SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #28
April 7, 2017
TOP OF THE NEWS
DHS, FBI Differ on When to Tell Victims They've Been Hacked
Attackers Took Control of Entire On-Line Operation of Brazilian Bank
Broadcom Chip Flaw Affects Android, iOS Devices
THE REST OF THE WEEK'S NEWS
Attackers Exploiting Struts2 Vulnerability to Distribute Cerber Ransomware
China's APT10 the Focus of Two Reports
Pegasus Spyware Variant Chrysaor Affects Android
RCMP Acknowledges Use of IMSIs
Xen Hypervisor Vulnerability
CERT Warns of Vulnerabilities in Java AMF3 Implementations
State of Georgia (US) Adopting HTTPS for Government Websites
NIST Extends Comment Period for Digital Identity Guidelines Parent Volume
INTERNET STORM CENTER TECH CORNER
TOP OF THE NEWS
DHS, FBI Differ on When to Tell Victims They've Been Hacked (April 6, 2017)
Because of their differing operational goals, the US Department of Homeland Security (DHS) and the FBI do not always agree on when to inform victims of cyberattacks. DHS's National Cybersecurity and Communications Integration Center's focus is on "asset response [and] threat mitigation," while the FBI aims to catch the criminal and gather admissible evidence for prosecution. The two entities find ways to work together in the best interest of security.
[Pescatore] The FBI's official mission statement lists *protecting* the US against terrorists, foreign espionage and cybercrime as its top 3 priorities. Investigations and prosecution are theoretically lower down in the priority list. There will always be that tension or difference in goals between intelligence (watch the bad guys) and defense (avoid or stop the bad guys) but the defense part has been getting short-changed.
[Northcutt] The question of "contain and clean" or "watch and learn" has been part of incident response for over 25 years. Generally, the choice should be made in advance as part of the organization's incident response plan. The FBI and DHS are not beholden to an organization's incident response plan, but they have leverage only when they have more knowledge about an intrusion than the organization has. Interestingly, on the "watch and learn" side of things, there are a number of startups with next-generation versions of the Fred Cohen DTK.
[Honan] From my experience with IRISSCERT I can attest that victim notification is a proverbial minefield and needs to be approached with careful consideration. Once you decide when to notify the victim, you have the added challenge of deciding the best means of communicating to the victims so that the message is delivered in a way that it will be actioned, while also ensuring it is not exploited by criminals by phishing or other means.
Read more in:
CyberScoop: Friction by design: FBI, DHS disagree on when to tell victims they've been hacked https://www.cyberscoop.com/friction-design-fbi-dhs-disagree-tell-victims-theyve-hacked/
Attackers Took Control of Entire On-Line Operation of Brazilian Bank (April 4 & 5, 2017)
At the Security Analyst Summit, researchers from Kaspersky Lab presented their findings of an incident in which attackers took control of a Brazilian bank's DNS infrastructure to steal information from customers and infect their computers with malware. The hackers were able to transfer all the bank's domains to websites they controlled.
[Williams] This reminds me of the Poisoned Hurricane attacks on Hurricane Electric some years ago (though different in scale) (link: https://www.fireeye.com/blog/threat-research/2014/08/operation-poisoned-hurricane.html). DNS is an oft-neglected area of infrastructure, at least from a security perspective. DNSSEC cannot fix this problem. DNSSEC is simply not widely implemented enough for a client machine to refuse to recognize a DNS response if it is not signed.
Read more in:
Threatpost: Lessons From Top-to-Bottom Compromise of Brazilian Bank https://threatpost.com/lessons-from-top-to-bottom-compromise-of-brazilian-bank/124770/
Wired: How Hackers Hijacked a Bank's Entire Online Operation https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/
The Register: Brazilians whacked: Crooks hijack bank's DNS to fleece victims http://www.theregister.co.uk/2017/04/05/hackers_take_over_banks_dns_system/
SC Magazine: Brazilian bank hacked, loses control of its online presence https://www.scmagazine.com/brazilian-bank-hacked-loses-control-of-its-online-presense/article/648773/
Broadcom Chip Flaw Affects Android, iOS Devices (April 5, 2017)
A variety of Android handsets are vulnerable to hijacking due to a flaw in a Broadcom Wi-Fi chipset. Attackers could use maliciously altered Wi-Fi signals to cause a stack overflow. The chipset is also used in iOS devices; the issue was fixed in iOS 10.3.1, which was released earlier this week. Google plans to fix the issue in its April Android update.
