

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #99

December 19, 2017


SANS NewsBites               December 19, 2017                Vol. 19, Num. 099



  TRISIS/TRITON Malware Triggered Operational Shutdown at Unnamed Facility

  DHS Pilot Program Finds Flaws In First Responder Apps

  Delaware Governor and CSO Receive SANS Difference Maker Award

  American Hospital Association Asks FDA to Actively Address Medical Device Security


  White House Attributes WannaCry to North Korea

  Hack the Air Force 2.0

  Fox-IT Was Victim of Man-in-the-Middle Attack

  Man Pleads Guilty to Stealing and Selling Website User Data

  Emotet Trojan

  Keeper Fixes Critical Flaw in Password Manager Plugin


***************************  Sponsored By FireEye  **************************

ICYMI: Join FireEye Product Marketing Director, Dan Reis for a webcast "The Convergence of EPP and EDR: Tomorrows Solution Today." Dan will help you navigate the crowded EPP and EDR vendor landscapes and educate you on different elements needed to maximize endpoint protection. View the archive: http://www.sans.org/info/200735



-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018

-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018

-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018

-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018

-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. SAVE $350 or get a GIAC Certification Attempt Included with OnDemand or vLive Training when you register by December 27. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all



 --TRISIS/TRITON Malware Triggered Operational Shutdown at Unnamed Facility

(December 15 & 18, 2017)

Industrial Control System malware known as TRISIS or TRITON was found on the network of an unnamed company in the Middle East. TRISIS/TRITON targets Schneider Electric's Triconex Safety Integrated Systems (SIS) controllers. Researchers believe that the malware was used with the intent of causing physical damage to the facility, but instead it triggered an operational shutdown, which prompted an investigation.

[Editor Comments]

[Assante] The malware is significant in its focus and capabilities, along with providing a lens back into its creators. The incident, as described, indicates the attackers had a high degree of confidence in their developed access deep into the Operational Segments of the targeted facility. We have been teaching about the risk that comes with connections between engineering workstations and SIS controllers. The investment made by these attackers in developing malware that can interface with and manipulate a specific SIS technology, along with their experimentation inside of a production system, makes it very likely that we will see this used again.

Read more in:

Dragos: TRISIS Malware Analysis of Safety System Targeted Malware (PDF)


Cyberscoop: Triton malware shines light on threat facing energy production companies


eWeek: TRITON Attack Targeted Critical Infrastructure, Security Firm Says


Threatpost: Triton Malware Targets Industrial Control Systems In Middle East


ZDNet: Hackers use Triton malware to shut down plant, industrial systems


FireEye: Attackers Deploy New ICS Attack Framework TRITON and Cause Operational Disruption to Critical Infrastructure



 --DHS Pilot Program Finds Flaws In First Responder Apps

(December 18, 2017)

A project piloted by the US Department of Homeland Security's (DHS's) Science and Technology Directorate has found 18 critical vulnerabilities in mobile apps used by first responders and other public safety officials. All but one of the 33 iOS and Android apps the program tested were found to pose security and/or privacy concerns.  

[Editor Comments]

[Neely] This is an excellent move for First Responder Apps. A similar approach can be applied to other sector specific critical applications. There are too many mobile applications changing rapidly for a ubiquitous solution to be viable. You may wish to consider creating an analysis capability for mission critical mobile applications.

Read more in:

The Hill: DHS project catches 18 first-responder apps with 'critical' cyber flaws


 --Delaware Governor and CSO Receive SANS Difference Maker Award

(December 15, 2017)

Delaware Governor John Carney and Chief Security Officer Elayne Starkey have received a 2017 SANS Difference Maker Award acknowledging Delaware "as a leader across the nation in cyber security awareness, education, and training." More than 350 high school and college students in Delaware participated in the CyberStart Program; of those, 20 students earned scholarships for further advanced cyber security study. Governor Carney has signed into law a bill that requires all public and charter high schools in the state to offer at least one computer security course. Carney also launched the NSA Day of Cyber School Challenge, a free program aimed at sparking interest in cybersecurity among students.  

[Editor Comments]

[Neely] Providing cyber awareness education and training in high school needs to be SOP. Kudos to Carney and Starkey for raising the bar. Hope others will follow suit.

Read more in:

Delaware: Delaware Honored for Cyber Security Innovation



 --American Hospital Association Asks FDA to Actively Address Medical Device Security

(December 12, 2017)

The American Hospital Association (AHA) wants the US Food and Drug Administration (FDA) to step up efforts to ensure that medical device manufacturers bear responsibility for the digital security of their products. Responding to an FDA request for information about how the agency can help reduce regulatory burdens, AHA VP Ashley Thompson noted that even though the FDA has released cybersecurity standard guidance for medical devices, "device manufacturers have yet to resolve concerns, particularly for the large number of legacy devices still in use."

[Editor Comments]

[Pescatore] While I'm a big believer in cybersecurity legislation only as a last resort, the medical machinery/device industry has had over a decade to focus on security and has failed. As far back as January 2005, the FDA issued guidance on cybersecurity for medical equipment that has largely been ignored. The FDA needs to act more like the FTC and take action when companies fail at protecting their customers.

[Neely] Modern medical devices are managed, monitored and controlled using what is now commodity hardware, and a security framework is needed to ensure the security of those systems is sufficiently robust. Additionally, standards need to include consequences for non-compliance to move adoption forward.

[Northcutt] Dr. Gottlieb, FDA, is correct that the procedural framework needs a major overhaul:


If you work in IT/cybersecurity in the healthcare field, you can review and comment on the documents, which are supposed to air in the first quarter of 2018:


Executive Orders 13777 and 13771 direct the review of cumbersome regulations, but don't include any language to hold medical device manufacturers accountable. Litigation after death or injury may be the only recourse:



Read more in:

Fierce Healthcare: AHA calls for more oversight of medical device cybersecurity as FDA outlines plans to modernize approvals


GPO.gov: Review of Existing General Regulatory and Information Collection Requirements of the Food and Drug Administration (PDF)


**************************  SPONSORED LINKS  ********************************

1) Gartner names Splunk a SIEM Magic Quadrant leader for the fifth year running. Read the report now: http://www.sans.org/info/200740

2) ICYMI: "Breaking Down the Data: How Secure Are You and Your Supply Chain?" with G. Mark Hardy. http://www.sans.org/info/200745

3) Did you miss "Who Owns ICS Security? Fusing IT, OT, & IIoT Security in the Corporate SOC." View the archive: http://www.sans.org/info/200750



 --White House Attributes WannaCry to North Korea

(December 18, 2017)

In an Op-Ed piece in the Wall Street Journal, White House Security Adviser Tom Bossert said that North Korea is behind the WannaCry ransomware that spread around the world in May. Bossert maintains that the allegation is based on evidence and plans to make (an official) statement on Tuesday, December 19. (Please note that the WSJ story is behind a paywall.)

[Editor Comments]

[Honan] The UK too:



Read more in:

Washington Post: U.S. declares North Korea carried out massive WannaCry cyberattack


CNET: US blames North Korea for WannaCry cyberattack


WSJ: It's Official: North Korea Is Behind WannaCry


Reuters: U.S. blames North Korea for 'WannaCry' cyber attack



 --Hack the Air Force 2.0

(December 18, 2017)

HackerOne kicked off the Hack the Air Force 2.0 bug bounty program with a live hacking event in a downtown New York City subway station. Twenty-five people participated in the nine-hour event, during which they found a total of 55 vulnerabilities. Hack the Air Force 2.0 will continue through January 1, 2018. Details about participant eligibility are available in the HackerOne blog post.  

Read more in:

Nextgov: Air Force Pays Out Government's Biggest Bug Bounty Yet


Fifth Domain: Air Force gives 'ethical' hackers a second chance to hack its networks


HackerOne: Hacking The U.S. Air Force (Again) From a New York City Subway Station



 --Fox-IT Was Victim of Man-in-the-Middle Attack

(December 14 & 18, 2017)

Security company Fox-IT has acknowledged that it was the target of a Man-in-the-Middle (MitM) attack in September. The attacker accessed the Fox-IT.com domain DNS records at a third-party domain registrar and modified a DNS record for a certain server to point to a server in the attacker's possession/control so they could intercept traffic. The total time of the attack was roughly 10.5 hours. The Fox-IT blog includes a detailed timeline of the attack.

[Editor Comments]

[Neely] This is a case of inadequate security for an outsourced function, in this case DNS. Also, a reminder to review the security capabilities of your service providers to make sure that they are keeping up with current best practices and to verify they meet your current security needs, e.g. multi-factor authentication. Fox-IT had both full packet capture and analysis capabilities that enabled them to determine exactly what had been exfiltrated and take appropriate corrective actions. The Fox-IT blog is a quick read and gives an excellent synopsis of what happened and lessons learned that could start the conversation in your business.

[Williams] I'm reluctant to call this a man in the middle (MitM) attack. This attack was simply a configuration change in a hacked DNS control panel that redirected users to a malicious site. MitM typically implies intercepting and modifying traffic at a midpoint - this is not that. That said, this should serve as a wake-up call to organizations to enable multi-factor authentication on their registrar accounts if that service is offered. An attacker who takes control of the account has near complete control of their domain through DNS.

Read more in:

Ars Technica: Hackers take control of security firm's domain, steal secret data


Fox-IT: Lessons learned from a Man-in-the-Middle attack



 --Man Pleads Guilty to Stealing and Selling Website User Data

(December 18, 2017)

A UK man has pleaded guilty to hacking into numerous websites, including Uber, T Mobile, and Groupon, to gain access to customer usernames, emails, and passwords, which he then sold online.

Read more in:

Bleeping Computer: Hacker "Courvoisier" Pleads Guilty to Attacks on Uber, Groupon, T Mobile, Others



 --Emotet Trojan

(December 18, 2017)

The Emotet banking Trojan, detected by Bromium, is being described as polymorphic malware, meaning that "malware authors are repacking their malicious software into a unique executable for each potential victim" to avoid detection by malware analysis tools. Emotet was found to have evaded detection by 50 of 66 products with which it was tested.

Read more in:

V3: Warning over 'polymorphic' Emotet banking Trojan that can evade most anti-virus software


Bromium: The Emotet Banking Trojan: Analysis of Dropped Malware Morphing at Scale



 --Keeper Fixes Critical Flaw in Password Manager Plugin

(December 15 & 18, 2017)

A third-party password manager with a critical flaw was bundled with certain versions of Windows 10, according to Google researcher Tavis Ormandy. The flaw in the Keeper password manager is nearly the same as the one in the same plugin that Ormandy disclosed 16 months ago. Keeper Security has issued an update to address the vulnerability in the browser extension within 24 hours of being notified about the issue.  

Read more in:

The Register: Windows 10 bundles a briefly-vulnerable password manager


Ars Technica: For 8 days Windows bundled a password manager with a critical plugin flaw


Keeper Security: Update for Keeper Browser Extension 11.4.4




Microsoft Office VBA Macro Obfuscation via Metadata


HSTS and HPKP Weaknesses in Firefox, IE/Edge and Chrome


Not So Malicious Word Doc



AMF Deserializer Vulnerability


Windows "Keeper" Password Manager Vulnerable


Android Malware Destroys Device


Large Scale BGP Attack




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create