Get an 12.9" iPad Pro, Surface Pro or $400 Off Online Training - Only 2 Days Left!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #81

October 13, 2017

TOP OF THE NEWS


SEC Malware Campaign: Spoofing That Could Have Been Avoided
Israel Says It Detected Russian Hackers Using Kaspersky AV to Spy
IRS Temporarily Suspends Equifax Contract
Equifax Website Serving Adware

THE REST OF THE WEEK'S NEWS


Hyatt Breach
GAO to Investigate Alleged DDoS Attack on FCC System
Kirstjen Nielsen Nominated DHS Secretary
Microsoft Patch Tuesday
BPC Banking Software Has QL Injection Vulnerability
AUSA Panel: "A New Kind of Force for a New Fighting Domain: Cyber Talent Management"
Judge Restricts Warrant in Anti-Trump Protest Site Case
FireEye: North Korea Targeted US Electric Firms in Spear Phishing Campaign

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By DomainTools *******************************

In case you missed it: "Clustering, Sourcing, and Correlating All Things Indicators" Join Rebekah Brown and DomainTools Sr. Researcher Kyle Wilhoit as they walk through all things indicators! http://www.sans.org/info/198785

***************************************************************************

TRAINING UPDATE

-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS Pen Test HackFest Summit & Training | Bethesda, MD | November 13-20 | https://www.sans.org/event/pen-test-hackfest-2017

-- SANS Sydney 2017 | November 13-25 | https://www.sans.org/event/sydney-2017

-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017

-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017

-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | https://www.sans.org/event/siem-tactical-analytics-summit-2017

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS OnDemand and vLive Training | SANS Online Training - Get an iPad, a Samsung Galaxy Tab A or take $250 Off with OnDemand or vLive training through October 11. The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

--SEC Malware Campaign: Spoofing That Could Have Been Avoided
(October 11 & 12, 2017)

A spear-phishing campaign spoofed the US Securities and Exchange Commission (SEC) email address. The deceptive emails appeared to come from the agency, but instead came from attackers attempting to spread DNSMessenger malware through malicious Microsoft Word attachments. [Editors: This reflects a major problem because people trust(ed) the SEC. A now-tardy DMARC implementation at the SEC could have stopped citizens and businesses from having their systems infected.]

[Editor Comments]
[Pescatore] Big issues here in this one around dynamic data exchange (DDE) vulnerabilities that Microsoft is treating as "features," but I'll focus on the phishing front end. Email authentication approaches like DMARC, DKIM, and SPF are effective at greatly raising the bar against phishing. A FTC report earlier this year showed about 33% of businesses have deployed DMARC, with 10% in reject mode. The success stories around deploying DMARC in monitor mode and quickly moving to reject vastly out-number the horror stories. Use this SEC example as "click bait" to gain support for driving the messaging group to move to technologies like DMARC.
[Paller] If you haven't implemented DMARC you are missing a chance to become a hero in your organization. It's a game changer in stopping people from spoofing email from your site. The best program for DMARC information and low-cost capabilities globally is from the non-profit Global Cyber Alliance (created jointly by District Attorney Cyrus Vance in New York and the City of London Police, with support from the Center for Internet Security, and now with 12 nations participating). They have ultra-low cost services and free seminars and here's their page to help you get started https://dmarcguide.globalcyberalliance.org/#/
Read more in:
Cyberscoop: Cybercriminals hijacked a government server to send sophisticated malware to U.S. companies
https://www.cyberscoop.com/cybercriminals-hijacked-government-server-send-sophisticated-malware-u-s-companies/?category_news=technology
ZDNet: SEC spoofed, malware hosted on US gov't server in new DNS attack
http://www.zdnet.com/article/sec-spoofed-malware-hosted-on-us-govt-servers-in-new-dns-attack/
SC Magazine: Phishers imitate SEC, abuse Microsoft feature, to distribute DNSMessenger malware
https://www.scmagazine.com/phishers-imitate-sec-abuse-microsoft-feature-to-distribute-dnsmessenger-malware/article/699918/

--Israel Says It Detected Russian Hackers Using Kaspersky AV to Spy
(October 10 & 11, 2017)

When Israeli intelligence broke into the Kaspersky network in 2014, it allegedly found that Russian hackers were using Kaspersky antivirus software as a search tool. Israel alerted US intelligence. Kaspersky Lab has issued a statement in which it asserts that it "has never helped, nor will help, any government in the world with its cyberespionage efforts." The NSA does not allow the use of Kaspersky software because it is aware of how antivirus products can be exploited to obtain information. In a related story, Germany's federal cyber agency, BSI, said it has "no plans to warn against the use of Kaspersky products since" it has no evidence that the company behaved questionably.

[Editor Comments]
[Pescatore] So far, you could block replace "Kaspersky software" with "any AV software" in all of the public data that has come out on this. All AV software products are essentially rootkits - if Kaspersky or any other commercial product is known to be a "malicious rootkit" then that information should be made public.
[Murray] Kaspersky is suffering the death of a thousand cuts. If one wanted to improve one's security by eliminating vendors, one would start with Microsoft and Adobe, not Kaspersky.
[Williams] Perhaps more concerning than the Israeli allegations are those made in the CyberScoop article (https://www.cyberscoop.com/kaspersky-fbi-cia-fsb-demarche-2015/) claiming that Kaspersky offered to sell access to their customer data. Despite refuting claims in the NYT article, Kaspersky has been absolutely silent about the claims they tried to sell their data. The CyberScoop article broke more than 12 hours before the NYT article - it's certain that Kaspersky has seen it. Their silence in the face of these allegations is deafening.
Read more in:
NYT: How Israel Caught Russian Hackers Scouring the World for U.S. Secrets
https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html
The Register: 'Israel hacked Kaspersky and caught Russian spies using AV tool to harvest NSA exploits'
http://www.theregister.co.uk/2017/10/11/israel_russia_kaspersky/
Reuters: Germany: 'No evidence' Kaspersky software used by Russians for hacks
https://www.reuters.com/article/us-usa-security-kaspersky-germany/germany-no-evidence-kaspersky-software-used-by-russians-for-hacks-idUSKBN1CG284

--IRS Temporarily Suspends Equifax Contract
(October 12, 2017)

The US Internal Revenue Service (IRS) has temporarily suspended a $7.2 million USD contract with Equifax. The contract was to help fight fraud by verifying taxpayer identities; it had been granted without going through a bidding process. The announcement of the suspension followed news that an Equifax website was serving malware (see story below).

[Editor Comments]
[Pescatore] This is a good news headline to use with the C-suite and Boards of Directors to drive support for secure supply chain strategies. Equifax was deficient on due diligence checking of a third-party vendor used to collect website performance data and they are paying the price - not just embarrassment, immediate loss of revenue, likely future loss of revenue. All code running on customer facing web servers should be tested for vulnerabilities and malicious capabilities.
[Murray]This service is no longer valuable. The information upon which it rests has been compromised. It is no longer available only to Equifax and the subject but now also to fraudsters. How ironic would it be for the IRS to continue to pay Equifax a premium for use of information that fraudsters buy cheaper in the black market? One hopes that the IRS is taking steps to resist the inevitable increase in tax refund fraud that will result from the compromise of Equifax.
Read more in:
Politico: IRS temporarily suspends contract with Equifax
http://www.politico.com/story/2017/10/12/irs-equifax-contract-suspended-243732
The Hill: IRS suspends Equifax contract: report
http://thehill.com/blogs/blog-briefing-room/355247-irs-suspends-equifax-contract-report

--Equifax Website Serving Adware
(October 12, 2017)

The Equifax customer help website has been encouraging visitors to download what the message claims is a Flash update, but which is actually adware. Users' machines are infected if they click on the download. Equifax says the problem stems from a third-party data analysis company and that it has removed the offending code from its website and disabled the page.

[Editor Comments]
[Williams] Equifax continues to shirk responsibility for its security issues. When you put third party code on your website, you have to take responsibility for what it does to your customers. It's as simple as that.
Read more in:
Ars Technica: Equifax website borked again, this time to redirect to fake Flash update
https://arstechnica.com/information-technology/2017/10/equifax-website-hacked-again-this-time-to-redirect-to-fake-flash-update/
KrebsOnSecurity: Equifax Credit Assistance Site Served Spyware
https://krebsonsecurity.com/2017/10/equifax-credit-assistance-site-served-spyware/
CNET: Watch out, Equifax may have been hacked again by adware
https://www.cnet.com/news/watch-out-equifax-may-have-been-hacked-again-by-adware/
Threatpost: Equifax Takes Down Compromised Page Redirecting to Adware Download
https://threatpost.com/equifax-takes-down-compromised-page-redirecting-to-adware-download/128406/

*************************** SPONSORED LINKS ********************************

1) SANS Analyst Dave Shackleford will discuss his review of Endgame's Managed Detection and Response Services under real-world threats in a simulated environment. Register: http://www.sans.org/info/198790

2) Share your latest techniques and tools for securing cloud-based assets at the SANS Cloud Security Summit. Our call for presentations is open thru 10/13: http://www.sans.org/info/198800

3) Don't Miss: "Threat Intelligence for Every Security Function" with Davie Shackleford and Chris Pace. Register: http://www.sans.org/info/198805

******************************************************************************

THE REST OF THE WEEK'S NEWS

--Hyatt Breach
(October 12, 2017)

The Hyatt Corp. has begun notifying customers of a breach of payment systems at some of its properties. The incident affects cards manually entered or machine-swiped at from desks of certain Hyatt locations between March 18, 2017 and July 2, 2017. In all, 41 Hyatt properties in 11 countries are affected. Hyatt suffered another data breach in 2015 which affected 250 locations in approximately 50 countries.

[Editor Comments]
[Murray] These breaches will continue as long as the mag-stripe carries the account number in the clear and online merchants continue to accept them.
Read more in:
KrebsOnSecurity: Hyatt Hotels Suffers 2nd Card Breach in 2 Years
https://krebsonsecurity.com/2017/10/hyatt-hotels-suffers-2nd-card-breach-in-2-years/

Reuters: Hyatt Hotels discovers card data breach at 41 properties
http://www.reuters.com/article/us-hyatt-hotels-cyber/hyatt-hotels-discovers-card-data-breach-at-41-properties-idUSKBN1CH2WP

--GAO to Investigate Alleged DDoS Attack on FCC System
(October 12, 2017)

The US Government Accountability Office (GAO) says it will investigate an alleged distributed denial-of-service (DDoS) attack against the Federal Communications Commission (FCC) electronic comment system. The incident allegedly occurred as the FCC was talking about undoing net neutrality rules.
[Editor Comments]
[Williams] This is a tremendous waste of resources. It is clear this was not truly a DDoS. It's just poor architecture and an attempt to shift blame away from that.
Read more in:
The Hill: GAO to probe FCC cyberattack that struck amid net neutrality debate
http://thehill.com/policy/cybersecurity/355174-watchdog-to-probe-fcc-cyberattack

--Kirstjen Nielsen Nominated DHS Secretary
(October 11 & 12, 2017)

Former US Department of Homeland Security (DHS) chief of staff Kirstjen Nielsen has been nominated to be the next DHS Secretary. A former Obama administration cybersecurity official said of Nielson, "This is the first time we've had somebody who has actually worked in the field before, someone who's of the 9/11 generation-not Vietnam or the Cold War-and that shapes her perception of national security."
Read more in:
Quartz: The woman keeping order in Trump's White House has been nominated to keep the US safe
https://qz.com/1100229/meet-kirstjen-nielsen-donald-trumps-pick-to-head-the-us-department-of-homeland-security/
Nextgov: DHS Nominee Would Be Agency's First Homegrown Cyber Leader
http://www.nextgov.com/cybersecurity/2017/10/dhs-nominee-would-be-agencys-first-homegrown-cyber-leader/141754/?oref=ng-channeltopstory

--Microsoft Patch Tuesday
(October 11, 2017)

On Tuesday, October 10, Microsoft released fixes for at least 62 vulnerabilities in a variety of products. Two of the flaws were disclosed prior to the updates' release, and one is already being actively exploited. The flaw in Microsoft Office can be exploited to take control of vulnerable systems.

Read more in:
KrebsOnSecurity: Microsoft's October Patch Batch Fixes 62 Flaws
https://krebsonsecurity.com/2017/10/microsofts-october-patch-batch-fixes-62-flaws/
Threatpost: Microsoft Patches Office Bug Actively Being Exploited
https://threatpost.com/microsoft-patches-office-bug-actively-being-exploited/128367/
Computerworld: Early reports of myriad Microsoft Patch Tuesday problems
https://www.computerworld.com/article/3232624/microsoft-windows/early-reports-of-myriad-microsoft-patch-tuesday-problems.html
Microsoft: Security Update Summary
https://portal.msrc.microsoft.com/en-us/security-guidance/summary

--BPC Banking Software Has QL Injection Vulnerability
(October 11 & 12, 2017)

A vulnerability in the BPC ecommerce platform has gone unpatched since it was privately disclosed to the Swiss company BPC Banking Technologies in April 2017. The flaw could be exploited through an SQL injection attack to steal sensitive data. To exploit the flaw, an attacker would need to be authenticated to a computer that is running the vulnerable software.

Read more in:
Threatpost: Vendor BPC Banking Silent on Patching SQL Injection in Smartvista eCommerce Software
https://threatpost.com/vendor-bpc-banking-silent-on-patching-sql-injection-in-smartvista-ecommerce-software/128386/
The Register: Swiss banking software has Swiss cheese security, says Rapid7
https://www.theregister.co.uk/2017/10/12/rapid7_identifies_bpc_banking_sql_injection_flaw/
Rapid7: R7-2017-08: BPC SmartVista SQL Injection Vulnerability
https://blog.rapid7.com/2017/10/11/r7-2017-08-bpc-smartvista-sql-injection-vulnerability/

--AUSA Panel: "A New Kind of Force for a New Fighting Domain: Cyber Talent Management"
(October 11, 2017)

Speaking on a panel at the Association of the United States Army (AUSA) annual meting earlier this week, Defense Digital Service leader Chris Lynch said that the military needs to reconsider its position of requiring people to be promoted to become managers and let "nerds be nerds." Defense Digital Service is an agency within the Defense Department that hires private sector employees with cyber skills. Other panel members spoke to the value of allowing cyber personnel to leave for the private sector, learn new skills, and return.

Read more in:
Fifth Domain: Army cyber should 'let nerds be nerds,' experts say
https://www.fifthdomain.com/news/your-army/2017/10/11/army-cyber-should-let-nerds-be-nerds-experts-say/

--Judge Restricts Warrant in Anti-Trump Protest Site Case
(October 11, 2017)

A judge in Washington, DC, has ruled that the US Department of Justice (DoJ) "does not have the right to rummage through the information contained on DreamHost's website and discover the identity of, or access communications by, individuals not participating in alleged criminal activity, particularly those persons who were engaging in First Amendment activities." Chief Judge Robert E. Morin ordered DreamHost, the site's hosting company, to redact all personally identifiable information belonging to non-subscribers of the site.
[Editor Comments]
[Stephen Northcutt] To rephrase, Judge Morin restricted the warrant in part, because it asked for data about individuals that had not committed a crime.
http://www.npr.org/sections/thetwo-way/2017/10/11/557222814/enter-title
Read more in:
Engadget: Judge limits government warrant for info on anti-Trump protest site
https://www.engadget.com/2017/10/11/department-of-justice-dreamhost-warrant-limit/
The Register: Judge says US govt has 'no right to rummage' through anti-Trump protest website logs
http://www.theregister.co.uk/2017/10/11/trump_protest_website_privacy_latest/
ZDNet: Judge smashes boundless warrant for identities of anti-Trump website users
http://www.zdnet.com/article/judge-smashes-boundless-warrant-for-identities-of-anti-trump-website-users/
DreamHost: In the Matter of the Search of www.disruptj20.org that is Stored at Premises Owned, Maintained, Controlled, or Operated by DreamHost (PDF)
https://www.dreamhost.com/blog/wp-content/uploads/2017/10/DreamHost-Order-10-10-17.pdf

--FireEye: North Korea Targeted US Electric Firms in Spear Phishing Campaign
(October 10, 11, & 12, 2017)

Hackers linked to North Korea's government launched reconnaissance spear phishing campaigns against US electric companies, according to FireEye, which says it detected and stopped the suspect emails in September.

Read more in:
FireEye: North Korean Actors Spear Phish U.S. Electric Companies
https://www.fireeye.com/blog/threat-research/2017/10/north-korean-actors-spear-phish-us-electric-companies.html
The Register: North Korean hackers allegedly probing US utilities for weaknesses
http://www.theregister.co.uk/2017/10/11/dprk_hackers_probe_us_utilities/
SC Magazine: North Korea spearphishing campaign aimed at U.S. power grid
https://www.scmagazine.com/north-korea-spearphishing-campaign-aimed-at-us-power-grid/article/699599/
Dark Reading: North Korean Threat Actors Probe US Electric Companies
https://www.darkreading.com/attacks-breaches/north-korean-threat-actors-probe-us-electric-companies/d/d-id/1330106

INTERNET STORM CENTER TECH CORNER

Microsoft Monthly Updates

https://isc.sans.edu/forums/diary/October+2017+Security+Updates/22916/

Spoofed iOS iCloud Login

https://krausefx.com/blog/ios-privacy-stealpassword-easily-get-the-users-apple-id-password-just-by-asking

Outlook Includes plain text version of e-mail with S/MIME Encryption

https://www.sec-consult.com/en/blog/2017/10/fake-crypto-microsoft-outlook-smime-cleartext-disclosure-cve-2017-11776/index.html

RubyGems Remote Code Execution Vulnerability

http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html

Macro-less Code Exec in MSWord Rediscovered

https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/

Cameradar Finds Open RTSP Streams

https://github.com/EtixLabs/cameradar

Version Control Tools Are Not Only For Developers

https://isc.sans.edu/forums/diary/Version+control+tools+arent+only+for+Developers/22922/

Coin Hive Javascript Crypto Currency Miner Found on Piratebay

https://twitter.com/esterling_/status/918240914623090695
https://crypto-loot.com

Google Home Mini Recorded Everything

http://www.androidpolice.com/2017/10/10/google-nerfing-home-minis-mine-spied-everything-said-247/

Hard Disks Can Be Used As Microphones (PDF)

https://github.com/ortegaalfredo/kscope/blob/master/doc/HDD-microphones.pdf


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create