


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #35

May 4, 2018

The list of major companies dealing with flaws that are already being exploited skyrocketed this week (too many to put them all in Top of the News), not because they are writing any worse software or firmware. Rather, malicious vulnerability seekers are improving their tools and skills while the large software and hardware developers are trying to get along on out-of-date skills or to put the entire product security load on a tiny number of elite cyber experts, who sometimes need to sleep.


The Cloud In-Security workshop in Washington DC (targeting solutions for the 10 most dangerous errors cloud users are making) is nearly full, but Austin has more space.

    -- Washington DC: https://www.sans.org/event/cloud-insecurity-summit-dc

    -- Austin: https://www.sans.org/event/cloud-insecurity-summit-tx


****************************************************************************

SANS NewsBites               May 4, 2018                Vol. 20, Num. 035

****************************************************************************

TOP OF THE NEWS

  Hackers Exploited Oracle Flaws Within Hours of Disclosure

Washington State Utility Adds Employee Security After Cryptocurrency Mining Incidents

Schneider Releases Fixes for Critical Flaws in ICS Software

REST OF THE WEEK'S NEWS

  More Flaws in Intel Processors

Critical Flaw in Cisco WebEx Recording Function

Twitter Passwords Stored Insecurely

Microsoft Patches Critical Flaw Affecting Docker Importer Service

Cambridge Analytica Shuts Down

Fancy Bear APT Group Likely Replaced LoJack Command and Control Server with Its Own Server

FacexWorm: Malicious Chrome Extension

INTERNET STORM CENTER TECH CORNER

 

***************************  Sponsored By DomainTools  ************************************


Threat actors tools, techniques and procedures are evolving at a rapid pace, making it even more difficult for organizations to effectively defend their network. This is forcing security professionals to be more agile and moving beyond simply block and tackle security strategies. Join SANS instructor, Rebekah Brown and DomainTools Data Systems Engineer, Mike Thompson to learn how the threat intelligence space is changing and what techniques security professionals can apply to stay ahead of threat actors. Register:  http://www.sans.org/info/203845


*****************************************************************************


TRAINING UPDATE


-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018


-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018


-- SANS Northern VA Reston Spring 2018 | May 20-25 | https://www.sans.org/event/northern-va-reston-spring-2018


-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018


-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 | https://www.sans.org/event/rocky-mountain-2018


-- SANS London June 2018 | June 4-12 | https://www.sans.org/event/london-june-2018


-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018


-- Cloud In-Security Summit - DC | Crystal City, VA | June 8 | https://www.sans.org/event/cloud-insecurity-summit-dc


-- Cloud In-Security Summit - Austin | Austin, TX | June 11 | https://www.sans.org/event/cloud-insecurity-summit-tx


-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Special Offer: Get an iPad, a Samsung Galaxy Tab A, or take $250 Off with OnDemand or vLive Training until May 16.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



*****************************************************************************


TOP OF THE NEWS


 --

Hackers Exploited Oracle Flaws Within Hours of Disclosure

(April 30 & May 3, 2018)

Administrators are being urged to install Oracle's patches for CVE-2018-2628, a remote code execution vulnerability in WebLogic Server. Just hours after Oracle released the fixes in mid-April, attackers began exploiting the flaw. Compounding the issue, research suggests that the fix can be easily bypassed. Until that issue is resolved, administrators are advised to restrict access to TCP port 7001 on WebLogic installations as much as possible.


[Editor Comments]

[Neely] It appears Oracle blocked one attack vector rather than fixing the underlying vulnerability, so bypassing the fix was possible. Port 7001 is the default WebLogic Server Administration server listen port, and can be changed to anything from 7001-9000, so consider not only restricting access to that port, but also changing it. If you do change it, the administration tools will need reconfiguration.

 

Read more in:

SANS Internet Storm Center: WebLogic Exploited in the Wild (Again)

https://isc.sans.edu/forums/diary/WebLogic+Exploited+in+the+Wild+Again/23617/

The Register: Hurry up patching those Oracle bugs? Attackers aren't waiting

http://www.theregister.co.uk/2018/05/03/slow_to_patch_oracle_bugs_dont_be_attackers_jump_all_over_them/

The Register: Umm, Oracle, about that patch? It might not be very sticky ...

https://www.theregister.co.uk/2018/04/30/oracle_weblogic_software_patch_can_be_bypassed/



 --

Washington State Utility Adds Employee Security After Cryptocurrency Mining Incidents

(May 2 & 3, 2018)

The Chelan County (Washington) Public Utility District is installing bulletproof panels and security cameras at PUD headquarters after several incidents involving unauthorized cryptocurrency miners who were upset because their power was cut off, or would-be cryptocurrency miners who were denied high-density load service because of a moratorium. In March 2018, PUD commissioners instituted the high-density load moratorium to allow staff to develop a plan to deal with the increased demand. The moratorium also authorized Chelan PUD staff to disconnect service to unauthorized cryptocurrency mining operations.


[Editor Comments]


[Northcutt] This really is an amazing story. I was just there 8 months ago and because of cheap hydroelectric power mining operations are everywhere. So they have been trying to crack down:

BTC Manager: Washington Chelan County PUD: We Will No Longer Tolerate Illegal Bitcoin Mining Activities

https://btcmanager.com/washington-chelan-county-pud-we-will-no-longer-tolerate-illegal-bitcoin-mining-activities/

WSJ: Bitcoin Mania Triggers Miner Influx to Rural Washington (please note that the Wall Street Journal is behind a firewall)

https://www.wsj.com/articles/rural-washington-is-a-hot-spot-for-bitcoin-miners-1518354001


[Pescatore] This is an extreme example, but still an example of two important points: (1) Business events or publicity can cause attacks against a company to quickly become much more likely and require increased levels of monitoring, prevention, response. (2) Physical security is a very different discipline than cybersecurity; while the two areas have intersections and can benefit from integrated processes, it is important to have real expertise in both areas which very often means separate organizations.


Read more in:

Chelan PUD: PUD Board acts to halt unauthorized bitcoin mining

https://www.chelanpud.org/about-us/newsroom/news/2018/04/03/pud-board-acts-to-halt-unauthorized-bitcoin-mining

GovTech: Washington Utility Boosts Security After Bitcoin Mining Moratorium

http://www.govtech.com/public-safety/Washington-Utility-Boosts-Security-After-Bitcoin-Mining-Moratorium.html



 --

Schneider Releases Fixes for Critical Flaws in ICS Software

(May 2, 2018)

Researchers from Tenable have found a critical flaw in Schneider Electric industrial control software that could be exploited to disrupt or shut down operations at facilities where the software is in use. The vulnerability affects Schneider Electric's InduSoft Web Studio and InTouch Machine Edition products. Schneider has released fixes for the flaws.


Read more in:

Schneider Electric: InduSoft Web Studio and InTouch Machine Edition: Remote Code Execution Vulnerability

http://software.schneider-electric.com/pdf/security-bulletin/lfsec00000125/

Tenable: Tenable Research Advisory: Critical Schneider Electric InduSoft Web Studio and InTouch Machine Edition Vulnerability

https://www.tenable.com/blog/tenable-research-advisory-critical-schneider-electric-indusoft-web-studio-and-intouch-machine

SC Magazine: Zero-Day vulnerability found in two Schneider Electric ICS products

https://www.scmagazine.com/zero-day-vulnerability-found-in-two-schneider-electric-ics-products/article/763083/

ZDNet: A critical security flaw in popular industrial software put power plants at risk

https://www.zdnet.com/article/critical-security-flaw-schneider-industrial-software-power-plants-vulnerabilty/

Cyberscoop: New vuln discovered in Schneider Electric software, patches already issued

https://www.cyberscoop.com/schneider-electric-tenable-hmi-vulnerability/?category_news=technology


**************************  SPONSORED LINKS  ********************************


1) Don't Miss: "5 Ways Bro Gives You Better Data for Incident Response and Threat Hunting" Register: http://www.sans.org/info/203840


2) Learn about cyber deception and how to implement it. Register: http://www.sans.org/info/203850


3) Join SANS for the 2nd Annual Automotive Cybersecurity Summit, May 7-8, in Chicago. http://www.sans.org/info/203395


*****************************************************************************


THE REST OF THE WEEK'S NEWS


 --

More Flaws in Intel Processors

(May 3, 2018)

German magazine c't is reporting that eight new flaws found in central processing units (CPUs) bear resemblances to the Meltdown and Spectre flaws found in Intel CPUs earlier this year. The issues may also affect CPUs from ARM Holdings.

[Editor Comments]

[Ullrich] CPU flaws are here to stay. Unless you are willing to take a significant performance hit by radically simplifying the CPU architecture and removing features like branch prediction, you are not getting a secure CPU. The performance gain from these features is derived from executing code in an order different from the order envisioned by the developer. We had similar issues with compiler optimization in that code was optimized to a point where it functioned differently. Compiler optimizations can be turned off. Maybe we need a similar switch for CPUs to allow software that performs operations relevant for security to reduce CPU features.

 

Read more in:

Reuters: 'Next generation' flaws found on computer processors: magazine

https://www.reuters.com/article/us-cyber-intel/next-generation-flaws-found-on-computer-processors-magazine-idUSKBN1I42BZ

Heise: Exclusive: Spectre-NG - Multiple new Intel CPU flaws revealed, several serious

https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-serious-4040648.html

 

 --

Critical Flaw in Cisco WebEx Recording Function

(May 3, 2018)

A critical flaw in the Recording Player for Advanced Recording Format for Cisco's WebEx conferencing platform could be exploited to execute arbitrary code. Attackers could trick users into opening a file that claims to be a recording of a previous WebEx event. Cisco has made a patch for the issue available. Cisco has also released fixes for a number of other security issues in its products.


Read more in:

The Register: Quit WebEx now if you want to live! (Bad bugs, not killer slideware)

http://www.theregister.co.uk/2018/05/03/cisco_patches_may_2/

Threatpost: Critical Cisco WebEx Bug Allows Remote Code Execution

https://threatpost.com/critical-cisco-webex-bug-allows-remote-code-execution/131657/

Cisco: Cisco WebEx Advanced Recording Format Remote Code Execution Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180502-war

Cisco: Cisco Security Advisories and Alerts

https://tools.cisco.com/security/center/publicationListing.x

 

 --

Twitter Passwords Stored Insecurely

(May 3, 2018)

Twitter is urging all users to change their account passwords after learning that the data were stored insecurely. While Twitter passwords are supposed to be hashed so that no one at the company knows a user's password, a bug was writing passwords in plain text to an internal log. Twitter recommends that users also change passwords for any other sites on which they used the same password.


[Editor Comments]

[Neely] While this is an insider threat risk, it is still a good idea to not only change your Twitter account password, but also enable login verification (two-factor authentication). It uses SMS and is an improvement over single-factor authentication. Also, it's a good time to get rid of unused Twitter accounts.


Read more in:

Twitter: Keeping your account secure

https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html

Cyberscoop: Twitter warns all users to change passwords after discovering internal bug

https://www.cyberscoop.com/twitter-password-bug/?category_news=technology

Ars Technica: Twitter alerts users: Please change your passwords, we've seen them

https://arstechnica.com/information-technology/2018/05/twitter-advises-users-to-reset-passwords-after-bug-posts-passwords-to-internal-log/
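The failure mode in this item, a debug line that dumps a request including the submitted password, is easy to reproduce and easy to prevent. The following is an added example, not Twitter's code, showing three defensive pieces: a `logging.Filter` that masks the values of sensitive fields before any handler sees the record, a small scanner that finds lines in an existing log that already leaked a credential, and storage of the password itself only as a salted PBKDF2 hash. The field list `SENSITIVE_KEYS`, the function names and the sample log lines are constructed for this example.

```python
"""Keeping plaintext passwords out of application logs (added example).

A logging.Filter scrubs sensitive field values before any handler writes
the record, find_leaked_secrets() audits lines already on disk, and the
credential is stored only as a salted PBKDF2 hash. All names and sample
data below are constructed for this example, not taken from any product.
"""
import hashlib
import hmac
import logging
import os
import re
from typing import Dict, List, Optional, Tuple

# Field names whose values must never reach a log (assumed list; extend per app).
SENSITIVE_KEYS = ("password", "passwd", "secret", "token")

# Matches key=value, key: value, 'key': 'value' and "key": "value" in free text.
_KV_RE = re.compile(
    r"""(?P<key>["']?\b(?:%s)\b["']?\s*[=:]\s*)(?P<q>["']?)(?P<val>[^"'\s,}&]+)(?P=q)"""
    % "|".join(SENSITIVE_KEYS),
    re.IGNORECASE,
)


def redact(text: str) -> str:
    """Replace the value of every sensitive field in `text` with [REDACTED]."""
    return _KV_RE.sub(
        lambda m: m.group("key") + m.group("q") + "[REDACTED]" + m.group("q"), text
    )


class RedactSecrets(logging.Filter):
    """Render the record once, scrub it, and drop the raw args so nothing
    downstream (a JSON formatter, a second handler) can re-read the secret."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = None
        return True


def log_login_attempt(form: Dict[str, str], redacting: bool = True) -> str:
    """Reproduce the failure mode: a debug line that dumps the whole request.
    Returns the exact text that would have been written to the log file."""
    logger = logging.getLogger("example.login.%s" % redacting)
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    lines: List[str] = []

    class Capture(logging.Handler):  # stand-in for a file handler
        def emit(self, rec: logging.LogRecord) -> None:
            lines.append(self.format(rec))

    logger.addHandler(Capture())
    if redacting:
        logger.addFilter(RedactSecrets())  # logger-level filter runs before handlers
    logger.debug("login request: %s", form)  # the kind of line that leaks
    return lines[0]


def find_leaked_secrets(log_lines: List[str]) -> List[int]:
    """Detection for logs already written: indexes of lines holding a secret."""
    return [i for i, line in enumerate(log_lines) if redact(line) != line]


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store only a random salt and a PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison against the stored digest."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)


# Constructed sample log lines (no real data). Line 3 mentions "password" but
# carries no value, so the scanner must not flag it.
SAMPLE_LOG = [
    "2018-05-03 10:01:02 INFO  login ok user=alice",
    "2018-05-03 10:01:05 DEBUG login request: {'username': 'bob', 'password': 'hunter2'}",
    "2018-05-03 10:01:09 DEBUG POST body: user=carol&password=letmein&remember=1",
    "2018-05-03 10:02:00 INFO  password policy: min length 12",
]

if __name__ == "__main__":
    form = {"username": "bob", "password": "hunter2"}
    print(log_login_attempt(form, redacting=False))  # leaks hunter2
    print(log_login_attempt(form))                   # value shown as [REDACTED]
    print(find_leaked_secrets(SAMPLE_LOG))           # lines 1 and 2 only
```

The filter is attached to the logger rather than to one handler so that every destination (file, syslog, a structured JSON formatter) receives the scrubbed record; scanning existing logs with the same pattern is a cheap first step in an incident like this one to scope what was written and for how long.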



 --

Microsoft Patches Critical Flaw Affecting Docker Importer Service

(May 2 & 3, 2018)

Microsoft has released a fix for an improper input validation issue affecting the Windows Host Compute Service Shim (hcsshim) library. The library is used to import Docker container images, and the flaw could be exploited to execute code by tricking a user into importing a malicious Docker image.


Read more in:

Microsoft: CVE-2018-8115 | Windows Host Compute Service Shim Remote Code Execution Vulnerability

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8115

ZDNet: Windows security: Microsoft issues fix for critical Docker tool flaw, so patch now

https://www.zdnet.com/article/windows-security-microsoft-issues-fix-for-critical-docker-tool-flaw-so-patch-now/

The Register: Using Docker and Windows Server Containers? There's a patch for that

https://www.theregister.co.uk/2018/05/03/docker_for_windows_vuln/

 

 --

Cambridge Analytica Shuts Down

(May 2, 2018)

Cambridge Analytica is shutting down. The company was recently revealed to be involved in a scandal involving Facebook user data that were used to serve targeted advertisements aimed at influencing the 2016 US presidential election. A Facebook survey app making the rounds in 2014 required login credentials and allowed the survey's creator to harvest personal information from those responding to the survey as well as that of their Facebook friends. The information wound up in the possession of Cambridge Analytica, which worked on behalf of the Trump presidential campaign. The company is filing for bankruptcy.


[Editor Comments]

[Murray] Cambridge Analytica may be gone but the people and attitudes that led to it persist.  


Read more in:

Wired: Cambridge Analytica Shuts Down All Offices Amid Ongoing Facebook Crisis

https://www.wired.com/story/cambridge-analytica-shuts-down-offices-facebook-crisis/

SC Magazine: Cambridge Analytica shuts down, Twitter defends sale of data to firm

https://www.scmagazine.com/cambridge-analytica-shuts-down-twitter-defends-sale-of-data-to-firm/article/763108/

Ars Technica: Cambridge Analytica shuts down after Facebook user data scandal

https://arstechnica.com/tech-policy/2018/05/cambridge-analytica-shuts-down-after-facebook-user-data-scandal/

BBC: Cambridge Analytica: Facebook data-harvest firm to shut

http://www.bbc.com/news/business-43983958


 

 --

Fancy Bear APT Group Likely Replaced LoJack Command and Control Server with Its Own Server

(May 1 & 2, 2018)

Researchers have found instances of the LoJack laptop recovery tool that have had their command and control server addresses replaced with a command and control server that appears to be under the control of the Fancy Bear APT group.


Read more in:

The Register: Fancy that, Fancy Bear: LoJack anti-laptop theft tool caught phoning home to the Kremlin

http://www.theregister.co.uk/2018/05/02/lojack_fancy_bear/

SC Magazine: Fancy Bear likely behind malware found on Lojack C2 domains

https://www.scmagazine.com/fancy-bear-likely-behind-malware-found-on-lojack-c2-domains/article/763102/

Dark Reading: LoJack Attack Finds False C2 Servers

https://www.darkreading.com/attacks-breaches/lojack-attack-finds-false-c2-servers/d/d-id/1331691?

 

 --

FacexWorm: Malicious Chrome Extension

(May 2, 2018)

Malware known as FacexWorm is a malicious Chrome extension that spreads over Facebook Messenger using social engineering. For example, a user might be tricked into adding the malicious extension after clicking on a link that takes them to a phony YouTube page that prompts them to install the extension. FacexWorm has a variety of malicious capabilities, including intercepting account login credentials, swapping out a user's cryptocurrency wallet address with one under the control of the attacker, and using infected devices' resources to mine cryptocurrency.


[Editor Comments]

[Murray] The attack surface offered by browsers is already so broad that adding to it by the use of extensions is not prudent.  


Read more in:

TrendMicro: FacexWorm Targets Cryptocurrency Trading Platforms, Abuses Facebook Messenger for Propagation

https://blog.trendmicro.com/trendlabs-security-intelligence/facexworm-targets-cryptocurrency-trading-platforms-abuses-facebook-messenger-for-propagation/

Cyberscoop: Chrome malware targets cryptocurrency, spreads through Facebook's Messenger

https://www.cyberscoop.com/facexworm-trend-micro-facebook-messenger-cryptocurrency/


 


INTERNET STORM CENTER TECH CORNER

Creating Malicious Office Documents

https://isc.sans.edu/forums/diary/Diving+into+a+Simple+Maldoc+Generator/23609/


Google (and Amazon) Disable Domain Fronting

https://arstechnica.com/information-technology/2018/04/google-disables-domain-fronting-capability-used-to-evade-censors/



GPS Jamming Becoming More Common

https://www.avweb.com/avwebflash/news/GPS-Jamming-Major-Threat-to-Drone-230749-1.html

https://www.heise.de/newsticker/meldung/GPS-unter-Beschuss-Jamming-und-Spoofing-nehmen-zu-4038137.html (in German)


Windows Command Line References

https://isc.sans.edu/forums/diary/Windows+Commands+Reference+An+InfoSec+Must+Have/23613/


LoJack Laptop Anti-Theft Software "Phones Home" to Russia

https://asert.arbornetworks.com/lojack-becomes-a-double-agent/


Google Maps Can Be Used as a URL Shortener

https://nakedsecurity.sophos.com/2018/05/01/google-maps-open-redirect-flaw-abused-by-spammers/


More WebLogic Exploits

https://isc.sans.edu/forums/diary/WebLogic+Exploited+in+the+Wild+Again/23617/


Google Chrome To Enforce Certificate Transparency

https://groups.google.com/a/chromium.org/forum/#!msg/ct-policy/wHILiYf31DE/iMFmpMEkAQAJ


Retrieving DVR Credentials via "Admin Cookie"

https://github.com/ezelf/CVE-2018-9995_dvr_credentials


Ouch! GDPR Newsletter

https://www.sans.org/security-awareness-training/ouch-newsletter


GitHub/Twitter Password Storage Issues

https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html

https://www.zdnet.com/article/github-says-bug-exposed-account-passwords/


Facebook Adds Homograph Alert to Certificate Transparency Log Monitoring

https://www.facebook.com/notes/protect-the-graph/phishing-domain-detection/2037453483161459/


Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity

https://www.sans.org/reading-room/whitepapers/forensics/disrupting-empire-identifying-powershell-empire-command-control-activity-38315


 

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create