SANS NewsBites

Was Georgia Election System Server Compromised?; Iowa Caucus Results at Risk with Smartphone App; IE Zero-Day Actively Exploited; California Profile Rises in National Cybersecurity Talent Search

January 21, 2020  |  Volume XXII - Issue #6

Top of the News


2020-01-16

Georgia Election System Server May Have Been Compromised Through Shellshock in 2014

Evidence suggests that an election system server in the US state of Georgia was vulnerable to the Shellshock flaw for several months in 2014, and that the server was compromised through the vulnerability.

Editor's Note

While much of the attention on election systems has been on vote recording, history suggests that problems are more likely to occur in the backend tabulation and reporting systems.

William Hugh Murray

Computers can be hacked; voting machines are computers. Computers connected to the Internet have a greater chance of being hacked; voting machines are (sometimes) connected to the Internet. https://qz.com/1783766/these-voting-machine-security-flaws-threaten-election-2020/

Stephen Northcutt

States are increasingly turning to National Guard cyber forces. https://www.thenewstribune.com/news/politics-government/article239319613.html

Russ McRee

2020-01-14

Iowa Caucus Results to be Calculated with Smartphone App

When Iowa's Democratic Party holds its caucuses next month, the results will be calculated and reported with the help of a mobile app. (Iowa, like several other US states, holds caucuses, where voters must be physically present to declare their support for a candidate.) The reasoning behind using the app is that results will be available to the public more quickly. The Iowa Democratic Party chairperson declined to disclose which app they will use.

Editor's Note

The risk there is the human firewall, which social engineers have repeatedly shown will be compromised. Iowa does have contingency plans in case something goes wrong; detecting the anomaly and providing corrected information, particularly after results are published, is problematic.

Lee Neely

2020-01-20

IE Zero-Day is Being Actively Exploited

Microsoft has published mitigations and workarounds for "a remote code execution vulnerability ... in the way that the scripting engine handles objects in memory in Internet Explorer." The flaw is being actively exploited. Microsoft is developing a fix for the vulnerability.

Editor's Note

Time to re-assess the use of IE in the enterprise. Microsoft has done a lot of work to make Edge more compatible and functional. Some applications still require plugins that only work in IE, such as Silverlight, or those using ActiveX controls; consider providing them a sandboxed enterprise browser solution rather than running these on the endpoint.

Lee Neely

2020-01-21

State of California Raises Profile in National Cybersecurity Talent Search

Texas, New Jersey, and Nevada are still the top three states in the national cybersecurity high school talent search, but last week California's Department of Technology and CIO raised the level of visibility for California's high schools. California's numbers have nearly doubled since then.


Read more in:

https://www.techwire.net/news/cdt-promoting-cybersecurity-as-career-path-for-girls.html: CDT Promoting Cybersecurity as Career Path for Girls


To see where your state stands: https://www.girlsgocyberstart.org/leaderboard


To make sure your students have the opportunity to participate: https://www.girlsgocyberstart.org

The Rest of the Week's News


2020-01-16

Senator Has Questions About Compromise of Service Members' Medical Data

US Senator Mark Warner (D-Virginia) wants to know how American service members' medical data were left unprotected on the Internet. In a letter to Defense Health Agency (DHA) Assistant Secretary Thomas McCaffery, Warner notes that picture archiving and communication system (PACS) servers at three military medical facilities left service members' "personally identifiable and sensitive medical information available online for anyone with a DICOM viewer to find." Warner asks McCaffery to provide "information about [DHA's] oversight of the information practices at military hospitals," and that the PACS be removed from open Internet access.


2020-01-19

Travelex CEO Says Some Services Restored

In a video statement, Travelex CEO Tony D'Souza said that the company is making progress in restoring its systems in the wake of a December 31 ransomware attack. D'Souza said that the company "is bringing systems up in a controlled and secure manner." The company's main website is still not operational.

Editor's Note

Restored services are currently only in the UK, with service restoration outside the UK scheduled for a future phase.

Lee Neely

Enterprise management should immediately take steps to resist and mitigate "ransomware" and "wiper" attacks. Use strong authentication, system-to-system and application-to-application isolation, and at least 3 copies of mission critical applications and data, on at least 2 different media, with at least 1 copy off site. If one cannot mitigate attacks within hours to days, the life of the enterprise is at risk.

William Hugh Murray

2020-01-17

Companies Need to Patch Pulse Secure VPN Flaw Exploited in Attack Against Travelex

In a Flash Security Alert issued earlier this month, the FBI said that hackers exploited a known vulnerability in Pulse Secure VPN servers to breach Travelex. The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert, urging companies to patch the flaw. A fix for the issue has been available since April 2019. (Please note that the WSJ story is behind a paywall.)

Editor's Note

This is a case where defense in depth visibly paid off. While the flaw allowed attackers to access the agency network on a single segment and enumerate users from Active Directory, services on other segments were protected by MFA and were not able to be accessed.

Lee Neely

2020-01-17

WeLeakInfo Domain Seized, Two People Arrested

Law enforcement authorities in the Netherlands, the UK, Northern Ireland, Germany, and the US have taken down the WeLeakInfo website, which was used to sell access to more than 12 billion stolen user records. Two people have been arrested in connection with the site's operation.


2020-01-20

Citrix Releases Fixes for Critical Vulnerability in Application Delivery Controller and Gateway

Citrix has released permanent fixes for its Application Delivery Controller (ADC) and Gateway versions 11.1 and 12.0. Citrix expects to release fixes for ADC versions 12.1, 13, and 10.5, as well as for SD-WAN WANOP, on Friday, January 24. The vulnerability, which was initially disclosed in mid-December 2019, is being actively exploited.

Editor's Note

Citrix has accelerated the release of the permanent fixes, with an ETA of January 24th for the balance of them. As the vulnerabilities are being actively exploited, implementing the available mitigations now is prudent until the fixes for your particular device and service are released and you've completed appropriate regression testing on those patches.

Lee Neely

2020-01-17

Hackers Install Citrix Mitigation and Leave Backdoor Open for Themselves

Among the numerous exploits of the Citrix vulnerability, FireEye noted one threat actor who reportedly scans for vulnerable Citrix servers, then installs mitigations that keep others out while establishing a backdoor for themselves.

Editor's Note

When verifying that the mitigations have been implemented, verify that devices showing as no longer vulnerable were patched by your team. Also, verify NOTROBIN has not been installed. The FireEye article explains behavior and indications of compromise you can incorporate into your SIEM.

Lee Neely

2020-01-20

Major Telnet Credential Leak

A hacker posted a list of Telnet credentials for more than half a million devices, including servers, home routers, and Internet of Things (IoT) devices. The information was reportedly posted by someone who maintains a DDoS-for-hire service.

Editor's Note

Enterprises should offer strong authentication options to users. Users should employ strong authentication where available and use password managers to resist password re-use across applications and systems.

William Hugh Murray

Internet Storm Center Tech Corner

Microsoft Scripting Engine Memory Corruption Vulnerability

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV200001


CVE-2020-0601 Update

https://isc.sans.edu/forums/diary/Summing+up+CVE20200601+or+the+Lets+Decrypt+vulnerability/25720/


Curveball Update

https://www.citrix.com/blogs/2020/01/19/vulnerability-update-first-permanent-fixes-available-timeline-accelerated/

https://isc.sans.edu/diary//25724


Twist on Sextortion

https://www.dailymail.co.uk/sciencetech/article-7886055/Sextortion-campaign-targets-users-Google-Nest-smart-camera.html


Emotet Uses Extortion to Infect Systems

https://www.bleepingcomputer.com/news/security/emotet-malware-dabbles-in-extortion-with-new-spam-template/


LastPass Outage

https://www.theregister.co.uk/2020/01/20/lastpass_outage/


Netgear Signed TLS Cert Private Key Disclosure

https://gist.github.com/nstarke/a611a19aab433555e91c656fe1f030a9