
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #25

March 30, 2018

The 2018 RSA conference added five very cool courses this year, including some of SANS' most popular immersion courses (Hacker Tools; Secure DevOps; and Lethal Windows Forensics) that have filled up early at other venues. If you think San Francisco in April might be nice, check out: https://www.sans.org/rsa-2018


****************************************************************************

SANS NewsBites               March 30, 2018                Vol. 20, Num. 025

****************************************************************************

TOP OF THE NEWS

Australia Passes Critical Infrastructure Security Legislation

Drupal Issues Patches for Critical Flaw

Microsoft's January Meltdown Fix Introduced New Vulnerability

EI-ISAC Plans to Install Intrusion Detection Sensors on Voter Registration Sites

REST OF THE WEEK'S NEWS

Cisco Releases Patches for Three Critical Flaws in IOS and IOS XE

Police in Europe Arrest 20 for Bank Fraud

NYC to Offer Free Cyber Security Tools

Malaysian Bank Foiled Wire Fraud Attempt

Boeing Hit with WannaCry Malware

Lizard Squad Member Sentenced

Baltimore Emergency Call System Hacked

DOJ OIG Report Suggests FBI May Not Have Exhausted Internal Options Before Seeking Apple's Help to Access iPhone

INTERNET STORM CENTER TECH CORNER

 

***************************  Sponsored By Qualys  ***************************


"Securing the Hybrid Cloud: A Guide to Using Security Controls, Tools and Automation" Take a look at the current state of cloud security, and some specific issues and recommendations for security best practices while taking into account typical staffing, technology and other resource issues. Register now and be among the first to receive the associated whitepaper written by SANS instructor and cloud expert Dave Shackleford. http://www.sans.org/info/203200


*****************************************************************************

TRAINING UPDATE


-- SANS Security West 2018 | San Diego, CA | May 11-18 | https://www.sans.org/event/security-west-2018


-- SANS at RSA Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018


-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018


-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018


-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018


-- SANS Northern VA Reston Spring 2018 | May 20-25 | https://www.sans.org/event/northern-va-reston-spring-2018


-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018


-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 | https://www.sans.org/event/rocky-mountain-2018


-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018


-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018


-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get a GIAC Certification Attempt Included or take $350 Off your OnDemand or vLive training course by April 4. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast | https://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************

TOP OF THE NEWS

 --

Australia Passes Critical Infrastructure Security Legislation

(March 29, 2018)

The Australian government has passed the Security of Critical Infrastructure Bill, which gives ministers the authority to direct companies that operate the country's gas, water, electricity, ports, and other critical infrastructure sectors to take steps to protect their systems from cyber threats. The bill "is designed to strengthen the Government's capacity to manage the national security risks of espionage, sabotage and coercion arising from foreign involvement in Australia's critical infrastructure."  


[Editor Comments]

[Pescatore] The bill seems to create an "Asset Register" of all Critical Infrastructure systems and who operates them, and empower the Minister or Secretary to both demand information and issue directives if a national threat is declared. In 2017, Australia established a Critical Infrastructure Centre, mainly to deal with non-Australian companies looking to buy or make majority share investments in large Australian companies. As part of that, Australia (like the US) came out with a very broad definition of Critical Infrastructure. It is hard for me to imagine government directives across such a broad swath of the economy could ever be timely enough to improve cybersecurity. More reporting, yes.


Read more in:

ZDNet: Government passes critical infrastructure national security Bill

http://www.zdnet.com/article/government-passes-critical-infrastructure-national-security-bill/

Parlinfo.aph.gov: Security of Critical Infrastructure (Consequential and Transitional Provisions) Bill 2017: Revised Explanatory Memorandum (PDF)

http://parlinfo.aph.gov.au/parlInfo/download/legislation/ems/s1119_ems_926b4525-c093-4b09-bea5-8036a1418c9e/upload_pdf/668496.pdf;fileType=application%2Fpdf

ParlInfo.aph.gov: Security of Critical Infrastructure (Consequential and Transitional Provisions) Bill 2018 (PDF)

http://parlinfo.aph.gov.au/parlInfo/download/legislation/bills/s1119_third-senate/toc_pdf/1729020.pdf;fileType=application%2Fpdf


 --

Drupal Issues Patches for Critical Flaw

(March 28 & 29, 2018)

The Drupal security team has issued a security advisory warning of a highly critical remote code execution flaw that affects versions 6, 7, & 8 of its content management system (CMS) platform. Users running Drupal version 7.x should upgrade to version 7.58; users running version 8.5.x should upgrade to version 8.5.1. While Drupal version 8.3.x and 8.4.x are no longer supported, the issue is serious enough that Drupal is releasing updates for these versions. The Drupal advisory notes, "Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor."


[Editor Comments]

[Williams] This vulnerability impacts more than a million websites on the Internet. The patches involve (unsurprisingly) input validation in data passed from the user. Even if you don't run Drupal, you should expect to see an uptick in scanning activity from compromised sites in the coming weeks as exploits for this vulnerability become available. If you have Drupal servers, this one is worth cancelling some weekend plans to patch. Although I haven't yet seen an exploit for this in the wild, I expect one to come quickly.


[Neely] When a vendor patches unsupported versions, take heed. While it can be challenging to keep your CMS current, that has to be SOP to keep the system secure. Don't forget to check and update your plugins while you are updating your core products.

 

Read more in:

Drupal: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002

https://www.drupal.org/sa-core-2018-002

The Register: Running Drupal? You need to patch, patch, patch right now!

http://www.theregister.co.uk/2018/03/28/drupal_urgent_security_software_patch/

ZDNet: Update Drupal ASAP: Over a million sites can be easily hacked by any visitor

http://www.zdnet.com/article/update-drupal-asap-over-a-million-sites-can-be-easily-hacked-by-any-visitor/

Cyberscoop: 'Highly critical' Drupal security flaw prompts urgent patch

https://www.cyberscoop.com/drupalgeddon2-patch-security-flaw/?category_news=technology

Threatpost: Drupal Issues Highly Critical Patch: Over 1M Sites Vulnerable

https://threatpost.com/drupal-issues-highly-critical-patch-over-1m-sites-vulnerable/130859/
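Williams notes above that the patches concern validation of user-supplied data. As an added example (not code from this page or from the Drupal project): Drupal render arrays reserve keys beginning with '#' for internal properties such as the element type, markup and pre/post-render callbacks, and the core fix for this advisory added a request sanitizer that strips such keys from incoming GET, POST and cookie data before it can reach the Form API. The Python below re-states that defensive pattern (Drupal's own implementation is PHP); the request contents and the callback name are constructed for the illustration.

```python
"""Strip reserved render-property keys from untrusted request data.

Python re-statement of the pattern used by the Drupal SA-CORE-2018-002
request sanitizer; this is illustration code, not Drupal's PHP. Keys that
begin with '#' are render-array properties and must never arrive from the
client. The sample request at the bottom is constructed for the example.
"""
from typing import Any, Dict, FrozenSet, List, Optional, Tuple

RESERVED_PREFIX = "#"


def strip_reserved_keys(data: Any,
                        allowlist: FrozenSet[str] = frozenset(),
                        removed: Optional[List[str]] = None,
                        path: str = "") -> Any:
    """Return a copy of `data` with every '#'-prefixed dict key removed,
    recursing into nested dicts and lists. Dropped keys are appended to
    `removed` as 'bag:outer.inner.#key' paths so they can be logged."""
    if removed is None:
        removed = []
    if isinstance(data, dict):
        cleaned: Dict[Any, Any] = {}
        for key, value in data.items():
            if (isinstance(key, str) and key.startswith(RESERVED_PREFIX)
                    and key not in allowlist):
                removed.append(f"{path}{key}")
                continue  # drop the key and everything nested under it
            cleaned[key] = strip_reserved_keys(value, allowlist, removed,
                                               f"{path}{key}.")
        return cleaned
    if isinstance(data, list):
        return [strip_reserved_keys(item, allowlist, removed, f"{path}{i}.")
                for i, item in enumerate(data)]
    return data  # scalars pass through unchanged


def sanitize_request(request: Dict[str, Any],
                     allowlist: FrozenSet[str] = frozenset()
                     ) -> Tuple[Dict[str, Any], List[str]]:
    """Sanitize each parameter bag (query string, body, cookies) before any
    of it is merged into a render array. Returns (cleaned, removed_paths).
    The input is not mutated, so the raw request stays available for audit."""
    removed: List[str] = []
    cleaned = {bag: strip_reserved_keys(params, allowlist, removed, f"{bag}:")
               for bag, params in request.items()}
    return cleaned, removed


# Constructed sample: a form submission whose 'mail' field tries to smuggle
# render properties (a type override and a callback) alongside the real value.
SAMPLE_REQUEST: Dict[str, Any] = {
    "query": {"q": "user/register", "#markup": "<b>injected</b>"},
    "post": {
        "form_id": "user_register_form",
        "mail": {"value": "alice@example.com",
                 "#type": "markup",
                 "#post_render": ["attacker_chosen_callback"]},
    },
    "cookies": {"session": "opaque-session-id"},
}

if __name__ == "__main__":
    cleaned, removed = sanitize_request(SAMPLE_REQUEST)
    print("cleaned:", cleaned)
    print("removed:", removed)
    # removed -> ['query:#markup', 'post:mail.#type', 'post:mail.#post_render']
```

The allowlist exists because a site may legitimately accept a small, known set of '#' keys; everything else is dropped rather than escaped, since the danger is the key name selecting a property, not the value. Logging the removed paths gives the SOC a cheap signal: a burst of stripped '#post_render' or '#markup' keys in request logs is scanning for this class of bug.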

 

 --

Microsoft's January Meltdown Fix Introduced New Vulnerability

(March 28 & 29, 2018)

Microsoft's January security updates included fixes intended to address the Meltdown vulnerabilities. It appears that those fixes in some cases made the situation worse instead of better. The problematic fix "allowed any process to read the complete memory contents at gigabytes per second [and made] it... possible to write to arbitrary memory as well" on machines running Windows 7 (64-bit) and Windows Server 2008 R2. Microsoft fixed the problem in its March security update release.   


Read more in:

The Register: Microsoft's Windows 7 Meltdown fixes from January, February made PCs MORE INSECURE

http://www.theregister.co.uk/2018/03/28/microsoft_windows_meltdown_patch_security_flaw/

Cyberscoop: Microsoft's Meltdown patches introduced a whole new vulnerability

https://www.cyberscoop.com/microsoft-meltdown-patches-windows-7-memory-management/?category_news=technology

Threatpost: Bad Microsoft Meltdown Patch Made Some Windows Systems Less Secure

https://threatpost.com/bad-microsoft-meltdown-patch-made-some-windows-systems-less-secure/130844/

 

 --

EI-ISAC Plans to Install Intrusion Detection Sensors on Voter Registration Sites

(March 28, 2018)

The Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) plans to install intrusion detection sensors on all US state voter registration websites before the 2018 midterm elections. EI-ISAC was established by the Center for Internet Security (CIS).


[Editor Comments]

[Pescatore] Since elections are really run locally, good to see CIS and the MS-ISAC take initiative in this area. Basic security hygiene at the local level plus federal level pressure on the vendors of voting systems and software are badly needed.


Read more in:

GCN: Protecting election registration sites from cyber intrusions

https://gcn.com/articles/2018/03/28/albert-intrusion-detection-voter-registration.aspx?admgarea=TC_SecCybersSec


**************************  SPONSORED LINKS  ********************************


1) Don't Miss: "Anatomy of the TRITON ICS Cyberattack" with Justin Searle and Phil Neray. Register: http://www.sans.org/info/203205


2) Do you believe in SOCs? How critical is the SOC to your organization? Take the SANS SOC survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/203210


3) Take the SANS IIoT Survey by April 9 to enter to win a $400 Amazon gift card! http://www.sans.org/info/203215


*****************************************************************************

THE REST OF THE WEEK'S NEWS      

 --

Cisco Releases Patches for Three Critical Flaws in IOS and IOS XE

(March 29, 2018)

On Wednesday, March 28, Cisco released security updates to fix three critical flaws in its IOS and IOS XE software. Two of the flaws are remote code execution issues that affect both IOS and IOS XE; the third is a static credential vulnerability that affects only IOS XE. Cisco also released fixes for 19 additional security issues in IOS and IOS XE that are rated as having a high security impact.  


[Editor Comments]

[Neely] The XE fix includes removing a back door account left over from the development of XE version 16. The back door and remote code execution flaws are high risk vulnerabilities which warrant immediate remediation.


Read more in:

Cisco: Cisco Event Response: March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication

https://tools.cisco.com/security/center/viewErp.x?alertId=ERP-66682

The Register: Egg on Cisco's face: Three critical software bugs to fix over Easter

http://www.theregister.co.uk/2018/03/29/cisco_critical_ios_bugs/

ZDNet: Cisco critical flaw: At least 8.5 million switches open to attack, so patch now

http://www.zdnet.com/article/cisco-critical-flaw-at-least-8-5-million-switches-open-to-attack-so-patch-now/

Threatpost: Cisco Patches Two Critical RCE Bugs in IOS XE Software

https://threatpost.com/cisco-patches-two-critical-rce-bugs-in-ios-xe-software/130852/

 

 --

Police in Europe Arrest 20 for Bank Fraud

(March 29, 2018)

Law enforcement officials in Europe have arrested 20 people in connection with an online banking fraud scheme. The arrests are the result of a two-year investigation involving Europol, Eurojust, and National Police in Romania and Italy. The suspects face allegations of using spear phishing and mass email campaigns to impersonate tax authorities and steal online banking account access credentials.   


Read more in:

Europol: 20 Hackers Arrested in EUR 1 Million Banking Phishing Scam

https://www.europol.europa.eu/newsroom/news/20-hackers-arrested-in-eur-1-million-banking-phishing-scam

ZDNet: 20 suspect hackers arrested over online banking fraud

http://www.zdnet.com/article/20-suspect-hackers-arrested-over-online-banking-fraud/

 

 --

NYC to Offer Free Cyber Security Tools

(March 29, 2018)

New York City plans to offer free cyber security tools. The program, NYC Secure, will offer an app that will warn smartphone users when suspicious activity is detected on their devices. NYC agencies will also bolster public Wi-Fi network security.   


[Editor Comments]

[Pescatore] Increasing public WiFi security is a good thing but there are already literally thousands of free security tools in the Apple store and Google Play. Since cellular service operators pay local property taxes on cell towers, how about offering tax rebates to cellular carriers that agree to block known malicious traffic, or agree to make out of the box mobile phone configurations meet basic security hygiene requirements?


[Neely] This effort arose as a mitigation to future Ransomware attacks. A key component is their selection of Quad9's DNS security product to sinkhole known bad sites. More on Quad9.net.


Read more in:

Secure.nyc: NYC Secure: Protecting New Yorkers Online

https://secure.nyc/

Reuters: New York offers free cyber security tools to public to deter hackers

https://www.reuters.com/article/us-usa-cyber-new-york/new-york-offers-free-cyber-security-tools-to-public-to-deter-hackers-idUSKBN1H52XC

 

 --

Malaysian Bank Foiled Wire Fraud Attempt

(March 29, 2018)

Bank Negara Malaysia, the country's central bank, says that it thwarted an attempt to steal funds through fraudulent wire transfers using the SWIFT bank messaging network.


Read more in:

Reuters: Malaysian central bank says foiled attempted cyber-heist

https://www.reuters.com/article/us-malaysia-cenbank-cybersecurity-incide/malaysian-central-bank-says-foiled-attempted-cyber-heist-idUSKBN1H50YF

 

 --

Boeing Hit with WannaCry Malware

(March 28 & 29, 2018)

Earlier this week, WannaCry malware infected a number of computers at a Boeing aircraft manufacturing facility in South Carolina. The company reported that the incident was contained with "no interruption to the 777 jet program or any of our programs." At least three other companies in the US have experienced work stoppages as a result of WannaCry infections over the past six months.


[Editor Comments]

[Neely] Kudos to Boeing for getting all hands on deck to shut this down quickly. WannaCry is still operating in the wild; if you haven't incorporated the patches into your minimum security configuration, now would be an excellent time to do so.

 

Read more in:

Seattle Times: Boeing hit by WannaCry virus, but says attack caused little damage

https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/

SC Magazine: Boeing hit and recovering from possible WannaCry attack

https://www.scmagazine.com/boeing-hit-and-recovering-from-possible-wannacry-attack/article/754599/

The Register: It's baaack - WannaCry nasty soars through Boeing's computers

http://www.theregister.co.uk/2018/03/28/wannacry_boeing/

CNET: WannaCry ransomware reportedly reappears to strike Boeing

https://www.cnet.com/news/wannacry-reportedly-reappears-to-strike-boeing/

 

 --

Lizard Squad Member Sentenced

(March 28 & 29, 2018)

A US federal judge in Illinois has sentenced Zachary Buchta to three months in prison for his role in a series of attacks against video game networks and other computer-related crimes. In December 2017, Buchta pleaded guilty to one count of conspiracy to commit damage to a protected computer. Buchta faced a much longer prison sentence, but because he cooperated with prosecutors, his sentence was significantly reduced. He has also agreed to pay $350,000 USD. Buchta was a member of a hacking group that called itself Lizard Squad.


Read more in:

SC Magazine: Lizard Squad member Zachary Buchta receives three month sentence

https://www.scmagazine.com/lizard-squad-member-zachary-buchta-receives-three-month-sentence/article/754287/

Cyberscoop: Lizard Squad's '@fbiarelosers' hacker gets smaller sentence for helping FBI arrest his friends

https://www.cyberscoop.com/zachary-buchta-lizard-squad-sentence/?category_news=technology

Chicago Tribune: 'Lizard Squad' hacker-for-hire cries in court as he's sentenced to three months in prison

http://www.chicagotribune.com/news/local/breaking/ct-met-hacker-zachary-buchta-sentenced-20180327-story.html

 

 --

Baltimore Emergency Call System Hacked

(March 27 & 28, 2018)

Last weekend, hackers disrupted a computer system that is used to support emergency calls in the city of Baltimore, Maryland. The attack prevented details about emergency callers from being automatically forwarded to dispatchers. Earlier the same week, the city of Atlanta, Georgia suffered ransomware attacks targeting systems that support several city services, including bill collection services and the airport's wireless network.


[Editor Comments]

[Pescatore] In times of political turmoil (global and national), state governments can be easy targets. A related, non-cyber thought from past experience: we have seen a definite increase in malicious packages being sent/delivered. A good time to review mail room security readiness - DHS (https://www.fbiic.gov/public/2010/nov/safe_Mail_Handling.pdf) and the USPS (https://about.usps.com/publications/pub166.pdf) have good publications/checklists online.


Read more in:

Baltimore Sun: Baltimore 911 dispatch system hacked, investigation underway, officials confirm

http://www.baltimoresun.com/news/maryland/crime/bs-md-ci-911-hacked-20180327-story.html

Reuters: Hackers disrupt Baltimore's emergency call system; Atlanta still affected

https://www.reuters.com/article/us-usa-cyber-baltimore/hackers-disrupt-baltimores-emergency-call-system-atlanta-still-affected-idUSKBN1H42I2

 

 --

DOJ OIG Report Suggests FBI May Not Have Exhausted Internal Options Before Seeking Apple's Help to Access iPhone

(March 27, 2018)

A report from the Office of Inspector General (OIG) for the US Department of Justice (DOJ) suggests that the FBI may not have exhausted all its internal options for accessing information on an iPhone seized following the December 2015 San Bernardino shooting before pressuring Apple to provide a way for the agency to break into the device. It seems that the FBI never directly inquired whether its Remote Operations Unit (ROU), which focuses on national security, had the capability to unlock the device.


Read more in:

DoJ OIG: A Special Inquiry Regarding the Accuracy of FBI Statements Concerning its Capabilities to Exploit an iPhone Seized During the San Bernardino Terror Attack Investigation (PDF)

https://oig.justice.gov/reports/2018/o1803.pdf

The Register: Did the FBI engineer its iPhone encryption court showdown with Apple to force a precedent? Yes and no, say DoJ auditors

http://www.theregister.co.uk/2018/03/27/fbi_encryption_showdown/

Ars Technica: FBI didn't fully know its own capabilities during showdown with Apple

https://arstechnica.com/tech-policy/2018/03/fbi-didnt-try-hard-enough-to-crack-iphone-before-taking-apple-to-court/

Nextgov: The FBI Didn't Explore All Options Before Trying to Force Apple to Break Into an Encrypted iPhone

http://www.nextgov.com/cybersecurity/2018/03/fbi-didnt-explore-all-options-trying-force-apple-break-encrypted-iphone/147021/

Reuters: FBI sought iPhone order before exhausting options: U.S. inspector general

https://www.reuters.com/article/us-usa-cyber-apple-encryption/fbi-sought-iphone-order-before-exhausting-options-u-s-inspector-general-idUSKBN1H32PA

 

INTERNET STORM CENTER TECH CORNER

Side-channel Information Leakage in Mobile Applications

https://isc.sans.edu/forums/diary/Sidechannel+information+leakage+in+mobile+applications/23487/


Branchscope: New Spectre Variant

http://www.cs.ucr.edu/~nael/pubs/asplos18.pdf


Critical Drupal Vulnerability Patched

https://www.drupal.org/sa-core-2018-002


Microsoft Meltdown Patch Gave Users Read/Write Access to All Memory

http://blog.frizk.net/2018/03/total-meltdown.html?m=1


MikroTik Botnet

https://blog.netlab.360.com/quick-summary-port-8291-scan-en/


Cisco Patches

https://tools.cisco.com/security/center/publicationListing.x


******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create