Online Training Special Offer - Get an iPad Mini 4, Samsung Galaxy Tab A, or $250 Off OnDemand and vLive - Ends 9/27!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #60

July 28, 2017

TOP OF THE NEWS


Power Companies Receiving Ukrainian Power Station Attack Analysis
DEF CON Voting Village
Merck Earnings Report Lists Ransomware Attack
FireEye Denies Claims of Mandiant Breach

THE REST OF THE WEEK'S NEWS


Suspended Sentence for Mirai Botnet Attack That Disrupted Service to Deutsche Telekom Customers
Man Charged with Extortion
Another Anthem Breach
FCC's Secret Plan to Protect Comment System from DDoS Attacks
Microsoft Releases Outlook Patches
Microsoft Has No Plans to Patch SMBLoris Flaw
Locked Shields Cyber Exercise
ECPA Reform Legislation Introduced

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Cybereason *******************************

Join Cybereason's Sean Ennis, Senior Systems Engineer as he dissects specific DGA methods currently being used by malware and exploit kits. Also, learn to identify DGA communication patterns and see how behavioral DGA detection actually works in a corporate scenario. Register: http://www.sans.org/info/197000

***************************************************************************

TRAINING UPDATE

-- SANS OnDemand and vLive Training | One Week Only - 12.9" iPadPro, or $550 Off With OnDemand or vLive Training - ends August 2. 30+ courses with books, labs, mp3, & SME support. https://www.sans.org/online-security-training/specials/

-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017

-- SANS Virginia Beach 2017 | August 21-September 1 | https://www.sans.org/event/virginia-beach-2017

-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017

-- SANS Baltimore 2017 | September 25-30 | https://www.sans.org/event/baltimore-fall-2017

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

--Power Companies Receiving Ukrainian Power Station Attack Analysis (July 30, 2017)

Analysis of the attacks against Ukrainian power stations is being shared with power companies around the world to help them recognize activity that could indicate they are being targeted by attackers. The warning information includes text and code the attackers used as they began to take control of systems at the Ukrainian power stations.

[Editor Comments]
[Murray] The power grid is the Achilles Heel of our infra-structure. We must assume that it is under persistent quiet attack, intended in part to compromise its controls for a possible future attack. Systems and controls attached to the public networks must be hardened. They must be "content controlled" (think Tripwire) to resist, detect, and remediate any attempts to compromise them. CISOs of power utilities should consider operating their entire IT systems in this manner. Enterprises that operate this way freely testify that the advantages of doing so far outweigh any cost.

Read more in:

BBC: Power firms alerted on hack attack scenarios
http://www.bbc.com/news/technology-40766757

--DEF CON Voting Village (July 28, 29, & 30, 2017)

People attending DEF CON last week were given the opportunity to try to hack voting machines and voter databases. DEF CON's "hacker voting village" was created to let attendees discover vulnerabilities in a variety of decommissioned voting equipment that conference organizers bought on eBay.

[Editor Comments]
[Pescatore] Just last month, when he was still the Secretary of the Department of Homeland Security, now White House Chief of Staff John Kelly said "There is nothing more fundamental to our democracy than voting" in support of declaring election systems to be part of US critical infrastructure. This type of public hacking contests are good to generate short term buzz, but the voting machine industry has shown no ability to enhance security to avoid federal legislation and regulation.
[Williams] While voting machine manufacturers will likely claim that these are old versions of the software and hardware, it's important to note that they were vulnerable in production. Current machines (which are not made available for independent testing) likely are vulnerable too. Legislation will probably be required to force vendors to secure their devices.

Read more in:
SC Magazine: Election tech hacked within hours at DEF CON Voting Village
https://www.scmagazine.com/election-tech-hacked-within-hours-at-def-con-voting-village/article/678454/
CNET: Defcon hackers find it's very easy to break voting machines
https://www.cnet.com/news/defcon-hackers-find-its-very-easy-to-break-voting-machines/
Dark Reading: DEF CON Rocks the Vote with Live Machine Hacking
http://www.darkreading.com/vulnerabilities---threats/def-con-rocks-the-vote-with-live-machine-hacking/d/d-id/1329492?
eWeek: Hackers Demonstrate Voting Machine Vulnerabilities at DefCon
http://www.eweek.com/security/hackers-demonstrate-voting-machine-vulnerabilities-at-defcon
WSJ: Hacker Cracks Voting Machine in Less Than 2 Hours
https://www.wsj.com/articles/hacker-cracks-voting-machine-in-less-than-2-hours-1501357973
Reuters: Hackers scour voting machines for election bugs
http://www.reuters.com/article/us-cyber-conference-election-hacking-idUSKBN1AD1BF

--Merck Earnings Report Lists Ransomware Attack (July 31, 2017)

In its second quarter 2017 earnings report, released on July 28, pharmaceutical company Merck said that a ransomware attack in June 2017 disrupted its global manufacturing, research, and sales operations. The report states that Merck "does not yet know the magnitude of the impact of the disruption, which remains ongoing in certain operations, [and] it continues to work to minimize the effects." (In the Merck report below, scroll down to the "Financial Outlook" section.)

