OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #88

November 7, 2017

Tough week.  Trusted organizations are making us vulnerable.



SANS NewsBites               November 7, 2017                Vol. 19, Num. 088



Phony WhatsApp in Google Play Store

Zeus Panda Malware Spreading Through Google SEO Poisoning

Tor Project Releases Updates to Fix for IP Address Leak Issue

Microsoft Pulls Buggy Patches


Crunchyroll DNS Hijack

Level 3 Configuration Error Caused Internet Outages

First US Government Agency Sends Data to CDM Dashboard

Cisco Issues Fixes for Flaw in IOS XE DoS Vulnerability

Estonia Suspending Use of ID Smart Cards

Trump Organization Domains Compromised in 2013

Cryptographic Flaw in IEEE Standard

Siemens Releasing Updates for SIMATIC PCS 7 Vulnerability


***************************  Sponsored By Sophos Inc. ***********************

Do you really know what your network is up to? On average 60% of corporate traffic is unidentified. Read the whitepaper to learn more about network visibility, the risks from unidentified traffic and the critical features to solve the issue. Download whitepaper:




-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017

-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017

-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | https://www.sans.org/event/siem-tactical-analytics-summit-2017

-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018

-- SANS OnDemand and vLive Training | Get a New 12.9" iPad Pro with Smart Keyboard, or an HP ProBook 450 G4, or take $500 Off OnDemand or vLive Training when you register by November 8! The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format -https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all




Phony WhatsApp in Google Play Store

(November 3 & 6, 2017)

A phony version of the WhatsApp messaging app was downloaded at least one million times before being pulled from the Google Play Store. The fake app included advertisements and had the capability to download software onto devices.

[Editor Comments]

[Ullrich] Malicious applications impersonating popular applications have become a big problem in the Google Play Store. Be very careful what you download. This fake WhatsApp application had over a million downloads, which of course causes even more users to believe it to be "safe". The only difference was an invisible Unicode space added to the publisher's name, something Google should be able to detect as an indicator of malicious intent.

[Neely] This was tricky to identify as the developer placed a space after the app name using Unicode characters. Once installed, the app hid itself with a blank icon and no title, and used its Internet permissions to download ads and other apps. Beyond Google's Play Protect or third-party AV detections, the new Google Play Security Reward Program, aka bug bounty program, will help root out malicious third-party applications in the Google Play store. Keeping on the current patched Android OS versions is also important to ensure updated application security measures are in place.


[Murray] The inability of Android to enforce process-to-process isolation is a fundamental vulnerability.  Security should not have to rely on every process being well-behaved.


Read more in:

Threatpost: 1M Downloads Later, Google Pulls Phony WhatsApp From Google Play


The Register: Over a million Android users fooled by fake WhatsApp app in official Google Play Store


ZDNet: Fake WhatsApp app fooled million Android users on Google Play: Did you fall for it?


BBC: Fake WhatsApp app downloaded more than one million times




Zeus Panda Malware Spreading Through Google SEO Poisoning

(November 2 & 3, 2017)

Cyber criminals are using Google search engine optimization (SEO) poisoning along with compromised servers and websites to help them spread the Zeus Panda banking malware. The attackers appear to be targeting customers of certain banks in Sweden, Australia, Saudi Arabia, and India, as well as users of the SWIFT international financial transaction messaging network.

Read more in:

SC Magazine: Hackers find an evil use for SEO


ZDNet: Google search results poisoned by banking trojan attackers' clever SEO


Talos: Poisoning the Well: Banking Trojan Targets Google Search Results




Tor Project Releases Updates to Fix for IP Address Leak Issue

(November 3 & 6, 2016)

The Tor Project has made updates available for its Tor Browser running on Mac and Linux to address a security issue that exposes users actual IP addresses. The flaw was privately reported to Tor last week. The Tor Project has released Tor Browser version 7.0.9 for Mac and Linux; the problem does not affect Tor running on Windows.  

