
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #15

February 22, 2019

Symantec and CrowdStrike Threat Reports; Governors' National Scholarship Competition Deadlines Set for Students Interested in Cybersecurity Careers

****************************************************************************

SANS NewsBites                Feb. 22, 2019                Vol. 21, Num. 015

****************************************************************************


TOP OF THE NEWS

 

  Symantec 2019 Internet Security Threat Report

  CrowdStrike Global Threat Report

  Deadlines for Governors' National Scholarship Competition Set for Students Interested in Cybersecurity Careers


REST OF THE WEEK'S NEWS

 

  Old WinRAR Flaw Fixed

  Adobe Re-Patches Vulnerability in Reader and Acrobat  

  Microsoft Releases Advisory About Denial-of-Service Bug in IIS

  Website Admins Urged to Apply Updates to Fix Critical RCE Flaw in Drupal

  Nest Guard Has a Microphone for Google Assistant Functionality

  Facebook Adds Granular Location Data Sharing Option for Android

  Edge's Secret Whitelist Let Sites Autorun Flash

  Mandatory Updates for Legacy Windows OSes

 

INTERNET STORM CENTER TECH CORNER


*****************************************************************************


-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019


-- SANS Baltimore Spring 2019 | March 2-9 | https://www.sans.org/event/baltimore-spring-2019


-- SANS London March 2019 | March 11-16 | https://www.sans.org/event/london-march-2019


-- SANS San Francisco Spring 2019 | March 11-16 | https://www.sans.org/event/san-francisco-spring-2019


-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019


-- SANS Munich March 2019 | March 18-23 | https://www.sans.org/event/munich-march-2019


-- SANS Secure Canberra 2019 | March 18-23 | https://www.sans.org/event/secure-canberra-2019


-- ICS Security Summit & Training 2019 | Orlando, FL | March 18-25 | https://www.sans.org/event/ics-security-summit-2019


-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get a 9.7" iPad, Samsung Galaxy Tab A or Take $250 Off with OnDemand or vLive training. Offer ends March 6.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


***************************  Sponsored By Securonix    ************************************

 Today's security operations teams drown in data from security event management tools and platforms, yet investigators and threat hunters need better tools and capabilities to see behavioral trends and specific events in large environments. Is there a solution to this situation? Register to learn more: http://www.sans.org/info/210650


*****************************************************************************

TOP OF THE NEWS

 

--Symantec 2019 Internet Security Threat Report

(February 21, 2019)

Symantec's 2019 Internet Security Threat Report offers insights into global threat activity, cyber criminal trends, and attacker motivations. The report looks at formjacking, cryptojacking, targeted attacks, cloud security issues, the Internet of Things (IoT), and election interference.


[Editor Comments]


[Neely] This is the time of year when threat reports are released. These are an excellent source of data about new threats, new attacks, and trends to protect against. Read multiple reports to get a broad view of activities that should be on your radar.  


[Murray] Many of these are attacks, not threats (threats have both source and rate). Security people ought to be able to use threat, attack, vulnerability, consequences, and risk in a consistent and exclusive manner. Risk assessment is difficult enough without this added confusion of terminology.

 

Read more in:

Symantec: 2019 Internet Security Threat Report: Executive Summary

https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-executive-summary-en.pdf

eWeek: Symantec Warns of Shifting Threat Landscape as Formjacking Risk Grows

https://www.eweek.com/security/symantec-warns-of-shifting-threat-landscape-as-formjacking-risk-grows

SC Magazine: Ransomware out, formjacking in as primary attack vectors

https://www.scmagazine.com/home/security-news/cybercrime/ransomware-out-formjacking-in-as-primary-attack-vectors/


 

--CrowdStrike Global Threat Report

(February 19 & 21, 2019)

CrowdStrike's annual Global Threat Report introduces a new metric of hacker sophistication: breakout speed, which is measured from the hackers' initial intrusion to the point at which they expand their access/presence in a system. The report also questions the efficacy of indictments against nation-state hackers, noting that in spite of some impressive indictments against several named nation-state actors, their activities show no signs of diminishing.


Read more in:

Fifth Domain: New report questions effectiveness of cyber indictments

https://www.fifthdomain.com/industry/2019/02/21/new-report-questions-effectiveness-of-cyber-indictments/

Wired: Russian Hackers Go From Foothold to Full-On Breach in 19 Minutes

https://www.wired.com/story/russian-hackers-speed-intrusion-breach/



--Deadlines for Governors' National Scholarship Competition Set for Students Interested in Cybersecurity Careers

(February 22, 2019)

Seventeen governors are providing students in their states with reliable pathways to cybersecurity talent discovery and development, and for college students, direct access to advanced training, internships, and jobs. More than $2.8 million in prizes and scholarships are available for students and their schools. In the UK, many of the most talented students did not have any idea they would be good at cybersecurity. If you know students who might like to work in the field, tell them to give it a try even if they don't think they would be good.

High School Program (Girls Go CyberStart): https://girlsgocyberstart.org | Deadline: March 20

College Program (Cyber Fast-Track): https://cyber-fasttrack.org | Deadline: April 5


*****************************************************************************

REST OF THE WEEK'S NEWS

 

--Old WinRAR Flaw Fixed

(February 20 & 21, 2019)

A code execution flaw in the WinRAR file compression tool now has a fix. The path-traversal vulnerability could be exploited to hijack vulnerable systems. The issue affects every version of WinRAR released over the last 19 years. The flaw was found by researchers at CheckPoint.


[Editor Comments]


[Ullrich] Vulnerabilities affecting older software like this are still fetching top dollar from companies buying them. This software is often a blind spot in software asset control and can go unpatched for years (decades?).


[Neely] Products that included the library now have to create updated distributions. If you're still using WinRAR, update now. If not, this is a good time to uninstall those packages. 19 years ago DEP and ASLR protections were not available. While Windows XP service pack 3 introduced DEP and ASLR in 2008, the WinRAR library hadn't been updated since 2006.


Read more in:

Threatpost: 19-Year-Old WinRAR Flaw Plagues 500 Million Users

https://threatpost.com/winrar-flaw-500-million-users/142080/

ZDNet: WinRAR versions released in the last 19 years impacted by severe security flaw

https://www.zdnet.com/article/winrar-versions-released-in-the-last-19-years-impacted-by-severe-security-flaw/

CheckPoint: Extracting a 19 Year Old Code Execution from WinRAR

https://research.checkpoint.com/extracting-code-execution-from-winrar/

 
 

--Adobe Re-Patches Vulnerability in Reader and Acrobat  

(February 21, 2019)

A week after releasing a fix for a critical vulnerability in Adobe Reader and Acrobat, Adobe has issued a patch for a flaw in that fix. The initial patch, issued on Tuesday, February 12, was intended to address a boundary condition error that could leak data, but was found to be insufficient.   


[Editor Comments]


[Ullrich] Exploitation of these flaws is pretty straightforward, and may leak NTLM hashes. Make sure you block port 445 outbound. Adobe's software is probably not the last time we have seen this flaw and it could show up in any software that includes external resources like images from remote locations.


[Murray] Unlike Flash, the use of Acrobat is not completely optional. Even if one prefers other products for processing PDFs, one will find oneself returning to Acrobat for some uses.  


Read more in:

Threatpost: Adobe Re-Patches Critical Acrobat Reader Flaw

https://threatpost.com/adobe-re-patches-critical-acrobat-reader-flaw/142098/

Bleeping Computer: Adobe Patches Critical Information Disclosure Flaw in Reader, Again

https://www.bleepingcomputer.com/news/security/adobe-patches-critical-information-disclosure-flaw-in-reader-again/

The Register: WTF PDF: If at first you don't succeed, you may be Adobe re-patching its Acrobat, Reader patches

https://www.theregister.co.uk/2019/02/21/adobe_reader_acrobat_flash/

 
 

--Microsoft Releases Advisory About Denial-of-Service Bug in IIS

(February 21, 2019)

Microsoft has published an advisory warning of a problem in Internet Information Services (IIS) that could consume up to 100 percent of CPU resources. The issue affects IIS servers shipped with Windows 10 and Windows Server 2016. The problem occurs when IIS tries to process malicious HTTP/2 requests. To fix the problem, Microsoft has added the ability to define thresholds on the number of HTTP/2 SETTINGS included in a request. These thresholds must be defined by the IIS administrator; they are not preset by Microsoft.  


[Editor Comments]


[Ullrich] This patch is a bit hidden among Microsoft's non-security updates. But it is very much a security update and likely not difficult to exploit. Microsoft did not offer any other mitigations but patching.


