SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #90
November 15, 2019
County Uses New Paper-Based Voting Machines; Ransomware Outcomes
****************************************************************************
SANS NewsBites Nov. 15, 2019 Vol. 21, Num. 090
****************************************************************************
TOP OF THE NEWS
Choctaw County, Mississippi Uses New Paper-Based Voting Machines
Indiana School District Recovering from Ransomware
Pemex Will Not Pay Ransomware Demand
REST OF THE WEEK'S NEWS
Brennan Center Report: A Framework for Election Vendor Oversight
Patch Tuesday: Microsoft, Adobe, and Intel
US-CERT Warning on Medtronic Surgery Equipment Security
Royal Canadian Mounted Police Charge Man in Connection with Remote Access Trojan
Alleged Online Criminal Marketplace Operator Extradited to US
InfoTrax Settles with FTC Over Security Failures
HHS Office for Civil Rights Investigating Google's Project Nightingale Medical Data Consolidation
INTERNET STORM CENTER TECH CORNER
****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS OnDemand and vLive Training
Get an 11" iPad Pro, a 12.3" Surface Pro, or Take $350 Off through December 4 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019
-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
************************** Sponsored By Eclypsium **************************
Mother of All Drivers - New Vulnerabilities In Windows Drivers. Research from firmware security leader Eclypsium reveals how Windows kernel security mode enables attacks and identifies vulnerable drivers that can provide attackers with near-limitless control over a victim device. Research report and webinar describe common design flaws and what to do about them. http://www.sans.org/info/214765
****************************************************************************
TOP OF THE NEWS
--Choctaw County, Mississippi Uses New Paper-Based Voting Machines
(November 12, 2019)
In a recent election, voters in Choctaw County, Mississippi used new machines from VotingWorks, a small nonprofit organization that offers an inexpensive, easy-to-use, paper-based election system. VotingWorks' machines are not federally certified; Mississippi is one of a handful of US states that allow the use of voting machines that have not been federally certified. The process of federal certification is time consuming and expensive, creating roadblocks for innovation.
[Editor Comments]
[Pescatore] Lack of certification can be a barrier to cybersecurity innovation, too. We can't tell vendors "You need to jump this bar, unless you don't charge for your product." Has VotingWorks tried a GoFundMe campaign to fund certification, which would allow that software to be used by the 47 states that do require certification?
Read more in:
ProPublica: The Way America Votes Is Broken. In One Rural County, a Nonprofit Showed a Way Forward.
--Indiana School District Recovering from Ransomware
(November 14, 2019)
A school district in Indiana is working on restoring its IT systems after a ransomware attack earlier this week. The Penn-Harris-Madison School Corp. notified families and staff of the incident on Tuesday, November 12. A spokesperson for Penn-Harris-Madison said that the IT staff shut down servers and began "scrubbing" on Tuesday, and on Wednesday, began bringing servers online. Staff members were notified that all files and data were backed up, but that complete restoration would take time.
Read more in:
GovTech: Indiana School District Restoring Computers After Ransomware
https://www.govtech.com/security/Indiana-School-District-Restoring-Computers-After-Ransomware.html
--Pemex Will Not Pay Ransomware Demand
(November 13, 2019)
Mexico's energy minister said that the state-owned oil company Pemex will not pay a ransom demanded by cyberattackers. The attack appears to have targeted corporate rather than operational systems.
[Editor Comments]
[Neely] Pemex reverted to manual methods for payments during the system recovery. Kudos to them for isolating affected systems to stop lateral movement and exercising their DR plan rather than paying the ransom. The hardest part will be assurance of eradication and sufficient measures to prevent recurrence.
Read more in:
SC Magazine: Pemex claims victory over cyberattack; $4.9 million ransom reportedly demanded
GovInfosecurity: Ransomware: Mexican Oil Firm Reportedly Refuses to Pay Up
https://www.govinfosecurity.com/ransomware-mexican-oil-firm-reportedly-refuses-to-pay-up-a-13404
Reuters: Mexico's Pemex won't pay ransom after cyberattack: energy minister
**************************** SPONSORED LINKS ******************************
1) Part 1 of a 3 Webcast Series: Outperform the Adversary with Tactical Decision-making and Rapid Response. Register: http://www.sans.org/info/214770
2) See how you can maximize threat hunting efficiency with automated queries in this upcoming webcast: http://www.sans.org/info/214775
3) Webcast November 20th at 10:30 AM ET: Threat Intelligence Driven Detect and Response Operations. Register: http://www.sans.org/info/214780
*****************************************************************************
REST OF THE WEEK'S NEWS
--Brennan Center Report: A Framework for Election Vendor Oversight
(November 12 & 13, 2019)
A report from New York University Law School's Brennan Center for Justice notes that "more than 80 percent of voting systems in use today are under the purview of three vendors," yet those vendors "receive little or no federal review." The report proposes a framework for federal election oversight that includes independent oversight by a revamped Election Assistance Commission (EAC); issuance of vendor best practices from a "reconstituted" EAC Technical Guidelines Development Committee that includes members with cybersecurity expertise; vendor certification; ongoing review; and enforcement of guidelines.
[Editor Comments]
[Pescatore] The report gives equal coverage to voluntary mechanisms that would not require federal legislative action. Since "timely federal legislative action" is largely an oxymoron, I'd like to see the National Association of Secretaries of State take action to have all the state secretaries (who oversee elections) agree to voluntary procurement requirements to drive those election vendors to first reach basic levels of security hygiene and then to move to critical infrastructure levels of security.
Read more in:
The Hill: Brennan Center calls for certification of companies that make voting equipment
GovInfosecurity: Report Calls for Enforcing Voting Machine Standards
https://www.govinfosecurity.com/report-calls-for-enforcing-voting-machine-standards-a-13403
Brennan Center: A Framework for Election Vendor Oversight (PDF)
https://www.brennancenter.org/sites/default/files/2019-11/2019_10_ElectionVendors.pdf
--Patch Tuesday: Microsoft, Adobe, and Intel
(November 12 & 14, 2019)
On Tuesday, November 12, Microsoft released fixes for 4 security issues in Windows and related software. One of the flaws, a scripting engine memory corruption vulnerability in Internet Explorer, is being actively exploited. Adobe issued fixes for vulnerabilities in Animate, Illustrator, and other creative software products. Intel has announced that it will now release updates on the second Tuesday of the month as well; its inaugural scheduled release addresses 77 vulnerabilities.
Read more in:
KrebsOnSecurity: Patch Tuesday, November 2019 Edition
https://krebsonsecurity.com/2019/11/patch-tuesday-november-2019-edition/
The Register: This November, give thanks for only having one exploited Microsoft flaw for Patch Tues. And four Hyper-V escapes
https://www.theregister.co.uk/2019/11/12/november_2019_patch_tuesday/
Threatpost: Microsoft Patches RCE Bug Actively Under Attack
https://threatpost.com/microsoft-patches-rce-bug/150136/
MSRC: Security Update Summary
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
Adobe: Security Bulletins and Advisories
https://helpx.adobe.com/security.html
Intel: IPAS: November 2019 Intel Platform Update (IPU)
https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/
--US-CERT Warning on Medtronic Surgery Equipment Security
(November 7 & 14, 2019)
US-CERT has issued an advisory warning of security flaws in Medtronic Valleylab FT10 and FX8 Energy Platforms as well as Valleylab Exchange Client. The security issues include hardcoded credentials, a reversible one-way hash, and improper input validation. Medtronic has made fixes available for the FT10 Platform; fixes for the FX8 platform are expected to be available early next year.
Read more in:
Dark Reading: US-CERT Warns of Remotely Exploitable Bugs in Medical Devices
US-CERT: ICS Medical Advisory (ICSMA-19-311-02) Medtronic Valleylab FT10 and FX8
https://www.us-cert.gov/ics/advisories/icsma-19-311-02
--Royal Canadian Mounted Police Charge Man in Connection with Remote Access Trojan
(November 12 & 13, 2019)
Authorities in Canada have charged John Paul Revesz with allegedly operating a malware scheme. Revesz maintained that the product in question, Orcus RAT, is a Remote Administration Tool, useful for sysadmin remote management, but evidence suggests that the way Orcus RAT was marketed is more in line with it being a Remote Access Trojan.
Read more in:
KrebsOnSecurity: Orcus RAT Author Charged in Malware Scheme
https://krebsonsecurity.com/2019/11/orcus-rat-author-charged-in-malware-scheme/
--Alleged Online Criminal Marketplace Operator Extradited to US
(November 12 & 13, 2019)
Aleksei Yurievich Burkov appeared in federal court in Virginia on Tuesday, November 12, to face charges enumerated in a 2016 indictment. They include conspiracy to commit access device fraud, conspiracy to commit wire fraud, computer intrusion, and identity theft for his alleged role in running two websites that facilitated payment card fraud and other illegal activity. Burkov, a Russian citizen, was arrested in Israel nearly four years ago. His extradition was approved in 2017, and his appeals were recently denied.
Read more in:
Justice: Russian National Extradited for Running Online Criminal Marketplace
https://www.justice.gov/usao-edva/pr/russian-national-extradited-running-online-criminal-marketplace
Wired: Russia Fails to Stop Alleged Hacker From Facing US Charges
https://www.wired.com/story/aleksei-burkov-russia-hacking-extradition/
The Register: Russian bloke charged in US with running $20 million stolen card-as-a-service online souk
https://www.theregister.co.uk/2019/11/13/russian_charged_cardplanet/
SC Magazine: Russian who allegedly ran illegal Cardplanet site extradited to U.S.
Ars Technica: Russian man charged with running money-back-guaranteed criminal marketplace
--InfoTrax Settles with FTC Over Security Failures
(November 12 & 13, 2019)
A Utah company has settled a US Federal Trade Commission (FTC) complaint over its failure to adequately protect customer data. InfoTrax Systems failed to detect numerous intrusions over a 22-month period; the company was unaware that its systems had been breached until in 2016 when it learned that one of its servers had maxed out its storage capacity. The intruder had created a data archive file that grew with each intrusion until it used up all the remaining disk space. InfoTrax has agreed to a settlement that calls for it "to implement a comprehensive data security program."
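The failure mode in this story, an archive file that grows with each intrusion until the disk is full, is one that routine file inventories can catch long before the storage alarm fires. The following is an added example, not code from InfoTrax, the FTC, or the articles cited here: it compares constructed nightly file inventories (hypothetical paths and sizes) to flag archive files outside expected backup locations that keep growing, and projects how many days of free space remain from free-space samples.

```python
"""Flag archive files that keep growing across periodic file inventories,
and project when a volume will fill. Added example with constructed data;
every path, size and directory below is hypothetical."""
from dataclasses import dataclass, field

ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z", ".tar", ".tar.gz", ".tgz")
# Directories where large or growing archives are expected (hypothetical).
EXPECTED_ARCHIVE_DIRS = ("/var/backups/",)

# Constructed example: path -> size in bytes from three consecutive nightly
# inventory runs. The rotated backup stays roughly the same size; the hidden
# .rar under /tmp grows every night, as a staging archive for exfiltration would.
SNAPSHOTS = [
    {"/var/www/html/index.php": 4_200,
     "/var/backups/db-nightly.tar.gz": 900_000_000,
     "/tmp/.cache/x.rar": 50_000_000},
    {"/var/www/html/index.php": 4_200,
     "/var/backups/db-nightly.tar.gz": 905_000_000,
     "/tmp/.cache/x.rar": 120_000_000},
    {"/var/www/html/index.php": 4_300,
     "/var/backups/db-nightly.tar.gz": 898_000_000,
     "/tmp/.cache/x.rar": 310_000_000},
]

# Constructed free-space samples for the same volume: (day number, free bytes).
FREE_SPACE_SAMPLES = [(0, 2_000_000_000), (1, 1_930_000_000), (2, 1_740_000_000)]


@dataclass
class Finding:
    path: str
    sizes: list = field(default_factory=list)
    reason: str = ""


def is_archive(path: str) -> bool:
    """True when the file name carries a common archive suffix."""
    return path.lower().endswith(ARCHIVE_SUFFIXES)


def in_expected_dir(path: str, expected_dirs) -> bool:
    return any(path.startswith(d) for d in expected_dirs)


def longest_growth_run(sizes) -> int:
    """Length of the longest run of consecutive strictly increasing samples."""
    best = run = 0
    for earlier, later in zip(sizes, sizes[1:]):
        run = run + 1 if later > earlier else 0
        best = max(best, run)
    return best


def growing_archives(snapshots, expected_dirs=EXPECTED_ARCHIVE_DIRS,
                     min_growth_steps=2):
    """Return archives outside expected directories whose size increased in
    at least `min_growth_steps` consecutive snapshots."""
    findings = []
    for path in sorted(set().union(*snapshots)):
        if not is_archive(path) or in_expected_dir(path, expected_dirs):
            continue
        # Skip snapshots where the file did not exist yet (or was deleted).
        sizes = [snap[path] for snap in snapshots if path in snap]
        run = longest_growth_run(sizes)
        if run >= min_growth_steps:
            findings.append(Finding(path, sizes,
                                    f"grew in {run} consecutive inventories"))
    return findings


def days_until_full(samples):
    """Linear projection from the first and last (day, free_bytes) samples.
    Returns None when free space is not shrinking over the window."""
    (day0, free0), (day1, free1) = samples[0], samples[-1]
    if day1 == day0 or free1 >= free0:
        return None
    bytes_per_day = (free0 - free1) / (day1 - day0)
    return free1 / bytes_per_day


if __name__ == "__main__":
    for finding in growing_archives(SNAPSHOTS):
        print(f"ALERT {finding.path}: {finding.sizes} ({finding.reason})")
    remaining = days_until_full(FREE_SPACE_SAMPLES)
    if remaining is not None:
        print(f"volume projected full in about {remaining:.1f} days")
```

Run against the constructed inventories, only the hidden archive under /tmp is reported; the backup archive is excluded both by its location and because its size does not increase across consecutive runs. The free-space projection gives an early, actionable number instead of waiting for the volume to hit zero, which is the signal InfoTrax ended up relying on.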
[Editor Comments]
[Neely] Being revisited by an intruder after detection, which happened at least twice in this case, is not the best way to find gaps in your security program. Verification that configured monitoring triggers a response that is acted upon should be performed regularly. Fortunately for InfoTrax, the settlement doesn't include a fine, as often happens with FTC complaints.
[Pescatore] The FTC continues to quietly go after egregious violators, but often ends up with these types of settlements. I think it is time for something like a GAO report that looks into the track record of companies that agreed "to implement a comprehensive data security program." Seems like there has been some high-profile backsliding; we should have an accounting of the real-world effectiveness of those agreements.
Read more in:
FTC: Utah Company Settles FTC Allegations it Failed to Safeguard Consumer Data
Ars Technica: Breach affecting 1 million was caught only after hacker maxed out target's storage
ZDNet: Company discovered it was hacked after a server ran out of free space
https://www.zdnet.com/article/company-discovered-it-was-hacked-after-a-server-ran-out-of-free-space/
FTC: Decision and Order In the Matter of Infotrax Systems, L.C., A Limited Liability Company, and Mark Rawlins
https://www.ftc.gov/system/files/documents/cases/162_3130_infotrax_order_clean.pdf
FTC: Complaint In the Matter of Infotrax Systems, L.C., A Limited Liability Company, and Mark Rawlins (2016)
https://www.ftc.gov/system/files/documents/cases/162_3130_infotrax_complaint_clean.pdf
--HHS Office for Civil Rights Investigating Google's Project Nightingale Medical Data Consolidation
(November 13, 2019)
The Office for Civil Rights in the US Department of Health and Human Services has launched an investigation into "Project Nightingale," a joint effort between Ascension, a non-profit healthcare system with more than 50 million patients in 23 states, and Google. The plan calls for Google to analyze Ascension patient data to provide improved patient care. Ascension did not notify patients or doctors before it started sharing the data with Google. Prior to Project Nightingale, Ascension patient information resided in 40 data centers in dozens of states. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Neely] The HIPAA paperwork you sign at your doctor's office or hospital acknowledges that they are allowed to share data with other entities only to help with their health care functions, which covers this sort of data sharing. Healthcare data custodians have the burden of assurance that the data shared is only used for the intended purposes. The HHS Health Information Privacy site has guides and reference material that can be leveraged to develop the controls needed to properly protect PHI data. Security Rule Guidance Material: https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html
Read more in:
WSJ: Google's 'Project Nightingale' Triggers Federal Inquiry (paywall)
Ars Technica: Google: You can trust us with the medical data you didn't know we already had [Updated]
Threatpost: Google's Plan to Crunch Health Data on Millions of Patients Draws Fire
https://threatpost.com/googles-plan-to-crunch-health-data-on-millions-of-patients-draws-fire/150172/
ZDNet: Google's plan to collect health data on millions of Americans faces federal inquiry
******************************************************************************
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Tuesday
https://isc.sans.edu/forums/diary/November+2019+Microsoft+Patch+Tuesday/25516/
Adobe Update
https://helpx.adobe.com/security.html
Lokibot Update (November 2019)
https://isc.sans.edu/forums/diary/An+example+of+malspam+pushing+Lokibot+malware+November+2019/25518/
Facebook Camera Bug
https://www.cnet.com/news/facebook-bug-has-camera-activated-while-people-are-using-the-app
McAfee Anti Virus Bypass and Persistence
Some Packet-Fu with Zeek
https://isc.sans.edu/forums/diary/Some+packetfu+with+Zeek+previously+known+as+bro/25510/
Zombieload 2.0 Vulnerability
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create