3 Days Left! iPad Pro w/ Smart Keyboard, $400 Off, or ASUS Chromebook w/ Online Training!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #93

November 28, 2017


****************************************************************************

SANS NewsBites               November 28, 2017                Vol. 19, Num. 093

****************************************************************************

TOP OF THE NEWS

Microsoft Office Equation Editor Flaw is Already Being Exploited

Phony Symantec Blog Site Serving OSX.Proton Malware

Uber Breach

REST OF THE WEEK'S NEWS

Alleged Chinese Cyber Spies Indicted

FBI Failed to Notify Targets of Russian Hackers

Imgur Discloses 2014 Breach

Guilty Plea Expected from Man Linked to Yahoo Breach

#IRISSCERT Keynote: Use Cyber Incidents to Learn How to Improve Security

Patches Available for Samba Vulnerabilities

Manufacturers Starting to Release Intel Firmware Fixes

HP Releases Updates to Fix Flaws in Printer Firmware

INTERNET STORM CENTER TECH CORNER


***************************  Sponsored By Splunk  ***************************


Why You Should Take Security in the Cloud With Splunk.  Advanced security threats and attacks are getting harder to detect as hackers are becoming more sophisticated. At the same time, the tools used to defend against cyberattacks keep multiplying and becoming more complex. Download this white paper to learn how to get ahead of these attacks by adopting a cloud analytics-driven security platform. http://www.sans.org/info/200170


*****************************************************************************

TRAINING UPDATE


-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017


-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018


-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018


-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018


-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018


-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018


-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018


-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018


-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018


-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Get a 10.5" iPad Pro with Smart Keyboard, or an ASUS Chromebook Flip, or take $400 Off OnDemand or vLive Training when you register by December 13. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast - https://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format -https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/al


*****************************************************************************

TOP OF THE NEWS

--

Microsoft Office Equation Editor Flaw is Already Being Exploited

(November 24, 2017)

The Cobalt hacking group is reportedly exploiting a flaw in Microsoft Office Equation Editor that was patched in Microsoft's batch of November updates two weeks ago. The flaw allows attackers to execute code without user interaction. The exploit is being spread through maliciously-crafted RTF (Rich Text Format) documents. The flaw's rapid exploitation makes it likely that it will soon be used in other attacks; users are urged to update their vulnerable systems. The Cobalt group is known for targeting financial institutions, including banks and STM networks. This is not the first time that they have quickly taken advantage of a Microsoft vulnerability.


Read more in:

Bleeping Computer: A Hacking Group Is Already Exploiting the Office Equation Editor Bug

https://www.bleepingcomputer.com/news/security/a-hacking-group-is-already-exploiting-the-office-equation-editor-bug/

 

--

Phony Symantec Blog Site Serving OSX.Proton Malware

(November 20 & 27, 2017)

A spoofed Symantec blog is being used to spread a variant of the OSX.Proton password-stealing malware. The site mirrors content from the Symantec's actual blog. Portions of the domain's registration information appear to be legitimate, but the associated email address appears suspicious and the site itself has a legitimate SSL certificate issued by Comodo rather than by Symantec.


Read more in:

SC Magazine: Fake Symantec site spreads OSX.Proton password stealer

https://www.scmagazine.com/osxproton-spread-via-fake-symantec-blog/article/709695/

Malwarebytes: OSX.Proton spreading through fake Symantec blog

https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/


--

Uber Breach

(November 21, 22, & 24, 2017)

Uber has acknowledged that a massive data breach in the fall of 2016 compromised information from 57 million accounts. The attackers found Uber developer account credentials on GitHub and used them to access an Amazon Web Services account that held the data. They then contacted Uber and demanded a ransom. The company paid the attackers $100,000 USD to destroy the data while making it look like the payment was part of a bug bounty program. The company's current CEO, while not in his current job when the breach occurred, waited more than two months after learning of the incident to inform affected individuals. Dara Khosrowshahi ordered an investigation to be completed before disclosing the breach. Two Uber security executives were dismissed after it was determined that they had mishandled the incident. Uber failed to disclose the breach to the Federal Trade Commission (FTC) despite already being investigated regarding other issues. [Please note that the Wall Street Journal story is behind a paywall.]     


[Editor Comments]

[Pescatore] Many, probably most, breach disclosure laws define a breach as unauthorized access to protected information - actual disclosure is not required. So, paying off the criminals in this case (or in most ransomware attacks) does not eliminate the requirement to notify the account holders that their information was breached.


Read more in:

Bloomberg: Uber Paid Hackers to Delete Stolen Data on 57 Million People

https://www.bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack-that-exposed-57-million-people-s-data

Cyberscoop: Uber paid $100K to cover up 2016 data breach of 57 million users

https://www.cyberscoop.com/uber-hack-57-million-customers-joe-sullivan/?category_news=technology

WSJ: New Uber CEO Knew of Hack for Months

https://www.wsj.com/articles/ubers-hack-disclosure-raises-questions-about-timing-1511462671

The Register: Uber: Hackers stole 57m passengers, drivers' info. We also bribed the thieves $100k to STFU

http://www.theregister.co.uk/2017/11/22/uber_2016_data_breach/

Dark Reading: Uber Paid Hackers $100K to Conceal 2016 Data Breach

https://www.darkreading.com/attacks-breaches/uber-paid-hackers-$100k-to-conceal-2016-data-breach/d/d-id/1330487?


**************************  SPONSORED LINKS  ********************************


1) Intezer Analyze and SANS' Jake Williams demonstrate how finding code reuse of known malware enables you to improve and accelerate incident response plans. http://www.sans.org/info/200175


2) Find out why NSS Labs recommends the Forcepoint NGFW to be on every company's short list. Register: http://www.sans.org/info/200180


3) Took Talk Webcast: "Business-Driven Network Security Policy Management" Register: http://www.sans.org/info/200185


*****************************************************************************

THE REST OF THE WEEK'S NEWS   

--

Alleged Chinese Cyber Spies Indicted

(November 27, 2017)

The US Department of Justice (DoJ) has unsealed an indictment charging three Chinese people for breaking into computer systems at three companies - Moody's Analytics, Siemens, and Trimble - between 2011 and 2017 to steal intellectual property. The indictment was filed in September 2017.  


Read more in:

Cyberscoop: DOJ reveals indictment against Chinese cyber spies that stole U.S. business secrets

https://www.cyberscoop.com/boyusec-china-doj-indictment/

Bleeping Computer: US Charges Three Members of Elite Chinese Cyber-Espionage Unit

https://www.bleepingcomputer.com/news/security/us-charges-three-members-of-elite-chinese-cyber-espionage-unit/

Reuters: Siemens, Trimble, Moody's breached by Chinese hackers, U.S. charges

https://www.reuters.com/article/us-usa-cyber-china-indictments/siemens-trimble-moodys-breached-by-chinese-hackers-u-s-charges-idUSKBN1DR26D

Document Cloud: Indictment

http://www.documentcloud.org/documents/4310946-Wu-Yingzhou-Et-Al-Indictment.html

 

--

FBI Failed to Notify Targets of Russian Hackers

(November 26 & 27, 2017)

The FBI was aware that Russian hackers were targeting personal gmail accounts belonging to US officials, politicians, and organizations, but did not warn them, according to the Associated Press (AP). In interviews conducted with 80 people whose accounts were targeted, AP found that the FBI has notified just two, or 2.5 percent. AP reporters pored over information provided by Secureworks to identify people whose accounts were targeted.   


[Editor Comments]

[Williams] Any criticism of the FBI's failure to notify victims should not come without context. This was likely not a process failure and is more likely a case of the competing priorities to collect intelligence/investigate crimes and protect the public. These are often mutually exclusive. Further, notifying too many potential victims could have let the Russians deduce the source of the FBI's data, denying the FBI additional collection. The FBI has to conduct a balancing act here and they are honestly in uncharted waters with little precedent to guide them. Rather than second guess what the FBI did and didn't do, we should use this to drive a public policy discussion on what the appropriate actions are for the inevitable next time the FBI finds itself in this position.


[Northcutt] Every incident handler knows the "contain and clean" or "watch and learn" decision is going to have to be made. They also know that decision is above their pay grade. This decision had to be made at high levels of government using data we are not going to read about in the trade press. I vote we give the FBI a "hall pass" on this one.


[Murray] The FBI does not disclose investigations in progress because such disclosure would aid the perpetrators in resisting the investigation.


