
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #78

October 4, 2019

More than 621 Ransomware Attacks in US So Far This Year; FBI Ransomware Warning; Hospitals Disabled by Ransomware; US, UK, and Australia Ask Facebook Delay Encryption Plans




****************************************************************************

SANS NewsBites                 Oct. 4, 2019                Vol. 21, Num. 078

****************************************************************************


TOP OF THE NEWS


  More than 621 Ransomware Attacks in US So Far This Year

  FBI Warning on Ransomware

  Hospitals in US, Australia Hit with Ransomware

  US, UK, and Australia Ask Facebook to Hold Off Encryption Plans for Messaging Services



REST OF THE WEEK'S NEWS


  Dutch Police Take Down "Bulletproof" Hosting Operation

  FBI Investigating 2018 Election Mobile Voting App Hack Attempt in West Virginia

  CISA and FDA Warning on Medical Device Vulnerabilities

  vBulletin Flaw Exploited to Steal Comodo Forums Data

  Zero-Day Android Flaw is Being Exploited to Gain Control of Vulnerable Phones

  Australian National University Shares Incident Report on 2018 Breach


INTERNET STORM CENTER TECH CORNER



****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS Denver 2019 | October 14-19 | https://www.sans.org/event/denver-2019


-- SANS Amsterdam October 2019 | October 28-November 2 | https://www.sans.org/event/amsterdam-october-2019


-- DFIRCON 2019 | Miami, FL | November 4-9 | https://www.sans.org/event/dfircon-miami-2019


-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019


-- SANS Sydney 2019 | November 4-23 | https://www.sans.org/event/sydney-2019


-- SANS London November 2019 | November 11-16 | https://www.sans.org/event/london-november-2019


-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019


-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


-- SANS OnDemand and vLive Training

Get a 7th gen 10.2" iPad, Samsung Galaxy Tab A, or Take $250 off through October 16 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*************************  Sponsored By SANS  ******************************


Help the security community recognize unsung heroes of cybersecurity so that others can learn from their successes. Please nominate people and teams for the 2019 Security Difference Makers Awards. Winners/Recipients will be recognized on December 16th in Washington, DC. Send nominations to trends@sans.org. Deadline: October 18th. Full details on how to nominate at http://www.sans.org/info/214395


****************************************************************************

TOP OF THE NEWS

 

--More than 621 Ransomware Attacks in US So Far This Year

(October 1 & 3, 2019)

According to statistics from Emsisoft, at least 621 organizations in the US, including state and local governments, school districts, health care services and other entities, have been hit with ransomware during the first nine months of 2019. Emsisoft breaks the attacks down by sector and also notes trends, including a growing focus on attacking managed service providers (MSPs), which allow attackers to hit multiple customers; increasing ransom demands; and organizations with cyber insurance choosing to pay the ransom rather than restore systems on their own.


[Editor Comments]


[Neely] The report asserts that email, attachments, and RDP are the attack vectors of choice. While it is challenging to limit users opening attachments or clicking links in email, we can most definitely implement protection measures for RDP. Scans continue to find millions of RDP services directly exposed to the Internet, rather than behind an additional access control device.


[Murray] This is called criminal success on a grand scale. While it may not be possible to eliminate all successful "ransomware" attacks, safe backups can take the money out of it. We can expect these attacks to increase unless and until the profitability goes out of them.


Read more in:

Emsisoft: State of Ransomware in the U.S.: 2019 Report for Q1 to Q3

https://blog.emsisoft.com/en/34193/state-of-ransomware-in-the-u-s-2019-report-for-q1-to-q3/

Infosecurity Magazine: Nearly 70 US Government Organizations Hit by Ransomware Since January

https://www.infosecurity-magazine.com/news/us-government-organizations-hit-by/


 

--FBI Warning on Ransomware

(October 2 & 3, 2019)

The FBI has issued a warning about "high-impact" ransomware attacks targeting businesses, state and local governments, and health care and other organizations. The agency notes that it "does not advocate paying a ransom" because there is no guarantee that the data will be restored and because it encourages the criminals to launch more attacks. However, the FBI urges organizations to report ransomware attacks to law enforcement whether or not they have paid a ransom.


