SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XXII - Issue #4
January 14, 2020FLASH: Microsoft's Most Dangerous Flaw in Years; Immediate Patching Required. Plus: Exploit Now Available for Citrix Flaw; Ransomware Operators Publish Data Stolen from Victims
FLASH: Today's Microsoft Update corrects a severe flaw that may allow malware to bypass many end point protections. Install the update today. The error is deep in cryptographic and certificate functions in crytp32.dll and CryptoAPI. The concern is that it will allow attackers to mimic legitimate Microsoft applications, send infected (but apparently valid) software updates and possibly circumvent encrypted sessions on the system. We've scheduled a global webcast on Wednesday at noon EST to explain the problem and risks you averted by installing the patches immediately.
Alan
****************************************************************************
SANS NewsBites January 14, 2020 Vol. 22, Num. 004
****************************************************************************
TOP OF THE NEWS
What You Need to Know About the Crypt32.dll / CryptoAPI Flaw
Exploit Available for Citrix Flaw
Maze and Sodinokibi Ransomware Operators Publish Data Stolen from Victims
REST OF THE WEEK'S NEWS
Travelex Ransomware Attack Update
Voting Machine Vendors Testify at Congressional Committee Hearing
Legislators Urge FCC to Protect Consumers from SIM-Swapping
Cable Haunt Buffer Overflow Flaw Affects Millions of Cable Modems
India's Supreme Court Says Internet Service Suspension in Kashmir is Illegal
Texas School District Loses Millions in eMail Scam
Coding Education Should Be Integrated into K-8 Curriculum
US Dept. of the Interior Plans to Permanently Ground Drones That Contain Chinese Technology
Dixons Carphone Fined Over Data Breach
Albany, NY Airport Hit with Ransomware Through MSP
SIM-Swappers Are Escalating Their Tactics
INTERNET STORM CENTER TECH CORNER
*********************** Sponsored By Fortinet, Inc. *************************
Securing ICS Using the NIST Cybersecurity Framework and Fortinet: Best Practices for the Real World. SANS analysts Don Weber and Barbara Filkins will take a look at how to apply NIST cybersecurity framework (CSF) in ICS environments, assess risk and requirements, and develop a tiered approach to ICS security by using the specific application of Fortinet's services. Register: http://www.sans.org/info/215245
*****************************************************************************
CYBERSECURITY TRAINING UPDATE
-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020
-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020
-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020
-- SANS Munich March 2020 | March 2-7 | https://www.sans.org/event/munich-march-2020
-- SANS Northern VA-Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020
-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020
-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020
-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020
-- SANS OnDemand and vLive Training
Get an iPad (32G), a Samsung Galaxy Tab A, or Take $250 Off through January 22 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--What You Need to Know About the Crypt32.dll / CryptoAPI Flaw
(January 14, 2019)
As part of today's "Patch Tuesday", Microsoft addressed a critical flaw in the Windows 10 and Windows Server 2016 version of crypt32.dll. Crypt32.dll implements the Windows CryptoAPI, which provides various cryptographic features used by software to verify digital signatures. This flaw was originally discovered by the NSA but has not been used in attacks yet. After you install the patches, sign up for this webcast featuring two of the most respected experts on sophisticated vulnerabilities and exploits. In this webcast, you will learn more about the nature of the vulnerability, how it could be exploited, and current recommendations to implement the patches as efficiently as possible.
Webcast URL: https://sans.org/cryptoapi-nb
Speaker: Jake Williams, CEO Rendition InfoSec
Hosted by: Johannes Ullrich, Director of SANS Internet t Center and Dean of Research at SANS Technology Institute
--Exploit Available for Citrix Flaw
(January 10, 11, & 13, 2020)
Code is now available for exploiting an as-yet unpatched patch traversal flaw in Citrix Application Delivery Controller (ADC) and Gateway. The vulnerability can be exploited to remotely execute code. Citrix has published mitigations to help protect users from attacks. The company says that fixes for various versions will be rolled out between January 20 and the end of the month.
