

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #39

May 17, 2019

Microsoft Issues Extraordinary Patch - Including for XP; Executive Order for Banning Technologies; Lessons from Colorado's Ransomware Attack


SANS NewsBites                 May 17, 2019                Vol. 21, Num. 039



  Microsoft Patch Tuesday Includes Fixes for XP and Other Unsupported Systems

  Executive Order Gives Commerce Secretary Authority to Ban Use of Certain Technologies

  Lessons from Colorado's DOT Ransomware Attack



  Google Will Replace Misconfigured Bluetooth Low Energy Titan Security Keys

  New Class of Flaws Affects Intel Chips

  Microsoft Patch Tuesday

  International Effort Takes Down Cybercrime Group

  San Francisco Bans Facial Recognition

  Adobe Releases Critical Updates for Flash, Reader, Acrobat and Media Encoder

  Fighting Back Against IP Address Scams

  Some Ransomware Recovery Companies Have Been Paying the Ransom




-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019

-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019

-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019

-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019

-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019

-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019

-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019

-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019

-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019

-- SANS OnDemand and vLive Training

Get a Free GIAC Certification Attempt or Take $350 Off your OnDemand or vLive course. Offer ends May 29.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap



****************************  Sponsored By Ixia  *****************************

ICYMI:  "Increasing Visibility with Ixia's Vision ONE" - Visibility into network structures and endpoints is vital to security and intelligence operations. Ixia's Vision ONE is a device that enables organizations to gain visibility into threats and manage security operations within a single platform. Register:  http://www.sans.org/info/212820




--Microsoft Patch Tuesday Includes Fixes for XP and Other Unsupported Systems

(May 14, 15, & 16, 2019)

Among the many fixes in Microsoft's May Patch Tuesday release are patches for a critical Remote Desktop Services vulnerability (CVE-2019-0708) in Windows XP and other systems that Microsoft no longer supports. The last time Microsoft released a fix for XP was two years ago, when WannaCry was spreading. Microsoft says this vulnerability poses an equally serious threat: it sits in a pre-authentication code path and can be exploited by connecting to a vulnerable Remote Desktop Services listener over the Internet, so it is wormable. Microsoft has also made fixes available for Windows Server 2003, Windows 7, and Windows Server 2008. The issue does not affect Windows 8 or Windows 10. An estimated 3.57 percent of Windows machines are still running Windows XP, which translates to tens of millions of machines, some of them in hospitals and industrial plants.

[Editor Comments]

[Neely] Per the Microsoft bulletin, there is no mitigation or workaround for this vulnerability. Even so, consider systems that offer RDP services directly to the Internet as the exploit can be triggered by anonymously sending a specially-crafted packet to the system.


[Honan] If Microsoft are taking the threat relating to this vulnerability seriously enough to issue a patch for Windows XP, then that should be the warning you need to treat this seriously and apply those patches.
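The first thing a defender needs after reading this item is a list of which RDP listeners on the perimeter will set up a session for an anonymous client. The following is an added example, not code from the SANS page, Microsoft or the articles referenced here. It sends the X.224 Connection Request that opens every RDP connection, asking for standard RDP security only, and classifies the server's Connection Confirm: machines of the Windows XP / Server 2003 generation answer with a bare Confirm and no negotiation data at all, a server that accepts standard security answers with selectedProtocol 0, and a server that enforces Network Level Authentication refuses with HYBRID_REQUIRED_BY_SERVER. Patch state is not visible on the wire, and Microsoft's advisory lists NLA only as a partial mitigation (an attacker with valid credentials can still reach the bug), so treat the output as a prioritisation aid for patching, not as proof that a host is safe. The packet layouts follow MS-RDPBCGR as recalled by the author; the byte strings used to exercise the parser are constructed, not captured traffic, and the script filename in the usage note is hypothetical.

```python
"""Probe which RDP listeners will build a session before any credentials are checked.

Added example; not code from the SANS page, Microsoft or the referenced articles.
Layouts follow the MS-RDPBCGR X.224 Connection Request / Confirm carrying
rdpNegData (RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE).
"""
import socket
import struct

# requestedProtocols / selectedProtocol values
PROTOCOL_RDP = 0x00000000     # standard RDP security: session first, logon screen later
PROTOCOL_SSL = 0x00000001     # TLS
PROTOCOL_HYBRID = 0x00000002  # CredSSP, i.e. Network Level Authentication (NLA)

TYPE_RDP_NEG_REQ = 0x01
TYPE_RDP_NEG_RSP = 0x02
TYPE_RDP_NEG_FAILURE = 0x03
HYBRID_REQUIRED_BY_SERVER = 0x00000005

FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested_protocols: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU + RDP_NEG_REQ."""
    # RDP_NEG_REQ: type(1) flags(1) length(2, little-endian, always 8) requestedProtocols(4, LE)
    neg_req = struct.pack("<BBHI", TYPE_RDP_NEG_REQ, 0, 8, requested_protocols)
    # X.224 CR: LI counts everything after itself: code(1) DST-REF(2) SRC-REF(2) class(1) + neg_req
    x224 = struct.pack(">BBHHB", 6 + len(neg_req), 0xE0, 0, 0, 0) + neg_req
    # TPKT: version 3, reserved, total length (big-endian)
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224


def parse_connection_confirm(data: bytes) -> dict:
    """Classify the X.224 Connection Confirm the server sent back."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT-framed X.224 response")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length field disagrees with data length")
    if data[5] != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    neg = data[11:]
    if not neg:
        # Servers predating protocol negotiation (the XP / Server 2003 generation)
        # answer with a bare Connection Confirm: standard RDP security, NLA impossible.
        return {"negotiates": False, "nla": False, "protocol": PROTOCOL_RDP}
    if len(neg) < 8:
        raise ValueError("truncated rdpNegData")
    neg_type, _flags, _length, value = struct.unpack("<BBHI", neg[:8])
    if neg_type == TYPE_RDP_NEG_RSP:
        return {"negotiates": True, "nla": value == PROTOCOL_HYBRID, "protocol": value}
    if neg_type == TYPE_RDP_NEG_FAILURE:
        # A server that insists on CredSSP refuses our non-NLA request with code 5.
        return {"negotiates": True, "nla": value == HYBRID_REQUIRED_BY_SERVER,
                "failure": FAILURE_CODES.get(value, value)}
    raise ValueError(f"unexpected rdpNegData type {neg_type:#x}")


def _recv_tpkt(sock: socket.socket) -> bytes:
    """Read exactly one TPKT-framed PDU, sized by the length in its header."""
    header = b""
    while len(header) < 4:
        chunk = sock.recv(4 - len(header))
        if not chunk:
            raise ConnectionError("connection closed before TPKT header")
        header += chunk
    total = struct.unpack(">H", header[2:4])[0]
    body = header
    while len(body) < total:
        chunk = sock.recv(total - len(body))
        if not chunk:
            raise ConnectionError("connection closed mid-PDU")
        body += chunk
    return body


def probe_rdp(host: str, port: int = 3389, timeout: float = 5.0) -> dict:
    """Ask for standard RDP security only. A bare Confirm or selectedProtocol 0 means
    the server builds a session for an anonymous client; HYBRID_REQUIRED means NLA first."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connection_request(PROTOCOL_RDP))
        return parse_connection_confirm(_recv_tpkt(sock))


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        try:
            print(target, probe_rdp(target))
        except (OSError, ValueError) as exc:
            print(target, "error:", exc)
```

Run it only against addresses you own or are authorised to test, for example `python rdp_probe.py 203.0.113.10 203.0.113.11`. Any host that comes back with "negotiates": False belongs to the legacy population this story is about and should be patched or taken off the Internet first; hosts answering with protocol 0 are next.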

Read more in:

Technet: Prevent a worm by updating Remote Desktop Services (CVE-2019-0708)


Wired: Microsoft's First Windows XP Patch in Years is a Very Bad Sign


BBC: Global virus fear prompts update for old Windows


Dark Reading: Microsoft Patches Wormable Vuln in Windows 7, 2003, XP, Server 2008


Ars Technica: Microsoft warns wormable Windows bug could lead to another WannaCry


The Register: Microsoft emits free remote-desktop security patches for WinXP to Server 2008 to avoid another WannaCry



--Executive Order Gives Commerce Secretary Authority to Ban Use of Certain Technologies

(May 16, 2019)

The White House has used an executive order to declare a national emergency that grants the Secretary of Commerce the authority to prohibit American companies from purchasing certain companies' communications technologies. The order also gives the Commerce Secretary the authority to establish an enforcement framework.  

Read more in:

SC Magazine: Trump national emergency on info security allows ban on Huawei


ZDNet: Trump signs executive order banning US telcos from buying or using foreign gear


Cyberscoop: White House executive order sets path for ban on Huawei


MeriTalk: White House EO Creates Fed Authority To Ban Foreign Communications Gear


White House: Executive Order on Securing the Information and Communications Technology and Services Supply Chain



--Lessons from Colorado's DOT Ransomware Attack

(May 15, 2019)

Ten days after Colorado's Department of Transportation was hit with SamSam ransomware in February 2018, the governor declared the incident a disaster, allowing the state to bring in help from the National Guard and from other states and to create a unified command structure to help establish recovery priorities. It was the first time a cyberattack had been declared a disaster.

[Editor Comments]

[Neely] This highlights a need for updating disaster plans as well as an effective path to obtaining needed resources, paving the way for other states to better respond to future incidents.

Read more in:

Statescoop: What Colorado learned from treating a cyberattack like a disaster


****************************  SPONSORED LINKS  ******************************

1) ICYMI: "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" get it here: http://www.sans.org/info/212830

2) Attend the inaugural SANS Enterprise Defense Summit in Redondo Beach, CA -  June 3-4


3) How is your organization responding to the threats that matter? Take this SANS survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/212840




--Google Will Replace Misconfigured Bluetooth Low Energy Titan Security Keys

(May 15, 2019)

A misconfiguration in the Bluetooth pairing protocols of the Bluetooth Low Energy version of Google's Titan Security Key could be exploited to communicate with the key or with the device to which the key is paired. An attacker would need to be within about 30 feet of the targeted device while it is being used or paired. Google's advisory identifies affected units by a "T1" or "T2" marking on the back of the key; Google will replace affected devices at no cost. The USB-only Titan key is not affected.

Read more in:

Google Security Blog: Advisory: Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys


Wired: Google Will Replace Titan Security Key Over a Bluetooth Flaw


The Register: Titan-ic disaster: Bluetooth blunder sinks Google's 2FA keys, free replacements offered


ZDNet: Google to replace faulty Titan security keys


Ars Technica: Google warns Bluetooth Titan security keys can be hijacked by nearby hackers


Threatpost: Google Titan Security Key Recalled After Bluetooth Pairing Bug



--New Class of Flaws Affects Intel Chips

(May 14 & 15, 2019)

Intel has disclosed a new class of speculative execution side-channel attacks affecting its processors. The attacks differ from Meltdown and Spectre and their variants because they leak data in flight in the CPU's internal buffers (store buffers, fill buffers, and load ports) rather than from the cache. Intel calls the flaws Microarchitectural Data Sampling, or MDS. The flaws have been addressed at the hardware level in more recently released Intel products, and Intel has released microcode updates; operating system and hypervisor vendors have released corresponding software updates.

[Editor Comments]

[Neely] As researchers assess other ways speculative execution can be abused, expect more MDS family types of flaws. These are currently low risk due to the degree of difficulty to exploit. Beware of attention-getting names, and accompanying icons, like ZombieLoad, that shift focus from the true risk to the headlines.

Read more in:

Wired: Meltdown Redux: Intel Flaw Lets Hackers Siphon Secrets from Millions of PCs


Ars Technica: New speculative execution bug leaks data from Intel chips' internal buffers


Dark Reading: New Intel Vulnerabilities Bring Fresh CPU Attack Dangers


Cyberscoop: After Meltdown and Spectre, meet a new set of Intel chip flaws


Threatpost: Intel CPUs Impacted By New Class of Spectre-Like Attacks


Bleeping Computer: New RIDL and Fallout Attacks Impact All Modern Intel CPUs



--Microsoft Patch Tuesday

(May 14 & 15, 2019)

Microsoft's monthly security update for May includes fixes for nearly 80 vulnerabilities, 19 of which are rated critical. One of the flaws, a privilege elevation issue in the Windows Error Reporting service, is already being exploited in the wild. Microsoft has also released an advisory explaining its mitigation plan for the MDS attack issues that Intel disclosed earlier this week.  

[Editor Comments]

[Neely] The mitigations for MDS attacks will require both firmware and OS changes. The firmware updates are not available yet. When released, test for system impact before rolling across the enterprise.
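The point made above, and in the MDS item earlier in this issue, is that MDS mitigation has two halves, a microcode update from the firmware side and an operating system update that uses it, and a host can have one without the other. On Linux the kernel reports exactly that split through the per-vulnerability files under /sys/devices/system/cpu/vulnerabilities, with an "mds" entry added by the May 2019 kernel patches. The following is an added example, not code from the SANS page, Intel or the kernel project: it classifies those status strings so a fleet check can tell "OS patched, firmware missing" apart from "mitigated" and from "mitigated but hyperthreading still exposes the buffers". The status strings are the kernel's own; the sample host contents are constructed, and the sysfs path is read only when it exists.

```python
"""Classify Linux speculative-execution mitigation state from sysfs.

Added example; not from the SANS page, Intel or the Linux kernel project.
The /sys/devices/system/cpu/vulnerabilities/* files and the status strings
matched below are the kernel's own; the SAMPLE host is constructed.
"""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")


def classify(status: str) -> dict:
    """Turn one sysfs status line into a small structured verdict."""
    status = status.strip()
    if status == "Not affected":
        state = "not_affected"
    elif status.startswith("Mitigation:"):
        state = "mitigated"
    elif status.startswith("Vulnerable"):
        state = "vulnerable"
    else:
        state = "unknown"
    if "SMT disabled" in status:
        smt = "disabled"
    elif "SMT vulnerable" in status:
        # The kernel flags SMT separately: a sibling hyperthread can still sample the
        # shared buffers even when the VERW flush runs on every kernel exit.
        smt = "vulnerable"
    else:
        smt = "n/a"
    return {
        "state": state,
        # "Clear CPU buffers attempted, no microcode": the OS half is present but the
        # CPU lacks the microcode that makes VERW actually flush the buffers.
        "needs_microcode": "no microcode" in status,
        "smt": smt,
    }


def audit(entries: dict) -> list:
    """Entries that still need action: unmitigated first, then SMT-only exposure."""
    findings = []
    for name, status in entries.items():
        verdict = classify(status)
        if verdict["state"] == "vulnerable":
            findings.append((name, "unmitigated", verdict["needs_microcode"]))
        elif verdict["smt"] == "vulnerable":
            findings.append((name, "smt_exposed", verdict["needs_microcode"]))
    return sorted(findings, key=lambda f: f[1] != "unmitigated")


def read_sysfs(directory: Path = SYSFS_DIR) -> dict:
    """Read every vulnerability file; a missing directory means a kernel too old to report."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_text().strip() for p in directory.iterdir() if p.is_file()}


# Constructed sample: a host whose kernel carries the MDS patch but whose firmware does not,
# and whose L1TF mitigation is in place but undermined by hyperthreading.
SAMPLE = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Mitigation: Full generic retpoline, IBPB: conditional, IBRS_FW, STIBP: conditional, RSB filling",
    "spec_store_bypass": "Mitigation: Speculative Store Bypass disabled via prctl and seccomp",
    "l1tf": "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "mds": "Vulnerable: Clear CPU buffers attempted, no microcode; SMT vulnerable",
}

if __name__ == "__main__":
    live = read_sysfs()
    for finding in audit(live or SAMPLE):
        print(*finding)
```

A finding of ("mds", "unmitigated", True) is the case the editor comment describes: roll the firmware update, then re-read the file and expect "Mitigation: Clear CPU buffers". Whether to also disable SMT is a per-workload decision, since the kernel will keep reporting "SMT vulnerable" until it is off.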

Read more in:

MSRC: Release Notes: May 2019 Security Updates


KrebsOnSecurity: Microsoft Patches 'Wormable' Flaw in Windows XP, 7 and Windows 2003


SC Magazine: Microsoft's May Patch Tuesday covers ZombieLoad, WER vulnerabilities


ZDNet: Microsoft May 2019 Patch Tuesday arrives with fix for Windows zero-day, MDS attacks



--International Effort Takes Down Cybercrime Group

(May 16, 2019)

Law enforcement authorities in Bulgaria, Germany, Georgia, Moldova, Ukraine, and the US, along with Europol, worked together to take down a cybercrime group that reportedly attempted to steal US $100 million from businesses and financial institutions using the GozNym banking malware. Five members of the group have been arrested; another five remain at large. A US federal grand jury returned a criminal indictment charging 10 individuals with various offenses. A Europol statement says that the operation "exemplified the concept of 'cybercrime as a service.'"

[Editor Comments]

[Honan] This is a good example of how criminals cooperate across borders. On the flip side, it is great to see that effective international cooperation works for those on the side of good, as well.  

Read more in:

ZDNet: Cybercrime group that used malware to steal $100 million from online banking accounts shut down


Wired: Global Takedown Shows the Anatomy of a Modern Cybercriminal Supply Chain


Threatpost: Cybercrime Gang Behind GozNym Banking Malware Dismantled


Europol: GozNym Malware: Cybercriminal Network Dismantled in International Operation



--San Francisco Bans Facial Recognition

(May 14 & 15, 2019)

The City of San Francisco, California's Board of Supervisors has approved an ordinance that prohibits law enforcement and other city agencies from using facial recognition technology on city residents. The ordinance notes that "the propensity for facial recognition technology to endanger civil rights and civil liberties substantially outweighs its purported benefits." The ordinance also requires that law enforcement disclose what kinds of surveillance they are using.

Read more in:

CNET: San Francisco becomes first city to bar police from using facial recognition


ZDNet: San Francisco bans police from using facial recognition tech on residents


MeriTalk: San Francisco Bars Police, Agencies from Using Facial Recognition Tech


SF Gov: Administrative Code - Acquisition of Surveillance Technology



--Adobe Releases Critical Updates for Flash, Reader, Acrobat and Media Encoder

(May 15, 2019)

On Tuesday, May 14, Adobe released updates to address critical security issues in Flash, Reader, Acrobat, and Adobe Media Encoder. In all, Adobe issued fixes for 87 vulnerabilities; 84 of the flaws affect Adobe Reader and Acrobat.

Read more in:

ZDNet: Adobe security update released for critical Flash, Acrobat, Reader bugs


Threatpost: Adobe Addresses Critical Adobe Flash Player, Acrobat Reader Flaws


Adobe: Security bulletin for Adobe Acrobat and Reader | APSB19-18


Adobe: Security Bulletin for Adobe Flash Player | APSB19-26


Adobe: Security Updates Available for Adobe Media Encoder | APSB19-29



--Fighting Back Against IP Address Scams

(May 15, 2019)

The American Registry for Internet Numbers (ARIN) revoked more than 750,000 IPv4 addresses that had been fraudulently obtained and, in many cases, resold to spammers. The entity identified as having fraudulently obtained and resold the IPv4 addresses has been charged in federal court with twenty counts of wire fraud and has been ordered to pay ARIN US $350,000 for its legal fees.

Read more in:

KrebsOnSecurity: A Tough Week for IP Address Scammers


Bleeping Computer: Over 757K Fraudulently Obtained IPv4 Addresses Revoked by ARIN


ARIN: Interim Award of Arbitrator (PDF)


Justice: Charleston Man and Business Indicted in Federal Court in Over $9M Fraud



--Some Ransomware Recovery Companies Have Been Paying the Ransom

(May 15, 2019)

At least two companies that advertise data recovery services for ransomware victims have actually been paying the ransom. The companies often charge their clients high fees in excess of the cost of the ransom. While there are companies that openly pay ransom - often they help victims who are unfamiliar with dealing in cryptocurrency - it is not clear that other companies were forthright with their clients about their methods.

Read more in:

Pro Publica: The Trade Secret: Firms That Promised High-Tech Ransomware Solutions Almost Always Just Pay the Hackers




Microsoft Patch Tuesday


The Risk of Authenticated Vulnerability Scans


New Intel CPU Vulnerabilities


Apple Updates


Forbes Website Infected by Magecart


Malware Randomizes TLS Ciphers


Google Recalls Titan Security Keys


SAMBA Update


SAP Patches


ARIN Revokes about 735,000 IP Addresses


Instrument Landing Systems Spoofing (PDF)


More Cisco Patches (Prime Infrastructure, EPN Manager)


Broken Trustseal




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create