

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #35

May 4, 2018

The list of major companies dealing with flaws that are already being exploited skyrocketed this week (too many to put them all in Top of the News), not because they are writing any worse software or firmware. Rather, malicious vulnerability seekers are improving their tools and skills while the large software and hardware developers are trying to get along on out-of-date skills, or to put the entire product security load on a tiny number of elite cyber experts, who sometimes need to sleep.

The Cloud In-Security workshop in Washington DC (targeting solutions for the 10 most dangerous errors cloud users are making) is nearly full, but Austin has more space.

    -- Washington DC: https://www.sans.org/event/cloud-insecurity-summit-dc

    -- Austin: https://www.sans.org/event/cloud-insecurity-summit-tx





Hackers Exploited Oracle Flaws Within Hours of Disclosure

Washington State Utility Adds Employee Security After Cryptocurrency Mining Incidents

Schneider Releases Fixes for Critical Flaws in ICS Software

More Flaws in Intel Processors

Critical Flaw in Cisco WebEx Recording Function

Twitter Passwords Stored Insecurely

Microsoft Patches Critical Flaw Affecting Docker Importer Service

Cambridge Analytica Shuts Down

Fancy Bear APT Group Likely Replaced LoJack Command and Control Server with Its Own Server

FacexWorm: Malicious Chrome Extension



***************************  Sponsored By DomainTools  ************************************

Threat actors tools, techniques and procedures are evolving at a rapid pace, making it even more difficult for organizations to effectively defend their network. This is forcing security professionals to be more agile and moving beyond simply block and tackle security strategies. Join SANS instructor, Rebekah Brown and DomainTools Data Systems Engineer, Mike Thompson to learn how the threat intelligence space is changing and what techniques security professionals can apply to stay ahead of threat actors. Register:  http://www.sans.org/info/203845



-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018

-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018

-- SANS Northern VA Reston Spring 2018 | May 20-25 | https://www.sans.org/event/northern-va-reston-spring-2018

-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018

-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 | https://www.sans.org/event/rocky-mountain-2018

-- SANS London June 2018 | June 4-12 | https://www.sans.org/event/london-june-2018

-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018

-- Cloud In-Security Summit - DC | Crystal City, VA | June 8 | https://www.sans.org/event/cloud-insecurity-summit-dc

-- Cloud In-Security Summit - Austin | Austin, TX | June 11 | https://www.sans.org/event/cloud-insecurity-summit-tx

-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Special Offer: Get an iPad, a Samsung Galaxy Tab A, or take $250 Off with OnDemand or vLive Training until May 16.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






Hackers Exploited Oracle Flaws Within Hours of Disclosure

(April 30 & May 3, 2018)

Administrators are being urged to install Oracle's patches for CVE-2018-2628, a remote code execution vulnerability in WebLogic Server. Just hours after Oracle released the fixes in mid-April, hackers began exploiting the flaw. Compounding the issue is research suggesting that the fix can be easily bypassed. Until that issue is resolved, administrators are advised to restrict access to TCP port 7001 on WebLogic installations as much as possible.

[Editor Comments]

[Neely] It appears Oracle blocked one attack vector rather than fixing the underlying vulnerability, so bypassing the fix was possible. Port 7001 is the default WebLogic Server Administration server listen port, and can be changed to anything from 7001-9000, so consider not only restricting access to that port, but also changing it. If you do change it, the administration tools will need reconfiguration.


Read more in:

SANS Internet Storm Center: WebLogic Exploited in the Wild (Again)


The Register: Hurry up patching those Oracle bugs? Attackers aren't waiting


The Register: Umm, Oracle - about that patch? It might not be very sticky ...



Washington State Utility Adds Employee Security After Cryptocurrency Mining Incidents

(May 2 & 3, 2018)

The Chelan County (Washington) Public Utility District is installing bulletproof panels and security cameras at PUD headquarters after several incidents involving unauthorized cryptocurrency miners who were upset because their power was cut off, or unhappy wannabe cryptocurrency miners who were denied high-density load service due to a moratorium. In March 2018, PUD commissioners instituted the high-density load moratorium to allow staff to develop a plan to deal with the increased demand. The moratorium also authorized Chelan PUD staff to disconnect service to unauthorized cryptocurrency mining operations.

[Editor Comments]

[Northcutt] This really is an amazing story. I was just there 8 months ago and, because of cheap hydroelectric power, mining operations are everywhere. So they have been trying to crack down:

BTC Manager: Washington Chelan County PUD: We Will No Longer Tolerate Illegal Bitcoin Mining Activities


WSJ: Bitcoin Mania Triggers Miner Influx to Rural Washington (please note that the Wall Street Journal is behind a firewall)


[Pescatore] This is an extreme example, but still an example of two important points: (1) Business events or publicity can cause attacks against a company to quickly become much more likely and require increased levels of monitoring, prevention, and response. (2) Physical security is a very different discipline than cybersecurity; while the two areas have intersections and can benefit from integrated processes, it is important to have real expertise in both areas, which very often means separate organizations.

Read more in:

Chelan PUD: PUD Board acts to halt unauthorized bitcoin mining


GovTech: Washington Utility Boosts Security After Bitcoin Mining Moratorium



Schneider Releases Fixes for Critical Flaws in ICS Software

(May 2, 2018)

Researchers from Tenable have found a critical flaw in Schneider Electric industrial control software that could be exploited to disrupt or shut down operations at facilities where the software is in use. The vulnerability affects Schneider Electric's InduSoft Web Studio and InTouch Machine Edition products. Schneider has released fixes for the flaw.

Read more in:

Schneider Electric: InduSoft Web Studio and InTouch Machine Edition: Remote Code Execution Vulnerability


Tenable: Tenable Research Advisory: Critical Schneider Electric InduSoft Web Studio and InTouch Machine Edition Vulnerability


SC Magazine: Zero-Day vulnerability found in two Schneider Electric ICS products


ZDNet: A critical security flaw in popular industrial software put power plants at risk


Cyberscoop: New vuln discovered in Schneider Electric software, patches already issued


**************************  SPONSORED LINKS  ********************************

1) Don't Miss: "5 Ways Bro Gives You Better Data for Incident Response and Threat Hunting" Register: http://www.sans.org/info/203840

2) Learn about cyber deception and how to implement it. Register: http://www.sans.org/info/203850

3) Join SANS for the 2nd Annual Automotive Cybersecurity Summit, May 7-8, in Chicago. http://www.sans.org/info/203395




More Flaws in Intel Processors

(May 3, 2018)

German magazine c't is reporting that eight new flaws found in central processing units (CPUs) bear resemblances to the Meltdown and Spectre flaws found in Intel CPUs earlier this year. The issues may also affect CPUs from ARM Holdings.

[Editor Comments]

[Ullrich] CPU flaws are here to stay. Unless you are willing to take a significant performance hit by radically simplifying the CPU architecture and removing features like branch prediction, you are not getting a secure CPU. The performance gain from these features is derived from executing code in an order different from the order envisioned by the developer. We had similar issues with compiler optimization, in that code was optimized to a point where it functioned differently. Compiler optimizations can be turned off. Maybe we need a similar switch for CPUs to allow software that performs operations relevant for security to reduce CPU features.


Read more in:

Reuters: 'Next generation' flaws found on computer processors: magazine


Heise: Exclusive: Spectre-NG - Multiple new Intel CPU flaws revealed, several serious




Critical Flaw in Cisco WebEx Recording Function

(May 3, 2018)

A critical flaw in the Recording Player for Advanced Recording Format for Cisco's WebEx conferencing platform could be exploited to execute arbitrary code. Attackers could trick users into opening a file that claims to be a recording of a previous WebEx event. Cisco has made a patch for the issue available. Cisco has also released fixes for a number of other security issues in its products.

Read more in:

The Register: Quit WebEx now if you want to live! (Bad bugs, not killer slideware)


Threatpost: Critical Cisco WebEx Bug Allows Remote Code Execution


Cisco: Cisco WebEx Advanced Recording Format Remote Code Execution Vulnerability


Cisco: Cisco Security Advisories and Alerts




Twitter Passwords Stored Insecurely

(May 3, 2018)

Twitter is urging all users to change their account passwords after learning that the data were stored insecurely. While Twitter passwords are supposed to be masked so that no one at the company knows a user's password, a bug was writing passwords in plain text to an internal log. Twitter recommends users also change passwords for any other sites on which they used the same password.

[Editor Comments]

[Neely] While this is an insider threat risk, it is still a good idea to not only change your Twitter account password, but also enable login verification (two-factor authentication). It uses SMS and is an improvement over single-factor authentication. Also, it's a good time to get rid of unused Twitter accounts.

Read more in:

Twitter: Keeping your account secure


Cyberscoop: Twitter warns all users to change passwords after discovering internal bug


Ars Technica: Twitter alerts users: Please change your passwords, we've seen them
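The Twitter bug above is a logging defect: a credential that should only ever exist as a salted hash was written verbatim to an internal log. As an added example (not code from the newsletter or from Twitter), the block below shows the defensive pattern a practitioner would want: a logging filter that masks credential fields before any handler writes them, the salted hash that should be stored instead, and an incident-response scan over an existing log for values that were written unmasked. The field names, logger name and sample log lines are constructed for the demonstration.

```python
"""Added example (not from the newsletter or from Twitter): redact credential
fields before they reach any log handler, store only a salted hash, and scan
an existing log for values that were written unmasked. Key names and the
sample log lines are constructed for the demo."""
import hashlib
import io
import logging
import os
import re
from typing import Iterable, List, Optional

# Constructed list of field names whose values must never appear in a log.
SENSITIVE_KEYS = ("password", "passwd", "pwd", "secret", "token")

# Matches key=value, key: value and "key": "value"; group 1 is the key part,
# group 2 the value to be masked.
_PATTERN = re.compile(
    r"""(?i)(["']?(?:%s)["']?\s*[:=]\s*["']?)([^"'\s,&;]+)""" % "|".join(SENSITIVE_KEYS)
)

def redact(text: str) -> str:
    """Replace the value of every sensitive key=value pair with ***."""
    return _PATTERN.sub(lambda m: m.group(1) + "***", text)

class CredentialRedactingFilter(logging.Filter):
    """Rewrites each record's message so no handler ever sees a secret.
    Attached to a logger, it runs before any handler formats the record."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # args are already folded into msg above
        return True

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """What the store should hold instead of the password: salted PBKDF2."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return "pbkdf2_sha256$%s$%s" % (salt.hex(), digest.hex())

def find_leaks(lines: Iterable[str]) -> List[int]:
    """Incident-response check over an existing log: 1-based line numbers
    that still carry an unmasked credential value."""
    return [n for n, line in enumerate(lines, 1) if redact(line) != line]

def log_through_filter(message: str) -> str:
    """Send one message through a filtered logger; return what was written."""
    stream = io.StringIO()
    logger = logging.getLogger("auth-demo")  # constructed logger name
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(CredentialRedactingFilter())
    logger.info(message)
    return stream.getvalue()
```

Running `find_leaks` over an archived log is the check to do after such a bug is fixed: any line it reports held a plaintext credential and every account named on that line needs a password reset, exactly the step Twitter asked its users to take.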



Microsoft Patches Critical Flaw Affecting Docker Importer Service

(May 2 & 3, 2018)

Microsoft has released a fix for an improper input validation issue affecting the Windows Host Computer Service Shim (hcsshim) library. The service is used to import Docker container images, and could be exploited to execute code by tricking users into importing a malicious Docker image.

Read more in:

Microsoft: CVE-2018-8115 | Windows Host Compute Service Shim Remote Code Execution Vulnerability


ZDNet: Windows security: Microsoft issues fix for critical Docker tool flaw, so patch now


The Register: Using Docker and Windows Server Containers? There's a patch for that




Cambridge Analytica Shuts Down

(May 2, 2018)

Cambridge Analytica is shutting down. The company was recently revealed to be involved in a scandal involving Facebook user data that were used to serve targeted advertisements aimed at influencing the 2016 US presidential election. A Facebook survey app making the rounds in 2014 required login credentials and allowed the survey's creator to harvest personal information from those responding to the survey as well as that of their Facebook friends. The information wound up in the possession of Cambridge Analytica, which worked on behalf of the Trump presidential campaign. The company is filing for bankruptcy.

[Editor Comments]

[Murray] Cambridge Analytica may be gone but the people and attitudes that led to it persist.  

Read more in:

Cambridge Analytica Shuts Down All Offices Amid Ongoing Facebook Crisis


SC Magazine: Cambridge Analytica shuts down, Twitter defends sale of data to firm


Ars Technica: Cambridge Analytica shuts down after Facebook user data scandal


BBC: Cambridge Analytica: Facebook data-harvest firm to shut




Fancy Bear APT Group Likely Replaced LoJack Command and Control Server with Its Own Server

(May 1 & 2, 2018)

Researchers have found instances of the LoJack laptop recovery tool that have had their command and control server addresses replaced with a command and control server that appears to be under the control of the Fancy Bear APT group.

Read more in:

The Register: Fancy that, Fancy Bear: LoJack anti-laptop theft tool caught phoning home to the Kremlin


SC Magazine: Fancy Bear likely behind malware found on Lojack C2 domains


Dark Reading: LoJack Attack Finds False C2 Servers




FacexWorm: Malicious Chrome Extension

(May 2, 2018)

Malware known as FacexWorm is a malicious Chrome extension that spreads over Facebook Messenger using social engineering. For example, a user might be tricked into adding the malicious extension after clicking on a link that takes them to a phony YouTube page that prompts them to install the extension. FacexWorm has a variety of malicious capabilities, including intercepting account login credentials, swapping out a user's cryptocurrency wallet address with one under the control of the attacker, and using infected devices' resources to mine cryptocurrency.

[Editor Comments]

[Murray] The attack surface offered by browsers is already so broad that adding to it by the use of extensions is not prudent.  

Read more in:

TrendMicro: FacexWorm Targets Cryptocurrency Trading Platforms, Abuses Facebook Messenger for Propagation


Cyberscoop: Chrome malware targets cryptocurrency, spreads through Facebook's Messenger




Creating Malicious Office Documents


Google (and Amazon) Disable Domain Fronting



GPS Jamming Becoming More Common


https://www.heise.de/newsticker/meldung/GPS-unter-Beschuss-Jamming-und-Spoofing-nehmen-zu-4038137.html (in German)

Windows Command Line References


LoJack Laptop Anti-Theft Software "Phones Home" to Russia


Google Maps Can Be Used as a URL Shortener


More WebLogic Exploits


Google Chrome To Enforce Certificate Transparency


Retrieving DVR Credentials via "Admin Cookie"



Ouch! GDPR Newsletter


GitHub/Twitter Password Storage Issues



Facebook Adds Homograph Alert to Certificate Transparency Log Monitoring


Disrupting the Empire: Identifying PowerShell Empire Command and Control Activity





The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create