Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #11

February 7, 2020

Cybersecurity Dimensions of the Coronavirus and the Iowa Caucus Reporting App Problem



13,000 U.S. high school students are now discovering whether they have an aptitude for cybersecurity and computer science in the 2020 Girls Go CyberStart program.  See how your state is doing at providing opportunities for these young women at: https://www.girlsgocyberstart.org/leaderboard

And if you are a teacher or high school girl, just try it! at https://www.GirlsGoCyberStart.org

Last day for the 2020 program is next Friday February 14.




****************************************************************************

SANS NewsBites               February 7, 2020              Vol. 22, Num. 011

****************************************************************************

TOP OF THE NEWS  

 

  Coronavirus Cybersecurity Preparedness

  Iowa Caucus Reporting App Problems



REST OF THE WEEK'S NEWS

 

  Fixes Available for Five Flaws in Cisco Discovery Protocol

  FBI: DDoS Attack Targeted Voter Registration Website

  Critical RCE Flaw in OpenSMTPD Patched

  Health Share of Oregon Medicaid Data Compromised

  Cryptomining Malware Found on DOD Network

  NHS Missed Windows 10 Migration Target

  Coronavirus Concerns Prompt Companies to Pull Out of Tech Shows, Revise Sales Forecasts

  Fondren Orthopedic Patient Data Compromised

 

RANSOMWARE

 

  University of Maastricht Paid Ransom

  Baton Rouge Vocational School Ransomware Attack

  NIST Draft Ransomware Guidelines


INTERNET STORM CENTER TECH CORNER


************************  Sponsored By Splunk  *****************************


The Essential Guide to Security. Check out The Essential Guide to Security for 2020 to discover new security use cases as well as how to implement Splunk's security product suite for advanced security analytics, security automation and orchestration (SOAR), Security Information and Event Management (SIEM), MITRE ATT&CK, machine learning and more, all in one place to power your SOC. http://www.sans.org/info/215495

 

****************************************************************************

Cybersecurity Training Update

 

-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020


-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020


-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020


-- SANS Training at RSA Conference 2020 | San Francisco, CA | February 23-24 | https://www.sans.org/event/rsa-conference-2020


-- SANS Munich March 2020 | March 2-7 | https://www.sans.org/event/munich-march-2020


-- SANS Northern VA - Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020


-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020


-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020


-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020


-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020


-- SANS OnDemand and vLive Training

Get a free GIAC Certification Attempt or Take $350 Off through February 19 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap

 

****************************************************************************

TOP OF THE NEWS   

 

--Coronavirus Cybersecurity Preparedness

The recent Coronavirus (2019-nCoV) outbreak has brought the topic of an epidemic or pandemic impacting businesses from the hypothetical to the possible. With 25,000 infections and counting, it would be a good time to consider the business and cyber impacts of an illness such as this. The primary risks fall into two categories: (1) fraud and other ways criminals take advantage of situations like this, such as fake donation sites, malware and fake news, and (2) business continuity preparedness measures such as remote access capacity review, understanding limitations of biometric authentication, supply chain considerations, emergency communication plan, and plans for business shutdown if appropriate. Read more in the SANS ISC diary: https://isc.sans.edu/forums/diary/Network+Security+Perspective+on+Coronavirus+Preparedness/25750/: Network Security Perspective on Coronavirus Preparedness


[Editor Comments]


[Ullrich] Fraud and malware related to the Coronavirus is currently seen in Asia. Catastrophic events tend to be used for fraud as news focuses on them and in the US, impeachment and primaries have dominated the news. Expect more virus-related fraud as news media pay more attention to it. And please let us know if you see anything via our contact form: https://isc.sans.edu/contact.html


[Neely] The Coronavirus introduces an illness which does not yet have a cure, and is resulting in, sometimes unexpected, quarantine and other restrictions which can have a direct business impact. Johannes Ullrich does an excellent job of summarizing things to consider and revisit in your DR plans in the ISC diary entry.


Read more in:

CDC Preparedness Checklist: Business Pandemic Influenza Planning Checklist (PDF)

https://www.cdc.gov/flu/pandemic-resources/pdf/businesschecklist.pdf

Public Health England Response Plan: Pandemic Influenza Response Plan (PDF)

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/344695/PI_Response_Plan_13_Aug.pdf

 
 

--Iowa Caucus Reporting App Problems

(February 4, 2020)

A buggy mobile app that was created for Iowa's Democratic presidential caucuses did not work as hoped. Some precinct leaders had trouble downloading and installing the app, which was designed to let Iowa's precincts report caucus tallies. The app appears to have recorded the data correctly, but reported only partial counts due to coding problem in the reporting function. Nevada State Democratic party says it will not use the app in its upcoming caucuses. (Please note that the WSJ story is behind a paywall.)


[Editor Comments]


[Pescatore] Think of the Iowa caucus primary as that troublesome business unit in your company that is considered a key performer by management and is allowed to do everything just a little bit differently than all the other business units. The security approach here was "rather than make sure this new app is thoroughly tested, we will only release it to the users at the last minute - that way hackers won't have time to hack it if there are vulnerabilities." Not only is that always a bad approach to security, it is absolutely the worst approach to take with that business unit that never follows all the policies and procedures everyone else does. This one will make a very good Harvard Business Review case study - next time a business unit is pressuring to subvert the time require to thoroughly test new stuff, just tell management "We will be at risk of an Iowa caucus implosion...."


[Neely] The issues underscore the need for usability and load testing before a wide scale deployment. The plan for the caucus included backup measures, including a number to call as a backup; unfortunately, the number was released widely and was overwhelmed, creating an intentional denial of service.


[Murray] Testing the app was necessary but not sufficient. The deployment of applications must be end-to-end and must include the training and participation of the end users.  


[Paller] Another connection between cybersecurity and the Iowa Caucus App is that many Americans, including very senior government policy makers and politicians, perceive the Iowa App debacle as a cybersecurity-related problem or at least something that cybersecurity people should have anticipated and solved. At the same time many software development organizations consider 5 to 15 minute cybersecurity awareness training as sufficient for their software development people.


Read more in:

The Verge: Election tech was supposed to clean up the Iowa caucus -- instead, it may have killed it

https://www.theverge.com/2020/2/4/21122337/iowa-caucus-app-bug-results-reporting-crash-election-tech-democrats

Wired: The Iowa Caucus Tech Meltdown Is a Warning

https://www.wired.com/story/iowa-democratic-caucus-app-tech-meltdown-warning/

WSJ: Iowa's Tally-by-App Experiment Fails (paywall)

https://www.wsj.com/articles/iowa-caucus-results-delayed-by-apparent-app-issue-11580801699


****************************  SPONSORED LINKS  ******************************


1) In the D.C area? Register for the Women in Cybersecurity Forum on April 24th. Free with discount code WICForum2020. http://www.sans.org/info/215480


2) Webcast February 12th at 1PM ET: STAR Webcast: Cyber Threats To Electric Industry - What You Need to Know. Register: http://www.sans.org/info/215485


3) Upcoming Webcast | Bringing IT and Security Together: How Microsoft is Reinventing Threat and Vulnerability Management. Register: http://www.sans.org/info/215490


********************************************

REST OF THE WEEK'S NEWS

 

--Fixes Available for Five Flaws in Cisco Discovery Protocol

(February 5 & 6, 2020)

Cisco has released fixes for five flaws in the Cisco Discovery Protocol (CDP) that could be exploited to execute code remotely or cause denial-of-service conditions. CPD is enabled by default in most Cisco products, which means there are millions of vulnerable devices that need patching.   


[Editor Comments]


[Neely] This is not the first CDP vulnerability; as such. the best mitigation is to disable it explicitly. A notable concern is the flaws can be used to access other VLANS, possibly allowing access to sensitive traffic such as VoIP or ICS.


[Murray] Cisco has joined Adobe and Microsoft among the infrastructure software providers with routine patches.


Read more in:

Wired: Cisco Flaws Put Millions of Workplace Devices at Risk

https://www.wired.com/story/cisco-cdp-flaws-enterprise-hacking/

Threatpost: Critical Cisco 'CDPwn' Protocol Flaws Explained: Podcast

https://threatpost.com/behind-cdpwn-discovering-critical-cisco-protocol-flaws/152530/

Bleeping Computer: Cisco Patches Critical CDP Flaws Affecting Millions of Devices

https://www.bleepingcomputer.com/news/security/cisco-patches-critical-cdp-flaws-affecting-millions-of-devices/

Duo: Cisco Fixes CDP Flaws in Routers, Switches

https://duo.com/decipher/cisco-fixes-cdp-flaws-in-routers-switches

SC Magazine: Five high-level flaws patched in Cisco Discovery Protocol

https://www.scmagazine.com/home/security-news/vulnerabilities/five-high-level-flaws-patched-in-cisco-discovery-protocol/

 
 

--FBI: DDoS Attack Targeted Voter Registration Website

(February 4 & 5, 2020)

The FBI issued a Private Industry Notification warning of "a state-level voter registration and voter information website received anomalous Domain Name System (DNS) server requests consistent with a Pseudo Random Subdomain (PRSD) attack." The website was not adversely affected by the attack because it had established rate-limiting on its DNS servers.


