SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #83
October 22, 2019
ICS Manufacturer Hit with Ransomware; Ransomware Targeting Office 365 Users - Plays Music While it Encrypts Your Files
****************************************************************************
SANS NewsBites Oct. 22, 2019 Vol. 21, Num. 083
****************************************************************************
TOP OF THE NEWS
Industrial Controls Systems Manufacturer Systems Hit with Ransomware
Ransomware Targeting Italian Office 365 Users - Set to Music
REST OF THE WEEK'S NEWS
Second Draft of DoD Cybersecurity Maturity Model Certification Coming in November
Air Force Upgrades SACCS from Floppy Disks
Girl Scouts of America Pilots Cybersecurity Challenge
Cybersecurity and Healthcare
FAA Drone ID Requirements
Microsoft Secured-Core PC Aims to Protect Computers from Firmware Attacks
NordVPN Confirms 2018 Breach
Autoclerk Database Exposed Online
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019
-- DFIRCON 2019 | Miami, FL | November 4-9 | https://www.sans.org/event/dfircon-miami-2019
-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019
-- SANS Sydney 2019 | November 4-23 | https://www.sans.org/event/sydney-2019
-- SANS London November 2019 | November 11-16 | https://www.sans.org/event/london-november-2019
-- SANS Atlanta Fall 2019 | November 18-23 | https://www.sans.org/event/atlanta-fall-2019
-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS OnDemand and vLive Training
Get an iPad Mini, an ASUS Chromebook Flip, or Take $250 Off through October 30 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
************************ Sponsored By Splunk *****************************
How to Uplevel Your Defenses With Security Analytics. If you don't have actionable insights to detect and respond to emerging and current threats, you're not reaping the rewards of modern security information event management (SIEM) technology. Download How to Uplevel Your Defenses With Security Analytics, and find out what you (and your SIEM) are missing and how to harden your defenses. http://www.sans.org/info/214535
****************************************************************************
TOP OF THE NEWS
--Industrial Controls Systems Manufacturer Systems Hit with Ransomware
(October 21, 2019)
German automation tool manufacturer Pilz was hit with ransomware more than a week ago. According to the company's website, "all servers and PC workstations, including the company's communication, have been affected worldwide." Updates to the website note that email was restored in subsidiaries on October 18, and that the company was able to restore deliveries for certain areas as of October 21.
[Editor Comments]
[Paller] Consider the very real situation where your ICS vendor manages your power or other systems remotely. This is a wake-up call for ICS vendors to massively upgrade their own cyber hygiene.
Read more in:
ZDNet: Major German manufacturer still down a week after getting hit by ransomware
Pilz: Cyberangriff auf die Pilz GmbH & Co. KG (in German; scroll down for English)
https://www.pilz.com/message.html
--Ransomware Targeting Italian Office 365 Users - Set to Music
(October 18, 2019)
Office 365 users in Italy are being targeted by ransomware attacks. The malware makes its way onto machines through email messages that pretend to be invoices, resumes, or other business documents; the messages contain a .vbs file that encrypts files and downloads a malware loader. This particular attack has a quirk: the .vbs file also downloads and plays music while the victim's files are being encrypted.
[Editor Comments]
[Murray] E-mail and "browsing" should be isolated from mission critical applications.
Read more in:
InfoSecurity Magazine: Italians Rocked by Ransomware
https://www.infosecurity-magazine.com/news/italians-rocked-by-ransomware/
**************************** SPONSORED LINKS ******************************
1) Webcast October 22nd at 1 PM ET: Converged Threat and Performance Management - Listen to Your Network! http://www.sans.org/info/214540
2) In the Boston area? Attend the Dark Web Solutions Forum On November 15th for free with discount code DarkWeb2019. http://www.sans.org/info/214545
3) Learn key considerations when choosing solutions to improve your organization's security posture. http://www.sans.org/info/214550
*****************************************************************************
REST OF THE WEEK'S NEWS
--Second Draft of DoD Cybersecurity Maturity Model Certification Coming in November
(October 18 & 21, 2019)
The first public draft of the US Department of Defense's (DoD's) Cybersecurity Maturity Model Certification, which establishes cybersecurity standards for government contractors, has received more than 2,000 comments since it was released on August 30, 2019. The second draft is expected to be released for comment in early November. The official version is expected to be released in January 2020.
