Get unparalleled cyber security training from real-world practitioners in Boston. Save $200 thru 6/26.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #45

June 7, 2019

"Sign In" with Apple Aims to Protect Users From Tracking; Hospital Pays $250,000 For False Cyber Claims; NSA Urges BlueKeep Patching





****************************************************************************

SANS NewsBites                 June 7, 2019                Vol. 21, Num. 045

****************************************************************************


TOP OF THE NEWS


  Sign In with Apple Aims to Protect Users From Tracking

  Hospital Will Pay $250,000 to Settle False Claims Act Violations

  NSA Urges BlueKeep Patching


REST OF THE WEEK'S NEWS       


  FEC Asks Company to Resubmit Request to Provide Discounted Cybersecurity Services to Campaigns

  Warrant Reveals Broad Scope of Australia's New National Security Law

  Exim Flaw "Trivially Exploitable"

  Prison Sentence for ATM Skimming Scheme

  TVA OIG Audit Finds eMail Security and Encryption Problems

  Medical Billing Payment Contractor Breach Also Affects LabCorp and Opko Health Patients

  Google Apps Found to Contain Insidious Adware

  No Eternal Blue in Baltimore Ransomware Attack


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019


-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019


-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019


-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019


-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019


-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019


-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019


-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019


-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019


-- SANS OnDemand and vLive Training

Get an iPad Mini, ASUS Chromebook Flip, or Take $250 off through June 12 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*********************** Sponsored By Corelight  ****************************


Register for "Using Zeek/Bro To Discover Network TTPs of MITRE ATT&CK​" to get an Overview of the MITRE ATT&CK framework, and learn how Corelight addresses ATT&CK TTPs related to data exfiltration and C2s.  http://www.sans.org/info/213170


*****************************************************************************


TOP OF THE NEWS  

 

--Sign In with Apple Aims to Protect Users From Tracking

(June 4 & 5, 2019)

Apple has introduced a new privacy feature called Sign In with Apple, which will use AppleIDs rather than email addresses to verify credentials. All developers that use third-party sign-ins will be required to offer it as an option to users if they offer other third-party sign-ins, like Google and Facebook. Users who want to adopt the feature will be required to add two-factor authentication to their AppleID accounts. The feature is currently in limited beta.


[Editor Comments]


[Neely] Requiring strong authentication for applications needs to become SOP. One of the attractive features is integration with Touch ID and Face ID for this form of authentication. You will still need to use your password plus a one-time code on non-Apple devices to authenticate. Irrespective of your plans to use the feature, enable two-factor authentication, if you haven't already, on your AppleID account now. Apple plans to limit information shared by its identity provider (IDP), particularly email addresses, with applications to preserve privacy. Given that AppleIDs are email addresses, it's not clear how well that will go.


Read more in:

Wired: 'Sign In with Apple' Protects You in Ways Google and Facebook Don't

https://www.wired.com/story/sign-in-with-apple-sso-google-facebook/

CNET: Sign In with Apple will come to every iPhone app: How the new privacy login tool works

https://www.cnet.com/how-to/sign-in-with-apple-will-come-to-every-iphone-app-how-the-new-privacy-login-tool-works/

Threatpost: Is 'Sign in with Apple' Marketing Spin or Privacy Magic? Experts Weigh In

https://threatpost.com/is-sign-in-with-apple-marketing-spin-or-privacy-magic-experts-weigh-in/145341/

 

--Hospital Will Pay $250,000 to Settle False Claims Act Violations

(May 31 & June 5, 2019)

A Kansas hospital will pay US $250,000 to settle allegations that it violated the False Claims Act. Coffey Health System received more than US $3 million in incentive payments through the HITECH Act's Meaningful Use Program for its use of electronic health records (EHRs). The program required that participating healthcare facilities conduct security risk analyses; Coffey Health Systems falsely claimed that it had done this in 2012 and 2013. The issue was disclosed by whistleblowers.


Read more in:

GovInfoSecurity: Hospital to Pay $250,000 After Alleged False HITECH Claims

https://www.govinfosecurity.com/hospital-to-pay-250000-after-alleged-false-hitech-claims-a-12569

Justice: Kansas Hospital Agrees to Pay $250,000 To Settle False Claims Act Allegations

https://www.justice.gov/usao-ks/pr/kansas-hospital-agrees-pay-250000-settle-false-claims-act-allegations

HIPAA Journal: Coffey Health System Agrees to $250,000 Settlement to Resolve Alleged Violations of False Claims and HITECH Acts

https://www.hipaajournal.com/coffey-health-system-agrees-to-250000-settlement-to-resolve-alleged-violations-of-false-claims-and-hitech-acts/



--NSA Urges BlueKeep Patching

(June 5, 2019)

The National Security Agency (NSA) has added its voice to the growing, urgent call for Microsoft Windows administrators to patch their systems against CVE-2019-0708, known as the "BlueKeep" vulnerability, that affects the Remote Desktop protocol (RDP). The flaw is reportedly wormable, meaning that it could be exploited to spread malware across the Internet without user interaction. The NSA recommends that "to increase resilience against this threat while large networks patch and upgrade," organizations can block TCP Port 33898 at firewalls, enable network level authentication, and disable desktop services if they are not necessary.


Read more in:

NSA: NSA Cybersecurity Advisory: Patch Remote Desktop Services on Legacy Versions of Windows

https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csa-bluekeep_20190604.pdf

DUO: NSA Joins Chorus Urging Speedy Patching for Bluekeep

https://duo.com/decipher/nsa-joins-chorus-urging-speedy-patching-for-bluekeep

Nextgov: NSA Issues Warning to Patch Legacy Windows Systems Over 'Wormable' Threat

https://www.nextgov.com/cybersecurity/2019/06/nsa-issues-warning-patch-legacy-windows-systems-over-wormable-threat/157518/

SC Magazine: NSA urges admins to patch BlueKeep vulnerability

https://www.scmagazine.com/home/security-news/vulnerabilities/nsa-urges-admins-to-patch-bluekeep-vulnerability/


****************************  SPONSORED LINKS  ******************************


1) Don't Miss "Authentication: It's All About the User Experience" with Matt Bromiley and Hormazd Romer.  http://www.sans.org/info/213175


2) Infoblox webinar "DDI data - a Critical Enabler of SOAR" with Srikrupa Srivatsan and Dave Shackleford.  Register:   http://www.sans.org/info/213180


3) VMRay Webcast "Hitting the Silent Alarm on Banking Trojans" with Jake Williams, Rohan Viegas, Tamas Boczan.  Register: http://www.sans.org/info/213185


*****************************************************************************

REST OF THE WEEK'S NEWS       


--FEC Asks Company to Resubmit Request to Provide Discounted Cybersecurity Services to Campaigns

(June 4, 5, & 6, 2019)

Last month, the US Federal Elections Commission (FEC) granted the non-profit organization Defending Digital Campaigns permission to provide US campaigns with discounted cybersecurity tools to help protect election-related data. However, this week, FEC lawyers recommended against granting a request from Area 1 to provide discounted cybersecurity services to campaigns. The New York Times notes that "federal laws prohibit corporations from offering free or discounted cybersecurity services to federal candidates. The same law also blocks political parties from offering candidates cybersecurity assistance because it is considered an 'in-kind donation.'" At a public hearing on Thursday, June 6, the FEC questioned Area 1 and then requested that Area 1 refile its request with a simpler explanation of how it would determine which campaigns were eligible for its discounted services.


[Editor Comments]


[Pescatore] The cost of the products is probably the least of the obstacles to presidential campaign security - the lack of cybersecurity skills to implement and operate an effective cybersecurity program is the major deficiency. Thus, I don't think the campaign staffs will benefit from having every security vendor out there bombarding them with "use our software or services for free" offers. The Defending Digital Campaigns non-profit comes out of the Belfer Center for Science and International Affairs at Harvard Kennedy School, which after the 2016 presidential elections set up the Defending Digital Democracy Project, led by former campaign managers of Republican and Democratic presidential campaigns *and* bringing in a strong (and growing) set of security advisors. The DDC approach starts with "campaign cybersecurity playbooks" and has the DDC acting as the system integrator to partner with vendors who donate both product *and skilled staff* to provide both campaign teams with a level playing field for a high level of security. I think our national election systems should be equally protected across all states and the candidate campaign infrastructures should be equally protected across all candidates.


Read more in:

NYT: Election Rules Are an Obstacle to Cybersecurity of Presidential Campaigns

https://www.nytimes.com/2019/06/06/technology/ftc-rules-cyberattacks.html

Wired: A Push to Protect Political Campaigns From Hackers Hits a Snag

https://www.wired.com/story/fec-campaign-law-cybersecurity-limits/

FEC: June 6, 2019 open meeting (2:00 PM)

https://www.fec.gov/updates/june-6-2019-open-meeting/

 

--Warrant Reveals Broad Scope of Australia's New National Security Law

(June 6, 2019)

A warrant executed by the Australian Federal Police (AFP) on the Australian Broadcasting Corporation's (ABC's) computer systems allows the AFP to "add, copy, delete, or alter" data in the computers. The new powers come from Australia's Telecommunications and Other Legislation Amendment (Assistance and Access) Act of 2018. The Acting AFP Commissioner says that the intent of those powers is to allow law enforcement to move data around during the warrant's execution.


Read more in:

ZDNet: Huge scope of Australia's new national security laws reveals itself

https://www.zdnet.com/article/huge-scope-of-australias-new-national-security-laws-reveals-itself/

 

--Exim Flaw "Trivially Exploitable"

(June 5, 2019)

A critical flaw in the Exim mail transfer agent (MTA) could be exploited to locally, and in certain cases remotely, execute code on vulnerable devices. Exim is running on 57 percent of all email servers. The vulnerability affects Exim versions 4.87 through 4.91. The issue is fixed in version 4.92.  


[Editor Comments]


[Williams] A local attacker can trivially elevate privileges. While most mail servers don't allow users shell access, those that do should consider this a "drop everything" patch. Those in that situation who don't patch in the next 24-48 hours should assume breach. On the other hand, the remote path for exploitation identified by the researchers requires the connection to the mail server to be established for seven days. While a faster path might be discovered, this flaw doesn't appear to offer immediate remote code execution.


Read more in:

Duo: Odd Bug Haunts Exim Mail Agent

https://duo.com/decipher/odd-bug-haunts-exim-mail-agent

ZDNet: New RCE vulnerability impacts nearly half of the internet's email servers

https://www.zdnet.com/article/new-rce-vulnerability-impacts-nearly-half-of-the-internets-email-servers/

Open wall: Qualys Security Advisory

https://www.openwall.com/lists/oss-security/2019/06/05/4

 

--Prison Sentence for ATM Skimming Scheme

(June 3 & 4, 2019)

Bogdan Viorel Rusu has been sentenced to more than five years in prison for his role in an ATM card-skimming scheme. Rusu and/or his co-conspirators installed skimmers on ATMs in several northeastern US states and used the pilfered information to steal money from bank accounts. Rusu, who is from Romania, received the sentence in federal court in Massachusetts.