Read more in:

SC Magazine: FBI didn't warn gov't officials, others that Fancy Bear hacks targeted private gmail

https://www.scmagazine.com/fbi-didnt-warn-govt-officials-others-that-fancy-bear-hacks-targeted-private-gmail/article/709496/

The Hill: Report: FBI failed to tell US officials they were targets of Russian hackers

http://thehill.com/policy/cybersecurity/361834-report-fbi-failed-to-tell-us-officials-they-were-targets-of-russian

CNET: FBI reportedly failed to inform US targets of Russian hackers

https://www.cnet.com/news/fbi-reportedly-failed-to-inform-us-targets-of-russian-hackers/

AP: FBI gave heads-up to fraction of Russian hackers' US targets

https://apnews.com/f1a5570b7ce04d39bab00ae3a9041460

 

--

Imgur Discloses 2014 Breach

(November 25 & 26, 2017)

Imgur has disclosed that it recently discovered a breach that occurred in 2014. The attacker stole 1.7 million email addresses and password hashes. Imgur believes that the attack was conducted by brute forcing an older password hashing system (SHA-256) in use at the time. Imgur began using the bcrypt hashing algorithm in 2015. Imgur notified users 25 hours after learning of the breach.


Read more in:

CNET: Imgur just learned 1.7M accounts exposed in 2014 hack

https://www.cnet.com/news/imgur-just-learned-1-7m-accounts-exposed-in-2014-hack/

Bleeping Computer: Imgur Suffered a Small Data Breach in 2014

https://www.bleepingcomputer.com/news/security/imgur-suffered-a-small-data-breach-in-2014/

 

--

Guilty Plea Expected from Man Linked to Yahoo Breach

(November 24, 2017)

A Canadian man who allegedly helped Russian agents break into email accounts as part of a huge Yahoo breach in 2014 is expected to plead guilty to associated charges in a San Francisco court. Earlier this year, Karim Baratov was arrested in Canada at the request of US prosecutors. He waived his right to fight an extradition hearing to the US. In August, Baratov pleaded not guilty to conspiracy to commit computer fraud, conspiracy to commit access device fraud, conspiracy to commit wire fraud, and aggravated identity theft. Baratov is scheduled to appear in court for a "change of plea" hearing on Tuesday, November 28.


Read more in:

Reuters: Canadian charged in Yahoo hacking case to plead guilty in U.S.

https://www.reuters.com/article/us-yahoo-cyber/canadian-charged-in-yahoo-hacking-case-to-plead-guilty-in-u-s-idUSKBN1DO2PJ

 

--

#IRISSCERT Keynote: Use Cyber Incidents to Learn How to Improve Security

(November 24, 2017)

In a keynote speech at the #IRISSCERT conference in Dublin, Ireland last week, Brian Honan called for a shift in the way cybersecurity incidents are managed. Rather than blaming victims and not disclosing breaches and reporting them to law enforcement, organizations should instead aspire to increased transparency, disclosing incidents and learning from them to better protect systems in the future. Honan is the founder and head of Ireland's first CSIRT and is also advises Europol on Internet security matters.


Read more in:

The Register: 'Treat infosec fails like plane crashes' - but hopefully with less death and twisted metal

http://www.theregister.co.uk/2017/11/24/infosec_disasters_learning_op/

 

--

Patches Available for Samba Vulnerabilities

(November 23, 2017)

Last week, major Linux distributions released updates to fix a use-after-free issue affecting every version of SAMBA since 4.0, which was released in 2012. While the workaround for users who cannot update immediately would be to disable SMB1 altogether, there are clients that support only SMB1. Fixes are also available for a server heap memory information leak affecting SMB1 v.3.6.0 and later.


[Editor Comments]

[Williams] This is not an SMBv1 issue. Many embedded devices (particularly multifunction devices and network attached storage) rely on SMBv1 and are unlikely to receive patches in a timely manner (if ever).  Sure, you can disable SMBv1 to mitigate this specific threat (maybe, if that's supported by your device firmware). But the real issue to consider here is lifecycle management of embedded device software. If for whatever reason you have samba running in a non-embedded device, you should patch that too...


Read more in:

The Register: Samba needs two patches, unless you're happy for SMB servers to dance for evildoers

http://www.theregister.co.uk/2017/11/23/samba_needs_two_patches/

Samba: Use-after-free vulnerability: CVE-2017-14746

https://www.samba.org/samba/security/CVE-2017-14746.html

Samba: Server heap memory information leak: CVE-2017-15275

https://www.samba.org/samba/security/CVE-2017-15275.html

 

 --

Manufacturers Starting to Release Intel Firmware Fixes

(November 20, 21, 22, & 23, 2017)

US-CERT has issued an alert warning of several flaws in firmware included in some Intel CPUs. Some manufacturers have already made fixes available; others may not have fixes available until January or later. The flaws affect Intel's Management Engine, Trusted Execution Engine and Server Platform Services.   


