Online Training Special Offer - Get an iPad Mini 4, Samsung Galaxy Tab A, or $250 Off OnDemand and vLive - Ends 9/27!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #34

April 28, 2017

TOP OF THE NEWS


Microsoft Word Bug Patched Two Weeks Ago Has Been Exploited for Months
Verizon and Symantec Reports Say Ransomware is on the Rise
IoT, Automation, Autonomy, and Megacities in 2025

THE REST OF THE WEEK'S NEWS


TalkTalk Hack Guilty Pleas
Felismus Remote Access Trojan is Stealthy, Sophisticated, and a Bit of a Mystery
Hajime Infections Now Number 300,000; Its Purpose Remains a Mystery
ColdFusion Hotfixes
US Air Force Bug Bounty Program
Chipotle Payment Card Data Breach
Titanium Stresser Author Sentenced
EFF Files Petition for Writ of Mandamus in Megaupload Case
Hyundai Patches Mobile App

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Cisco Systems ******************

It is no longer a matter of if, but when, attackers will break into your network. Today's enterprises need a well-established plan for responding to security incidents quickly and effectively. Download our white paper to learn about the people, processes, and technologies needed to build a strong incident response strategy and avoid damaging data breaches. http://www.sans.org/info/194520 ***************************************************************************
TRAINING UPDATE

-- SANS Security West 2017 | San Diego, CA | May 9-18 |
http://www.sans.org/u/qO8

-- SANS San Francisco Summer 2017 | June 5-10 |
http://www.sans.org/u/qE8

-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 |
Build more effective security operations. Two days of in-depth Summit talks, 5 SANS courses, exclusive networking opportunities, & more!
http://www.sans.org/u/qof

-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 |
http://www.sans.org/u/qqA

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 |
http://www.sans.org/u/qqF

-- SANS London July 2017 | July 3-8 |
http://www.sans.org/u/pSD

-- SANS Cyber Defence Singapore | July 10-15 |
http://www.sans.org/u/pSI

-- SANSFIRE 2017 | Washington, DC | July 22-29 |
http://www.sans.org/u/r4U

-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WK) and Evening (vLive - http://www.sans.org/u/WZ) courses available!

-- SANS Online Training: Special Offer! Register by May 10 and receive a new iPad, Samsung Galaxy Tab A or take $350 off your OnDemand or vLive Course!

-- OnDemand http://www.sans.org/u/pS9

-- vLive http://www.sans.org/u/pSj

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X9
Contact mentor@sans.org

-- Looking for training in your own community?
Community - http://www.sans.org/u/Xo

-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/XD

Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN

***************************************************************************

TOP OF THE NEWS

Microsoft Word Bug Patched Two Weeks Ago Has Been Exploited for Months (April 27, 2017)

A vulnerability in Microsoft Word, that was fixed on April 11, has been used in exploits since January 2017. The flaw (CVE-2017-0199) has been used to spy on Russian speakers in an undetermined country, and as a component of an international online bank account theft scheme. Microsoft was notified about the issue in October 2016, but did not patch the issue right away because it did not appear that it was being exploited at the time and the company wanted to be sure that the fix it released would be comprehensive. The flaw was also exploited after April 11 to target employees at Ben-Gurion University in Israel.

[Editor Comments]

[Pescatore] For many, many years, Microsoft made technical decisions about the Office Suite and the Windows operating system that were driven by the business side of the company to grow or maintain market share and profit. The level of integration between all those components continues to make patching major vulnerabilities much more complex, resulting in slower patching or problematic rapid patches. Those problems will remain, even though Microsoft has placed more emphasis on security. Desktops running Windows and Office really should have standard configuration settings turning on application control and privilege management features to raise barriers to malware being able to successfully exploit Windows vulnerabilities. If you are rolling out Windows 10, great time to do it.

[Williams] I'm all for comprehensive patches, but patching timelines like this make me appreciate the forced disclosure mode of Google Project Zero all the more. When Microsoft says that a vulnerability has not been exploited, what they really mean is they haven't yet seen it exploited in the telemetry they receive from users who choose to share it. Their view is far from complete, especially for targeted attacks.

[Paller] The problem described in this note is systemic and much greater than a single event Microsoft shares patches with certain governments two weeks before the patches are released to the public, allowing the governments to get their systems protected. One of those governments (an Asian nation) has been reported to have used their early knowledge of Microsoft-patched vulnerabilities as two-weeks of free zero-days, every month.

Read more in:

Reuters: Hackers exploited Word flaw for months while Microsoft investigated http://www.reuters.com/article/us-microsoft-cyber-idUSKBN17S32G
Cyberscoop: Iran-linked hackers used Microsoft Word flaw against Israeli targets, security firm says https://www.cyberscoop.com/iranian-hackers-used-a-microsoft-word-flaw-in-a-campaign-against-israeli-targets/?category_news=technology

Verizon and Symantec Reports Say Ransomware is on the Rise (April 27, 2017)

Reports from Verizon and Symantec note a surge in the incidence of ransomware. Symantec's Internet Security Threat Report found that average demand in ransomware tripled in 2016. Verizon's 2017 Data Breach Investigations Report found that ransomware levels in 2016 were up 50 percent over 2015 figures. Verizon also found that the types of attacks targeting organizations vary from sector to sector. "Manufacturing has the lowest median level DDoS level, but the highest level of espionage-related breaches."

[Editor Comments]

[Murray] Verizon has been careful, not to say scrupulous, to try to ensure that users do not draw unwarranted conclusions from its "data breach incident" data. Therefore, the subtle change in the name in 2014 from "incident" to "investigations" is significant. The data does not include all "incidents" but only some "investigated" by those with forensic training, experience, and supervision. Read accordingly. That said, the report is a powerful tool to move security from anecdotal ("seat of the pants") risk management to "data driven."

[Honan] The Data Breach Investigations Report is a great resource for all in information security as it gives a vendor-neutral, fact-based analysis of the threats we face. It is essential reading to counter a lot of the hyperbole we hear from vendors. I encourage everyone to download and read the report, and also to get their organisation to contributeas does the Irish Reporting and Information Security Service (IRISSCERT). The more data we have the better this report will be.

[Neely] The SANS 2016 Threat Landscape survey reported phishing and spearphishing were among the top ways threats enter organizations, which setup a perfect storm for ransomware to blossom. 75% of threats entered via email attachment, 46% malicious link. User education alone is not sufficient. At a corporate level, perimeter protections, including email screening and NGFW can reduce the volume of malware that can trip up an end user. From there, the endpoint needs every advantage to remain secure - behavior based malware detection, whitelisting, access control and appropriate network segmentation.

Read more in:

eWeek: Verizon Data Breach Investigations Report Reveals Ransomware Surge http://www.eweek.com/security/verizon-data-breach-investigations-report-reveals-ransomware-surge
Bloomberg: Cyberattacks Involving Extortion Are on the Up, Verizon Says https://www.bloomberg.com/news/articles/2017-04-27/cyberattacks-involving-extortion-are-on-the-rise-report-shows
CNET: Ransomware became three times as expensive in 2016 https://www.cnet.com/news/ransomware-became-three-times-as-expensive-in-2016/
Dark Reading: Web Attacks Decline, Ransomware Attacks Surge http://www.darkreading.com/endpoint/web-attacks-decline-ransomware-attacks-surge/d/d-id/1328726

IoT, Automation, Autonomy, and Megacities in 2025 (April 26, 2017)

Engineers designing and implementing internet-connected IOT devices face daunting challenges that is creating a discomfort with what they see evolving in their infrastructures. This paper brings their concerns to life by extrapolating from present trends to describe plausible (likely?) future crises playing out in multiple global cities within 10 years. Much of what occurs in the scenarios is fully possible today. Written by Mike Assante and Idaho National Lab's Andy Bochman; published be the Center for Strategic and International Studies. A comment from Mike: "The digitization of the world's structures and systems is a powerful economic force enabling profit from increases in productivity and efficiency. This new wave of economic growth is not the only driver for the digital transformation. Our digital future is not so much a choice as it is a societal necessity. These complex, hyper-connected, and interdependent infrastructures are more intelligent, but they are also more fragile to certain types of assaults. The paper is an attempt to inform current designs and future response and risk planning."

[Editor Comments]

[Paller] Mike and Andy's description of real-world impacts of continuing our current policies and practices in IOT is likely to have the same outsized impact on the dialogue and actions as the seminal 1998 Wired article by Rand's John Arquila projecting what would happen in the "Great Cyber War." [https://www.wired.com/1998/02/cyberwar/]

Read more in:

CSIS: IoT, Automation, Autonomy, and Megacities in 2025
https://www.csis.org/analysis/iot-automation-autonomy-and-megacities-2025
*************************** SPONSORED LINKS *****************************

1) In case you missed it! Embrace mobile devices for employees while protecting them from evolving mobile threats! Register: http://www.sans.org/info/194525
2) Join us for a ground-breaking webinar, Taming the IoT Infestation in your Enterprise. Register: http://www.sans.org/info/194530
3) Discover how Cloudflare can support DNSSEC at its scale with special consideration to key management, new DNSSEC algorithm types and signing on the fly. Register: http://www.sans.org/info/194535
***************************************************************************

THE REST OF THE WEEK'S NEWS

TalkTalk Hack Guilty Pleas (April 27, 2017)

Two people have pleaded guilty in connection with the 2015 theft of TalkTalk customer data. Matthew Hanley pleaded guilty to violation of the Computer Misuse Act and supplying an article for use in fraud. Connor Douglass Allsopp pleaded guilty to supplying an article for use in fraud and supplying an article intended for use in the commission of an offence. Two other people were arrested in connection with the scheme. Hanley and Allsopp will se sentenced on May 31, 2017.

Read more in:

The Register: TalkTalk HackHack DuoDuo PleadPlead GuiltyGuiltyGuiltyGuilty http://www.theregister.co.uk/2017/04/27/talktalk_hack_duo_cop_pleas/

Felismus Remote Access Trojan is Stealthy, Sophisticated, and a Bit of a Mystery (April 27, 2017)

A remote access Trojan (RAT) code named 'Felismus' has self-updating capabilities that can help it fix flaws and change what it looks like in a system to evade detection. Felismus can take complete control of systems it infects. The malware appears to be designed for espionage, but those responsible for its spread remain a mystery. Felismus has not been widely detected in the wild, leading to speculation that it is being used in highly targeted attacks.

[Editor Comments]

[Northcutt] We don't know that much, but we will probably know more soon as a number of security companies are on the case. Currently they believe it may have been running for six months and may be targeting computers in China or Korea, (these were surmised because it evades antivirus common in those countries. The first link is Forcepoint, the company that discovered it, the second is AlienVault one of the security companies involved in trying to learn more about it:
https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware
https://www.alienvault.com/blogs/security-essentials/the-felismus-rat-powerful-threat-mysterious-purpose

Read more in:

ZDNet: Mysterious cat-and-mouse-themed Trojan RAT is potentially dangerous, but its creators and purpose remain unclear http://www.zdnet.com/article/mysterious-cat-and-mouse-themed-trojan-rat-is-potentially-dangerous-but-its-creators-and-purpose/

Hajime Infections Now Number 300,000; Its Purpose Remains a Mystery (April 26 & 27, 2017)

The Hajime Botnet is now estimated to have infected more than 300,000 Internet of Things (IoT) devices. Hajime appears to infect devices to keep them from being infected by Mirai botnet malware. While Hajime currently has no malicious payload and has been touted as vigilante malware that aims to keep devices safe, it could easily be turned into a vector for malicious attacks.

[Editor Comments]

[Murray] We would all like to be judged by the motives that we assert, but we tend to judge others by their behavior.

