40+ Cyber Security Courses at SANSFIRE in Washington DC! Save up to $350 thru 4/24.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #29

April 12, 2019

Election Systems in All 50 States Targeted in 2016; Ottawa Hit by Business eMail Fraud


 

****************************************************************************

SANS NewsBites               April 12, 2019                Vol. 21, Num. 029

****************************************************************************


TOP OF THE NEWS


  Hackers Targeted Election Systems in All 50 States in 2016

  City of Ottawa, Canada Was Hit by Business eMail Fraud


REST OF THE WEEK'S NEWS


  Triton Malware Used in Another Attack

  Patch Tuesday

  Google Wants to Block Risky File Downloads in Chrome

  Julian Assange Arrested in London; US Unseals Conspiracy Charge

  Verizon Patches FiOS Routers

  IRS Needs Cybersecurity Talent Now

  Bill Would Help Fund State and Local Government Cybersecurity

  National Guard Members Participating in Cyber Shield 19 Exercise

  Flaw in WordPress Yuzo Related Posts Plugin is Being Actively Exploited


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Security West 2019 | San Diego, CA | May 9-16 | https://www.sans.org/event/security-west-2019


-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019


-- Cloud Security Summit & Training 2019 | San Jose, CA | April 29-May 6 | https://www.sans.org/event/cloud-security-summit-2019


-- Pen Test Austin 2019 | April 29-May 4 | https://www.sans.org/event/pen-test-austin-2019


-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019


-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019


-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019


-- SANS OnDemand and vLive Training

Get an iPad, Samsung Galaxy Tab A, or $250 Off with OnDemand or vLive training. Offer ends April 17.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


************************ Sponsored By Authentic8 ****************************


The browser connects the modern world but every click could mean a risk to your business. With Silo, users are always secure, compliant, and anonymous online.  http://www.sans.org/info/211756


*****************************************************************************


TOP OF THE NEWS

 

--Hackers Targeted Election Systems in All 50 States in 2016

(April 10, 2019)

A Joint Intelligence Bulletin issued by the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) to state and local authorities said that hackers targeted election systems in all 50 states during the 2016 election cycle. The bulletin says that "the FBI and DHS assess that Russian government cyber actors probably conducted research and reconnaissance against all US states' election networks leading up to the 2016 Presidential elections."


Read more in:

Ars Technica: DHS, FBI say election systems in all 50 states were targeted in 2016

https://arstechnica.com/information-technology/2019/04/dhs-fbi-say-election-systems-in-50-states-were-targeted-in-2016/


 

--City of Ottawa, Canada Was Hit by Business eMail Fraud

(April 9, 2019)

In July 2018, the city treasurer of Ottawa, Canada wired nearly US$100,000 (CAD$ 130,000) to scammers in an instance of business email fraud. In a report to the city council, Ottawa auditor general said that city financial staff failed to follow money transfer rules. The report also noted several other problems that helped make the theft possible, including the lack of formal written wire transfer payment rules.


[Editor Comments]


[Pescatore] This is a good item to use as the basis of a tabletop exercise for your management team and/or Board of Directors. It highlights how targeted attacks can be, how easily unauthenticated email can be spoofed and how frequently prudent manual or form-driven processes are routinely bypassed to get things done quickly. Getting their backing to enable and require DMARC can raise the bar against spoofing significantly.


[Murray] One can only wonder whatever happened to multi-party controls and out-of-band confirmation. Management should prefer such controls to trying to fix human gullibility.


Read more in:

IT World Canada: How the city of Ottawa was stung by email fraud

https://www.itworldcanada.com/article/how-the-city-of-ottawa-was-stung-by-email-fraud/416840

CTV News: Ottawa city treasurer transfers $130K of taxpayer funds to email fraudsters

https://www.ctvnews.ca/canada/ottawa-city-treasurer-transfers-130k-of-taxpayer-funds-to-email-fraudsters-1.4371900


****************************  SPONSORED LINKS  ******************************


1) Join Sonrai Security CTO Sandy Bird for Webcast: Why Identity & Data Access Is the New "Perimeter" For Securing Data in The Cloud http://www.sans.org/info/211761


2) Webcast April 18th, 1PM ET: VMware to introduce their service-defined #firewall. See how it can protect your modern applications, featuring SANS expert John Pescatore. Register for webcast:  http://www.sans.org/info/211766


3) What challenges do you face with incidents and breaches? Take the 2019 SANS Integrated Incident Response Survey and enter for a chance to win a $400 Amazon gift card. http://www.sans.org/info/211771


*****************************************************************************

REST OF THE WEEK'S NEWS      

 

--Triton Malware Used in Another Attack

(April 10, 2019)

Triton malware was first detected when it was used against a petrochemical plant in Saudi Arabia in 2017. The malware is particularly threatening because it has the ability to disable safety systems that are designed to shut down processes in the event of an accident. FireEye says it has investigated a second incident in which Triton was used to target an industrial control system at a different unnamed company in the Middle East. Triton, also known as Trisis, is so named because it is designed to target Triconex safety instrumented systems (SIS) controllers, which are made by Schneider Electric.  


Read more in:

Threatpost: SAS 2019: Triton ICS Malware Hits A Second Victim

https://threatpost.com/triton-ics-malware-second-victim/143658/

Wired: A Peek Into the Toolkit of the Dangerous 'Triton' Hackers

https://www.wired.com/story/triton-hacker-toolkit-fireeye/

Dark Reading: Triton/Trisis Attacks Another Victim

https://www.darkreading.com/vulnerabilities---threats/triton-trisis-attacks-another-victim/d/d-id/1334388

ZDNet: Triton hackers return with new, covert industrial attack

https://www.zdnet.com/article/triton-hackers-return-with-new-industrial-attack/

Ars Technica: Mysterious safety-tampering malware infects a second critical infrastructure site

https://arstechnica.com/information-technology/2019/04/mysterious-safety-tampering-malware-infects-a-2nd-critical-infrastructure-site/

 
 

--Patch Tuesday

(April 9 & 11, 2019)

Microsoft's patch Tuesday release includes fixes for more than 70 vulnerabilities across a range of its products. The issues fixed include two privilege elevation flaws that are being exploited in the wild.  Microsoft has blocked some updates for users of Sophos and Avast products after reports that the updates were causing serious problems. Adobe's security updates include fixes for flaws in Flash Player and Adobe Reader and Acrobat.


Read more in:

KrebsOnSecurity: Patch Tuesday Lowdown, April 2019 Edition

https://krebsonsecurity.com/2019/04/patch-tuesday-lowdown-april-2019-edition/

ZDNet: Microsoft's April Patch Tuesday comes with fixes for two Windows zero-days

https://www.zdnet.com/article/microsofts-april-patch-tuesday-comes-with-fixes-for-two-windows-zero-days/

ZDNet: Adobe patch update squashes critical code execution bugs

https://www.zdnet.com/article/adobe-patch-update-squashes-critical-code-execution-bugs/

The Register: Patch blues-day: Microsoft yanks code after some PCs are rendered super secure (and unbootable) following update

https://www.theregister.co.uk/2019/04/11/microsoft_sophos/

ZDNet: Windows 7 problems: Microsoft blocks April updates to systems at risk of freezing

https://www.zdnet.com/article/windows-7-problems-microsoft-blocks-april-updates-to-systems-at-risk-of-freezing/

Bleeping Computer: Microsoft's April 2019 Updates are Causing Windows to Freeze

https://www.bleepingcomputer.com/news/microsoft/microsofts-april-2019-updates-are-causing-windows-to-freeze/

MSRC: Security Update Summary

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

Adobe: Updates available for Adobe Flash Player | APSB19-19

https://helpx.adobe.com/security/products/flash-player/apsb19-19.html

Adobe: Security updates available for Adobe Acrobat and Reader | APSB19-17

https://helpx.adobe.com/security/products/acrobat/apsb19-17.html

 
 

--Google Wants to Block Risky File Downloads in Chrome

(April 10, 2019)

Google is considering blocking some risky file downloads in future versions of its Chrome browser. Specifically, Google wants to block certain executable and archive downloads that are delivered over an HTTP connection initiated from an HTTPS website. The file types that would be blocked include exe, dmg, crx, zip, gzip, rar, tar, and bzip.


[Editor Comments]


[Pescatore] Go for it, Google and Mozilla! The vast, vast majority of mobile phone and tablet users can't download any executables *and they don't miss it at all!!*  If I had a time machine, I'd go back to about 1993 and tell Bill Gates and Marc Andreessen "When you start making it easy to connect Windows users to the Internet, don't allow any executables to be download through browsers! Nothing good will come of it! Much bad will!!


Read more in:

ZDNet: Google Chrome engineers want to block some HTTP file downloads

https://www.zdnet.com/article/google-chrome-engineers-want-to-block-some-http-file-downloads/

Bleeping Computer: Google Wants To Block Potentially Risky Non-Secure Downloads

https://www.bleepingcomputer.com/news/security/google-wants-to-block-potentially-risky-non-secure-downloads/

 
 

--Julian Assange Arrested in London; US Unseals Conspiracy Charge

(April 11, 2019)

WikiLeaks founder Julian Assange was arrested in London on Thursday, April 11, after the Ecuadorian government suspended his citizenship and evicted him from its UK embassy. According to a press release from the US Justice Department, Assange "was arrested today in the United Kingdom pursuant to the U.S./UK Extradition Treaty, in connection with a federal charge of conspiracy to commit computer intrusion for agreeing to break a password to a classified U.S. government computer." (Please note that the WSJ story is behind a paywall.)


Read more in:

NYT: Julian Assange Arrested in London as U.S. Unseals Hacking Conspiracy Indictment

https://www.nytimes.com/2019/04/11/world/europe/julian-assange-wikileaks-ecuador-embassy.html

Motherboard: Julian Assange's Charges Are Centered on Hacking, Not Publishing Classified Information

https://motherboard.vice.com/en_us/article/mb8qyn/julian-assange-charged-with-hacking-conspiracy-not-publishing

Ars Technica: Julian Assange arrested, charged with conspiracy to hack US computers

https://arstechnica.com/tech-policy/2019/04/british-police-arrest-julian-assange-on-behalf-of-the-us-government/

Justice: WikiLeaks Founder Charged in Computer Hacking Conspiracy

https://www.justice.gov/usao-edva/pr/wikileaks-founder-charged-computer-hacking-conspiracy

WSJ: WikiLeaks Founder Julian Assange Arrested, Charged With Computer Hacking Conspiracy (paywall)

https://www.wsj.com/articles/julian-assange-arrested-in-london-11554976241

 
 

--Verizon Patches FiOS Routers

(April 9 & 10, 2019)

Verizon has pushed out a firmware update for its FiOS Quantum Gateway routers to fix three flaws. The vulnerabilities could allow an attacker to gain unauthorized access to an unpatched router and from there, make their way onto a user's network. Users who have this router can check the settings to make sure they have the latest firmware.


Read more in:

eWeek: Tenable Discloses Verizon Fios Router Vulnerabilities

https://www.eweek.com/security/tenable-discloses-verizon-fios-router-vulnerabilities

Engadget: Verizon patches FiOS routers to fix three security flaws

https://www.engadget.com/2019/04/10/verizon-patches-fios-routers-to-fix-three-security-flaws/

 
 

--IRS Needs Cybersecurity Talent Now

(April 9 & 10, 2019)

The US Internal Revenue Service (IRS) has requested $290 million for its fiscal year (FY) 2020 budget. The agency plans to modernize its IT systems and its workforce. IRS Commissioner Chuck Rettig also wants authority to fast track hiring for cybersecurity positions and offer them salaries above the current pay scale.