[Editor Comments]
[Neely] Implement the published mitigations immediately, (https://support.citrix.com/article/CTX267679: Mitigation Steps for CVE-2019-19781) and plan to test and install the updates as they are released. While the mitigations are not a 100% fix, they do reduce the attack surface.
Read more in:
GovInfosecurity: Severe Citrix Flaw: Proof-of-Concept Exploit Code Released
https://www.govinfosecurity.com/severe-citrix-flaw-proof-of-concept-exploit-code-released-a-13600
ZDNet: Proof-of-concept code published for Citrix bug as attacks intensify
https://www.zdnet.com/article/proof-of-concept-code-published-for-citrix-bug-as-attacks-intensify/
Cyberscoop: Experts urge organizations to address festering critical Citrix flaw
https://www.cyberscoop.com/citrix-vulnerability-patch-exploit/
Infosecurity Magazine: Citrix Admins Urged to Act as PoC Exploits Surface
https://www.infosecurity-magazine.com/news/citrix-admins-urged-action-poc/
Ars Technica: Citrix bug dropped just before Christmas now getting attacked
Threatpost: Unpatched Citrix Flaw Now Has PoC Exploits
https://threatpost.com/unpatched-citrix-flaw-exploits/151748/
--Maze and Sodinokibi Ransomware Operators Publish Data Stolen from Victims
(January 10, 11, & 13, 2020)
In December, operators of Maze ransomware posted data they claimed was taken from Southwire, a US wire and cable manufacturer, during a cyberattack. That website was taken down after Southwire filed a lawsuit. The Maze ransomware operators have now posted an additional 14 GB of data they allegedly took from Southwire, and said they would keep posting data until the company paid the ransom. The new website also lists the names of organizations the attackers claim to have infected with ransomware and that have not paid. Following the lead of the Maze attackers, operators of the Sodinokibi ransomware have begun publishing data belonging to organizations that have not paid the demanded ransom.
[Editor Comments]
[Neely] The question of payment becomes more complex with active release of data in exchange for non-payment. Ensuring your DLP and unauthorized exfiltration protections are functioning is a good first step to reducing the data that could be used this way. This also raises the question of will the ransomware operators retain a copy of the data if paid.
Read more in:
Cyware: Maze ransomware operators once again take to the internet to publish a list of victim organizations
Bleeping Computer: Sodinokibi Ransomware Publishes Stolen Data for the First Time
Bleeping Computer: Maze Ransomware Publishes 14GB of Stolen Southwire Files
**************************** SPONSORED LINKS ******************************
1) Download How to Uplevel Your Defenses With Security Analytics, and find out what you (and your SIEM) are missing. http://www.sans.org/info/215250
2) Blue Team Summit & Training 2020 | Louisville, KY | Mar 2-9. http://www.sans.org/info/215255
3) Webcast January 22nd at 1 PM ET: Protecting your Cloud Native & Kubernetes Environments from Exposure and Breach with Cisco Stealthwatch Cloud. http://www.sans.org/info/215260
*****************************************************************************
REST OF THE NEWS
--Travelex Ransomware Attack Update
(January 13, 2020)
Foreign currency exchange company Travelex was hit with a ransomware attack on December 31, 2019. The company's website and mobile app were both affected. Travelex now says that some of its internal systems have been restored, although it has not said when it expects to restore customer services. The attackers behind the ransomware have threatened to post data they said they've taken from Travelex systems if the company does not pay the #4.6m (US $6m) ransom.
[Editor Comments]
[Neely] Indications are that Travelex was hit by REvil/Sodinokibi ransomware, and the Sodinokibi operators are now publishing files where payment is not received. (See Maze and Sodinokibi story above.) Travelex has to weigh the options, including negotiating a lower ransom, versus the impact of having that data released. It will also be interesting to see if there are any GDPR (or CCPA) actions as a result of ransomware related data releases.
Read more in:
ZDNet: Two weeks after ransomware attack, Travelex says some systems are now back online
BBC: Travelex: Travel money services still down after cyber-attack
https://www.bbc.com/news/business-51097470
--Voting Machine Vendors Testify at Congressional Committee Hearing
(January 9 & 10, 2020)
CEOs of three major US voting machine manufacturers told lawmakers that they would be amenable to federal regulations requiring them to disclose company ownership, sources of voting machine components, and how they manage cyberattacks. Executives from Election Systems and Software, Dominion Voting Systems, and Hart InterCivic answered questions at a January 9 House Administration Committee hearing.
[Editor Comments]
[Murray] It is sad that we must regulate in order to get vendors to do what they believe their competitors should do. However, this is the source of much regulation. As Franklin Roosevelt said, "Make me do it (the right thing)."
Read more in:
FCW: Voting machine vendors say they're open to new mandates
https://fcw.com/articles/2020/01/09/voting-vendors-hearing-mandates.aspx
The Hill: Voting machine vendors to testify on election security
https://thehill.com/policy/technology/477455-voting-machine-vendors-to-testify-on-election-security
MeriTalk: Election Security Vendors Feel Positive, but Experts Remain Cautious on Election Security
GovTech: Voting Machine Makers Open to Congressional Oversight
https://www.govtech.com/security/Voting-Machine-Makers-Open-to-Congressional-Oversight.html
--Legislators Urge FCC to Protect Consumers from SIM-Swapping
(January 9 & 10, 2020)
US legislators have written to Federal Communications Commission (FCC), urging them to take steps to protect consumers from SIM-swapping. The letter notes that while some carriers have adopted policies that make SIM-swapping more difficult, "implementation of these additional security measures by wireless carriers in the US is still spotty and consumers are unlikely to find out about the availability of these obscure, optional security features until it is too late."
[Editor Comments]
[Neely] It may take a while for the FCC to take the risks of unauthorized SIM swapping seriously, just as it took them a while to take the issues around robocalling seriously. In the interim, making sure that you enable the available security from your carrier, such as an account passcode, and/or PIN is critical. Additionally, enable two-factor using mechanisms other than SMS messages on email and other accounts so a swapped SIM cannot be used to recover or access those accounts.
[Murray] In addition to the phone number, carriers also have an e-mail address, and a postal address. No changes to any of these should be implemented until a confirmation has been acknowledged by one of the other two. It is reckless not to do this kind of "out of band confirmation," and carriers should be liable for the failure to do so.
Read more in:
KrebsOnSecurity: Lawmakers Prod FCC to Act on SIM Swapping
https://krebsonsecurity.com/2020/01/senators-prod-fcc-to-act-on-sim-swapping/
Vice: SIM-Swapping Indictments Pile Up as Congress Begs the FCC to Do More
Nextgov: Lawmakers Ask FCC to Protect Consumers from Phone Hijackers
Wyden: Letter to FCC Chair (PDF)
https://www.wyden.senate.gov/imo/media/doc/010920%20SIM%20Swap%20Scam%20Letter%20to%20FTC.pdf
--Cable Haunt Buffer Overflow Flaw Affects Millions of Cable Modems
(January 10 & 13, 2020)
A critical buffer overflow flaw in a Broadcom chip used in millions of cable modems could be exploited to take control of vulnerable devices. The vulnerability, which has been named Cable Haunt, lies in the chip's spectrum analyzer component.
[Editor Comments]
[Neely] This vulnerability has to be exploited from the consumer interface to the device, which is why it relies on the user accessing a site with malicious JavaScript. Even so, it is a very complex attack to execute. The best mitigations are to ensure the firmware on your cable modem is updated and that the default password has been changed, irrespective of who owns or manages the device.
