Take your cyber security skills to the next level with SANS training in Miami! Save $300 thru 11/20.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #7

January 25, 2019
****************************************************************************

SANS NewsBites               Jan. 25, 2018                Vol. 21, Num. 007

****************************************************************************


TOP OF THE NEWS


  DHS Issues Emergency Directive to Mitigate DNS Infrastructure Tampering

  Sammamish Washington Declares Ransomware Emergency

  2019 US National Intelligence Strategy Prioritizes Cybersecurity


REST OF THE WEEKS NEWS


  DARPAs GAPS Program Seeks to Protect Data in Transit

  Cisco Patches Buffer Overflow Flaw in SD-WAN Solution

  Googles Proposed Changes to Chrome Extension APIs Could Break Ad Blockers

  Adobe Releases Fixes for Flaws in Experience Manager Platform

  URLhaus Project Helps Take Down Sites Distributing Malware

  House Passes Bill that Would Require State Dept. To Establish Processes to Identify and Address Cybersecurity Issues

  Apple Releases Updates for Multiple Products

  Ransomware Hobbling Bitcoin Miners in China

  US Government Shutdown Detrimental to National Security

  GoDaddy is Fixing DNS Setup Flaw Exploited by Spammers


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019


-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019


-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019


-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019


-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019


-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019


-- SANS London March 2019 | March 11-16 | https://www.sans.org/event/london-march-2019


-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019


-- ICS Security Summit & Training 2019 | Orlando, FL | March 18-25 | https://www.sans.org/event/ics-security-summit-2019


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get an iPad Mini, Samsung Galaxy Tab S2, or Take $300 Off with OnDemand or vLive. Offer Ends February 6.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap

 

***************************  Sponsored By Splunk   ********************************


Organizations need an agile security solution that combines the power of an analytics-driven platform while unlocking the benefits of AI and ML. 40% of 200 global executives believe the answer to this challenge is hidden in machine data. Download the Harvard Business Review Analytic Services Pulse Survey, "IT Security: A New Analytics-Driven Model" and discover how AI and ML can help optimize security operations.  http://www.sans.org/info/210010


*****************************************************************************

TOP OF THE NEWS

 

--DHS Issues Emergency Directive to Mitigate DNS Infrastructure Tampering

(January 22 & 23, 2019)

On Tuesday, January 22, 2019, the US Department of Homeland Security (DHS) issued an Emergency Directive in which it said that multiple executive agency domains

were impacted by the [Domain Name System] tampering campaigns. DHS Emergency Directive 19-01 lists required actions for agencies to take to protect their systems from such attacks. Agencies are being urged to audit DNS security for the next 10 days.


[Editor Comments]


[Pescatore] Fireeye and Cisco first reported seeing these DNS hijacking attacks against .gov domains in Northern Africa and Europe and the US CERT says they were subsequently seen against US agencies. The DHS advice is pretty straightforward but the US Government still trying to force the use of PIV/CAC/SmartCards for 2 factor authentication makes it hard for the government to follow its own advice.


[Neely] DNS tampering is a threat that can be mitigated. The actions in the directive (audit your DNS, change existing reusable passwords, implement MFA for DNS Administration users/accounts and then monitor) are as relevant in the private as they are in the public sector.


Read more in:

DHS: Emergency Directive 19-01: Mitigate DNS Infrastructure Tampering

https://cyber.dhs.gov/ed/19-01/

DHS: Emergency Directive 19-01: Mitigate DNS Infrastructure Tampering (PDF)

https://cyber.dhs.gov/assets/report/ed-19-01.pdf

SC Magazine: DHS issues emergency directive to protect federal domains from DNS hijacking campaign

https://www.scmagazine.com/home/security-news/government-and-defense/dhs-issues-emergency-directive-to-protect-federal-domains-from-dns-hijacking-campaign/

FCW: DHS issues emergency directive to counter DNS hijacking campaign

https://fcw.com/articles/2019/01/22/cisa-dns-hack-johnson.aspx

NextGov: Agencies Have 10 Days to Review, Secure Critical IT Weakness

https://www.nextgov.com/cybersecurity/2019/01/agencies-have-10-days-review-secure-critical-it-weakness/154372/

 

--Sammamish Washington Declares Ransomware Emergency

(January 23, 2019)

"The city of Sammamish declared an emergency on Wednesday in response to a ransomware attack on the citys computer system. The emergency declaration by interim City Manager Larry Patterson allowed the city to bring in a third-party security expert without having to go through the standard contracting process."


[Editor Comments]


[Northcutt] The best defense against ransomware is good backups. That saves the expense of having to bring in an outside expert.

https://www.seattletimes.com/seattle-news/sammamish-declares-emergency-in-response-to-ransomware-attack/


 

--2019 US National Intelligence Strategy Prioritizes Cybersecurity

(January 22 & 23, 2019)

On Tuesday, January 22, the Office of the Director of National Intelligence (US) released its quadrennial National Intelligence Strategy. The strategy lists cybersecurity as a top priority, noting that our adversaries are increasingly leveraging rapid advances in technology to pose new and evolving threats particularly in the realm of space, cyberspace, computing, and other emerging, disruptive technologies. 


Read more in:

DNI: National Intelligence Strategy of the United States of America 2019 (PDF)

https://www.dni.gov/files/ODNI/documents/National_Intelligence_Strategy_2019.pdf

Fifth Domain: Nearly all American networks will be susceptible to cyberattacks

https://www.fifthdomain.com/dod/2019/01/23/nearly-all-american-networks-will-be-susceptible-to-cyberattacks/

Nextgov: National Intelligence Strategy Warns of Technological Threats to U.S.

https://www.nextgov.com/cybersecurity/2019/01/national-intelligence-strategy-warns-technological-threats-us/154370/


****************************  SPONSORED LINKS  ******************************


1) Don't Miss "Game Changing Defensive Strategies for 2019" with Alissa Torres. Register: http://www.sans.org/info/210015

2) Attention Decision Makers of Every level: Gain a foothold on the first opportunity to narrow the vendor field. http://www.sans.org/info/210020

3) The 14th Annual ICS Security Summit: Orlando, Florida - Mar 18-19. http://www.sans.org/info/210025


*****************************************************************************

REST OF THE WEEKS NEWS     

 

--DARPAs GAPS Program Seeks to Protect Data in Transit

(January 16 & 24, 2019)

The Pentagons Defense Advanced Research Projects Agency (DARPA) has launched a program to develop technologies to ensure the security of data as they move between systems.  Dubbed GAPS, for Guaranteed Architecture for Physical Security, the goal of [the program] is to develop hardware and software architectures that can provide physically provable guarantees around high-risk transactions, or where data moves between systems of different security levels. GAPS is part of a larger DARPA program, the Electronics Resurgence Initiative (ERI), which aims to develop a new generation of trusted electronics components, particularly with regard to security and privacy protections.


Read more in:

DARPA: DARPA Explores New Computing Architectures to Deliver Verifiable Data Assurances

https://www.darpa.mil/news-events/2019-01-16

MeriTalk: Pentagon Aims to Close the GAPS for Sensitive Data in the Cloud

https://www.meritalk.com/articles/pentagon-aims-to-close-the-gaps-for-sensitive-data-in-the-cloud/

 
 

--Cisco Patches Buffer Overflow Flaw in SD-WAN Solution

(January 23 & 24, 2019)

Cisco has released fixes to address a buffer overflow vulnerability in its SD-WAN Solution. The issue is caused by improper bounds checking by vContainer. The flaw affects Cisco vSmart Controller Software running a Cisco SD-WAN Solution prior to Release 18.4.0.


Read more in:

Cisco: Cisco SD-WAN Solution Buffer Overflow Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-bo

ZDNet: Cisco discloses arbitrary execution in SD-WAN Solution and Webex

https://www.zdnet.com/article/cisco-discloses-arbitrary-execution-in-sd-wan-solution-and-webex/

 
 

--Googles Proposed Changes to Chrome Extension APIs Could Break Ad Blockers

(January 22, 23, & 24, 2019)

Googles proposed changes to its Chrome browser would break content-blocking extensions. This includes ad blockers. The potential changes will limit the capabilities of extension developers. The proposed changes would also affect antivirus browser extensions, parental control extensions, and others. A Google software engineer notes that this design is still in a draft state, and will likely change.  


[Editor Comments]


[Neely] Google is working to limit extensions ability to increase security for the user, unfortunately some of these same capabilities are needed by ad blockers. The balance of security and actions available to extensions is still being finalized. It may become prudent to have separate browsers for applications that require extensions that no longer function.


