SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #92
November 22, 2019Cybersecurity Book of the Year; 3 Ransomware Tales
****************************************************************************
SANS NewsBites Nov. 22, 2019 Vol. 21, Num. 092
****************************************************************************
TOP OF THE NEWS
The Best Cybersecurity Book of 2019: Sandworm: A New Era of CyberWar
Texas School District Pays Ransomware Demand
Veterinary Practices Hit with Ransomware
French Hospital's Computers Infected with Ransomware
REST OF THE WEEK'S NEWS
DHS and VotingWorks Release Open Source Post Election Audit Tool
Critical Flaws in Oracle E-Business Suite
New Russian Law Requires Devices Sold Have Russian Software Pre-Installed
Microsoft Patches Windows UAC Flaw
Cleveland Federal Reserve President: Do a Better Job of Sharing Threat Information
NeverQuest Banking Malware Developer Sentenced to Prison
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS OnDemand and vLive Training
Get an 11" iPad Pro, a 12.3" Surface Pro, or Take $350 Off through December 4 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019
-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
************************ Sponsored By Yubico ******************************
Go Passwordless: Imagine a world where users no longer need to set, forget and reset multiple passwords. Passwords are known as the weakest link for enterprise security and the #1 IT support cost. The world is about to change with the introduction of passwordless authentication. Download the whitepaper to learn how. http://www.sans.org/info/214830
*****************************************************************************
TOP OF THE NEWS
--The Best Cybersecurity Book of 2019: Sandworm: A New Era of CyberWar
(Nov. 22, 2019)
Sandworm answers the questions security people need answered about how the most damaging cyber attacks of the past three years happened, who was at fault, and perhaps most importantly, what did the victims not do that would have protected them. What makes it this year's "best book" is the way it takes the reader inside discussions with the people who actually discovered and deciphered the attacks as well as discussions with the victims. Written by one of America's "10 Top Cyber Journalists," Andy Greenberg, Sandworm is an in-person tour of the battlefield with face to face discussions with each of the people you would want to talk to. Just amazing!
Read more in:
Cyberscoop: 'Sandworm' book review: To understand cyberwar, you must understand Ukraine
https://www.cyberscoop.com/sandworm-book-review-andy-greenberg-ukraine-cyberwar/
LA Times: Review: 'Sandworm' is an essential guide to a shadowy world
Amazon: Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers
https://www.amazon.com/Sandworm-Cyberwar-Kremlins-Dangerous-Hackers/dp/0385544405/
--Texas School District Pays Ransomware Demand
(November 18, 2019)
The Port Neches-Groves Independent School District in Texas has paid an undisclosed sum in Bitcoin to regain access to their files that were encrypted by ransomware. The district's director of information services said that as of Monday, November 18, staff had regained access to nearly all files.
Read more in:
Beaumont Enterprise: PN-G pays ransom to regain access to district files
--Veterinary Practices Hit with Ransomware
(November 19 & 20, 2019)
A ransomware attack affected computers at California-based National Veterinary Associates (NVA), causing problems at roughly 400 of the company's veterinary practices and animal boarding facilities around the world. NVA discovered the attack on October 27 and hired two companies to help with the recovery. The attack affected patient records, payment systems, and office management software. The company did not say if it paid the ransom.
Read more in:
KrebsOnSecurity: Ransomware Bites 400 Veterinary Hospitals
https://krebsonsecurity.com/2019/11/ransomware-bites-400-veterinary-hospitals/
Threatpost: 400 Vet Locations Nipped by Ryuk Ransomware
https://threatpost.com/400-vet-locations-ryuk-ransomware/150443/
--French Hospital's Computers Infected with Ransomware
(November 21, 2019)
A hospital in Rouen, France, was the victim of a ransomware attack that occurred on Friday, November 15. While the 6,000 computers were unavailable, healthcare providers at Centre Hospitalier Universitaire (CHU) resorted to pen and paper. CHU said that the incident has caused "very long delays in care." According to Le Monde, France's cybercrime agency ANSSI helped contain the effects of the attack and helped with the recovery.
Read more in:
BBC: Rouen hospital turns to pen and paper after cyber-attack
https://www.bbc.com/news/technology-50503841
The Register: Bon sang! French hospital contracts 6,000 PC-locking ransomware infection
https://www.theregister.co.uk/2019/11/21/french_hospital_rouen_ransomware/
Infosecurity Magazine: French Hospital Crippled by Ransomware
https://www.infosecurity-magazine.com/news/french-hospital-crippled-by/
Le Monde: Frappe par une cyberattaque massive, le CHU de Rouen force de tourner sans ordinateurs (in French)
**************************** SPONSORED LINKS ******************************
1) ICYMI Webcast: Maximizing Threat Hunting Efficiency with Automated Queries. View here: http://www.sans.org/info/214835
2) Join us at SANS Cyber Threat Intelligence Summit | Arlington, VA | Jan 20-21: http://www.sans.org/info/214850
3) Webcast November 26th at 1 PM ET: Learn the reality of using a move to cloud to finally transform your security. http://www.sans.org/info/214860
*****************************************************************************
REST OF THE WEEK'S NEWS
--DHS and VotingWorks Release Open Source Post Election Audit Tool
(November 21, 2019)
The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) and VotingWorks have made an open source post election risk-limiting audit tool available on GitHub. Arlo, as the tool is named, "helps election officials complete a statistically valid audit of vote tabulation processes by comparing the votes marked on a random sample of original paper ballots with the electronically recorded votes for those same ballots."
