Special Offer w/ OnDemand: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training thru Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #21

March 16, 2018

Two big stories at Top of the News - especially when taken together:  

1. The Petrochemical Plant Attack (that failed) is the next public awakening in the age of cyber intrusions causing explosions. The first was was 10 years ago when this video was displayed on CNN  https://www.youtube.com/watch?v=fJyWngDco3g and 60 Minutes https://www.youtube.com/watch?v=rTkXgqK1l9A  Then there was Stuxnet and the destruction of the Iranian uranium enrichment equipment https://www.youtube.com/watch?v=6WmaZYJwJng.  Now we see the first glimpse of the coming age of attacks aimed at destroying power and energy resources.

2. The revelation that foreign intruders are deeply embedded in our energy infrastructure.


SANS NewsBites               March 16, 2018                Vol. 20, Num. 021



Petrochemical Plant Cyberattack Was Designed to Cause Physical Harm

FBI and DHS: Russian Hackers Targeted US Critical Infrastructure

US Imposes Sanctions on Russia


Energy Company Fined for Cybersecurity Compliance Issues

Intel Cascade Lake Processors Will Incorporate Meltdown and Spectre Fixes

Dofoil Spread Through Backdoored BitTorrent App

AMD Processor Flaws

Former Equifax Exec Facing Insider Trading Charges

Samba Patches Two Critical Flaws

Microsoft Patch Tuesday

Adobe Patch Tuesday



***************************  Sponsored By VMRay  ************************************

Get hands on with VMRay Analyzer, a revolutionary departure from traditional malware sandbox analysis methods. Combining an agentless, hypervisor-based approach with a rapid reputation engine, VMRay enables malware analysts and DFIR professionals to quickly analyze and identify threats and extract indicators of compromise (IOCs), while remaining invisible to malware. Try VMRay today.




-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018

-- SANS Security West 2018 | San Diego, CA | May 11-18 | https://www.sans.org/event/security-west-2018

-- SANS at RSA Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018

-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018

-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018

-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018

-- SANS Northern VA Reston Spring 2018 | May 2025 | https://www.sans.org/event/northern-va-reston-spring-2018

-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018

-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018

-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad mini, ASUS Chromebook or take $250 Off your OnDemand or vLive training course by March 21. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLivehttps://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all




Petrochemical Plant Cyberattack Was Designed to Cause Physical Harm

(March 15, 2018)

Last summer, a petrochemical plant in Saudi Arabia was the target of a cyberattack that investigators believe was designed to sabotage the plant's operations and cause an explosion. Investigators have not identified the company or the country where it is based, and no culprit has been named. The only reason the explosion did not occur was that there was a flaw in the attack code. The incident is being investigated by Mandiant, Schneider Electric, the NSA, the FBI, the US Department of Homeland Security (DHS) and the Pentagon's Defense Advanced Research Projects Agency (DARPA).   

Read more in:

NYT: A Cyberattack in Saudi Arabia Had a Deadly Goal. Experts Fear Another Try.




FBI and DHS: Russian Hackers Targeted US Critical Infrastructure

(March 15, 2018)

The US Department of Homeland Security (DHS) and the FBI say that Russian hackers launched attacks against organizations that are part of US critical infrastructure. A "multi-stage intrusion campaign" spread through spearphishing attacks and was used to compromise networks at small commercial facilities, from which the hackers moved laterally to infiltrate other networks and harvest information about Industrial Control Systems (ICS) used in critical infrastructure.   

Read more in:

The Hill: Russian hackers targeted US energy assets, officials say



US Imposes Sanctions on Russia

(March 15, 2018)

The US has imposed new sanctions on Russia for interfering in elections, for the NotPetya malware attack, and for other malicious cyber activity. The US Treasury has filed sanctions against five organizations and 19 individuals.     

Read more in:

SC Magazine: Trump administration imposes sanctions on Russia for election interference, NotPetya


ZDNet: US slaps new sanctions on Russia over NotPetya cyberattack, election meddling


CNET: US sanctions Russia for election interference, cyberattacks


WPost: Trump administration hits Russian spies, trolls with sanctions over U.S. election interference, cyberattacks


**************************  SPONSORED LINKS  ********************************

1) What are the 11 requirements for next-generation endpoint security? learn more about the vendors, their products, and how they measure up:  http://www.sans.org/info/202650

2) Do you believe in SOCs? How critical is the SOC to your organization? Take the SANS SOC survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/202655

3) Take the SANS IIoT Survey by April 9 to enter to win a $400 Amazon gift card! http://www.sans.org/info/202660




Energy Company Fined for Cybersecurity Compliance Issues

(March 15, 2018)

According to a North American Electric Reliability Corporation (NERC) filing, an unidentified registered entity (URE) has ordered to pay a penalty of $2.7 million USD for failure to comply with Federal Energy Regulatory Commission (FERC) rules, regulations, and orders. A white hat researcher found that sensitive data had been exposed online for more that two months.  

Read more in:

Tripwire: US Power Company Fined $2.7M for Failing to Comply with Energy Industry Cyber Standards


NERC: NERC Full Notice of Penalty regarding Unidentified Registered Entity




Intel Cascade Lake Processors Will Incorporate Meltdown and Spectre Fixes

(March 15, 2018)

Intel says that the next generation of Xeon Scalable Processors will include fixes for the Meltdown vulnerability and certain Spectre vulnerability variants. The new processors, which will be known as Cascade Lake, are expected to ship later this year.   

