SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #71
September 10, 2019Electric Grid Cybersecurity Event; Texas Ransomware; Apple Responds to Google's Reports of Malicious Websites Exploiting iOS Flaws
*****************************************************************************
SANS NewsBites Sept. 10, 2019 Vol. 21, Num. 071
*****************************************************************************
TOP OF THE NEWS
NERC Report on Grid Cybersecurity Event
Texas Ransomware Recovery Progress
Apple Responds to Google's Reports of Malicious Websites Exploiting iOS Flaws
REST OF THE WEEK'S NEWS
Regis University Breach Offers Learning Opportunity
Telegram Flaw Fixed
Paper Urges Focus on 5G Cybersecurity
DDoS Attack Affects Wikipedia in Europe
WordPress Update
Australian ISPs Ordered to Continue to Block Video of Christchurch Attack
INTERNET STORM CENTER TECH CORNER
********************************************
Cybersecurity Training Update
-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019
-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019
-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019
-- SANS OnDemand and vLive Training
Get an iPad, Samsung Galaxy Tab A, or Take $250 off through September 18 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
************************* Sponsored By Splunk *****************************
The Fundamental Guide to Building a Better Security Operation Center (SOC). Outdated security solutions struggle to stay ahead of advanced cyberthreats, making it hard to detect unknown or hidden threats. So what are companies who rely on dinosaur technology to do? They need to start building the next generation, modern SOC today. Download The Fundamental Guide to Building a Better Security Operation Center (SOC) today to learn how a security operation suite can move your SOC into the future. http://www.sans.org/info/214160
*****************************************************************************
TOP OF THE NEWS
--NERC Report on Grid Cybersecurity Event
(September 6 & 9, 2019)
A report from the North American Electric Reliability Corporation (NERC) examines a cybersecurity event that affected the US power grid earlier this year. On March 5, 2019, attackers caused firewalls at several sites to repeatedly reboot over a 10-hour period. Affected firewalls were found to be missing an available firmware update, and the rebooting issue stopped once the fixes were applied.
[Editor Comments]
[Pescatore] The two corrective actions were pretty much to reach basic security hygiene levels: (1) Monitor updates to critical system firmware and prioritize updates; and (2) utilize "firewall rules that restrict allowable traffic to the minimum required to operate the assets." All of the NERC Lessons Learned are direct pointers to the Critical Security Controls.
[Neely] The report highlights that even during the attack, the entity assessed the impact of the suggested fix and tested the fix on non-critical firewall to ensure the update would not negatively impact operational systems. Be sure your operational process includes not only keeping the systems updated in a timely fashion, verifying segmentation and access controls are in place, but also performing regression testing prior to implementing updates on operational or critical assets.
[Murray] Like Internet companies, electric utilities need to be held to higher standards, including, but not limited to, positive system and application version and content control, process to process isolation, strong authentication, and "least privilege" access.
Read more in:
ZDNet: Cyber-security incident at US power grid entity linked to unpatched firewalls
E&E News: Report reveals play-by-play of first U.S. grid cyberattack
https://www.eenews.net/stories/1061111289
NERC: Lesson Learned: Risks Posed by Firewall Firmware Vulnerabilities
https://www.eenews.net/assets/2019/09/06/document_ew_02.pdf
--Texas Ransomware Recovery Progress
(September 5 & 7, 2019)
None of the 22 municipalities in Texas, that were recently hit with a coordinated ransomware attack in mid-August, have paid the demand. The Texas Department of Information Resources says that at least half of the municipalities have recovered their data. Some restored their systems from backups; others rebuilt them from scratch.
Read more in:
ZDNet: No municipality paid ransoms in 'coordinated ransomware attack' that hit Texas
NYT: Texas Says Half of Agencies Hit by Ransomware Have Recovered
https://www.nytimes.com/aponline/2019/09/05/us/ap-us-cyber-attacks-texas.html
--Apple Responds to Google's Reports of Malicious Websites Exploiting iOS Flaws
(September 6, 2019)
A week after Google reported that vulnerabilities in iOS were being exploited to infect iPhones when they visited maliciously-crafted sites, Apple has spoken out. While Apple has acknowledged the attacks that were targeting China's Uyghur Muslim community, they took issue with the way the Google characterized the attacks. Apple disputed the length of time that Google said the malicious websites were active and pointed out that Google's report came six months after the iOS security issues had been fixed. Apple also said the attacks were narrowly focused, rather than widespread as Google suggested they were.
[Editor Comments]
[Neely] Part of the operation of these exploits is to obtain privileges on the targeted device to secure access to information that is otherwise encrypted by the transmitting applications such as Signal or iMessage. While Apple challenges the claims of duration and scope of the attacks, keeping your devices updated and using caution while browsing, irrespective of platform, remain critical. Don't assume a targeted attack won't impact your device if accessed.
Read more in:
Apple: A message about iOS security
https://www.apple.com/newsroom/2019/09/a-message-about-ios-security/
Wired: Apple Finally Breaks Its Silence on iOS Hacking Campaign
https://www.wired.com/story/ios-hacks-apple-response/
**************************** SPONSORED LINKS ******************************
1) ICYMI Webcast: Learn how Infoblox BloxOne Threat Defense can give you the edge to address the changing threat environment. http://www.sans.org/info/214165
2) Join us at SANS SIEM Summit | Chicago, IL | Oct 7-8. http://www.sans.org/info/214170
3) Webcast September 17th at 1 PM ET: Elevating Enterprise Security with Fidelis Cybersecurity: Network and Deception. Register: http://www.sans.org/info/214175
*****************************************************************************
REST OF THE WEEK'S NEWS
--Regis University Breach Offers Learning Opportunity
(September 6, 2019)
Faculty at Denver's Regis University are planning to use a recent malware attack against the school's systems as a teaching opportunity. Once the incident has been addressed, the university plans to hold an invitational conference to discuss lessons learned from the attack.
