
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #40

May 16, 2017


Bipartisan, Bicameral Bill in US Congress Would Establish Vulnerabilities Equity Process Review Board
NSA Used EternalBlue for Five Years
SMB Patches for Windows XP, Server 2003, and Windows 8 RT Were Ready to Go Thanks to Custom Support
Adylkuzz Cryptocurrency Miner Also Uses EternalBlue Exploit


Master Keys for Wallet Ransomware Posted to BleepingComputer Forums
Report: Russia Tried to Take Over US Defense Dept. Twitter Accounts
Panic Apps' Source Code Stolen After Developer Downloaded Infected Version of HandBrake
WordPress Updated to Version 4.7.5
Flaw in Chrome Could Be Exploited to Steal Windows Credentials
DocuSign Acknowledges Breach



*************************** Sponsored By Splunk **************************

Don't Cry: Steer Clear and Get Ahead of Ransomware. Join Splunk's Head of Security Research Monzy Merza on a webinar to learn how to apply a broader analytical approach and data-driven techniques to quickly pinpoint the source of an attack and determine the appropriate remediation steps. http://www.sans.org/info/194945



-- SANS San Francisco Summer 2017 | June 5-10 |

-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 |
Build more effective security operations. Two days of in-depth Summit talks, 5 SANS courses, exclusive networking opportunities, & more!

-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 |

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 |

-- SANS London July 2017 | July 3-8 |

-- SANS Cyber Defence Singapore | July 10-15 |

-- SANSFIRE 2017 | Washington, DC | July 22-29 |

-- SANS Network Security | Las Vegas, NV | September 10-17 |

-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WK) and Evening (vLive - http://www.sans.org/u/WZ) courses available!

-- SANS Online Training: Special Offer! Register by May 10 and receive a new iPad, Samsung Galaxy Tab A or take $350 off your OnDemand or vLive Course!

-- OnDemand http://www.sans.org/u/pS9

-- vLive http://www.sans.org/u/pSj

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X9
Contact mentor@sans.org

-- Looking for training in your own community?
Community - http://www.sans.org/u/Xo

-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/XD

Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN



Bipartisan, Bicameral Bill in US Congress Would Establish Vulnerabilities Equity Process Review Board (May 17, 2017)

Legislators in both the US House of Representatives and Senate have introduced legislation aimed at strengthening federal cybersecurity while increasing transparency around the government's practice of stockpiling vulnerabilities. The Protecting Our Ability to Counter Hacking (PATCH) Act would establish a review board for the Vulnerabilities Equity Process that would enforce consistent policies across government agencies regarding the evaluation and retention of software and hardware vulnerabilities. The bill has broad support from the tech industry and from cybersecurity organizations.

Read more in:

SC Magazine: PATCH Act introduced to improve federal cybersecurity and transparency https://www.scmagazine.com/patch-act-introduced-to-improve-federal-cybersecurity-and-transparency/article/662541/
ZDNet: Congress introduces bill to stop US from stockpiling cyber-weapons http://www.zdnet.com/article/congress-introduces-bill-to-prevent-us-from-stockpiling-cyber-weapons/
Cyberscoop: Lawmakers introduce bill to shine spotlight on government hacking stockpile https://www.cyberscoop.com/patch-act-vep-ron-johnson-ted-lieu-government-hacking/?category_news=technology
Nextgov: Bill Aims to Clarify When and How the Government Discloses Software Vulnerabilities http://www.nextgov.com/cybersecurity/2017/05/bill-aims-clarify-when-how-government-discloses-software-vulnerabilities/137951/?oref=ng-channelriver
Document Cloud: PATCH Act of 2017 https://www.documentcloud.org/documents/3725905-Patch-Act-bill-before-Congress.html

NSA Used EternalBlue for Five Years (May 16, 2017)

The NSA used the EternalBlue hacking tool for more than five years before disclosing its existence to Microsoft. With EternalBlue, the NSA was able to gather great quantities of foreign intelligence; an NSA employee speaking on the condition of anonymity said that using the tool "was like fishing with dynamite." The NSA decided to notify Microsoft only after learning that EternalBlue had been stolen.

Read more in:

Washington Post: NSA officials worried about the day its potent hacking tool would get loose. Then it did. https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html
Ars Technica: Fearing Shadow Brokers leak, NSA reported critical flaw to Microsoft https://arstechnica.com/security/2017/05/fearing-shadow-brokers-leak-nsa-reported-critical-flaw-to-microsoft/
Softpedia: NSA Reported WannaCry Vulnerability to Microsoft After Using It for 5 Years http://news.softpedia.com/news/nsa-reported-wannacry-vulnerability-to-microsoft-after-using-it-for-5-years-515827.shtml

SMB Patches for Windows XP, Server 2003, and Windows 8 RT Were Ready to Go Thanks to Custom Support (May 16, 2017)

Microsoft reportedly learned in January of the EternalBlue tool used to exploit a vulnerability in Server Message Block. Microsoft fixed the flaw in its March patch update, and a month later, Shadow Brokers published a cache of stolen NSA hacking tools that included EternalBlue. When WannaCrypt spread quickly last week, Microsoft released emergency patches for unsupported versions of Windows. Analysis of those patches' metadata indicates that they were built in February, while the company was readying its patches for supported versions of Windows, which suggests the fixes had previously been released only to customers paying for custom support of the older operating systems.

[Editor Comments]

[Assante] Microsoft realizes particular customers will lock into a product beyond its supported lifetime and has chosen to offer special custom support for a price. Microsoft's decision to create a public release patch for unsupported versions of Windows was a choice to be a good steward at the risk of providing mixed signals. Windows XP may not be considered abandonware as its End of Life (EOL) status is best described as minimal life-support that can't be counted on or expected (i.e. "highly unusual"). Risk managers should account for the amount of business that relies on EOL software and present that as a risk (might even be something worthy of disclosure).

Read more in:

The Register: While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday's WinXP fix was built in February http://www.theregister.co.uk/2017/05/16/microsoft_stockpiling_flaws_too/

Adylkuzz Cryptocurrency Miner Also Uses EternalBlue Exploit (May 15 & 16, 2017)

The same stolen NSA exploit used by the attackers behind WannaCry is also being used to spread a cryptocurrency miner known as Adylkuzz. "Initial statistics suggest that [the Adylkuzz] attack may be larger in scale than WannaCry," according to a researcher from Proofpoint. The Adylkuzz attack began before WannaCry, possibly in late April.

[Editor Comments]

[Neely] It is fortunate that Adylkuzz nicely shut down SMB after infecting a system to prevent multiple infections, which limited the spread of WannaCry. In the wake of WannaCry and Adylkuzz, the Department of Energy requires all vulnerable systems to be disconnected from the network, coupled with continuous monitoring for compliance. I have seen a corresponding significant uptake of patch application. While you're checking for vulnerable systems, don't forget to check (and block) remote/VPN systems. This activity must revitalize the conversation around which systems cannot be patched, or aren't being patched according to plan, and stimulate the projects to migrate to newer Windows versions. Avoid the temptation to wait to achieve an update path that works flawlessly 100% of the time for 100% of the users; rather, move forward with a plan that works for most of your users.

Read more in:

SC Magazine: Cryptocurrency miner Adylkuzz attack could be bigger than WannaCry https://www.scmagazine.com/cryptocurrency-miner-adylkuzz-attack-could-be-bigger-than-wannacry/article/662128/
Ars Technica: Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry https://arstechnica.com/security/2017/05/massive-cryptocurrency-botnet-used-leaked-nsa-exploits-weeks-before-wcry/
*************************** SPONSORED LINKS *****************************
1) SANS Finance Briefing in NYC: Practical Threat Modeling For Financial Organizations - Free to the Financial Cybersecurity Community. Learn More: http://www.sans.org/info/194950
2) Don't Miss: What Works in Situational Awareness and Visibility: Reducing Time to Detect and Enhancing Business Outcomes with Splunk. Register: http://www.sans.org/info/194955
3) The New Reality: Centralizing Security when Your Network is Decentralizing. Learn More: http://www.sans.org/info/194960


Master Keys for Wallet Ransomware Posted to BleepingComputer Forums (May 18, 2017)

Decryption keys for Wallet ransomware have been posted to the BleepingComputer online forums. It is not clear exactly why the malware creators have released the keys. The ransomware family of which Wallet is a part often releases keys when it has switched to a new extension. The attackers may also have surmised that they are not going to make any more money from that particular variant.

Read more in:

BleepingComputer: Wallet Ransomware Master Keys Released on BleepingComputer. Avast Releases Free Decryptor https://www.bleepingcomputer.com/news/security/wallet-ransomware-master-keys-released-on-bleepingcomputer-avast-releases-free-decryptor/

Report: Russia Tried to Take Over US Defense Dept. Twitter Accounts (May 18, 2017)

Earlier this year, US counterintelligence officials received a report detailing how Russians sent targeted malicious tweets to Defense Department Twitter users. If the recipients clicked on the proffered links, which claimed to be sports or entertainment stories, their devices were redirected to a Russian server that downloaded malware, allowing the attackers to take control of the device and the user's Twitter account.

[Editor Comments]

[Murray] These reports are from general news sources. One might want to see a report from technical sources. "Allowing the attackers to take control of the device and the user's Twitter account" seems to be a very broad claim. Any "device" seems unlikely. One might also want to know if Twitter's strong authentication option would be effective.

Read more in:

The Hill: Russia tried to take over Pentagon Twitter accounts: report http://thehill.com/policy/cybersecurity/334045-russia-tried-to-gain-access-to-pentagon-twitter-accounts-report
Time: Inside Russia's Social Media War on America http://time.com/4783932/inside-russia-social-media-war-america/?iid=sr-link1

Panic Apps' Source Code Stolen After Developer Downloaded Infected Version of HandBrake (May 18, 2017)

The founder of the software development company Panic said that source code for some of its apps was stolen after he downloaded an infected version of HandBrake. Panic develops software for Mac and iOS. Users are urged to download Panic apps only from the Panic website or Apple's App Store.

Read more in:

BBC: App maker's code stolen in malware attack http://www.bbc.com/news/39960721

WordPress Updated to Version 4.7.5 (May 17, 2017)

WordPress has updated its content management platform to version 4.7.5. The newest version of WordPress includes fixes for six security issues and three maintenance issues.

Read more in:

SC Magazine: WordPress releases version 4.7.5 fixing 6 security issues https://www.scmagazine.com/wordpress-releases-version-475-fixing-6-security-issues/article/662482/
WordPress: WordPress 4.7.5 Security and Maintenance Release https://wordpress.org/news/2017/05/wordpress-4-7-5/

Flaw in Chrome Could Be Exploited to Steal Windows Credentials (May 17, 2017)

A flaw in Google's Chrome browser running on Windows systems can be exploited to put malicious files on PCs that can then steal Windows credentials and launch a Server Message Block (SMB) relay attack. The issue affects the default Chrome configuration for all versions of Windows. The Chrome team is working on a fix.

Read more in:

The Register: Chrome on Windows has credential theft bug http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/
SC Magazine: Google Chrome flaw could allow Windows credential theft https://www.scmagazine.com/google-chrome-flaw-could-allow-windows-credential-theft/article/662515/
ZDNet: Windows 10 credential theft: Google is working on fix for Chrome flaw http://www.zdnet.com/article/windows-10-credential-theft-google-is-working-on-fix-for-chrome-flaw/
BleepingComputer: You Can Steal Windows Login Credentials via Google Chrome and SCF Files https://www.bleepingcomputer.com/news/security/you-can-steal-windows-login-credentials-via-google-chrome-and-scf-files/
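The SCF credential-leak issue above turns on a small text file whose IconFile entry names a remote UNC share; Explorer resolves that icon path automatically when the folder is viewed, and the Windows credentials it presents to the remote host are what gets captured. As an added, defender-side example (not code from any of the cited articles, from Google, or from the researcher), the Python script below parses SCF files and flags any whose IconFile points at a remote host, which a download-folder sweep or a mail-gateway check could reuse. The SCF layout it expects ([Shell] section with Command and IconFile keys) follows the documented Windows format; the two sample files and the 203.0.113.10 address are constructed for the example.

```python
"""
Defensive scanner for Windows Explorer SCF (Shell Command File) files whose
IconFile entry points at a remote UNC share. Added example code; it is not
from any of the articles cited above or from the Chrome project.
"""
import re
from pathlib import Path

# An IconFile value starting with \\host\share (or the //host/share variant).
# Host and share are captured so a finding can be reported and correlated.
UNC_RE = re.compile(r"^\s*(\\\\|//)(?P<host>[^\\/]+)[\\/](?P<share>[^\\/\s]*)")


def parse_scf(text):
    """Parse INI-style SCF content into {section: {key: value}}.

    Section and key names are lower-cased so lookups are case-insensitive,
    matching how Windows treats them.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def remote_icon_target(text):
    """Return (host, share) if the SCF's IconFile is a UNC path, else None."""
    shell = parse_scf(text).get("shell", {})
    icon = shell.get("iconfile", "")
    match = UNC_RE.match(icon)
    if match is None:
        return None
    return match.group("host"), match.group("share")


def scan_directory(directory):
    """Walk *.scf files under directory; return [(path, host, share), ...]."""
    findings = []
    for path in Path(directory).rglob("*.scf"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        target = remote_icon_target(text)
        if target:
            findings.append((str(path), target[0], target[1]))
    return findings


# Constructed sample inputs (not captured from any real incident).
# A stock SCF points at a local system DLL for its icon.
BENIGN_SCF = (
    "[Shell]\r\nCommand=2\r\n"
    "IconFile=%SystemRoot%\\system32\\SHELL32.dll,3\r\n"
    "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
)
# The suspect variant points the icon at a remote share (TEST-NET address).
SUSPECT_SCF = (
    "[Shell]\r\nCommand=2\r\n"
    "IconFile=\\\\203.0.113.10\\share\\icon.ico\r\n"
    "[Taskbar]\r\nCommand=ToggleDesktop\r\n"
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SCF), ("suspect", SUSPECT_SCF)):
        print(name, "->", remote_icon_target(sample))
```

Point scan_directory at a user's Downloads folder; any finding whose host is outside your own domain is worth an alert. Independently of the file type involved, blocking outbound SMB (TCP 445) at the perimeter keeps such an icon lookup from ever reaching an external host, which is the mitigation that does not depend on the Chrome fix.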

DocuSign Acknowledges Breach (May 15, 2017)

Electronic signature company DocuSign has acknowledged that one of its computer systems was breached and the compromised information was used to launch phishing attacks against customers. The phishing emails contained links to malicious Word documents. If a recipient downloads the document and the macro it contains is enabled, the Hancitor downloader is delivered to their device.

[Editor Comments]

[Williams] This is far from a worst-case scenario for a DocuSign breach. When I think of all the sensitive data DocuSign has, it is obvious it could have been far worse. Bravo to the DocuSign team for getting this handled before attackers stole customer documents en masse. Organizations should realize that attackers may target them for their infrastructure rather than their data. Here, attackers appeared more interested in sending phishing emails than stealing customer data.

[Northcutt] INC takes a shot at DocuSign's claim "The Most Rigorous Security Standards In The World"; however, the last paragraph of their writeup should catch our attention. Some pretty sensitive stuff goes through the DocuSign network; I suspect a class action lawsuit will be filed in the next ten days:

Read more in:

KrebsOnSecurity: Breach at DocuSign Led to Targeted Email Malware Campaign https://krebsonsecurity.com/2017/05/breach-at-docusign-led-to-targeted-email-malware-campaign/
ThreatPost: DocuSign Phishing Campaign Includes Hancitor Downloader https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/
DocuSign Breach Leads to Increase in Phishing Email
HP Updates Audio Drivers (twice) to Remove Keylogger
Chrome File Download Behaviour Can Lead to SMB Credential Theft
HandBrake Proton Malware Used to Steal Source Code
NIST Password Guidance Update
Exploiting XXE Vulnerabilities in PeopleSoft
Discovering Relevant CVEs with CVE Bot
Probability of Vulnerability Re-Discovery
Wannakey May Recover WannaCry Keys
Finding Bad With Splunk


The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create