Read more in:

Tor Project Blog: Tor Browser 7.0.9 is released


Ars Technica: Critical Tor flaw leaks users' real IP address-update now


Threatpost: Tor Browser Users Urged to Patch Critical 'Tormoil' Vulnerability


Bleeping Computer: TorMoil Vulnerability Leaks Real IP Address from Tor Browser Users


ZDNet: A serious Tor browser flaw leaks users' real IP addresses


The Register: Biggest Tor overhaul in a decade adds layers of security improvements




Microsoft Pulls Buggy Patches

(November 3 & 6, 2017)

Last week, Microsoft released patches for five Windows versions to address an "unexpected error from external database driver" bug that was introduced in the October 10 monthly update. The patches are not part of Windows Update; users would have to download them and install them manually. The new patches were reportedly causing older security updates to be re-enabled. Three of the patches along with their associated KB articles were apparently pulled from the Microsoft website over the weekend.  

Read more in:

Computerworld: Microsoft yanks buggy Windows patches KB 4052233, 4052234, 4052235


Computerworld: MS fixes 'external database' bug with patches that have even more bugs


***************************  SPONSORED LINKS  *******************************

1) Detect & Eliminate Insider Threats with Teramind User Behavior Analytics: Start your Free Trial Today http://www.sans.org/info/199320

2) In Boston? Register for the SANS SOC Brief on Nov 17. Networking Lunch follows. SPACE LIMITED. http://www.sans.org/info/199340

3) Attend the 2nd Annual SANS Automotive Cybersecurity Summit, May 7-8, Chicago, IL.  Register:  http://www.sans.org/info/199335




Crunchyroll DNS Hijack

(November 4 & 6, 2017)

Ellation, parent company of the Crunchyroll anime streaming website, says that the site's Cloudflare configuration was altered over the weekend to redirect users to a server that attempted to download malware onto users' devices. The Ellation blog post says users who downloaded files between 3:30AM PST and 9:00AM PST on Saturday, November 4, may have been infected. The blog describes steps Crunchyroll users can take to remove the malware from their devices.    

[Editor Comments]

[Ullrich] Yet again an attack using misplaced Cloudflare credentials. If you use Cloudflare, then please treat it like the critical part of your infrastructure that it is, and secure it accordingly. Cloudflare offers a few different two-factor authentication options. Crunchyroll has not stated how they think the credentials were leaked, but in the past, this often happened by using the same credentials on different sites and having them leaked on one of the sites they are used at.

[Williams] Despite widespread reports that this was the result of a DNS hijack, there's no evidence that this is the case. During the outage, many were reporting that this was the result of DNS spoofing. However, DNS spoofing on such a wide scale is usually only feasible for sites that are visited infrequently. Most as popular as Crunchyroll probably have a DNS entry cached in most upstream DNS servers. That said, this IS an interesting supply chain attack where attackers used a content delivery network (Cloudflare in this case) to deliver malware.

Read more in:

SC Magazine: Anime enemy: Asian content distributor Crunchyroll blames DNS hijack for malicious redirection


The Register: Crumbs! Crunchyroll distributed malware for a couple of hours


Ellation: Crunchyroll.com update




Level 3 Configuration Error Caused Internet Outages

(November 6, 2017)

A configuration error at Internet backbone company Level 3 caused Internet outages across the US on Monday, November 6. Level 3 said the problem was resolved within 90 minutes of its detection, but the issue caused ripple effect problems across the country.  

[Editor Comments]

[Williams] BGP is the backbone of the Internet, but any BGP peer can inject routes to other peers. Sometimes this is a misconfiguration, but there are suspicions that nation-state groups including China and Russia have used BGP route hijacks for short duration man in the middle attacks. Follow Twitter account @bgpstream to see how often BGP routes are hijacked.

Read more in:

Wired: How a Tiny Error Shut Off the Internet For Parts of the US




First US Government Agency Sends Data to CDM Dashboard

(November 6, 2017)

The US Department of Homeland Security (DHS) expects that by the end of this calendar year, five US federal government agencies will send data to the continuous diagnostic and mitigation (CDM) program's federal dashboard. One agency has already begun submitting data to the dashboard.

Read more in:

FNR: 5 agencies expected to send data to governmentwide cyber dashboard by end of 2017




Cisco Issues Fixes for Flaw in IOS XE DoS Vulnerability

(November 3 & 6, 2017)

Cisco has released updates for its IOS XE software to address a flaw introduced in changes made to its implementation of the Border Gateway Protocol (BGP) over an Ethernet VPN (EVPN). The flaw could be exploited to create denial of service conditions or corrupt the BGP routing table.  

