
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #62

August 9, 2019

Back-end Election Systems Connected to the Internet; Russian Hackers Targeting IoT Devices to Access Corporate Networks



****************************************************************************

SANS NewsBites                 Aug. 9, 2019                Vol. 21, Num. 062

****************************************************************************


TOP OF THE NEWS


  Researchers Find Some Back-end Election Systems Are Connected to the Internet

  Microsoft Researchers Say Russian Hacking Group is Targeting IoT Devices to Access Corporate Networks


REST OF THE WEEK'S NEWS


  NSA's Ghidra Has Been Downloaded More Than Half a Million Times

  WordPress Developers Propose Plan for Updating Unsupported Versions

  Rotational Cyber Workforce Costs Seem Reasonable

  Some States Are Struggling to Meet the Real ID Implementation Deadline

  North Korea Stole $2 Billion for Weapons Program

  GSA's 18F Agency Publishes De-risking Handbook for States

  Man Charged for Allegedly Bribing AT&T Employees to Unlock Phones

  Silent Windows Fix for Speculative Execution Flaw in Intel CPUs


INTERNET STORM CENTER TECH CORNER


****************************************************************************

Cybersecurity Training Update

 

-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 | https://www.sans.org/event/network-security-2019


-- SANS Chicago 2019 | August 19-24 | https://www.sans.org/event/chicago-2019


-- SANS Virginia Beach 2019 | August 19-30 | https://www.sans.org/event/virginia-beach-2019


-- SANS London September 2019 | September 23-28 | https://www.sans.org/event/london-september-2019


-- SANS DFIR Europe Summit and Training 2019| Prague, CZ | September 30-October 6 | https://www.sans.org/event/dfir-prague-2019


-- Threat Hunting & Incident Response Summit 2019 | New Orleans, LA | September 30-October 7 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2019


-- SANS Tokyo Autumn 2019 | September 30-October 12 | https://www.sans.org/event/tokyo-autumn-2019


-- SIEM Summit & Training 2019 | Chicago, IL | October 7-14 | https://www.sans.org/event/siem-summit-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- SANS OnDemand and vLive Training

Get a 10.5" iPad Air with Smart Keyboard, a Surface Go, or Take $300 off through August 21 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap

 

************************  Sponsored By DomainTools   ************************


The Beginner's Guide to Applying Machine Learning to Incident Response. There is a lot of hype around Machine Learning (ML) and its application in InfoSec. Join SANS Analyst Dave Shackleford and Senior Data Scientist Sean McNee for an introduction to AI and ML and tips for harnessing the power of ML in incident response. August 15 at 1 PM ET: http://www.sans.org/info/213880


*****************************************************************************

TOP OF THE NEWS

 

--Researchers Find Some Back-end Election Systems Are Connected to the Internet

(August 8, 2019)

Election security experts have found what they believe to be more than 30 back-end election systems in 10 US states connected to the Internet, some for more than a year. The researchers contacted the affected jurisdictions; some removed the systems from the Internet, but others did not. Some election officials said their systems were not connected, because the vendor had installed the systems and the jurisdiction had no oversight of the process.


[Editor Comments]


[Pescatore] We went through this 20 years ago when the power industry claimed SCADA systems and the like were never connected to the Internet, but every pen test engagement would find they were. The scary and telling quote in this piece is the ES&S VP of engineering saying that the systems are "...not pingable or addressable from the public internet" and therefore are "invisible to bad actors or unauthorized users." So, now we know that the ES&S approach to secure election systems is at the same level as that of people who put their wallets in their sneakers at the beach when they go for a swim.


Read more in:

Vice: Exclusive: Critical U.S. Election Systems Have Been Left Exposed Online Despite Official Denials

https://www.vice.com/en_us/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-exposed-online-despite-official-denials


 

--Microsoft Researchers Say Russian Hacking Group is Targeting IoT Devices to Access Corporate Networks

(August 5 & 7, 2019)

Researchers from Microsoft Threat Intelligence Center say that earlier this year, they detected efforts by a hacking group working on behalf of the Russian government to attack IoT devices at companies in an effort to gain access to the companies' networks and search for accounts with higher privileges. In some instances, the hackers accessed IoT devices using default manufacturer passwords.


[Editor Comments]


[Murray] Often, the gratuitous function included in appliances exceeds that necessary for its intended function. This greatly increases the attack surface and risk.


Read more in:

MSRC Blog: Corporate IoT - a path to intrusion

https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/

SC Magazine: Russian hacking group STRONTIUM attacking corporate IoT devices, Microsoft says

https://www.scmagazine.com/home/security-news/apts-cyberespionage/russian-hacking-group-strontium-attacking-corporate-iot-devices-microsoft-says/

Cyberscoop: Russian government hackers used office technology to try to breach privileged accounts

https://www.cyberscoop.com/russian-apt-iot-device-security/

ZDNet: Microsoft: Russian state hackers are using IoT devices to breach enterprise networks

https://www.zdnet.com/article/microsoft-russian-state-hackers-are-using-iot-devices-to-breach-enterprise-networks/

Ars Technica: Microsoft catches Russian state hackers using IoT devices to breach networks

https://arstechnica.com/information-technology/2019/08/microsoft-catches-russian-state-hackers-using-iot-devices-to-breach-networks/


****************************  SPONSORED LINKS  ******************************


1) Take the SANS 2019 Endpoint Survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/213885


2) Webcast August 13 at 1 PM ET: Visibility for Incident Response: A Review of Forescout 8.1 Register http://www.sans.org/info/213890


3) ICYMI: Neighborhood Keeper: A Collaborative Initiative for our ICS Community. View webcast http://www.sans.org/info/213895


*****************************************************************************

REST OF THE WEEK'S NEWS

     

--NSA's Ghidra Has Been Downloaded More Than Half a Million Times

(August 8, 2019)

The NSA released its Ghidra malware reverse-engineering tool at RSA in March. Since its release, Ghidra has been downloaded from GitHub more than 500,000 times. Outside developers have been creating new features for Ghidra, and an NSA senior researcher noted that they can now hire people who already know how to use the tool.


Read more in:

Axios: NSA's free malware research tool gains traction, 6 months on

https://www.axios.com/nsas-free-malware-research-tool-gains-traction-6-months-on-a3d8c64a-97aa-4726-8fef-f71d5c591a97.html

Cyberscoop: NSA's reverse-engineering malware tool, Ghidra, to get new features to save time, boost accuracy

https://www.cyberscoop.com/ghidra-nsa-new-version-black-hat-2019/

GitHub: NationalSecurityAgency/ghidra

https://github.com/NationalSecurityAgency/ghidra

 
 

--WordPress Developers Propose Plan for Updating Unsupported Versions

(August 7 & 8, 2019)

The WordPress core development team has posted a proposal for updating outdated versions of the content management system (CMS). WordPress currently supports the six most recent major releases, WordPress versions 4.7 through 5.2. For six years, WordPress developers have been back-porting security fixes to every version back to 3.7. With the growing number of older versions, that is becoming unsustainable. The proposed plan would push updates to old WordPress sites in increments, moving each site to the next version (for example, from 3.7 to 3.8) rather than jumping directly from, say, 3.7 to 5.2. If the process breaks sites, it will be halted, the broken sites rolled back to their previous versions, and site owners notified. Site owners would be able to opt out of the forced update, and sites running WordPress versions older than 3.7 would not be updated, because they lack the automated update mechanism and must be updated manually.


Read more in:

Make.wordpress: Proposal: Auto-Update Old Versions to 4.7

https://make.wordpress.org/core/2019/08/07/proposal-auto-update-old-versions-to-4-7/

ZDNet: WordPress team working on daring plan to forcibly update old websites

https://www.zdnet.com/article/wordpress-team-working-on-daring-plan-to-forcibly-update-old-websites/

 
 

--Rotational Cyber Workforce Costs Seem Reasonable

(August 8, 2019)

According to an estimate from the Congressional Budget Office, the cost of implementing the Federal Rotational Cyber Workforce Program Act of 2019 would be less than US $500,000 a year. The goal of the program is to allow federal cybersecurity workers to rotate through positions at other agencies for between six months and one year to "develop multiagency and policy expertise on cyber threats." The legislation has passed unanimously in the Senate and has been approved by the House Committee on Oversight and Reform. It now goes to the full House for consideration.


Read more in:

MeriTalk: CBO: Fed Rotational Cyber Workforce Program is Cheap to Implement

https://www.meritalk.com/articles/cbo-fed-rotational-cyber-workforce-program-is-cheap-to-implement/

CBO: Congressional Budget Office Cost Estimate: S. 406, Federal Rotational Cyber Workforce Program Act of 2019

https://www.cbo.gov/system/files/2019-08/s406hog.pdf

 
 

--Some States Are Struggling to Meet the Real ID Implementation Deadline

(August 8, 2019)

Several US states are experiencing complications in implementing the Real ID program. The Real ID law was enacted in 2005 and requires people to provide proof of residency to obtain Real ID certified driver's licenses. States are expected to have completed the rollout prior to October 1, 2020, after which time US residents will be required to have a driver's license that meets Real ID standards to board aircraft or enter secure federal buildings.


Read more in:

GCN: Real ID, real problems: States cope with changing rules, late rollouts

https://gcn.com/articles/2019/08/08/real-id.aspx

 
 

--North Korea Stole $2 Billion for Weapons Program

(August 5, 7, & 8, 2019)

According to Reuters, a confidential UN report says that North Korea has stolen US $2 billion from banks and cryptocurrency exchanges to fund its weapons of mass destruction program. The report to the U.N. Security Council North Korea sanctions committee calls the attacks "widespread and increasingly sophisticated."


Read more in:

Reuters: North Korea took $2 billion in cyberattacks to fund weapons program: U.N. report

https://www.reuters.com/article/us-northkorea-cyber-un/north-korea-took-2-billion-in-cyberattacks-to-fund-weapons-program-u-n-report-idUSKCN1UV1ZX

Dark Reading: North Korean Cyber Ops Reportedly Stole $2B to Fund Weapons Programs

https://www.darkreading.com/north-korean-cyber-ops-reportedly-stole-$2b-to-fund-weapons-programs/d/d-id/1335467

Infosecurity Magazine: North Korean Hackers Amass $2bn Via Cyber-Attacks

https://www.infosecurity-magazine.com/news/north-korean-hackers-amass-2bn/

 
 

--GSA's 18F Agency Publishes De-risking Handbook for States

(August 7, 2019)

The US General Services Administration's (GSA's) 18F digital services agency has published a "De-risking" handbook for "'non-technical' decision-makers who fund or oversee state government technology projects." The handbook explains "six basic concepts of modern software development": user-centered design, agile software development, DevOps, building with loosely coupled parts, modular contracting, and product ownership. It also lists best practices for project management.


[Editor Comments]


[Pescatore] I'm pretty sure "40-page software development handbook for non-technical decision makers" is an oxymoron no matter what. The 18F document is a pretty good checklist for a technical program manager but ignores all the realities of the organizational and contractual barriers state and local governments face that are usually the biggest reason projects fail. One overriding truth does come from the Dutch study of local government IT contracts that the 18F document cites: only 13% of large (over $6M) contracts were deemed successful, 58% were "challenged" and 29% failed. The same study cites small (under $1M) contracts as succeeding 57% of the time, being "challenged" 29% and failing only 14% of the time. The 18F report goes through all the DevOps buzzwords but the data pretty much says "build a little, test a little" is key to successful software development - avoiding multiyear system development efforts in government contracts is especially important.


[Murray] "Agile" is synonymous with "seat of the pants"; it rarely results in secure code.


Read more in:

GitHub: De-risking custom technology projects

https://github.com/18F/technology-budgeting/blob/master/handbook.md

Statescoop: GSA releases 'de-risking' handbook for state technology projects

https://statescoop.com/gsa-derisking-custom-technology-projects-state-government/

 
 

--Man Charged for Allegedly Bribing AT&T Employees to Unlock Phones

(August 6 & 7, 2019)

Muhammad Fahd is facing numerous charges, including conspiracy to commit wire fraud, conspiracy to violate the Computer Fraud and Abuse Act, and accessing a protected computer in the furtherance of fraud, for allegedly bribing AT&T workers to use their access to unlock phones from the AT&T network. Fahd, who is originally from Pakistan, was arrested in Hong Kong in February 2018 and extradited to the US on August 2, 2019.


Read more in:

Justice: Leader of Conspiracy to Illegally Unlock Cell Phones for Profit Extradited from Hong Kong

https://www.justice.gov/opa/pr/leader-conspiracy-illegally-unlock-cell-phones-profit-extradited-hong-kong

Ars Technica: AT&T workers took $1 million in bribes to unlock 2 million phones, DOJ says

https://arstechnica.com/tech-policy/2019/08/att-employees-took-bribes-to-unlock-phones-and-plant-malware-doj-says/

Wired: How AT&T Insiders Were Bribed to 'Unlock' Millions of Phones

https://www.wired.com/story/att-insiders-bribed-unlock-phones/

The Register: There's fraud, and then there's backdoor routers, fenced logins, malware, and bribing AT&T staff seven figures to unlock 2m phones

https://www.theregister.co.uk/2019/08/06/att_unlock_fraud_hack_charges/

Cyberscoop: Pakistani man allegedly paid AT&T employees big bucks to jailbreak millions of iPhones

https://www.cyberscoop.com/iphone-jailbreak-law-arrest-att/

MeriTalk: Malware Cybercriminal Extradited From Hong Kong

https://www.meritalk.com/articles/malware-cybercriminal-extradited-from-hong-kong/

 
 

--Silent Windows Fix for Speculative Execution Flaw in Intel CPUs

(August 6, 2019)

In its July security update, Microsoft silently fixed a speculative execution vulnerability in Intel CPUs. The issue affects all CPUs that Intel has made since 2012. The vulnerability was privately reported to Intel a year ago.


Read more in:

Ars Technica: Silent Windows update patched side channel that leaked data from Intel CPUs

https://arstechnica.com/information-technology/2019/08/silent-windows-update-patched-side-channel-that-leaked-data-from-intel-cpus/


 

INTERNET STORM CENTER TECH CORNER


Corporate IoT Used in Intrusion

https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/


New Spectre Variant: SWAPGS

https://www.bitdefender.com/business/swapgs-attack.html


New WPA3 Weaknesses

https://wpa3.mathyvanhoef.com/#new


AT&T Insiders Bribed to Obtain Unlock Codes

https://www.justice.gov/usao-wdwa/press-release/file/1191031/download


Cisco Patches Smart Switch 220 Vulnerabilities

https://tools.cisco.com/security/center/publicationListing.x


Firefox for Android Supporting WebAuthn

https://blog.mozilla.org/security/2019/08/05/web-authentication-in-firefox-for-android/


0-Day Privilege Escalation in Steam Client

https://amonitoring.ru/article/steamclient-0day/


Actual Sextortion Trojan

https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/


Older RDP Vulnerability Can be Used for Hyper-V VM Escape

https://www.microsoft.com/security/blog/2019/08/07/a-case-study-in-industry-collaboration-poisoned-rdp-vulnerability-disclosure-and-response/


Kubernetes Security Audit Published

https://github.com/kubernetes/community/blob/master/wg-security-audit/findings/Kubernetes%20Final%20Report.pdf

https://www.cncf.io/blog/2019/08/06/open-sourcing-the-kubernetes-security-audit/


Apple Expands Bug Bounty

https://www.blackhat.com/us-19/briefings/schedule/index.html#behind-the-scenes-of-ios-and-mac-security-17220

https://www.forbes.com/sites/thomasbrewster/2019/08/08/apple-confirms-1-million-reward-for-hackers-who-find-serious-iphone-vulnerabilities/


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create