Last Day to Get an iPad Pro with Smart Keyboard, HP ProBook, or $350 Off with OnDemand or vLive Training!

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #79

October 8, 2019

Siemens Sees Operational Technology Attacks; Microsoft: Iranian Hackers Targeted 2020 Campaign; Ransomware At Multiple Hospitals




2019 Security Difference Makers Awards


Help the security community recognize unsung heroes of cybersecurity so that others can learn from their successes. Please nominate people and teams for the 2019 Security Difference Makers Awards. Winners/Recipients will be recognized on December 16 in Washington, DC. Choose people who deserve recognition for making meaningful progress in cybersecurity either by increasing security levels or by advancing security controls and processes to enable new business success. Send nominations to trends@sans.org. Deadline: October 18.


Full details on how to nominate at http://www.sans.org/cyber-innovation-awards



****************************************************************************

SANS NewsBites                 Oct. 8, 2019                Vol. 21, Num. 079

****************************************************************************


TOP OF THE NEWS


  Siemens Report Finds Attacks Are Targeting Utility Operational Technology

  Microsoft: Iranian Hackers Targeted 2020 Campaign

  Alabama Hospitals Pay Ransomware Demand

  Canadian Hospitals Hit With Ransomware



REST OF THE WEEK'S NEWS       


  Experts Say DNS-over-HTTPS is Problematic

  Check Point Report: Egyptian Government Tracking Journalists, Human Rights Activists

  Reductor Malware Manipulates HTTPS Traffic

  US Will Revive Program to Identify Vulnerabilities in Aircraft Systems

  Defense Dept. Improves Security for Servicemembers' Website

  US Will Help Baltic States Secure Energy Grid


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS Amsterdam October 2019 | October 28-November 2 | https://www.sans.org/event/amsterdam-october-2019


-- DFIRCON 2019 | Miami, FL | November 4-9 | https://www.sans.org/event/dfircon-miami-2019


-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019


-- SANS Sydney 2019 | November 4-23 | https://www.sans.org/event/sydney-2019


-- SANS London November 2019 | November 11-16 | https://www.sans.org/event/london-november-2019


-- SANS Atlanta Fall 2019 | November 18-23 | https://www.sans.org/event/atlanta-fall-2019


-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019


-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


-- SANS OnDemand and vLive Training

Get a 7th gen 10.2" iPad, Samsung Galaxy Tab A, or Take $250 off through October 16 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


************************  Sponsored By Splunk   *****************************


How to Uplevel Your Defenses With Security Analytics. If you don't have actionable insights to detect and respond to emerging and current threats, you're not reaping the rewards of modern security information event management (SIEM) technology. Download How to Uplevel Your Defenses With Security Analytics, and find out what you (and your SIEM) are missing and how to harden your defenses. http://www.sans.org/info/214415


*****************************************************************************

TOP OF THE NEWS  

 

--Siemens Report Finds Attacks Are Targeting Utility Operational Technology

(October 4, 2019)

According to a report from Siemens, attacks against operational technology (OT) systems at utilities are increasing. The report compiles responses gathered from professionals around the world involved in gas, solar, and wind electric utilities and water utilities. The report follows just weeks after a report from the US Government Accountability Office (GAO) that said the Department of Energy is not doing enough to protect the country's electric grid from cyber attacks.


[Editor Comments]


[Paller] Siemens's disclosure may be groundbreaking because the only pathway toward protecting the grid is through major actions by the manufacturers (Siemens, ABB, Omron, Emerson Electric, Rockwell Automation, Honeywell, Yokogawa, and Schneider Electric). End users (utilities and local governments) are no more able to protect their systems than individual drivers are able to make their cars safe. Volvo gained significant market leadership in safe cars by building security in. Siemens will similarly gain substantial market share growth if it follows its disclosure with product-line-wide (not just protecting new devices) security wrappers that Siemens supports and markets as affordable options or even standard parts of maintenance. Many ICS manufacturers have treated security as an opportunity to get a lot of money from worried customers without substantially reducing the risk. We're counting on Siemens to lead the way toward a safer grid.


[Murray] While physical attacks might be more difficult to recover from, we can hardly do "enough to protect...from cyber attacks."


