Ending Soon! Get an iPad Air with Smart Keyboard, Surface Go, or $300 Off thru Dec 11 with OnDemand or vLive Training!

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #90

November 15, 2019

County Uses New Paper-Based Voting Machines; Ransomware Outcomes




****************************************************************************

SANS NewsBites                Nov. 15, 2019                Vol. 21, Num. 090

****************************************************************************


TOP OF THE NEWS


  Choctaw County, Mississippi Uses New Paper-Based Voting Machines

  Indiana School District Recovering from Ransomware

  Pemex Will Not Pay Ransomware Demand




REST OF THE WEEK'S NEWS


  Brennan Center Report: A Framework for Election Vendor Oversight

  Patch Tuesday: Microsoft, Adobe, and Intel

  US-CERT Warning on Medtronic Surgery Equipment Security

  Royal Canadian Mounted Police Charge Man in Connection with Remote Access Trojan

  Alleged Online Criminal Marketplace Operator Extradited to US

  InfoTrax Settles with FTC Over Security Failures

  HHS Office for Civil Rights Investigating Google's Project Nightingale Medical Data Consolidation


INTERNET STORM CENTER TECH CORNER

 

****************************************************************************

CYBERSECURITY TRAINING UPDATE

 

-- SANS OnDemand and vLive Training

Get an 11" iPad Pro, a 12.3" Surface Pro, or Take $350 Off through December 4 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019


-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020


-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020


-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020


-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020


-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020


-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020


-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020


-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


************************** Sponsored By Eclypsium **************************


Mother of All Drivers - New Vulnerabilities In Windows Drivers. Research from firmware security leader Eclypsium reveals how Windows kernel security mode enables attacks and identifies vulnerable drivers that can provide attackers with near-limitless control over a victim device. Research report and webinar describe common design flaws and what to do about them. http://www.sans.org/info/214765


****************************************************************************

TOP OF THE NEWS   

 

--Choctaw County, Mississippi Uses New Paper-Based Voting Machines

(November 12, 2019)

In a recent election, voters in Choctaw County, Mississippi used new machines from VotingWorks, a small, nonprofit organization that offers an inexpensive, easy to use, paper-based election system. VotingWorks' machines are not federally certified; Mississippi is one of a handful of US states that allows the use of voting machines that have not been federally certified. The process of federal certification is time consuming and expensive, creating roadblocks for innovation.


[Editor Comments]

 

[Pescatore] Lack of certification can be a barrier to cybersecurity innovation, too. We can't tell vendors "You need to jump this bar, unless you don't charge for your product." Has VotingWorks tried a GoFundMe campaign to fund certification, which would allow that software to be used by the 47 states that do require certification?


Read more in:


ProPublica: The Way America Votes Is Broken. In One Rural County, a Nonprofit Showed a Way Forward.

https://www.propublica.org/article/the-way-america-votes-is-broken-in-one-rural-county-a-nonprofit-showed-a-way-forward


 

--Indiana School District Recovering from Ransomware

(November 14, 2019)

A school district in Indiana is working on restoring its IT systems after a ransomware attack earlier this week. The Penn-Harris-Madison School Corp. notified families and staff of the incident on Tuesday, November 12. A spokesperson for Penn-Harris-Madison said that the IT staff shut down servers and began "scrubbing" on Tuesday, and on Wednesday, began bringing servers online. Staff members were notified that all files and data were backed up, but that complete restoration would take time.  


Read more in:                                         


GovTech: Indiana School District Restoring Computers After Ransomware

https://www.govtech.com/security/Indiana-School-District-Restoring-Computers-After-Ransomware.html

 
 

--Pemex Will Not Pay Ransomware Demand

(November 13, 2019)

Mexico's energy minister said that the state-owned oil company Pemex will not pay a ransom demanded by cyberattackers. The attack appears to have targeted corporate rather than operational systems.    


[Editor Comments]


[Neely] Pemex reverted to manual methods for payments during the system recovery. Kudos to them for isolating affected systems to stop lateral movement and exercising their DR plan rather than paying the ransom. The hardest part will be assurance of eradication and sufficient measures to prevent recurrence.


Read more in:


SC Magazine: Pemex claims victory over cyberattack; $4.9 million ransom reportedly demanded

https://www.scmagazine.com/home/security-news/cyberattack/pemex-claims-victory-over-cyberattack-4-9-million-ransom-reportedly-demanded/

GovInfosecurity: Ransomware: Mexican Oil Firm Reportedly Refuses to Pay Up

https://www.govinfosecurity.com/ransomware-mexican-oil-firm-reportedly-refuses-to-pay-up-a-13404

Reuters: Mexico's Pemex won't pay ransom after cyberattack: energy minister

https://www.reuters.com/article/us-mexico-pemex-cyber/mexicos-pemex-wont-pay-ransom-after-cyberattack-energy-minister-idUSKBN1XN2J3


****************************  SPONSORED LINKS  ******************************

 

1) Part 1 of a 3 Webcast Series: Outperform the Adversary with Tactical Decision-making and Rapid Response. Register: http://www.sans.org/info/214770


2) See how you can maximize threat hunting efficiency with automated queries in this upcoming webcast: http://www.sans.org/info/214775


3) Webcast November 20th at 10:30 AM ET: Threat Intelligence Driven Detect and Response Operations. Register: http://www.sans.org/info/214780


*****************************************************************************

REST OF THE WEEK'S NEWS      

 

--Brennan Center Report: A Framework for Election Vendor Oversight

(November 12 & 13, 2019)

A report from New York University Law School's Brennan Center for Justice notes that "more than 80 percent of voting systems in use today are under the purview of three vendors," yet those vendors "receive little or no federal review." The report proposes a framework for federal election oversight that includes independent oversight by a revamped Election Assistance Commission (EAC); issuance of vendor best practices from a "reconstituted" EAC Technical Guidelines Development Committee that includes members with cybersecurity expertise; vendor certification; ongoing review; and enforcement of guidelines.  


[Editor Comments]


[Pescatore] The report gives equal coverage to voluntary mechanisms that would not require federal legislative action. Since "timely federal legislative action" is largely an oxymoron, I'd like to see the National Association of Secretaries of State take action to have all the state secretaries (who oversee elections) agree to voluntary procurement requirements to drive those election vendors to first reach basic levels of security hygiene and then to move to critical infrastructure levels of security.


Read more in:


The Hill: Brennan Center calls for certification of companies that make voting equipment

https://thehill.com/policy/cybersecurity/470016-brennan-center-calls-for-certification-of-companies-that-make-voting

GovInfosecurity: Report Calls for Enforcing Voting Machine Standards

https://www.govinfosecurity.com/report-calls-for-enforcing-voting-machine-standards-a-13403

Brennan Center: A Framework for Election Vendor Oversight (PDF)

https://www.brennancenter.org/sites/default/files/2019-11/2019_10_ElectionVendors.pdf

 
 

--Patch Tuesday: Microsoft, Adobe, and Intel

(November 12 & 14, 2019)

On Tuesday, November 12, Microsoft released fixes for 4 security issues in Windows and related software. One of the flaws, a scripting engine memory corruption vulnerability in Internet Explorer, is being actively exploited. Adobe issued fixes for vulnerabilities in Animate, Illustrator, and other creative software products. Intel has announced that it will now release updates on the second Tuesday of the month as well; its inaugural scheduled release addresses 77 vulnerabilities.


Read more in:


KrebsOnSecurity: Patch Tuesday, November 2019 Edition

https://krebsonsecurity.com/2019/11/patch-tuesday-november-2019-edition/

The Register: This November, give thanks for only having one exploited Microsoft flaw for Patch Tues. And four Hyper-V escapes

https://www.theregister.co.uk/2019/11/12/november_2019_patch_tuesday/

Threatpost: Microsoft Patches RCE Bug Actively Under Attack

https://threatpost.com/microsoft-patches-rce-bug/150136/

MSRC: Security Update Summary

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

Adobe: Security Bulletins and Advisories

https://helpx.adobe.com/security.html

Intel: IPAS: November 2019 Intel Platform Update (IPU)

https://blogs.intel.com/technology/2019/11/ipas-november-2019-intel-platform-update-ipu/

 
 

--US-CERT Warning on Medtronic Surgery Equipment Security

(November 7 & 14, 2019)

US-CERT has issued an advisory warning of security flaws in Medtronic Valleylab FT10 and FX8 Energy Platforms as well as Valleylab Exchange Client. The security issues include hardcoded credentials, a reversible one-way hash, and improper input validation. Medtronic has made fixes available for the FT10 Platform; fixes for the FX8 platform are expected to be available early next year.   


