SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #80

October 11, 2019

AIG Says Policies Do Not Cover Criminal Acts, Asks Court to Dismiss Lawsuit; NSA Warns of VPN Vulnerabilities; Mississippi Auditor Finds State Agencies Not Complying with Cybersecurity Law




An important first story this week explaining why buying cyber insurance is a waste of money.  The funds would be far better spent on cyber hygiene.


****************************************************************************

SANS NewsBites                Oct. 11, 2019                Vol. 21, Num. 080

****************************************************************************


TOP OF THE NEWS


  AIG Says Policies Do Not Cover Criminal Acts, Asks Court to Dismiss Lawsuit

  NSA Warns of VPN Vulnerabilities

  Mississippi Auditor Finds State Agencies Not Complying with Cybersecurity Law



REST OF THE WEEK'S NEWS        


  Twitter Admits It Inadvertently Used Info Gathered for 2FA to Send Targeted Ads

  Microsoft Patch Tuesday

  Attackers Exploit Flaw in iTunes and iCloud for Windows to Spread Ransomware

  Attor Malware is Being Used to Spy on Diplomats and Governments

  Man Indicted for Allegedly Impersonating Game Developer and Using AWS Resources for Cryptomining

  Amnesty International Report: Pegasus Spyware Used to Track Moroccan Human Rights Defenders


INTERNET STORM CENTER TECH CORNER


****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS Amsterdam October 2019 | October 28-November 2 | https://www.sans.org/event/amsterdam-october-2019


-- DFIRCON 2019 | Miami, FL | November 4-9 | https://www.sans.org/event/dfircon-miami-2019


-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019


-- SANS Sydney 2019 | November 4-23 | https://www.sans.org/event/sydney-2019


-- SANS London November 2019 | November 11-16 | https://www.sans.org/event/london-november-2019


-- SANS Atlanta Fall 2019 | November 18-23 | https://www.sans.org/event/atlanta-fall-2019


-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019


-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


-- SANS OnDemand and vLive Training

Get a 7th gen 10.2" iPad, Samsung Galaxy Tab A, or Take $250 off through October 16 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


******************* Sponsored By Aqua Security Inc.  **********************


Pivotal Platform - Getting Started with Native Runtime Protection for PAS. Users of the Pivotal Application Service (PAS) are in need of a full lifecycle security solution for PAS workloads. This webcast will present a comprehensive solution for protecting PAS applications. Tuesday, October 15th at 1 PM ET: http://www.sans.org/info/214455


****************************************************************************

TOP OF THE NEWS   

 

--AIG Says Policies Do Not Cover Criminal Acts, Asks Court to Dismiss Lawsuit

(October 8, 2019)

AIG is asking a US federal court in New York to dismiss a lawsuit brought by a technology company seeking reimbursement for losses under an AIG cyber insurance policy. The company, SS&C Technologies, lost nearly $6 million when employees were tricked into making fraudulent funds transfers. AIG maintains that its cyber insurance policies do not cover criminal acts.


[Editor Comments]


[Pescatore] I'm pretty sure that cyber insurance policies are mostly benefitting lawyers, vs. actually reducing the financial exposure of any company that is breached. In this case the policy language pretty clearly says "AIG will defend you in lawsuits but not pay for any costs of a criminal attack." If you don't pay for flood insurance, your homeowners' policy doesn't pay off in a flood - someone has to actually read the contractual terms of these policies. Many are so narrowly worded that it is very rare that any payoff ever exceeds the cost of the premiums plus deductibles - self-insuring would be less expensive - especially if "self-insuring" meant spending to reach basic security hygiene levels.


[Paller] The reason cyber insurance doesn't pay in most cases and is written, as John Pescatore points out, to avoid paying, is that cyber insurance policies cannot be sold to reinsurers. Without reinsurance there is no substantial insurance market. Reinsurers won't buy useful cyber policies. Why? Because, as opposed to fire insurance where a fire in one city would not accompany a fire in another city, cyber attacks can hit ALL policy holders at once. That simultaneous risk across all policy holders makes cyber reinsurance a non-starter.


Read more in:

Cyberscoop: AIG says its cyber insurance plans don't cover criminal acts; wants lawsuit tossed

https://www.cyberscoop.com/aig-cyber-insurance-lawsuit-bec/

 

--NSA Warns of VPN Vulnerabilities

(October 2, 7, & 10, 2019)

The US National Security Agency (NSA) has issued a Cybersecurity Advisory urging admins to patch a group of vulnerabilities that affect virtual private networks (VPNs). The flaws have recently been exploited by "multiple nation state Advanced Persistent Threat actors" in targeted attacks. The UK's National Cyber Security Centre has also issued an alert about the vulnerabilities. The flaws have been known for several months; the CERT Coordination Center at Carnegie Mellon University issued a vulnerability note in April.


[Editor Comments]


[Neely] If you suspect compromise, beyond updating to the latest versions of the VPN software, update credentials if you're using static passwords. Even better, move to mutual certificate-based authentication or multi-factor authentication. Consider moving away from proprietary SSLVPN/TLSVPN implementations or moving to TLS 1.2 or better for connections. Read the NSA advisory for additional VPN security controls.


Read more in:

The Register: American intelligence follows British lead in warning of serious VPN vulnerabilities

https://www.theregister.co.uk/2019/10/10/nsa_ncsc_vpn_warnings/

Defense: Mitigating Recent VPN Vulnerabilities

https://media.defense.gov/2019/Oct/07/2002191601/-1/-1/0/CSA-MITIGATING-RECENT-VPN-VULNERABILITIES.PDF

NCSC: Vulnerabilities exploited in VPN products used worldwide

https://www.ncsc.gov.uk/news/alert-vpn-vulnerabilities

CERT: VPN applications insecurely store session cookies (April 2019)

https://www.kb.cert.org/vuls/id/192371/

 
 

--Mississippi Auditor Finds State Agencies Not Complying with Cybersecurity Law

(October 9 & 10, 2019)

A report from the Mississippi State Auditor found "that Mississippi government institutions are not in compliance with the Mississippi Enterprise Security Program and industry standard cyber security practices." More than 40 percent of the 125 state organizations that connect to the state's computer network did not respond to the survey. Of those that did respond, 38 percent say they do not encrypt sensitive data, and 11 percent said that they have not established security policies or a disaster recovery plan.  


[Editor Comments]


[Pescatore] The percentages that don't encrypt or don't have policies or are less than 75% compliant aren't really all that far from averages across the states. However, the fact that 54 agencies did not even reply to the audit data call is like looking at a car you want to buy and you find out that black tape has been put over the "Check Engine" light - a deal breaker. The Governor's office and the Mississippi Secretary of State (responsible for elections in MS) should be disconnecting those 54 agencies until real risk assessments are completed.


[Neely] Resources are needed to aid the state agencies in deploying mechanisms to achieve required cyber hygiene. The inconsistent or missing responses demonstrate that continuous monitoring, rather than reliance on survey responses, is essential.


Read more in:

OSA.MS.GOV: Mississippi Government Offices Potentially Putting Taxpayer Data and Privacy At Risk

http://www.osa.ms.gov/documents/Special_Reports/2019%20Cyber%20Security%20Report.pdf

GovTech: Mississippi Audit: Agencies Not Complying with Cybersecurity Law

https://www.govtech.com/security/Mississippi-Audit-Agencies-Not-Complying-with-Cybersecurity-Law.html

Statescoop: Mississippi audit finds 'disregard' for cybersecurity across state

https://statescoop.com/mississippi-audit-finds-disregard-for-cybersecurity-across-state/


****************************  SPONSORED LINKS  ******************************


1) Are you in the Denver area? Attend the SANS Cloud Security Solutions Forum on October 18: http://www.sans.org/info/214460


2) Webcast: How to Inject Security Into Your Software Development Life Cycle. October 15th at 10:30 AM ET: http://www.sans.org/info/214465


3) Take the SANS 2020 Cyber Threat Intelligence Survey and enter to win a $400 Amazon gift card. http://www.sans.org/info/214470


*****************************************************************************

REST OF THE WEEK'S NEWS    

 

--Twitter Admits It Inadvertently Used Info Gathered for 2FA to Send Targeted Ads

(October 8 & 9, 2019)

Twitter has admitted that it "inadvertently" used email addresses and phone numbers collected for two-factor authentication (2FA) to send targeted advertisements to users. Twitter claims that the data were unintentionally matched with targeted advertising lists. Twitter users are required to provide a valid phone number if they want to use 2FA, even if they do not use the phone number for that purpose.


[Editor Comments]


[Pescatore] This is one that should be investigated by the FTC and others for large financial fines, if not criminal action. Failure to protect user authentication information is bad; failure to do so when that data is part of "strong authentication" and selling that data has to be just flat out illegal. If I "inadvertently" steal a car and sell it, I should go to jail.


Read more in:

Wired: Never Trust a Platform to Put Privacy Ahead of Profit

https://www.wired.com/story/twitter-two-factor-advertising/

The Register: Twitter: No, really, we're very sorry we sold your security info for a boatload of cash

https://www.theregister.co.uk/2019/10/09/twitter_data_leak/

Ars Technica: Twitter transgression proves why its flawed 2FA system is such a privacy trap

https://arstechnica.com/information-technology/2019/10/twitter-used-phone-numbers-provided-for-2fa-to-match-users-to-advertisers/

Threatpost: Twitter Uses Phone Numbers, Emails to Sell Ads

https://threatpost.com/twitter-uses-phone-numbers-emails-to-sell-ads/149014/

 
 

--Microsoft Patch Tuesday

(October 8 & 9, 2019)

Microsoft has issued fixes for nearly 60 security issues in Windows and related software as part of its regular patch Tuesday release. Eight of the issues addressed in the updates are rated critical.  


Read more in:

Bleeping Computer: Microsoft's October 2019 Patch Tuesday Fixes 59 Vulnerabilities

https://www.bleepingcomputer.com/news/microsoft/microsofts-october-2019-patch-tuesday-fixes-59-vulnerabilities/

SC Magazine: Microsoft repairs 59 software bugs on a 'quiet' Patch Tuesday

https://www.scmagazine.com/home/security-news/vulnerabilities/microsoft-repairs-59-software-bugs-on-a-quiet-patch-tuesday/

KrebsOnSecurity: Patch Tuesday Lowdown, October 2019 Edition

https://krebsonsecurity.com/2019/10/patch-tuesday-lowdown-october-2019-edition/

MSRC: Security Update Summary

https://portal.msrc.microsoft.com/en-us/security-guidance/summary


 

--Attackers Exploit Flaw in iTunes and iCloud for Windows to Spread Ransomware

(October 10, 2019)

Attackers are exploiting a zero-day vulnerability in iTunes and iCloud for Windows to spread BitPaymer ransomware. Apple released a fix for the issue earlier this week. The issue is an "unquoted service path" that affects the Bonjour component of iTunes and iCloud for Windows. The flaw is fixed in iTunes 12.10.1 for Windows and in iCloud for Windows 7.14.
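As an added example (not from the newsletter, Apple, or any of the cited reports), the PowerShell below audits a Windows host for the defect class named above: services whose image path is unquoted and contains a space, which Windows may resolve ambiguously. The sample paths in the check are constructed for illustration and are not the actual Bonjour path.

```powershell
# Added example: read-only audit for unquoted service image paths.
# Assumes it is run on the host being audited with rights to query services.

function Test-UnquotedServicePath {
    # Returns $true when an ImagePath is unquoted and the executable portion
    # contains whitespace (the "unquoted service path" pattern).
    param([Parameter(Mandatory)][string]$PathName)
    $path = $PathName.Trim()
    if ($path.StartsWith('"')) { return $false }      # quoted: safe
    # Keep only the executable part; arguments after ".exe" are irrelevant.
    $exeIdx = $path.IndexOf('.exe', [System.StringComparison]::OrdinalIgnoreCase)
    $exe = if ($exeIdx -ge 0) { $path.Substring(0, $exeIdx + 4) } else { $path }
    return [bool]($exe -match '\s')
}

function Get-UnquotedServicePath {
    # Enumerates installed services and reports the ones that fail the test,
    # with the account they run as, since that determines the impact.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and (Test-UnquotedServicePath $_.PathName) } |
        ForEach-Object {
            [PSCustomObject]@{
                Name      = $_.Name
                StartName = $_.StartName
                State     = $_.State
                ImagePath = $_.PathName
            }
        }
}

# Constructed sample paths (hypothetical, for illustration only):
#   flagged     -> C:\Program Files\Vendor Tool\svc.exe
#   not flagged -> "C:\Program Files\Vendor Tool\svc.exe"
#   not flagged -> C:\Windows\system32\svchost.exe -k netsvcs
$samples = @(
    'C:\Program Files\Vendor Tool\svc.exe',
    '"C:\Program Files\Vendor Tool\svc.exe"',
    'C:\Windows\system32\svchost.exe -k netsvcs'
)
foreach ($s in $samples) {
    "{0,-8} {1}" -f (Test-UnquotedServicePath $s), $s
}

# Live audit of this host.
# Remediation for a flagged service is to wrap its binPath in quotes
# (sc.exe config <Name> binPath= "...") or apply the vendor's update.
Get-UnquotedServicePath | Format-Table -AutoSize
```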


[Editor Comments]


[Neely] While you can either update to the new iTunes and iCloud for Windows applications or uninstall the Bonjour component, the update is automated while removing the component is manual.


Read more in:

Threatpost: Apple iTunes Bug Actively Exploited in BitPaymer/iEncrypt Campaign

https://threatpost.com/apple-itunes-bug-bitpaymer-iencrypt/149075/

ZDNet: Ransomware gang uses iTunes zero-day

https://www.zdnet.com/article/ransomware-gang-uses-itunes-zero-day/

Bleeping Computer: Apple Software Update Zero-Day Used by BitPaymer Ransomware

https://www.bleepingcomputer.com/news/security/apple-software-update-zero-day-used-by-bitpaymer-ransomware/

SC Magazine: BitPaymer ransomware attackers exploit Apple flaw to bypass detection

https://www.scmagazine.com/home/security-news/ransomware/bitpaymer-ransomware-attackers-exploit-apple-flaw-to-bypass-detection/

Ars Technica: Attackers exploit an iTunes zeroday to install ransomware

https://arstechnica.com/information-technology/2019/10/attackers-exploit-an-itunes-zeroday-to-install-ransomware/

Dark Reading: iTunes Zero-Day Exploited to Deliver BitPaymer

https://www.darkreading.com/endpoint/itunes-zero-day-exploited-to-deliver-bitpaymer/d/d-id/1336065

 
 

--Attor Malware is Being Used to Spy on Diplomats and Governments

(October 10, 2019)

Espionage malware called Attor is being actively used in attacks on diplomats and government officials in Eastern Europe. Attor was discovered last year, but has been in use since 2013. The malware appears to target Russian-speaking users.


[Editor Comments]


[Neely] Attor is very modular, leverages TOR as well as the old AT commands for GSM modem fingerprinting. It injects itself in specific Russian social media related processes, and the DLLs are encrypted at rest.


Read more in:

Info Security Magazine: Researchers Discover Spy Platform with GSM Fingerprinting

https://www.infosecurity-magazine.com/news/researchers-discover-spy-platform/

Bleeping Computer: New Malware Spies on Diplomats, High-Profile Government Targets

https://www.bleepingcomputer.com/news/security/new-malware-spies-on-diplomats-high-profile-government-targets/

ZDNet: New espionage malware found targeting Russian-speaking users in Eastern Europe

https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/

Threatpost: Sophisticated Spy Kit Targets Russians with Rare GSM Plugin

https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/

 
 

--Man Indicted for Allegedly Impersonating Game Developer and Using AWS Resources for Cryptomining

(October 10, 2019)

A man from Singapore has been indicted in US federal court in Seattle for allegedly assuming the identity of a prominent US developer and opening multiple AWS accounts. He then allegedly used the processing power associated with those accounts to mine cryptocurrency. Ho Jun Jia, also known as Matthew Ho, faces charges of wire fraud, access device fraud, and aggravated identity theft.


Read more in:

Threatpost: Cryptomining Crook Steals Game Developer's Identity to Carry Out Dirty Work

https://threatpost.com/cryptomining-crook-steals-game-developers-identity/149099/

ZDNet: Man charged for running crypto mining scam under the guise of game development

https://www.zdnet.com/article/man-charged-for-running-crypto-mining-scam-under-the-guise-of-game-development/

Justice: Indictment (PDF)

https://www.justice.gov/usao-wdwa/press-release/file/1207986/download

Justice: Citizen of Singapore indicted in scheme to steal cloud computing power for cryptocurrency mining

https://www.justice.gov/usao-wdwa/pr/citizen-singapore-indicted-scheme-steal-cloud-computing-power-cryptocurrency-mining

 
 

--Amnesty International Report: Pegasus Spyware Used to Track Moroccan Human Rights Defenders

(October 10, 2019)

A report from Amnesty International details "targeted digital attacks against two prominent Moroccan Human Rights Defenders (HRDs) using NSO Group's Pegasus spyware." The individuals' devices were targeted through maliciously crafted SMS messages and through network injection attacks. The Pegasus malware used in the attacks is a product from NSO Group.


Read more in:

Amnesty: Morocco: Human Rights Defenders Targeted with NSO Group's Spyware

https://www.amnesty.org/en/latest/research/2019/10/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware/

Cyberscoop: NSO Group's Pegasus spyware detected in attacks against Moroccan journalist, activist

https://www.cyberscoop.com/morocco-spyware-nso-group-pegasus/

Vice: Human Rights Activist Allegedly Targeted With NSO Malware Says His Life Is 'Hellish'

https://www.vice.com/en_us/article/mbm5dp/human-rights-activist-allegedly-targeted-with-nso-malware-says-his-life-is-hellish

Reuters: Spies hacked Moroccan activists amid crackdown on protests: researchers

https://www.reuters.com/article/us-morocco-cyber-spy/spies-hacked-moroccan-activists-amid-crackdown-on-protests-researchers-idUSKBN1WP001

 
 

******************************************************************************

INTERNET STORM CENTER TECH CORNER

 

Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+October+2019+Patch+Tuesday/25396/


Mining Live Networks for OUI Data Oddness

https://isc.sans.edu/forums/diary/Mining+Live+Networks+for+OUI+Data+Oddness/25404/


What Data Does Vidar Malware Steal

https://isc.sans.edu/forums/diary/What+data+does+Vidar+malware+steal+from+an+infected+host/25398/


Android Update

https://source.android.com/security/bulletin/2019-10-01


vBulletin Update

https://forum.vbulletin.com/forum/vbulletin-announcements/vbulletin-announcements_aa/4423646-vbulletin-5-5-x-5-5-2-5-5-3-and-5-5-4-security-patch-level-2


NTLM MIC Bypass

https://www.preempt.com/blog/drop-the-mic-2-active-directory-open-to-more-ntlm-attacks/


Threats on Google Play

https://news.drweb.com/show/review/?i=13446#google


iTerm2 Vulnerability

https://groups.google.com/forum/#!topic/iterm2-discuss/57k_AuLdQa4


Apple Updater Exploited in Bitpaymer Campaign

https://blog.morphisec.com/apple-zero-day-exploited-in-bitpaymer-campaign


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create