
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #73

September 17, 2019

Three More Public Victims of the Ransomware Epidemic: Connecticut School District, Baltimore, Albany x 2




****************************************************************************

SANS NewsBites               Sept. 17, 2019                Vol. 21, Num. 073

****************************************************************************

TOP OF THE NEWS

  Connecticut School District Hit with Second Ransomware Attack

  Baltimore Lost Data in Ransomware Attack

  Albany Ransomware Clean-up Costs



REST OF THE WEEK'S NEWS      

  US Consumer Financial Protection Bureau Proposed Rule Would Require Consumers to Click on Links from Unfamiliar eMail Addresses

  Who is Responsible for Internet Architecture Security?

  US Treasury Sanctions North Korean Hackers

  Court: Scraping Data from Public Sites Does Not Violate CFAA

  Pen Test Gone Wrong

  Israeli Police Arrest Digital Surveillance Company Executives

  Someone is Fraudulently Buying Certificates and Reselling Them

  Brokerage Ordered to Pay $1.5 Million in Sanctions After Breach

  UK Environmental Agencies Lost More than 500 Devices

 

INTERNET STORM CENTER TECH CORNER


********************************************


Cybersecurity Training Update


-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019

-- SANS Northern VA Fall-Reston 2019 | September 30-October 5 | https://www.sans.org/event/northern-va-fall-reston-2019

-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019

-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019

-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019

-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019

-- SANS Amsterdam October 2019 | October 28-November 2 | https://www.sans.org/event/amsterdam-october-2019

-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019

-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019

-- SANS OnDemand and vLive Training

Get an iPad, Samsung Galaxy Tab A, or Take $250 off through September 18 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*********** Sponsored By AWS Marketplace ***********


Securing App Pipelines in AWS. SANS senior instructor Dave Shackleford and AWS solutions architect Nam Le explain ways to improve and automate security across the continuous integration/continuous deployment (CI/CD) pipeline. Learn how to manage secrets and privileged access, secure APIs and serverless applications, and find solutions on AWS Marketplace. Sept. 26, 2 PM ET. http://www.sans.org/info/214230


****************************************************

TOP OF THE NEWS 


--Connecticut School District Hit with Second Ransomware Attack

(September 13, 2019)

Wolcott Public Schools is recovering from yet another ransomware attack. The Western Connecticut school district was hit with a ransomware attack in June of this year. The attackers demanded a ransom of $12,000; it has not been paid. When suspicious activity was noted on September 4, the school district shut down its entire system as a precautionary measure.


Read more in:

Edscoop: Wolcott, Conn., school district hit by second ransomware attack

https://edscoop.com/wolcott-conn-school-district-hit-by-second-ransomware-attack/

Courant: Wolcott Public Schools go offline once again following a possible second ransomware attack

https://www.courant.com/news/connecticut/hc-news-wolcott-schools-hacked-computer-systems-20190911-abpqgqwhdzc45p4k36d22k6wce-story.html

 
 

--Baltimore Lost Data in Ransomware Attack

(September 11, 2019)

Baltimore's city auditor said that, due to the ransomware attack that hit city systems in May of this year, the city's information technology department lost performance data, which was stored locally and was not backed up. This is the first admission of lost data related to this attack.


[Editor Comments]


[Neely] The city won't know the full scope of lost data until recovery efforts are complete. Lost data will include not only files not backed up, but also, transactions that cannot be rolled forward or recreated. Beyond reviewing your IT assets to ensure appropriate backups are in place regularly, also document and revalidate areas where the risk of data loss has been accepted.


[Honan] I would encourage anyone with responsibility in their organisation to take these examples of ransomware attacks as a template to run a desktop exercise in their company to identify and determine how well your organisation could cope in a similar situation.


Read more in:

Baltimore Sun: Baltimore acknowledges for first time that data was destroyed in ransomware attack

https://www.baltimoresun.com/politics/bs-md-ci-data-lost-20190911-i6feniyk5nd3pereznpdxwsf7a-story.html


 

--Albany Ransomware Clean-up Costs

(September 13, 2019)

The amount of money the city of Albany, New York, spent on recovery efforts after a ransomware attack in March is unclear. A request made under New York state's Freedom of Information Law for information about certain costs was met with a document breaking down costs for hardware and software investments, credit monitoring services, and professional services, which totaled just over $160,000. The mayor has said publicly that the city has spent more than $300,000, but has not provided a breakdown of those costs. The city has not disclosed the amount the attackers demanded.