[Editor Comments]


[Neely] Ransomware attacks are not going away; they remain economically viable attacks. The IC3 article has a good set of protections and best practices to not only facilitate recovery but also limit the impacts of ransomware. Don't overlook the key point that mitigations need to be tested/verified regularly. If you've never attempted to rebuild a user system or application from your backups, now is a good time to go through that exercise to learn the nuances of your particular solution and implement improvements identified before you have an incident.


[Honan] I would encourage companies to refer to the www.nomoreransom.org website sponsored by Europol for guidelines on how to prevent infections by ransomware and for decryption keys to known ransomware strains.


Read more in:

IC3: High-Impact Ransomware Attacks Threaten U.S. Businesses and Organizations

https://www.ic3.gov/media/2019/191002.aspx

ZDNet: FBI's new ransomware warning: Don't pay up, but if you do, tell us about it

https://www.zdnet.com/article/fbis-new-ransomware-warning-dont-pay-up-but-if-you-do-tell-us-about-it/

Bleeping Computer: FBI Warns U.S. Organizations About High Impact Ransomware

https://www.bleepingcomputer.com/news/security/fbi-warns-us-organizations-about-high-impact-ransomware/

The Hill: FBI issues alert warning of potential 'high-impact' ransomware attacks

https://thehill.com/policy/cybersecurity/464262-fbi-issues-alert-warning-businesses-of-potential-high-impact-ransomware


 

--Hospitals in US, Australia Hit with Ransomware

(October 1 & 2, 2019)

Hospitals in the US and Australia were the victims of ransomware attacks earlier this week. Three DCH Health Systems hospitals in Alabama have been forced to turn away all but the most critically ill patients after their systems became infected with ransomware. In Australia, the government of Victoria said that seven hospitals and healthcare facilities have been affected by ransomware attacks, which resulted in the cancellation of some elective surgeries and appointments.


Read more in:

SC Magazine: Ransomware attack forces DCH Health Systems to turn away patients

https://www.scmagazine.com/home/security-news/ransomware/ransomware-attack-forces-dch-health-systems-to-turn-away-patients/

BBC: US hospitals turn away patients as ransomware strikes

https://www.bbc.com/news/technology-49905226

ZDNet: Some Victorian hospitals are offline after ransomware hit

https://www.zdnet.com/article/some-victorian-hospitals-are-offline-after-ransomware-hit/

Ars Technica: Ransomware forces 3 hospitals to turn away all but the most critical patients

https://arstechnica.com/information-technology/2019/10/hamstrung-by-ransomware-10-hospitals-are-turning-away-some-patients/

Infosecurity Magazine: 10 Hospitals Held to Ransom by Cyber-Criminals

https://www.infosecurity-magazine.com/news/10-hospitals-held-to-ransom-by/

DCH System: Patient and Community Information Regarding Attack on DCH Computer System

https://www.dchsystem.com/Articles/all_3_dch_health_system_hospitals_only_accepting_critical_new_patients_due_to_ransomware_attack.aspx

 
 

--US, UK, and Australia Ask Facebook to Hold Off Encryption Plans for Messaging Services

(October 3, 2019)

In a letter to be published on Friday, October 4, the US Attorney General and his counterparts in Australia and the UK have asked Facebook to put on hold its plans to add end-to-end encryption to all its messaging services unless it provides a means for "law enforcement to obtain lawful access to content in a readable and usable format." (Please note that the WSJ story is behind a paywall.)


[Editor Comments]


[Neely] Back in 2016, Facebook Messenger added the ability (Secret Conversations) to make messages private, and is now working to also reduce the amount of permanent content. Protecting user information not only impacts law enforcement, but also those that would use the information for nefarious purposes. We cannot shun social media services for not providing privacy controls and then ask them to not add additional protections for their users.


[Pescatore, Honan] In the never-ending tension between security/privacy and intelligence/law enforcement access, we pretty much know that increasing the security of businesses and consumers is needed very badly and encryption and strong authentication are key components to achieving that. Law enforcement's ability to seize (and auction off) bitcoins has pretty much proven they still have access even when encryption is in use - mainly because strong authentication is *not* in use and obtaining digital files legally is still feasible. Bulk collection by intelligence agencies is a different story, but leaving communications open to friendly countries means they are also available to unfriendly countries.


Read more in:

Justice: Open Letter: Facebook's "Privacy First" Proposals

https://www.justice.gov/opa/press-release/file/1207081/download

Justice: Attorney General Barr Signs Letter to Facebook From US, UK, and Australian Leaders Regarding Use of End-To-End Encryption (press release)

https://www.justice.gov/opa/pr/attorney-general-barr-signs-letter-facebook-us-uk-and-australian-leaders-regarding-use-end

Washington Post: U.S., allies ask Facebook not to expand encryption on its services

https://www.washingtonpost.com/world/national-security/us-allies-ask-facebook-not-to-encrypt-its-messaging-service/2019/10/03/9180d27c-e5f0-11e9-a6e8-8759c5c7f608_story.html

WSJ: Attorney General Calls on Facebook to Limit Message-Encryption Plans (paywall)

https://www.wsj.com/articles/attorney-general-calls-on-facebook-to-limit-message-encryption-plans-11570130636

CNET: Governments calls on Facebook to pause encryption efforts

https://www.cnet.com/news/governments-calls-on-facebook-to-pause-encryption-efforts/


****************************  SPONSORED LINKS  ******************************


1) ICYMI Webcast: ExtraHop Reveal(x) Expands Attack Investigations to Cover All Vectors. View here http://www.sans.org/info/214400


2) Cyber Investigations and Security Posture Management Working Together. Speakers from SANS, AWS Marketplace and Barracuda Networks explain how CyberSecurity Posture Management (CSPM) can enhance cyber investigations in AWS environments. In this webcast, learn how to select data sources, investigation tools and use CSPM in your cyber investigative processes. October 9, 2 PM ET. http://www.sans.org/info/214405


3) What steps is your organization taking to manage the risks associated with workforce transformation? Take this survey http://www.sans.org/info/214410


*****************************************************************************

REST OF THE WEEK'S NEWS

 

--Dutch Police Take Down "Bulletproof" Hosting Operation

(October 2 & 3, 2019)

Law enforcement authorities in the Netherlands have shut down a "bulletproof" hosting provider. "Bulletproof" indicates the hosting provider ignores abuse reports and takedown requests and looks the other way while criminals run operations on the servers. Authorities seized five servers and arrested two people.


[Editor Comments]


[Pescatore] Crack houses and stolen car "chop" shops routinely get shut down for aiding and abetting crimes; good to see the same logic applied to hosting providers.


[Honan] Well done! There are now five physical servers in the hands of law enforcement which should provide a wealth of evidence, data, and intelligence for future law enforcement operations.


Read more in:

The Register: Huygens if true: Dutch police break up bulletproof hosting outfit and kill Mirai botnet

https://www.theregister.co.uk/2019/10/03/dutch_cops_bust_mirai/

ZDNet: Dutch police take down hornets' nest of DDoS botnets

https://www.zdnet.com/article/dutch-police-take-down-hornets-nest-of-ddos-botnets/

Politie: Servers botnet offline (in Dutch)

https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html


 

--FBI Investigating 2018 Election Mobile Voting App Hack Attempt in West Virginia

(October 2, 2019)

The FBI is investigating reports that someone attempted to hack the Voatz mobile app that the state used in the 2018 election to allow voters living overseas to cast their ballots. The US Attorney for West Virginia says that the attack does not appear to have been successful. Voatz was used to cast 144 ballots in West Virginia's 2018 election.


