
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #38

May 14, 2019

WhatsApp Flaw Exploited to Infect Phones with Spyware; Loyalty Program Fraud; Cyber FastTrack Results



****************************************************************************

SANS NewsBites                 May 14, 2019                Vol. 21, Num. 038

****************************************************************************

TOP OF THE NEWS


  WhatsApp Vulnerability Exploited to Place Spyware on Phones

  Loyalty Program Fraud Increasing

  Cyber FastTrack Qualification Round Results Announced


REST OF THE WEEK'S NEWS       


  US Legislators Introduce Election Security Act

  Congressional Cybersecurity Training Resolution

  DHS, FBI Warn of Electricfish Malware Being Used by North Korean Hackers

  DOD Legislative Proposal to Add New IT Officials

  Charges Filed in Connection with SIM-Swapping Operation

  Wolters Kluwer Outage Prompts IRS to Extend Filing Deadline

  Training Officials in Supply Chain Security

  Cisco Router Flaw


INTERNET STORM CENTER TECH CORNER


*****************************************************************************


TOP OF THE NEWS

 

--WhatsApp Vulnerability Exploited to Place Spyware on Phones

(May 13 & 14, 2019)

A vulnerability in WhatsApp is being actively exploited to install spyware on mobile phones. The attackers infected targeted devices by calling them; users did not even have to answer the call. A WhatsApp representative said that the flaw, a buffer overflow vulnerability in the WhatsApp VOIP stack, was addressed in a server-side update on Friday, May 10. A fix for end-users was released on Monday, May 13.


[Neely] The vulnerability affects both Android and iOS devices. If you're actively using WhatsApp, update to the updated version; otherwise, uninstall it.


Read more in:

Ars Technica: WhatsApp vulnerability exploited to infect phones with Israeli spyware

https://arstechnica.com/information-technology/2019/05/whatsapp-vulnerability-exploited-to-infect-phones-with-israeli-spyware/

The Register: It's 2019 and a WhatsApp call can hack a phone: Zero-day exploit infects mobes with spyware

https://www.theregister.co.uk/2019/05/14/whatsapp_zero_day/

 
 

--Loyalty Program Fraud Increasing

(May 11, 2019)

Hackers are targeting loyalty program accounts both for the points they contain and the personal data they gather. Some hackers use the information to gain access to other accounts. Others steal and use or sell the points online. Some of the companies offering loyalty programs have begun implementing stronger security measures, like multi-factor authentication.   


Read more in:

NYT: Why Rewards for Loyal Spenders Are 'a Honey Pot for Hackers'

https://www.nytimes.com/2019/05/11/business/rewards-loyalty-program-fraud-security.html


 

--Cyber FastTrack Qualification Round Results Announced

(May 13, 2019)

The total number of U.S. college students who participated in Cyber FastTrack to discover their aptitude for high-end cybersecurity careers: 13,289 from 1,290 colleges (50% came from 67 colleges). The number of women who participated: 4,217 or 32% of all players. The number of students who completed enough challenges to be selected as Quarter Finalists: approximately 2,400 or 18% of all participants, and the number of students who completed at least some of the extreme challenges: 882 or 6.6% of all participants. We have good data from the UK that students who perform at this level in CyberStart Assess have the potential to become elite cyber talent as long as they are encouraged and supported along their pathways.



REST OF THE WEEK'S NEWS       

 

--US Legislators Introduce Election Security Act

(May 10 & 13, 2019)

Legislators in the US House of Representatives have introduced the Election Security Act, which would require the president to establish a "national strategy for protecting democratic institutions." It would also require voting system vendors to abide by cybersecurity standards and would require that states use paper ballots.


Read more in:

SC Magazine: Election Security Act seeks to shore up infrastructure, give states funds to protect against election cyberattacks, influence

https://www.scmagazine.com/home/security-news/government-and-defense/election-coverage/election-security-act-seeks-to-shore-up-infrastructure-give-states-funds-to-protect-against-election-cyberattacks-influence/

The Hill: House Dems reintroduce bill to protect elections from cyberattacks

https://thehill.com/policy/cybersecurity/443168-house-dems-reintroduce-bill-to-protect-elections-from-cyber-attacks

 

--Congressional Cybersecurity Training Resolution

(May 10, 2019)

A resolution introduced in the US House of Representatives would require its members and employees to undergo annual information security training. The training would be carried out by the House Chief Administrative Officer.


[Neely] NIST SP 800-53 already requires federal information systems to have training requirements and to implement training which includes addressing insider threat issues for systems using the moderate baseline which is required to protect sensitive unclassified information. While 800-53 allows the training interval to be set, some organizations are already performing training quarterly, or even monthly; by comparison, annual training seems a bit low considering the current risks for federal information systems and users.



Read more in:

The Hill: Lawmakers offer measure requiring cyber, IT training for House

https://thehill.com/policy/cybersecurity/443152-lawmakers-offer-measure-requiring-cyber-it-training-for-house

Kathleen Rice: Congressional Cybersecurity Training Resolution of 2019

https://kathleenrice.house.gov/uploadedfiles/cyber_training_res_2019.pdf

 
 

--DHS, FBI Warn of Electricfish Malware Being Used by North Korean Hackers

(May 9 & 10, 2019)

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have issued a joint warning about malware they are calling Electricfish. The malware is believed to be in use by an advanced persistent threat group with ties to North Korea's government. Electricfish uses "a custom protocol that allows traffic to be funneled between a source and a destination Internet Protocol (IP) address" to steal data and evade detection.


[Neely] The data exfiltration tool has been referred to as Fullhouse, and is a command line TCP tunneling utility that supports proxy NTLM authentication.


Read more in:

Gov Info Security: Feds Warn of 'Electricfish' Malware Linked to North Korea

https://www.govinfosecurity.com/feds-warn-electricfish-malware-linked-to-north-korea-a-12469

US-CERT: MAR-10135536-21 - North Korean Tunneling Tool: ELECTRICFISH

https://www.us-cert.gov/ncas/analysis-reports/AR19-129A

 
 

--DOD Legislative Proposal to Add New IT Officials

(May 8, 2019)

A legislative proposal from the US Defense Department (DOD) would give the Army, the Navy, and the Air Force discretion to add a fifth assistant secretary in charge of information technology. The appointee would undergo Senate confirmation. The Navy is particularly eager to add the new position because military networks are experiencing an onslaught of attacks from foreign adversaries.  


[Neely] This new position will effectively be governing Information Management strategy and cyber security, bringing those functions together to provide a cohesive plan and coordinated response, as well as provide a dedicated resource for tracking issues rather than having this be added workload on an officer's already full plate.



Read more in:

FNN: DoD proposal would establish new Senate-confirmed IT officials for Army, Navy, Air Force

https://federalnewsnetwork.com/defense-main/2019/05/dod-proposal-would-establish-new-senate-confirmed-it-officials-for-army-navy-air-force/

 
 

--Charges Filed in Connection with SIM-Swapping Operation

(May 10 & 13, 2019)

The US Department of Justice (DOJ) has charged nine people in connection with a SIM-swapping operation that stole more than US $2.4 million in cryptocurrency. The nine individuals have been charged with wire fraud. Three of the nine are former employees of mobile phone providers; they face additional charges. The group also allegedly extorted payment from people whose social media accounts they had hijacked.


Read more in:

Vice: AT&T and Verizon Employees Charged With Helping SIM Swapping Criminal Ring

https://www.vice.com/en_us/article/d3n3am/att-and-verizon-employees-charged-sim-swapping-criminal-ring

ZDNet: SIM hijacking ring which stole millions in cryptocurrency dismantled by feds

https://www.zdnet.com/article/sim-swapping-ring-which-stole-millions-dismantled-by-feds/

KrebsOnSecurity: Nine Charged in Alleged SIM Swapping Ring

https://krebsonsecurity.com/2019/05/nine-charged-in-alleged-sim-swapping-ring/

 

--Wolters Kluwer Outage Prompts IRS to Extend Filing Deadline

(May 13, 2019)

The US Internal Revenue Service (IRS) extended the filing deadline for certain tax returns following the unavailability of Wolters Kluwer's cloud accounting software services for several days last week. (Some organizations normally have a May 15 tax filing deadline.) The problems reportedly stemmed from a malware attack, although specific details have not been disclosed. Many Wolters Kluwer services are now available, and the company is working with a third-party forensics team to unearth the "root cause" of the attack.  


