Learn real-world cyber security skills from active industry experts in Anaheim. Save $150 thru 12/18.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #39

May 17, 2019

Microsoft Issues Extraordinary Patch - Including for XP; Executive Order for Banning Technologies; Lessons from Colorado's Ransomware Attack





****************************************************************************

SANS NewsBites                 May 17, 2019                Vol. 21, Num. 039

****************************************************************************


TOP OF THE NEWS


  Microsoft Patch Tuesday Includes Fixes for XP and Other Unsupported Systems

  Executive Order Gives Commerce Secretary Authority to Ban Use of Certain Technologies

  Lessons from Colorado's DOT Ransomware Attack


REST OF THE WEEK'S NEWS       

 

  Google Will Replace Misconfigured Bluetooth Low Energy Titan Security Keys

  New Class of Flaws Affects Intel Chips

  Microsoft Patch Tuesday

  International Effort Takes Down Cybercrime Group

  San Francisco Bans Facial Recognition

  Adobe Releases Critical Updates for Flash, Reader, Acrobat and Media Encoder

  Fighting Back Against IP Address Scams

  Some Ransomware Recovery Companies Have Been Paying the Ransom


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019


-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019


-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019


-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019


-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019


-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019


-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019


-- SANS OnDemand and vLive Training

Get a Free GIAC Certification Attempt or Take $350 Off your OnDemand or vLive course. Offer ends May 29.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



****************************  Sponsored By Ixia  *****************************


ICYMI:  "Increasing Visibility with Ixia's Vision ONE" - Visibility into network structures and endpoints is vital to security and intelligence operations. Ixia's Vision ONE is a device that enables organizations to gain visibility into threats and manage security operations within a single platform. Register:  http://www.sans.org/info/212820


*****************************************************************************


TOP OF THE NEWS

 

--Microsoft Patch Tuesday Includes Fixes for XP and Other Unsupported Systems

(May 14, 15, & 16, 2019)

Among the many fixes in Microsoft's Patch Tuesday for May are patches for a critical remote Desktop Services vulnerability in Windows XP and other systems that Microsoft no longer actively supports. The last time Microsoft released a fix for XP was two years ago, when WannaCry was making the rounds. Microsoft says that this vulnerability poses an equally serious threat. The flaw can be exploited by connecting to a vulnerable device over the Internet. Microsoft has also made fixes available for Windows 2003, Windows 7, and Windows Server 2008. The issue does not affect Windows 8 or Windows 10. An estimated 3.57 percent of Windows machines are still running Windows XP, which translates to tens of millions of machines, some of which are in systems at hospitals and industrial plants.


[Editor Comment]


[Neely] Per the Microsoft bulletin, there is no mitigation or workaround for this vulnerability. Even so, consider systems that offer RDP services directly to the Internet as the exploit can be triggered by anonymously sending a specially-crafted packet to the system.

 

[Honan] If Microsoft are taking the threat relating to this vulnerability seriously enough to issue a patch for Windows XP, then that should be the warning you need to treat this seriously and apply those patches.


Read more in:

Technet: Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)

https://blogs.technet.microsoft.com/msrc/2019/05/14/prevent-a-worm-by-updating-remote-desktop-services-cve-2019-0708/

Wired: Microsoft's First Windows XP Patch in Years is a Very Bad Sign

https://www.wired.com/story/microsoft-windows-xp-patch-very-bad-sign/

BBC: Global virus fear prompts update for old Windows

https://www.bbc.com/news/technology-48295227

Dark Reading: Microsoft Patches Wormable Vuln in Windows 7, 2003, XP, Server 2008

https://www.darkreading.com/endpoint/microsoft-patches-wormable-vuln-in-windows-7-2003-xp-server-2008/d/d-id/1334709

Ars Technica: Microsoft warns wormable Windows bug could lead to another WannaCry

https://arstechnica.com/information-technology/2019/05/microsoft-warns-wormable-windows-bug-could-lead-to-another-wannacry/

The Register: Microsoft emits free remote-desktop security patches for WinXP to Server 2008 to avoid another WannaCry

https://www.theregister.co.uk/2019/05/15/may_patch_tuesday/


 

--Executive Order Gives Commerce Secretary Authority to Ban Use of Certain Technologies

(May 16, 2019)

The White House has used an executive order to declare a national emergency that grants the Secretary of Commerce the authority to prohibit American companies from purchasing certain companies' communications technologies. The order also gives the Commerce Secretary the authority to establish an enforcement framework.  


Read more in:

SC Magazine: Trump national emergency on info security allows ban on Huawei

https://www.scmagazine.com/home/security-news/apts-cyberespionage/trump-national-emergency-on-info-security-allows-ban-on-huawei/

ZDNet: Trump signs executive order banning US telcos from buying or using foreign gear

https://www.zdnet.com/article/trump-signs-executive-order-banning-us-telcos-from-buying-or-using-foreign-gear/

Cyberscoop: White House executive order sets path for ban on Huawei

https://www.cyberscoop.com/white-house-executive-order-huawei-telecom-technology/

MeriTalk: White House EO Creates Fed Authority To Ban Foreign Communications Gear

https://www.meritalk.com/articles/white-house-eo-creates-fed-authority-to-ban-foreign-communications-gear/

White House: Executive Order on Securing the Information and Communications Technology and Services Supply Chain

https://www.whitehouse.gov/presidential-actions/executive-order-securing-information-communications-technology-services-supply-chain/


 

--Lessons from Colorado's DOT Ransomware Attack

(May 15, 2019)

Ten days after Colorado's Department of Transportation was hit with SamSam ransomware in February 2018, the governor declared the incident a disaster, allowing the state to bring in help from the National Guard and from other states and to create a unified command structure to help establish recovery priorities. It was the first time a cyberattack had been declared a disaster.


[Editor Comments]


[Neely] This highlights a need for updating disaster plans as well an effective path to obtaining needed resources, paving the way for other states to better respond to future incidents.


Read more in:

Statescoop: What Colorado learned from treating a cyberattack like a disaster

https://statescoop.com/what-colorado-learned-from-treating-a-cyberattack-like-a-disaster/


****************************  SPONSORED LINKS  ******************************


1) ICYMI: "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" get it here: http://www.sans.org/info/212830


2) Attend the inaugural SANS Enterprise Defense Summit in Redondo Beach, CA -  June 3-4

http://www.sans.org/info/212835


3) How is your organization responding to the threats that matter? Take this SANS survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/212840


*****************************************************************************

REST OF THE WEEK'S NEWS  

     

--Google Will Replace Misconfigured Bluetooth Low Energy Titan Security Keys

(May 15, 2019)

A misconfiguration in the Bluetooth Low Energy version of Google's Titan Security Key could be exploited to communicate with the key or with the device to which the key is paired. An attacker would need to be within 30 feet of the targeted device. Google will replace affected devices at no cost.


Read more in:

Google Security Blog: Advisory: Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys

https://security.googleblog.com/2019/05/titan-keys-update.html

Wired: Google Will Replace Titan Security Key Over a Bluetooth Flaw

https://www.wired.com/story/google-titan-security-key-recall-ble/

The Register: Titan-ic disaster: Bluetooth blunder sinks Google's 2FA keys, free replacements offered

https://www.theregister.co.uk/2019/05/15/google_titan_bluetooth_key_security_flaw/

ZDNet: Google to replace faulty Titan security keys

https://www.zdnet.com/article/google-to-replace-faulty-titan-security-keys/

Ars Technica: Google warns Bluetooth Titan security keys can be hijacked by nearby hackers

https://arstechnica.com/information-technology/2019/05/google-warns-bluetooth-titan-security-keys-can-be-hijacked-by-nearby-hackers/

Threatpost: Google Titan Security Key Recalled After Bluetooth Pairing Bug

https://threatpost.com/google-titan-security-key-recalled/144786/

 
 

--New Class of Flaws Affects Intel Chips

(May 14 & 15, 2019)

Intel has disclosed a new class of speculative execution side-channel attacks affecting its processors. The attacks differ from Meltdown and Spectre and their variants because they could leak data from CPU buffers. Intel calls the flaws Microarchitectural Data Sampling, or MDS. The flaws have been addressed at the hardware level in more recent released of Intel products, and Intel has released microcode and hypervisor updates.


[Editor Comments]


[Neely] As researchers assess other ways speculative execution can be abused, expect more MDS family types of flaws. These are currently low risk due to the degree of difficulty to exploit. Beware of attention getting names, and accompanying icons, like ZombieLoad, that shift focus from the true risk to the headlines.


Read more in:

Wired: Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs

https://www.wired.com/story/intel-mds-attack-speculative-execution-buffer/

Ars Technica: New speculative execution bug leaks data from Intel chips' internal buffers

https://arstechnica.com/gadgets/2019/05/new-speculative-execution-bug-leaks-data-from-intel-chips-internal-buffers/

Dark Reading: New Intel Vulnerabilities Bring Fresh CPU Attack Dangers

https://www.darkreading.com/vulnerabilities---threats/new-intel-vulnerabilities-bring-fresh-cpu-attack-dangers-/d/d-id/1334728

Cyberscoop: After Meltdown and Spectre, meet a new set of Intel chip flaws

https://www.cyberscoop.com/intel-chip-flaws-zombieland-ridl-fallout/

Threatpost: Intel CPUs Impacted By New Class of Spectre-Like Attacks

https://threatpost.com/intel-cpus-impacted-by-new-class-of-spectre-like-attacks/144728/

Bleeping Computer: New RIDL and Fallout Attacks Impact All Modern Intel CPUs

https://www.bleepingcomputer.com/news/security/new-ridl-and-fallout-attacks-impact-all-modern-intel-cpus/

 
 

--Microsoft Patch Tuesday

(May 14 & 15, 2019)

Microsoft's monthly security update for May includes fixes for nearly 80 vulnerabilities, 19 of which are rated critical. One of the flaws, a privilege elevation issue in the Windows Error Reporting service, is already being exploited in the wild. Microsoft has also released an advisory explaining its mitigation plan for the MDS attack issues that Intel disclosed earlier this week.  


[Editor Comments]


[Neely] The mitigations for MDS attacks will require both firmware and OS changes. The firmware updates are not available yet. When released, test for system impact before rolling across the enterprise.


Read more in:


MSRC: Release Notes: May 2019 Security Updates

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/e5989c8b-7046-e911-a98e-000d3a33a34d

KrebsOnSecurity: Microsoft Patches 'Wormable' Flaw in Windows XP, 7 and Windows 2003

https://krebsonsecurity.com/2019/05/microsoft-patches-wormable-flaw-in-windows-xp-7-and-windows-2003/

SC Magazine: Microsoft's May Patch Tuesday covers ZombieLoad, WER vulnerabilities

https://www.scmagazine.com/home/security-news/vulnerabilities/microsofts-may-patch-tuesday-covers-zombieload-wer-vulnerabilities/

ZDNet: Microsoft May 2019 Patch Tuesday arrives with fix for Windows zero-day, MDS attacks

https://www.zdnet.com/article/microsoft-may-2019-patch-tuesday-arrives-with-fix-for-windows-zero-day-mds-attacks/

 
 

--International Effort Takes Down Cybercrime Group

(May 16, 2019)

Law enforcement authorities in Bulgaria, Germany, Georgia, Moldova, Ukraine, and the US, along with Europol, worked together to take down a cybercrime group that reportedly attempted to steal US $100 million from businesses and financial institutions. Five members of the group have been arrested; another five remain at large. US federal grand jury returned a criminal indictment charging 10 individuals with various offenses. A Europol statement says that the operation "exemplified the concept of "'cybercrime as a service.'"


[Editor Comments]


[Honan] This is a good example of how criminals cooperate across borders. On the flip side, it is great to see that effective international cooperation works for those on the side of good, as well.  


Read more in:

ZDNet: Cybercrime group that used malware to steal $100 million from online banking accounts shut down

https://www.zdnet.com/article/cybercrime-group-that-used-malware-to-steal-100-million-from-online-banking-accounts-shut-down/

Wired: Global Takedown Shows the Anatomy of a Modern Cybercriminal Supply Chain

https://www.wired.com/story/goznym-takedown-cybercrime-supply-chain/

Threatpost: Cybercrime Gang Behind GozNym Banking Malware Dismantled

https://threatpost.com/cybercrime-gang-behind-goznym-banking-malware-dismantled/144795/

Europol: GozNym Malware: Cybercriminal Network Dismantled in International Operation

https://www.europol.europa.eu/newsroom/news/goznym-malware-cybercriminal-network-dismantled-in-international-operation

 
 

--San Francisco Bans Facial Recognition

(May 14 & 15, 2019)

The City of San Francisco, California's Board of Supervisors has approved an ordinance that prohibits law enforcement and other city agencies from using facial recognition technology on city residents. The ordinance notes that "the propensity for facial recognition technology to endanger civil rights and civil liberties substantially outweighs its purported benefits." The ordinance also requires that law enforcement disclose what kinds of surveillance they are using.


