Special Offer w/ OnDemand: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training thru Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #54

July 12, 2019

Zero Trust Architecture for Military; Marine Cybersecurity Warning; Microsoft - Two Zero-Days and a Critical Flaw


SANS NewsBites                July 12, 2019                Vol. 21, Num. 054



  Defense Innovation Board Pushing Zero Trust Architecture for Military

  US Coast Guard Issues Marine Cybersecurity Warning and Advice

  Microsoft Patch Tuesday Includes Fixes for Two Zero-Days and a Critical Flaw in Windows DHCP Server


  FEC Says Campaigns Can Accept Discounted Cybersecurity Services

  Apple Pushed Out Update to Remove Zoom Web Server from Macs

  Unsealed Indictment Charges Software Engineer with Theft of Trade Secrets

  Mozilla Releases Firefox 68

  LA County Health Data Breached Through Contractor

  US Conference of Mayors Passes Resolution Not to Pay Ransomware Demands

  Vulnerability in Some GE Anesthesia Devices

  ICS Vulnerability Research Turns Up Critical Flaw in Siemens TIA Portal

  Astaroth Fileless Malware




-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019

-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 | https://www.sans.org/event/pentest-hackfest-eu-july-2019

-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 | https://www.sans.org/event/digital-forensics-summit-2019

-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019

-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019

-- SANS Virginia Beach 2019 | August 19-30 | https://www.sans.org/event/virginia-beach-2019

-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019

-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019

-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019

-- SANS OnDemand and vLive Training

Get an iPad Pro with Smart Keyboard, HP ProBook, or Take $350 Off through July 24 with OnDemand or vLive training.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap



************************ Sponsored By AWS Marketplace ***********************

AWS Cloud Security Training Webcast: JumpStart Your Firewall Selection Process in AWS. Gain practical knowledge on how to evaluate and select effective cloud-based firewalls in the AWS Marketplace. Learn how to assess vendor system design, needs versus capabilities, business and technical operational considerations, and integration issues. July 17, 2 PM ET: http://www.sans.org/info/213415




--Defense Innovation Board Pushing Zero Trust Architecture for Military

(July 10, 2019)

The Pentagon's Defense Innovation Board (DIB) has approved a white paper that calls on the Department of Defense (DOD) to implement zero trust architecture (ZTA) for network access. The paper notes DOD's currently reliance perimeter-based cybersecurity and says that "Zero Trust Architecture (ZTA) can significantly offset vulnerabilities and threats across DoD networks by creating discrete, granular access rules for specific applications and services within a network."

[Editor Comments]

[Murray] Current architectures and policies have been proven to be too vulnerable in the face of the increasingly hostile environment. "Zero trust" must go beyond structured networks or end-to-end application layer encryption to include strong authentication, least privilege access control, privileged access management (PAM), and continuous monitoring and measurement.  

Read more in:

media.defense.gov: The Road to Zero Trust (Security) (PDF)


Fedscoop: Defense Innovation Board wants to help DOD understand zero trust



--US Coast Guard Issues Marine Cybersecurity Warning and Advice

(July 8 & 9, 2019)

An incident earlier this year led the US Coast Guard to issue a Marine Safety Alert that offers providing advice for implementing cybersecurity protocols. In February, the Coast Guard led an interagency team in an investigation of "a significant cyber incident" affecting the shipboard network of a deep draft vessel. The recommendations in the alert include segmenting networks; eliminating generic access credentials for multiple individuals; enforcing least privilege access; and regular patching.

[Editor Comments]

[Northcutt] Interesting story. The advice sounds good with the exception of the thought that anti-virus can detect targeted malware. It appears the most significant threat access vector is USB: "This incident revealed that it is common practice for cargo data to be transferred at the pier, via USB drive." These ships are going to keep needing the cargo data and USB drives are cost effective. Expect this practice to continue, and attackers will look for an external way to influence what is actually on that USB drive.


Read more in:

DCO: Cyber Incident Exposes Potential Vulnerabilities Onboard Commercial Vessels (PDF)


Dark Reading: Coast Guard Warns Shipping Firms of Maritime Cyberattacks


Cyberscoop: After 'significant' malware attack, U.S. Coast Guard issues maritime security advisory


Bleeping Computer: U.S. Coast Guard Issues Safety Alert Following Cyber Incident



--Microsoft Patch Tuesday Includes Fixes for Two Zero-Days and a Critical Flaw in Windows DHCP Server

(July 9, 2019)

On Tuesday, July 9, Microsoft released software updates to address nearly 80 vulnerabilities in a range of products. Fifteen of the flaws have been rated critical. Arguably one of the most severe of these is a memory corruption vulnerability in Windows DHCP server; the issue affects most supported versions of Windows Server. Two of the flaws fixed in the update are being actively exploited, and four others were disclosed before the fixes were made available.

