45+ InfoSec Courses at SANS Network Security 2018 in Las Vegas! Save up to $200 thru 8/22.

Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #55

July 13, 2018

****************************************************************************

SANS NewsBites                July 13, 2018                Vol. 20, Num. 055

****************************************************************************


TOP OF THE NEWS


 

Navy Contractor Engineer Stole Thousands of Files by Uploading Them to Dropbox

 

Google Pushes Out Site Isolation to Chrome 67 Users as More Spectre Variants Emerge

 

Meltdown, Spectre, and When Governments Should Be Told About Vulnerabilities


REST OF THE WEEKS NEWS


 

Cisco Releases Fixes for Flaw in VoIP Phones, FireSIGHT, and Other Products

  Timehop: Remember That Time We Were Breached? Theres More

 

Ticketmaster Breach Was Part of a Larger Campaign

 

Patch Tuesday, July 10, 2018

 

RDP Access Being Sold on Internet

 

Internet Address Hijack Factory Bitcanal Loses Bandwidth Providers

 

US Military Manuals on Unsecured FTP Server

 

Anubis Banking Malware targeted Turkish Users


INTERNET STORM CENTER TECH CORNER

 

***************************  Sponsored By InfoBlox  **************************

Live demo

Make DNS Your Star Defender: Thursday. July 19, 10 AM PDT, 1 PM EDT.  The bad guys love DNS. Its a leading pathway for malware, data exfiltration, and ransomware. Attend this live demo and learn how Infoblox ActiveTrust Cloud turns DNS from your weakest link into your chief defender. Register: http://www.sans.org/info/205305


*****************************************************************************


-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018


-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018


-- Security Operations Summit 2018 | New Orleans, LA | July 30-August 6 | https://www.sans.org/event/security-operations-summit-2018


-- Data Breach Summit & Training 2018 | New York, NY | August 20-27 | https://www.sans.org/event/data-breach-summit-2018


-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018


-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018


-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018


-- SANS London September 2018 | September 17-22  https://www.sans.org/event/london-september-2018


-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Best Offers of the Year: Get a 12.9 iPad Pro with Smart Keyboard, HP ProBook 450 G5, or take $400 Off with Any OnDemand or vLive Course, Offer Ends July 18.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************


TOP OF THE NEWS


--

Navy Contractor Engineer Stole Thousands of Files by Uploading Them to Dropbox

(July 10 & 12, 2018)

An engineer who once worked for a US Navy contractor stole data from Navy projects by uploading files to a personal Dropbox account. Jared Dylan Sparks was accused of uploading more than 5,000 files to Dropbox. He was arrested in November 2016. Earlier this month a federal jury found him guilty of theft of trade secrets, upload of trade secrets, and transmission of trade secrets.  


[Editor Comments]


[Neely] This highlights the need to review and update current DLP provisions to ensure they cover cloud-based services. Once you start allowing traffic to cloud-based collaboration platforms, it is nearly impossible to distinguish between business and personal access of those services. Some mitigation can come from not permitting installation of the thick client for file sync and share services that are not explicitly approved and requiring authentication to access the Internet to provide trackability back to the user performing the actions.

 

Read more in:

DoJ: Electrical Engineer Found Guilty for Intending to Convert Trade Secrets from Defense Contractor

https://www.justice.gov/usao-ct/pr/electrical-engineer-found-guilty-intending-convert-trade-secrets-defense-contractor

Bleeping Computer: Engineer Found Guilty of Stealing Navy Secrets via Dropbox Account

https://www.bleepingcomputer.com/news/legal/engineer-found-guilty-of-stealing-navy-secrets-via-dropbox-account/

Document Cloud: Indictment (November 2016)

http://www.documentcloud.org/documents/4596229-Sparks-Indictment.html

 
 

--

Google Pushes Out Site Isolation to Chrome 67 Users as More Spectre Variants Emerge

(July 11 & 12, 2018)

Google has added a feature to Chrome to help protect users from Spectre and Meltdown attacks. Called Site Isolation, the new feature was released just a day after a new Spectre-like attack was disclosed. Site Isolation was released to a small number of users with Chrome 67s release in May; it has now been pushed out to most Chrome 67 users. The feature will use more memory, but developers are working to fix that issue.


[Editor Comments]


[Murray] Process-to-process isolation is fundamental. It does have some performance impact. Get over it.

 

Read more in:

Threatpost: Chrome Now Features Site Isolation to Defend Against Spectre

https://threatpost.com/chrome-now-features-site-isolation-to-defend-against-spectre/133902/

ZDNet: Google: Chrome now protects you from Spectre password-stealing attacks

https://www.zdnet.com/article/google-chrome-now-protects-you-from-spectre-password-stealing-attacks/

CNET: Chrome has a new way to keep Spectre hackers at bay

https://www.cnet.com/news/google-thwarts-spectre-attacks-with-new-chrome-feature/

Cyberscoop: Google Chrome shifts browser architecture to thwart Spectre attacks

https://www.cyberscoop.com/google-chrome-shifts-browser-architecture-to-defend-spectre-attacks/?category_news=technology

Intel: Analyzing potential bounds check bypass vulnerabilities

https://software.intel.com/sites/default/files/managed/4e/a1/337879-analyzing-potential-bounds-Check-bypass-vulnerabilities.pdf

Threatpost: Fresh Spectre Variants Come to Light

https://threatpost.com/fresh-spectre-variants-come-to-light/133862/

 
 

--

Meltdown, Spectre, and When Governments Should Be Told About Vulnerabilities

(July 11, 2018)

The US Senate Committee on Commerce, Science, and Transportation heard testimony about the Meltdown and Spectre flaws earlier this week. While chipmakers notified affected companies about the issue in 2017, the US government did not learn of the flaws until they were publicly disclosed in January 2018. The companies notified of the flaws in 2017 included some firms in China, which likely shared the information with Chinese government and intelligence officials.


[Editor Comments]


[Neely] Vulnerability disclosure is tricky on a good day, particularly with a flaw that impacts most computers operating world-wide. This is complicated by the announced Spectre 1.1 and 1.2 flaws are being disclosed: https://www.bleepingcomputer.com/news/security/new-spectre-11-and-spectre-12-cpu-flaws-disclosed/

The best plan is to be transparent and disclose equally as everyone, government or otherwise, wants to be the first to understand the risk and how it impacts their interests.

 

Read more in:

Wired: Senators Fear Meltdown and Spectre Disclosure Gave China an Edge

https://www.wired.com/story/meltdown-and-spectre-intel-china-disclosure/

Nextgov: The Chinese Government Likely Knew about Spectre and Meltdown Bugs Before the U.S.

https://www.nextgov.com/cybersecurity/2018/07/chinese-government-likely-knew-about-spectre-and-meltdown-bugs-us/149647/


**************************  SPONSORED LINKS  ********************************


1) "Single-Agent Cyber Security Analytics: A SANS Review of the Cybereason Platform" with Dave Shackleford. Register: http://www.sans.org/info/205310


2) Learn the techniques you must incorporate into your security strategy to prepare for the next wave of multi-vector DDoS attacks. Register: http://www.sans.org/info/205315


3) How is your incident response team coping with protecting their organization? Take the SANS 2018 Incident Response Survey at http://www.sans.org/info/205320 and enter to win a $400 Amazon gift card!


*****************************************************************************




THE REST OF THE WEEKS NEWS


--

Cisco Releases Fixes for Flaw in VoIP Phones, FireSIGHT, and Other Products

(July 12, 2018)

Cisco has released a fix for a high severity insufficient input validation vulnerability in the UI of some of its VoIP phones. The flaw could be exploited to allow command injection and remote code execution on vulnerable devices. Cisco also released fixes for four additional issues in the FireSIGHT management platform, Web Security Appliance, and the StarOS platform for mobile operator platforms.


Read more in:

Threatpost: Cisco Patches High-Severity Bug in VoIP Phones

https://threatpost.com/cisco-patches-high-severity-bug-in-voip-phones/133905/

Cisco: Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Web UI Command Injection Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-phone-webui-inject

Cisco: Cisco FireSIGHT System Software File Policy Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-firesight-file-bypass

Cisco: Cisco FireSIGHT System Software URL-Based Access Control Policy Bypass Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-firesight-url-bypass

Cisco: Cisco Web Security Appliance Cross-Site Scripting Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-wsa-xss

Cisco: Cisco StarOS IPv4 Fragmentation Denial of Service Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180711-staros-dos

 
 

--Timehop: Remember That Time We Were Breached? Theres More

(July 11 & 12, 2018)

More information is emerging about the Timehop breach. The attackers were able to access the system through an administrative account that was not protected with two-factor authentication (2FA). The intruders were also able to access more information that was first disclosed. Timehop has updated its incident notice, which now includes a full timeline of the attack, more granular information about the types of Personally Identifiable Information that were breached, and a narrative to contextualize these disclosures.


[Editor Comments]


[Neely] Timehop is being very transparent and up-front about what they know. The Timehop site lists exactly what fields were possibly exposed and categorizes the types and quantity of breached records. Lessons learned here are to remember to incorporate the new GDPR reporting requirements in breach notification processes, multi-factor authentication is critical for externally reachable accounts, and dont assume anomalous behavior on a holiday is benign, particularly recurring issues. Also note that customers that used their phone number as a login need to actively take steps to prevent unauthorized porting of their number.


Read more in:

Timehop: Timehop Security Incident, July 4th, 2018

https://www.timehop.com/security

ZDNet: Timehop reveals July 4 breach included gender, country, and DOB info

https://www.zdnet.com/article/timehop-reveals-july-4-breach-included-gender-country-and-dob-info/

The Register: Timehop admits to more data leakage, details GDPR danger

http://www.theregister.co.uk/2018/07/12/timehop_data_leak_update/

SC Magazine: Timehop discovers hackers swiped even more data than updates, notifications

https://www.scmagazine.com/timehop-discovers-hackers-swiped-even-more-data-than-updates-notifications/article/780032/

 
 

--

Ticketmaster Breach Was Part of a Larger Campaign

(July 10 & 11, 2018)

The breach that compromised Ticketmaster UK user data was part of a larger campaign that affected more than 800 e-commerce sites. The attacks were launched by the Magecart APT group, which managed to install card skimming software on third-party components and services used by the sites.


Read more in:

Threatpost: Ticketmaster Breach: Just One Part of a Wide-Ranging Campaign

https://threatpost.com/ticketmaster-breach-just-one-part-of-a-wide-ranging-campaign/133892/

SC Magazine: Third-party Ticketmaster breach targeted 800-plus e-commerce sites

https://www.scmagazine.com/third-party-ticketmaster-breach-targeted-800-plus-e-commerce-sites/article/780075/

Dark Reading: Ticketmaster Breach Part of Massive Payment Card Hacking Campaign

https://www.darkreading.com/attacks-breaches/ticketmaster-breach-part-of-massive-payment-card-hacking-campaign/d/d-id/1332266

 
 

--

Patch Tuesday, July 10, 2018

(July 10 & 11, 2018)

On Tuesday, July 10, Microsoft released security updates to address more than 50 security issues, including a fix for the Lazy FP State Restore bug. The majority of the Microsoft fixes address security issues in the companys Edge and Internet Explorer browsers. Adobe released updates for Flash Player and for Adobe Reader/Acrobat.


Read more in:

Dark Reading: Microsoft July Security Updates Mostly Browser-Related

https://www.darkreading.com/cloud/microsoft-july-security-updates-mostly-browser-related/d/d-id/1332258

KrebsOnSecurity: Patch Tuesday, July 2018 Edition

https://krebsonsecurity.com/2018/07/patch-tuesday-july-2018-edition/

The Register: Intel, Microsoft, Adobe release a swarm of bug fixes to ruin your week

http://www.theregister.co.uk/2018/07/11/july_patch_tuesday/

ZDNet: Adobe fixes over 100 vulnerabilities in latest security patch update

https://www.zdnet.com/article/adobe-fixes-over-100-vulnerabilities-in-latest-security-patch-update/

Bleeping Computer: Microsoft Rolls Out Patches for "Lazy FP State Restore" Bug Affecting Intel CPUs

https://www.bleepingcomputer.com/news/security/microsoft-rolls-out-patches-for-lazy-fp-state-restore-bug-affecting-intel-cpus/

Microsoft: Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

Adobe: Security updates available for Flash Player | APSB18-24

https://helpx.adobe.com/security/products/flash-player/apsb18-24.html

Adobe: Security Bulletin for Adobe Acrobat and Reader | APSB18-21

https://helpx.adobe.com/security/products/acrobat/apsb18-21.html

 
 

--

RDP Access Being Sold on Internet

(July 11 & 12, 2018)

Researchers from the McAfee Advanced Threat Research team have found RDP shops on the Dark Web. RDP, or remote desktop protocol, is a Microsoft protocol intended for use by sys admins; it allows a user to access another machine remotely via graphical interface. The RDP shops were found to be selling RDP access to vulnerable systems for as little as $10 USD.


Read more in:

McAfee: Organizations Leave Backdoors Open to Cheap Remote Desktop Protocol Attacks

https://securingtomorrow.mcafee.com/mcafee-labs/organizations-leave-backdoors-open-to-cheap-remote-desktop-protocol-attacks/

The Register: What can $10 stretch to these days? Lunch... or access to international airport security systems

https://www.theregister.co.uk/2018/07/12/rdp_desktop_black_market/

Dark Reading: Major International Airport System Access Sold for $10 on Dark Web

https://www.darkreading.com/threat-intelligence/major-international-airport-system-access-sold-for-$10-on-dark-web/d/d-id/1332270

 
 

--

Internet Address Hijack Factory Bitcanal Loses Bandwidth Providers

(July 11, 2018)

Several companies that were providing bandwidth for Bitcanal, a company that has a reputation for helping spammers hijack dormant or unannounced Internet address ranges, have cut off service to the company. 


