SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #87
November 5, 2019Legislation for Election Security and Local Government Cybersecurity; Canadians Launch National Cyber Manpower Program
****************************************************************************
SANS NewsBites Nov. 5, 2019 Vol. 21, Num. 087
****************************************************************************
TOP OF THE NEWS
Push for U.S. Election Security Legislation
Proposed Legislation to Improve Local Government Cybersecurity in US
Canadian Public-Private Partnership Launches National Cyber Manpower Program
REST OF THE WEEK'S NEWS
Web Registrar Account Information Breached
Google Releases Update to Fix Chrome 0-day
Hackers Using BlueKeep to Install Cryptominer
Mozilla Phasing Out Support for Sideloading Extensions in Firefox
Gafgyt Variant Infecting Routers
RCE Flaws in rConfig
Application Guard for Microsoft Office 365 Pro Plus
Ransomware Affects Two Spanish Companies
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS OnDemand and vLive Training
Get an 11" iPad Pro with Smart Keyboard, an HP ProBook, or Take $350 Off through November 13 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019
-- SANS Atlanta Fall 2019 | November 18-23 | https://www.sans.org/event/atlanta-fall-2019
-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019
-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By Splunk *****************************
The SIEM Buyer's Guide for 2020. In 2020, security information event management (SIEM) solutions will be far more than an information platform, expanding to include compliance reporting and logs from firewalls and other devices, as well as User and Entity Behavior Analytics (UEBA) -- now considered an essential capability by Gartner. Download The SIEM Buyer's Guide for 2020 to learn the ROI benefits of adopting a modern SIEM solution. http://www.sans.org/info/214665
*****************************************************************************
TOP OF THE NEWS
--Push for U.S. Election Security Legislation
(November 1, 2019)
Nearly 100 current and former US legislators and government officials from both major political parties have signed a letter urging current senators to take action on several bills aimed at protecting elections from foreign interference. The letter also says that "Congress should ensure that states and counties have the additional financial support they need to address election vulnerabilities."
[Editor Comments]
[Pescatore] The US still doesn't have national data privacy laws because of a decade of inaction by Congress, regardless of which party was in control. An alternative idea to pushing the federal legislation rock uphill for another decade: local voters and cybersecurity activist groups in each state should contact their representatives and demand election security increases in their own state. Most of the progress we have seen (and there has been plenty) has come from governors and state secretaries that are responsible for election systems in their state.
Read more in:
GovInfosecurity: Call for Action: Election Security a 'National Emergency'
https://www.govinfosecurity.com/call-for-action-election-security-national-emergency-a-13340
Issue One: Letter to US Senators
--Proposed Legislation to Improve Local Government Cybersecurity in US
(October 30 & 31, 2019)
A bi-partisan group of US senators has introduced legislation that would direct the Department of Homeland Security (DHS) to make resources available to help local governments switch their email and websites to the .gov domain.
Read more in:
The Hill: Senators introduce bill to strengthen cybersecurity of local governments
SC Magazine: Bipartisan bill would have local governments use .gov to strengthen cybersecurity defenses
--Canadian Public-Private Partnership Launches National Cyber Manpower Program
(October 31, 2019)
Rogers Cybersecure Catalyst at Ryerson University has launched Canada's first large-scale cybersecurity talent development program. The Accelerated Cybersecurity Training Program will provide learners from diverse backgrounds the technical skills and certifications they need to launch careers in cybersecurity. Applications for cohorts starting in February 2020 and April 2020 are now open; candidates can apply to program streams for women, new Canadians, or displaced workers. The Program is a partnership of the Government of Canada, Rogers Communications, Royal Bank of Canada, and the City of Brampton.
[Editor Comments]
[Paller] With three very large employers of cybersecurity talent - Rogers Communications, Royal Bank of Canada, and the Canadian Government -- actively engaged, and with the graduates required to prove their technical mastery of skills employers need, this program may become the model for nation-scale cyber manpower development.
Read more in:
Ryerson: The Accelerated Cybersecurity Training Program
https://www.ryerson.ca/cybersecure-catalyst/training-program/
SANS: SANS Institute Partners with Rogers Cybersecure Catalyst at Ryerson University to Deliver Cybersecurity Training to Women, New Canadians and Displaced Workers
https://www.sans.org/press/announcement/2019/10/31/1
Newswire: Le SANS Institute s'associe a Rogers Cybersecure Catalyst de l'Universite Ryerson pour offrir une formation en cybersecurite aux femmes, aux nouveaux Canadiens et aux travailleurs deplaces
**************************** SPONSORED LINKS ******************************
1) Webcast November 6th at 3:30 PM ET: Evaluating Network Traffic Analysis Systems - Requirements and Challenges. http://www.sans.org/info/214670
2) Survey: Take our SANS 2020 Women in Cybersecurity Survey and enter to win a $400 Amazon gift card. http://www.sans.org/info/214675
3) Webcast: Walk away with tangible next steps for governing Salesforce including access management, compliance reporting and more. http://www.sans.org/info/214680
*****************************************************************************
REST OF THE WEEK'S NEWS
--Web Registrar Account Information Breached
(November 1 & 4, 2019)
Internet registrar Web.com and two of its subsidiaries, Network Solutions and Register.com, have acknowledged that a data breach in August compromised customer account information. The companies did not learn of the breach until mid-October. In all, an estimated 22 million accounts are affected. Customers are being notified through email and on the companies' websites.
[Editor Comments]
[Neely] Many long standing domains are still registered through Network Solutions. Verify which registrars you're using for registered domains. Change account credentials, enable multi-factor authentication, and make sure your records match your registrar. Be on the lookout for fake offers to help re-register, renew or otherwise mange domains.
Read more in:
GovInfosecurity: Trio of Web Registrars Disclose 22 Million Accounts Breached
https://www.govinfosecurity.com/trio-web-registrars-disclose-22-million-accounts-breached-a-13332
Infosecurity Magazine: Global Registrar Web.com Suffers Major Breach
https://www.infosecurity-magazine.com/news/global-registrar-webcom-suffers/
--Google Releases Update to Fix Chrome 0-day
(October 31, November 1 & 4, 2019)
Google has updated Chrome to version 78.0.3904.87 to address two vulnerabilities, one of which is being actively exploited to spread malware. The flaw that is being exploited (CVE-2019-13720) is a use-after-free vulnerability in audio; the other (CVE-2019-13721) is a use-after-free vulnerability in PDFium.
[Editor Comments]
[Neely] The update is available today for Mac, Windows and Linux and can be manually deployed. It will be available for automatic updates in the coming weeks. Because the vulnerability is being actively exploited, this calls for nominal regression testing and rapid deployment rather than waiting.
Read more in:
Chrome Releases: Stable Channel Update for Desktop
https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html
ZDNet: On Halloween night, Google discloses Chrome zero-day exploited in the wild
Bleeping Computer: Chrome Zero-Day Bug with Exploit in the Wild Gets A Patch
SC Magazine: Google patches Chrome flaw used in mysterious WizardOpium exploit attack
https://www.scmagazine.com/home/network-security/google-chrome-update-amends-37-vulnerabilities/
--Hackers Using BlueKeep to Install Cryptominer
(November 2 & 3, 2019)
Hackers are using BlueKeep to break into unprotected computers and install a cryptocurrency miner. BlueKeep exploits a vulnerability in Microsoft's Remote Desktop Protocol (RDP); fixes for the flaw were released in May. When BlueKeep was first disclosed, there was concern that it could be exploited on the level of WannaCry.
Read more in:
ZDNet: BlueKeep attacks are happening, but it's not a worm
https://www.zdnet.com/article/bluekeep-attacks-are-happening-but-its-not-a-worm/
Wired: The First BlueKeep Mass Hacking Is Finally Here--but Don't Panic
https://www.wired.com/story/bluekeep-hacking-cryptocurrency-mining/
Threatpost: BlueKeep Attacks Have Arrived, Are Initially Underwhelming
https://threatpost.com/bluekeep-attacks-have-arrived-are-initially-underwhelming/149829/
--Mozilla Phasing Out Support for Sideloading Extensions in Firefox
(October 31 & November 1, 2019)
Mozilla plans to end support for sideloading extensions in its Firefox browser. The feature which is designed to allow desktop app developers to distribute Firefox extensions with their apps. In a blog post, Mozilla notes that "sideloaded extensions frequently cause issues for users since they did not explicitly choose to install them and are unable to remove them from the Add-ons Manager." When Firefox 73 is released in February 2020, the browser will read sideloaded files and will copy them to users' individual profiles. Firefox 74, scheduled to be released in Match 2020, will not support sideloading.
[Editor Comments]
[Pescatore] Forcing extensions to be downloaded through an "Extension Store" like the Chrome Store or Mozilla's AMO portal follow the model of Google Play and the Apple Store "gigantic whitelist" that has worked very well on cell phones and tablets. Allowing random web sites to download random executables to Windows PCs is pretty much the equivalent to eating random food scraps out of random dumpsters.
[Neely] Extensions are migrating to the user profile where they will be both visible and can be explicitly enabled. Ultimately expect an App Store approach of vetted extensions would be desirable for security and assurance.
[Murray] Browsers are feature rich and this makes them vulnerable. Wherever possible they should be isolated from mission critical applications.
Read more in:
Mozilla: Mozilla Add-ons Blog: Upcoming changes to extension sideloading
https://blog.mozilla.org/addons/2019/10/31/firefox-to-discontinue-sideloaded-extensions/
ZDNet: Mozilla to stop supporting sideloaded extensions in Firefox
https://www.zdnet.com/article/mozilla-to-stop-supporting-sideloaded-extensions-in-firefox/
--Gafgyt Variant Infecting Routers
(October 31, 2019)
A variant of the Gafgyt malware infects wireless routers from Realtek, Huawei, and Zyxel. Gafgyt, which was initially detected in 2014, has been used to infect Internet of Things (IoT) devices to create botnets that are used in distributed denial-of-service (DDoS) attacks.
[Editor Comments]
[Murray] The reports seem to suggest that these attacks are part of a meta-game of gamers against gamers. However, routers are routers and should be patched or replaced.
Read more in:
Dark Reading: 32,000+ WiFi Routers Potentially Exposed to New Gafgyt Variant
ZDNet: This aggressive IoT malware is forcing Wi-Fi routers to join its botnet army
--RCE Flaws in rConfig
(November 4, 2019)
Two vulnerabilities have been detected in the rConfig network configuration management utility. Both can be exploited to remotely execute code. One of the flaws is a critical vulnerability that can be exploited to execute commands through GET requests without authentication. Both flaws reportedly affect all versions of rConfig.
Read more in:
ISC: rConfig Install Directory Remote Code Execution Vulnerability Exploited
Threatpost: Critical Remote Code Execution Flaw Found in Open Source rConfig Utility
https://threatpost.com/critical-rce-flaw-in-rconfig/149847/
--Application Guard for Microsoft Office 365 Pro Plus
(November 4, 2019)
Microsoft is adding a feature to Office 365 ProPlus that will allow users to open attachments in virtualized containers to protect their computers from malware. Microsoft Office Application Guard is similar to the Windows Defender Application Guard feature in Microsoft Edge for Windows 10.
[Editor Comments]
[Honan] Kudos to Microsoft for their efforts in protecting end users. Too often we rely on perimeter security and security awareness training to protect our systems. However, companies should not rely on users to be the last line of defence by not clicking on an attachment. Similar to automobiles we need to design our systems to be as resilient as possible and to protect the user in the event they make a mistake.
[Murray] Process-to-process isolation is a fundamental security mechanism. The current operation of the desktop as a single process presents an attack surface so large as to all but defy defense. Rendering foreign objects is particularly dangerous and isolating the process that does it is useful. However, one might well prefer an operating system like iOS where all applications are isolated from one another, from the file system, and the operating system, and where all inter-process communication is mediated.
Read more in:
Bleeping Computer: Office 365 to Prevent Malicious Docs From Infecting Windows
--Ransomware Affects Two Spanish Companies
(November 4, 2019)
Two companies in Spain were hit by ransomware on Monday, November 4. Both companies have instructed employees to shut off their computers and have disconnected their networks from the Internet. The affected companies are IT consultancy and managed service provider Everis, and Spain's largest radio network, Cadena SER. Spanish authorities reacted to the reports of the ransomware quickly; Spain was one of the first countries to experience Wanna Cry infections in the spring of 2017.
Read more in:
Ars Technica: Spanish companies' networks shut down as result of ransomware
ZDNet: Ransomware hits Spanish companies sparking WannaCry panic
https://www.zdnet.com/article/ransomware-hits-spanish-companies-sparking-wannacry-panic/
Bleeping Computer: Ransomware Attacks Hit Everis and Spain's Largest Radio Network
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Critical Google Chrome Update Fixes Exploited Vulnerability
https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html
BlueKeep Vulnerability Mass Exploited to Install Crypto Coin Miner
https://www.kryptoslogic.com/blog/2019/11/bluekeep-cve-2019-0708-exploitation-spotted-in-the-wild/
rConfig Vulnerabilities
Clam AV Vulnerability
https://twitter.com/hackerfantastic/status/1190685521153937408
Xcode Vulnerability
https://support.apple.com/en-is/HT210729
MikroTik DNS Cache Poisoning
https://blog.mikrotik.com/security/dns-cache-poisoning-vulnerability.html
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create