Register Now for Online Training and get a GIAC Cert Attempt Included or $350 Off

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #21

March 16, 2018

Two big stories at Top of the News - especially when taken together:  

1. The Petrochemical Plant Attack (that failed) is the next public awakening in the age of cyber intrusions causing explosions. The first was was 10 years ago when this video was displayed on CNN  https://www.youtube.com/watch?v=fJyWngDco3g and 60 Minutes https://www.youtube.com/watch?v=rTkXgqK1l9A  Then there was Stuxnet and the destruction of the Iranian uranium enrichment equipment https://www.youtube.com/watch?v=6WmaZYJwJng.  Now we see the first glimpse of the coming age of attacks aimed at destroying power and energy resources.

2. The revelation that foreign intruders are deeply embedded in our energy infrastructure.


****************************************************************************

SANS NewsBites               March 16, 2018                Vol. 20, Num. 021

****************************************************************************

TOP OF THE NEWS

Petrochemical Plant Cyberattack Was Designed to Cause Physical Harm

FBI and DHS: Russian Hackers Targeted US Critical Infrastructure

US Imposes Sanctions on Russia

REST OF THE WEEK'S NEWS

Energy Company Fined for Cybersecurity Compliance Issues

Intel Cascade Lake Processors Will Incorporate Meltdown and Spectre Fixes

Dofoil Spread Through Backdoored BitTorrent App

AMD Processor Flaws

Former Equifax Exec Facing Insider Trading Charges

Samba Patches Two Critical Flaws

Microsoft Patch Tuesday

Adobe Patch Tuesday

INTERNET STORM CENTER TECH CORNER

 

***************************  Sponsored By VMRay  ************************************


Get hands on with VMRay Analyzer, a revolutionary departure from traditional malware sandbox analysis methods. Combining an agentless, hypervisor-based approach with a rapid reputation engine, VMRay enables malware analysts and DFIR professionals to quickly analyze and identify threats and extract indicators of compromise (IOCs), while remaining invisible to malware. Try VMRay today.

http://www.sans.org/info/202645


*****************************************************************************

TRAINING UPDATE


-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018


-- SANS Security West 2018 | San Diego, CA | May 11-18 | https://www.sans.org/event/security-west-2018


-- SANS at RSA Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018


-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018


-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018


-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018


-- SANS Northern VA Reston Spring 2018 | May 2025 | https://www.sans.org/event/northern-va-reston-spring-2018


-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018


-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018


-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018


-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad mini, ASUS Chromebook or take $250 Off your OnDemand or vLive training course by March 21. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLivehttps://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all


*****************************************************************************

TOP OF THE NEWS

 --

Petrochemical Plant Cyberattack Was Designed to Cause Physical Harm

(March 15, 2018)

Last summer, a petrochemical plant in Saudi Arabia was the target of a cyberattack that investigators believe was designed to sabotage the plant's operations and cause an explosion. Investigators have not identified the company or the country where it is based, and no culprit has been named. The only reason the explosion did not occur was that there was a flaw in the attack code. The incident is being investigated by Mandiant, Schneider Electric, the NSA, the FBI, the US Department of Homeland Security (DHS) and the Pentagon's Defense Advanced Research Projects Agency (DARPA).   


Read more in:

NYT: A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try.

https://www.nytimes.com/2018/03/15/technology/saudi-arabia-hacks-cyberattacks.html

 

 --

FBI and DHS: Russian Hackers Targeted US Critical Infrastructure

(March 15, 2018)

The US Department of Homeland Security (DHS) and the FBI say that Russian hackers launched attacks against organizations that are part of US critical infrastructure. A "multi-stage intrusion campaign" spread through spearphishing attacks and was used to compromise networks at small commercial facilities, from which the hackers moved laterally to infiltrate other networks and harvest information about Industrial Control Systems (ICS) used in critical infrastructure.   


Read more in:

The Hill: Russian hackers targeted US energy assets, officials say

http://thehill.com/policy/cybersecurity/378627-homeland-security-fbi-say-russian-hackers-of-targeted-us-energy-assets


 --

US Imposes Sanctions on Russia

(March 15, 2018)

The US has imposed new sanctions on Russia for interfering in elections, for the NotPetya malware attack, and for other malicious cyber activity. The US Treasury has filed sanctions against five organizations and 19 individuals.     


