

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #11

February 9, 2018





US State Voter Registration Rolls Breached

Fancy Bear Targeted US Defense Contractor Systems

High School Girls in 16 States Entering On-Ramp to Cybersecurity Careers

Swisscom Data Breached Through Partner's Access


Shopify Fixes Flaw, Pays Bug Bounty

Apple iBoot Source Code Posted to GitHub

Chrome 68 Will Label HTTP Sites "Not Secure"

US Law Enforcement Helps Take Down Infraud Cybercrime Ring

Cryptocurrency Mining Software Found on SCADA System

Consumer Reports Examines Smart TV Security

Adobe Fixes Flash Flaws

FBI and US Dept. of Education Warn Schools, Businesses of Cyber Threats


***************************  Sponsored By Splunk  ***************************

Gartner Names Splunk a SIEM Magic Quadrant Leader for the Fifth Year Running! Gartner recently published its 2017 Magic Quadrant (MQ) for Security Information and Event Management where Splunk was named a leader in the security information and event management (SIEM) market. Read the report to learn why Splunk is part of the select few that can replace outdated SIEM deployments and deliver the security analytics solution of tomorrow. http://www.sans.org/info/201970



-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018

-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS London March 2018 | March 5-10 | https://www.sans.org/event/London-March-2018

-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018

-- SANS Northern VA Spring - Tysons 2018 | March 17-24 | https://www.sans.org/event/northern-va-spring-tysons-2018

-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018

-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018

-- SANS at RSA(R) Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018

-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get a GIAC Certification Attempt Included or Take $350 Off your OnDemand or vLive training course by February 21. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all




US State Voter Registration Rolls Breached

(February 7 & 8, 2018)

US Department of Homeland Security (DHS) cybersecurity chief Jeanette Manfra said that Russian hackers breached voter registration rolls in some states. Manfra said that 21 states were targeted; of those, a small number of systems were successfully penetrated prior to the 2016 presidential election.

Read more in:

NBC: Russians penetrated U.S. voter systems, top U.S. official says


SC Magazine: DHS Manfra says Russians successfully penetrated some state election systems




Fancy Bear Targeted US Defense Contractor Systems

(February 7, 2018)

An Associated Press (AP) investigation found that a Russian hacking group known as Fancy Bear attempted to breach systems at major US defense contractors. The hackers sent phishing emails to people at nearly 90 contractors.

Read more in:

FNR: AP: 'Fancy Bear' hackers took aim at US defense contractors


The Hill: Russian hackers targeting US defense contractors: report


Fifth Domain: 'Fancy Bear' hackers took aim at US defense contractors


SC Magazine: Fancy Bear targets defense contractors email to steal tech secrets




High School Girls in 16 States Entering On-Ramp to Cybersecurity Careers

(February 9, 2018)

More than 3,000 US high school girls will be playing CyberStart Feb 20-25. Eight days left for girls to sign up in the 16 participating sites.

Information: www.girlsgocyberstart.com

Sample challenges anyone may use to see what they will be facing:



Swisscom Data Breached Through Partner's Access

(February 7 & 8)

Swiss telecommunications company Swisscom has acknowledged that "unknown parties misappropriated the access rights of a sales partner," exposing information of approximately 800,000 customers. The breach occurred in the fall of 2017. Swisscom has blocked that partner's access to its data, and says that it will start using two-factor authentication for its partners.

[Editor Comments]

[Neely] This highlights the need to not only flow security controls and practices to business partners, but also verify they are in place and followed. Using two-factor authentication for access to sensitive data is a good idea for both internal and external users to reduce the risk of unauthorized use of credentials.

Read more in:

Swisscom: Swisscom tightens security for customer information


SC Magazine: Dial 'B' for Breach: Unauthorized party access data on 800K Swisscom customers


ZDNet: Swisscom data breach: 800,000 customers affected


**************************  SPONSORED LINKS  ********************************

1) Learn how the CISO of a large hospital beat a ransomware attack using Cylance. Read the case study. http://www.sans.org/info/201975

2) "Walk, Run, Fly: Key Characteristics of Attaining an Advanced SOC Best practice tips on how to enter the advanced SOC dimension" Register: http://www.sans.org/info/201980

3) Watch this webinar to hear more about these trends and assess how you need to work within your organization to ensure the security of your application. Register: http://www.sans.org/info/201985




Shopify Fixes Flaw, Pays Bug Bounty

(February 8, 2018)

In December 2017, Shopify fixed a flaw in its ecommerce platform within hours after being notified of its presence. The vulnerability could have been exploited to circumvent Shopify's email authentication process to gain access to other Shopify customers' stores. Shopify paid the person who found the vulnerability a $15,250 USD bounty.

[Editor Comments]

[Pescatore] This is one of those "I started driving with my baby in the kiddie seat left on the roof of my car but luckily someone warned me before disaster happened" kind of stories. If Shopify's code had been run through the bug bounty program *prior* to being installed on production systems, much less risk. In this case it turned out OK, the bug bounty chasing "attacker" found the hole before any actual attacker - but doesn't always work that way.

Read more in:

Cyberscoop: Shopify pays $15,250 bug bounty for a Christmas Eve vulnerability




Apple iBoot Source Code Posted to GitHub

(February 8, 2018)

Apple says that the iBoot source code that was posted to GitHub is three years old and thus has no effect on the security of iOS devices. Apple sent GitHub a Digital Millennium Copyright Act (DMCA) takedown notice. GitHub took down the leaked code, but it had been available for several hours and is still available elsewhere on the Internet.

[Editor Comments]

[Ullrich] The code may be old, but it appears to have been "circulating" for a few months in less public places than GitHub. But while the release of this code may not have any immediate practical applications, it does symbolize how difficult, or even impossible, it is to keep secrets. Even for a company obsessed with secrecy like Apple.

[Neely] The leaked code will be used to leverage development of new jailbreak techniques by looking for logic flaws that still exist in the most recent code release. This is only one component in multiple layers of security designed to protect the boot process. This is the boot loader for iOS 9.3.3, and over 90% of iOS devices are running iOS 10+. Expect updates to the jailbreak detection code in your MDM.

Read more in:

Threatpost: Apple Downplays Impact of iBoot Source Code Leak


Ars Technica: Leak of iBoot code to GitHub could potentially help iPhone jailbreakers




Chrome 68 Will Label HTTP Sites "Not Secure"

(February 7 & 8, 2018)

Starting with Chrome 68, Google's browser will flag websites that don't use HTTPS as not secure. When Chrome 68 users visit an HTTP site, Chrome will display a "Not Secure" message in the address bar. Chrome 68 is scheduled to be released to the stable channel in July 2018.

[Editor Comments]

[Ullrich] About time. One of the big weaknesses of HTTPS was that users got no warning if they didn't use HTTPS. Tools like sslstrip exploited this for years.

Read more in:

The Register: From July, Chrome will name and shame insecure HTTP websites


ZDNet: In security push, Chrome will soon mark every HTTP page as "non-secure"


Bleeping Computer: Google Chrome to Mark All HTTP Sites "Not Secure" Starting July 2018




US Law Enforcement Helps Take Down Infraud Cybercrime Ring

(February 7 & 8, 2018)

US law enforcement authorities and their counterparts in other countries have taken down an international cybercrime ring that has caused more than $530 million USD in losses. The organization operated an online forum that facilitated the sale of stolen data and offered money laundering services by using cryptocurrencies. The US Department of Justice (DoJ) has indicted thirty-six people; 13 have been arrested.

Read more in:

DoJ: Thirty-six Defendants Indicted for Alleged Roles in Transnational Criminal Organization Responsible for More than $530 Million in Losses from Cybercrimes


DoJ: Indictment


Ars Technica: Feds drop hammer on massive "carder" ring that caused $530 million in losses


Dark Reading: US, International Law Enforcement Shut Down Massive Cybercrime Marketplace


KrebsOnSecurity: U.S. Arrests 13, Charges 36 in 'Infraud' Cybercrime Forum Bust




Cryptocurrency Mining Software Found on SCADA System

(February 7, 2018)

Cryptocurrency mining software has been found on the Industrial Control System (ICS) of a water utility in Europe. Radiflow, the company that detected the mining software, says it is the first case it has seen of such malware on an industrial system. Radiflow detected the malware with its intrusion detection system.

[Editor Comments]

[Ullrich] Are you looking for crypto miners yet in your environment? You should! It is a relatively easy thing to find and can easily be used to pinpoint vulnerable systems. If they can install a crypto miner, then they will probably be able to install more nefarious tools as well. At the Internet Storm Center, we offer a feed of IP addresses associated with crypto mining pools: https://isc.sans.edu/api/threatlist/miner (see isc.sans.edu/api for details).

[Murray] Most industrial control systems should be configured as single-application-only systems. The ability to run additional applications should be hidden.

Read more in:

eWeek: Water Utility in Europe Hit by Cryptocurrency Malware Mining Attack
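The check Ullrich recommends above, hunting for hosts that talk to known mining pools, as an added example that is not part of the newsletter or of the ISC's own tooling. It matches outbound connection records against a one-IP-per-line threat list of the kind the ISC feed provides. The script does not fetch the real feed; both the pool address list (RFC 5737 documentation addresses) and the firewall-style log lines are constructed placeholders so it runs offline, and the log format is an assumption, not any particular product's output.

```python
"""Flag internal hosts connecting to cryptocurrency-mining-pool addresses.

Added example. MINER_IPS stands in for a threat list such as the ISC miner
feed (https://isc.sans.edu/api/threatlist/miner); it is a constructed
placeholder using RFC 5737 documentation addresses, not real pool servers.
SAMPLE_LOGS is a constructed firewall-style connection log.
"""
import ipaddress
import re
from collections import Counter

# Constructed placeholder threat list (one address per line, '#' comments allowed).
MINER_IPS = """
# constructed placeholder entries, not real mining pools
198.51.100.7
203.0.113.42
192.0.2.200
"""

# Constructed connection records; dport values are typical miner ports but
# the IP match is what triggers a hit here.
SAMPLE_LOGS = """
2018-02-07T03:14:05Z ACCEPT src=10.20.1.15 dst=198.51.100.7 dport=3333 proto=tcp
2018-02-07T03:14:06Z ACCEPT src=10.20.1.15 dst=192.0.2.10 dport=443 proto=tcp
2018-02-07T03:15:11Z ACCEPT src=10.20.7.4  dst=203.0.113.42 dport=14444 proto=tcp
2018-02-07T03:15:12Z DENY   src=10.20.7.4  dst=203.0.113.42 dport=14444 proto=tcp
2018-02-07T03:16:00Z ACCEPT src=10.20.1.15 dst=198.51.100.7 dport=3333 proto=tcp
2018-02-07T03:17:30Z ACCEPT src=10.20.9.9  dst=192.0.2.53 dport=53 proto=udp
"""

# Assumed log layout: timestamp, action, then key=value fields.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)"
)


def parse_threatlist(text):
    """Return a set of ip_address objects, skipping comments and malformed lines."""
    ips = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            ips.add(ipaddress.ip_address(line))
        except ValueError:
            # A bad entry in a feed should not abort the whole scan.
            continue
    return ips


def parse_log(text):
    """Yield dicts for lines that match LOG_RE and carry a valid destination IP."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        try:
            dst = ipaddress.ip_address(m.group("dst"))
        except ValueError:
            continue
        yield {
            "ts": m.group("ts"),
            "action": m.group("action"),
            "src": m.group("src"),
            "dst": dst,
            "dport": int(m.group("dport")),
        }


def find_miner_contacts(log_text, threatlist_text):
    """Return every record whose destination is on the miner list.

    Denied attempts are kept on purpose: a blocked connection to a pool still
    points at a host that is probably running a miner.
    """
    miners = parse_threatlist(threatlist_text)
    return [rec for rec in parse_log(log_text) if rec["dst"] in miners]


def suspect_hosts(hits):
    """Count hits per internal source host; these are the systems to triage."""
    return Counter(rec["src"] for rec in hits)


if __name__ == "__main__":
    hits = find_miner_contacts(SAMPLE_LOGS, MINER_IPS)
    for rec in hits:
        print(f"{rec['ts']} {rec['action']} {rec['src']} -> {rec['dst']}:{rec['dport']}")
    for host, count in suspect_hosts(hits).most_common():
        print(f"investigate {host}: {count} pool contact(s)")
```

In production the list would be refreshed from the feed on a schedule and the matcher pointed at firewall, proxy or NetFlow exports rather than an inline string; the per-host tally is the useful output, since, as the comment above notes, any host that could be made to run a miner is a host the same attacker could load other tools onto.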




Consumer Reports Examines Smart TV Security

(February 7, 2018)

A Consumer Reports analysis of five brands of smart TVs found that all can track users' viewing habits. Security on two of the brands was so weak that hackers were able to remotely change channels, install apps, and play YouTube videos of their choosing. The evaluated TVs did ask permission to collect viewing data and additional information, but they did not make it easy for viewers to understand exactly what they were agreeing to share.

[Editor Comments]

[Neely] The preference to collect the viewing data is not well worded. Always consider agreeing to share data with your vendor to exceed your expectation. This collection is intended to allow rating services to measure viewership and can, and should be disabled. As compelling as the argument is to connect smart devices, TVs, Refrigerators, the security implications have to be remembered, particularly if you're considering connecting them to your corporate network. Protect them as you would any other IoT device. Or don't connect them in the first place.

Read more in:

USA Today: Your smart TV may be prey for hackers and collecting more info than you realize, Consumer Reports warns




Adobe Fixes Flash Flaws

(February 6 & 7, 2018)

Adobe has issued a patch for its Flash Player to address two critical use-after-free vulnerabilities, one of which has been exploited in the wild. Fixes are available for Flash for Windows, Mac, Linux, and Chrome OS.

Read more in:

Adobe: Security updates available for Flash Player | APSB18-03


The Register: Adobe: Two critical Flash security bugs fixed for the price of one


SC Magazine: Adobe releases desperately needed fix for Flash Player bug exploited by zero-day attackers


ZDNet: Windows security: Microsoft issues Adobe patch to tackle Flash zero-day




FBI and US Dept. of Education Warn Schools, Businesses of Cyber Threats

(February 6, 2018)

In a Private Industry Notification, the FBI and the US Department of Education's Office of the Inspector General have warned of a group of cyber criminals that is targeting systems at public schools and businesses to steal sensitive data. The data thieves have sought to extort money from victims by threatening to release the data if they are not paid. The notice recommends that the organizations do not pay ransom, and provides a list of actions organizations can take if they suffer an intrusion.

Read more in:

FCW: Feds warn on ransomware threat to schools


Private Industry Notification: Cyber Criminal Group Threatens Schools and Students




Loki Bot Malspam Variations


Adobe Releases Out-of-Band Patch


Grammarly Fixes Patch in Google Chrome Plugin


Windows Protected Folders Bypass


DanderSpritz/PeddleCheap Traffic Analysis



PinMe: Tracking a Smartphone User around the World


Manipulating Gas Prices via Vulnerable Software


Android February Patches


NameCheap Vulnerability Allows Unauthorized Subdomain Creation


Cisco Updates for Cisco RV132W and RV134W



Exploiting Blind SQL Injection and Division by Zero Exceptions


Netgear Router Flaws


Apple's iBoot Source Code Leaks on Github


Hotspot Shield VPN Vulnerable to DNS Rebinding


UDPOS Exfiltrates Credit Card Data from PoS Systems via DNS



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create