
Volume XIX - Issue #54

July 11, 2017


DHS, FBI Warn of Cyber Attacks Against Energy Companies
CopyCat Malware Infects Millions of Android Devices
Kaspersky Says It Will Share Code with US Government
Ukraine Holds Off Second Round of Cyber Attacks


July Android Update Addresses Broadpwn Vulnerability
Stop Using SMB1
Ukrainian Police Seize M.E.Doc Servers
Bithumb Breach
An Argument for Inspecting SSL Traffic
Lessons Learned From US Cyber Command's Cyber Flag Exercise
Researchers Find Libgcrypt Vulnerability
Pentagon Will Encrypt Soldiers' eMail Within the Next Year


*************************** Sponsored By Cisco Systems *******************************

FREE Cloud eBook: The cloud opens up a whole new world for businesses; but it also creates fresh opportunities for attackers. As cloud adoption rises, so do security risks - one of the biggest being a lack of network visibility. Read our eBook and learn how to extend network visibility to the cloud for comprehensive threat protection.



-- SANS OnDemand and vLive Training
Special Offer! Get the brand new 12.9" iPad Pro, Microsoft Surface Pro 4, or take $550 off your course until July 12. 30+ courses with books, labs, mp3, & SME support.

-- SANSFIRE 2017 | Washington, DC | July 22-29 |

-- SANS Network Security | Las Vegas, NV | September 10-17 |

-- SANS Security Awareness Summit | Nashville, TN | July 31-August 9 |

-- SANS Boston 2017 | August 7-12 |

-- SANS London September 2017 | September 25-30 |

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 |

-- SANS October Singapore 2017 | October 9-28 |

-- SANS Brussels Autumn 2017 | October 16-21 |

-- SANS Tokyo Autumn 2017 | October 16-28 |

-- Can't travel? SANS offers online instruction for maximum flexibility Live Daytime training with Simulcast - https://www.sans.org/simulcast
Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/
SANS Online Training: Special Offer! Get the brand new 12.9" iPad Pro, or a Microsoft Surface Pro 4, or take $550 off OnDemand or vLive Training when you register by July 12! - https://www.sans.org/online-security-training/specials/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/



--DHS, FBI Warn of Cyber Attacks Against Energy Companies (July 1 & 6, 2017)

A joint report from the US Department of Homeland Security (DHS) and the FBI warns of malware attacks targeting nuclear power stations, energy facilities, and manufacturing plants. The attacks have been occurring since May. The report assigns the warning an amber rating, the second highest level. The attacks thus far appear to be seeking access credentials and information to help the attackers map the networks they have infiltrated. The attackers targeted employees at the organizations through phony resumes with embedded malware and through watering hole attacks.

[Editor Comments]

[Assante] Crafted targeting of engineers and I&C staff is very troubling. The implication is that someone intends to deliver a capability into a plant's operational systems. Looks like someone has been learning from recent incidents demonstrating how non-targeted malware found its way on to Nuclear Power Plant control systems.

[Murray] With the possible exception of Ukraine, potential attackers of power grids are in the target and vulnerability identification phase. The longer this phase lasts and the more effective it is, the greater the risk. It is as important to resist this intelligence gathering as it is to resist its exploitation. Power generation and distribution continues to be our most at risk infrastructure; continuous reminders are appropriate and, one hopes, effective.

Read more in:

NYT: Hackers are Targeting Nuclear Facilities, Homeland Security Dept. and F.B.I. Say https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report.html
Ars Technica: FBI-DHS "amber" alert warns energy industry of attacks on nuke plant operators https://arstechnica.com/security/2017/07/dhs-fbi-warn-of-attempts-to-hack-nuclear-plants/
The Hill: Russians suspected to be behind hacks of nuclear plant http://thehill.com/policy/cybersecurity/340938-russians-suspected-to-be-behind-hacks-of-nuclear-plant
Reuters: U.S. warns nuclear, energy firms of cyber plot (video) http://www.reuters.com/video/2017/07/01/us-warns-nuclear-energy-firms-of-cyber-p?videoId=372006762&videoChannel=118208

--CopyCat Malware Infects Millions of Android Devices (July 6, 2017)

Malware known as CopyCat has been infecting Android devices through apps available from third-party app stores. It does not appear to be infecting apps in the Google Play store. Once the malware has infected a device, it collects information from the device and downloads rootkits. According to Check Point, CopyCat has infected more than 14 million devices. Android's "fragmented" security updating system means that many users are running incompletely patched versions of the mobile operating system.

[Editor Comments]

[Honan] The longer our systems and businesses rely on out-of-date and unsupported platforms, the more vulnerable to attack they will be. We need to better communicate to business management the risk posed to the business by not investing in modern systems and applications. Senior management need to realise cyber-attacks no longer impact only computers but also the business's bottom line, as can be seen by Mondelez cutting its growth forecast due to the global cyber attack and Reckitt Benckiser stating that the 'NotPetya' ransomware could cost them USD 130 million.

Read more in:

CNET: CopyCat malware infected 14 million outdated Android devices https://www.cnet.com/news/android-hack-copycat-malware-device-outdated-14-million/
SC Magazine: CopyCat malware infects 14M-plus Android devices, steals credits for app downloads https://www.scmagazine.com/copycat-malware-infects-14m-plus-android-devices-steals-credits-for-app-downloads/article/673361/
eWeek: CopyCat Malware Infects 14M Android Devices in Ad Fraud Attack http://www.eweek.com/security/copycat-malware-infects-14m-android-devices-in-ad-fraud-attack
Cyberscoop: Scammers make millions in two months with dated Android exploits https://www.cyberscoop.com/android-malware-copycat-vroot-check-point-mobi-summer/?category_news=technology

--Kaspersky Says It Will Share Code with US Government (July 2, 3, & 5, 2017)

Some US legislators have expressed concerns that Kaspersky Lab may have ties to the Russian government. Eugene Kaspersky said he will disclose his company's source code with the US government to prove that the company's products do not contain malware that could be used by Russia's government. Meanwhile, Russia is said to be considering regulations that would eliminate foreign antivirus vendors from competing in the Russian market.

[Editor Comments]

[Pescatore] The UK has done this since 2005 with Chinese telecoms vendor Huawei after Huawei won the BT telecoms upgrade contract. Veracode, a US software testing vendor, has a program called VerAfied where software vendors pay for their products to be tested for vulnerabilities and malicious capabilities in order to sell into companies that want high levels of supply chain security. Chinese security vendor NS Focus has been in the VerAfied directory for years. Enterprises and government agencies should be proactively requiring all software suppliers, and especially all security software suppliers (regardless of what country the vendor calls home) to demonstrate similar inspection and verification.

[Murray] If code inspection was efficient, we would not be shipping so much bad code. Access to the source code is necessary but not sufficient to eliminate the potential for malicious code. It is also necessary that the code be completely specified, well structured, and written in a transparent language. Not impossible but rare enough.

[Williams] While I applaud the offer of transparency by Eugene Kaspersky, it won't really address the fears stated by the Senate and he probably knows this. Numerous companies in the US, including my own, fall into the same standard of "evidence" offered by the Senate. Namely that I'm former intelligence and was educated by our intelligence schools. While I suspect there is more we're not being told, what has been shared so far about Kaspersky's likelihood of being influenced by the Russian government is far from convincing. For more on why a source code audit isn't sufficient to address the Senate's statements, see this article (https://www.renditioninfosec.com/2017/07/why-a-kaspersky-code-audit-doesnt-really-ensure-security/).

Read more in:

The Hill: Kaspersky willing to turn over source code to US government http://thehill.com/policy/cybersecurity/340420-kaspersky-willing-to-turn-over-source-code-to-us-government
Cyberscoop: Amid Kaspersky controversy, Russia considers pushing out foreign competitors https://www.cyberscoop.com/russia-computer-law-foreign-competitors-kaspersky/?category_news=technology
V3: Eugene Kaspersky offers to show source code to US government to prove there's nothing shonky about its security software https://www.v3.co.uk/v3-uk/news/3013082/eugene-kaspersky-offers-to-show-source-code-to-us-government-to-prove-theres-nothing-shonky-about-its-security-software

--Ukraine Holds Off Second Round of Cyber Attacks (July 5, 2017)

Authorities in Ukraine say they have staved off a second wave of cyber attacks. Petya hit systems in Ukraine on Thursday, June 27. A second round of attacks attempted to start spreading on Tuesday, July 4 from the same servers at tax software company M.E. Doc.

Read more in:

Fifth Domain: Ukraine says it foiled 2nd cyberattack after police raid http://fifthdomain.com/2017/07/05/ukrainian-police-seize-software-companys-servers-block-second-attack/

*************************** SPONSORED LINKS ********************************
1) Don't miss: "ICS Cyber Security in The Real-World: Demonstrating Threat Detection and Mitigation In Industrial Networks"
Register: http://www.sans.org/info/196135
2) "Automating Cloud Security to Mitigate Risk" with Dave Shackelford.
Register: http://www.sans.org/info/196140
3) Learn why there is so much acclaim about Forcepoint NGFW products across the industry, and why NSS Labs recommends the Forcepoint NGFW to be on every company's short list.
http://www.sans.org/info/196145
******************************************************************************


--July Android Update Addresses Broadpwn Vulnerability (July 6 & 7, 2017)

Google's July Android Security Bulletin includes a fix for a critical remote code execution flaw known as Broadpwn. The flaw lies in Broadcom BCM43xx WiFi chips. The same issue affects Apple chipsets.

Read more in:

Threatpost: Google Patches Critical 'Broadpwn' Bug in July Security Update https://threatpost.com/google-patches-critical-broadpwn-bug-in-july-security-update/126688/
The Register: Google patches pwnable 'droids for Wi-Fi vuln http://www.theregister.co.uk/2017/07/07/google_patches_pwnable_droids_against_wifi_vuln/
Android: Android Security Bulletin-July 2017 https://source.android.com/security/bulletin/2017-07-01

--Stop Using SMB1 (July 6, 2017)

The recent Petya malware attacks exploited a vulnerability in Windows Server Message Block 1 (SMB1), a decades-old networking protocol that Microsoft itself has said should no longer be in use. Microsoft plans to kill SMB1, but until it does, users would be well advised to remove the protocol themselves.

[Editor Comments]

[Ullrich] The Windows 10 Fall Creators Update will disable SMB1 by default. However, this will only affect clean installs. If you upgrade a system, SMBv1 will remain enabled unless you specifically turn it off. Windows Server 2008, the oldest still-supported Microsoft OS, supports SMBv2.02. Microsoft maintains a site with a list of products that do require SMBv1: https://blogs.technet.microsoft.com/filecab/2017/06/01/smb1-product-clearinghouse/. As a rule of thumb: Linux devices using older versions of Samba for file or printer sharing still require SMBv1. Linux kernels 3.7 and later do support SMB2.

[Murray] System managers are reluctant to try workarounds such as this for fear of breaking applications. This fear is rooted in ignorance of their own networks. Disabling the protocol may tell them more about their networks than they wanted to know.

[Neely] SMB1 weaknesses are the new sweet spot for malware lateral movement. SMB1 can be disabled on Windows Vista and newer and Server 2008 and newer via GPO, and Samba 3.6 also allows disablement. Even if you have legacy systems that still need SMB1, allowing it by exception and/or separating those services will allow you to reduce that attack surface. Once reduced, add SMB1 monitoring to detect misuse.

[Williams] I'm happy to beat the drum for "stop using SMB1." And if you can stop using it (e.g. you have no legacy devices in the network that require it) you'll likely be more secure as a result. But this is a dumb thing to call for in the context of the NotPetya attacks. The NotPetya malware was designed to abuse privileges of logged-on users with WMI and PsExec. Those both work even if you're fully patched and have SMB1 disabled. Infosec basics like the principle of least privilege would have done more to protect networks than disabling SMB1.

Read more in:

Computerworld: The ancient Microsoft networking protocol at the core of the latest global malware attack http://computerworld.com/article/3206185/malware-vulnerabilities/the-ancient-microsoft-networking-protocol-at-the-core-of-the-latest-global-malware-attack.html

--Ukrainian Police Seize M.E.Doc Servers (July 4, 5, & 6, 2017)

Police in Ukraine have seized servers from accounting software company M.E.Doc; the company's software is believed to have been used to spread the Petya malware. Investigators have found that servers and other infrastructure elements belonging to the company have not been updated since 2013.

Read more in:

The Register: Ukraine authorities raid MeDoc in NotPetya investigation http://www.theregister.co.uk/2017/07/05/ukraine_authorities_raid_me_docs_in_notpetya_investigation/
Dark Reading: Updates to NotPetya Lead to Server Seizure at Ukrainian Software Firm http://www.darkreading.com/attacks-breaches/updates-to-notpetya-lead-to-server-seizure-at-ukrainian-software-firm/d/d-id/1329280?
Cyberscoop: 'Patient zero' of global ransomware incident was warned and owned before outbreak https://www.cyberscoop.com/patient-zero-global-ransomware-incident-warned-owned-outbreak/?category_news=technology
V3: Ukrainian company compromised to spread NotPetya malware has servers seized by police https://www.v3.co.uk/v3-uk/news/3013273/ukrainian-company-compromised-to-spread-notpetya-malware-has-servers-seized-by-police
BleepingComputer: M.E.Doc Software Was Backdoored 3 Times, Servers Left Without Updates Since 2013 https://www.bleepingcomputer.com/news/security/m-e-doc-software-was-backdoored-3-times-servers-left-without-updates-since-2013/
BleepingComputer: Ukrainian Police Seize Servers From Where NotPetya Outbreak First Spread https://www.bleepingcomputer.com/news/security/ukrainian-police-seize-servers-from-where-notpetya-outbreak-first-spread/
Ars Technica: Backdoor built in to widely used tax app seeded last week's NotPetya outbreak https://arstechnica.com/security/2017/07/heavily-armed-police-raid-company-that-seeded-last-weeks-notpetya-outbreak/

--Bithumb Breach (July 5 & 6, 2017)

South Korean cryptocurrency exchange Bithumb says that a breach compromised personal information of 30,000 customers, approximately three percent of its users overall. The stolen information was used to trick customers into allowing funds to be taken from their accounts. The breach is believed to have occurred on an employee's home computer. While it appears to have taken place in February, Bithumb detected the breach on June 28 and notified authorities the following day. The incident is being investigated by the Korea Internet & Security Agency.

[Editor Comments]

[Honan] "The breach is believed to have occurred on an employee's home computer" is a good example of how the D in BYOD can stand for Bring Your Own Data-breach as opposed to Bring Your Own Device. If you support staff working from home, make sure you are providing them with a secure environment within which to protect your data and systems.

Read more in:

SC Magazine: Bitthumb breach yields personal data on 30K, leads to funds scams https://www.scmagazine.com/bitthumb-breach-yields-personal-data-on-30k-leads-to-funds-scams/article/673051/
BBC: Hackers steal Bitcoin funds from Bithumb exchange traders http://www.bbc.com/news/technology-40506609
The Register: Breached Bitcoin Bithumb bosses blame bod's BYOD http://www.theregister.co.uk/2017/07/06/bithumb_hack/

--An Argument for Inspecting SSL Traffic (July 5, 2017)

The massive data breach that affected systems at the US Office of Personnel Management (OPM) in 2015 was first detected when a security engineer decrypted and inspected SSL traffic on the OPM network. The inspection revealed suspicious outbound traffic. According to a survey from the Ponemon Institute, half of malware attacks are likely to arrive over encrypted channels, but just 20 percent of organizations are inspecting their SSL traffic. If government agencies had the means to regularly inspect their networks' encrypted traffic, it could help detect incidents sooner.

[Editor Comments]

[Ullrich] Inspecting SSL traffic is absolutely critical to prevent data exfiltration and malware infections. Many control channels use SSL/TLS as well. But doing so will only get more difficult with more modern TLS configuration options like certificate pinning, in particular for devices that are not behind proxies 100% of the time.

[Pescatore and Honan] Usual disclaimer: the article was written by, and the study funded by, a vendor that sells an SSL decryption product. That said, attackers have definitely increased their use of SSL and other forms of transport encryption to evade detection. Increased enterprise use of cloud services has caused more very sensitive inside-to-outside communications to be carried over SSL, vs. across data center networks. Many good reasons for SSL decryption to be on the priority list - after basic security hygiene, and after you have repeatable processes that can deal with the added inspection traffic load.

[Honan] I would add that implementing solutions to support this type of inspection can have major privacy implications for staff. Within the European Union there are strict requirements on protecting the privacy of employees' personal communications, so organisations should ensure, when rolling out solutions to inspect SSL traffic, that they can do so in such a way as not to impinge on staff accessing their personal online web services such as banking, email, social media, etc.

[Northcutt] The blog proposes an idea that is not very practical. About half of web traffic is encrypted. Before we invest in the capability to break encryption, inspect payload, make the allow/deny decision, rebuild traffic, what are we doing with the half of the traffic in plain text? Many of the Indicators of Compromise can be detected at the unencrypted (outside of the envelope) layers including the size of the flow for the example listed by the author.

[Neely] While SSL Inspection provides visibility into individual browser connections, the Server Name Indication (SNI) is sent in the clear during the initial SSL handshake, so network or proxy protection devices can still be configured to detect, alert or even block connections to disallowed sites even without SSL inspection.

[Williams] Sure, this is a good argument for inspecting SSL traffic, but there are counter arguments too. For one, inspecting SSL is expensive. If you don't have basic infosec blocking and tackling down (see CIS 20 Critical Security Controls) then SSL interception is not the best use of your security budget. Also, SSL interception logs things like users' bank account passwords and other sensitive data that may cause non-repudiation issues.

Read more in:

Nextgov: Why All Federal Agencies Should Break and Inspect Secure Traffic http://www.nextgov.com/technology-news/tech-insider/2017/07/why-all-federal-agencies-should-break-and-inspect-secure-traffic/139196/?oref=ng-channelriver
Johannes Ullrich's podcast from last year: https://www.sans.org/webcasts/8-ways-watch-invisible-analyzing-encrypted-network-traffic-103277

--Lessons Learned From US Cyber Command's Cyber Flag Exercise (July 5, 2017)

Leaders of the US Cyber Command's Cyber Flag exercise spoke with Fifth Domain about the lessons the exercise has revealed regarding the structure and deployment of teams and the best ways to conduct operations.

[Editor Comments]

[Murray] The story is that they learned lessons. One of the lessons is about the use of resources in smaller teams. We have known since Fred Brooks wrote the Mythical Man Month, indeed since Poor Richard's Almanac, that there is a practical limit to the number of cooks that can be usefully employed on a broth.

Read more in:

Fifth Domain: Cyber Flag exclusive: What Cyber Command learns from the annual exercise http://fifthdomain.com/2017/07/05/cyber-flag-exclusive-what-cyber-command-learns-from-the-annual-exercise/

--Researchers Find Libgcrypt Vulnerability (July 5, 2017)

Researchers from universities in Australia, the Netherlands, and the US have published a paper describing how they used a local side-channel attack to break the Libgcrypt encryption library. The exploit could be used to recover an RSA-1024 key.

[Editor Comments]

[Williams] It is important to note that this requires code to be running on the machine where the keys are stored.

Read more in:

Threatpost: Libgcrypt 'Sliding Right' Attack Allows Recovery of RSA-1024 Keys https://threatpost.com/libgcrypt-sliding-right-attack-allows-recovery-of-rsa-1024-keys/126675/
SC Magazine UK: Researchers open sliding window to completely break libgcrypt RSA-1024 https://www.scmagazineuk.com/researchers-open-sliding-window-to-completely-break-libgcrypt-rsa-1024/article/673178/
Paper: Sliding right into disaster: Left-to-right sliding windows leak https://eprint.iacr.org/2017/627.pdf

--Pentagon Will Encrypt Soldiers' eMail Within the Next Year (July 6, 2017)

The US Defense Information Systems Agency (DISA) says it will soon start encrypting soldiers' email. DISA plans to complete migration to a new email gateway infrastructure that implements STARTTLS by July 2018.

[Editor Comments]

[Pescatore] Using STARTTLS is a good thing from the perspective of thwarting bulk collection of email in transit, but it does not equate to "encrypting email" as it is just transport encryption, not persistent content encryption. Much of the federal government (including the Executive Office of the President) has yet to move to enabling STARTTLS, but I'd really rather see a Pentagon headline that said "Pentagon Funds 3 year Plan to Modernize Strong Authentication and Enable Persistent Email Encryption" vs. more transport encryption.

[Ullrich] STARTTLS is a good start, and will encrypt most e-mails. But its ease of use comes with a notable vulnerability. The initial handshake to establish STARTTLS is still in the clear, and some countries have been found to strip out the STARTTLS headers, which will then cause the e-mail to be sent in the clear.

[Neely] Configuring SMTP to use TLS whenever possible is basic hygiene for protecting potentially sensitive information sent over the Internet, and making it required between business partners should be a best practice. Beyond that, encryption of known sensitive email, with PGP or S/MIME, to ensure only authorized recipients are able to read the message should be employed.

Read more in:

Motherboard: The Pentagon Says It Will Start Encrypting Soldiers' Emails Next Year https://motherboard.vice.com/en_us/article/bjxjxv/the-pentagon-says-it-will-start-encrypting-soldiers-emails-next-year
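Ullrich's caveat about the cleartext EHLO exchange maps to a concrete client-side mitigation, in line with Neely's suggestion of requiring TLS between business partners. This added example is not code from the NewsBites item or from DISA: it parses two constructed EHLO replies, one with the 250-STARTTLS line removed by a middlebox, and shows a fail-closed decision; `REQUIRE_TLS_FOR`, `partner.example.com` and the `send_with_policy` helper are assumptions.

```python
import smtplib
import ssl

# Constructed EHLO replies as seen on the wire (not real captures). In the second
# one a middlebox has removed the "250-STARTTLS" line; everything else is unchanged.
EHLO_NORMAL = (b"250-mx.partner.example.com Hello [192.0.2.10]\r\n"
               b"250-SIZE 35882577\r\n"
               b"250-STARTTLS\r\n"
               b"250 8BITMIME\r\n")
EHLO_STRIPPED = (b"250-mx.partner.example.com Hello [192.0.2.10]\r\n"
                 b"250-SIZE 35882577\r\n"
                 b"250 8BITMIME\r\n")

# Constructed policy: destinations that must never receive mail in the clear.
REQUIRE_TLS_FOR = {"partner.example.com"}


def parse_ehlo_extensions(reply: bytes) -> set:
    """Return the ESMTP extension keywords advertised in a multi-line 250 EHLO reply."""
    exts = set()
    for line in reply.decode("ascii", "replace").splitlines()[1:]:  # line 0 is the greeting
        if line[:3] != "250":
            break                                  # not a 250 continuation line; stop
        exts.add(line[4:].split(" ", 1)[0].upper())
    return exts


def negotiate(dest_domain: str, offered: set) -> str:
    """Decide the next step: 'starttls', 'plaintext' (opportunistic only) or 'abort'.

    An opportunistic client silently falls back to plaintext when STARTTLS is not
    offered, which is exactly what a stripping middlebox relies on. For destinations
    in REQUIRE_TLS_FOR the absence of STARTTLS is treated as a failure, not a downgrade.
    """
    if "STARTTLS" in offered:
        return "starttls"
    if dest_domain in REQUIRE_TLS_FOR:
        return "abort"
    return "plaintext"


def send_with_policy(host: str, dest_domain: str, sender: str, rcpt: str, msg: str) -> str:
    """Connect, EHLO, apply the policy and send; returns the action taken.

    Uses only smtplib/ssl from the standard library. `host` is whichever MX you are
    delivering to (assumed argument; nothing here reflects DISA's configuration).
    """
    ctx = ssl.create_default_context()          # verifies the server certificate
    with smtplib.SMTP(host, 25, timeout=30) as s:
        s.ehlo()
        action = negotiate(dest_domain, {k.upper() for k in s.esmtp_features})
        if action == "abort":
            return action                        # leave the message queued; never downgrade
        if action == "starttls":
            s.starttls(context=ctx)
            s.ehlo()                             # features must be re-read after TLS
        s.sendmail(sender, [rcpt], msg)
    return action


if __name__ == "__main__":
    for label, reply in (("normal", EHLO_NORMAL), ("stripped", EHLO_STRIPPED)):
        print(label, "->", negotiate("partner.example.com", parse_ehlo_extensions(reply)))
```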


Microsoft Patches Skype Vulnerability


SystemD Invalid Username Bug Not Considered a Vulnerability (or Bug)


Cisco Fixes SNMP Vulnerability in IOS and IOS XE


Smartphones Can Be Compromised with shady replacement parts


Siemens Fixes Intel AMT Bug


Update For libgcrypt


AVTest Report: Ransomware not a big deal; Android/MacOS Catching up to Windows


Microsoft Will Prompt Users to Update Windows 10


Bithumb Bitcoin Exchange Hacked (Article in Korean)


Turkish Airlines and Emirates Remove Laptop Ban


Ukrainian Authorities Raid MeDoc (Article in Ukrainian)


The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create