
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #17

March 1, 2019

US Cyber Command Blocked Russian Trolls During 2018 Elections; 2019 X-Force Threat Intelligence Report: Cybercriminals Changing Priorities




****************************************************************************

SANS NewsBites                March 1, 2019                Vol. 21, Num. 017

****************************************************************************


TOP OF THE NEWS


  US Cyber Command Blocked Russian Trolls During 2018 Elections

  2019 IBM X-Force Threat Intelligence Index


REST OF THE WEEK'S NEWS


  Cisco Flaws Patched

  Drupal Admins Urged to Patch for Flaw That is Being Actively Exploited

  Cobalt Strike Flaw Exposes IP Addresses of Malicious Command-and-Control Servers

  Man Pleads Guilty in Booter/Stresser Case

  What Would It Take to Make a Congressional Office of Technology Assessment Work?

  DoD's Accelerated Cyber Specialist Hiring Program Needs More Staff

  Adobe Will Retire Shockwave in April

  TSA Oversees Pipeline Security


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

Cybersecurity Training Update


-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019


-- SANS San Francisco Spring 2019 | March 11-16 | https://www.sans.org/event/san-francisco-spring-2019


-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019


-- SANS Munich March 2019 | March 18-23 | https://www.sans.org/event/munich-march-2019


-- SANS Secure Canberra 2019 | March 18-23 | https://www.sans.org/event/secure-canberra-2019


-- ICS Security Summit & Training 2019 | Orlando, FL | March 18-25 | https://www.sans.org/event/ics-security-summit-2019


-- SANS London April 2019 | April 8-13 | https://www.sans.org/event/london-april-2019


-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18 | https://www.sans.org/event/blue-team-summit-2019


-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get a 9.7" iPad, Samsung Galaxy Tab A or Take $250 Off with OnDemand or vLive training. Offer ends March 6.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



***************************  Sponsored By  Atomicorp  ***********************


OSSEC Con2019, March 20-21. The Future of OSSEC: Security and Compliance for Cloud, On-Premise and Hybrid Environments. You will learn about the latest features, the 2019 roadmap, public and private cloud deployments, and the power of global threat intelligence. FREE attendance for SANS subscribers.


*****************************************************************************


TOP OF THE NEWS

 

--US Cyber Command Blocked Russian Trolls During 2018 Elections

(February 26, 27, & 28, 2019)

US Cyber Command (USCYBERCOM) blocked the activity of a notorious Russian troll operation during the 2018 mid-term elections. The operation ran from mid-October through mid-November 2018 and included cutting off the Russian Internet Research Agency's Internet access on election day. The US Department of Homeland Security supported USCYBERCOM in this initiative.


[Editor Comments]


[Williams] There aren't a lot of places where military cyber action makes sense outside of assistance to kinetic operations. This is one of those places. The Russians almost certainly had a plan to disrupt the midterm elections. On the days they needed to execute that plan, they were disrupted from doing so. Any level of disruption in this particular case is a success from a CYBERCOM standpoint. That was the good part. Here's the bad part: we can't do this reliably again. Next time, they'll have a decentralized plan with multiple Internet points of presence that will be much harder to disrupt. But even if the Russians can't be fully disrupted on the days surrounding the 2020 elections, this operation has already increased the Russians' costs to mount their operations. That itself is a win. Anyone with a tested disaster recovery plan knows they aren't free.

 

Read more in:

Washington Post: U.S. Cyber Command operation disrupted Internet access of Russian troll factory on day of 2018 midterms

https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html

eWeek: U.S. Cyber-Warriors Disrupt Russian Election Attacks

https://www.eweek.com/security/u.s.-cyber-warriors-disrupt-russian-election-attacks

Ars Technica: Report: US Cyber Command took Russian trolls offline during midterms

https://arstechnica.com/information-technology/2019/02/report-us-cyber-command-took-russian-trolls-offline-during-midterms/

The Hill: US cyber operation blocked internet for Russian troll farm on Election Day 2018: report

https://thehill.com/policy/cybersecurity/431614-us-cyber-operation-blocked-internet-for-russian-troll-farm-on-election

 

--2019 IBM X-Force Threat Intelligence Index

(February 26, 2019)

According to the 2019 IBM X-Force Threat Intelligence Index, cybercriminals are moving away from ransomware and instead turning to cryptojacking and business email compromise (BEC) to make money. The index also noted that attackers are increasingly using non-malicious tools including PowerShell and PsExec to evade detection.


[Editor Comments]


[Neely] Social engineering will always be a challenging threat vector to mitigate, and our adversaries know this. Continued diligence and user awareness, updated as the TTPs (Tactics, Techniques and Procedures) change, is the best mitigation. While file-less malware is becoming more prevalent and requires new detection and mitigation approaches, don't retire existing measures without ensuring you still have protection from prior attack vectors.


Read more in:

The Register: Who needs malware? IBM says most hackers just PowerShell through boxes now, leaving little in the way of footprints

https://www.theregister.co.uk/2019/02/26/malware_ibm_powershell/

eWeek: Ransomware Attacks Decline as Cryptojacking Grows, IBM X-Force Reports

https://www.eweek.com/security/ransomware-attacks-decline-as-cryptojacking-grows-ibm-x-force-reports

IBM: IBM X-Force Report: Ransomware Doesn't Pay in 2018 as Cybercriminals Turn to Cryptojacking for Profit

https://newsroom.ibm.com/2019-02-26-IBM-X-Force-Report-Ransomware-Doesnt-Pay-in-2018-as-Cybercriminals-Turn-to-Cryptojacking-for-Profit


****************************  SPONSORED LINKS  ******************************


1) Are you involved with operational technology and ICS? SANS wants to hear from you! Take 10 minutes to complete the State of OT/ICS Cybersecurity Survey and enter to win a $400 Amazon gift card. http://www.sans.org/info/210835


2) What does it take to establish a successful security operations program? Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/210840


3) Check out the SANS Blog Page: http://www.sans.org/info/210850

 

*****************************************************************************

REST OF THE WEEK'S NEWS

 

--Cisco Flaws Patched

(February 28, 2019)

Cisco is urging users of its wireless VPN and firewall routers to install updates to fix a critical vulnerability that could allow attackers to gain elevated privileges on unpatched systems. The security issue is due to the improper validation of user-supplied data in the web-based management interface. Cisco also released a fix for a privilege elevation flaw affecting the WebEx Meetings platform.


[Editor Comments]


[Neely] If you have Cisco RV110W, RV130W or RV215W Wireless-N VPN routers, patch them. The risk can be mitigated by disabling remote management, but this may not be practical for centralized management. Cisco also released a patch for WebEx Meetings Desktop and WebEx Productivity Tools for Windows, vulnerability CVE-2019-1674, which allows for arbitrary code execution as a privileged user. WebEx shops will want to deploy quickly to mitigate the risk.


Read more in:

ZDNet: Cisco: Patch routers now against massive 9.8/10-severity security hole

https://www.zdnet.com/article/cisco-patch-routers-now-against-massive-9-810-severity-security-hole/

SC Magazine: Cisco patches two code execution vulnerabilities

https://www.scmagazine.com/home/security-news/vulnerabilities/cisco-patches-two-code-execution-vulnerabilities/

Threatpost: Cisco Fixes Critical Flaw in Wireless VPN, Firewall Routers

https://threatpost.com/cisco-fixes-critical-flaw-in-wireless-vpn-firewall-routers/142284/

Threatpost: Cisco Patches High-Severity Webex Vulnerability For Third Time

https://threatpost.com/cisco-patches-high-severity-webex-vulnerability-for-third-time/142243/

Bleeping Computer: Cisco Fixes Critical RCE Vulnerability in RV110W, RV130W, and RV215W Routers

https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-rce-vulnerability-in-rv110w-rv130w-and-rv215w-routers/

 
 

--Drupal Admins Urged to Patch for Flaw That is Being Actively Exploited

(February 27, 2019)

A critical flaw in the Drupal CMS that was disclosed on February 20 is now being actively exploited, and admins are urged to apply the updates. Attackers are using the flaw to deliver cryptominers and other malware; the issue can lead to arbitrary PHP code execution. Researchers from Imperva found that the immediate mitigations suggested in Drupal's February 20, 2019 advisory do not fully protect against attacks.


[Editor Comments]


[Murray] Many, not to say most, of our vulnerabilities result from the failure of input validation in the absence of more fundamental protections (e.g., finite-state operating systems, symbolic-only addressing, strongly typed objects, process to process isolation, application-only systems, and restrictive access control policies.)


Read more in:

The Register: Friendly reminder to Drupal admins: Secure your sh!t before latest RCE-holes get you

https://www.theregister.co.uk/2019/02/27/drupal_rce_exploits_seen_wild/

SC Magazine: Highly critical Drupal flaw being exploited in the wild

https://www.scmagazine.com/home/security-news/cybercriminals-are-actively-exploiting-a-highly-critical-drupal-bug-to-deliver-cryptocurrency-miners-and-other-malicious-payloads/

Imperva: Latest Drupal RCE Flaw Used by Cryptocurrency Miners and Other Attackers

https://www.imperva.com/blog/latest-drupal-rce-flaw-used-by-cryptocurrency-miners-and-other-attackers/

Drupal: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2019-003

https://www.drupal.org/sa-core-2019-003

 
 

--Cobalt Strike Flaw Exposes IP Addresses of Malicious Command-and-Control Servers

(February 28, 2019)

Cobalt Strike, a legitimate pen testing tool, has also been used by cyber criminals to host their command-and-control servers. A flaw in the tool can be exploited to determine the IP addresses of those servers. The flaw has been fixed in legitimate copies of Cobalt Strike, but as cyber criminals are often working with unregistered copies of software, the flaw could remain unpatched in those copies for some time. 


[Editor Comments]


[Williams] This flaw has been an open secret in the community for some time. There are ways to uniquely track many common penetration testing tools, but the information is not widely shared, because releasing the information makes it inherently less valuable. Organizations have to decide whether keeping bad guys off their systems or attempting to help the rest of the community is the priority. On careful examination, most leadership teams decide that the community loses out.


Read more in:

ZDNet: Vulnerability exposes location of thousands of malware C&C servers

https://www.zdnet.com/article/vulnerability-exposes-location-of-thousands-of-malware-c-c-servers/

 
 

--Man Pleads Guilty in Booter/Stresser Case

(February 27 & 28, 2019)

A man from Illinois has pleaded guilty to conspiracy to cause damage to Internet-connected computers for his role in a scheme that offered booter and stresser services. Sergiy Usatyuk and a co-conspirator developed, controlled, and operated several of these services, which are used to launch distributed denial-of-service (DDoS) attacks.


Read more in:

KrebsOnSecurity: Booter Boss Interviewed in 2014 Pleads Guilty

https://krebsonsecurity.com/2019/02/booter-boss-interviewed-in-2014-pleads-guilty/

Cyberscoop: 20-year-old pleads guilty to DDoS-for-hire scheme that netted $550,000

https://www.cyberscoop.com/ddos-sergiy-usatyuk-guilty-plea/

Justice: Former Operator of Illegal Booter Services Pleads Guilty to Conspiracy to Commit Computer Damage and Abuse

https://www.justice.gov/opa/pr/former-operator-illegal-booter-services-pleads-guilty-conspiracy-commit-computer-damage-and

 
 

--What Would It Take to Make a Congressional Office of Technology Assessment Work?

(February 27, 2019)

After the Congressional Office of Technology Assessment (OTA) was shuttered in 1995 due to budget constraints, the burden of conducting research into highly technical and complex issues fell to legislative staff members. Advocates and former legislative staffers were invited by Representative Mark Takano (D-California), who sponsored a recent unsuccessful effort to revive OTA, to discuss what would be necessary to bring the office back and make it effective. 


[Editor Comments]


[Pescatore, Neely] The Congressional Research Service, under the Library of Congress, has continued to be funded and has over 600 employees. CRS has not been active enough in technology or cybersecurity; but, rather than (re)establishing yet another agency, CRS could be funded to increase staffing in their Resources, Sciences and Industry division to focus more analysis on policy-related technology issues.


Read more in:

Nextgov: Former Staffers: Revive Congress' Office of Technology Assessment Right or Don't Bother

https://www.nextgov.com/emerging-tech/2019/02/former-staffers-revive-congess-office-technology-assessment-right-or-dont-bother/155193/

 
 

--DoD's Accelerated Cyber Specialist Hiring Program Needs More Staff

(February 26, 2019)

Although the US Department of Defense (DoD) has the authority to fast track the hiring of cyber specialists through the Cyber Excepted Service program, it lacks sufficient staff to recruit the number of employees DoD needs. DoD deputy principal cyber advisor Marine Corps Brig. Gen. Dennis Crall told members of a House Armed Services subcommittee that the program needs 10 people to recruit and train the cyber specialists. Crall also noted that the security clearance process is slowing down hiring.


[Editor Comments]


[Neely] Obtaining a top secret clearance takes about two years, and can be expedited to one. This waiting period makes organizations face the difficult challenge of finding unclassified work for new cyber specialists and effectively integrating them into the team. A clearance is also critical for recruiters and trainers who must understand all aspects of the job.


[Northcutt] I think that after the extended government shutdown it will be several years before the US government has any real success in attracting skilled cyber talent.


Read more in:

FCW: Why the cyber fast track is stalled at DOD

https://fcw.com/articles/2019/02/26/dod-it-oversight-williams.aspx

 
 

--Adobe Will Retire Shockwave in April

(February 26, 2019)

Adobe is notifying enterprise customers that it plans to retire Shockwave later this year. Shockwave, which was first released in 1995, will no longer be available for download after April 8, 2019. Adobe is recommending that Shockwave users switch to HTML5, WebAssembly, or WebGL. It has been more than a year-and-a-half since Adobe announced its intent to retire Flash by 2020. Major browsers have already begun phasing out support for Flash.


Read more in:

Bleeping Computer: Adobe Sends Emails About Retirement of Shockwave on April 9th

https://www.bleepingcomputer.com/news/software/adobe-sends-emails-about-retirement-of-shockwave-on-april-9th/

 
 

--TSA Oversees Pipeline Security

(February 26, 2019)

The US Transportation Security Administration (TSA) is responsible for the physical and cyber security of US pipelines. Sonya Proctor, TSA's director of the Surface Division for the Office of Security Policy and Industry Engagement, told members of the House Homeland Security Committee that the five TSA employees who oversee the pipelines have pipeline expertise, but not cybersecurity expertise, and that they work with the Cybersecurity and Infrastructure Security Agency (CISA) for assessments and guidance. A December 2018 report from the Government Accountability Office (GAO) made recommendations to address weaknesses in TSA's Pipeline Security Program Management.


Read more in:

FCW: TSA's pipeline security team has five employees

https://fcw.com/articles/2019/02/26/tsa-pipeline-hearing-johnson.aspx

GAO: Critical Infrastructure Protection: Actions Needed to Address Significant Weaknesses in TSA's Pipeline Security Program Management

https://www.gao.gov/assets/700/696123.pdf

 

******************************************************************************

INTERNET STORM CENTER TECH CORNER


Thunderbolt "Thunderclap" Vulnerabilities

https://thunderclap.io/thunderclap-paper-ndss2019.pdf


Altering Signed PDF Documents

https://www.pdf-insecurity.org/


NVIDIA Patches

https://nvidia.custhelp.com/app/answers/detail/a_id/4772


Coinhive Shutting Down

https://coinhive.com/blog/en/discontinuation-of-coinhive


Azure Blob Storage Phishing

https://www.edgewave.com/phishing/feeling-blue-about-phishing/


Old 2014 Elasticsearch Vulnerability Exploited

https://blog.talosintelligence.com/2019/02/cisco-talos-honeypot-analysis-reveals.html


Latest Drupal Vulnerability Exploited

https://www.imperva.com/blog/latest-drupal-rce-flaw-used-by-cryptocurrency-miners-and-other-attackers/


F5 Big IP Patches

https://support.f5.com/csp/article/K91026261


Emotet Backend Analysis

https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/


Kaspersky vs. Chromecast

https://www.bleepingcomputer.com/news/security/kaspersky-av-having-certificate-conflicts-with-google-chromecast/


MageCart Updates

https://www.riskiq.com/research/inside-magecart/



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create