Read more in:

FNN: IRS commissioner looks for hiring authority to onboard IT talent in weeks, not months

https://federalnewsnetwork.com/hiring-retention/2019/04/irs-commissioner-looks-for-hiring-authority-to-onboard-it-talent-in-weeks-not-months/

FNN: IRS commissioner: Aging workforce 'lost an entire generation' to hiring freeze

https://federalnewsnetwork.com/workforce/2019/04/irs-commissioner-aging-workforce-lost-an-entire-generation-to-hiring-freeze/

 
 

--Bill Would Help Fund State and Local Government Cybersecurity

(April 9, 2019)

A bill introduced in the US Senate would require the Department of Homeland Security (DHS) to fund cybersecurity enhancements for state and local governments. If enacted, the Cyber Resiliency Act would allow states to receive up to two grants to develop cyber resiliency plans. If the plan is approved by the DHS Secretary, the states can apply for another two grants for implementation; funds from those grants could be given to local and tribal governments. A companion bill has been introduced in the house.


Read more in:

Nextgov: Lawmakers Want to Fund Cyber Upgrades for State and Local Governments

https://www.nextgov.com/cybersecurity/2019/04/lawmakers-want-fund-cyber-upgrades-state-and-local-governments/156196/

Scribd: Cyber Resiliency Act (PDF)

https://www.scribd.com/document/405089202/Cyber-Resiliency-Act

 
 

--National Guard Members Participating in Cyber Shield 19 Exercise

(April 10, 2019)

US National Guard members from 40 states are participating in Cyber Shield, an annual extended cyber event response exercise. The National Guard members work alongside private industry partners. A National Guard Bureau official said, "The purpose [of the exercise] is to develop and train internal defensive measures, incident response, coordinate train and assist activities," This year's exercise, Cyber Shield 19, runs through April 20.


Read more in:

Fifth Domain: The National Guard decodes how to beat encrypted attacks

https://www.fifthdomain.com/dod/2019/04/10/the-national-guard-decodes-how-to-beat-encrypted-attacks/

 
 

--Flaw in WordPress Yuzo Related Posts Plugin is Being Actively Exploited

(April 11, 2019)

WordPress is urging users to uninstall the Yuzo Related Posts plugin because a flaw in the plugin is being actively exploited in cross-site scripting attacks. WordPress removed Yuzo Related Posts from its plugin directory at the end of March after an unpatched vulnerability was disclosed.


Read more in:

WordPress: Uninstall before you get hacked!

https://wordpress.org/support/topic/immportant-uninstall-before-you-get-hacked/

Threatpost: WordPress Urges Users to Uninstall Yuzo Plugin After Flaw Exploited

https://threatpost.com/wordpress-urges-users-to-uninstall-yuzo-plugin-after-flaw-exploited/143710/


 

INTERNET STORM CENTER TECH CORNER


Microsoft and Adobe Patches

https://isc.sans.edu/forums/diary/Microsoft+April+2019+Patch+Tuesday/24826/

https://helpx.adobe.com/security.html


Fake "Food Poisoning" emails in Germany (in German)

https://www.polizei-praevention.de/aktuelles/erneut-mails-mit-schadsoftware-gegen-gewerbetreibende-im-umlauf.html


Uniden Commercial IP Camera Site Hosting Malware

https://twitter.com/JayTHL/status/1116200014630596609


GMail Will Be Supporting MTA-STS and SMTP TLS Reporting

https://tools.ietf.org/html/rfc8461

https://tools.ietf.org/html/rfc8460

https://www.zdnet.com/article/gmail-becomes-first-major-email-provider-to-support-mta-sts-and-tls-reporting/


Vulnerability in Apache Axis

https://rhinosecuritylabs.com/application-security/cve-2019-0227-expired-domain-rce-apache-axis/


Golang DLL Injection Vulnerability

https://www.openwall.com/lists/oss-security/2019/04/09/1


WPA3 Dragonblood Vulnerability

http://papers.mathyvanhoef.com/dragonblood.pdf


North Korean Trojan: HOPLIGHT

https://www.us-cert.gov/ncas/analysis-reports/AR19-100A


Gaza Cybergang Group1 "SneakyPastes"

https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/


Juniper Patch Fixes Static Password in Junos OS

https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10923&actp=METADATA



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create