Read more in:

The Hill: Report finds cyberattacks on critical utility operating systems are increasing

https://thehill.com/policy/cybersecurity/464373-report-finds-cyberattacks-on-critical-utility-operating-systems-are

Siemens: Caught in the Crosshairs: Are Utilities Keeping Up with the Industrial Cyber Threat?

https://assets.new.siemens.com/siemens/assets/api/uuid:35089d45-e1c2-4b8b-b4e9-7ce8cae81eaa/version:1570030979/siemens-cybersecurity.pdf

GAO: Critical Infrastructure Protection: Actions Needed to Address Significant Cybersecurity Risks Facing the Electric Grid

https://www.gao.gov/assets/710/701079.pdf

 
 

--Microsoft: Iranian Hackers Targeted 2020 Campaign

(October 4, 2019)

Microsoft said that hackers working on behalf of Iran's government have targeted email accounts that belong to a US presidential campaign and a number of current and former US government officials. In a blog post, Microsoft writes that in a recent 30-day period, the hackers made "more than 2,700 attempts to identify consumer email accounts belonging to specific Microsoft customers and then attack 241 of those accounts." (Please note that the WSJ story is behind a paywall.)


[Editor Comments]


[Pescatore/Murray] To replay an over-used phrase, this is pretty much just the "new normal." The US, UK, France, China, Russia, Iran, N. Korea and other countries all have very active espionage programs against each other as well as other targets. Since the use of the Internet to carry critical commercial and government business (including census taking and elections) is increasing, the funding for cyber attacks in the espionage programs of all those countries is increasing to go after those communications and systems. Election systems and the systems used by candidates and government officials need better protection than normal business systems, let alone home level systems.


Read more in:

Microsoft: Recent cyberattacks require us all to be vigilant

https://blogs.microsoft.com/on-the-issues/2019/10/04/recent-cyberattacks-require-us-all-to-be-vigilant/

Ars Technica: Microsoft says Iranian hackers tried to hack a US presidential campaign

https://arstechnica.com/tech-policy/2019/10/microsoft-says-iranian-hackers-tried-to-hack-a-us-presidential-campaign/

Fifth Domain: Iran-backed hack attempt on government officials 'completely routine activity'

https://www.fifthdomain.com/civilian/2019/10/04/iran-backed-hackers-targeted-2020-presidential-campaign-says-microsoft/

Wired: Iranian Hackers Targeted a US Presidential Candidate

https://www.wired.com/story/iran-hackers-target-us-presidential-candidate/

WSJ: Presidential Campaign Targeted by Suspected Iranian Hackers, Microsoft Says (paywall)

https://www.wsj.com/articles/presidential-campaign-targeted-by-suspected-iranian-hackers-microsoft-says-11570205485

 
 

--Alabama Hospitals Pay Ransomware Demand

(October 5 & 7, 2019)

DCH Health System has paid a ransomware demand for an October 1 attack that affected systems at three hospitals in Alabama. DCH did not disclose the amount it paid. The organization is restoring some system components from backups and is using the decryption key provided by the attackers to regain access to locked systems.


[Editor Comments]


[Neely] The hospitals indicate they are methodically rebuilding servers individually, based on criticality. While they have brought in expert help to recover, the inability to restore systems without the decryption key, and the protracted restoration time indicate their D/R plan needs evaluation and updating.


[Murray] Having to make the decision to pay or not pay extortion is prima facia evidence of a failed backup and recovery strategy. One should be looking for a new CIO, CTO, and CISO. If you are in one of those roles, revisit your strategy.


Read more in:

DCH System: DCH Ongoing Response to Cyberattack and IT System Outage

https://www.dchsystem.com/Articles/dch_ongoing_response_to_cyberattack_and_it_system_outage.aspx

Threatpost: Alabama Hospitals Pay Up in Ransomware Attack

https://threatpost.com/alabama-hospitals-pay-up-ransomware-attack/148937/

Bleeping Computer: DCH Hospital Pays Ryuk Ransomware for Decryption Key

https://www.bleepingcomputer.com/news/security/dch-hospital-pays-ryuk-ransomware-for-decryption-key/

 
 

--Canadian Hospitals Hit With Ransomware

(September 29, 2019)

Two hospitals in rural southwestern Ontario, Canada, are offering limited services due to a ransomware attack. The attack affected the IT system of the Listowel Wingham Hospital Alliance. The emergency rooms at the two hospitals remained open.


[Editor Comments]


[Murray] Backup and recovery is the security measure of last resort, the one on which one relies when all else fails. Be sure that you have safe copies of all mission critical data and procedures and the ability to recover mission critical systems and applications on a timely basis. 


Read more in:

CBC: Rural southwestern Ontario hospitals struck by cyberattack

https://www.cbc.ca/news/canada/kitchener-waterloo/rural-hospitals-in-southwest-ontario-hit-by-ransomware-attack-1.5301947


****************************  SPONSORED LINKS  ******************************

 

1) In the Denver area? Register for this free Cloud Security Solutions Forum on October 18th: http://www.sans.org/info/214420


2) Survey | Tell us how your organization is making the most out of cyber threat intelligence. http://www.sans.org/info/214425


3) Webcast October 15: Hear how software supply chains are evolving with Reversing Labs. http://www.sans.org/info/214430



*****************************************************************************

REST OF THE WEEK'S NEWS   

 

--Experts Say DNS-over-HTTPS is Problematic

(September 30 & October 4 & 6, 2019)

Google's and Mozilla's plans to support DNS-over-HTTPS (DoH) in their browsers have met with objections from Internet service providers (ISPs) and others. While encrypting DNS queries sounds like a good idea, ISPs say that it would prevent them from monitoring traffic. Other critics have voiced concerns that traffic will be centralized- routed through a single entity's servers.


[Editor Comments]


[Neely] The better option is to wait for DNS over TLS, which encrypts the DNS traffic using existing resolvers and architecture. Fortunately, these browsers will fail back to the enterprise configuration for DNS when access to DoH servers is not available, so blocking port 853 may be prudent.


Read more in:

Ars Technica: Why big ISPs aren't happy about Google's plans for encrypted DNS

https://arstechnica.com/tech-policy/2019/09/isps-worry-a-new-chrome-feature-will-stop-them-from-spying-on-you/

Bleeping Computer: Dutch Govt Explains the Risks Behind DNS-Over-HTTPS Move

https://www.bleepingcomputer.com/news/security/dutch-govt-explains-the-risks-behind-dns-over-https-move/

ZDNet: DNS-over-HTTPS causes more problems than it solves, experts say

https://www.zdnet.com/article/dns-over-https-causes-more-problems-than-it-solves-experts-say/

 
 

--Check Point Report: Egyptian Government Tracking Journalists, Human Rights Activists

(October 3, 2019)

According to a report from Check Point, Egypt's government is using secretly installed software to track and spy on citizens, including journalists, human rights activists, and academics. The apps allow the government to track locations, read files and email, and view records of their communications. The server used in the attacks is registered to the Egyptian Ministry of Communications and Information Technology. The issue was initially investigated by Amnesty International.


[Editor Comments]


[Neely] These apps were delivered through the Google Play store, disguised as applications to increase user security or device functionality, such as Secure Mail, which also collected and forwarded user credentials utilizing OAuth phishing. The identified apps have been removed from Google Play and will be uninstalled by Play Protect on devices with that service enabled.


Read more in:

NYT: Egypt Is Using Apps to Track and Target Its Citizens, Report Says

https://www.nytimes.com/2019/10/03/world/middleeast/egypt-cyber-attack-phones.html

Check Point: The Eye on the Nile

https://research.checkpoint.com/the-eye-on-the-nile/

Amnesty: Phishing attacks using third-party applications against Egyptian civil society organizations

https://www.amnesty.org/en/latest/research/2019/03/phishing-attacks-using-third-party-applications-against-egyptian-civil-society-organizations/

Cyberscoop: An ongoing hacking campaign targets dissidents in Egypt, researchers say

https://www.cyberscoop.com/egypt-hacking-check-point-technologies/

 
 

--Reductor Malware Manipulates HTTPS Traffic

(October 3 & 4, 2019)

Malware known as Redactor installs its own digital certificate, then alters the browser's pseudo random number generator (PRNG) to manipulate the browser's process for establishing TLS handshakes for HTTPS connections. Reductor is likely being used by a Russian hacking group to conduct cyber espionage.


Read more in:

SC Magazine: New 'Reductor' malware compromises machines' encrypted TLS traffic

https://www.scmagazine.com/home/security-news/apts-cyberespionage/new-reductor-malware-compromises-machines-encrypted-tls-traffic/

Threatpost: New Reductor Malware Hijacks HTTPS Traffic

https://threatpost.com/new-reductor-malware-hijacks-https-traffic/148904/

ZDNet: Russian hacker group patches Chrome and Firefox to fingerprint TLS traffic

https://www.zdnet.com/article/russian-hacker-group-patches-chrome-and-firefox-to-fingerprint-tls-traffic/

 
 

--US Will Revive Program to Identify Vulnerabilities in Aircraft Systems

(September 29 & October 4, 2019)

The US Department of Homeland Security (DHS), the Pentagon, and the Department of Transportation plan to boost a program to find cybersecurity vulnerabilities in systems used on airplanes. DHS has not disclosed details about the program, but noted that there will be some testing done on actual planes. 


Read more in:

SC Magazine: Feds to boost scrutiny of airliner cybersecurity vulnerabilities

https://www.scmagazine.com/home/security-news/vulnerabilities/feds-to-boost-scrutiny-of-airliner-cybersecurity-vulnerabilities/

WSJ: U.S. Steps Up Scrutiny of Airplane Cybersecurity (paywall)

https://www.wsj.com/articles/u-s-government-steps-up-scrutiny-of-airplane-cybersecurity-11569764123

 
 

--Defense Dept. Improves Security for Servicemembers' Website

(October 3, 2019)

As part of a settlement reached with the Vietnam veterans of America, the Defense Department (DoD) will add security features to a website that is used to verify people's military service. The website is used primarily by financial institutions to verify eligibility of coverage under the Servicemembers Civil Relief Act. Previously, the site had no access controls in place; anyone could enter a name and birthdate or Social Security number (SSN) and view details of that individual's service record. Now, users are required to sign up for an account and provide their name and address. The settlement also required DoD to monitor the site for signs of suspicious activity.   


[Editor Comments]


[Neely] Additionally, mechanisms are being introduced to verify service without use of the SSN, which is required by the Federal Information Security Modernization Act (FISMA).


Read more in:

FNN: DoD agrees to lock down website storing personal info on vets, troops

https://federalnewsnetwork.com/defense-main/2019/10/dod-agrees-to-lock-down-website-storing-personal-info-on-vets-troops/

VVA: Settlement Agreement (PDF)

https://vva.org/wp-content/uploads/2019/10/SCRA-Settlement-Agreement.pdf

 
 

--US Will Help Baltic States Secure Energy Grid

(October 7, 2019)

The US has agreed to help Estonia, Latvia, and Lithuania protect their energy grids from cyberattacks while they disconnect from the Russian power grid. The Baltic states plan to connect their systems to the Western European grid by 2025.  


[Editor Comments]


[Murray] Perhaps we will learn enough to address the existential risk to our own grid. 


Read more in:

Baltic Times: US vows to help protect Baltics' energy infrastructure from cyber attacks

https://www.baltictimes.com/us_vows_to_help_protect_baltics__energy_infrastructure_from_cyber_attacks/

Cyberscoop: U.S. agrees to help Baltic states bolster grid cybersecurity

https://www.cyberscoop.com/us-baltic-states-grid-cybersecurity-agreement/

Euractiv: US to help secure Baltic energy grid against cyber-attacks

https://www.euractiv.com/section/energy/news/us-to-help-secure-baltic-energy-grid-against-cyber-attacks/


*****************************************************************************

INTERNET STORM CENTER TECH CORNER


visNetwork for Network Data

https://isc.sans.edu/forums/diary/visNetwork+for+Network+Data/25390/


Signal Eavesdropping Vulnerability

https://bugs.chromium.org/p/project-zero/issues/detail?id=1943


WhatsApp Bug

https://awakened1712.github.io/hacking/hacking-whatsapp-gif-rce/


Android Priv. Escalation Vulnerability Exploited in the Wild

https://bugs.chromium.org/p/project-zero/issues/detail?id=1942


Cloudflare Warp + NordVPN on iOS Leads to Traffic in the Clear

https://www.theregister.co.uk/2019/10/05/security_roundup_october_4/


MacOS Catalina and Safari Update Released

https://www.macrumors.com/2019/10/07/apple-releases-macos-catalina/

https://support.apple.com/en-us/HT201222 (nothing new yet)


Magecart Still Going Strong

https://www.theregister.co.uk/2019/10/04/magecart/

(original RiskIQ report requires Registration)



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create