SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #100

December 22, 2017

A Christmas present and two Grinch stories in Top of the News. The present is for you alone or for you and your kids; the Grinch is WordPress.

TOP OF THE NEWS

SANS Holiday Hack Challenge 2017

Backdoor Found in WordPress Captcha Plugin

WordPress Sites Attacked to Install Cryptocurrency Miner

THE REST OF THE WEEK'S NEWS

FedRAMP Best Practices for Cloud Adoption

Google Removes Phony Bitcoin Wallet Apps from Google Play Store

CrowdStrike Report on Alleged Chinese Cyber Espionage

Twitter Updating its Two-Factor Authentication to Support Third-Party Apps

Russian Bank Says Attackers Tried to Steal Millions of Rubles

Five Arrested in Romania for Allegedly Spreading Ransomware

New Feature in Firefox 57 Improves Page Load Times

Wassenaar Arrangement Changes Ease Licensing Worries for Researchers


***************************  Sponsored By Bitsight  *************************

Join John Pescatore and Michael Roling, Chief Information Security Officer for the State of Missouri, Office of Administration, as they discuss how the State uses BitSight Technologies Security Rating services as a key input in assuring that third-party suppliers and partners that will handle sensitive State of Missouri information are secure enough to keep that information safe. Register: http://www.sans.org/info/200825



-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018

-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018

-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018

-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018

-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. SAVE $350 or get a GIAC Certification Attempt Included with OnDemand or vLive Training when you register by December 27. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility:

   Live Daytime training with Simulcast - https://www.sans.org/simulcast

   Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

   Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training:

   SANS Mentor https://www.sans.org/mentor/about

   Community SANS https://www.sans.org/community/

-- View the full SANS course catalog https://www.sans.org/security-training/by-location/all




SANS Holiday Hack Challenge 2017

From the makers of SANS NetWars and CyberCity and the authors of SANS' top Penetration Testing courses comes the free 2017 SANS Holiday Hack Challenge. There is something for everyone: introductory challenges for newcomers all the way up to advanced exploits, and everything in between. Many people play the challenge with their children; the kids play the video game portion of the challenge while the parents show them how to complete the infosec pieces. There are prizes and giveaways for participants, including one complimentary SANS OnDemand course for the Grand Prize winner!


Here's what some of this year's participants are saying:

--- My daughter just snapchatted me a picture of her working on the #SANSHolidayHack challenge. I couldn't be a more proud dad right now, keep it up! Thanks @SANSInstitute @SANSPenTest and @edskoudis for putting this together. (Tim Garcia)

--- Just finished all the terminal challenges! Didn't realize how much learning I'd be doing over winter break. Thanks a ton, #SANSHolidayHack! (Brian Jopling)

--- If you are in information security, or even have a slight interest, you need to check out the #SANSHolidayHack Challenge. No matter your skill level, it is fantastic. Great job as always @edskoudis @SANSInstitute and team. #Infosec (Steve Hardee)



Backdoor Found in WordPress Captcha Plugin

(December 19, 20 & 21, 2017)

A WordPress plugin known as Captcha, which has been installed at least 300,000 times, was recently altered to add a backdoor. Captcha's original developer sold the plugin to a new developer in September. The new owner released Captcha 4.3.7, which contained the backdoor, in early December.  The backdoored plugin has been removed from the WordPress plugin repository and a clean version, Captcha 4.4.5, was being pushed out to websites that were running the older version.

Read more in:

Bleeping Computer: Backdoor Found in WordPress Plugin With More Than 300,000 Installations


The Register: WordPress captcha plugin on 300,000 sites had a sneaky backdoor


Security Boulevard: Yet Another WordPress Extension Changes Owner and Gets Backdoored



WordPress Sites Attacked to Install Cryptocurrency Miner

(December 18 & 20, 2017)

Attackers have recently been targeting WordPress sites with brute-force attacks to gain administrative access and install a Monero cryptocurrency miner. Infected sites are also used to help with the brute-force attacks against other WordPress sites. Wordfence says the attack "is the most aggressive campaign we have seen to date, peaking at over 14 million attacks per hour."

[Editor Comments]

[Honan] The motivation for most attacks by criminals is to make money as quickly as possible. This is one of the reasons behind the growth of ransomware, and we will see more attacks leading to systems being infected with mining software for digital currencies.

Read more in:

Bleeping Computer: Massive Brute-Force Attack Infects WordPress Sites with Monero Miners


Wordfence: Breaking: Aggressive WordPress Brute Force Attack Campaign Started Today, 3am UTC
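The campaign above works by hammering wp-login.php with password guesses, so the practical defender's check is to watch the web server's access log for a source that fails repeatedly and then suddenly succeeds. The script below is an added example written for this page, not code from Wordfence or from the articles cited. It parses constructed Apache-style log lines (documentation-range addresses and made-up timestamps) and relies on one assumption about WordPress behaviour: a failed login re-renders the form with HTTP 200, while a successful one redirects with HTTP 302. The threshold and window values are illustrative defaults.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an Apache "combined" access log. The addresses come from
# the RFC 5737 documentation ranges and the timestamps are invented for the example.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Dec/2017:03:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2017:03:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Dec/2017:03:00:03 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2017:03:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2017:03:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
198.51.100.4 - - [18/Dec/2017:03:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2017:03:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Dec/2017:03:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Dec/2017:03:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Dec/2017:03:15:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3451 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    path = m.group("path").split("?")[0]          # drop any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def login_events(log_text):
    """Yield (ip, ts, succeeded) for every POST to wp-login.php.

    Assumption: WordPress re-renders the login form with HTTP 200 on a bad
    password and redirects (302) on success, so the status code tells them apart.
    """
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if method == "POST" and path.endswith("/wp-login.php"):
            yield ip, ts, status == 302


def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best, left = 0, 0
    for right, t in enumerate(times):
        while t - times[left] > window:
            left += 1
        best = max(best, right - left + 1)
    return best


def find_bruteforce_sources(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: {"peak_failures": n, "success_after_failures": bool}} for every
    source whose failed logins inside some window of `window` reach `threshold`."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ip, ts, ok in login_events(log_text):
        (successes if ok else failures)[ip].append(ts)
    report = {}
    for ip, times in failures.items():
        peak = max_in_window(times, window)
        if peak >= threshold:
            # A redirect after a burst of failures is the strongest sign that the
            # guessing worked and an administrative session is now open.
            followed = any(s > min(times) for s in successes.get(ip, []))
            report[ip] = {"peak_failures": peak, "success_after_failures": followed}
    return report


if __name__ == "__main__":
    for ip, info in find_bruteforce_sources(SAMPLE_LOG).items():
        print(ip, info)
```

Run against the sample, the script reports 203.0.113.7 with a peak of five failures inside a minute and a success afterwards, which is the case to escalate: reset the account, check for new administrators and plugins, and look for the miner. The two slow attempts from 192.0.2.9 stay below the default threshold, but widening the window (say fifteen minutes with a threshold of two) catches low-and-slow guessing at the cost of more noise.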



**************************  SPONSORED LINKS  ********************************

1) Did you miss "Who Owns ICS Security? Fusing IT, OT, & IIoT Security in the Corporate SOC." View the archive: http://www.sans.org/info/200830

2) ICYMI: "Breaking Down the Data: How Secure Are You and Your Supply Chain?" with G. Mark Hardy. http://www.sans.org/info/200835

3) ICYMI: "The Convergence of EPP and EDR: Tomorrow's Solution Today." http://www.sans.org/info/200840




FedRAMP Best Practices for Cloud Adoption

(December 21, 2017)

The Federal Risk and Authorization Management Program (FedRAMP) office has published the Agency Authorization Playbook, which offers guidance for cloud adoption by government agencies. The Playbook breaks down the authorization process into parts and describes roles, responsibilities, and best practices for cloud services providers, federal agencies, and third-party assessment organizations.

[Editor Comments]

[Pescatore, Neely and Murray] This playbook is complex because it is written around government agencies who want to use a Cloud Service Provider that is *not* already FedRAMP certified. Looking at the 93 CSPs already certified, plus the 60 already in process, the majority of CSPs government agencies will use are already certified. I'd like to see a much more simplified "quick start" guide aimed at helping small agencies quickly get up and running on cloud services that other government agencies have already signed off on with Authority to Operate.

Read more in:

Nextgov: FedRAMP Issues Step-By-Step Guide for Cloud Adoption


Amazon AWS: FedRAMP Agency Authorization Playbook


FedRAMP: Introducing the New Agency Authorization Playbook




Google Removes Phony Bitcoin Wallet Apps from Google Play Store

(December 21, 2017)

Google has pulled three phony Bitcoin wallet apps from its Google Play store. The apps redirected Bitcoin payments to attackers' addresses. The apps had been available in the Google Play store for several months before they were removed; the three apps were downloaded a total of 20,000 times.

[Editor Comments]

[Williams] Downloading a "mobile wallet" for Bitcoin is like downloading a mobile banking application. Don't do it unless you trust the source with your money. Also, your Bitcoin wallet doesn't have FDIC insurance...

Read more in:

Threatpost: Google Play Boots 3 Fake Bitcoin Wallet Apps


eWeek: Google Removes Three Fake Bitcoin Wallet Apps From Google Play




CrowdStrike Report on Alleged Chinese Cyber Espionage

(December 20 & 21, 2017)

Hackers believed to be operating under the aegis of the Chinese government have targeted Western think tanks and nongovernmental organizations (NGOs) in the past few months, according to a report from CrowdStrike's Falcon Intelligence and OverWatch teams. In a blog post, CrowdStrike writes that it detected Chinese hackers attempting to infiltrate servers at six such organizations in October and November. The attacks appeared to target "the communications of foreign personnel involved in Chinese economic policy research and the Chinese economy, as well as users with noted expertise in defense, international finance, U.S.-Sino relations, cyber governance, and democratic elections."  

[Editor Comments]

[Murray] Professional criminals and nation states have all but driven amateur hackers from the threat landscape. Narrowly targeted attacks have replaced those against targets of opportunity. Attacks against user credentials continue. Strong authentication is now an essential practice. Another necessary response is to dramatically improve application-to-application isolation to resist lateral attacks.

Read more in:

CrowdStrike: An End to "Smash-and-Grab" and a Move to More Targeted Approaches


Cyberscoop: Chinese hackers tried to spy on U.S. think tanks to steal military strategy documents, CrowdStrike says


SC Magazine: Report: Chinese cyberspies targeted Western think tanks with spy tools, DDoS attacks in Q4




Twitter Updating its Two-Factor Authentication to Support Third-Party Apps

(December 20 & 21, 2017)

Twitter is rolling out an update to its login verification to include support for third-party two-factor authentication (2FA) tools. The company has supported 2FA since 2013, using SMS to send a six-digit verification code. In July 2016, the US National Institute of Standards and Technology (NIST) said in its updated Digital Authentication Guidelines that SMS-based 2FA is not adequately secure.

[Editor Comments]

[Pescatore] The NIST concern over the use of SMS is that the legitimate mobile phone number could be transferred to the attacker, unless carriers require 2FA for number change requests. That is a good reason for moving from SMS-based 2FA to something stronger, but any rational ranking of risk says it is a bad decision to stick with re-usable passwords over adding SMS 2FA. Luckily, the commercial offerings are leading the way, and increasing numbers of users will adopt stronger authentication at home and drive its adoption at work later.

[Murray] For public applications where the use of strong authentication is a user choice, the more options, the more likely the user will find one that he likes. Google should be the model.

[Neely] While SMS two-factor is not secure, it is an improvement over single-factor password use. Adding support for mobile applications that use a time-based one-time password (TOTP) takes this to the necessary next level. Note that enabling this feature will require you to reauthenticate to your Twitter accounts from all devices/browsers currently logged into Twitter.

Read more in:

eWeek: Twitter Expands Two-Factor Authentication Security Options


Cyberscoop: Twitter upgrades two-factor authentication options by allowing third party apps


Twitter: We're rolling out an update to login verification.




Russian Bank Says Attackers Tried to Steal Millions of Rubles

(December 21, 2017)

Russia's Globex state bank says that attackers tried to steal 55 million rubles ($940,000 USD) through the SWIFT international payments messaging system. The attack was reportedly spotted and thwarted before the thieves managed to steal the full amount. Last month, SWIFT said that its bank messaging system continues to be targeted by criminals, and that security measures put in place following the February 2016 $81 million USD theft from the Bangladesh central bank are helping to prevent many of the attempts.

Read more in:

Russia's Globex bank says hackers targeted its SWIFT computers





Five Arrested in Romania for Allegedly Spreading Ransomware

(December 11, 20 & 21, 2017)

Law enforcement officials in Romania have arrested five people in connection with ransomware attacks. Three of the suspects allegedly infected computers in Europe with CTB-Locker or Critroni ransomware. The other two suspects allegedly used a Washington, DC police surveillance system to infect computers in the US with Cerber ransomware. Romania's Directorate for Investigating Organized Crime and Terrorism made the arrests after receiving intelligence from Europol, the FBI, and Dutch National Police.  

[Editor Comments]

[Honan] Kudos to all in law enforcement involved in arresting those alleged to be behind these ransomware attacks. This is not only a good example of international LEA cooperation but highlights how, by reporting cybercrime, victims can provide law enforcement with the intelligence they need to tackle criminal gangs.

[Henry] The close coordination between international law enforcement agencies is critical to deter the attacker, and it's great to see the collaboration here. We must continue defense in depth, we must patch systems, and we must be proactive in hunting in our networks for anomalous behavior. Regardless, the attacks will continue indefinitely until well-resourced and determined adversaries are identified, disrupted, and/or otherwise mitigated.

Read more in:

The Hill: Romania arrests five for spreading ransomware in Europe, US


Bleeping Computer: Five Romanians Arrested for Spreading CTB-Locker and Cerber Ransomware


Bleeping Computer: Hackers Used DC Police Surveillance System to Distribute Cerber Ransomware


Tripwire: Two Romanians Charged with Hacking 65% of DC Surveillance Camera Computers


SC Magazine: Washington, D.C. police computers used by two Romanians to operate ransomware campaign




New Feature in Firefox 57 Improves Page Load Times

(December 20 & 21, 2017)

A new feature in Firefox 57, which was released in November, delays tracking scripts from loading in an effort to help improve page load times. The engineer who developed the feature calls it "tailing." The feature currently will "delay scripts only when they are added dynamically to a page or via an async call." The feature was not announced when Firefox 57 was released.  

[Editor Comments]

[Northcutt] I will not be back to high-speed Internet till 12/26. My Verizon "unlimited" phone tether plan has already put me in the 600 kbps penalty box. It is amazing watching various browsers at slow speed. Safari just will not load images. Firefox 57 loads the fastest, but good luck with "check out" buttons. If you have to operate on limited bandwidth, Chrome or Opera seem to be the best of the mainstream browsers.

Read more in:

Bleeping Computer: Firefox Will Now Delay the Loading of Tracking Scripts


The Register: Firefox 57's been quietly delaying tracking scripts




Wassenaar Arrangement Changes Ease Licensing Worries for Researchers

(December 20, 2017)

Delegates at the annual plenary session of the Wassenaar Arrangement have reached agreement on changes to the global multilateral arrangement on export controls for conventional weapons and sensitive dual-use goods and technologies. The changes include exemptions to certain export control requirements, which eases concerns for researchers working in the areas of vulnerability disclosure and incident response.

[Editor Comments]

[Williams] This is a significant improvement to the language used in Wassenaar. Prior to this rewrite there was much ambiguity about how the regulations may have been applied to those who build penetration testing tools. I have to applaud Katie Moussouris for her work in making this happen. As a private citizen, she volunteered time (taking away from her business Luta Security) and spent her own money on travel and other expenses. If you get the opportunity, please thank her for her efforts (she goes by @k8em0 on Twitter).

Read more in:

Cyberscoop: The Wassenaar Arrangement's latest language is making security researchers very happy


Wassenaar: Summary of Changes: List of Dual-Use Goods & Technologies and Munitions List as of 7 December 2017 (PDF)


Wassenaar: What is the Wassenaar Arrangement?




INTERNET STORM CENTER TECH CORNER

Example of "MouseOver" Link in a Powerpoint File

Adups Malware Still Haunting Android Phones

Popular Wordpress Captcha Included Backdoor

Comparing DNS Filters

Kernel Hooking Basics

WordPress Sites Infected with Monero Miners

Intel Memory Encryption (PDF)

Critical Flaw in SMBv1 Implementation of Dell EMC Data Domain DD OS

Facebook Enables Feature To Review All E-Mails Sent By Facebook

EtherDelta DNS Attack

Enigmail Vulnerability (PDF)




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create