

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #42

May 28, 2019

NSA's Tool Used in Ransomware Attacks; GA Voting Machine Case Moving Forward; IG Says EPA is Not Following Its Own Vulnerability Rules; NASA Cybersecurity Claims Continuous Diagnostics and Mitigation Implementation is Helpful




****************************************************************************

SANS NewsBites                 May 28, 2019                Vol. 21, Num. 042

****************************************************************************

TOP OF THE NEWS

 

  NSA's EternalBlue is Being Used in Ransomware Attacks

  GA Voting Machine Challenge Allowed to Move Forward

  Inspector General: EPA Not Following Agency Vulnerability Remediation Policy

  NASA Cybersecurity Enhanced by Continuous Diagnostics and Mitigation


REST OF THE WEEK'S NEWS       


  Legislators Want State Dept. and Intelligence Agencies to Help Prevent Sales of Offensive Cyber Tools to Some Foreign Governments

  Cryptopia Cryptocurrency Exchange Files for Bankruptcy After Theft

  Increased Scanning for BlueKeep RDP Flaw

  First American Mortgage Data Leak

  Philadelphia Court Systems Infected with Virus


INTERNET STORM CENTER TECH CORNER

**********************************************************************************

CYBERSECURITY TRAINING UPDATE

-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019

-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019

-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019

-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019

-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019

-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019

-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019

-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019

-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019

-- SANS OnDemand and vLive Training
Get a Free GIAC Certification Attempt or Take $350 Off your OnDemand or vLive course. Offer ends May 29.
https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
 
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/courses
https://www.sans.org/cyber-security-skills-roadmap

 

*********************** Sponsored By AWS Marketplace *************************


AWS Education Series: Endpoints in the Cloud, Guidance for Evaluating AWS Marketplace Endpoint Security Solutions. SANS instructor David Hazer and Optiv's cloud security practice leader Joe Vadakkan discuss design and architecture considerations, capabilities vs. needs, criteria points and questions to ask providers during the live webcast on June 12, 2019, 2PM ET. http://www.sans.org/info/212975


*****************************************************************************


TOP OF THE NEWS  

 --NSA's EternalBlue is Being Used in Ransomware Attacks

(May 25 & 26, 2019)

The ransomware attack that has crippled the city of Baltimore's computer systems was fueled in part by a hacking tool developed by the National Security Agency (NSA). Dubbed EternalBlue by the NSA, the tool was stolen and leaked by a group known as Shadow Brokers in 2017. EternalBlue appears to have played a part in attacks against other cities' IT systems, as well as systems at hospitals, airports, and other industries. Former NSA employees speaking anonymously said that prior to its theft, the agency considered EternalBlue such a useful tool that it did not consider telling Microsoft about the flaws it exploited until EternalBlue was leaked online.   


Read more in:

NYT: In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc

https://www.nytimes.com/2019/05/25/us/nsa-hacking-tool-baltimore.html

CNET: Stolen NSA hacking tool now victimizing US cities, report says

https://www.cnet.com/news/stolen-nsa-hacking-tool-now-victimizing-us-cities-report-says/

The Hill: Hacking tool responsible for attacks on Baltimore, other cities developed by NSA: report

https://thehill.com/policy/cybersecurity/445612-hacking-tool-responsible-for-attack-on-baltimore-other-cities-developed


 

--GA Voting Machine Challenge Allowed to Move Forward

(May 21, 2019)

A US district judge in the state of Georgia has ruled that a lawsuit challenging Georgia's use of paperless touchscreen voting machines may move forward. The lawsuit seeks to have voters use hand-marked ballots instead. State attorneys had asked Judge Amy Totenberg to dismiss the lawsuit. In her order, Judge Totenberg noted that the request to dismiss "completely ignore[s] the reality faced by election officials across the country underscored by Plaintiffs' allegations that electronic voting systems are under unceasing attack."


[Editor Comments]


[Pescatore] I think even the voting machine companies have come around to the need for a physical record of voting actions. States should think of the old machines the way they had to think about asbestos insulation and lead paint - yes, expensive to replace the stuff you bought before you knew it was toxic but can you really stand up and tell the public "It's OK, you're safe?"


[Neely] Replacing existing vulnerable electronic voting systems on an expedited timeline may be more economical than the lawsuit and associated efforts needed to regain voter confidence, both of which will consume resources otherwise needed to implement a secure voting solution.


Read more in:

NYT: Judge Won't Toss Suit Challenging Georgia Voting Machines

https://www.nytimes.com/aponline/2019/05/21/us/ap-us-voting-machines-georgia.html


 

--Inspector General: EPA Not Following Agency Vulnerability Remediation Policy

(May 23 & 24, 2019)

The US Environmental Protection Agency's (EPA) tool for managing cybersecurity vulnerabilities is not being used by some EPA offices, according to the agency's inspector general. Despite the existence of an automated tool to log, manage, and track vulnerabilities, some agency components have developed their own plans and processes to track and manage cybersecurity issues. One EPA information security staff member said their office tracks issues in a spreadsheet, managing its own vulnerability remediation specifically to avoid oversight from the rest of the agency. The IG also found that the system that holds the plans has vulnerabilities of its own, including inadequate access controls that allow unauthorized users to change audit logs.


[Editor Comments]


[Pescatore] This one is kind of a rat's nest of systemic problems, but one thing stands out to me: the "we don't have enough staff" excuse was trotted out yet the IG interviews found at least one group was not entering vulnerabilities into the official tracking system in order to prevent "external parties within the EPA from having oversight of their office's remediation activities." Badly broken processes and poor governance seem to drive "let's throw more people and budget at it" responses, with predictably bad results.


[Neely] While the EPA is expecting to leverage CDM to provide better visibility into system status and remediation efforts, they will also need to address groups that wish to avoid oversight. When the centralized system management is disruptive to a specific program, these concerns have to be addressed and suitable processes implemented, such as adjusted scanning and patching windows before enterprise oversight will be embraced.


Read more in:

MeriTalk: EPA Failing to Monitor for Cyber Weaknesses, IG Says

https://www.meritalk.com/articles/epa-failing-to-monitor-for-cyber-weaknesses-ig-says/

Nextgov: EPA Cybersecurity Weaknesses Are Going Untracked and Unpatched

https://www.nextgov.com/cybersecurity/2019/05/epa-cybersecurity-weaknesses-are-going-untracked-and-unpatched/157226/

EPA: Insufficient Practices for Managing Known Security Weaknesses and System Settings Weaken EPA's Ability to Combat Cyber Threats

https://www.epa.gov/sites/production/files/2019-05/documents/_epaoig_20190521-19-p-0158.pdf

 
 

--NASA Cybersecurity Enhanced by Continuous Diagnostics and Mitigation

(May 22, 2019)

A NASA official says that implementing the Department of Homeland Security's Continuous Diagnostics and Mitigation (CDM) program has helped the agency a great deal, noting that "We know more now than we did three years ago about what's on NASA's network," which has improved the agency's response to cyber risks.


[Editor Comments]


[Pescatore] This news item is short on metrics, and knowing more about what is on the network doesn't by itself improve security, but CDM adoption moving agencies to 72 hour visibility and vulnerability assessment cycles is the needed foundation for change and improvement in risk reduction - ideally by avoiding the common vulnerabilities and more rapid mitigation of the unavoidable ones.


[Paller] CDM adoption is a claim that many agencies are making, and yet they are not using the data to mitigate their security flaws. CDM can be a powerful tool, but most federal agencies see it as pretty charts and compliance with DHS requirements while continuing to (mis)manage security without the benefit of reliable data.


[Neely] The CDM program provides visibility to hardware, software, and vulnerability information across the agency. The difficult part is to capture mitigations, such as segmentation that isolates systems that cannot be hardened, so their status is listed with an appropriately adjusted indication of risk. At this time OT and Cloud are out of scope for CDM. Expect requirements for cloud to emerge as monitoring capabilities mature.


Read more in:

Nextgov: NASA Official Credits DHS' Cyber Tools with Transforming Its Cyber Stance

https://www.nextgov.com/cybersecurity/2019/05/nasa-official-credits-dhs-cyber-tools-transforming-its-cyber-stance/157204/


****************************  SPONSORED LINKS  ******************************


1) ICYMI: "Increasing Visibility with Ixia's Vision ONE" with Serge Borso and Taran Singh. Register: http://www.sans.org/info/212980

2) ICYMI: "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" get it here: http://www.sans.org/info/212985

3) SURVEY: How is your organization responding to the threats that matter? Take this SANS survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/212990

 

*****************************************************************************

REST OF THE WEEK'S NEWS   

    

--Legislators Want State Dept. and Intelligence Agencies to Help Prevent Sales of Offensive Cyber Tools to Some Foreign Governments

(May 20, 2019)

US legislators have asked the Secretary of State and the Director of National Intelligence to help stop private companies from making offensive cyber tools available to foreign governments "for uses that do not comport with US law or values." A letter signed by 10 members of the House of Representatives references a "press account" about a US company that used former NSA employees to help "develop technical capabilities" for the United Arab Emirates (UAE); those capabilities were then reportedly used to conduct surveillance on "foreign journalists, political dissidents, and US citizens."


