Online Training Special Offer - Get an iPad Mini 4, Samsung Galaxy Tab A, or $250 Off OnDemand and vLive - Ends 9/27!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #24

March 24, 2017

TOP OF THE NEWS


Study: ICS Systems Getting Infected, But Most Not Targeted
Apple Says Flaws Exploited by CIA Tools Contained in New WikiLeaks Dump Are No Longer Active
US Federal Prosecutors Preparing Cases Linking North Korea to Bangladesh Heist
Draft Bill Would Codify US Government's Vulnerabilities Equities Process

THE REST OF THE WEEK'S NEWS


Pew Center Survey Finds Americans Lack Understanding of Cybersecurity Measures
Phony Mobile Base Stations Spreading "Swearing Trojan" in China
Guilty Plea in Citadel Malware Case
Suspect Charged in USD 100m Whaling Scheme
W3C Proposes DRM Web Standard
Google's Android Security 2016 Year in Review Report: Android Security Improving
Google and Jigsaw Are Offering Free Election Cybersecurity Tools

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


*************************** Sponsored By Splunk *******************************

Splunk named a leader in the Forrester Wave(TM): Security Analytics Platforms, Q1 2017
To assess the state of the security analytics (SA) market and see how vendors stack up against each other, Forrester evaluated the strengths and weaknesses of top SA vendors. Register for a complimentary copy to discover why. http://www.sans.org/info/193527
***************************************************************************


TRAINING UPDATE



-- SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017

-- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017

-- SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017

-- SANS Automotive Cybersecurity Summit & Training | Detroit, MI | May 1-8, 2017 | https://www.sans.org/event/automotive-cybersecurity-summit/

-- SANS Security West 2017 | San Diego, CA | May 9-18 |
https://www.sans.org/event/sans-security-west-2017

-- SANS San Francisco Summer 2017 | June 5-10 | https://www.sans.org/event/san-francisco-summer-2017

-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 | https://www.sans.org/event/secure-europe-2017

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 | https://www.sans.org/event/cyber-defence-canberra-2017

-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017

-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017

-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Study: ICS Systems Getting Infected, But Most Not Targeted (March 22, 2017)

According to a study from Dragos, roughly 3,000 industrial sites are infected with opportunistic malware every year, while attacks specifically crafted to target industrial control systems are considerably less common. Dragos found malware pretending to be Siemens software has infiltrated the industrial control systems (ICS) of at least 10 organizations over the last four years. The malware pretends to be software for Siemens programmable logic controllers (PLCs).

[Editor Comments]

[Murray] One would expect perhaps years between the compromise of an ICS and its exploitation. Indeed, such vulnerabilities might be exploited only as part of a coordinated attack. Assuming, identifying and eliminating such compromises must be a continuing effort.

Read more in:

SC Magazine: Study: Infections of industrial systems common, but few are targeted https://www.scmagazine.com/study-infections-of-industrial-systems-common-but-few-are-targeted/article/645906/
The Register: Malware 'disguised as Siemens software drills into 10 industrial plants' http://www.theregister.co.uk/2017/03/22/malware_siemens_plc_firmware/
Dragos: ICS Media Center: Project MIMICS -Stage One https://dragos.com/blog/mimics/

Apple Says Flaws Exploited by CIA Tools Contained in New WikiLeaks Dump Are No Longer Active (March 23, 2017)

WikiLeaks has released documents detailing CIA tools for infecting Apple devices. Apple says that the flaws exploited by the tools have long been patched. The iPhone flaw was fixed in 2009 with the release of the iPhone 3Gs and the Mac flaws were addressed in "all Macs launched after 2013."

[Editor Comments]

[Ullrich] Unlike some of the older "Vault7" releases, these documents appear to be rather old. Some of the Thunderbolt issues have been fixed. As far as the iPhone issues go, the documents only refer to the rather old "iPhone 3G". But in general, any iPhone that can be jail broken can be manipulated by an attacker with physical access to the phone.

[Williams] Several indicators of compromise may still be active so organizations that may have been targeted by the CIA in the past can scan system backups that may still be available for these filenames. A negative result doesn't mean you haven't been targeted, but a positive result clearly does.