[Editor Comments]
[Pescatore] Last month SWIFT also reported that cybersecurity incidents had a material impact on profit. Most of the attacks were not very sophisticated - failures to have adequate backup processes and failures in basic security hygiene are generally the common root cause. These financial announcements make Boards of Directors ask questions about cybersecurity - the additional attention is only good if you have strategic answers to give them about what needs to change and how it can get done.
Read more in:
Dark Reading: Ransomware Attack on Merck Caused Widespread Disruption to Operations
http://www.darkreading.com/attacks-breaches/ransomware-attack-on-merck-caused-widespread-disruption-to-operations/d/d-id/1329503?
Merck: Merck Announces Second-Quarter 2017 Financial Results
http://www.mrknewsroom.com/news-release/corporate-news/merck-announces-second-quarter-2017-financial-results

--FireEye Denies Claims of Mandiant Breach (July 31, 2017)

Someone claims to have stolen information from the Mandiant network and posted it to the Internet. Mandiant parent company FireEye says that it has looked into the matter and has found no evidence that Mandiant or FireEye systems were breached. It did acknowledge that a Mandiant employee's social media accounts were compromised.

[Editor Comments]
[Williams] While I don't doubt Mandiant in this matter, the attackers allude to the fact that they have taken data from the Jira server for which they show a URL and credentials. In our penetration tests, we look for ticketing systems like Jira since they frequently contain sensitive data including usernames and passwords to systems. In some instances, we have even found private keys in Jira systems. In a default configuration, it may be impossible to tell what data the compromised user looked at or searched for on the Jira server (default logging is not very verbose).
[Pescatore] We've talked about the blurring between work and personal lives for years, and social media are the petri dish where problems are emerging. Direct sensitive data leakage to social media is one issue; the bigger issue is phishing and drive by attacks via Facebook/LinkedIn etc. that lead to compromise of passwords that are also used on corporate accounts. Make sure your awareness and education programs address this area, especially for corporate management and board members. They are a frequent target via social media.

Read more in:
Cyberscoop: Mandiant researcher doxed by hackers; FireEye counters claim that internal info dumped
https://www.cyberscoop.com/mandiant-hacked-fireeye-linkedin-2017/?category_news=technology
The Register: PasteBin data dump: Hackers claim files are from Mandiant FireEye 'breach'
https://www.theregister.co.uk/2017/07/31/mandiant_fireeye_leak/
Bleeping Computer: Hackers Leak Data From Mandiant Security Researcher in Operation #LeakTheAnalyst
https://www.bleepingcomputer.com/news/security/hackers-leak-data-from-mandiant-security-researcher-in-operation-leaktheanalyst/
Reuters: FireEye researcher hacked; firm says no evidence its systems hit
http://www.reuters.com/article/us-cyber-fireeye-idUSKBN1AG1TP

*************************** SPONSORED LINKS ********************************
1) Register to understand why machine learning is gaining prominence and how it will impact the future. http://www.sans.org/info/197005
2) 5.3 Billion Reasons to Keep Up-to-date with BEC. Register to learn more: http://www.sans.org/info/197010
3) See how your efforts to keep the cloud secure for business compare. | Take the SANS Cloud Security Survey | Remain anonymous or enter your name to win a $400 gift certificate. http://www.sans.org/info/197015
******************************************************************************

THE REST OF THE WEEK'S NEWS

--Suspended Sentence for Mirai Botnet Attack That Disrupted Service to Deutsche Telekom Customers (July 28, 2017)

The man who used Mirai in an attack that knocked 900,000 Deutsche Telekom customers offline has been given a 20-month suspended sentence in German court. Daniel Kaye was arrested in London in February 2017 and faced charges in a German court. He must now return to the UK to face additional cybercrime charges.

Read more in:
KrebsOnSecurity: Suspended Sentence for Mirai Botmaster Daniel Kaye
https://krebsonsecurity.com/2017/07/suspended-sentence-for-mirai-botmaster-daniel-kaye/

--Man Charged with Extortion (July 28 & 31, 2017)

Authorities in the US have arrested a man suspected of launching distributed denial-of-service (DDoS) attacks and other crimes against media websites, the Canadian government, and other targets. Kamyar Jahanrakhshan sent emails to websites that posted information about his criminal record seeking to have that information removed. When they refused, Jahanrakhshan allegedly launched a campaign of DDoS attacks, demanding the removal of the information.

Read more in:
Bleeping Computer: DDoS Extortionist Who Posed as Anonymous Hacker Arrested in the US
https://www.bleepingcomputer.com/news/security/ddos-extortionist-who-posed-as-anonymous-hacker-arrested-in-the-us/
DoJ: Seattle Man Arrested for the Attempted Extortion of Leagle.com and Several Other Media Companies
https://www.justice.gov/usao-ndtx/pr/seattle-man-arrested-attempted-extortion-leaglecom-and-several-other-media-companies

--Another Anthem Breach (July 31, 2017)

Anthem Health Insurance has disclosed another data breach. The information of 18,500 Anthem members was sent to a private email address belonging to a staff member at a third-party vendor. The incident came to light when an insurance coordination company, Launch Point Ventures, learned that one of its employees was likely involved in activity involving identity fraud. Anthem suffered a massive breach in 2015, when 80 million customer records were compromised. Anthem paid 115 million USD to settle a class action lawsuit arising from that breach.

Read more in:
SC Magazine: Anthem reports 18,500 members involved in new data breach
https://www.scmagazine.com/anthem-reports-18500-members-involved-in-new-data-breach/article/678483/
Anthem: LaunchPoint Medicare Privacy Concern Impacting Medicare Members:
https://www.anthem.com/blog/member-news/launchpoint-privacy-concern-impacts-medicare-members/

--FCC's Secret Plan to Protect Comment System from DDoS Attacks (July 31, 2017)

Earlier this year, FCC chairman Ajit Pai had told legislators in a letter that his agency was looking into "additional solutions" to hardening its comment system after it experienced what FCC said was a DDoS attack in early May. In response to further written questions from US legislators, the Federal Communications Commission (FCC) says it cannot disclose details about its plans to protect its computer systems from DDoS attacks because "it would undermine our system's security to provide a specific roadmap of the additional solutions."

[Editor Comments]
[Pescatore] We are a decade or so beyond "security through obscurity" justifying "We're doing great stuff, but can't tell you or we'd have to kill you" kind of statements - especially for DDoS defenses. The FCC hasn't even publicly released enough information to demonstrate that the outage was caused by malicious DDoS attack vs. a publicity-driven surge of user traffic. I guess we will have to wait for the GAO audit report later in the year - I'm betting it will point to shortcomings in continuous monitoring of critical systems that were running in external cloud systems.
[Williams] There was no reason to expose an API for the comments feature of the website. Removing that feature is a good first step in protecting against DDoS. It's also worth noting that the "DDoS" that the FCC still claims occurred was almost certainly a response from viewers of the HBO John Oliver show rushing to submit comments when he encouraged them to do so on air.

Read more in:
Ars Technica: FCC says its specific plan to stop DDoS attacks must remain secret
https://arstechnica.com/information-technology/2017/07/fcc-wont-tell-congress-how-it-plans-to-stop-attacks-on-comment-system/

--Microsoft Releases Outlook Patches (July 31, 2017)

Last week, Microsoft released fixes for security issues in Outlook. Three of the issues addressed in the patches for Outlook were newly reported; they all address issues with Click-to-Run. Six others address problems with patches issued in June's patch update. There are still two more unfixed problems with the June Outlook patches.

[Editor Comments]
[Neely] Microsoft is pushing patches for Office products more frequently, just as they are doing for Windows 10. Deploying Click-to-Run is designed the enterprise on both the most recent patches and the most recent product feature based on the update channel selected. Having monthly updates in features and patches is very attractive. Also, having updates automatically pushed rather than staging them through a patch management solution reduces the delay in getting fixes to the desktop.

Read more in:
Threatpost: Microsoft Releases Outlook and Office Click-to-Run Patches
https://threatpost.com/microsoft-releases-outlook-and-office-click-to-run-patches/127095/
SC Magazine: Microsoft patches memory corruption and information disclosure vulnerabilities
https://www.scmagazine.com/microsoft-patches-two-bugs-that-would-have-allowed-remote-takeover/article/678684/

--Microsoft Has No Plans to Patch SMBLoris Flaw (July 26 & 30, 2017)

Researchers say that Microsoft does not plan to patch a flaw in Windows Server Message Block (SMB) disclosed last week at DEF CON because the service should be firewalled off from the Internet. The vulnerability, which has been dubbed SMBLoris, has been present in SMB for 20 years. The flaw could be exploited to launch a remote denial-of-service attack if the machine has SMB exposed to the Internet.

[Editor Comments]
[Neely]Another reason to turn SMBv1 off wherever you can to reduce the attack surface. Ideally, only enable SMBv1 by approved exception. Where it remains enabled, configure network monitoring and alerting for anomalous SMBv1 use.
[Williams] While SMB shouldn't be exposed to the Internet, there is no reason to leave such an attack open from internal users.

Read more in:
The Register: Microsoft won't patch SMB flaw that only an idiot would expose
http://www.theregister.co.uk/2017/07/30/slow_loris_smbv1_attack/
Threatpost: Windows SMB Zero Day to be Disclosed During DEF CON
https://threatpost.com/windows-smb-zero-day-to-be-disclosed-during-def-con/126927/

--Locked Shields Cyber Exercise (July 28, 2017)

This year's Locked Shields cyber defense exercise, run by NATO's Cooperative Cyber Defence Centre of Excellence (CCD COE) pitted 19 teams of defenders, charged with protecting a fictional country's air base against a barrage of attacks from a red team.

Read more in:
Tech Republic: Defending against cyberwar: How the cybersecurity elite are working to prevent a digital apocalypse
http://www.techrepublic.com/article/defending-against-cyberwar-how-the-cybersecurity-elite-are-working-to-prevent-a-digital-apocalypse/

--ECPA Reform Legislation Introduced (July 28, 2017)

US legislators are working on a bill that would update the Electronic Communications Privacy Act of 1986 (ECPA). The new bill would require law enforcement to obtain a warrant prior to accessing stored electronic communications. The Senate's version of the bill would also require a warrant for obtaining location data.

[Editor Comments]
[Northcutt] The fact that it is bi-partisan gives me a bit of hope, and the ECPA is certainly in need of an update. I think most citizens would appreciate law enforcement requiring a warrant before accessing stored communications. However, what will happen next is that stories will be circulated that Law Enforcement needs this access to stop terrorists and drug dealers. Before you believe such malarky consider what they are already doing and it isn't targeting terrorists:
https://arstechnica.com/tech-policy/2017/03/feds-were-pulling-data-from-100-phones-seized-during-trump-inauguration/
https://apnews.com/699236946e3140659fff8a2362e16f43/ap-across-us-police-officers-abuse-confidential-databases

Read more in:
eWeek: New U.S. Cyber-Security Legislation May Help Reassert Fourth Amendment
http://www.eweek.com/security/new-u.s.-cyber-security-legislation-may-help-reassert-fourth-amendment
Lee Senate: Sens. Lee and Leahy Introduce ECPA Modernization Act
https://www.lee.senate.gov/public/index.cfm/2017/7/sens-lee-and-leahy-introduce-ecpa-modernization-act

INTERNET STORM CENTER TECH CORNER

SMBloris DoS Attack Locks Up Windows

https://twitter.com/jennamagius/status/891434286212984832
https://isc.sans.edu/forums/diary/SMBLoris+the+new+SMB+flaw/22662/

Text Banking Attacks

https://isc.sans.edu/forums/diary/Text+Banking+Scams/22666/

Nissan Leaf WiFi Vulnerability

https://github.com/HackingThings/Publications/blob/cdb72df7c3feffd02593a31d67a34ae353b09114/2017/DC25_Driving%20down%20the%20rabbit%20hole-Mickey_Jesse_Oleksander.pdf

MSFT Re-Releases June Outlook Update

https://support.office.com/en-us/article/Outlook-known-issues-in-the-June-2017-security-updates-3f6dbffd-8505-492d-b19f-b3b89369ed9b?ui=en-US&rs=en-US&ad=US&fromAR=1

Iranian Hackers Use Social Media To Collect Data

https://www.darkreading.com/attacks-breaches/iranian-hackers-ensnared-targets-via-phony-female-photographer/d/d-id/1329502?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

ShieldFS Self-Healing Filesystem

http://shieldfs.necst.it/continella-shieldfs-2016.pdf


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create