Read more in:
Denver Post: Who'll benefit from the Regis University cyberattack? The Denver school's cybersecurity students.
https://www.denverpost.com/2019/09/06/regis-university-cybersecurity-attack-student/
--Telegram Flaw Fixed
(September 9, 2019)
Telegram has released an updated version of its encrypted messaging app to address a security issue that could let message recipients view images and files even after a sender has deleted them. The feature allowing senders to delete sensitive messages from recipients' phones was initially added in March, but it was found not to work properly. Users should update to Telegram version 5.11.
Read more in:
The Register: That Telegram feature that let you delete your private messages on recipients' phones? It didn't work properly
https://www.theregister.co.uk/2019/09/09/telegram_messaging_bug/
Bleeping Computer: Telegram Fixes Privacy Bug Caused by Improperly Deleted Messages
--Paper Urges Focus on 5G Cybersecurity
(September 3, 2019)
In a paper published by the Brookings Institute, former Federal Communications Commission (FCC) chair Tom Wheeler and former FCC Chief of Public Safety and Homeland Security David Simpson argue for an increased focus on 5G network cybersecurity. The paper notes that "5G is the conversion to a mostly all-software network." The authors offer two "key steps" to bolster 5G security: holding companies responsible for cybersecurity, and the development of a "cyber regulatory paradigm" to encourage the government and industry to cooperate to address 5G security issues.
[Editor Comments]
[Neely] Getting the cyber security right on 5G is critical and will take international partnerships to establish and maintain. As 5G networks are being deployed already, backing up to modify the security settings may become problematic. The challenge is expected to be aggravated by the connection of IoT devices which themselves are not secure necessitating requirements for endpoints in addition to the network itself.
Read more in:
The Hill: Former FCC chairman argues for need to focus on cybersecurity of 5G networks
Brookings: Why 5G requires new approaches to cybersecurity
https://www.brookings.edu/research/why-5g-requires-new-approaches-to-cybersecurity/
--DDoS Attack Affects Wikipedia in Europe
(September 9, 2019)
A distributed denial-of-service (DDoS) attack against Wikipedia affected the website's accessibility in some European countries and in parts of the US over the weekend. As of Monday, September 9, affected versions of the site were working.
[Editor Comments]
[Murray] Wikipedia is a noble achievement and deserves to be treated with the reverence due high art. Those who desecrate it should be ostracized.
Read more in:
The Register: What a bunch of DoSers: Wikipedia says it was walloped by 'bad faith' actors over weekend
https://www.theregister.co.uk/2019/09/09/wiki_ddos_attack/
SC Magazine: Wikipedia knocked offline by DDoS attack
https://www.scmagazine.com/home/security-news/cyberattack/wikileaks-knocked-offline-by-ddos-attack/
--WordPress Update
(September 9, 2019)
WordPress developers have released an update for the content management system that includes 29 fixes and enhancements. Among the security issues addressed are flaws that could be exploited through cross-site scripting.
Read more in:
WordPress: WordPress 5.2.3 Security and Maintenance Release
https://wordpress.org/news/2019/09/wordpress-5-2-3-security-and-maintenance-release/
SC Magazine: WordPress update fixes assortment of XSS flaws
--Australian ISPs Ordered to Continue to Block Video of Christchurch Attack
(September 8, 2019)
Australian Internet service providers (ISPs) must continue to block eight unnamed websites that host video of the Christchurch (New Zealand) terrorist attack. The direction comes from Australia's eSafety Commissioner.
[Editor Comments]
[Pescatore] 18 countries, but not the US, and the major Internet technology companies like Amazon, Facebook, Google, Microsoft, Qwant, Twitter, and YouTube signed on to the "Christchurch Call" for voluntary guidelines to limit terrorist abuse of the Internet. Filtering content is a sensitive issue, but the technology companies have already learned that they need to remove content that glorifies violence and terrorist actions. In most regions outside the US, the ISPs have also learned that filtering known malicious content like malware is both a necessity and an obligation vs. something to lobby against.
[Neely] The objective of the Christchurch Call was to thwart actions by terrorists and violent extremists using the internet to further their causes. While there is a slippery slope towards censorship, working the issues sooner than later to find the right balance will help keep the focus appropriate and tune the supporting processes. The United States is noticeably absent from participating in these actions.
[Murray] Measures such as this must be exceptional, demonstrably necessary, short of the full coercive power of the state, and with as much accountability, transparency, and criticism as possible.
Read more in:
ZDNet: Australian eSafety Commissioner directs ISPs to keep Christchurch attack blocks
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Unidentified Scanning Activity Likely Associated with Mirai/Successors
https://isc.sans.edu/forums/diary/Unidentified+Scanning+Activity/25304/
Firefox to Enable DNS over HTTPs by Default in September
https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/
PsiXBot Uses DoH
Telegram Fixes Privacy Bug
https://www.inputzero.io/2019/09/telegram-privacy-fails-again.html
Bluekeep Exploit Now in Metasploit
https://blog.rapid7.com/2019/09/06/initial-metasploit-exploit-module-for-bluekeep-cve-2019-0708/
How to Remove Gmail Calendar Spam
https://support.google.com/calendar/answer/6084018?co=GENIE.Platform%3DDesktop&hl=en
Exim SNI TLS Vulnerability
https://exim.org/static/doc/security/CVE-2019-15846.txt
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
