
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume XIX - Issue #73

September 15, 2017


Equifax CEO Invited to Testify Before Congress
Some US States Are Going Back to Paper Ballots
DHS Bans Use of Kaspersky Products on Federal Systems


Malware-Harboring Apps Pulled from GooglePlay Store
Senator Seeks Answers from Telecoms on SS7 Security Solutions
Apache Struts Vulnerability Exploited in Equifax Breach
Lawsuit Targets Warrantless Device Searches at US Border
Adobe Security Updates
WordPress Plugin Installs Backdoor
Microsoft Patch Tuesday
BlueBorne Bluetooth Attack
Flaws in D-Link Routers Exposed Before Fixes Are Available


--Equifax CEO Invited to Testify Before Congress (September 13, 2017)

The US House Energy and Commerce Committee has formally invited Equifax Chairman and CEO Richard F. Smith to testify before Congress on October 3. Other congressional committees are also planning hearings on the Equifax breach.

[Editor Comments]
[Pescatore] We can now tick off 3 of the four predictable "Post Mega-Breach Cha Cha" dance steps; only some C-level firings are left. The final stage is usually just a lot of clicking of the "Like" button - "slacktivism" and no movement forward. Use the publicity tailwind to gain C-level support to make changes.
[Murray] One hopes that this will not be merely one more public shaming of a hapless executive. This industry is the, perhaps unintended, creature of the Fair Credit Reporting Act. It deals in hearsay, not to say slander, which it is manifestly unable to control or protect. It represents an unacceptable risk to the identity, reputation, and privacy of American consumers. The Law desperately needs reform and that reform should be the focus of congressional hearings.
[Northcutt] One of the topics needs to be the problems citizens are running into trying to freeze their own credit reports. It is what most security experts recommend, but the credit brokers are overwhelmed. Don't give up, keep trying, keep notes and let your elected officials know if you ran into problems:
[Guest Editor: Lance Spitzner] Here is information you can use to build an email template to inform your organization's workforce about the incident:

Read more in:
Cyberscoop: Equifax CEO called to testify before Congress about breach
The Hill: Equifax CEO formally called to testify before Congress

--Some US States Are Going Back to Paper Ballots (September 11 & 13, 2017)

In the wake of rising concerns about the security of electronic voting systems, several US states are returning to the use of paper ballots for their elections. Virginia and Iowa have established post-election audit requirements that compare electronic vote totals with paper ballots. Just five states - Delaware, Georgia, Louisiana, New Jersey, and North Carolina - use exclusively electronic voting systems. Georgia will pilot a paper-ballot system in elections this fall.

[Editor Comments]
[Neely] Falling back to paper removes the electronic voting machine vulnerabilities, allows states to return to a system where they know how to mitigate the vulnerabilities and allows the electronic systems to mature. This also restores the paper record of each ballot cast, while leveraging electronic readers to count those votes. The challenge will be agreement on the re-entry condition for a secure paperless voting system.

Read more in:
GovTech: Some States Return to Paper Ballots Following 2016 Election Hacks
Governing: Paper Ballots May Make a Comeback in Georgia

--DHS Bans Use of Kaspersky Products on Federal Systems (September 13, 2017)

The US Department of Homeland Security (DHS) has issued a binding operational directive (BOD) requiring all federal agencies to cease the use of Kaspersky Lab products and services. The agencies have 30 days to identify which products are in use and then 60 days beyond that to create plans to remove them. After 90 days, agencies will need to begin the process of removing the products and services.

[Editor Comments]
[Pescatore] The risk cited by DHS isn't in Kaspersky's products, it is in "the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks." Many US and Israeli security product and services companies have those same ties to, and abide by laws dictating cooperation with, their own national intelligence agencies. Bottom line: for enterprises and non-Federal Executive Branch departments and agencies not under this directive, there is no current reason for out-of-cycle replacement of Kaspersky products.

Read more in:
DHS: DHS Statement on the Issuance of Binding Operational Directive 17-01
ZDNet: Homeland Security bans Kaspersky Lab software across US government
Ars Technica: Kaspersky software banned from US government agencies
CNET: US bans Kaspersky software from government agencies
eWeek: DHS Bans Federal Agencies From Using Kaspersky Security Products
FNR: DHS gives agencies 90 days to remove Kaspersky Lab IT from networks
FCW: DHS bans Kaspersky from federal systems
Cyberscoop: Eugene Kaspersky speaks out, defends company over espionage allegations
Nextgov: Trump Administration Orders Russian Anti-Virus Off All Government Systems
Fifth Domain: DHS gives agencies 90 days to purge all Kaspersky products
Bleeping Computer: US Officially Bans Kaspersky Products From Government Systems


--Malware-Harboring Apps Pulled from GooglePlay Store (September 14, 2017)

Google has removed 50 apps from the GooglePlay Store because they contained malware that sends premium SMS messages without user consent and registers users for paid services. The free apps, which masqueraded as wallpaper, camera, and video editing apps, have been downloaded between 1 and 4.2 million times.

[Editor Comments]
[Pescatore] As far back as 2011, Google put out technical papers on detecting malware that was using packing/encrypting to evade detection. They were granted a patent for one technique just last year. Google has been quick to upgrade the protections in the Google Play app store process but looks like they've had a blind spot here for quite some time.
[Neely] The malware embedded in these applications is using advanced obfuscation techniques that make it much harder to detect. The tradeoffs made between application validation and timely release of new and updated apps in the Google Play Store allow for a certain amount of maleficence to slip through. If you're running the latest Android OS, Google Play Protect will remove applications like this when identified. Older device owners have to rely on adding anti-malware applications to their devices. If your device isn't already running Android 7.1 or 8, or prompting you to apply the update to those versions, it's time to replace it. Chris Crowley and Joshua Wright have put together a scorecard and processes which can be used to evaluate mobile applications.

Read more in:
Threatpost: Premium SMS Malware 'ExpensiveWall' Infects Millions of Android Devices
CNET: Google purges malicious Android apps with millions of downloads
Ars Technica: Malicious apps with >1 million downloads slip past Google defenses twice

--Senator Seeks Answers from Telecoms on SS7 Security Solutions (September 14, 2017)

Senator Ron Wyden (D-Oregon) has written to CEOs of major telecommunications companies, asking them what they are doing to protect their systems from vulnerabilities presented by the Signaling System 7 (SS7) protocols. SS7 allows mobile networks to communicate with each other. Wyden asked the companies to answer a number of questions, including whether they are having SS7-focused penetration tests conducted and whether they have installed an SS7 firewall. Wyden has requested responses by October 13.

Read more in:
Daily Beast: Senator Demands Answers From Telecom Giants on Phone Spying

--Apache Struts Vulnerability Exploited in Equifax Breach (September 13 & 14, 2017)

Equifax has acknowledged that the massive breach that exposed personal information of as many as 143 million people was due to a failure to apply a patch for a vulnerability in Apache Struts. A patch for the flaw was released on March 6, 2017. The Equifax breach occurred in "mid-May" 2017.

[Editor Comments]
[Pescatore] This breach and WannaCry were just the most recent examples that "Security Hygiene Matters!" Back in 2002, Microsoft shut down the Windows division for a "security push" and put the keyboards down to focus on security of existing code before doing anything related to new features or new releases. It really is time for CIOs, CISOs and IT operations to be forced to do the same for configuration and vulnerability management Critical Security Controls processes.
[Neely] There are situations in which the possible business impact of applying a patch versus the risk of exploit has come down in favor of minimizing impact to the business. As a result of this disclosure, regulators are now making queries to ensure that CVE-2017-5638 and CVE-2017-9805 are patched, which puts efforts on reporting and tracking a specific potential weakness. Rather than second guessing what happened to Equifax, or debating exactly which threat vector was successfully exploited, this is a time to revisit your patching and vulnerability scanning processes to make sure that you're not missing patches, mitigations or supporting processes.

Read more in:
The Register: Missed patch caused Equifax data breach
Ars Technica: Failure to patch two-month-old bug led to massive Equifax breach
BleepingComputer: Equifax Confirms Hackers Used Apache Struts Vulnerability to Breach Its Servers
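The Struts item above comes down to knowing which of your deployments still carry an unpatched library. The script below is an added illustration, not code from SANS, Equifax or the Apache Struts project: it inventories Struts core jars from a list of file paths (a constructed sample is embedded), parses the version out of the jar name, and reports each one as fixed, vulnerable, or on an unknown branch relative to a per-branch "first fixed release" table. The branch/version thresholds in `ASSUMED_FIXED_RELEASES` are placeholders chosen for the example; verify them against the Apache Struts security bulletin for the CVE you are tracking before relying on the output.

```python
"""Inventory Apache Struts core jars and compare them against a fixed-release baseline.

Added example (not from the newsletter or the Struts project). The baseline table is an
assumption for illustration; take the real thresholds from the vendor advisory.
"""
import re
from typing import Dict, List, Optional, Tuple

# Maven-style jar names, e.g. struts2-core-2.3.31.jar or struts-core-1.3.10.jar.
JAR_RE = re.compile(r"^struts2?-core-(\d+(?:\.\d+)+)\.jar$")

# ASSUMED baseline: major.minor branch -> first release considered fixed.
# Placeholder values for the example; confirm against the Apache Struts advisory.
ASSUMED_FIXED_RELEASES: Dict[Tuple[int, int], str] = {
    (2, 3): "2.3.32",
    (2, 5): "2.5.10.1",
}

# Constructed sample inventory (no real host data).
SAMPLE_PATHS: List[str] = [
    "/opt/tomcat/webapps/portal/WEB-INF/lib/struts2-core-2.3.31.jar",
    "/opt/tomcat/webapps/api/WEB-INF/lib/struts2-core-2.5.12.jar",
    "C:\\apps\\legacy\\WEB-INF\\lib\\struts2-core-2.5.10.jar",
    "/srv/old/WEB-INF/lib/struts-core-1.3.10.jar",
    "/opt/tomcat/webapps/portal/WEB-INF/lib/commons-io-2.4.jar",
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Split '2.5.10.1' into (2, 5, 10, 1) so tuples compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def struts_version_from_path(path: str) -> Optional[str]:
    """Return the Struts version encoded in the jar file name, or None for other jars."""
    filename = path.replace("\\", "/").rsplit("/", 1)[-1]
    match = JAR_RE.match(filename)
    return match.group(1) if match else None


def status(version: str, fixed_releases: Dict[Tuple[int, int], str]) -> str:
    """Classify a version as 'fixed', 'vulnerable' or 'unknown-branch'.

    A version counts as fixed only when its own major.minor branch has a listed
    fixed release and the version is at or above it. A 3-part version such as
    2.5.10 compares below the 4-part 2.5.10.1, which is the intended result.
    """
    parsed = parse_version(version)
    baseline = fixed_releases.get(parsed[:2])
    if baseline is None:
        return "unknown-branch"
    return "fixed" if parsed >= parse_version(baseline) else "vulnerable"


def audit(paths: List[str], fixed_releases: Dict[Tuple[int, int], str]) -> List[dict]:
    """Inventory every Struts core jar in `paths` with its version and status."""
    findings = []
    for path in paths:
        version = struts_version_from_path(path)
        if version is None:
            continue  # not a Struts core jar
        findings.append({"path": path, "version": version,
                         "status": status(version, fixed_releases)})
    return findings


def count_by_status(findings: List[dict]) -> Dict[str, int]:
    """Summarise findings so the vulnerable count can feed a tracking dashboard."""
    counts: Dict[str, int] = {}
    for finding in findings:
        counts[finding["status"]] = counts.get(finding["status"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_PATHS, ASSUMED_FIXED_RELEASES)
    for finding in results:
        print(f"{finding['status']:<15} {finding['version']:<10} {finding['path']}")
    print(count_by_status(results))
```

In practice the path list would come from a file-system walk or a software inventory export rather than the embedded sample, and "unknown-branch" entries (here the Struts 1 jar) deserve a manual look rather than being dropped: they are exactly the forgotten deployments a patch cycle tends to miss.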

--Lawsuit Targets Warrantless Device Searches at US Border (September 13, 2017)

The American Civil Liberties Union (ACLU), ACLU of Massachusetts, and the Electronic Frontier Foundation (EFF) have filed a lawsuit against the US Department of Homeland Security (DHS) on behalf of 11 plaintiffs over warrantless searches of their digital devices at the US border. The plaintiffs, 10 US citizens and one lawful permanent resident, had their laptops and cell phones searched when they re-entered the US from traveling abroad. In some cases, the devices were retained for extended periods of time; one, confiscated in January 2017, has yet to be returned. None of the plaintiffs has been charged with wrongdoing.

Read more in:
SC Magazine: ACLU, EFF sue DHS over electronic device searches at border
CNET: Homeland Security hit with lawsuit over phone, laptop searches
EFF: Complaint for Injunctive and Declaratory Relief

--Adobe Security Updates (September 13, 2017)

Adobe has released updates to address security issues in Flash Player, ColdFusion, and RoboHelp for Windows. The Flash updates, available for Windows, Mac, Linux, and Chrome OS, address two critical memory corruption flaws. The ColdFusion update includes fixes for four flaws, and the RoboHelp update fixes two flaws.

Read more in:
Threatpost: Adobe Fixes Eight Vulnerabilities in Flash, Robohelp, Coldfusion
KrebsOnSecurity: Adobe, Microsoft Plug Critical Security Holes
Adobe: Security updates available for Flash Player | APSB17-28
Adobe: Security updates available for ColdFusion | APSB17-30
Adobe: Security update available for RoboHelp | APSB17-25

--WordPress Plugin Installs Backdoor (September 13 & 14, 2017)

A WordPress plugin that has been downloaded more than 200,000 times has been found to install backdoors on websites. The malicious code has been found in DisplayWidgets plugin versions 2.6.1 through 2.6.3. The plugin has been removed from the WordPress plugin repository. DisplayWidgets has previously been removed three times for similar infractions.

Read more in:
Bleeping Computer: Backdoor Found in WordPress Plugin With More Than 200,000 Installations
SC Magazine: Malicious WordPress plugin installed backdoor on 200,000 websites

--Microsoft Patch Tuesday (September 12 & 13, 2017)

On Tuesday, September 12, Microsoft released fixes for more than 80 security issues in multiple products, including Windows, Office, Microsoft .NET Framework, Flash, Internet Explorer, and Edge.

Read more in:
ZDNet: Microsoft patches Office zero-day used to spread FinSpy surveillance malware
Ars Technica: Windows 0-day is exploited to install creepy Finspy malware (again)
Computerworld: Bloated Patch Tuesday brings fix for nasty Word/RTF/Net vulnerability
Softpedia: Microsoft Releases Security Updates to Fix 38 Windows Vulnerabilities
Threatpost: Microsoft Patches .Net Zero Day Vulnerability in September Update
Microsoft: Security TechCenter: Security Update Summary

--BlueBorne Bluetooth Attack (September 12 & 13, 2017)

A group of eight exploits, collectively dubbed BlueBorne, could be used to access devices that use Bluetooth. Attackers can use BlueBorne to access a device and control its screen and applications. Apple devices running iOS 10 and newer are not vulnerable to BlueBorne. Microsoft patched the flaws in Windows in July, and Google released a patch last month.

Read more in:
Wired: Hey, Turn Bluetooth Off When You're Not Using It
TechCrunch: New Bluetooth vulnerability can hack a phone in 10 seconds
Ars Technica: Billions of devices imperiled by new clickless Bluetooth attack
Cyberscoop: BlueBorne: The latest Bluetooth vulnerability that impacts billions of devices
Threatpost: Wireless 'BlueBorne' Attacks Target Billions of Bluetooth Devices

--Flaws in D-Link Routers Exposed Before Fixes Are Available (September 12 & 13, 2017)

A dozen vulnerabilities in D-Link routers have been disclosed before the company has had time to develop and release patches. Ten of the flaws were disclosed without any prior notification to D-Link. The other two flaws were reported to the company, which has yet to issue patches for them.

Read more in:
Bleeping Computer: Second Researcher Drops Router Exploit Code After D-Link Mishandles Bug Reports
The Register: D-Link router riddled with 0-day flaws


Microsoft Patch Tuesday

BlueBorne Bluetooth Vulnerability

No IPv6? Challenge Accepted

Exploiting CVE-2017-8759

Wordpress Plugin Found with Backdoor

Another Webshell; Another Backdoor

D-Link Vulnerability

Chrome To Label FTP As Insecure

More Google Play Store Malware

Elasticsearch Botnet
