SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #76

September 27, 2019

GAO Report on Poor Grid Risk Mitigation; Ransomware Disrupts Healthcare at Hospital and more




****************************************************************************

SANS NewsBites               Sept. 27, 2019                Vol. 21, Num. 076

****************************************************************************


TOP OF THE NEWS 


  GAO Report on Grid Risk Mitigation

  Ransomware Disrupts Healthcare At Rural Hospital

  Union City, CA, Recovering from Ransomware Attack

  How Sparks, Nevada is Addressing Security Post-Ransomware Attack



REST OF THE WEEK'S NEWS        


  Guide Helps Healthcare Organizations Navigate Cybersecurity Information Sharing  

  Cisco IOS/IOS XE Software Security Advisory

  Guilty Plea for Role in "Massive" Data Theft from Financial Institutions

  Problematic Chrome Update Damages macOS File Systems

  Hackers are Exploiting WordPress Plugin Flaw

  Adobe Releases ColdFusion Patches 

  NIST Draft Document on Zero-Trust Architecture

  South African ISP Hit with DDoS Attack


INTERNET STORM CENTER TECH CORNER


*****************************************************************************


CYBERSECURITY TRAINING UPDATE


-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS Baltimore Fall 2019 | October 7-12 | https://www.sans.org/event/baltimore-fall-2019


-- SANS October Singapore 2019 | October 7-26 | https://www.sans.org/event/october-singapore-2019


-- SANS Denver 2019 | October 14-19 | https://www.sans.org/event/denver-2019


-- SANS Amsterdam October 2019 | October 28-November 2 | https://www.sans.org/event/amsterdam-october-2019 


-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019


-- SANS Sydney 2019 | November 4-23 | https://www.sans.org/event/sydney-2019


-- SANS London November 2019 | November 11-16 | https://www.sans.org/event/london-november-2019


-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019


-- SANS OnDemand and vLive Training

Get an iPad Mini, Surface Go, or Take $300 Off through October 2 with your OnDemand or vLive course.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/ 


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*************************** Sponsored By ExtraHop **************************


ExtraHop Reveal(x) is a Network Detection and Response (NDR) system that provides machine learning-driven detection and guided investigation. In this webcast, expert Dave Shackleford and Tom Stitt from ExtraHop, discuss how Reveal(x) can help an organization evaluate threat activity in multiple scenarios, and how key new features make doing so easier than ever. Tuesday, October 1st at 10:30AM ET. http://www.sans.org/info/214335


*****************************************************************************

TOP OF THE NEWS   

 

--GAO Report on Grid Risk Mitigation

(September 26, 2019)

 

A report from the US Government Accountability Office (GAO) describes several risks facing the country's energy grid: threat actors are becoming "increasingly capable" of launching attacks against it, and its attack surface is growing. The report examines whether the Department of Energy has adequately defined a strategy for addressing cyber risks to the grid and whether the standards approved by the Federal Energy Regulatory Commission (FERC) adequately address those risks.


[Editor Comments]


[Murray] I continue to be concerned about early compromise of these systems and applications that may not be exploited or discovered until a time of other conflict. Some may already have been compromised. These systems and applications should have positive and restrictive content control (think enterprise Tripwire) so that unauthorized changes can be more readily detected.


Read more in:

MeriTalk: GAO Identifies Electric Grid Cyber Risks, Calls for Stronger Strategy to Protect Grid

https://www.meritalk.com/articles/gao-identifies-electric-grid-cyber-risks-calls-for-stronger-strategy-to-protect-grid/

GAO: Critical Infrastructure Protection: Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid

https://www.gao.gov/assets/710/701079.pdf



--Ransomware Disrupts Healthcare At Rural Hospital

(September 23 & 24, 2019)

A ransomware attack on Campbell County Health in Wyoming has disrupted the availability of healthcare services at Campbell County Memorial Hospital. Some patients have been sent to other hospitals more than 100 miles away. As of Thursday, September 26, a banner message on the Campbell County Health website reads: "[We are] still working hard to restore our computer systems so we can resume normal operations. The Emergency Department, Emergency Medical Services, Maternal Child (OB), and all of our clinics are open to assess and treat patients as appropriate."


Read more in:

SC Magazine: Ransomware attack disrupts Campbell County Health

https://www.scmagazine.com/home/security-news/ransomware/ransomware-attack-disrupts-campbell-county-health/

GovInfoSecurity: Ransomware Attack on Rural Hospital Disrupts Services

https://www.govinfosecurity.com/ransomware-attack-on-rural-hospital-disrupts-services-a-13136

Security Week: Wyoming Hospital's Services Disrupted by Ransomware

https://www.securityweek.com/wyoming-hospitals-services-disrupted-ransomware


 

--Union City, CA, Recovering from Ransomware Attack

(September 22 & 24, 2019)

Union City, California was hit with a ransomware attack on Saturday, September 21. The city shut down all IT systems as a precautionary measure. City employees were unable to access their email. The city website is operational, as is its cloud-based mass email contact system. The city's Emergency Operations Center is activated and will be open until systems are restored.      


Read more in:

NBC Bay Area: Computer Virus Affects Union City Services

https://www.nbcbayarea.com/news/local/Computer-Virus-Affects-Union-City-Services-561080921.html

GovTech: Union City, Calif., Works to Recover After Cyberattack

https://www.govtech.com/security/Union-City-Calif-Works-to-Recover-After-Cyberattack.html



--How Sparks, Nevada is Addressing Security Post-Ransomware Attack

(September 26, 2019)

In August 2015, municipal systems in the city of Sparks, Nevada were hit with a ransomware attack. The city had tape backups stored offsite, but it still took two weeks to fully restore its systems. To bolster its security, Sparks decided to use a security operations center as a service with a managed detection and response approach. To improve backup speeds, the city uses higher-capacity tapes and backs up to the cloud as well.

  

[Editor Comments]


[Murray] "Ransomware" puts new requirements on backup; instead of recovering a few files one may have to recover many systems and applications at the same time. In light of these new requirements, one should revisit one's backup strategy before a ransomware attack. However, the availability of safe backup trumps the speed of recovery.  


Read more in:

Statescoop: How Sparks, Nevada, is rethinking security after ransomware

https://statescoop.com/how-sparks-nevada-is-rethinking-security-after-ransomware/


****************************  SPONSORED LINKS  ******************************


1) Give us insight into workforce transformation by taking this survey: http://www.sans.org/info/214340


2) ICYMI Webcast: NetOps and SecOps: "Can't We All Just Get Along?" View webcast. http://www.sans.org/info/214345


3) Learn how to assemble the systems, data and processes you'll need to threat hunt in this upcoming webcast: http://www.sans.org/info/214350


*****************************************************************************

REST OF THE WEEK'S NEWS


--Guide Helps Healthcare Organizations Navigate Cybersecurity Information Sharing  

(September 26, 2019)

The US Healthcare and Public Health Sector Coordinating Council (HSCC) has established the Health Industry Cybersecurity Matrix of Information Sharing Organizations (HIC-MISO), which will help organizations in the healthcare sector find and participate in cybersecurity information sharing organizations.


[Editor Comments]


[Neely] This will be an aid to organizations that don't have the resources to track and analyze threats internally. They are also providing guidance on implementing a cybersecurity information sharing system in your organization as well as identifying trusted sources to share information with, which facilitates the process immensely. This should also provide needed information on prioritizing responses to threats and incidents from the organization's limited resources as well.


[Murray] While HIPAA was intended to make health information "portable," the security rules had the unintended and perverse consequences, not only of discouraging sharing, but of discouraging electronic medical records. After more than twenty years, HIPAA remains "in the ditch."


Read more in:


Infosecurity Magazine: Health Industry Cybersecurity Matrix Launched

https://www.infosecurity-magazine.com/news/health-industry-cybersecurity/

Health Sector Council: Health Industry Cybersecurity - Matrix of Information Sharing Organizations (HIC-MISO)

https://healthsectorcouncil.org/hic-miso/



--Cisco IOS/IOS XE Software Security Advisory

(September 26, 2019)

Cisco's September 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication includes fixes for 13 vulnerabilities in the network operating systems. All 13 vulnerabilities are rated high severity. One of the flaws could be exploited to allow guest users to obtain root privileges on Cisco 800 and 1000 Series Industrial Integrated Services Routers.


Read more in:

Bleeping Computer: Cisco Fixes Critical IOx Flaw Allowing Root Access to Guest OS

https://www.bleepingcomputer.com/news/security/cisco-fixes-critical-iox-flaw-allowing-root-access-to-guest-os/

The Register: Four words from Cisco to strike fear into the most hardened techies: Guest account as root

https://www.theregister.co.uk/2019/09/26/cisco_guest_as_root_vuln_patches/

Cisco: Cisco IOx for IOS Software Guest Operating System Unauthorized Access Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ios-gos-auth

Cisco: Cisco Event Response: September 2019 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication

https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-72547



--Guilty Plea for Role in "Massive" Data Theft from Financial Institutions

(September 25, 2019)

Andrei Tyurin has pleaded guilty to several charges, including conspiracy to commit computer hacking and wire fraud, for his role in a "massive" hacking scheme that stole data from financial institutions, brokerages and other entities. Tyurin and his associates, who were charged separately, used some of the stolen information to artificially increase the price of certain stocks which they then sold at a profit.   


Read more in:

SC Magazine: Russian man pleads guilty to financial firm hacks

https://www.scmagazine.com/home/security-news/legal-security-news/report-russian-man-to-plead-guilty-to-financial-firm-hacks/

The Register: We finally got one! Russian 'fesses up to cracking bank servers, netting big bucks

https://www.theregister.co.uk/2019/09/25/russian_finance_hacker/

Justice: Russian Hacker Pleads Guilty For Involvement In Massive Network Intrusions At U.S. Financial Institutions, Brokerage Firms, A Major News Publication, And Other Companies

https://www.justice.gov/usao-sdny/pr/russian-hacker-pleads-guilty-involvement-massive-network-intrusions-us-financial



--Problematic Chrome Update Damages macOS File Systems

(September 25, 2019)

A faulty Chrome update corrupted some macOS file systems, rendering the affected machines unable to boot. The issue affected macOS devices on which System Integrity Protection (SIP) had been disabled and which also met certain other conditions. Google has provided instructions for fixing the issue.


[Editor Comments]


[Neely] Since the fix requires booting the system in recovery mode, central application of the fix is problematic. Google has stopped pushing out the update until they resolve the bug. Only systems running older than OS X 10.11 or systems which have disabled SIP (which is on by default) are at risk.


Read more in:

Ars Technica: No, it wasn't a virus; it was Chrome that stopped Macs from booting

https://arstechnica.com/information-technology/2019/09/no-it-wasnt-a-virus-it-was-chrome-that-stopped-macs-from-booting/

Bleeping Computer: Buggy Google Chrome Update Behind Recent Unbootable Macs

https://www.bleepingcomputer.com/news/security/buggy-google-chrome-update-behind-recent-unbootable-macs/

Threatpost: Chrome Bug, Not Avid Software, Causes Damage to MacOS File Systems

https://threatpost.com/chrome-bug-not-avid-software-causes-damage-to-macos-file-systems/148691/

Google: Chrome Update Impacts Some macOS Systems

https://support.google.com/chrome/thread/15235262



--Hackers are Exploiting WordPress Plugin Flaw

(September 25, 2019)

A security flaw in the Rich Reviews plugin for WordPress is being actively exploited to inject malvertising code into vulnerable websites. The code creates redirects and generates pop-up ads. The Rich Reviews plugin was removed from the WordPress repository six months ago. An estimated 16,000 sites are still using it. If and when a fix becomes available, users will be able to update Rich Reviews only if the plugin is reinstated in the repository.     


[Editor Comments]


[Neely] While web application firewalls that include XSS protections can mitigate the risks of this exploit, the better fix is to retire/replace the plugin. While the developers have been enticed to fix the flaw, patches may have to be manually applied as this plugin is deprecated and no longer in the WordPress repository.


[Paller] One very common source of damaging vulnerabilities is web application developers who use add-ins to systems like WordPress and take no responsibility for the flaws that they create by using those insecure add-ins. I anticipate judges will find careless developers liable for damages and their liability will be limited only by the contractual clauses in their contracts.


Read more in:

Wordfence: Zero Day Vulnerability in Rich Reviews Plugin Exploited In The Wild

https://www.wordfence.com/blog/2019/09/rich-reviews-plugin-vulnerability-exploited-in-the-wild/

Threatpost: Unpatched Bug Under Active Attack Threatens WordPress Sites with XSS

https://threatpost.com/unpatched-bug-wordpress-xss/148656/

Bleeping Computer: Hackers Exploit Unpatched Bug in Rich Reviews WordPress Plugin

https://www.bleepingcomputer.com/news/security/hackers-exploit-unpatched-bug-in-rich-reviews-wordpress-plugin/



--Adobe Releases ColdFusion Patches 

(September 24 & 25, 2019)

Adobe has released an update for ColdFusion outside of its scheduled patch releases. The update addresses two critical and one important vulnerability in ColdFusion 2016 and ColdFusion 2018. The critical issues are a command injection flaw and a path traversal vulnerability.


Read more in:

Threatpost: Adobe Unscheduled Update Fixes Critical ColdFusion Flaws

https://threatpost.com/adobe-unscheduled-update-fixes-critical-coldfusion-flaws/148616/

The Register: Hot patches for ColdFusion: Adobe drops trio of fixes for three serious flaws

https://www.theregister.co.uk/2019/09/25/coldfusion_patches_adobe/

Adobe: Security updates available for ColdFusion | APSB19-47

https://helpx.adobe.com/security/products/coldfusion/apsb19-47.html



--NIST Draft Document on Zero-Trust Architecture

(September 24, 2019)

The National Institute of Standards and Technology (NIST) has released a draft document on Zero Trust Architecture. The document describes "a Zero Trust Architecture (ZTA) strategy [as] one where there is no implicit trust granted to systems based on their physical or network location." The publication also offers several ZTA use cases. NIST is seeking feedback on the draft publication; comments will be accepted through November 22, 2019.


[Editor Comments]


[Neely] Having a common definition of ZTA will help focus the conversation on how best to implement protections in that environment, as well as how to transform existing security models from an on-premise focus to protection of resources irrespective of location, ownership or network. While the vanishing perimeter for general purpose devices can be liberating, and support the mantra of anytime any place work, there remain specialized systems which depend on logical and physical protections due to either their nature or maturity.


Read more in:

Fedscoop: NIST defines zero trust architecture, releases use cases

https://www.fedscoop.com/nist-zero-trust-architecture-definition/

CSRC: SP 800-207 (DRAFT) Zero Trust Architecture

https://csrc.nist.gov/publications/detail/sp/800-207/draft

NVLPUBS: Draft NIST Special Publication 800-207 Zero Trust Architecture (PDF)

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207-draft.pdf



--South African ISP Hit with DDoS Attack

(September 24, 2019)

South African Internet service provider (ISP) Cool Ideas was the target of a distributed denial-of-service (DDoS) attack during the weekend of September 21-22. The attackers used a technique called "carpet bombing." Rather than targeting a critical server in the ISP's network, they sent bogus traffic to random IP addresses across the Cool Ideas network, so that no single destination received enough traffic to stand out on its own.
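The detection point behind the "carpet bombing" technique above is that a per-destination volume rule never fires, because the traffic is spread thinly across a whole prefix. The following is an added example (not from the newsletter, ZDNet or Cool Ideas) that runs a host-centric rule and a prefix-centric rule over constructed flow records; the thresholds, window size and all IP addresses are assumptions chosen for illustration.

```python
"""Carpet-bombing DDoS detection over flow records (constructed example)."""
from collections import defaultdict
from ipaddress import ip_network

# Assumed thresholds: the same bandwidth budget applied per host and per /24.
PER_HOST_BPS_LIMIT = 20_000_000   # bits/s before a single destination alerts
PREFIX_BPS_LIMIT = 20_000_000     # bits/s before a whole /24 alerts
MIN_DISTINCT_DSTS = 64            # spread needed to call it carpet bombing
WINDOW_SECONDS = 10               # length of the flow window being analysed


def build_sample_flows():
    """Constructed (dst_ip, bytes) records for one 10-second window.

    198.51.100.0/24 carries ordinary traffic to three busy servers;
    203.0.113.0/24 is the carpet-bombed prefix: 250 addresses, each
    receiving only a small share of a large total volume.
    """
    flows = []
    for i in range(5_000):                      # normal: 7.5 MB over 3 hosts
        flows.append((f"198.51.100.{10 + (i % 3)}", 1500))
    for i in range(50_000):                     # attack: 60 MB over 250 hosts
        flows.append((f"203.0.113.{1 + (i % 250)}", 1200))
    return flows


def per_host_alerts(flows, limit_bps=PER_HOST_BPS_LIMIT, window=WINDOW_SECONDS):
    """Host-centric rule: alert on any single destination above the limit.

    Returns the sorted list of destination IPs that exceed the limit.
    """
    bytes_by_dst = defaultdict(int)
    for dst, nbytes in flows:
        bytes_by_dst[dst] += nbytes
    return sorted(d for d, b in bytes_by_dst.items() if b * 8 / window > limit_bps)


def prefix_alerts(flows, prefix_len=24, limit_bps=PREFIX_BPS_LIMIT,
                  min_dsts=MIN_DISTINCT_DSTS, window=WINDOW_SECONDS):
    """Prefix-centric rule: aggregate bytes per prefix and count distinct targets.

    Returns sorted (prefix, distinct_destinations, mbps) tuples for prefixes
    whose aggregate rate exceeds the limit AND whose traffic is spread across
    at least min_dsts destinations; a single overloaded server does not match.
    """
    prefix_of = {}                               # cache dst -> network
    bytes_by_prefix = defaultdict(int)
    dsts_by_prefix = defaultdict(set)
    for dst, nbytes in flows:
        net = prefix_of.get(dst)
        if net is None:
            net = prefix_of[dst] = ip_network(f"{dst}/{prefix_len}", strict=False)
        bytes_by_prefix[net] += nbytes
        dsts_by_prefix[net].add(dst)
    alerts = []
    for net, total in bytes_by_prefix.items():
        bps = total * 8 / window
        spread = len(dsts_by_prefix[net])
        if bps > limit_bps and spread >= min_dsts:
            alerts.append((str(net), spread, round(bps / 1e6, 1)))
    return sorted(alerts)


if __name__ == "__main__":
    sample = build_sample_flows()
    print("per-host alerts:", per_host_alerts(sample))   # nothing fires
    print("prefix alerts:  ", prefix_alerts(sample))     # the /24 under attack
```

Each bombed address sees roughly 384 kbit/s here, far below any per-host limit, while the /24 as a whole carries 48 Mbit/s.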


Read more in:

ZDNet: 'Carpet-bombing' DDoS attack takes down South African ISP for an entire day

https://www.zdnet.com/article/carpet-bombing-ddos-attack-takes-down-south-african-isp-for-an-entire-day/



*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Remotewebaccess.com Domain in Certificate Transparency Logs

https://isc.sans.edu/forums/diary/Huge+Amount+of+remotewebaccesscom+Sites+Found+in+Certificate+Transparency+Logs/25352/


Malspam Pushing Quasar RAT

https://isc.sans.edu/forums/diary/Malspam+pushing+Quasar+RAT/25354/


Adobe Releases Emergency ColdFusion Patch

https://blogs.adobe.com/psirt/?p=1789


Cisco Industrial Router Security Bulletin

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190925-ios-gos-auth


Apple Releases Additional Updates for iOS/iPadOS

https://support.apple.com/en-us/HT201222


vBulletin Vulnerability 0-Day Exploit Released

https://seclists.org/fulldisclosure/2019/Sep/31


vBulletin 0-Day Exploit Update

https://www.bleepingcomputer.com/news/security/vbulletin-zero-day-exploited-for-years-gets-unofficial-patch/


vBulletin Botnet

https://twitter.com/bad_packets/status/1177256656322695168


Fake Veteran Employment Site

https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html


Sniffle Bluetooth Sniffer

https://github.com/nccgroup/sniffle


Outlook on the web blocking more extensions

https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Changes-to-File-Types-Blocked-in-Outlook-on-the-web/ba-p/874451


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create