

Volume XXI - Issue #57

July 23, 2019

Equifax Will Pay As Much as $700 Million to Settle Investigations; ODNI Creates Election Security Position; Cyber Weapons Changing Modern Warfare and Statecraft


SANS NewsBites                July 23, 2019                Vol. 21, Num. 057




  Equifax Will Pay As Much as $700 Million to Settle Investigations

  ODNI Creates Election Security Position

  Cyber Weapons Are Changing Modern Warfare and Statecraft



  Kazakh Government Intercepting All HTTPS Traffic

  NSA Contractor Who Took Home Classified Documents is Sentenced

  Cyber Command Cyber Flag Simulated Seaport Attack

  University Systems Breached Through Known ERP Vulnerability

  Chrome 76 Will Close Loophole that Sites Use to Detect Users Browsing in Incognito Mode

  iNSYNQ Cloud Accounting Services Hit with Ransomware Attack

  Washington Post: Huawei Helped North Korea Build Wireless Network

  Former Siemens Contractor Pleads Guilty in Logic Bomb Case





-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019

-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 | https://www.sans.org/event/supply-chain-cybersecurity-summit-2019

-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019

-- SANS Virginia Beach 2019 | August 19-30 | https://www.sans.org/event/virginia-beach-2019

-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019

-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019

-- Threat Hunting & Incident Response Summit 2019 | New Orleans, LA | September 30-October 7 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2019

-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019

-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019

-- SANS OnDemand and vLive Training

Get an iPad Pro with Smart Keyboard, HP ProBook, or Take $350 Off through July 24 with OnDemand or vLive training.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap




Free technical content sponsored by Splunk


5 Key Ways CISOs Can Accelerate the Business. In a new report conducted by Forrester, CISOs are encouraged to align security with the enterprise, as well as juggle key innovations and manage the skills gap. Download your copy of 5 Key Ways CISOs Can Accelerate the Business and discover how to embed security into your business strategy.





--Equifax Will Pay As Much as $700 Million to Settle Investigations

(July 19 & 22, 2019)


Equifax will pay as much as US $700 million to settle state and federal investigations as well as consumer claims related to the 2017 data breach that exposed personal information of 147 million individuals. The terms of an agreement the company signed on Monday, July 22, require it to pay at least $575 million to states, the Consumer Financial Protection Bureau, and a credit monitoring fund. The company has agreed to pay an additional $125 million to that fund if necessary. (Please note that the WSJ story is behind a paywall.)


Editor's Note


The settlement assumes only about 7 million people will sign up for the credit monitoring offers. The ability to sign up for the services (Free Credit Monitoring, Reimbursement, and Help with ongoing Identity Theft issues) will not be available until a court approves the settlement. Proactive options to prevent future exposures include freezing your credit and reviewing your free credit report annually.


Target and Equifax have suffered financial loss, fines and other penalties, and a disruptive change in top management, while eBay and OPM have hardly suffered a slap on the wrist. This is not the way the system should work. That said, "Hope is not a strategy." Be certain that all risk acceptances are well understood by business management and documented.

Read more in:

- https://www.ftc.gov/system/files/documents/cases/172_3203_equifax_proposed_order_7-22-19.pdf

- https://krebsonsecurity.com/2019/07/what-you-should-know-about-the-equifax-data-breach-settlement/

- https://www.wsj.com/articles/equifax-to-pay-around-700-million-to-resolve-data-breach-probes-11563577702

- https://www.nytimes.com/2019/07/19/business/equifax-data-breach-settlement.html

- https://www.zdnet.com/article/equifax-regulators-close-to-signing-700m-deal-to-settle-data-breach-case/


--ODNI Creates Election Security Position

(July 19, 2019)


The US Office of the Director of National Intelligence (ODNI) has created an Election Threats Executive position as well as an Election Executive and Leadership Board. The person who holds the new position "will serve as the DNI's principal adviser on threats to elections and matters related to election security, ... [and] will coordinate and integrate all election security activities, initiatives, and programs across the IC." The board will include designated senior executive leads for election security from across the intelligence community and relevant federal agencies.

Read more in:

- https://www.dni.gov/index.php/newsroom/press-releases/item/2023-director-of-national-intelligence-daniel-r-coats-establishes-intelligence-community-election-threats-executive

- https://fcw.com/articles/2019/07/19/odni-election-security.aspx


--Cyber Weapons Are Changing Modern Warfare and Statecraft

(July 18, 2019)


The U.S. National Security Advisor, John Bolton, has made cyberwarfare an integral part of statecraft. This past September, the Department of Defense issued a strategic plan that not only confirmed the existence of cyber weapons but declared its commitment to using them "to advance U.S. interests" and "defend forward."

Read more in:

- https://www.newyorker.com/tech/annals-of-technology/how-cyber-weapons-are-changing-the-landscape-of-modern-warfare

****************************  SPONSORED LINKS  ******************************

1) Webcast August 2nd at 1 PM ET: Matt Bromiley, DomainTools and ExtraHop to highlight key takeaways from the results of the SANS 2019 Incident Response Survey: http://www.sans.org/info/213700

2) SANS 2019 Endpoint Survey: What challenges do you face with implementing endpoint security in your organization? Take the survey: http://www.sans.org/info/213705

3) ICYMI: "Addressing Consumer Safety Concerns With Zero Trust Security." View this webcast: http://www.sans.org/info/213710




--Kazakh Government Intercepting All HTTPS Traffic

(July 18, 2019)


Ministry officials in Kazakhstan say that the government's new practice of intercepting all HTTPS traffic that moves within the country's borders is "aimed at enhancing the protection of citizens, government bodies and private companies from ... cyber threats." ISPs in the country have begun forcing all users to install a government root certificate that allows government agencies to decrypt their traffic, examine it, re-encrypt it with their certificate, and send it on its way. Citizens who have not installed the government's certificate report being unable to access the Internet.


Editor's Note


The legislation supporting this was passed in December 2015; implementation was delayed by lawsuits. Marketed as a safety measure for consumers, the certificates are distributed over insecure channels, which makes it hard to ensure you're getting the genuine certificates, and the instructions do not include information on the risks of installing the incorrect certificates.

Read more in:

- https://www.zdnet.com/article/kazakhstan-government-is-now-intercepting-all-https-traffic/

- https://thehackernews.com/2019/07/kazakhstan-https-security-certificate.html
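A defender-side check for the interception described above, added here as an example and not part of the newsletter: it compares the issuer of the certificate a server presents against the issuer you have pinned for that site, using the dictionary shape Python's ssl.getpeercert() returns. The sample certificates and CA names are constructed; fetch_leaf() is a hypothetical helper for running the same check against a live host.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns:
# a leaf for example.com issued by the CA its operator actually uses.
GENUINE_LEAF = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example Public CA"),),
               (("commonName", "Example Public CA R3"),)),
    "notAfter": "Jan  1 00:00:00 2020 GMT",
}

# Constructed sample of what a client behind an intercepting proxy sees:
# same subject, but re-signed by the locally installed interception root.
INTERCEPTED_LEAF = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "ZZ"),),
               (("commonName", "Example Interception Root CA"),)),
    "notAfter": "Jan  1 00:00:00 2020 GMT",
}


def rdn_value(name, attr):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested RDN tuples."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None


def interception_verdict(cert, expected_issuer_cn):
    """Return (intercepted, detail). An issuer that differs from the one pinned
    for this site means something between client and server re-signed the leaf."""
    issuer = rdn_value(cert.get("issuer", ()), "commonName")
    subject = rdn_value(cert.get("subject", ()), "commonName")
    if issuer is None:
        return True, f"{subject}: no issuer commonName in presented certificate"
    if issuer != expected_issuer_cn:
        return True, f"{subject}: issued by {issuer!r}, expected {expected_issuer_cn!r}"
    return False, f"{subject}: issuer matches {expected_issuer_cn!r}"


def fetch_leaf(host, port=443, timeout=5.0):
    """Hypothetical helper: fetch the live leaf certificate with the system trust
    store in effect. An interception root installed in that store makes the
    handshake succeed, which is exactly why the issuer comparison is needed."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for cert in (GENUINE_LEAF, INTERCEPTED_LEAF):
        flagged, detail = interception_verdict(cert, "Example Public CA R3")
        print("INTERCEPTED" if flagged else "ok", "-", detail)
```

Pinning an issuer this way only flags interception for sites whose real CA you recorded beforehand; rotate the pinned value when the site's operator changes CA.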


--NSA Contractor Who Took Home Classified Documents is Sentenced

(July 19, 2019)

Harold T. Martin, a former NSA contractor, has been sentenced to nine years in prison for stealing as much as 50 terabytes of classified documents over a period of nearly 20 years. The government's investigation of Martin did not find that he had committed treason.

Editor's Notes


The human element, carrying work in and out of a secure facility, particularly when the person holds a security clearance that is regularly (every 5 years) re-verified, is the hardest piece to secure. While NSA may implement increased entry/exit security, the active clearance, and its supporting process, is supposed to reduce these human-factor risks. While it seems short, the nine-year sentence is aligned with the crime he pled guilty to (plea deal), and there is little to support claims that he distributed the documents, except for his reaching out to Kaspersky employees with hints of having information to share.

Read more in:

- https://www.nytimes.com/2019/07/19/us/politics/hal-martin-nsa-sentence.html

- https://www.theregister.co.uk/2019/07/19/nsa_hoarder_jailed/

- https://www.cyberscoop.com/hal-martin-sentence-nsa-shadow-brokers/

- https://www.fifthdomain.com/federal-oversight/doj-fbi/2019/07/19/ex-nsa-contractor-sentenced-to-9-years-for-stolen-documents/

--Cyber Command Cyber Flag Simulated Seaport Attack

(July 17, 2019)

The scenario for this year's US Cyber Command "Cyber Flag" cyberattack simulation was an attack on a seaport. The simulated attack disrupted the seaport's ability to move cargo. The exercise involved 20 teams made up of members of the Cyber Mission Force, Marine Corps personnel, and National Guard from Georgia, Nebraska, Texas, and Pennsylvania. Cyber Protection Teams added a focus on hunting for adversaries to their usual tasks of cybersecurity and mission protection.

Read more in:

- https://www.cyberscoop.com/us-cyber-command-simulated-seaport-cyberattack-test-digital-readiness/

--University Systems Breached Through Known ERP Vulnerability

(July 17, 19, & 22, 2019)

The US Department of Education says that systems at 62 colleges and universities have been compromised through an improper authentication vulnerability in Ellucian Enterprise Resource Planning (ERP) software. In a technology Security Alert, the Office of Federal Student Aid writes that a vulnerability affecting certain versions of Ellucian Banner Web Tailor and Banner Enterprise Identity Services has been exploited at the schools to create thousands of fake student accounts, some of which have been used to conduct criminal activity. The vulnerability was first detected late last year and Ellucian developed a fix several months ago.

Editor's Note


The flaw was detected in December 2019, and the patch was released in May, often a busy time for colleges; coupled with a CVE rating of 8.1, this makes it harder to insist that the patch be applied rapidly. If you have Ellucian systems, patch now. Rather than debating the validity of Ellucian's claims that admission portals are being exploited by botnets, adding reCAPTCHA capabilities to those portals will greatly hinder that activity, and should also be addressed now.

Read more in:

- https://edscoop.com/ellucian-banner-cyberattacks-62-universities/

- https://www.zdnet.com/article/hackers-breach-62-us-colleges-by-exploiting-erp-vulnerability/

- https://www.infosecurity-magazine.com/news/over-60-us-colleges-compromised-by/

- https://ifap.ed.gov/eannouncements/071719ITSecurAlertExploitationEllucianBannerSysVulnerability.html

- https://raw.githubusercontent.com/JoshuaMulliken/CVE-2019-8978/master/README.txt

- https://nvd.nist.gov/vuln/detail/CVE-2019-8978


--Chrome 76 Will Close Loophole that Sites Use to Detect Users Browsing in Incognito Mode

(July 18 & 19, 2019)

Chrome 76, which is currently in beta, will prevent websites from detecting when a user is browsing in Incognito Mode. Some sites currently do not allow users to read content if they are using privacy modes. The sites have been using a loophole in the FileSystem API that allowed them to detect whether users are in Incognito Mode. Currently, the Chrome FileSystem API is disabled in Incognito Mode. Sites are able to check for the availability of this API and, if it is not detected, assume that users are in Incognito Mode. Chrome 76 modifies the FileSystem API "to remedy this method of Incognito Mode detection."

Editor's Note


Mozilla also is working to eliminate other mechanisms, beyond the FileSystem API call, used to detect Incognito Mode. Even so, sites are working to find other ways to keep paywalls and other revenue generating mechanisms in place as Incognito browsing is often used to circumvent these capabilities. If you find a site valuable and use it frequently, you may want to just subscribe to it.

Read more in:

- https://www.blog.google/outreach-initiatives/google-news-initiative/protecting-private-browsing-chrome/

- https://arstechnica.com/information-technology/2019/07/chrome-76-prevents-nyt-and-other-news-sites-from-detecting-incognito-mode/


--iNSYNQ Cloud Accounting Services Hit with Ransomware Attack

(July 19, 2019)

iNSYNQ, a cloud-hosting company that specializes in accounting software and services, suffered a ransomware attack a week ago. The company took its network offline once it realized what was happening. iNSYNQ customers have been unable to access their data. An iNSYNQ status report on Monday, July 22 says that they have "started to restore customer desktops."

Editor's Note


A salutary reminder that even though your data may be in the cloud it still needs to be backed up.

Read more in:

- https://www.insynq.com/support/#status

- https://krebsonsecurity.com/2019/07/quickbooks-cloud-hosting-firm-insynq-hit-in-ransomware-attack/

- https://www.bleepingcomputer.com/news/security/insynq-cloud-hosting-provider-hit-by-ransomware-attack/


--Washington Post: Huawei Helped North Korea Build Wireless Network

(July 22, 2019)

According to documents obtained by the Washington Post, Huawei helped North Korea build a commercial wireless network. The documents indicate that over a period of eight years, Huawei worked on the wireless project and others in North Korea with Panda International Information Technology Co. Ltd., a Chinese state-owned company. The documents were provided to the Washington Post by a former Huawei employee.

Read more in:

- https://www.washingtonpost.com/world/national-security/leaked-documents-reveal-huaweis-secret-operations-to-build-north-koreas-wireless-network/2019/07/22/583430fe-8d12-11e9-adf3-f70f78c156e8_story.html


--Former Siemens Contractor Pleads Guilty in Logic Bomb Case

(July 19 & 22, 2019)

A former Siemens contractor has pleaded guilty to intentional damage to a protected computer for planting logic bombs. David Tinley's work for Siemens included creating spreadsheets that contained custom scripts to help automate inventory and order management. After several years, the scripts began to crash, and Siemens would call in Tinley to fix the problem. It turned out that he had deliberately written the scripts to malfunction at a certain point so that he could continue to get work from the company.

Editor's Note


Many office productivity tools have scripting and macro languages built into them. It is important that we extend the principles of secure software development to these platforms and include code reviews, source code management, and robust testing for key systems that rely on such macros and scripts.

Read more in:

- https://www.zdnet.com/article/siemens-contractor-pleads-guilty-to-planting-logic-bomb-in-company-spreadsheets/

- https://www.justice.gov/usao-wdpa/pr/siemens-contract-employee-intentionally-damaged-computers-planting-logic-bombs-programs




PHP Malware


Analyzing Compressed PowerShell Scripts


PaloAlto GlobalProtect PreAuth RCE


ProFTPd Permission Bypass Vulnerability


Fortinet Vulnerability


Drupal Vulnerabilities


iNSYNQ Breach



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create