Read more in:

Bleeping Computer: Romanian ATM Skimmer Gets Over 5 Years of Jail Time

https://www.bleepingcomputer.com/news/security/romanian-atm-skimmer-gets-over-5-years-of-jail-time/

Justice: Romanian National Sentenced for Multi-State ATM Card Skimming Scheme

https://www.justice.gov/opa/pr/romanian-national-sentenced-multi-state-atm-card-skimming-scheme

 

--TVA OIG Audit Finds eMail Security and Encryption Problems

(June 5, 2019)

A report from the Tennessee Valley Authority (TVA) inspector general found that 115 of 116 registered internet domains on which it tested for email security requirements set by the Office of Management and Budget (OMB) failed to meet those requirements. The auditors also found inadequate encryption on 20 of 55 TVA websites tested. A TVA official accepted the findings and said the agency will work to correct the deficiencies.


[Editor Comments]


[Neely] The root of the problem appears to be that TVA didn't have a full inventory of domains or web servers. The domains they were tracking were compliant. Processes for domain registration and web site creation need to be integrated with IT inventory processes supported by regular discovery scans, to include domain registrar checking.


Read more in:

OIG: Request for Management decision -- Audit 2018-15607 -- Enhanced E-Mail and Web Security Compliance

https://oig.tva.gov/reports/19rpts/2018-15607.pdf

TimesFreePress: Audit says TVA fails to comply with new federal cyber security measures

https://www.timesfreepress.com/news/breakingnews/story/2019/jun/04/audit-says-tva-fails-comply-new-federal-cyber-security-measures/496013/

InfoSecurity Magazine: Tennessee Valley Authority Isn't Compliant with Federal Directives

https://www.infosecurity-magazine.com/news/tva-noncompliant-with-federal-1/

 

--Medical Billing Payment Contractor Breach Also Affects LabCorp and Opko Health Patients

(June 4, 5, & 6, 2019)

Two additional companies have disclosed that their patients' data were compromised in a data breach at medical billing contractor American Medical Collection Agency (AMCA). Earlier this week, the breach was acknowledged to have compromised information of close to 12 million Quest Diagnostic patients. In a Securities and Exchange Commission (SEC) filing, LabCorp disclosed that the breach affected 7.7 million of its patients, including payment card information of about 200,000 of patients who paid their bills through the AMCA website. On Thursday, June 6, Opko Health revealed that AMCA informed them that data of 422,600 of its patients were also compromised.


[Editor Comments]


[Neely] Expect all businesses using AMCA collection services, which also goes by the name "Retrieval-Masters Credit Bureau" to be impacted by the breach. Even so, disclosure and reparation responsibilities lie with the organization that hired their services, such as Opko, not AMCA.


[Murray] At a minimum, third party processors that want your business should provide you with a list of the security features, properties, and functions that they provide and what they expect you to do with them. Failing that, one must create such documentation and get the third party to agree to it. Only then can one conclude that the result is safe for the intended application and environment.  


Read more in:

Reuters: Opko Health says over 400,000 customers likely affected by data breach

https://www.reuters.com/article/us-opko-health-cyber/opko-health-says-over-400000-customers-likely-affected-by-data-breach-idUSKCN1T71UL

SC Magazine: 7.7 million LabCorp patients affected by same breach that impacted Quest Diagnostics

https://www.scmagazine.com/home/security-news/data-breach/7-7-million-labcorp-patients-affected-by-same-breach-that-impacted-quest-diagnostics/

CNET: Collections firm breach exposes data on 7.7M LabCorp customers

https://www.cnet.com/news/collections-firm-breach-exposes-data-on-7-7m-labcorp-customers/

DarkReading: Healthcare Breach Expands to 19.6 Million Patient Accounts

https://www.darkreading.com/informationweek-home/healthcare-breach-expands-to-196-million-patient-accounts/d/d-id/1334889

KrebsOnSecurity: LabCorp: 7.7 Million Consumers Hit in Collections Firm Breach

https://krebsonsecurity.com/2019/06/labcorp-7-7m-consumers-hit-in-collections-firm-breach/

GovInfoSecurity: 7.7 Million LabCorp Patients Added to AMCA Breach Tally

https://www.govinfosecurity.com/77-million-labcorp-patients-added-to-amca-breach-tally-a-12573