[Neely] System On a Chip components raise the complexity of securing the devices that contain them. This is being rated as a critical vulnerability because an exploit could allow remote code execution within the context of the Wi-Fi SoC. Google has not made a fix publicly available yet; it is being tracked as CVE-2017-0561 and is contained in the latest binary drivers for Nexus devices on the Google Developer Site. When the update is published, expect updates for other device manufacturers such as Samsung to be available within a couple of weeks. Apply the patches to your devices as soon as they are released. The Apple and Google updates address the vulnerability at the OS level without patching the Broadcom firmware. Because exploiting this vulnerability requires a crafted access point, and no public exploit has surfaced yet, the current risk of exploit is low. The published mitigation for an unpatched device is disabling Wi-Fi, which is not very practical. Gal Beniamini, Project Zero, released an in-depth article about gaining remote code execution on Broadcom SOCs over Wi-Fi with no user interaction required: https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
Read more in:
Ars Technica: Android devices can be fatally attacked by malicious Wi-Fi networks https://arstechnica.com/security/2017/04/wide-range-of-android-phones-vulnerable-to-device-hijacks-over-wi-fi/
THE REST OF THE WEEK'S NEWS
Amnesia Botnet (April 6, 2017)
A botnet that has been nicknamed Amnesia is targeting DVRs with malware to enlist their resources in launching attacks. Amnesia is a variant of the Tsunami botnet, which targets Linux IoT devices. Amnesia exploits a known, unpatched vulnerability that affects more than 200,000 devices.
Read more in:
Palo Alto: New IoT/Linux Malware Targets DVRs, Forms Botnet http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
SC Magazine: Amnesia botnet targeting DVRs, Palo Alto report https://www.scmagazine.com/amnesia-botnet-targeting-dvrs-palo-alto-report/article/649070/
Attackers Exploiting Struts2 Vulnerability to Distribute Cerber Ransomware (April 6, 2017)
Attackers are actively exploiting a known flaw in Apache Struts2 to infect servers with Cerber ransomware. The flaw resides in the Jakarta Multipart parser; the issue was fixed in Struts versions 2.3.32 and 184.108.40.206, which were released a month ago.
Read more in:
ISC: Java Struts2 Vulnerability Used to Install Cerber Crypto Ransomware https://isc.sans.edu/forums/diary/Java+Struts2+Vulnerability+Used+To+Install+Cerber+Crypto+Ransomware/22264/
Computerworld: Apache Struts 2 exploit allows ransomware on servers http://computerworld.com/article/3188042/security/apache-struts-2-exploit-allows-ransomware-on-servers.html
China's APT10 the Focus of Two Reports (April 4 & 6, 2017)
Operation Cloud Hopper is believed to be "one of the largest ever sustained global cyber espionage campaigns." Orchestrated by a group known as APT10, the campaign targeted managed IT service providers to get to companies. According to a report from Fidelis, APT10 also infiltrated the website of the National Foreign Trade Council.
