
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #37

May 9, 2017

Roger Grimes just finished his new book. It's a fun and useful read for anyone interested in how the cybersecurity field developed, including insightful profiles of 26 pioneers. Stephen Northcutt (whose profile will give you a rare picture of how SANS evolved) and Lance Spitzner are among them. It's called Hacking the Hacker.



Microsoft: Attackers Used Software Updater to Infect Computers
Microsoft Releases Emergency Patch for Critical Flaw in Microsoft Malware Protection Engine
FBI Says 5 Billion USD Lost to Business eMail Compromise
Intel Chip Flaw is Worse Than First Thought


Google Tightening OAuth Rules
HandBrake App Site Used to Spread Mac Malware
Netrepser Espionage Group Uses Free, Legitimate Tools to Infect Targets
Police May Have Been Less Than Forthcoming to Judge About Stingray Use
Legislators Urge OPM to be Flexible in Cybersecurity Hiring
Lieu Renews Call for SS7 Fix
DoJ Expanding Investigation of Uber's Use of Greyball Tool
Sabre Hires Mandiant to Investigate Breach



*************************** Sponsored By Sophos Inc. ********************

WEBINAR: The Fight Against Ransomware - From ransomware to rootkits, old school security cannot keep pace with today's advanced attacks. Join us for a live webcast every Wednesday at 2pm ET to learn how to get innovative next-gen protection without impacting performance. Register Today:


-- SANS San Francisco Summer 2017 | June 5-10 |

-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 |
Build more effective security operations. Two days of in-depth Summit talks, 5 SANS courses, exclusive networking opportunities, & more!

-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 |

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 |

-- SANS London July 2017 | July 3-8 |

-- SANS Cyber Defence Singapore | July 10-15 |

-- SANSFIRE 2017 | Washington, DC | July 22-29 |

-- SANS Network Security | Las Vegas, NV | September 10-17 |

-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast) and Evening (vLive) courses available!

-- SANS Online Training: Special Offer! Register by May 10 and receive a new iPad, Samsung Galaxy Tab A or take $350 off your OnDemand or vLive Course!

-- OnDemand

-- vLive

-- Multi-week Live SANS training
Mentor

-- Looking for training in your own community?
Community

-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more:

Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live:



Microsoft: Attackers Used Software Updater to Infect Computers (May 5, 2017)

Microsoft detected a cyberattack campaign that used third-party editing software tools to infect systems at "several high-profile technology and financial organizations." By injecting code into the tools' updating mechanisms, the attackers were able to surreptitiously place malware on their targets' computers. Microsoft is urging software vendors to take steps to protect their updaters.

[Editor Comments]

[Williams] Perimeter security simply won't stop malware deployed through malicious updates. Organizations need good internal monitoring of endpoints and network traffic as well as effective verification of software supply chain security for the software and hardware your organization uses.

Read more in:

Microsoft: Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack
Cyberscoop: Microsoft uncovers hacking operation aimed at software supply chain
ZDNet: Microsoft's Windows warning: Hackers hijacked software updater with in-memory malware

Microsoft Releases Emergency Patch for Critical Flaw in Microsoft Malware Protection Engine (May 8 & 9, 2017)

Microsoft has issued an emergency patch for a critical remote code execution flaw in the Microsoft Malware Protection Engine. Researchers from Google's Project Zero found the vulnerability, which affects default Windows installs and is wormable: a successful exploit could self-replicate.

[Editor Comments]

[Ullrich] The patch should already be on your system as it is rolled out with a malware signature update, not a distinct security patch. This is one reason why it was rolled out on Monday, not the more-regular patch Tuesday today. Currently there is no public exploit available.

[Williams] Microsoft's response to this flaw was nothing short of commendable. The fact that patches are likely automatic for most users will likely prevent this from becoming a worm. However, one needs to ask if it is really wise to have a non-sandboxed JavaScript engine running with superuser privileges in the first place. I think with this bug, Google has uncovered a structural issue Microsoft needs to change to ensure future security.

Read more in:

Microsoft: Security Update for Microsoft Malware Protection Engine
Bleeping Computer: Google Researchers Find Wormable "Crazy Bad" Windows Exploit
Threatpost: Wormable Windows Zero Day Reported to Microsoft
The Register: 'Crazy bad' bug in Microsoft's Windows malware scanner can be used to install malware

FBI Says 5 Billion USD Lost to Business eMail Compromise (May 5 & 8, 2017)

According to data from the FBI's Internet Crime Complaint Center (IC3), scammers have stolen more than 5 billion USD through Business eMail Compromise (BEC) schemes since 2013. Losses to BEC scams increased nearly 2,400 percent over the two-year period between January 2015 and December 2016.

[Editor Comments]

[Ullrich] We are seeing some automated BEC attempts that do exchange multiple e-mails, usually with the goal of getting access to e-mail credentials which will then be used to launch more targeted attacks. If you are using a cloud e-mail solution, you MUST implement two-factor authentication to evade phishing for e-mail credentials.

[Honan] One good step in protecting against these scam emails is to implement DMARC and other email anti-spoofing techniques. CERT-EU has a good white paper available for download titled "DMARC - Defeating Email Abuse" at

Read more in:

SC Magazine: BEC scammers picked off $5B, FBI says
The Register: Fake invoice scammers slurp $5bn+ from corp beancounters - FBI
eWeek: Business Email Compromise Scams Continue to Grow With $5.3B in Losses
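The editor comment above recommends DMARC as a defence against spoofed BEC mail, but a DMARC record only helps if it actually instructs receiving servers to act. The following evaluator is an added example, not code from the newsletter or from the CERT-EU paper it cites: it parses a DMARC TXT record (the `v=DMARC1; p=...; rua=...` tag syntax of RFC 7489) and flags the settings that leave a domain monitoring-only. The sample records are constructed; nothing is resolved over the network.

```python
"""Assess whether a DMARC record enforces anything (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class DmarcAssessment:
    tags: Dict[str, str]
    findings: List[str] = field(default_factory=list)

    @property
    def enforcing(self) -> bool:
        """True only when failing mail is quarantined or rejected for 100% of messages."""
        return (self.tags.get("p") in ("quarantine", "reject")
                and self.tags.get("pct", "100") == "100")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lower-cased tag dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Return the parsed tags plus a list of weaknesses a defender should fix."""
    tags = parse_dmarc(record)
    result = DmarcAssessment(tags)
    if tags.get("v") != "DMARC1":
        result.findings.append("missing or wrong v= tag; receivers will ignore the record")
        return result
    policy = tags.get("p")
    if policy is None:
        result.findings.append("no p= tag; the record is invalid")
    elif policy == "none":
        result.findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        result.findings.append(f"unknown policy {policy!r}")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and pct != "100":
        result.findings.append(f"pct={pct} applies the policy to only a fraction of failing mail")
    if tags.get("sp") == "none" and policy in ("quarantine", "reject"):
        result.findings.append("sp=none leaves subdomains unprotected while the parent domain is enforced")
    if "rua" not in tags:
        result.findings.append("no rua= address; aggregate reports about abuse will never arrive")
    return result


# Constructed records for a hypothetical example.com; the domain and mailbox are placeholders.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "partial": "v=DMARC1; p=quarantine; pct=25",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        a = assess_dmarc(rec)
        print(f"{name:13s} enforcing={a.enforcing} findings={a.findings}")
```

In a real check the record comes from a TXT lookup of `_dmarc.<domain>`; the evaluator above is the part that turns that string into a yes/no answer on whether spoofed mail is actually rejected rather than merely reported.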

Intel Chip Flaw is Worse Than First Thought (May 6, 2017)

A flaw in the Active Management Technology (AMT) feature of Intel chips could be exploited to take administrative control of vulnerable systems without the need for a password. AMT lets sysadmins perform powerful tasks over a remote connection. The flaw has been present in some Intel chipsets since 2010. Computer manufacturers that use the affected chips say they are working on firmware fixes. Some companies have released timetables for the fixes, but even these extend into June, meaning computers will remain vulnerable for weeks.

[Editor Comments]

[Murray] Software for identifying instances of vulnerable systems is available from both Intel and Github. Identified instances should be disconnected from public networks, or hidden behind firewalls or VPNs. Other systems on the same networks as these may also have been compromised.

Read more in:

Ars Technica: The hijacking flaw that lurked in Intel chips is worse than anyone thought
Cyberscoop: Intel chip vulnerability gets quick patch in some products, longer timeline in others
Computerworld: Patch to fix Intel-based PCs with enterprise bug rolls out this week
Intel: Important Security Information About Intel Manageability Firmware
The Register: Dell to patch AMT-vulnerable systems
Dell: Dell Client Statement on Intel AMT Advisory (INTEL-SA-00075)
*************************** SPONSORED LINKS *****************************
1) "Effortless Detection and Investigation of Cloud Breaches: A Review of Lacework's Zero Touch Cloud Workload Security Platform" Register:
2) WEBCAST: "How to Conquer Targeted Email Threats: SANS Review of Agari Enterprise Protect" Register:
3) Don't Miss: "Complying with Data Protection Law in a Changing World" Register:


Google Tightening OAuth Rules (May 8, 2017)

Google is tightening its policies and their enforcement for its OAuth implementation to help prevent incidents like the Google Docs phishing campaign that targeted Gmail users last week. Google is also updating its anti-spam systems and increasing the monitoring of suspicious third-party apps requesting users' data.

Read more in:

ZDNet: Gmail fake Docs attack: Now Google tightens OAuth rules to block phishing
Softpedia: Google to Tighten OAuth Rules to Block Phishing Attempts After Fake Docs Attack
Dark Reading: Google Ratchets Up OAuth policies in Wake of Phishing Attacks
Google: Protecting You Against Phishing

HandBrake App Site Used to Spread Mac Malware (May 6, 7, & 8, 2017)

The website for the video transcoder app HandBrake was compromised some time between May 2 and May 6. The Mac version of the HandBrake client was replaced with a malicious version that contains a macOS Remote Access Trojan (RAT) known as Proton. HandBrake's developers have posted instructions for removing the malware from infected machines.

[Editor Comments]

[Neely] There is a 50% chance users with version 1.0.7 downloaded the compromised version. All versions of HandBrake have legitimate Apple Developer signatures, so only allowing signed code to be installed will not stop installation. The updated XProtect signature will not detect existing infections; scan for published IOCs to find these. Change your passwords in Keychain or browsers as part of remediation. Proton is a full-featured commercial RAT, which now sells licensed signed versions for between 2 and 40 BTC. SIXGILL Proton Threat Report is here:

[Williams] This is a great story to remind colleagues of software supply chain issues. In this case, our "safety" method is to validate the SHA256 of the binary, but this method is not perfect. If a software download server is compromised, the website displaying the SHA256 can be, as well. Although that didn't happen this time, the scenario shows why organizations need to pay more attention to software supply chain issues than they have been traditionally.

Read more in:

Threatpost: HandBrake for Mac Compromised With Proton Spyware
Bleeping Computer: Website of HandBrake App Hacked to Spread Proton RAT for Mac Users
The Register: Russian RATs bite Handbrake OSX download mirror
ZDNet: Mac app developers issue malware warning after server compromise
HandBrake: Mirror Download Server Compromised
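The editor comment above argues that a SHA256 published beside the download is only as trustworthy as the server that publishes it. The script below is an added example, not HandBrake's or the newsletter's code: it verifies an artifact against an expected digest in constant time, and models a compromised mirror that swaps both the binary and the checksum page, so that the same-site check passes while a digest pinned out of band (recorded before the incident, or obtained from a separately controlled source) catches the substitution. All bytes and digests are constructed for the demonstration.

```python
"""Digest verification with same-site vs. out-of-band expected values (added example)."""
import hashlib
import hmac
from typing import NamedTuple


class Verdict(NamedTuple):
    ok: bool
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_artifact(data: bytes, expected_hex: str) -> Verdict:
    """Compare the artifact's SHA256 with the expected digest without leaking timing."""
    try:
        expected = bytes.fromhex(expected_hex.strip())
    except ValueError:
        return Verdict(False, "expected digest is not valid hex")
    if len(expected) != hashlib.sha256().digest_size:
        return Verdict(False, "expected digest is not a SHA256 value")
    actual = hashlib.sha256(data).digest()
    if hmac.compare_digest(actual, expected):
        return Verdict(True, "digest matches")
    return Verdict(False, "digest mismatch: artifact is not what the digest describes")


class DownloadMirror:
    """Constructed stand-in for a download server that serves a binary and its checksum page."""

    def __init__(self, binary: bytes) -> None:
        self.binary = binary
        self.published_sha256 = sha256_hex(binary)

    def compromise(self, replacement: bytes) -> None:
        # Whoever controls the server can replace both files consistently.
        self.binary = replacement
        self.published_sha256 = sha256_hex(replacement)


# Constructed placeholder payloads; neither is a real release.
GENUINE = b"constructed genuine release bytes"
TROJANISED = b"constructed trojanised release bytes"


def demo() -> tuple:
    """Return (same_site_check_passed, out_of_band_check_passed) after a mirror compromise."""
    pinned = sha256_hex(GENUINE)          # digest recorded from an independent source beforehand
    mirror = DownloadMirror(GENUINE)
    mirror.compromise(TROJANISED)
    same_site = verify_artifact(mirror.binary, mirror.published_sha256)  # passes: false assurance
    out_of_band = verify_artifact(mirror.binary, pinned)                 # fails: tampering detected
    return same_site.ok, out_of_band.ok


if __name__ == "__main__":
    print("same-site check passed:", demo()[0], "| out-of-band check passed:", demo()[1])
```

The point of the split is where `expected_hex` comes from, not how it is compared: the same function gives a false pass when the digest and the binary share a trust root, which is why a pinned digest or a signature verified against a key the mirror does not hold is the check that actually detects a swapped download.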

Netrepser Espionage Group Uses Free, Legitimate Tools to Infect Targets (May 5 & 8, 2017)

Netrepser has compromised hundreds of computers using JavaScript code and free, publicly available, legitimate network admin software tools. Most of the targeted computers belong to government agencies and organizations, indicating that the group's goal is cyberespionage.

[Editor Comments]

[Honan] This is a good example of how low the barrier is for governments and other groups to enter the cyber espionage arena. A timely reminder to ensure that you regularly update your threat model to identify who could target your organisation and how best you should defend against them.

Read more in:

Computerworld: Cyberspies tap free tools to build powerful malware framework
The Hill: Deceptively simple espionage hacking campaign impresses researchers
ZDNet: Hackers are reusing free online tools as part of their cyberespionage campaigns
BitDefender: Inside Netrepser - a JavaScript-based Targeted Attack

Police May Have Been Less Than Forthcoming to Judge About Stingray Use (May 6, 2017)

A California defense attorney maintains that law enforcement officers misled a judge when seeking a warrant to use cell-site simulator technology to track her client's location. In a related story, the US Supreme Court plans to discuss the issue of whether law enforcement authorities require warrants to compel mobile phone companies to disclose customers' cell-site data.

[Editor Comments]

[Northcutt] It is always wise to take what a defense attorney says with a grain of salt, and attempted murder is not exactly a "run-of-the-mill criminal case". That said, the case for requiring a warrant is becoming stronger and may be an appropriate issue in this case:

Read more in:

Ars Technica: Lawyer: Cops "deliberately misled" judge who seemingly signed off on stingray
Ars Technica: Supreme Court asked to rule if cops need warrant for cell-site data

Legislators Urge OPM to be Flexible in Cybersecurity Hiring (May 5, 2017)

Three US legislators have written to the Office of Personnel Management (OPM), urging flexibility with its hiring requirements for cybersecurity jobs. Applicants with "nontraditional education paths... especially in combination with high-value experience" should not be overlooked. The letter also noted that "offering industry-recognized certification testing would be a valuable tool for agencies to recruit and retain highly-qualified cyber professionals."

[Editor Comments]

[Murray] It is difficult to argue against flexibility. However, government is not known for the flexibility in management that should accompany flexible evaluation of candidate qualifications. That said, both government and the private sector do use "industry-recognized certification testing."

Read more in:

Nextgov: New Dems Urge OPM to Hire More Cyber Pros Without 4-Year Degrees
FCW: Legislators call for more flexible cyber hiring and training
Letter: Letter (PDF)

Lieu Renews Call for SS7 Fix (May 5, 2017)

US Congressman Ted Lieu (D-California) has renewed his call for the US Federal Communications Commission (FCC) and the telecommunications industry to address security issues in Signaling System 7 (SS7), the set of protocols that mobile networks use to communicate with each other. Flaws in SS7 were recently exploited to drain bank accounts in Europe by intercepting transmissions used in two-factor authentication.

Read more in:

SC Magazine: Rep. Lieu calls for SS7 vulnerability to be patched

DoJ Expanding Investigation of Uber's Use of Greyball Tool (May 4 & 5, 2017)

The US Department of Justice (DoJ) is expanding its investigation into Uber's use of Greyball, a software tool that helped drivers evade the attention of government transportation regulators. The software was used to display alternate versions of the Uber app to users who appeared to be linked to investigations. Uber has defended its use of Greyball, pointing out that it helps keep drivers safe by shielding their locations, helps determine the legitimacy of ride requests, and helps detect violations of the Uber app's terms of service. The initial inquiry was launched in Portland, Oregon and has now been expanded to Philadelphia.

Read more in:

BBC: Uber faces criminal probe in US over 'greyball' code
Reuters: Exclusive: Uber faces criminal probe over software used to evade authorities
WSJ: Uber Faces Federal Criminal Probe Over 'Greyball' Software
NYT: Justice Department Expands Its Inquiry Into Uber's Greyball Tool

Sabre Hires Mandiant to Investigate Breach (May 2 & 3, 2017)

Sabre Corp. has acknowledged a breach of its hotel reservations system. The company has hired Mandiant to help with the investigation, and law enforcement has been notified. Sabre says that unauthorized access to the system has now been blocked. Sabre's reservations system serves more than 32,000 properties.

Read more in:

Reuters: Sabre hires Mandiant to probe breach in hotel reservation system
KrebsOnSecurity: Breach at Sabre Corp.'s Hospitality Unit
Sabre: Sabre Statement


Tenable Discovers Details Regarding Intel AMT Vulnerability

Android Apps Use Ultrasound Beacons To Track Users

http Headers... the Achilles' Heel of Many Applications

Exploring a P2P Transient Botnet - From Discovery to Enumeration

Video Conversion Application Handbrake Compromised

Emergency Update for Microsoft Malware Protection Engine

OS X Keychain OTR Vulnerability

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here:

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit