Save $400 on 4-6 day Courses at SANS Cyber Defense Initiative 2017. Ends Tomorrow!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #75

September 22, 2017

TOP OF THE NEWS


FedEx: $300 Million USD Loss from NotPetya
Equifax Tweets Pointed Consumers to Fake Support Site
SEC Acknowledges 2016 Breach of EDGAR Filing System

THE REST OF THE WEEK'S NEWS


Intruders Breached Equifax Systems in March
Jack Cable Interview
CCleaner Used to Target Technology Companies' Systems
APT33 Stealing Data from Energy and Aerospace Firms
Guilty Plea in Microsoft Piracy Case
Manchester (England) Police Running Windows XP on 1,500 Machines
WordPress Updated to Version 4.8.2
Harvard Business Review To CEOs: Better Training is the Best Cyber Security Investment

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By VMRay *******************************

On October 3rd go behind enemy lines with VMRay Co-Founder Carsten Willems and Forrester Principal Analyst Jeff Pollard as they expose the techniques (TTPs) used by threat actors to design evasive malware. Register Today: http://www.sans.org/info/198440

***************************************************************************

TRAINING UPDATE

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS Pen Test HackFest Summit & Training | Bethesda, MD | November 13-20 https://www.sans.org/event/pen-test-hackfest-2017

-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017

-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017

-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS OnDemand and vLive Training | Get an iPad Mini 4, a Galaxy Tab A, or Take $250 Off with Online Training - Register by 9/27! The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

--FedEx: $300 Million USD Loss from NotPetya (September 20 & 21, 2017)

FedEx points a finger at the NotPetya malware attack earlier this year as an explanation for an estimated 300 million USD loss in FY2018 Q1 earnings. NotPetya infected systems at FedEx Dutch subsidiary, TNT Express. Reuters reports that FedEx did not have cyber security insurance to offset the costs of the attack.

[Editor Comments]
[Honan] Interesting enough Maersk touted similar losses
https://www.cnbc.com/2017/08/16/maersk-says-notpetya-cyberattack-could-cost-300-million.html
[Assante] NotPetya was designed to quickly achieve scale and cause irrevocable damage. The cyber weapon was delivered in a way that specific targets were impacted in the initial execution, but became non-targeted as it was delivered to a broad set of organizations. This may have been the costliest collateral damage cyber incident, destroying value in companies without well designed recovery capabilities. NotPetya is a final wake-up call signaling destructive attacks will happen, sometimes with the simple nexus of where you do business and by possessing similar technology as the intended target.
[Pescatore] When numbers like this come out, they are great data for convincing your management that, almost invariably, fixing known security problems (even if it causes business disruption) is almost invariably cheaper than enduring an incident. FedEx acquired TNT Express in 2016 fort $4.4B, and the estimates for TNT's 2016 profit were about $150M. So, NotPetya essentially cost FedEx *two years* of TNT's profit. Even if mitigating the Windows SMB vulnerability back in March would have required TNT to shut down all revenue operations for an entire day, the impact would have been about $7M in revenue or in the range of $350K in profit, or about .1% of what enduring NotPetya has cost, so far.

Read more in:
ZDNet: NotPetya cyber attack on TNT Express cost FedEx $300m
http://www.zdnet.com/article/notpetya-cyber-attack-on-tnt-express-cost-fedex-300m/
CyberScoop: FedEx attributes $300 million loss to NotPetya ransomware attack
https://www.cyberscoop.com/fedex-attributes-300-million-loss-notpetya-attack/?category_news=technology
Reuters: Cyber attack, hurricane weigh on FedEx quarterly profit
https://www.reuters.com/article/us-fedex-results/cyber-attack-hurricane-weigh-on-fedex-quarterly-profit-idUSKCN1BU2RG

--Equifax Tweets Pointed Consumers to Fake Support Site (September 20 & 21, 2017))

A number of Tweets from Equifax's Twitter account pointed consumers to a phony site rather than the site that provides information about the breach. The tweets have been taken down. The site was quite clearly a parody. The site's creator said he established the site to demonstrate how easy it is for phishers to impersonate legitimate websites. Chrome, Firefox, and Safari have all blacklisted the site and its creator has taken it down.

[Editor Comments]
[Northcutt] There are two important lessons here. First, Equifax is not the only company entrusting their brand, (via social media), to employees very far down the food chain or in some cases, it is outsourced. Take a minute to see who has the twitter etc. password in your organization. Second is the unexpected vectors for problems with things like data leaks. I found this article by Consumer Reports eye-opening if not a bit depressing: https://www.consumerreports.org/equifax/a-freeze-wont-help-with-all-equifax-breach-threats/?SANS
[Honan] As an industry maybe it's time we use the Equifax breach to stop looking at the victim's gaps that allegedly allowed the attack to happen and instead to also focus on the potential gaps or shortfalls played by the security vendors and products used by the victim. If security breaches were analysed the same way as plane crashes we would not just focus on the pilot but all the components to ensure lessons are learnt and improvements are made to prevent a reoccurrence.

Read more in:
BBC: Fake website fools Equifax staff
http://www.bbc.com/news/technology-41347467
Ars Technica: Equifax sends breach victims to fake notification site
https://arstechnica.com/information-technology/2017/09/equifax-directs-breach-victims-to-fake-notification-site/
CNET: Equifax sends breach victims to fake support site
https://www.cnet.com/news/equifax-twitter-fake-support-site-breach-victims/
NYT: Someone Made a Fake Equifax Site. Then Equifax Linked to It.
https://www.nytimes.com/2017/09/20/business/equifax-fake-website.html

--SEC Acknowledges 2016 Breach of EDGAR Filing System (September 20 & 21, 2017)

The US Securities and Exchange Commission (SEC) has admitted that its EDGAR public-company filing system was breached in 2016. The Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system "receives and processes over 1.7 million electronic filings per year," according to the SEC. The SEC now says it believes that information obtained from the 2016 breach was used to conduct insider trading. Reuters reports that the US Department of Homeland Security (DHS) found five critical security issues in SEC systems in January 2017. It is not known if these flaws were exploited in the 2016 breach.

Read more in:
SEC: Statement on Cybersecurity
https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20
Reuters: Exclusive: U.S. Homeland Security found SEC had 'critical' cyber weaknesses in January
http://www.reuters.com/article/us-sec-cyber-weaknesses-exclusive/exclusive-u-s-homeland-security-found-sec-had-critical-cyber-weaknesses-in-january-idUSKCN1BW27P
CyberScoop: SEC reveals 2016 breach that may have led to insider trading
https://www.cyberscoop.com/sec-data-breach-insider-trading/?category_news=technology
FNR: SEC reveals 2016 hack that breached its filing system
https://federalnewsradio.com/cybersecurity/2017/09/sec-reveals-2016-hack-that-breached-its-filing-system/
ZDNet: SEC admits data breach, suggests illicit trading was key
http://www.zdnet.com/article/sec-admits-data-breach-suggests-insider-trading-was-the-key/
CNET: After breach, SEC says hackers used stolen data to buy stocks
https://www.cnet.com/news/after-breach-sec-says-hackers-used-stolen-data-to-buy-stocks/
The Hill: SEC says hackers may have profited from stolen insider information
http://thehill.com/policy/cybersecurity/351681-hackers-breached-top-us-markets-regulator
NYT: S.E.C. Says It Was a Victim of Computer Hacking Last Year
https://www.nytimes.com/2017/09/20/business/sec-hacking-attack.html

*************************** SPONSORED LINKS ********************************

1) Don't Miss: "The True Cost of Ransomware: 5 Companies, 5 Attacks, and the Reality of Recovery" Register: http://www.sans.org/info/198445

2) "Your Security Sandbox Won't Catch It All - The Phishing Problem" Register: http://www.sans.org/info/198450

3) What does your organization consider to be threat intelligence, and how do you use it? Take the SANS CTI survey and enter to win a $400 Amazon gift card or free pass to the SANS CTI Summit: http://www.sans.org/info/198455

******************************************************************************

THE REST OF THE WEEK'S NEWS

--Intruders Breached Equifax Systems in March (September 18, 19, & 20, 2017)

Equifax has acknowledged that its systems were breached in March, 2017, but maintains that the incident is unrelated to the massive breach that exposed information belonging to 143 million people. While some media outlets feel that the timelines of the two breaches pose questions about their connection, Brian Krebs, who reported the March breach on KrebsOnSecurity in May, writes that he has "thus far seen zero evidence that these two [breaches] are related." The March breach involved Equifax's TALX division and was perpetrated by hackers committing tax refund fraud.

Read more in:
Ars Technica: Massive Equifax hack reportedly started 4 months before it was detected
https://arstechnica.com/information-technology/2017/09/massive-equifax-hack-reportedly-started-4-months-before-it-was-detected/
Reuters: Equifax says attacker 'interacted' with server on March 10
http://www.reuters.com/article/us-equifax-cyber/equifax-says-attacker-interacted-with-server-on-march-10-idUSKCN1BW05X
KrebsOnSecurity: Equifax Breach: Setting the Record Straight
https://krebsonsecurity.com/2017/09/equifax-breach-setting-the-record-straight/
KrebsOnSecurity: Fraudsters Exploited Lax Security at Equifax's TALX Payroll Division (May 18, 2017)
https://krebsonsecurity.com/2017/05/fraudsters-exploited-lax-security-at-equifaxs-talx-payroll-division/

--Jack Cable Interview (September 21, 2017)

The Illinois teen who found more than 30 vulnerabilities in the Hack the Air Force bug bounty competition earlier this year talks with Nextgov. Seventeen-year-old Jack Cable talks about how he became interested in bug hunting and how he envisions his future after college.

