

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #56

July 17, 2018
****************************************************************************

SANS NewsBites                July 17, 2018                Vol. 20, Num. 056

****************************************************************************


TOP OF THE NEWS


 

Director of National Intelligence Warns of Cyber Attacks

 

Ukraine Blocked Cyber Attack Against Chlorine Distillation Plant

 

Mueller Investigation Issues Indictment of 12 Russian Intelligence Officers


REST OF THE WEEK'S NEWS


 

Senators Want DoJ to Investigate Online Harassment of Military Families

 

US Coast Guard Academy to Introduce Cyber Systems Major

 

Federal Government DMARC Policy Adoption at 74 Percent

 

DanaBot Trojan

 

LuminosityLink RAT Creator Pleads Guilty


INTERNET STORM CENTER TECH CORNER


***************************  Sponsored By Sophos Inc. ************************************


Live Webcast: Ransomware continues to be one of the most dangerous threats organizations face today. An infection can have devastating effects, with the median impact of an attack estimated at $133K*. Join this webcast to see how Intercept X puts a stop to today's threats. Register Today: http://www.sans.org/info/205325


*****************************************************************************


-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018


-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018


-- Security Operations Summit 2018 | New Orleans, LA | July 30-August 6 | https://www.sans.org/event/security-operations-summit-2018


-- Data Breach Summit & Training 2018 | New York, NY | August 20-27 | https://www.sans.org/event/data-breach-summit-2018


-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018


-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018


-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018


-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018


-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018


-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Best Offers of the Year: Get a 12.9" iPad Pro with Smart Keyboard, HP ProBook 450 G5, or take $400 Off with Any OnDemand or vLive Course. Offer Ends July 18.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************


TOP OF THE NEWS

 

--

Director of National Intelligence Warns of Cyber Attacks

(July 13, 2018)

US Director of National Intelligence (DNI) Dan Coats warned that the threat of a crippling cyber attack on our critical infrastructure is growing. Speaking at the Hudson Institute think tank on Friday, July 13, Coats compared the threat level to that of activity detected by US intelligence agencies prior to the September 11, 2001 terrorist attacks.


[Editor Comments]


[Murray] We have already forgotten how to do many important things that we have programmed our computers to do for us. Indeed, we have generations that never learned to do those things. Our dependence on our technological infrastructure has created an existential vulnerability that those with far less power can exploit. Resilience, not security, must be our goal.


Read more in:

Reuters: U.S. intel chief warns of devastating cyber threat to U.S. infrastructure

https://www.reuters.com/article/us-usa-russia-cyber-coats/u-s-intel-chief-warns-of-devastating-cyber-threat-to-u-s-infrastructure-idUSKBN1K32M9



--

Ukraine Blocked Cyber Attack Against Chlorine Distillation Plant

(July 13, 2018)

Ukraine's Secret Service says it has thwarted a cyberattack against a network belonging to a chlorine distillation plant there. The attempted attack was carried out using VPNFilter malware and is believed to have been perpetrated by Russia.



Read more in:

The Register: Ukraine claims it blocked VPNFilter attack at chemical plant

http://www.theregister.co.uk/2018/07/13/ukraine_vpnfilter_attack/

SC Magazine: Ukrainian officials blame Russia for VPNFilter attack on chlorine plant

https://www.scmagazine.com/ukrainian-officials-blame-russia-for-vpnfilter-attack-on-chlorine-plant/article/780729/


 

--

Mueller Investigation Issues Indictment of 12 Russian Intelligence Officers

(July 13, 2018)

The Mueller investigation's indictment of 12 Russian intelligence officers includes detailed technical information about the hacking of the Clinton 2016 presidential campaign and the Democratic National Committee. The indictment provides details of email and social media accounts used to target Democratic officials.


Read more in:

NYT: 12 Russian Agents Indicted in Mueller Investigation

https://www.nytimes.com/2018/07/13/us/politics/mueller-indictment-russian-intelligence-hacking.html

Reuters: U.S. indictments show technical evidence for Russian hacking accusations

https://www.reuters.com/article/us-usa-trump-russia-cyber/u-s-indictments-show-technical-evidence-for-russian-hacking-accusations-idUSKBN1K32X1

SC Magazine: Mueller indicts 12 Russian military intel officers for DNC hacks

https://www.scmagazine.com/mueller-indicts-12-russian-military-intel-officers-for-dnc-hacks/article/780712/

FCW: Mueller indicts 12 Russians for DNC hack, election interference

https://fcw.com/articles/2018/07/13/russia-cyber-indictments.aspx?admgarea=TC_Security

GCN: Mueller indictment details hacks on state election systems

https://gcn.com/articles/2018/07/13/russian-hacks-voting-systems.aspx?admgarea=TC_SecCybersSec


**************************  SPONSORED LINKS  ********************************


1) Gartner names Splunk a SIEM Magic Quadrant leader for the fifth year running. Read the report now. http://www.sans.org/info/205330


2) Register to learn the techniques you must incorporate into your security strategy to prepare for the next wave of multi-vector DDoS attacks. http://www.sans.org/info/205335


3) How is your incident response team coping with protecting their organization? Take the SANS 2018 Incident Response Survey at http://www.sans.org/info/205340 and enter to win a $400 Amazon gift card!


*****************************************************************************


THE REST OF THE WEEK'S NEWS

 

--

Senators Want DoJ to Investigate Online Harassment of Military Families

(July 9 & 13, 2018)

US Senators Ron Wyden (D-Oregon) and Cory Gardner (R-Colorado) want the Justice Department to investigate a potential false flag operation in which Russian operatives reportedly posed as Islamic extremists and threatened and harassed US military families online. 



Read more in:

Wyden: Letter to Atty. Gen. Jeff Sessions

https://www.wyden.senate.gov/imo/media/doc/07.09.18_DOJ.PDF

The Hill: Senators urge DOJ to probe whether Russians posed as Islamic extremist hackers to harass US military families

http://thehill.com/policy/cybersecurity/396960-senators-urge-doj-to-investigate-if-russians-posed-as-islamic-extremist



--

US Coast Guard Academy to Introduce Cyber Systems Major

(July 13, 2018)

This fall, the US Coast Guard Academy will offer a new major in Cyber Systems. The program includes policy, law, ethics, operating systems, software design and intelligence. The last time USCGA offered a new major was in 1993, when it added mechanical engineering to its curriculum.


[Editor Comments]


[Northcutt] Hard or technical skills include malware analysis, network attacks, and industrial control systems. Ships are increasingly dependent on autonomous systems and will need technically savvy crews. The tanker scenario in Hackers (1995) may have been prescient.


Read more in:

USCGA: Cyber Systems

https://www.uscga.edu/cyber-systems/

FNR: Coast Guard Academy to offer new major in cyber systems

https://federalnewsradio.com/technology-news/2018/07/coast-guard-academy-to-offer-new-major-in-cyber-systems/

 
 

--

Federal Government DMARC Policy Adoption at 74 Percent

(July 16, 2018)

With just three months to go before a .gov website and email security deadline, 74 percent of tested US federal government domains have established a Domain-based Message Authentication, Reporting, and Conformance (DMARC) policy; just 47 percent have implemented DMARC's highest policy level, p=reject.


[Editor Comments]


[Pescatore and Murray] This is good news, showing rapid progress from the much lower DMARC implementation results from January 2018. Especially good to see 47% of agencies have enabled reject policies now, as only 16% were doing so in January.


[Neely] Excellent progress so far. One of the core concerns in conversations I've had is about understanding who is sending email on your behalf and how to identify which is legitimate. DMARC aggregate reports contain information on how your messages are aligned with your DMARC settings, and DMARC forensic reports have information on failed messages. Leverage these by feeding them into a reporting and analysis tool to determine what needs addressing. If you haven't already, make sure inbound DMARC processing is enabled to properly screen messages from domains with DMARC configured. Services like O365 and Google are already configured.


Read more in:

SC Magazine: With deadline looming, 74 percent of fed gov't domains implement DMARC

https://www.scmagazine.com/with-deadline-looming-74-percent-of-fed-govt-domains-implement-dmarc/article/781022/
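The two checks this item turns on, reading the p= policy level out of a domain's DMARC record and mining aggregate (rua) reports for sending sources that never align, as an added example (not code from SANS, the ISC, or the article; the report below is a constructed sample in the RFC 7489 aggregate-report layout, and example.gov and its IP addresses are placeholders):

```python
"""Summarise a DMARC aggregate (rua) report and read the policy level from a
DMARC TXT record. Added example; the report is a constructed sample."""
import xml.etree.ElementTree as ET

# Constructed sample: one aligned source, one source failing both DKIM and SPF.
SAMPLE_REPORT = """<feedback>
  <policy_published><domain>example.gov</domain><p>reject</p></policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition>
        <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  </record>
  <record>
    <row><source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition>
        <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  </record>
</feedback>"""

# Ordering of the three DMARC policy levels; 'reject' is the highest.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

def policy_level(txt_record):
    """Return the p= tag of a DMARC TXT record ('none' if absent)."""
    tags = dict(t.strip().split("=", 1) for t in txt_record.split(";") if "=" in t)
    return tags.get("p", "none").strip()

def summarise_report(xml_text):
    """Per source IP: messages seen, messages aligned (DKIM or SPF pass), dispositions."""
    summary = {}
    for row in ET.fromstring(xml_text).iter("row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        aligned = "pass" in (ev.findtext("dkim"), ev.findtext("spf"))
        entry = summary.setdefault(ip, {"total": 0, "aligned": 0, "disposition": set()})
        entry["total"] += count
        entry["aligned"] += count if aligned else 0
        entry["disposition"].add(ev.findtext("disposition"))
    return summary

def unaligned_sources(summary):
    """Sources that never aligned: either spoofers or legitimate senders missing from SPF/DKIM."""
    return sorted(ip for ip, e in summary.items() if e["aligned"] == 0)

if __name__ == "__main__":
    s = summarise_report(SAMPLE_REPORT)
    for ip, e in s.items():
        print(ip, e["total"], "seen,", e["aligned"], "aligned,", sorted(e["disposition"]))
    print("investigate:", unaligned_sources(s))
```

Real aggregate reports arrive as gzipped or zipped XML attachments at the rua= mailbox; unpack them first and run each file through summarise_report.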

 
 

--

DanaBot Trojan

(July 16, 2018)

Malware dubbed DanaBot has been spreading in the guise of invoices that appear to be from Australian company MYOB. The phony emails contain droppers that load the banking Trojan onto users' machines. DanaBot is capable of stealing sensitive information, including taking screenshots, and uploading the data to a command and control server.


Read more in:

Threatpost: DanaBot Trojan Targets Bank Customers In Phishing Scam

https://threatpost.com/danabot-trojan-targets-bank-customers-in-phishing-scam/133994/

 
 

--

LuminosityLink RAT Creator Pleads Guilty

(July 16, 2018)

Colton Grubbs has admitted to creating and selling a software tool that he knew some people were using to take control of other people's computers. Grubbs pleaded guilty to invasion of privacy, causing loss of at least $5,000 USD to protected computers, and conspiracy. Although Grubbs initially maintained that LuminosityLink was designed to be a legitimate administrative tool, it was marketed as a tool that could be remotely installed on another person's computer without their knowledge.


Read more in:


KrebsOnSecurity: LuminosityLink RAT Author Pleads Guilty

https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/

Ars Technica: Developer faces prison after admitting admin software was really a RAT

https://arstechnica.com/tech-policy/2018/07/developer-faces-prison-after-admitting-admin-software-was-really-a-rat/

KrebsOnSecurity: Colton Grubbs Plea Agreement

https://krebsonsecurity.com/wp-content/uploads/2018/07/2018.07.16.Plea-Agreement.pdf



******************************************************************************

INTERNET STORM CENTER TECH CORNER

 

Processing JSON

https://isc.sans.edu/forums/diary/Video+Retrieving+and+processing+JSON+data+BTC+example/23874/


Cryptocoin Mining Javascript (yet again)

https://isc.sans.edu/forums/diary/Cryptominer+Delivered+Though+Compromized+JavaScript+File/23870/


Encrypted SNI in TLS 1.3

https://tools.ietf.org/html/draft-rescorla-tls-esni-00


Microsoft to Retire "Delta Updates"

https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-quality-updates-explained-amp-the-end-of-delta/ba-p/214426

 

Dahua Passwords Leaked/Cached by Search Engine

https://www.bleepingcomputer.com/news/security/passwords-for-tens-of-thousands-of-dahua-devices-cached-in-iot-search-engine/


MDM Used in Targeted Attack Against iPhone Users

https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html

     

Practical GPS Spoofing of Navigation Devices

https://www.microsoft.com/en-us/research/uploads/prod/2018/06/security18gps.pdf

 
    

******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create