SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #8

January 29, 2019

Japanese Government to Hack Home IOT Devices; Users Urged to Delete WordPress Plug-in with Multiple Vulnerabilities



****************************************************************************

SANS NewsBites                Jan. 29, 2018                Vol. 21, Num. 008

****************************************************************************


TOP OF THE NEWS

 

  Japanese Government to Hack Home IOT Devices

  Users Urged to Delete WordPress Plug-in with Multiple Vulnerabilities


REST OF THE WEEK'S NEWS


  Apple Plans to Release Fix for FaceTime Flaw Later This Week

  DOJ Unseals Huawei Indictments

  Tech Companies Need to Test Products for Abusability

  Chrome Will Block Unintended Downloads

  Attackers Targeting Unpatched Cisco Routers

  Microsoft Exchange Privilege Elevation Vulnerability

  Pear PHP Package Manager Compromised

  Georgia Elections Official Asks for Funding for New Voting Machines


INTERNET STORM CENTER TECH CORNER

 

*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS 2019 | Orlando, FL | April 1-8 | https://www.sans.org/event/sans-2019


-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019


-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019


-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019


-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019


-- SANS Baltimore Spring 2019 | March 2-9 | https://www.sans.org/event/baltimore-spring-2019


-- SANS London March 2019 | March 11-16 | https://www.sans.org/event/london-march-2019


-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019


-- ICS Security Summit & Training 2019 | Orlando, FL | March 18-25 | https://www.sans.org/event/ics-security-summit-2019


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get an iPad Mini, Samsung Galaxy Tab S2, or Take $300 Off with OnDemand or vLive. Offer Ends February 6.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap

 

***************************  Sponsored By Splunk ****************************


Organizations need an agile security solution that combines the power of an analytics-driven platform while unlocking the benefits of AI and ML. 40% of 200 global executives believe the answer to this challenge is hidden in machine data. Download the Harvard Business Review Analytic Services Pulse Survey, "IT Security: A New Analytics-Driven Model" and discover how AI and ML can help optimize security operations. http://www.sans.org/info/210030


*****************************************************************************

TOP OF THE NEWS


 --Japanese Government to Hack Home IOT Devices

(January 25 & 27, 2019)

A recently passed amendment to a Japanese law will allow the government in that country to access people's Internet of Things (IoT) devices to conduct a survey of unsecure IoT devices. The amendment allows employees of Japan's National Institute of Information and Communications Technology (NICT) to access people's devices using default passwords and password dictionaries and create a list of unsecure devices, which will be shared with authorities who can then alert consumers. The project is part of an effort to bolster cybersecurity prior to the 2020 Summer Olympic Games in Tokyo.


[Editor Comments]


[Pescatore] The way this is described makes it sound like the Japanese government is assuming that a major problem is users not configuring things correctly, vs. the things being built and sold without considering a due diligence level of security. This is kind of like testing the sandwich I bought at a fast food place and telling *me* it has E. coli vs. fining the restaurant that never put the mayonnaise in the refrigerator.


[Ullrich] This survey goes a step beyond what search engines like Shodan will do. The scan will actually try to log in to the devices. Currently, a device connected to the Internet will constantly be scanned for services like Telnet and SSH, and common username/passwords will be attempted. It is highly unlikely that this government-authorized scan will cause any damage that these unauthorized scans haven't already caused. Owners of vulnerable devices will be notified and asked to improve their security. I find this an interesting experiment and hope it will help remove some of the problem devices.


Read more in:

ZDNet: Japanese government plans to hack into citizens' IoT devices

https://www.zdnet.com/article/japanese-government-plans-to-hack-into-citizens-iot-devices/

NHK: Govt. to access home devices in security survey

https://www3.nhk.or.jp/nhkworld/en/news/20190125_44/

 
 

--Users Urged to Delete WordPress Plug-in with Multiple Vulnerabilities

(January 25 & 28, 2019)

Hackers are exploiting several critical vulnerabilities in what appears to be an abandoned WordPress plug-in. The flaws can be exploited to gain administrative rights on affected websites. The Total Donations plug-in allows non-profit organizations to accept donations. Attempts to reach the plug-in's developers have been unsuccessful and suggest that the project has been abandoned. Researchers at Wordfence, who uncovered the issues, are urging users to delete the Total Donations plug-in.


[Editor Comments]


[Paller] Content management systems like WordPress, and their plug-ins, have been the most commonly attacked software on servers for at least two years. Their convenience lulls millions of unsuspecting organizations to rely on them. Is it time for them to be liable for the losses they are enabling? That wouldn't need litigation; just smartly written contracts.


[Neely] In addition to site takeover, exploiting the plugin also allows changes to a site's recurring donations, abuse of mailing lists associated with donors, and access to the Stripe payment system API. Additionally, the plugin no longer operates properly on certain browsers and has compatibility issues with PHP 7.1. Fortunately there are other equivalent donation plugins: disable, migrate and delete immediately.


Read more in:

Wordfence: WordPress Sites Compromised via Zero-Day Vulnerabilities in Total Donations Plugin

https://www.wordfence.com/blog/2019/01/wordpress-sites-compromised-via-zero-day-vulnerabilities-in-total-donations-plugin/

Threatpost: WordPress Users Urged to Delete Zero-Day-Ridden Plugin

https://threatpost.com/wordpress-users-urged-to-delete-zero-day-ridden-plugin/141209/


****************************  SPONSORED LINKS  ******************************


1)  Attention Decision Makers of Every level: Gain a foothold on the first opportunity to narrow the vendor field. http://www.sans.org/info/210035


2) The 14th Annual ICS Security Summit: Orlando, Florida - Mar 18-19. http://www.sans.org/info/210040


3) Don't Miss "Modern AppSec Tools for Modern AppSec Problems: A Practical Introduction to the Next-Gen WAF"  Register:  http://www.sans.org/info/210050


*****************************************************************************

REST OF THE WEEK'S NEWS

 

--Apple Plans to Release Fix for FaceTime Flaw Later This Week

(January 28 & 29, 2019)

Apple says it plans to make a fix available for a bug in FaceTime that allows a caller to eavesdrop on the person being called before they accept the call. In some cases, an iPhone could also allow the caller to view the call's intended recipient. Apple has temporarily disabled FaceTime's group call feature in iOS and macOS.


[Editor Comments]


[Ullrich] Until a fix is released, you may want to disable FaceTime. Note that this will affect not just iPhones, but also iPads and Macs supporting FaceTime. You should still see the incoming call ring.


[Neely] Securing the group calling features in FaceTime, released in iOS 12.1, has been challenging for Apple. This is expected to be a server-side fix rather than another device update. As group calling is disabled on the server side, this can't be exploited until the fix is released. If you've disabled FaceTime on devices, test before re-enabling FaceTime on devices.

 

[Honan] Apple has disabled the Group FaceTime function to mitigate this issue until a more permanent software fix is found. Credit to Apple for their Incident Response team having the authority to disable a key function in their production environment to mitigate the potential harm to its customers. Remember to ensure your IR processes have escalation paths to the right people to authorise a similar action for your business should it be subject to a major breach or vulnerability.


Read more in:

SC Magazine: FaceTime bug lets callers eavesdrop on recipients

https://www.scmagazine.com/home/security-news/facetime-bug-lets-callers-eavesdrop-on-recipients/

BBC: Apple rushes to fix FaceTime 'eavesdropping' bug

https://www.bbc.com/news/technology-47037846

The Verge: Apple disables Group FaceTime following major security flaw

https://www.theverge.com/2019/1/29/18201667/apple-group-facetime-disabled-server-side-major-security-flaw-fix

 
 

--DOJ Unseals Huawei Indictments

(January 28, 2019)

The US Department of Justice (DOJ) has unsealed two indictments against Huawei. The first is a 13-count indictment against Huawei and the company's chief financial officer (CFO), alleging bank fraud and conspiracy to commit bank fraud, wire fraud and conspiracy to commit wire fraud, violations of the International Emergency Economic Powers Act (IEEPA) and conspiracy to violate IEEPA, and conspiracy to commit money laundering for allegedly violating trade sanctions against Iran and other actions. The second is a 10-count indictment against Huawei alleging theft of trade secrets conspiracy, attempted theft of trade secrets, seven counts of wire fraud, and one count of obstruction of justice for allegedly conspiring to steal trade secrets from T-Mobile.


Read more in:

DOJ: Acting Attorney General Matthew Whitaker Announces National Security Related Criminal Charges Against Chinese Telecommunications Conglomerate Huawei

https://www.justice.gov/opa/speech/acting-attorney-general-matthew-whitaker-announces-national-security-related-criminal

DOJ: Chinese Telecommunications Conglomerate Huawei and Huawei CFO Wanzhou Meng Charged With Financial Fraud

https://www.justice.gov/opa/pr/chinese-telecommunications-conglomerate-huawei-and-huawei-cfo-wanzhou-meng-charged-financial

DOJ: Chinese Telecommunications Device Manufacturer and its U.S. Affiliate Indicted for Theft of Trade Secrets, Wire Fraud, and Obstruction Of Justice

https://www.justice.gov/opa/pr/chinese-telecommunications-device-manufacturer-and-its-us-affiliate-indicted-theft-trade

ZDNet: United States unseals charges against Huawei and its CFO

https://www.zdnet.com/article/united-states-unseals-charges-against-huawei-and-its-cfo/

Washington Post: Justice Dept. charges Huawei with fraud, ratcheting up U.S.-China tensions

https://www.washingtonpost.com/world/national-security/justice-dept-charges-huawei-with-fraud-ratcheting-up-us-china-tensions/2019/01/28/70a7f550-2320-11e9-81fd-b7b05d5bed90_story.html

NYT: Huawei and Top Executive Face Criminal Charges in the U.S.

https://www.nytimes.com/2019/01/28/us/politics/meng-wanzhou-huawei-iran.html

 
 

--Tech Companies Need to Test Products for Abusability

(January 28, 2019)

Ashkan Soltani, former chief technologist at the US Federal Trade Commission (FTC), was scheduled to give a talk on Monday, January 28 at the USENIX Enigma conference about the need for tech companies to take the abusability of their products as seriously as they now take security. Abusability means the potential for exploiting a technology to cause damage to people or the planet. While some large companies have counter-abuse teams, they are largely reactive. Soltani would like the approach to become proactive. Soltani suggests tech firms consult those who make it their job to foresee the unintended consequence of technology: academics, futurists, and even science fiction authors.


[Editor Comments]


[Pescatore] First, I'd rather see the focus be on safety, both short term and long term, vs. creating new terms. Second, the track record of academics, futurists and even science fiction writers in the aggregate (as measured by % false positives + % false negatives) is not stellar, or we would all be flying around with jetpacks and using Segways instead of driving.


[Henry] This is a very interesting concept raised by Soltani, and I see the opportunity for engineers and manufacturers to take this perspective during the research and design phase of the product cycle. I can see too where this could become overly burdensome if carried too far. What is the abusability of a truck used by a madman to drive through a crowded pedestrian walk? What is the abusability of a steak knife when a jilted partner stabs a spouse? While assessing abusability seems to have some value during development, presenting some opportunity to build in controls, there will always be a balance between security and functionality and we'll never protect against every abuse (meaning assessing abusability should not unnecessarily curtail innovation).

 

[Murray] Companies need to test, full stop. Quality should be part of the requirements statement and test data should be part of the specification. The code must be written in such a way, simple, structured, and documented, as to facilitate effective testing.


Read more in:

Wired: Security Isn't Enough. Silicon Valley Needs 'Abusability' Testing

https://www.wired.com/story/abusability-testing-ashkan-soltani/

 
 

--Chrome Will Block Unintended Downloads

(January 24, 26, & 28, 2019)

When version 73 of Google's Chrome browser is released this spring, it will include a feature to help prevent drive-by downloads. Until the feature is added to Chrome, users can prevent JavaScript and embedded active content from running. Firefox and Internet Explorer have already added functionality to prevent unwanted downloads.


[Editor Comments]


[Pescatore] Microsoft and Mozilla have done this for a few years in their browsers. Good to see Google add this level of safety. I think the browser industry has been really slow to put safety ahead of (or even equal to) advertising support in their priority lists, which is kind of like the hair dryer industry building shampoo dispensers into blow dryers instead of ground fault interruption breakers.


Read more in:

ZDNet: Google Chrome to add drive-by-download protection

https://www.zdnet.com/article/google-chrome-to-add-drive-by-download-protection/

Softpedia: Future Google Chrome Security Update Will Block Drive-By-Downloads

https://news.softpedia.com/news/future-google-chrome-security-update-will-block-drive-by-downloads-524708.shtml

Bleeping Computer: Google Chrome Adding Malicious Drive-By-Downloads Protection

https://www.bleepingcomputer.com/news/security/google-chrome-adding-malicious-drive-by-downloads-protection/

 
 

--Attackers Targeting Unpatched Cisco Routers

(January 27 & 28, 2019)

Last week Cisco released fixes to address two vulnerabilities in its Small Business RV320 and RV325 Dual Gigabit WAN VPN routers. The command injection and information disclosure flaws affect the routers' web management interface. Just days later, active scanning for unpatched devices has been detected.


[Editor Comments]


[Neely] These are small business and home office class rather than enterprise devices. While the fix is to patch the devices, updating the firmware requires connecting a USB device with new firmware rather than an automated download/install process, which makes the process more resource intensive. Owners need to consider that the exploit has been published and the devices are discoverable on Shodan when considering the risks of not patching.


Read more in:

Threatpost: Active Scans Target Vulnerable Cisco Routers for Remote Code-Execution

https://threatpost.com/scans-cisco-routers-code-execution/141218/

Bleeping Computer: Hackers Targeting Cisco RV320/RV325 Routers Using New Exploits

https://www.bleepingcomputer.com/news/security/hackers-targeting-cisco-rv320-rv325-routers-using-new-exploits/

Cisco: Cisco Small Business RV320 and RV325 Routers Command Injection Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject

Cisco: Cisco Small Business RV320 and RV325 Routers Information Disclosure Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info

 
 

--Microsoft Exchange Privilege Elevation Vulnerability

(January 25, 2019)

A privilege elevation flaw in Microsoft Exchange could be exploited to allow any user with a mailbox to gain Domain Admin privileges. The flaw is the result of three issues: high default Exchange permissions; NTLM vulnerability to relay attacks; and automatic authentication in Exchange. Microsoft has thus far not commented specifically on the vulnerability.


[Editor Comments]


[Ullrich] This is a classic case of how different vulnerabilities and misconfigurations, that by themselves do not look all that terribly bad, can be combined to cause significant damage. Do not get fooled into thinking that you are secure because the exploit requires credentials. Any set of credentials from any of your Exchange users (not just admins) will work. This issue could easily be used by an attacker who already has some access to your network to elevate privileges. See also the related writeup in the ISC Storm Center Tech Corner section below: Relaying Exchange's NTLM authentication to domain admin (and more).


[Neely] This can be mitigated by a registry change on your Exchange servers. Per the Microsoft advisory of November 13, 2018 for CVE-2018-8581, remove the DisableLoopbackChecks value in the HKLM\SYSTEM\CurrentControlSet\Control\Lsa registry key.


[Honan] While the media attention is focused mostly on the FaceTime bug, this bug will have bigger impacts on businesses. The ISC Storm Center blog has some suggested mitigations (see below).


Read more in:

The Register: You're an admin! You're an admin! You're all admins, thanks to this Microsoft Exchange zero-day and exploit

https://www.theregister.co.uk/2019/01/25/microsoft_exchange_domain_admin_eop/

SystemTek: Microsoft Exchange Domain Escalation Vulnerability

https://www.systemtek.co.uk/2019/01/microsoft-exchange-domain-escalation-vulnerability/

 
 

--Pear PHP Package Manager Compromised

(January 23, 2019)

The PEAR (PHP Extension and Application Repository) webserver is down because the main package manager was replaced with a malicious version. Most of the PEAR website has been disabled until a clean site is rebuilt. Users who installed PEAR PHP within the past six months could have the infected file.


[Editor Comments]


[Neely] The malicious package manager attempts to spawn a reverse shell to 104.131.154.154. An updated version of PEAR v1.10.10 was released to address the issue while the investigation completes. Consider using Composer/Pickle as an alternative package manager.


[Williams] This is yet another example of a serious supply chain attack targeting the distribution and installation chain. This has the potential to impact very large numbers of users and will be very difficult to detect. I posted some thoughts on this supply chain compromise at https://blog.renditioninfosec.com/2019/01/php-pear-backdoor-discovered-2/


Read more in:

Ars Technica: If you installed PEAR PHP in the last 6 months, you may be infected

https://arstechnica.com/information-technology/2019/01/pear-php-site-breach-lets-hackers-slip-malware-into-official-download/

PearPHP: PEAR server is down

http://blog.pear.php.net/
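Two defensive checks that follow from the item above, as an added example that is neither PEAR project code nor part of the newsletter: pin and verify the hash of a downloaded installer before running it, and hunt outbound-connection logs for the reverse-shell address Neely cites. The only real value in the block is 104.131.154.154, taken from the item; the installer bytes, the pinned hash, the log format and every other IP, port and host are constructed for the demonstration.

```python
"""Two defensive checks for a compromised package-manager download.

Added example, not PEAR project code and not from the newsletter. It assumes:
  * a known-good SHA-256 for the installer, obtained out of band (a vendor
    signature or a hash recorded before the compromise window);
  * outbound-connection logs in a simple constructed text format.
The only real value below is the reverse-shell address from the news item,
104.131.154.154; every other IP, port and log line is constructed.
"""
import hashlib
import hmac
import ipaddress
import re
from typing import Dict, Iterable, List

# Indicator from the newsletter: the trojanized package manager tried to
# open a reverse shell to this host.
KNOWN_C2 = ipaddress.ip_address("104.131.154.154")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_sha256: str) -> bool:
    """True only if the downloaded bytes match the pinned hash.

    compare_digest is a constant-time comparison; plain == would do for a
    public hash, but the habit matters when the helper is reused for MACs.
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256.lower())


# Constructed log format: "<ts> <src>:<sport> -> <dst>:<dport> <proto> <action>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+) (?P<action>\w+)$"
)


def find_c2_connections(lines: Iterable[str], c2=KNOWN_C2) -> List[Dict]:
    """Return every parsable connection whose destination is the C2 address.

    Denied connections are reported too: a blocked attempt still tells you
    which host ran the backdoored installer.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # lines that do not fit the constructed format are skipped
        if ipaddress.ip_address(m["dst"]) == c2:
            hits.append({"ts": m["ts"], "src": m["src"],
                         "dport": int(m["dport"]), "action": m["action"]})
    return hits


def triage(installer: bytes, pinned_sha256: str, log_lines: Iterable[str]) -> Dict:
    """Combine both checks into one verdict for an incident ticket."""
    hits = find_c2_connections(log_lines)
    return {
        "integrity_ok": verify_artifact(installer, pinned_sha256),
        "c2_hits": len(hits),
        "suspect_hosts": sorted({h["src"] for h in hits}),
    }


# --- constructed sample data ---------------------------------------------
SAMPLE_INSTALLER = b"constructed stand-in for a package-manager download\n"
TAMPERED_INSTALLER = SAMPLE_INSTALLER + b"# appended backdoor stub (constructed)\n"
# In practice this hash comes from the vendor, never from the same server.
PINNED_SHA256 = sha256_hex(SAMPLE_INSTALLER)

SAMPLE_LOG = [
    "2019-01-19T10:02:11Z 10.0.0.12:51234 -> 104.131.154.154:443 tcp allow",
    "2019-01-19T10:02:12Z 10.0.0.12:51235 -> 192.0.2.10:443 tcp allow",
    "2019-01-19T10:05:40Z 10.0.0.7:40001 -> 104.131.154.154:443 tcp deny",
    "this line is deliberately malformed",
]

if __name__ == "__main__":
    print(triage(SAMPLE_INSTALLER, PINNED_SHA256, SAMPLE_LOG))
    print(triage(TAMPERED_INSTALLER, PINNED_SHA256, SAMPLE_LOG))
```

The pinned hash must come from a channel independent of the compromised server; hashing the file you fetched from that server proves nothing. Reporting denied connections alongside allowed ones matters because the item's six-month exposure window means the hosts that tried and failed to reach the address still ran the backdoored installer and need the same cleanup.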

 
 

--Georgia Elections Official Asks for Funding for New Voting Machines

(January 23, 2019)

Georgia Secretary of State Brad Raffensperger is seeking US $150 million to replace the state's outdated electronic voting machines. The devices currently in use do not provide a paper trail. Raffensperger said that he believes the best option is a system that uses touchscreens and prints a marked ballot. Experts and voting rights advocates have said that hand-marked paper ballots that are scanned provide better security. The hand-marked ballot system is also one-third the price of the ballot printing system. Raffensperger hopes to have new machines operational across the state in time for the 2020 elections.


Read more in:

NYT: Georgia Official Seeks to Replace Criticized Voting Machines

https://www.nytimes.com/aponline/2019/01/23/us/ap-us-voting-machines-georgia.html

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Relaying Exchange's NTLM Authentication to Become Domain Admin

https://isc.sans.edu/forums/diary/Relaying+Exchanges+NTLM+authentication+to+domain+admin+and+more/24578/


FaceTime Bug Allows Users to Receive Audio Before Call is Accepted

https://9to5mac.com/2019/01/28/facetime-bug-hear-audio/


Cisco RV320/325 Router Vulnerability Exploited

https://github.com/0x27/CiscoRV320Dump

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-inject

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190123-rv-info


Packet Challenge

https://johannes.homepc.org/packet9.txt


HTTP Signed Exchanges

https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html


BGP Experiments Disrupt Routers

https://mailman.nanog.org/pipermail/nanog/2019-January/098761.html


AZORult Fake (signed) Google Update

https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update


******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create