Read more in:

Graham Cluley: IRS extends tax filing deadline following attack on Wolters Kluwer CCH cloud accounting service

https://www.grahamcluley.com/irs-extends-tax-filing-deadline-following-attack-on-wolters-kluwer-cch-cloud-accounting-service/

Accounting Today: Offline and in the dark: Inside the CCH outage

https://www.accountingtoday.com/articles/a-massive-accounting-hack-kept-clients-offline-and-in-the-dark

 
 

--Training Officials in Supply Chain Security

(May 10, 2019)

A bill introduced in the US Senate would provide threat detection training to agency officials responsible for supply chain risk management. The Supply Chain Counterintelligence Training Act would require the Office of Management and Budget, the Office of the Director of National Intelligence, the Department of Homeland Security, and the General Services Administration to collaborate on the training program.  


[Neely] The problem with supply chain attacks is that they can completely bypass our perimeter security measures, and they can be highly targeted, if you remember the ASUS incident. Further, the problem exists not only with in-house IT, but also with business partner IT, such as cloud service providers, as those systems process your information. Training, such as this legislation seeks to create, on what to look for, access to timely threat analysis and integration into the procurement processes is critical to supply chain security.


Read more in:

FedScoop: Potential supply-chain threats prompt Senate bill on training acquisition officials

https://www.fedscoop.com/supply-chain-threats-prompt-senate-legislation-training-acquisition-officials/

 
 

--Cisco Router Flaw

(May 13, 2019)

A security issue affecting certain Cisco routers can be remotely exploited to hide spyware deep inside vulnerable devices. The flaw, dubbed Thrangrycat, affects the Trust Anchor module hardware security chip. An attacker would need to be able to log into a targeted device with administrator privileges to successfully exploit the flaw.


[Murray] This would probably not be a problem but for the number of privileged users and the absence of accountability.



[Neely] There are no current reports of exploitation. The mitigation is to apply the relevant patch to affected Cisco products. Read the Cisco advisory to identify impacted products and needed firmware updates: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190513-secureboot


Read more in:

ZDNet: Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear

https://www.zdnet.com/article/thrangrycat-flaw-lets-attackers-plant-persistent-backdoors-on-cisco-gear/

Wired: A Cisco Router Bug Has Massive Global Implications

https://www.wired.com/story/cisco-router-bug-secure-boot-trust-anchor/

The Register: It's 2019 so now security vulnerabilities are branded using emojis: Meet (Thrangrycat), a Cisco router secure boot flaw

https://www.theregister.co.uk/2019/05/13/cisco_thrangrycat_vulnerability/

Threatpost: Pair of Cisco Bugs, One Unpatched, Affect Millions of Devices

https://threatpost.com/cisco-bugs-unpatched-millions-devices/144692/

 

INTERNET STORM CENTER TECH CORNER


DSSuite - A Docker Container with Didier's Tools

https://isc.sans.edu/forums/diary/DSSuite+A+Docker+Container+with+Didiers+Tools/24926/


Sqlite3 Vulnerability

https://www.talosintelligence.com/vulnerability_reports/TALOS-2019-0777


NVIDIA Updates

https://nvidia.custhelp.com/app/answers/detail/a_id/4797


Windows 10 FIDO2 Certified

https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/


Google May Remove ADB Backup/Restore from Future Android Versions

https://www.xda-developers.com/adb-backup-and-restore-depreciated/


Linksys Unauthenticated Information Leak

https://badpackets.net/over-25000-linksys-smart-wi-fi-routers-vulnerable-to-sensitive-information-disclosure-flaw/


Linux Remote Code Execution When Closing TCP Sockets

https://github.com/torvalds/linux/commit/cb66ddd156203daefb8d71158036b27b0e2caf63


WhatsApp Buffer Overflow Exploited to Install Spyware

https://www.facebook.com/security/advisories/cve-2019-3568


Cisco Vulnerabilities Lead to Trust Anchor Module Exploit

https://thrangrycat.com/


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat, and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create