
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #20

March 10, 2020

Dept. of Justice Guide for Cyber Research; ENTSO-E IT Security Breach; CPI and Durham NC Ransomware Attacks


SANS NewsBites               March 10, 2020                Vol. 22, Num. 020




  DoJ Issues Guide for Cyber Research

  ENTSO-E IT Security Breach

  CPI Ransomware Attack

  Durham, NC Ransomware Attack



  Lawmakers Ask Treasury Secretary if Cyber Sanctions Are Working

  Siemens Cybersecurity Incident Response Handbook for Energy Sector

  DoJ Charges Two Chinese Citizens With Cryptocurrency Money Laundering

  Unsupported Android Devices

  Google Releases March Android Updates

  Hackers Exploiting Known Vulnerability in Microsoft Exchange Servers

  FDA Warns of Cybersecurity Flaws That Could Affect Medical Devices

  GSA Makes .Gov Domains Somewhat Harder to Obtain


*************************  Sponsored By Splunk  *****************************

5 Key Ways CISOs Can Accelerate the Business. In a new report conducted by Forrester, CISOs are encouraged to align security with the enterprise, as well as juggle key innovations and manage the skills gap. Download your copy of 5 Key Ways CISOs Can Accelerate the Business and discover how to embed security into your business strategy. http://www.sans.org/info/215755



-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020

-- SANS Security West 2020 |San Diego, CA | May 6-13 | https://www.sans.org/event/security-west-2020

-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020

-- SANS London April 2020 | April 20-25 | https://www.sans.org/event/london-april-2020

-- SANS Pen Test Austin 2020 | April 27-May 2 | https://www.sans.org/event/pen-test-austin-2020

-- SANS Amsterdam May 2020 | May 11-18 | https://www.sans.org/event/amsterdam-may-2020

-- Cloud Security Summit & Training 2020 | Frisco, TX | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020

-- Rocky Mountain Hackfest Summit & Training 2020 | Denver, CO | June 1-8 | https://www.sans.org/event/rockymountainhackfest-summit-2020

-- SANS Cyber Defence Canberra 2020 | June 29-July 11 | https://www.sans.org/event/canberra-june-2020

-- SANS OnDemand and vLive Training

Get an iPad mini (64GB), HP Chromebook 14 G5, or Take $300 Off through March 18 with OnDemand or vLive training.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






--DoJ Issues Guide for Cyber Research

(March 3, 2020)

The US Department of Justice (DoJ) has published a document, Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources, to guide "information security practitioners' cyber threat intelligence gathering efforts that involve online forums in which computer crimes are discussed and planned and stolen data is bought and sold."

[Editor Comments]

[Pescatore] There will always be cases on the edges, where criminals claim to be researchers, researchers get accused of being criminals, or companies with deficient software try to use laws like the DMCA to stop researchers from pointing out how bad their software is. If you or your company are thinking about doing your own cyber threat research, the DoJ paper is a good starting point for decreasing the odds that you become one of those edge cases and for defending your actions if you do.


Read more in:

FCW: DOJ's totally non-binding guide to legal cyber research


Justice: Legal Considerations when Gathering Online Cyber Threat Intelligence and Purchasing Data from Illicit Sources (PDF)



--ENTSO-E IT Security Breach

(March 9, 2020)

The European Network of Transmission System Operators for Electricity (ENTSO-E) has disclosed that its IT network was breached. In a brief statement, ENTSO-E notes that its network is not connected to those of operational Transmission System Operators (TSO). ENTSO-E's website notes that its security mission is "Pursuing coordinated, reliable and secure operations of the interconnected electricity transmission network, while anticipating the decision to cope with upcoming system evolutions."

[Editor Comments]

[Murray] That said, the industry culture is to connect the controls of the grid to the public networks to allow operators timely and convenient access to them in a crisis.

Read more in:

Cyberscoop: European power grid organization says its IT network was hacked


ENTSOE: ENTSO-E has recently found evidence of a successful cyber intrusion into its office network


ENTSOE: entsoe: Our Mission



--CPI Ransomware Attack

(March 5, 2020)

Electronics manufacturer Communications & Power Industries (CPI) suffered a ransomware attack in mid-January 2020. The infection spread quickly to all CPI offices as the company's computers were on an unsegmented network. CPI paid a ransom of US $500,000, but is still working on recovering its systems. CPI customers include the US Department of Defense and the Defense Advanced Research Projects Agency (DARPA).

[Editor Comments]

[Neely] The root cause appears to be a domain administrator clicking on the malicious link. Controlled use of administrative privileges, including running with the lowest level of privilege, is CIS Control 4. Network segmentation, particularly for older operating systems such as XP, is key to not only restrict lateral movement but also mitigate shortfalls in legacy system security.

Read more in:

Tech Crunch: Defense contractor CPI knocked offline by ransomware attack



--Durham, NC Ransomware Attack

(March 8 & 9, 2020)

Computers belonging to the city of Durham, North Carolina, were infected with Ryuk ransomware over the weekend. The city made the decision to shut down certain systems, including its phone system. The decision rendered an information phone line unavailable, but emergency services "are operational and emergency calls are being handled."

Read more in:

SC Magazine: Durham, N.C. bull rushed by ransomware; recovery underway


News Observer: Russian malware cripples some Durham city and county systems. City is investigating


****************************  SPONSORED LINKS  ******************************

1) Webinar: How to Prioritize Security Controls for Situational Awareness in AWS. http://www.sans.org/info/215760

2) Survey | Participate in the SANS 2020 SOC Skills Survey and enter for a chance to win a $400 Amazon gift card! http://www.sans.org/info/215765

3) Webcast March 18th at 1PM ET: Empower Your Security Team with Approachable Threat Intelligence. Register: http://www.sans.org/info/215770




--Lawmakers Ask Treasury Secretary if Cyber Sanctions Are Working

(March 4, 2020)

At a congressional hearing earlier this month, members of the US House Appropriations Committee asked Treasury Secretary Steven Mnuchin if the Treasury Department's financial sanctions against countries that had launched cyberattacks against the organizations in the US have produced "any sizable positive impact on the reduction of breach attempts on U.S. companies."

Read more in:

FCW: Lawmakers grill Mnuchin on Treasury's cyber sanctions



--Siemens Cybersecurity Incident Response Handbook for Energy Sector

(March 6, 2020)

Siemens has published its energy sector cybersecurity incident response handbook. The handbook is based on an exercise involving a simulated attack against a fictional electrical utility. It notes that "the focus of cyberattacks against the energy industry has shifted from targeting information technologies (IT) toward operating technologies (OT)," and spells out incident response steps.

Read more in:

Siemens: Energy Industry Cybersecurity: A Playbook for Incident Response (press release)


Siemens: Simulating a Cyberattack on the Energy Industry: A PLAYBOOK FOR INCIDENT RESPONSE (PDF)


Dark Reading: Siemens Shares Incident Response Playbook for Energy Infrastructure



--DoJ Charges Two Chinese Citizens With Cryptocurrency Money Laundering

(March 2, 3, & 6, 2020)

The US Department of Justice (DoJ) has indicted two Chinese citizens, Tian Yinyin and Li Jiadong, on charges of helping North Korean cyber thieves launder more than US $100 million in funds stolen in a 2018 cryptocurrency heist.  In addition, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) has imposed sanctions on the pair.

Read more in:

Washington Post: Two Chinese nationals indicted in cryptocurrency laundering scheme linked to North Korea


Wired: How an Elaborate North Korean Crypto Heist Fell Apart


Justice: Two Chinese Nationals Charged with Laundering Over $100 Million in Cryptocurrency From Exchange Hack



--Unsupported Android Devices

(March 6, 2020)

UK consumer rights and advice organization Which? estimates that more than one billion Android devices worldwide are no longer receiving updates. Of particular concern are devices released in 2012 or earlier, because they do not have built-in protections that newer devices have. Any devices running versions prior to Android "will carry security risks."

[Editor Comments]

[Neely] Android devices, where updates are provided, are supported for only three years; and the last year is typically limited to security updates. As devices age, security updates may move from monthly to quarterly. If you're an Android shop, plan for at most a three-year lifecycle for these devices. When qualifying devices for enterprise or personal use, verify the support lifecycle prior to purchase.

Read more in:

Which: Void Android: More than one billion Android devices at risk of hacking attacks


The Register: More than a billion hopelessly vulnerable Android gizmos in the wild that no longer receive security updates - research


ZDNet: Android security warning: One billion devices no longer getting updates



--Google Releases March Android Updates

(March 3 & 5, 2020)

Google's monthly batch of updates for Android includes fixes for 70 security issues. Seventeen of the vulnerabilities are critical remote code execution flaws, sixteen of which are in Qualcomm components. A high severity privilege elevation flaw that affects MediaTek chipsets is being actively exploited.

[Editor Comments]

[Neely] Unlike computer operating systems, Android updates tend to be cumulative, so make sure that you've applied all the updates for your device. Also, check your device manufacturer's web site to verify the update schedule for your particular devices.

Read more in:

Android: Android Security Bulletin--March 2020


The Register: Android users, if you could pause your COVID-19 panic buying for one minute to install these critical security fixes, that would be great
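The two Android items above come down to one operational question for a fleet owner: which devices are behind on security patches or no longer receiving them at all. The following is an added example, not code from the newsletter or from the editor quoted above. It assumes each device's `getprop` output has been exported (for instance by an MDM agent or `adb shell getprop`); `ro.build.version.security_patch` and `ro.build.version.release` are standard Android system properties, and the inventory in the block is constructed sample data.

```python
"""Fleet check: flag Android devices whose security patch level is stale.

Added example (not from the newsletter or from the editor quoted above). It
assumes each device's getprop output has been exported, e.g. by an MDM agent
or `adb shell getprop`; ro.build.version.security_patch and
ro.build.version.release are standard Android system properties. The inventory
below is constructed sample data.
"""
import re
from datetime import date, datetime
from typing import Dict, List, Optional, Tuple

# getprop prints one property per line as "[key]: [value]".
PROP_RE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")


def parse_getprop(text: str) -> Dict[str, str]:
    """Parse getprop-style output into a dict; lines that do not match are ignored."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def patch_age_days(props: Dict[str, str], as_of: date) -> Optional[int]:
    """Days between the device's security patch level and as_of, or None if unreadable."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        patch_level = datetime.strptime(raw, "%Y-%m-%d").date()
    except ValueError:
        return None  # property missing or not a YYYY-MM-DD date
    return (as_of - patch_level).days


def stale_devices(inventory: Dict[str, str], as_of: date,
                  max_age_days: int = 90) -> List[Tuple[str, str, Optional[int]]]:
    """Return (device_id, android_release, age_days) for devices needing attention.

    A device is listed when its patch level is older than max_age_days, or when
    the patch level cannot be read at all (age None): an unknown patch level is
    treated as unpatched until proven otherwise.
    """
    flagged = []
    for device_id in sorted(inventory):
        props = parse_getprop(inventory[device_id])
        age = patch_age_days(props, as_of)
        if age is None or age > max_age_days:
            flagged.append((device_id, props.get("ro.build.version.release", "?"), age))
    return flagged


# Constructed sample inventory: device id -> getprop excerpt.
SAMPLE_INVENTORY = {
    "device-01": "[ro.build.version.release]: [10]\n"
                 "[ro.build.version.security_patch]: [2020-02-05]\n",
    "device-02": "[ro.build.version.release]: [8.0.0]\n"
                 "[ro.build.version.security_patch]: [2019-09-01]\n",
    "device-03": "[ro.build.version.release]: [6.0.1]\n"
                 "[ro.build.version.security_patch]: [2016-12-05]\n",
    "device-04": "[ro.build.version.release]: [10]\n"
                 "[ro.build.version.security_patch]: [2019-12-05]\n",
    "device-05": "[ro.build.version.release]: [10]\n"
                 "[ro.build.version.security_patch]: [2020-03-01]\n",
    # Builds older than Android 6.0 predate the security_patch property entirely.
    "device-06": "[ro.build.version.release]: [4.4.2]\n",
}

if __name__ == "__main__":
    for dev, release, age in stale_devices(SAMPLE_INVENTORY, date(2020, 3, 10)):
        print(f"{dev}: Android {release}, patch level age = {age} days")
```

The 90-day threshold is a working assumption that tolerates the quarterly cadence the editor mentions for aging devices; tighten it for devices that are still on a monthly schedule. Devices that report no patch level at all are listed deliberately, since those are the ones most likely to have fallen out of support.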



--Hackers Exploiting Known Vulnerability in Microsoft Exchange Servers

(March 9, 2020)

Attackers are exploiting a known remote code execution vulnerability in Microsoft Exchange servers. The issue lies in the Exchange Control Panel; all Microsoft Exchange email servers released over the past decade have the same backend cryptographic keys. The vulnerability is being exploited by multiple groups of hackers. Microsoft issued a fix for the flaw in its February Patch Tuesday updates.

[Editor Comments]

[Neely] The patches were released February 11th; attempted exploits began after the zero-day report went live on February 26. While proof-of-concept code was released to GitHub, and there is also a Metasploit module, this is a difficult bug to exploit. Rolling out the patch quickly is still prudent, even if APT groups are not in your threat matrix.

Read more in:

ZDNet: Multiple nation-state groups are hacking Microsoft Exchange servers


Infosecurity Magazine: APT Groups Attack Exchange Servers Via Patched Flaw


Threatpost: Microsoft Exchange Server Flaw Exploited in APT Attacks
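The weakness described above is that servers shipped with the same backend cryptographic keys, so a defender's follow-up after patching is to confirm that no two hosts still share an ASP.NET machineKey. The block below is an added example, not code from the newsletter, the editor quoted above, or Microsoft. It assumes each host's web.config has already been collected into a dict of host name to XML text; the `<machineKey>` element with its `validationKey` and `decryptionKey` attributes is the standard ASP.NET location, and all host names and key values in the block are constructed sample data.

```python
"""Audit: find hosts whose ASP.NET <machineKey> values are shared.

Added example, not from the newsletter or from Microsoft. It assumes each
host's web.config has been collected (for instance by a configuration
management export) into a dict of host -> XML text; <machineKey> under
<system.web> is the standard ASP.NET location for validationKey and
decryptionKey. Host names and key values below are constructed sample data.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

KEY_ATTRS = ("validationKey", "decryptionKey")


def machine_key(web_config_xml: str) -> Optional[Dict[str, str]]:
    """Return the attributes of the first <machineKey> element, or None if absent."""
    root = ET.fromstring(web_config_xml)
    elem = next(root.iter("machineKey"), None)
    return None if elem is None else dict(elem.attrib)


def is_static(value: Optional[str]) -> bool:
    """True if the attribute is an explicit key rather than ASP.NET's AutoGenerate setting."""
    return bool(value) and not value.startswith("AutoGenerate")


def shared_keys(configs: Dict[str, str]) -> Dict[Tuple[str, str], List[str]]:
    """Map (attribute, key value) to the hosts using it, for keys seen on more than one host.

    Hosts with no <machineKey>, or with AutoGenerate keys, fall back to ASP.NET's
    per-machine key generation and are skipped: only explicit, static keys can be
    shared between hosts.
    """
    by_key: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for host, xml_text in configs.items():
        mk = machine_key(xml_text)
        if mk is None:
            continue
        for attr in KEY_ATTRS:
            if is_static(mk.get(attr)):
                by_key[(attr, mk[attr])].append(host)
    return {k: sorted(hosts) for k, hosts in by_key.items() if len(hosts) > 1}


def _config(validation: str, decryption: str) -> str:
    """Build a minimal constructed web.config carrying the given machineKey values."""
    return (
        "<configuration><system.web>"
        f'<machineKey validationKey="{validation}" decryptionKey="{decryption}" '
        'validation="SHA1" decryption="AES"/>'
        "</system.web></configuration>"
    )


# Constructed sample key values (not real keys from any product).
VK_SHARED = "AA11" * 16
DK_SHARED = "BB22" * 12
VK_UNIQUE = "CC33" * 16
DK_UNIQUE = "DD44" * 12
AUTO = "AutoGenerate,IsolateApps"

SAMPLE_CONFIGS = {
    "exch-01": _config(VK_SHARED, DK_SHARED),
    "exch-02": _config(VK_SHARED, DK_SHARED),   # same keys as exch-01: flagged
    "exch-03": _config(VK_UNIQUE, DK_UNIQUE),   # unique keys: fine
    "exch-04": _config(AUTO, AUTO),             # per-machine generation: fine
    "exch-05": "<configuration><system.web/></configuration>",  # no element: fine
}

if __name__ == "__main__":
    for (attr, value), hosts in shared_keys(SAMPLE_CONFIGS).items():
        print(f"{attr} {value[:8]}... shared by {', '.join(hosts)}")
```

The audit reports only sharing, never the key material beyond a short prefix, so its output can be attached to a ticket safely. A host that appears in the output after the February update has been applied is worth a second look at how that update was deployed.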



--FDA Warns of Cybersecurity Flaws That Could Affect Medical Devices

(March 3 & 5, 2020)

The US Food and Drug Administration (FDA) is warning about a group of cybersecurity vulnerabilities that could impact certain medical devices. The vulnerabilities, known collectively as SweynTooth, could be exploited to crash devices, cause denial-of-service or deadlock conditions, and to circumvent security protections to access sensitive functions without authorization. The FDA offers recommendations for patients, healthcare providers, and medical device manufacturers.

Read more in:

Cyberscoop: FDA warns patients about Bluetooth flaws affecting pacemakers, glucose monitors


FDA: SweynTooth Cybersecurity Vulnerabilities May Affect Certain Medical Devices: FDA Safety Communication



--GSA Makes .Gov Domains Somewhat Harder to Obtain

(March 5 & 7, 2020)

As of March 10, 2020, the US General Services Administration (GSA) will require entities requesting .gov domains to include notarized signatures on their authorization letters. Previously, applicants needed to submit a completed authorization letter, listing admin, tech, and billing contacts, printed on official letterhead. The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) would like to assume responsibility for granting .gov domains and to "ensure that only authorized users obtain a .gov domain, and proactively validate existing .gov holders."

[Editor Comments]

[Pescatore] Notaries seem like such a quaint idea in the digital age but a few years ago I didn't notice that my driver's license had expired, and in over 6 months of traveling, neither did any TSA inspectors at airport security. Then I had to get some form notarized at my local bank, and the Notary said "Nope, can't do it - your license expired 6 months ago!" Moral of the story: there is still benefit to a detailed manual inspection of credentials.

[Neely] Validating the identity of the person authorizing the domain request, which is required for granting .GOV domains, is a good start. Strongly issued digital signatures, such as the HSPD-12 credentials, should be considered as an alternative to a Notary.


[Murray] Enterprise identity and authentication is more important than individual. At enrollment time, it is necessary to ensure that the agent of the enterprise establishing the identity is both authentic and authorized.  

Read more in:

KrebsOnSecurity: U.S. Govt. Makes it Harder to Get .Gov Domains


dotgov: It should be easy to identify governments on the internet.





Excel Maldocs: Hidden Sheets


Malicious Spreadsheet With Data Connection and Excel 4 Macros


Wireshark 3.2.2 Released


Linux PPP Vulnerability


NordVPN Vulnerability


Unpatched Android Devices


Take A Way: Exploring the Security Implications of AMD's Cache Way Predictors



Google Play Store Protect Fails Security Test



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create