Read more in:
Nextgov: Pentagon Receives 2,000 Comments on Vendor Cyber Certification Program
Fedscoop: Fresh draft of DOD contractor cybersecurity standards coming next month
https://www.fedscoop.com/draft-dod-contractor-cyber-standards/
ACQ.OSD: Cybersecurity Maturity Model Certification (CMMC)
https://www.acq.osd.mil/cmmc/docs/cmmc-draft-model-30aug19.pdf
--Air Force Upgrades SACCS from Floppy Disks
(October 17 & 18, 2019)
The US Air Force has finally phased out the use of 8-inch floppy disks used in its Strategic Automated Command and Control System (SACCS), which is used to relay messages regarding US nuclear capability. Instead, the facility moved to a "highly-secure solid state digital storage solution" earlier this year.
[Editor Comments]
[Neely] I haven't used an 8" floppy in at least 25 years. Note that they have only replaced the floppy disks with newer storage; the 1976 era IBM Series/1 systems are still in place. While this system is a model of control systems designed for a long life, keeping a system this old operational requires technicians skilled in repairing and understanding technology that has no spare parts. Including the ability to service long-lived systems has to be part of the lifecycle management and your risk register.
[Murray] This may be the poster child for legacy systems.
Read more in:
C4isrnet: The US nuclear forces' Dr. Strangelove-era messaging system finally got rid of its floppy disks
ZDNet: US stopped using floppy disks to manage nuclear weapons arsenal
https://www.zdnet.com/article/us-stopped-using-floppy-disks-to-manage-nuclear-weapons-arsenal/
Ars Technica: Air Force finally retires 8-inch floppies from missile launch control system
--Girl Scouts of America Pilots Cybersecurity Challenge
(October 18, 2019)
The Girl Scouts of America's (GSA's) Girl Scouts Cyber Challenge took place on Saturday, October 19. More than 3,000 scouts signed up to participate. The challenge was piloted at councils in 10 states. If it is deemed successful, the next challenge will be expanded to include all 111 councils.
[Editor Comments]
[Pescatore] Nice to see the progress in the two years since we all commented on this being a very valuable initiative.
[Neely/Murray] This is exciting; applause to GSA and Raytheon for providing this opportunity. Building these skills aligns with our shortage of cybersecurity workers. Efforts like these will not only spark interest but also help raise the skills of students entering into training and education programs.
[Murray] We now have degree programs at all levels as well as established hands-on training programs. We should encourage and support programs like this Girl Scout program to fill the pipeline into higher education and industry training.
Read more in:
InfoSecurity Magazine: Girl Scouts of USA Launch First National Cybersecurity Challenge
https://www.infosecurity-magazine.com/news/us-girl-scouts-launch/
--Cybersecurity and Healthcare
(October 17, 2019)
The Do No Harm 2.0 report from New America, a Washington, DC-based think tank, "aim[s] to highlight the need to mitigate the risks to patient safety created by the growing integration of information technology and operational technology into healthcare, and to propose ways to mitigate that risk." The report makes 17 policy recommendations, including holding the board of directors responsible for healthcare privacy and security and strengthening FDA requirements for medical device security to ensure security is baked in.
Read more in:
New America: Do No Harm 2.0
https://www.newamerica.org/cybersecurity-initiative/reports/do-no-harm-20/
Meritalk: New America Releases Report on Health Cyber Risks
https://www.meritalk.com/articles/new-america-releases-report-on-health-cyber-risks/
--FAA Drone ID Requirements
(October 20, 2019)
The FAA is scheduled to issue a rulemaking statement requiring drones to emit a signal indicating aircraft and ownership information. This is a critical step for integration of unmanned aircraft into the National Airspace System. Remote identification is considered essential for beyond visual line of sight operations, which many drones support.
[Editor Comments]
[Neely] While law enforcement want information to provide ownership information when dealing with reckless or unlawful operators, the topics that need to be worked out include what information should be transmitted; how it should be collected and safeguarded; and whether unlawful operators would bother to transmit accurate information, if any.
[Pescatore] Warning, will skew old here - you might want to skip to the next comment or item. Back in 1982 while working at the US Secret Service I did an investigation into how to protect against attacks by radio-controlled airplanes. That was pre-GPS, 5G, remote video - the ability for drones to be used maliciously beyond line of sight is exponentially higher today. Having Identify Friend or Foe technology built-in is going to be a necessary requirement but dealing with drones that are declared "foes" is a very complex topic.
Read more in:
AV Web: ID Requirements For Drones Coming Soon
https://www.avweb.com/aviation-news/id-requirements-for-drones-coming-soon/
--Microsoft Secured-Core PC Aims to Protect Computers from Firmware Attacks
(October 21, 2019)
Working in partnership with its manufacturers, Microsoft is developing a feature to protect PCs from firmware attacks. Secured-Core PC changes the way the machines boot up so it can detect anomalies before they take root in PCs. It takes away firmware's role in determining software integrity on boot up and shifts the integrity checks to new CPUs.
[Editor Comments]
[Murray] Apple has demonstrated how to do this, at least in closed systems. It is an important tactic in securing the "supply chain."
Read more in:
Microsoft: Microsoft and partners design new device security requirements to protect against targeted firmware attacks
Wired: Microsoft's New Plan to Defend the Code Deep Within PCs
https://www.wired.com/story/microsoft-secured-core-pc/
Dark Reading: Microsoft Aims to Block Firmware Attacks with New Secured-Core PCs
--NordVPN Confirms 2018 Breach
(October 21, 2019)
NordVPN has acknowledged that one of its data centers was breached in March 2018. The attacker accessed a server at a data center in Finland through an unsecured remote management system. In a blog post about the incident, NordVPN writes, "The attacker gained access to the server by exploiting an insecure remote management system left by the datacenter provider while we were unaware that such a system existed."
[Editor Comments]
[Neely] Although the breach occurred in March 2018 and all involved servers have been "shredded", the breach included an expired TLS private key. Nord delayed notification to allow time to take and verify steps to prevent recurrence. In today's marketplace more rapid communication and transparency is needed to support claims of security, particularly for a service such as a VPN. If you are a NordVPN user, you may want to refresh your chosen VPN server to make sure current secure servers are used.
[Murray] This is called a "back door." These are sometimes the result of error but are often sponsored by nation state actors or criminal enterprises.
Read more in:
NordVPN: Why the NordVPN network is safe after a third-party provider breach
https://nordvpn.com/blog/official-response-datacenter-breach/
Tech Crunch: NordVPN confirms it was hacked
https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/
CNET: Popular VPN service NordVPN confirms data center breach
https://www.cnet.com/news/popular-vpn-service-nordvpn-confirms-datacenter-breach/
ZDNet: NordVPN confirms data center breach
https://www.zdnet.com/article/nordvpn-confirms-data-center-breach/
--Autoclerk Database Exposed Online
(October 21, 2019)
An Elasticsearch database belonging to the Autoclerk reservations management system was left unprotected on the Internet. The database contains data related to more than 100,000 bookings. The compromised information includes unencrypted login credentials and travel arrangements. Among the affected booking entities are government contractors responsible for arranging travel for government and military personnel.
[Editor Comments]
[Murray] The Verizon Data Breach Incident Report suggests that "orphan data" is a cause of data leakage.
Read more in:
Threatpost: U.S. Government, Military Personnel Data Leaked By Autoclerk
https://threatpost.com/government-military-personnel-data-leaked/149386/
ZDNet: Open database leaked 179GB in customer, US government, and military records
SC Magazine: Leaky Autoclerk database exposes info on travelers, including military and gov't personnel
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Attacks Against NVMS-9000 DVR Web Vulnerability
https://isc.sans.edu/forums/diary/Scanning+Activity+for+NVMS9000+Digital+Video+Recorder/25434/
DNS over TLS Scans
https://isc.sans.edu/forums/diary/Whats+up+with+TCP+853+DNS+over+TLS/25438/
Pixel 4 Face Unlock Works with Eyes Shut
https://www.bbc.com/news/technology-50085630
Samsung Galaxy S10 Fingerprint Unlock Bug
https://www.bbc.com/news/technology-50080586
Alexa/Google Home Phishing
https://srlabs.de/bites/smart-spies/
Trend Micro Bypass
Realtek Linux Wifi Driver Buffer Overflow
https://twitter.com/nicowaisman/status/1184864519316758535
NordVPN and Others Compromised
https://techcrunch.com/2019/10/21/nordvpn-confirms-it-was-hacked/
https://twitter.com/hexdefined/status/1186106695073726466
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create