Read more in:
SC Magazine: APT 10's Cloud Hopper campaign exposed https://www.scmagazine.com/report-exposes-apt-10s-cloud-hopper-campaign/article/648775/
SC Magazine: PwC and BAE Systems Report: Operation Cloud Hopper https://media.scmagazine.com/documents/292/cloud-hopper-report-final-upda_72977.pdf
PwC: Uncovering a new sustained global cyber espionage campaign https://www.pwc.co.uk/issues/cyber-security-data-privacy/insights/operation-cloud-hopper.html
Fidelis: Operation TradeSecret: Cyber Espionage at the Heart of Global Trade https://www.fidelissecurity.com/TradeSecret
Computerworld: U.S. trade lobbying group attacked by suspected Chinese hackers http://computerworld.com/article/3188231/security/us-trade-lobbying-group-attacked-by-suspected-chinese-hackers.html
CyberScoop: Chinese hacking unit spied on U.S. trade group ahead of Trump meeting, security firm claims https://www.cyberscoop.com/chinese-hacking-unit-spied-u-s-trade-groups-ahead-trump-meeting-security-firm-claims/?category_news=technology
The Hill: China-linked espionage campaign targets major trade group http://thehill.com/policy/cybersecurity/327567-chinese-espionage-campaign-targets-major-trade-advocacy-group
eWeek: Chinese Nation-State Hackers Target U.S in Operation TradeSecret http://www.eweek.com/security/chinese-nation-state-hackers-target-u.s-in-operation-tradesecret
ZDNet: Elite Chinese hackers target board directors at some of the world's largest firms http://www.zdnet.com/article/elite-chinese-hackers-target-board-directors-at-some-of-the-worlds-largest-firms/
ZDNet: Advanced Chinese hacking campaign infiltrates IT service providers across the globe http://www.zdnet.com/article/advanced-chinese-hacking-campaign-infiltrates-managed-it-service-providers-across-the-globe/
Pegasus Spyware Variant Chrysaor Affects Android (April 3 & 6, 2017)
Spyware known as Pegasus, which was detected last year targeting iOS devices, now has a variant that targets Android devices, according to Google and security company Lookout. Pegasus was being used to spy on human rights activists and journalists around the world. The Android variant, which Google has named Chrysaor (Pegasus's brother in Greek mythology), can log keystrokes, take screenshots, and read messages in various applications. It uses the device's microphone and camera to spy on the target. Chrysaor can also remove itself from the device.
Read more in:
Wired: Total-Takeover iPhone Spyware Lurks on Android, Too https://www.wired.com/2017/04/total-takeover-iphone-spyware-lurks-android/
DarkReading: Pegasus For Android Spyware Just As Lethal As iOS Version http://www.darkreading.com/mobile/pegasus-for-android-spyware-just-as-lethal-as-ios-version/d/d-id/1328574?
Google: An Investigation of Chrysaor Malware in Android https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html
RCMP Acknowledges Use of IMSIs (April 6, 2017)
The Royal Canadian Mounted Police (RCMP) has acknowledged that it has used IMSI-catchers, also known as Stingrays or cell-site simulators, in its investigations. RCMP held a briefing to clarify that it does use the technology in the wake of CBC reports that IMSI catchers may have been used near government buildings in Ottawa. Canada's Public Safety Minister said that the devices detected did not belong to Canadian law enforcement or intelligence.
Read more in:
The Register: Sorry eh? Canadian mounties own up: Yes, we own 10 IMSI-catchers http://www.theregister.co.uk/2017/04/05/mounties_own_up_to_owning_imsicatchers/
CBC: RCMP reveals use of secretive cellphone surveillance technology for the first time http://www.cbc.ca/news/technology/rcmp-surveillance-imsi-catcher-mdi-stingray-cellphone-1.4056750
Xen Hypervisor Vulnerability (March 5, 2017)
A critical flaw in the Xen hypervisor could allow attackers to obtain access to a vulnerable system's memory. The issue is due to "an insufficient check on XENMEM_exchange Input" which could be exploited to break out of a guest operating system inside a virtual machine. This is especially concerning in data centers where customers' virtualized servers share hardware. The issue was inadvertently introduced in a December 2012 fix for a different flaw. The Xen project has released a patch to fix the flaw, which affects only x86 systems.
[Williams] Two points: First is the obligatory note about the inherent dangers of shared tenant virtualization. Multi-tenant attacks should be part of your threat model. Second, this does not work on x64 systems. If you're an x86 holdout, you will likely gain some immunity from future attacks just by moving to an x64 architecture.
Read more in:
Computerworld: Critical Xen hypervisor flaw endangers virtualized environments http://computerworld.com/article/3187945/security/critical-xen-hypervisor-flaw-endangers-virtualized-environments.html
Xen: Broken check in memory_exchange () permits PV guest breakout https://xenbits.xen.org/xsa/advisory-212.html
CERT Warns of Vulnerabilities in Java AMF3 Implementations (April 5, 2017)
An advisory from CERT urges users running certain Java implementations of AMF3 to upgrade as soon as possible to fix three vulnerabilities. Two of the flaws - Deserialization of Untrusted Data and Improper Control of Dynamically-Managed Code Resources - could be exploited to allow arbitrary code execution. The third flaw - Improper Restriction of XML External Entity reference (XXE) - could be exploited to access sensitive data, cause denial-of-service conditions, or allow server-side request forgery.
Read more in:
SC Magazine: Patches issued for Java flaws https://www.scmagazine.com/patches-issued-for-java-flaws/article/648753/
CERT: Vulnerability Note VU#307983: AMF Java implementations are vulnerable... https://www.kb.cert.org/vuls/id/307983
State of Georgia (US) Adopting HTTPS for Government Websites (April 5, 2017)
The US state of Georgia is migrating all its public-facing government websites to HTTPS. GeorgiaGov Interactive expects the change to be complete by the end of April. The migration follows the lead of the federal government's HTTPS-Only standard.
Read more in:
GCN: Georgia gets serious about HTTPS https://gcn.com/articles/2017/04/05/georgia-https.aspx?admgarea=TC_SecCybersSec
Georgia.gov: We're Adding More Security to Your Sites with HTTPS http://portal.georgia.gov/interactive/blog/2017-04-04/we%E2%80%99re-adding-more-security-your-sites-https
CIO: The HTTPS-Only Standard https://https.cio.gov/
NIST Extends Comment Period for Digital Identity Guidelines Parent Volume (April 5, 2017)
The US National Institute of Standards and Technology (NIST) has extended by one month the deadline for public comment on part of its digital identity guidelines. Initially, comments were due by March 31, 2017, but the deadline has been extended to May 1, 2017 for the parent volume, SP 800-63-3, because of changes made to risk management and mitigation issues.
Read more in:
GCN: NIST extends comment period for digital identity guidelines https://gcn.com/articles/2017/04/05/nistdigital-identity-guidelines.aspx?admgarea=TC_SecCybersSec
NIST: A minor plot twist: Comment period extended for PART of SP 800-63-3 http://trustedidentities.blogs.govdelivery.com/2017/03/31/a-minor-plot-twist-comment-period-extended-for-part-of-sp-800-63-3/
INTERNET STORM CENTER TECH CORNER
Exploiting Broadcom's Wi-Fi Stack https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
Covert Channel Between Virtual Machines Via CPU Cache https://cmaurice.fr/pdf/ndss17_maurice.pdf
40 Vulnerabilities in Samsung Tizen https://motherboard.vice.com/en_us/article/samsung-tizen-operating-system-bugs-vulnerabilities
Whitelists: The Holy Grail of Attackers https://isc.sans.edu/forums/diary/Whitelists+The+Holy+Grail+of+Attackers/22262/
Java Struts2 Vulnerability Used to Install Ransomware https://isc.sans.edu/forums/diary/Java+Struts2+Vulnerability+Used+To+Install+Cerber+Crypto+Ransomware/22264/
Brazilian Bank Loses Control Over Domains https://threatpost.com/lessons-from-top-to-bottom-compromise-of-brazilian-bank/124770/
Google Android April Patch Day https://source.android.com/security/bulletin/2017-04-01#security-vulnerability-summary
Radware Observes "BrickerBot" Destroying Devices https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/
Struts2 Vulnerability Webcast https://www.sans.org/webcasts/struts-shock-current-attacks-struts2-defend-104787
Automatically Inferring Malware Signatures for Anti-Virus Assisted Attacks https://www.sec.cs.tu-bs.de/pubs/2017-asiaccs.pdf
Cisco Aironet Default Credentials https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170405-ame
Intercepting Two-Factor Authentication https://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass/
QNAP NAS Vulnerabilities https://sintonen.fi/advisories/qnap-qts-multiple-rce-vulnerabilities.txt
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board