
Volume XX - Issue #27

April 6, 2018

White House Flouts DMARC Requirement; Number of Facebook Users Affected by Cambridge Analytica Scandal Grows; Microsoft MPE Emergency Fix; Atlanta's Ransomware Recovery; Third Party Breach Affects Delta & Sears Payment Card Data


SANS NewsBites               April 6, 2018                Vol. 20, Num. 027



White House Flouts Security Requirement for DMARC; Domains "Sitting Ducks for Attacks"

Number of Facebook Users Affected by Cambridge Analytica Scandal Grows

Microsoft Pushes Out Emergency Fix for Critical Malware Protection Engine Flaw

Atlanta Takes Down Water Department Website After Ransomware Attack

Delta, Sears Payment Data Compromised in Third-Party Vendor Breach


Intel Halts Plan to Patch Some Processors

Microsoft Adds Ransomware Protection and Other Security Features to Office 365

Vulnerabilities in Moxa ICS Devices

Natus Releases Fixes for Five Flaws in its NeuroWorks Software

Intel Discontinuing Remote Keyboard; Users Urged to Uninstall App

DHS Acknowledges Rogue IMSI Catchers in Washington, DC Area

Hackers Compromising Magento Sites to Install Cryptominers

Attack on Pipeline Electronic Data Interchange May Have Been Financially Motivated

Android April Update







White House Flouts Security Requirement for DMARC; Domains "Sitting Ducks for Attacks"

(April 4, 2018)

The Global Cyber Alliance found that the majority of White House email domains have not yet implemented Domain-based Message Authentication, Reporting, and Conformance (DMARC), technology that helps reduce the likelihood of the domains being used in large-scale phishing attacks. 18 of the 26 White House domains do not have DMARC. Only one domain has fully implemented DMARC at its highest level. According to an October 2017 Department of Homeland Security (DHS) directive, federal agencies had until January 15, 2018 to implement DMARC. Although the directive is "binding," DHS has no way to enforce it.  

[Editor Comments]

[Pescatore] Even without the recent hard evidence of Russian cyberattacks against US government systems, email security at the top of the Executive branch should be an obvious priority. That said, corporate adoption isn't stellar either: Agari and others report that only about 2 out of 3 Fortune 500 firms have active DMARC policies and only 8% or so are at quarantine/reject.  Healthcare has been one of the highest targets of phishing attacks, yet only about 2% of healthcare firms have enabled quarantine or reject.

Read more in:

Cyberscoop: White House email domains are sitting ducks for phishing attacks: study


FCW: Many White House domains lack required email security


DHS: Binding Operational Directive 18-01: Enhance Email and Web Security (October 16, 2017)
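As an added illustration (not part of the newsletter or of the Global Cyber Alliance study), the Python below parses DMARC TXT records and classifies each domain's policy as none, quarantine or reject, the enforcement levels the editor comment distinguishes. The domain names and records are constructed samples; a real check would fetch the TXT record published at _dmarc.<domain>.

```python
"""Classify DMARC TXT records by enforcement level (none / quarantine / reject)."""
from typing import Dict, List, Optional

# Constructed sample records for hypothetical domains, not real DNS data. In practice
# the record is the DNS TXT record published at _dmarc.<domain>.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "monitor.example.test": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example.test",
    "partial.example.test": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@partial.example.test",
    "strict.example.test": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example.test",
    "weaksub.example.test": "v=DMARC1; p=reject; sp=none",
    "missing.example.test": None,                                    # no _dmarc record at all
    "broken.example.test": "v=spf1 include:_spf.example.test -all",  # an SPF record, not DMARC
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Split a record into lowercase tag -> value pairs.

    Returns None unless 'v=DMARC1' is the first tag and a 'p' tag is present,
    which RFC 7489 requires of every DMARC record.
    """
    parts = [p.strip() for p in record.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "").upper() != "V=DMARC1":
        return None
    tags: Dict[str, str] = {}
    for part in parts:
        if "=" not in part:
            return None
        key, value = (s.strip() for s in part.split("=", 1))
        tags[key.lower()] = value
    return tags if "p" in tags else None


def effective_policy(record: Optional[str]) -> str:
    """Return 'missing', 'invalid', 'none', 'quarantine' or 'reject'."""
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    policy = tags["p"].lower()
    return policy if policy in POLICY_RANK else "invalid"


def findings(record: Optional[str]) -> List[str]:
    """List the gaps a defender would flag for one record (empty = fully enforcing)."""
    policy = effective_policy(record)
    if policy in ("missing", "invalid"):
        return [f"no usable DMARC record ({policy}); the domain can be spoofed freely"]
    tags = parse_dmarc(record) or {}
    issues: List[str] = []
    if policy == "none":
        issues.append("p=none is monitor-only; failing mail is still delivered")
    pct = tags.get("pct", "100")  # pct defaults to 100 when absent
    if pct.isdigit() and int(pct) < 100:
        issues.append(f"pct={pct}: only part of the failing mail is subject to the policy")
    sub = tags.get("sp", policy).lower()  # sp defaults to the organizational policy
    if POLICY_RANK.get(sub, 0) < POLICY_RANK[policy]:
        issues.append(f"sp={sub} leaves subdomains weaker than p={policy}")
    if "rua" not in tags:
        issues.append("no rua tag: aggregate reports are not being collected")
    return issues


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:22} {effective_policy(rec):10} {'; '.join(findings(rec)) or 'fully enforcing'}")
```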


Number of Facebook Users Affected by Cambridge Analytica Scandal Grows

(April 4, 2018)

Facebook now says that the number of users whose information was improperly used by political consulting company Cambridge Analytica could be as high as 87 million, up from an earlier estimate of 50 million. Facebook says it has adopted new measures to restrict third-party access to user data.

[Editor Comments]

[Pescatore] This is a good "Don't Be" story to relate to CEOs, Chief Legal Counsels and Boards of Directors. Facebook decided to end the drip drip drip of increasing size of the compromise and now just says that its search tools were so easily misused that *most* of the 2 billion Facebook users should consider their personal information to have been harvested without their knowledge or permission. The FTC moved against Facebook in 2011 for privacy abuse and Facebook entered into a settlement that they appear to have violated, since they agreed to obtain "...consumers' express consent before their information is shared beyond the privacy settings they have established."

Read more in:

NYT: Facebook Says Cambridge Analytica Harvested Data of Up to 87 Million Users


The Hill: Facebook says up to 87 million people affected by Cambridge Analytica scandal



Microsoft Pushes Out Emergency Fix for Critical Malware Protection Engine Flaw

(April 4, 2018)

Microsoft has pushed out an emergency fix for a critical memory corruption flaw in its Microsoft Malware Protection Engine (MMPE). The flaw, which could be exploited to allow remote arbitrary code execution, is the result of MMPE failing to properly scan a maliciously-crafted file.

Read more in:

Microsoft: CVE-2018-0986 | Microsoft Malware Protection Engine Remote Code Execution Vulnerability


SC Magazine: Microsoft pushes update for critical RCE bug in Malware Protection Engine


Dark Reading: Microsoft Patches Critical Flaw in Malware Protection Engine


Atlanta Takes Down Water Department Website After Ransomware Attack

(April 5, 2018)

Nearly two weeks after the city of Atlanta, Georgia's computer systems were beset with ransomware, the city's water department website has been taken offline indefinitely. Other systems are slowly coming back online, but people are still unable to make online public service payments.     

Read more in:

Reuters: Atlanta takes down water department website two weeks after cyber attack



Delta, Sears Payment Data Compromised in Third-Party Vendor Breach

(April 4 & 5, 2018)

The breach was at a third-party entity called [24]7.ai, a customer support software company. It occurred sometime between September 26 and October 12, 2017, when it was detected and resolved. The breach compromised payment card information for customers of Sears retail stores, Delta Air Lines and possibly other companies as well. Sears said that [24]7.ai notified it of the breach in March 2018. [24]7.ai provides support for customer chat, virtual agents, and customer analytics.

[Editor Comments]  

[Ullrich] Just because it is a shiny new technology doesn't mean you don't still have to watch out for old threats. I often see developers discard advice because it doesn't specifically apply to the technology or the framework they are using. Even if your new chat bot uses the latest artificial intelligence blockchain based machine learning algorithms: personal data still needs to be properly secured.


[Pescatore] Supply chain security is a complex process and the best examples of success almost invariably include security criteria being pushed far upstream in the procurement chain. In 2016, SANS gave procurement manager John Martin of Boeing a Difference Maker's award for doing just that. A year ago we did a webinar on the topic with John, Steve Lipner of SAFECode and Chris Wysopal of Veracode - you can view it at https://www.sans.org/webcasts/increasing-software-security-down-supply-chain-104342         

[Murray] The fundamental vulnerability here remains the movement, storage, and acceptance of the card number in the clear. We know how to fix this. The brands must lead but the issuers and merchants must follow.


Read more in:

The Register: Bot-ched security: Chat system hacked to slurp hundreds of thousands of Delta Air Lines, Sears customers' bank cards


The Hill: Third-party breach exposed credit card details on Sears, Delta Air Lines customers


Reuters: Sears Holding, Delta Air hit by customer data breach at tech firm


CNET: Delta, Sears, Kmart hit by data breach: What you need to know


SC Magazine: Sears and Delta Airlines customers' payment data exposed by third-party vendor breach






Intel Halts Plan to Patch Some Processors

(April 4, 2018)

Intel has released update guidance saying that it does not plan to fix the Spectre flaw in some of its older processors. The reasons given for the decision include "Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715); Limited Commercially Available System Software support; ...and products ... implemented as "closed systems" and therefore are expected to have a lower likelihood of exposure to these vulnerabilities."

Read more in:

Intel: Microcode Revision Guidance (PDF)


The Register: Intel admits a load of its CPUs have Spectre v2 flaw that can't be fixed


ZDNet: Intel: We now won't ever patch Spectre variant 2 flaw in these chips


Ars Technica: Intel drops plans to develop Spectre microcode for ancient chips


Bleeping Computer: Intel Reveals Some CPU Models Will Never Receive Microcode Updates


Threatpost: Intel Halts Spectre Fixes on Older Chips, Citing Limited Ecosystem Support



Microsoft Adds Ransomware Protection and Other Security Features to Office 365

(April 5, 2018)

Microsoft has added security features to Office 365 Home and Office 365 Personal to help protect users from ransomware attacks and other threats. Consumer-level OneDrive accounts will now have the same File Restore feature that had previously been available only to OneDrive for Business accounts; the feature allows users to restore a OneDrive account to a previous point within the past 30 days.

[Editor Comments]

[Murray] Great move.

Read more in:

SC Magazine: Microsoft adds ransomware protection, recovery tools to Office 365



Vulnerabilities in Moxa ICS Devices

(April 5, 2018)

Security issues in two Moxa industrial control systems (ICS) devices could be exploited to inject command-line instructions or obtain private cryptographic keys. The first vulnerability affects Moxa's AWK-3131A 802.11n industrial wireless networking gear; it could be exploited to send commands to the device's operating system by placing the commands in a maliciously-crafted username login attempt. Moxa has released a firmware patch to address this issue. The second vulnerability affects Moxa's MXview network-management software and could be exploited to obtain the private key for a web server that manages network devices.    

Read more in:

Ars Technica: "Open sesame": Industrial network gear hackable with the right username


ICS-CERT: Advisory (ICSA-18-095-02) Moxa MXview



Natus Releases Fixes for Five Flaws in its NeuroWorks Software

(April 4 & 5, 2018)

Natus has released updates to address five vulnerabilities in its Windows-based NeuroWorks software, which is used in electroencephalogram (EEG) systems. The devices connect to hospital networks over Ethernet to integrate patient data. The vulnerabilities could be exploited to gain a persistent presence on hospital networks. Four of the flaws are code execution vulnerabilities; the fifth is a denial-of-service issue.

Read more in:

Talos: Vulnerability Spotlight: Natus NeuroWorks Multiple Vulnerabilities


ZDNet: Critical remote code execution vulnerabilities impact Natus medical devices


Ars Technica: Hacking your brain: Researchers discover security bugs in EEG systems


SC Magazine: Natus reportedly updates EEG device software to squash RCE, DoS bugs



Intel Discontinuing Remote Keyboard; Users Urged to Uninstall App

(April 4 & 5, 2018)

Intel is discontinuing its Intel Remote Keyboard app for Android and iOS. The company is recommending that users delete the app from their mobile devices. The app contains a critical unauthenticated keystroke injection vulnerability, as well as two additional vulnerabilities that are rated high severity.  

[Editor Comments]

[Stephen Northcutt] There have been vulnerabilities in remote keyboards for years. This one is a doozy. Recommend we concentrate on our own companies first, but then consider using social media to reach your friends and relatives, some may be technical enough to use the tool and not understand the risk: https://www.schneier.com/blog/archives/2016/08/security_vulner_7.html

Read more in:

Intel: Intel® Remote Keyboard Unauthenticated Keystroke Injection


Threatpost: Intel Tells Remote Keyboard Users to Delete App After Critical Bug Found


ZDNet: Intel Remote Keyboard app discontinued in the face of critical vulnerability



DHS Acknowledges Rogue IMSI Catchers in Washington, DC Area

(April 3 & 4, 2018)

In a March 26 letter responding to a November 2017 letter from US Senator Ron Wyden (D-Oregon), the US Department of Homeland Security (DHS) acknowledged that it had detected unauthorized cell-site simulators in the Washington, DC area. Also known as international mobile subscriber identity (IMSI) catchers, the technology has been used by law enforcement agencies for years. DHS has not attributed the use of the IMSI catchers to "specific entities."

Read more in:

AP: APNewsBreak: US suspects cellphone spying devices in DC


Wyden: Wyden's November 2017 letter to DHS (PDF)


SC Magazine: DHS acknowledges unauthorized foreign Stingray use in Washington D.C.


The Register: Hold the phone: Mystery fake cell towers spotted slurping comms around Washington DC


ZDNet: Evidence of stingrays found in Washington, DC, Homeland Security says


Ars Technica: Feds: There are hostile stingrays in DC, but we don't know how to find them


Cyberscoop: DHS says unauthorized Stingrays could be in D.C. area



Hackers Compromising Magento Sites to Install Cryptominers

(April 2 & 3, 2018)

Websites built on the Magento content management system (CMS) platform are being compromised through brute force attacks to steal payment card data and to install cryptomining software. Attackers are also targeting websites built on other CMS platforms, including OpenCart and Powerfront CMS.

[Editor Comments]

[Ullrich] This is another case of attackers essentially ignoring the data on the systems they are compromising, and stealing CPU power for cryptocoin mining instead. The exploit does attempt to capture some credit card data via JavaScript, but this is probably not the main goal of the attacker. Many of these stores that were left with default passwords (and haven't been breached yet by someone else) are likely idle or not yet fully operational. Cryptocoin mining is probably the most promising route to monetize these breaches.

Read more in:

Flashpoint: Compromised Magento Sites Delivering Malware


The Register: Badmins: Magento shops brute-forced to scrape card deets and install cryptominers



Attack on Pipeline Electronic Data Interchange May Have Been Financially Motivated

(April 3 & 4, 2018)

Energy Services Group (ESG), an organization that manages customer transactions for natural gas pipelines for a number of energy companies, was the target of a cyberattack. The company has said that its electronic data interchange will be down until further notice. The attack disrupted several pipelines' communications systems. The attack appears to have been focused on obtaining data that could be used in financial markets rather than on disruption.   

Read more in:

Bloomberg: The Cyberattack That Crippled Gas Pipelines Is Now Hitting Another Industry


SC Magazine: Cyberattack knocks Energy Services Group offline


Cyberscoop: Major U.S. pipeline hit by cyberattack on transaction software


Threatpost: Insecure SCADA Systems Blamed in Rash of Pipeline Data Network Attacks


GovTech: Cyberattack Targets Energy Industry Pipeline Data



Android April Update

(April 3, 2018)

Google's Android Security update for April 2018 includes fixes for nine critical flaws and 19 security issues rated "high." The most severe flaw is an arbitrary code execution issue in the Media framework. Firmware updates are available and will be pushed out to Nexus and Pixel devices. Updates for other devices will be available from their manufacturers.

Read more in:

Threatpost: Google's April Android Security Bulletin Warns of 9 Critical Bugs


Android: Android Security Bulletin-April 2018


Android: Pixel / Nexus Security Bulletin-April 2018






The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create