Final Week to Get an iPad Mini, Chromebook Flip, or $250 Off with OnDemand and vLive Training!

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #27

April 5, 2019

25 States Launch Collegiate Cybersecurity Talent Search with $2.5 Million in Scholarships; Facebook Data Inadequately Protected; Home Routers in DNS Hijacking Campaign



 

****************************************************************************

SANS NewsBites                April 5, 2019                Vol. 21, Num. 027

****************************************************************************


TOP OF THE NEWS

 

  25 US State Governors Launch National Collegiate Cybersecurity Talent Search

  Facebook Data Collected by Third Party App Developers Was Inadequately Protected

  Home Routers Targeted in DNS Hijacking Campaign


REST OF THE WEEK'S NEWS


  Woman Who Allegedly Tried to Sneak Into Mar-a-Lago Arrested

  Apache Patches Critical HTTP Server Flaw

  New Jersey High School Students Arrested for Allegedly Deliberately Crashing School's WiFi

  Xiaomi Fixes SDK Interaction Problem in Pre-Installed Phone App

  Bayer Says Foreign Hackers Infiltrated Computers

  US Data Centers Hacked to Spread Malware

  Ohio Teen Faces Charges for Alleged Swatting

  Senator Introduces Bill to Punish CEOs for Security Breaches


INTERNET STORM CENTER TECH CORNER

 

*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019


-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019


-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019


-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019


-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019


-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019


-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019


-- SANS OnDemand and vLive Training

Get an iPad, Samsung Galaxy Tab A, or $250 Off with OnDemand or vLive training. Offer ends April 17.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



*************************  Sponsored By Authentic8  **************************


The browser connects the modern world but every click could mean a risk to your business. With Silo, users are always secure, compliant, and anonymous online.  Learn More:

http://www.sans.org/info/211670


*****************************************************************************

TOP OF THE NEWS

 

--25 US State Governors Launch U.S. National Collegiate Cybersecurity Talent Search

(April 5, 2019)

In the first three hours of the Governors Cyber Talent Search, 571 college students have registered. (See leader board, by state, at https://www.governorscyberskillsprogram.org/cft.) This program has a remarkable record of enabling students to discover whether they have the aptitude to succeed in cyber careers. $2.4 million in scholarships for SANS courses, as well as scholarships for other colleges, will be awarded to those who do well.

www.cyber-fasttrack.org


 

--Facebook Data Collected by Third Party App Developers Was Inadequately Protected

(April 3, 2019)

Two different data sets from two different app developers were left exposed on the Internet due to inadequately secured Amazon Web Services S3 buckets. One of the data sets has been secured, and the other has been taken down.


[Editor Comments]


[Pescatore] Amazon has a very simple checklist to follow to reach basic security hygiene levels on its services and there are open source tools like Cloudsploit to do free vulnerability scanning of those services.


[Neely] While Amazon has made configuration of open S3 buckets an action that requires multiple acknowledgements and steps, there remain a large number of open buckets yet to be discovered, so expect discoveries to continue for the future. It's easy to remind folks that security requirements need to flow down to data custodians, but verification is much harder.


Read more in:

Wired: In Latest Facebook Data Exposure, History Repeats Itself

https://www.wired.com/story/facebook-apps-540-million-records/

GovInfoSecurity: Millions of Facebook Records Found Unsecured on AWS

https://www.govinfosecurity.com/millions-facebook-records-found-unsecured-on-aws-a-12337

UpGuard: Losing Face: Two More Cases of Third-Party Facebook App Data Exposure

https://www.upguard.com/breaches/facebook-user-data-leak

 
 

--Home Routers Targeted in DNS Hijacking Campaign

(April 4, 2019)

For the past several months, hackers have been breaking into home routers and changing DNS settings to hijack traffic and reroute users to malicious websites. Most of the targeted devices are D-Link routers. There have been three waves of attacks in late December 2018, early February 20919, and late March 2019. Users should make sure they are running the most recent versions of firmware.


[Editor Comments]


[Neely] Newer home routers include automatic firmware update options which should be enabled. Even so, understand your device lifecycle. Firmware updates are only going to be available for a few years, so they need to be replaced every four to five years. An advantage of replacement is inclusion of support for new network and security capabilities.