Read more in:

Reuters: U.S. lawmakers call on spy chief to rein in spread of hacking tools

https://www.reuters.com/article/us-usa-cyber-congress/u-s-lawmakers-call-on-spy-chief-to-rein-in-spread-of-hacking-tools-idUSKCN1SQ1ZK

Malinowski: Letter to Secretary Pompeo and Director Coats

https://malinowski.house.gov/sites/malinowski.house.gov/files/Surveillance%20letter%20-%20signed%20final.pdf

 
 

--Cryptopia Cryptocurrency Exchange Files for Bankruptcy After Theft

(May 24 & 27, 2019)

New Zealand-based cryptocurrency exchange Cryptopia has filed for bankruptcy protection in the US after hackers stole US $16 million worth of cryptocurrency earlier this year. Shareholders decided to close the company in March. Cryptopia reportedly still has millions of dollars in assets that liquidators are trying to distribute to the correct account holders, but the information necessary to determine how much each account holder is owed is on servers run by a company that is terminating its business relationship with Cryptopia and demanding US $2 million before it will allow access to the data.


Read more in:

Bloomberg: New Zealand Crypto Firm Hacked to Death, Seeks U.S. Bankruptcy

https://www.bloomberg.com/news/articles/2019-05-24/new-zealand-crypto-firm-hacked-to-death-seeks-u-s-bankruptcy

CryptoNews: Cryptopia's Liquidator Rushes to Protect Users Data in Arizona

https://cryptonews.com/news/cryptopia-s-liquidator-rush-to-protect-users-data-in-arizona-3938.htm

Grant Thornton: Order Granting Emergency Motion for Provisional Relief

https://www.grantthornton.co.nz/globalassets/1.-member-firms/new-zealand/pdfs/11---order-granting-emergency-motion-for-provisional-relief.pdf

 

--Increased Scanning for BlueKeep RDP Flaw

(May 26, 2019)

Over the weekend, a threat intelligence company detected increased scanning for Windows systems that have not patched the BlueKeep Remote Desktop Protocol (RDP) vulnerability. Microsoft released fixes for the flaw on Tuesday, May 14 as part of its monthly security update. In a nod to the severity of the issue, the company also released fixes for Windows XP, Vista, and other operating systems that are no longer actively supported. Users have been urged to patch as soon as possible, because the flaw is wormable: it could be exploited by self-propagating malware without any user interaction.


[Editor Comments]


[Neely] While there are still no published exploits for this flaw, security companies have successfully developed exploits. Long story short: patch now and disable unneeded RDP.


[Murray] As a rule, it is more important to patch thoroughly than urgently. There are exceptions.


Read more in:

ZDNet: Intense scanning activity detected for BlueKeep RDP flaw

https://www.zdnet.com/article/intense-scanning-activity-detected-for-bluekeep-rdp-flaw/

 
 

--First American Mortgage Data Leak

(May 24 & 27, 2019)

First American Mortgage Corp., a real estate title insurance company, has acknowledged that 885 million files were inadvertently exposed due to a flaw in the company's document transfer system. The affected documents date as far back as 2003 and contain bank account numbers, tax and mortgage records, and other sensitive information.


[Editor Comments]


[Murray] Save your CEO's job. Ensure that you do not store privileges, capabilities, or sensitive data in the clear in URLs.  

Read more in:

KrebsOnSecurity: First American Financial Corp. Leaked Hundreds of Millions of Title Insurance Records

https://krebsonsecurity.com/2019/05/first-american-financial-corp-leaked-hundreds-of-millions-of-title-insurance-records/

Reuters: First American says product defect could have caused customer data exposure

https://www.reuters.com/article/us-first-am-cyber/first-american-says-product-defect-could-have-caused-customer-data-exposure-idUSKCN1SV017

Axios: First American mortgage data exposure leaked 885 million files

https://www.axios.com/first-american-mortgage-data-exposure-leaked-885-million-files-3bf3cf48-7d1f-44ff-9ce0-3312204bb6c0.html

 
 

--Philadelphia Court Systems Infected with Virus

(May 23, 2019)

According to a spokesperson for the city of Philadelphia, "The First Judicial District has experienced a virus intrusion on a limited number of computers." Websites and some electronic services related to the city's court system have been unavailable since early last week. Staff members have been unable to access email, although the incident has not disrupted the court's schedule.  


Read more in:

Philly: Computer virus prompts city to shut down court websites, programs

https://www.philly.com/news/philadelphia-computer-virus-first-judicial-district-court-system-20190523.html

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Customizing NMAP Service Detection

https://isc.sans.edu/forums/diary/Video+nmap+Service+Detection+Customization/24970/


MacOS GateKeeper Bypass

https://www.fcvl.net/vulnerabilities/macosx-gatekeeper-bypass


Fortinet FortiOS SSL VPN Vulnerabilities

https://fortiguard.com/psirt



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create