Read more in:


Dark Reading: US-CERT Warns of Remotely Exploitable Bugs in Medical Devices

https://www.darkreading.com/threat-intelligence/us-cert-warns-of-remotely-exploitable-bugs-in-medical-devices/d/d-id/1336362

US-CERT: ICS Medical Advisory (ICSMA-19-311-02) Medtronic Valleylab FT10 and FX8

https://www.us-cert.gov/ics/advisories/icsma-19-311-02

 
 

--Royal Canadian Mounted Police Charge Man in Connection with Remote Access Trojan

(November 12 & 13, 2019)

Authorities in Canada have charged John Paul Revesz with allegedly operating a malware scheme. Revesz maintained that the product in question, Orcus RAT, is a Remote Administration Tool, useful for sysadmin remote management, but evidence suggests that the way Orcus RAT was marketed is more in line with it being a Remote Access Trojan.


Read more in:


KrebsOnSecurity: Orcus RAT Author Charged in Malware Scheme

https://krebsonsecurity.com/2019/11/orcus-rat-author-charged-in-malware-scheme/


 
 

--Alleged Online Criminal Marketplace Operator Extradited to US

(November 12 & 13, 2019)

Aleksei Yurievich Burkov appeared in federal court in Virginia on Tuesday, November 12, to face charges enumerated in a 2016 indictment. They include conspiracy to commit access device fraud, conspiracy to commit wire fraud, computer intrusion, and identity theft for his alleged role in running two websites that facilitated payment card fraud and other illegal activity. Burkov, a Russian citizen, was arrested in Israel nearly four years ago. His extradition was approved in 2017, and his appeals were recently denied.


Read more in:


Justice: Russian National Extradited for Running Online Criminal Marketplace

https://www.justice.gov/usao-edva/pr/russian-national-extradited-running-online-criminal-marketplace

Wired: Russia Fails to Stop Alleged Hacker From Facing US Charges

https://www.wired.com/story/aleksei-burkov-russia-hacking-extradition/

The Register: Russian bloke charged in US with running $20 million stolen card-as-a-service online souk

https://www.theregister.co.uk/2019/11/13/russian_charged_cardplanet/

SC Magazine: Russian who allegedly ran illegal Cardplanet site extradited to U.S.

https://www.scmagazine.com/home/security-news/cybercrime/russian-who-allegedly-ran-illegal-cardplanet-site-extradited-to-u-s/

Ars Technica: Russian man charged with running money-back-guaranteed criminal marketplace

https://arstechnica.com/information-technology/2019/11/russian-man-charged-with-running-money-back-guaranteed-criminal-marketplace/

 
 

--InfoTrax Settles with FTC Over Security Failures

(November 12 & 13, 2019)

A Utah company has settled a US Federal Trade Commission (FTC) complaint over its failure to adequately protect customer data. InfoTrax Systems failed to detect numerous intrusions over a 22-month period; the company was unaware that its systems had been breached until in 2016 when it learned that one of its servers had maxed out its storage capacity. The intruder had created a data archive file that grew with each intrusion until it used up all the remaining disk space. InfoTrax has agreed to a settlement that calls for it "to implement a comprehensive data security program."


[Editor Comments]


[Neely] Being revisited by an intruder after detection, which happened at least twice in this case, is not the best way to find gaps in your security program. Verification that configured monitoring triggers a response that is acted upon should be performed regularly. Fortunately for InfoTrax, the settlement doesn't include a fine as often happens in with FTC complaints.


[Pescatore] The FTC continues to quietly go after egregious violators, but often ends up with these types of settlements. I think it is time for something like a GAO report that looks into the track record of companies that agreed "to implement a comprehensive data security program." Seems like there have been some high-profile backsliding; we should have an accounting of the real-world effectiveness of those agreements.


