SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #82
October 18, 2019
Baltimore, Ransomware and Cyber Insurance; Reuters: US Cyberattack Against Iran; 2018 Olympics Cyberattack
****************************************************************************
SANS NewsBites Oct. 18, 2019 Vol. 21, Num. 082
****************************************************************************
TOP OF THE NEWS
Baltimore Will Purchase Cyber Insurance (Is It Worth The Money?)
Reuters: US Launched Secret Cyberattack Against Iran
2018 Olympics Cyberattack Book Excerpt
REST OF THE WEEK'S NEWS
Cozy Bear Hackers Targeting European Ministries
Amazon's Echo and Kindle Vulnerable to KRACK
New Kubernetes Builds Address Two Vulnerabilities
Cryptomining Detected on System at European Airport
Malware Hidden in .WAV Files
Adobe Updates for Acrobat, Reader, and Experience Manager
Symantec Issues Update to Fix Fatal Windows Error Problem
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019
-- SANS Amsterdam October 2019 | October 28-November 2 | https://www.sans.org/event/amsterdam-october-2019
-- DFIRCON 2019 | Miami, FL | November 4-9 | https://www.sans.org/event/dfircon-miami-2019
-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019
-- SANS Sydney 2019 | November 4-23 | https://www.sans.org/event/sydney-2019
-- SANS London November 2019 | November 11-16 | https://www.sans.org/event/london-november-2019
-- SANS Atlanta Fall 2019 | November 18-23 | https://www.sans.org/event/atlanta-fall-2019
-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS OnDemand and vLive Training
Get an iPad Mini, an ASUS Chromebook Flip, or Take $250 Off through October 30 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
******************* Sponsored By VIAVI Solutions ***********************
Converged Threat and Performance Management - Listen to Your Network! In this webcast, VIAVI Solutions' Ward Cobleigh and SANS John Pescatore will discuss potential data sources that you've already invested in and deployed that contain untapped veins of information that will help you find and resolve threats and performance problems. Register for this webcast: http://www.sans.org/info/214515
****************************************************************************
TOP OF THE NEWS
--Baltimore Will Purchase Cyber Insurance
(October 16, 2019)
The city of Baltimore, Maryland plans to buy $20 million in cyber insurance after its network was disabled by ransomware in May. At the time, the city chose not to pay the ransom, and to date the recovery costs and lost revenue are estimated at $18 million. The city plans to purchase two policies from two different companies. The coverage includes cyber incident response, business interruption loss, network extortion, and digital data recovery. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Pescatore] The GovTech story provides more detail on the coverage areas, but none of the pieces lists the terms and exclusions - important for the Baltimore lawyers *and* security team to review those. Let's take a look at the math: The Baltimore City 2019 budget shows $22M of direct spending by the IT department. I couldn't find any data on the cybersecurity budget, but 5-6% of the IT spend is on the high end for local agencies - let's use 6%. That means that in 2019 Baltimore would have spent something like $1.2M on cybersecurity as part of central IT services. They will now spend $835,000 per year on $18M of insurance (after deductibles), and *still* have to fund upgrades to mitigate the lapses in basic security hygiene that enabled the ransomware outages. Two common exclusions in cyber insurance policies are: "failure to assure that the computer system was reasonably protected" and "a pre-existing condition that a reasonably knowledgeable person would have been aware of." If Baltimore had spent the $835K on insurance *before* the ransomware attack, and those common clauses were in the policy, the claims would likely have been disputed by the company and perhaps never paid. We will never know what would have happened if they had proactively spent a similar amount on doing the upgrades that had been recommended to reach basic security hygiene levels.
[Paller] Cyber insurance is a very poor substitute for effective cyber hygiene, especially with exclusion clauses that make many (most) policies worth less than the paper they are written on.
[Neely] Purchasing Cyber Insurance needs to be a core decision point in your DR preparation, including diversity of providers. Baltimore as well as other cities hit by ransomware, as well as their recovery experiences, provide current information as case studies for deciding which impacts to consider as well as how much insurance to obtain.
Read more in:
SC Magazine: Baltimore belatedly buys cyberinsurance
https://www.scmagazine.com/home/security-news/data-breach/baltimore-belatedly-buys-cyberinsurance/
GovTech: Baltimore Authorizes Purchase of $20M Cyberinsurance Policy
https://www.govtech.com/security/Baltimore-Authorizes-Purchase-of-20M-Cyberinsurance-Policy.html
WSJ: Baltimore to Buy $20 Million in Insurance in Case of Another Cyber Attack (paywall)
--Reuters: US Launched Secret Cyberattack Against Iran
(October 15 & 16, 2019)
Two US officials told Reuters that the US conducted a cyberattack against Iran following the September 14 attacks on Saudi oil facilities. The unnamed officials said that the attack targeted physical hardware as part of an effort to limit Iran's ability to spread propaganda. Iran's Minister of Communications and Information Technology denies that any such attack occurred.
Read more in:
Reuters: Exclusive: U.S. carried out secret cyber strike on Iran in wake of Saudi oil attack: officials
Ars Technica: US claims cyber strike on Iran after attack on Saudi oil facility
CNET: US launched cyberattack against Iran after Saudi oil strike, says report
https://www.cnet.com/news/us-launched-cyberattack-against-iran-after-saudi-oil-strike-says-report/
Infosecurity Magazine: US Ordered Secret Cyber-Strike on Iran: Report
https://www.infosecurity-magazine.com/news/us-ordered-secret-cyberstrike-on/
--2018 Olympics Cyberattack Book Excerpt
(October 17, 2019)
An excerpt from Andy Greenberg's forthcoming book, Sandworm, describes the cyberattack that hit the network at the 2018 Winter Olympic Games in Pyeongchang, South Korea just as the opening ceremony started. What at first appeared to be bugs that a tech partner hadn't yet worked out was found to be an early manifestation of the attack, which prevented tickets from being printed and brought down RFID security gates and WiFi.
Read more in:
Wired: The Untold Story of the 2018 Olympics Cyberattack, the Most Deceptive Hack in History
https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/
**************************** SPONSORED LINKS ******************************
What steps is your organization taking to manage the risks associated with workforce transformation? Take this survey: http://www.sans.org/info/214520
Register for the 2019 Dark Web Solutions Forum in Boston on November 15th. Free with discount code DarkWeb2019. http://www.sans.org/info/214525
Webcast November 7th at 1 PM ET: Increase your visibility into network traffic with ExtraHop Reveal(X). http://www.sans.org/info/214530
*****************************************************************************
REST OF THE WEEK'S NEWS
--Cozy Bear Hackers Targeting European Ministries
(October 17, 2019)
Researchers from ESET say that the Cozy Bear hacking group has been quietly targeting European government agencies for the past several years. Cozy Bear, also known as APT29 and the Dukes, is believed to have Russian ties and was one of the hacking groups involved in breaching the US Democratic National Committee (DNC) prior to the 2016 US presidential election. ESET says that Cozy Bear's activity in Europe dates back to before 2016.
[Editor Comments]
[Neely] In addition to Operation Ghost, Cozy Bear appears to be installing the CobaltStrike BEACON backdoor through spear phishing baited with a legitimate US Department of State document. They leverage Twitter, Imgur and Reddit for C&C communications; for example, an algorithmically generated Twitter handle is used to download encrypted URLs.
Read more in:
WeLiveSecurity: Operation Ghost: The Dukes aren't back - they never left
https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/
Wired: Stealthy Russian Hacker Group Resurfaces With Clever New Tricks
https://www.wired.com/story/cozy-bear-dukes-russian-hackers-new-tricks/
ZDNet: Cybersecurity warning: This sophisticated Russian hacking group is back in action again
Dark Reading: Cozy Bear Emerges from Hibernation to Hack EU Ministries
Bleeping Computer: Cozy Bear Russian Hackers Spotted After Staying Undetected for Years
--Amazon's Echo and Kindle Vulnerable to KRACK
(October 17, 2019)
Older versions of Amazon's Echo and Kindle e-reader were both found to have WPA/WPA2 protocol vulnerabilities that could be exploited by Key Reinstallation Attacks (KRACK). Amazon was informed of the issue in October 2018, and in early January 2019 the company released firmware updates for both Echo and Kindle to fix the flaws.
[Editor Comments]
[Neely] While the attack requires close proximity and some effort, having the patch is still a really good idea. Make sure the updates are applied, particularly to Kindle devices where the update process is more manual.
[Murray] These vulnerabilities are low risk. While there are lots of these devices, the vulnerabilities were limited to the earliest versions. Their presence in enterprise networks is sparse. The attacks are expensive, limited to the range of WiFi, and do not scale.
Read more in:
SC Magazine: Unpatched Amazon Echo and Kindle devices prone to KRACK attacks
Bleeping Computer: Millions of Amazon Echo and Kindle Devices Affected by WiFi Bug
--New Kubernetes Builds Address Two Vulnerabilities
(October 16 & 17, 2019)
New Kubernetes builds have been released to address a pair of vulnerabilities. Users are urged to upgrade to Kubernetes 1.14.8, 1.15.5, or 1.16.2. The first vulnerability (CVE-2019-16276) lies in the way the Go net/http library normalized invalid HTTP headers; when a proxy in front of the API server forwards such headers unfiltered, the flaw can be exploited to bypass authentication controls. The second (CVE-2019-11253) is a denial-of-service vulnerability in the API server's JSON/YAML parsing.
[Editor Comments]
[Neely] While the base flaws are in how Go parses the HTTP headers, and the YAML parsing library, Kubernetes released fixes to their build rather than waiting for a change to the language or parser. Beyond updating Kubernetes, review user privileges and use of guest/anonymous users to ensure they are needed. CVE-2019-16276 allows exploitation of a parsing deficiency for user impersonation, while CVE-2019-11253 allows for the YAML bomb attack which chews up resources.
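To make the header-parsing differential behind CVE-2019-16276 concrete, the following Python script (an added example written for this issue, not code from Kubernetes, Go, or any of the linked reports) models three parties: a client sending a raw HTTP/1.1 request, a front proxy that strips impersonation headers by exact match on the field-name and forwards everything else byte-for-byte, and a backend whose header parser runs in one of two modes. The lenient mode imitates what the Go issue describes for net/textproto before the fix: whitespace between the field-name and the colon is silently stripped and the header is accepted. The strict mode enforces the RFC 7230 token rule that Go 1.12.10 and 1.13.1 adopted. The request bytes, the proxy's deny-list, the trusted identity "front-proxy", and the reduction of impersonation headers to three names are all constructed for the demonstration.

```python
"""Parser differential behind CVE-2019-16276 (constructed model, not Go code)."""
import re
from typing import Dict, List, Optional, Tuple

# RFC 7230 field-name: one or more tchar, no whitespace allowed anywhere.
TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")

# Impersonation headers the front proxy must not let untrusted clients supply.
# Simplified for the example; the real API server also honours Impersonate-Extra-*.
IMPERSONATION_HEADERS = {"impersonate-user", "impersonate-group", "impersonate-uid"}


class BadHeader(ValueError):
    """Raised when a header block violates RFC 7230."""


def parse_headers(raw: bytes, lenient: bool) -> Dict[str, List[str]]:
    """Parse the header block of a raw HTTP/1.1 request into lower-cased keys.

    lenient=True imitates Go net/textproto before the fix: whitespace between the
    field-name and the colon is stripped and the header is accepted.
    lenient=False is the RFC 7230 behaviour adopted in the fix: the field-name
    must be a pure token, so "Impersonate-User : x" is rejected outright.
    """
    headers: Dict[str, List[str]] = {}
    lines = raw.split(b"\r\n")
    for line in lines[1:]:  # lines[0] is the request line
        if line == b"":
            break  # blank line ends the header block
        name, sep, value = line.partition(b":")
        if not sep:
            raise BadHeader(f"no colon in {line!r}")
        if lenient:
            name = name.rstrip(b" \t")  # the pre-fix normalisation
        if not TCHAR.match(name.decode("latin-1")):
            raise BadHeader(f"invalid field-name {name!r}")
        key = name.decode("ascii").lower()
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def proxy_filter(raw: bytes) -> bytes:
    """Model of a front proxy that drops client-supplied impersonation headers.

    It compares the raw field-name (everything before the colon) against the
    deny-list and forwards the remaining bytes untouched. Because it does not
    normalise the name, "Impersonate-User : admin" is not recognised and survives.
    """
    lines = raw.split(b"\r\n")
    kept = [lines[0]]
    for line in lines[1:]:
        name = line.partition(b":")[0].decode("latin-1").lower()
        if name in IMPERSONATION_HEADERS:
            continue
        kept.append(line)
    return b"\r\n".join(kept)


def effective_user(headers: Dict[str, List[str]], authenticated: str) -> str:
    """API server side: the proxy identity is trusted to impersonate, so an
    Impersonate-User header, if the parser produced one, switches the user."""
    users = headers.get("impersonate-user")
    return users[0] if users else authenticated


def request_as_seen_by_backend(raw: bytes, lenient: bool) -> Tuple[Optional[str], Optional[str]]:
    """Run a client request through proxy then backend; return (user, error)."""
    forwarded = proxy_filter(raw)
    try:
        headers = parse_headers(forwarded, lenient)
    except BadHeader as exc:
        return None, str(exc)
    return effective_user(headers, "front-proxy"), None


# Constructed requests: the proxy authenticates to the API server as "front-proxy".
SMUGGLED = (b"GET /api/v1/namespaces/kube-system/secrets HTTP/1.1\r\n"
            b"Host: apiserver.example.internal\r\n"
            b"Impersonate-User : system:admin\r\n"
            b"\r\n")
PLAIN = SMUGGLED.replace(b"Impersonate-User :", b"Impersonate-User:")

if __name__ == "__main__":
    for label, req in (("plain", PLAIN), ("smuggled", SMUGGLED)):
        for lenient in (True, False):
            mode = "lenient" if lenient else "strict"
            print(f"{label:9s} {mode:8s}", request_as_seen_by_backend(req, lenient))
```

Run stand-alone, the plainly spelled header is removed by the proxy in both modes and the backend sees "front-proxy"; the smuggled spelling passes the proxy and becomes "system:admin" under the lenient parser, while the strict parser refuses the request. That differential is why the Kubernetes rebuilds matter even where a proxy in front of the API server already filters impersonation headers: the filter and the parser must agree on what a header name is.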
Read more in:
Threatpost: Dangerous Kubernetes Bugs Allow Authentication Bypass, DoS
https://threatpost.com/kubernetes-bugs-authentication-bypass-dos/149265/
Duo: HTTP Request Smuggling Bug in Go Affects Kubernetes
https://duo.com/decipher/http-request-smuggling-bug-in-go-affects-kubernetes
Palo Alto Networks blog: Analysis of Two Newly Patched Kubernetes Vulnerabilities
https://blog.paloaltonetworks.com/2019/10/cloud-kubernetes-vulnerabilities/
GitHub: kubernetes/CHANGELOG.md
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG.md
GitHub: CVE-2019-11253: Kubernetes API Server JSON/YAML parsing vulnerable to resource exhaustion attack
https://github.com/kubernetes/kubernetes/issues/83253
GitHub: net/http: invalid headers are normalized, allowing request smuggling
https://github.com/golang/go/issues/34540
--Cryptomining Detected on System at European Airport
(October 16 & 17, 2019)
Cryptomining malware has been found on the network of an unnamed major European international airport. More than half of the airport's workstations were infected. The Cyberbit researchers who found the malware say that most standard anti-virus products would not have detected it.
Read more in:
Bleeping Computer: European Airport Systems Infected With Monero-Mining Malware
ZDNet: Cyberbit discovers international airport riddled with Bitcoin-mining malware
Cyberbit: Cryptocurrency Miners Now Using Evasive Tactics to Exploit Airport Resources
https://www.cyberbit.com/blog/endpoint-security/cryptocurrency-miners-exploit-airport-resources/
--Malware Hidden in .WAV Files
(October 16, 2019)
Researchers have detected a campaign in which attackers are using steganography to hide malware in .WAV files. The malware being spread includes backdoors and cryptominers.
[Editor Comments]
[Pescatore] According to CBS, in 2018 the majority of US residents said they *never* listened to podcasts, while in 2019 2/3 said they *do* occasionally listen to them and 23% do so more than once per week! Those podcast audio files are easy targets for this type of malware.
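The following Python script is an added example for this issue; it is not the loader analysed by Cylance, and the simple length-prefix layout, the sawtooth carrier and the stand-in payload are all constructed here. It shows the least-significant-bit technique the campaign is reported to use: a payload is written into the LSB of consecutive 16-bit PCM samples, so the file stays a valid, playable WAV whose samples differ from the original by at most one quantisation step, which is why a format check on the container finds nothing wrong. It also includes a triage check for this particular layout that looks for a plausible length prefix followed by an MZ header in the LSB stream. Real loaders use their own layouts, so the check illustrates what content inspection of the audio data looks like rather than serving as a general detector.

```python
"""LSB steganography in a 16-bit PCM WAV carrier (constructed example)."""
import io
import struct
import wave

HEADER_BITS = 32  # 32-bit big-endian payload length stored ahead of the payload

# Constructed stand-in for a packed PE loader: MZ header plus filler text.
PAYLOAD = b"MZ\x90\x00" + b"constructed stand-in for the second-stage loader"


def _write(samples, nchannels: int, sampwidth: int, framerate: int) -> bytes:
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(nchannels)
        w.setsampwidth(sampwidth)
        w.setframerate(framerate)
        w.writeframes(struct.pack(f"<{len(samples)}h", *samples))
    return buf.getvalue()


def _read(wav_bytes: bytes):
    """Return (samples, nchannels, framerate) for a 16-bit PCM WAV."""
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getsampwidth() != 2:
            raise ValueError("only 16-bit PCM carriers are handled")
        frames = w.readframes(w.getnframes())
        nchannels, framerate = w.getnchannels(), w.getframerate()
    samples = list(struct.unpack(f"<{len(frames) // 2}h", frames))
    return samples, nchannels, framerate


def make_carrier(seconds: float = 0.5, rate: int = 8000) -> bytes:
    """Build a mono 16-bit WAV with a deterministic sawtooth waveform.

    A sawtooth is used instead of a sine so the clean file's LSB pattern is
    known (it alternates 0,1,0,1,...), which keeps the example reproducible.
    """
    n = int(seconds * rate)
    samples = [(37 * i) % 20000 - 10000 for i in range(n)]
    return _write(samples, nchannels=1, sampwidth=2, framerate=rate)


def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def _bytes(bits) -> bytes:
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


def embed(carrier: bytes, payload: bytes) -> bytes:
    """Write len(payload) and then payload into the LSB of consecutive samples."""
    samples, nchannels, framerate = _read(carrier)
    stream = struct.pack(">I", len(payload)) + payload
    if len(stream) * 8 > len(samples):
        raise ValueError("payload too large for this carrier")
    for i, bit in enumerate(_bits(stream)):
        samples[i] = (samples[i] & ~1) | bit  # touch only the lowest bit
    return _write(samples, nchannels, 2, framerate)


def extract(stego: bytes) -> bytes:
    """Recover the payload written by embed()."""
    samples, _, _ = _read(stego)
    lsbs = [s & 1 for s in samples]
    (length,) = struct.unpack(">I", _bytes(lsbs[:HEADER_BITS]))
    end = HEADER_BITS + 8 * length
    if end > len(lsbs):
        raise ValueError("length prefix points past the end of the carrier")
    return _bytes(lsbs[HEADER_BITS:end])


def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change between two WAVs; 1 means LSB-only edits."""
    sa, _, _ = _read(a)
    sb, _, _ = _read(b)
    return max(abs(x - y) for x, y in zip(sa, sb))


def lsb_carries_pe(wav_bytes: bytes) -> bool:
    """Triage check for this layout: plausible length prefix followed by 'MZ'.

    Only catches payloads stored the way embed() stores them; real loaders use
    their own layouts, so a False means 'not this layout', not 'clean'.
    """
    samples, _, _ = _read(wav_bytes)
    if len(samples) < HEADER_BITS + 16:
        return False
    lsbs = [s & 1 for s in samples[:HEADER_BITS + 16]]
    (length,) = struct.unpack(">I", _bytes(lsbs[:HEADER_BITS]))
    fits = 0 < 8 * length <= len(samples) - HEADER_BITS
    return fits and _bytes(lsbs[HEADER_BITS:]) == b"MZ"


if __name__ == "__main__":
    clean = make_carrier()
    stego = embed(clean, PAYLOAD)
    print("payload recovered:", extract(stego) == PAYLOAD)
    print("max sample delta :", max_sample_delta(clean, stego))
    print("clean flagged    :", lsb_carries_pe(clean))
    print("stego flagged    :", lsb_carries_pe(stego))
```

The stego file is the same size as the clean one and parses as ordinary audio, so anything that only validates the RIFF/WAV structure or matches on known file hashes passes it. Detection has to reason about the sample data itself, and even then a fixed layout like the one checked here is trivially changed by the attacker.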
Read more in:
Threatpost: .WAVs Hide Malware in Their Depths in Innovative Campaign
https://threatpost.com/wavs-hide-malware/149240/
Bleeping Computer: Attackers Hide Backdoors and Cryptominers in WAV Audio Files
threatvector.cylance: Malicious Payloads - Hiding Beneath the WAV
https://threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html
--Adobe Updates for Acrobat, Reader, and Experience Manager
(October 15, 2019)
Adobe has released updates to address 67 vulnerabilities in Reader and Acrobat, 45 of which are rated critical. Adobe also released fixes for a dozen vulnerabilities in Experience Manager. In addition, Cisco Talos added 76 new rules for Snort.
[Editor Comments]
[Neely] Use the Creative Cloud application to check for updates on all your installed Adobe products. Adobe recommends updating to the latest version of the affected products even if the installed version is not listed as vulnerable. The Adobe flaws center around web application security fixes (CSRF, XSS, XML injection).
[Murray] Keep in mind that this rate of discovery is not diminishing; it suggests a reservoir of vulnerabilities. While most require special knowledge to exploit, most users open at least one pdf a day. Acrobat, like browsers and e-mail, should be restricted and isolated from mission critical applications.
Read more in:
The Register: Sure is quiet from Adobe. No security fixes this month? Great job. Oh no, wait, what's that stampede sound...
https://www.theregister.co.uk/2019/10/15/adobe_snort_patch/
Bleeping Computer: Adobe Fixes 45 Critical Vulnerabilities in Acrobat and Reader
Adobe: Security updates available for Adobe Experience Manager | APSB19-48
https://helpx.adobe.com/security/products/experience-manager/apsb19-48.html
Adobe: Security updates available for Adobe Acrobat and Reader | APSB19-49
https://helpx.adobe.com/security/products/acrobat/apsb19-49.html
Snort: Talos Rules 2019-10-15
https://snort.org/advisories/talos-rules-2019-10-15
--Symantec Issues Update to Fix Fatal Windows Error Problem
(October 15 & 16, 2019)
Symantec has released a new update for its Endpoint Protection Client software to fix a problem that was causing a Blue Screen of Death error on some Windows machines. The problem was reported after users installed the October 14 Intrusion Prevention signature. Symantec recommends that users "download latest Intrusion Prevention signature 2019/10/14 r62, or rollback to an earlier known good content revision to prevent the BSOD situation."
[Editor Comments]
[Neely] The rub here is that endpoint protection is reliant on kernel modules which can result in operating system stability challenges. Those modules are needed to have an appropriate level of visibility and privileges to detect and respond to issues. What is needed is a model where the kernel is read only and protection services operate without impacting it.
Read more in:
Symantec: BAD_POOL_CALLER (c2) or KERNEL_MODE_HEAP_CORRUPTION (13A) occurs after running LiveUpdate
https://support.symantec.com/us/en/article.TECH256643.html
Softpedia: Symantec Causes Windows BSOD Party with Bad Antivirus Update
Bleeping Computer: Symantec Fixes Bad IPS Definitions That Cause a Windows BSOD
The Register: Ye olde Blue Screen of Death is back - this time, a bad Symantec update is to blame
https://www.theregister.co.uk/2019/10/15/blue_screen_of_death_symantec/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Phishing E-Mail Spoofing SPF Protected Domain
https://isc.sans.edu/forums/diary/Phishing+email+spoofing+SPFenabled+domain/25426/
Adobe Updates
https://helpx.adobe.com/security.html
Symantec BSOD
https://support.symantec.com/us/en/article.TECH256643.html
OSX/Shlayer Bypasses Gatekeeper/XProtect
https://blog.confiant.com/osx-shlayer-new-shurprise-unveiling-osx-tarmac-f965a32de887
Fake iOS Jailbreak Leads to Click Fraud
https://blog.talosintelligence.com/2019/10/checkrain-click-fraud.html
Oracle CPU
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
VMWare Cloud Foundation and VMware Harbor Container Registry Patch
https://www.vmware.com/security/advisories/VMSA-2019-0016.html
Jackson-Databind Vulnerability
https://github.com/FasterXML/jackson-databind/issues/2387
Wordpress Update
https://wordpress.org/news/2019/10/wordpress-5-2-4-security-release/
Cryptominers Hiding in WAV Files
https://threatvector.cylance.com/en_us/home/malicious-payloads-hiding-beneath-the-wav.html
Purchased Domain Arrives with Paypal Accounts Linked to it
https://www.theregister.co.uk/2019/10/17/paypal_account_domain/
Typosquatting Attacks Affect 2020 Presidential Election
STI Student Christopher Hurless: Exploring Osquery, Fleet, and Elastic Stack as an Open-source solution to Endpoint Detection and Response
https://www.sans.org/reading-room/whitepapers/detection/paper/39165
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create