
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #44

June 2, 2017


Classified Defense Data Found in Unprotected Cloud Storage
OneLogin Breach
Google Improves Gmail Security for Enterprise Users
Insider Threat Training Requirement for US Gov't Contractors


Fireball Adware
Linux Sudo Patches
Nine Indicted in Car Theft Ring
NTFS Flaw Can Be Exploited to Crash Systems
When is a Chrome Flaw Not a Flaw? When Google Says So
NIST Draft Guide on Secure Inter-Domain Routing
Companies Prepare Fixes for Samba Vulnerability
RADIUS Server Flaw
WannaCry Coding Errors May Enable Data Recovery



*************************** Sponsored By VMRay **************************

Meet the VMRay Team at the SANS SOC Summit in Arlington, VA June 5-6 and learn how VMRay Analyzer is virtually impossible for malware to evade. Download the latest whitepaper from the VMRay Research Team, "Defeat Evasive Malware". You'll learn how malware evades an analysis environment by using event-based triggers and exploiting sandbox weaknesses. http://www.sans.org/info/195310



-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 |

-- Digital Forensics & Incident Response Summit & Training | Austin, TX | June 22-29 |

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 |

-- SANS London July 2017 | July 3-8 |

-- SANS Cyber Defence Singapore | July 10-15 |

-- SANS ICS & Energy-Houston 2017 | July 10-15, 2017 |

-- SANSFIRE 2017 | Washington, DC | July 22-29 |

-- SANS Network Security | Las Vegas, NV | September 10-17 |

-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WK) and Evening (vLive - http://www.sans.org/u/WZ) courses available!

-- SANS Online Training: Special Offer! Register by May 10 and receive a new iPad, Samsung Galaxy Tab A or take $350 off your OnDemand or vLive Course!

-- OnDemand http://www.sans.org/u/pS9

-- vLive http://www.sans.org/u/pSj

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X9
Contact mentor@sans.org

-- Looking for training in your own community?
Community - http://www.sans.org/u/Xo

-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/XD

Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN



Classified Defense Data Found in Unprotected Cloud Storage (May 31 & June 1, 2017)

A US defense contractor appears to have stored sensitive US intelligence data in a publicly accessible Amazon S3 storage bucket. Initial reports described the material as top secret; NGA has since said it was sensitive but unclassified. The account has been linked to contractor Booz Allen Hamilton. The data are related to the US National Geospatial-Intelligence Agency (NGA), which provides battlefield satellite and drone surveillance imagery.

[Editor Comments]

[Pescatore] Skyhigh Networks has published data showing a high percentage of cloud-based Outlook email users are also using other features of Office365, in particular OneDrive cloud-based storage. The data also shows that 15-20% of the data users put in OneDrive is violating policy against such external storage. Their data focuses on Office365, but the same issues are likely true across other cloud-based email services. The biggest deterrent to this happening is IT offering users a standard and approved service. Monitoring of data being stored at cloud services is also available through a number of vendors, these days often called Cloud Access Security Brokers.

[Williams] While NGA is claiming that this data is sensitive but unclassified, it is clear that it should not have been unprotected in the Amazon cloud. Amazon has a special GovCloud environment that can be used for more sensitive data when multi-tenant concerns exist. Obviously this special protected enclave wasn't used for this data, and of course multiple other security issues exist here. Some organizations think that moving to the cloud will automatically make them more secure. More often than not, however, cloud adoption actually creates security issues rather than eliminating them.

[Neely] DHS requires the use of FedRAMP certified CSPs, which includes requiring access to government data over a TIC and the use of strong authentication. These do not mesh well with directives of cloud first and necessary open collaboration with the private sector, which is needed for the US to be competitive. Solutions are being implemented quickly to meet project deadlines, which results in circumventing or ignoring the required controls, underscoring the need for deeper understanding of how data in the cloud is secured, protected and accessed.

Read more in:

Ars Technica: Defense contractor stored intelligence data in Amazon cloud unprotected [Updated] https://arstechnica.com/security/2017/05/defense-contractor-stored-intelligence-data-in-amazon-cloud-unprotected/
CNET: US military data reportedly left on unsecured Amazon server https://www.cnet.com/news/us-military-data-reportedly-left-on-unsecured-amazon-server/
The Hill: Intelligence contractor credentials left unsecured on Amazon server: report http://thehill.com/policy/cybersecurity/335769-intelligence-contractor-credentials-left-unsecured-on-amazon-server
The Register: Security company finds unsecured bucket of US military images on AWS http://www.theregister.co.uk/2017/06/01/us_national_geospatial_intelligence_agency_leak/
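
The practical question behind this story is how to find such a bucket in your own accounts before someone else does. The check below is an added example (not code from any of the linked reports or from AWS): it takes a bucket's ACL and bucket policy in the shape that boto3's get_bucket_acl() and get_bucket_policy()["Policy"] return them and reports every grant to anonymous users or to all AWS accounts. The bucket name, ACL and policy documents are constructed for illustration.

```python
"""Flag S3 bucket ACLs and bucket policies that open a bucket to anonymous users
or to every AWS account. Added example: the bucket name, ACL and policy documents
below are constructed for illustration and are not from the reported incident."""
import json

# Canned ACL group URIs that mean "anyone on the Internet" and "any AWS account".
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers (any AWS account)",
}


def public_acl_grants(acl):
    """Return (grantee, permission) for each ACL grant to a public group.

    `acl` has the shape returned by boto3 get_bucket_acl(): {"Owner": ..., "Grants": [...]}.
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GROUP_URIS:
            findings.append((PUBLIC_GROUP_URIS[uri], grant.get("Permission")))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    # IAM policy grammar: Principal may be "*" or {"AWS": "*"} or {"AWS": [...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json):
    """Split Allow statements with a wildcard Principal into (unconditional, conditional).

    Each entry is (Sid, [actions]). Conditional statements are not safe by default: whether an
    aws:SourceVpce or aws:SourceIp condition really limits access needs a human look, so they
    are reported separately rather than dropped.
    """
    policy = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    unconditional, conditional = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        entry = (stmt.get("Sid"), _as_list(stmt.get("Action", [])))
        (conditional if stmt.get("Condition") else unconditional).append(entry)
    return unconditional, conditional


def audit_bucket(name, acl, policy_json):
    """Return human-readable findings for one bucket; an empty list means nothing public was found."""
    findings = [f"{name}: ACL grants {perm} to {who}" for who, perm in public_acl_grants(acl)]
    unconditional, conditional = public_policy_statements(policy_json)
    findings += [f"{name}: policy statement {sid!r} allows {actions} to everyone"
                 for sid, actions in unconditional]
    findings += [f"{name}: policy statement {sid!r} allows {actions} to '*' with a Condition (review it)"
                 for sid, actions in conditional]
    return findings


# Constructed sample inputs for a hypothetical bucket.
SAMPLE_ACL = {
    "Owner": {"ID": "example-owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/s3/LogDelivery"}, "Permission": "WRITE"},
    ],
}
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-imagery-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-imagery-bucket", "arn:aws:s3:::example-imagery-bucket/*"],
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}},
        {"Sid": "DenyInsecure", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-imagery-bucket/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

if __name__ == "__main__":
    for line in audit_bucket("example-imagery-bucket", SAMPLE_ACL, SAMPLE_POLICY):
        print(line)
```

Against live accounts, loop over s3.list_buckets() and feed each bucket's get_bucket_acl() result and get_bucket_policy()["Policy"] string (catching the NoSuchBucketPolicy error for buckets without a policy); object-level ACLs can also make individual objects public even when the bucket itself is not, so a complete sweep samples object ACLs too.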

OneLogin Breach (May 31 & June 1, 2017)

Identity and single sign-on provider OneLogin has acknowledged that some of its customer data have been compromised. The breach affects its US data centers. OneLogin is urging its customers to change their passwords and to generate new API keys and OAuth tokens. In an email to customers, OneLogin wrote that "customer data was compromised, including the ability to decrypt encrypted data."

[Editor Comments]

[Pescatore] To paraphrase an old saying, "If you are going to put all your username/password pairs into someone else's basket, make sure it is a really, really secure basket - and that you can quickly recover if it isn't." OneLogin said "threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US" but not how the keys were obtained. In past compromises of users of the major cloud services, the user company's cloud admin was phished and login credentials and/or keys were compromised. This points out the need for strong authentication for all admin accounts, including cloud admins.

Read more in:

KrebsOnSecurity: OneLogin: Breach Exposed Ability to Decrypt Data https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/
Motherboard: Identity Manager OneLogin Has Suffered a Nasty Looking Data Breach https://motherboard.vice.com/en_us/article/identity-manager-onelogin-has-suffered-a-nasty-looking-data-breach
ZDNet: Password manager OneLogin hacked, exposing sensitive customer data http://www.zdnet.com/article/onelogin-hit-by-data-breached-exposing-sensitive-customer-data/
Cyberscoop: Password manager OneLogin hacked, attackers could 'decrypt encrypted data' https://www.cyberscoop.com/password-manager-onelogin-hacked/?category_news=technology
OneLogin: May 31, 2017 Security Incident https://www.onelogin.com/blog/may-31-2017-security-incident
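
OneLogin's own description, AWS keys used "from an intermediate host with another, smaller service provider", is exactly the signal a CloudTrail detection should catch: an access key calling the API from an address that is not one of your known egress points. The detector below is an added example, not OneLogin's or AWS's code. It assumes the organisation knows the CIDRs its automation and administrators call AWS from (EXPECTED_EGRESS, constructed here from RFC 5737 documentation ranges) and uses constructed CloudTrail records with fake key IDs; the field names (eventSource, eventName, sourceIPAddress, userIdentity.accessKeyId) are the real CloudTrail ones.

```python
"""Flag AWS API calls made with an access key from outside the network the key is expected
to be used from. Added example: the egress ranges, key IDs and CloudTrail records below are
constructed (RFC 5737 documentation addresses, fake key IDs), not from the OneLogin incident."""
import ipaddress
import json

# Constructed allowlist: where your own automation and admins legitimately call the AWS API from.
EXPECTED_EGRESS = [ipaddress.ip_network(cidr) for cidr in ("203.0.113.0/24", "198.51.100.0/25")]

# Calls whose misuse from an unexpected host is most damaging: they hand over secrets or data.
SENSITIVE_CALLS = {
    ("kms.amazonaws.com", "Decrypt"),
    ("secretsmanager.amazonaws.com", "GetSecretValue"),
    ("s3.amazonaws.com", "GetObject"),
    ("iam.amazonaws.com", "CreateAccessKey"),
}


def off_network(ip_text):
    """True when the caller IP is outside every expected egress range.

    CloudTrail puts a service name such as "cloudformation.amazonaws.com" in sourceIPAddress
    for calls made by AWS on your behalf; those are not external callers and are skipped.
    """
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return not any(ip in net for net in EXPECTED_EGRESS)


def load_records(jsonl):
    """Parse CloudTrail records stored one JSON object per line."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def detect(records):
    """Return one finding per event where an access key is used off-network.

    Long-term keys (IDs beginning AKIA) get a rotation instruction; temporary STS keys (ASIA)
    expire on their own but still show where a stolen session token was replayed from.
    """
    findings = []
    for rec in records:
        key_id = rec.get("userIdentity", {}).get("accessKeyId", "")
        src = rec.get("sourceIPAddress", "")
        if not key_id or not off_network(src):
            continue
        sensitive = (rec.get("eventSource"), rec.get("eventName")) in SENSITIVE_CALLS
        findings.append({
            "time": rec.get("eventTime"),
            "accessKeyId": key_id,
            "call": f'{rec.get("eventSource")}:{rec.get("eventName")}',
            "sourceIPAddress": src,
            "severity": "high" if sensitive else "medium",
            "action": ("revoke and rotate key now" if key_id.startswith("AKIA")
                       else "revoke the session and find how the token left the host"),
        })
    return findings


# Constructed CloudTrail records: normal use, then the same long-term key used from 192.0.2.77,
# a temporary key replayed from 192.0.2.9, and a service-originated call that must not alert.
SAMPLE_CLOUDTRAIL = """
{"eventTime": "2017-05-31T02:14:07Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.40", "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE000000001"}}
{"eventTime": "2017-05-31T02:21:45Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "sourceIPAddress": "192.0.2.77", "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE000000001"}}
{"eventTime": "2017-05-31T02:22:03Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets", "sourceIPAddress": "192.0.2.77", "userIdentity": {"type": "IAMUser", "userName": "deploy-bot", "accessKeyId": "AKIAEXAMPLE000000001"}}
{"eventTime": "2017-05-31T02:30:11Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "192.0.2.9", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ci-runner/build-42", "accessKeyId": "ASIAEXAMPLE000000002"}}
{"eventTime": "2017-05-31T02:31:00Z", "eventSource": "s3.amazonaws.com", "eventName": "PutObject", "sourceIPAddress": "cloudformation.amazonaws.com", "userIdentity": {"type": "IAMUser", "userName": "stack-deployer", "accessKeyId": "AKIAEXAMPLE000000003"}}
"""

if __name__ == "__main__":
    for finding in detect(load_records(SAMPLE_CLOUDTRAIL)):
        print(finding)
```

Two caveats when running this for real: S3 object-level calls such as GetObject only appear in CloudTrail if data events are enabled for the bucket, and an allowlist of egress addresses is only as good as its upkeep, so pair it with MFA on every console and API-capable identity as the editor's comment suggests.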

Google Improves Gmail Security for Enterprise Users (May 31, 2017)

Google is adding security features to Gmail for its enterprise users to protect them from phishing, malicious links, and malware. Google is using machine-learning detection to block spam and phishing emails. Users will also see warnings when they click on suspicious links and when they attempt to send protected data to an address outside the company.

[Editor Comments]

[Pescatore] Google blocking more is good, but imagine if ISPs ever took initiative (or were required) to do the same thing closer to the source. If only the serious attacks reached the endpoints, the reduction in noise alone would make it much easier to quickly detect a targeted or zero day attack that got through.

Read more in:

ZDNet: Google adds security features to Gmail http://www.zdnet.com/article/google-adds-security-features-to-gmail/
eWeek: Google Adds New Anti-Phishing Features to Gmail for Enterprise Users http://www.eweek.com/security/google-adds-new-anti-phishing-features-to-gmail-for-enterprise-users
BleepingComputer: Google Says Gmail Now Blocks 99.9% of Spam and Phishing Emails https://www.bleepingcomputer.com/news/security/google-says-gmail-now-blocks-99-9-percent-of-spam-and-phishing-emails/

Insider Threat Training Requirement for US Gov't Contractors (May 31, 2017)

US federal contractors wishing to maintain their clearances must have completed an insider threat training course by June 1, 2017. The requirement is described in the National Industrial Security Program Operating Manual (NISPOM) Change 2. The course is the second step of a new compliance requirement. The first part took effect late last year and required contractors to implement changes to protect their systems from insider threats.

Read more in:

SC Magazine: Insider threat training deadline here for federal contractors https://www.scmagazine.com/insider-threat-training-deadline-here-for-federal-contractors/article/665358/
DTIC: NISPOM Change 2 (May 18, 2016) (PDF) http://www.dtic.mil/whs/directives/corres/pdf/522022M.pdf
*************************** SPONSORED LINKS *****************************
1) Be sure to check out "Fighting Account Takeover - Change The Battle and Win" Register: http://www.sans.org/info/195315
2) Webcast: "Evaluation Criteria for ICS Cyber Security Monitoring with Rockwell Automation and Claroty" Register: http://www.sans.org/info/195320
3) SANS Finance Briefing in NYC: Practical Threat Modeling For Financial Organizations - Free to the Financial Cybersecurity Community. Learn More: http://www.sans.org/info/195325


Fireball Adware (June 1, 2017)

Malware known as Fireball has made its way onto 20 percent of corporate networks around the world. According to Check Point, the browser-hijacking malware has infected more than 250 million computers. Fireball arrives on computers bundled with other software. Fireball "currently... installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any malware." While Check Point has classified Fireball as malware, the Chinese digital marketing company behind it is using it as a marketing research tool.

Read more in:

Dark Reading: Chinese 'Fireball' Malware Infects 20% of Global Corporate Networks http://www.darkreading.com/threat-intelligence/chinese-fireball-malware-infects-20--of-global-corporate-networks/d/d-id/1329025?
SC Magazine UK: Global Fireball adware epidemic infects nine percent of UK networks https://www.scmagazineuk.com/global-fireball-adware-epidemic-infects-nine-percent-of-uk-networks/article/665439/
eWeek: Fireball Hijack Infects 250 Million Browsers, Check Point Discovers http://www.eweek.com/security/fireball-hijack-infects-250-million-browsers-check-point-discovers
Check Point: FIREBALL - The Chinese Malware of 250 Million Computers Infected http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/

Linux Sudo Patches (June 1, 2017)

Updates for several Linux distributions are available to address a flaw in sudo (CVE-2017-1000367, reported by Qualys). sudo determines the invoking user's terminal by parsing the tty field of /proc/[pid]/stat; because a process name may contain whitespace, a local user who already holds sudo rights for any command can make sudo misparse that field and, on systems where sudo was built with SELinux support, open and overwrite an arbitrary file as root. The issue affects sudo 1.8.6p7 through 1.8.20 when SELinux support is compiled in; it is fixed in sudo 1.8.20p1.

[Editor Comments]

[Williams] In order for a user to exploit this vulnerability, they must already be in the sudo group for at least one command and SELinux must be enabled. The majority of users should not have sudo privileges for any commands. This is a great time to review your sudo permissions enterprise wide. Also relevant, I gave a talk last year that shows how attackers use common sudo misconfigurations for privilege escalation (https://www.youtube.com/watch?v=kuE2yqULs-Y).

Read more in:

Bleeping Computer: Linux Distros Patch Dangerous Vulnerability in Sudo Command https://www.bleepingcomputer.com/news/security/linux-distros-patch-dangerous-vulnerability-in-sudo-command/
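
The editor's comment above is the actionable part: the flaw needs an existing sudo right, so the question is who has one and what it allows. The script below is an added example (not from sudo, Qualys or the talk linked above) that parses a sudoers file and flags the entries that turn a "limited" sudo right into full root: ALL, NOPASSWD, wildcards in command arguments (which allow extra options to be injected), and commands that can spawn a shell or write arbitrary files. The sudoers content is constructed; the lists of dangerous programs are the example's own and deliberately short.

```python
"""Audit a sudoers file for entries that amount to unrestricted root.
Added example; the sample sudoers text and the program lists are constructed for illustration."""
import re
from dataclasses import dataclass

# Programs that can drop to a shell or run arbitrary commands once they run as root.
SHELL_ESCAPE = {"vim", "vi", "less", "more", "man", "find", "awk", "perl", "python", "python3",
                "bash", "sh", "zsh", "env", "su", "rsync", "tar", "zip", "ftp"}
# Programs that can overwrite or re-own any file (/etc/sudoers, /etc/shadow, ...).
FILE_WRITE = {"tee", "cp", "mv", "dd", "chmod", "chown"}

SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")


@dataclass
class Finding:
    user: str
    severity: str
    reason: str
    line: str


def parse_user_specs(text):
    """Yield (user, host, runas, [(tags, command)], raw line) for each user specification."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        cmds, tags = [], set()
        for chunk in m.group("cmds").split(","):
            chunk = chunk.strip()
            # Tags such as NOPASSWD: or SETENV: apply to this and every following command.
            while ":" in chunk and chunk.split(":", 1)[0].isupper():
                tag, chunk = chunk.split(":", 1)
                tags.add(tag.strip())
                chunk = chunk.strip()
            cmds.append((frozenset(tags), chunk))
        yield m.group("user"), m.group("host"), m.group("runas"), cmds, line


def audit_sudoers(text):
    """Return a Finding for every risky element; root's own entry is expected and skipped."""
    findings = []
    for user, _host, _runas, cmds, line in parse_user_specs(text):
        if user == "root":
            continue
        if any("NOPASSWD" in tags for tags, _ in cmds):
            findings.append(Finding(user, "medium", "NOPASSWD: no second factor, abusable by any process running as the user", line))
        for _tags, cmd in cmds:
            if cmd == "ALL":
                findings.append(Finding(user, "high", "ALL: unrestricted root", line))
                continue
            name = cmd.split()[0].rsplit("/", 1)[-1]
            if any(ch in cmd for ch in "*?["):
                findings.append(Finding(user, "high", f"wildcard in arguments of {cmd}: extra options can be injected", line))
            if name in SHELL_ESCAPE:
                findings.append(Finding(user, "high", f"{name} can spawn a root shell", line))
            elif name in FILE_WRITE:
                findings.append(Finding(user, "high", f"{name} can overwrite arbitrary files as root", line))
    return findings


# Constructed sample sudoers content.
SAMPLE_SUDOERS = """
# /etc/sudoers (constructed sample)
Defaults    env_reset
Cmnd_Alias  SERVICES = /usr/bin/systemctl
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
deploy      ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/vim /etc/app/config.yml
backup      ALL=(root) NOPASSWD: /usr/bin/rsync *
monitor     ALL=(root) /usr/bin/tail -n 100 /var/log/syslog
@includedir /etc/sudoers.d
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f.severity}] {f.user}: {f.reason}\n    {f.line}")
```

This reads one file; real deployments also have /etc/sudoers.d and LDAP-backed rules, so the authoritative view per user is `sudo -l -U username`, and every edit should go through `visudo -c` before it lands. Note that the clean "monitor" entry is still enough to exploit CVE-2017-1000367 on an unpatched host: the review tells you which accounts to worry about, the patch is still required.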

Nine Indicted in Car Theft Ring (May 31 & June 1, 2017)

The US Department of Justice has indicted nine members of a motorcycle gang in connection with a car theft scheme in which they allegedly used stolen automobile dealer credentials and handheld diagnostic tools to program and cut duplicate keys for hundreds of Jeep Wrangler vehicles. They would then allegedly steal the vehicles and strip them for parts. Three of the nine people named in the indictment have been arrested.

Read more in:

The Register: Sons of IoT: Bikers hack Jeeps in auto theft spree http://www.theregister.co.uk/2017/05/31/bikers_hack_jeeps_in_auto_theft_spree/
SC Magazine: Motorcycle gang hacks and steals Jeep Wranglers https://www.scmagazine.com/hooligans-motorcycle-gang-caught-hacking-and-stealing-jeep-wranglers/article/665320/
BleepingComputer: Motorcycle Gang Busted for Hacking and Stealing Over 150 Jeep Wranglers https://www.bleepingcomputer.com/news/security/motorcycle-gang-busted-for-hacking-and-stealing-over-150-jeep-wranglers/
ZDNet: Biker group charged with hacking hundreds of Jeeps, motorcycles in crime spree http://www.zdnet.com/article/biker-group-charged-with-hacking-hundreds-of-jeeps-in-crime-spree/
Regmedia: Indictment (PDF) https://regmedia.co.uk/2017/05/31/indictment5_30.pdf

NTFS Flaw Can Be Exploited to Crash Systems (May 26, 30, & 31, 2017)

A flaw in the way Windows NTFS handles its $MFT metadata file could be exploited to hang or crash vulnerable systems. The issue affects Windows Vista, 7, and 8.1, but not Windows 10. Any attempt to open a path that uses $MFT as a directory component, such as c:\$MFT\123, locks up the filesystem driver and the machine hangs or blue-screens; because the path can be supplied as an image source on a web page, visiting the page is enough. Current versions of Chrome refuse to load images from such file paths, which closes that delivery route; other browsers were reported not to block it.

Read more in:

ZDNet: A simple file naming bug can crash Windows 8.1 and earlier http://www.zdnet.com/article/old-windows-bug-can-crash-windows-8-1-and-below-with-a-bad-file-name/
SC Magazine: Flaw in Microsoft Master File Table could allow hackers to BSOD Windows https://www.scmagazineuk.com/flaw-in-microsoft-master-file-table-could-allow-hackers-to-bsod-windows/article/665006/
Ars Technica: In a throwback to the '90s, NTFS bug lets anyone hang or crash Windows 7, 8.1 https://arstechnica.co.uk/information-technology/2017/05/in-a-throwback-to-the-90s-ntfs-bug-lets-anyone-hang-or-crash-windows-7-8-1/

When is a Chrome Flaw Not a Flaw? When Google Says So (May 31, 2017)

Google says that a situation in Chrome in which a website can record audio and video from a user's computer without displaying the red recording light on the tab is not a security issue. Instead, the problem is a user issue, according to Google, because users have to give websites permission to record. "The dot is a best first-effort that only works on desktop when we have Chrome UI space available," wrote Google in its response to the Chrome bug report. "That being said, we are looking at ways to improve this situation." The researcher who discovered the issue notes that users are not always aware of what they are allowing when they grant website permissions.

Read more in:

Computerworld: Chrome bug that lets sites secretly record audio and video is not a flaw Google says http://computerworld.com/article/3199018/security/chrome-bug-that-lets-sites-secretly-record-audio-and-video-is-not-a-flaw-google-says.html

NIST Draft Guide on Secure Inter-Domain Routing (May 31, 2017)

The US National Institute of Standards and Technology (NIST) has released a draft guide titled "Secure Inter-Domain Routing: Route Hijacks." Focusing on solutions to security problems present in the widely used Border Gateway Protocol (BGP), the document aims to "provide security recommendations for the use of Inter-domain protocols and routing technologies." The comment period on the draft document closes on June 29, 2017.

Read more in:

Nextgov: NIST Wants to Protect Internet Traffic From Hijacking and Spying http://www.nextgov.com/cybersecurity/2017/05/nist-wants-protect-internet-traffic-hijacking-and-spying/138294/?oref=ng-channeltopstory
NIST: Secure Inter-Domain Routing https://nccoe.nist.gov/projects/building-blocks/secure-inter-domain-routing
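
The mechanism at the centre of route-hijack defence is RPKI route origin validation (RFC 6811): a router compares each received prefix and origin AS with the Route Origin Authorizations (ROAs) the prefix holder has signed. The following is an added example of that comparison, not code from the NIST draft or from any router vendor; the ROAs, prefixes and AS numbers are constructed from documentation ranges (RFC 5737, RFC 3849) and private-use ASNs. It also shows the case operators most often get wrong: a more-specific announcement from the legitimate AS is still Invalid if it exceeds the ROA's maxLength.

```python
"""BGP route origin validation (RFC 6811) against a set of ROAs. Added example, not from the
NIST draft: the ROAs, prefixes and AS numbers are constructed from documentation ranges
and private-use ASNs."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: object      # ipaddress.IPv4Network or IPv6Network
    max_length: int     # longest prefix length the ASN may originate under this ROA
    asn: int


def roa(prefix, max_length, asn):
    net = ipaddress.ip_network(prefix)
    if not net.prefixlen <= max_length <= net.max_prefixlen:
        raise ValueError(f"maxLength {max_length} out of range for {net}")
    return ROA(net, max_length, asn)


def validate_origin(announced_prefix, origin_asn, roas):
    """Classify one announcement as 'valid', 'invalid' or 'notfound'.

    notfound: no ROA covers the prefix at all, so RPKI says nothing about it.
    valid:    at least one covering ROA names this origin ASN and permits this prefix length.
    invalid:  covering ROAs exist but none matches. This is what an origin hijack or an
              over-specific leak looks like, and also what a mis-registered ROA looks like.
    """
    prefix = ipaddress.ip_network(announced_prefix)
    covering = [r for r in roas
                if r.prefix.version == prefix.version and prefix.subnet_of(r.prefix)]
    if not covering:
        return "notfound"
    for r in covering:
        if r.asn == origin_asn and prefix.prefixlen <= r.max_length:
            return "valid"
    return "invalid"


def origin_as(as_path):
    """Origin is the last ASN in AS_PATH; an AS_SET at the end has no single origin."""
    last = as_path[-1]
    return None if isinstance(last, (set, frozenset)) else last


def policy_action(state):
    """A common operator policy: drop invalids, prefer valids, accept notfound unchanged."""
    return {"valid": "accept, raise local-pref", "notfound": "accept", "invalid": "reject"}[state]


ROAS = [
    roa("203.0.113.0/24", 24, 64496),
    roa("198.51.100.0/24", 26, 64497),
    roa("2001:db8::/32", 48, 64496),
]

# Constructed announcements: (prefix, AS_PATH as seen by the validating router).
ANNOUNCEMENTS = [
    ("203.0.113.0/24", [64500, 64496]),     # legitimate
    ("203.0.113.0/24", [64500, 64511]),     # origin hijack by AS64511
    ("203.0.113.0/25", [64500, 64496]),     # more-specific beyond maxLength, even from the right AS
    ("198.51.100.64/26", [64500, 64497]),   # allowed: maxLength 26
    ("192.0.2.0/24", [64500, 64499]),       # no ROA: RPKI is silent
    ("2001:db8:1::/48", [64500, 64496]),    # IPv6, valid
]


def classify_all(announcements, roas):
    """Return (prefix, origin, state, action) per announcement; AS_SET origins are treated as invalid
    here (the example's conservative choice)."""
    results = []
    for prefix, as_path in announcements:
        origin = origin_as(as_path)
        state = "invalid" if origin is None else validate_origin(prefix, origin, roas)
        results.append((prefix, origin, state, policy_action(state)))
    return results


if __name__ == "__main__":
    for row in classify_all(ANNOUNCEMENTS, ROAS):
        print(row)
```

Two limits worth keeping in mind when reading the draft: origin validation only checks the last AS in the path, so an attacker who prepends the legitimate origin to a forged path passes it (that is what BGPsec path validation addresses), and a "notfound" result is the common case for prefixes whose holders have not yet created ROAs, which is why the usual policy accepts it.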

Companies Prepare Fixes for Samba Vulnerability (May 31, 2017)

Companies with products affected by the Samba vulnerability (CVE-2017-7494, a remote code execution flaw that lets an attacker who can write to a share upload a shared library and have the server load it) are readying fixes. Cisco is developing fixes for two of its products and is looking into the need for fixes for 11 additional products. Netgear has already pushed out patches for some products and is investigating which other products may also require patches. For embedded devices that cannot yet be patched, the Samba project's interim mitigation is to add "nt pipe support = no" to the [global] section of smb.conf, at the cost of some Windows client functionality.

Read more in:

Threatpost: Cisco, Netgear Readying Patches for Samba Vulnerability https://threatpost.com/cisco-netgear-readying-patches-for-samba-vulnerability/125974/

RADIUS Server Flaw (May 29 & 30, 2017)

FreeRADIUS developers have released an update to fix an authentication bypass issue in the server. The vulnerability (CVE-2017-9148) lies in the way the FreeRADIUS TLS session cache behaves: a TLS session whose inner authentication failed could still be cached and later resumed, allowing an attacker to bypass authentication via EAP-PEAP or EAP-TTLS. The flaw affects FreeRADIUS 3.0.x before 3.0.14 (and 2.1.1 through 2.1.7); upgrading fixes it, and disabling TLS session caching mitigates it on servers that cannot be upgraded yet.

Read more in:

The Register: Popular RADIUS server exploitable with TLS session caching http://www.theregister.co.uk/2017/05/29/freeradius_exploitable_via_tls_session_caching/
Threatpost: FreeRADIUS Update Resolves Authentication Bypass https://threatpost.com/freeradius-update-resolves-authentication-bypass/125962/
NVD: CVE-2017-9148 Detail https://nvd.nist.gov/vuln/detail/CVE-2017-9148
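
The mitigation lives in the tls-config block that the peap and ttls sections of raddb/mods-available/eap reference. The fragment below is an added example rather than text from the FreeRADIUS advisory; the option names (cache, enable, lifetime, max_entries) are FreeRADIUS 3.0.x's own, the values shown are illustrative.

```conf
# raddb/mods-available/eap, inside "tls-config tls-common { ... }"
#
# Weak on an unpatched server: a resumed TLS session skips the inner
# authentication that the original session never completed.
#   cache {
#       enable = yes
#       lifetime = 24       # hours
#       max_entries = 255
#   }
#
# Interim mitigation until 3.0.14 is deployed: do not cache TLS sessions at all.
# Every EAP-PEAP/TTLS connection then performs the full inner authentication.
cache {
    enable = no
}
```

Restart the server after the change and confirm with a client that was deliberately given a wrong inner password: it must be rejected on reconnect as well as on first connect.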

WannaCry Coding Errors May Enable Data Recovery (June 1, 2017)

Researchers at Kaspersky Lab have found errors in the WannaCry ransomware's code that may enable recovery of files on affected machines: in some cases the originals of encrypted files are deleted in a recoverable way rather than wiped. Separately, the free wannakey and wanakiwi utilities rebuild the victim's RSA private key from prime factors that the ransomware leaves behind in process memory. Those tools only work if the infected computer has not been turned off or rebooted since infection, because a reboot discards that memory.

Read more in:

Silicon: Kaspersky Labs identifies mistakes http://www.silicon.co.uk/security/kaspersky-wannacry-mistakes-213695
Threatpost: WannaCry development errors enable file recovery https://threatpost.com/wannacry-development-errors-enable-file-recovery/126002/
Securelist: WannaCry mistakes that can help you restore files https://securelist.com/blog/research/78609/wannacry-mistakes-that-can-help-you-restore-files-after-infection/
wannakey and wanakiwi recovery tools on GitHub:
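
Why a still-running machine is recoverable and a rebooted one is not comes down to one fact: the RSA modulus is public, so any number found in memory that divides it is a prime factor, and from the two factors the private exponent follows. The block below is an added example of that recovery, not the code of wannakey, wanakiwi or Kaspersky: toy 32-bit primes stand in for the 1024-bit primes of a real RSA-2048 key, the "memory image" is constructed, and the session key is a made-up stand-in for the per-file AES key the real ransomware wraps with RSA.

```python
"""Recover an RSA private key from prime factors left in a process memory image and use it to
decrypt a per-victim session key. Added example; not the code of wannakey, wanakiwi or
Kaspersky. Toy 32-bit primes stand in for the 1024-bit primes of a real RSA-2048 key, and the
memory image is constructed; scanning for a divisor of the public modulus and rebuilding the
private exponent is what such tools do."""

P = 2147483647          # 2**31 - 1, prime (toy size; a real tool scans for 128-byte primes)
Q = 4294967291          # largest prime below 2**32
N = P * Q               # the public modulus is known from the ransomware's key blob
E = 65537


def find_factor_in_memory(dump, n, word_size=8):
    """Scan every offset of the dump for a little-endian integer that divides n.

    Because n has only the divisors 1, p, q and n, any window that divides it is a prime
    factor; there is no need to know where the crypto library kept it or how it was laid out."""
    for off in range(len(dump) - word_size + 1):
        cand = int.from_bytes(dump[off:off + word_size], "little")
        if 1 < cand < n and n % cand == 0:
            return cand, n // cand, off
    return None


def modinv(a, m):
    """Modular inverse by the extended Euclidean algorithm."""
    r0, r1, s0, s1 = a, m, 1, 0
    while r1:
        qt = r0 // r1
        r0, r1, s0, s1 = r1, r0 - qt * r1, s1, s0 - qt * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


def private_exponent(p, q, e):
    """d = e^-1 mod (p-1)(q-1): everything the private key needs, given the two primes."""
    return modinv(e, (p - 1) * (q - 1))


def recover_and_decrypt(dump, n, e, ciphertext):
    """Return the decrypted integer, or None when no factor survives in the image (e.g. after a reboot)."""
    hit = find_factor_in_memory(dump, n)
    if hit is None:
        return None
    p, q, _offset = hit
    return pow(ciphertext, private_exponent(p, q, e), n)


def build_dump(include_primes):
    """Constructed 128-byte 'memory image': filler, a string, and optionally the two primes."""
    img = bytearray(128)
    img[0:16] = b"\xaa" * 16
    img[16:26] = b"WNcry@2ol7"           # the ransomware's well-known string, as recognisable filler
    if include_primes:
        img[32:40] = P.to_bytes(8, "little")
        img[72:80] = Q.to_bytes(8, "little")
    return bytes(img)


DUMP_LIVE = build_dump(True)            # process still running: the freed primes were never zeroed
DUMP_AFTER_REBOOT = build_dump(False)   # memory reused; nothing to find

SESSION_KEY = int.from_bytes(b"aes-key", "big")   # constructed stand-in for the per-file AES key
CIPHERTEXT = pow(SESSION_KEY, E, N)               # how the ransomware wraps it with the public key

if __name__ == "__main__":
    print("live image   :", recover_and_decrypt(DUMP_LIVE, N, E, CIPHERTEXT) == SESSION_KEY)
    print("after reboot :", recover_and_decrypt(DUMP_AFTER_REBOOT, N, E, CIPHERTEXT))
```

The forensic lesson generalises beyond this malware: whenever a process has had key material in memory, acquire RAM before powering the machine down, and treat "the key is gone because the process exited" with suspicion until the allocator has provably reused the pages.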


FreeRADIUS Vulnerability
Microsoft Malware Protection Engine Update
Chrome UI Bug May Allow Unnoticed Recording
AWS Auditing Tools
Analysis of Competing Hypotheses, WCry and Lazarus
Windows XP Not Stable Enough for WannaCry
Mexican Biker Gang Uses Jeep Database to Steal Car
Dangers of Public AWS Snapshots
Sharing Private Data With Webcast Invitations
OneLogin Breach
Google AMP Phishing


The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create