Read more in:


FTC: Utah Company Settles FTC Allegations it Failed to Safeguard Consumer Data

https://www.ftc.gov/news-events/press-releases/2019/11/utah-company-settles-ftc-allegations-it-failed-safeguard-consumer

Ars Technica: Breach affecting 1 million was caught only after hacker maxed out target's storage

https://arstechnica.com/information-technology/2019/11/breach-affecting-1-million-was-caught-only-after-hacker-maxed-out-targets-storage/

ZDNet: Company discovered it was hacked after a server ran out of free space

https://www.zdnet.com/article/company-discovered-it-was-hacked-after-a-server-ran-out-of-free-space/

FTC: Decision and Order In the Matter of Infotrax Systems, L.C., A Limited Liability Company, and Mark Rawlins

https://www.ftc.gov/system/files/documents/cases/162_3130_infotrax_order_clean.pdf

FTC: Complaint In the Matter of Infotrax Systems, L.C., A Limited Liability Company, and Mark Rawlins (2016)

https://www.ftc.gov/system/files/documents/cases/162_3130_infotrax_complaint_clean.pdf

 
 

--HHS Office for Civil Rights Investigating Google's Project Nightingale Medical Data Consolidation

(November 13, 2019)

The Office for Civil Rights in the US Department of Health and Human Services has launched an investigation into "Project Nightingale," a joint effort between Ascension, a non-profit healthcare system with more than 50 million patients in 23 states, and Google. The plan calls for Google to analyze Ascension patient data to provide improved patient care. Ascension did not notify patients or doctors before it started sharing the data with Google. Prior to Project Nightingale, Ascension patient information resided in 40 data centers in dozens of states. (Please note that the WSJ story is behind a paywall.)


[Editor Comments]


[Neely] The HIPAA paperwork you sign at your doctor's office or hospital acknowledges that they are allowed to share data with other entities only to help with their health care functions, which covers this sort of data sharing. Healthcare data custodians have the burden of assurance that the data shared is only used for the intended purposes. The HHS Health Information Privacy Site has guides and reference material that be leveraged to develop controls needed to properly protect PHI data. https://www.hhs.gov/hipaa/for-professionals/security/guidance/index.html: Security Rule Guidance Material


Read more in:


WSJ: Google's 'Project Nightingale' Triggers Federal Inquiry (paywall)

https://www.wsj.com/articles/behind-googles-project-nightingale-a-health-data-gold-mine-of-50-million-patients-11573571867

Ars Technica: Google: You can trust us with the medical data you didn't know we already had [Updated]

https://arstechnica.com/tech-policy/2019/11/google-you-can-trust-us-with-the-medical-data-you-didnt-know-we-already-had/

Threatpost: Google's Plan to Crunch Health Data on Millions of Patients Draws Fire

https://threatpost.com/googles-plan-to-crunch-health-data-on-millions-of-patients-draws-fire/150172/

ZDNet: Google's plan to collect health data on millions of Americans faces federal inquiry

https://www.zdnet.com/article/googles-plan-to-collect-health-data-on-millions-of-americans-faces-federal-inquiry/

 

******************************************************************************

INTERNET STORM CENTER TECH CORNER


Microsoft Patch Tuesday

https://isc.sans.edu/forums/diary/November+2019+Microsoft+Patch+Tuesday/25516/


Adobe Update

https://helpx.adobe.com/security.html


Lokibot Update (November 2019)

https://isc.sans.edu/forums/diary/An+example+of+malspam+pushing+Lokibot+malware+November+2019/25518/


Facebook Camera Bug

https://www.cnet.com/news/facebook-bug-has-camera-activated-while-people-are-using-the-app


McAfee Anti Virus Bypass and Persistence

https://safebreach.com/Post/McAfee-All-Editions-MTP-AVP-MIS-Self-Defense-Bypass-and-Potential-Usages-CVE-2019-3648


Some Packet-Fu with Zeek

https://isc.sans.edu/forums/diary/Some+packetfu+with+Zeek+previously+known+as+bro/25510/


Zombieload 2.0 Vulnerability

https://zombieloadattack.com/



******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create