OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #45

June 8, 2018

VPNFilter Malware Worse Than We Thought; Drupal Hole Unpatched on 115,000+ Sites; Facebook, RiotGames, NetFlix and Lyft Share the Most Dangerous Amazon Cloud Security Errors

Today's AWS Cloud Insecurity Workshop is quite remarkable (see the 3rd story in Top of the News). If you can spare the time Monday (June 11) it will probably be the most valuable day you can invest to ensure security of your AWS cloud applications.



SANS NewsBites               June 8, 2018                Vol. 20, Num. 045




VPNFilter Malware is Worse Than We Thought

  Drupal Vulnerability Unpatched on 115,000+ Sites


Harvard, Facebook, RiotGames, NetFlix and Lyft Share the Most Dangerous Amazon Cloud Security Errors and Approaches for Fixing Them



US Legislators Introduce Bill That Would Prevent States from Enacting Their Own Encryption Laws


Australian Law Will Require Tech Companies to Help Law Enforcement Access Data


Adobe Patches Flash Zero-Day


Merchants Face June 30 Payment Card Encryption Update Deadline


Ticketfly Acknowledges Customer Data Compromised


Transamerica Acknowledges Client Data Compromised


DHS Investigating Commercial Airline Cybersecurity


Getting Tech On Board with Regulation: Lawmakers and the Tech Grok Gap


Archive File Extraction Library Flaws


Google Releases Android Security Update for June


***************************  Sponsored By Pulse Secure **********************

Don't Miss: "What Works in Visibility, Access Control and IOT SecurityPulse Secure NAC Outcomes at Energy Provider" with John Pescatore. Learn how a medium-sized Canadian power company integrated Pulse Secure Network Access Control into their network fabric to gain visibility into the assets in use, as well as enforce access controls while minimizing any business user disruption. Register: http://www.sans.org/info/204450


-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018

-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018

-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018

-- SANS London July 2018 | July 2-7 | https://www.sans.org/event/london-july-2018

-- Security Operations Summit 2018 | New Orleans, LA | July 30-August 6 | https://www.sans.org/event/security-operations-summit-2018

-- Security Awareness Summit 2018 | Charleston, SC | August 6-15 | https://www.sans.org/event/security-awareness-summit-2018

-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018

-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018

-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get an iPad Mini, ASUS Chromebook, or Take $250 Off with SANS OnDemand and vLive Training until June 13.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

Single Course Training

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap







VPNFilter Malware is Worse Than We Thought

(June 6 & 7, 2018)

The VPNFilter malware is capable of infecting a broader range of devices than previously thought. The malware is also more powerful than initially believed; a newly-detected module conducts a man-in-the-middle attack on incoming web traffic. The majority of currently infected devices are in Ukraine.

[Neely] One good defensive measure you can take is to make sure remote administration of your devices is disabled, or if it must be enabled, tightly control the access and check the logs. Be proactive checking for and applying appropriate firmware updates.

Read more in:

Talos: VPNFilter Update - VPNFilter exploits endpoints, targets new devices


Ars Technica: VPNFilter malware infecting 500,000 devices is worse than we thought


Threatpost: VPNFilter Malware Impact Larger Than Previously Thought


Dark Reading: VPNFilter Poses Broader Threat Than First Thought; Endpoints At Risk Too


Cyberscoop: Russian-linked VPNFilter malware is even worse than originally thought, new research suggests



 --Drupal Vulnerability Unpatched on 115,000+ Sites

(June 5 & 6, 2018)

More than two months after a fix was released for the Drupalgeddon 2 vulnerability, more than 115,000 Drupal sites have not yet been patched. Some of the sites are reportedly already compromised and being used to surreptitiously mine cryptocurrency.

Read more in:

Ars Technica: Three months later, a mass exploit of powerful Web servers continues


ZDNet: Over 115,000 Drupal sites still vulnerable to critical flaw


Bleeping Computer: Two Months Later, Over 115,000 Drupal Sites Still Vulnerable to Drupalgeddon 2


 --Harvard, Facebook, RiotGames, NetFlix and Lyft Share the Most Dangerous Amazon Cloud Errors and Approaches for Fixing Them (Act today if you want to learn them)

(June 8, 2018)

In today's Washington DC workshop Facebook's security director listed the 10 errors that caused the most security problems on Amazon Web Services and four other users provided case studies on how they improved security on AWS and showed participants how to automate key functions. For example, they showed how Netflix security team builds guardrails that help AWS developers deploy applications securely while getting out of their way for 99% of the dev cycle, and at the same time how they "automate everything." Lots more. RiotGames (League of Nations and more) showed the mistakes they had made and how they solved them. Plus ten really useful tools and a couple processes that the speakers' organizations are using and have made open source for the community to automate critical functions that make scaling easier. The audience commented that they found tools that will be critically valuable, better approaches and learned lessons that could have been fatal had they not known them in time.

You can still hear these presentations if you register today or over the weekend. The workshop will be repeated Monday in Austin TX and be available live online on Monday.  Save $400 by using the code CLOUD500

In person in Austin (39 places left): https://www.sans.org/event/cloud-insecurity-summit-tx

Online (48 places left): https://www.sans.org/event/cloud-insecurity-summit-tx/attend-remotely/

**************************  SPONSORED LINKS  ********************************

1) Don't Miss "The Cloud Browser: Enabling Safe and Secure OSINT Malware Analysis" with John Pescatore.  Register: http://www.sans.org/info/204455

2) MobileIron Webcast: "Its 2 AM, do you know where your data is?" Register: http://www.sans.org/info/204460

3) How are you dealing with the rapid evolution of Secure DevOps? Take the SANS 2018 Secure DevOps Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/204465




US Legislators Introduce Bill That Would Prevent States from Enacting Their Own Encryption Laws

(June 7, 2018)

US House legislators have introduced a bill that would prohibit states from enacting laws that would compel technology companies to weaken the security of their products to allow law enforcement access to conduct surveillance. The Encrypt Act also prohibits states from banning sales of products with strong encryption, and bars states from prohibiting companies maintain the ability to decrypt data stored on the devices they manufacture. The bill has bipartisan support.   

[Editor Comments]

[Pescatore] There seems to be no evidence that any states with significant buying power were planning on introducing "cripple crypto" legislation, but real world experience has shown that fewer back doors is always more secure than more back doors.

[Northcutt] Rep. Ted Lieu (D-Calif.) said it better than I can: "Any discussion of encryption and law enforcement access to data needs to happen at the federal level. As a computer science major, I can tell you that having 50 different mandatory state-level encryption standards is bad for security, consumers, innovation, and ultimately law enforcement."

Read more in:

The Hill: Lawmakers renew push to preempt state encryption laws


Cyberscoop: Congress wants to prevent states from weakening encryption


FCW: Lawmakers seek standardized national encryption policy



Australian Law Will Require Tech Companies to Help Law Enforcement Access Data

(June 6, 2018)

Forthcoming laws in Australia will compel tech companies to help law enforcement access encrypted communications of criminal suspects. Australian cyber security minister Angus Taylor was short on specifics about what techniques for accessing the data will be used, but did say that there will not be built-in backdoors.

[Editor Comments]

[Pescatore] In the US in 1994, we passed the Communications Assistance to Law Enforcement Act (CALEA) which showed there are ways to balance court ordered access to private communications with the rights to privacy and security of legitimate citizens and businesses. Adding encryption to the mix causes breakage in today's techniques, just the way unencrypted digital telcomms broke pre-1994 surveillance and investigative techniques. Any legislative solutions need to maintain that same balance of judicial review and access.

Read more in:

CNET: Australia will force tech companies to help cops view encrypted data



Adobe Patches Flash Zero-Day

(June 7, 2018)

Adobe has released a fix for a zero-day vulnerability in its Flash Player. The flaw is being actively exploited in targeted attacks against Windows machines in the Middle East. The issue affects Adobe Flash versions and earlier; the flaw has been fixed as of version Updates are available for Adobe Flash for Windows, macOS, Linux, and Chrome OS.

[Editor Comments]


It bears repeating that enterprises should not be using or allowing historically broken Flash.

[Neely] Your IT team should already be sharing immediate deployment plans for this fix. Patching Chrome requires an update to version 67.0.3396.78, and patches to Edge require the updated flash player from Microsoft.

Read more in:

Cyberscoop: Flash zero-day shows up in Qatar amid geopolitical struggles


The Register: Stop us if you've heard this one: Adobe Flash gets emergency patch for zero-day exploit


Bleeping Computer:

Adobe Patches Flash Zero-Day


SC Magazine: Adobe issues critical patch after Flash zero-day bug actively exploited in Middle East


Adobe: Security updates available for Flash Player | APSB18-19




Merchants Face June 30 Payment Card Encryption Update Deadline

(May 30 & June 6, 2018)

Merchants have until June 30, 2018, to upgrade encryption protocols on websites and payment terminals. Last year, the Payment Card Industry Security Standards Council announced that it would phase out TLS 1.0 encryption. Merchants that fail to upgrade to TLS 1.1 or later run the risk of having payment card transactions not go through.

Read more in:

Wired: An Encryption Upgrade Could Upend Online Payments


Forbes: Changes to PCI Compliance are Coming June 30. Is Your Ecommerce Business Ready?