Read more in:

The Hill: Apple: Security vulnerabilities revealed by WikiLeaks no longer active http://thehill.com/business-a-lobbying/325579-apple-new-wikileaked-vulnerabilities-no-longer-work
Softpedia: WikiLeaks Vault 7: CIA Infects "Factory Fresh" iPhones http://news.softpedia.com/news/wikileaks-vault-7-cia-infects-factory-fresh-iphones-514212.shtml
Wired: WikiLeaks Reveals How the CIA Can Hack a Mac's Hidden Code https://www.wired.com/2017/03/wikileaks-shows-cia-can-hack-macs-hidden-code/
Ars Technica: New WikiLeaks dump: The CIA built Thunderbolt exploit, implants to target Macs https://arstechnica.com/security/2017/03/new-wikileaks-dump-the-cia-built-thunderbolt-exploit-implants-to-target-macs/
Computerworld: Newly leaked documents show low-level CIA Mac and iPhone hacks http://computerworld.com/article/3184490/security/newly-leaked-documents-show-low-level-cia-mac-and-iphone-hacks.html

US Federal Prosecutors Preparing Cases Linking North Korea to Bangladesh Heist (March 22, 2017)

US federal prosecutors are reportedly building cases that would link North Korea to the USD 81 million Bangladesh bank heist. The charges would target Chinese middlemen who allegedly helped North Korea coordinate the scheme that stole the funds from the Bangladesh bank's account at the Federal Reserve Bank of New York. While the cases may not contain charges against North Koreans, they would likely implicate North Korea.

[Editor Comments]

[Williams] Organizations should be examining their threat models in light of this unprecedented example of a government attacking another nation's banks with the goal of stealing money.

Read more in:

WSJ: U.S. Preparing Cases Linking North Korea to Theft at N.Y. Fed https://www.wsj.com/articles/u-s-preparing-cases-linking-north-korea-to-theft-at-n-y-fed-1490215094

Draft Bill Would Codify US Government's Vulnerabilities Equities Process (March 22, 2017)

US Senators are drafting a bill that would codify the government's practice of deciding if and when to notify software companies of zero-day flaws in their products, known as the vulnerabilities equities process (VEP). An early draft of the bill provides a definition for a software vulnerability and specifies who is on the VEP review board. In a related story, technology companies are calling for increased government transparency in the wake of WikiLeaks' Vault 7 dump of CIA hacking tools.

[Editor Comments]

[Pescatore] To paraphrase an old saying, "There's many a spill twixt the intent and the bill." Government policy across both classified and unclassified agencies on responsible vulnerability reporting is needed. Legislation and a review board seem like a heavy-handed, unworkable process.

Read more in:

CyberScoop: Senators draft bill to turn government's vulnerabilities equities process into law https://www.cyberscoop.com/senators-draft-bill-to-codify-governments-vulnerabilities/
CyberScoop: Government hoarding of software vulnerabilities needs more transparency, tech firms say https://www.cyberscoop.com/government-hoarding-software-vulnerabilities-needs-transparency-tech-firms-say/
*************************** SPONSORED LINKS *****************************
1) What is the State of Your Application Security Program? Begin your journey toward that robust program by taking this interactive quiz to find out what stage youâre in. http://www.sans.org/info/193532
2) The Data Breach Summit Call for Presentations is open! Submit your talk and join us in Chicago: http://www.sans.org/info/193537
3) Don't Miss: Forensic State Analysis: A New Approach to Threat Hunting - with Alyssa Torres. Register: http://www.sans.org/info/193542
******************************************************************************

THE REST OF THE WEEK'S NEWS

Pew Center Survey Finds Americans Lack Understanding of Cybersecurity Measures (March 23, 2017)

According to a survey from the Pew Research Center, most Americans lack a basic understanding of online security measures. While most of the people responding to the survey were able to identify string passwords from a list and knew that public Wi-Fi is not safe, just one-third knew what httpS is and just one-tenth were able to identify two-factor authentication. The survey of 1,055 American adults consisted of a 13 question online quiz. The median score was 5.5.

[Editor Comments]

[Murray] Few understand better than Pew that survey design is difficult. Just for example, I would not expect users to identity httpS but would hope that they could identify it presence or absence.

Read more in:

CyberScoop: Americans ignorant on cybersecurity, Pew poll shows
https://www.cyberscoop.com/cybersecurity-pew-study-2017/?category_news=technology
Nextgov: Most American Internet Users Have No Idea How to Protect Their Accounts http://www.nextgov.com/cybersecurity/2017/03/most-american-internet-users-have-no-idea-how-protect-their-accounts/136399/?oref=ng-channeltopstory
Pew Research Center: What the Public Knows About Cybersecurity http://www.pewinternet.org/2017/03/22/what-the-public-knows-about-cybersecurity/

Phony Mobile Base Stations Spreading "Swearing Trojan" in China (March 22 & 23, 2017)

Phony mobile base stations in China are being used to spread Android malware known as the swearing Trojan. The malware spreads through text messages. The malware's authors are already under arrest, but the phony base stations are a new vector of attack. The malicious messages appear to come from legitimate carriers. Once a device is infected, the malware steals two-factor authentication bank account codes.

[Editor Comments]

[Ullrich] It has gotten much easier and cheaper to create fake mobile base stations. Like so many exploits, something that used to be the domain of nation states has now trickled down to cyber criminals and will soon become common knowledge like Wi-Fi "war driving". However, it is still surprising that these fake base stations achieved sufficient coverage to become significant infection vectors, and it will have to be seen how many victims were reached that way.

[Murray] Until now these attacks have been limited to the authorities. However, it was only a matter of time until the cost fell. The fundamental vulnerability is weak authentication of base stations by handsets, a difficult problem to fix. Application security on the mobile must be resistant to replay attacks. Even these may rely upon strong process-to-process isolation in the device.

[Northcutt] This is currently limited to Asia, but it is a big concern. In the USA they have been running "stingray" fake wireless for years. Now criminals have picked up on the technique. It would be wisest to avoid cell phone payment systems until they develop end to end encryption and authentication. https://www.aclu.org/map/stingray-tracking-devices-whos-got-them

Read more in:

Wired: Fake mobile base stations spreading malware in China http://www.theregister.co.uk/2017/03/23/fake_base_stations_spreading_malware_in_china/
CNET: Chinese Trojan detected spreading through fake base stationshttps://www.cnet.com/news/chinese-trojan-detected-spreading-through-fake-base-stations/

Guilty Plea in Citadel Malware Case (March 22 & 23, 2017)

Mark Vartanyan has pleaded guilty to computer fraud for his role in the creation of banking Trojan known as Citadel. The malware has been used to steal more than USD 500 million from bank accounts worldwide. Prosecutors estimate that Citadel infected more than 1 million computers. Vartanyan faces up to 10 years in prison and a fine of up to USD 250,000 when he is sentenced in June.

Read more in:

The Register: Russian mastermind of $500m bank-raiding Citadel coughs to crimes http://www.theregister.co.uk/2017/03/22/russian_citadel_malware_pleads_guilty/
BBC: Russian man pleads guilty over $500m malware scam http://www.bbc.com/news/technology-39364968
Reg Media: Guilty Plea and Plea Agreement (PDF) https://regmedia.co.uk/2017/03/22/plea.pdf

Suspect Charged in USD 100m Whaling Scheme (March 21, 22 & 23, 2017)

US federal authorities have charged Evaldas Rimasauskas with defrauding two US companies of more than USD 100 million in whaling attacks. Whaling involves tricking companies' financial controllers into sending funds to bank accounts set up for the purpose of the thefts. Authorities in Lithuania arrested Rimasauskas was arrested last week. The US Department of Justice (DoJ) has not commented on extradition plans; a trial date has not been set.

Read more in:

eWeek: Hacker Accused of Carrying Out Business Email Scam Netting $100M http://www.eweek.com/security/hacker-accused-of-carrying-out-business-email-scam-netting-100m
The Register: Bloke, 48, accused of whaling two US tech leviathans out of $100m http://www.theregister.co.uk/2017/03/22/man_charged_for_stealing_100m_from_unnamed_usbased_multinational_internet_companies/
SC Magazine UK: Lithuanian arrested in $100 million multinational BEC whaling fraud https://www.scmagazineuk.com/lithuanian-arrested-in-100-million-multinational-bec-whaling-fraud/article/645989/
BBC: Two major US technology firms 'tricked out of $100m' http://www.bbc.com/news/technology-39351215
US DoJ: Lithuanian Man Arrested For Theft Of Over $100 Million In Fraudulent Email Compromise Scheme Against Multinational Internet Companies https://www.justice.gov/usao-sdny/pr/lithuanian-man-arrested-theft-over-100-million-fraudulent-email-compromise-scheme

W3C Proposes DRM Web Standard (March 22, 2017)

The World Wide Web Consortium (W3C) has published Encrypted Media Extensions (EME) as a proposed recommendation for a new digital rights management (DRM) web standard. Official adoption depends on a vote of W3C members.

