
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #52

July 2, 2019

Ransomware Hits State and Local Governments Hard; US Federal Agencies Move To Electronic Records; Microsoft Requires Multi-Factor Security for Cloud Providers


SANS NewsBites                July 2, 2019                Vol. 21, Num. 052




  Ransomware: Georgia Courts Hit; Lake City, FL, Fires IT Employee; Baltimore Allocates $10 Million for Expenses

  OMB: US Federal Agencies Must Move to Electronic Record Keeping by 2022

  Microsoft Will Require Multi-Factor Security for Cloud Solution Providers



  Reuters: Western Hackers Planted Espionage Malware in Russian Internet Search Company

  Some Huawei Restrictions Eased

  Women in Security

  July Android Update

  Bulgarian Man Arrested After Posting Software Vulnerability Demo on Facebook

  Former Equifax Exec Gets Prison Sentence for Insider Trading

  Recent BGP Hijacks and Leaks




-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019

-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019

-- SANS San Francisco Summer 2019 | July 22-27 | https://www.sans.org/event/san-francisco-summer-2019

-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019

-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019

-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019

-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019

-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019

-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019

-- SANS OnDemand and vLive Training

Get an iPad Mini, Surface Go, or Take $300 Off through July 10 with OnDemand or vLive training.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap



***************************  Sponsored By  VMRay  *******************************

Analyzing Ursnif's Behavior | In this blog post VMRay Sr. Threat Researcher Tamas Boczan analyzes the behavior of known banking trojan Ursnif and demonstrates how a malware sandbox can expedite the investigation process. https://www.sans.org/info/213555



--Ransomware Cases Becoming Public: Georgia Courts Hit; Lake City, FL, Fires IT Employee; Baltimore Allocates $10 Million for Expenses

(June 28 & July 1, 2019)

More ransomware stories are becoming public.

- Georgia: The Administrative Office of the Georgia Courts disclosed its systems were infected with ransomware.

- Lake City FL: Officials in Lake City, Florida, have fired an IT employee after the city's insurance paid nearly $500,000 in ransom to regain its data.

- Baltimore: Officials have authorized US $10 million to pay for expenses from a ransomware attack that hit the city in May. The attackers asked for $80,000 but the city chose not to pay on the advice of law enforcement.


[Editor Comments]

[Paller]  These are the tip of the iceberg.

Read more in:

Ars Technica: Ryuk, Ryuk, Ryuk: Georgia's courts hit by ransomware


Wired: Ransomware Hits Georgia Courts as Municipal Attacks Spread


ZDNet: Florida city fires IT employee after paying ransom demand last week


SC Magazine: Baltimore approves $10M for ransomware relief, expects $18M in damages



--OMB: US Federal Agencies Must Move to Electronic Record Keeping by 2022

(June 28 & July 1, 2019)

The US Office of Management and Budget (OMB) is directing federal agencies to convert to all digital records by the end of 2022. The National Archives and Records Administration (NARA) will accept only digital records as of January 1, 2023. A recent audit of NARA's electronic records management oversight found that the agency was "not effectively exercising its oversight authority... . As a result, permanent electronic records are still at a significant risk of loss and destruction."

[Editor Comments]

[Pescatore] The OIG report seemed to neglect integrity - making sure that electronic records aren't altered without authorization/tracking, etc. This is very similar to voting - loss of votes is one part of the problem, the digital record of the vote being changed from what the physical action of voting actually caused is an even bigger issue.

[Neely] Converting paper to digital records requires processes to determine what constitutes a permanent record, then capture of the data currently on the paper as well as supporting meta-data to give them context, and finally storing them in read-only formats that can be read into the future, such as PDF-A. Management commitment to not only the conversion project but also implementing processes to capture current records in digital format is critical for ongoing success.

Read more in:

White House: Transition to Electronic Records


MeriTalk: OMB Directs Agencies to Make All Records Electronic


Fedscoop: OMB issues guidance on NARA's transition to electronic record keeping


Oversight.gov: Audit of NARA's Oversight of Electronic Records Management in the Federal Government



--Microsoft Will Require Multi-Factor Security for Cloud Solution Providers

(June 24 & 28, 2019)

Microsoft has updated its Partner Security Requirements. The company will require all Cloud Solution Providers (CSPs) that help organizations manage their Office365 accounts to use multi-factor authentication. When Office365 licenses are purchased from a reseller partner, that partner must have administrative privileges to help set it up. Customers have the option of removing that initial admin account after set-up. Some organizations use a CSP to get better pricing than they would if they purchased the licenses directly from Microsoft, and they may not be aware that the CSP retains the administrative account.

[Editor Comments]

[Pescatore] Since the vast majority of compromises of major cloud services are through phished credentials, good move by Microsoft. Enterprises should make sure their internal and external admins of cloud services are using strong authentication, as well.

[Murray] "Multi-factor" is not synonymous with "strong." All strong authentication is multi-factor but not all multi-factor is strong. "At least two forms of evidence, at least one of which is resistant to replay." Fraudulent credential reuse is the problem we must address.

[Neely] Whether you hire a third party to set up your cloud service, or purchase it through a third party, be cognizant of the access/privileges retained and how that access is managed. In some cases, such as a third party reseller, that access cannot be removed and that needs to be factored into your risk equation. Requiring multi-factor authentication makes account compromise harder, and is an important mitigation; having a clear understanding of third party access and how to track, limit, and log those actions is equally important for securing your services.

Read more in:

Microsoft: Partner Security Requirements


KrebsOnSecurity: Microsoft to Require Multi-Factor Authentication for Cloud Solution Providers


****************************  SPONSORED LINKS  ******************************

1) "Managed Security Services for OT Networks - Simplifying Your OT Security Journey." Register for Radiflow's upcoming webcast: https://www.sans.org/info/213530

2) Make your security analytics more consumable with Rapid7. "Leveraging Your SIEM to Implement Security Best Practices." https://www.sans.org/info/213535

3) Unisys to discuss challenges CISOs face with translating technical cyber risks into the language of business. https://www.sans.org/info/213540



--Reuters: Western Hackers Planted Espionage Malware in Russian Internet Search Company

(June 27, 2019)

According to a report from Reuters, hackers working on behalf of a Western country infiltrated Yandex, a Russian Internet search company in late fall 2018. The hackers allegedly planted malware in an operation designed to spy on user accounts. The malware is used by a group of countries known as the Five Eyes: the US, the UK, Canada, Australia, and New Zealand. A Yandex spokesperson said the intrusion "was detected at a very early stage ... [and] was fully neutralized before any damage was done."

Read more in:

Reuters: Exclusive: Western intelligence hacked 'Russia's Google' Yandex to spy on accounts - sources


CNET: Russian internet giant Yandex reportedly hacked by Western intelligence agency



--Some Huawei Restrictions Eased

(July 1, 2019)

The White House now says it will allow US companies to sell certain technological components to Huawei as long as the parts do not pose significant national security concerns. The walking back of the Huawei ban was announced over the weekend. An administration official says that the change is not a "general amnesty."

Read more in:

NYT: What Trump's Huawei Reversal Means for the Future of 5G


CNET: Trump official: Eased Huawei restrictions only apply to widely available products


MeriTalk: Trump Reverses Course on Some Huawei Restrictions


Axios: Trump to allow U.S. companies to sell some parts to Huawei



--Women in Security

(July 1, 2019)

Six new articles in SC Magazine's Women in Security section offer profiles of women in cybersecurity: Power Players, Women to Watch, Women of Influence, Honorable Mention, Veterans, and Advocates.

Read more in:

SC Magazine: Women in Security



--July Android Update

(July 1, 2019)

Google has released the Android Security Update for July. In all, there are fixes for 33 CVE-listed vulnerabilities; of those, nine are rated critical. The 2019-07-01 patch level addresses 12 security issues, while the 2019-07-05 patch level addresses an additional 21 issues.

[Editor Comments]

[Neely] Make sure that you understand the patching process for your devices. There is typically a delay before the patch is available for non-Google devices, and even for devices with update support it can take 30 days to get through both the hardware vendor and mobile operator QA and regression testing.

Read more in:

Android: Android Security Bulletin--July 2019


The Register: July is here - and so are the latest Android security fixes. Plenty of critical updates for all


Bleeping Computer: July Android Security Update Fixes Four Critical RCE Flaws



--Bulgarian Man Arrested After Posting Software Vulnerability Demo on Facebook

(June 30, 2019)

Authorities in Bulgaria have arrested an individual after he demonstrated a vulnerability in software used in local government web portals. In a video that he posted to Facebook, the man demonstrated the vulnerability by downloading personally identifiable information belonging to more than 235,000 people who live in the province of Stara Zagora. The software in question is used to allow residents to register their children for kindergarten. Stara Zagora officials have taken down the software on that province's portal, but the same software is used by other local governments in Bulgaria.

[Editor Comments]

[Neely] Having permission to find and disclose vulnerabilities is a good first step when researching systems. Responsible disclosure includes making sure you won't get arrested or sued for releasing the information. Publicly disclosing the vulnerability, exploit code, and a how-to video is going to be unwelcome in almost any context.

Read more in:

ZDNet: Bulgarian IT expert arrested after demoing vulnerability in kindergarten software



--Former Equifax Exec Gets Prison Sentence for Insider Trading

(June 28, 2019)

A former Equifax executive has been sentenced to four months in prison for insider trading related to his knowledge of the company's 2017 data breach prior to its public disclosure. Jun Ying sold his Equifax stock for a gain of $480,000, avoiding a loss of $117,000. He has been ordered to pay $117,000 in restitution and $55,000 in fines. Ying is the second Equifax employee to be sentenced for insider trading stemming from the breach.

[Editor Comments]

[Pescatore] The Equifax breach was enabled by the Equifax IT organization's failure to patch an Apache Struts vulnerability. The US CIO in charge of that organization then took advantage of the breach to do the illegal insider trading. I think there is still an FTC investigation report to come that may point out other systemic problems.

[Neely] Watch for more legislation intended to hold top executives at companies accountable for actions, such as the decision not to patch which resulted in the breach, to make sure they have skin in the game.

Read more in:

GovInfosecurity: Ex-Equifax CIO Gets 4-Month Prison Term for Insider Trading



--Recent BGP Hijacks and Leaks

(June 28, 2019)

This article explains what the Border Gateway Protocol (BGP) is, how it functions, why it presents security problems, and what is being done to make the process more trustworthy. BGP's origins date back 30 years, and it has not changed much in the past 25 years. Over the last few years, incidents that include cryptocurrency thefts, a Google Cloud outage, and mysteriously rerouted Internet traffic can be traced to issues with BGP. While some instances of misrouted Internet traffic are honest mistakes, there are also incidents in which the traffic has been deliberately manipulated.

[Editor Comments]

[Guest Editor Donald Smith] The article is wrong about BGP not changing. The IETF IDR and SIDR working groups have been doing updates to various elements of BGP about once a month. BGP-SEC which could address some of these issues shows "complete" in 2017.

https://datatracker.ietf.org/doc/rfc8205/: BGPsec Protocol Specification

Lastly, the author doesn't explain BGP well at all.

[Murray and Paller] Richard Clarke, a director on the National Security staff, called out this vulnerability during the Clinton Administration.

Read more in:

Wired: The Infrastructure Mess Causing Countless Internet Outages
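The item above describes BGP hijacks and leaks only in general terms. As an added illustration that is not part of the newsletter or the Wired article, the following Python script simulates Route Origin Validation (the valid / invalid / not-found classification of RFC 6811, which is the deployed counterpart to the BGPsec work the guest editor cites): a small set of constructed ROAs is checked against constructed route announcements, and an announcement whose origin AS does not match, or which is more specific than the ROA's maximum length, is flagged as invalid. The prefixes, AS numbers and ROAs are all made-up sample data (documentation ranges and private ASNs), not real routing data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Route Origin Authorization: "origin_as may announce prefix, and any
# more-specific prefix down to max_length bits".
@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    origin_as: int

# Constructed sample ROAs (documentation prefixes, private ASNs) for the demo.
SAMPLE_ROAS: List[ROA] = [
    ROA("203.0.113.0/24", 24, 64500),   # exact /24 only
    ROA("198.51.100.0/22", 24, 64501),  # /22 and more-specifics down to /24
]

def covering_roas(roas: Iterable[ROA], announced: ipaddress._BaseNetwork) -> List[ROA]:
    """Return the ROAs whose prefix contains the announced prefix."""
    out = []
    for r in roas:
        roa_net = ipaddress.ip_network(r.prefix)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if roa_net.version == announced.version and announced.subnet_of(roa_net):
            out.append(r)
    return out

def validate_origin(roas: Iterable[ROA], prefix: str, origin_as: int) -> str:
    """RFC 6811 semantics: 'not-found' when no ROA covers the prefix,
    'valid' when some covering ROA matches origin AS and length limit,
    otherwise 'invalid' (wrong origin, or too specific)."""
    announced = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(roas, announced)
    if not covering:
        return "not-found"
    for r in covering:
        if r.origin_as == origin_as and announced.prefixlen <= r.max_length:
            return "valid"
    return "invalid"

def audit_announcements(roas: Iterable[ROA],
                        announcements: Iterable[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Classify every (prefix, origin_as) pair; a defender would alert on 'invalid'."""
    return [(p, asn, validate_origin(roas, p, asn)) for p, asn in announcements]

# Constructed announcements: one legitimate, one origin hijack, one
# more-specific hijack from the right AS, one legitimate more-specific,
# one prefix with no ROA at all.
SAMPLE_ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),
    ("203.0.113.0/24", 64666),
    ("203.0.113.0/25", 64500),
    ("198.51.100.0/23", 64501),
    ("192.0.2.0/24", 64502),
]

if __name__ == "__main__":
    for prefix, asn, state in audit_announcements(SAMPLE_ROAS, SAMPLE_ANNOUNCEMENTS):
        print(f"{prefix:<18} AS{asn:<6} {state}")
```

The key design point is that validation is per covering ROA, not per exact match: a more-specific announcement from the legitimate origin is still invalid when it exceeds the ROA's maximum length, which is exactly the case that lets a more-specific hijack win best-path selection if nobody checks it.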





Collecting Hashes of Running Processes and Verifying Them with VirusTotal Domain-Wide


Maldoc Payloads in User Forms


Mozilla Server Side TLS Guide Updates


SKS Keyserver DoS Attack


QR Code Phishing


Zyxel Vulnerabilities


AMD SEV DH Key Recovery


Card Enrollment Service Fraud



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create