Read more in:

MSRC: ADV190005 | Guidance to adjust HTTP/2 SETTINGS frames

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190005

The Register: Welcome to the sunlit uplands of HTTP/2, where a naughty request can send Microsoft's IIS into a spin

https://www.theregister.co.uk/2019/02/21/http2_iis_microsoft/

ZDNet: Microsoft publishes security alert on IIS bug that causes 100% CPU usage spikes

https://www.zdnet.com/article/microsoft-publishes-security-alert-on-iis-bug-that-causes-100-cpu-usage-spikes/

Bleeping Computer: Windows Servers Vulnerable to IIS Resource Exhaustion DoS Attacks

https://www.bleepingcomputer.com/news/security/windows-servers-vulnerable-to-iis-resource-exhaustion-dos-attacks/

 
 

--Website Admins Urged to Apply Updates to Fix Critical RCE Flaw in Drupal

(February 20 & 21, 2019)

The Drupal project has disclosed a critical remote code execution flaw in the Drupal core content management system (CMS), urging website admins to install updates to fix the problem. Drupal warned admins a day before the patch was released. Sites are vulnerable if the Drupal 8 core RESTful Web Services (rest) module is enabled and allows PATCH or POST requests, or if another Web-services module is enabled, such as JSON:API in Drupal 8, or Services or RESTful Web Services in Drupal 7. Admins are advised to upgrade to Drupal 8.6.10 or 8.5.11.


Read more in:

Drupal: Critical Release - PSA-2019-02-19 (advance warning)

https://www.drupal.org/psa-2019-02-19

Drupal: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003

https://www.drupal.org/sa-core-2019-003

ZDNet: Drupal critical flaw: Patch this remote code execution bug urgently, websites warned

https://www.zdnet.com/article/drupal-critical-flaw-patch-this-remote-code-execution-bug-urgently-websites-warned/

The Register: No RESTful the wicked: If your website runs Drupal, you need to check for security updates, unless you enjoy being hacked

https://www.theregister.co.uk/2019/02/20/drupal_cve_2019_6340/

Threatpost: Highly Critical Drupal RCE Flaw Affects Millions of Websites

https://threatpost.com/critical-drupal-rce-flaw/142091/

Bleeping Computer: Drupal Fixes Highly Critical Vulnerability

https://www.bleepingcomputer.com/news/security/drupal-fixes-highly-critical-vulnerability/

Ars Technica: Millions of websites threatened by highly critical code-execution bug in Drupal

https://arstechnica.com/information-technology/2019/02/millions-of-websites-threatened-by-highly-critical-code-execution-bug-in-drupal/

 
 

--Nest Guard Has a Microphone for Google Assistant Functionality

(February 20 & 21, 2019)

Earlier this month, Google announced that it will introduce Google Assistant functionality in its Nest Secure home security system. Until the announcement, users had not been made aware that Nest Secure devices contained a microphone. Google said that the failure to disclose this fact was an oversight. The Google Assistant feature is opt-in, meaning the microphone is not turned on by default.


[Editor Comments]


[Neely] The microphone was never intended to be a secret. It is needed to support voice commands and is accompanied by a small speaker as well. As with other voice-controlled services, commands are not solely processed on the device. Activate the microphone only after evaluating the risk that it will be continuously listening and forwarding information to Google for interpretation.


Read more in:

ZDNet: Google says 'hidden' microphone in Nest product never intended to be a secret

https://www.zdnet.com/article/google-says-secret-microphones-in-nest-home-products-an-error/

Ars Technica: Users alarmed by undisclosed microphone in Nest Security System

https://arstechnica.com/gadgets/2019/02/googles-nest-security-system-shipped-with-a-secret-microphone/

 
 

--Facebook Adds Granular Location Data Sharing Option for Android

(February 20, 2019)

Facebook has introduced new controls for Android devices which will let users limit location information they allow Facebook to collect. Location information sharing on Android is generally all or nothing. iOS has more granular options, letting users choose to share their location data always, only when the app is open, or never. Facebook is giving Android users the option of more granular control over when they share their location information with the social network.


