SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXI - Issue #94
December 3, 2019Ransomware at Great Plains Health; Top 25 Cyber Weaknesses Updated
****************************************************************************
SANS NewsBites Dec. 3, 2019 Vol. 21, Num. 094
****************************************************************************
TOP OF THE NEWS
Great Plains Health Recovering From Ransomware
Common Weakness Enumeration List Updated
REST OF THE WEEK'S NEWS
Google Warns Users of Nation-State eMail Hacking
Sentara Hospitals Fined for Failing to Properly Report Breach to HHS
Piracy Sites Shutdown
Imminent Monitor RAT Operation Shut Down
CISA Wants US Government Agencies to Establish Vulnerability Disclosure Programs
Facebook and Twitter Warn of Malicious SDKs
California DMV Makes Millions Selling Drivers' Personally Identifiable Information
INTERNET STORM CENTER TECH CORNER
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS OnDemand and vLive Training
Get an 11" iPad Pro, a 12.3" Surface Pro, or Take $350 Off through December 4 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020
-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020
-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020
-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020
-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020
-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*************************** Sponsored By Splunk ***********************************
The Fundamental Guide to Building a Better Security Operation Center (SOC). Outdated security solutions struggle to stay ahead of advanced cyberthreats, making it hard to detect unknown or hidden threats. So what are companies who rely on dinosaur technology to do? They need to start building the next generation, modern SOC today. Download The Fundamental Guide to Building a Better Security Operation Center (SOC) today to learn how a security operation suite can move your SOC into the future. http://www.sans.org/info/214905
*************************************************************************************
TOP OF THE NEWS
--Great Plains Health Recovering From Ransomware
(November 27, 2019)
Great Plains Health (GPHealth) medical center is recovering from a ransomware attack. The attack occurred on Monday, November 25. The next day, GPHealth cancelled a large number of non-emergency appointments and procedures. GPHealth is based in North Platte, Nebraska.
[Editor Comments]
[Shpantzer] Speaking of HHS notifications, in the Sentara Hospitals story, the regulators want you to tell them all about your ransomware problems, even if you think it's just an integrity issue and not confidentiality. HHS put out specific ransomware guidance a few years ago. Yes, it's a breach:
https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf?language=es
Read more in:
Bleeping Computer: Ransomware Locks Medical Records at Great Plains Health
Health IT Security: Ransomware Attack Forces Great Plains Health to EHR Downtime
https://healthitsecurity.com/news/ransomware-attack-forces-great-plains-health-to-ehr-downtime
--Common Weakness Enumeration List Updated
(November 26 & 27, 2019)
The MITRE Corp has updated the Common Weakness Enumeration (CWE) list. According to MITRE, the CWE Top 25 is "a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software." Topping the revised list is "Improper Restriction of Operations within the Bounds of a Memory Buffer." Cross-site scripting errors is listed second. SQL injection vulnerabilities, which topped the previous version of the list, is now in sixth place. MITRE Corp. operates the Department of Homeland Security's (DHS's) Systems Engineering and Development Institute.
[Editor Comments]
[Murray] It is sad that we can enumerate our errors but not fix them. Part of the problem here is the von Neumann Architecture, part the languages we use, part that the programmer does not, or cannot, know the environment in which his program will run, and only a small part that it is a hard problem. However, a good craftsman does not blame his tools. If we insist upon using flawed tools for hard problems, we must train to compensate for them. Our tolerance for shoddy continues to be an embarrassment.
Read more in:
CWE Mitre: 2019 CWE Top 25 Most Dangerous Software Errors
https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html
DHS: Snapshot: Top 25 Most Dangerous Software Errors
Dark Reading: SQL Injection Errors No Longer the Top Software Security Issue
Bleeping Computer: Top 25 Most Dangerous Vulnerabilities Refreshed After 8 Years
**************************** SPONSORED LINKS ******************************
1) Upcoming Webcast | Learn how to streamline investigations between individuals, teams and organizations all from a single workspace: http://www.sans.org/info/214910
2) Join us at SANS Cyber Threat Intelligence Summit | Arlington, VA | Jan 20-21: http://www.sans.org/info/214915
3) Webcast December 5th at 10:30 AM ET: Outmaneuver attackers with deceptive countermeasures in this upcoming webcast: http://www.sans.org/info/214920
*****************************************************************************
REST OF THE WEEK'S NEWS
--Google Warns Users of Nation-State eMail Hacking
(November 26, 27, & 28, 2019)
In a three-month period earlier this year, Google notified more than 12,000 users that their accounts were being targeted in phishing attacks conducted by government-backer hackers. The majority of alerts were sent to users in South Korea, Pakistan, Vietnam, and the US.
