

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #98

December 15, 2017

The 2017 SANS Holiday Hack Challenge is here!

Build your cyber security skills, including Linux and Windows exploitation, privilege escalation, lateral movement, data analysis, and de-anonymization, while enjoying the holidays. Created by Ed Skoudis and his team, this free challenge includes a video game and the opportunity to win prizes. Thousands of people play every year, many with their kids.

Son saw me playing and wanted his own character. He just told me he's looking for Ed Skoudis. - J. Huff.

Holiday Hack Challenge is the perfect mix of fun, gameplay, and education. Thank you for your hard work. I'm enjoying it so much! - Cleveland Josh.

The competition is open through January 3, 2018.

Please join the fun at www.holidayhackchallenge.com





US Military Suppliers Must Have Cybersecurity Implementation Plan by End of Year

Are Hackers Planning Another December Ukraine Power Grid Attack?


TRITON Malware Targets Industrial Safety Systems

Three Plead Guilty in Mirai Botnet Case

More Apple Updates

Intel Addresses ME Vulnerability with Downgrade Prevention

Internet Traffic Routed Through Russia

Patch Tuesday: Microsoft and Adobe

ROBOT TLS Vulnerability Resurfaces


***************************  Sponsored By Splunk  ***************************

Gartner Names Splunk a SIEM Magic Quadrant Leader for the Fifth Year Running!  Gartner recently published its 2017 Magic Quadrant (MQ) for Security Information and Event Management where Splunk was named a leader in the security information and event management (SIEM) market. Read the report to learn why Splunk is part of the select few that can replace outdated SIEM deployments and deliver the security analytics solution of tomorrow. http://www.sans.org/info/200715



-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018

-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018

-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018

-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018

-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. SAVE $350 or get a GIAC Certification Attempt Included with OnDemand or vLive Training when you register by December 27. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all




US Military Suppliers Must Have Cybersecurity Implementation Plan by End of Year

(December 14, 2017)

The Pentagon has told US military contractors that they must have a plan in place for complying with the Defense Federal Acquisition Regulation Supplement (DFARS) by December 31, 2017. The rules, designed to help prevent data theft, comprise 110 specifications covering both physical and digital security. A Pentagon spokesperson said in an email that by the end of this calendar year, "Contractors must document the state of their information system in a 'system security plan' and document how and when they will implement any 'not yet implemented' requirements in associated plans of action."

[Editor Comments]

[Pescatore] NIST SP 800-171 has been out for over 2 years now and isn't that high of a bar to jump for any business that wants to profit from the federal taxes we all pay. For small businesses that aren't there yet, this gives plenty of time to reach a basic security hygiene level - or to get into a different business. It is a good thing that the DoD is using its buying power to drive supply chain security higher, and the bar should keep getting higher.

Read more in:

Nextgov: Pentagon Delays Deadline For Military Suppliers to Meet Cybersecurity Rules


NIST: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (PDF)




Are Hackers Planning Another December Ukraine Power Grid Attack?


(December 13, 2017)

For the last two Decembers, Ukraine's power grid has been the target of cyberattacks that left people without power for hours at a time. Researchers at the cybersecurity firm Dragos say that the group believed to be responsible for the 2016 attack showed little activity between then and mid-November 2017, but a spike in activity has been noted over the past month. The increased activity could be reconnaissance, or it could be intended to create concern about an impending attack.

Read more in:

The Atlantic: Will Ukraine Be Hit by Yet Another Holiday Power-Grid Hack?


**************************  SPONSORED LINKS  ********************************

1) Navigate the crowded EPP and EDR vendor landscapes, get educated on different elements needed to maximize endpoint protection. Register: http://www.sans.org/info/200720

2) ICYMI:  "Breaking Down the Data: How Secure Are You and Your Supply Chain?" Archive at: http://www.sans.org/info/200725

3) If we had a clean slate and ample budget, how would we develop the ideal network security architecture? Learn More: http://www.sans.org/info/200730




TRITON Malware Targets Industrial Safety Systems

(December 14, 2017)

FireEye's Mandiant division has detected "malware designed to manipulate industrial safety systems" that provide emergency shutdown for industrial processes. Dubbed TRITON, the malware was found on the network of an organization that is part of critical infrastructure. TRITON was created to work with Triconex Safety Instrumented System (SIS) controllers. The attack caused an operational outage.

Read more in:

FireEye: Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure


Bleeping Computer: TRITON Malware Used in Attacks Against Industrial Safety Equipment


Dark Reading: TRITON Attacker Disrupts ICS Operations, While Botching Attempt to Cause Physical Damage


Ars Technica: Game-changing attack on critical infrastructure site causes outage


Wired: Unprecedented Malware Targets Industrial Safety Systems in the Middle East




Three Plead Guilty in Mirai Botnet Case

(December 13 & 14, 2017)

Three men have pleaded guilty to charges that they created, operated, and sold access to the Mirai botnet, which is made up of compromised Internet of Things (IoT) devices, including wireless routers, security cameras, and DVRs. One of the three also pleaded guilty to launching distributed denial-of-service (DDoS) attacks against Rutgers University networks between November 2014 and September 2016.     

[Editor Comments]

[Pescatore] Did you ever notice that fire departments and police departments invest a lot of resources in prevention and avoidance efforts, not just enforcement? Enforcement has a very important role to play - stories like this one are important in demonstrating to borderline criminals that the probability of getting caught is going up. But, making sure you know what IoT devices are on your network and that they are secure or segmented/shielded is like making sure you've locked the car doors rather than feeling satisfaction when they catch the thief who stole your car and sold it to the chop shop.

[Henry] Kudos to the FBI and Department of Justice for their successful efforts in this matter. Prosecutions such as these should help to deter those with malicious intent. Unfortunately, the challenges will become much greater for law enforcement as IoT grows exponentially, with a similar increase in vulnerabilities. Hardening the equipment, and recommendations and compliance efforts to ensure greater security of those devices, will be required going forward.

Read more in:

DOJ: Justice Department Announces Charges and Guilty Pleas in Three Computer Crime Cases Involving Significant DDoS Attacks


Dark Reading: Former Rutgers Student, Two Others Plead Guilty to Operating Mirai Botnet


KrebsOnSecurity: Mirai IoT Botnet Co-Authors Plead Guilty


Wired: How a Dorm Room Minecraft Scam Brought Down the Internet




More Apple Updates

(December 14, 2017)

Apple has released more security updates this week. Updates for AirPort Express, AirPort Extreme, and AirPort Time Capsule 802.11n and 802.11ac base stations fix flaws that left them susceptible to KRACK attacks. Updates for iOS and tvOS to version 11.2.1 address a message handling issue that could be exploited to alter application state. And an update for iCloud for Windows, version 7.2, fixes a client certificate privacy issue.

[Editor Comments]

[Neely] The AirPort updates address the server side KRACK vulnerabilities; previous updates were to solve the iOS and MacOS Wi-Fi KRACK vulnerability. This is a good opportunity to make sure that you've applied KRACK updates to all your Wi-Fi access points, particularly with the increase in maleficence often seen around the holidays.

Read more in:

SC Magazine: Apple releases security updates in devices shortly after releasing another KRACK fix


US-CERT: Apple Releases Security Updates




Intel Addresses ME Vulnerability with Downgrade Prevention

(December 13, 2017)

Newer Intel processors will have built-in protections to prevent them from being susceptible to downgrade attacks. Intel released fixes for flaws in the ME firmware earlier this fall; the updates are making their way to organizations and users. "Starting with ME version 12, the chip's Security Version Number (SVN), which gets incremented with updates to prevent rollbacks, 'will be saved permanently in Field Programmable Fuses (FPFs) as a means to mitigate physically downgrading Intel ME [firmware] to a lower SVN.'"

[Editor Comments]

[Stephen Northcutt] Buying all new processors for a partial solution isn't a reasonable option. The technical advisory referenced by The Register article appears to have been removed from Github. In the meantime, this is still the best reference I've seen:

https://www.blackhat.com/docs/eu-17/materials/eu-17-Sklyarov-Intel-ME-Flash-File-System-Explained-wp.pdf: Intel ME: Flash File System Explained

Read more in:

The Register: Intel to slap hardware lock on Management Engine code to thwart downgrade attacks




Internet Traffic Routed Through Russia

(December 13, 2017)

Internet traffic moving to and from major sites, including Facebook, Google, Apple, and Microsoft, was routed through a Russian Internet provider for two three-minute periods earlier this week. Researchers have called the event "suspicious," noting that the routing appears to have been deliberate rather than accidental. The incident involved 80 address blocks.

[Editor Comments]

[Northcutt] Autonomous System 12389 again; the previous event was in April and appeared to be focused on financial institutions:



[Neely] BGP Hijacking continues to be a threat, and when realized can be quite a nuisance. In the past, the issue was improper BGP configuration; in this case the configuration appears deliberate. The configuration changes at the Russian ISP claimed the re-routed subnets originated on their network, and the other BGP peers respected and implemented the corresponding routing changes. The best mitigation for this threat is to require strong encryption (e.g. TLS) for access to all external services, as even with traffic re-routed, there have been no reported successful decryption attempts on the traffic.
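The detection side of the comment above, as an added example that is not part of this NewsBites issue: route-origin validation in the style of RFC 6811 over constructed BGP announcements and a constructed ROA table, followed by a grouping step that surfaces an origin AS claiming many prefixes it holds no authorization for. The prefixes and AS numbers are sample values (documentation prefixes and private ASNs), not the networks involved in the reported event.

```python
# Added example (not from the NewsBites issue): RFC 6811 style route-origin
# validation of constructed BGP announcements against a constructed ROA table,
# then grouping of invalid routes by origin AS to surface a peer that claims
# many blocks it is not authorised for. Prefixes and ASNs are sample values
# (documentation prefixes, private ASNs), not the real networks in the event.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

@dataclass(frozen=True)
class Roa:
    """Route Origin Authorization: origin_as may announce prefix and any
    more-specific prefix no longer than max_len bits."""
    prefix: IPv4Network
    origin_as: int
    max_len: int

# Constructed ROA table.
ROAS = [
    Roa(ip_network("192.0.2.0/24"), 64500, 24),
    Roa(ip_network("198.51.100.0/22"), 64501, 24),
]

# Constructed announcements as (prefix, AS_PATH); the origin AS is the last
# element of the path. AS 64599 plays the misbehaving peer.
ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64510, 64500]),            # authorised origin
    ("198.51.100.0/23", [64510, 64502, 64501]),  # more-specific, within max_len
    ("192.0.2.0/25", [64510, 64599]),            # wrong origin and too specific
    ("203.0.113.0/24", [64510, 64599]),          # no ROA covers it
    ("198.51.100.0/22", [64510, 64599]),         # wrong origin for a covered prefix
]

def validate(prefix_str, as_path, roas):
    """Return 'not_found' (no covering ROA), 'valid' (a covering ROA matches the
    origin AS and the length is within its max_len) or 'invalid' (covering ROAs
    exist but none matches), following RFC 6811 semantics."""
    prefix = ip_network(prefix_str)
    origin = as_path[-1]
    covering = [r for r in roas if prefix.subnet_of(r.prefix)]
    if not covering:
        return "not_found"
    for roa in covering:
        if roa.origin_as == origin and prefix.prefixlen <= roa.max_len:
            return "valid"
    return "invalid"

def flag_origin_hijack_candidates(announcements, roas, threshold=2):
    """Group invalid announcements by origin AS and return origins claiming at
    least `threshold` unauthorised prefixes. One stray invalid route is usually
    a typo; one origin suddenly claiming dozens of other networks' blocks, as
    in the reported event, is the signal worth alerting on."""
    by_origin = {}
    for prefix, path in announcements:
        if validate(prefix, path, roas) == "invalid":
            by_origin.setdefault(path[-1], []).append(prefix)
    return {asn: p for asn, p in by_origin.items() if len(p) >= threshold}

if __name__ == "__main__":
    for prefix, path in ANNOUNCEMENTS:
        print(f"{prefix:18} origin AS{path[-1]} -> {validate(prefix, path, ROAS)}")
    print("candidates:", flag_origin_hijack_candidates(ANNOUNCEMENTS, ROAS))
```

A 'not_found' result is not a clean bill of health: it only means nobody has published a ROA for that block, which is why the grouping step keys on 'invalid' routes alone.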

Read more in:

Ars Technica: "Suspicious" event routes traffic for big-name sites through Russia


The Register: 'Suspicious' BGP event routed big traffic sites through Russia




Patch Tuesday: Microsoft and Adobe

(December 12 & 13, 2017)

On Tuesday, December 12, Microsoft and Adobe released security updates for a variety of products. Microsoft released fixes for 34 security flaws in Windows, Office, SharePoint, Exchange, Internet Explorer, and Edge. Twenty of the flaws are rated critical and 12 are rated important. Two of the patches address remote code execution flaws in Microsoft's Malware Protection Engine. Adobe's monthly patch update comprises a fix for a business logic error in Flash Player.

Read more in:

KrebsOnSecurity: Patch Tuesday, December 2017 Edition


The Register: Put down the eggnog, it's Patch Tuesday: Fix Windows boxes ASAP


ZDNet: Adobe patches Business Logic error in Flash


Threatpost: Microsoft December Patch Tuesday Update Fixes 34 Bugs


Microsoft: Security Update Summary


Adobe: Security updates available for Flash Player | APSB17-42




ROBOT TLS Vulnerability Resurfaces

(December 12 & 13, 2017)

A vulnerability first identified nearly 20 years ago has become an issue once again. The flaw, known as the Return Of Bleichenbacher's Oracle Threat, or ROBOT, exists in the Transport Layer Security (TLS) protocol used in web encryption. ROBOT could be exploited to record traffic or launch a man-in-the-middle (MitM) attack. The version of the flaw recently detected was found through Facebook's bug bounty program. Facebook has fixed the issue, but it has also been found to affect other websites.

[Editor Comments]

[Neely] When the vulnerable algorithm issues surfaced, the decision was to implement countermeasures rather than remove or replace the vulnerable RSA algorithms. The resurfacing of the issue is due to weaknesses in the implemented countermeasures rather than changes to the underlying algorithms. Patches are being distributed by the impacted vendors. US-Cert published a list of vulnerable vendors and status: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=144389&SearchOrder=4

Read more in:

RobotAttack: The ROBOT Attack


Forbes: 'ROBOT Attack' Exposed Facebook With 19-Year-Old Bug -- Massive Websites Still Vulnerable


Ars Technica: 1998 attack that messes with sites' secret crypto keys is back in a big way


ZDNet: ROBOT exploit from 1998 resurrected, leaves top websites' crypto vulnerable


Cyberscoop: Facebook patches security flaw based on 19-year-old bug; other sites may still be vulnerable


Threatpost: 19-year-old TLS Vulnerability Weakens Modern Website Crypto




Microsoft Patch Tuesday Summary


EV Certificate Model Broken?


ROBOT Attack Against TLS


Tracking Newly Registered Domains


Critical Palo Alto Firewall Flaws Allow RCE as Root


Hiding Changes from git-diff


Apple Airport Update


Citizen Lab Security Planner


Apple Update to iOS/tvOS/iCloud (Windows)


Fortinet Client Credentials Shared Key


Fox-IT Victim of a Man-in-the-Middle Attack



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create