Read more in:

Threatpost: Cisco Patches DoS Flaw in BGP Over Ethernet VPN Implementation


Cisco: Cisco IOS XE Software Ethernet Virtual Private Network Border Gateway Protocol Denial of Service Vulnerability




Estonia Suspending Use of ID Smart Cards

(November 3 & 6, 2017)

Estonia has suspended the use of its national ID smartcards after learning of a cryptographic flaw in the firmware of the cards' chips that could be used to steal RSA keys and create clones of the cards. The flaw is apparently easier to exploit than was initially reported. The Estonian government recently urged citizens to update their cards' electronic certificates; the cards without updated certificates are being suspended.

[Editor Comments]

[Neely] That's a tough call to suspend use versus wait for reissue to complete.  It's going to take a while to re-issue 760,000 cards in Estonia. Estonia is wisely taking measures to side-step the weakness by having replacement credentials use ECC rather than RSA keys generated using the Infineon code which eliminates dependency on the soundness of the bug fix.

Read more in:

Ars Technica: Flaw crippling millions of crypto keys is worse than first disclosed


Silicon: Estonia Disables Digital ID Cards After Security Scare


The Register: Estonia government locks down ID smartcards: Refresh or else


V3: Estonian authorities block national ID cards due to ROCA security flaw




Trump Organization Domains Compromised in 2013

(November 1 & 6, 2017)

According to news reports, nearly 200 web domains at the Trump Organization were compromised in 2013. The compromised addresses redirected visitors to malicious servers in Russia. The Trump organization said the domains were not compromised despite Internet records that say otherwise.

[Editor Comments]

[Williams] This sort of attack is not new and is unfortunately on the rise. Attackers compromise the domain control panel at the registrar and then insert false entries in DNS. The attack is very effective at distributing malware since users are visiting legitimate domains. Additionally, attackers can create a new CNAME record in DNS to purchase a legitimate SSL certificate. This makes the attack much more devastating. While Trump Organization officials deny their domains were compromised, passive DNS records show that this is an inarguable fact.

Read more in:

Fifth Domain: Trump a victim of hackers years before election


Mother Jones: Hackers Compromised the Trump Organization 4 Years Ago-and the Company Never Noticed




Cryptographic Flaw in IEEE Standard

(November 4, 2017)

The CERT Division of the Software Engineering Institute at Carnegie Mellon University has issued a warning about a cryptographic flaw in an IEEE standard that could be exploited to gain access to intellectual property in plaintext. The IEEE P1735 standard is used to protect digital intellectual property. It allows vendors to combine their code to create new products while ostensibly protecting their intellectual property from reverse engineering and theft.   

[Editor Comments]

[Ullrich] This flawed standard is less likely going to affect end users, but more a problem to manufacturers of "Systems on a Chip" devices. The standard is used to encrypt and authenticate drawings exchanged between companies. An adversary would be able to replace features in drawings (for example adding a backdoor) without the manufacturer of the device realizing that they are producing an altered circuit.


Read more in:

Bleeping Computer: Crypto Bugs in IEEE Standard Expose Intellectual Property in Plaintext


Threatpost: US-CERT Warns of Crypto Bugs in IEEE Standard


CERT: IEEE P1735 implementations may have weak cryptographic protections


ePrint: Standardizing Bad Cryptographic Practice (PDF)




Siemens Releasing Updates for SIMATIC PCS 7 Vulnerability

(November 3, 2017)

Siemens has begun releasing updates to address an input validation vulnerability in its SIMATIC PCS 7 distributed control systems. The issue affects versions 8.2 and 8.1 prior to 8.1 SP1 with WinCC v.7.3 Update 13 and could be exploited to crash services on vulnerable systems.

Read more in:

Threatpost: Siemens Update Patches Simatic PCS 7 Bug in Some Versions


ICS-CERT: Advisory (ICSA-17-306-01) Siemens SIMATIC PCS 7




PDF Parser for URLs and Text Content of PDFs



Crunchyroll.com Redirect Leads to Malware



IEEE P1735 Standard Leads to Weak Crypto (PDF)


Mobile Pwn2Own Contest 2017


OpenSSL Patch


Fake WhatsApp App in Google Play Store


Recovering Previously Encrypted iOS Backups



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create