[Murray] This is a pervasive vulnerability but expensive to exploit. The report suggests that the exploit must originate from the inside, the IP side, rather than the service, the DOCSIM, side. Most SOHO users will not be vulnerable. Enterprise users that are targets of organized crime and nation states and that are likely to have compromised systems on their networks should have a goal of identifying and removing these modems in months. One might well wish that these so-called "researchers" had waited to publish until they had identified indicators of compromise. One suspects that they did not do so because they have identified a vulnerability but no compromises.
Read more in:
Cyware: Newly discovered 'Cable Haunt' flaw exposes nearly 200 million Broadcom-based modem cables to MITM attacks
Threatpost: 'Cable Haunt' Bug Plagues Millions of Home Modems
https://threatpost.com/cable-haunt-remote-code-execution/151756/
The Register: Hundreds of millions of Broadcom-based cable modems at risk of remote hijacking, eggheads fear
https://www.theregister.co.uk/2020/01/10/broadcom_cable_haunt_vulnerability/
ZDNet: Hundreds of millions of cable modems are vulnerable to new Cable Haunt vulnerability
Infosecurity Magazine: Hundreds of Millions of Broadcom Modems "Haunted" by New Bug
https://www.infosecurity-magazine.com/news/hundreds-millions-broadcom-modems/
--India's Supreme Court Says Internet Service Suspension in Kashmir is Illegal
(January 10 & 13, 2020)
The Supreme Court of India has found that the government's five-month blackout of Internet services in Kashmir violates India's telecommunications laws. The Indian government also shut down mobile phone and landline services in the area. The court has given the government a week to review its policies.
[Editor Comments]
[Murray] This is a political issue, not a security one. It is now clear that the Internet is a powerful tool for organizing resistance to tyranny, or even incompetence. It is equally clear that regimes will attempt to restrict its use when they feel threatened.
Read more in:
ZDNet: India ordered to review suspension of internet services in Kashmir
https://www.zdnet.com/article/india-ordered-to-review-suspension-of-internet-services-in-kashmir/
Ars Technica: Indian Supreme Court finds 150-day Internet blackout in Kashmir illegal
--Texas School District Loses Millions in eMail Scam
(January 13, 2019)
The Manor Independent School District, near Austin, TX, lost $2.3 million in an email scam. The funds were sent in three separate transactions in November and December 2019.
[Editor Comments]
[Neely] Analysis suggests that legitimate looking emails were sent requesting payment to altered accounts. Out-of-band verification of payment information, particularly when the accounts don't match what you have on-file, whether updated or new, is critical.
Read more in:
Threatpost: Scammers Dupe Texas School District Out of $2.3M
https://threatpost.com/scammers-dupe-texas-school-district-out-of-2-3m/151773/
The Register: Someone needs to go back to school: Texas district fleeced for $2.3m after staff fall for devious phishing email
https://www.theregister.co.uk/2020/01/13/texas_school_phished/
Tripwire: Texas School District Lost $2.3M to Phishing Email Scam
--Coding Education Should Be Integrated into K-8 Curriculum
(January 10, 2020)
An educational technology specialist said that coding education should be integrated across the K-8 school curriculum rather than taught as a standalone subject. Students are likely to develop better problem-solving and design skills if they have an application for coding outside of the computer science lab.
[Editor Comments]
[Murray] While it is good for people to know how to code, our problem is not a shortage of coders but one of quality code. Currently we have too much porous code written by amateurs.
Read more in:
Edscoop: K-8 coding education should be integrated for best outcomes
https://edscoop.com/k8-coding-education-integrated-core-standards/
--US Dept. of the Interior Plans to Permanently Ground Drones That Contain Chinese Technology
(January 12 & 13, 2020)
According to a report in the Financial Times, the US Department of the Interior plans to permanently ground more than 800 drones. The decision is due to concerns that some of the drones' components were developed in China and that the Chinese government could possibly access the data the drones gather. The Interior Department uses drones to monitor fires, track natural resources, and map terrain. The drones were taken out of service in October 2019 pending the results of a program review.
[Editor Comments]
[Neely] When analysis determines a supply chain weakness, in this case the DJI produced drones represent an unacceptable level of risk, you have two choices - replace the items with trusted ones, or repair the weakness. Analysis has to be made on a case-by-case basis. While the cost of new drones is large, the cost of retrofit, to the point where you're assured the devices are acceptable, is typically much higher and can be more error prone, void warrantees or support agreements, and have long-term cost/impacts.
Read more in:
The Hill: Interior planning to halt use of drones over concerns about Chinese tech: report
Digital Trends: U.S. may call a halt to its civilian drone program over security fears
--Dixons Carphone Fined Over Data Breach
(January 9 & 13, 2020)
The UK Information Commissioner's Office (ICO) has fined Dixons Carphone #500,000 (US $650,000) for failing to adequately protect customer data. The company's point-of-sale system was compromised between July 2017 and April 2018, exposing personal information of as many as 14 million customers.
[Editor Comments]
[Honan] It is worth reading the actual report from the ICO itself to see what issues, such as a WordPress installation from 2009, no anti-virus installed on servers, encryption keys stored in plain text, and several other issues, that led to the issuance of this fine. https://ico.org.uk/media/action-weve-taken/mpns/2172972/carphone-warehouse-mpn-20180110.pdf: Supervisory Powers of the Information Commissioner | Monetary Penalty Notice
Read more in:
The Register: Dixons fined #500,000 by ICO for crap security that exposed 5.6 million customers' payment cards
Edinburgh News: Dixons Carphone fined #500,000 over serious data breach that put 14 million customers at risk
--Albany, NY Airport Hit with Ransomware Through MSP
(January 10, 2020)
Administrative servers at Albany (New York) International Airport became infected with ransomware in December 2019. The malware made its way onto the system through the airport's managed service provider (MSP). The ransomware also infected the airport's backup servers, and the airport has "severed its relationship with" the MSP. The airport said that it paid an undisclosed amount of ransom to regain access to its data.
[Editor Comments]
[Murray] Strong authentication, end-to-end application layer encryption, least privilege access control, privilege access management software, safe backup and fast recovery, et. al. can increase the cost of ransomware attacks by an order of magnitude.
Read more in:
Bleeping Computer: Sodinokibi Ransomware Hits New York Airport Systems
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/
--SIM-Swappers Are Escalating Their Tactics
(January 10, 2020)
Some SIM-swappers are bypassing the social engineering techniques they have used in the past and are now breaking into telecommunications companies' systems to facilitate the swapping. The attackers manipulate telecommunications company employees into installing Remote Desktop Protocol (RDP) software, and then using the access to port phone numbers.
Read more in:
Vice: Hackers Are Breaking Directly Into Telecom Companies to Take Over Customer Phone Numbers
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Citrix ADC Vulnerability Actively Exploited. Assume vulnerable systems are compromised.
Updated Citrix Advisory: https://support.citrix.com/article/CTX267027
Exploit Activity Summary: https://isc.sans.edu/forums/diary/Citrix+ADC+Exploits+are+Public+and+Heavily+Used+Attempts+to+Install+Backdoor/25700/
Vulnerability Scanner: https://github.com/trustedsec/cve-2019-19781/
Special Webcast: https://i5c.us/citrix
YouTube Walk Through of the vulnerability: https://youtu.be/msslpqyf98c
Upcoming Critical MSFT Patch
https://krebsonsecurity.com/2020/01/cryptic-rumblings-ahead-of-first-2020-patch-tuesday/
SIM Swapping is Easy
https://www.issms2fasecure.com/assets/sim_swaps-01-10-2020.pdf
Google Open Sources wombat dressing room npm publication proxy
https://opensource.googleblog.com/2020/01/wombat-dressing-room-npm-publication_10.html
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