Read more in:
voting.works: Risk-Limiting Audits with Arlo
https://voting.works/risk-limiting-audits/
github: votingworks/arlo
https://github.com/votingworks/arlo
ZDNet: CISA and VotingWorks release open source post-election auditing tool
https://www.zdnet.com/article/cisa-and-votingworks-release-open-source-post-election-auditing-tool/
--Critical Flaws in Oracle E-Business Suite
(November 19 & 20, 2019)
A pair of critical vulnerabilities in Oracle's E-Business Suite (EBS) could be exploited to print checks and conduct electronic funds transfers. Oracle released fixes for the flaws in its April 2019 Critical Patch Update. The Onapsis researchers that found the flaws and reported them to Oracle in December 2018 estimate that about half of Oracle EBS customers have not yet applied the fixes.
[Editor Comments]
[Neely] Regression testing of changes to ERP systems is important, and it takes a lot of maturity to roll updates quickly. Due to the critical nature of the flaws, expedited testing is warranted; mitigate some of the risks by actively watching application logs for unauthorized transactions.
Read more in:
Dark Reading: Patch 'Easily Exploitable' Oracle EBS Flaws ASAP: Onapsis
Bleeping Computer: Thousands of Enterprises At Risk Due to Oracle EBS Critical Flaws
Onapsis: Oracle PAYDAY Attacks Put Thousands of Global Organizations at Risk of Financial Fraud and Theft
https://www.onapsis.com/blog/oracle-payday-vulnerabilities
Oracle: Oracle Critical Patch Update Advisory - April 2019
https://www.oracle.com/security-alerts/cpuapr2019.html
--New Russian Law Requires Devices Sold Have Russian Software Pre-Installed
(November 21, 2019)
Russia's parliament has passed a law that would prohibit the sale of certain electronic devices that do not have Russian software pre-installed. The law affects smartphones, computers, and smart TVs. Devices made in other countries may be sold with their own software, but the Russian software must be installed as well. While the law has been touted as promoting Russian software and making devices easier to use in that country, some are concerned that the law will increase surveillance.
[Editor Comments]
[Pescatore] This is a complex issue. Back in 1999, China started trying to mandate use of Chinese encryption software and standards in everything and largely backed off. It has now focused on a "Multi Level Procurement Standard" that only imposes domestic Intellectual Property requirements on use cases with higher levels of impact, similar to what the US calls Critical Infrastructure Systems. The US more recently has simply issued bans on software and hardware from Chinese and Russian suppliers for government use, regardless of criticality, while the UK has taken more of a required testing approach. There are no examples of positive outcomes when governments require software from their own countries get installed on commercial products.
[Neely] As John says, this is complicated and will change over time. Expect trade restrictions and interplay with their ISP restrictions to come into play to force the issue.
Read more in:
BBC: Russia bans sale of gadgets without Russian-made software
https://www.bbc.com/news/world-europe-50507849
--Microsoft Patches Windows UAC Flaw
(November 19 & 20, 2019)
As part of its monthly security update for November, Microsoft last week released a fix for a vulnerability in the User Account Control (UAC) feature in Windows Secure Desktop. UAC is a security feature designed to help prevent unauthorized operating system changes. The flaw could be exploited to gain elevated privileges.
Read more in:
Threatpost: High-Severity Windows UAC Flaw Enables Privilege Escalation
https://threatpost.com/windows-uac-flaw-privilege-escalation/150463/
Zero Day Initiative: Thanksgiving Treat: Easy-as-Pie Windows 7 Secure Desktop Escalation of Privilege
--Cleveland Federal Reserve President: Do a Better Job of Sharing Threat Information
(November 21, 2019)
Cleveland Federal Reserve President Loretta Mester said that financial organizations need to undergo tests to see how they handle cyberattacks, noting that "Such a test could help evaluate the financial system's plans for data and core systems recovery and its reliance on third parties to implement that plan." Mester also said that financial organizations, regulators, and government agencies need to do a better job of collaborating and sharing threat information. Mester spoke at a conference on financial stability hosted by the Cleveland Federal Reserve.
Read more in:
Reuters: Cleveland Fed's Mester urges regulators to be more agile on cybersecurity risks
--NeverQuest Banking Malware Developer Sentenced to Prison
(November 21, 2019)
A US District Count Judge has sentenced Stanislav Lisov to four years in prison for his role in creating NeverQuest, malware designed to steal funds from bank accounts. Lisov admitted that he stole more than $880,000 using NeverQuest.
Read more in:
Cyberscoop: NeverQuest banking malware administrator sentenced to 4 years
https://www.cyberscoop.com/neverquest-stanislav-lisov-sentenced/
******************************************************************************
INTERNET STORM CENTER TECH CORNER
JAWS DVR Bot
https://isc.sans.edu/forums/diary/Cheap+Chinese+JAWS+of+DVR+Exploitability+on+Port+60001/25530/
Latest Hancitor Malspam Update
Tianfu Cup
Microsoft Access Hotfix
https://support.microsoft.com/en-us/help/4484198/november-18-2019-update-for-office-2016-kb4484198
Windows 10 DNS over HTTPS
Android Camera Permission Mixup
https://www.checkmarx.com/blog/how-attackers-could-hijack-your-android-camera
NSA Publishes Guide About the Risks of Inspecting TLS (PDF)
Oracle Payday Vulnerabilities Exploited
https://www.onapsis.com/blog/oracle-payday-vulnerabilities
Google Chrome Update
https://chromereleases.googleblog.com/2019/11/stable-channel-update-for-desktop_18.html
Unbound Command Execution Vulnerability
https://nlnetlabs.nl/projects/unbound/security-advisories/#vulnerability-in-ipsec-module
Weaknesses in Memory Encryption Solutions
https://arxiv.org/abs/1908.11680
GetMonero Wallet Compromised
https://web.getmonero.org/2019/11/19/warning-compromised-binaries.html
RIPlace Ransomware Detection Bypass
Microsoft Office Remote Content Triggers in Preview Pane
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
