Get an 12.9" iPad Pro, Surface Pro or $400 Off Online Training - Only 2 Days Left!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #82

October 17, 2017

TOP OF THE NEWS


DHS Orders Federal Agencies to Adopt DMARC and HTTPS
Degrees of Power Grid Compromise
KRACK: Vulnerability in WPA2 Protocol Puts Wi-Fi Traffic at Risk

THE REST OF THE WEEK'S NEWS


Kaspersky Report: BlackOasis APT Group Exploited Flash Flaw
Adobe Patches Flash Zero-Day Exploited by BlackOasis Group
North Korea Stole Military Plans from US, South Korea
North Korea Believed to be Responsible for SWIFT-Related Taiwanese Bank Theft
Infineon RSA Library Vulnerability Undermines Crypto Keys
Linux Kernel Team Releases Patch for Flaw in ALSA
Dutch Data Protection Authority Says Windows 10 Violates Law
Japan Targeted in Cyber Espionage Attacks
Another Ukraine Supply Chain Cyber Attack Likely, Say Authorities There

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Sophos Inc. *******************************

Not happy with your old-school endpoint protection? Make the leap into next-gen cybersecurity with Sophos. Enhance your protection, simplify security management and enjoy peace of mind with expert support. It's time. Make the leap to next-gen protection with Sophos. Learn More: http://www.sans.org/info/198835

***************************************************************************

TRAINING UPDATE

-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS Pen Test HackFest Summit & Training | Bethesda, MD | November 13-20 | https://www.sans.org/event/pen-test-hackfest-2017

-- SANS Sydney 2017 | November 13-25 | https://www.sans.org/event/sydney-2017

-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017

-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017

-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | https://www.sans.org/event/siem-tactical-analytics-summit-2017

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS OnDemand and vLive Training | SANS Online Training - Get an iPad, a Samsung Galaxy Tab A or take $250 Off with OnDemand or vLive training through October 11. The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

--DHS Orders Federal Agencies to Adopt DMARC and HTTPS
(October 16, 2017)

The US Department of Homeland Security (DHS) has issued a binding operational directive that requires federal agencies to adopt Domain-based Message Authentication, Reporting & Conformance (DMARC) within three months, and to have HTTPS in place within the next four months. The requirements aim to improve the security of federal agency networks. Agencies have 30 days to develop a plan for implementing DMARC and the STARTTLS protocol.

[Editor Comments]
[Pescatore] Great to see the directive start with "Federal agency "cyber hygiene" greatly impacts user security." While the deadlines are rarely met for these type of directives that come out at the start of a new government fiscal year, it will be a major plus to see a meaningful percentage of federal email using DMARC reject by October 2018. I'd also like to see all federal suppliers and contractors required to do so - the Government's most powerful weapon in driving up overall security hygiene is its buying power.
[Neely] OMB M-15-13 required agencies to implement HTTPS/HSTS for external web sites, which prevents HTTP fallback. We should all implement HTTPS/HSTS. Now the attention moves to implementing TLS & DMARC for email security. DMARC also requires DKIP and SPF, which can stop email domain impersonation attacks. Requiring TLS between SMTP servers means you have a higher assurance of the server you're communicating with and you make capturing email on the wire very difficult.

Read more in:
DHS: Binding Operational Directive 18-01
https://cyber.dhs.gov/
FNR: DHS tells agencies to put a stronger lock on the door to most cyber attacks
https://federalnewsradio.com/cybersecurity/2017/10/dhs-tells-agencies-to-put-a-stronger-lock-on-the-door-to-most-cyber-attacks/
FCW: DHS mandates new security standards for federal networks
https://fcw.com/articles/2017/10/16/dhs-directive-krack-wpa2.aspx
SC Magazine: DHS will order agencies to adopt DMARC, https
https://www.scmagazine.com/dhs-will-order-agencies-to-adopt-dmarc-https/article/700557/
ZDNet: Homeland Security orders federal agencies to start encrypting sites, emails
http://www.zdnet.com/article/homeland-security-orders-federal-agencies-to-encrypt-email-website/

--Degrees of Power Grid Compromise
(October 13, 2017)

When there are news reports of electric grid breaches, those reports are not always clear about how far into the system the intruders reached. This article offers insight into three different degrees of breaches and the concerns each poses. Network breaches often mean that the intruders have broken into email accounts and web servers, but have no access to controls that affect the flow of energy. Operational access indicates that the attackers have reached operational technology (OT) systems. While OT systems are often, but not always, air-gapped from IT systems, the gap is by no means foolproof. In a coordinated attack, intruders would have access to grid control systems, but even then, operating those controls requires expertise.

[Editor Comments]
[Assante] There is a chorus of concern as several power system intrusion campaigns come to light. Some of the stronger voices come from power system entities themselves; for today they are testing their capabilities and practicing for cyber actor attempts and successes. North America's electricity entities have just officially started Move Zero of the NERC-led GridEx. SANS, working with NERC, developed a power system ICS NetWars to challenge and develop power system cyber defenders to open this year's exercise.
[Northcutt] There is enough data following Dragonfly that we should expect an outage at some point. There are some excellent links about functioning in the dark. Keep in mind things are inter-related, they just published an article on the importance of cash after the hurricane in Puerto Rico:
https://www.usatoday.com/story/tech/news/2017/09/06/dozens-power-companies-breached-hackers-cybersecurity-researcher-says/638503001/
https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/
https://www.nytimes.com/2017/09/29/us/puerto-rico-shortages-cash.html
https://www.ready.gov/power-outages

Read more in:
Wired: Hacking a Power Grid in Three (Not-So-Easy) Steps
https://www.wired.com/story/hacking-a-power-grid-in-three-not-so-easy-steps/

--KRACK: Vulnerability in WPA2 Protocol Puts Wi-Fi Traffic at Risk
(October 16, 2017)

A serious weakness in the WPA2 standard used to protect Wi-Fi networks could be exploited to steal data as they travel between wireless devices and Wi-Fi networks. The proof-of-concept exploit has been dubbed the Key Reinstallation Attack, or KRACK. The Belgian researchers who discovered the issue and developed the exploit write that "depending on the network configuration, it is also possible to inject and manipulate data." They will present a research paper on the topic at the Computer and Communications Security Conference in November. Microsoft said that it patched Windows to protect it from the KRACK exploit last week, but waited until the researchers had released their work to disclose the fix.

[Editor Comments]
[Neely] This weakness impacts both access points and clients. The fixes will come as firmware and OS updates/patches. Exploitation requires a device within range of the network, which means it's a bit harder to exploit than an Internet reachable vulnerability. When you're on someone else's Wi-Fi, using a VPN is a good way to protect yourself from manipulation of that network.

Read more in:
KrackAttacks: Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse
https://www.krackattacks.com/
Paper: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
https://papers.mathyvanhoef.com/ccs2017.pdf
KrebsOnSecurity: What You Should Know About the 'KRACK' WiFi Security Weakness
https://krebsonsecurity.com/2017/10/what-you-should-know-about-the-krack-wifi-security-weakness/
Threatpost: Krack Attack Devastates Wi-Fi Security
https://threatpost.com/krack-attack-devastates-wi-fi-security/128461/
Bleeping Computer: New KRACK Attack Breaks WPA2 WiFi Protocol
https://www.bleepingcomputer.com/news/security/new-krack-attack-breaks-wpa2-wifi-protocol/
Bleeping Computer: List of Firmware & Driver Updates for KRACK WPA2 Vulnerability
https://www.bleepingcomputer.com/news/security/list-of-firmware-and-driver-updates-for-krack-wpa2-vulnerability/
Ars Technica: How the KRACK attack destroys nearly all Wi-Fi security
https://arstechnica.com/information-technology/2017/10/how-the-krack-attack-destroys-nearly-all-wi-fi-security/
Ars Technica: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping
https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/
Bob Sullivan: The KRACK attack: Is all Wi-Fi unsafe now? No, not really. But you'd better patch
https://bobsullivan.net/cybercrime/the-krack-attack-is-all-wi-fi-unsafe-now-no-not-really-but-youd-better-patch/
Computerworld: Microsoft shuts down Krack with sneaky Windows update
https://www.computerworld.com/article/3233198/microsoft-windows/microsoft-shuts-down-krack-with-sneaky-windows-update.html

*************************** SPONSORED LINKS ********************************

1) Join this webinar with Splunk featuring Forrester to learn how to transform your security operations using analytics-driven security. http://www.sans.org/info/198840

2) Learn innovative techniques for detecting intrusions and producing actionable intelligence at the SIEM & Tactical Analytics Summit: http://www.sans.org/info/198845

3) Don't miss: "The Maturing of Endpoint Detection and Response (EDR): Choose the Right Solution" Register: http://www.sans.org/info/198850

******************************************************************************

THE REST OF THE WEEK'S NEWS

--Kaspersky Report: BlackOasis APT Group Exploited Flash Flaw
(October 16, 2017)

A hacking group known as BlackOasis has been exploiting a flaw in Adobe Flash Player to place FinSpy malware on targeted systems.
Read more in:
SecureList: BlackOasis APT and new targeted attacks leveraging zero-day exploit
https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/
Cyberscoop: Middle Eastern hacking group is using FinFisher malware to conduct international espionage
https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/?category_news=technology
The Hill: State espionage group exploited Flash vulnerability: report
http://thehill.com/policy/cybersecurity/355653-new-flash-vulnerability-used-by-state-espionage-group-report

--Adobe Patches Flash Zero-Day Exploited by BlackOasis Group
(October 16, 2017)

Adobe has released a fix for a vulnerability in Flash that is reportedly being actively exploited by the BlackOasis APT group. The type confusion issue can be exploited to allow remote code execution. The issue affects Flash for Windows, Linux, macOS, and Chrome OS. The flaw has been fixed in Flash Player version 27.0.0.170.

Read more in:
Bleeping Computer: Adobe Patches Flash Zero-Day Used by BlackOasis APT
https://www.bleepingcomputer.com/news/security/adobe-patches-flash-zero-day-used-by-blackoasis-apt/
The Register: Here's a timeless headline: Adobe rushes out emergency Flash fix after hacker exploits bug
http://www.theregister.co.uk/2017/10/16/adobe_flash_emergency_patch/
Adobe: Security updates available for Flash Player | APSB17-32
https://helpx.adobe.com/security/products/flash-player/apsb17-32.html

--North Korea Stole Military Plans from US, South Korea
(October 11 & 16, 2017)

A South Korean legislator says that North Korea stole sensitive military documents, including war plans developed by the US and South Korea. The documents were part of a breach at South Korea's Defense Integrated Data center, in which of 235 gigabytes of data were stolen in August and September 2016.

Read more in:
Washington Post: S. Korean lawmaker says North Korea hacked war plans
https://www.washingtonpost.com/world/asia_pacific/media-s-korean-lawmaker-says-north-korea-hacked-war-plans/2017/10/10/8a97e022-ae20-11e7-9b93-b97043e57a22_story.html
eWeek: North Korea Steals Confidential US, South Korean Military Documents
http://www.eweek.com/security/north-korea-steals-confidential-us-south-korean-military-documents

--North Korea Believed to be Responsible for SWIFT-Related Taiwanese Bank Theft
(October 16, 2017)

BAE Systems Plc says it believes that North Korea's Lazarus hacking group is behind an attempted theft of funds from a Taiwanese bank through the SWIFT global funds transfer message system. BAE and other security firms have previously linked Lazarus to other SWIFT-related cyber thefts. Much of the stolen funds has been recovered.

Read more in:
Reuters: North Korea likely behind Taiwan SWIFT cyber heist: BAE
http://www.reuters.com/article/us-cyber-heist-north-korea-taiwan/north-korea-likely-behind-taiwan-swift-cyber-heist-bae-idUSKBN1CL2VO
BAE: Taiwan Heist: Lazarus Tools and Ransomware
https://baesystemsai.blogspot.ca/2017/10/taiwan-heist-lazarus-tools.html

--Infineon RSA Library Vulnerability Undermines Crypto Keys
(October 16, 2017)

The security of encryption keys used in a variety of national identity cards, software and application signing, and other sensitive functions is seriously weakened due to a vulnerability in the Infineon RSA library 1.02.013. The flaw lets attackers derive the private portion of the key using only the key's public portion. The issue lies in the algorithm the library uses for RSA primes generation. The flaw has existed in the library since at least 2012.