[Editor Comments]
[Pescatore] Since managed bug bounty vendors like HackerOne, Bugcrowd and others do a decent job of vetting the participants, *and* they publicly list their rankings, looks like those ranking sites will be good starting points for recruiting! Though, many near the top of the list may not be old enough to drive...

Read more in:
Nextgov: Meet the 17-Year-Old Who Hacked the U.S. Air Force
http://www.nextgov.com/cybersecurity/2017/09/meet-17-year-old-who-hacked-us-air-force/141187/?oref=ng-channeltopstory

--CCleaner Used to Target Technology Companies' Systems (September 20 & 21, 2017)

While the malware that piggybacked on the CCleaner utility managed to infect at least 2 million computers, the backdoor was used to access systems at a small number of companies targeted for data exfiltration. The attackers were interested in gaining access to systems at large technology and telecommunications companies in the UK, the US, Japan, Germany, and Taiwan. Some researchers posit that the CCleaner malware infection was the work of an advanced persistent threat (APT) malware group with ties to China, but there is no conclusive evidence.

Read more in:
Motherboard: Researchers Link CCleaner Hack to Cyberespionage Group
https://motherboard.vice.com/en_us/article/7xkxba/researchers-link-ccleaner-hack-to-cyberespionage-group
CyberScoop: CCleaner attack was focused on stealing data from top level tech firms
https://www.cyberscoop.com/ccleaner-avast-china-apt/
Wired: The CCleaner Malware Fiasco Targeted at Least 20 Specific Tech Firms
https://www.wired.com/story/ccleaner-malware-targeted-tech-firms/
The Register: CCleaner targeted top tech companies in attempt to lift IP
http://www.theregister.co.uk/2017/09/21/ccleaner_secondary_payload_targeted_top_tech_companies/
ZDNet: CCleaner malware operators targeted tech firms including Cisco, Microsoft, Samsung
http://www.zdnet.com/article/ccleaner-malware-operators-targeted-cisco-microsoft-samsung-and-more/

--APT33 Stealing Data from Energy and Aerospace Firms (September 20, 2017)

A hacking group known as APT33, which has ties to Iran, has been infiltrating computer systems at aerospace, petro-chemical, and energy companies in the US, Saudi Arabia, and South Korea. APT33 is reportedly using spear phishing to help infect targeted systems.

[Editor Comments]
[Murray] As long as these attacks continue to be efficient, they will continue. We must raise the cost of attack. A ten percent loss of convenience, can yield a ninety percent increase in the cost of attack to our determined adversary. All the tools in the world will not fix our security unless we use them to implement effective policies.

Read more in:
Threatpost: Iranian Apt33 Targets US Firms with Destructive Malware
https://threatpost.com/iranian-apt33-targets-us-firms-with-destructive-malware/128074/
Wired: New Group of Iranian Hackers Linked to Destructive Malware
https://www.wired.com/story/iran-hackers-apt33/
Dark Reading: Iranian Cyberspy Group Targets Aerospace, Energy Firms
https://www.darkreading.com/attacks-breaches/iranian-cyberspy-group-targets-aerospace-energy-firms/d/d-id/1329940?
The Hill: Iran-linked hackers targeting Saudi petrochemicals and aerospace dealings
http://thehill.com/business-a-lobbying/351532-iran-linked-hackers-targeting-saudi-petrochemicals-and-aerospace-dealings
CyberScoop: Newly uncovered Iranian hacking group targeted energy, aerospace firms to steal secrets
https://www.cyberscoop.com/apt33-iranian-hackers-fireeye/?category_news=technology
Reuters: Once 'kittens' in cyber spy world, Iran gains prowess: security experts
http://www.reuters.com/article/us-iran-cyber/once-kittens-in-cyber-spy-world-iran-gains-prowess-security-experts-idUSKCN1BV1VA

--Guilty Plea in Microsoft Piracy Case (September 20, 2017)

Orland Liu has pleaded guilty to conspiracy and trafficking in counterfeit labels for his role in a software piracy scheme that sold at least 100 million USD worth of counterfeit Microsoft software. Liu reportedly obtained product activation keys from a source in China and sold the phony products.

Read more in:
The Register: Orland-whoa! Chap cops to masterminding $100m Microsoft piracy racket
http://www.theregister.co.uk/2017/09/20/chap_busted_100m_software_piracy_racket/
DoJ: Chinese National Pleads Guilty to Software Piracy Scheme
https://www.justice.gov/usao-wdmo/pr/chinese-national-pleads-guilty-software-piracy-scheme
DoJ: Indictment (from June 2016) (PDF)
https://regmedia.co.uk/2017/09/20/liuindictment.pdf

--Manchester (England) Police Running Windows XP on 1,500 Machines (September 20, 2017)

According to information obtained by the BBC under a Freedom of Information Act request, police in Manchester, England are still running Windows XP on about 1,500, or just over 20 percent of their computers. Microsoft discontinued most support for the operating system more than three years ago, in April 2014. A spokesperson for the Greater Manchester Police department said that they are working eliminate their dependence on those machines, and that the XP machines are still being used "due to complex technical requirements from a small number of externally provided highly specialised applications."

[Editor Comments]
[Neely] Critical applications that require old operating systems is an unfortunate reality, and replacing them, versus waiting for updates, is always a tough decision. It is important to provide external protections for legacy systems in this case, as you cannot count on them withstanding attacks in today's environment.

Read more in:
BBC: Manchester police still relies on Windows XP
http://www.bbc.com/news/technology-41306321
The Register: Manchester plod still running 1,500 Windows XP machines
http://www.theregister.co.uk/2017/09/20/manchester_police_still_running_1500_xp_machines/
V3: Manchester Police are using Windows XP on one in five computers
https://www.v3.co.uk/v3-uk/news/3017741/manchester-police-are-using-windows-xp-on-one-in-five-computers

--WordPress Updated to Version 4.8.2 (September 20, 2017)

WordPress version 4.8.2 addresses nine security issues, including five that could be exploited through cross-site scripting attacks. WordPress released the update for its content management system on September 19.

[Editor Comments]
[Neely] Due to the potential consequence of loss when a vulnerability in your Content Management Systems (CMS) is exploited, CMSs such as Wordpress need to be automatically (continuously) updated. It is safer to have a backup that can be restored if an update fails than accepting the risk of compromise performing formal regression testing before rolling updates.

Read more in:
SC Magazine: WordPress patches nine security vulnerabilities
https://www.scmagazine.com/wordpress-patches-nine-security-vulnerabilities/article/689988/
WordPress: WordPress 4.8.2 Security and Maintenance Release
https://wordpress.org/news/2017/09/wordpress-4-8-2-security-and-maintenance-release/

--Harvard Business Review To CEOs: Better Training is the Best Cyber Security Investment (May 16, 2017)

The authors of this article in the Harvard Business review note that cybersecurity cannot be addressed by technology alone, because "technology exists for and is utilized by people." Rather than striving for absolute risk management, organizations instead need to assume that breaches will happen and to develop a "risk agility" stance, which involves ensuring that all employees know company policy for online behavior as well as how to spot anomalous activity. "Corporate leaders would be wise to understand that the future of cybersecurity lies not in a single-pronged approach or miracle tool but in solutions that recognize the importance of layering human readiness on top of technological defenses."

[Editor Comments]
[Pescatore] There is some hyperbole in this article. In my 13+ years at Gartner I never actually ran into a single CEO, CIO or CISO who thought the solution to security problems was one magic product or new technology. However, the major reason I left Gartner to join SANS was that I did see a pattern - the enterprises that avoided or minimized damage from most attacks almost invariably had the stronger security teams. They almost never were the ones that spent the most and they had the same access to technology and information. Their operational security processes were better, *much* better than average because their teams were *above average.*

Read more in:
HBR: The Best Cybersecurity Investment You Can Make Is Better Training
https://hbr.org/2017/05/the-best-cybersecurity-investment-you-can-make-is-better-training?referral=03759&cm_vc=rr_item_page.bottom

INTERNET STORM CENTER TECH CORNER

Mac-Robber Python Rewrite

https://isc.sans.edu/forums/diary/New+tool+macrobberpy/22844/

Apache Tomcat Patch

https://www.us-cert.gov/ncas/current-activity/2017/09/19/Apache-Releases-Security-Updates-Apache-Tomcat

Apple Updates For iOS, Xcode, tvOS, watchOS and Safari

https://support.apple.com/en-us/HT201222

Newest Locky Update: RAR Attachments and "Invoice" E-Mails

https://isc.sans.edu/forums/diary/Ongoing+Ykcol+Locky+campaign/22848/

Viacom S3 Bucket Leak

https://www.upguard.com/breaches/cloud-leak-viacom

iOS 11 Outlook.com Bug

https://support.apple.com/en-us/HT208136

More (Likely Fake) DDoS Extortion Attempts

https://isc.sans.edu/forums/diary/Emails+threatening+DDoS+allegedly+from+Phantom+Squad/22856/

CVE-2017-8759 Used in Cyber Crime Attacks

https://isc.sans.edu/forums/diary/Email+attachment+using+CVE20178759+exploit+targets+Argentina/22850/

CCleaner Command and Control Server

http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html?m=1

Vulnerability in Intel Management Engine Can Lead to Execution of Unsigned Code

https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create