SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #42

May 26, 2017


Medical Device Vulnerabilities
Mac Malware
Target to Pay 18.5 million USD in Breach Settlement


Tainted Leaks
WannaCry Ransom Note Suggests Writer Speaks Chinese and English
Cloak and Dagger Android Attacks
Samba Patches Remote Code Execution Flaw
NSA Employee Identities Could Be Exposed
Apple Transparency Report
Subtitle Parsing Flaw Could Give Attackers Control of Devices
Russia Arrests 20 in Connection with Malware Schemes
DEFCON to Plumb Electronic Voting Machines' Security



*************************** Sponsored By Veracode ************************
Building secure web applications takes more than just testing the code to weed out flaws during development and keeping the servers on which it runs up to date. Register for "Using Dynamic Scanning to Secure Web Apps in Development and After Deployment" to learn more: http://www.sans.org/info/195140


-- SANS San Francisco Summer 2017 | June 5-10 |

-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 |
Build more effective security operations. Two days of in-depth Summit talks, 5 SANS courses, exclusive networking opportunities, & more!

-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 |

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 |

-- SANS London July 2017 | July 3-8 |

-- SANS Cyber Defence Singapore | July 10-15 |

-- SANSFIRE 2017 | Washington, DC | July 22-29 |

-- SANS Network Security | Las Vegas, NV | September 10-17 |

-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WK) and Evening (vLive - http://www.sans.org/u/WZ) courses available!

-- SANS Online Training: Special Offer! Register by May 10 and receive a new iPad, Samsung Galaxy Tab A or take $350 off your OnDemand or vLive Course!

-- OnDemand http://www.sans.org/u/pS9

-- vLive http://www.sans.org/u/pSj

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X9
Contact mentor@sans.org

-- Looking for training in your own community?
Community - http://www.sans.org/u/Xo

-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/XD

Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN



Medical Device Vulnerabilities (May 25, 2017)

Two separate studies have found that numerous medical devices contain software vulnerabilities. One study that focused on implantable cardiac devices and their associated equipment found more than 8,000 vulnerabilities. That study found that in most cases, data were not protected either on the devices or while being transferred to monitoring equipment. In addition, the study found that there was no authentication for connecting devices. The second study examined a broader spectrum of devices, polling manufacturers, hospitals, and health organizations about the equipment; the majority said the devices are difficult to secure.

[Editor Comments]

[Assante] Good security is difficult, expensive, and mostly voluntary so not a cardiac shocker (pun intended) that these devices are insecure by design. The study also found only 9% of device makers and 5% of health organizations tested equipment annually for cyber vulnerabilities. The researchers should be commended for their good work and responsible disclosure approach!

Read more in:

BBC: 'Thousands' of known bugs found in pacemaker code http://www.bbc.com/news/technology-40042584

Mac Malware (May 19, 2017)

A variety of Mac malware has surfaced over the past several weeks. One interesting aspect of the malware is its diversity: Dok malware intercepts all web traffic; Proton.B gained traction when it was used in an infected version of HandBrake; and Systemd, a Trojan backdoor for OSX.

Read more in:

AlienVault: Diversity in Recent Mac Malware https://www.alienvault.com/blogs/labs-research/diversity-in-recent-mac-malware

Target to Pay 18.5 Million USD in Breach Settlement (May 23 & 24, 2017)

Target will pay 18.5 million USD to 47 US states and the District of Columbia as part of a settlement with state attorneys general. The settlement resolves an investigation into the 2013 breach that exposed sensitive personal information of more than 41 million Target customers. According to the terms of the settlement, Target has also agreed to implement a number of measures to improve digital security, including keeping customer payment card information separate from the rest of its network, using two factor authentication, and complying with stricter auditing and reporting requirements.

[Editor Comments]

[Pescatore] In 4Q16 Target said the breach had cost them $290M, with about $90M covered by insurance. This settlement adds to that, and there will likely be some more cost across 2017 - let's call it $250M. The incident could have been avoided for well under $10M - imagine if back in late 2013 a business unit leader had promised a three year return of $240M for a $10M investment - an annualized ROI of 150%...

Read more in:

Dark Reading: Target Reaches Breach Settlement: $18.5 Million Fine, Security Controls http://www.darkreading.com/attacks-breaches/target-reaches-breach-settlement-$185-million-fine-security-controls/d/d-id/1328948?
SC Magazine: Target to pay out $18.5M to states in breach settlement https://www.scmagazine.com/target-to-pay-out-185m-to-states-in-breach-settlement/article/663905/
NYT: Target to Pay $18.5 Million to 47 States in Security Breach Settlement https://www.nytimes.com/2017/05/23/business/target-security-breach-settlement.html?_r=2
*************************** SPONSORED LINKS *****************************
1) Join this webinar to learn how Cisco can help you meet the challenges of mobile security. http://www.sans.org/info/195145
2) Don't Miss: "Fighting Account Takeover - Change The Battle and Win" Register: http://www.sans.org/info/195150
3) Webcast: "Evaluation Criteria for ICS Cyber Security Monitoring with Rockwell Automation and Claroty" Register: http://www.sans.org/info/195155


Tainted Leaks (May 25, 2017)

A report from the Citizen Lab group at the University of Toronto suggests that Russian hackers are not only leaking stolen documents, but are in some cases altering the documents' contents to spread disinformation.

[Editor Comments]

[Pescatore] Many targeted phishing attacks use "tainted" documents in similar manners, but encryption and digital signatures are required to deliver both confidentiality and integrity of critical business information. That doesn't stop people from falling for tainted information, since digital signatures are rarely validated - but it does provide a contractual/legal layer of risk reduction and business protection.

[Williams] Based on metadata analysis alone, it is obvious that the documents being leaked by Guccifer 2.0 (purported to be from the DNC) are not originals. The character set for most of the documents released is Cyrillic, even though they contain only English characters.

[Northcutt] So called "leaked documents" have been part of spy craft and diplomatic leverage since the beginning of time. Most Americans learn that the sinking of the U.S.S. Maine in Havana was a catalyst, if not the cause, of the Spanish American War. However, a "leaked letter" allegedly by a Spanish diplomat published by William Randolph Hearst's New York Journal a few days before the explosion was just as instrumental. This is not a crisis, the US has well tested methods to establish the accuracy and reliability of intelligence sources.

Read more in:

Wired: Russian Hackers Are Using 'Tainted' Leaks To Sow Disinformation https://www.wired.com/2017/05/russian-hackers-using-tainted-leaks-sow-disinformation/
Ars Technica: E-mails phished from Russian critic were "tainted" before being leaked https://arstechnica.com/security/2017/05/e-mails-phished-from-russian-critic-were-tainted-before-being-leaked/

WannaCry Ransom Note Suggests Writer Speaks Chinese and English (May 25, 2017)

Researchers from security firm Flashpoint conducted a linguistic analysis of the ransom notes that accompanied WannaCry infections. After examining the note as it appeared in 28 different languages, the researchers concluded that only the Chinese and English versions of the note are likely to have been written by someone who speaks those languages with a high degree of fluency. The finding does not necessarily rule out a link to the Lazarus Group.

Read more in:

ZDNet: WannaCry: Ransom note analysis throws up new clues http://www.zdnet.com/article/wannacry-ransom-note-analysis-throws-up-new-clues/
Dark Reading: WannaCry Ransom Notes Penned by Chinese-Speaking Authors, Analysis Shows http://www.darkreading.com/threat-intelligence/wannacry-ransom-notes-penned-by-chinese-speaking-authors-analysis-shows/d/d-id/1328965?
Threatpost: Wannacry Ransom Note Written By Chinese, English Speaking Authors https://threatpost.com/wannacry-ransom-note-written-by-chinese-english-speaking-authors/125906/

Cloak and Dagger Android Attacks (May 24 & 25, 2017)

A new class of attack targeting Android devices allows hackers to take control of the devices without the user's knowledge. Known as Cloak and Dagger, "these attacks allow a malicious app to completely control the UI feedback loop." The attack vector was disclosed to Google in August 2016 by researchers from Georgia Institute of Technology. The flaws affect all versions of Android.

[Editor Comments]

[Neely] These attacks work on Android versions 5.0 through 7.1.2. They exploit the "draw on top" function and "accessibility" permissions. Draw on top allows for layering fake prompts (such as a password box) over the real one; accessibility can be abused to capture keystrokes. Both permissions are automatically granted without user interaction. The core mitigations are to disable draw on top via the settings app and use caution when installing applications.

Read more in:

The Register: 'Cloak and dagger' vuln rolls critical hit against latest Android versions http://www.theregister.co.uk/2017/05/25/cloak_dagger_android_vuln/
The Hill: Researchers spotlight 'cloak and dagger' attack against Android devices http://thehill.com/policy/cybersecurity/335126-researchers-spotlight-cloak-and-dagger-attack-against-android-devices
Cyberscoop: 'Cloak & Dagger' attack hits all the typical Android security weaknesses https://www.cyberscoop.com/android-cloak-and-dagger-attack-google-play/?category_news=technology
Threatpost: Android Overlay and Accessibility Features Leave Millions at Risk https://threatpost.com/android-overlay-and-accessibility-features-leave-millions-at-risk/125888/
Cloak and Dagger: Cloak & Dagger http://cloak-and-dagger.org/

Samba Patches Remote Code Execution Flaw (May 24 & 25, 2017)

Samba has released a fix for a remote code execution vulnerability. The flaw allows attackers to upload malicious files to systems and servers and cause them to be executed. The issue affects all versions of Samba from 3.5.0 forward. Samba has released versions 4.6.4, 4.5.10, and 4.4.14 as well as patches for older versions of Samba.

[Editor Comments]

[Ullrich and Honan] Even if you have a "Windows Only" network, be aware that network storage devices often run Linux and use Samba to share files. These devices may be vulnerable. An attacker does need to first upload a file to the system, which typically requires credentials and makes exploitation less likely.

[Williams] This is a bad vulnerability and some are comparing it to EternalBlue (the vulnerability that powered WannaCry). However, this vulnerability requires a fairly non-standard configuration to exploit. In order to be exploited, the attacker must be able to write files to a Samba share. Most device configurations do not allow anonymous personnel to write arbitrary files to a remote Samba share. So yes, there are hundreds of thousands of devices on the Internet that can be tricked into loading an arbitrary shared library. But without the ability to write a malicious library to the device, the threat is reduced substantially. The threat of this vulnerability is much greater in internal network environments where attackers have likely already compromised accounts they can use to write files to a Samba share.

Read more in:

Threatpost: Samba Patches Wormable Bug Exploitable With One Line of Code https://threatpost.com/samba-patches-wormable-bug-exploitable-with-one-line-of-code/125915/
BleepingComputer: Over 104,000 Samba Installations Vulnerable to Remote Takeover Attacks https://www.bleepingcomputer.com/news/security/over-104-000-samba-installations-vulnerable-to-remote-takeover-attacks/
Dark Reading: New Samba Bug Dangerous But No WannaCry http://www.darkreading.com/attacks-breaches/new-samba-bug-dangerous-but-no-wannacry/d/d-id/1328975?
The Register: Fat-thumbed dev slashes Samba security http://www.theregister.co.uk/2017/05/25/fatthumbed_dev_slashes_samba_security/
Ars Technica: A wormable code-execution bug has lurked in Samba for 7 years. Patch now! https://arstechnica.com/security/2017/05/a-wormable-code-execution-bug-has-lurked-in-samba-for-7-years-patch-now/
ZDNet: It's not just Windows anymore, Samba has a major SMB bug http://www.zdnet.com/article/its-not-just-windows-anymore-samba-has-a-major-smb-bug/
GCN: US-CERT urges fast patch to Samba vulnerability https://gcn.com/articles/2017/05/25/us-cert-samba.aspx?admgarea=TC_SecCybersSec
Samba: Remote code execution from a writable share https://www.samba.org/samba/security/CVE-2017-7494.html
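The item and the editor comments above make the exposure conditional: a Samba build without the fix, a share the attacker can write to, and (per the Samba advisory linked above) the absence of the "nt pipe support = no" workaround in [global]. The following Python script is an added example written for this newsletter, not code from the Samba project: it parses an smb.conf, applies Samba's defaults and synonyms (read only = yes by default; writable, writeable and write ok are synonyms; [global] values are inherited by shares), lists writable and guest-writable shares, checks the version against the fixed releases named in the item (4.6.4, 4.5.10, 4.4.14, affected from 3.5.0), and reports whether all exposure conditions hold. The smb.conf text embedded in it is constructed for the demonstration.

```python
"""Audit an smb.conf for the exposure conditions of CVE-2017-7494:
a writable share on an unpatched Samba without the nt pipe support workaround.
Added example for this newsletter; not Samba project code."""
import json
import re

# Constructed sample smb.conf for the demonstration (not from a real host).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = NAS box
   map to guest = Bad User

[public]
   path = /srv/samba/public
   guest ok = yes
   read only = no

[backups]
   path = /srv/samba/backups
   valid users = @staff
   writable = yes

[docs]
   path = /srv/samba/docs
   read only = yes
"""

# Fixed releases named in the item, keyed by branch; affected from 3.5.0.
FIXED_VERSIONS = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
FIRST_AFFECTED = (3, 5, 0)
TRUE_VALUES = {"yes", "true", "1"}


def _norm(name):
    # Samba ignores case and whitespace in parameter names ("read only" == "readonly").
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section_name: {normalized_param: lowercased_value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm(key)] = value.strip().lower()
    return sections


def _bool(value, default):
    return default if value is None else value in TRUE_VALUES


def share_is_writable(share, global_):
    """Share settings override [global]; Samba's default is read only = yes."""
    for scope in (share, global_):
        for key in ("writable", "writeable", "writeok", "readonly"):
            if key in scope:
                val = _bool(scope[key], False)
                return (not val) if key == "readonly" else val
    return False


def version_needs_patch(version):
    """True if the version is in the affected range and below its branch's fix.
    Branches older than 4.4 are reported as needing the vendor backport."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    v = tuple(int(x) for x in m.groups())
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return v[:2] < (4, 4)   # branches after 4.6 were released with the fix
    return v < fixed


def audit(conf_text, samba_version):
    sections = parse_smb_conf(conf_text)
    global_ = sections.get("global", {})
    findings = {
        "version_vulnerable": version_needs_patch(samba_version),
        "nt_pipe_workaround": global_.get("ntpipesupport") == "no",
        "writable_shares": [],
        "guest_writable_shares": [],
    }
    for name, share in sections.items():
        if name == "global" or not share_is_writable(share, global_):
            continue
        findings["writable_shares"].append(name)
        # "public" is Samba's synonym for "guest ok"; default is no.
        guest = share.get("guestok", share.get("public", global_.get("guestok", "no")))
        if _bool(guest, False):
            findings["guest_writable_shares"].append(name)
    findings["exposed"] = (findings["version_vulnerable"]
                           and not findings["nt_pipe_workaround"]
                           and bool(findings["writable_shares"]))
    return findings


if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_SMB_CONF, "4.5.9"), indent=2))
```

On the sample, "public" is both writable and guest-accessible, "backups" is writable only for members of @staff (the case Williams describes, where already-compromised credentials suffice), and "docs" is read-only; with version 4.5.9 and no workaround the audit reports the host as exposed. Adding "nt pipe support = no" under [global], or upgrading to 4.5.10 or later, clears the "exposed" result, while the writable-share list stays useful for narrowing who could write to each share.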

NSA Employee Identities Could Be Exposed (May 24, 2017)

Shadow Brokers, the group that has been releasing alleged NSA hacking tools, may now be exposing the identities of NSA employees. In the metadata of some of the leaked files are names; at least one of the people named has worked for the NSA. In 2014, the US named and indicted five Chinese hackers and more recently, brought charges against two Russian Federal Security Service officers. These actions may have motivated Shadow Brokers to expose the identities of NSA cyber agents.

[Editor Comments]

[Williams] As one of the subjects of the article (yes, I'm that Jake Williams), I'm not thrilled with the US Government's response to this threat so far. I wrote in 2014 that the indictment of Chinese hackers would have consequences for US Government network exploitation operators and I stand by that today. While no foreign government has taken action yet, I am convinced the Shadow Brokers have much more left to leak. There's a cautionary tale here to anyone considering working in offensive cyber operations.

Read more in:

WSJ: In Modern Cyber War, the Spies Can Become Targets, Too https://www.wsj.com/articles/in-modern-cyber-war-the-spies-can-become-targets-too-1495618209

Apple Transparency Report (May 24, 2017)

Apple's transparency report for the second half of 2016 shows that the company received between 5,750 and 5,999 FISA orders and National Security Letters regarding between 4,750 and 4,999 accounts.

Read more in:

SC Magazine: Apple transparency report shows increased U.S. national security requests https://www.scmagazine.com/apple-transparency-report-shows-increased-us-national-security-requests/article/664101/
Threatpost: Apple Receives First National Security Letter, Reports Spike in Requests for Data https://threatpost.com/apple-receives-first-national-security-letter-reports-spike-in-requests-for-data/125856/
Apple: Report on Government and Private Party Requests for Customer Information: July 1 - December 31, 2016 (PDF) https://images.apple.com/legal/privacy/transparency/requests-2016-H2-en.pdf

Subtitle Parsing Flaw Could Give Attackers Control of Devices (May 23, 2017)

A flaw in some media players that parse subtitles could be exploited to take control of the device running the vulnerable software. Attackers could create malicious subtitle files for video content; if viewers running vulnerable media players download the infected content, their devices could become compromised.

Read more in:

CheckPoint: Hacked in Translation - from Subtitles to Complete Takeover http://blog.checkpoint.com/2017/05/23/hacked-in-translation/
The Register: Media players wide open to malware fired from booby-trapped subtitles
Threatpost: Subtitle Hack Leaves 200 Million Vulnerable to Remote Code Execution
BleepingComputer: Malicious Movie Subtitles Can Give Hackers Full Control Over Your PC

Russia Arrests 20 in Connection with Malware Schemes (May 23, 2017)

Authorities in Russia have arrested 20 people in connection with a malware campaign that stole money from online bank accounts. There is some evidence the group were planning to expand their operations beyond Russian banks.

Read more in:

The Register: Russian raids sweep up 20 malware scum

DEFCON to Plumb Electronic Voting Machines' Security (May 23, 2017)

The DEFCON conference in July will include a "village" of electronic voting machines for attendees to try to crack. DEFCON founder Jeff Moss said that the voting machine companies are welcome to be involved in the process, but expects that they will not take him up on his offer.

Read more in:

Politico: Top hacker conference to target voting machines


Multiple Video Players are Vulnerable to Code Execution via Subtitle Files


Samsung Galaxy S8 Iris Scanner Bypass


Verizon XSS Flaw in Web Messaging Application


Jaff Ransomware Gets a Makeover


OpenVPN Access Server Vulnerability


Large Credential Dumps Used in Password Brute Forcing Attacks


Samba Remote Code Execution Vulnerability


Pacemaker Vulnerabilities


Patching May have Affected Access to Australian Health Systems


The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create