Read more in:

KrebsOnSecurity: Patch Tuesday Lowdown, July 2019 Edition


Dark Reading: Microsoft Patches Zero-Day Vulnerabilities Under Active Attack


MSRC: Security Update Summary


SC Magazine: Microsoft's Patch Tuesday addresses two actively exploited zero-days


****************************  SPONSORED LINKS  ******************************

1) These are the 5 key ways CISOs align security with the enterprise to accelerate the business. Read the report now. http://www.sans.org/info/213620

2) Register for the Webcast "Speaking the Language of the Board" with Unisys CISO Mathew Newfield: http://www.sans.org/info/213625

3) Poll: How effective is your security controls testing? Tell us your experience by taking this brief poll http://www.sans.org/info/213630




--FEC Says Campaigns Can Accept Discounted Cybersecurity Services

(July 11, 2019)

The US Federal Election Commission (FEC) has ruled that political campaigns may use discounted cybersecurity services with certain stipulations. Campaign finance law bars corporate contributions to campaigns. The FEC ruled that the cybersecurity services are not considered an in-kind contribution as long as the companies providing the discounted services also offer them to non-political organizations.

Read more in:

KrebsOnSecurity: FEC: Campaigns Can Use Discounted Cybersecurity Services





--Apple Pushed Out Update to Remove Zoom Web Server from Macs

(July 8 & 11, 2019)

On Wednesday, July 10, Apple pushed out a silent update to remove a local web server that had been surreptitiously installed by the Zoom web conferencing app from Macs. The local web server remained on machines even when users uninstalled the Zoom client. Zoom has also issued an update that lets users remove both the application and the web server.

[Editor Comments]

[Neely] Apple created the remove update after Zoom had released an updated client. Users with the updated client would not have seen it disappear (Version 4.4.5392.0709). While Gatekeeper taking action without permission is a bit disconcerting, the feature is intended to rapidly address vulnerabilities. The benefits of Gatekeeper actively protecting systems outweigh disabling it.

[Honan] From a corporate security point of view, Apple's ability to silently remove a third party app from your system(s) should raise some concerns. The usefulness of such a feature is not in dispute, but there should be at least some way of alerting people that is has happened, allowing people to grant permission to proceed with the action, that it is auditable and traceable, and that organisations have the ability to turn the feature off.

Read more in:

Medium: Zoom Zero Day: 4+ Million Webcams & maybe an RCE? Just get them to visit your website!


Duo: Apple Removes Zoom Web Server from Macs


Threatpost: Apple Issues Silent Update Removing Zoom's Hidden Server


Ars Technica: Silent Mac update nukes dangerous webserver installed by Zoom


Wired: Zoom Will Fix the Flaw That Let Hackers Hijack Webcams


Vice: Zoom Vulnerability Lets Hackers Hijack Your Webcam


Axios: Apple pushes update to remove Zoom's Web server



--Unsealed Indictment Charges Software Engineer with Theft of Trade Secrets

(July 12, 2019)

A December 2017 indictment unsealed earlier this week reveals that Xudong "William" Yao has been charged with theft of trade secrets. Yao worked as a software engineer at an unnamed Illinois company that manufactures trains. He started work in August 2014 and less than a month later, he allegedly downloaded thousands of files containing proprietary and trade secret information related to the company's control system software code. Yao also allegedly began negotiating for a job with a company in China. He was fired from the Illinois company in February 2015 for reasons not related to the case and left he the US in November 2015. Yao is believed to still be in China.   

Read more in:

The Register: Train maker's coder goes loco, choo-choo-chooses to flee to China with top-secret code - allegedly


Bloomberg: Chinese Engineer Accused of Stealing U.S. Train Maker's Secrets


Regmedia: Superseding Indictment



--Mozilla Releases Firefox 68

(July 9 & 10, 2019)

Mozilla has updated Firefox to version 68 and Firefox Extended Support Release to version 60.8. In all, the newest versions of the browser address 21 security issues, including an issue that was causing problems between antivirus products and HTTPS site certificates. Firefox 68 also has a new feature that lets users report extensions that appear to be security threats.

[Editor Comments]

[Neely] Version 68 also adds fingerprinting and cryptominer blocking to the strict setting for content blocking, making it easier to enable. Version 68 of also actively prompts users to use Firefox sync to carry bookmark and plugin choices forward through updates.

Read more in:

Bleeping Computer: Mozilla Firefox 68 Released With Security and Extension Enhancements


SC Magazine: Mozilla's latest Firefox releases fix 21 bugs


ZDNet: Firefox 68 is out: New dark reader view, better extensions, enterprise IT controls


Mozilla: See what's new in Firefox! 68.0



---LA County Health Data Breached Through Contractor

(July 10, 2019)

An employee at a contractor that provides eligibility and billing services for the Los Angeles (California) County Department of Health Services fell prey to a phishing attack earlier this year. The incident compromised personal health information belonging to nearly 15,000 patients. While the data are encrypted, the compromised email account included encryption keys.