Read more in:

The Register: Mysterious Hajime botnet has pwned 300,000 IoT devices http://www.theregister.co.uk/2017/04/27/hajime_iot_botnet/
Ars Technica: A vigilante is putting a huge amount of work into infecting IoT devices https://arstechnica.com/security/2017/04/a-vigilante-is-putting-huge-amount-of-work-into-infecting-iot-devices/
ZDNet: A mysterious botnet has hijacked 300,000 devices, but nobody knows why http://www.zdnet.com/article/a-mysterious-botnet-has-hijacked-thousands-of-devices/
BleepingComputer: Security Experts Worry as Hajime Botnet Grows to 300,000 Bots https://www.bleepingcomputer.com/news/security/security-experts-worry-as-hajime-botnet-grows-to-300-000-bots/

ColdFusion Hotfixes (April 25 & 27, 2017)

Adobe has released several hotfixes to address an input validation vulnerability in multiple versions of its ColdFusion web application development platform. The flaw could be exploited to launch reflected cross-site scripting attacks. The hotfixes also include an updated version of Apache BlazeDS to address a java deserialization issue. The ColdFusion flaw affects the 2016 release (Update 3 and earlier), version 11 (Update 11 and earlier), and version 10 (Update 22 and earlier).

Read more in:

SC Magazine: Hot & Cold: Adobe apples hotfixes to ColdFusion to help prevent XSS exploit https://www.scmagazine.com/hot-cold-adobe-apples-hotfixes-to-coldfusion-to-help-prevent-xss-exploit/article/653243/
Adobe: Security Update: Hotfixes available for ColdFusion https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html

US Air Force Bug Bounty Program (April 26, 2017)

The US Air Force (USAF) will launch a bug bounty program later this spring. Registration for the "Hack the Air Force" exercise opens on May 15, and the event runs from May 30 through June 23, 2017. Participation is open to citizens of the US, UK, Canada, Australia, and New Zealand; all participants must be vetted.

[Editor Comments]

[Pescatore] Well managed bug bounty programs, with emphasis on the "well managed" have been very successful in identifying more critical application vulnerabilities and providing better information on how to fix them, compared to traditional approaches. However, "well managed" isn't just choosing a vendor, it means managing the effort from start to finish, where finish is when the vulnerability is fixed or mitigated. By themselves, increased trouble tickets listing vulnerabilities doesn't actually increase security, even if the trouble tickets were created cheaper/faster/better.

Read more in:

DarkReading: USAF Launches 'Hack the Air Force' http://www.darkreading.com/vulnerabilities---threats/usaf-launches-hack-the-air-force-/d/d-id/1328736?
FNR: In DoD first, Air Force launches bug bounty open to foreign hackers https://federalnewsradio.com/air-force/2017/04/in-dod-first-air-force-launches-bug-bounty-open-to-foreign-hackers/
Threatpost: Air Force Hopes to Attract Hackers With Bug Bounty Program https://threatpost.com/air-force-hopes-to-attract-hackers-with-bug-bounty-program/125235/
FCW: Air Force invites hackers to a friendly dogfight https://fcw.com/articles/2017/04/26/usaf-bug-bounty-carberry.aspx

Chipotle Payment Card Data Breach (April 26, 2017)

Chipotle has issued a statement saying that it detected unauthorized activity on its payment card system earlier this year. Chipotle has enlisted the help of cyber security firms, law enforcement, and its payment processor in its investigation. The system appears to have been infected from March 24 through April 18, 2017.

Read more in:

The Register: Chipotle may have banished E coli, but now it has a new infection http://www.theregister.co.uk/2017/04/26/chipotle_malware_infection/
The Hill: Chipotle investigating breach of payment system http://thehill.com/policy/cybersecurity/330634-chipotle-investigating-breach-of-payment-system
Chipotle: Notice of Data Security Incident http://chipotle.com/security

Titanium Stresser Author Sentenced (April 25, 2017)

Adam Mudd, the man who created and sold the Titanium Stresser malware when he was 15, has been sentenced to two years in a young offenders institution. Last October, Mudd pleaded guilty to violating the Computer Misuse Act and concealing criminal property.

