
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #68

August 25, 2017

TOP OF THE NEWS


US-CERT Provides Technical Details About North Korea's Hidden Cobra Botnet Infrastructure
AccuWeather App Still Sharing User Data After Update

THE REST OF THE WEEK'S NEWS


WireX Botnet Takedown
Brazilian University Tor Relay Banned for Gathering .onion Addresses
Judge Says Stingray Use Requires Warrant, But Warrantless Use Was Justified in Murder Case
Prison Sentence for Engineer Who Oversaw Volkswagen Diesel Emissions Cheating
IoT Device Credentials Leaked
Five People Detained in Turkey Over Qatar News Agency Hacking
Eight National Infrastructure Advisory Council Members Resign
Google Accidentally Shuts Down Internet in Japan
Clarification: Windows Upgrades in Germany

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Splunk *******************************

The State of Security Operations With IDC and Splunk. Does your organization have the processes in place to investigate and effectively respond to cyberattacks? IDC surveyed security decision makers at 600 organizations to understand the state of security operations today. Join this webinar to learn why an analytics-driven approach can make security investigation more efficient and effective, reducing costs and improving security posture. http://www.sans.org/info/197770

***************************************************************************

TRAINING UPDATE

-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017

-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017

-- SANS Baltimore Fall 2017 | September 25-30 | https://www.sans.org/event/baltimore-fall-2017

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS OnDemand and vLive Training | Get an iPad Pro (10.5") with Smart Keyboard, an HP Chromebook 13 G1 or take $350 Off OnDemand or vLive Training when you register by August 30! https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

US-CERT Provides Technical Details About North Korea's Hidden Cobra Botnet Infrastructure (August 25, 2017)

Earlier this summer, a joint alert from the FBI and the US Department of Homeland Security (DHS) warned that North Korea was using a botnet infrastructure called Hidden Cobra to launch distributed denial-of-service (DDoS) attacks against systems at media, aerospace, financial companies and elements of critical infrastructure around the world. A recent alert from the US Department of Homeland Security's (DHS's) US-CERT "provides technical details on the tools and infrastructure" of Hidden Cobra. The malware could potentially spread through older, unpatched versions of Adobe Flash and Microsoft Silverlight.

[Editor Comments]
[Northcutt] TA17-164A may be the most useful CERT advisory ever. Even if you are not technical, skim through it and make the technical people tell you that they have implemented the guidance within. If they try to tell you "this doesn't apply to us," ask if anyone from your organization runs, or has run, Adobe Flash or Microsoft Silverlight. CERT/FBI have given us a great starter set of signatures and crucial information; now it is up to us to implement it.

Read more in:
FCW: How to spot a North Korean bot
https://fcw.com/articles/2017/08/24/north-korea-botnet-rockwell.aspx
US-CERT: HIDDEN COBRA - North Korea's DDoS Botnet Infrastructure
https://www.us-cert.gov/ncas/alerts/TA17-164A

AccuWeather App Still Sharing User Data After Update (August 25, 2017)

AccuWeather was criticized for sharing user data with an advertising company. AccuWeather has removed a feature that collected users' location data without their permission and shared it with Reveal Mobile. However, AccuWeather still appears to be sharing geolocation data, ostensibly collected for the purpose of providing users with precise, location-specific weather information, with another third-party advertising company.

[Editor Comments]
[Murray] AccuWeather's disingenuous apology should have been sufficient for one to delete the app.
[Northcutt] The Softpedia story is hard to read; jump to the bottom for update 2. Right now it looks like ZDNet is the best source for updated data. Under the circumstances I would recommend using a different weather app, and asking your mother and brother to do the same.

Read more in:
ZDNet: Despite privacy outrage, AccuWeather still shares precise location data with ad firms
http://www.zdnet.com/article/accuweather-still-shares-precise-location-with-advertisers-tests-reveal/
Softpedia: AccuWeather Still Sharing User Data Without Consent Despite Update
http://news.softpedia.com/news/accuweather-still-sharing-user-data-without-consent-despite-update-517514.shtml

*************************** SPONSORED LINKS ********************************

1) Need a Primer on IT Security? Check out this Beginner's Guide Series to learn more. http://www.sans.org/info/197775

2) In case you missed it: "Cutting Through the Noise: How Automated Analysis Turns Threat Data into Threat Intel" http://www.sans.org/info/197780

3) Don't Miss: "The latest 2017 NSS Labs NGFW test results reveals many NGFWs may be vulnerable to evasions. Does your current firewall or IPS protect against AETs?" http://www.sans.org/info/197785

******************************************************************************

THE REST OF THE WEEK'S NEWS

WireX Botnet Takedown (August 28, 2017)

Several tech companies have worked together to take down the WireX botnet. Researchers first became aware of WireX at the beginning of August; there are now tens of thousands of infected nodes. The malware appears to have been hiding in apps in the Google Play Store. Google has identified roughly 300 rogue apps, has blocked them from the store, and is in the process of removing them from users' devices.

[Editor Comments]
[Murray] We have to judge "researchers" on their behavior, not their motives or their pretenses.

Read more in:
The Register: Tech firms take down WireX Android botnet
http://www.theregister.co.uk/2017/08/28/tech_firms_take_down_wirex_android_botnet/

Brazilian University Tor Relay Banned for Gathering .onion Addresses (August 25, 2017)

Researchers at a Brazilian university have had their Tor relay banned after it was found to be harvesting users' .onion addresses. One of the researchers says they were working on a tool that would be able to distinguish malicious hidden services from those that do not pose a threat. Harvesting .onion addresses violates Tor guidelines.

[Editor Comments]
[Williams] It is reasonable to assume that a large number of Tor relays are harvesting data. While Tor offers a level of anonymity, don't assume that it offers complete security. Any infrastructure you use (but don't own) should be part of your threat model.

Read more in:
The Register: Brazilians waxed: Uni's Tor relay node booted after harvesting .onions
http://www.theregister.co.uk/2017/08/25/brazilians_waxed_for_slurping_tor_addresses/

Judge Says Stingray Use Requires Warrant, But Warrantless Use Was Justified in Murder Case (August 26, 2017)

A US federal judge in California has ruled that evidence gathered through the warrantless use of a cell-site simulator may not be suppressed in a murder case. The evidence was used to locate the defendant, Purvis Ellis. Judge Phyllis Hamilton did find that using the technology to locate Ellis constituted a search under the Fourth Amendment, which under normal circumstances would require a warrant. In this case, Hamilton agreed with the government that there were "exigent circumstances," justifying the use of a cell-site simulator.

[Editor Comments]
[Neely] The rules on Stingray use changed in 2015; this use occurred in 2013. Because of the rule change, the judge's carefully worded ruling is unlikely to have bearing on cases of Stingray use post-2015.

Read more in:
Ars Technica: Court: Locating suspect via stingray definitely requires a warrant
https://arstechnica.com/tech-policy/2017/08/court-locating-suspect-via-stingray-definitely-requires-a-warrant/
Document Cloud: Pretrial Order Denying Motions to Suppress
https://www.documentcloud.org/documents/3962321-Gov-Uscourts-Cand-273044-337-0.html

Prison Sentence for Engineer Who Oversaw Volkswagen Diesel Emissions Cheating (August 25, 2017)

James Liang has been sentenced to 40 months in prison for his role in the Volkswagen diesel emissions scandal. Liang was Volkswagen's Leader of Diesel Competence during the period of time the company installed software in vehicles that allowed them to trick emissions tests. Liang pleaded guilty in September 2016 to wire fraud and violations of the US Clean Air Act. Liang has also been ordered to pay a fine of 200,000 USD.

[Editor Comments]
[Pescatore] This kind of thing (software in a company's product that is purposely designed to do something illegal) isn't really within the purview of most cybersecurity programs. But the fact that this incident will cost VW in the range of $25B (billion) has obviously made it of high interest to CEOs and Boards. CISOs can tap in by drawing the analogy that software product vulnerabilities which are known in advance of shipping yet go unfixed are a very similar form of corporate malfeasance.
[Williams] This is a great reminder that just because the boss tells you to do it, it doesn't make it legal. In infosec, this most commonly manifests in penetration tests performed out of scope (or completely without authorization) and monitoring of employees that exceeds that allowed by law.
[Neely] Mr. Liang caved to pressure from his employer to make the vehicles pass the emissions tests. Since this is going badly for VW, he, and likely others, are also taking the fall. A bit outside our normal Cyber Security wheelhouse, this is a reminder that ethics matter, regardless of pressure from your employer to the contrary.

Read more in:
Ars Technica: VW engineer sentenced to 40 months in prison for role in emissions cheating
https://arstechnica.com/cars/2017/08/vw-engineer-sentenced-to-40-months-in-prison-for-role-in-emissions-cheating/
Reuters: VW engineer sentenced to 40-month prison term in diesel case
http://www.reuters.com/article/us-volkswagen-emissions-sentencing-idUSKCN1B51YP
Ars Technica: Plea Agreement
https://cdn.arstechnica.net/wp-content/uploads/2016/09/show_temp.pl-4.pdf

IoT Device Credentials Leaked (August 25 & 26, 2017)

Someone posted a list of Telnet credentials to Pastebin in June. The information could be used to compromise home routers and IoT devices and use them as part of a botnet. The list includes IP addresses, device usernames, and passwords. In many cases, the passwords are default passwords. Researchers are attempting to notify the owners of the affected devices.

[Editor Comments]
[Neely] The good news is the number of still-open telnet servers has been dropping since the list was published. The bad news is these devices were installed with telnet servers that were open to the Internet. While default passwords need to be changed wherever possible, cases of embedded credentials in IoT devices continue to surface, reinforcing the need to disable insecure protocols. Better still, have a controlled interface such as a bastion host to limit access and log access, or attempted access, to these services. On the other hand, if you're building a credentials dictionary for IoT devices, make sure to include these.

Read more in:
Threatpost: Race is On to Notify Owners After Public List of IoT Device Credentials Published
https://threatpost.com/race-is-on-to-notify-owners-after-public-list-of-iot-device-credentials-published/127661/
Bleeping Computer: Someone Published a List of Telnet Credentials for Thousands of IoT Devices
https://www.bleepingcomputer.com/news/security/someone-published-a-list-of-telnet-credentials-for-thousands-of-iot-devices/
Ars Technica: Leak of >1,700 valid passwords could make the IoT mess much worse
https://arstechnica.com/information-technology/2017/08/leak-of-1700-valid-passwords-could-make-the-iot-mess-much-worse/

Five People Detained in Turkey Over Qatar News Agency Hacking (August 26, 2017)

Authorities in Turkey have detained five people believed to be involved with the May 2017 hacking of the Qatar news agency. The incident has caused problems between Qatar and some of its neighboring countries.

Read more in:
Reuters: Qatar says five suspects in news agency hacking detained in Turkey
http://www.reuters.com/article/us-gulf-qatar-cyber-idUSKCN1B608L

Eight National Infrastructure Advisory Council Members Resign (August 24, 2017)

More than a quarter of the 28 members of the US National Infrastructure Advisory Council (NIAC) have resigned. A resignation letter obtained by Nextgov reads, "My experience to date has not demonstrated that the Administration is adequately attentive to the pressing national security matters within the NIAC's purview, or responsive to sound advice received from experts and advisors on these matters." Specifically, the letter cites the current president's "fail[ure] to denounce the intolerance and violence of hate groups [and] insufficient attention to the growing threats to the critical systems on which all Americans depend," as well as the decision to withdraw from the Paris Agreement.

Read more in:
Nextgov: Trump's Lack of 'Moral Infrastructure' Causes Cyber Advisers to Resign
http://www.nextgov.com/cybersecurity/2017/08/trumps-lack-moral-infrastructure-causes-cyber-advisers-resign/140512/
Nextgov: Resignation Letter
http://www.nextgov.com/media/gbc/docs/pdfs_edit/082417jm1.pdf

Google Accidentally Shuts Down Internet in Japan (August 26, 27, & 28, 2017)

A Border Gateway Protocol (BGP) configuration error by Google left major Japanese Internet providers temporarily without a connection on Friday, August 25. Google fixed the problem within minutes, but outages for customers persisted for several hours. The outage prompted an investigation from Japan's Internal Affairs and Communications Ministry.

[Editor Comments]
[Williams] While this was an accident rather than an attack, it's a great incentive to educate yourself on BGP security. BGP was not designed with security in mind and basically trusts that BGP peers are not operating maliciously. This does not appear to be the case, and we've seen a number of suspicious BGP routes injected in recent years that routed large swaths of traffic through China and Russia (https://arstechnica.com/information-technology/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/). For some additional information, follow the Twitter account @bgpstream. This account tweets about BGP outages and route hijacks in real time.

Read more in:
Bleeping Computer: Google Error Causes Widespread Internet Outage in Japan
https://www.bleepingcomputer.com/news/technology/google-error-causes-widespread-internet-outage-in-japan/
Softpedia: Google Shuts Down the Internet in Japan... by Mistake
http://news.softpedia.com/news/google-shuts-down-the-internet-in-japan-by-mistake-517525.shtml
The Register: Google routing blunder sent Japan's Internet dark on Friday
https://www.theregister.co.uk/2017/08/27/google_routing_blunder_sent_japans_internet_dark/
BGPMon: BGP leak causing Internet outages in Japan and beyond.
https://bgpmon.net/bgp-leak-causing-internet-outages-in-japan-and-beyond/

Clarification: Windows Upgrades in Germany (August 25, 2017)

In last Friday's NewsBites (Volume 19, Number 067), we reported that Microsoft has agreed to stop forcibly downloading operating system upgrades onto computers in Germany. We would like to clarify that the agreement applies to new versions of the operating system, not to fixes to the current version.

Read more in:
Bleeping Computer: Germany: Microsoft Agrees to Stop Forcibly Downloading Windows Upgrades
https://www.bleepingcomputer.com/news/microsoft/germany-microsoft-agrees-to-stop-forcibly-downloading-windows-upgrades/

INTERNET STORM CENTER TECH CORNER

Analyzing 7zip Malware

https://isc.sans.edu/forums/diary/Malware+analysis+searching+for+dots/22758/

Worldwide DNS Manipulation Survey

https://people.eecs.berkeley.edu/~pearce/papers/dns_usenix_2017.pdf

Sophos Withdraws UTM Update

https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-503-released

Crypto Currency Malware

https://resources.netskope.com/h/i/361264722-coin-mining-malware-heads-to-the-cloud-with-zminer

Survey of Recent DVR Attacks

https://isc.sans.edu/forums/diary/An+Update+On+DVR+Malware+A+DVR+Torture+Chamber/22762/

Disabling Intel ME

http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

Wire-X Take Down

https://blogs.akamai.com/2017/08/the-wirex-botnet-an-example-of-cross-organizational-cooperation.html


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create