Read more in:

Ars Technica: Intel releasing yet more Spectre microcodes; hardware fixes coming 2H18


CNET: Intel will block Spectre attacks with new chips this year


The Register: Intel: Our next chips won't have data leak flaws we told you totally not to worry about




Dofoil Spread Through Backdoored BitTorrent App

(March 14 & 15, 2018)

The Dofoil, or Smoke Loader, trojan that tried to infect 400,000 computers over the course of 12 hours appears to have spread through a backdoored version of the MediaGet BitTorrent app. The attackers poisoned the MediaGet update server to deliver the altered version of the app.

Read more in:

Ars Technica: Malware attack on 400k PCs caused by backdoored BitTorrent app


ZDNet: Windows attack: Poisoned BitTorrent client set off huge Dofoil outbreak, says Microsoft


Bleeping Computer: 400K Malware Outbreak Caused by Backdoored Russian Torrenting Client




AMD Processor Flaws

(March 13, 14, & 15, 2018)

Researchers say that AMD processors suffer from a host of security issues, including critical flaws and backdoors. AMD is investigating the report. Some members of the security community say that the manner in which the flaws were disclosed did not allow AMD adequate time to address the issues.

Read more in:

SC Magazine: AMD processors riddled with critical flaws, claim researchers who reportedly fail to disclose responsibly


ZDNet: AMD investigating chip security flaws after less than 24 hours notice


Ars Technica: A raft of flaws in AMD chips makes bad hacks much, much worse


Threatpost: Hyperbole Swirls Around AMD Processor Security Threat


Bleeping Computer: Researchers Who Found AMD CPU Flaws Explain Chaotic Disclosure


Motherboard: Serious Vulnerabilities and Backdoors




Former Equifax Exec Facing Insider Trading Charges

(March 14, 2018)

Former Equifax CIO Jun Ying is facing insider trading charges from both the US Securities and Exchange Commission (SEC) and the Department of Justice. The charges allege that Ying exercised company stock options work nearly $1 million USD before news of the company's massive breach became public.

[Editor Comments]

[Pescatore] Good idea to check Incident Response playbooks and disaster response procedures and communications policies to make sure that everyone involved knows that prior to public release, the information should be treated like financial data is treated before results are announced - including inability to trade your company's stock or give others insider recommendations.

Read more in:

DoJ: Former Equifax employee indicted for insider trading


SEC: Former Equifax Executive Charged With Insider Trading


SC Magazine: SEC charges former Equifax U.S. CIO with insider trading related to data breach


ZDNet: Former Equifax executive charged with insider trading after data breach


Ars Technica: Senior ex-Equifax executive charged with insider trading


Cyberscoop: Former Equifax executive charged with insider trading after mega breach




Samba Patches Two Critical Flaws

(March 13 & 14, 2018)

Samba has released fixes for two critical flaws. One of the vulnerabilities could be exploited to create a denial of service condition. The other could be exploited by any authenticated user to change other user passwords, including administrative passwords.

[Editor Comments]

[Neely] These patches are for 4.6+. If you're running older Samba releases, update to at least 4.6 as the issues in those versions are worse.

Read more in:

ZDNet: Samba critical flaws: Patch now but older open instances have 'far worse issues'


Threatpost: Samba Patches Two Critical Vulnerabilities in Server Software


Samba: CVE-2018-1050 | Denial of Service Attack on external print server


Samba: CVE-2018-1057 | Authenticated users can change other users' password




Microsoft Patch Tuesday

(March 13 & 14, 2018)

Microsoft's monthly security update for March includes fixes for more than 70 security issues, including 15 rated critical. The updates include additional Intel CPU microcode fixes. Microsoft has also removed an antivirus software compatibility check.

Read more in:

SC Magazine: Patch Tuesday: Microsoft patches Remote Desktop Protocol exploit


ZDNet: March security updates expand Meltdown-Spectre protection for Windows


ZDNet: Windows RDP flaw: 'Install Microsoft's patch, turn on your firewall'


KrebsOnSecurity: Flash, Windows Users: It's Time to Patch


Threatpost: Microsoft Patches 15 Critical Bugs in March Patch Tuesday Update


Microsoft: Security Update Summary


Microsoft: Release Notes: March 2018 Security Updates




Adobe Patch Tuesday

(March 13, 2018)

Adobe has released fixes for security issues in Flash Player, Adobe Connect, and Adobe Dreamweaver. The flaws could be exploited to allow remote code execution, information leaks, and file deletion.

Read more in:

SC Magazine: Patch Tuesday: Adobe patches 7 critical flaws


ZDNet: Adobe patches critical vulnerabilities in Flash, Dreamweaver


Adobe: Security updates available for Flash Player | APSB18-05


Adobe: Adobe Security Bulletins and Advisories




Samba Vulnerability


Windows Patch Tuesday



AMD CPU Vulnerabilities


Early Memcached DDoS Attack Precursors and Ransom Notes



.DS_Store Files on Alexa Top 1 Million Websites (German)


Malspam Pushing Sigma Ransomware


Letsencrypt Releases Wildcard Certificates


Microsoft Moves Away from Registry Key Check for Patches


Microsoft Stops Pushing Buggy Windows 7 Patch



SAP Vulnerabilities


VPN Vulnerability Test



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create