SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #82

October 14, 2016

TOP OF THE NEWS

IAEA Director Says Nuclear Plant Experienced Cyber Attack
More than 58 Million Records Stolen from Data Aggregator
Nearly 6,000 Online Stores Infected with Skimming Malware

THE REST OF THE WEEK'S NEWS

Symantec Says Windows Script File Attachment Attacks on the Rise
Cisco Patches Critical Flaw in Conferencing Servers
A Conversation About Artificial Intelligence with Barack Obama and Joi Ito
GlobalSign Certificate Blunder
Adobe Patches 83 Flaws in Flash, Reader, and Acrobat
SAP Fixes Three-Year-Old Flaw
MatrixSSL Patches
Microsoft Patch Tuesday
Odinaff Trojan Targets SWIFT System

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

*********************** Sponsored By Sophos Inc. **********************

Whitepaper: Defeating the Targeted Threat: Keeping threats away from your network is a critical first line of defense. A sandbox automatically isolates files to determine if they're safe, providing an instant additional layer of detection and protection. Find out why conventional defenses don't protect you from APTs and how sandboxing can help.

Learn More: http://www.sans.org/info/189062

***************************************************************************

TRAINING UPDATE

--SANS San Diego 2016 | October 23-28, 2016 | San Diego, CA |
https://www.sans.org/event/san-diego-2016

--SANS Munich Autumn 2016 | October 24-29, 2016 | Munich, Germany |
https://www.sans.org/event/munich-autumn-2016

--SANS Sydney 2016 | November 3-19, 2016 | Sydney, Australia |
https://www.sans.org/event/sydney-2016

--SANS London 2016 | November 12-21, 2016 | London, UK |
https://www.sans.org/event/london-2016

--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC |
https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV |
https://www.sans.org/event/las-vegas-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan |
https://www.sans.org/event/secure-japan-2017

***************************************************************************

---

TOP OF THE NEWS

IAEA Director Says Nuclear Plant Experienced Cyber Attack (October 10 & 13, 2016)

The director of the United Nation's (UN's) International Atomic Energy Agency (IAEA) said that an unnamed nuclear power plant suffered a cyberattack within the last three years. Yukiya Amano said that the targeted plant was not forced to shut down operations, and that "This issue of cyber attacks on nuclear-related facilities or activities should be taken very seriously." Amano said that IAEA is helping nuclear facilities around the word improve cyber and physical security.


[Editor Comments ]



[Assante ]
The director of IAEA is most likely referring to the incident involving a Korea Hydro & Nuclear Power (KHNP) plant, but recent discoveries in Germany of aged malware infections on plant process control equipment are also troubling. The nuclear industry has been well positioned to defend against Internet-borne, non-targeted, threats based because they adopted secure network architectures early, but they are now struggling to address human-enabled (e.g. infected USBs) and highly targeted cyber threats. The next step for the industry will be to transform its cyberdefense strategies from prevention-focused to a more active defense. Active defense is based on the assumption that intrusions will occur, and effective defense focuses on rapid detection of failures along with rapid collapse of free-time available to attackers.

Read more in:

SC Magazine: IAEA director: cyberattack against a nuclear power plan occurred years ago
-http://www.scmagazine.com/iaea-director-cyberattack-against-a-nuclear-power-plan
t-occurred-years-ago/article/548192/

Reuters: IAEA chief: Nuclear power plant was disrupted by cyber attack
-http://in.reuters.com/article/nuclear-cyber-idINKCN12A1P1

More than 58 Million Records Stolen from Data Aggregator (October 13, 2016)

Data aggregator Modern Business Solutions suffered a database breach that compromised at least 58 million records. Modern Businesses Solutions works primarily with the automotive and real estate industries.


[Editor Comments ]



[Liston ]
The really bad part about these types of breaches is that consumers don't have any kind of direct relationship with a data aggregator. If your favorite coffee chain is compromised, when the hack is publicized, you'll know your data has likely been taken. In this case, how do you know?

