
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #82

October 17, 2017


DHS Orders Federal Agencies to Adopt DMARC and HTTPS
Degrees of Power Grid Compromise
KRACK: Vulnerability in WPA2 Protocol Puts Wi-Fi Traffic at Risk


Kaspersky Report: BlackOasis APT Group Exploited Flash Flaw
Adobe Patches Flash Zero-Day Exploited by BlackOasis Group
North Korea Stole Military Plans from US, South Korea
North Korea Believed to be Responsible for SWIFT-Related Taiwanese Bank Theft
Infineon RSA Library Vulnerability Undermines Crypto Keys
Linux Kernel Team Releases Patch for Flaw in ALSA
Dutch Data Protection Authority Says Windows 10 Violates Law
Japan Targeted in Cyber Espionage Attacks
Another Ukraine Supply Chain Cyber Attack Likely, Say Authorities There


*************************** Sponsored By Sophos Inc. *******************************

Not happy with your old-school endpoint protection? Make the leap into next-gen cybersecurity with Sophos. Enhance your protection, simplify security management and enjoy peace of mind with expert support. It's time. Make the leap to next-gen protection with Sophos. Learn More:



-- SANS Cyber Defense Initiative ® 2017 | Washington, DC | December 12-19 |

-- SANS San Diego 2017 | October 30-November 4 |

-- SANS Pen Test HackFest Summit & Training | Bethesda, MD | November 13-20 |

-- SANS Sydney 2017 | November 13-25 |

-- SANS San Francisco Winter 2017 | November 27-December 2 |

-- SANS London November 2017 | November 27-December 2 |

-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 |

-- SANS Amsterdam January 2018 | January 15-20 |

-- SANS Secure Japan 2018 | February 19-March 3 |

-- SANS OnDemand and vLive Training | SANS Online Training - Get an iPad, a Samsung Galaxy Tab A or take $250 Off with OnDemand or vLive training through October 11. The SANS Training you want with the flexibility you need.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast -

-- Evening training 2x per week for 6 weeks with vLive -

-- Anywhere, Anytime access for 4 months with OnDemand format -

-- Single Course Training
SANS Mentor
Community SANS
View the full SANS course catalog



--DHS Orders Federal Agencies to Adopt DMARC and HTTPS
(October 16, 2017)

The US Department of Homeland Security (DHS) has issued a binding operational directive that requires federal agencies to adopt Domain-based Message Authentication, Reporting & Conformance (DMARC) within three months, and to have HTTPS in place within the next four months. The requirements aim to improve the security of federal agency networks. Agencies have 30 days to develop a plan for implementing DMARC and the STARTTLS protocol.

[Editor Comments]
[Pescatore] Great to see the directive start with "Federal agency 'cyber hygiene' greatly impacts user security." While the deadlines are rarely met for these types of directives that come out at the start of a new government fiscal year, it will be a major plus to see a meaningful percentage of federal email using DMARC reject by October 2018. I'd also like to see all federal suppliers and contractors required to do so - the Government's most powerful weapon in driving up overall security hygiene is its buying power.
[Neely] OMB M-15-13 required agencies to implement HTTPS/HSTS for external web sites, which prevents HTTP fallback. We should all implement HTTPS/HSTS. Now the attention moves to implementing TLS & DMARC for email security. DMARC also requires DKIM and SPF, which can stop email domain impersonation attacks. Requiring TLS between SMTP servers means you have a higher assurance of the server you're communicating with and you make capturing email on the wire very difficult.

Read more in:
DHS: Binding Operational Directive 18-01
FNR: DHS tells agencies to put a stronger lock on the door to most cyber attacks
FCW: DHS mandates new security standards for federal networks
SC Magazine: DHS will order agencies to adopt DMARC, https
ZDNet: Homeland Security orders federal agencies to start encrypting sites, emails
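The directive and the editor comments name three controls: a DMARC policy (backed by SPF and DKIM), and HTTPS with HSTS so browsers do not fall back to HTTP. The checker below is an added example, not code from DHS, SANS or the directive. It parses a DMARC TXT record, an SPF TXT record and a Strict-Transport-Security header and reports what is still weak. The inputs are constructed records for a fictitious agency.example domain, and the pass thresholds (p=reject, a terminal -all, a one-year max-age with includeSubDomains) are this editor's assumptions about what "done" looks like, not wording from the directive.

```python
"""Grade DMARC, SPF and HSTS settings against enforcing configurations.

Added example with constructed inputs. Thresholds are the editor's assumptions.
"""


def parse_tag_record(record: str) -> dict:
    """Split a 'tag=value; tag=value' record (DMARC syntax) into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: str) -> list:
    """Findings for a DMARC TXT record; an empty list means enforcing and reporting."""
    tags = parse_tag_record(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: first tag must be v=DMARC1"]
    findings = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= policy missing or invalid")
    elif policy != "reject":
        findings.append(f"p={policy}: mail failing DMARC is not rejected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will never arrive")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail stream")
    return findings


def grade_spf(record: str) -> list:
    """Findings for an SPF TXT record; only the terminal 'all' qualifier is graded."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must begin with v=spf1"]
    findings = []
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("+all: any host on the Internet may send as this domain")
    elif last == "?all":
        findings.append("?all: neutral result, receivers treat it like no SPF record")
    elif last == "~all":
        findings.append("~all: softfail, many receivers still deliver spoofed mail")
    elif last != "-all":
        findings.append("no terminal all mechanism: unlisted senders get a neutral result")
    return findings


def grade_hsts(header) -> list:
    """Findings for a Strict-Transport-Security header value (None = header absent)."""
    if header is None:
        return ["no Strict-Transport-Security header: browsers may still fall back to HTTP"]
    directives = {}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    findings = []
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        findings.append("max-age missing or not a number")
    elif int(max_age) < 31536000:  # one year: assumed minimum, not the directive's text
        findings.append(f"max-age={max_age}: shorter than one year")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains absent: subdomains can still be reached over HTTP")
    return findings


# Constructed sample records for a fictitious domain (not real DNS data).
SAMPLES = {
    "dmarc_enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@agency.example",
    "dmarc_monitor_only": "v=DMARC1; p=none",
    "spf_strict": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.agency.example -all",
    "spf_softfail": "v=spf1 include:_spf.mail.agency.example ~all",
    "hsts_good": "max-age=31536000; includeSubDomains; preload",
    "hsts_weak": "max-age=300",
}

if __name__ == "__main__":
    graders = {"dmarc": grade_dmarc, "spf": grade_spf, "hsts": grade_hsts}
    for name, value in SAMPLES.items():
        print(name, graders[name.split("_")[0]](value) or ["OK"])
```

A monitor-only record (p=none) is the usual first step and is not wrong in itself; the grader flags it because the comments above treat p=reject as the end state. Feeding the grader live records is a matter of replacing the SAMPLES dict with the TXT values returned by a resolver and the header returned by an HTTPS request.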

--Degrees of Power Grid Compromise
(October 13, 2017)

When there are news reports of electric grid breaches, those reports are not always clear about how far into the system the intruders reached. This article offers insight into three different degrees of breaches and the concerns each poses. Network breaches often mean that the intruders have broken into email accounts and web servers, but have no access to controls that affect the flow of energy. Operational access indicates that the attackers have reached operational technology (OT) systems. While OT systems are often, but not always, air-gapped from IT systems, the gap is by no means foolproof. In a coordinated attack, intruders would have access to grid control systems, but even then, operating those controls requires expertise.

[Editor Comments]
[Assante] There is a chorus of concern as several power system intrusion campaigns come to light. Some of the stronger voices come from power system entities themselves; for today they are testing their capabilities and practicing for cyber actor attempts and successes. North America's electricity entities have just officially started Move Zero of the NERC-led GridEx. SANS, working with NERC, developed a power system ICS NetWars to challenge and develop power system cyber defenders to open this year's exercise.
[Northcutt] There is enough data following Dragonfly that we should expect an outage at some point. There are some excellent links about functioning in the dark. Keep in mind that things are inter-related; they just published an article on the importance of cash after the hurricane in Puerto Rico:

Read more in:
Wired: Hacking a Power Grid in Three (Not-So-Easy) Steps

--KRACK: Vulnerability in WPA2 Protocol Puts Wi-Fi Traffic at Risk
(October 16, 2017)

A serious weakness in the WPA2 standard used to protect Wi-Fi networks could be exploited to steal data as they travel between wireless devices and Wi-Fi networks. The proof-of-concept exploit has been dubbed the Key Reinstallation Attack, or KRACK. The Belgian researchers who discovered the issue and developed the exploit write that "depending on the network configuration, it is also possible to inject and manipulate data." They will present a research paper on the topic at the Computer and Communications Security Conference in November. Microsoft said that it patched Windows to protect it from the KRACK exploit last week, but waited until the researchers had released their work to disclose the fix.

[Editor Comments]
[Neely] This weakness impacts both access points and clients. The fixes will come as firmware and OS updates/patches. Exploitation requires a device within range of the network, which means it's a bit harder to exploit than an Internet reachable vulnerability. When you're on someone else's Wi-Fi, using a VPN is a good way to protect yourself from manipulation of that network.

Read more in:
KrackAttacks: Key Reinstallation Attacks: Breaking WPA2 by forcing nonce reuse
Paper: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2
KrebsOnSecurity: What You Should Know About the 'KRACK' WiFi Security Weakness
Threatpost: Krack Attack Devastates Wi-Fi Security
Bleeping Computer: New KRACK Attack Breaks WPA2 WiFi Protocol
Bleeping Computer: List of Firmware & Driver Updates for KRACK WPA2 Vulnerability
Ars Technica: How the KRACK attack destroys nearly all Wi-Fi security
Ars Technica: Severe flaw in WPA2 protocol leaves Wi-Fi traffic open to eavesdropping
Bob Sullivan: The KRACK attack: Is all Wi-Fi unsafe now? No, not really. But you'd better patch
Computerworld: Microsoft shuts down Krack with sneaky Windows update
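The paper title above says what the attack does: it forces a client to reinstall an already-installed key, which resets the packet counter used as the encryption nonce, and in a counter-mode cipher a repeated nonce under the same key repeats the keystream. The model below is an added example written for this issue, not code from the researchers, wpa_supplicant or any vendor. It is a toy: the SHA-256-based keystream stands in for AES-CCMP (an assumption; only the fact that keystream is a deterministic function of key and nonce matters), the pairwise key and frames are constructed, and the "patched" behaviour is the mitigation the firmware and OS updates apply, refusing to reinstall a key that is already in use.

```python
"""Toy model of a WPA2 client installing the pairwise key from handshake message 3.

Added example. The keystream stands in for AES-CCMP counter mode (assumption).
"""
import hashlib


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Counter-mode style keystream: SHA-256(key || nonce || block index), per block."""
    out = b""
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the handshake. refuse_reinstall=True models the patched behaviour."""

    def __init__(self, refuse_reinstall: bool):
        self.refuse_reinstall = refuse_reinstall
        self.ptk = None
        self.packet_number = 0  # CCMP nonce counter; must never repeat under one key

    def on_message3(self, ptk: bytes) -> str:
        """Install the PTK carried by message 3. Access points may retransmit message 3."""
        if self.refuse_reinstall and self.ptk == ptk:
            return "retransmission ignored: key already installed"
        self.ptk = ptk
        self.packet_number = 0  # reinstalling resets the counter: the root of the problem
        return "key installed"

    def encrypt(self, plaintext: bytes):
        """Protect one frame; returns (nonce, ciphertext)."""
        self.packet_number += 1
        nonce = self.packet_number
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


# Constructed frame contents (what a client might send over the link).
PLAINTEXTS = [b"GET /mail/inbox HTTP/1.1", b"Cookie: session=constructed", b"GET /mail/compose HTTP/1.1"]


def simulate(refuse_reinstall: bool) -> list:
    """Two frames, then a retransmitted message 3, then a third frame."""
    sta = Supplicant(refuse_reinstall)
    ptk = hashlib.sha256(b"constructed pairwise key").digest()
    sta.on_message3(ptk)
    frames = [sta.encrypt(PLAINTEXTS[0]), sta.encrypt(PLAINTEXTS[1])]
    sta.on_message3(ptk)  # retransmitted message 3: the event the attack provokes
    frames.append(sta.encrypt(PLAINTEXTS[2]))
    return frames


def nonces_reused(frames) -> bool:
    """True if any two frames were sent with the same nonce under the same key."""
    nonces = [n for n, _ in frames]
    return len(nonces) != len(set(nonces))


def keystream_cancels(frames) -> bool:
    """With a shared nonce, c1 XOR c3 == p1 XOR p3: the keystream drops out of the ciphertexts."""
    (n1, c1), _, (n3, c3) = frames
    return n1 == n3 and xor(c1, c3) == xor(PLAINTEXTS[0], PLAINTEXTS[2])


if __name__ == "__main__":
    for label, patched in (("vulnerable", False), ("patched", True)):
        frames = simulate(patched)
        print(label, "nonces:", [n for n, _ in frames], "reused:", nonces_reused(frames))
```

The vulnerable client sends nonces 1, 2, 1 and the third frame's ciphertext cancels against the first; the patched client continues at 3. This is why Neely's advice to run a VPN on other people's Wi-Fi holds: the VPN's own keys and nonces are unaffected by what the link layer does.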

*************************** SPONSORED LINKS ********************************

1) Join this webinar with Splunk featuring Forrester to learn how to transform your security operations using analytics-driven security.

2) Learn innovative techniques for detecting intrusions and producing actionable intelligence at the SIEM & Tactical Analytics Summit:

3) Don't miss: "The Maturing of Endpoint Detection and Response (EDR): Choose the Right Solution" Register:



--Kaspersky Report: BlackOasis APT Group Exploited Flash Flaw
(October 16, 2017)

A hacking group known as BlackOasis has been exploiting a flaw in Adobe Flash Player to place FinSpy malware on targeted systems.

Read more in:
SecureList: BlackOasis APT and new targeted attacks leveraging zero-day exploit
Cyberscoop: Middle Eastern hacking group is using FinFisher malware to conduct international espionage
The Hill: State espionage group exploited Flash vulnerability: report

--Adobe Patches Flash Zero-Day Exploited by BlackOasis Group
(October 16, 2017)

Adobe has released a fix for a vulnerability in Flash that is reportedly being actively exploited by the BlackOasis APT group. The type confusion issue can be exploited to allow remote code execution. The issue affects Flash for Windows, Linux, macOS, and Chrome OS. The flaw has been fixed in Flash Player version

Read more in:
Bleeping Computer: Adobe Patches Flash Zero-Day Used by BlackOasis APT
The Register: Here's a timeless headline: Adobe rushes out emergency Flash fix after hacker exploits bug
Adobe: Security updates available for Flash Player | APSB17-32

--North Korea Stole Military Plans from US, South Korea
(October 11 & 16, 2017)

A South Korean legislator says that North Korea stole sensitive military documents, including war plans developed by the US and South Korea. The documents were part of a breach at South Korea's Defense Integrated Data Center, in which 235 gigabytes of data were stolen in August and September 2016.

Read more in:
Washington Post: S. Korean lawmaker says North Korea hacked war plans
eWeek: North Korea Steals Confidential US, South Korean Military Documents

--North Korea Believed to be Responsible for SWIFT-Related Taiwanese Bank Theft
(October 16, 2017)

BAE Systems Plc says it believes that North Korea's Lazarus hacking group is behind an attempted theft of funds from a Taiwanese bank through the SWIFT global funds transfer messaging system. BAE and other security firms have previously linked Lazarus to other SWIFT-related cyber thefts. Much of the stolen money has been recovered.

Read more in:
Reuters: North Korea likely behind Taiwan SWIFT cyber heist: BAE
BAE: Taiwan Heist: Lazarus Tools and Ransomware

--Infineon RSA Library Vulnerability Undermines Crypto Keys
(October 16, 2017)

The security of encryption keys used in a variety of national identity cards, software and application signing, and other sensitive functions is seriously weakened due to a vulnerability in the Infineon RSA library 1.02.013. The flaw lets attackers derive the private portion of the key using only the key's public portion. The issue lies in the algorithm the library uses for RSA prime generation. The flaw has existed in the library since at least 2012.

[Editor Comments]
[Neely] The library was created to enable cryptographic operations to work on smart cards, where resources are scarce. If you're not using smart cards, you're most likely to see this in your systems with Infineon TPM chips. Apply the firmware update to systems with Infineon TPM chips as well as the interim Windows Patch to mitigate this risk. Change the passwords/keys after the updates are made. Smart cards will either need to switch to 3072/4096 bit keys, or wait for updates that use a patched library.

Read more in:
Ars Technica: Millions of high-security crypto keys crippled by newly discovered flaws
Bleeping Computer: TPM Chipsets Generate Insecure RSA Keys. Multiple Vendors Affected
Infineon: Information on TPM firmware update for Microsoft Windows systems as announced on Microsoft's patchday on October 10th 2017
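The practical question for a defender is which keys in a certificate or TPM inventory came from the flawed generator and must be replaced after the firmware update. The check below is an added example, not code from Infineon, the researchers or SANS. It relies on the published description of the flaw, which is not spelled out in the item above: the library builds each prime as k*M + (65537^a mod M), where M is a product of small primes, so a modulus N = p*q satisfies N mod r in the subgroup generated by 65537 for every small prime r dividing M. A key drawn from a sound generator fails that test at one of the first few primes with overwhelming probability. The prime bound of 167 is this editor's choice, and the "vulnerable-looking" modulus in the sample is constructed to share the residue structure rather than being a real RSA key.

```python
"""Fingerprint test for RSA moduli with the residue structure left by the flawed prime generator.

Added example. The structure (primes of the form k*M + 65537^a mod M) is from the
published analysis; the prime bound and the sample moduli are the editor's constructions.
"""
from math import prod

GENERATOR = 65537  # the public exponent the generator raises, per the published analysis


def odd_primes_up_to(limit: int) -> list:
    """Odd primes <= limit by trial division (small limit, so speed is irrelevant)."""
    return [p for p in range(3, limit + 1, 2)
            if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]


SMALL_PRIMES = odd_primes_up_to(167)  # bound chosen here; fewer primes also discriminate well
M = prod(SMALL_PRIMES)


def subgroup(r: int) -> set:
    """All residues 65537^a mod r: the values a vulnerable modulus can take mod r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * GENERATOR % r
    return seen


SUBGROUPS = {r: subgroup(r) for r in SMALL_PRIMES}


def has_fingerprint(n: int) -> bool:
    """True if n mod r lies in <65537> for every small prime r (the flawed generator's signature)."""
    return all(n % r in SUBGROUPS[r] for r in SMALL_PRIMES)


def constructed_modulus(a: int, k: int) -> int:
    """Not an RSA modulus; shares the residue structure so the fingerprint test fires on it."""
    return pow(GENERATOR, a, M) + k * M


# Constructed sample: one modulus with the flawed structure, one that is 2 mod 11
# (2 is not a power of 65537 mod 11, so a sound key with that residue is cleared).
SAMPLE_FLAWED = constructed_modulus(7, 2)
SAMPLE_SOUND = 2 + 11 * 10 ** 300


if __name__ == "__main__":
    for label, n in (("flawed-structure", SAMPLE_FLAWED), ("sound", SAMPLE_SOUND)):
        print(label, "flagged" if has_fingerprint(n) else "clear")
```

To use this on real material, load the public key (for example with the cryptography library's X.509 parser) and pass the modulus integer to has_fingerprint; a flagged key is one to replace, as the comment above advises, rather than one that has been exploited.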

--Linux Kernel Team Releases Patch for Flaw in ALSA
(October 15 & 16, 2017)

A patch is available to fix a flaw in the Linux kernel. The use-after-free memory corruption vulnerability in ALSA (Advanced Linux Sound Architecture) could be exploited to execute code with elevated privileges.

Read more in:
Bleeping Computer: Patch Available for Linux Kernel Privilege Escalation

--Dutch Data Protection Authority Says Windows 10 Violates Law
(October 13 & 16, 2017)

The Dutch Data Protection Authority (DPA) says that because Windows 10 collects user data without clearly describing what it plans to do with those data, Microsoft is in violation of Dutch data protection laws. DPA also notes that Windows 10 does not always maintain users' previous settings regarding data collection.

Read more in:
BBC: Microsoft Windows 10 breaches Dutch privacy law
Ars Technica: Dutch privacy regulator says Windows 10 breaks the law

--Japan Targeted in Cyber Espionage Attacks
(October 14, 2017)

A cyber espionage group dubbed Bronze Butler has been targeting organizations in Japan since 2012. According to a report from SecureWorks, the group is likely to be from China. Bronze Butler has used spear phishing, watering hole attacks, and a zero-day flaw to conduct its operations. The group has focused its attentions on companies associated with "critical infrastructure, heavy industry, manufacturing, and international relations," and has been exfiltrating intellectual property, network configuration files, and other sensitive data.

Read more in:
Threatpost: Cyberespionage Group Steps Up Campaigns Against Japanese Firms
SecureWorks: BRONZE BUTLER Targets Japanese Enterprises

--Another Ukraine Supply Chain Cyber Attack Likely, Say Authorities There
(October 13, 2017)

Authorities in Ukraine say that the country's government and private companies could be facing another major cyberattack through infected software updates, like the Petya and WannaCry attacks earlier this year. In a press release, the Secret Service of Ukraine (SBU) warned that their "experts received data that the attack can be conducted with the use of software updating, including public applied software. The mechanism of its realization will be similar to cyber-attack of June 2017."

Read more in:
Cyberscoop: Massive supply chain cyberattack on the horizon in Ukraine, according to police


Peeking into an Outlook .msg File

Abandoned Domains / Equifax/Transunion Lead to Fake Flash Update

Microsoft Patch Causes Corrupted Systems

DoubleLocker Android Ransomware

Chrome Extension Mines Crypto Currency

WPA2 "Krack" Attack

Adobe Flash Player Update

Two (identical) uTorrent Binaries with Different Hashes

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here:

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit