SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #12
February 11, 2020GAO Says Election Security Strategy Not Finalized; State Election Officials More Accepting of Federal Help
Bring Your Team To SANS 2020 in Orlando. Keep your team ahead of advanced threats with SANS New Team-Based Training: Blue Team and Red Team Dynamic Workshop (TBT570). In this six-day course, student teams participate in a dynamic, highly interactive learning exercise defending an enterprise environment under attack in real time. You and your team will come away from this workshop with the skills to defend your organization from all types of malicious adversaries. View the course description and register for SANS 2020 at www.sans.org/course/blue-team-red-team-workshop.
****************************************************************************
SANS NewsBites February 11, 2020 Vol. 22, Num. 012
****************************************************************************
TOP OF THE NEWS
GAO Report Finds CISA's Election Security Strategy Has Not Been Finalized
State Election Officials More Accepting of Federal Help
REST OF THE WEEK'S NEWS
Maryland Jurisdictions Will Not Use Problematic Reporting Network in Upcoming Elections
Iowa Caucus Reporting App Security Examined
Chrome Will Block Unsecure Downloads
Firefox Will Take Step Toward Blocking TLS 1.0 and 1.1
Google's February Android Updates Include Fix for Critical Bluetooth Vulnerability
New Emotet Variant Can Spread Through Wi-Fi Networks
US DOJ Announces Charges Against Alleged Chinese Hackers in Equifax Case
Minebridge Backdoor Used in Attacks Against Financial Sector Firms
Abandoned Driver Code Lets Hackers Disarm Security Software
Rockdale County, GA Ransomware Attack Affects Water Department
Having Backups May Not Be Sufficient for Ransomware Recovery
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By VMRay ****************************
Analyzing ZeroCleare's Behavior | VMRay Sr. Threat Researcher Tamas Boczan provides an in-depth behavioral analysis of ZeroCleare, a wiper targeting Middle Eastern energy and industrial sectors, attributed to Iran-based nation-state adversaries. http://www.sans.org/info/215500
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020
-- SANS Training at RSA Conference 2020 | San Francisco, CA | February 23-24 | https://www.sans.org/event/rsa-conference-2020
-- SANS Munich March 2020 | March 2-7 | https://www.sans.org/event/munich-march-2020
-- SANS Northern VA - Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020
-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020
-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020
-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020
-- SANS San Francisco Spring 2020 | March 16-27 | https://www.sans.org/event/san-francisco-spring-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020
-- SANS OnDemand and vLive Training
Get a free GIAC Certification Attempt or Take $350 Off through February 19 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--GAO Report Finds CISA's Election Security Strategy Has Not Been Finalized
(February 6 & 7, 2020)
In January 2017, the US Department of Homeland Security (DHS) designated state and local election infrastructure used in federal elections as a component of the country's overall critical infrastructure. The designation allows DHS to provide state and local election officials with help to protect assets, which include voter registration databases and voting equipment. A report from the Government Accountability Office (GAO) found that DHS's Cybersecurity and Infrastructure Security Agency (CISA) "has not yet completed its strategic and operations plans to help state and local officials safeguard the 2020 elections or documented how it will address prior challenges." The report urges CISA to finalize its strategic plan.
[Editor Comments]
[Neely] While not the end of the world, there is no time for local agencies to implement strategic measures prior to the election. CISA needs to quickly publish prioritized tactical guidance that can be implemented through the rest of this election year.
[Pescatore] This is not that damning a report, but with the primaries underway and the Presidential election less than 9 months away, I'd say no more time for strategic plans: the focus should be on prioritizing which fires to put out first.
Read more in:
GAO: ELECTION SECURITY: DHS Plans Are Urgently Needed to Address Identified Challenges Before the 2020 Elections
https://www.gao.gov/products/GAO-20-267
Cyberscoop: GAO: CISA's 'nationwide strategy' on election security should be enacted as soon as possible
https://www.cyberscoop.com/election-security-cisa-gao-report/
--State Election Officials More Accepting of Federal Help
(February 7, 2020)
US State election officials are more willing to accept help from the Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) than they were in the past. Officials were initially resistant to having their election systems designated as critical infrastructure, but have come to see that information and support provided by CISA can help them proactively secure their election infrastructure. CISA director Christopher Krebs said that two conference calls in January regarding potential cyberthreats from Iranian hackers had 1,700 and 5,900 dial-ins, respectively.
