Learn practical cyber security skills during SANS 2021 - Live Online. Choose from 30+ courses and three types of NetWars!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #20

March 13, 2018


SANS NewsBites               March 9, 2018                Vol. 20, Num. 20



GAO: DHS Has Not Adopted Expedited Hiring for Cybersecurity Workers

Senate Bill Seeks to Add Analog Security Solutions to Power Grid


Firefox 60 Will Ship with W3C Proximity and Ambient Light APIs Off by Default

Guilty Plea in Business eMail Compromise Case

Slingshot Malware Lurked for Years

Size of Memcached DDoS Attacks Declining

NSA's Territorial Dispute Utility Among Leaked Tools

ISPs in Turkey and Egypt Found to be Spreading FinFisher Spyware

False Flags Compound the Complexity of Attribution



***************************  Sponsored By VMRay  ****************************

Get hands on with VMRay Analyzer, a revolutionary departure from traditional malware sandbox analysis methods. Combining an agentless, hypervisor-based approach with a rapid reputation engine, VMRay enables malware analysts and DFIR professionals to quickly analyze and identify threats and extract indicators of compromise (IOCs), while remaining invisible to malware. Try VMRay today. http://www.sans.org/info/202580



-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018

-- SANS Security West 2018 | San Diego, CA | May 11-18 | https://www.sans.org/event/security-west-2018

-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018

-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018

-- SANS at RSA Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018

-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018

-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018

-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018

-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018

-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad mini, ASUS Chromebook or take $250 Off your OnDemand or vLive training course by March 21. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLivehttps://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all




GAO: DHS Has Not Adopted Expedited Hiring for Cybersecurity Workers

(March 7 & 8, 2018)

According to a report from the Government Accountability Office (GAO), the US Department of Homeland Security (DHS) is dragging its feet when it comes to hiring cybersecurity professionals. Congress gave DHS approval for expedited hiring authority in 2014. A joint House Homeland Security subcommittee hearing reviewed the issue; Representative Bennie Thompson (D-Mississippi) said that DHS does not plan to fully implement the hiring authority until the spring of 2019 and noted that "We cannot afford to waste this kind of time."  

Read more in:

GAO: Cybersecurity Workforce: DHS Needs to Take Urgent Action to Identify Its Position and Critical Skill Requirements


Fifth Domain: GAO: Homeland Security too slow in hiring cyber workers



Senate Bill Seeks to Add Analog Security Solutions to Power Grid

(March 9, 2018)

Two US senators have introduced a bill that includes a pilot program to research power grid redundancy and security solutions that do not rely on digital technology. The idea came from the December 2015 attack on the Ukrainian power grid: workers were able to restore power using analog backups. The Securing Energy Infrastructure Act (S. 79) says that it aims "To provide for the establishment of a pilot program to identify security vulnerabilities of certain entities in the energy sector."

Read more in:

Nextgov: Senators Want Dumber Tech For Energy Grid Cybersecurity


**************************  SPONSORED LINKS  ********************************

1) Learn how to stop advanced cyberattacks and remain compliant at your hospital. Register now! http://www.sans.org/info/202590

2) Gartner names Splunk a SIEM Magic Quadrant leader for the fifth year running. Read the report now. http://www.sans.org/info/202595

3) Don't Miss: "Opening the Floodgates: How to Analyze 30+ TB of Endpoint Data Without Drowning Your Security Team" Register: http://www.sans.org/info/202600



 --Firefox 60 Will Ship With W3C Proximity and Ambient Light APIs Off by Default

(March 12, 2018)

When Mozilla releases Firefox 60, expected in May of this year, websites will no longer be able to access information from the W3C Proximity and Ambient Light APIs by default. Mozilla is not removing the APIs, but is shipping them disabled by default and allowing users to decide whether or not to enable them.    

Read more in:

Bleeping Computer: Firefox Gets Privacy Boost By Disabling Proximity and Ambient Light Sensor APIs




Guilty Plea in Business eMail Compromise Case

(March 12, 2018)

Kerby Rigaud has pleaded guilty to conspiracy to commit wire and bank fraud and money laundering, according to an announcement from the US Department of Justice (DoJ). Rigaud had a role in a business email compromise scheme that targeted organizations in several US states. Rigaud will be sentenced in June.

Read more in:

US DoJ: Defendant pleads guilty in international business email compromise scam




Slingshot Malware Lurked for Years

(March 9, 10, & 12, 2018)

Kaspersky Lab researchers have detected espionage malware dubbed Slingshot that has been lurking on at least 100 computers in Africa and the Middle East for as long as six years. Slingshot is sophisticated, indicating that it was likely developed by a nation state. Slingshot made initial infection on some systems through a compromised router software update. The attackers added a malicious DLL, which served as a downloader for additional malware, to the update package. A country of origin has not been named, but the debug notes are in perfect English and include references to JRR Tolkien's writing.

Read more in:

Kaspersky: Slingshot APT: Riding on a hardware Trojan horse


ZDNet: Spy malware secrets: How complex 'Slingshot' hit targets via hacked routers


Ars Technica: Potent malware that hid for six years spread through routers


SC Magazine: Slingshot APT campaign exposed after six years of sophisticated spying




Size of Memcached DDoS Attacks Declining

(March 9 & 12, 2018)

The bandwidth attack volume of memcached-amplified distributed denial-of-service (DDoS) attacks appear to be declining, likely as a result of users applying patches. The downturn may also in part be attributed to a controversial kill switch. Memcached can amplify UDP messages, a fact attackers exploited to launch the largest DDoS attacks yet seen. Memcached lacked security because it was never intended to be used on systems that are connected to the Internet. The kill switch involves sending a "flush_all" command to the memcached servers, but the ethics of this are questionable as the command could cause problems on the systems that receive the command, which are also an attack victim, not the perpetrator.

[Editor Comments]

[Dr. Johannes Ullrich and SANS Internet Storm Center Handler Donald Smith]

Both of those articles are incorrect. The main reason memcached attacks are dwindling in size is due actions (blocking, rate limiting, etc.) taken by ISPs and cloud services providers, not by individuals running affected memcached servers. Running a memcached server exposed to the internet has been considered reckless for a while and has been exploited for a while by ransom attacks. So it is fair to assume that none of these servers have actual production value and are probably off the radar for the organizations who put them up. They will probably not be patched anytime soon. A March 13 ISC post suggests that the "DDoS Ransom Messages" people are seeing are actually messages left behind by prior ransom attacks that erased the data and replaced it with ransom messages.

ISC: How did it all start? Early Memcached DDoS Attack Precursors and Ransom Notes https://isc.sans.edu/forums/diary/How+did+it+all+start+Early+Memcached+DDoS+Attack+Precursors+and+Ransom+Notes/23437/

Read more in:

The Register: Cavalry riding to the rescue of DDoS-deluged memcached users


eWeek: Memcached DDoS Attacks Slow Down as Patching Ramps Up




NSA's Territorial Dispute Utility Among Leaked Tools

(March 6 & 12, 2018)

Among the cache of National Security Agency (NSA) hacking tools leaked last spring is a utility known as Territorial Dispute, which detects the presence of advanced persistent threat (APT) malware on machines it scans so the NSA can retreat from the occupied machine and help prevent exposing NSA tools to other governments intelligence groups.   

Read more in:

Bleeping Computer: NSA Retreats From Targeted PCs If They're Already Infected by Other APT Malware


The Intercept: Leaked Files Show How the NSA Tracks Other Countries' Hackers




ISPs in Turkey and Egypt Found to be Spreading FinFisher Spyware

(March 9 & 12, 2018)

Canadian human rights organization Citizen Lab found that Internet Service Providers (ISPs) in Turkey and Egypt have been spreading FinFisher spyware. In Turkey, TrkTelekom users trying to access some websites that offer free software were redirected to malicious versions of the site that served the malware. Some users in Syria were affected as well. In Egypt, Telecom Egypt redirected users to fraudulent advertisement pages in limited 30-minute bursts. FinFisher allows attackers full access to infected computers, including cameras and microphones.

Read more in:

Cyberscoop: ISPs inside Turkey and Egypt spread FinFisher spyware in massive espionage campaign


Security Boulevard: Turkish, Egyptian ISPs help local government conduct massive spyware operation




False Flags Compound the Complexity of Attribution

(March 8, 2018)

Olympic Destroyer, the malware used to launch an attack against systems at the 2-18 Winter Olympics in Peyongchang last month, included code that was planted to make it seem as though the attack came from actors working on behalf of North Korea, Russia and China. Known as a false flag, it makes attribution, which is already a risky endeavor, even more difficult.

[Editor Comments]

[Jake Williams] This highlights why hacking back is such a problem. Early in the Olympic Destroyer investigation some "experts" claimed that that the malware was "obviously" North Korean in origin. It is now clear that some of the indicators being used for attribution early were planted. If organizations had hacked back in the early days of the attack, they would likely have targeted the wrong aggressors.

Read more in:

Threatpost: Olympic Destroyer: A False Flag Confusion Bomb


Reuters: Olympics hack highlights emerging 'false flags' threat: researcher




Paying For Ransomware Often Fails to Recover Files


Microtik Router Malware Infects Sysadmin PCs


CNNVD Held Back Vulnerabilities


Chip and Pin Clones


Keeper Exposes S3 Bucket



SMB Payload Delivery


Turkish Internet Service Provider Swaps Files


Firefox to Restrict Access to Sensors



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create