
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #84

October 25, 2019

Cyberinsurance Payout Disclosed; AWS DDoS Attack; Map of Reported US Public Sector Ransomware Attacks



****************************************************************************

SANS NewsBites                Oct. 25, 2019                Vol. 21, Num. 084

****************************************************************************


TOP OF THE NEWS

 

  Norsk Hydro Discloses Cyberinsurance Payout in Quarterly Results

  AWS DDoS Attack

  Map of Reported US Public Sector Ransomware Attacks



REST OF THE WEEK'S NEWS


  12-Year Sentence for Hacking Court System, Sending Phishing eMail

  UK Fraud Database Problem Quarantined Reports

  Symantec Endpoint Protection 14 Causing Problems in Chrome 78

  Samsung Rolling Out Fix for Galaxy S10 and Note 10 Fingerprint Flaw

  Banks Remove Apps for Samsung Galaxy S10 from Google Play Store

  Man Admits Installing Keystroke Loggers on Companies' Computers

  BEC Suspects Arrested in Spain

  FTC Settles with Retina-X Over Tracking Apps


INTERNET STORM CENTER TECH CORNER


*****************************************************************************

CYBERSECURITY TRAINING UPDATE


-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- DFIRCON 2019 | Miami, FL | November 4-9 | https://www.sans.org/event/dfircon-miami-2019


-- Cloud & DevOps Security Summit 2019 | Denver, CO | November 4-11 | https://www.sans.org/event/cloud-devops-security-summit-2019


-- SANS Sydney 2019 | November 4-23 | https://www.sans.org/event/sydney-2019


-- SANS London November 2019 | November 11-16 | https://www.sans.org/event/london-november-2019


-- SANS Atlanta Fall 2019 | November 18-23 | https://www.sans.org/event/atlanta-fall-2019


-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019


-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020


-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


-- SANS OnDemand and vLive Training

Get an iPad Mini, an ASUS Chromebook Flip, or Take $250 Off through October 30 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


**************************  Sponsored By SANS  ******************************


Want more women in cybersecurity?  Don't just talk about it, do it! Scholarships for Women Studying Information Security (SWSIS) funds women undergrads & Masters students across the US. Individual & corporate tax-deductible donations to 501(c)(3) welcome. Applications for 2020-21 academic year Dec 15-Feb 01. Learn about current & past scholars, apply, and donate at http://www.sans.org/info/214575 or donors@swsis.org.


*****************************************************************************

TOP OF THE NEWS   

 

--Norsk Hydro Discloses Cyberinsurance Payout in Quarterly Results

(October 24, 2019)

Norsk Hydro, the Oslo-based, multinational aluminum and renewable energy company that was hit with a cyberattack in March of this year, has disclosed the amount its cyberinsurance policy paid in the company's quarterly report. The report estimated the "financial impact" of the attack to be NOK550-650 million ($60-71 million). The payout from the insurance policy was NOK33 million ($3.6 million). It is possible that additional insurance payments are forthcoming.


[Editor Comments]


[Paller] This insurance payout of less than 10% of financial losses is another piece of strong evidence that Baltimore and others seeking to buy cyber insurance may be wasting their money. We received two notes in the last month from advocates of cyber insurance claiming the policies are worth the investment. We asked for evidence and got one promise to provide it. But after that: silence.


Read more in:

Insurance Business: Nork Hydro gives details on initial cyber insurance payout

https://www.insurancebusinessmag.com/us/news/cyber/nork-hydro-gives-details-on-initial-cyber-insurance-payout-189462.aspx

Hydro: Third quarter 2019: Ramping up production in Brazil, declining market prices

https://www.hydro.com/en-US/media/news/2019/third-quarter-2019-ramping-up-production-in-brazil-declining-market-prices/



--AWS DDoS Attack

(October 23 & 24, 2019)

Amazon Web Services (AWS) was hit with a distributed denial-of-service (DDoS) attack on Wednesday, October 23. The outages lasted eight hours. Google also suffered outages on Wednesday, but said that they were not caused by a DDoS.


[Editor Comments]


[Pescatore] An 8-hour outage is just over 1% of the hours in a month. Typical AWS service level agreements would provide a 25% service credit for that outage - the outage would have to be over 36 hours to get the full month refunded. So, not a lot of financial impact reduction there. More importantly: how many of your service providers were also impacted by that outage? This aggregate risk is often overlooked and is a big deal with the high market shares of AWS and Azure IaaS services being used by SaaS providers.


Read more in:

Infosecurity Magazine: AWS Left Reeling After Eight-Hour DDoS

https://www.infosecurity-magazine.com/news/aws-customers-hit-by-eighthour-ddos/

Tech Radar: AWS hit by major DDoS attack

https://www.techradar.com/news/aws-hit-by-major-ddos-attack

 

--Map of Reported US Public Sector Ransomware Attacks

(October 22, 2019)

Statescoop's interactive map includes information about 245 public sector ransomware attacks that have been reported in the US since November 2013. The data include the targeted organization, the date of the attack, and the type of ransomware and amount paid if known.


Read more in:

Statescoop: Ransomware Attacks Map chronicles a growing threat

https://statescoop.com/ransomware-attacks-map-state-local-government/

Statescoop: Ransomware Attacks Map

https://statescoop.com/ransomware-map/


****************************  SPONSORED LINKS  ******************************


1) Survey | Understanding Workforce Transformation and Risks. Take this survey and enter to win a $400 Amazon gift card. http://www.sans.org/info/214580


2) Webcast October 29th at 10:30AM ET: Real World Challenges for PCI Compliant Containers. Register: http://www.sans.org/info/214585


3) ICYMI Webcast: How to Inject Security Into Your Software Development Life Cycle. View webcast: http://www.sans.org/info/214590


*****************************************************************************

REST OF THE WEEK'S NEWS    

 

--12-Year Sentence for Hacking Court System, Sending Phishing eMail

(October 22, 23, & 24, 2019)

A Texas man has been sentenced to 145 months in prison for breaking into the Los Angeles (California) Superior Court computer system and sending phishing emails using the court's servers. Oriyomi Sadiq Aloba is believed to have sent more than 2 million messages in an attempt to trick people into disclosing payment card account information.


[Editor Comments]


[Neely] Having multi-factor authentication on externally accessible services can mitigate the effectiveness of stolen reusable credentials. Modern authentication services can be adjusted to incorporate not only user credentials but also device certificates, AD domain membership and device location as transparent security features.


Read more in:

Bleeping Computer: U.S. Superior Court Systems Hacked to Spread Phishing Emails

https://www.bleepingcomputer.com/news/security/us-superior-court-systems-hacked-to-spread-phishing-emails/

GovInfosecurity: 12-Year Prison Term for Hacking LA Court System

https://www.govinfosecurity.com/12-year-prison-term-for-hacking-la-court-system-a-13285

Tripwire: 12 year jail sentence for man who hacked Los Angeles Superior Court to send two million phishing emails

https://www.tripwire.com/state-of-security/security-data-protection/12-year-jail-sentence-hacked-los-angeles-superior-court-two-million-phishing-emails/

Justice: Texas Man Convicted of Multiple Federal Criminal Charges for Orchestrating Phishing Attack on Los Angeles County Superior Court (July 2019)

https://www.justice.gov/usao-cdca/pr/texas-man-convicted-multiple-federal-criminal-charges-orchestrating-phishing-attack-los

 
 

--UK Fraud Database Problem Quarantined Reports

(October 23 & 24, 2019)

A glitch in a system update to the Know Fraud database, which holds reports of suspected fraud in the UK, caused it to quarantine thousands of reports rather than processing them and assigning them to investigators. Some of the cases date back to last October. Reports made to Action Fraud are passed on to the National Fraud Intelligence Bureau, where they are entered in the Know Fraud database. In April of this year, the number of incorrectly quarantined reports was 9,000; by July, the number had been reduced to 6,500.


[Editor Comments]


[Neely] While it's commendable that the reports were quarantined rather than deleted, it's important to have a process to review quarantined items as well as web application security protections on a regular basis to ensure important relevant information is not missed.


Read more in:

The Register: Antivirus hid more than 9,000 'cybercrime' reports from UK cops, says watchdog

https://www.theregister.co.uk/2019/10/24/hmicfrs_report_cyber_crime/

Infosecurity Magazine: Action Fraud Snafu Leaves 9000 Cases Quarantined

https://www.infosecurity-magazine.com/news/action-fraud-snafu-leaves-9000/

The Guardian: Police database flagged 9,000 cybercrime reports as 'security risk'

https://www.theguardian.com/uk-news/2019/oct/24/police-database-flagged-9000-cybercrime-reports-as-security-risk

 
 

--Symantec Endpoint Protection 14 Causing Problems in Chrome 78

(October 24, 2019)

A Symantec antivirus product is causing problems with Google's Chrome 78 browser, which was released on Tuesday, October 22. Users running Chrome 78 along with Symantec Endpoint Protection 14 (SEP 14) are finding that the browser will not load any pages. According to a Symantec support document, the issue affects SEP 14 users running on Windows 10 RS1, Windows Server 2012, and Windows Server 2016.


[Editor Comments]


[Neely] The behavior is triggered by the use of Microsoft's Code Integrity feature which is not supported by SEP 14. The issue will also occur with 78.0.x of Microsoft Edge Chromium when released. The preferred fix is to update to SEP 14.2; alternate options include adding an application control exception in SEP for Chrome.exe and MSEdge.exe or disabling the code integrity feature via command line or registry key.


Read more in:

ZDNet: Symantec antivirus crashes something again. This time Chrome 78 browsers

https://www.zdnet.com/article/symantec-antivirus-crashes-something-again-this-time-chrome-78-browsers/

Support.Symantec: Google Chrome/Microsoft Edge Chromium version 78.0.x error "Aw, Snap! Something went wrong while displaying this webpage." when using Endpoint Protection

https://support.symantec.com/us/en/article.tech256047.html

 
 

--Samsung Rolling Out Fix for Galaxy S10 and Note 10 Fingerprint Flaw

(October 23 & 24, 2019)

Samsung is rolling out a fix for a flaw that allows the ultrasonic fingerprint recognition feature to be bypassed on the Galaxy S10 and the Note10 phones when a third-party screen protector is used on the devices. Users should look for an update notification called "Biometric Update."


[Editor Comments]


[Neely] Although the update from Samsung is expected immediately, mobile operator review processes may delay availability of the fix to be installed. As the problem exists where fingerprints were registered while using a screen protector, an immediate fix is to either disable fingerprint recognition or delete and re-register those fingerprints without a screen protector.


Read more in:

Threatpost: Samsung Rolls Out Fix For Galaxy S10 Fingerprint Sensor Glitch

https://threatpost.com/samsung-fix-galaxy-s10-fingerprint-sensor/149510/

Engadget: Samsung's fix for Galaxy S10 fingerprint scanning will roll out soon

https://www.engadget.com/2019/10/23/samsung-galaxy-s10-fingerprint-reader-fix-in-hours/

Android Police: Samsung will begin patching fingerprint scanner security flaw within 24 hours

https://www.androidpolice.com/2019/10/23/samsung-will-begin-patching-fingerprint-scanner-security-flaw-within-24-hours/

 
 

--Banks Remove Apps for Samsung Galaxy S10 from Google Play Store

(October 22 & 24, 2019)

Several banks have removed their apps for the affected Samsung devices from the Google Play store. At least one bank is urging customers who have already downloaded the mobile app to disable biometrics on their devices. Other banks have updated their apps to remove support for fingerprint recognition.


[Editor Comments]


[Neely] Expect some delay for verification between the release of the Samsung fix and updates to the banking applications to re-enable support for the devices and/or fingerprints.


Read more in:

BBC: RBS pulls Samsung Galaxy S10 app over security flaw

https://www.bbc.com/news/technology-50169457

Softpedia: Banks Remove Mobile Apps for Samsung Galaxy S10 Due to Major Security Flaw

https://news.softpedia.com/news/banks-remove-mobile-apps-for-samsung-galaxy-s10-due-to-major-security-flaw-527929.shtml

 
 

--Man Admits Installing Keystroke Loggers on Companies' Computers

(October 24, 2019)

A New Jersey man has admitted that he placed hardware keystroke loggers on computers that belong to two companies that were developing an "emerging technology." Ankur Agarwal placed the devices on computers at one of the targeted companies in February 2017 and was able to access the company's network until April 2018, when a security team detected his presence. Agarwal conducted a similar attack against a different company several years earlier. On Tuesday, October 22, 2019, Agarwal pleaded guilty to charges of obtaining information from computers and aggravated identity theft.


[Editor Comments]


[Neely] The challenge here was detection. Knowing what is on your network and detecting unauthorized devices is CSC number 1. While keystroke loggers are harder to detect, USB controls can help because these devices don't fingerprint the same as a recognized keyboard, even when connected through a USB hub.