Read more in:

SC Magazine: Trump administration imposes sanctions on Russia for election interference, NotPetya

https://www.scmagazine.com/trump-administration-imposes-sanctions-on-russia-for-election-interference-notpetya/article/751235/

ZDNet: US slaps new sanctions on Russia over NotPetya cyberattack, election meddling

http://www.zdnet.com/article/us-drops-sanctions-on-russia-over-notpetya-cyberattack-election-meddling/

CNET: US sanctions Russia for election interference, cyberattacks

https://www.cnet.com/news/russia-faces-us-sanctions-for-election-interference-cyberattacks/

WPost: Trump administration hits Russian spies, trolls with sanctions over U.S. election interference, cyberattacks

https://www.washingtonpost.com/world/national-security/trump-administration-sanctions-russian-spies-trolls-over-us-election-interference-cyber-attacks/2018/03/15/3eaae186-284c-11e8-b79d-f3d931db7f68_story.html


**************************  SPONSORED LINKS  ********************************


1) What are the 11 requirements for next-generation endpoint security? learn more about the vendors, their products, and how they measure up:  http://www.sans.org/info/202650


2) Do you believe in SOCs? How critical is the SOC to your organization? Take the SANS SOC survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/202655


3) Take the SANS IIoT Survey by April 9 to enter to win a $400 Amazon gift card! http://www.sans.org/info/202660


*****************************************************************************

THE REST OF THE WEEK'S NEWS      

 --

Energy Company Fined for Cybersecurity Compliance Issues

(March 15, 2018)

According to a North American Electric Reliability Corporation (NERC) filing, an unidentified registered entity (URE) has ordered to pay a penalty of $2.7 million USD for failure to comply with Federal Energy Regulatory Commission (FERC) rules, regulations, and orders. A white hat researcher found that sensitive data had been exposed online for more that two months.  


Read more in:

Tripwire: US Power Company Fined $2.7M for Failing to Comply with Energy Industry Cyber Standards

https://www.tripwire.com/state-of-security/latest-security-news/us-power-company-fined-2-7m-failing-comply-energy-industry-cyber-standards/

NERC: NERC Full Notice of Penalty regarding Unidentified Registered Entity

https://www.eenews.net/assets/2018/03/05/document_ew_01.pdf

 

 --

Intel Cascade Lake Processors Will Incorporate Meltdown and Spectre Fixes

(March 15, 2018)

Intel says that the next generation of Xeon Scalable Processors will include fixes for the Meltdown vulnerability and certain Spectre vulnerability variants. The new processors, which will be known as Cascade Lake, are expected to ship later this year.   


Read more in:

Ars Technica: Intel releasing yet more Spectre microcodes; hardware fixes coming 2H18

https://arstechnica.com/gadgets/2018/03/intel-outlines-plans-for-meltdown-and-spectre-fixes-microcode-for-older-chips/

CNET: Intel will block Spectre attacks with new chips this year

https://www.cnet.com/news/intel-blocks-spectre-attacks-with-new-server-chips-this-year/

The Register: Intel: Our next chips won't have data leak flaws we told you totally not to worry about

http://www.theregister.co.uk/2018/03/15/intel_spectre_mitigation/

 

 --

Dofoil Spread Through Backdoored BitTorrent App

(March 14 & 15, 2018)

The Dofoil, or Smoke Loader, trojan that tried to infect 400,000 computers over the course of 12 hours appears to have spread through a backdoored version of the MediaGet BitTorrent app. The attackers poisoned the MediaGet update server to deliver the altered version of the app.


Read more in:

Ars Technica: Malware attack on 400k PCs caused by backdoored BitTorrent app

https://arstechnica.com/information-technology/2018/03/malware-attack-on-400k-pcs-caused-by-backdoored-bittorrent-app/

ZDNet: Windows attack: Poisoned BitTorrent client set off huge Dofoil outbreak, says Microsoft

http://www.zdnet.com/article/windows-attack-poisoned-bittorrent-client-set-off-huge-dofoil-outbreak-says-microsoft/

Bleeping Computer: 400K Malware Outbreak Caused by Backdoored Russian Torrenting Client

https://www.bleepingcomputer.com/news/security/400k-malware-outbreak-caused-by-backdoored-russian-torrenting-client/

 

 --

AMD Processor Flaws

(March 13, 14, & 15, 2018)

Researchers say that AMD processors suffer from a host of security issues, including critical flaws and backdoors. AMD is investigating the report. Some members of the security community say that the manner in which the flaws were disclosed did not allow AMD adequate time to address the issues.