[Editor Comments]


[Murray] Digital natives are likely to expect that they be able to vote the same way that they bank. This is particularly true for absentee voting. Whatever can be done safely on paper in a double envelope can be done electronically. Mobile apps are the safest way to do that. Those who project all the problems of personal computers, general purpose operating systems, browsers, and web applications onto electronic voting, pat themselves on the back, and then walk away, are not serving us well.


Read more in:

The Register: FBI called in to investigate 2018 Mountain State mobile voting system hacking

https://www.theregister.co.uk/2019/10/02/west_virginia_election_hacking/

Statescoop: Hacking attempt reported against West Virginia's mobile voting app

https://statescoop.com/voatz-voting-app-west-virginia-fbi-hacking-attempt/


 

--CISA and FDA Warning on Medical Device Vulnerabilities

(October 1 & 3, 2019)

The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) and the Food and Drug Administration (FDA) have issued advisories warning of security flaws in certain medical devices that could be exploited to allow remote code execution. Researchers at Armis have identified 11 vulnerabilities in the Interpeak IPnet TCP/IP stack, which was developed more than a decade ago.


[Editor Comments]


[Neely] While Wind River has patches for impacted versions of VxWorks, fixes for some of the CVEs require code changes, so updating specific implementations depends on the vendor-specific plans for remediation. In the interim, mitigate the risks by segmenting these systems and only providing remote access over a secure VPN when needed.


[Murray] The medical device industry's track record on security does not inspire trust, but these vulnerabilities inspire more fear than real risk. While the consequence of a successful attack seems severe, the attack does not scale, and the therapeutic value of these devices will almost always trump the risk that they might be abused or misused.


Read more in:

US-CERT: ICS Advisory (ICSA-19-274-01) Interpeak IPnet TCP/IP Stack

https://www.us-cert.gov/ics/advisories/icsa-19-274-01

FDA: URGENT/11 Cybersecurity Vulnerabilities in a Widely-Used Third-Party Software Component May Introduce Risks During Use of Certain Medical Devices: FDA Safety Communication

https://www.fda.gov/medical-devices/safety-communications/urgent11-cybersecurity-vulnerabilities-widely-used-third-party-software-component-may-introduce

Armis: URGENT/11 Presses Further, Affecting Additional RTOSs - Highlights Risks on Medical Devices

https://www.armis.com/resources/iot-security-blog/urgent-11-update/

Wired: Decades-Old Code Is Putting Millions of Critical Devices at Risk

https://www.wired.com/story/urgent-11-ipnet-vulnerable-devices/

Infosecurity Magazine: FDA Issues Cybersecurity Warning for Medical Devices

https://www.infosecurity-magazine.com/news/fda-issues-cybersecurity-warning/


 

--vBulletin Flaw Exploited to Steal Comodo Forums Data

(October 1, 2019)

Account information belonging to 170,000 Comodo Forums users has reportedly been offered for sale on the dark web. Comodo has posted a security notice about the incident, noting that an attacker exploited a recently disclosed vulnerability in vBulletin software to gain access to user account information.


[Editor Comments]


[Neely] A fix was released on September 25th for vBulletin versions 5.5.2, 5.5.3, & 5.5.4. Older versions need to update to one of these supported versions. Other options include taking the forum offline, implementing a web application firewall, or applying the fix from Cylance's Nick Cano which disables an insecure eval operation.


Read more in:

Comodo: Important Security Notice About Comodo Forums Accounts

https://forums.comodo.com/general-announcements/important-security-notice-about-comodo-forums-accounts-t124921.0.html

Bleeping Computer: Comodo Forums Breached, Data of Over 170,000 Users Up for Grabs

https://www.bleepingcomputer.com/news/security/comodo-forums-breached-data-of-over-170-000-users-up-for-grabs/

The Register: vBulletin zero-day KOs Comodo user forums - that's 245,000 accounts at risk of compromise

https://www.theregister.co.uk/2019/10/01/comodo_vbulletin_0day_failure_to_patch/

SC Magazine: Attacker breaches Comodo forums by exploiting vBulletin flaw

https://www.scmagazine.com/website-web-server-security/attacker-breaches-comodo-forums-by-exploiting-vbulletin-flaw/


 

--Zero-Day Android Flaw is Being Exploited to Gain Control of Vulnerable Phones

(October 3, 2019)

Attackers are actively exploiting an unpatched local privilege escalation vulnerability in the Android operating system to take control of mobile phones. The issue affects numerous phones that run Android. The flaw will be fixed for Pixel with Android's October security updates.


