SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #8
January 29, 2019
Japanese Government to Hack Home IOT Devices; Users Urged to Delete WordPress Plug-in with Multiple Vulnerabilities
****************************************************************************
SANS NewsBites Jan. 29, 2019 Vol. 21, Num. 008
****************************************************************************
TOP OF THE NEWS
Japanese Government to Hack Home IOT Devices
Users Urged to Delete WordPress Plug-in with Multiple Vulnerabilities
REST OF THE WEEK'S NEWS
Apple Plans to Release Fix for FaceTime Flaw Later This Week
DOJ Unseals Huawei Indictments
Tech Companies Need to Test Products for Abusability
Chrome Will Block Unintended Downloads
Attackers Targeting Unpatched Cisco Routers
Microsoft Exchange Privilege Elevation Vulnerability
Pear PHP Package Manager Compromised
Georgia Elections Official Asks for Funding for New Voting Machines
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019
-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019
-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019
-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019
-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019
-- SANS Baltimore Spring 2019 | March 2-9 | https://www.sans.org/event/baltimore-spring-2019
-- SANS London March 2019 | March 11-16 | https://www.sans.org/event/london-march-2019
-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019
-- ICS Security Summit & Training 2019 | Orlando, FL | March 18-25 | https://www.sans.org/event/ics-security-summit-2019
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get an iPad Mini, Samsung Galaxy Tab S2, or Take $300 Off with OnDemand or vLive. Offer Ends February 6.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By Splunk ****************************
Organizations need an agile security solution that combines the power of an analytics-driven platform while unlocking the benefits of AI and ML. 40% of 200 global executives believe the answer to this challenge is hidden in machine data. Download the Harvard Business Review Analytic Services Pulse Survey, "IT Security: A New Analytics-Driven Model" and discover how AI and ML can help optimize security operations. http://www.sans.org/info/210030
*****************************************************************************
TOP OF THE NEWS
--Japanese Government to Hack Home IOT Devices
(January 25 & 27, 2019)
A recently passed amendment to a Japanese law will allow that country's government to access people's Internet of Things (IoT) devices in order to survey which of them are insecure. The amendment allows employees of Japan's National Institute of Information and Communications Technology (NICT) to log in to people's devices using default passwords and password dictionaries and to compile a list of insecure devices, which will be shared with authorities who can then alert consumers. The project is part of an effort to bolster cybersecurity ahead of the 2020 Summer Olympic Games in Tokyo.
[Editor Comments]
[Pescatore] The way this is described makes it sound like the Japanese government is assuming that a major problem is users not configuring things correctly, vs. the things being built and sold without considering a due diligence level of security. This is kind of like testing the sandwich I bought at a fast food place and telling *me* it has E. coli vs. fining the restaurant that never put the mayonnaise in the refrigerator.
[Ullrich] This survey goes a step beyond what search engines like Shodan will do. The scan will actually try to log in to the devices. Currently, a device connected to the Internet will constantly be scanned for services like Telnet and SSH, and common username/passwords will be attempted. It is highly unlikely that this government-authorized scan will cause any damage that these unauthorized scans haven't already caused. Owners of vulnerable devices will be notified and asked to improve their security. I find this an interesting experiment and hope it will help remove some of the problem devices.
Read more in:
ZDNet: Japanese government plans to hack into citizens' IoT devices
https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/
NHK: Govt. to access home devices in security survey
https://www3.nhk.or.jp/nhkworld/en/news/20190125_44/
--Users Urged to Delete WordPress Plug-in with Multiple Vulnerabilities
(January 25 & 28, 2019)
Hackers are exploiting several critical vulnerabilities in what appears to be an abandoned WordPress plug-in. The flaws can be exploited to gain administrative rights on affected websites. The Total Donations plug-in allows non-profit organizations to accept donations. Attempts to reach the plug-in's developers have been unsuccessful, which suggests that the project has been abandoned. Researchers at Wordfence, who uncovered the issues, are urging users to delete the Total Donations plug-in.
[Editor Comments]
[Paller] Content management systems like WordPress, and their plug-ins, have been the most commonly attacked software on servers for at least two years. Their convenience lulls millions of unsuspecting organizations to rely on them. Is it time for them to be liable for the losses they are enabling? That wouldn't need litigation; just smartly written contracts.
[Neely] In addition to site takeover, exploiting the plugin also allows changes to a site's recurring donations, abuse of mailing lists associated with donors, and access to the Stripe payment system API. Additionally, the plugin no longer operates properly on certain browsers and has compatibility issues with PHP 7.1. Fortunately there are other equivalent donation plugins: disable, migrate and delete immediately.
Read more in:
Wordfence: WordPress Sites Compromised via Zero-Day Vulnerabilities in Total Donations Plugin
Threatpost: WordPress Users Urged to Delete Zero-Day-Ridden Plugin
https://threatpost.com/wordpress-users-urged-to-delete-zero-day-ridden-plugin/141209/
**************************** SPONSORED LINKS ******************************
1) Attention Decision Makers of Every level: Gain a foothold on the first opportunity to narrow the vendor field. http://www.sans.org/info/210035
2) The 14th Annual ICS Security Summit: Orlando, Florida - Mar 18-19. http://www.sans.org/info/210040
3) Don't Miss "Modern AppSec Tools for Modern AppSec Problems: A Practical Introduction to the Next-Gen WAF" Register: http://www.sans.org/info/210050
*****************************************************************************
REST OF THE WEEK'S NEWS
--Apple Plans to Release Fix for FaceTime Flaw Later This Week
(January 28 & 29, 2019)
Apple says it plans to make a fix available for a bug in FaceTime that allows a caller to eavesdrop on the person being called before they accept the call. In some cases, an iPhone could also allow the caller to view the call's intended recipient. Apple has temporarily disabled FaceTime's group call feature in iOS and macOS.
[Editor Comments]
[Ullrich] Until a fix is released, you may want to disable FaceTime. Note that this will affect not just phones, but it will also affect iPads and Macs supporting FaceTime. You should still see the incoming call ring.
[Neely] Securing the group calling features in FaceTime, released in iOS 12.1, has been challenging for Apple. This is expected to be a server side fix rather than another device update. As the group calling is disabled on the server side, this can't be exploited until the fix is released. If you've disabled FaceTime on devices, test before re-enabling FaceTime on devices.
[Honan] Apple has disabled the Group FaceTime function to mitigate this issue until a more permanent software fix is found. Credit to Apple for their Incident Response team having the authority to disable a key function in their production environment to mitigate the potential harm to its customers. Remember to ensure your IR processes have escalation paths to the right people to authorise a similar action for your business should it be subject to a major breach or vulnerability.
Read more in:
SC Magazine: FaceTime bug lets callers eavesdrop on recipients
https://www.scmagazine.com/home/security-news/facetime-bug-lets-callers-eavesdrop-on-recipients/
BBC: Apple rushes to fix FaceTime 'eavesdropping' bug
https://www.bbc.com/news/technology-47037846
The Verge: Apple disables Group FaceTime following major security flaw
--DOJ Unseals Huawei Indictments
(January 28, 2019)
The US Department of Justice (DOJ) has unsealed two indictments against Huawei. The first is a 13-count indictment against Huawei and the company's chief financial officer (CFO), alleging bank fraud and conspiracy to commit bank fraud, wire fraud and conspiracy to commit wire fraud, violations of the International Emergency Economic Powers Act (IEEPA) and conspiracy to violate IEEPA, and conspiracy to commit money laundering, in connection with alleged violations of trade sanctions against Iran and other actions. The second is a 10-count indictment against Huawei alleging conspiracy to steal trade secrets, attempted theft of trade secrets, seven counts of wire fraud, and one count of obstruction of justice, in connection with an alleged conspiracy to steal trade secrets from T-Mobile.
Read more in:
DOJ: Acting Attorney General Matthew Whitaker Announces National Security Related Criminal Charges Against Chinese Telecommunications Conglomerate Huawei
DOJ: Chinese Telecommunications Conglomerate Huawei and Huawei CFO Wanzhou Meng Charged With Financial Fraud
DOJ: Chinese Telecommunications Device Manufacturer and its U.S. Affiliate Indicted for Theft of Trade Secrets, Wire Fraud, and Obstruction Of Justice
ZDNet: United States unseals charges against Huawei and its CFO
https://www.zdnet.com/article/united-states-unseals-charges-against-huawei-and-its-cfo/
Washington Post: Justice Dept. charges Huawei with fraud, ratcheting up U.S.-China tensions
NYT: Huawei and Top Executive Face Criminal Charges in the U.S.
https://www.nytimes.com/2019/01/28/us/politics/meng-wanzhou-huawei-iran.html
--Tech Companies Need to Test Products for Abusability
(January 28, 2019)
Ashkan Soltani, former chief technologist at the US Federal Trade Commission (FTC), was scheduled to give a talk on Monday, January 28 at the USENIX Enigma conference about the need for tech companies to take the abusability of their products as seriously as they now take security. Abusability means the potential for exploiting a technology to cause damage to people or the planet. While some large companies have counter-abuse teams, they are largely reactive. Soltani would like the approach to become proactive. Soltani suggests tech firms consult those who make it their job to foresee the unintended consequence of technology: academics, futurists, and even science fiction authors.
[Editor Comments]
[Pescatore] First, I'd rather see the focus be on safety, both short term and long term, vs. create new terms. Second, the track record on academics, futurists and even science fiction writers in the aggregate (as measured by % false positives + % false negatives) is not stellar, or we would all be flying around with jetpacks and using Segways instead of driving.
[Henry] This is a very interesting concept raised by Soltani, and I see the opportunity for engineers and manufacturers to take this perspective during the research and design phase of the product cycle. I can see too where this could become overly burdensome if carried too far. What is the abusability for a truck used by a madman to drive through a crowded pedestrian walk? What is the abusability of a steak knife when a jilted partner stabs a spouse? While assessing abusability seems to have some value during development, presenting some opportunity to build in controls, there will always be a balance between security and functionality and we'll never protect against every abuse (meaning assessing abusability should not unnecessarily curtail innovation).
[Murray] Companies need to test, full stop. Quality should be part of the requirements statement and test data should be part of the specification. The code must be written in such a way, simple, structured, and documented, as to facilitate effective testing.
Read more in:
Wired: Security Isn't Enough. Silicon Valley Needs 'Abusability' Testing
https://www.wired.com/story/abusability-testing-ashkan-soltani/
--Chrome Will Block Unintended Downloads
(January 24, 26, & 28, 2019)
When version 73 of Google's Chrome browser is released this spring, it will include a feature to help prevent drive-by downloads. Until the feature is added to Chrome, users can prevent JavaScript and embedded active content from running. Firefox and Internet Explorer have already added functionality to prevent unwanted downloads.
[Editor Comments]
[Pescatore] Microsoft and Mozilla have done this for a few years in their browsers. Good to see Google add this level of safety. I think the browser industry has been really slow to put safety ahead of (or even equal to) advertising support in their priority lists, which is kind of like the hair dryer industry building in shampoo dispensers to blow dryers instead of ground fault interruption breakers.
Read more in:
ZDNet: Google Chrome to add drive-by-download protection
https://www.zdnet.com/article/google-chrome-to-add-drive-by-download-protection/
Softpedia: Future Google Chrome Security Update Will Block Drive-By-Downloads
Bleeping Computer: Google Chrome Adding Malicious Drive-By-Downloads Protection
--Attackers Targeting Unpatched Cisco Routers
(January 27 & 28, 2019)
Last week Cisco released fixes to address two vulnerabilities in its Small Business RV320 and RV325 Dual Gigabit WAN VPN routers. The command injection and information disclosure flaws affect the routers web management interface. Just days later, active scanning for unpatched devices has been detected.
[Editor Comments]
[Neely] These are small business and home office class rather than enterprise devices. While the fix is to patch the devices, updating the firmware requires connecting a USB device with new firmware rather than an automated download/install process, which makes the process more resource intensive. Owners need to consider that the exploit has been published and the devices are discoverable on Shodan when considering the risks of not patching.
Read more in:
Threatpost: Active Scans Target Vulnerable Cisco Routers for Remote Code-Execution
https://threatpost.com/scans-cisco-routers-code-execution/141218/
Bleeping Computer: Hackers Targeting Cisco RV320/RV325 Routers Using New Exploits
Cisco: Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject
Cisco: Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
--Microsoft Exchange Privilege Elevation Vulnerability
(January 25, 2019)
A privilege elevation flaw in Microsoft Exchange could be exploited to allow any user with a mailbox to gain Domain Admin privileges. The flaw results from three issues combined: the high privileges Exchange holds in Active Directory by default; NTLM's susceptibility to relay attacks; and Exchange's willingness to authenticate automatically to a host the attacker chooses. Microsoft has thus far not commented specifically on the vulnerability.
[Editor Comments]
[Ullrich] This is a classic case of how different vulnerabilities and misconfigurations, that by themselves do not look all that terribly bad, can be combined to cause significant damage. Do not get fooled into thinking that you are secure because the exploit requires credentials. Any set of credentials from any of your Exchange users (not just admins) will work. This issue could easily be used by an attacker who already has some access to your network to elevate privileges. See also the related writeup in the ISC Storm Center Tech Corner section below: Relaying Exchange's NTLM authentication to domain admin (and more).
[Neely] This can be mitigated by a registry change on your Exchange servers. Per Microsoft's advisory of November 13, 2018 for CVE-2018-8581, remove the DisableLoopbackCheck value from the HKLM\SYSTEM\CurrentControlSet\Control\Lsa registry key.
[Honan] While the media attention is focused mostly on the FaceTime bug, this bug will have bigger impacts on businesses. The ISC Storm Center blog has some suggested mitigations (see below).
Read more in:
The Register: You're an admin! You're an admin! You're all admins, thanks to this Microsoft Exchange zero-day and exploit
https://www.theregister.co.uk/2019/01/25/microsoft_exchange_domain_admin_eop/
SystemTek: Microsoft Exchange Domain Escalation Vulnerability
https://www.systemtek.co.uk/2019/01/microsoft-exchange-domain-escalation-vulnerability/
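Added example for the Exchange item above (written for this page; it is not code from SANS NewsBites, Microsoft, or the ISC writeup): a PowerShell audit-and-remediate script for the registry mitigation the CVE-2018-8581 advisory describes, plus a query that surfaces the "high default Exchange permissions" on the domain object so you can see what a relayed Exchange machine account would be able to do. It assumes an elevated PowerShell session on each Exchange server and, for the ACL check, that the ActiveDirectory RSAT module is installed; neither assumption comes from the page.

```powershell
# Added example, not from SANS NewsBites or Microsoft. Run elevated on each
# Exchange server. Removes the DisableLoopbackCheck value named in the
# CVE-2018-8581 advisory and lists Exchange group rights on the domain root.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableLoopbackCheck'

function Test-LoopbackCheckPresent {
    # $true when DisableLoopbackCheck exists, i.e. the mitigation is NOT applied.
    $props = Get-ItemProperty -Path $LsaKey -ErrorAction Stop
    return [bool]($props.PSObject.Properties.Name -contains $ValueName)
}

function Remove-LoopbackCheckValue {
    if (-not (Test-LoopbackCheckPresent)) {
        Write-Output "$ValueName is not set under $LsaKey; advisory mitigation already in place."
        return
    }
    $current = (Get-ItemProperty -Path $LsaKey -Name $ValueName).$ValueName
    Write-Output "Removing $ValueName (current value: $current) from $LsaKey"
    Remove-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction Stop
}

function Get-ExchangeDomainRights {
    # Assumption (not stated on the page): the ActiveDirectory module is available.
    # Lists Allow ACEs on the domain root held by Exchange security groups; look
    # for rights such as WriteDacl, which are what make the relay worth doing.
    Import-Module ActiveDirectory -ErrorAction Stop
    $domainDN = (Get-ADDomain).DistinguishedName
    $acl = Get-Acl -Path "AD:\$domainDN"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -like '*Exchange*'
        } |
        Select-Object IdentityReference, ActiveDirectoryRights, IsInherited
}

Remove-LoopbackCheckValue
Get-ExchangeDomainRights | Format-Table -AutoSize
```

Two caveats before running this in production. First, if DisableLoopbackCheck was set deliberately (it is commonly added so that a server can reach its own web applications under an alternate host name), removing it will reinstate the loopback check; the supported alternative for that use case is Microsoft's BackConnectionHostNames value, which whitelists specific names instead of disabling the check outright. Second, the ACL listing is only an inventory: it shows the rights the page refers to as "high default Exchange permissions" but does not change them, and any change to those ACEs should follow Microsoft's own guidance rather than this script.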
--Pear PHP Package Manager Compromised
(January 23, 2019)
The PEAR (PHP Extension and Application Repository) webserver is down because the main package manager was replaced with a malicious version. Most of the PEAR website has been disabled until a clean site is rebuilt. Users who installed PEAR PHP within the past six months could have the infected file.
[Editor Comments]
[Neely] The malicious package manager attempts to spawn a reverse shell to 104.131.154.154. An updated version of PEAR v1.10.10 was released to address the issue while the investigation completes. Consider using Composer/Pickle as an alternative package manager.
[Williams] This is yet another example of a serious supply chain attack targeting the distribution and installation chain. This has the potential to impact very large numbers of users and will be very difficult to detect. I posted some thoughts on this supply chain compromise at https://blog.renditioninfosec.com/2019/01/php-pear-backdoor-discovered-2/
Read more in:
Ars Technica: If you installed PEAR PHP in the last 6 months, you may be infected
PearPHP: PEAR server is down
--Georgia Elections Official Asks for Funding for New Voting Machines
(January 23, 2019)
Georgia Secretary of State Brad Raffensperger is seeking US $150 million to replace the state's outdated electronic voting machines. The devices currently in use do not provide a paper trail. Raffensperger said that he believes the best option is a system that uses touchscreens and prints a marked ballot. Experts and voting rights advocates have said that hand-marked paper ballots that are then scanned provide better security. The hand-marked ballot system is also one-third the price of the ballot-printing system. Raffensperger hopes to have new machines operational across the state in time for the 2020 elections.
Read more in:
NYT: Georgia Official Seeks to Replace Criticized Voting Machines
https://www.nytimes.com/aponline/2019/01/23/us/ap-us-voting-machines-georgia.html
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Relaying Exchange's NTLM Authentication to Become Domain Admin
FaceTime Bug Allows Users to Receive Audio Before Call is Accepted
https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/
Cisco RV320/325 Router Vulnerability Exploited
https://github.com/0x27/CiscoRV320Dump
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info
Packet Challenge
https://johannes.homepc.org/packet9.txt
HTTP Signed Exchanges
https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html
BGP Experiments Disrupt Routers
https://mailman.nanog.org/pipermail/nanog/2019-January/098761.html
AZORult Fake (signed) Google Update
https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create