Read more in:

Facebook: Improving Location Settings on Android

https://newsroom.fb.com/news/2019/02/location-settings-android/

Wired: Android Users: Check This Facebook Location Privacy Setting ASAP

https://www.wired.com/story/android-facebook-location-privacy-setting/

ZDNet: Facebook's new location controls on Android will let users disable background collection

https://www.zdnet.com/article/facebooks-new-location-controls-on-android-will-let-users-disable-background-collection/

 
 

--Edge's Secret Whitelist Let Sites Autorun Flash

(February 20, 2019)

A hidden whitelist file in Microsoft's Edge browser let designated sites load Flash content without user confirmation, despite the browser's click-to-run policy. A Google Project Zero researcher found the list and filed a bug report with Microsoft in November 2018. Some of the sites on the list had cross-site scripting bugs. Microsoft trimmed the list with February's Patch Tuesday release: it previously contained 58 entries, but once the list was no longer secret it shrank to just two Facebook domains.


[Editor Comments]


[Ullrich] The original whitelist was pretty long, and aside from the security implications does represent a breach of trust between software vendor and consumer. Leaving Facebook as the sole trusted site in the patched version of the list doesn't exactly help Microsoft to recover this lost trust.


Read more in:

ZDNet: Microsoft Edge lets Facebook run Flash code behind users' backs

https://www.zdnet.com/article/microsoft-edge-lets-facebook-run-flash-code-behind-users-backs/

Ars Technica: Microsoft culls secret Flash whitelist after Google points out its insecurity

https://arstechnica.com/gadgets/2019/02/microsoft-culls-secret-flash-whitelist-after-google-points-out-its-insecurity/

Bleeping Computer: Microsoft Edge Secret Whitelist Allows Facebook to Autorun Flash

https://www.bleepingcomputer.com/news/security/microsoft-edge-secret-whitelist-allows-facebook-to-autorun-flash/

 
 

--Mandatory Updates for Legacy Windows OSes

(February 19, 2019)

Users running Windows 7 and Windows Server 2008 must have installed updates to support SHA-2 code signing by July 2019 if they want to continue to receive updates from Microsoft.


[Editor Comments]


[Neely] While Windows 7 and Server 2008 extended support end January 14, 2020, to continue receiving updates the systems must be patched to support SHA-2 signed updates. This is a good opportunity to schedule upgrading to newer operating systems before July 2019.


Read more in:

Computerworld: Microsoft delays Windows 7's update-signing deadline to July

https://www.computerworld.com/article/3341394/microsoft-windows/microsoft-delays-windows-7s-update-signing-deadline-to-july.html

Ars Technica: Mandatory update coming to Windows 7, 2008 to kill off weak update hashes

https://arstechnica.com/gadgets/2019/02/mandatory-update-coming-to-windows-7-2008-to-kill-off-weak-update-hashes/

Threatpost: Microsoft to Kill Updates for Legacy OS Using SHA-1

https://threatpost.com/microsoft-updates-os-sha-1/142000/

 

*****************************************************************************

Sponsored Links:

1) "The State of Kubernetes Security" Presented by the authors of the bestselling O'Reilly Book. Register: http://www.sans.org/info/210655

2) SURVEY: Are you involved with operational technology and ICS? SANS wants to hear from you! Take 10 minutes to complete the State of OT/ICS Cybersecurity Survey and enter to win a $400 Amazon gift card. http://www.sans.org/info/210660

3) Have you checked out the SANS Blog site? http://www.sans.org/info/210665

*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Russian Malspam Pushing Shade/Troldesh Ransomware

https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/


Bitdefender Releases GandCrab Decrypter

https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/


Bank Infrastructure Used in Phishing Attacks (in Russian with translation option)

https://www.group-ib.ru/blog/incident


SHA-2 Patch For Windows 7/2008 R2 SP1

https://support.microsoft.com/en-us/help/4472027/2019-sha-2-code-signing-support-requirement-for-windows-and-wsus


Microsoft Edge Whitelists Facebook to Run Flash

https://bugs.chromium.org/p/project-zero/issues/detail?id=1722


MikroTik Unauthenticated Proxy

https://medium.com/tenable-techblog/mikrotik-firewall-nat-bypass-b8d46398bf24


Password Manager Vulnerabilities

https://www.securityevaluators.com/casestudies/password-manager-hacking/


Adobe Re-Patches Reader/Acrobat Data Leakage Bug

https://helpx.adobe.com/security/products/acrobat/apsb19-13.html


Microsoft Releases Fix for DoS Vulnerability in IIS

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190005


Drupal Fixes Remote Code Execution Vulnerability

https://www.drupal.org/sa-core-2019-003


Linux Kernel Code Execution Vulnerability

https://nvd.nist.gov/vuln/detail/CVE-2019-8912



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create