Read more in:

Bleeping Computer: Hacker Plants Keylogger Devices on Company Systems Faces 12yr in Jail

https://www.bleepingcomputer.com/news/security/hacker-plants-keylogger-devices-on-company-systems-faces-12yr-in-jail/

Justice: Morris County Man Admits Hacking Scheme That Targeted Two New Jersey Companies

https://www.justice.gov/usao-nj/pr/morris-county-man-admits-hacking-scheme-targeted-two-new-jersey-companies

 
 

--BEC Suspects Arrested in Spain

(October 22, 23, & 24, 2019)

Authorities in Spain have arrested three people in connection with a business email compromise (BEC) scheme. The group allegedly stole a total of €10.7 million ($11,900,000) from a dozen companies in different countries.


Read more in:

Bleeping Computer: Scammers Behind €10 Million BEC Fraud Arrested in Spain

https://www.bleepingcomputer.com/news/security/scammers-behind-10-million-bec-fraud-arrested-in-spain/

ZDNet: Prolific business email scam takedown leads to arrests in Spain

https://www.zdnet.com/article/prolific-ceo-business-email-scam-leads-to-arrests-in-spain/

Bank Infosecurity: Three Charged in $11 Million BEC Scam

https://www.bankinfosecurity.com/three-charged-in-11-million-bec-scam-a-13290

 
 

--FTC Settles with Retina-X Over Tracking Apps

(October 22 & 23, 2019)

The US Federal Trade Commission (FTC) has reached a settlement with Retina-X Studio over its surveillance apps. An FTC attorney says that Retina-X did not ensure that the apps were used for legitimate purposes. While the company markets the tracking apps as being for parents who want to keep track of their children or for employers to track company-owned devices, they were actually available to anyone who wanted to use them. The apps have a variety of features, including GPS tracking, phone call recording, and access to text messages and browsing history. According to the settlement, Retina-X will make sure that the apps are used for legitimate purposes and will destroy all data that was collected by the apps. The company is also required to establish an information security program. The people being tracked need to give consent, with the exception of a minor child being monitored by their parent.


[Editor Comments]


[Neely] Characteristics of illegitimate tracking applications include installation outside the app store, rooting the device and hiding the icon. Disablement of third-party app stores and side-loading are key first steps; concerned users can run root checking apps to see if they have a problem. Recovery options, upon detection, include installing an OS update using factory recovery tools; performing a factory wipe, restoring only known good applications and data; or simply replacing the device.


Read more in:

ZDNet: FTC takes a stand against stalker apps through Retina-X court settlement

https://www.zdnet.com/article/ftc-takes-a-stand-against-stalkerware-apps-through-retina-x-court-settlement/

Duo: FTC to Developers: Get Consent

https://duo.com/decipher/ftc-to-developers-get-consent

FTC: Agreement Containing Consent Order

https://www.ftc.gov/system/files/documents/cases/172_3118_-_retina-x_studios_agreement_containing_consent_order.pdf

 

*****************************************************************************

INTERNET STORM CENTER TECH CORNER


Testing TLS 1.3 And Supported Ciphers

https://isc.sans.edu/forums/diary/Testing+TLSv13+and+supported+ciphers/25442/


Leftover Gigamon Configurations

https://isc.sans.edu/forums/diary/Your+Supply+Chain+Doesnt+End+At+Receiving+How+Do+You+Decommission+Network+Equipment/25448/


Google Chrome 78 Released

https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_22.html


Firefox 70 Released

https://www.mozilla.org/en-US/firefox/70.0/releasenotes/


Cache Poisoning DoS

https://cpdos.org/


FTC Issues SIM Swapping Guidance

https://www.consumer.ftc.gov/blog/2019/10/sim-swap-scams-how-protect-yourself


Google Chrome Will Make "SameSite" Default

https://blog.chromium.org/2019/10/developers-get-ready-for-new.html


Discord Used as Info Stealer Backdoor

https://www.bleepingcomputer.com/news/security/discord-turned-into-an-info-stealing-backdoor-by-new-malware/


Cisco Exploit Code

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190828-iosxe-rest-auth-bypass


Tails 4.0 Released

https://tails.boum.org/news/version_4.0/index.en.html


XML External Entity Vuln in LSP4XML Affects Various Developer Tools

https://www.shielder.it/blog/dont-open-that-xml-xxe-to-rce-in-xml-plugins-for-vs-code-eclipse-theia/



******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create