Read more in:

ZDNet: Chrome API update will kill a bunch of other extensions, not just ad blockers

https://www.zdnet.com/article/chrome-api-update-will-kill-a-bunch-of-other-extensions-not-just-ad-blockers/

Wired: Google's Proposed Changes to Chrome Could Weaken Ad Blockers

https://www.wired.com/story/googles-proposed-changes-chrome-could-weaken-ad-blockers/

The Register: As netizens, devs scream bloody murder over Chrome ad-block block, Googlers insist: It's not set in stone (yet)

https://www.theregister.co.uk/2019/01/23/google_chrome_extension_change/

The Register: Wow, fancy that. Web ad giant Google to block ad-blockers in Chrome. For safety, apparently

https://www.theregister.co.uk/2019/01/22/google_chrome_browser_ad_content_block_change/

 
 

--Adobe Releases Fixes for Flaws in Experience Manager Platform

(January 22 & 23, 2019)

On Tuesday, January 22, Adobe released fixes for several vulnerabilities affecting its Experience Manager platform. The updates address two vulnerabilities in Adobe Experience Manager: a flaw that could allow stored cross-site scripting attacks affecting versions 6.0 through 6.4, and a flaw that could be exploited to allow reflected cross-site scripting attacks affecting versions 6.3 and 6.4. A reflected cross-site scripting issue also affects Adobe Experience Manager Forms versions 6.2, 6.3, and 6.4. These fixes are the second unscheduled security release from Adobe this month.


Read more in:

Threatpost: Adobe Issues Unscheduled Updates for Experience Manager Platform

https://threatpost.com/adobe-patches-experience-manager/141046/

Adobe: Security updates available for Adobe Experience Manager | APSB19-09

https://helpx.adobe.com/security/products/experience-manager/apsb19-09.html

Adobe: Security updates available for Adobe Experience Manager Forms | APSB19-03

https://helpx.adobe.com/security/products/aem-forms/apsb19-03.html

 
 

--URLhaus Project Helps Take Down Sites Distributing Malware

(January 23, 2019)

The URLhaus project was created as a clearinghouse to share information about URLs that are being used to distribute malware. The project members notify the companies that host the identified websites and have kept track of how long it has taken each company to take down the offending site. 


[Editor Comments]


[Pescatore] In the US, volunteer roadside litter pickup programs, where people/families/companies adopt sections of road to pick up trash, have been a huge successthe roads are much cleaner and the people providing the active effort get recognition. Id like to see ISPs voluntarily adopt some roadways on the information highway and keep them clean of what they clearly know is trash.


Read more in:

URLhaus: URLhaus

https://urlhaus.abuse.ch/

URLhaus: Average Reaction Time

https://urlhaus.abuse.ch/statistics/reactiontime/

Bleeping Computer: 265 Researchers Take Down 100,000 Malware Distribution Websites

https://www.bleepingcomputer.com/news/security/265-researchers-take-down-100-000-malware-distribution-websites/

 
 

--House Passes Bill that Would Require State Dept. To Establish Processes to Identify and Address Cybersecurity Issues

(January 23 & 24, 2019)

Earlier this week, the US House of Representatives passed the Hack Your State Department Act, a bill that would require the State Department to create a Vulnerability Disclosure Process, establishing clear procedures for reporting discovered vulnerabilities. The bill would also require the State Department to develop and implement a bug bounty program. There is currently no companion bill in the Senate.


[Editor Comments]


[Pescatore] The latest version of the NIST Cybersecurity Framework has the requirement for processes to receive, analyze and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) Since agencies are required by executive order to use the NIST framework, not sure why a law telling the State Department to do so is necessary, nor is it ever a good idea for laws to require a particular technology.  By the way, I tried to check that updated framework has that exact language from the draft, but the NIST website says it isnt being updated because of the government shutdown


Read more in:

Executive Gov: House Passes Bill Identifying State Department Cyber Weaknesses; Rep. Ted Lieu Quoted

https://www.executivegov.com/2019/01/house-passes-bill-identifying-state-department-cyber-weaknesses-rep-ted-lieu-quoted/

MeriTalk: House Passes Bill to Help Identify Cybersecurity Vulnerabilities

https://www.meritalk.com/articles/house-passes-bill-to-help-identify-cybersecurity-vulnerabilities/

Congress: H.R.328 - Hack Your State Department Act

https://www.congress.gov/bill/116th-congress/house-bill/328

 
 

--Apple Releases Updates for Multiple Products

(January 23, 2019)

On Tuesday, January 22, Apple released security updates for multiple products, including iOS, macOS, watchOS, tvOS, and Safari. Some of the fixes for macOS and iOS address security issues in the operating systems kernel that could be exploited to allow arbitrary code execution.


Read more in:

Apple: Apple security updates

https://support.apple.com/en-us/HT201222

SC Magazine: Apple releases updates for iOS, macOS, tvOS, watchOS and other products

https://www.scmagazine.com/home/security-news/apple-tuesday-released-updates-to-address-vulnerabilities-in-several-of-its-products-including-its-macos-and-ios-operating-systems/

eWeek: Apple Issues First iOS, macOS Security Updates for 2019

https://www.eweek.com/security/apple-issues-first-ios-macos-security-updates-for-2019

 
 

--Ransomware Hobbling Bitcoin Miners in China

(January 23, 2019)

Ransomware appears to be targeting bitcoin mining farms in China. Most of the affected mining rigs are Antminer S9 and T9 devices. It is unclear how the malware is spreading; one possibility is that it is being hidden in specially-crafted versions of mining rig firmware. 


Read more in:

ZDNet: New ransomware strain is locking up Bitcoin mining rigs in China

https://www.zdnet.com/article/new-ransomware-strain-is-locking-up-bitcoin-mining-rigs-in-china/

 
 

--US Government Shutdown Detrimental to National Security

(January 23, 2019)

The US government shutdown it taking a toll on the FBIs ability to move forward on cybercrime cases and its efforts against threats to national security. Even when the government reopens, the talent drain effects of the shutdown will be felt for years, according to an anonymous source speaking to Brian Krebs. Earlier this month the FBI Agents Association (FBIAA) published a report that includes reports from FBI special agents across the country that illustrate how the government shutdown affects our work and identifies the risks that may emerge as it continues.


[Editor Comments]


[Neely] While many financial institutions are offering low or zero interest loans to those furloughed or working without pay, a number of workers are electing to retire or seek employment elsewhere and cyber maintenance is not being performed. Make sure that your patching capability can handle a restart when the first thing the systems will do is start updating and patching and have a contingency for the loss of productivity during that interval.


Read more in:

KrebsOnSecurity: How the U.S. Govt. Shutdown Harms Security

https://krebsonsecurity.com/2019/01/how-the-u-s-govt-shutdown-harms-security/

Washington Post: The Cybersecurity 202: FBI cyber investigations hit hard by shutdown

https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity-202/2019/01/23/the-cybersecurity-202-fbi-cyber-investigations-hit-hard-by-shutdown/5c475f7c1b326b29c3778c68/

FBIAA: Voices From The Field: FBI Agent Accounts of the Real Consequences of the Government Shutdown (PDF)

https://www.fbiaa.org/sites/default/files/downloadable/FBIAA%20Voices%20from%20the%20Field.pdf

 
 

--GoDaddy is Fixing DNS Setup Flaw Exploited by Spammers

(January 22, 2019)

GoDaddy is taking corrective action immediately to address a weakness in its DNS setup process that spammers exploited to launch disturbing email campaigns: the December 2018 email bomb threat hoax that caused schools, businesses, and government buildings to shut down, and a sextortion campaign that has been operating since July 2018. The weakness allowed the attackers to piggyback on the reputations of known and trusted website names.


Read more in:

KrebsOnSecurity: Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

https://krebsonsecurity.com/2019/01/bomb-threat-sextortion-spammers-abused-weakness-at-godaddy-com/

Ars Technica: GoDaddy weakness let bomb threat scammers hijack thousands of big-name domains

https://arstechnica.com/information-technology/2019/01/godaddy-weakness-let-bomb-threat-scammers-hijack-thousands-of-big-name-domains/

 

INTERNET STORM CENTER TECH CORNER

 

Turning MISP Data into RPZs

https://isc.sans.edu/forums/diary/DNS+Firewalling+with+MISP/24556/


Man in the Middle Vulnerability in apt

https://justi.cz/security/2019/01/22/apt-rce.html


PHP PEAR Compromised Package

http://pear.php.net


Apple Security Updates

https://support.apple.com/en-us/HT201222


Tech Support Scammers Unmasked

https://www.fidusinfosec.com/turning-the-tables-on-virgin-media-twitter-scammers/


Abuse of Trusted Microsoft Azure Domains

https://github.com/MicrosoftDocs/OfficeDocs-Enterprise/issues/233


DHS Emergency Directive Regarding DNS Tampering

https://cyber.dhs.gov/ed/19-01/


Ghostscript Remote Code Execution Vulnerability

https://www.openwall.com/lists/oss-security/2019/01/23/5


Abusing Exchange to Obtain Domain Admin

https://dirkjanm.io/abusing-exchange-one-api-call-away-from-domain-admin/


IPC Voucher UaF Remote Jailbreak

http://blogs.360.cn/post/IPC%20Voucher%20UaF%20Remote%20Jailbreak%20Stage%202%20(EN).html


Cisco Security Updates

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-sdwan-bo

 

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create