Final Week - Save $350 or Get A GIAC Cert Attempt Included with Online Training!

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #5

January 19, 2018

****************************************************************************

SANS NewsBites               January 19, 2018                Vol. 20, Num. 005

****************************************************************************

TOP OF THE NEWS

Cyber Security Competitions for Girls in US, UK

Indiana Hospital Paid Ransomware Attackers to Regain Data Access

Industrial Control Systems and CPU Bugs

REST OF THE WEEK'S NEWS

Microsoft Releases Fixes for Problematic CPU Patches

Cryptex Creator Pleads Guilty

Man Pleads Guilty to Dozens of DDoS Attacks  

Oracle Critical Patch Update

Trisis Malware Used in Attack Against Middle Eastern Energy Company

Hawaii Emergency Management Agency Password on a Post-it

House Passes Bill Flouting Tillerson's Decision to Eliminate State Dept. Cyber Post

Fixes Available for BIND Vulnerability

 

INTERNET STORM CENTER TECH CORNER

 

***************************  Sponsored By Unisys ****************************


The Zero Trust architecture is an ideal solution for the cloud where it is not possible to trust the network. Register for "Building Zero Trust Model with Microsegmentation in the Cloud" to learn more: http://www.sans.org/info/201245


*****************************************************************************

TRAINING UPDATE


-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018


-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018


-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018


-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018


-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018


-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018


-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018


-- SANS London March 2018 | March 5-10 | https://www.sans.org/event/London-March-2018


-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018


-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad, ASUS Chromebook or $350 Off with your vLive Course when you register by January 24. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast - https://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format -https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all


*****************************************************************************

TOP OF THE NEWS

 --Cyber Security Competitions for Girls in US and UK

(January 16, 2018)

Signups are now open in the US for the high school girls GirlsGoCyberStart competition in 16 US states (www.girlsgocyberstart.com) and the UK 2018 CyberFirst Girls Competition (girls) and CyberDiscovery competition (boys and girls). The US competition is open to all high school girls (public/private/home-schooled) in the following states (HI, NV, CO, WY, TX, IA, IN, MS, NC, MD, WV, DE, NJ, NY, CT, VT, and American Samoa) and the schools don't have to participate - the kids can play from home. The UK CyberFirst competition is open to 12 to 13 year-old girls in year 8 in England, S2 in Scotland, and year 9 in Northern Ireland. Last year's US competition had 3,500 participants (reports from the participating states posted at cyberstart.us) while the UK competition had more than 8,000 participants.  In addition, more than 10,000 high school boys and girls in England have already signed up and are playing CyberDiscovery program.

[Editor Comments]

[Neely] This is an excellent opportunity to learn, network and apply skills at a young age. These participants will likely be a key part of our next generation of InfoSec professionals. I encourage any eligible girls in an area that is open to them to participate.

Read more in:

United States Competitions

Introducing Girls Go CyberStart

https://Girlsgocyberstart.com

And https://www.sans.org/CyberStartUS


United Kingdom

NCSC: It's back! The CyberFirst Girls Competition 2018

https://www.ncsc.gov.uk/blog-post/its-back-cyberfirst-girls-competition-2018

CyberFirst: Girls Competition is back!

https://www.cyberfirst.ncsc.gov.uk/girlscompetition/

UK CyberDiscovery: https://www.joincyberdiscovery.com/

 

 --

Indiana Hospital Paid Ransomware Attackers to Regain Data Access

(January 16 & 17, 2018)

The Indiana hospital that was hit by ransomware last week paid the attackers four Bitcoins (approximately $55,000 USD) to regain access to their data. Hancock decided to pay the ransom instead of restoring its systems from backups because that process would be time-consuming and expensive.    


[Editor Comments]

[Murray] In the face of ransomware, one needs a backup system designed with the necessary time to restore as a feature.   The old assumptions, that backup would rarely be used and only to recover a limited number of files, no longer hold.  


[Williams] We've seen evidence that attackers are experimenting to find that ransom sweet spot where companies will pay to avoid executing a DR plan. As long as restoring from backups is more expensive paying the ransom, it appears companies decide it makes financial sense to pay a ransom. However, 100% of the companies we work with that have paid a ransom have the attackers try to come back for more later.  Paying the ransom works in the short term, but immediate changes are needed in network security to avoid paying ransoms again and again. Most important: implement network monitoring and skilled people who can detect attacks in the early stages.

[Neely] While these systems had backups, they could not be restored quickly enough to meet operational requirements. When managing a backup system remember to factor in the recovery time objective and test to make sure that objective can be met as well as verify that the objective has not changed or is appropriate for all use cases needed to meet operational requirements. Conducting regular DR exercises will help this process.

Read more in:

The Register: Hospital injects $60,000 into crims' coffers to cure malware infection

http://www.theregister.co.uk/2018/01/16/us_hospital_ransomware_bitcoin/

ZDNet: US hospital pays $55,000 to hackers after ransomware attack

http://www.zdnet.com/article/us-hospital-pays-55000-to-ransomware-operators/

                                                                                        

 --

Industrial Control Systems and CPU Bugs

(January 18, 2018)

Twelve industrial control system (ICS) vendors have told ICS-CERT that they use processors affected by the Meltdown and Spectre bugs. The companies have issued customer notifications that include recommendations for users.

[Editor Comments]

[Neely] ICS vendors are providing information on impact, applicability, patch guidance and mitigation information. Important ICS mitigations include isolation and not executing additional unnecessary applications on those systems. Work with your ICS vendor to make sure the patches are not only tested but any performance impacts are known and acceptable.

Read more in:

The Register: Industrial systems scrambling to catch up with Meltdown, Spectre

http://www.theregister.co.uk/2018/01/18/ics_cert_meltdown_responses/

ICS-CERT: Meltdown and Spectre Vulnerabilities (Update B)

https://ics-cert.us-cert.gov/alerts/ICS-ALERT-18-011-01B


**************************  SPONSORED LINKS  ********************************


1) Register now for our webcast to learn how we're redefining security in the software defined data center: http://www.sans.org/info/201250


2) Don't Miss: "Mind the Gap: going beyond penetration testing for security improvement"  Register: http://www.sans.org/info/201255


3) "Why Insider Actions Matter: SANS Review of LogRhythm CloudAI for User and Entity Behavior Analytics" with Dave Shackleford. Register:  http://www.sans.org/info/201260


*****************************************************************************

THE REST OF THE WEEK'S NEWS    

 --

Microsoft Releases Fixes for Problematic CPU Patches

(January 18, 2018)

Microsoft has released new updates to address problems with some of the initial patches it distributed to fix the Meltdown and Spectre issues. Some users were reporting that the patch rendered their AMD systems unbootable. The first patches were released on January 3, 2018; Microsoft stopped their distribution on January 9 following reports of the problems. New fixes are available for five of nine affected security updates.


Read more in:

Bleeping Computer: Microsoft Resumes Meltdown & Spectre Updates for AMD Devices

https://www.bleepingcomputer.com/news/microsoft/microsoft-resumes-meltdown-and-spectre-updates-for-amd-devices/

ZDNet: Windows 10 Meltdown-Spectre patch: New updates bring fix for unbootable AMD PCs

http://www.zdnet.com/article/windows-10-meltdown-spectre-patch-new-updates-bring-fix-for-unbootable-amd-pcs/

 

 --

Cryptex Creator Pleads Guilty

(January 18, 2018)

The person who created the Cryptex and ReFUD.me malware has pleaded guilty to charges under the UK's Computer Misuse Act and Proceeds of Crime Act. Goncalo Esteves was arrested in 2015 and will be sentenced next month.   


Read more in:

SC Magazine UK: KillaMuvz pleads guilty to being a sophisticated malware operator

https://www.scmagazineuk.com/killamuvz-pleads-guilty-to-being-a-sophisticated-malware-operator/article/737745/

 

 --

Man Pleads Guilty to Dozens of DDoS Attacks  

 

(January 17 & 18, 2018)

John Kelsey Gammell has pleaded guilty to charges connected to a series of distributed denial-of-service (DDoS) attacks. Gammell's DDoS targets included not only former employers but also companies that would not hire him, business competitors, and law enforcement websites. Gammell launched the attacks from his own computers and also paid DDoS-for-hire services to carry out attacks. Gammell pleaded guilty to conspiracy to commit intentional damage to a protected computer as well as other charges.   


[Editor Comments]

[Honan] For those of you looking to start a career in cybersecurity, take a lesson from this story: threatening a potential employer with a cyber-attack is not the best way to make a positive impression.


Read more in:

ZDNet: Man pleads guilty to launching DDoS attacks against former employers

http://www.zdnet.com/article/man-pleads-guilty-to-launching-ddos-attacks-against-former-employers/

DoJ: New Mexico Man Pleads Guilty to Directing Computer Attacks Against Websites of Dozens of Victims, as Well as Felon-In-Possession Charges

https://www.justice.gov/opa/pr/new-mexico-man-pleads-guilty-directing-computer-attacks-against-websites-dozens-victims-well

 

 --

Oracle Critical Patch Update

(January 17 & 18, 2018)

Oracle's most recent quarterly critical patch update, released earlier this week, includes fixes for 237 security issues. The batch includes fixes for 34 flaws in Oracle Financial Services Applications, 27 in Fusion Middleware, 25 in MySQL, and 21 in Java SE.


[Editor Comments]

[Williams] Also included in this patch roll up is a fix for a VirtualBox vulnerability (CVE-2018-2698) that allows attackers to exploit the host (hypervisor) operating system from inside the guest. This breaks the traditionally assumed isolation between the host and the guest operating systems.  If you are using VirtualBox in production (particularly for malware sandboxes) this is one to patch immediately.


Read more in:

The Register: And Oracle E-biz suite makes 3: Package also vulnerable to exploit used by crypto-currency miner

http://www.theregister.co.uk/2018/01/18/oracle_app_crypto_mining_vuln/

Threatpost: Oracle Ships 237 Fixes in Latest Critical Patch Update

https://threatpost.com/oracle-ships-237-fixes-in-latest-critical-patch-update/129477/

Oracle:

Oracle Critical Patch Update

Advisory - January 2018

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

 

 --

Trisis Malware Used in Attack Against Middle Eastern Energy Company

(January 16 & 18, 2018)

At the S4x18 ICS Security Conference in Miami, Florida, Schneider Electric offered new details about a breach at an energy plant in the Middle East late last summer that caused it to halt operations. Using malware known as Trisis, attackers exploited a zero-day privilege escalation flaw in Schneider's Triconex Tricon safety-controller firmware. Trisis also contained a Remote Access Trojan (RAT).


Read more in:

Dark Reading: Schneider Electric: TRITON/TRISIS Attack Used 0-Day Flaw in its Safety Controller System, and a RAT

https://www.darkreading.com/vulnerabilities---threats/schneider-electric-triton-trisis-attack-used-0-day-flaw-in-its-safety-controller-system-and-a-rat/d/d-id/1330845

Cyberscoop: Schneider Electric: Trisis leveraged zero-day flaw, used a RAT

https://www.cyberscoop.com/schneider-electric-trisis-zero-day-rat/

Cyberscoop: Trisis has the security world spooked, stumped and searching for answers

https://www.cyberscoop.com/trisis-ics-malware-saudi-arabia/

Reuters: Schneider Electric says bug in its software exploited in hack

https://www.reuters.com/article/us-schneider-cyber-attack/schneider-electric-says-bug-in-its-software-exploited-in-hack-idUSKBN1F7228

 

 --

Hawaii Emergency Management Agency Password on a Post-it

(January 17, 2018)

The Hawaii Emergency Management Agency (HEMA), currently making headlines for an erroneous missile alert, is now taking flak for a photo showing a password written on a Post-in stuck to a computer monitor. The picture was taken in July. The agency confirmed that it was a real password used for an internal application that is likely no longer in use.  


[Editor Comments]

[Honan] As an industry we really should not be focusing on the fact that someone has to write down a password in order to enable them use a system. Rather than focusing on the end user we need to figure out how we can include secure access into our systems to make it convenient for users to have safe access.

[Neely] This takes the focus off the root efforts to prevent a recurrence of the unfortunate false alert. This is not the first time a password was recorded by a visiting camera and is a reminder to consider OPSEC when visitors are present. Also, while passwords written on Post-its and White Boards are generally immune to malware, it is still important to remember who else can view (and capture) them. If your password management still involves writing things down, store those notes securely where only those that have a need-to-know can access them. Better yet, this would be a great time to move to an electronic password manager.

Read more in:

SC Magazine: Post-it with password spotted in online photo of Hawaii Emergency Management Agency HQ

https://www.scmagazine.com/post-it-with-password-spotted-in-online-photo-of-hawaii-emergency-management-agency-hq/article/737661/

Quartz: A photo accidentally revealed a password for Hawaii's emergency agency

https://qz.com/1181763/hawaiis-emergency-management-agency-accidentally-revealed-an-internal-password/

Motherboard: Go Ahead and Put Your Password on a Post-It Note

https://motherboard.vice.com/en_us/article/7xeqe9/hawaii-emergency-password-post-it

 

 --

House Passes Bill Flouting Tillerson's Decision to Eliminate State Dept. Cyber Post

(January 17 & 18, 2018)

The US House of Representatives has passed the Cyber Diplomacy Act, which, if enacted, would restore a top-level cyber security position at the State Department eliminated by Secretary of State Rex Tillerson last year. The legislation would reinstate the position and expand its purview.


Read more in:

FCW: House passes bill restoring State cyber office

https://fcw.com/articles/2018/01/18/state-dept-cyber-johnson.aspx

Nextgov: House Votes to Restore Top Cyber Diplomat's Office

http://www.nextgov.com/policy/2018/01/house-votes-restore-top-cyber-diplomats-office/145256/

Cybrscoop: Cyber diplomacy office at State Department would return under House-passed bill

https://www.cyberscoop.com/cyber-diplomacy-office-state-department-return-house-passed-bill/?category_news=technology

Congress: Cyber Diplomacy Act of 2017

https://www.congress.gov/bill/115th-congress/house-bill/3776/text?q=%7B%22search%22%3A%5B%22cyber+diplomacy+act%22%5D%7D&r=1

 

 --

Fixes Available for BIND Vulnerability

(January 16 & 17, 2018)

A patch is available for a vulnerability in BIND Domain Name System software that has existed since 2000. The denial-of-service flaw could lead to "a use-after-free error that can trigger an assertion failure and crash in named." Users could temporarily disable DNSSEC as a workaround.


Read more in:

KB ISC: Improper fetch cleanup sequencing in the resolver can cause named to crash

https://kb.isc.org/article/AA-01542

The Register: BIND comes apart thanks to ancient denial-of-service vuln

http://www.theregister.co.uk/2018/01/17/bind_patch_catches_crashes/

 

INTERNET STORM CENTER TECH CORNER

Are You Watching for Brute Force Attacks on IPv6?

https://isc.sans.edu/forums/diary/Are+you+watching+for+brute+force+attacks+on+IPv6/23213/


Oracle Critical Patch Update

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixFMW


Kaspersky Observes Advanced Android Spyware

https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

        

Auditing Secure USB Keys

https://www.j-michel.org/blog/2018/01/16/attacking-secure-usb-keys-behind-the-scene


Microsoft Resumes Patches for AMD Systems

https://www.amd.com/en/corporate/speculative-execution


Speculations About Yet Another CPU Attack

https://skyfallattack.com


BIND Fixes DoS Vulnerability

https://kb.isc.org/article/AA-01542        


Oracle E-Business Suite Server Can Be Attacked via WebLogic

https://www.onapsis.com/blog/oracle-january-cpu-analysis-64-patches-affect-business-critical-applications


Malicious Open Graph title Tag Crashes iMessage

https://www.macrumors.com/2018/01/16/malicious-link-ios-mac-freezes/


Smiths Medfusion 4000 Vulnerabilities

https://github.com/sgayou/medfusion-4000-research/blob/master/doc/README.md#summary


Reviewing the Spam Filters: Malspam Pushing Gozi-ISFB

https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245/


******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create