Read more in:

SC Magazine: L.A. County Health Services Department contractor breach leaks patient data


Nemadji: Notice of Data Security Incident



--US Conference of Mayors Passes Resolution Not to Pay Ransomware Demands

(July 10, 2019)

The US Conference of Mayors has passed a resolution stating that it "stands united against paying ransoms in the event of an IT security breach." Baltimore Mayor Jack Young said that paying ransoms encourages the perpetrators and others to launch more attacks.

[Editor Comments]

[Neely] The ability to not pay ransomware is dependent on being prepared to recover from an incident. Develop and test an incident response plan, fill any gaps in security tools, backups, and training to ensure readiness to respond.

Read more in:

SC Magazine: U.S. mayors resolve to no longer pay ransomware attackers


Statescoop: Mayors pass resolution against paying ransomware ransoms



--Vulnerability in Some GE Anesthesia Devices

(July 8, 9, & 10, 2019)

Research company CyberMDX found that authentication weaknesses in certain GE anesthesia devices used in hospitals could be exploited to gain remote control of the machines, potentially allowing hackers to alter gas composition parameters and silence alarms. The issues affect the GE Aestiva and GE Aespire devices, models 7100 and 7900. US Department of Homeland Security's (DHS's) ICS-CERT and GE Healthcare have both issued advisories. The ICS-CERT advisory notes that "a vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms." A GE spokesperson says that the issues are network issues and that GE "generally recommend[s] that anesthesia devices not be connected to a network. The scenario described in the report requires hospitals to use the equipment in ways that it should not be used."

[Editor Comments]

[Murray] While some appliances, including medical devices, (e.g., cameras) are intended to be connected to public networks, others (e.g., baby-monitors, these medical devices) are not. Connecting the latter to the Internet will always be dangerous, either to the application (e.g., baby monitors, medical devices) or the network (e.g., baby monitors.) (While cameras are intended to be connected to the public networks many are not properly designed for the purpose and represent a risk to those networks.)

Read more in:

CyberMDX: CyberMDX Research Team Discovers Medical Device Vulnerability in GE Anesthesia and Respiratory Devices


ZDNet: Vulnerabilities found in GE anesthesia machines


BBC: Anaesthetic devices 'vulnerable to hackers'


Threatpost: Bug in Anesthesia Respirators Allows Cyber-Tampering


GovInfosecurity: Certain Anesthesia Devices Have Vulnerabilities: Researchers


US-CERT: ICS Medical Advisory (ICSMA-19-190-01) GE Aestiva and Aespire Anesthesia


GE Healthcare: ICS advisory regarding GE anesthesia devices



--ICS Vulnerability Research Turns Up Critical Flaw in Siemens TIA Portal

(July 8, 9, & 10, 2019)

Tenable Research has found a critical flaw in Siemens TIA Portal, also known as STEP 7, that could be exploited to gain administrative privileges. The issue affects Siemens SIMATIC STEP 7 v.15.1; Siemens has released an update to fix the issue. Tenable found the Siemens vulnerability while researching top industrial control system vendors; they found a dozen critical flaws in ICS products from four different vendors.

[Editor Comments]

[Murray] These portals represent the primary attack surface in cyber espionage and warfare.  

Read more in:

Medium: Nuclear Meltdown with Critical ICS Vulnerabilities


Siemens: SSA-721298: Missing Authentication Vulnerability in TIA Administrator

(TIA Portal)


Tenable: Tenable Research Discloses Critical Vulnerability in Siemens STEP 7 (CVE-2019-10915)


GovInfosecurity: Researchers Disclose Vulnerability in Siemens' ICS Software


The Register: Remember Stuxnet? You'll endure its hated-by-critics sequel if you don't patch your holey Siemens industrial kit



--Astaroth Fileless Malware

(July 8 & 9, 2019)

Researchers from Microsoft have detected a fileless malware campaign that uses legitimate services to deliver its payload. Dubbed Astaroth, the malware was detected while looking into a recent spike in the use of the Windows Management Instrumentation Command-line (WMIC) tool.

Read more in:

Microsoft: Dismantling a fileless campaign: Microsoft Defender ATP next-gen protection exposes Astaroth attack


Infosecurity Magazine: Microsoft Warns of Fileless Astaroth Attacks


SC Magazine: What fresh hell is this? Fileless malware campaign spread Astaroth backdoor last spring





MSFT Patch Tuesday


Samba Project Disabling SMBv1 By Default


Analysis of a Recent AZORult Sample


Adobe Updates


Zoom Vulnerability


Apple Deletes Zoom Web Server


Apple Disables Walkie Talkie App


eChOraix Ransomware


GnuPG Will No Longer Import Signatures From Keyservers


Windows PXE Devices May Fail to Boot After Recent Update


Sean Goodwin: Attackers Inside the Walls: Detecting Malicious Activity



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create