Read more in:

KrebsOnSecurity: UK Man Gets Two Years in Jail for Running 'Titanium Stresser' Attack-for-Hire Servicehttps://krebsonsecurity.com/2017/04/uk-man-gets-two-years-in-jail-for-running-titanium-stresser-attack-for-hire-service/
The Register: Brit behind Titanium Stresser DDoS malware sent to chokey http://www.theregister.co.uk/2017/04/25/british_malware_author_2_years_jail_titanium_stresser/

EFF Files Petition for Writ of Mandamus in Megaupload Case (April 25, 2017)

Five years after they were seized by authorities, more than 1,000 servers containing Megaupload data remain powered down and in storage. Megaupload customers whose data are on the servers have not been able to access their content, but not for lack of trying. Two months after the servers were seized, the Electronic Frontier Foundation (EFF) filed a legal motion to regain access to data belonging to an Ohio man (Goodwin) whose hard drive had crashed just days before. Earlier this week, the EFF filed a petition for a writ of mandamus with the US Court of Appels for the 4th Circuit to force the lower court, which has not taken action in the case, to rule on submitted motions.

Read more in:

Ars Technica: Five years later, legal Megaupload data is still trapped on dead servershttps://arstechnica.com/tech-policy/2017/04/eff-heads-to-appeals-court-demanding-judge-take-action-on-megaupload-user-data/
EFF: Petition for Writ of Mandamus (PDF) https://www.eff.org/files/2017/04/24/megamandamus_petition_as_filed_.pdf

Hyundai Patches Mobile App (April 25 & 26, 2017)

In March, carmaker Hyundai released version 3.9.6 of its Blue Link mobile app to fix a pair of vulnerabilities. Car owners can use the app perform various tasks, including locking and unlocking their vehicles, starting their vehicles remotely, receiving service alerts and other The flaws exist in Hyundai's Blue Link versions 3.9.4 and 3.9.5. One of the flaws involves a failure to verify communications channel endpoints, which could be exploited to launch man-in-the-middle attacks/ The second flaw involves a hard-coded decryption password.

Read more in:

Threatpost: Hyundai Patches Leaky Blue Link Mobile App https://threatpost.com/hyundai-patches-leaky-blue-link-mobile-app/125182/
eWeek: Hyundai Mobile App Patched for Car Hacking Vulnerabilities http://www.eweek.com/security/hyundai-mobile-app-patched-for-car-hacking-vulnerabilities

INTERNET STORM CENTER TECH CORNER

CAA Records and Certificate Issuance

https://isc.sans.edu/forums/diary/CAA+Records+and+Certificate+Issuance/22342/

Hyundai Blue Link Information Disclosure

https://community.rapid7.com/community/infosec/blog/2017/04/25/r7-2017-02-hyundai-blue-link-potential-info-disclosure-fixed

HP, Philips, Fujitsu Display Software Privilege Escalation

http://blog.sec-consult.com/2017/04/what-unites-hp-philips-and-fujitsu-one.html

Bots Disrupts US ISP

https://www.bleepingcomputer.com/news/security/us-isp-goes-down-as-two-malware-families-go-to-war-over-its-modems/

Samsung Smart TV Wi-Fi Direct Exploit

http://seclists.org/fulldisclosure/2017/Apr/101

Adobe Publishes ColdFusion Update

https://helpx.adobe.com/security/products/coldfusion/apsb17-14.html

SNMP Misconfiguration Eliminates Community String Validation

https://stringbleed.github.io/#

VISA IP Block Hijacked By Russian ISP

https://isc.sans.edu/forums/diary/BGP+Hijacking+The+Internet+is+StillAgain+Broken/22350/

Antminer "Checking" DoS Vulnerability

http://www.antbleed.com

Symantec Offers Audits To Stave Off Google's CA Blacklisting

https://www.symantec.com/connect/blogs/symantec-ca-proposal

Security Review of nomx e-mail Appliance

https://scotthelme.co.uk/nomx-the-worlds-most-secure-communications-protocol/

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create