
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Volume XIX - Issue #47

June 13, 2017


Crash Override/Industroyer Malware Targets Industrial Control Systems
Which Federal Contractors Are Best at Hiring and Retaining Cyber Ninjas?
US Cyber Weapons Lack Desired Effect Against ISIS


Virgin Media Fixes Flaw in Wireless Home Routers
US Dept. of Health and Human Services Cybersecurity Center
US Commerce Dept. Request for Public Comment on Fighting Automated Threats
SWIFT Profits Drop
Suspect in Scareware Scheme Extradited to US
Attackers Exploiting Samba Flaw to Install Cryptocurrency Miner on Linux Machines
US Trade and Development Agency's Risk-Based Approach to Cybersecurity
Apple Employees in China Allegedly Sold Customer Data



*************************** Sponsored By Remediant ***********************

Ready to try something new in Privileged Access Management? Remediant brings insight and control over privileged access without agents or password vaults. Enforces 2FA for admin accounts and integrates with SIEMs for log correlation. Visit us at Black Hat booth #IC17, or email blackhat@remediant.com to set up a demo! http://www.sans.org/info/195515



-- Digital Forensics & Incident Response Summit & Training | Austin, TX | June 22-29 |

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 |

-- SANS London July 2017 | July 3-8 |

-- SANS Cyber Defence Singapore | July 10-15 |

-- SANS ICS & Energy-Houston 2017 | July 10-15, 2017 |

-- SANSFIRE 2017 | Washington, DC | July 22-29 |

-- SANS London September 2017 | September 25-30 |

-- SANS Network Security | Las Vegas, NV | September 10-17 |

-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WK) and Evening (vLive - http://www.sans.org/u/WZ) courses available!

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X9
Contact mentor@sans.org

-- Looking for training in your own community?
Community - http://www.sans.org/u/Xo

-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/XD

-- SANS Online Training: Special Offer! Get a new iPad or an HP Chromebook 13 G1, or take $350 Off OnDemand or vLive Training when you register by June 21! - https://www.sans.org/online-security-training/specials/

Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN



Crash Override/Industroyer Malware Targets Industrial Control Systems (June 12, 2017)

Security researchers have analyzed the malware used in the December 2016 attack on the Ukrainian power grid, which caused a power outage. Dragos calls it CrashOverride and ESET calls it Industroyer; it is the first known malware built specifically to attack electric grids. It is considerably more capable than the malware used in the December 2015 attack on Ukrainian power distribution companies, even though the 2015 attack caused the larger outage. CrashOverride also has capabilities that were not used in the 2016 attack and that, according to Dragos, could keep affected systems down for as long as a week.

[Editor Comments]

[Neely] Limiting access, physical and logical, is your number one protection for ICS systems. Beyond that, evaluate your ICS systems to determine where you can best leverage network segmentation or isolation, whitelisting, auditing, anti-malware, and monitoring the environment.

[Murray] SCADA systems should be locked down such that it is not possible to install or modify programs while in an operational mode. The practice should be to disconnect it both from the Internet and the controls that it operates when performing maintenance of its programming.

[Weatherford] One of the most important and effective security components of any organization is system and network monitoring. If you aren't looking, you won't see when something unusual or bad happens.

[Assante] If this tool was actually used in the Dec 17, 2016 attack, a comparison with the 2015 incidents reveals that in less than one year there exists a flexible attack tool engineered to facilitate a multi-modal attack to maliciously operate a power system, with the additional capability of then damaging the SCADA system. The significance is that tools like this one collapse the timeline from ICS access to impact.

Read more in:

We Live Security: Industroyer: Biggest threat to industrial control systems since Stuxnet https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
Dragos: CRASHOVERRIDE: Analyzing the Threat to Electric Grid Operations (PDF) https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
US-CERT: Alert (TA17-163A): CrashOverride Malware https://www.us-cert.gov/ncas/alerts/TA17-163A
WSJ: Cyber Experts Identify Malware That Could Disrupt U.S. Power Grid https://www.wsj.com/articles/cyber-experts-identify-malware-that-could-disrupt-u-s-power-grid-1497271444
Ars Technica: Found: "Crash Override" malware that triggered Ukrainian power outage https://arstechnica.com/security/2017/06/crash-override-malware-may-sabotage-electric-grids-but-its-no-stuxnet/
Wired: 'Crash Override': The Malware That Took Down a Power Grid https://www.wired.com/story/crash-override-malware/
Motherboard: The Malware Used Against The Ukrainian Power Grid Is More Dangerous Than Anyone Thought https://motherboard.vice.com/en_us/article/ukraine-power-grid-malware-crashoverride-industroyer
Washington Post: Russia has developed a cyberweapon that can disrupt power grids, according to new research https://www.washingtonpost.com/world/national-security/russia-has-developed-a-cyber-weapon-that-can-disrupt-power-grids-according-to-new-research/2017/06/11/b91b773e-4eed-11e7-91eb-9611861a988f_story.html

Which Federal Contractors Are Best at Hiring and Retaining Cyber Ninjas? (May 31 & June 12, 2017)

Building on research by the Center for Strategic and International Studies (CSIS), a new SANS study has identified eight US government contractors that recruit and retain "cyber ninjas" (the people who can do the threat hunting that eludes even AI tools) at a higher rate than other organizations. The CSIS study, published last fall, found that once basic salary and benefit needs are met, cyber ninjas prefer to work at organizations where they can continue their training, do challenging work, and advance without having to become managers.

[Editor Comments]

[Ullrich] This study very well matches what I learned anecdotally in conversations with students. The right pay and benefits will initially attract qualified candidates, but they stay for an interesting job where they can make a difference and have a well-defined career path.

Read more in:

Cyberscoop: Recruitment and retention of 'cyber ninjas' doesn't have to be a dark art, report says https://www.cyberscoop.com/systems-integrators-top-cybersecurity-recruitment-talent-sans-institute-report-workforce/
SANS: Best Places to Work for Cyber Ninjas https://www.sans.org/best-places-to-work-for-cyber-ninjas?ref=195285
CSIS: Recruiting and Retaining Cybersecurity Ninjas https://www.csis.org/analysis/recruiting-and-retaining-cybersecurity-ninjas

US Cyber Weapons Lack Desired Effect Against ISIS (June 12, 2017)

While US offensive cyber operations against Iran and North Korea have met with some success, those aimed at ISIS have been less fruitful. More than a year ago, the Pentagon directed Cyber Command to disrupt ISIS's recruitment, propaganda distribution, and general business operations. Separately, Israeli intelligence reportedly infiltrated ISIS computer systems and learned that the group can build bombs that look like laptop batteries; the US president shared that information with Russian officials during a visit last month, angering Israel.

Read more in:

NYT: U.S. Cyberweapons, Used Against Iran and North Korea, Are a Disappointment Against ISIS https://www.nytimes.com/2017/06/12/world/middleeast/isis-cyber.html
CNET: Israel reportedly hacked ISIS, then Trump told Russia https://www.cnet.com/news/israel-hacked-isis-then-trump-shared-findings-with-russians/
*************************** SPONSORED LINKS *****************************
1) In case you missed it: "SecOps principles to close gaps in Vulnerability Management" with John Pescatore. Register: http://www.sans.org/info/195520
2) Did you miss it? Be sure to check out "Fighting Account Takeover - Change The Battle and Win" Register: http://www.sans.org/info/195525
3) Join the SANS Institute for the latest NYC Financial Briefing for the Financial Community in the New York City area. Free to the Financial Cybersecurity Community: http://www.sans.org/info/195530


Virgin Media Fixes Flaw in Wireless Home Routers (June 12, 2017)

Virgin Media has patched a vulnerability in its Super Hub wireless home routers that could be exploited to gain administrative-level access to vulnerable devices. The flaw lies in the feature that lets users back up their custom configuration: the backup files were encrypted, but with the same key on every router, so anyone who recovered that key from one device could decrypt, modify, and re-encrypt a backup for any other device. Virgin pushed out a firmware fix last month.
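To make the design flaw concrete, here is an added example; it is not Virgin Media's or Context's code, and the page does not describe the real cipher or file format, so the stream cipher below (HMAC-SHA256 in counter mode), the FIRMWARE_SHARED_KEY value and the "remote_admin" setting are all stand-ins. It contrasts a backup feature that encrypts every unit's configuration under one key compiled into the firmware with one that uses a per-unit secret and an authentication tag. Once the shared key has been pulled out of any one unit, a backup from any other unit can be decrypted, edited and re-encrypted, and the router has no way to tell.

```python
import hashlib
import hmac
import json
import os


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher standing in for the router's unspecified backup cipher:
    HMAC-SHA256 in counter mode generates a keystream that is XORed with the data,
    so the same call both encrypts and decrypts."""
    out = bytearray()
    for ctr, off in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], block))
    return bytes(out)


# --- Weak design, the pattern described for the Super Hub: one key compiled into every
# unit's firmware, no per-backup nonce, and nothing that binds a backup to one device.
FIRMWARE_SHARED_KEY = hashlib.sha256(b"assumed static key baked into the firmware").digest()
FIXED_NONCE = bytes(16)


def weak_export(config: dict) -> bytes:
    return _xor_stream(FIRMWARE_SHARED_KEY, FIXED_NONCE, json.dumps(config).encode())


def weak_import(blob: bytes) -> dict:
    """Decrypts and applies whatever it is given; there is no integrity check."""
    return json.loads(_xor_stream(FIRMWARE_SHARED_KEY, FIXED_NONCE, blob))


def forge_weak_backup(victim_blob: bytes, extracted_key: bytes) -> bytes:
    """What an attacker does with a key recovered from any one unit's firmware and a
    backup file from any other unit: decrypt, edit, re-encrypt. 'remote_admin' is a
    hypothetical setting name, not a documented Super Hub option."""
    cfg = json.loads(_xor_stream(extracted_key, FIXED_NONCE, victim_blob))
    cfg["remote_admin"] = True
    return _xor_stream(extracted_key, FIXED_NONCE, json.dumps(cfg).encode())


# --- Hardened design: a secret generated per unit at manufacture, a fresh nonce for each
# backup, and encrypt-then-MAC so a modified or foreign backup is rejected before parsing.
class HardenedRouter:
    def __init__(self):
        self.device_secret = os.urandom(32)  # unique to this unit; never shared across devices
        self.enc_key = hmac.new(self.device_secret, b"backup-enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(self.device_secret, b"backup-mac", hashlib.sha256).digest()

    def export(self, config: dict) -> bytes:
        nonce = os.urandom(16)
        ciphertext = _xor_stream(self.enc_key, nonce, json.dumps(config).encode())
        tag = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return nonce + ciphertext + tag

    def import_backup(self, blob: bytes) -> dict:
        if len(blob) < 16 + 32:
            raise ValueError("backup rejected: too short")
        nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("backup rejected: authentication tag mismatch")
        return json.loads(_xor_stream(self.enc_key, nonce, ciphertext))


if __name__ == "__main__":
    cfg = {"admin_password": "hunter2", "remote_admin": False}
    forged = forge_weak_backup(weak_export(cfg), FIRMWARE_SHARED_KEY)
    print("weak router accepted forged backup:", weak_import(forged)["remote_admin"])
    router = HardenedRouter()
    try:
        router.import_backup(HardenedRouter().export(dict(cfg, remote_admin=True)))
    except ValueError as err:
        print("hardened router:", err)
```

The hardened variant deliberately rejects a backup produced by a different unit: a restore feature only needs to restore a device's own settings, and binding the file to a per-unit secret that never leaves the device is what removes the "one key for the whole fleet" failure. In real firmware, replace the toy stream cipher with an AEAD such as AES-GCM or ChaCha20-Poly1305; the structure (per-unit key, fresh nonce, authenticate before decrypt) is the part that matters.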

Read more in:

The Register: Virgin Media resolves flaw in config backup for Super Hub routers http://www.theregister.co.uk/2017/06/12/virgin_media_router_vuln/
V3: Virgin Media fixes Super Hub security flaw uncovered by researchers https://www.v3.co.uk/v3-uk/news/3011775/virgin-media-fixes-super-hub-security-flaw-uncovered-by-researchers
Contextis: Hacking the Virgin Media Super Hub https://www.contextis.com/resources/blog/hacking-virgin-media-super-hub/

US Dept. of Health and Human Services Cybersecurity Center (June 12, 2017)

US Department of Health and Human Services (HHS) deputy CISO Leo Scanlon told the House Energy and Commerce Subcommittee that the department's Health Cybersecurity and Communications Integration Center (HCCIC) gave the health sector early warning of the potential impact of last month's WannaCry ransomware attack. The HCCIC provided the sector with "real-time cyber situation awareness, best practices guidance, and coordination with the US-CERT."

[Editor Comments]

[Pescatore] I attended an HHS Security Day back in 2015 and HHS had defined SOC processes as key to moving forward in security. Their results demonstrate that a strong SOC does act as a real force multiplier, and a key indicator of risk reduction - a much better indicator than quantity of risk analysis reports.

Read more in:

FNR: HHS' cybersecurity center offering much more than a Band-Aid for health IT cyber attacks https://federalnewsradio.com/health-it/2017/06/hhs-cybersecurity-center-offering-much-more-than-a-band-aid-for-health-it-cyber-attacks/

US Commerce Dept. Request for Public Comment on Fighting Automated Threats (June 12 & 13, 2017)

The US Department of Commerce has issued a notice in the Federal Register seeking input on how best to fight botnets and other automated attacks. The request stems from the May executive order on cybersecurity, which directs Commerce and the Department of Homeland Security (DHS) to lead a process with technology companies and other stakeholders to improve the Internet's resilience against botnets. Comments will be accepted through July 13, 2017.

[Editor Comments]

[Honan] The fight against botnets cannot be done by one country on its own. This will require international cooperation, including cooperation with states that previously have not been willing to step forward in the fight against cybercrime.

[Paller] The most promising front in the fight against phishing that leads to these botnet armies has been opened by the multi-national consortium called the Global Cyber Alliance through its DMARC and safer DNS automation programs. Nearly a million systems are already protected in the first 6 months - and the number is growing very rapidly. The alliance includes primarily law enforcement leaders who see prevention as a key part of their mandate. Primary funding was provided by the US Manhattan District Attorney Cyrus Vance, Jr. and the Commissioner of the City of London Police, with Michael Bloomberg and the SANS Institute also providing substantial financial support. With the emerging set of corporate partners, led by Barclays Chief Security Officer, Troels Oerting, GCA looks to be the one organization that is actually doing something about the problem globally.

[Pescatore] This RFC references the 2014 final report on this topic, from the FCC's Communications Security, Reliability and Interoperability Council (CSRIC) advisory committee. Back then, the report concluded with 6 recommendations for the FCC to "encourage" ISPs and others to "consider" "voluntary" adoption of best practices - and apparently the ISPs are still "considering" taking any action to block known bad traffic related to DDoS, botnets, etc. with very little actual volunteering happening. It is as if the water company continued to consider ways to remove known pollutants from the water it sold to homes and businesses. Enterprises should get corporate backing to comment on the RFC on the need to apply market and regulatory forces to drive ISPs to act vs. continue "considering."

Read more in:

Nextgov: Commerce Seeks Input on Fighting Botnets http://www.nextgov.com/cybersecurity/2017/06/commerce-seeks-input-fighting-botnets/138601/?oref=ng-channeltopstory
Federal Register: Promoting Stakeholder Action Against Botnets and Other Automated Threats https://www.federalregister.gov/documents/2017/06/13/2017-12192/promoting-stakeholder-action-against-botnets-and-other-automated-threats

SWIFT Profits Drop (June 10 & 12, 2017)

International financial messaging network SWIFT reported a 31 percent drop in profits for a year in which the network was abused to conduct tens of millions of dollars' worth of fraudulent transactions, most notably the theft of 81 million USD from Bangladesh's central bank in February 2016.

[Editor Comments]

[Pescatore] SWIFT is a good case study on the real financial impact of being late to emphasize basic security hygiene, effective Security Operations Center, security skills and staffing, etc. An especially good example for those in the financial vertical, obviously, but actually a really good example to show to CXOs and boards if you are heavily dependent on third parties, partners, suppliers, etc. in any industry.

Read more in:

Reuters: Costs of bank cyber thefts hit SWIFT profit last year https://www.reuters.com/article/us-banks-swift-cybercrime-idUSKBN1910FX
V3: SWIFT profits slump following string of cyber-attacks on banks https://www.v3.co.uk/v3-uk/news/3011760/swift-profits-slump-after-string-of-cyber-attacks-on-banks

Suspect in Scareware Scheme Extradited to US (June 12, 2017)

Peteris Sahurovs has been extradited from Poland to the US to face charges of wire fraud, computer fraud, and conspiracy for his alleged role in a scareware scheme. Sahurovs was arrested in Latvia in 2011, but fled after a court there released him. The scheme allegedly earned Sahurovs and his accomplices more than two million USD.

Read more in:

The Hill: Cybercriminal extradited for multimillion dollar 'scareware' hacking scheme http://thehill.com/policy/cybersecurity/337510-cybercriminal-extradited-for-multimillion-dollar-scareware-hacking
Bleeping Computer: Hacker "Sagade" Extradited to the US for Role in Scareware Scheme https://www.bleepingcomputer.com/news/security/hacker-sagade-extradited-to-the-us-for-role-in-scareware-scheme/
US Justice Dept.: Latvian Cybercriminal Extradited For "Scareware" Hacking Scheme That Caused Millions Of Dollars In Loss https://www.justice.gov/usao-mn/pr/latvian-cybercriminal-extradited-scareware-hacking-scheme-caused-millions-dollars-loss

Attackers Exploiting Samba Flaw to Install Cryptocurrency Miner on Linux Machines (June 12, 2017)

Attackers are exploiting a known Samba vulnerability (CVE-2017-7494) to install cryptocurrency-mining software on vulnerable systems. The Samba Team released fixed versions on May 25, but tens of thousands of Linux machines appear to still be running unpatched versions. Samba is an interoperability suite that implements the SMB protocol to provide file and print sharing between Windows and Linux machines. (The recent WannaCry ransomware spread by exploiting a vulnerability in Windows's own SMB implementation.)
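As an added example (not the Samba project's own tooling, and not code from any of the linked articles), the following Python audit script applies the three exposure conditions that the Samba advisory and the editor comment that follows describe: an affected smbd version, a share the attacker can write a file to, and the "nt pipe support" workaround not applied. The fixed releases (4.6.4, 4.5.10, 4.4.14) and the 3.5.0 starting point are taken from the advisory for CVE-2017-7494; the smb.conf text is constructed for the example, and the version string is in the form that `smbd --version` prints.

```python
import re

# From the Samba advisory for CVE-2017-7494: every release from 3.5.0 onward is affected;
# these are the first fixed releases on each branch that was supported at the time.
FIRST_AFFECTED = (3, 5, 0)
FIXED_ON_BRANCH = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}

_YES = {"yes", "true", "1"}
_NO = {"no", "false", "0"}


def parse_version(banner: str) -> tuple:
    """'Version 4.5.8' (as printed by `smbd --version`) -> (4, 5, 8)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no x.y.z version in {banner!r}")
    return tuple(int(x) for x in m.groups())


def version_vulnerable(banner: str) -> bool:
    """Upstream version check only; distro packages may carry the fix under an older number."""
    v = parse_version(banner)
    if v < FIRST_AFFECTED:
        return False
    fixed = FIXED_ON_BRANCH.get(v[:2])
    if fixed is None:
        # 4.7 and later shipped after the fix; branches older than 4.4 never received one.
        return v < (4, 4, 0)
    return v < fixed


def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf reader: sections of 'key = value' lines, ';' or '#' comments.
    Ignores 'include =' and backslash continuations; normalises keys so that
    'Read Only' and 'read   only' compare equal, as smbd itself treats them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def share_is_writable(opts: dict) -> bool:
    """Samba treats 'writable', 'writeable' and 'write ok' as the inverse of 'read only'
    (default: read only = yes); a 'write list' grants write access even on a read-only share."""
    if opts.get("write list", "").strip():
        return True
    for key in ("writable", "writeable", "write ok"):
        if key in opts:
            return opts[key].lower() in _YES
    if "read only" in opts:
        return opts["read only"].lower() in _NO
    return False


def assess(smb_conf_text: str, version_banner: str) -> dict:
    conf = parse_smb_conf(smb_conf_text)
    global_opts = conf.get("global", {})
    # The advisory's workaround: 'nt pipe support = no' in [global] stops clients reaching
    # named-pipe endpoints, which is how the uploaded library gets loaded. It can break
    # some Windows client functionality, so it is a stopgap until the package is updated.
    pipes_disabled = global_opts.get("nt pipe support", "yes").lower() in _NO
    vulnerable = version_vulnerable(version_banner)
    writable = [
        {"share": name, "path": opts.get("path", ""),
         "guest_ok": opts.get("guest ok", "no").lower() in _YES}
        for name, opts in conf.items() if name != "global" and share_is_writable(opts)
    ]
    return {
        "version_vulnerable": vulnerable,
        "nt_pipe_support_disabled": pipes_disabled,
        "writable_shares": writable,
        # Upload needs write access (credentials or guest) plus the share's server-side path.
        "exploitable": vulnerable and not pipes_disabled and bool(writable),
    }


# Constructed smb.conf for the example; not taken from any real host.
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   server string = file server
   ; nt pipe support = no

[public]
   path = /srv/samba/public
   read only = no
   guest ok = yes

[docs]
   path = /srv/samba/docs
   read only = yes

[scratch]
   path = /srv/samba/scratch
   writable = yes
"""

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_SMB_CONF, "Version 4.5.8"), indent=2))
```

Feed it the contents of /etc/samba/smb.conf and the output of `smbd --version`. Two caveats: distributions backport the fix without changing the upstream version number, so treat a "vulnerable" verdict from the version check as a prompt to read the package changelog rather than as proof; and a writable share is necessary but not sufficient, since the attacker still needs credentials for it (or `guest ok = yes`) and must know or guess the share's path on the server, which is the point the editor comment below makes about why this flaw is a poorer worm candidate than EternalBlue.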

[Editor Comments]

[Ullrich] This vulnerability is often compared to the "eternal blue" vulnerability that gave rise to WannaCry. However, the two vulnerabilities have little in common other than the fact that both are exploitable via SAMBA. "eternal blue" allowed attackers to execute arbitrary code on vulnerable systems, without having to first authenticate. The new Linux vulnerability allows an attacker to execute code after uploading a library to the vulnerable system. The file upload will typically require credentials. A worm like WannaCry is much less likely to take advantage of the Linux flaw and only a small subset of the vulnerable population is exploitable. Attackers typically have other avenues of attack for a system that implements no authentication, or weak authentication, for file uploads.

Read more in:

ZDNet: Linux server attack: Patch Samba or risk cryptocurrency mining malware http://www.zdnet.com/article/linux-server-attack-patch-samba-or-risk-cryptocurrency-mining-malware/
Threatpost: Attackers Mining Cryptocurrency Using Exploits for Samba Vulnerability https://threatpost.com/attackers-mining-cryptocurrency-using-exploits-for-samba-vulnerability/126191/
BleepingComputer: Linux Servers Hijacked to Mine Cryptocurrency via SambaCry Vulnerability https://www.bleepingcomputer.com/news/security/linux-servers-hijacked-to-mine-cryptocurrency-via-sambacry-vulnerability/
Samba: Remote code execution from a writable share. https://www.samba.org/samba/security/CVE-2017-7494.html

US Trade and Development Agency's Risk-Based Approach to Cybersecurity (June 9, 2017)

US Trade and Development Agency (USTDA) CIO Benjamin Bergersen says the agency has been using a risk-based approach to cybersecurity for several years.

USTDA draws on several documents for its approach, including frameworks from the National Institute of Standards and Technology (NIST) and the plan of action and milestones (POA&M) template from the Federal Risk and Authorization Management Program (FedRAMP). USTDA also uses a "closeout package" that Bergersen developed while working in private industry; it includes operation and maintenance instructions, a standard configuration report based on NIST and Defense Department standards, and a risk assessment report based on a vulnerability scan. USTDA also takes advantage of the Department of Homeland Security's (DHS's) Continuous Diagnostics and Mitigation (CDM) program.

[Editor Comments]

[Weatherford] This kind of risk-based approach to security is orders of magnitude more effective than FISMA book-keeping.

Read more in:

FNR: Even before cyber EO, U.S. Trade and Development Agency bakes in risk management https://federalnewsradio.com/ask-the-cio/2017/06/even-before-cyber-eo-u-s-trade-and-development-agency-bakes-in-risk-management/

Apple Employees in China Allegedly Sold Customer Data (June 8, 2017)

Authorities in China have detained 22 people for allegedly selling the personal information of Apple customers. Twenty of the suspects are employees of an Apple "domestic direct sales company and outsourcing company." The scheme involved harvesting customer data from internal computer systems.

[Editor Comments]

[Stephen Northcutt] Ouch. I guess there were still a few kinks in "Differential Privacy":
Sadly this is not a new problem for Apple in China:
https://www.nytimes.com/2017/06/09/business/china-apple-personal-data-sold.html *** read to the bottom
Apple's privacy policy in China is different than in the US:

Read more in:

Hong Kong Free Press: China uncovers massive underground network of Apple employees selling customers' personal data https://www.hongkongfp.com/2017/06/08/china-uncovers-massive-underground-network-apple-employees-selling-customers-personal-data/


SAMBA Vulnerability Exploited To Install Bitcoin Miners


Intel's AMT Technology Used For Covert Channel


Broadcom Vulnerabilities to be Announced


Release Lag In National Vulnerability Database


Industroyer / CrashOverride Malware Analysis From Power System Attacks

https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf

MacSpy Spyware As A Service For Macs


VolUtility Memory Analysis Made Easy


Google News Abused For Spam


The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create