Read more in:

SC Magazine: AMD processors riddled with critical flaws, claim researchers who reportedly fail to disclose responsibly

https://www.scmagazine.com/amd-processors-riddled-with-critical-flaws-claim-researchers-who-reportedly-fail-to-disclose-responsibly/article/750746/

ZDNet: AMD investigating chip security flaws after less than 24 hours notice

http://www.zdnet.com/article/amd-investigates-chip-flaws-after-zero-day-research/

Ars Technica: A raft of flaws in AMD chips makes bad hacks much, much worse

https://arstechnica.com/information-technology/2018/03/a-raft-of-flaws-in-amd-chips-make-bad-hacks-much-much-worse/

Threatpost: Hyperbole Swirls Around AMD Processor Security Threat

https://threatpost.com/hyperbole-swirls-around-amd-processor-security-threat/130481/

Bleeping Computer: Researchers Who Found AMD CPU Flaws Explain Chaotic Disclosure

https://www.bleepingcomputer.com/news/security/researchers-who-found-amd-cpu-flaws-explain-chaotic-disclosure/

Motherboard: Serious Vulnerabilities and Backdoors

https://motherboard.vice.com/en_us/article/kzpm5x/amd-secure-processor-ryzen-epyc-vulnerabilities-and-backdoors

 

 --

Former Equifax Exec Facing Insider Trading Charges

(March 14, 2018)

Former Equifax CIO Jun Ying is facing insider trading charges from both the US Securities and Exchange Commission (SEC) and the Department of Justice. The charges allege that Ying exercised company stock options work nearly $1 million USD before news of the company's massive breach became public.


[Editor Comments]

[Pescatore] Good idea to check Incident Response playbooks and disaster response procedures and communications policies to make sure that everyone involved knows that prior to public release, the information should be treated like financial data is treated before results are announced - including inability to trade your company's stock or give others insider recommendations.


Read more in:

DoJ: Former Equifax employee indicted for insider trading

https://www.justice.gov/usao-ndga/pr/former-equifax-employee-indicted-insider-trading

SEC: Former Equifax Executive Charged With Insider Trading

https://www.sec.gov/news/press-release/2018-40

SC Magazine: SEC charges former Equifax U.S. CIO with insider trading related to data breach

https://www.scmagazine.com/sec-charges-former-equifax-us-cio-with-insider-trading-related-to-data-breach/article/751109/

ZDNet: Former Equifax executive charged with insider trading after data breach

http://www.zdnet.com/article/sec-charges-former-equifax-executive-with-insider-trading-after-data-breach/

Ars Technica: Senior ex-Equifax executive charged with insider trading

https://arstechnica.com/information-technology/2018/03/senior-equifax-executive-charged-with-insider-trading/

Cyberscoop: Former Equifax executive charged with insider trading after mega breach

https://www.cyberscoop.com/former-equifax-cio-insider-trading/?category_news=technology

 

 --

Samba Patches Two Critical Flaws

(March 13 & 14, 2018)

Samba has released fixes for two critical flaws. One of the vulnerabilities could be exploited to create a denial of service condition. The other could be exploited by any authenticated user to change other user passwords, including administrative passwords.


[Editor Comments]

[Neely] These patches are for 4.6+. If you're running older Samba releases, update to at least 4.6 as the issues in those versions are worse.


Read more in:

ZDNet: Samba critical flaws: Patch now but older open instances have 'far worse issues'

http://www.zdnet.com/article/samba-critical-flaws-patch-now-but-older-open-instances-have-far-worse-issues/

Threatpost: Samba Patches Two Critical Vulnerabilities in Server Software

https://threatpost.com/samba-patches-two-critical-vulnerabilities-in-server-software/130383/

Samba: CVE-2018-1050 | Denial of Service Attack on external print server

https://www.samba.org/samba/security/CVE-2018-1050.html

Samba: CVE-2018-1057 | Authenticated users can change other users' password

https://www.samba.org/samba/security/CVE-2018-1057.html

 

 --

Microsoft Patch Tuesday

(March 13 & 14, 2018)

Microsoft's monthly security update for March includes fixes for more than 70 security issues, including 15 rated critical. The updates include additional Intel CPU microcode fixes. Microsoft has also removed an antivirus software compatibility check.


