SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume XXI - Issue #61

August 6, 2019

Spearphishing US Utilities with LookBack RAT; More Vulnerabilities in Wireless; Bill: Amend Homeland Security Act to Include CDM


SANS NewsBites                 Aug. 6, 2019                Vol. 21, Num. 061



  Spearphishing Campaign Targets US Utility Companies with LookBack RAT

  More Vulnerabilities in WPA3 Security Standard

  Bill Would Amend Homeland Security Act to Include CDM



  Microsoft Disabling VBScript in Internet Explorer 11

  CafePress Announces Password Reset After February Breach is Revealed

  Most Project Zero-Reported Flaws Fixed Within 90 Days

  US Representative Will Hurd Won't Seek Re-election

  Phishing Scammer Facing Prison Time

  Fix for New Vulnerability in Boeing 737 Max Flight Control System Will Also Improve MCAS

  Apple and Google Contractors to Stop Listening to Digital Assistant Recordings









--Spearphishing Campaign Targets US Utility Companies with LookBack RAT

(August 1, 2, & 5, 2019)

Researchers from Proofpoint say that three US utility companies were recently targeted by spearphishing attacks. The messages were crafted to appear to come from an engineering licensing board. According to Proofpoint, the messages were sent to the targeted companies between July 19 and July 25 and "were found to contain a Microsoft Word document attachment that uses VBA macros to install LookBack malware." LookBack is a remote access Trojan (RAT) capable of "viewing ...process, system, and file data; deleting files; executing commands; taking screenshots; moving and clicking the mouse; rebooting the machine and deleting itself from an infected host." The researchers believe that a nation-state is responsible for the attacks.
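The delivery vehicle here is a Word attachment carrying a VBA project. The following is an added example, not code from Proofpoint or from the NewsBites item: a container-level triage check of the kind a mail gateway can apply before such an attachment reaches an engineer. It relies only on the Office Open XML layout (a zip container whose VBA project is stored as vbaProject.bin and declared in [Content_Types].xml); the sample documents are constructed inline, and the hypothetical file names in the demo are placeholders.

```python
"""Container-level macro triage for Office Open XML attachments.

Added example (not from the Proofpoint report or NewsBites). A .docx/.docm
file is a zip container; a VBA project is stored as a binary part (by
default word/vbaProject.bin) and declared in [Content_Types].xml. Legacy
binary .doc files are OLE2 compound files and need an OLE parser such as
oletools; this demo treats them as "unknown", not "clean".
"""
import io
import zipfile

# Content types the OOXML manifest uses for a VBA project and for a
# macro-enabled Word main part.
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def triage_ooxml(data: bytes) -> dict:
    """Inspect an attachment given as bytes and say whether it carries VBA."""
    verdict = {"is_zip": False, "vba_parts": [], "macro_enabled": False, "quarantine": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not OOXML: could be a legacy OLE2 .doc. Out of scope for this demo;
        # a real gateway hands it to an OLE-aware scanner instead of passing it.
        return verdict
    verdict["is_zip"] = True
    names = zf.namelist()
    # 1. Any part named vbaProject.bin, wherever the author placed it.
    verdict["vba_parts"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
    # 2. The manifest: a VBA part or a macro-enabled main document type.
    if "[Content_Types].xml" in names:
        manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
        if VBA_CONTENT_TYPE in manifest or MACRO_ENABLED_MAIN in manifest:
            verdict["macro_enabled"] = True
    # Policy gate: unsolicited mail should never carry a VBA project at all.
    verdict["quarantine"] = bool(verdict["vba_parts"]) or verdict["macro_enabled"]
    return verdict


def build_sample(with_vba: bool) -> bytes:
    """Construct a minimal OOXML container for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        main_type = MACRO_ENABLED_MAIN if with_vba else PLAIN_MAIN
        manifest = (
            '<?xml version="1.0" encoding="UTF-8"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>'
        )
        if with_vba:
            manifest += f'<Override PartName="/word/vbaProject.bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        manifest += "</Types>"
        zf.writestr("[Content_Types].xml", manifest)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_vba:
            # OLE2 magic followed by a dummy body; real projects hold compressed module streams.
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    # Hypothetical file names for the demo.
    for label, blob in (("clean.docx", build_sample(False)), ("licensing-notice.docm", build_sample(True))):
        print(label, triage_ooxml(blob))
    print("legacy.doc", triage_ooxml(b"\xd0\xcf\x11\xe0 not a zip container"))
```

The check is deliberately coarse: it does not decompress or read the macro source, because the decision Murray argues for below does not depend on what the macro does, only on whether an unsolicited document carries one at all.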

[Editor Comments]

[Murray] Escape mechanisms in applications should not be enabled by default. Access control privileges to programs should be set to "execute only." While these rules should be the default for most enterprises, they are essential for those, like power utilities, that are part of national infrastructure.

Read more in:

Proofpoint: LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards

Threatpost: Nation-State APTs Target U.S. Utilities With Dangerous Malware

Cyberscoop: A potentially state-sponsored hacking campaign tried to phish U.S. utilities in July, researchers say


--More Vulnerabilities in WPA3 Security Standard

(August 3 & 5, 2019)

Researchers who found a set of vulnerabilities in the Dragonfly handshake of the WiFi Alliance's WPA3 security standard earlier this year have found two more flaws in the same handshake. The first set of vulnerabilities, disclosed in April, were given the collective name Dragonblood and could be exploited through downgrade and side-channel attacks. The new flaws are not in the Brainpool elliptic curves themselves but in the Dragonfly password-encoding step when implementations use them: the WiFi Alliance had recommended the Brainpool curves as a mitigation for the April findings, and implementations following that advice still leak password information through a side channel. The researchers note that the WiFi standard and the EAP-pwd protocol, which also uses Dragonfly, "are being updated with a more secure protocol. Although this update is not backwards-compatible with current deployments of WPA3, it does prevent most of our attacks."
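The side channel in question comes from Dragonfly's "hunting and pecking" password-element derivation: the handshake hashes the password together with both stations' addresses and a counter, and repeats until the result is a valid curve point. The following is an added example, not code from the Dragonblood research or from any WPA3 implementation: a simplified model that shows why an early-exit loop leaks the password and how the fixed-iteration form removes that leak. It assumes a toy curve over the prime 2^32 - 5 instead of a standardised group, SHA-256 in place of the standard's HMAC/KDF chain, and constructed MAC addresses and a constructed password list.

```python
"""Simplified model of Dragonfly's hunting-and-pecking loop.

Added example (not from the Dragonblood papers, RFC 7664 or any Wi-Fi
Alliance code). Toy curve y^2 = x^3 + A*x + B over F_P with P = 2**32 - 5
(prime, not a standardised group); SHA-256 stands in for the HMAC/KDF chain.
"""
import hashlib

P = 2**32 - 5
A, B = 3, 7
K = 40  # fixed iteration count used by the constant-time variant


def is_quadratic_residue(v: int) -> bool:
    """Euler's criterion: non-zero v is a square mod P iff v^((P-1)/2) == 1.
    (Real code must also make this test constant-time; only the loop's
    iteration count is modelled here.)"""
    v %= P
    return v != 0 and pow(v, (P - 1) // 2, P) == 1


def candidate_x(password: bytes, mac_a: bytes, mac_b: bytes, counter: int) -> int:
    """Candidate x-coordinate for one iteration. Dragonfly feeds both
    stations' addresses, the password and the counter into the hash."""
    data = max(mac_a, mac_b) + min(mac_a, mac_b) + password + bytes([counter])
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1) + 1


def on_curve(x: int) -> bool:
    """x yields a point iff x^3 + A*x + B is a square mod P."""
    return is_quadratic_residue(x**3 + A * x + B)


def hunt_and_peck_leaky(password: bytes, mac_a: bytes, mac_b: bytes):
    """Early-exit form: stops at the first usable x. The iteration count is
    a function of (password, MACs), so timing the handshake reveals it."""
    counter = 1
    while True:
        x = candidate_x(password, mac_a, mac_b, counter)
        if on_curve(x):
            return x, counter
        counter += 1


def hunt_and_peck_fixed(password: bytes, mac_a: bytes, mac_b: bytes):
    """Fixed-count form: always performs K iterations and keeps the first
    hit, so the amount of work does not depend on the password."""
    x_found = None
    for counter in range(1, K + 1):
        x = candidate_x(password, mac_a, mac_b, counter)
        if on_curve(x) and x_found is None:  # real code: constant-time select
            x_found = x
    return x_found, K


def prune_dictionary(observed_iterations: int, dictionary, mac_a: bytes, mac_b: bytes):
    """Attacker side: MACs are public and the iteration count leaked, so each
    candidate password is tested offline and dropped when its count differs.
    Repeating this over handshakes with different MACs shrinks the list fast."""
    return [pw for pw in dictionary
            if hunt_and_peck_leaky(pw, mac_a, mac_b)[1] == observed_iterations]


if __name__ == "__main__":
    # Constructed addresses and password list for the demo.
    ap, sta = bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb")
    real = b"correct horse battery"
    words = [real, b"password", b"letmein", b"hunter2", b"wifi1234", b"dragonfly"]
    _, leaked = hunt_and_peck_leaky(real, ap, sta)
    print("iterations observable from the early-exit loop:", leaked)
    print("iterations for the fixed loop:", hunt_and_peck_fixed(real, ap, sta)[1])
    print("candidates left after one handshake:", prune_dictionary(leaked, words, ap, sta))
```

Because roughly half of all candidate x values land on the curve, the early-exit count is geometrically distributed and differs between passwords; the fixed form always reports K. The Brainpool finding was an instance of this pattern surviving in a code path that the earlier patches had not made constant-time.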

[Editor Comments]

[Pescatore] Making new security-improved protocols backwards compatible with previous insecure protocols usually seems to result in new insecure protocols. Security researchers have learned to zero in quickly on those features; time for the WiFi Alliance to do so *before* releasing new versions.

[Neely] The increased security in WPA3, such as even open hotspots having encrypted traffic, and the CNSA security suite, makes getting this right worth it, even risking backwards compatibility to correct these vulnerabilities.

[Murray] Vulnerabilities on the wireless side, where there are few attackers within range, seem to get disproportionate attention. The threat is on the wire side. That said, resist poaching on your network by your neighbor; he is not breaking WPA3. As Adi Shamir argues, "Cryptography is typically bypassed, not penetrated."

Read more in:

WPA3: New Results

Duo: New Weaknesses Found in WPA3

ZDNet: New Dragonblood vulnerabilities found in WiFi WPA3 standard


--Bill Would Amend Homeland Security Act to Include CDM

(July 31 & August 5, 2019)

US Senators have re-introduced a bill that would officially make the Continuous Diagnostics and Mitigation (CDM) program part of the Homeland Security Act of 2002. The bill would also have the Homeland Security Secretary offer the CDM program to state and local governments. CDM provides federal agencies with tools to monitor the assets, users and activity on their networks. The bill would also "establish policies for reporting cyber risks and incidents based upon data collected under CDM; direct the [DHS] Secretary to deploy new CDM technologies to continuously evolve the program; and mandate that DHS develop a strategy to ensure the program continues to adjust to the cyber threat landscape."

Read more in:

Congress: S.2318 - A bill to amend the Homeland Security Act of 2002 ...

FCW: Senators look to codify CDM

MeriTalk: Bill to Codify CDM Into Law Introduced in the Senate





--Microsoft Disabling VBScript in Internet Explorer 11

(August 2 & 5, 2019)

Microsoft has announced that it will disable VBScript by default in Internet Explorer 11. The change will take effect in the cumulative updates for Windows 7, 8, and 8.1 included in the company's next monthly security release, scheduled for Tuesday, August 13. The same change was made for IE 11 on Windows 10 in the July 9, 2019 cumulative update. Microsoft's Edge browser does not support VBScript.

Read more in:

Microsoft: An update on disabling VBScript in Internet Explorer 11

ZDNet: Microsoft: We're disabling VBScript in Windows 7, 8 to block attackers


--CafePress Announces Password Reset After February Breach is Revealed

(August 5, 2019)

In February 2019, a data breach compromised information associated with more than 23 million CafePress customer accounts. The incident remained undisclosed until Monday, August 5, when the Have I Been Pwned breach notification service began emailing affected customers. That same day, users who tried to log in to their CafePress accounts were greeted with an announcement that the company was resetting customer passwords as part of an "updated ... password policy." The password reset notice makes no mention of the breach.

Read more in:

Bleeping Computer: CafePress Data Breach Exposes Personal Info of 23 Million Users

The Register: We've, um, changed our password policy, says CafePress amid reports of 23m pwned accounts

Forbes: CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them?


--Most Project Zero-Reported Flaws Fixed Within 90 Days

(August 2, 2019)

Google's Project Zero says that since the program's inception in July 2014, nearly 96 percent of the security issues it reported were fixed within the 90-day disclosure deadline it allows. For the first seven months of the program, Project Zero held fast to its 90-day deadline. In February 2015, it began to allow 14-day grace periods under certain conditions.

[Editor Comments]

[Pescatore] I think we now have many years of data proving two key things: (1) "Hoarding" day zero vulnerabilities is much more likely to result in business damage than public outing of vulnerabilities that vendors fail to patch in a reasonable timeframe; and (2) continual patching of products doesn't cost any more than slower, periodic patching. We still see IT organizations talking about moving to DevOps, as they use cloud services and browsers that are constantly being updated, yet they patch desktops only once per month and servers twice per year...

Read more in:

ZDNet: Google Project Zero: 95.8% of all bug reports are fixed before deadline expires


--US Representative Will Hurd Won't Seek Re-election

(August 2, 2019)

US Representative Will Hurd (R-Texas) announced last week that he will not seek re-election in 2020. Hurd chaired the House Oversight and Government Reform Committee's IT Subcommittee from 2015 to 2019 and has been actively involved in federal IT legislation. He was instrumental in getting the Office of Management and Budget to update security guidance for federal contractors.

Read more in:

Meritalk: Rep. Will Hurd Retiring From Congress in 2020

Nextgov: Will Hurd, The Most Vocal Lawmaker on Federal IT Issues, Won't Seek Reelection

Cyberscoop: With Will Hurd's retirement, Congress loses a key cybersecurity advocate


--Phishing Scammer Facing Prison Time

(August 2, 2019)

Amil Hassan Raage pleaded guilty to conspiracy to commit wire fraud for his role in an email fraud scheme that stole more than US $870,000 from two US universities. Raage and his co-conspirators sent emails that impersonated Dell tech support and directed the schools to send payments to a different bank account. He fled to Kenya in September 2018 when his bank accounts were frozen. He was arrested there in May 2019 and extradited to the US later that same month.

Read more in:

The Register: Phisherman's blues: Bogus Dell support rep extradited from Kenya, admits he conned US colleges out of $900,000

Bleeping Computer: Scammer Arrested After Defrauding US Universities of Over $870K

Justice: Fraudster Brought Back from Kenya to Face Jail Time for Stealing Almost $750,000 from UCSD through a Spear Phishing Campaign


--Fix for New Vulnerability in Boeing 737 Max Flight Control System Will Also Improve MCAS

(August 1, 2, & 4, 2019)

In June, US Federal Aviation Administration (FAA) regulators testing the Boeing 737 MAX flight control system found a new vulnerability that requires Boeing engineers to make a significant change to the system's software architecture. The regulators found that a microprocessor in the onboard flight control computers is susceptible to random bit flips. The fix is for the flight control system, which currently relies on readings from a single computer, to instead use readings from two computers. The change will also improve the reliability of the Maneuvering Characteristics Augmentation System (MCAS), which was responsible for two deadly crashes.

Read more in:

Seattle Times: Newly stringent FAA tests spur a fundamental software redesign of Boeing's 737 MAX flight controls

Engadget: Boeing may use two computers to fix 737 Max's latest flaw

The Register: Another rewrite for 737 Max software as cosmic bit-flipping tests glitch out systems - report


--Apple and Google Contractors to Stop Listening to Digital Assistant Recordings

(July 26 & August 2, 2019)

Apple says it has stopped its practice of having contractors listen to Siri queries to assess whether they were deliberate or accidental and whether Siri's response was appropriate. Apple may resume the practice, which it calls "grading," some time in the future, but only if users opt in. Apple says it will not resume "grading" until it has conducted "a thorough review." A July 26 report in The Guardian detailed how some Apple contractors overheard conversations that were not intended to be Siri queries. In a related story, Google has "paused" having employees review Google Assistant queries in the European Union for three months pending the outcome of an investigation launched by Germany's data protection commissioner. Reports indicated that contractors were listening to conversations that users may not have known were being recorded.

Read more in:

The Guardian: Apple halts practice of contractors listening in to users on Siri

The Guardian: Apple contractors 'regularly hear confidential details' on Siri recordings

SC Magazine: Apple halts contractors listening to Siri recordings, will offer opt-out

Threatpost: Apple Suspends Siri Program After Privacy Backlash

Ars Technica: Apple and Google temporarily stop listening to Siri and OK Google queries

The Register: German privacy probe orders Google to stop listening in on voice recordings for 3 months

The Verge: Google will pause listening to EU voice recordings while regulators investigate




Detecting Incognito Mode in Google Chrome 76

Extortion E-Mail: Where Did the Money Go?

VMWare Update

Android Update Fixes Qualcomm Bug

Misconfigured JIRA Leaks User Details

NVidia Updates

Google, Amazon, Apple modify policy on listening in on Assistant Recordings


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit