
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #94

November 29, 2016


Cities At Risk; San Francisco Ransomware Attack Could Have Caused Much More Damage
Deutsche Telekom Broadband Outages Involved Mirai Variant
Update: The Most Dangerous New Cyber Attack Vectors


Japan's Defense Officials Investigating Reported Military Network Intrusion
Microsoft Patches Azure Flaw Affecting Red Hat Instances
CERT Analyst Says Microsoft Should Not Discontinue Support for EMET
Old InPage Zero Day Vulnerability Used in Attacks on Government and Bank Websites
US Navy Acknowledges Data Breach
Experts: Auditing Elections Should Be Routine
Gatak Trojan is Targeting the Healthcare Sector
Network Time Protocol Flaws Fixed
Akamai Report Details KrebsOnSecurity IoT DDoS
Pentagon Opens Hacking Challenge to Everyone



*********************** Sponsored By AlienVault ************************
Discover the various open source intrusion detection (IDS) tools available to you. Download the Beginner's Guide to Open Source IDS Tools to learn more. http://www.sans.org/info/190532


--Cyber Defense Initiative 2016 | December 10-17, 2016 | Washington, DC | https://www.sans.org/event/cyber-defense-initiative-2016

--SANS Amsterdam 2016 | December 12-17, 2016 | Amsterdam, Netherlands | https://www.sans.org/event/amsterdam-2016

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA | https://www.sans.org/event/security-east-2017

--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017

--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA | https://www.sans.org/event/anaheim-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | March 13-25, 2017 | Singapore, Singapore | https://www.sans.org/event/secure-singapore-2017

--SANS Online Training Get a MacBook Air or PC Laptop with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

--Single Course Training: SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/



Cities At Risk; San Francisco Ransomware Attack Could Have Caused Much More Damage (November 27 & 28, 2016)

San Francisco (California) Municipal Transportation Agency (SFMTA) payment systems were offline over the weekend due to a ransomware attack. The attack began on Friday, November 25 and was contained by Sunday. SFMTA is in the process of restoring systems to operational status. The agency has refused to pay the US $73,000 ransom demand. In a note to Wired, the attacker claims this first attack was a "proof of concept," and critical infrastructure guru Mike Assante told Wired, "Unlike this attack, in a very sophisticated attack, they not only impact control systems, but also impede the ability to restore them." In other words public services can be out for a long time.

[Editor Comments ]

[Williams ]
Ransomware attacks traditionally only impact availability, but in this case attackers apparently stole information as well. Faced with the prospect that SFMTA may not pay the ransom, the attackers are now threatening to release 30GB of stolen data online. The attackers (who are speaking to the press) have claimed that the initial intrusion vector was a malware laden keygen utility used by an administrator. Also, ironically, the hacker who is extorting SFMTA has apparently been hacked himself (

[Assante ]
The attack was probably opportunistic and automated. The people behind these attacks do not have a great day when their conquest ends up attracting a lot of attention in the media or provoking prioritized law enforcement investigations.

Read more in:

SF's Transit Hack Could've Been Way Worse-And Cities Must Prepare

CNET: Hackers take SF Muni for weekend joy ride

Ars Technica: Ransomware locks up San Francisco public transportation ticket machines

Christian Science Monitor: Weekend of free rides follows ransomware attack on Bay Area transit

Dark Reading: San Francisco Transit Agency Earns Praise For Denying Ransom Request

Deutsche Telekom Broadband Outages Involved Mirai Variant (November 28, 2016)

As many as 900,000 Deutsche Telekom customers found themselves without broadband service over the weekend due to attempts to infect home routers with a new variant of Mirai botnet malware. Since Sunday, November 27, customers using certain routers have had their Internet, phone, and television reception interrupted. Deutsche Telekom has released a software update and advised customers to reboot their routers.

[Editor Comments ]

[Ullrich ]
The underlying vulnerability was publicly released about 2 weeks before, and only known to affect routers of one Irish ISP. But even though Deutsche Telekom's modems are made by a different unrelated company, they apparently were vulnerable to the same flaw. It is very likely that the outage at Deutsche Telekom was not caused intentionally, but that instead the overly aggressive Mirai scanning engine used caused the outage as a side effect. Deutsche Telekom was able to react quickly and push firmware updates to affected users. Something we don't have for most of the other IoT type attacks.

[Honan ]
We are seeing a large uptick in scanning on port 7547 which is an indicator that an IP address may be hosting a vulnerable device. If you are a telco I suggest you investigate ways to remediate these vulnerabilities with your customer devices as soon as practicable, while the rest of us should review our own systems to ensure appropriate DDoS mitigations are in place.
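The port-7547 uptick Brian Honan describes is easy to surface from ordinary perimeter logs. The following Python is an added example, not code from the newsletter or from SANS: it parses Linux netfilter-style LOG records (the sample lines below are constructed, with documentation-range addresses) and reports any source that probes TCP/7547 or TCP/5555, the TR-069 CWMP ports the Mirai variant sweeps, on several distinct hosts. The threshold and the allowlist for a legitimate auto-configuration server are assumptions you would tune for your own network.

```python
"""Flag sources sweeping TCP/7547 and TCP/5555 (TR-069 CWMP) in firewall logs.

Added example, not from the newsletter. Log lines are constructed in the style
of Linux netfilter LOG output; a single source that touches many distinct
destinations on these ports looks like the Mirai variant's scanner rather
than an ISP's own ACS (auto-configuration server), which talks CWMP legitimately.
"""
import re
from collections import defaultdict

CWMP_PORTS = {7547, 5555}
SCAN_THRESHOLD = 3  # distinct targets per source before we call it a sweep (assumed tuning)

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract src, dst, proto and destination port from one LOG record, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def find_cwmp_scanners(lines, threshold=SCAN_THRESHOLD, allowlist=()):
    """Return {src: sorted distinct dsts} for sources hitting CWMP ports on >= threshold hosts."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] not in CWMP_PORTS:
            continue
        if rec["src"] in allowlist:  # your own ACS is expected to reach CWMP on many CPE
            continue
        targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


# Constructed sample: one sweeper (203.0.113.9), one legitimate ACS (192.0.2.50),
# one single-probe source, one UDP line (ignored) and one unrelated kernel message.
SAMPLE_LOG = """\
Nov 27 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.10 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=41822 DPT=7547 WINDOW=14600 SYN URGP=0
Nov 27 10:01:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.11 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=41823 DPT=7547 WINDOW=14600 SYN URGP=0
Nov 27 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.12 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=41824 DPT=7547 WINDOW=14600 SYN URGP=0
Nov 27 10:01:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.13 LEN=60 TTL=52 ID=0 DF PROTO=TCP SPT=41825 DPT=5555 WINDOW=14600 SYN URGP=0
Nov 27 10:01:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=198.51.100.20 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=55000 DPT=7547 WINDOW=29200 SYN URGP=0
Nov 27 10:01:04 gw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=198.51.100.21 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=55001 DPT=7547 WINDOW=29200 SYN URGP=0
Nov 27 10:01:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=198.51.100.22 LEN=60 TTL=60 ID=0 DF PROTO=TCP SPT=55002 DPT=7547 WINDOW=29200 SYN URGP=0
Nov 27 10:01:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.30 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=60010 DPT=7547 WINDOW=5840 SYN URGP=0
Nov 27 10:01:06 gw kernel: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.31 LEN=60 TTL=48 ID=0 DF PROTO=TCP SPT=60011 DPT=443 WINDOW=5840 SYN URGP=0
Nov 27 10:01:07 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.14 LEN=48 TTL=52 ID=0 DF PROTO=UDP SPT=41830 DPT=7547 LEN=28
Nov 27 10:01:09 gw kernel: eth0: link up
"""


def sample_report():
    """Run the detector over the constructed log with the ACS allowlisted."""
    return find_cwmp_scanners(SAMPLE_LOG.splitlines(), allowlist=("192.0.2.50",))


if __name__ == "__main__":
    for src, dsts in sample_report().items():
        print("%s swept %d hosts on CWMP ports: %s" % (src, len(dsts), ", ".join(dsts)))
```

Without the allowlist the ACS at 192.0.2.50 is flagged too, which is the point of keeping one: a telco's own CWMP traffic is the main false positive, and a consumer site should see no inbound 7547 at all.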

Read more in:

Computerworld: Upgraded Mirai botnet disrupts Deutsche Telekom by infecting routers

Reuters: German internet outage was failed botnet attempt: report

Ars Technica: Newly discovered router flaw being hammered by in-the-wild attacks

Deutsche Telekom: Advisory: Information on current problems

Update: The Most Dangerous New Cyber Attack Vectors (November 28, 2016)

Ed Skoudis, Johannes Ullrich, and Michael Assante update their RSA2016 Conference briefing on the most dangerous new cyber attacks they are seeing against the critical infrastructure, other enterprises, and even IOT in homes. Their webcast is scheduled Thursday at 1 PM EST. RSA set a limit of 3,000 attendees and more than 1,600 have already signed up. Registration link:

*************************** SPONSORED LINKS *****************************

1) Don't miss: Redefining Endpoint Incident Response with Behavioral Analysis. Register: http://www.sans.org/info/190537

2) A SOC means many things to different people. "You Can't Stop What You Can't SOC" Register: http://www.sans.org/info/190542

3) How does your organization classify systems as endpoints, prioritize & manage risks related to those endpoints, and define next-generation endpoint protections? http://www.sans.org/info/190547



Japan's Defense Officials Investigating Reported Military Network Intrusion (November 28, 2016)

An unnamed source inside Japan's Ground Self-Defense Force reported that a September attack on its systems was successful. The attack may have compromised Japan's internal military network, the Defense Information Infrastructure. One official called it "a very serious situation," but other officials declined to provide additional information. At the same time, Japan's Defense Ministry has denied that the attack occurred, while saying that it experiences many attacks every week.

Read more in:

The Japan Times: Defense Ministry, SDF networks hacked; state actor suspected

The Register: Japan investigating defence network break-in

Computerworld: Japanese government denies report that its defense forces were hacked

Microsoft Patches Azure Flaws Affecting Red Hat Instances (November 28, 2016)

Microsoft has fixed a configuration flaw in the update infrastructure its Azure cloud platform provides for Red Hat Enterprise Linux (RHEL) instances that could have been exploited to gain administrative rights on those instances. It also patched a flaw in the Microsoft Azure Linux Agent that could have been exploited to obtain administrator API keys.

Read more in:

V3: Microsoft Azure bug put Red Hat instances at risk

The Register: Microsoft update servers left all Azure RHEL instances hackable

SC Magazine: Microsoft update left Azure Linux virtual machines open to hacking

CERT Analyst Says Microsoft Should Not Discontinue Support for EMET (November 24, 2016)

A vulnerability analyst from Carnegie Mellon University's CERT is urging Microsoft to reconsider its plan to end support for the Enhanced Mitigation Experience Toolkit (EMET). Microsoft plans to discontinue support for EMET because it says that "Windows 10 includes all the mitigation features that EMET administrators have come to rely on." CERT's Will Dormann says that a Windows 7 machine running EMET is more secure than a Windows 10 machine.

[Editor Comments ]

[Murray ]
While it might be true that "a Windows 7 machine running EMET is more secure than a Windows 10 machine" it does not follow that Microsoft should continue support. The use of Windows 7 with EMET is low, has never been as high as its security might justify, and its continued use does not require Microsoft's "support" or consent. The market clearly prefers open, general, and flexible systems from Microsoft to "secure" ones.

Read more in:

ZDNet: CERT to Microsoft: Don't kill EMET, Windows 10 will be less secure without it

The Register: CERT tells Microsoft to keep EMET alive because it's better than Win 10's own security

Old InPage Zero Day Vulnerability Used in Attacks on Government and Bank Websites (November 23 & 24, 2016)

Government and banking organizations are being targeted in attacks that exploit a zero-day flaw in the InPage desktop publishing application. The software is used primarily in Urdu-, Pashto-, and Arabic-speaking countries. Attacks have been detected against organizations in Myanmar, Sri Lanka, and Uganda. Kaspersky Lab, which detected the issue, has notified the vendor and Indian CERT. Once the malware has gained a foothold on a system, it contacts a command-and-control server and downloads remote access tools.

Read more in:

The Register: Attackers use ancient zero-day to pop Asian banks, govts

Threatpost: InPage Zero Day Used in Attacks Against Banks

InfoSecurity Magazine: African and Asian Banks Hit by Targeted Zero Day

US Navy Acknowledges Data Breach (November 24, 2016)

The laptop of a US Navy contractor employee was compromised, exposing personal information of more than 134,000 current and former US sailors. Investigators say that unknown people accessed the information which includes names and Social Security numbers (SSNs). The breach occurred in October.

[Editor Comments ]

[Pescatore ]
In December 2015 the new version of DFARS Clause 252.204-7012 detailed contractors' responsibilities for protecting sensitive information. Contractors have until December 2017 to be in full compliance with the requirements outlined in the clause and NIST 800-171.

[Honan ]
A good example of why supply chain security is important to today's businesses. If you have outsourced business functions to a third party ask yourself what assurances have you got that the third party will secure your information in accordance to your requirements? Also ask yourself what assurances have you got should that third party decide to then outsource those same functions to another party? You can outsource the function but not the responsibility for the security of that function.

Read more in:

Ars Technica: US Navy warns 134,000 sailors of data breach after HPE laptop is compromised

SC Magazine: US Navy suffers data breach

Federal News Radio: Navy: Sailors' personal information hacked on contractor's laptop

Experts: Auditing Elections Should Be Routine (November 23, 2016)

Some election security experts say that audits should be a routine part of US elections. Audits should not be used only to challenge results in contentious races, but should be a matter of course in all elections to help ease concerns about the trustworthiness of the security of the voting process.

[Editor Comments ]

[Pescatore ]
Volkswagen purposely used cheating software to make their cars report bogus emission levels - and got away with it for over 7 years. Auditing software-driven vote tabulation should be part of basic security hygiene for such a critical process. In line with that, I like Poorvi Vora's quote "Brush your teeth. Eat your spinach. Audit your elections."

Read more in:

Wired: Hacked or Not, Audit This Election (And All Future Ones)

Gatak Trojan is Targeting the Healthcare Sector (November 22 & 23, 2016)

The Gatak Trojan horse program has been targeting systems in the healthcare sector. Gatak spreads through websites that claim to offer licensing keys for pirated software, and through watering hole attacks. It evades detection by putting itself into a prolonged sleep mode after infecting computers.

Read more in:

The Register: Hospital info thief malware puts itself into a coma to avoid IT bods

SC Magazine: On the Gatak: Trojan gang lures victims with fake software keys

InfoSecurity Magazine: Gatak Trojan Turns to Healthcare as Its Key Target

Network Time Protocol Flaws Fixed (November 21 & 23, 2016)

Those responsible for maintaining the Network Time Protocol daemon have patched 10 security issues in the "protocol [that is] designed to synchronize the clocks of computers over a network." The vulnerabilities affect versions of NTP.org ntpd prior to 4.2.8p9. Of the 10 flaws, one, which affects only Windows, is deemed critical.
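Deciding which hosts are "prior to 4.2.8p9" is mostly a matter of parsing the version string correctly, since ntpd's patch levels ("p8", "p9") do not sort as plain dotted versions. The Python below is an added example, not code from the newsletter, NTP.org or CERT: it parses the string printed by `ntpd --version` (and the `version=` field of `ntpq -c rv`) and reports which hosts in an inventory still need the update. The host inventory and version strings are constructed.

```python
"""Triage ntpd versions against the 4.2.8p9 fix level from the November 2016 advisory.

Added example, not from the newsletter. Handles the NTP.org numbering scheme
(4.2.8 < 4.2.8p1 < ... < 4.2.8p9): a release with no 'pN' suffix is treated as
patch level 0, which sorts below every patched release of the same point version.
"""
import re

FIXED = (4, 2, 8, 9)  # ntp-4.2.8p9, the first release carrying all 10 fixes

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(text):
    """Return (major, minor, point, patch) from an ntpd version string, or None if absent.

    Works on "ntpd 4.2.8p8@1.3265-o ..." as well as ntpq's version="..." field.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point), int(patch) if patch else 0)


def needs_update(text, fixed=FIXED):
    """True if the version string is older than the fixed release."""
    v = parse_ntp_version(text)
    if v is None:
        raise ValueError("no ntpd version found in: %r" % text)
    return v < fixed


def triage(hosts):
    """hosts: {hostname: version string}. Returns sorted hostnames still needing the update."""
    return sorted(name for name, text in hosts.items() if needs_update(text))


# Constructed inventory: ntp1 one patch level behind, ntp2 fixed, ntp3 a very old 4.2.6 build.
SAMPLE_HOSTS = {
    "ntp1": "ntpd 4.2.8p8@1.3265-o Tue Jun  7 12:00:00 UTC 2016 (1)",
    "ntp2": "ntpd 4.2.8p9@1.3265-o Mon Nov 21 12:00:00 UTC 2016 (1)",
    "ntp3": 'version="ntpd 4.2.6p5@1.2349-o Fri Apr 13 12:00:00 UTC 2012 (1)"',
}

if __name__ == "__main__":
    for name in triage(SAMPLE_HOSTS):
        print("%s: %s -> update to 4.2.8p9" % (name, SAMPLE_HOSTS[name]))
```

One caveat for distribution packages: vendors often backport fixes without bumping the upstream version string, so a host that this check flags may already be patched. Treat the output as a list to confirm against the distribution's own advisory rather than as proof of exposure.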

Read more in:

SC Magazine: Fixes issued for ntpd flaws

The Register: It's time: Patch Network Time Protocol before it loses track of time

CERT: NTP.org ntpd contains multiple denial of service vulnerabilities

support.ntp.org: November 2016 ntp-4.2.8p9 NTP Security Vulnerability Announcement

Akamai Report Details KrebsOnSecurity IoT DDoS (November 22, 2016)

Akamai's most recent quarterly State of the Internet report includes a detailed account of the massive, IoT-fueled distributed denial-of-service (DDoS) attack against the KrebsOnSecurity website in September. It "was the largest attack ever mitigated by Akamai" and was launched by approximately 24,000 Mirai-infected systems, most of which were DVRs, security cameras, and other devices that are part of the Internet of Things (IoT).

[Editor Comments ]

[Murray ]
The security concern of the "IoT" is the connection to the Internet of millions of weak systems, systems that can be exploited, from the Internet, by malicious people, for their own purposes. Of less concern, we are talking about the use of the Internet to connect to and interfere with the intended operation or use of "things" addressable from it. According to Akamai, most of these compromised systems used in the Krebs attack were old appliances that need not have been, should not have been, addressable from the public Internet in order to perform their intended purpose. Nice people do not connect weak systems directly to the public network. Even a relatively small number can be misused in very disruptive ways.

Read more in:

KrebsOnSecurity: Akamai on the Record KrebsOnSecurity Attack

Pentagon Opens Hacking Challenge to Everyone (November 22, 2016)

The US Department of Defense (DoD) has opened its "Hack the Pentagon" challenge to everyone. The program is not a bug bounty challenge - there are no monetary rewards for finding vulnerabilities - but it does provide a legal avenue for people to notify DoD of security issues they uncover.

Read more in:

Federal News Radio: Pentagon expands white-hat hacker challenge to all comers


Extracting Shellcode from Javascript

Using Scapy to Test CozyDuke Snort Signatures

Malicious JPEG Spreading via Facebook

San Francisco Public Transport ("MUNI") hit by Ransomware

Tesla Smartphone App Vulnerability

Mirai Variant Scanning Port 5555 and 7547 For TR-069/SOAP Vulnerability

Paypal OAuth Vulnerability

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board