
Volume XX - Issue #18

March 6, 2018


SANS NewsBites               March 6, 2018                Vol. 20, Num. 018



Australian Dept. of Human Services Building Cyber Staff With New University Graduates

Microsoft Reissuing Patches with Intel Firmware Fixes

The SEC is Serious About Regulating Cryptocurrencies


Upgrade Available for Pivotal Spring Web App Platform Flaw

Windows Defender Can Detect FinFisher

Facebook Adopts HSTS Preloading

4G LTE Security Flaws

Updated SEC Cybersecurity Guidance is Problematic

Authorities in Iceland Arrest Suspects in Bitcoin Server Thefts

UDP-Amplified DDoS Attacks Include Extortion



***************************  Sponsored By SANS  *****************************

Since 2013, SANS has been surveying users to give out the annual SANS "Best of" awards for the products and services that really worked for you during the previous year. We think it is important to celebrate cyber-security excellence and highlight proven processes and products so others can learn from the leaders. Please take the following survey and tell us YOUR Best of 2017. http://www.sans.org/info/202375



-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018

-- SANS Northern VA Spring - Tysons 2018 | March 17-24 | https://www.sans.org/event/northern-va-spring-tysons-2018

-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018

-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018

-- SANS at RSA(R) Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018

-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018

-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018

-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018

-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018

-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad, Samsung Galaxy Tab A or take $250 Off your OnDemand or vLive training course by March 7. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format -https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/




Australian Dept. of Human Services Building Cyber Staff With New University Graduates

(March 5, 2018)

Facing a significant shortage of qualified cybersecurity specialists, Australia's Department of Human Services (DHS) "made a conscious decision to hire straight from school and train them internally." DHS also hired people with more experience who are contracted to spend half their time as mentors to the trainees. The agency more than tripled its cybersecurity workforce in just 12 months. DHS estimates that it will know in two years if the new strategy is effective. DHS's new hiring approach was detailed in Microsoft's "Navigating the new cybersecurity threat landscape" report.

[Editor Comments]

[Murray] Sounds like normal procedure to me. Someone hires and trains new grads. If no one is doing it, that would account for the lack of experienced people in the marketplace.

[Paller] The UK has taken this approach a step further by making sure students they hire have the aptitude and the basic technical mastery necessary for success and are ready for jobs in cybersecurity. The HMG CyberDiscovery Programme is a $25 million program that is transforming the UK cyberskills pipeline. https://www.joincyberdiscovery.com/resources

[Ullrich] Part of the skill shortage is that employers expect to hire individuals who already have all the skills they need for a given role. This may work for traditional jobs with a long history of training and recruiting. But cybersecurity roles are different. Even if you happen to find the odd candidate who actually has worked and is an expert using the exact security product you are using, chances are that this knowledge will be out of date in a couple years. It is much more effective to hire individuals who have been taught solid foundational skills and who are willing and have the ability to continue to learn.

Read more in:

ZDNet: Microsoft details Human Services cybersecurity hiring spree in new report



Microsoft Reissuing Patches with Intel Firmware Fixes

(March 1 & 2, 2018)

Microsoft has begun reissuing patches that include Intel firmware fixes for the Meltdown and Spectre CPU flaws. Earlier versions of the patches caused problems for some users.

[Editor Comments]

[Neely] Test these patches before deploying, both for reliability and impact.

Read more in:

The Register: Microsoft lobs Skylake Spectre microcode fixes out through its Windows


eWeek: Microsoft Resumes Issuing Windows Patches to Fix Meltdown, Spectre




The SEC is Serious About Regulating Cryptocurrencies

(February 28 & March 1, 2018)

The US Securities and Exchange Commission (SEC) has signaled that it is getting serious about regulating cryptocurrencies. The SEC has issued subpoenas and information requests to financial technology (FinTech) companies that have made initial coin offerings (ICOs). The FinTech industry has by and large resisted the notion that cryptocurrencies are securities and therefore subject to federal regulation. (Please note that the WSJ article is behind a paywall.)

[Editor Comments]

[Neely] No surprise here. With more companies participating in ICOs, cryptocurrency is moving to the mainstream; this is now on the regulators' radar. While lack of regulation was an appeal for cryptocurrency, malware mining and theft is driving the need for consumer protections.

Read more in:

Computerworld: SEC eyes crackdown on cryptocurrencies


WSJ: Cryptocurrency Firms Targeted in SEC Probe


**************************  SPONSORED LINKS  ********************************

1) Learn how to stop advanced cyberattacks and remain compliant at your hospital. Register now!   http://www.sans.org/info/202380

2) Do you believe in SOCs? How critical is the SOC to your organization? Take the SANS SOC survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/202385

3) Don't Miss:  "Dramatically Reduce Incident Response Time with Splunk and Bro"  Register:  http://www.sans.org/info/202390




Upgrade Available for Pivotal Spring Web App Platform Flaw

(March 5, 2018)

A critical flaw in the Pivotal Spring web development framework could be exploited to remotely execute arbitrary code. Users are urged to upgrade to Spring Data REST 2.5.12, 2.6.7, 3.0 RC3; Spring Boot 2.0.0.M4; and Spring Data release train Kay-RC3.

[Editor Comments]

[Ullrich] Note that the patch was released in September. I applaud the researchers at lgtm.com for delaying the more detailed release to give people some time to patch. But if you haven't patched yet: You better do so this week.

Read more in:

Pivotal: CVE-2017-8046: RCE in PATCH requests in Spring Data REST


LGTM: Critical security vulnerability found: remote code execution affecting various Pivotal Spring projects (CVE-2017-8046)


Computing: Security researchers identify new vulnerability affecting Pivotal Spring projects


The Register: Spring break! Critical vuln in Pivotal framework's Data parts plugged




Windows Defender Can Detect FinFisher

(March 1 & 5, 2018)

Microsoft Windows Defender is now able to detect FinFisher spyware. FinFisher has proven difficult to reverse engineer because it employs "all kinds of tricks, ranging from junk instructions and 'spaghetti code' to multiple layers of virtual machines and several known and lesser-known anti-debug and defensive measures." FinFisher has typically been used by law enforcement agencies.

[Editor Comments]

[Pescatore] Great blog writeup on the forensic analysis of FinFisher but any AV software announcing it now stops "MalwareX" is like a mesh snow parka that now stops "SnowflakeX" but doesn't mention all those other snowflakes that get right through...

Read more in:

Microsoft: FinFisher exposed: A researcher's tale of defeating traps, tricks, and complex virtual machines


ZDNet: Microsoft: Windows Defender can now spot FinFisher government spyware




Facebook Adopts HSTS Preloading

(March 5, 2018)

On March 5, Facebook implemented HTTP Strict Transport Security (HSTS) preloading. This means that if a user clicks on a link and an HTTPS-secured version of that link is available, Facebook will automatically direct the user there.

[Editor Comments]

[Neely] There are three components to HSTS: a valid certificate, a redirect from HTTP to HTTPS, and the HSTS header, which includes a max-age setting directing the browser to not attempt HTTP connections for at least 1 year. HSTS is also designed to prevent HTTP downgrade attacks, and we all should be using it. When implementing HSTS, add the preload option last and start with shorter age settings while testing, as changing data that is cached for a year can be problematic.

Read more in:

eWeek: Facebook Automatically Upgrading Links to HTTPS to Boost Security


Facebook: Upgrades to Facebook's link security
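The staged rollout the editor comment recommends can be checked mechanically. The following is an added example, not code from NewsBites or from Facebook: it parses a Strict-Transport-Security header (RFC 6797 syntax), checks the header-only parts of the preload requirements (max-age of at least one year, includeSubDomains, preload), and flags the mistake of sending the preload token while max-age is still a short test value. The header strings are constructed samples; the certificate and HTTP-to-HTTPS redirect checks need a live connection and are out of scope.

```python
"""Check a Strict-Transport-Security header against HSTS preload requirements.

Added example (not NewsBites' or Facebook's code). Covers the header component
of the three named in the editor comment and flags 'preload' being sent while
max-age is still a test value. Sample headers below are constructed.
"""
import re

ONE_YEAR = 31536000  # seconds; minimum max-age the preload list accepts


def parse_hsts(header):
    """Parse an STS header value (RFC 6797). Returns (max_age, includeSubDomains,
    preload, problems); max_age is None when the directive is missing/invalid."""
    max_age, include_subdomains, preload, problems = None, False, False, []
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":  # directive names are case-insensitive
            max_age = int(value) if re.fullmatch(r"\d+", value) else None
            if max_age is None:
                problems.append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None and not problems:
        problems.append("max-age directive is required")
    return max_age, include_subdomains, preload, problems


def preload_ready(header):
    """Return (eligible, findings) for the preload criteria judgeable from the
    header alone: max-age >= 1 year with includeSubDomains and preload present."""
    max_age, include_subdomains, preload, findings = parse_hsts(header)
    if max_age is not None and max_age < ONE_YEAR:
        findings.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
        if preload:  # the rollout mistake the editor comment warns about
            findings.append("preload sent while max-age is still a test value")
    if not include_subdomains:
        findings.append("includeSubDomains missing")
    if not preload:
        findings.append("preload token missing")
    return not findings, findings


# Constructed headers for the staged rollout: short max-age first, preload last.
ROLLOUT = {
    "stage 1, short max-age while testing": "max-age=300; includeSubDomains",
    "mistake, preload added too early": "max-age=300; includeSubDomains; preload",
    "final, one year and preload last": "max-age=31536000; includeSubDomains; preload",
}

if __name__ == "__main__":
    for label, header in ROLLOUT.items():
        eligible, findings = preload_ready(header)
        print(f"{label}: {'eligible' if eligible else 'not eligible'} {findings}")
```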




4G LTE Security Flaws

(March 2 & 5, 2018)

Vulnerabilities in the 4G LTE wireless telecommunications standard could be exploited to send phony emergency alert messages to mobile phones and launch at least nine other attacks. Researchers from Purdue University and the University of Iowa have published a paper describing a tool they have developed to detect these security issues.

[Editor Comments]

[Neely] Some of the security in LTE depends on security by obscurity, including temporary random unique identifiers which turned out to be neither temporary nor random. Expect carriers to jump on remedying that oversight.

Read more in:

ZDNet: New LTE attacks can snoop on messages, track locations and spoof emergency alerts


Cyberscoop: Researchers uncover 4G LTE exploits that can be used to spy, spoof and cause panic


Ars Technica: LTE security flaws could be used for spying, spreading chaos


SC Magazine: Researchers: LTE vulnerabilities enable attackers to disrupt service, send fake emergency alerts


Document Cloud: LTEInspector: A Systematic Approach for Adversarial Testing of 4G LTE




Updated SEC Cybersecurity Guidance is Problematic

(February 26 & March 5, 2018)

Updated cybersecurity guidance from the US Securities and Exchange Commission (SEC) does not adequately address the quandary companies face when they are required to report a breach yet in some cases must not disclose the breach while law enforcement is investigating. In addition, the new guidance has been criticized for not going far enough to make sure that companies pay more attention to their cybersecurity.

[Editor Comments]

[Pescatore] The "we couldn't report the breach because of an ongoing law enforcement investigation" is a false strawman. Well over 95% of breaches that aren't reported in a timely manner where law enforcement is involved are due to the fact that the breached company didn't even notice they had a breach until notified by law enforcement! In the vast majority of incidents, there is no law enforcement involvement early enough to be any impediment to protecting customers by notifying them of the breach.

Read more in:

CSO: SEC's new cybersecurity guidance falls short


NYT: When to Report a Cyberattack? For Companies, That's Still a Dilemma


SEC: Commission Statement and Guidance on Public Company Cybersecurity Disclosures




Authorities in Iceland Arrest Suspects in Bitcoin Server Thefts

(March 2, 2018)

Police in Iceland have arrested 11 people in connection with the theft of hundreds of servers along with graphics cards, processors, motherboards, and other equipment that were being used to mine cryptocurrency. The stolen machines have not been recovered. Authorities are asking ISPs, electricians, and storage units to report unusual spikes in energy consumption.

[Editor Comments]

[Williams] Know how to get replacement hardware for your mission critical workloads in case of theft, damage, etc. Due to market demand and product scarcity, replacing the mining rigs probably isn't an option at all. This also demonstrates an interesting intersection between the digital and physical worlds, where electricians and utility records are the most likely methods to find the stolen goods.

Read more in:

Ars Technica: Bitcoin thirst spurs Icelandic heist: "Grand theft on a scale unseen before"


CNET: Thieves steal 600 powerful bitcoin-mining computers in huge heist


BBC: Iceland police arrest suspected Bitcoin server thieves




UDP-Amplified DDoS Attacks Include Extortion

(March 2 & 5, 2018)

Some of the recent memcached amplified distributed denial of service (DDoS) attacks have been accompanied by demands for ransom paid in Monero cryptocurrency. The DDoS attacks have been the largest yet seen. An attack on GitHub last week topped out at 1.3 Tbps for eight minutes. And Arbor Networks recently reported a 1.7 Tbps attack against a service provider.

[Editor Comments]

[Ullrich] In this case, paying the ransom is absolutely useless. The extortion attempts seen so far all use the same Monero destination address for the ransom, so whoever is launching these attacks has no idea who is paying and they probably do not care as they will just continue their random attacks.

Read more in:

KrebsOnSecurity: Powerful New DDoS Method Adds Extortion


Bleeping Computer: Some Memcached DDoS Attackers Are Asking for a Ransom Demand in Monero


Threatpost: In Wake Of 'Biggest-Ever' DDoS Attack, Experts Say Brace For More


SC Magazine: Researchers identify extortion as motive behind memcached DDoS attacks


The Register: World's biggest DDoS attack record broken after just five days




Protective Malicious Monero Crypto Coin Miners


memcached DDoS Attacks Ask For Ransom


More Memcached DDoS Attacks


Cheap Android Trojans Come PreInstalled With Banking Malware


Malicious Bash Script with Multiple Features


Spring Framework Vulnerability


LTE Vulnerabilities


RedDrop Android Malware Installed via 3rd Party App Stores



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create