Learn from real-world practitioners in real-time during SANS San Diego Fall Live Online. Save $300 thru 10/21.

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #43

June 1, 2018


SANS NewsBites                June 1, 2018                 Vol. 20, Num. 043




North Korean Hackers Exploiting ActiveX Flaws in Attacks


Report Finds Gaps in Electrical Grid Disruption Preparedness


Congress Adds Amendment to NDAA That Would Require Warrants for eMail Searches



Fixes Available for Git Bugs


Singapore Telecommunications Limited Left Port 10000 Open on More than 1,000 Routers


Pentagons Defense Travel System Bug Bounty Program


Chrome 67 Includes Default Supports for WebAuthn


Canadian Man Who Helped FSB Break Into eMail Accounts Sentenced to Prison in US


Two Canadian Banks Say Customer Data May Have Been Stolen


Coca-Cola Internal Data Breach


DHS-Dept. Of Commerce Report Makes Recommendations for Developers and Manufacturers to Enhance Botnets and DDoS Protection



***************************  Sponsored By Magnet Forensics  ************************************

Magnet AXIOM. Recover digital evidence from the most sources, including smartphones, cloud services, computers, IoT devices and third-party images. Analyze all the data in one case file. Make sure no evidence is missed. Visit Magnet Forensics for a live demonstration at SANS DFIR Summit. http://www.sans.org/info/204395


-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018

-- Cloud In-Security Summit - DC | Crystal City, VA | June 8 | https://www.sans.org/event/cloud-insecurity-summit-dc

-- Cloud In-Security Summit - Austin | Austin, TX | June 11 | https://www.sans.org/event/cloud-insecurity-summit-tx

-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018

-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018

-- SANS London July 2018 | July 2-7 | https://www.sans.org/event/london-july-2018

-- Security Operations Summit 2018 | New Orleans, LA | July 30-August 6 | https://www.sans.org/event/security-operations-summit-2018

-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018

-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018

-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get an iPad Mini, ASUS Chromebook, or Take $250 Off with SANS OnDemand and vLive Training until June 13.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

Single Course Training

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






North Korean Hackers Exploiting ActiveX Flaws in Attacks

(May 31, 2018)

South Korean researchers say that North Korean hackers have been exploiting a zero-day ActiveX vulnerability to infect computers in South Korea with malware and to steal data. The North Korean hacking group, known as Andariel, have been using at least nine ActiveX vulnerabilities in their attacks.

Read more in:

Bleeping Computer: ActiveX Zero-Day Discovered in Recent North Korean Hacks




Report Finds Gaps in Electrical Grid Disruption Preparedness

(May 31, 2018)

A joint report from the US Department of Homeland Security (DHS) and the Department of Energy (DoE) says that while the country in general, is well prepared to manage most electricity disruptions, there are gaps that are preventing some stakeholders from improving their ability to respond effectively to major cyber events that target the grid. The problems include a lack of adequate information sharing between the government and the private sector; a lack of clarity about the roles specific organizations play in incident response; inadequate efforts to address electric sector supply chain security issues; and an insufficient work force.

Read more in:

The Hill: Federal assessment finds gaps in preparation for electric grid attacks


Energy: Section 2(e): Assessment of Electricity Disruption Incident Response Capabilities



Congress Adds Amendment to NDAA That Would Require Warrants for eMail Searches

(May 30, 2018)

The US House of Representatives has added an amendment to the National Defense Authorization Act (NDAA) that would require law enforcement to obtain a warrant from a judge before compelling service providers to turn over customers messages. The amendment is the latest effort to establish a formal email privacy law.

[Murray] As important, not to say urgent, as this issue is, the amendment is a questionable, not to say terrible, way to deal with it.


Read more in:

The Register: Law forcing Feds to get warrants for email slurping is sneaked into US military budget


Amendments-Rules: Privacy Protections for Electronic Communications Information That is Stored by Third-Party Service Providers


**************************  SPONSORED LINKS  ********************************

1) ThreatX Webcast: "Your Current Approach to Threat Detection & Neutralization is Broken" Register: http://www.sans.org/info/204400

2) How can you proactively improve your ability to better detect and respond to threats? Register to learn more: http://www.sans.org/info/204405

3) How are you dealing with the rapid evolution of Secure DevOps? Take the SANS 2018 Secure DevOps Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/204410





Fixes Available for Git Bugs

(May 30, 2018)

An arbitrary code execution flaw in Git has been fixed. The issue affected GitHub, GitLab, Microsoft VSTS. The bug could be exploited through a malicious repository. Git tool developers pushed out a fix in version 2.17.1, which addresses this issue and another vulnerability. Earlier versions have also been updated to 2.13.7, 2.14.4, 2.15.2, and 2.16.4. 

Read more in:

The Register: Git security vulnerability could lead to an attack of the (repo) clones


Threatpost: Bug in Git Opens Developer Systems Up to Attack


SC Magazine UK: Flaw in Git could result in remote code execution




Singapore Telecommunications Limited Left Port 10000 Open on More than 1,000 Routers

(May 30, 2018)

Singapore Telecommunications Limited (SingTel) forgot to secure port 10000 in more than 1,000 of its Wi-Fi gigabit routers, exposing customers to attacks and exposing Internet of Things (IoT) devices connected to the vulnerable routers. Attackers could have exploited the open ports to access administrative settings in vulnerable devices. SingTel enabled port forwarding on port 10000 while troubleshooting Wi-Fi issues. The company has disabled port forwarding to port 10000 for the affected devices.

Read more in:

SC Magazine UK: Open ports left over 1,000 SingTel routers vulnerable to cyber-attacks




Pentagons Defense Travel System Bug Bounty Program

(May 30, 2018)

The US Department of Defenses (DoDs) Hack the Defense Travel System (DTS) bug bounty program turned up 65 valid security issues over the four weeks that it ran. Of those, 28 were rated high or critical severity. DTS is used by millions of DoD workers around the world.

Read more in:

Dark Reading: Dozens of Vulnerabilities Discovered in DoD's Enterprise Travel System


Nextgov: Hackers Find 65 Bugs in the Pentagons Travel Management System


SC Magazine: DTS bug bounty challenge yields 654 valid, unique vulnerabilities


Business Wire: U.S. Department of Defense Secures the DTS With Help From Hackers on HackerOne




Chrome 67 Includes Default Supports for WebAuthn

(May 30, 2018)

Google has released version 67 of its Chrome browser for Android to the stable channel. Chrome 67.0.3396.68 addresses 34 security issues including mitigations for the Spectre flaw. The newest version of Chrome also supports WebAuthn by default. Among the fixes are nine high-severity flaws, 12 medium-security flaws and three low-severity issues. The update is expected to be available soon for Windows, Mac, and Linux. 

[Neely]  24 of the 34 fixes were reported by external researchers. Chromes site isolation feature is their primary mitigation for Spectre which is still in trial form. The footprint is at most 1% less in Chrome 67 than Chrome 63. It adds more protections from a single browser tab crashing, which could previously be leveraged to exploit Spectre weaknesses. Eventually this will be the default. Use guidance from the Chromium.org Site Isolation page (https://www.chromium.org/Home/chromium-security/site-isolation) to help determine if site isolation is causing issues.


WebAuthN is a really good idea and it builds on 4 years of previous industry standards work. It has many of the big technology companies behind itbut not all, as Apple doesnt currently support it, even though Apple is on the W3C Web Auth working group. While the three major browsers now support it, it is not yet built into mobile devices and Apple has a large share of those devices. Google and Facebook own a huge share of web logins, both of them getting behind WebAuthN could drive consumer adoption. But, if Apple isnt rowing as hard as the others, the boat will go slowly or in circles.

Read more in:

Chrome Releases: Chrome for Android Update


ZDNet: Chrome 67 is out: Password-free logins get closer, plus bug fixes, better AR-VR support


Threatpost: Google Patches 34 Browser Bugs in Chrome 67, Adds Spectre Fixes




Canadian Man Who Helped FSB Break Into eMail Accounts Sentenced to Prison in US

(May 29 & 30, 2018)

A Canadian man who helped Russian hackers break into email accounts in 2014 has been sentenced to five years in US prison. Karin Baratov was extradited to the US in March 2017 and pleaded guilty to conspiracy to commit computer fraud and aggravated identity theft in November 2017. Baratov was also ordered to pay a $250,000 USD fine. Baratov was working on behalf of Russian FSB agents.

Read more in:

The Register: Yahoo! merc! hacker! Karim! Baratov! gets! five! years! in! the! clink!


Reuters: Canadian who helped Yahoo email hackers gets five years in prison


Bob Sullivan: Yahoo hacker, focus of Breach podcast, sentenced to five years in prison


DoJ: Canadian Hacker Who Conspired With and Aided Russian FSB Officers Pleads Guilty (November 2017)




Two Canadian Banks Say Customer Data May Have Been Stolen

(May 28 & 30, 2018)

Two banks in Canada say they have been contacted by someone claiming to have stolen information on tens of thousands of customer accounts. The Bank of Montreal and Simplii Financial are both taking the claim of the breach seriously.

Read more in:

eWeek: Two Canadian Banks Report Breaches Exposing Customer Data


Motherboard: Canadian Banks Say Fraudsters Stole Information From at Least 40,000 Customers


Threatpost: Fraudsters Claim to Hack Two Canadian Banks


InfoSecurity Magazine: Two Canadian Banks Warn Customers of Possible Breach




Coca-Cola Internal Data Breach

(May 25 & 29, 2018)

Coca-Cola has acknowledged that personally identifiable information of approximately 8,000 employees was compromised after it was discovered that a former employee was in possession of a hard drive containing the data. 

[Neely] While the breach happened in September of 2017, announcement was delayed to allow the investigation to complete. This came back to a former employee of a subsidiary having a drive with data at home, which points to the harder task of sub-contractor security rather than internal corporate security. Beyond inclusion of cyber security requirements in contract language, it is critical to verify that the requirements are being followed. Regular reviews of that language are also needed to insure it is consistent with the current threat landscape/risk profile. While Coca-Cola is offering one year of free identity monitoring, affected employees should plan on using monitoring services indefinitely regardless of who pays for them as the company cannot characterize the data lost for each employee.

Read more in:

Bleeping Computer: Coca-Cola Suffers Breach at the Hands of Former Employee


SC Magazine: Coca-Cola hit with insider breach, 8,000 affected



 --DHS-Dept. Of Commerce Report Makes Recommendations for Developers and Manufacturers to Enhance Botnets and DDoS Protection

(May 22, 29, & 31, 2018)

A joint report from the US Department of Homeland Security (DHS) and the Department of Commerce says that there should be incentives for developers, manufacturers, and vendors to build security into their products to protect networks from botnets and distributed denial-of-service (DDoS) attacks. The report advocates not only for better security in devices, but also more cooperation between companies that comprise the countrys infrastructure, and improved procurement practices for businesses.

Read more in:

ZDNet: Internet security: Slaying the botnet beast and the DDoS dragon


Cyberscoop: In war against botnets, manufacturers need to step up, report says


Dept. of Commerce: A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats




New DNS Features


Apple Updates


Scans For Misconfigured EOS Blockchain Nodes


NPM Bug Causes Update Failures/Application Crashes


MnuBot Exfiltrates Data Via MSSQL


Windows JScript Vulnerability


Two Git Vulnerabilities Patched



SpamCannibal Blacklist Temporarily Marks All IPs as "Spam"


QRadar Remote Code Execution


Safely Resetting Routers


CSS mix-blend-mode Side Channel Attack


New ActiveX Exploit Seen in the Wild (in Korean with translate option)


Apple iMessage Security


10 Year Old Vulnerability in Steam Discovered




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create