Read more in:

SC Magazine: Unsecured database lets hackers expose 58 million plus records from data management firm
-http://www.scmagazine.com/unsecured-database-lets-hacker-expose-58-million-plus-
records-from-data-management-firm/article/548357/

The Register: Personal info on more than 58 million people spills onto the web from data slurp biz
-http://www.theregister.co.uk/2016/10/13/us_data_aggregator_megabreach/

Nearly 6,000 Online Stores Infected with Skimming Malware (October 13, 2016)

Data thieves have installed scripts to skim payment card data on nearly 6,000 websites. Some of the information the malware harvests is being sent to servers in Russia. Dutch developer Willem de Groot has been investigating.


[Editor Comments ]



[Liston ]
Over the years, I've notified hundreds of organizations that they've been hacked. I'm constantly amazed at how clueless many are about the potential seriousness of a breach. Willem also found many of these companies just didn't understand the potential consequences of these skimming scripts.


[Murray ]
Merchants and consumers can reduce their risk by using proxies like PayPal, MasterPass, and Visa Checkout.

Read more in:

Computerworld: Thousands of online shops compromised for credit card theft
-http://www.computerworld.com/article/3131085/security/thousands-of-online-shops-
compromised-for-credit-card-theft.html

The Register: Hackers pop 6000 sites on active 18-month carding bonanza
-http://www.theregister.co.uk/2016/10/13/hackers_pop_6000_sites_on_active_18month
_carding_bonanza/

---

*************************** SPONSORED LINKS *****************************

1) FREE eBOOK! Download "Combating the Insider Threat" to learn who is lurking on your network! Learn More: http://www.sans.org/info/189067

2) The State of Vulnerability Discovery - How Bug Bounties Are Actually Making a Difference. Learn More: http://www.sans.org/info/189072

3) Prioritizing the CIS Critical Controls for ICS: Learning from recent incidents. Register: http://www.sans.org/info/189077

******************************************************************************

---

THE REST OF THE WEEK'S NEWS

Symantec Says Windows Script File Attachment Attacks on the Rise (October 13, 2016)

Symantec says it has seen a significant increase in the volume of email attacks that use malicious Windows Script File (WSF) attachments, which have recently been used to spread Locky ransomware. WSF files allow different scripting languages within a single file. Some email clients do not automatically block files with the .wsf extension.


[Editor Comments ]



[Murray ]
Prefer dedicated sacrificial systems for safe browsing. Script blockers are effective but many web sites just will not work.

Read more in:

V3: Ransomware attacks using Windows Scrip File attachments surge
-http://www.v3.co.uk/v3-uk/news/2474027/ransomware-attacks-using-windows-script-f
ile-attachments-surge

SC Magazine: Researchers spot uptick in phishing cyberattacks leveraging WSF files
-http://www.scmagazine.com/researchers-spot-wsf-files-leverage-in-phishing-campai
gn/article/548348/

Symantec: Surge of email attacks using malicious WSF attachments
-https://www.symantec.com/connect/blogs/surge-email-attacks-using-malicious-wsf-a
ttachments

Cisco Patches Critical Flaw in Conferencing Servers (October 13, 2016)

Cisco has released a patch for a critical vulnerability in its Cisco Meeting and Acano servers. The problem exists because the Extensible Messaging and Presence Protocol (XMPP) processes a deprecated authentication scheme. The flaw affects Cisco Meeting Server versions prior to 2.0.6 with XMPP enabled, and Acano Server versions prior to 1.8.18 and 1.9.6. Cisco patches other security issues in various other products as well, including Cisco Wide Area Application Services (WAAS); Cisco Unified Communications Manager (CUCM); Cisco Prime Infrastructure and Evolved Programmable Network Manager SQL database interface; and Cisco cBR-8 converged broadband routers.

Read more in:

Computerworld: Cisco patches critical authentication flaw in conferencing servers
-http://www.computerworld.com/article/3130614/security/cisco-patches-critical-aut
hentication-flaw-in-conferencing-servers.html

A Conversation About Artificial Intelligence with Barack Obama and Joi Ito (October 2016)

Wired editor-in-chief Scott Dadich talks with US President Barack Obama and MIT Media Lab director Joi Ito about the implications of artificial intelligence (AI) in our society.

Read more in:

Wired: Barack Obama, Neural Nets, Self-Driving Cars, and the Future of the World
-https://www.wired.com/2016/10/president-obama-mit-joi-ito-interview/

GlobalSign Certificate Blunder (October 13 & 14, 2016)

An inadvertent certificate revocation by GlobalSign rendered a number of secure websites unavailable. GlobalSign manages certain root SSL certificates. To improve browser compatibility, the organization linked some cross-certificates between the roots they manage. In the process of removing some of the links, GlobalSign revoked a cross-certificate linking two root certificates. Affected GlobalSign customers need to replace their certificates.


[Editor Comments ]



[Ullrich ]
You may still see invalid certificates on various sites today due to this blunder. Again, it isn't weak cryptography that breaks SSL, but instead human error by certificate authorities. GlobalSign did publish a list of hints on how to clear your certificate revocation list (CRL) cache to make sure your browser downloads the latest (fixed) version.


[Northcutt ]
GlobalSign realizes they screwed up and are trying hard to be responsive:


-https://www.globalsign.com/en/customer-revocation-error/


-https://support.globalsign.com/customer/portal/articles/2599710-ocsp-revocation-
errors---troubleshooting-guide


-https://support.globalsign.com/customer/portal/articles/2599975-ocsp-revocation-
errors-faq

NOTE: This was an administrative error, and should not affect the progress of OCSP as an Internet standard:
-https://tools.ietf.org/html/rfc6960

Read more in:

ZDNet: GlobalSign security certificate foul-up knocks out secure websites
-http://www.zdnet.com/article/globalsign-security-certificate-foul-up-knocks-out-
secure-websites/

The Register: GlobalSign screw-up cancels top websites' HTTPS certificates
-http://www.theregister.co.uk/2016/10/13/globalsigned_off/

Adobe Patches 83 Flaws in Flash, Reader, and Acrobat (October 12, 2016)

Adobe has released patches for a total of 83 vulnerabilities in Flash, Reader, and Acrobat. The majority of the patches address use-after-free, memory corruption, and buffer overflow flaws that could be exploited to execute code.

Read more in:

The Register: Adobe on patch parade to march out 83 bugs
-http://www.theregister.co.uk/2016/10/12/adobe_on_patch_parade_to_march_out_83_bu
gs/

SAP Fixes Three-Year-Old Flaw (October 12, 2016)

SAP's October security update includes fixes for 48 vulnerabilities. One of the flaws, a "missing authentication check-in" that affects SAP P4, has been known since 2013. SAP attempted to fix the problem three years ago, but the patch issued then was problematic.

Read more in:

The Register: SAP fixes gaping authentication bypass flaw after 3 YEARS
-http://www.theregister.co.uk/2016/10/12/sap_resolves_authentication_bug/

V3: SAP fixes three-year-old flaw in biggest patch release since 2012
-http://www.v3.co.uk/v3-uk/news/2473917/sap-fixes-three-year-old-flaw-in-biggest-
patch-release-since-2012

MatrixSSL Patches (October 12, 2016)

Fixes are available for three vulnerabilities in the MatrixSSL cryptographic protocol. According to an advisory from CERT, the heap overflow, out-of-bounds read, and unallocated free memory operation issues affect MatrixSSL version 3.8.5 and prior.

Read more in:

SC Magazine: Matrix SSL patched for heap overflow and other bugs
-http://www.scmagazine.com/matrix-ssl-patched-for-heap-overflow-and-other-bugs/ar
ticle/547138/

CERT Vulnerability Note: MatrixSSL contains multiple vulnerabilities
-https://www.kb.cert.org/vuls/id/396440

Microsoft Patch Tuesday (October 11 & 12, 2016)

Microsoft's Patch Tuesday for October addresses 45 security flaws, including five zero-day vulnerabilities. One of the vulnerabilities is being actively exploited in a malvertising campaign. Other bulletins include an update for Adobe Flash Player and cumulative updates for Internet Explorer (IE) and Edge. This set of updates marks Microsoft's shift from a cafeteria-style list of patches to rollups that are installed whole.


[Editor Comments ]



[Liston ]
"Roll up" patches have the potential to cause enormous problems for organizations. Up until now, organizations could choose to apply patches piecemeal, holding off on deploying patches that were problematic or that required further testing before being deployed. Now that it's become an "all or nothing" proposition, expect to see patching become a much bigger problem.

Read more in:

KrebsOnSecurity: Microsoft: No More Pick-and-Choose Patching
-https://krebsonsecurity.com/2016/10/microsoft-no-more-pick-and-choose-patching/

V3: Microsoft October Patch Tuesday release fixes five zero-day flaws
-http://www.v3.co.uk/v3-uk/news/2473878/microsoft-october-patch-tuesday-release-f
ixes-five-zero-day-flaws

ZDNet: Microsoft says hackers have exploited zero-days in Windows 10's Edge, Office, IE; issues fix
-http://www.zdnet.com/article/microsoft-hackers-have-exploited-zero-days-in-windo
ws-10s-edge-office-ie-issues-fix/

Odinaff Trojan Targets SWIFT System (October 11, 2016)

Malware known as Odinaff is being used to target the SWIFT funds transfer system. Symantec says that roughly 100 organizations have been infected with Odinaff. The malware makes its way into systems by getting users to click on a malicious Microsoft office macro or password-protected RAR archive file.


[Editor Comments ]



[Murray ]
Banks should use the indicators of compromise (IoCs) at
-https://www.symantec.com/security_response/writeup.jsp?docid=2016-083006-4847-99
&tabid=2

Read more in:

eWeek: Odinaff Trojan Taking Aim at Financial Services
-http://www.eweek.com/security/odinaff-trojan-taking-aim-at-financial-services.ht
ml

The Register: Second hacking group targets SWIFT-connected banks
-http://www.theregister.co.uk/2016/10/11/swift_bank_hacking_reloaded/

V3: British banks targeted in new wave of Swift payments system attacks
-http://www.v3.co.uk/v3-uk/news/2473922/british-banks-targeted-in-new-wave-of-swi
ft-payments-system-attacks

Ars Technica: Emboldened by $1B Bangladesh hackers, new group targets SWIFT users
-http://arstechnica.com/security/2016/10/emboldened-by-1b-bangladesh-hackers-new-
group-targets-swift-users/

Computerworld: Second group of hackers found also targeting SWIFT users
-http://www.computerworld.com/article/3130071/security/second-group-of-hackers-fo
und-also-targeting-swift-users.html

---

INTERNET STORM CENTER TECH CORNER

Microsoft and Adobe Patches
-https://isc.sans.edu/mspatchdays.html?viewday=2016-10-11
-https://helpx.adobe.com/security/products/acrobat/apsb16-33.html
-http://www.minixforum.com/threads/neo-z64w-doesnt-start-anymore-after-windows-10
-update-help.14122/

Review of Browsers SSL Failures
-https://docs.google.com/document/d/1b7lenmn5XO06QohaJzVffnJxjXjY1rD70wg34gfuxRo/
edit#heading=h.w6vk76mv9e6n

New Malware Targeting SWIFT Users
-http://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financi
al-attacks

WiFi Still Remains a Good Attack Vector
-https://isc.sans.edu/forums/diary/WiFi+Still+Remains+a+Good+Attack+Vector/21583/

AVTECH IP Camera Vulnerabilities
-http://seclists.org/bugtraq/2016/Oct/26

SAP Patches 3-Year-Old Bug in P4
-https://erpscan.com/press-center/blog/sap-cyber-threat-intelligence-report-octob
er-2016/

1024-bit DSA Keys Factored
-https://eprint.iacr.org/2016/961.pdf

Mount Docker Filesystems with docker-mount.py
-https://isc.sans.edu/forums/diary/New+tool+dockermountpy/21589/

Global Sign OCSP Mess Up Invalidates Countless Certs
-https://downloads.globalsign.com/acton/fs/blocks/showLandingPage/a/2674/p/p-008f
/t/page/fm/0

Cisco Releases LockyDump
-http://blog.talosintel.com/2016/10/lockydump.html

Google Updates Chrome
-https://googlechromereleases.blogspot.com/2016/10/stable-channel-update-for-desk
top.html

DXXD Ransomware Infected Un-mapped Shares
-http://www.bleepingcomputer.com/news/security/the-dxxd-ransomware-displays-legal
-notice-before-users-login/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create