Read more in:

SC Magazine: Patch Tuesday: Microsoft patches Remote Desktop Protocol exploit

https://www.scmagazine.com/this-months-patch-tuesday-fixed-bug-that-could-exploit-authentication-in-microsoft-remote-desktop-protocol/article/750777/

ZDNet: March security updates expand Meltdown-Spectre protection for Windows

http://www.zdnet.com/article/march-security-updates-expand-meltdown-spectre-protection-for-windows/

ZDNet: Windows RDP flaw: 'Install Microsoft's patch, turn on your firewall'

http://www.zdnet.com/article/windows-rdp-flaw-install-microsofts-patch-turn-on-your-firewall/

KrebsOnSecurity: Flash, Windows Users: It's Time to Patch

https://krebsonsecurity.com/2018/03/flash-windows-users-its-time-to-patch/

Threatpost: Microsoft Patches 15 Critical Bugs in March Patch Tuesday Update

https://threatpost.com/microsoft-patches-15-critical-bugs-in-march-patch-tuesday-update/130424/

Microsoft: Security Update Summary

https://portal.msrc.microsoft.com/en-us/security-guidance/summary

Microsoft: Release Notes: March 2018 Security Updates

https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/6c8fa125-28f6-e711-a963-000d3a33a34d

 

 --

Adobe Patch Tuesday

(March 13, 2018)

Adobe has released fixes for security issues in Flash Player, Adobe Connect, and Adobe Dreamweaver. The flaws could be exploited to allow remote code execution, information leaks, and file deletion.


Read more in:

SC Magazine: Patch Tuesday: Adobe patches 7 critical flaws

https://www.scmagazine.com/the-vulnerabilities-included-a-user-after-free-and-type-confusion-vulnerability-which-could-both-result-in-remote-code-execution-if-exploited/article/750776/

ZDNet: Adobe patches critical vulnerabilities in Flash, Dreamweaver

http://www.zdnet.com/article/adobe-patches-critical-vulnerabilities-in-flash-dreamweaver/

Adobe: Security updates available for Flash Player | APSB18-05

https://helpx.adobe.com/security/products/flash-player/apsb18-05.html

Adobe: Adobe Security Bulletins and Advisories

https://helpx.adobe.com/security.html

 

INTERNET STORM CENTER TECH CORNER

Samba Vulnerability

https://www.samba.org/samba/security/CVE-2018-1057.html


Windows Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+March+2018+Patch+Tuesday/23441/

https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018


AMD CPU Vulnerabilities

https://amdflaws.com


Early Memcached DDoS Attack Precursors and Ransom Notes

https://isc.sans.edu/forums/diary/How+did+it+all+start+Early+Memcached+DDoS+Attack+Precursors+and+Ransom+Notes/23437/

 

.DS_Store Files on Alexa Top 1 Million Websites (German)

https://www.internetwache.org/analyse-der-ds-store-datei-in-den-alexa-top-1-millionen-12-03-2018/


Malspam Pushing Sigma Ransomware

https://isc.sans.edu/forums/diary/Malspam+pushing+Sigma+ransomware/23443/


Letsencrypt Releases Wildcard Certificates

https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579


Microsoft Moves Away from Registry Key Check for Patches

https://support.microsoft.com/en-us/help/4072699/windows-security-updates-and-antivirus-software


Microsoft Stops Pushing Buggy Windows 7 Patch

https://www.computerworld.com/article/3263645/windows-pcs/microsoft-stops-pushing-buggy-win7-patch-kb-4088875-hopefully-as-a-precursor-to-yanking-it.html

https://support.microsoft.com/en-us/help/4088875/windows-7-update-kb4088875


SAP Vulnerabilities

https://erpscan.com/research/hacking-sap-crm/


VPN Vulnerability Test

https://www.vpnmentor.com/blog/vpn-leaks-found-3-major-vpns-3-tested/


******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create