[Editor Comments]


[Pescatore] Some attention has been paid to the security of voting equipment, but very little paid to the complex "supply chain," from registration to voting to tallying to announcing results, etc. The business equivalent is the ordering app being very secure and having DDoS protection but the user sign-up app being vulnerable.


Read more in:

SC Magazine: FBI warns of DDoS attack on state-level voter registration website

https://www.scmagazine.com/home/security-news/fbi-warns-of-ddos-attack-on-state-level-voter-registration-website/

Bleeping Computer: FBI Warns of DDoS Attack on State Voter Registration Site

https://www.bleepingcomputer.com/news/security/fbi-warns-of-ddos-attack-on-state-voter-registration-site/

 
 

--Critical RCE Flaw in OpenSMTPD Patched

(February 4, 2020)

A critical flaw in OpenSMTPD version 6.6 could be exploited to allow remote code execution. The vulnerability is due to improperly sanitized user input that could allow local attackers to gain elevated privileges. Users are being urged to upgrade to OpenSMTPD version 6.6.2p1.


[Editor Comments]


[Ullrich] This is a "must patch now" vulnerability (emergency priority) for anybody using OpenBSD with OpenSMTPD. OpenSMTPD is not very popular, and as far as I can tell used only on OpenBSD systems. But OpenBSD, due to its reputation as a secure operating system, is often used for critical systems like security devices and firewalls. The vulnerability is trivial to exploit, and likely already exploited.


[Neely] Exploitation of this flaw harkens back to the Morris Worm. A properly crafted message can be sent which causes the message body to be executed with the privileges of the SMTP daemon. Vulnerable daemons can be detected by vulnerability scanners, the best mitigation is to apply the update.

 

[Murray] The modern "stack" makes it difficult to fully vet input at the application layer. It is essential that every layer also parse its input.  


Read more in:

SC Magazine: Critical flaw in OpenSMTPD found, patched

https://www.scmagazine.com/home/security-news/vulnerabilities/critical-flaw-in-opensmtpd-found-patched/

GitHub: OpenSMTPD 6.6.2p1 portable release

https://github.com/OpenSMTPD/OpenSMTPD/releases

 
 

--Health Share of Oregon Medicaid Data Compromised

(February 6, 2020)

A laptop stolen from a third-party vendor has exposed data belonging to patients of Health Share of Oregon, a Medicaid coordinated care organization. The compromised information includes names, dates of birth, Social Security numbers (SSNs) and Medicaid ID numbers.  


[Editor Comments]


[Murray] It has always been dangerous to store sensitive data on portable devices. The speed and ubiquity of the modern "cloud" (storage, connectivity, and software) makes it not only unnecessary but reckless to do so.

 

Read more in:

ZDNet: Health Share of Oregon discloses data breach, theft of member PII

https://www.zdnet.com/article/health-share-of-oregon-discloses-data-breach-theft-of-member-pii/

TechNadu: Health Share Oregon Announces Security Incident and Data Leak

https://www.technadu.com/health-share-oregon-security-incident-data-leak/91810/

 
 

--Cryptomining Malware Found on DOD Network

(February 5, 2020)

A researcher participating in a US Department of Defense (DOD) bug bounty program found that a SOS-related server was being used as part of a cryptocurrency mining botnet. He found cryptocurrency mining malware on a DOD-related server. The initial bug report was made regarding a misconfigured Jenkins automation server that could be accessed without credentials. DOD fixed that problem, but when the researcher who made the report looked at his findings more closely, he determined that the server had been compromised before he detected the misconfiguration issue.   


[Editor Comments]


[Neely] It is easy to focus on a single issue and miss other indications of compromise, particularly with pressure to return services to operational status rapidly. Regular scanning and monitoring for indicators can provide a backup for when this happens.

 

Read more in:

ZDNet: Bug hunter finds cryptocurrency-mining botnet on DOD network

https://www.zdnet.com/article/bug-hunter-finds-cryptocurrency-mining-botnet-on-dod-network/

 
 

--NHS Missed Windows 10 Migration Target

(February 5, 2020)

The UK's National Health Service (NHS) has about half a million computers that are still running Windows 7, despite the organization's plan to migrate all computers to Windows 10 by January 14, 2020. Microsoft ended support for Windows 7 last month.   


Read more in:

ZDNet: Windows 10 migration struggles: 500,000 NHS computers are still running Windows 7

https://www.zdnet.com/article/one-in-three-nhs-computers-is-still-running-outdated-windows-7-software/

 
 

--Coronavirus Concerns Prompt Companies to Pull Out of Tech Shows, Revise Sales Forecasts

(February 5, 2020)

LG has decided not to attend the Mobile World Congress (MWC) technology show in Barcelona due to concerns about coronavirus. ZTE has cancelled a planned press conference at the show, which opens on February 24, but still plans to host a booth. A Chinese company that manufacturers iPhones has cut its sales forecast due to the coronavirus outbreak.  


Read more in:

BBC: Coronavirus: LG pulls out of Mobile World Congress

https://www.bbc.com/news/technology-51384304

 
 

--Fondren Orthopedic Patient Data Compromised

(February 4 & 5, 2020)

A Texas orthopedic practice has started notifying its patients that a malware infection compromised their healthcare information. Fondren Orthopedic Group experienced a cybersecurity incident in November 2019. In a letter to its patients, Fondren said that the incident damaged medical records belonging to more than 34,000; some of the records are beyond recovery.


Read more in:

Health IT Security: Malware Destroys Data of 30,000 Fondren Orthopedic Patients

https://healthitsecurity.com/news/malware-destroys-data-of-30000-fondren-orthopedic-patients

SC Magazine: Malware attacks destroy Fondren Orthopedic Group patient records

https://www.scmagazine.com/home/security-news/data-breach/malware-attacks-destroy-fondren-orthopedic-group-patient-records/

Fondren: Notice of Data Incident

https://www.fondren.com/notice-of-data-incident.html

 

RANSOMWARE

 

--University of Maastricht Paid Ransom

(February 5, 2020)

The University of Maastricht in the Netherlands says that it paid a 30-bitcoin (US $292,000) ransom to regain access to its computer systems following a December 24, 2019 ransomware attack.


Read more in:

Tripwire: University of Maastricht Paid 30 Bitcoins to Ransomware Attackers

https://www.tripwire.com/state-of-security/security-data-protection/university-of-maastricht-paid-30-bitcoins-to-ransomware-attackers/

Reuters: University of Maastricht says it paid hackers 200,000-euro ransom

https://www.reuters.com/article/us-cybercrime-netherlands-university/university-of-maastricht-says-it-paid-hackers-200000-euro-ransom-idUSKBN1ZZ2HH

 
 

--Baton Rouge Vocational School Ransomware Attack

(February 3 & 5, 2020)

The computer system at ITI Technical College in Baton Rouge, Louisiana was hit with a ransomware attack in late January. The college's vice president said that the school did not plan to pay the ransom. IT staff has isolated affected systems and bringing cleared elements back online gradually.


Read more in:

WAFB: ITI Technical College latest victim of ransomware attacks

https://www.wafb.com/2020/02/03/iti-technical-college-latest-victim-ransomware-attacks/

GovTech: Cyberattack Disrupts Baton Rouge, La., College Ahead of Finals

https://www.govtech.com/security/Cyberattack-Disrupts-Baton-Rouge-La-College-Ahead-of-Finals.html

 
 

--NIST Draft Ransomware Guidelines

(February 3, 2020)

The US National Institute of Standards and Technology (NIST) has published two draft practice guidelines regarding ransomware. NIST is accepting public comments on Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events, and Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events through February 26, 2020.


[Editor Comments]


[Murray] The time allowed for public comment on NIST publications seems to be disproportionate to their size and importance. Few of us are sitting around with time on our hands just waiting to work full time for a month on their latest effort. We should admit that we are only giving lip-service to the idea of "public comment."  

 

Read more in:

GovInfosecurity: NIST Drafts Guidelines for Coping With Ransomware

https://www.govinfosecurity.com/nist-drafts-guidelines-for-coping-ransomware-a-13679

NCCOE: Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events

https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/identify-protect

NCCOE: Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events

https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/detect-respond

 

INTERNET STORM CENTER TECH CORNER


Fake Browser Updates Installing NetSupport RAT

https://isc.sans.edu/forums/diary/Fake+browser+update+pages+are+still+a+thing/25774/


Google Chrome 80 Released

https://www.chromium.org/updates/same-site

https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html


Critical Bluetooth Vulnerability in Android (CVE-2020-0022)

https://insinuator.net/2020/02/critical-bluetooth-vulnerability-in-android-cve-2020-0022/


HiSilicon DVR Backdoor

https://habr.com/en/post/486856/


Google Android Update

https://source.android.com/security/bulletin/2020-02-01#Google-Play-system-updates


5 Cisco Vulnerabilities

https://www.armis.com/cdpwn/


Wacom Tablets Reports Application Details to Google

https://robertheaton.com/2020/02/05/wacom-drawing-tablets-track-name-of-every-application-you-open/


Bitbucket Delivers Malware

https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware


File Read Vulnerability in WhatsApp

https://chromereleases.googleblog.com/2020/02/stable-channel-update-for-desktop.html


Realtek HD Audio Driver Package DLL Preloading

https://safebreach.com/Post/Realtek-HD-Audio-Driver-Package-DLL-Preloading-and-Potential-Abuses-CVE-2019-19705


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create