 

[Murray] The home router is the wall that protects the home network from the hostile traffic on the public networks. It is key to both home and network security. Its configuration, and its default settings, are crucial. D-Link routers are very popular. Google is your friend; query "How to configure D-Link router?" Start with changing the default "admin" password.



Read more in:

ZDNet: Hacker group has been hijacking DNS traffic on D-Link routers for three months

https://www.zdnet.com/article/hacker-group-has-been-hijacking-dns-traffic-on-d-link-routers-for-three-months/

Ars Technica: Ongoing DNS hijackings target unpatched consumer routers

https://arstechnica.com/information-technology/2019/04/ongoing-dns-hijackings-target-unpatched-consumer-routers/

Bad Packets: Ongoing DNS hijacking campaign targeting consumer routers

https://badpackets.net/ongoing-dns-hijacking-campaign-targeting-consumer-routers/


****************************  SPONSORED LINKS  ******************************


1) Ixia's Vision ONE is a device that enables organizations to gain visibility into threats and manage security operations within a single platform. Learn More: http://www.sans.org/info/211675


2) Register for this webcast to learn how to take back control of your DNS traffic and prevent threats. http://www.sans.org/info/211680


3) What challenges do you face with incidents and breaches? Take the 2019 SANS Integrated Incident Response Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/211685

 

*****************************************************************************

REST OF THE WEEK'S NEWS      

 

--Woman Who Allegedly Tried to Sneak Into Mar-a-Lago Arrested

(April 2 & 3, 2019)

A woman with a Chinese passport was arrested last weekend for allegedly trying to gain access to the Mar-a-Lago country club. The suspect was allegedly carrying several cell phones, a laptop, an external storage drive and a USB drive containing malware. Yujing Zhang was arrested after she tried to sneak into a party at the Florida resort, which belongs to the US president.


[Editor Comments]


[Pescatore] I worked for the US Secret Service back in the 1980s. Protecting the President is a unique issue, but, these news items do have some nuggets to use in convincing CEOs and Directors that foreign governments use tactics like this to try to compromise the top levels of industrial targets, too. Many (I think most, these days) large companies pay attention to this when executives go on international travel, but it's good to remind them that they are targets of physical compromises at their homes (or on vacation), too.


[Henry] This is a prime example of the intersection of physical and cybersecurity. Focusing on the information environment is prudent and logical, though we can't ignore physical access to devices. Adversaries will try to remotely access your enterprise. They may also try to get someone hired into your company to gain access, co-opt an existing employee in your company to gain access, or physically compromise hardware through close access. Security needs to be holistic and "360 degrees"; it requires a whole of organization response, and a comprehensive and in-depth proactive evaluation program.


Read more in:

Ars Technica: Woman from China, with malware in tow, illegally entered Trump's Mar-a-Lago

https://arstechnica.com/tech-policy/2019/04/woman-from-china-carrying-malware-on-thumb-drive-illegally-entered-trump-resort/

Wired: Mar-a-Lago's Security Problems Go Way Beyond a Thumb Drive

https://www.wired.com/story/trump-mar-a-lago-security-problems/

The Register: Mystery of the Chinese woman who allegedly tried to sneak into Trump's Mar-a-Lago with a USB stick of malware

https://www.theregister.co.uk/2019/04/02/trump_china_malware_usb_stick/

 
 

--Apache Patches Critical HTTP Server Flaw

(April 3 & 4, 2019)

Apache has released an updated version of Apache HTTP Server to address a critical flaw that could be exploited to gain root control of vulnerable systems. The privilege elevation issue occurs when the server resets. Users are urged to upgrade to Apache HTTP Server version 2.4.39 or later.


Read more in:

Ars Technica: Serious Apache server bug gives root to baddies in shared host environments

https://arstechnica.com/information-technology/2019/04/serious-apache-server-bug-gives-root-to-baddies-in-shared-host-environments/

SC Magazine: Critical vulnerability in Apache HTTP Server patched

https://www.scmagazine.com/home/security-news/vulnerabilities/critical-vulnerability-in-apache-http-server-patched/