Read more in:
Fifth Domain: Once wary of feds, state election leaders now welcome help
**************************** SPONSORED LINKS ******************************
1) Webcast February 19th at 1 PM ET: Real-World Implementation of Deception Technologies. Register: http://www.sans.org/info/215505
2) In the D.C. area? Join us at the SANS Women in Cybersecurity Forum on April 24th. Free with code WICFORUM2020. http://www.sans.org/info/215510
3) Don't miss this upcoming webcast: Threat Actor Analysis and Strategic Security Investments. Register: http://www.sans.org/info/215515
*****************************************************************************
REST OF THE WEEK'S NEWS
--Maryland Jurisdictions Will Not Use Problematic Reporting Network in Upcoming Elections
(February 5 & 7, 2020)
During a special district primary in Maryland last week, a network designed to send voter information to state officials was shut down because it was causing delays at polling places. Elections officials say they will not require jurisdictions to use the network in the upcoming primary election in April or in the November general election.
Read more in:
Baltimore Sun: Maryland drops plan to make largest counties share data with state over wireless network on Election Day
Baltimore Sun: Maryland elections officials shut down network to transmit voter data during special primary because of delays
--Iowa Caucus Reporting App Security Examined
(February 5, 2020)
Pro Publica asked security firm Veracode to review code in the caucus tally reporting app used in Iowa last week. The company found security issues it deemed "elementary." The flaws could be exploited to intercept and alter data, including passwords and vote tallies.
[Editor Comments]
[Pescatore] The app vendor's CEO says the reporting app "...underwent multiple, rigorous tests by a third party" but Veracode says the flaws they found were "elementary." The standard advice for mission-sensitive software is require the vendor to show evidence of third-party testing of the software - important to have
full transparency about the qualifications of who did the testing.
Read more in:
Pro Publica: The Iowa Caucuses App Had Another Problem: It Could Have Been Hacked
--Chrome Will Block Unsecure Downloads
(February 6, 7, & 10, 2020)
Over the course of 2020, Google's Chrome browser will block all HTTP downloads started on HTTPS pages, also known as mixed content. Chrome 81, scheduled for release in March 2020, will print console warnings about mixed content. Over the following months, in Chrome 82 through Chrome 85, the browser will warn about and then block mixed content downloads of executables, archives, disk images, images, audio, video, and text. Chrome, 86, scheduled for release in October 2020, will block all mixed content downloads.
[Editor Comments]
[Neely] When we first started using HTTPS, the overhead was such that we limited it to secure operations only. Now current software and hardware make the overhead negligible and all content should be delivered over secure connections.
[Pescatore] Google has a lot of resources, and applying them to make the Chrome browser more restrictive on unsecure downloads is a good thing. However, I'd really like to see more Google posts about improvements in pre-release security and privacy testing of apps in Google Play. Google's Vulnerability Reward Program bug bounty payouts almost doubled from 2018 to 2019, which is kind of like a restaurant saying, "Our volunteer food testers removed twice as many glass shards from our food!" Google's Play Protect was ranked at or the near the bottom of malware detection by AV-TEST in 2019 - it would be good to see many fewer glass shards in published apps.
Read more in:
Google Blog: Protecting users from insecure downloads in Google Chrome
https://security.googleblog.com/2020/02/protecting-users-from-insecure_6.html
The Register: Google Chrome to block file downloads - from .exe to .txt - over HTTP by default this year. And we're OK with this
https://www.theregister.co.uk/2020/02/07/google_chrome_blocking/
Portswigger: Chrome to start blocking insecure HTTP file downloads on HTTPS sites
--Firefox Will Take Step Toward Blocking TLS 1.0 and 1.1
(February 10, 2020)
Starting in March 2020, Firefox users will need to intentionally allow connections to websites using TLS 1.0 or 1.1. When users attempt to connect to websites that support only lower versions of TLS, they will see a "Secure Connection Failed" message that offers an option to override and continue to the site.
[Editor Comments]
[Neely] Browsers negotiate to the highest common denominator which can mask the presence of less secure connection options. Make sure you're regularly scanning the encryption settings on your web servers to ensure older, less secure connections are disabled, or monitored and documented where enabled. Monitoring may show the need to support older less secure operating systems and browsers may not be as significant as thought, or worth the risk.
Read more in:
Mozilla: It's the Boot for TLS 1.0 and TLS 1.1
https://hacks.mozilla.org/2020/02/its-the-boot-for-tls-1-0-and-tls-1-1/
The Register: These truly are the end times for TLS 1.0, 1.1: Firefox hopes to 'eradicate' weak HTTPS standard by blocking it
https://www.theregister.co.uk/2020/02/10/tls_10_11_firefox_complete_eradication/
--Google's February Android Updates Include Fix for Critical Bluetooth Vulnerability
(February 5, 7, & 10, 2020)
Google has published its February security updates for Android. In all, the updates address 25 security issues. One of the flaws addressed in the updates is a critical vulnerability affecting Bluetooth in Android Oreo (8.0 and 8.1) and Pie (9.0) that could be exploited to allow remote code execution with no user interaction. The issue is also present Android 10, but the effects are somewhat less severe: exploitation could crash vulnerable devices, but would not allow code execution.
[Editor Comments]
[Murray] One trusts geeks to be able to operate Android safely, even with late availability of patches. It is important to keep Android out of the hands of children, the elderly, and the otherwise naive.
Read more in:
Android: Android Security Bulletin--February 2020
https://source.android.com/security/bulletin/2020-02-01.html
Duo: Serious Bluetooth Flaw Fixed in Android Update
https://duo.com/decipher/serious-bluetooth-flaw-fixed-in-android-update
The Register: Android owners - you'll want to get these latest security patches, especially for this nasty Bluetooth hijack flaw
https://www.theregister.co.uk/2020/02/07/android_bluetooth_flaw/
SC Magazine: Google patches Bluetooth vulnerability impacting most Android devices
--New Emotet Variant Can Spread Through Wi-Fi Networks
(February 7 & 10, 2020)
A recently-detected variant of Emotet malware has the ability to spread from infected devices to nearby unsecured Wi-Fi networks. From there, it can attempt to infect connected devices. When Emotet first appeared more than five years ago, it was a banking Trojan. Over the years, it has gained the ability to install a variety of malware on infected devices.
[Editor Comments]
[Honan] The Japanese CERT, JP-CERT, has a great write up on this malware at https://www.jpcert.or.jp/english/at/2019/at190044.html: [Updated] Alert Regarding Emotet Malware Infection and they have also released a tool to check for Emotet called EmoCheck; it can be downloaded from the JP-CERT GIT Repository https://github.com/JPCERTCC/EmoCheck/releases: JPCERTCC / EmoCheck
Read more in:
Threatpost: Emotet Now Hacks Nearby Wi-Fi Networks to Spread Like a Worm
https://threatpost.com/emotet-now-hacks-nearby-wi-fi-networks-to-spread-like-a-worm/152725/
Bleeping Computer: Emotet Hacks Nearby Wi-Fi Networks to Spread to New Victims
The Register: Game over, LAN, game over! Windows software nasty Emotet spotted spreading via brute-forced Wi-Fi networks
https://www.theregister.co.uk/2020/02/10/emotet_spreads_over_wifi/
--US DOJ Announces Charges Against Alleged Chinese Hackers in Equifax Case
(February 10, 2020)
A US federal grand jury has returned an indictment charging four members of China's People's Liberation Army (PLA) with breaking into Equifax computer systems and stealing data. The breach occurred in 2017 and compromised personal data belonging to nearly 150 million US citizens.
Read more in:
Justice: Chinese Military Personnel Charged with Computer Fraud, Economic Espionage and Wire Fraud for Hacking into Credit Reporting Agency Equifax
Washington Post: U.S. charges four members of Chinese military in connection with 2017 Equifax hack
Wired: How 4 Chinese Hackers Allegedly Took Down Equifax
https://www.wired.com/story/equifax-hack-china/
The Verge: Equifax was hacked by Chinese military officers, federal prosecutors say
https://www.theverge.com/2020/2/10/21131362/doj-justice-barr-china-equifax-breach
Axios: Justice Department indicts 4 Chinese military members for Equifax breach
https://www.axios.com/equifax-breach-china-indictments-2fcebd40-7144-4955-97b1-f2aba4cf3ea7.html
--Minebridge Backdoor Used in Attacks Against Financial Sector Firms
(February 6 & 7, 2020)
A report from FireEye says that since the beginning of 2020, phishing campaigns attempting to spread the Minebridge backdoor have been targeting organizations in the financial sector. The messages contain malicious attachments; if they are opened, macros attempt to install Minebridge. If it is successfully installed on a system, Minebridge can be used to deliver additional malware.