Read more in:

Dyn: Shutting down the BGP Hijack Factory

https://dyn.com/blog/shutting-down-the-bgp-hijack-factory/

KrebsOnSecurity: Notorious Hijack Factory Shunned from Web

https://krebsonsecurity.com/2018/07/notorious-hijack-factory-shunned-from-web/

The Register: BGP hijacker booted off the Internet's backbone

https://www.theregister.co.uk/2018/07/11/bgp_hijacker_booted_off_the_internets_backbone/

 
 

--

US Military Manuals on Unsecured FTP Server

(July 10 & 11, 2018)

A training manual for a US military drone, a maintenance manual for the Abrams tank, and other sensitive military documents were discovered for sale on the Internet. The documents appear to have been obtained with the help of a known NetGear router vulnerability. 


[Editor Comments]


[Neely] A reminder to change default credentials, disable unneeded services, and patch your infrastructure. Additionally, consider the risks of combining your perimeter router and fileserver into a single device, particularly when storing sensitive information there.


[Murray] The more secure alternatives to FTP are not even more expensive.  


Read more in:

Recorded Future: Military Reaper Drone Documents Leaked on the Dark Web

https://www.recordedfuture.com/reaper-drone-documents-leaked/

Dark Reading: Hacker Exploits 2-Year Old Router Issue To Steal Sensitive US Military Data

https://www.darkreading.com/attacks-breaches/hacker-exploits-2-year-old-router-issue-to-steal-sensitive-us-military-data/d/d-id/1332281

Ars Technica: Year-old router bug exploited to steal sensitive DOD drone, tank documents

https://arstechnica.com/information-technology/2018/07/year-old-router-bug-exploited-to-steal-sensitive-dod-drone-tank-documents/

The Register: US military manuals hawked on dark web after files left rattling in insecure FTP server

http://www.theregister.co.uk/2018/07/11/us_military_manual_dark_net_sale/

Cyberscoop: Stolen U.S. drone documents found for sale on dark web

https://www.cyberscoop.com/us-drone-dark-web-us-air-force-recorded-future/?category_news=technology

Nextgov: Hacker Caught Selling Maintenance Manuals for Military Drones

https://www.nextgov.com/cybersecurity/2018/07/hacker-caught-selling-maintenance-manuals-military-drones/149628/

 
 

--

Anubis Banking Malware targeted Turkish Users

(July 10, 2018)

At least 10 malicious apps targeting Turkish users made their way into the Google Play store last month. The fake shopping, automotive, and financial apps downloaded the BankBot Anubis Trojan onto users mobile devices. Anubis can record users keystrokes. All the associated apps have been reported for removal.


Read more in:

SC Magazine: BankBot Anubis campaign targets Turkish Android users with fake apps in Google Play Store

https://www.scmagazine.com/bankbot-anubis-campaign-targets-turkish-android-users-with-fake-apps-in-google-play-store/article/779500/

 

****************************************************************************

INTERNET STORM CENTER TECH CORNER

MSFT Patch Tuesday

https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+July+2018+now+with+Dashboard/23858/

https://patchtuesdaydashboard.com/


SettingContent-ms Files Blacklisted

https://support.office.com/en-us/article/packager-activation-in-office-365-desktop-applications-52808039-4a7c-4550-be3a-869dd338d834?ui=en-US&rs=en-US&ad=US


Adobe Patches

https://helpx.adobe.com/security.html


Stolen DLINK Certificate

https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/

       

Hello Peppa Followup

https://isc.sans.edu/forums/diary/Well+Hello+Again+Peppa/23860/


Internet Exchanges Band Together against BGP Hijacking

https://dyn.com/blog/shutting-down-the-bgp-hijack-factory/


Spectre 1.1 and 1.2 (PDF)

https://people.csail.mit.edu/vlk/spectre11.pdf


Google Enabled Site Isolation in Chrome

https://www.bleepingcomputer.com/news/security/google-enables-site-isolation-feature-for-99-percent-of-chrome-desktop-users/

       

Extortion Claims Include Leaked Passwords to Appear more Plausiable

https://isc.sans.edu/forums/diary/New+Extortion+Tricks+Now+Including+Your+Password/23866/


npm Package Compromised and Used To Steal Credentials

https://github.com/eslint/eslint-scope/issues/39#issuecomment-404533026


CIRCL IMAP Proxy

https://github.com/CIRCL/IMAP-Proxy


Checkpoint Names "Dorkbot" As A Top Threat (Signup required)

https://research.checkpoint.com/cyber-attack-trends-2018-mid-year-report/

    

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create