magazine.com/news/dutch-insider-deployed-stuxnet/
SC Magazine: Report: Dutch agency recruited Iranian mole to help U.S. and Israel plant Stuxnet virus
--NewsBites Survey
We are considering changes to NewsBites and would like your input. Take our 3 minute survey to tell us what you think.
NewsBites Survey: http://www.sans.org/info/214155
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Tricky LNK Retrieves TrickBot
https://isc.sans.edu/forums/diary/Guest+Diary+Tricky+LNK+points+to+TrickBot/25290/
Encrypted Resume Malicious Word Documents
Private IP Addresses in Virustotal Samples
https://isc.sans.edu/forums/diary/Private+IP+Addresses+in+Malware+Samples/25298/
Scams Via Social Media
https://www.sans.org/security-awareness-training/resources/scamming-you-through-social-media
Supermicro Virtual USB Vulnerability
https://eclypsium.com/2019/09/03/usbanywhere-bmc-vulnerability-opens-servers-to-remote-attack/
Android Security Updates
https://source.android.com/security/bulletin/2019-09-01.html
Twitter Suspends SMS Posting
https://twitter.com/TwitterSupport
Facebook Free Basics Key Used to Sign Unrelated Android Apps
Android SMS Phishing Attacks
ReCaptcha Broken Again (PDF)
https://regmedia.co.uk/2019/08/29/recaptchapaper.pdf
Samba Security Patch
https://www.samba.org/samba/security/CVE-2019-10197.html
Exim Vulnerability
https://seclists.org/oss-sec/2019/q3/192
Attackers Simulate CEO's Voice To Trigger Money Transfer
https://www.scmagazineuk.com/ai-mimics-ceo-voice-scam-uk-energy-firm-200k/article/1595277
Cisco Releases Guides to Investigate Compromised Devices
https://tools.cisco.com/security/center/tacticalresources.x
https://tools.cisco.com/security/center/resources/asa_forensic_investigation
https://tools.cisco.com/security/center/resources/ftd_forensic_investigation
https://tools.cisco.com/security/center/resources/ios_forensic_investigation
https://tools.cisco.com/security/center/resources/iosxe_forensic_guide
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create