[Editor Comments]
[Neely] The library was created to enable cryptographic operations to work on smart cards, where resources are scarce. If you're not using smart cards, you're most likely to see this in your systems with Infineon TPM chips. Apply the firmware update to systems with Infineon TPM chips as well as the interim Windows Patch to mitigate this risk. Change the passwords/keys after the updates are made. Smart Cards will either need to switch to 3072/4096 bit keys, or wait for updates that use a patched library.
Read more in:
Ars Technica: Millions of high-security crypto keys crippled by newly discovered flaws
https://arstechnica.com/information-technology/2017/10/crypto-failure-cripples-millions-of-high-security-keys-750k-estonian-ids/
Bleeping Computer: TPM Chipsets Generate Insecure RSA Keys. Multiple Vendors Affected
https://www.bleepingcomputer.com/news/security/tpm-chipsets-generate-insecure-rsa-keys-multiple-vendors-affected/
Infineon: Information on TPM firmware update for Microsoft Windows systems as announced on Microsoft`s patchday on October 10th 2017
https://www.infineon.com/cms/en/product/promopages/tpm-update/?redirId=59160

--Linux Kernel Team Releases Patch for Flaw in ALSA
(October 15 & 16, 2017)

A patch is available to fix a flaw in the Linux kernel. The use-after-free memory corruption vulnerability in ALSA (Advanced Linux Sound Architecture) could be exploited to execute code with elevated privileges.

Read more in:
Bleeping Computer: Patch Available for Linux Kernel Privilege Escalation
https://www.bleepingcomputer.com/news/security/patch-available-for-linux-kernel-privilege-escalation/

--Dutch Data Protection Authority Says Windows 10 Violates Law
(October 13 & 16, 2017)

The Dutch Data Protection Authority (DPA) says that because Windows 10 collects user data without clearly describing what it plans to do with those data, Microsoft is in violation of Dutch data protection laws. DPA also notes that Windows 10 does not always maintain users' previous settings regarding data collection.

Read more in:
BBC: Microsoft Windows 10 breaches Dutch privacy law
http://www.bbc.com/news/technology-41634617
Ars Technica: Dutch privacy regulator says Windows 10 breaks the law
https://arstechnica.com/gadgets/2017/10/dutch-privacy-regulator-says-that-windows-10-breaks-the-law/

--Japan Targeted in Cyber Espionage Attacks
(October 14, 2017)

A cyber espionage group dubbed Bronze Butler has been targeting organizations in Japan since 2012. According to a report from SecureWorks, the group is likely to be from China. Bronze Butler has used spear phishing, watering hole attacks, and and a zero-day flaw to conduct its operations. The group has focused its attentions on companies associated with "critical infrastructure, heavy industry, manufacturing, and international relations," and has been exfiltrating intellectual property, network configuration files, and other sensitive data.

Read more in:
Threatpost: Cyberespionage Group Steps Up Campaigns Against Japanese Firms
https://threatpost.com/cyberespionage-group-steps-up-campaigns-against-japanese-firms/128447/
SecureWorks: BRONZE BUTLER Targets Japanese Enterprises
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses

--Another Ukraine Supply Chain Cyber Attack Likely, Say Authorities There
(October 13, 2017)

Authorities in Ukraine say that the country's government and private companies could be facing another major cyberattack through infected software updates, like the Petya and WannaCry attacks earlier this year. In a press release, the Secret Service of Ukraine (SBU) warned that their "experts received data that the attack can be conducted with the use of software updating, including public applied software. The mechanism of its realization will be similar to cyber-attack of June 2017."

Read more in:
Cyberscoop: Massive supply chain cyberattack on the horizon in Ukraine, according to police
https://www.cyberscoop.com/ukraine-cyberattack-impending-petya-wannacry/

INTERNET STORM CENTER TECH CORNER

Peeking into an Outlook .msg File

https://isc.sans.edu/forums/diary/Peeking+into+msg+files/22926/

Abandoned Domains / Equifax/Transunion Lead to Fake Flash Update

https://blog.malwarebytes.com/threat-analysis/2017/10/equifax-transunion-websites-push-fake-flash-player/

Microsoft Patch Causes Corrupted Systems

https://support.microsoft.com/en-us/help/4049094

DoubleLocker Android Ransomware

https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/

Chrome Extension Mines Crypto Currency

https://www.bleepingcomputer.com/news/security/chrome-extension-uses-your-gmail-to-register-domains-names-and-injects-coinhive/

WPA2 "Krack" Attack

https://www.krackattacks.com/
https://securingthehuman.sans.org/blog/2017/10/16/28748/

Adobe Flash Player Update

https://helpx.adobe.com/security/products/flash-player/apsb17-32.html

Two (identical) uTorrent Binaries with Different Hashes

https://isc.sans.edu/forums/diary/Its+in+the+signature/22928/


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create