SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #72
September 13, 2019
Russia's Attack on Ukrainian Power Grid's Goal: Long-Term Physical Damage; Ransomware: New Targets and Baltimore CIO on Indefinite Leave
*****************************************************************************
SANS NewsBites Sept. 13, 2019 Vol. 21, Num. 072
*****************************************************************************
TOP OF THE NEWS
Dragos: Russia's Attack on Ukrainian Power Grid Sought to Cause Long-Term Physical Damage
Ransomware Actors Are Targeting Managed Service Providers
Baltimore CIO on Indefinite Leave Following Ransomware Attack
REST OF THE WEEK'S NEWS
Huawei CEO Ready to Share 5G Technology with a Buyer
GAO: DOD Has Not Met Federal Source Code Policy Requirement
FIN7 Administrator Enters Guilty Plea
281 Alleged Business Email Compromise Scammers Arrested Worldwide
Google and Firefox to Test DNS-Over-HTTPS
Adobe Updates Include Fixes for Critical Flash Flaws
Microsoft Patch Tuesday
Menstrual Cycle Tracking Apps Found to be Sharing Data with Facebook
Voting Machine Manufacturers Give DHS Access to Engineering Info
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
Cybersecurity Training Update
-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019
-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019
-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019
-- SANS DFIR Europe Summit and Training 2019 | Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019
-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019
-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019
-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019
-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019
-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019
-- SANS OnDemand and vLive Training
Get an iPad, Samsung Galaxy Tab A, or Take $250 off through September 18 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
******************** Sponsored By Fidelis Cybersecurity ********************
Elevating Enterprise Security with Fidelis Cybersecurity: Endpoint Security Capabilities. In this upcoming webcast, SANS Analyst Matt Bromiley will review the Fidelis Cybersecurity Elevate Platform and its variety of features, including behavioral monitoring, built-in threat hunting capabilities, threat intelligence and scanning and more. http://www.sans.org/info/214210
*****************************************************************************
TOP OF THE NEWS
--Dragos: Russia's Attack on Ukrainian Power Grid Sought to Cause Long-Term Physical Damage
(September 12, 2019)
Researchers from Dragos have constructed a timeline of the December 2016 Russian attack on Ukraine's Ukrenergo national grid operator. They have concluded that the attackers "sought to create the preconditions for a possible physically-destructive event when the victim restored operations." The attack did cause a temporary blackout, but did not achieve its intended objective of "a far more significant and long-lasting effect: physical degradation or destruction of transmission equipment, with the desire to produce impacts lasting months instead of hours."
[Editor Comments]
[Murray] Compromise of the Power Grid may take place early but may be exploited only during other conflict. Positive and restrictive system and application content and version control is an essential protective measure for what is an existential risk. Change should be minimal and stability and resilience the goal.
Read more in:
Dragos: CRASHOVERRIDE: Reassessing the 2016 Ukraine Electric Power Event as a Protection-Focused Attack
https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf
Wired: New Clues Show How Russia's Grid Hackers Aimed for Physical Destruction
https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/
--Ransomware Actors Are Targeting Managed Service Providers
(September 12, 2019)
Some small businesses and municipalities outsource their IT needs to managed service providers because it is more cost-efficient than hiring full-time IT staff of their own. Attackers have begun targeting managed service providers with ransomware, which allows them to affect multiple organizations with a single attack.
[Editor Comments]
[Pescatore] Attackers have long targeted service providers; see the recent Wipro breach, or the Click2Gov breach that impacted more than 40 cities in 2018. Attackers go up and down your supply chain, or what is more realistically your supply "web." SANS just published a white paper and did a webinar on Supply Chain security: Success Patterns for Supply Chain Security, https://www.sans.org/webcasts/success-patterns-supply-chain-security-111280
Read more in:
ProPublica: The New Target That Enables Ransomware Hackers to Paralyze Dozens of Towns and Businesses at Once
--Baltimore CIO on Indefinite Leave Following Ransomware Attack
(September 10 & 11, 2019)
Baltimore (Maryland) CIO Frank Johnson is on indefinite leave. Johnson faced substantial criticism following the May 2019 ransomware attack. City officials noted a lack of transparency and communication in the wake of the attack and said that Johnson had not drawn up a continuity of operations plan for such an incident. The city is still cleaning up and recovering from the estimated $18m in revenue lost and recovery costs. The May attack was the second ransomware attack to hit Baltimore systems while Johnson was CIO.
[Editor Comments]
[Paller] In a surprisingly large number of organizations, the ransomware epidemic has brought about a shift from compliance to continuous hygiene. Having a "clean bill of health" from a cybersecurity consultant no longer works. Senior executives know that those reports were neither comprehensive nor continuous nor sufficient to reflect adequate CISO performance. Cybersecurity hygiene is dull. It's never ending. But building the partnership between security and IT operations staff that keeps every machine clean enough to withstand the low-powered attacks is the pathway to senior management support, even after something bad happens.
[Neely] The takeaway here is that this wave of ransomware attacks is making IT disaster preparedness even more important. IT organizations need to not only have a verified recovery plan, but also communication and backup procedures to bridge the gaps while services are offline. Involving senior management is also critical for support and transparency.
[Murray] Concur. And I would add that all accepted residual risk must be scrupulously documented.
Read more in:
Baltimore Brew: Frank Johnson, Baltimore's IT chief during the ransomware attack, goes on leave
Statescoop: Baltimore CIO, criticized for ransomware response, on leave
https://statescoop.com/baltimore-cio-on-leave-ransomware/
GovTech: Baltimore CIO, Who Managed Ransomware Response, on Leave
https://www.govtech.com/people/Baltimore-CIO-Who-Managed-Ransomware-Response-on-Leave.html
**************************** SPONSORED LINKS ******************************
1) In the Denver area? Attend the SANS Cloud Security Operations Solutions Forum on Friday, October 18th. http://www.sans.org/info/214215
2) Survey | Give your input and experience around managing risks associated with workforce transformation. http://www.sans.org/info/214220
3) Webcast September 19th at 10:30 AM ET: Micro-Segmentation for Network Security - Strategy to Execution. Register: http://www.sans.org/info/214225
*****************************************************************************
REST OF THE WEEK'S NEWS
--Huawei CEO Ready to Share 5G Technology with a Buyer
(September 12, 2019)
Huawei founder and CEO Ren Zhengfei says that he is ready to share the company's 5G technology with a Western buyer, granting them access to Huawei's 5G patents, licenses, code, technical blueprints, and production information. The buyer would be able to edit the source code. Ren says his goal is to "create a balanced situation between China, the US and Europe," adding that "a balanced distribution of interests is conducive to Huawei's survival."
[Editor Comments]
[Neely] This could result in what is effectively a third-party review of Huawei's solutions. As they are paying for the access, it's not clear the review would be unbiased. While the review of the code and design information for 5G components sounds great on paper, it is not clear they could discover and/or remediate issues while meeting market demand for rapid delivery of 5G products.
[Murray] We need a national strategy to balance the deployment of 5G against its security.
Read more in:
South China Morning Post: Huawei's Ren Zhengfei ready to sell 5G tech to a Western buyer to help create rival, level playing field
BBC: Huawei chief offers to share 5G know-how for a fee
https://www.bbc.com/news/technology-49673144
CNET: Huawei's founder is ready to share company's 5G tech with a Western buyer
https://www.cnet.com/news/huaweis-founder-is-ready-to-share-companys-5g-tech-to-western-buyer/
--GAO: DOD Has Not Met Federal Source Code Policy Requirement
(September 11 & 12, 2019)
A 2016 memo from the US Office of Management and Budget (OMB) "requires agencies, when commissioning new custom software, to release at least 20 percent of new custom-developed code as Open Source Software (OSS) for three years." The FY 2018 National Defense Authorization Act required the Defense Department (DOD) to adopt the policy. According to a report from the Government Accountability Office (GAO), DOD has not met the requirement.
[Editor Comments]
[Neely] The trick with releasing the code is the processes for releasing information to the public aren't aligned with current agile development practices, typically requiring a manual review of items before publication. Additionally, agencies are used to custom license agreements and are not yet comfortable using existing licenses, such as GPL, without modification. The code.gov site was created to help agencies navigate this process. While some applications are available through the forge.mil site, you need a CAC or PIV card for access. A significant challenge for the DOD is meeting the 20% requirement while excluding code related to weapons or national security systems.
Read more in:
GAO: DOD Needs to Fully Implement Program for Piloting Open Source Software
https://www.gao.gov/assets/710/701285.pdf
Obama White House: August 2016 - Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software
https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2016/m_16_21.pdf
Nextgov: The Pentagon Needs to Make More Software Open Source, Watchdog Says
Fifth Domain: Why can't the Pentagon use more open source code?
https://www.fifthdomain.com/civilian/omb/2019/09/11/why-cant-the-pentagon-use-more-open-source-code/
--FIN7 Administrator Enters Guilty Plea
(September 11, 2019)
In a US district court in Washington state, Fedir Hladyr pleaded guilty to wire fraud and conspiracy to commit computer hacking. Hladyr is from Ukraine and was arrested in Germany in January 2018. He is alleged to have served as administrator for the FIN7 hacking group, which is believed to have stolen data pertaining to millions of payment card accounts.
Read more in:
Cyberscoop: FIN7's IT admin pleads guilty for role in billion-dollar cybercrime crew
https://www.cyberscoop.com/fin7-fedir-hladyr-guilty-carbanak/
--281 Alleged Business Email Compromise Scammers Arrested Worldwide
(September 10, 11, & 12, 2019)
Nearly 300 people in 10 countries have been arrested in connection with a money transfer scheme that has stolen millions from both organizations and individuals. Seventy-four people were arrested in the US, 167 people were arrested in Nigeria, and 18 people were arrested in Turkey. Others were arrested in Ghana, Kenya, France, Italy, Japan, Malaysia, and the UK.
Read more in:
Justice: 281 Arrested Worldwide in Coordinated International Enforcement Operation Targeting Hundreds of Individuals in Business Email Compromise Schemes
Wired: 281 Alleged Email Scammers Arrested in Massive Global Sweep
https://www.wired.com/story/email-scammer-global-takedown/
The Register: Required: Massive email fraud bust. Tired: Cops who did the paperwork. Expired: 281 suspected con men's freedom
https://www.theregister.co.uk/2019/09/10/rewired_bec_criminal_takedown/
BBC: Arrests in 10 countries over money-transfer scams
https://www.bbc.com/news/technology-49674663
--Google and Firefox to Test DNS-Over-HTTPS
(September 6, 10 & 11, 2019)
Google will begin testing the DNS-over-HTTPS (DoH) protocol starting with Chrome 78, which is scheduled to be released in October. Mozilla has also announced plans to introduce the protocol in Firefox gradually starting later this month.
[Editor Comments]
[Pescatore] Both DNS over TLS and DoH address the long-standing DNS "last mile" vulnerability but have different tradeoffs between privacy and enterprise visibility into network communications. Johannes Ullrich of SANS has summarized the issues nicely at https://isc.sans.edu/presentations/BSidesJAX_WhatIsWrongWithDNS.pdf
[Neely] The initial versions of DoH will permit opt-out and claim to respect enterprise DNS configuration, falling back to traditional DNS (DoH uses port 853.) The browsers will be pre-configured by the providers with a list of DoH servers which will be updated over time. While protecting the privacy of DNS requests can be a win, particularly when on untrusted networks, implementing one DNS solution at the browser level with a separate DNS solution at the OS layer could be technically challenging. Using a holistic solution, such as a device VPN or OS level DoH would provide more comprehensive protection versus just securing the browser's queries.
Read more in:
The Register: Rolling in DoH: Chrome 78 to experiment with DNS-over-HTTPS - hot on the heels of Firefox
https://www.theregister.co.uk/2019/09/10/chrome_78_dnsoverhttps/
ZDNet: Google to run DNS-over-HTTPS (DoH) experiment in Chrome
https://www.zdnet.com/article/google-to-run-dns-over-https-doh-experiment-in-chrome/
Mozilla: What's next in making Encrypted DNS-over-HTTPS the Default
https://blog.mozilla.org/futurereleases/2019/09/06/whats-next-in-making-dns-over-https-the-default/
Chromium: DNS over HTTPS (aka DoH)
https://www.chromium.org/developers/dns-over-https
--Adobe Updates Include Fixes for Critical Flash Flaws
(September 10 & 11, 2019)
On Tuesday, September 10, Adobe released updates to address two critical flaws in Flash Player and an important flaw in Adobe Application Manager. The two Flash vulnerabilities - a use-after-free flaw and a same-origin method execution issue - could both be exploited to allow arbitrary code execution. Flash users are urged to update to version 32.0.0.255. The flaw affecting Adobe Application Manager is a DLL hijacking issue and could be exploited to allow arbitrary code execution.
Read more in:
ZDNet: Adobe Flash, Application Manager patch update squashes critical code execution bugs
Threatpost: Adobe Fixes Critical Flash Player Code Execution Flaws
https://threatpost.com/adobe-critical-flash-player-code-execution-flaws/148169/
Adobe: Security Bulletin for Adobe Flash Player | APSB19-46
https://helpx.adobe.com/security/products/flash-player/apsb19-46.html
Adobe: Security Updates Available for Adobe Application Manager | APSB19-45
https://helpx.adobe.com/security/products/application_manager/apsb19-45.html
--Microsoft Patch Tuesday
(September 10, 2019)
On Tuesday, September 10, Microsoft released updates to address 80 security issues. Seventeen of the flaws are rated critical; two of the critical flaws are being actively exploited. Both are elevation of privilege issues; they affect the Windows Common Log File System (CLFS) Driver and the Winsock IFS Driver. Microsoft has also patched four critical security issues in its Remote Desktop Protocol.
Read more in:
Dark Reading: Two Zero-Days Fixed in Microsoft Patch Rollout
https://www.darkreading.com/risk/two-zero-days-fixed-in-microsoft-patch-rollout/d/d-id/1335776
KrebsOnSecurity: Patch Tuesday, September 2019 Edition
https://krebsonsecurity.com/2019/09/patch-tuesday-september-2019-edition/
Threatpost: Microsoft Addresses Two Zero-Days Under Active Attack
https://threatpost.com/microsoft-addresses-two-zero-days-under-active-attack/148185/
MSRC: Security Update Summary
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
--Menstrual Cycle Tracking Apps Found to be Sharing Data with Facebook
(September 10, 2019)
Some smartphone applications that track users' menstrual cycles are sharing sensitive personal health information with Facebook. Earlier this year, the Wall Street Journal tested a number of popular apps and found that many, including several health-related apps, were sharing information with Facebook. At that time, a Facebook spokesperson said that some of the data sharing appeared to violate Facebook's business terms and that it would tell the identified apps not to send them the personal information. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Neely] Having applications that correlate health information and create a large dataset to predict outcomes has become a practical reality. What has to be considered carefully is what is done with the personal health information behind that analysis. Verify where the data is shared: is it anonymized and can it be recovered or deleted?
Read more in:
ITPro: Period tracker apps share deeply personal data with Facebook
https://www.itpro.co.uk/security/34367/period-tracker-apps-share-deeply-personal-data-with-facebook
WSJ: You Give Apps Sensitive Personal Information. Then They Tell Facebook. (paywall)
--Voting Machine Manufacturers Give DHS Access to Engineering Info
(September 5, 2019)
Voting machine and election systems manufacturers are giving the US Department of Homeland Security (DHS) access to their engineering details ahead of the 2020 election. Speaking at the Intelligence and National Security Summit last week, Jeanette Manfra, Assistant Director for DHS's Cybersecurity and Infrastructure Security Agency (CISA), said that the manufacturers are providing the information voluntarily.
[Editor Comments]
[Murray] It is difficult to meet all three requirements: transparency, a secret ballot, and a guarantee that all ballots are counted at the same time. However, this is transparency that does not offend any of those requirements.
Read more in:
Bloomberg: Voting Machine Makers Give U.S. Access in Fight Against Hackers
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/Microsoft+September+2019+Patch+Tuesday/25310/
Adobe Patches
https://helpx.adobe.com/security.html
How to Block DNS over HTTPs in Firefox via BIND
https://isc.sans.edu/forums/diary/Blocking+Firefox+DoH+with+Bind/25316/
Comba / DLink Router Vulnerabilities
European Payment Services Directive Confusion Abused by Scams
https://www.infosecurity-magazine.com/news/phishers-use-sca-checks-trick/
Intel SSH Side Channel Vulnerability
https://www.vusec.net/projects/netcat/
https://www.cs.vu.nl/~herbertb/download/papers/netcat_sp20.pdf
Chrome to Introduce DNS over HTTPs in October (Chrome 78).
https://blog.chromium.org/2019/09/experimenting-with-same-provider-dns.html
Disabling DNS over HTTPs in Firefox
https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https
Virtual Disk Files May Bypass AV Software
https://insights.sei.cmu.edu/cert/2019/09/the-dangers-of-vhd-and-vhdx-files.html
Google Chrome 77
https://chromium.googlesource.com/chromium/src/+log/77.0.3865.75?pretty=fuller&n=10000
*****************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create