Take your cyber security skills to the next level with SANS training in Miami! Save $300 thru 11/20.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #33

April 27, 2018

Ski Lift Control Panel Internet-Connected and Unprotected; Cloud In-Security Top Errors; Attackers Exploiting Drupal Vulnerability; Few Federal Contractors Implemented DMARC; New FERC Standard

The Cloud In-Security panel published the list of the ten critical errors AWS users are making that cause that cause the most damage.  They'll discuss best mitigation approaches at the Cloud In-Security workshop. The top 2 are pretty obvious but remarkably common and dangerous errors: (1) Insecure use of developer credentials, (2) Publicly accessible S3 buckets. The rest are here: https://www.sans.org/event/cloud-insecurity-summit-tx


SANS NewsBites               April 27, 2018                Vol. 20, Num. 033



Ski Lift Control Panel Internet-Connected and Unprotected

Attackers Exploiting Drupal Vulnerability Hours After Disclosure

Few Major Federal Contractors Have Implemented DMARC

New FERC Standard Strengthens Security Controls


  Six People Arrested in China for Allegedly Stealing Electricity to Mine Cryptocurrency

Loud Noise Damages Nasdaq Servers in Sweden

SAP Configuration Vulnerability

Fixes Available for Hotel Card Key Electronic Lock Weaknesses

Webstresser DDoS for Hire Site Taken Down

Apple Updates for Safari, macOS, iOS

Ethereum Thieves Exploited BGP Leak

US Naval Academy Sees Number of Cybersecurity Majors Skyrocket



************************** Sponsored By Splunk ******************************

GDPR: Key Considerations on the Path to Compliance

Join this upcoming webinar to learn whats required from organizations under the GDPR, how machine data can help you to stay compliant, and how Splunk can help to address key articles under the new regulation.




-- SANS Security West 2018 | San Diego, CA | May 11-18 | https://www.sans.org/event/security-west-2018

-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018

-- SANS Northern VA Reston Spring 2018 | May 2025 | https://www.sans.org/event/northern-va-reston-spring-2018

-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018

-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 | https://www.sans.org/event/rocky-mountain-2018

-- SANS London June 2018 | June 4-12 | https://www.sans.org/event/london-june-2018

-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018

-- Cloud In-Security Summit - DC | Crystal City, VA | June 8 | https://www.sans.org/event/cloud-insecurity-summit-dc

-- Cloud In-Security Summit - Austin | Austin, TX | June 11 | https://www.sans.org/event/cloud-insecurity-summit-tx

-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Special Offer: Get an iPad Pro with Smart Keyboard, a Microsoft Surface Pro or Take $350 Off with OnDemand or vLive Training until May 2.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

Single Course Training

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






Ski Lift Control Panel Internet-Connected and Unprotected

(April 26, 2018)

A ski lift in Innsbruck, Austria, was shut down after its control panel was found to be accessible to anyone on the Internet, allowing them to manipulate the lift's speed, cable tension, and the distance between passenger cabins. The flaws in the software had been reported earlier to the manufacturer, who fixed it, but the ski lift was operating an older, unpatched version of the software.   

[Editor Comments]

[Neely] Proper isolation and separation of SCADA and Control Systems is a key requirement for their security. While firmware updates were available, application of updates during peak season is tricky without adequate downtime for regression testing and rollback. Too often old systems are exposed and "discovered" when the network they have been using is connected to the Internet, underscoring the importance of CSC 1: know what's on your network. Shodan can be leveraged as a reconnaissance source to validate your assumptions about what's internet accessible.


[Pescatore] Operational technology, like manufacturing systems, SCADA devices and even ski lift control panels have been Internet-connected and vulnerable long before the "Internet of Things" became a buzzword. The first step in securing OT is always visibility - what is out there on your network or in your IP address range? The Shodan search engine can be a first step; all credible vulnerability assessment products include capabilities for discovering and classifying OT devices.