Read more in:

WNYT: Albany spent over $300K recovering from cyberattack

https://wnyt.com/news/albany-spent-over-300k-recovering-from-cyberattack/5491067/


****************************  SPONSORED LINKS  ******************************


1) Download The Fundamental Guide to Building a Better Security Operation Center (SOC) today to learn how a security operation suite can move your SOC into the future. http://www.sans.org/info/214235


2) Webcast September 23rd at 1 PM ET: Elevating Enterprise Security with Fidelis Cybersecurity: Endpoint Security Capabilities. Register: http://www.sans.org/info/214240


3) What steps is your organization taking to manage the risks associated with workforce transformation? Take this survey: http://www.sans.org/info/214245


*****************************************************************************

REST OF THE WEEK'S NEWS      

 

--US Consumer Financial Protection Bureau Proposed Rule Would Require Consumers to Click on Links from Unfamiliar eMail Addresses

(August 9, 12, & 23, 2019)

The US Consumer Financial Protection Bureau has proposed a rule that would require people to click on links in unfamiliar email messages. The rule would allow debt collectors to send a "validation notice," the initial contact that debt collectors are required to send, via email or text message, requiring that the recipient click on a link provided to see the notice. A recent court case could spell trouble for the proposed rule. In August, a US federal appeals court ruled that email does not qualify as "communication" as defined by the Fair Debt Collection Practices Act.


[Editor Comments]


[Murray] Here was me thinking that clicking on "links in unfamiliar email messages" often resulted in system compromise.  This seems to be a case in which the solution to one problem aggravates another. 

 

[Neely] Currently debt collectors are required to validate/disclose the debt via mail, and must obtain prior consent from the consumer for electronic communications. Collectors argue they want to use secure email and document delivery platforms to speed and improve the process. They also claim debtors don't want an email that indicates debt collection in the sender or subject. We educate users not to click links or attachments from unknown senders. Even with needed transparency, out-of-band verification and consent to use electronic processes, many debtors are disinclined to respond by the time their issues are turned over to a collection agency.

 

Read more in:

Wired: The Consumer Bureau's Reckless Plan for Debt Collection

https://www.wired.com/story/the-consumer-bureaus-reckless-plan-for-debt-collection/

ACA International: Appeals Court Affirms District Court Decision on Email and the FDCPA

https://www.acainternational.org/news/appeals-court-affirms-district-court-decision-on-email-and-the-fdcpa

Media: US Court of Appeals for the Seventh Circuit: Lavallee v. Med-1 Solutions LLC (PDF)

http://media.ca7.uscourts.gov/cgi-bin/rssExec.pl?Submit=Display&Path=Y2019/D08-08/C:17-3244:J:Sykes:aut:T:fnOp:N:2381328:S:0


 

--Who is Responsible for Internet Architecture Security?

(September 10 & 11, 2019)

Witnesses at a September 10 House Armed Services Committee Hearing on Securing the Nation's Internet Architecture included Jeanette Manfra, Assistant Director for Cybersecurity at the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency; Diane Rinaldo, Acting Assistant Secretary and Administrator at the Department of Commerce's National Telecommunications and Information Administration; and Ed Wilson, Deputy Assistant Secretary for Cyber Policy at the Department of Defense's Office of the Undersecretary of Defense for Policy. Committee Chairman Jim Langevin (D-Rhode Island) noted that while various agencies have laid claim to distinct aspects of cyber policy, there is no single entity that has responsibility for the security of Internet architecture, and said, "I'm very worried that by carving out discrete lanes in the road, there are seams left unaddressed in the middle, and I'm concerned that internet architecture security is one of those seam issues."


Read more in:

FCW: Who defends the Internet?

https://fcw.com/articles/2019/09/11/internet-architecture-johnson.aspx

Armed Services: IETC & Oversight Committee Joint Hearing: Securing the Nation's Internet Architecture

https://armedservices.house.gov/2019/9/securing-the-nation-s-internet-architecture


 

--US Treasury Sanctions North Korean Hackers

(September 13, 2019)

The US Department of the Treasury's Office of Foreign Assets Control (OFAC) has placed three North Korean hacking groups on a sanctions list. OFAC says the groups are controlled by North Korea's government, and that one of them is responsible for the 2017 WannaCry attack and the 2014 attack against Sony Pictures. The sanctions will make it easier for OFAC to seize any of the groups' assets that are in US financial institutions.


[Editor Comments]


[Neely] While these sanctions make it far simpler and faster for OFAC to seize assets, these North Korean groups have targets well beyond the US. Downsizing US activities may not have a large impact on their viability. Equivalent actions in other target countries are also needed.