[Editor Comments]

[Pescatore] Most countries went through the "Content wants to be free/Content costs money to create and distribute and needs to be paid for" debate as satellite TV and cable TV grew more ubiquitous and subscriptions were the revenue source vs. the broadcast TV advertising model. In the US, in 2012 the FCC allowed cable TV providers to implement encryption; I think most countries went the same way. Encryption of content on the Internet is long overdue and interoperable standards are needed. Language to avoid DMCA-like attempts to penalize legitimate investigation of security protocols seems feasible.

Read more in:

The Register: It's happening! It's happening! W3C erects DRM as web standard http://www.theregister.co.uk/2017/03/22/w3c_drm_web_standard/
W3C: Encrypted Media extensions is a W3C Proposed Recommendation http://lists.w3.org/Archives/Public/public-html-media/2017Mar/0016.html

Google's Android Security 2016 Year in Review Report: Android Security Improving (March 22, 2017)

According to Google's Android Security 2016 Year in Review, half of Android devices received security updates in 2016. While 50 percent seems quite low, it is actually a marked increase over 2015's figures. The report notes, "Several manufacturers, including Samsung, LG and OnePlus, regularly deliver security updates to flagship devices on the same day as Google's updates to Nexus and Pixel devices." The report also discusses diminishing instances of malware in the Google Play store, improved device encryption, and an increase in reported vulnerabilities through the bug bounty program.

[Editor Comments]

[Pescatore] Two points: (1) the Android patch rate issue is a microcosm for that problem in the overall Internet of Things. The IoT world will always be heterogeneous and fragmented and look more like Google/Android and less like Apple/iOS. (2) Only .05% of Android phones using the Google Play app store had malware on them, down from .15% at the end of 2015.

[Murray] It is still not for use by the young, the elderly, or the otherwise naive.

Read more in:

Wired: Good News: Android's Huge Security Problem is Getting Less Huge https://www.wired.com/2017/03/good-news-androids-huge-security-problem-getting-less-huge/
Google: Android Security 2016 Year In Review (PDF) https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2016_Report_Final.pdf

Google and Jigsaw Are Offering Free Election Cybersecurity Tools (March 21, 2017)

Google and Jigsaw, both part of the Alphabet family, have developed a package of tools to help organizations facilitating elections protect themselves from digital threats. The "Protect Your Election" suite of tools includes two-factor authentication, the Password Alert Chrome extension, and access to Project Shield, which offers free DDoS defense to independent news site and human rights groups.

Read more in:

Wired: A Cybersecurity Arsenal That'll Help 'Protect Your Election' https://www.wired.com/2017/03/cybersecurity-arsenal-thatll-help-protect-election/
ZDNet: Google, sister company Jigsaw offer cybersecurity to election groups http://www.zdnet.com/article/google-sister-company-jigsaw-offer-cybersecurity-to-election-groups/
CNET: Google, Jigsaw seek to stop election hackshttps://www.cnet.com/news/alphabets-google-jigsaw-want-to-protect-elections-from-hacks/
CyberScoop: Google will provide free cybersecurity tools for election organizers in Europe https://www.cyberscoop.com/google-will-provide-free-cybersecurity-tools-election-organizers-europe/?category_news=technology

INTERNET STORM CENTER TECH CORNER

Password Encrypted Word File Delivers Malware

https://isc.sans.edu/forums/diary/Malspam+with+passwordprotected+Word+documents/22203/

Critical LastPass Vulnerability

https://bugs.chromium.org/p/project-zero/issues/detail?id=1209

Nest Camera Bluetooth Vulnerability

https://github.com/jasondoyle/Google-Nest-Cam-Bug-Disclosures/blob/master/README.md

Criminals Threaten to Erase Millions of iCloud Connected Apple devices

https://motherboard.vice.com/en_us/article/hackers-we-will-remotely-wipe-iphones-unless-apple-pays-ransom?utm_source=vicefbus

Siemens Control Systems Affected by Fake Firmware

https://dragos.com/blog/mimics/

GitHub Used for C&C

http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/

Adium IM Vulnerable to Older libpurple Issue

http://seclists.org/fulldisclosure/2017/Mar/57

"Swearing Trojan" Uses Fake BTSs To Spread Malware

http://blog.checkpoint.com/2017/03/21/swearing-trojan-continues-rage-even-authors-arrest/

Lastpass Updates ClickJacking Exploit (Again)

https://bugs.chromium.org/p/project-zero/issues/detail?id=1188&desc=2

Application Verifier "Bug"

https://github.com/ionescu007/HookingNirvana/blob/master/Esoteric%20Hooks.pdf

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create