Read more in:

CNET: San Francisco becomes first city to bar police from using facial recognition

https://www.cnet.com/news/san-francisco-becomes-first-city-to-bar-police-from-using-facial-recognition/

ZDNet: San Francisco bans police from using facial recognition tech on residents

https://www.zdnet.com/article/san-francisco-bans-facial-recognition-tech-being-used-on-residents/

MeriTalk: San Francisco Bars Police, Agencies from Using Facial Recognition Tech

https://www.meritalk.com/articles/san-francisco-bars-police-agencies-from-using-facial-recognition-tech/

SF Gov: Administrative Code - Acquisition of Surveillance Technology

https://sfgov.legistar.com/View.ashx?M=F&ID=7012636&GUID=7864F4B2-4121-4379-B6AD-8F406C2F6547

 
 

--Adobe Releases Critical Updates for Flash, Reader, Acrobat and Media Encoder

(May 15, 2019)

On Tuesday, May 14, Adobe released updates to address critical security issues in Flash, Reader, Acrobat, and Adobe Media Encoder. In all, Adobe issued fixes for 87 vulnerabilities; eighty-four of the flaws affect Adobe Reader and Acrobat.


Read more in:

ZDNet: Adobe security update released for critical Flash, Acrobat, Reader bugs

https://www.zdnet.com/article/adobe-security-updates-released-for-critical-flash-acrobat-reader-bugs/

Threatpost: Adobe Addresses Critical Adobe Flash Player, Acrobat Reader Flaws

https://threatpost.com/adobe-flash-acrobat-reader-flaws/144716/

Adobe: Security bulletin for Adobe Acrobat and Reader | APSB19-18

https://helpx.adobe.com/security/products/acrobat/apsb19-18.html

Adobe: Security Bulletin for Adobe Flash Player | APSB19-26

https://helpx.adobe.com/security/products/flash-player/apsb19-26.html

Adobe: Security Updates Available for Adobe Media Encoder | APSB19-29

https://helpx.adobe.com/security/products/media-encoder/apsb19-29.html

 
 

--Fighting Back Against IP Address Scams

(May 15, 2019)

The American Registry for Internet Numbers (ARIN) revoked more than 750,000 IPv4 addresses that had been fraudulently obtained and in many cases, resold to spammers. The entity identified as having fraudulently obtained and resold the IPv4 addresses has been charged in federal court with twenty counts of wire fraud and has been ordered to pay ARIN USA $350,000 for its legal fees.


Read more in:

KrebsOnSecurity: A Tough Week for IP Address Scammers

https://krebsonsecurity.com/2019/05/a-tough-week-for-ip-address-scammers/

Bleeping Computer: Over 757K Fraudulently Obtained IPv4 Addresses Revoked by ARIN

https://www.bleepingcomputer.com/news/security/over-757k-fraudulently-obtained-ipv4-addresses-revoked-by-arin/

ARIN: Interim Award of Arbitrator (PDF)

https://www.arin.net/vault/about_us/corp_docs/20190506_arbitration_award_and_order.pdf

Justice: Charleston Man and Business Indicted in Federal Court in Over $9M Fraud

https://www.justice.gov/usao-sc/pr/charleston-man-and-business-indicted-federal-court-over-9m-fraud

 
 

--Some Ransomware Recovery Companies Have Been Paying the Ransom

(May 15, 2019)

At least two companies that advertise data recovery services for ransomware victims have actually been paying the ransom. The companies often charge their clients high fees in excess of the cost of the ransom. While there are companies that openly pay ransom - often they help victims who are unfamiliar with dealing in cryptocurrency - it is not clear that other companies were forthright with their clients about their methods.


Read more in:

Pro Publica: The Trade Secret: Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers

https://features.propublica.org/ransomware/ransomware-attack-data-recovery-firms-paying-hackers/

 
 

INTERNET STORM CENTER TECH CORNER


Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+May+2019+Patch+Tuesday/24934/


The Risk of Authenticated Vulnerability Scans

https://isc.sans.edu/forums/diary/The+Risk+of+Authenticated+Vulnerability+Scans/24942/


New Intel CPU Vulnerabilities

https://cpu.fail/


Apple Updates

https://support.apple.com/en-us/HT201222


Forbes Website Infected by Magecart

https://twitter.com/bad_packets/status/1128517905765683201


Malware Randomizes TLS Ciphers

https://blogs.akamai.com/sitr/2019/05/bots-tampering-with-tls-to-avoid-detection.html


Google Recalls Titan Security Keys

https://security.googleblog.com/2019/05/titan-keys-update.html


SAMBA Update

https://www.samba.org/samba/security/CVE-2018-16860.html


SAP Patches

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=520259032


ARIN Revokes about 735,000 IP Addresses

https://www.arin.net/vault/about_us/media/releases/20190513.html


Instrument Landing Systems Spoofing (PDF)

https://aanjhan.com/assets/ils_usenix2019.pdf


More Cisco Patches (Prime Infrastructure, EPN Manager)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190515-pi-rce


Broken Trustseal

https://twitter.com/gwillem/status/1127890329175244800

https://twitter.com/bestoftheweb/status/1128036593208524800



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create