The Register: A patchy Apache a-patchin: HTTP server gets fix for worrying root access hole

https://www.theregister.co.uk/2019/04/03/apache_server_fix/

US CERT (CISA): Apache Releases Security Update for Apache HTTP Server

https://www.us-cert.gov/ncas/current-activity/2019/04/04/Apache-Releases-Security-Update-Apache-HTTP-Server

httpd.apache: Apache HTTP Server 2.4 vulnerabilities/Fixed in Apache httpd 2.4.39

https://httpd.apache.org/security/vulnerabilities_24.html

 
 

--New Jersey High School Students Arrested for Allegedly Deliberately Crashing School's WiFi

(April 3, 2019)

Two New Jersey high school students have been arrested and charged with committing computer criminal activity and conspiracy to commit computer criminal activity for allegedly disrupting their school's WiFi. The disruption prevented teachers from giving tests or teaching lessons that required Internet.


[Editor Comments]


[Neely] Network security in education remains a challenge of balancing service availability and security. When introducing internet dependent activities, it is necessary to have provisions for delivering content in the event of a service disruption as education funding is generally insufficient to cover a true high availability solution.


[Murray] This is tragic. After we teach high school freshman that what they put on the public networks may follow them to the grave, we need to teach them that what they may see as a "prank," the law may treat as an attack on the infrastructure.


Read more in:

SC Magazine: Freshmen hack high school WiFi to avoid a test

https://www.scmagazine.com/home/security-news/mobile-security/freshmen-hack-high-school-wifi-to-avoid-a-test/

New York CBS Local: Police: Secaucus High School Freshmen Hacked School's Wi-Fi, Made Life Difficult For Teachers For Week

https://newyork.cbslocal.com/2019/04/02/police-secaucus-high-school-freshmen-hacked-schools-wi-fi-made-life-difficult-for-teachers-for-week/

 
 

--Xiaomi Fixes SDK Interaction Problem in Pre-Installed Phone App

(April 4, 2019)

Xiaomi has released a fix for a vulnerability in an app that comes pre-installed on the company's mobile phones. Guard Provider is the default security app for Xiaomi phones. The flaw could be exploited to conduct man-in-the middle attacks. The app has three different anti-virus brands built in that users can choose from as default. Each has a different software development kit (SDK); interactions between two of the SDKs led to the vulnerability.


Read more in:

ZDNet: Vulnerability found in Xiaomi phones' pre-installed security app

https://www.zdnet.com/article/vulnerability-found-in-xiaomi-phones-pre-installed-security-app/

Threatpost: This Preinstalled Mobile Security App Delivered Vulnerabilities, Not Protection

https://threatpost.com/this-preinstalled-mobile-security-app-delivered-vulnerabilities-not-protection/143468/

 
 

--Bayer Says Foreign Hackers Infiltrated Computers

(April 4, 2019)

German pharmaceutical company Bayer says that hackers placed malware in its computer system. Bayer detected the infection in 2018, monitored the intruders' activity, and then removed the malware from its systems. Bayer says the attackers used malware known as WINNTI, which has been linked to the Wicked Panda Chinese hacking group.  


Read more in:

Reuters: Bayer contains cyber attack it says bore Chinese hallmarks

https://www.reuters.com/article/us-bayer-cyber/bayer-contains-cyber-attack-it-says-bore-chinese-hallmarks-idUSKCN1RG0NN

Cyberscoop: German drug giant Bayer blames Chinese hacking group Wicked Panda for breach: report

https://www.cyberscoop.com/bayer-breach-china-wicked-panda/

 
 

--US Data Centers Hacked to Spread Malware

(April 4, 2019)

Hackers have been using US data centers to spread malware, including Dridex and GandCrab. The campaign, which is believed to have involved 10 different families of malware, has been active since at least May 2018. The operation appears to be the work of the Necurs botnet operators. The malware involved was used to steal funds from banks around the world.  


[Editor Comments]


[Pescatore] Risk rating services, like BitSight and SecurityScorecard, have pointed out many cloud or hosting services that have high levels of traffic from known malware command and control sights. However, it is often not easy to tell whether that is because legitimate customers have been compromised or bad guys are directly paying for hosted services. Physical storage rental places have been used by criminal enterprises for many years in the physical world, too.


Read more in:

Cyberscoop: Nevada data center used to distribute Dridex, GandCrab malware right under the FBI's nose

https://www.cyberscoop.com/necurs-botnet-nevada-data-center-bromium/

Dark Reading: Threat Group Employs Amazon-Style Fulfillment Model to Distribute Malware

https://www.darkreading.com/attacks-breaches/threat-group-employs-amazon-style-fulfillment-model-to-distribute-malware/d/d-id/1334345

Bromium: Mapping Out a Malware Distribution Network

https://www.bromium.com/mapping-malware-distribution-network/

 
 

--Ohio Teen Faces Charges for Alleged Swatting

(April 4, 2019)

A teenager in Ohio has been charged in connection with dozens of phony emergency calls. The unnamed individual has been charged with 40 felonies and 33 misdemeanors. The investigation leading to the charges was prompted by a call made to law enforcement authorities in Putnam County, New York.


Read more in:

Ars Technica: Teenager hit with 73 counts for "swatting" calls

https://arstechnica.com/tech-policy/2019/04/teenager-hit-with-73-counts-for-swatting-calls/

Putnam Sheriff: Swatting Incident in Putnam County Leads to Arrest of a 17-Year-Old in Ohio on 73 Criminal Charges

https://www.putnamsheriff.com/news/swatting-incident-putnam-county-leads-arrest-17-year-old-ohio-73-criminal-charges

 
 

--Senator Introduces Bill to Punish CEOs for Security Breaches

(April 2, 2019)

US Senator Elizabeth Warren has introduced a bill that would punish executives when their companies experience security breaches due to negligence. The Corporate Executive Accountability Act would impose prison sentences of up to a year for first offenses; CEOs who repeatedly preside over organizations that experience such breaches would face longer sentences. The penalty would apply only to companies that have been convicted of violating the law or have settled claims with regulators, and whose annual revenue exceeds US $1 billion.


[Editor Comments]


[Murray] Punish "negligence," not "breaches." If one is going to punish negligence, one should do so without regard to breaches. The executives involved in breaches, including "CEOs," are being punished; they are losing their jobs and their reputations. No need to "pile on."  


Read more in:

Ars Technica: Elizabeth Warren wants jail time for CEOs in Equifax-style breaches

https://arstechnica.com/tech-policy/2019/04/elizabeth-warren-wants-to-jail-negligent-ceos-in-some-data-breaches/

 

INTERNET STORM CENTER TECH CORNER

 

Compromised LaCie Drive Spread Fake AntiVirus

https://isc.sans.edu/forums/diary/Fake+AV+is+Back+LaCie+Network+Drives+Used+to+Spread+Malware/24802/


Security Awareness Newsletter: Making Passwords Simple

https://www.sans.org/security-awareness-training/resources/making-passwords-simple


Unpatched SOP Vulnerability in Internet Explorer/Edge

https://thehackernews.com/2019/03/microsoft-edge-ie-zero-days.html


Vulnerable SmartWatches "Defaced"

https://api.heise.de/svc/embetty/tweet/1112326532939374593-images-0

https://www.heise.de/newsticker/meldung/Vidimensio-Smartwatches-Der-Sicherheits-Alptraum-geht-weiter-4359967.html


Verizon Users Phished for Credentials

https://blog.lookout.com/mobile-phishing-verizon


Large Leak of Facebook User Data via 3rd Party App

https://www.upguard.com/breaches/facebook-user-data-leak


Ghidra Tips for IDA users: Automatic Comments for API Call Parameters

https://isc.sans.edu/forums/diary/A+few+Ghidra+tips+for+IDA+users+part+0+automatic+comments+for+API+call+parameters/24806/


Arbitrary Command Execution in PostgreSQL

https://medium.com/greenwolf-security/authenticated-arbitrary-command-execution-on-postgresql-9-3-latest-cd18945914d5


New Waves of Scans Detected By An Old Rule

https://isc.sans.edu/forums/diary/New+Waves+of+Scans+Detected+by+an+Old+Rule/24812/


Xiaomi GuardApp Vulnerable to Man in the Middle

https://blog.checkpoint.com/2019/04/04/xiaomi-vulnerability-when-security-is-not-what-it-seems/


Xwo Web Scanner Hunting for MongoDB

https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner


Apache Fixes Privilege Escalation Flaw

https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2019-0211


IRS Themed Phishing Emails

https://www.proofpoint.com/us/threat-insight/post/tax-themed-email-campaigns-target-2019-filers



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create