[Editor Comments]
[Pescatore] SANS instructor Heather Mahalik did a great talk at the SANS keynote threat panel at the RSA conference on how much information many users expose to cloud-based email providers such as Gmail, and common ways attackers use social media paths to trick users into exposing password reset info. Heather gave great advice to give to executives. You can see a summary with links in the white paper at https://www.sans.org/reading-room/whitepapers/analyst/top-attacks-threat-report-38908 (PDF)
Read more in:
Forbes: Google Warns 12,000 People They Were Hit By Government Hackers--Here's What To Do If You're A Target
The Register: Google caught a Russian state hacker crew uploading badness to the Play Store
https://www.theregister.co.uk/2019/11/28/google_12000_warnings_phishing_sandworm/
ZDNet: In just three months, Google sent 12k warnings about government-backed attacks
--Sentara Hospitals Fined for Failing to Properly Report Breach to HHS
(December 2, 2019)
Virginia-based Sentara Hospitals has agreed to a $2.2 million settlement with the Office for Civil Rights (OCR) at the U.S Department of Health and Human Services (HHS) over violations of the Health Insurance Portability and Accountability ACT (HIPAA). OCR launched its investigation after learning that Sentara had mailed nearly 600 patients' personal health information to the wrong addresses. Sentara has also agreed to "a corrective action plan."
[Editor Comments]
[Pescatore] The fine works out to about $3,600 per record exposed, a really scary number that will be good ammunition for getting senior management attention. In 2019, HHS has issued 7 fines averaging just under $2M each - the size of the fines is more related to large process deficiencies than to size of breach. The average profit margin in healthcare is in the 5% range, meaning that a $2M fine essentially cancels out $40M in revenue! That is a better number to use when trying to justify the spending needed to reach basic security hygiene levels.
Read more in:
HHS: OCR Secures $2.175 Million HIPAA Settlement After Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information
https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sentara/index.html
Infosecurity Magazine: US Hospitals Fined $2.175M for "Refusal to Properly Report" Data Breach
https://www.infosecurity-magazine.com/news/sentara-hospitals-fined-2175m-over/
GovInfosecurity: Sentara Hospitals' HIPAA Settlement: Why $2.2 Million?
https://www.govinfosecurity.com/sentara-hospitals-hipaa-settlement-22-million-a-13463
--Piracy Sites Shutdown
(December 2, 2019)
Europol, working with law enforcement teams from 18 countries, has shut down more than 30,000 Internet domains names for trafficking in pirated digital content and counterfeit products and pharmaceuticals. Officials have also seized physical property, frozen at least [euro]150,000 (US $165,000) in several bank accounts, and arrested three individuals in connection with the investigation.
Read more in:
Europol: 30,506 Internet Domain Names Shut Down For Intellectual Property Infringement
Bleeping Computer: Over 30,500 Online Piracy Sites Shut Down in Global Operation
The Register: Europol wipes out 30,000+ piracy sites, three suspects cuffed to walk the legal plank
https://www.theregister.co.uk/2019/12/02/europol_30000_piracy_sites/
--Imminent Monitor RAT Operation Shut Down
(November 29, 30, & December 2, 2019)
Law enforcement officials from multiple countries cooperated to take down the infrastructure supporting a malware operation known as Imminent Monitor, a remote access Trojan (RAT) that has been sold online since 2013. The investigation was led by the Australian Federal Police and aided by authorities in Belgium, New Zealand, the UK, the US, and other countries.
[Editor Comments]
[Honan] Well done to all involved in this takedown. A timely reminder that international cooperation is key to tackling the scourge of online crime. It is also a good time to highlight again the No More Ransom website supported by Europol which distributes the known decryption keys for ransomware strains. You can access it for free at http://www.nomoreransom.org
Read more in:
AFP: The Rat Trap: international cybercrime investigation shuts down insidious malware operation
Europol: International Crackdown On Rat Spyware Which Takes Total Control of Victims' PCs
ZDNet: Authorities take down 'Imminent Monitor' RAT malware operation
https://www.zdnet.com/article/authorities-take-down-imminent-monitor-rat-malware-operation/
Threatpost: Authorities Break Up Imminent Monitor Spyware Organization
https://threatpost.com/authorities-imminent-monitor-spyware-organization/150731/
Bleeping Computer: Law Enforcement Shuts Down Imminent Monitor Malware, Makes Arrests
SC Magazine: Law enforcement delivers knockout blow to Imminent Monitor RAT network
--CISA Wants US Government Agencies to Establish Vulnerability Disclosure Programs
(November 27, 29, & December 2, 2019)
The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has issued a draft binding operational directive (B20-01) that would require civilian agencies to establish vulnerability disclosure programs, as well as a plan for managing security issues that are reported. CISA is accepting comments on the draft document through December 27, 2019.
[Editor Comments]
[Pescatore] Large technology companies in private industry went through this over a decade ago, and the results were overwhelmingly positive. It would be good to see CISA provide a strawman vulnerability disclosure policy as a starting point for the all the departments and agencies.
[Neely] The guidance on the BOD 20-01 web site includes all the aspects needed as well as timelines; providing a sample policy would help agencies meet the deliverables, as well as avoiding "wrong-rock" iterations. The directive includes additional FISMA reporting requirements associated with the disclosure program starting in FY21. While well intended, not every agency has the resources or process maturity to meet the tracking, verification, response and reporting requirements.
Read more in:
CISA: Improving Vulnerability Disclosure Together (blog)
https://www.cisa.gov/blog/2019/11/27/improving-vulnerability-disclosure-together
cyber.dhs: Binding Operational Directive 20-01 | November 27, 2019 (draft) | Develop and Publish a Vulnerability Disclosure Policy
https://cyber.dhs.gov/bod/20-01/
Dark Reading: DHS to Require Federal Agencies to Set Vulnerability Disclosure Policies
Threatpost: CISA Pushing U.S. Agencies to Adopt Vulnerability Disclosure Policies
https://threatpost.com/cisa-us-agencies-vulnerability-disclosure-policies/150718/
Cyberscoop: DHS issues draft order to require vulnerability disclosure policies at civilian agencies
https://www.cyberscoop.com/cisa-vulnerability-disclosure-order/
--Facebook and Twitter Warn of Malicious SDKs
(November 26 & 27, 2019)
Twitter and Facebook have warned of certain malicious software development kits (SDKs) that could be used to steal users' personal information. The SDKs in question are maintained by MobiBurn and oneAudience.
[Editor Comments]
[Neely] These SDKs are being leveraged by data aggregators and have been seen on Android vs iOS. Use caution with granting excess permissions on Android applications.
Read more in:
SC Magazine: Facebook, Twitter ban malicious SDK that removed member info
ZDNet: Two third-party SDKs allowed secret harvesting of Twitter and Facebook user data
Threatpost: SDKs Misused to Scrape Twitter, Facebook Account Info
https://threatpost.com/sdks-scrape-personal-info-twitter-facebook/150686/
Twitter: Keeping your account safe from malicious activity
https://help.twitter.com/en/sdk-issue
--California DMV Makes Millions Selling Drivers' Personally Identifiable Information
(November 25, 2019)
According to documents obtained through a public records act request, the California Department of Motor Vehicles (DMV) has been making millions of dollars a year selling drivers' personal information. Customers paying for the information include data brokers, credit reporting agencies, and private investigators. The data include names, addresses, and car registration information, all of which drivers must provide to get a license. The practice of DMVs selling driver data is not unique to California.
[Editor Comments]
[Murray] No, it is not unique to California but is usually governed by law. Where it is not, it is because the legislature chooses to look the other way.
Read more in:
Vice: The California DMV Is Making $50M a Year Selling Drivers' Personal Information
INTERNET STORM CENTER TECH CORNER
Agent Tesla Malware Sample Analysis
https://isc.sans.edu/forums/diary/Finding+an+Agent+Tesla+malware+sample/25554/
Search With SauronEye
https://isc.sans.edu/forums/diary/ISC+Snapshot+Search+with+SauronEye/25558/
Increased Scans on Port 26
https://isc.sans.edu/forums/diary/Next+up+whats+up+with+TCP+port+26/25564/
Recent Ursnif Malspam
https://isc.sans.edu/forums/diary/Ursnif+infection+with+Dridex/25566/
Playing with Phishing
https://isc.sans.edu/forums/diary/Lessons+learned+from+playing+a+willing+phish/25552/
Splunk Y2K20 Patch
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/FixDatetimexml2020
Google TAG Quarterly Summary
Windows 7 Extended Security Updates
QNAP Patches Photo Station
https://www.qnap.com/en/security-advisory/nas-201911-25
HPE SSD Drives will Stop Working in 3 years
https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-a00092491en_us
Malicious Android SDK Captures Social Media Data
https://help.twitter.com/en/sdk-issue
Kaspersky API Exposed to Websites
https://palant.de/2019/11/26/internal-kaspersky-api-exposed-to-websites/
Malicious Ad Statistics
https://www.confiant.com/Demand-Quality-Report-Q3-2019
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