 

Read more in:

Treasury: Treasury Sanctions North Korean State-Sponsored Malicious Cyber Groups

https://home.treasury.gov/index.php/news/press-releases/sm774

Treasury: North Korea Designations; Global Magnitsky Designation

https://www.treasury.gov/resource-center/sanctions/OFAC-Enforcement/Pages/20190913.aspx

NYT: US Treasury Sanctions 3 North Korean Hacking Groups

https://www.nytimes.com/aponline/2019/09/13/business/ap-us-united-states-north-korea-hacking.html

SC Magazine: U.S. sanctions North Korea hacking groups, says attacks funded missile program

https://www.scmagazine.com/home/security-news/apts-cyberespionage/u-s-sanctions-north-korea-hacking-groups-says-attacks-funded-missile-program/

Ars Technica: Meet the three North Korean hacking groups funding the country's weapons programs

https://arstechnica.com/tech-policy/2019/09/us-sanctions-north-korean-hackers-for-wannacry-and-dozens-of-other-attacks/

Cyberscoop: North Korean government hackers sanctioned by U.S. Treasury

https://www.cyberscoop.com/lazarus-group-us-treasury-sanctions-north-korea/

Fifth Domain: WannaCry hackers face sanctions from Treasury Department

https://www.fifthdomain.com/civilian/2019/09/13/wannacry-hackers-face-sanctions-from-treasury-department/


 

--Court: Scraping Data from Public Sites Does Not Violate CFAA

(September 9, 2019)

The Ninth US Circuit Court of Appeals has upheld a lower court ruling that a company that scrapes data from public LinkedIn accounts is not in violation of the Computer Fraud and Abuse Act (CFAA). In 2017, LinkedIn sent a cease-and-desist order to HiQ, which was scraping data from public profiles for its data analytics services. HiQ sued, seeking a ruling that the activity did not violate the CFAA and an order prohibiting LinkedIn from interfering with it. The court found in HiQ's favor in 2017, and the Appeals Court agreed with that ruling, noting that the CFAA does not apply to data that are publicly available.


[Editor Comments]


[Neely] While information openly published can't be recalled once captured, it's still a good idea to check what information you are publicly sharing on the Web. Not just from LinkedIn and other social media sites, but also sites related to personal and professional associations. Then take steps to update or remove unwanted information from those sites, ultimately keeping the desired data at the top of data-collecting sites' caches.

 

Read more in:

Ars Technica: Web scraping doesn't violate anti-hacking law, appeals court rules

https://arstechnica.com/tech-policy/2019/09/web-scraping-doesnt-violate-anti-hacking-law-appeals-court-rules/

CDN: United States Court Of Appeals For The Ninth Circuit: HiQ Labs, Inc. v. LinkedIn Corporation (PDF)

http://cdn.ca9.uscourts.gov/datastore/opinions/2019/09/09/17-16783.pdf


 

--Pen Test Gone Wrong

(September 13 & 16, 2019)

Two employees of a company that was hired to test the security of electronic court records in Dallas County, Iowa, were arrested on burglary charges for physically breaking into the Dallas County Courthouse in the early hours of Wednesday, September 11. The officials who hired the company did not inform county officials of the penetration testing efforts. In a statement, Iowa's state court administration (SCA) said it had hired Coalfire, a "cybersecurity advisor", "to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities. SCA did not intend, or anticipate, those efforts to include the forced entry into a building."


[Editor Comments]


[Skoudis] Of course, it's absolutely vital to have a detailed scope document and rules of engagement before beginning any penetration test.  The scope should clearly cover every aspect of the test, including networks, hosts, social engineering, wireless, and ESPECIALLY any physical elements associated with the project.  That said, given the high level of experience of the pen test company involved here, as well as the local players, I suspect that local politics may be involved in this particular situation.

 

[Neely] In addition to Ed's comments, having both your point of contact and employer apprised and aware of tester activities to provide needed support is crucial.

 

Read more in:

Ars Technica: Check the scope: Pen-testers nabbed, jailed in Iowa courthouse break-in attempt

https://arstechnica.com/information-technology/2019/09/check-the-scope-pen-testers-nabbed-jailed-in-iowa-courthouse-break-in-attempt/

Des Moines Register: Men arrested for breaking into Dallas County Courthouse after judicial branch hires them to test 'vulnerability' of court records

https://www.desmoinesregister.com/story/news/crime-and-courts/2019/09/11/men-arrested-burglary-dallas-county-iowa-courthouse-hired-judicial-branch-test-security-ia-crime/2292295001/

ZDNet: Pen test goes pear-shaped: cybersecurity firm staff arrested over courthouse burglary

https://www.zdnet.com/article/pen-test-goes-pear-shaped-cybersecurity-firm-employees-arrested-over-courthouse-burglary/

Infosecurity Magazine: Cybersecurity Firm Employees Charged with Burglary of Courthouse Client

https://www.infosecurity-magazine.com/news/cybersecurity-firm-employees/


 

--Israeli Police Arrest Digital Surveillance Company Executives

(September 16, 2019)

Police in Israel have arrested several people who hold high-ranking positions at subsidiaries of Ability, a company that makes and sells tools for intercepting mobile device communications to law enforcement agencies around the world. The company's export license was suspended in March of this year; there is speculation that the arrests came in response to the company continuing to sell its products outside the country.


Read more in:

ZDNet: Israeli police arrest execs from vendor of mobile surveillance tech

https://www.zdnet.com/article/israeli-police-arrest-execs-from-vendor-of-mobile-surveillance-tech/

Infosecurity Magazine: Israeli Cops Arrest Cyber Surveillance Vendor's Employees

https://www.infosecurity-magazine.com/news/israeli-cops-arrest-cyber/


 

--Someone is Fraudulently Buying Certificates and Reselling Them

(September 16, 2019)

Researchers have found evidence that criminals impersonating legitimate entities have been buying digital certificates and reselling them on the black market. Some of the fraudulently obtained certificates have been used to spread malware.


[Editor Comments]


[Ullrich] Digitally signed malware and malicious websites with valid TLS certificates are normal at this point. Some security awareness training has associated signed software with harmless/valid software. But certificates do not attest to the software being not malicious. Thresholds to obtain certificates are low. As a best case, certificates identify the author of the software.


Read more in:

Threatpost: New Threat Actor Fraudulently Buys Digital Certificates to Spread Malware

https://threatpost.com/threat-actor-buys-digital-certs-spreads-malware/148345/

Reversing Labs: Digital Certificates - Models for Trust and Targets for Misuse

https://blog.reversinglabs.com/blog/digital-certificates-impersonated-executives-as-certificate-identity-fronts


 

--Brokerage Ordered to Pay $1.5 Million in Sanctions After Breach

(September 12 & 13, 2019)

A Chicago futures brokerage will pay $1.5 million in sanctions after thieves breached its email system, accessed customer accounts, and stole $1 million from one of those accounts. A February 2018 phishing attack against Phillip Capital Inc. successfully targeted the firm's IT department. The US Commodity Futures Trading Commission (CFTC) imposed the sanction in an order, designating $500,000 as a penalty, and $1 million as restitution. The CFTC found that Phillip Capital "failed to disclose the cyber breach to its customers in a timely manner ... [and] failed to supervise its employees with respect to cybersecurity policy and procedures."


Read more in:

CFTC: CFTC Orders Registrant to Pay $1.5 Million for Violations Related to Cyber Breach

https://www.cftc.gov/PressRoom/PressReleases/8008-19

Reuters: Chicago brokerage to pay $1.5 million for cyber attack lapses: U.S. CFTC

https://www.reuters.com/article/us-usa-cftc-cyber/chicago-brokerage-to-pay-1-5-million-for-cyber-attack-lapses-u-s-cftc-idUSKCN1VY25X


 

--UK Environmental Agencies Lost More than 500 Devices

(September 16, 2019)

Information obtained through Freedom of Information requests revealed that two UK government agencies that focus on environmental issues cannot account for 540 mobile digital devices over the past three financial years. More than three-quarters of the lost devices are phones. In all, 94 laptops and 21 tablet computers have also been reported missing.


[Editor Comments]


[Neely] Make sure that mobile devices are configured to minimize risk of data loss if they are misplaced, stolen or otherwise missing. Finding devices by tracking emissions while in vehicles or other locations is becoming a popular technique used by thieves. Implementing full-device encryption, robust authentication, and remote locating and wiping capabilities can protect against data loss; also investigate replacing sleep mode with hibernate to both clear memory and reduce device emissions. Support these actions with clear policy and education so users know what is expected to protect these devices.

 

Read more in:

Infosecurity Magazine: UK's Environmental Agencies Lose Hundreds of Devices

https://www.infosecurity-magazine.com/news/uks-environmental-agencies-lose/


****************************************************************************

INTERNET STORM CENTER TECH CORNER

Rig Exploit Kit Delivering VBScript


https://isc.sans.edu/forums/diary/Rig+Exploit+Kit+Delivering+VBScript/25318/


Encrypted Sextortion PDFs

https://isc.sans.edu/forums/diary/Encrypted+Sextortion+PDFs/25324/


LastPass Password Leak

https://bugs.chromium.org/p/project-zero/issues/detail?id=1930


Microsoft Extends EoL For Exchange Server 2010

https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Microsoft-Extending-End-of-Support-for-Exchange-Server-2010-to/ba-p/753591


iOS Lock Screen Unlock Vulnerability

https://www.theregister.co.uk/2019/09/12/apples_ios_lock_workaround/


SimJacker

https://www.adaptivemobile.com/blog/simjacker-next-generation-spying-over-mobile


Pen-testers Arrested During Physical Access Pen-test

https://arstechnica.com/information-technology/2019/09/check-the-scope-pen-testers-nabbed-jailed-in-iowa-courthouse-break-in-attempt/



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create