Ticketfly Acknowledges Customer Data Compromised

(June 7, 2018)

Ticketfly has acknowledged that a breach of its website compromised accounts belonging to 27 million customers. A week ago, an attacker defaced the ticketing services company's website and accessed customer information. The compromised data include names, email addresses, mailing addresses, and phone numbers.

Read more in:

Gizmodo: Ticketfly Confirms Hack Exposed Personal Information of 27 Million Accounts


CNET: Ticketfly confirms 27M people's data stolen -- a week after hack




Transamerica Acknowledges Client Data Compromised

(June 5, 2018)

In a letter to California's Attorney General's office, financial organization Transamerica acknowledges that a hacker managed to steal account information of roughly 45,000 clients. Transamerica says it appears that the thief was able to access the accounts because the clients were using the same username/password combination across multiple sites. The compromised data include names, Social Security numbers, dates of birth, financial account data, and employment information.    

Read more in:

The Register: Here's a transaction Transamerica regrets: Transgressors swipe retirees' personal info


California OAG: Letter from Transamerica




DHS Investigating Commercial Airline Cybersecurity

(June 6, 2018)

Documents obtained by Motherboard through a Freedom of Information Act (FOIA) request show that the Department of Homeland Security (DHS) is investigating the cybersecurity of commercial airliners. One of the documents notes that it is only "a matter of time before a cyber security breach on an airline occurs."  

[Editor Comments]

[Pescatore] Terms like "inevitable" or "only a matter of time" always set my hype detector alarm off - scare tactics are in use. You never hear a business unit manager tell the Board "It is only a matter of time before we start to make a profit" or a software or services vendor trumpet "It is inevitable that you will need our product." That said, yes - raising the bar on security of on-board systems on big things like aircraft and little things like drones is important to the success of those businesses - a more effective way to focus on obtaining the management support and investment to make it happen.

Read more in:

Motherboard: US Government Probes Airplane Vulnerabilities, Says Airline Hack Is 'Only a Matter of Time'




Getting Tech On Board with Regulation: Lawmakers and the Tech Grok Gap

(June 5 & 6, 2018)

Speaking on a panel earlier this week, US Senator Mark Warner (D-Virginia) said that technology companies need to help legislators develop regulations to protect citizens' data and privacy. Warner said that "if [tech companies] leave us to do this on our own, we're gonna mess it up." Warner also pointed out that lawmakers' questions during Mark Zuckerberg's testimony in April underscored their lack of technical savvy. In a separate yet related story, last month legislators heard testimony from experts in quantum computing, leading one lawmaker to admit, "I can understand about 50 percent of the things you say." Some legislators are seeking to revive the Office of Technology Assessment (OTA), which conducted technological research to help inform legislative decisions. OTA was defunded in 1995, but the law authorizing its existence remains.  

Read more in:

Nextgov: Lawmaker: Congress Will 'Mess Up' Tech Regulation Without Help from Industry


Washington Post: 'I can understand about 50 percent of the things you say': How Congress is struggling to get smart on tech




Archive File Extraction Library Flaws

(June 5 & 6, 2018)

A critical arbitrary file overwrite vulnerability affects multiple archive file-extraction libraries that are used in thousands of projects. Dubbed the Zip Slip vulnerability, the path traversal issue can be exploited to overwrite archive files.

Read more in:

Snyk: Zip Slip Vulnerability


ZDNet: Open-source security: Zip Slip critical flaw hits thousands of projects. Update now


The Register: Loose .zips sink chips: How poisoned archives can hack your computer


Threatpost: Zip Slip Flaw Affects Thousands of Open-Source Projects




Google Releases Android Security Update for June

(June 5, 2018)

On Monday, June 4, Google released the monthly Android security update. In all, the update addresses 57 security issues; of those, 11 are rated critical. The most severe, according to Google, is a flaw in the Media framework that could be exploited to remotely execute code. The fixes will be pushed out to Pixel and Nexus devices. Vendors' patch availability usually lags a bit behind Google's.   

Read more in:

Threatpost: Google Patches 11 Critical Android Bugs in June Update


Android: Android Security Bulletin--June 2018




Malicious Post-Exploitation Batch File


Zip Slip Vulnerability


Redis Exploits


Drupalgeddon 2 Update


VPNFilter Update


Prowli Botnet


Cisco Security Bulletins


F-Secure RAR Vulnerability


PCAP to Weblogs



Critical Adobe Flash Update


SuperMicro Firmware Vulnerability


FOSCAM Video Camera Vulnerabilities


Sofacy Update


Automated Twitter Loot Collection




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create