
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #48

June 16, 2017


Underwriters Laboratories Issuing Software Security Certifications
Microsoft Patch Tuesday Includes Fixes for XP


Flaw in XiongMai Software Used in DVRs
Europol Announces Arrests in Counter Anti-Virus and Crypter Case
University College London Reports Ransomware Infections
US-CERT: Hidden Cobra Advisory
FIN7's Malware Targeting Restaurants
Interview with NYT's Executive Director for Information Security
Firefox 54, Now with Multi-Process Support
OpenC2: NSA's Cyber Defense Language
Decryption Key for Jaff Ransomware
Adobe Issues Security Updates








Underwriters Laboratories Issuing Software Security Certifications (June 13, 2017)

Underwriters Laboratories (UL) is now issuing security certifications for networked software. UL launched its Cybersecurity Assurance Program (CAP) in April 2016. So far, only a few products have received certification.

[Editor Comments]

[Pescatore] The UL approach to product certification makes sense for static devices, but I don't think it translates well to software that will continually change. This has been true with both government-run and private-industry-run software certification programs. Putting a requirement for software certification into a procurement almost invariably runs into problems because the currently shipping version is not the one that went through certification. This can be dealt with for devices that will have relatively infrequent software updates, but for more generic software products, it is a good bar to set but won't really change what enterprises need to do to make sure the software they buy and use remains secure.

[Northcutt] I suspect UL is going to feel a bit like the dog that caught the car he was chasing. I wish them well and hope people get behind this instead of trying to move forward with their own proprietary specifications. If you are a cybersecurity professional, there is no time like the present to become familiar with CAP.

Read more in:

Cyberscoop: UL now wants to be ubiquitous in cybersecurity, including medical devices and industrial controls https://www.cyberscoop.com/underwriters-laboratory-ubiquitous-in-cyber-electronics-certification-va/
UL: UL Launches Cybersecurity Assurance Program http://www.ul.com/newsroom/pressreleases/ul-launches-cybersecurity-assurance-program/

Microsoft Patch Tuesday Includes Fixes for XP (June 13 & 14, 2017)

For the second month in a row, Microsoft's Patch Tuesday security update includes fixes for Windows XP and other currently unsupported operating systems. In a blog post, Microsoft said that it is providing manually downloadable patches for the older operating systems because some of the vulnerabilities addressed in the regular security release "pose elevated risk of cyber attacks by government organizations." Microsoft's June security updates address nearly 100 vulnerabilities, including a flaw in Windows Server Message Block (SMB).

[Editor Comments]

[Ullrich] Microsoft learned its lesson from "WannaCry" and released this update for XP before it is used by another worm. The "Search" SMB vulnerability could certainly have a similar impact. On the other hand, I doubt that organizations that don't control SMB at their perimeter will bother to apply this patch.

[Williams] The move by Microsoft to patch these vulnerabilities will be read by many as a signal that there is no real need to update their legacy operating systems. This is the third time Microsoft has updated Windows XP to reduce exposure to vulnerabilities being exploited in the wild. Given that Microsoft has never left legacy operating systems exposed to a widely exploited vulnerability, organizations can conclude this behavior will likely continue in the future. But newer versions of the OS have many built in exploit mitigations that make the attacker's job dramatically more difficult, even when exploiting a known vulnerability. These vulnerabilities have been known to Microsoft for some time. The timing of the patches suggests that Microsoft has some telemetry indicating an increase in their use in the wild.

[Honan] I have to admit that I am torn as to whether or not releasing the patches for Windows XP and other unsupported platforms is a good move. On the pro side of the argument, it means those systems are better protected; however, on the con side of the argument, it makes the CISO's argument to the board to migrate from old technology tougher, as it could be seen that Microsoft will still provide patches for these platforms if the need is great enough.

Read more in:

Technet: Guidance related to June 2017 security update release https://technet.microsoft.com/en-us/library/security/4025685.aspx
Microsoft: Microsoft releases additional updates to protect against potential nation-state activity https://blogs.windows.com/windowsexperience/2017/06/13/microsoft-releases-additional-updates-protect-potential-nation-state-activity/#KFLW1RwTJh0VssVe.97
ZDNet: Microsoft warns of 'destructive cyberattacks,' issues new Windows XP patches http://www.zdnet.com/article/microsoft-warns-of-destructive-cyberattacks-issues-new-windows-xp-patches/
SC Magazine: Microsoft releases Patch Tuesday fixes, including WannaCry defense https://www.scmagazine.com/microsoft-releases-patch-tuesday-fixes-including-wannacry-defense/article/668303/
KrebsOnSecurity: Microsoft, Adobe Ship Critical Fixes https://krebsonsecurity.com/2017/06/microsoft-adobe-ship-critical-fixes/
BleepingComputer: Microsoft's June Patch Tuesday Fixes Two Vulnerabilities Used in Live Attacks https://www.bleepingcomputer.com/news/microsoft/microsofts-june-patch-tuesday-fixes-two-vulnerabilities-used-in-live-attacks/
Ars Technica: Win XP patched to avert new outbreaks spawned by NSA-leaking Shadow Brokers https://arstechnica.com/security/2017/06/win-xp-patched-to-avert-new-outbreaks-spawned-by-nsa-leaking-shadow-brokers/
Cyberscoop: Microsoft patches Windows XP due to 'heightened risk' of nation-state activity https://www.cyberscoop.com/windows-xp-patches-wannacry-microsoft/?category_news=technology


Flaw in XiongMai Software Used in DVRs (June 6 & 15, 2017)

An unpatched buffer overflow vulnerability in networking software affects as many as one million digital video recorders (DVRs). The software is from Chinese manufacturer XiongMai and is used in DVRs sold under more than 50 brands.

[Editor Comments]

[Ullrich] These systems are likely already infected with some variant of Mirai, so the additional impact of these new vulnerabilities is likely minimal.

Read more in:
The Register: Don't all rush out at once, but there are a million devices ripe to be the next big botnet http://www.theregister.co.uk/2017/06/15/dvr_vuln_botnet_threat/
Pen Test Partners: What did Mirai Miss? Making a better, bigger botnet https://www.pentestpartners.com/security-blog/what-did-mirai-miss-making-a-better-bigger-botnet/

Europol Announces Arrests in Counter Anti-Virus and Crypter Case (June 14 & 15, 2017)

Europol says that six people were arrested and 36 interviewed earlier this month for their alleged use of "a counter anti-virus platform and crypter service." The operation was a coordinated effort involving six European countries. An earlier phase of the operation, in April 2016, focused on suspects believed to be operating the service along with several customers in Germany.

[Editor Comments]

[Honan] Europol is doing great work in coordinating international efforts to tackle cybercrime. Well done to all involved.

Read more in:

Europol: International Operation Targets Customers of Counter Anti-Virus and Crypter Services: 6 Arrested and 36 Interviewed https://www.europol.europa.eu/newsroom/news/international-operation-targets-customers-of-counter-anti-virus-and-crypter-services-6-arrested-and-36-interviewed
ZDNet: European police break up counter antivirus, crypter ring http://www.zdnet.com/article/european-police-break-up-counter-antivirus-crypter-ring/
SC Magazine: Europol nabs six counter anti-virus, crypter services customers https://www.scmagazine.com/europol-nabs-six-counter-anti-virus-crypter-services-customers/article/668908/

University College London Reports Ransomware Infections (June 15, 2017)

Computers at University College London (UCL) have been hit with ransomware. The university says the infection has caused "very substantial disruption." The malware evaded antivirus detection. As soon as IT staff became aware of what was happening, they switched all shared drives to "read-only" to stop further files from being encrypted. Ulster University has also reported a ransomware infection.

[Editor Comments]

[Ullrich] Some reports call this a "zero day" attack because anti-virus did not detect this malware variant. In my opinion, this isn't a zero-day, but just how normal current malware operates.

Read more in:

BBC: Top university under 'ransomware' cyber-attack http://www.bbc.com/news/education-40288548
BleepingComputer: UK University Blames Ransomware Infection on Zero-Day Vulnerability https://www.bleepingcomputer.com/news/security/uk-university-blames-ransomware-infection-on-zero-day-vulnerability/
ZDNet: Major 'zero-day' ransomware attack strikes UCL university campus http://www.zdnet.com/article/major-zero-day-ransomware-attack-strikes-ucl-university-campus/
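Switching the shares to read-only, as UCL's IT staff did, is the containment step; noticing the encryption burst early enough to do that is the detection step. The Python below is an added example, not code from UCL or from this newsletter: it reads Samba full_audit log lines and flags any user who renames several files to a new extension within a short window, which is what most file-encrypting ransomware looks like from the file server's side. The log lines are constructed for the example, and the field order (user|client IP|client name|share|operation|result|old path|new path) assumes a particular full_audit prefix configuration; adjust the regex to match your own smb.conf.

```python
"""Flag ransomware-like rename bursts in Samba full_audit logs.

Added example, not code from UCL or from SANS NewsBites. The sample log
lines are constructed; the field layout assumes a full_audit prefix of
user|client-ip|client-name|share followed by op|result|old|new, which is
a common but site-specific configuration.
"""
import os
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: alice renames five files to ".locked" within a few
# seconds (ransomware-like); bob performs one ordinary rename.
SAMPLE_LOG = """\
Jun 15 09:14:02 fs01 smbd_audit: ACME\\alice|10.20.0.15|ws01|shared|rename|ok|finance/q1.xlsx|finance/q1.xlsx.locked
Jun 15 09:14:02 fs01 smbd_audit: ACME\\alice|10.20.0.15|ws01|shared|rename|ok|finance/q2.xlsx|finance/q2.xlsx.locked
Jun 15 09:14:03 fs01 smbd_audit: ACME\\alice|10.20.0.15|ws01|shared|rename|ok|finance/budget.docx|finance/budget.docx.locked
Jun 15 09:14:03 fs01 smbd_audit: ACME\\bob|10.20.0.22|ws07|shared|rename|ok|drafts/old.txt|drafts/new.txt
Jun 15 09:14:04 fs01 smbd_audit: ACME\\alice|10.20.0.15|ws01|shared|rename|ok|finance/notes.txt|finance/notes.txt.locked
Jun 15 09:14:05 fs01 smbd_audit: ACME\\alice|10.20.0.15|ws01|shared|rename|ok|hr/roster.csv|hr/roster.csv.locked
Jun 15 09:20:30 fs01 smbd_audit: ACME\\alice|10.20.0.15|ws01|shared|rename|ok|hr/late.csv|hr/late.csv.locked
"""

# Syslog header, then the pipe-separated full_audit fields (assumed layout).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ smbd_audit: "
    r"(?P<user>[^|]+)\|(?P<ip>[^|]+)\|(?P<host>[^|]+)\|(?P<share>[^|]+)\|"
    r"(?P<op>[^|]+)\|(?P<result>[^|]+)\|(?P<old>[^|]*)\|(?P<new>[^|]*)$"
)


def _seconds(ts):
    """Syslog timestamps carry no year; deltas within one day are all we need."""
    return (datetime.strptime(ts, "%b %d %H:%M:%S") - datetime(1900, 1, 1)).total_seconds()


def detect_rename_bursts(log_text, window_s=60, threshold=5):
    """Return {user: [(seconds, new_path), ...]} for each user who renamed at
    least `threshold` files to a different extension within `window_s` seconds.

    Only successful renames that change the extension count: renaming
    report.docx to report_v2.docx is editing, report.docx to report.docx.locked
    is not.
    """
    recent = defaultdict(deque)  # per-user sliding window of suspicious renames
    alerts = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["op"] != "rename" or m["result"] != "ok":
            continue
        old_ext = os.path.splitext(m["old"])[1].lower()
        new_ext = os.path.splitext(m["new"])[1].lower()
        if old_ext == new_ext:
            continue
        t = _seconds(m["ts"])
        q = recent[m["user"]]
        q.append((t, m["new"]))
        while q and t - q[0][0] > window_s:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold and m["user"] not in alerts:
            alerts[m["user"]] = list(q)  # first burst is enough to act on
    return alerts


if __name__ == "__main__":
    for user, events in detect_rename_bursts(SAMPLE_LOG).items():
        print(f"ALERT {user}: {len(events)} extension-changing renames "
              f"in {events[-1][0] - events[0][0]:.0f}s, e.g. {events[0][1]}")
```

The threshold and window are deliberately conservative; a real deployment would tune them per share and feed the alert into whatever mechanism can set the share read-only or disconnect the session, since the point is to act before the rest of the share is encrypted.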

US-CERT: Hidden Cobra Advisory (June 14, 2017)

US-CERT has issued an alert about a North Korean hacking group it calls Hidden Cobra (also known as the Lazarus Group and Guardians of Peace) that has been targeting critical infrastructure systems, as well as the financial, media, and aerospace sectors, in the US and in other countries. US-CERT, working with the Department of Homeland Security (DHS) and the FBI, has published IP addresses associated with the group's infrastructure. The group has been active since 2009. It uses DDoS botnets, remote access tools, keystroke loggers, and wiper malware.

Read more in:

US-CERT: HIDDEN COBRA - North Korea's DDoS Botnet Infrastructure https://www.us-cert.gov/ncas/alerts/TA17-164A
The Register: Crouching cyber, Hidden Cobra: Crack North Korean hack team ready to strike, says US-CERT http://www.theregister.co.uk/2017/06/14/north_korean_hidden_cobra_to_strike/
SC Magazine: DHS and FBI dish out details on North Korea's APT group Hidden Cobra https://www.scmagazine.com/dhs-and-fbi-dish-out-details-on-north-koreas-apt-group-hidden-cobra/article/668601/
Dark Reading: US Warns of North Korea's Not-So-Secret 'Hidden Cobra' DDoS Botnet http://www.darkreading.com/threat-intelligence/us-warns-of-north-koreas-not-so-secret-hidden-cobra-ddos-botnet/d/d-id/1329141?
Nextgov: DHS, FBI Alert About North Korean Hacking Campaign http://www.nextgov.com/cybersecurity/2017/06/dhs-fbi-alert-about-north-korean-hacking-campaign/138693/?oref=ng-channelriver
Fifth Domain: US blames N. Korea for series of cyberattacks http://fifthdomain.com/2017/06/14/us-blames-n-korea-for-series-of-cyberattacks/
BleepingComputer: DHS and FBI Publish Details on DeltaCharlie, North Korea's DDoS Botnet https://www.bleepingcomputer.com/news/security/dhs-and-fbi-publish-details-on-deltacharlie-north-koreas-ddos-botnet/
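The practical value of the alert is its indicator list, which is only useful once it has been checked against your own traffic. The Python below is an added example, not code from US-CERT, DHS, the FBI or this newsletter: it loads IP and CIDR indicators from a simple CSV and matches them against firewall log lines in both the source and destination fields, so inbound scanning and outbound beaconing are both caught. The indicator entries, the CSV layout and the log lines are constructed for the example using RFC 5737 documentation addresses; they are not the indicators from TA17-164A, which you would substitute in.

```python
"""Match firewall log lines against an IP/CIDR indicator list.

Added example, not code from US-CERT or SANS NewsBites. The indicators and
log lines below are constructed (RFC 5737 documentation ranges); load the
indicator file from the TA17-164A alert for real use.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicator CSV (assumed "indicator,note" layout). Entries may be
# single hosts or CIDR blocks.
IOC_CSV = """\
indicator,note
198.51.100.23,constructed example indicator
203.0.113.0/28,constructed example range
"""

# Constructed netfilter-style log lines; the SRC=/DST= field layout is the
# only thing the matcher depends on.
SAMPLE_LOG = """\
Jun 14 10:02:11 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.0.15 DST=198.51.100.23 PROTO=TCP SPT=51432 DPT=443
Jun 14 10:02:12 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.0.15 DST=93.184.216.34 PROTO=TCP SPT=51433 DPT=443
Jun 14 10:03:40 fw01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.20.0.2 PROTO=TCP SPT=40000 DPT=445
Jun 14 10:05:01 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.0.31 DST=203.0.113.77 PROTO=UDP SPT=5353 DPT=53
"""

IP_FIELD = re.compile(r"\b(SRC|DST)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def load_indicators(csv_text):
    """Parse the indicator CSV into a list of (ip_network, note) tuples.

    Hosts and ranges are both normalised to ip_network so a /32 and a /28
    are matched the same way.
    """
    nets = []
    for lineno, line in enumerate(csv_text.splitlines()):
        if lineno == 0 or not line.strip():
            continue  # header row or blank line
        indicator, _, note = line.partition(",")
        nets.append((ipaddress.ip_network(indicator.strip(), strict=False), note.strip()))
    return nets


def match_log(log_text, indicators):
    """Return {indicator: [matching log lines]}.

    Every SRC/DST address on a line is tested against every indicator; a line
    is recorded once per indicator it touches.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        matched = set()
        for _field, ip_str in IP_FIELD.findall(line):
            addr = ipaddress.ip_address(ip_str)
            for net, _note in indicators:
                if addr in net:
                    matched.add(str(net))
        for key in matched:
            hits[key].append(line)
    return dict(hits)


if __name__ == "__main__":
    for indicator, lines in match_log(SAMPLE_LOG, load_indicators(IOC_CSV)).items():
        print(f"{indicator}: {len(lines)} hit(s)")
        for hit in lines:
            print("   ", hit)
```

Matching on CIDR blocks as well as single addresses matters because advisories of this kind often list ranges; matching DST as well as SRC matters because a DROP of an inbound scan and an ACCEPT of an outbound connection to the same infrastructure deserve very different responses, and only the second one means a host inside is already talking to the adversary.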

FIN7's Malware Targeting Restaurants (June 14, 2017)

Fileless malware used by the FIN7 hacking group has been targeting payment systems at restaurants. FIN7's malware spreads through phishing email messages that look like food orders. Once the malware gains a foothold on a restaurant's system, it tries to install a backdoor that can be used to steal financial information. The malware runs only in memory, leaving no file on disk, a technique meant to evade detection by file-based security tools.

Read more in:

SC Magazine: FIN7 targeting restaurants with fileless malware https://www.scmagazine.com/fileless-malware-seeks-to-place-backdoors-in-restaurant-systems/article/668604/
Ars Technica: Fileless malware targeting US restaurants went undetected by most AV https://arstechnica.com/security/2017/06/fileless-malware-attack-against-us-restaurants-went-undetected-by-most-av/

Interview with NYT's Executive Director for Information Security (June 14, 2017)

The New York Times Executive Director for Information Security Bill McKinley talks about the unique aspects of his job. He notes that "exposing a source or not properly protecting ... journalists could result in their being detained, the release of highly sensitive information, a source being burned and potentially putting someone's life at risk."

Read more in:

ZDNet: Securing the press: Meet The New York Times' new infosec leader http://www.zdnet.com/article/securing-the-press-meet-the-new-york-times-new-infosec-leader/

Firefox 54, Now with Multi-Process Support (June 14, 2017)

Mozilla has released Firefox 54, which expands the browser's multi-process support: there is now one process for the user interface (UI) and up to four for page content. The change aims to improve the browser's stability and performance. Firefox introduced multi-process support last summer with Firefox 48, which split the UI process from a single page-content process. Mozilla plans eventually to let Firefox use an unlimited number of content processes, as Chrome does. Firefox 54 also fixes 32 security issues in the browser.

Read more in:

Mozilla: Mozilla Foundation Security Advisory 2017-15: Security vulnerabilities fixed in Firefox 54 https://www.mozilla.org/en-US/security/advisories/mfsa2017-15/
Ars Technica: Firefox 54 finally goes multiprocess, eight years after work began https://arstechnica.com/information-technology/2017/06/firefox-multiple-content-processes/
Threatpost: Mozilla Fixes 32 Vulnerabilities in Firefox 54 https://threatpost.com/mozilla-fixes-32-vulnerabilities-in-firefox-54/126278/
BleepingComputer: Firefox 54 Released With Improved Multi-Process Support https://www.bleepingcomputer.com/news/software/firefox-54-released-with-improved-multi-process-support/
Softpedia: Firefox 54 Web Browser Lands in All Supported Ubuntu Linux Releases, Update Now http://news.softpedia.com/news/firefox-54-web-browser-lands-in-all-supported-ubuntu-linux-releases-update-now-516470.shtml

OpenC2: NSA's Cyber Defense Language (June 14, 2017)

Cyber security experts and vendors are working with the US National Security Agency (NSA) to develop OpenC2, a standardized command and control language for cyber defenses, so that cyber defense technologies can communicate regardless of vendor or programming language. The project is developing standardized interfaces so that different tools can communicate with each other at machine speed.

Read more in:

Cyberscoop: NSA's new open language for cyber-defenses will aid interoperability https://www.cyberscoop.com/openc2-nsa-open-source-cyber-defense/?category_news=technology

Decryption Key for Jaff Ransomware (June 14, 2017)

Researchers at Kaspersky Lab have released a decryption utility that lets users unlock files that have been encrypted with Jaff malware. The tool works for all currently known variants of Jaff.

[Editor Comments]

[Honan] This and other decryption keys are available on the No More Ransom website, www.nomoreransom.org, which is a project headed by Europol in cooperation with law enforcement agencies and private sector companies.

Read more in:

Threatpost: Decryption Utility Unlocks Files Encrypted by Jaff Ransomware https://threatpost.com/decryption-utility-unlocks-files-encrypted-by-jaff-ransomware/126276/
BleepingComputer: Decrypted: Kaspersky Releases Decryptor for the Jaff Ransomware https://www.bleepingcomputer.com/news/security/decrypted-kaspersky-releases-decryptor-for-the-jaff-ransomware/
The Register: If you haven't already obliterated your Jaff-infected comp, there is an antidote available http://www.theregister.co.uk/2017/06/15/jaff_ransomware_antidote/

Adobe Issues Security Updates (June 13, 2017)

Adobe has released updates for Flash Player, Shockwave Player, Adobe Captivate, and Adobe Digital Editions. The Flash update includes fixes for critical use-after-free and memory corruption issues. The Shockwave update includes a fix for a critical memory corruption flaw. The Captivate update fixes an information disclosure flaw, and the Adobe Digital Editions update fixes several memory corruption issues.

Read more in:

Adobe: Adobe Product Security Incident Response Team (PSIRT) Blog https://blogs.adobe.com/psirt/?p=1469
SC Magazine: Adobe issues Patch Tuesday fixes https://www.scmagazine.com/adobe-issues-patch-tuesday-fixes/article/668122/
BleepingComputer: Adobe Patches Nine Security Flaws in Flash Player https://www.bleepingcomputer.com/news/security/adobe-patches-nine-security-flaws-in-flash-player/


MSFT June Patch Day Fixes Remaining Known NSA Vulnerabilities

North Korea Building DDoS Botnet

Systemd Odd Defaults

Voice over LTE Vulnerabilities

Tails 3.0 Released

Nexus 9 Headphone Jack Vulnerability

WikiLeaks Releases Documents About Cherry Blossom Wi-Fi Hacking Toolkit

More DVR Vulnerabilities

More Microsoft Windows Defender Vulnerabilities

Decryption Utility for Jaff Crypto Ransomware


The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create