
Volume XIX - Issue #49

June 20, 2017


Ukraine Was Russia's Test-Lab For CyberWar
Voting Record Database Configuration Error Exposes Nearly 200 Million Records


UK Universities Recover from Ransomware Infection
Mexican Government Believed to be Targeting Journalists and Others with Spyware
Breach Reporting Requirements Affect Institutions Regulated by European Central Bank
Stack Clash Vulnerability
QakBot Variant Uses UPnP to Turn Infected Machines into Proxies
Google Play Adware
NIST's Cybersecurity and Risk Management Frameworks
Girl Scouts to Offer Cyber Security Badges
Cherry Blossom
Man Pleads Guilty to Stealing US Defense Dept. Satellite Network Account Data



*************************** Sponsored By Remediant *******************************

Ready to try something new in Privileged Access Management? Remediant brings insight and control over privileged access without agents or password vaults. Enforces 2FA for admin accounts and integrates with SIEMs for log correlation. Visit us at Black Hat booth #IC17, or email to set up a demo!

***************************************************************************

TRAINING UPDATE

-- SANSFIRE 2017 | Washington, DC | July 22-29 |

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 |

-- SANS London July 2017 | July 3-8 |

-- SANS Cyber Defence Singapore | July 10-15 |

-- SANS ICS & Energy-Houston 2017 | July 10-15, 2017 |

-- SANS Security Awareness Summit | Nashville, TN | July 31-August 9 |

-- SANS Boston 2017 | August 7-12 |

-- SANS Network Security | Las Vegas, NV | September 10-17 |

-- SANS London September 2017 | September 25-30 |

-- SANS Tokyo Autumn 2017 | October 16-28 |

-- Can't travel? SANS offers online instruction for maximum flexibility
Live Daytime training with Simulcast -
Evening training 2x per week for 6 weeks with vLive -
Anywhere, Anytime access for 4 months with OnDemand format -
SANS Online Training: Special Offer! Get a new iPad or an HP Chromebook 13 G1, or take $350 Off OnDemand or vLive Training when you register by June 21! -

-- Single Course Training
SANS Mentor
Community SANS
View the full SANS course catalog



Ukraine Was Russia's Test-Lab For CyberWar

The quintessential cyberwar scenario has come to life in Ukraine. Twice. On separate occasions (December 2015 and December 2016), invisible saboteurs turned off the electricity to hundreds of thousands of people. The blackouts were part of a digital blitzkrieg that has pummeled Ukraine for the past three years, a sustained cyberassault.

Read more in:

Wired: How an Entire Nation Became Russia's Test Lab for Cyberwar

Voting Record Database Configuration Error Exposes Nearly 200 Million Records (June 19, 2017)

Databases containing information on 198 million US voters were found in an Amazon S3 storage bucket configured to allow public access with no authentication. The databases belong to Deep Root Analytics, a contractor employed by the US Republican National Committee (RNC). While the information contained in the databases is by and large a matter of public record, aggregating all of it in one place could prove valuable to data thieves.

[Editor Comments]

[Williams] This information is likely to be used by identity thieves. Some in the media have focused on the fact that this is "not a big deal" since the information was publicly available. However, this was built as a work product for the RNC so despite being publicly available, the data aggregated in this fashion has obvious benefit to the RNC. Also, because it is a work product, the contractor who failed to secure the data is likely liable to the RNC for damages since they no longer hold a competitive advantage as the sole user of the data.

[Murray] The records of the Federal Election Commission are online. While there is no suggestion that they are used by identity thieves, they are certainly used by political fund raisers.

Read more in:

ZDNet: 198 million Americans hit by "largest ever" voter records leak
WSJ: Computer-Security Firm Says Voter Data Set Left Unprotected Online
Threatpost: Republican Data Broker Exposes 198m Voter Records
Wired: The Scarily Common Screw-Up That Exposed 198 Million Voter Records
Dark Reading: RNC Voter Data on 198 Million Americans Exposed in the Cloud
The Hill: Data on 198M voters exposed by GOP contractor
Washington Post: A Republican contractor's database of nearly every voter was left exposed on the Internet for 12 days, researcher says
*************************** SPONSORED LINKS *****************************
1) Improve Your Security Posture Quickly with Splunk and the CIS 20 Critical Security Controls E-book:
2) Join SANS Institute industry veteran Andrew Hay and Infoblox expert Krupa Srivatsan discuss how to create the security environment you need Register:
3) Do you know where your applications are? Take SANS survey and enter to win free Pass to SecDevOps Summit OR a $400 Amazon gift card.


UK Universities Recover from Ransomware Infection (June 19, 2017)

Both University College London (UCL) and Ulster University say their computer systems have been restored in the wake of ransomware infections. Last week, both institutions reported that they had to take their systems offline after machines became infected with ransomware. UCL's response team blocked access to shared and network drives once it learned of the infection, but access has now been restored.

Read more in:

ZDNet: Ransomware attacks: Universities back online after 'zero-day' infections

Mexican Government Believed to be Targeting Journalists and Others with Spyware (June 19, 2017)

A report from the University of Toronto's Citizen Lab found that Mexican journalists, lawyers, and others have been targeted with spyware delivered through SMS messages carrying exploit links. The infections are believed to be the work of the Mexican government. The software used in the highly targeted attacks is Pegasus, made by Israel's NSO Group, which says it sells only to governments.

[Editor Comments]

[Stephen Northcutt] The Munk School Citizen Lab that uncovered this does a lot of interesting, needed, work:
My favorite story on the subject is the NY Times:
Mexican president Nieto realizes there is a cyber-corruption problem facing government, but doesn't know where to start:
Read more in:

Citizen Lab: Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware
The Register: Mexican government accused of illegal phone hacking of citizens
Threatpost: Mexican Journalists, Lawyers Focus of Government Spyware

Breach Reporting Requirements Affect Institutions Regulated by European Central Bank (June 19, 2017)

Starting this summer, all banks regulated by the European Central Bank (ECB) will be required to report cyber security breaches to ECB. The requirement will help ECB "assess more objectively how many incidents there are and how cyber threats evolve ... [and] to identify vulnerabilities and common pitfalls."

Read more in:

V3: Banks will be forced to reveal cyber security breaches to European Central Bank

Stack Clash Vulnerability (June 19, 2017)

A memory management vulnerability affecting a number of Unix-like operating systems (OSes), including Linux, OpenBSD, NetBSD, FreeBSD, and Solaris, on both i386 and amd64, could be exploited by a local attacker to corrupt memory and run arbitrary code with root privileges. Dubbed Stack Clash, the flaw was discovered by researchers at Qualys. A user process's stack grows down toward other memory mappings, and the single guard page the kernel placed between them could be jumped over by a large enough stack allocation, so that the stack and a neighbouring region (often the heap or a shared library) overlap and clobber each other; Qualys chained this primitive with setuid-root binaries to escalate privileges. Patches for the affected OSes have been released (on Linux, the kernel's stack guard gap was raised from one page to 1 MiB by default), and users are urged to upgrade as soon as possible. Other OSes may be affected as well.

Read more in:

Threatpost: Stack Clash Vulnerability in Linux, BSD Systems Enables Root Access
Ars Technica: Serious privilege escalation bug in Unix OSes imperils servers everywhere
SC Magazine: Stack Clash exploits spotted in Linux, OpenBSD, NetBSD, FreeBSD and Solaris
Qualys: The Stack Clash

QakBot Variant Uses UPnP to Turn Infected Machines into Proxies (June 19, 2017)

A new variant of the QakBot/Pinkslipbot banking Trojan continues to cause problems even after it is removed from an infected system. The malware spreads across networks, surreptitiously steals account credentials, opens a backdoor on infected machines, and downloads additional malware. The new variant uses Universal Plug and Play (UPnP) to ask the local router to forward an inbound port to the infected machine, turning it into an HTTPS-based proxy for the malware's command-and-control servers; because that port mapping lives on the router rather than on the host, it can outlive removal of the malware itself. Disabling UPnP on the gateway, or auditing its port-mapping table, closes the proxy even when the host cleanup missed it.

Read more in:

ZDNet: This sneaky malware will cause headaches even after it is deleted from your PC
The Register: It's 2017, and UPnP is helping black-hats run banking malware

Google Play Adware (June 16, 2017)

Google is working to remove from the Google Play store annoying and malicious Android apps that bombard users with advertisements. Researchers from SophosLabs say they have found 47 such apps that have been downloaded as many as six million times in total. The apps all use a third-party advertising library that keeps displaying ads even after the user has force-closed the app or cleared it from memory.

[Editor Comments]

[Neely] The Google anti-malware apps will detect App/MarsDee-A. Google hasn't removed all applications that use this library. With the ongoing battle to discover and remove malicious applications in the Google Play store, use of a reputable Anti-Malware application could save some headaches. SophosLabs describes how MarsDee works, as well as some other potentially unwanted applications:

Read more in:
Ars Technica: Google Play is fighting an uphill battle against Android adware

NIST's Cybersecurity and Risk Management Frameworks (June 16, 2017)

A recent US presidential executive order directed federal agencies to manage cybersecurity risk with the National Institute of Standards and Technology's (NIST's) Cybersecurity Framework (CSF). Prompted by a 2013 executive order, CSF was introduced in 2014 as a voluntary framework of best practices. There has been some confusion between CSF and NIST's Risk Management Framework (RMF), which was introduced in 2010 and is mandatory for federal agencies and organizations that deal with federal data.

[Editor Comments]

[Neely] The EO is really about mapping what is being done with the mandatory RMF to the CSF. The CSF controls can be implemented with NIST controls. For organizations which have fully implemented the RMF, the gap here is small. The RMF, and corresponding updates to NIST guides, added a lot of prioritization and risk based guidance. The CSF even more so. These together make implementation much simpler than the absolute compliance model of old.

[Murray] Risk management begins with an expression of risk tolerance by executive management. NIST guidance scrupulously avoids any such expression and no one else in government is doing it. A simple such expression might be "Manage such that defalcations or material errors must involve two or more people," but does not speak to timing. A higher but more complex standard might say something like "breaches in sensitive business or public facing applications must be detected and remediated within two weeks." It is meaningless to tell management to manage risk without some measure.

Read more in:

Nextgov: How to Know Which NIST Framework to Use

Girl Scouts to Offer Cyber Security Badges (June 13 & 16, 2017)

The Girl Scouts of the USA (GSUSA) will start offering badges in cyber security in 2018. In all, there will be 18 cyber security badges. GSUSA is partnering with Palo Alto Networks to develop the curriculum.

[Editor Comments]

[Neely] Bravo to GSUSA and Palo Alto Networks for working to create substantive curriculum and requirements behind those badges. Cyber security acumen needs to become a foundation skill building in youth organizations. A challenge here is finding industry partners to develop and help maintain the program. Cyber security training is anything but static.

Read more in:

Fortune: Why Girl Scouts Make Great Cybersecurity Hackers
Girl Scouts: Girl Scouts and Palo Alto Networks: Preparing Girls for the Future of Cybersecurity
Palo Alto Networks: Palo Alto Networks and Girl Scouts of the USA Announce Collaboration for First-Ever National Cybersecurity Badges

Cherry Blossom (June 15 & 16, 2017)

Last week, WikiLeaks released documentation about a purported CIA tool, known as Cherry Blossom, that can be used to compromise wireless home routers and access points. The tool replaces the device's firmware with a modified image that can be used to monitor and manipulate the Internet traffic passing through it.

[Editor Comments]

[Williams] That nation state actors sought to implant malware on routers is old news. The original Vault 7 dumps showed the CIA had developed an exploit for Cisco routers. Shadow Brokers leaks showed that NSA had developed the EXTRABACON vulnerability, again targeting routers. The only thing new about this leak is the revelation that CIA was targeting SOHO routers. Most models required administrative credentials to upload custom firmware. With administrative credentials, attackers can perform MITM attacks without custom firmware. To protect against this type of attack: 1) Change default administrative credentials on your access point 2) Update firmware to the latest versions 3) Select an access point that checks the digital signature of firmware.

Read more in:

Threatpost: Wikileaks Alleges Years of CIA D-Link and Linksys Router Hacking via 'Cherry Blossom' Program
The Register: WikiLeaks emits CIA's Wi-Fi pwnage tool docs
Wired: Wikileaks Reveals How the CIA Could Hack Your Router
Ars Technica: Advanced CIA firmware has been infecting Wi-Fi routers for years
WikiLeaks: Cherry Blossom

Man Pleads Guilty to Stealing US Defense Dept. Satellite Network Account Data (June 15 & 16, 2017)

A UK man has admitted to breaking into a US Defense Department computer system in June 2014 and stealing user account data for about 30,000 satellite phones and for 800 users of a satellite communications system. Sean Caffrey was arrested in March 2015. Last week, he pleaded guilty at Birmingham Crown Court to an offense under the Computer Misuse Act.

Read more in:

The Register: Brit hacker admits he siphoned info from US military satellite network
Motherboard: British Hacker Pleads Guilty to Hacking US Military Satellite Phone And Messaging System
NCA: Hacker stole satellite data from US Department of Defence


Uptick in Port 83 Traffic

WINS DoS Vulnerability will not be fixed by Microsoft

Microsoft to Release Patch to Turn off SMB1

UK Hacker Stole Personnel Data For US Military Satellite Network

Sophos Web Appliance Will Now Update via https

Stack Clash Vulnerability Affects Various Unix Based Operating Systems

Separation of Duties / Malicious Administrators

Progress in Satellite Based Quantum Cryptography

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here:

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit