
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #84

October 24, 2017


Dragonfly: DHS and FBI Warn of Cyber Attacks on Infrastructure Sectors
Canada Concerned About Infrastructure Attacks; Intelligence Agency Releases Malware Analysis Tool
FERC Proposes Power Grid Security Management Controls


Encryption Prevented FBI from Accessing 6,900 Seized Mobile Phones
Google Transparency Report: HTTPS Traffic Increasing
Kaspersky Will Open Anti-Virus Code for Review
Hackers Exploiting Flash Flaw
Project Loon Bringing Emergency Internet to Puerto Rico
Study: DMARC Implementation at Federal Agencies
Reaper/IOTroop IoT Botnet
Elmedia Player and Folx Downloads Infected with OSX Proton Malware
Is NYPD's PETS Evidence Database Backed Up or Not?
Whole Foods Says Point-of-Sale Payment Card Breach is "Resolved"



--Dragonfly: DHS and FBI Warn of Cyber Attacks on Infrastructure Sectors
(October 21, 2017)

On Friday, October 20, the US Department of Homeland Security's (DHS) Computer Emergency Readiness Team (US-CERT) and the FBI issued an alert warning of advanced persistent threat activity targeting government and private sector organizations in several sectors of critical infrastructure. The group believed to be responsible for the activity has been code-named Dragonfly 2.0.

[Editor Comments]
[Murray] Observed attacks, unmeasured vulnerability, and untested resilience in the face of malice in our most critical infrastructure add up to existential risk, a term that should be used most sparingly. That said, the resilience of the grid in the face of component failures, changes in load, and even force majeure, is little short of miraculous.
[Pescatore] US-CERT is still using the APT term, while most of the "real" world has retired it. The US-CERT Alert analysis of the stages of these attacks shows they pretty much follow the same path as most financially motivated attacks.
[Assante] The focus on supply chains has been particularly relevant for ICS-focused cyber intruders. Recent assessments place a sharp focus on supply chains not only as a potential weak point, but more importantly because third parties may possess the type of access that gets an attacker to high-value points in operational technology.

Read more in:
US-CERT: Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors
Threatpost: DHS Alert on Dragonfly APT Contains IOCs, Rules Likely to Trigger False Positives
Reuters: U.S. warns public about attacks on energy, industrial firms
The Register: US energy, nuke and aviation sectors under sustained attack
ZDNet: Hackers are attacking power companies, stealing critical data: Here's how they are doing it
Dark Reading: US Critical Infrastructure Target of Russia-Linked Cyberattacks
Cyberscoop: Security researchers call for calm after DHS warns of energy grid hacking

--Canada Concerned About Infrastructure Attacks; Intelligence Agency Releases Malware Analysis Tool
(October 19 & 23, 2017)

Canada's Communications Security Establishment (CSE) is releasing a malware analysis tool called Assemblyline to the public in an effort to help organizations defend their networks. CSE uses Assemblyline to help protect the government's infrastructure. In a related story, the Canadian government is concerned about attacks on the country's critical infrastructure. The government has helped organizations that have been targeted by attacks but has not disclosed the attacks to the public.

Read more in:
CBC: Canada's 'super secret spy agency' is releasing a malware-fighting tool to the public
Reuters: Canada worried about infrastructure hacks: intelligence official

--FERC Proposes Power Grid Security Management Controls
(October 19, 2017)

The Federal Energy Regulatory Commission (FERC) has proposed new security management control standards for electric grid system operators. The standards include "mandatory controls to address the risks posed by malware from transient electronic devices like laptop computers, thumb drives and other devices used at low-impact bulk electric system cyber systems."

[Editor Comments]
[Assante] The enhancement to the standard, changes to Transient Cyber Assets and Removable Media, will begin to cut down on the large volume of non-targeted infections and raise the bar in one dimension of supply chain vectors. SANS has fielded a new GIAC certification (GCIP) and course, ICS456 Essentials for NERC Critical Infrastructure Protection, to help security practitioners and compliance-related staff develop the best security approach while meeting the standards.

Read more in:
The Hill: FERC proposes new cyber controls for power grid
FERC: FERC Proposes New Security Management Controls for Grid Cyber Systems

--Encryption Prevented FBI from Accessing 6,900 Seized Mobile Phones
(October 23, 2017)

FBI Director Christopher Wray told an audience at the International Association of Chiefs of Police conference that encryption kept his agency from accessing nearly 7,000 seized mobile phones over an 11-month period. He also called for US legislators to reauthorize the Foreign Intelligence Surveillance Act (FISA), which is set to expire at the end of this calendar year.

[Editor Comments]
[Pescatore, Murray, Honan and Neely] We would reword that headline "Encryption Prevented Thieves from Exploiting Data on More Than Three Million Stolen Cellphones and the FBI From Investigating Fewer Than Seven Thousand."

Read more in:
The Register: Phone crypto shut FBI out of 7,000 devices, complains chief g-man
Fifth Domain: FBI couldn't access nearly 7K devices because of encryption
Ars Technica: FBI Director: unbreakable encryption is a "huge, huge problem"
Reuters: Ex-U.S. spy chiefs urge Congress to renew internet surveillance law

--Google Transparency Report: HTTPS Traffic Increasing
(October 23, 2017)

According to Google's most recent Transparency Report, HTTPS traffic on its Chrome browser on Android has increased from 42 percent to 64 percent over the past year. HTTPS traffic accounts for more than 75 percent of Chrome traffic on Chrome OS and Mac. The percentage of top 100 sites on the Internet using HTTPS by default has nearly doubled in the past year, from 37 percent to 71 percent.

[Editor Comments]
[Ullrich] Probably the easiest and most effective way to gather information from encrypted (in particular https) traffic uses proxies. But even without decrypting the traffic, network traffic analysis techniques can be useful, such as mere profiling of SSL certificates as well as SSL handshakes. Salesforce recently released a nice tool, JA3, to profile SSL traffic. The tool can easily be integrated into Bro and Moloch to attach SSL client hello fingerprints to your data. Cisco for example has shown how this data can be used to identify malicious traffic.
[Neely] Search engines are now favoring HTTPS sites over HTTP sites. Not using HTTPS, with very few exceptions, is no longer worth the risk. In addition to having your web sites use HTTPS, also configure them for HTTP Strict Transport Security (HSTS) to prevent fallback to HTTP.

Read more in:
V3: Google claims almost two-thirds of web traffic is now HTTPS
Softpedia: Google: Chrome's Aggressive HTTPS Push Successful on Android, Mac, Windows
Google Transparency Report: HTTPS encryption on the web
Google: Say "yes" to HTTPS: Chrome secures the web, one site at a time
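
The HSTS recommendation in the editor comments above only prevents HTTP fallback when the header is set strongly enough to persist in browsers. As an added example, not part of the newsletter, the following grades a response's Strict-Transport-Security header per RFC 6797; the 180-day threshold and the sample headers are constructed assumptions.

```python
"""Grade an HTTP response's Strict-Transport-Security (HSTS) header.
Added example, not from the newsletter: parses the header per RFC 6797 and
flags settings that still permit HTTP fallback. Sample headers are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ONE_YEAR = 365 * 24 * 3600           # preload list requirement for max-age
MIN_RECOMMENDED = 180 * 24 * 3600    # assumption: shorter policies expire before most return visits

@dataclass
class HstsPolicy:
    present: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    findings: List[str] = field(default_factory=list)

def parse_hsts(value: str) -> HstsPolicy:
    """Parse a header value such as 'max-age=31536000; includeSubDomains'."""
    policy = HstsPolicy(present=True)
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        if name in seen:  # RFC 6797: a repeated directive makes the whole header invalid
            policy.findings.append(f"duplicate directive '{name}'")
            continue
        seen.add(name)
        if name == "max-age":
            val = val.strip().strip('"')
            if val.isdigit():
                policy.max_age = int(val)
            else:
                policy.findings.append("max-age is not a non-negative integer")
        elif name == "includesubdomains":
            policy.include_subdomains = True
        elif name == "preload":
            policy.preload = True
        # any other directive is ignored, as RFC 6797 requires
    if policy.max_age is None:
        policy.findings.append("max-age missing; the header has no effect")
    return policy

def assess_headers(headers: Dict[str, str]) -> HstsPolicy:
    """Find the STS header (header names are case-insensitive) and grade it."""
    value = next((v for k, v in headers.items() if k.lower() == "strict-transport-security"), None)
    if value is None:
        return HstsPolicy(present=False, findings=["no Strict-Transport-Security header; HTTP fallback possible"])
    policy = parse_hsts(value)
    if policy.max_age == 0:
        policy.findings.append("max-age=0 tells browsers to forget the policy")
    elif policy.max_age is not None and policy.max_age < MIN_RECOMMENDED:
        policy.findings.append(f"max-age {policy.max_age}s is below the {MIN_RECOMMENDED}s recommendation")
    if not policy.include_subdomains:
        policy.findings.append("includeSubDomains absent; subdomains may still be reached over HTTP")
    if policy.preload and (not policy.include_subdomains or (policy.max_age or 0) < ONE_YEAR):
        policy.findings.append("preload requested but needs max-age >= 1 year and includeSubDomains")
    return policy

# Constructed sample responses: one weak, one meeting the preload bar
WEAK = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=300"}
STRONG = {"strict-transport-security": "max-age=63072000; includeSubDomains; preload"}
```

Run `assess_headers()` against the headers captured from your own site over HTTPS; an empty findings list means the policy will persist and cover subdomains.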

--Kaspersky Will Open Anti-Virus Code for Review
(October 23, 2017)

Kaspersky Lab says it will open its anti-virus code for third-party review. The effort is part of the company's Global Transparency Initiative, which aims to reassure those who are concerned that Kaspersky could have ties to the Russian government. In September, the US Department of Homeland Security ordered federal agencies to stop using Kaspersky products. Some security experts and politicians have called Kaspersky's effort relatively meaningless, as software is frequently updated.

[Editor Comments]
[Ullrich] I do not think this solves anything for Kaspersky. The issue with Kaspersky isn't its source code, but the fact that the Russian government may have used its tools to infiltrate organizations. This can happen even if the code operates as designed and is bug/vulnerability free. The problem is a "Layer 8" (human/politics) issue, not a software problem.
[Williams] No independent reviewers can move at the speed that AV must adapt to keep networks safe from emerging threats. Also, the issue is more about the built-in capabilities of the product and how they can be used to copy data inappropriately - a threat that is present in all AV products.

Read more in:
The Register: 'We've nothing to hide': Kaspersky Lab offers to open up source code
ZDNet: Kaspersky Lab tries to claw back trust with transparency initiative
Fifth Domain: Kaspersky Lab to open anti-virus software to outside review
Bleeping Computer: Kaspersky Opens Code to 3rd-Party Review in Effort to Combat Spying Accusations
Ars Technica: Kaspersky pledges independent code review to cast off spying suspicions

--Hackers Exploiting Flash Flaw
(October 20, 2017)

The APT28 cyber espionage group has been launching attack campaigns that exploit a recently patched flaw in Adobe Flash. Adobe released a fix for the vulnerability last week; APT28 is taking advantage of the lag between the patch's availability and users installing the fix.

Read more in:
Bleeping Computer: Russian Cyberspies Are Rushing to Exploit Recent Flash 0-Day Before It Goes Cold
ZDNet: Hackers race to use Flash exploit before vulnerable systems are patched

--Project Loon Bringing Emergency Internet to Puerto Rico
(October 20 & 23, 2017)

Project Loon has been clustering its stratospheric LTE balloon network over Puerto Rico, to provide emergency Internet service. Project Loon is run by X, a subsidiary of Google parent company Alphabet. Alphabet is working with the Federal Communications Commission, Federal Aviation Administration, FEMA, and other authorities.

[Editor Comments]
[Northcutt] Disaster Recovery people are probably watching the Apple-Google hookup very closely. When tons of do-gooders come flooding in after buying all the shiny satellite phones in the continental US only to find out they have to share satellites with each other; plan B starts to sound good.

Read more in:
Blog.x: Turning on Project Loon in Puerto Rico
The Verge: Alphabet's Project Loon deploys LTE balloons in Puerto Rico
BBC: Project Loon restores web in hurricane-hit Puerto Rico

--Study: DMARC Implementation at Federal Agencies
(October 23, 2017)

A study of Domain-based Message Authentication, Reporting & Conformance (DMARC) adoption in the US federal government has found that just 18 percent of agencies have implemented the standard. The study also found that 25 percent of email that appears to be from federal agencies is either fraudulent or unauthenticated. The study comes just days after the Department of Homeland Security (DHS) announced that federal agencies must implement a DMARC monitoring policy within 90 days.

[Editor Comments]
[Pescatore] The Federal Government is not that far behind private industry in this area. The Agari data showed that only 8% of the Fortune 500 had active Quarantine or Reject DMARC policies compared to 9.2% of Federal Agencies. However, 25% of the F500 had DMARC enabled in Monitor only mode (usually the starting point for full DMARC enablement) while only 9% of Federal Agencies were at that point. The DHS mandate needs to jumpstart government agencies to get moving implementing DMARC - and ideally mandating that all their suppliers do so, as well.
[Ullrich] Commercial organizations should also implement DMARC. Despite weaknesses, DMARC provides a meaningful layer of protection to better authenticate e-mail, and more importantly, to identify who is spoofing your email and why or how they are doing it.
[Neely] Public and private sector implementations of DMARC will reduce the ability to impersonate domains. Phishing from rogue lookalike domains is still possible (e.g. gmai1.com vs gmail.com). DMARC can be implemented first in reporting mode, which allows you to see who else is using your domain for sending messages without blocking any email. Before you can do this, you need SPF and DKIM in place.

Read more in:
SC Magazine: Study: 18% of fed agencies embrace DMARC yet 25% of email fraudulent, unauthenticated
Agari: Agari Federal DMARC Adoption Report (PDF)
DHS: Binding Operational Directive 18-01
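
The adoption figures above distinguish domains with no DMARC, domains in monitor-only mode (p=none) and domains with active Quarantine or Reject policies. As an added example, not from the newsletter or the Agari report, the following parses a domain's _dmarc TXT record per RFC 7489, places it in one of those three buckets and flags the settings that leave spoofing room; the domain names and records are constructed.

```python
"""Classify DMARC TXT records into the adoption buckets used in this item.
Added example, not from the newsletter or the Agari report; all domains and
records below are constructed. Tag handling follows RFC 7489."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}   # policy ordering for the sp= vs p= check
@dataclass
class DmarcAssessment:
    category: str                         # 'none' (no usable record), 'monitor' (p=none), 'enforcing'
    policy: Optional[str] = None
    subdomain_policy: Optional[str] = None
    pct: int = 100
    aggregate_reports_to: List[str] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)

def parse_tags(record: str) -> Dict[str, str]:
    # Split 'v=DMARC1; p=none; rua=mailto:x' into a lower-cased tag dict
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Grade one domain's _dmarc record (None means nothing is published)."""
    if not record:
        return DmarcAssessment("none", findings=["no _dmarc TXT record published"])
    # RFC 7489: 'v=DMARC1' must be the first tag and 'p' is required
    if not record.strip().lower().startswith("v=dmarc1"):
        return DmarcAssessment("none", findings=["record does not begin with v=DMARC1; receivers ignore it"])
    tags = parse_tags(record)
    policy = tags.get("p", "").lower()
    if policy not in STRENGTH:
        return DmarcAssessment("none", findings=[f"missing or invalid p= tag ({policy!r})"])
    result = DmarcAssessment(
        category="monitor" if policy == "none" else "enforcing",
        policy=policy,
        subdomain_policy=tags.get("sp", policy).lower(),
        aggregate_reports_to=[u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    )
    pct = tags.get("pct", "100")
    result.pct = int(pct) if pct.isdigit() and int(pct) <= 100 else 100  # invalid pct is treated as 100
    if not result.aggregate_reports_to:
        result.findings.append("no rua= address: you will not learn who is spoofing the domain")
    if result.category == "enforcing" and result.pct < 100:
        result.findings.append(f"only {result.pct}% of failing mail is subject to p={policy}")
    if STRENGTH.get(result.subdomain_policy, -1) < STRENGTH[policy]:
        result.findings.append("sp= is weaker than p=; subdomains can still be spoofed")
    return result

def adoption_breakdown(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per bucket: the shape of the Monitor vs Quarantine/Reject figures."""
    counts = {"none": 0, "monitor": 0, "enforcing": 0}
    for rec in records.values():
        counts[assess_dmarc(rec).category] += 1
    return counts

# Constructed sample: four domains in different states of DMARC adoption
SAMPLE = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=none; rua=mailto:dmarc@agency-b.example",
    "agency-c.example": "v=DMARC1; p=quarantine; sp=none; pct=25",
    "agency-d.example": None,
}
```

Feed `adoption_breakdown()` the TXT records of the domains you are responsible for, and treat anything other than a clean `enforcing` result with a `rua=` address as work remaining.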

--Reaper/IOTroop IoT Botnet
(October 20 & 23, 2017)

A botnet known as Reaper or IOTroop has infected systems at more than one million organizations. The malware spreads through at least nine vulnerabilities in IoT software and hardware.

[Editor Comments]
[Ullrich] Botnets like "Mirai" were just the beginning. Attackers figured out that there are many unpatched vulnerabilities in these devices that can be used to execute code on the device even if the password is not known. Users have very little hope of mitigating these vulnerabilities if there is no patch. Past experience has shown that almost nobody patches IoT devices, so unlike with desktops (Windows), the release of a patch does not significantly reduce the number of vulnerable systems.

Read more in:
KrebsOnSecurity: Reaper: Calm Before the IoT Security Storm?
Threatpost: 'IOTroop' Botnet Could Dwarf Mirai in Size and Devastation, Says Researcher
Bleeping Computer: A Gigantic IoT Botnet Has Grown in the Shadows in the Past Month
Wired: The Reaper IoT Botnet Has Already Infected a Million Networks
Cyberscoop: Check Point warns of 'vast' new IoT botnet
CheckPoint: A New IoT Botnet Storm is Coming

--Elmedia Player and Folx Downloads Infected with OSX Proton Malware
(October 20, 2017)

Last week, hackers infected downloads of Eltima's Elmedia Player and Folx download manager for macOS with the OSX/Proton malware. OSX/Proton acts as a backdoor on infected systems and can be used to steal data. Users who recently downloaded either app should run a system check to find out if their computers have been compromised. The only way to be sure an infected computer is rid of the malware is to wipe the system and reinstall the OS.

Read more in:
The Register: Malware hidden in vid app is so nasty, victims should wipe their Macs
SC Magazine: Elmedia unknowingly distributed OSX/Proton malware
ZDNet: Mac OSX Trojan malware spread via compromised software downloads
Eltima: Elmedia Player and Folx malware threat Neutralized!
WeLiveSecurity: OSX/Proton spreading again through supply-chain attack

--Is NYPD's PETS Evidence Database Backed Up or Not?
(October 20, 2017)

Seeking to clarify statements made about the lack of backups for a NYPD evidence database, NYPD Deputy Commissioner Stephen Davis wrote in an email that "contrary to some published reports suggesting that NYPD does not electronically back up the data in its Property and Evidence Tracking System (PETS), all such data is backed up continuously in multiple data centers." That statement appears to contradict an affidavit "in which NYPD Director of Strategic Technology Programs Christian Schnedler stated, 'Currently, there is no secondary or back-up system, and no repository of the data in PETS outside of PETS itself.'" Davis's statement may "conflate NYPD's business continuity plan with 'backups.' The PETS system is replicated across multiple NYPD data centers, but all copies of the system are in active use."

Read more in:
Ars Technica: NYPD can't get story straight on evidence system backups

--Whole Foods Says Point-of-Sale Payment Card Breach is "Resolved"
(October 20, 2017)

Whole Foods Market says it has "resolved" a point-of-sale data breach disclosed in September. The breach, which exposed payment card data, affected systems used in table service restaurants, taprooms, and other specialized venues available at some Whole Foods locations. Whole Foods said it has replaced the affected systems, which are separate from its primary grocery store systems.

[Editor Comments]
[Neely] As a consumer, you can start using replay resistant payment options - secure mobile payments like Apple, Samsung and Android pay, or Chip + PIN/Signature (versus magnetic stripe) credit card readers, or possibly cash.

Read more in:
Cyberscoop: Whole Foods says it has 'resolved' point-of-sale breach incident
Reuters: Whole Foods says hacking incident resolved
Whole Foods: Whole Foods Market Payment Card Investigation Update


IoT "Reaper" Botnet
Elmedia Player and Folx Infected with Proton Malware
Android May Be Adding DNS Over TLS
Google Expands Bug Bounty To Popular Android Apps
Increased Use of Last Week's Flash Vulnerability
Is a Telco in Brazil Hosting An Epidemic of Open SOCKS Proxies?
Fake Crypto Currency Trading Applications


The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create