Save $400 on InfoSec Training at SANS San Francisco Spring 2018. Ends Tomorrow!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #101

December 29, 2017

****************************************************************************

SANS NewsBites               December 29, 2017                Vol. 19, Num. 101

****************************************************************************

TOP OF THE NEWS

   More WordPress Plug-ins with Backdoors

   Huawei Routers Are Being Used to Spread Mirai Malware

REST OF THE WEEK'S NEWS

   Computer History Museum Plans to Release Apple's Lisa Source Code

   Russia Investigating Botched Satellite Launches

   ISAOs for Connected Medical Devices

   RootsWeb.com Server Exposed User Data

   Digmine Bot Spreading Through Facebook Messenger

   Microsoft Sues IP Over Pirated Software Activations

   Mozilla Fixes Vulnerabilities in Thunderbird

   GoAhead Flaw Affects IoT Devices

   Man Sentenced to Prison for Threatening Cyber Attacks Against NC Company

   Opera to Introduce Cryptocurrency Mining Blocker


*************************  Sponsored By InfoBlox ****************************


DNS is one of the backbones of the Internet as we know it. It is crucial in making sure that packets get to the right destination, and you receive the information you need. However, DNS is yet another protocol that, over the years, has fallen victim to inherent vulnerabilities and attacker abuse.  Register for this webcast to learn more:  http://www.sans.org/info/200925


*****************************************************************************

TRAINING UPDATE


-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018

 

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

 

-- SANS Las Vegas 2018 | January 28-February 2 |https://www.sans.org/event/las-vegas-2018

 

-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018

 

-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018

 

-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018

 

-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018

 

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

 

-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018

 

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Special Offer: Get a 10.5" iPad Pro or an HP ProBook 450 G4, or take $400 Off with OnDemand and vLive Training when you register by January 10.

https://www.sans.org/online-security-training/specials/

 

-- Can't travel? SANS offers online instruction for maximum flexibility

Live Daytime training with Simulcast - https://www.sans.org/simulcast

Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

 

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all


*****************************************************************************

TOP OF THE NEWS

 --

More WordPress Plug-ins with Backdoors

(December 28, 2017)

Three more WordPress plug-ins have been found to contain backdoors. Like the Captcha plug-in that was recently found to have a back door, the Duplicate Page and Post, No Follow All External Links, and WP No External Links plug-ins were recently sold to a third party believed to be responsible for the addition of the malicious code. The altered plug-ins have been removed from the WordPress plug-ins directory.


[Editor Comments]


[Neely] When software is purchased, new features like this can be introduced, which necessitates analysis, but the complexity of a mature Wordpress site makes this analysis problematic. A plugin like Wordfence can help by alerting for malicious plugins.


[Williams] This is a recurring theme. Software's not automatically safe just because it's open source.  However, to some extent there is a safety in numbers effect.  By using a popular plugin, you are somewhat insulated from a backdoor. If a developer puts a backdoor in a plugin, there is a greater chance of it being discovered if more people are using it.


Read more in:

Bleeping Computer: Three More WordPress Plugins Found Hiding a Backdoor

https://www.bleepingcomputer.com/news/security/three-more-wordpress-plugins-found-hiding-a-backdoor/


 --

Huawei Routers Are Being Used to Spread Mirai Malware

(December 21 & 27, 2017)

An unpatched vulnerability in Huawei HG532 home routers is being used to spread a variant of Mirai botnet malware known as Okiku or Satori. Check Point detected suspicious activity in November and alerted Huawei, which has issued a security notice suggesting several mitigations for affected users.   


Read more in:

Huawei: Security Notice - Statement on Remote Code Execution Vulnerability in Huawei HG532 Product

http://www.huawei.com/en/psirt/security-notices/huawei-sn-20171130-01-hg532-en

Check Point: Huawei Routers Exploited to Create New Botnet

https://blog.checkpoint.com/2017/12/21/huawei-routers-exploited-create-new-botnet/

Threatpost: Huawei Router Vulnerability Used to Spread Mirai Variant

https://threatpost.com/huawei-router-vulnerability-used-to-spread-mirai-variant/129238/

Dark Reading: Hacker Targeted Huawei Router 0-Day in Attempt to Create New Mirai Botnet

https://www.darkreading.com/vulnerabilities---threats/hacker-targeted-huawei-router-0-day-in-attempt-to-create-new-mirai-botnet/d/d-id/1330715


**************************  SPONSORED LINKS  *********************************


1) Don't Miss: "Third Party Risk Assessment: Using BitSight for Consistent and Continuous Risk Rating" http://www.sans.org/info/200930


2) ICYMI: "The Convergence of EPP and EDR: Tomorrows Solution Today." http://www.sans.org/info/200935


3) Did you miss "Who Owns ICS Security? Fusing IT, OT, & IIoT Security in the Corporate SOC." View the archive: http://www.sans.org/info/200940



*****************************************************************************


THE REST OF THE WEEK'S NEWS    

 --

Computer History Museum Plans to Release Apple's Lisa Source Code

(December 28, 2017)

Apple is currently reviewing Lisa source code for public release. Lisa is the predecessor to Apple's Mac and was among the first operating systems with a graphical user interface. Lisa debuted in 1983 and was not a commercial success, due in part to its price tag: $10,000 USD. Once Apple has reviewed the code, the Computer History Museum plans to make it available to the public.


Read more in:

Ars Technica: Source code for Apple's historic Lisa OS to be made available in 2018

https://arstechnica.com/gadgets/2017/12/source-code-for-apples-historic-lisa-os-to-be-made-available-in-2018/

BBC: Apple to release source code for pre-Mac computer Lisa

http://www.bbc.com/news/technology-42502570

 

 --

Russia Investigating Botched Satellite Launches

(December 28, 2017)

Russia is examining two bungled satellite launches in two months. One of the incidents was due to the rocket carrying satellites being programmed to launch from the wrong cosmodrome. In the other incident, Russia lost contact with an Angolan telecommunications satellite.


Read more in:

Reuters: Kremlin says Russian satellite launch failures being investigated

https://www.reuters.com/article/us-space-launch-russia-angola/kremlin-says-russian-satellite-launch-failures-being-investigated-idUSKBN1EM11Z

ABC: Russia says embarrassing $58 million satellite launch failure due to 'human error'

http://www.abc.net.au/news/2017-12-28/russias-$58-million-satellite-launch-failure-due-to-human-error/9289816

BBC: Failed satellite programmed with 'wrong co-ordinates'

http://www.bbc.com/news/technology-42502571

 

 --

ISAOs for Connected Medical Devices

(December 28, 2017)

There are Information Sharing and Analysis Organizations (ISAOs) for connected medical devices. One focuses on helping manufacturers build security into devices; another focuses on making information about cyber threat into readable information for health care professionals. ISAOs are modeled in part on ISACs, which are organized around critical infrastructure sectors, but ISAOs "may be organized on the basis of [industry] sector, sub-sector, region, or any other affinity, including in response to particular emerging threats or vulnerabilities."


Read more in:

Nextgov: These LA Startups Are What Stand Between Hackers and Your Medical Devices

http://www.nextgov.com/cybersecurity/2017/12/these-la-startups-are-what-stand-between-hackers-and-your-medical-devices/144757/

 

 --

RootsWeb.com Server Exposed User Data

(December 23 & 28, 2017)

A server hosting Ancestry.com's RootsWeb.com site was found to have leaked information, compromising the email addresses and login credentials of 300,000 users to the free genealogy community site. Of those usernames, 55,000 are also used on the Ancestry.com site; 7,000 of those are current members.  


Read more in:

Ancestry.com: RootsWeb Security Update

https://blogs.ancestry.com/ancestry/2017/12/23/rootsweb-security-update/

The Register: Ancestry.com's RootsWeb forum breached, 300,000 records compromised

https://www.scmagazine.com/ancestrycoms-rootsweb-forum-breached-300000-records-compromised/article/733478/

Dark Reading: Exposed File From Ancestry's RootsWeb.com Contains Data on 300,000 Users

https://www.darkreading.com/perimeter/exposed-file-from-ancestrys-rootswebcom-contains-data-on-300000-users/d/d-id/1330710

Threatpost: Leaky RootsWeb Server Exposes Some Ancestry.com User Data

https://threatpost.com/leaky-rootsweb-server-exposes-some-ancestry-com-user-data/129248/

 

 --

Digmine Bot Spreading Through Facebook Messenger

(December 21 & 27, 2017)

The Digmine cryptocurrency miner has been spreading through desktop Chrome versions of Facebook Messenger. The malicious messages arrive via a messenger bot. Facebook says it has implemented measures to help protect users from Digmine.  


Read more in:

Trend Micro: Digmine Cryptocurrency Miner Spreading via Facebook Messenger

http://blog.trendmicro.com/trendlabs-security-intelligence/digmine-cryptocurrency-miner-spreading-via-facebook-messenger/

eWeek: Digmine Cryptocurrency Miner Spreads via Facebook Messenger

http://www.eweek.com/security/digmine-cryptocurrency-miner-spreads-via-facebook-messenger

 

 --

Microsoft Sues IP Over Pirated Software Activations

(December 22 & 27, 2017)

Microsoft has filed a lawsuit against John Does 1-10 who the company alleges have been using an IP address to activate pirated versions of Windows and Office. The IP address points to a Comcast office in New Jersey, but the John Does do not appear to have been identified. The IP likely belongs to a store that installs pirated software on the devices it sells.     


[Editor Comments]


[Williams] I expect to see more of this in 2018 as Microsoft cracks down on those who are misusing software assurance subscriptions to illegally license products.


Read more in:

Geek Wire: Microsoft just sued an IP address over Windows, Office piracy claims

https://www.geekwire.com/2017/microsoft-just-sued-ip-address-windows-office-piracy-claims/

Softpedia: Microsoft Goes After IP Address Trying to Activate Pirated Windows, Office

http://news.softpedia.com/news/microsoft-goes-after-ip-address-trying-to-activate-pirated-windows-office-519138.shtml

 

 --

Mozilla Fixes Vulnerabilities in Thunderbird

(December 22, 26, & 27, 2017)

Mozilla has released updated its Thunderbird email, news, RSS, and chat client to version 52.5.2. A critical buffer overflow flaw in the ANGLE graphics library affects only users running Thunderbird on Windows systems. The remaining flaws affect the Thunderbird RSS feed and email.


Read more in:

Mozilla: Security vulnerabilities fixed in Thunderbird 52.5.2

https://www.mozilla.org/en-US/security/advisories/mfsa2017-30/

Threatpost: Mozilla Patches Critical Bug in Thunderbird

https://threatpost.com/mozilla-patches-critical-bug-in-thunderbird/129244/

SC Magazine: Mozilla patches one critical, two high flaws in Thunderbird

https://www.scmagazine.com/mozilla-patches-one-critical-two-high-flaws-in-thunderbird/article/720762/

Ars Technica: Using Thunderbird? Update if you haven't already

https://arstechnica.com/information-technology/2017/12/mozilla-squashes-critical-thunderbird-bug/

 

 --

GoAhead Flaw Affects IoT Devices

(December 25, 2017)

A vulnerability in the GoAhead web server package embedded in Internet of Things (IoT) devices can be exploited to remotely execute code. The flaw lies in the GoAhead server's CGI package.


Read more in:

Bleeping Computer: Vulnerability Affects Hundreds of Thousands of IoT Devices

https://www.bleepingcomputer.com/news/security/vulnerability-affects-hundreds-of-thousands-of-iot-devices/

 

 --

Man Sentenced to Prison for Threatening Cyber Attacks Against NC Company

(December 19 & 24, 2017)

A judge in North Carolina has sentenced Todd Michael Gori to just over three years in prison for threatening to launch cyberattacks against a company where he wanted a job. In 2016, Gori sent emails to TSI Healthcare in Chapel Hill, North Carolina, threatening to launch attacks against its systems unless the company fired a certain employee and hired Gori instead. Gori was arrested in August 2017.


Read more in:

Bleeping Computer: Man Threatened Company with Cyber Attack to Fire Employee and Hire Him Instead

https://www.bleepingcomputer.com/news/security/man-threatened-company-with-cyber-attack-to-fire-employee-and-hire-him-instead/

DoJ: Washington Man Sentenced To Federal Prison For Threatening To Damage Computers

https://www.justice.gov/usao-mdnc/pr/washington-man-sentenced-federal-prison-threatening-damage-computers

 

 --

Opera to Introduce Cryptocurrency Mining Blocker

(December 21 & 22, 2017)

A new feature in the Opera desktop browser is designed to prevent cryptocurrency mining. The anti-cryptojacking feature, NOJACK, will debut in Opera v.50, which is currently in beta release.


[Editor Comments]


[Neely] Crypto currency mining is becoming a common threat; expect more software to implement defenses. Apply the same defenses to protect your systems from being hijacked for cryptocurrency mining theft that you do with online banking: secure browser, rigorous patching, single sensitive site at a time, possibly a dedicated system which isn't used for general web surfing or other activities.


[Williams] There's a bigger issue than cryptocurrency mining at play here. We need to ask ourselves if we are okay with running assembly-like language in a JavaScript virtual machine. This technology, WebAssembly, can be used for all sorts of malicious purposes. I was originally worried about attack surface (WebAssembly is relatively complex), but now I see that malicious parties will continue to find malicious uses for the technology. This may simply be a feature that nobody needs and can be done away with.


Read more in:

Opera: Opera 50 Beta RC with Cryptocurrency Mining Protection

https://blogs.opera.com/desktop/2017/12/opera-50-beta-rc-cryptocurrency-mining-protection/

ZDNet: Opera just added a Bitcoin-mining blocker to its browser

http://www.zdnet.com/article/opera-just-added-a-bitcoin-mining-blocker-to-its-browser/

CyberScoop: Opera adds cryptojacking defense to latest desktop browser

https://www.cyberscoop.com/opera-no-coin-cryptojacking-bitcoin-adblock/?category_news=technology

 

******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create