Read more in:

Bleeping Computer: Ski Lift in Austria Left Control Panel Open on the Internet



Attackers Exploiting Drupal Vulnerability Hours After Disclosure

(April 25, 2018)

Within hours of Drupal's disclosure of a critical flaw in its content management system, attackers began actively exploiting the vulnerability in the wild. Drupal has released a fix for the flaw (CVE 2018-7602), which is not to be confused with a vulnerability known as Drupalgeddon 2 (CVE-2018-7600). That vulnerability was fixed several weeks ago. In a related story, attackers have exploited Drupalgeddon 2 in a ransomware attack against the Ukrainian Energy Ministry.  

[Editor Comments]

[Ullrich] Example attack taking advantage of the new flaw: https://isc.sans.edu/forums/diary/More+Threat+Hunting+with+User+Agent+and+Drupal+Exploits/23597/

[Williams] This is related to the revelation at RSA that NSA sees exploitation usually within 24 hours of a vulnerability release. Here, it took less than five hours. The time to patch is shortening dramatically and in many cases is a race that organizations simply cannot hope to win. The speed with which attackers are leveraging newly released vulnerabilities to achieve code execution highlights the need for continuous network monitoring (to detect an intrusion) and incident response plans (to respond to the inevitable compromises).

Read more in:

Drupal: Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-004


Ars Technica: Drupal users take cover-code-execution bug is being actively exploited [updated]


Bleeping Computer: Hackers Don't Give Site Owners Time to Patch, Start Exploiting New Drupal Flaw Within Hours


SC Magazine: Drupal releases patch for a code-execution bug actively being exploited


Threatpost: Ransomware Attack Hits Ukrainian Energy Ministry, Exploiting Drupalgeddon2



Few Major Federal Contractors Have Implemented DMARC

(April 25, 2018)

A survey of US federal government contractors found that just one of the 50 largest has fully implemented the Domain-based Message, Authentication, Reporting, and Conformance (DMARC) protocol to help prevent phishing attacks. One additional contractor has implemented a level of DMARC in which phishing emails are quarantined. A Department of Homeland Security (DHS) directive instructed federal agencies to implement DMARC by January 15, 2018.    

[Editor Comments]

[Henry]  The inability for the government to enforce a clear mandate which would make networks more secure is a problem. Effective security requires an organization have the authority to implement necessary policies, processes, and technology, and to hold accountable those who threaten the enterprise by failing to adhere to those standards.

[Pescatore] All you government CSOs and program managers reading this (non-government ones, too!): add a DMARC requirement to your next RFP and highly weight it in your evaluation criteria.

[Neely] There are three big challenges in implementing DMARC. First, making sure that not only are your domains configured, but also any third-party services which send email on your behalf. Second, making sure all legitimate sub-domains are included. Third, getting the confidence to block or quarantine messages. The last is the deal breaker as management is unlikely to take the risk of losing email without sufficient ROI. That requires use of DMARC analysis tools to identify and resolve problems, and a deliberate but careful advancement from no action, to quarantine, to blocking.  

Read more in:

Cyberscoop: Fed contractors aren't using DMARC, new study finds



New FERC Standard Strengthens Security Controls

(April 23, 2018)

The Federal Energy Regulatory Commission (FERC) has approved a new standard that is designed to help protect the power grid from cyberthreats. The critical infrastructure Reliability Standard, CIP-003-7, "requires mandatory security controls for transient [or portable] electronic devices... used at low impact BES Cyber Systems."  

[Editor Comments]

[Murray] The power grid remains an existential risk to our well being. Regulation for cost and rates by the several states and a culture that prioritizes ease of remedial intervention in its operation makes reducing this risk difficult. Support for this standard is critical.

Read more in:

FERC: Revised Critical Infrastructure Protection Reliability Standard CIP-003-7


SC Magazine: New standard accepted by Federal Energy Regulatory Commission for critical infrastructure protection


Cyberscoop: Regulators tightening controls on devices connecting to utility company networks



**************************  SPONSORED LINKS  ********************************

1) Quantstamp secures smart contracts. Learn more at: http://www.sans.org/info/203615

2) Don't Miss: "Tailored Intelligence for Automated Remediation: SANS Review of IntSights' Enterprise Intelligence and Mitigation Platform" Register: http://www.sans.org/info/203620

3) Don't Miss: "Incident Response: Give Me Data or Give Me Death!" with Nick Schroeder and Gary Harrison. Register: http://www.sans.org/info/203625





Six People Arrested in China for Allegedly Stealing Electricity to Mine Cryptocurrency

(April 26, 2018)

Authorities in China have arrested six people for allegedly stealing electricity to power cryptocurrency mining machines. They also seized 600 machines that were being used in the digital mining operation. Authorities were alerted to the situation by the power company, which noticed an unusual increase in line loss (the amount of electricity generated by a plant that does not get to customers).

Read more in:

The Register: Power spike leads Chinese police to 600-machine mining rig



Loud Noise Damages Nasdaq Servers in Sweden

(April 26, 2018)

Noise from an activated fire suppression system caused Nasdaq servers at a data center in Sweden to fail, shutting down stock market trading in Sweden, Finland, Denmark, Lithuania, Latvia, and Estonia, as well as other markets in Iceland. Data centers often use systems that replace oxygen with inert gas to suppress fires; the noise from these systems can sometimes be extremely loud.  

[Editor Comments]

[Ullrich] This is an interesting and often forgotten phenomenon. Unsurprisingly, mechanical hard drives are very sensitive to vibration. Loud noises, in particular at the right frequency, are able to sufficiently disrupt hard drives to force them into "auto protect" mode which disables them temporarily, or to permanently damage them. A nice demonstration of this effect can be found here: https://www.youtube.com/watch?v=tDacjrSCeq4

[Henry]  This is another example of the need for a strong COOP (Continuity of Operations Plan). While attackers and their tactics are many, organizations need to be cognizant of other risks they face too. Floods, power-outages, and, apparently, "loud noises."  The ability to quickly recover and reconstitute operations can be the difference between a minor inconvenience and a major catastrophe. Designing, implementing, and testing the COOP should be a top priority for every enterprise.

Read more in:

Nextgov: A Loud Noise Knocked Out Computers That Run Stock Exchanges Across Northern Europe



SAP Configuration Vulnerability

(April 26, 2018)

A default configuration setting in SAP NetWeaver that has existed for more than a decade could be exploited to take control of vulnerable systems. SAP has released updates to address the problem.

Read more in:

Onapsis: Critical Security Configuration Issue in SAP Implementations


Dark Reading: The Default SAP Configuration That Every Enterprise Needs to Fix


eWeek: Onapsis Reveals 13-Year Old Configuration Vulnerability in SAP



Fixes Available for Hotel Card Key Electronic Lock Weaknesses

(April 25 & 26, 2018)

Security flaws in a card key system used by hotels around the world can be exploited to create a master key, allowing access to rooms. Researchers at F-Secure found that expired card keys can provide enough information to create a master key. The vulnerable system is Vision by VingCard, made in Sweden by Assa Abloy, which has released fixes to address the vulnerabilities.

[Editor Comments]

[Ullrich] The part that scared me the most about this vulnerability was that it didn't leave behind any logs. In a hotel room, you should always assume that strangers will enter to clean or for maintenance. But typically, this access is logged. According to F-Secure's blog, cards taking advantage of this bug will bypass logging.

[Williams] This is a serious flaw in the locks; it requires a technician to be physically present at each lock to upgrade. This vulnerability is likely to take years to completely remediate, as hotel lock maintenance is normally performed by outside contractors who likely don't have the surge staff to handle all of these upgrades quickly (in addition to normal lock maintenance). From a consumer standpoint, it is impossible to know whether your lock has been patched against this flaw. Props to the researchers who disclosed this responsibly without dropping instructions on the Internet. They first disclosed the flaw to the manufacturer a year ago - that's a long time to wait before going public (and, even then, without full vulnerability information).

[Northcutt] This is not a new problem. It was demonstrated in 2012 and again in 2016:



Read more in:

SC Magazine: Lock maker offers fixes to prevent hackers from using fake master keys to open hotel locks


Reuters: Hotel key cards, even invalid ones, help hackers break into rooms


The Register: Hotel, motel, Holiday Inn? Doesn't matter - they may need to update their room key software


ZDNet: Hackers built a 'master key' for millions of hotel rooms


Bleeping Computer: Device Can Generate Master Keys From Valid or Expired Hotel Keys



Webstresser DDoS for Hire Site Taken Down

(April 25, 2018)

An international operation has taken down Webstresser, a website that offered distributed denial-of-service (DDoS) for hire services. Authorities arrested alleged Webstresser administrators in Canada, Croatia, Serbia, and the Netherlands. Operation Power Off was led by the UK National Crime Agency and the Dutch National Police, aided by Europol and other law enforcement agencies around the world.

Read more in:

Europol: World's Biggest Marketplace Selling Internet Paralysing DDoS Attacks Taken Down


Dark Reading: 'Webstresser' DDoS Attack Site Shut Down in International Operation


SC Magazine UK: Dutch Police & NCA lead takedown of world's largest DDoS marketplace


The Register: World's biggest DDoS-for-hire souk shuttered, masterminds cuffed


KrebsOnSecurity: DDoS-for-Hire Service Webstresser Dismantled


Cyberscoop: Cops shut down one of the largest DDoS marketplaces in the world


Threatpost: Europol Smacks Down World's Largest DDoS-For-Hire Market



Apple Updates for Safari, macOS, iOS

(April 25, 2018)

Apple has released security updates for Safari, macOS, and iOS. The updates fix several flaws, including two memory corruption issues in the WebKit browser engine used by iOS and Safari. The most current versions are now Safari 11.1, macOS High Sierra 10.13.4, and iOS 11.3.1.  

[Editor Comments]

[Neely] The iOS 11.3.1 update also addresses a flaw where a crafted text message will crash the iOS UI (Springboard) and an issue where third-party screen replacements resulted in reduced device responsiveness. If your applications are using the needed SDK updates to support 11.3, there are no issues updating devices to 11.3.1.

Read more in:

Apple: Apple security updates


The Register: Apple debugs debugger, nukes pesky vulns in iOS, WebKit, macOS


SC Magazine: Apple updates fix code execution, privilege escalation and spoofing issues


eWeek: Apple iOS 11.3.1 Fixes QR Code Security Flaw



Ethereum Thieves Exploited BGP Leak

(April 24 & 25, 2018)

Thieves exploited vulnerabilities in public facing DNS servers to steal $152,000 USD worth of Ethereum cryptocurrency. The attackers used a Border Gateway Protocol (BGP) leak to redirect users to a phony MyEtherWallet site.

Read more in:

SC Magazine: $152,000 in Ethereum stolen in Amazon DNS server attack


ZDNet: AWS traffic hijack: Users sent to phishing site in two-hour cryptocurrency heist


Ars Technica: Suspicious event hijacks Amazon traffic for 2 hours, steals cryptocurrency


Cyberscoop: Internet infrastructure server hijacked for $152,000 Ether theft



US Naval Academy Sees Number of Cybersecurity Majors Skyrocket

(April 24, 2018)

The number of cybersecurity majors at the US Naval Academy has grown from 22 in the class of 2018 to 110 in the current freshman class. The Naval Academy's first group of cybersecurity majors graduated in 2016. All midshipmen must take two semesters of cybersecurity courses.

Read more in:

Fifth Domain: Naval Academy sees big boost in cybersecurity majors




Amazon BGP Hijack


Apple Security Updates


MikroTik Router Update


New Drupal Remote Code Execution Vulnerability


Malicious Network Traffic From /bin/bash


Insecure Hotel Locks


Amazon Echo As Eavesdropping Device (sign-in required)



HP iLO Ransomware


Total Meltdown Exploit Available


WD My Cloud EX2 Access Control Bypass


Hyperoptic ZTE Home Router Hardcoded Account



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create