
Volume XXI - Issue #50

June 25, 2019

US Cyberattacks Against Iran; Iranian "Wiper" Cyberattacks Against US; Phone Carrier Data Theft Blamed on Chinese



****************************************************************************

SANS NewsBites                June 25, 2019                Vol. 21, Num. 050

****************************************************************************


TOP OF THE NEWS


  US Launched Cyberattacks Against Iran's Military

  DHS Warns of Iranian "Wiper" Cyberattacks Against US Systems; Analysts Report Phishing Attempts

  Phone Carrier Metadata Theft Likely the Work of Chinese Hackers


REST OF THE WEEK'S NEWS       


  New Jersey High School Teams Compete at Girls Go CyberStart Nationals

  Another BGP Route Leak Causes Verizon and Cloudflare Outages

  US Tech "Entity List" Grows

  Minnesota Police Officer Awarded $585,000 in Data Privacy Violation Case

  NASA OIG Report on Jet Propulsion Lab Security Controls

  State AGs Demand Election Security Help


INTERNET STORM CENTER TECH CORNER

 

*****************************************************************************

CYBERSECURITY TRAINING UPDATE


SANS NewsBites Default Training Update for Tuesday, June 25, 2019 (NB 21.050)


-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- SANS London July 2019 | July 8-13 | https://www.sans.org/event/london-july-2019


-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019


-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019


-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019


-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019


-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- SANS OnDemand and vLive Training

Get an iPad, Samsung Galaxy Tab A, or take $250 off through June 26 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


******************** Sponsored By AWS Marketplace **************************


AWS Education Series: How can endpoint security solutions be integrated in the cloud? SANS analyst Thomas Banasik and AWS solutions architect David Aiken describe how to deploy single-pane-of-glass visibility with integrated EDR, UBA, DLP, threat intelligence and machine learning. Live webcast: June 27, 2 PM EDT. http://www.sans.org/info/213085


*****************************************************************************

TOP OF THE NEWS  

 

--US Launched Cyberattacks Against Iran's Military

(June 22, 23, & 24, 2019)

The US reportedly launched cyberattacks against Iranian military computer networks last week, disabling systems that are used to control rocket and missile launchers. The action was taken by US Cyber Command with direct executive approval.


Read more in:

ZDNet: US launches cyber-attack aimed at Iranian rocket and missile systems

https://www.zdnet.com/article/us-launches-cyber-attack-aimed-at-iranian-rocket-and-missile-systems/

Washington Post: Trump approved cyber-strikes against Iran's missile systems

https://www.washingtonpost.com/world/national-security/with-trumps-approval-pentagon-launched-cyber-strikes-against-iran/2019/06/22/250d3740-950d-11e9-b570-6416efdc0803_story.html

The Hill: US cyber forces struck Iranian military: report

https://thehill.com/policy/cybersecurity/449908-us-cyber-forces-struck-iranian-military-report

 
 

--DHS Warns of Iranian "Wiper" Cyberattacks Against US Systems; Analysts Report Phishing Attempts

(June 20 & 24, 2019)

Over the weekend, the Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) issued a statement warning that Iranian "regime actors and proxies" are launching "wiper" cyberattacks against US government and industry targets. CISA director Christopher Krebs urged organizations to implement multi-factor authentication to help guard systems from being accessed through brute force attacks and to take other steps to improve their security posture. In a related story, analysts from CrowdStrike, Dragos, and FireEye have seen recent phishing campaigns targeting US organizations; the attacks are believed to be the work of hackers operating on behalf of Iran's government.


[Editor Comments]


[Neely] In addition to implementing multi-factor authentication (MFA), make sure that legacy protocols that don't support MFA are either disabled or tightly restricted. Additionally, awareness reminders, including spam/phishing reporting processes, would be timely.


[Honan] We are witnessing an historic era in cyber security where nation states look to punish each other using cyber-attacks rather than traditional physical strikes. These are high-stakes games being played over the networks and infrastructure we all rely on, and ultimately we all could become victims of them. To paraphrase an old quote, "Cyberwar is the failure of diplomacy."


[Murray] These so-called "wiper" attacks exploit the same vulnerabilities as "ransomware." However, they are targeted, not opportunistic, and are more likely to be exploited in times of other conflict, rather than immediately after the compromise. We continue to manage as though Sony and Saudi Aramco were anomalous events. It is time for strong authentication, least privilege access control, and end-to-end application layer encryption.  


Read more in:

MeriTalk: CISA Issues Statement on Iranian Cybersecurity Threats

https://www.meritalk.com/articles/cisa-issues-statement-on-iranian-cybersecurity-threats/

Ars Technica: DHS cyber director warns of surge in Iranian "wiper" hack attacks

https://arstechnica.com/information-technology/2019/06/dhs-cyber-director-warns-of-surge-in-iranian-wiper-hack-attacks/

Threatpost: Iran Targeting U.S. With Destructive Wipers, Warns DHS

https://threatpost.com/iran-targeting-u-s-with-destructive-wipers-warns-dhs/145950/

Wired: Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount

https://www.wired.com/story/iran-hackers-us-phishing-tensions/

 
 

--Phone Carrier Metadata Theft Likely the Work of Chinese Hackers

(June 24, 2019)

Researchers from Cybereason say that hackers who appear to be based in China have stolen metadata from at least 10 mobile phone service providers. The attack appears to be highly targeted; at one of the breached carriers, the hackers stole data related to just 20 specific individuals. The affected providers include companies in Asia, Africa, the Middle East, and Europe, but not North America. (Please note that the WSJ story is behind a paywall.)


Read more in:

Wired: A Likely Chinese Hacker Crew Targeted 10 Phone Carriers to Steal Metadata

https://www.wired.com/story/chinese-hackers-carrier-metadata/

WSJ: Global Telecom Carriers Attacked by Suspected Chinese Hackers (paywall)

https://www.wsj.com/articles/global-telecom-carriers-attacked-by-suspected-chinese-hackers-11561428003

Cyberscoop: Chinese spies have been sucking up call records at multinational telecoms, researchers say

https://www.cyberscoop.com/china-telecom-hacking-cybereason/


****************************  SPONSORED LINKS  ******************************


1) SANS Pen Test HackFest Summit - Our Call for Presentations is open! Submit a talk proposal: http://www.sans.org/info/213395


2) Keynotes announced for the inaugural SANS Supply Chain Cybersecurity Summit in Washington, DC!  Summit agenda:  http://www.sans.org/info/213400


3) New to cybersecurity? Looking to improve Pentesting, Forensic or Cyber Defense skills? Level Up with SANS! http://www.sans.org/info/213405


*****************************************************************************

REST OF THE WEEK'S NEWS       

 

--New Jersey High School Teams Compete at Girls Go CyberStart Nationals

(June 21, 2019)

New Jersey saw 13 of its Girls Go CyberStart high school teams advance to the National Competition that was held earlier this month. The New Jersey teams comprised 11 percent of those invited to the national competition. One team member said she "recommend[s] that other girls give Girls Go CyberStart a shot. It's interesting, fun, requires a lot of collaboration between team members, and really boosts your confidence as you solve different levels of challenges."  


[Editor Comments]


[Neely] That 13 of 120 teams from 27 states advancing to the finals were from New Jersey shows an amazing commitment to STEM and cyber security education. Currently the competition is only available in 27 states. The girls are organized into clubs which have advisors. Cybersecurity professionals associated with the school the club is affiliated with can be advisors.


Read more in:

Jerseys Best: Girls Go CyberStart competition proves NJ high schoolers are leading the pack in cybersecurity

https://www.jerseysbest.com/girls-go-cyberstart-competition-proves-nj-high-schoolers-are-leading-the-pack-in-cybersecurity/

 

--Another BGP Route Leak Causes Verizon and Cloudflare Outages

(June 24, 2019)

On Monday, June 24, Verizon accepted an erroneous network configuration from a small ISP in Pennsylvania, which caused traffic destined for Internet giants such as Cloudflare, Amazon, and Facebook to be routed through a Pittsburgh steel manufacturer's network. Network engineers say the problem was caused by automated networking software.


[Editor Comments]


[Neely] As the volume of interconnected networks continues to escalate, errors in routing, deliberately or accidentally introduced, have much larger consequences. Reducing the likelihood of BGP errors not only requires added technical controls, such as filtering and anti-spoofing, to ensure the accuracy of route updates but also coordination and global validation where network operators cooperate to remove or flag suspicious BGP updates.


[Murray] While we continue to focus on malice, avoidable error still does the most damage. Many insider risks are the result of errors that go unobserved and uncorrected. "The dummies have it, hands down, now and forever."


Read more in:

Cloudflare: Cloudflare System Status: Route Leak Impacting Cloudflare - Incident Report for Cloudflare

https://www.cloudflarestatus.com/incidents/46z55mdhg0t5

The Register: BGP super-blunder: How Verizon today sparked a 'cascading catastrophic failure' that knackered Cloudflare, Amazon, etc

https://www.theregister.co.uk/2019/06/24/verizon_bgp_misconfiguration_cloudflare/

Slate: How A Small ISP in Pennsylvania Tanked a Big Chunk of the Web on Monday

https://slate.com/technology/2019/06/verizon-dqe-outage-internet-cloudflare-reddit-aws.html

Washington Post: Customers report Verizon, Cloudflare disruptions

https://www.washingtonpost.com/technology/2019/06/24/verizon-amazon-web-services-outages-reported-throughout-northeastern-us

 

--US Tech "Entity List" Grows

(June 21, 22, & 24, 2019)

The US Department of Commerce has added five Chinese organizations to its "entity list," which means that they cannot buy technology components from US companies without first obtaining a waiver. The "entities," four technology companies and one institute, "have been determined by the U.S. Government to be acting contrary to the national security or foreign policy interests of the United States."


Read more in:

NYT: U.S. Blacklists More Chinese Tech Companies Over National Security Concerns

https://www.nytimes.com/2019/06/21/us/politics/us-china-trade-blacklist.html

Infosecurity Magazine: US Adds AMD Joint Venture to Entity List

https://www.infosecurity-magazine.com/news/us-adds-amd-joint-venture-to-1/

The Hill: Commerce Department blacklists five Chinese tech groups due to national security concerns

https://thehill.com/policy/cybersecurity/449777-commerce-department-blacklists-five-chinese-tech-groups-due-to-national

 
 

--Minnesota Police Officer Awarded $585,000 in Data Privacy Violation Case

(June 21, 2019)

A jury has awarded a Minneapolis, Minnesota police officer US $585,000 in a case involving violations of the state's Driver's Privacy Protection Act. In 2013, Amy Krekelberg learned that her DMV records had been accessed nearly 1,000 times over a 10-year period. Krekelberg, who was never under investigation, sued the city and two police officers who had accessed her information. Minneapolis city attorney Susan L. Segal said that in the past, officers had been encouraged to learn how the DMV database worked by looking up friends and family members. The rules have since changed and officers are now required to enter a reason for searching DMV records.


[Editor Comments]


[Neely] Broad access to records, particularly with permissions granted by the USA PATRIOT Act, needs to be moderated by requiring probable cause. While practice searches are needed to learn how to use these resources to find necessary corroboration for cases, practice searches need to be performed with permission. Want to know is not need to know; the need to access the information must be genuine. Additionally, having records of those accesses that can be requested by the public is necessary to verify the searches are authorized.

 

[Honan] Another story to show the "nothing to hide, nothing to fear brigade" on how the misuse and abuse of personal data can impact on an individual.


Read more in:

Wired: Minnesota Cop Awarded $585K After Colleagues Snooped on Her DMV Data

https://www.wired.com/story/minnesota-police-dmv-database-abuse/

 

--NASA OIG Report on Jet Propulsion Lab Security Controls

(June 19 & 24, 2019)

A report from the NASA Office of Inspector General (OIG) found "multiple IT security control weaknesses" at NASA's Jet Propulsion Laboratory (JPL). While JPL has been managed by Caltech since 1959, NASA is ultimately responsible "for ensuring Agency data and systems at JPL are secure from hackers or other forms of unauthorized access." Among the cyber incidents the report mentions is an attack discovered in April 2018 in which 500 MB of data from a major missions system was stolen. The intruders made their way into JPL systems through an unauthorized Raspberry Pi device connected to the JPL network.


[Editor Comments]


[Neely] JPL is already struggling with cyber security of existing mission systems, such as adding encryption to long range low power transmissions, mixed with the need to provide seamless access to mission data to partners and the public. The report notes that the network has unregistered or unauthorized devices and insufficient segmentation, indicating the current process may be too onerous and requirements not well defined. Using automated tools to handle device detection and registration may be more successful than adjusting the current processes. JPL is also hindered by inadequate flow-down of requirements from NASA, which are needed to achieve parity in the security implementation and operations.


[Murray] The open TCP/IP standard contributed to the growth of the Internet. That does not imply that modern enterprise networks should be open as to device connection. We do not add so many devices so often that authorization and provisioning steps would be onerous.  


Read more in:

SC Magazine: NASA takes Caltech's JPL to task over cybersecurity issues

https://www.scmagazine.com/home/network-security/nasa-takes-caltechs-jpl-to-task-over-cybersecurity-issues/

Threatpost: Feds: Cyberattack on NASA's JPL Threatened Mission-Control Data

https://threatpost.com/feds-hackers-mission-control-data-nasa-jpl/145842/

OIG.NASA: Cybersecurity Management and Oversight at the Jet Propulsion Laboratory (PDF)

https://oig.nasa.gov/docs/IG-19-022.pdf

 
 

--State AGs Demand Election Security Help

(June 18 & 19, 2019)

Attorneys general from 22 US states have asked Congress to offer more grants, equipment standards, and other kinds of election security support to local officials. A coalition of the attorneys general sent letters with the requests to the chairs and ranking members of the Senate Appropriations Committee and the Senate Rules Committee.


[Editor Comments]


[Northcutt] They probably aren't going to get much help. One powerful politician, Senate Majority Leader Mitch McConnell, feels like we have done enough to prepare for the 2020 elections:

PBS NewsHour: How the U.S. is trying to improve election security ahead of 2020

https://www.pbs.org/newshour/politics/how-the-u-s-is-trying-to-improve-election-security-ahead-of-2020

NYT: New Election Security Bills Face a One-Man Roadblock: Mitch McConnell

https://www.nytimes.com/2019/06/07/us/politics/election-security-mitch-mcconnell.html

The Hill: GOP senators divided over approach to election security

https://thehill.com/homenews/senate/449810-gop-senators-divided-over-approach-to-election-security


Read more in:

The Hill: State attorneys general demand that Congress take action on election security

https://thehill.com/policy/cybersecurity/449099-state-attorneys-general-demand-that-congress-take-action-on-election

GovInfoSecurity: 22 State Attorneys General Seek Election Security Help

https://www.govinfosecurity.com/22-state-attorneys-general-seek-election-security-help-a-12663

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Cloudflare Outage

https://blog.cloudflare.com/how-verizon-and-a-bgp-optimizer-knocked-large-parts-of-the-internet-offline-today/

https://isc.sans.edu/forums/diary/Extensive+BGP+Issues+Affecting+Cloudflare+and+possibly+others/25064/


WeTransfer Misdirects Files

https://betanews.com/2019/06/21/wetransfer-fail/


Jenkins Pillage

https://dolosgroup.io/blog/2019/6/20/pillaging-the-jenkins-treasure-chest


SSH Will Start Encrypting Secret Keys in Memory

https://marc.info/?l=openbsd-cvs&m=156109087822676&w=2


BlueKeep Patch Rate at 83.4%

https://twitter.com/RavivTamir/status/1141788586922119168


Android ADB/SSH Botnet

https://www.bleepingcomputer.com/news/security/botnet-uses-ssh-and-adb-to-create-android-cryptomining-army/


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create