Read more in:
FireEye: STOMP 2 DIS: Brilliance in the (Visual) Basics
GovInfosecurity: Financial Firms Targeted With New Type of Backdoor: Report
https://www.govinfosecurity.com/financial-firms-targeted-new-type-backdoor-report-a-13699
Threatpost: U.S. Finance Sector Hit with Targeted Backdoor Campaign
https://threatpost.com/us-finance-sector-targeted-backdoor-campaign/152634/
--Abandoned Driver Code Lets Hackers Disarm Security Software
(February 6, 7, & 11, 2020)
Ransomware actors are exploiting a known but unpatched vulnerability in an old and no longer supported Gigabyte motherboard driver to take control of Windows computers and disable security software. The attackers load a driver of their own that kills processes and files related to security products and allows the ransomware to encrypt data without being detected or thwarted.
Read more in:
Sophos: Living off another land: Ransomware borrows vulnerable driver to remove security software
Softpedia: Hackers Use Vulnerable Windows Driver to Turn Off the Antivirus
Ars Technica: Windows trust in abandoned code lets ransomware burrow deep into targeted machines
The Register: Forgotten motherboard driver turns out to be perfect for slipping Windows ransomware past antivirus checks
https://www.theregister.co.uk/2020/02/11/forgotten_gigabte_driver_robbinhood/
Dark Reading: RobbinHood Kills Security Processes Before Dropping Ransomware
--Rockdale County, GA Ransomware Attack Affects Water Department
(February 7, 2020)
Rockdale County, Georgia, is recovering from a ransomware attack that hit its municipal computer systems. County officials have shut down nine servers to contain the infection. The attack has affected the county's water department and water billing services. Rockdale County was also the target of a ransomware attack in 2017; the county was able to decrypt infected servers at that time.
Read more in:
WSBTV: Metro county shuts down 9 servers after ransomware attack on water department
--Having Backups May Not Be Sufficient for Ransomware Recovery
(February 7, 2020)
While victims of ransomware attacks have successfully restored systems from backups, the ransomware threat landscape is changing. Some attackers now steal data before files are encrypted and upload them if the victims refuse to pay the ransom.
[Editor Comments]
[Neely] Good isolated differential backups remain necessary for recovery. The tactics have changed to add exfiltration to the attack and has been seen with Maze, Sodinokbi and Chimera. Some mitigation can come through the use of DLP solutions. The consequences of publishing need to be added to the ransom payment decision process, along with an assessment of likely of future payment demands.
[Murray] If your system is compromised, it is compromised. "Ransomware" is only a way to exploit that. These attacks will continue until the cost of attack exceeds the value of success and the risk of punishment goes up. Only the cost of attack and value of success are in our hands. We must increase the cost of attack roughly ten fold in 2020. Strong authentication, least privilege access control, restrictive policy, end-to-end application layer encryption, and mean time to detection of breaches in hours to days. We must ensure the survivability of our data and its timely recovery. Get on with what we can do.
Read more in:
Ars Technica: Why you can't bank on backups to fight ransomware anymore
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Sandbox Detection Tricks and Nice Obfuscation in a Single VBScript
Paypal Phish is Asking for Everything
Emotet Spreads via Wifi
https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/
Dell SupportAssist Client Uncontrolled Search Patch Vulnerability
Exploit Available for sudo pwfeedback bug
https://dylankatz.com/Analysis-of-CVE-2019-18634/
xiongmail/hisilicon Vulnerability
https://censys.io/blog/probing-the-xiongmai-hisilicon-soc-vulnerability
Insecure Docker Registries
https://unit42.paloaltonetworks.com/leaked-docker-code/
Lock My PC Used By Support Scammers
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create