
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #75

September 24, 2019

Ransomware Tally: 2019 Year to Date; and more Ransomware: Florida School District Votes to Negotiate; Ransomware Insurance Encourages More Attacks?




****************************************************************************

SANS NewsBites               Sept. 24, 2019                Vol. 21, Num. 075

****************************************************************************

TOP OF THE NEWS

 

  Ransomware Tally: 2019 Year to Date

  Florida School District Votes to Negotiate with Ransomware Hackers

  Do Ransomware Insurance Payouts Encourage More Attacks?

 

REST OF THE WEEK'S NEWS        

 

  US Senate Panel Approves $250 Million for Election Security

  CISA's Chris Krebs: These Areas of Risk Are Where States Need Election Security Funds

  Colorado Will Remove QR Codes From Ballots

  Microsoft: Free Windows 7 Support Through 2020 for Election Systems

  Voting Machine Makers to Issue RFI on Vulnerability Disclosure Program

  NSA is Using AI to Determine if Satellites Have Been Hacked

  Huawei Suspended from International Trade Group Because of New US Export Rules

  Louisiana Governor's Emergency Declaration Helped Ransomware Response

  Microsoft Releases Emergency Patch for Critical Internet Explorer Flaw


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

Cybersecurity Training Update

 

-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- SANS Denver 2019 | October 14-19 | https://www.sans.org/event/denver-2019


-- SANS Amsterdam October 2019 | October 28-November 2 | https://www.sans.org/event/amsterdam-october-2019


-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019


-- SANS Sydney 2019 | November 4-23 | https://www.sans.org/event/sydney-2019


-- SANS London November 2019 | November 11-16 | https://www.sans.org/event/london-november-2019


-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019


-- SANS OnDemand and vLive Training

Get an iPad Mini, Surface Go, or Take $300 Off through October 2 with your OnDemand or vLive course.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*************************  Sponsored By Splunk   ****************************


The Fundamental Guide to Building a Better Security Operation Center (SOC). Outdated security solutions struggle to stay ahead of advanced cyberthreats, making it hard to detect unknown or hidden threats. So what are companies who rely on dinosaur technology to do? They need to start building the next generation, modern SOC today. Download The Fundamental Guide to Building a Better Security Operation Center (SOC) today to learn how a security operation suite can move your SOC into the future. http://www.sans.org/info/214295


*****************************************************************************

TOP OF THE NEWS   

 --Ransomware Tally: 2019 Year to Date

(September 20, 2019)

Since the beginning of this calendar year, 49 US school districts, colleges, and universities have reported ransomware infections. The education sector is second in number of reported ransomware attacks only to municipalities, of which there have been 70 so far this year. Healthcare is third with 27 reported incidents. The data are from cloud security company Armor.     


[Editor Comments]


[Paller/Honan] This list cannot include the myriad commercial organizations that have been hit by ransomware and have not gone public.


Read more in:

Armor: Armor Identifies 10 New Ransomware Victims in the Past 9 Days, All of them Educational Institutions

https://www.armor.com/threat-intelligence/armor-identifies-10-new-ransomware-victims-in-the-past-9-days/

Dark Reading: Ransomware Strikes 49 School Districts & Colleges in 2019

https://www.darkreading.com/threat-intelligence/ransomware-strikes-49-school-districts-and-colleges-in-2019/d/d-id/1335872

 
 

--Florida School District Votes to Negotiate with Ransomware Hackers

(September 18 & 20, 2019)

A Florida school district has voted to allow its insurance company to negotiate with hackers to settle a ransomware demand. The Wakulla County School Board last week voted unanimously to negotiate rather than try to recover the data on their own. The payment will be covered by the insurance company. The attack occurred in early September; the school board disclosed the incident publicly on September 10.


[Editor Comments]


[Neely] Allowing an experienced third party, such as your insurance company, to negotiate and pay the ransom on your behalf is prudent and should be one aspect of your response plan, which includes validated backup, recovery, communication and manual processes. For systems you're accepting the risk of compromise without recovery, a validated business resumption plan needs to be vetted both with IT and with senior management.


Read more in:

The Wakulla News: School district set to negotiate with hackers

https://www.thewakullanews.com/content/school-district-set-negotiate-hackers

SC Magazine: Wakulla County school board elects to negotiate with ransomware hackers

https://www.scmagazine.com/home/security-news/ransomware/wakulla-county-school-board-elects-to-negotiate-with-ransomware-hackers/



--Do Ransomware Insurance Payouts Encourage More Attacks?

(September 13 & 20, 2019)

Some cybersecurity professionals are concerned that the frequency of payouts covered by insurance will encourage hackers to increase ransomware attacks against organizations likely to have such coverage. Last summer, La Porte County, Indiana paid a ransom, $100,000 of which was covered by its insurance company, leaving the county on the hook for $32,000. The county's insurance company initially sent lawyers and cybersecurity experts to help, but they were unsuccessful. New Bedford, Massachusetts countered a $5.3 million demand with an offer of $400,000; the hackers never responded. That city's insurance company will help with data recovery and security improvements. In a separate story, a California insurance company is offering low-cost ransomware insurance, which raises concerns that if hackers know they can get a payout of up to $50,000 from these entities, small businesses and individuals will increasingly be targeted.


[Editor Comments]


[Honan] I am firmly in the no-pay camp and fear the willingness of insurance firms to pay these ransoms will only fuel the cyber crime economy for these criminals. If insurance companies want to go this route then they should develop dedicated and separate products for cyber-extortion coverage similar to the existing insurance policies to cover kidnap and ransom demands of staff. This will highlight to those looking for that insurance the associated costs and risks which in turn should make them decide how best to deal with those risks.


Read more in:

NYT: Payouts From Insurance Policies May Fuel Ransomware Attacks

https://www.nytimes.com/aponline/2019/09/20/us/ap-us-ransomware-insurance.html

The Register: Consumer ransomware insurance? You could be painting a target on us all for avaricious crims

https://www.theregister.co.uk/2019/09/13/california_ransomware_insurance_50k_payout/


****************************  SPONSORED LINKS  ******************************


1) Webcast September 26th at 1 PM ET: Speaking the Language of the Board with Unisys CISO Mat Newfield. http://www.sans.org/info/214300


2) What steps is your organization taking to manage the risks associated with workforce transformation? Take the survey. http://www.sans.org/info/214305


3) Upcoming Webcast: A Principal Control Engineer's Perspective on Defending Energy Utilities from IoT/ICS Attacks. Register http://www.sans.org/info/214310


*****************************************************************************

REST OF THE WEEK'S NEWS


--US Senate Panel Approves $250 Million for Election Security

(September 19, 2019)

A US Senate panel has approved an amendment to the 2020 financial services and general government funding bill to provide $250 million in additional funds for state elections systems security. The current version of the amendment does not specify how the funds may be spent; some legislators have suggested providing oversight to ensure that the funds are spent responsibly.   


[Editor Comments]


[Neely] Having guidance as to how the money may, or may not, be spent is critical for the inevitable follow-up audit. Also, criteria for equitable distribution of funds will need to be established. There is no shortage of areas states can invest in to improve election security, and the advice from Chris Krebs (below) is a good start for prioritizing those efforts.


Read more in:

Washington Post: Key Senate panel approves $250 million for election security

https://www.washingtonpost.com/politics/key-senate-panel-approves-250-million-for-election-security/2019/09/19/f84f7564-db49-11e9-a1a5-162b8a9c9ca2_story.html

CNET: McConnell backs $250M in election security funding after long resistance

https://www.cnet.com/news/sen-mcconnell-backs-250m-in-election-security-funding/

The Hill: Senate committee approves $250 million for state election security efforts

https://thehill.com/policy/cybersecurity/462176-senate-committee-approves-250-million-for-state-election-security


 

--CISA's Chris Krebs: These Areas of Risk Are Where States Need Election Security Funds

(September 20, 2019)

Speaking at the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) National Cybersecurity Summit, CISA Director Christopher Krebs said that there are three risk areas where states need additional funding to improve election security. First, states need to address immediate risks by moving to paper ballot back-ups. Second, states need consistent funding to budget for ongoing security issues. And third, there needs to be an innovation fund to pilot programs to protect election infrastructure.


[Editor Comments]


[Neely] States could also look to the recent lessons learned relating to voting security to re-assess the lifecycle of election system components. Components with unsupported hardware or software make ongoing support and security challenging and could lead to remediation costs that exceed lifecycle replacement costs.

 

[Northcutt] Here is the backstory on the summit: https://www.us-cert.gov/event/2019-cisa-cybersecurity-summit


Read more in:

Fifth Domain: Here are 3 areas where states need more money for election security

https://www.fifthdomain.com/civilian/dhs/2019/09/20/here-are-3-areas-where-states-need-more-money-for-election-security/


 

--Colorado Will Remove QR Codes From Ballots

(September 16 & 20, 2019)

The state of Colorado will remove QR (quick response) matrix bar codes from ballots, becoming "the first state to require voting systems to tabulate all ballots using only human-verifiable information." When Colorado voters cast ballots in person at a polling place, they use a device that prints a paper ballot listing their choices in plain text alongside a QR code that encodes those same choices for the tabulation scanner. Voters can read and check the printed list, but they have no way to confirm that the QR code encodes the same selections; if the two disagree, a count taken from the code would silently diverge from what the voter saw and approved. The Colorado initiative therefore requires that all ballots be tabulated from the human-readable marks (the filled-in ovals) rather than from the QR code.
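The following is an added example, not code from the original newsletter, the Colorado Secretary of State, or any voting-system vendor; it illustrates the point above with a constructed ballot format. The contest names, the `GOV=1;PROP1=0` payload encoding standing in for the QR contents, and the five sample ballots are all hypothetical. Ballot 3's encoded payload disagrees with its printed text, so a tally taken from the payload differs from one taken from the human-verifiable marks, and a simple audit that compares the two flags exactly that ballot.

```python
"""Added example: tabulating from an opaque QR payload versus the printed marks.

Constructed sample data; not Colorado's ballot format or any vendor's encoding.
"""
from collections import Counter, defaultdict

# Hypothetical contest definitions. The index-to-name tables stand in for
# whatever a real machine payload would reference.
CONTESTS = {
    "GOV": ["Adams", "Baker", "Chen"],
    "PROP1": ["Yes", "No"],
}


def decode_payload(payload: str) -> dict:
    """Decode a constructed 'QR' payload such as 'GOV=1;PROP1=0' into
    {contest: candidate_name}. A voter cannot read this; only the scanner can."""
    selections = {}
    for field in payload.split(";"):
        if not field:
            continue
        contest, _, index = field.partition("=")
        selections[contest] = CONTESTS[contest][int(index)]
    return selections


def tabulate(ballots, source: str) -> dict:
    """Tally each contest from either the human-readable marks ('marks')
    or the machine payload ('payload')."""
    totals = defaultdict(Counter)
    for ballot in ballots:
        if source == "marks":
            chosen = ballot["marks"]
        else:
            chosen = decode_payload(ballot["payload"])
        for contest, choice in chosen.items():
            totals[contest][choice] += 1
    return {contest: dict(tally) for contest, tally in totals.items()}


def audit(ballots) -> list:
    """Return (ballot_id, contest, printed, encoded) for every ballot whose
    encoded payload disagrees with the text the voter could actually verify."""
    findings = []
    for ballot in ballots:
        encoded = decode_payload(ballot["payload"])
        for contest, printed in ballot["marks"].items():
            if encoded.get(contest) != printed:
                findings.append((ballot["id"], contest, printed, encoded.get(contest)))
    return findings


# Constructed ballots. Ballot 3's payload encodes GOV=1 (Baker) although the
# printed text, which is what the voter checked, shows Adams.
SAMPLE_BALLOTS = [
    {"id": 1, "marks": {"GOV": "Adams", "PROP1": "Yes"}, "payload": "GOV=0;PROP1=0"},
    {"id": 2, "marks": {"GOV": "Baker", "PROP1": "No"}, "payload": "GOV=1;PROP1=1"},
    {"id": 3, "marks": {"GOV": "Adams", "PROP1": "No"}, "payload": "GOV=1;PROP1=1"},
    {"id": 4, "marks": {"GOV": "Chen", "PROP1": "Yes"}, "payload": "GOV=2;PROP1=0"},
    {"id": 5, "marks": {"GOV": "Adams", "PROP1": "Yes"}, "payload": "GOV=0;PROP1=0"},
]

if __name__ == "__main__":
    print("tally from payload:", tabulate(SAMPLE_BALLOTS, "payload"))
    print("tally from marks:  ", tabulate(SAMPLE_BALLOTS, "marks"))
    print("discrepancies:     ", audit(SAMPLE_BALLOTS))
```

The payload-based tally gives Adams and Baker two votes each, while the marks-based tally gives Adams three and Baker one; only the latter matches what the voters saw. The audit is what turns the printed text from a receipt into a control: the human-readable record is the count of record, and the machine code can at most be cross-checked against it.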


[Editor Comments]


[Neely] Colorado doesn't allow vote counting and marking computers to be connected to the Internet, has safeguards to catch ballot manipulations, and has other security practices that raise the bar on election security, which other states could use as best practices.

 

Read more in:

sos.state.co: Colorado Secretary of State Takes Action to Increase Cyber Security, Announces Initiative to Remove QR Codes from Ballots

https://www.sos.state.co.us/pubs/newsRoom/pressReleases/2019/PR20190916QRCodes.html

GovTech: Colorado the First State to Remove Bar Codes from Ballots

https://www.govtech.com/civic/Colorado-the-First-State-to-Remove-Bar-Codes-from-Ballots.html

The Hill: Colorado cites cybersecurity concerns in banning QR codes on ballots

https://thehill.com/policy/cybersecurity/461619-colorado-cites-cybersecurity-concerns-in-banning-qr-codes-on-ballots

 
 

--Microsoft: Free Windows 7 Support Through 2020 for Election Systems

(September 20, 2019)

Microsoft will provide free security updates for Windows 7 systems that are part of federally certified voting systems through the end of the November 2020 US presidential election. The free support for election systems running Windows 7 will be available to other countries holding national elections as well. Microsoft is scheduled to end general support for Windows 7 in January 2020, with an option for users to pay for Extended Security Updates through January 2023.


[Editor Comments]


[Neely] Providing support for the systems used to cast ballots as well as for those used in the correlation and tabulation of results will not only help provide access to security patches, but also help the existing systems remain certified. Unlike a desktop system, patches and updates must be carefully tested to ensure they are not disruptive. This also provides a little more breathing room for acquisition and implementation of voting systems built to newer security standards.


Read more in:

Microsoft: Extending free Windows 7 security updates to voting systems

https://blogs.microsoft.com/on-the-issues/2019/09/20/extending-free-windows-7-security-updates-to-voting-systems/

Cyberscoop: Microsoft will offer free Windows 7 support for election officials through 2020

https://www.cyberscoop.com/microsoft-windows-7-elections-2020/

 

--Voting Machine Makers to Issue RFI on Vulnerability Disclosure Program

(September 19 & 23, 2019)

Makers of voting machines in the US plan to release a request for information (RFI) this week, seeking proposals for creating a vulnerability disclosure program to improve election security.


Read more in:

SC Magazine: Voting equipment vendors seek info on vulnerability disclosure program

https://www.scmagazine.com/home/security-news/government-and-defense/election-coverage/voting-equipment-vendors-seek-info-on-vulnerability-disclosure-program/

Cyberscoop: What would a vulnerability disclosure program look like for voting equipment? Expect an RFI soon

https://www.cyberscoop.com/vulnerability-disclosure-voting-vendors-elections-rfi/

 
 

--NSA is Using AI to Determine if Satellites Have Been Hacked

(September 17 & 23, 2019)

The National Security Agency (NSA) is running AI experiments to see whether it can determine that a satellite has been hacked. Hacking an orbiting satellite requires attackers either to gain control of the systems operating the ground antenna that communicates with the satellite or to spoof the ground control system so the satellite accepts the attackers' commands instead. In a separate story, the US Air Force said it will hold a "hack an orbiting satellite" event at next year's DefCon in Las Vegas. Participants will be selected before the event: the Air Force will release a call for submissions this fall, researchers whose pitches are selected will be allowed to test them against a flat-sat (a ground-based test build of the satellite's hardware and software), and the five deemed most promising will be chosen to participate at DefCon 2020.


Read more in:

Nextgov: The NSA Is Running a Satellite Hacking Experiment

https://www.nextgov.com/cybersecurity/2019/09/nsa-running-satellite-hacking-experiment/160057/

Wired: The Air Force Will Let Hackers Try to Hijack an Orbiting Satellite

https://www.wired.com/story/air-force-defcon-satellite-hacking/


 

--Huawei Suspended from International Trade Group Because of New US Export Rules

(September 17, 18, & 20, 2019)

Huawei has been suspended from the international group known as the Forum of Incident Response and Security Teams, or "FIRST." The group was established in the 1990s to encourage international cooperation to address cybersecurity issues. Huawei's exclusion means the company will not have access to information that could help it address security concerns in a timely manner. The decision to oust Huawei appears to have been made based on legal advice regarding recent changes to US export rules, according to a memo seen by the Wall Street Journal. The memo indicates that the suspension is temporary and that the group is working with US officials to allow Huawei to rejoin FIRST. The current US administration has been urging other NATO countries not to use Huawei components in their 5G networks, but they have declined. (Please note that the WSJ story is behind a paywall.)


Read more in:

WSJ: Huawei Suspended From Global Forum Aimed at Combating Cybersecurity Breaches (paywall)

https://www.wsj.com/articles/huawei-suspended-from-global-forum-aimed-at-combating-cyber-security-breaches-11568805324

FIRST: Statement regarding Huawei's suspension from the Forum of Incident Response and Security Teams (FIRST)

https://www.first.org/newsroom/releases/20190918

Cyberscoop: U.S. Secretary of Defense urges NATO allies to block Chinese-built 5G tech

https://www.cyberscoop.com/u-s-secretary-defense-urges-nato-allies-block-chinese-built-5g-tech/

CSM: Facing US ban, Huawei looks to spread 5G products

https://www.csmonitor.com/Technology/2019/0917/Facing-US-ban-Huawei-looks-to-spread-5G-products



--Louisiana Governor's Emergency Declaration Helped Ransomware Response

(September 20, 2019)

When Louisiana school districts were hit with ransomware attacks earlier this year, Governor John Bel Edwards's declaration of an emergency set in motion a coordinated response that limited the scope of the attacks. In all, 12 school districts were targeted. Five districts had data encrypted; seven disconnected their machines before encryption took hold. The response, coordinated in large part by the Governor's Office of Homeland Security and Emergency Preparedness (GOHSEP), involved the state IT department, the Office of Technology Services (OTS), the National Guard, and the State Police. Edwards has made cybersecurity a priority in Louisiana. Two years ago, he established the state's Cybersecurity Commission, a public-private partnership that works with OTS and other entities when a cyberattack occurs.


Read more in:

GovTech: How Louisiana Responded to Its Recent Ransomware Attacks

https://www.govtech.com/pcio/How-Louisiana-Responded-to-Its-Recent-Ransomware-Attacks.html



--Microsoft Releases Emergency Patch for Critical Internet Explorer Flaw

(September 23, 2019)

On Monday, September 23, Microsoft released an out-of-band patch for CVE-2019-1367, a critical memory-corruption vulnerability in the Internet Explorer (IE) scripting engine that is being actively exploited. An attacker who lures a user to a crafted web page can exploit the flaw to execute code with the privileges of the logged-on user. At the same time, Microsoft released a fix for CVE-2019-1255, a denial-of-service flaw in Microsoft Defender.


Read more in:

The Register: Nine words to ruin your Monday: Emergency Internet Explorer patch amid in-the-wild attacks

https://www.theregister.co.uk/2019/09/23/microsoft_internet_explorer_cve_2019_1367/

ZDNet: Microsoft releases out-of-band security update to fix IE zero-day & Defender bug

https://www.zdnet.com/article/microsoft-releases-out-of-band-security-update-to-fix-ie-zero-day-defender-bug/

MSRC: CVE-2019-1367 | Scripting Engine Memory Corruption Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367

MSRC: CVE-2019-1255 | Microsoft Defender Denial of Service Vulnerability

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1255



*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Popular Android Selfie Apps Act as Adware

https://www.wandera.com/mobile-security/google-play-adware/


Wireshark Update

https://www.wireshark.org/docs/relnotes/wireshark-3.0.5.html


Harbor Privilege Escalation

https://unit42.paloaltonetworks.com/critical-vulnerability-in-harbor-enables-privilege-escalation-from-zero-to-admin-cve-2019-16097/


Cloudflare Adding "Bot Fight" Option

https://blog.cloudflare.com/cleaning-up-bad-bots/


iOS Bluetooth Access Feature

https://www.theverge.com/2019/9/19/20867286/ios-13-bluetooth-permission-privacy-feature-apps


Forcepoint VPN Update

https://support.forcepoint.com/KBArticle?id=000017525


Microsoft Releases Special Patch for Exploited Vulnerability in Internet Explorer

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1367



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Kathy Bradford is the Managing Editor of NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create