Read more in:

Ars Technica: Attackers exploit 0day vulnerability that gives full control of Android phones

https://arstechnica.com/information-technology/2019/10/attackers-exploit-0day-vulnerability-that-gives-full-control-of-android-phones/

Chromium: Issue 1942: Android: Use-After-Free in Binder driver

https://bugs.chromium.org/p/project-zero/issues/detail?id=1942


 

--Australian National University Shares Incident Report on 2018 Breach

(October 2, 2019)

An attack on IT systems at Australian National University (ANU) in 2018 has been described as "a diamond heist." The attackers, who have not yet been identified, went after very specific personal information of current and former students and employees. The breach occurred in late 2018, was discovered in May 2019 and disclosed two weeks later. ANU has been lauded for releasing its breach report, which has been described as "honest, technical, detailed, and full of good advice for protecting data." In a foreword to the incident report, ANU Vice-Chancellor and President Professor Brian P. Schmidt writes "I have made this report public because it contains valuable lessons not just for ANU, but for all Australian organisations who are increasingly likely to be the target of cyber attacks."


[Editor Comments]


[Honan] Valuable lessons that can be applied to all organisations.


Read more in:

Image Depot: ANU: Incident Report on the Breach of the Australian National University's Administrative Systems

https://imagedepot.anu.edu.au/scapa/Website/SCAPA190209_Public_report_web_2.pdf

ZDNet: ANU incident report on massive data breach is a must-read

https://www.zdnet.com/article/anu-incident-report-on-massive-data-breach-a-must-read/

Reuters: Hackers targeted personal data held at top Australian university: report

https://www.reuters.com/article/us-australia-cyber/hackers-targeted-personal-data-held-at-top-australian-university-report-idUSKBN1WH0FY



*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Latest Emotet News

https://isc.sans.edu/forums/diary/A+recent+example+of+Emotet+malspam/25378/


Lost Files Ransomware is Back With New Ruse

https://isc.sans.edu/forums/diary/LostFiles+Ransomware/25382/


Lukasz Cyra: Pass the Hash in Windows 10

https://www.sans.org/reading-room/whitepapers/testing/paper/39170


SANS Ouch! Newsletter

https://www.sans.org/security-awareness-training/resources/four-simple-steps-staying-secure


PDF Encryption Flaw

https://web-in-security.blogspot.com/2019/09/pdfex-major-security-flaws-in-pdf.html


XPdf and Foxit Updates

https://www.foxitsoftware.com/support/security-bulletins.php

https://forum.xpdfreader.com/viewtopic.php?f=3&t=41885


Windows 7 Security Updates Beyond 2020

https://www.microsoft.com/en-us/microsoft-365/blog/2019/10/01/windows-small-midsize-businesses-stay-secure-current/


ODT Documents Used to Distribute Malware

https://blog.talosintelligence.com/2019/09/odt-malware-twist.html


eFax Malspam (in German)

https://www.heise.de/security/meldung/Achtung-Angebliches-eFax-birgt-Trojaner-4544386.html


tcpdump vulnerabilities

https://www.tcpdump.org/tcpdump-changes.txt


TLS Manipulating Malware

https://securelist.com/compfun-successor-reductor/93633/


Office 365 Idle Timeout

https://docs.microsoft.com/en-us/sharepoint/sign-out-inactive-users

https://www.microsoft.com/en-us/microsoft-365/roadmap?filters=&searchterms=55183


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create