SEC: Form 8-K: Laboratory Corporation of America Holdings

https://www.sec.gov/Archives/edgar/data/920148/000119312519165091/d757830d8k.htm

 

--Google Apps Found to Contain Insidious Adware

(June 4, 2019)

Adware found in nearly 240 Android apps in the Google Play store delivers out-of-app ads, displaying them on devices' lock screens and launching audio and video advertisements even when a device is asleep. The problematic apps are all from a single publisher, and the adware was well-hidden within each. The affected apps have been either removed from the Google Play store or updated to clean versions.


[Editor Comments]


[Neely] Watch for updates to clean versions or Play Protect to uninstall banned applications. The application publisher, CooTek, has disabled/removed the module in their SDK, which was both encrypted and had the decryption key obfuscated to avoid detection; even so, use caution unless you have a known good version of one of their apps.


Read more in:

Ars Technica: 238 Google Play apps with >440 million installs made phones nearly unusable

https://arstechnica.com/information-technology/2019/06/238-google-play-apps-with-440-million-installs-made-phones-nearly-unusable/

Dark Reading: Adware Hidden in Android Apps Downloaded More Than 440 Million Times

https://www.darkreading.com/attacks-breaches/adware-hidden-in-android-apps-downloaded-more-than-440-million-times/d/d-id/1334877

 

--No Eternal Blue in Baltimore Ransomware Attack

(June 3 & 4, 2019)

It now appears that the Eternal Blue hacking tool was not used in the ransomware attack that took down IT systems at the city of Baltimore. Eternal Blue is part of a trove of stolen NSA hacking tools leaked to the Internet in 2017. Although the tool could possibly have been used to propagate the "Robbinhood" ransomware used in the Baltimore attack, it is unlikely, according to a malware analyst.


[Editor Comments]


[Williams] Unless Baltimore had significant security instrumentation on their network (and there's no indication of that), then there's no way to say for sure whether EternalBlue was used.


Read more in:

KrebsOnSecurity: Report: No 'Eternal Blue' Exploit Found in Baltimore City Ransomware

https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/

Cyberscoop: Sen. Van Hollen: Government sees no EternalBlue in Baltimore ransomware attack

https://www.cyberscoop.com/sen-van-hollen-government-sees-no-eternalblue-baltimore-ransomware-attack/



*****************************************************************************

INTERNET STORM CENTER TECH CORNER


GoldBrute Botnet Brute Forcing RDP

https://isc.sans.edu/forums/diary/GoldBrute+Botnet+Brute+Forcing+15+Million+RDP+Servers/25002/


Exim Vulnerability

https://isc.sans.edu/forums/diary/Time+is+partially+on+our+side+the+new+Exim+vulnerability/25008/


Vulnerability in Notepad

https://threatpost.com/researcher-exploits-microsofts-notepad-to-pop-a-shell/145242/


Vulnerability in vim/neovim

https://github.com/numirias/security/blob/master/doc/2019-06-04_ace-vim-neovim.md


RDP Session Hijack Vulnerability

https://kb.cert.org/vuls/id/576688/


Android Monthly Update

https://source.android.com/security/bulletin/2019-06-01


Google Chrome Updates

https://chromereleases.googleblog.com/2019/06/stable-channel-update-for-desktop.html


MacOS Malware Injects Bing Ads

https://www.airoav.com/mitm-proxy-a-new-search-hijack-method-on-mojave/


Kubernetes Vulnerability

https://github.com/kubernetes/kubernetes/issues/78308


Vulnerabilities in Phishing Kits

https://blogs.akamai.com/sitr/2019/06/identifying-vulnerabilities-in-phishing-kits.html


iOS App Developers Disabling TLS

https://www.wandera.com/mobile-security/ios-app-developer-security-shortcuts/

 

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create