Read more in:

The Register: To fix Intel's firmware fiasco, wait for Christmas Eve or 2018

http://www.theregister.co.uk/2017/11/23/intel_firmware_fixes_slow_to_arrive/

Dark Reading: Intel Firmware Flaws Found

https://www.darkreading.com/vulnerabilities---threats/intel-firmware-flaws-found/d/d-id/1330486?

Cyberscoop: Intel patches flaw that leaves millions of computers vulnerable to hidden attacks

https://www.cyberscoop.com/intel-me-management-engine-buffer-overflow-2017/?category_news=technology

Threatpost: Intel Patches CPU Bugs Impacting Millions of PCs, Servers

https://threatpost.com/intel-patches-cpu-bugs-impacting-millions-of-pcs-servers/128962/

Reuters: U.S. government warns businesses about cyber bug in Intel chips

https://www.reuters.com/article/us-intel-cyber-vulnerability/u-s-government-warns-businesses-about-cyber-bug-in-intel-chips-idUSKBN1DM01R

US-CERT: Intel Firmware Vulnerability

https://www.us-cert.gov/ncas/current-activity/2017/11/21/Intel-Firmware-Vulnerability

 

 --

HP Releases Updates to Fix Flaws in Printer Firmware

(November 21, 22, & 23, 2017)

HP has released firmware fixes to address a flaw that could be exploited to allow remote code execution attacks against certain HP printers. The flaw could be exploited to bypass signature validation protections. The flaws affect 54 models of HP printers.


[Editor Comments]

[Williams] HP painted this target on its back with their ridiculous marketing videos talking about their "BIOS defense system" and other such marketing fluff. That said, there's less to this than meets the hype and I'm amazed this got an 8.1 CVSS score (someone must have been feeling generous). To be exploited, the attacker must be able to upload firmware to the printer. This means they must have administrative access. The vulnerability writeup notes multiple ways the printer may be hard reset, but the best data you can recover from a printer involves the configured accounts, print jobs, etc. By hard resetting the printer, all of this data is lost.  If this were a Windows vulnerability it would be titled "with remote administrative access you can run code" - nobody would be excited.


Read more in:

ZDNet: HP patches severe code execution bug in enterprise printers

http://www.zdnet.com/article/hp-patches-severe-code-execution-bug-in-enterprise-printers/

The Register: Patch on way 'this week' for HP printer vulns

http://www.theregister.co.uk/2017/11/21/patch_coming_for_hp_printer_vulnerabilities/

Threatpost: HP to Patch Bug Impacting 50 Enterprise Printer Models

https://threatpost.com/hp-to-patch-bug-impacting-50-enterprise-printer-models/128984/

Bleeping Computer: HP to Release Patch This Week for Printer Security Bugs

https://www.bleepingcomputer.com/news/security/hp-to-release-patch-this-week-for-printer-security-bugs/

HP: HPSBPI03569 rev 1 - HP LaserJet Enterprise printers, HP PageWide Enterprise printers, HP LaserJet Managed printers, HP OfficeJet Enterprise printers, Execution of arbitrary code

https://support.hp.com/nz-en/document/c05839270

 

INTERNET STORM CENTER TECH CORNER

Ethereum JSON-RPC Scans

https://isc.sans.edu/forums/diary/Internet+Wide+Ethereum+JSONRPC+Scans/23061/


Updated OWASP Top 10 Released (PDF)

https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf


TPLink Often Provides Outdated Firmware Version For Download

https://www.ctrl.blog/entry/tplink-firmware-outdated-downloads


Critical Exim Mail Server Vulnerability (Exploit released!)

https://bugs.exim.org/show_bug.cgi?id=2199


CoinPouch "Verge" Token Loss

http://www.documentcloud.org/documents/4309909-StatementonVerge-11-21-17.html


Bitcoin Routing Attacks

https://btc-hijack.ethz.ch


Scanning Ethereum Smart Contracts For Vulnerabilities

https://hackernoon.com/scanning-ethereum-smart-contracts-for-vulnerabilities-b5caefd995df


Fortiweb Manager Vulnerability

https://fortiguard.com/psirt/FG-IR-17-248

        

Golden SAML Ticket Attack

https://www.cyberark.com/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-cloud-apps/


Facebook Poll Image Vulnerability

https://blog.darabi.me/2017/11/image-removal-vulnerability-in-facebook.html

 

******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create