OnDemand + GIAC = Relevant Skills, Proven Ability

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #71

September 7, 2018


SANS NewsBites              September 7, 2018               Vol. 20, Num. 71




DOJ Charges North Korean in Sony Hack, Wanna Cry Attack


Tesla Will Reflash Car Firmware for Vulnerability Testers

  Windows Zero-Day: Advanced Local Procedure Call (ALPC)



Mozilla Releases Firefox 62


Schneider Controller Vulnerability


British Airways Data Breach


House Approves DHS Supply Chain Security Bill


Thousands of MikroTik Routers Unpatched Against Flaw Disclosed in April


Chrome 69 Includes Fix for Flaw That Could Be Exploited to Steal WiFi Credentials


Open .git Directories Expose Site Source Code



***************************  Sponsored By A10 Networks  ************************************

"SSL Traffic Inspection: Needed Visibility But At What Cost?"  In this webcast, SANS will explore the concerns faced by an organization that realizes it must improve visibility into its encrypted traffic, laying out both the business and the technical issues and how to approach both.  Register:  http://www.sans.org/info/206630


-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018


-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018

-- Oil & Gas Cyber Security Summit 2018 | Houston, TX | October 1-6 | https://www.sans.org/event/oil-gas-cybersecurity-summit-2018

-- SANS Northern VA Fall-Tysons 2018 | October 13-20 | https://www.sans.org/event/northern-va-fall-tysons-2018

-- SANS London October 2018 | October 15-20 | https://www.sans.org/event/london-october-2018

-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018

-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018

-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018

-- SANS San Diego Fall 2018 | November 12-27 | https://www.sans.org/event/san-diego-fall-2018

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get a 9.7 iPad, Samsung Galaxy Tab A or Take $300 Off with OnDemand or vLive, Offer Ends September 19.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

Single Course Training

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






DOJ Charges North Korean in Sony Hack, Wanna Cry Attack

(September 6, 2018)

The US Department of Justice (DOJ) has charged Park Jin Hyok, a North Korean computer programmer, in the 2014 attack against Sony Pictures, a 2016 theft from Bangladesh Bank, and the 2017 Wanna Cry malware attack. The complaint alleges that Park carried out the attack against Sony Pictures on behalf of the North Korean government; it also links Park to the Lazarus Group, which is believed to be involved in the Wanna Cry attack and a Bangladesh Bank theft.   

Read more in:

DOJ: North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions


The Hill: DOJ charges North Korean national in Sony, WannaCry attacks


Nextgov: DOJ Releases Charges Against Last of Four Top U.S. Cyber Adversaries


NYT: North Korean Spy to Be Charged in Sony Pictures Hacking


Reuters: U.S. charges North Korean hacker in Sony, WannaCry cyberattacks




Tesla Will Reflash Car Firmware for Vulnerability Testers

(September 6, 2018)

Tesla has reiterated that researchers are permitted to hack its cars without voiding the vehicles warranty or facing legal liability. Tesla says it will restore firmware and operating systems on cars that have undergone and have become incapacitated by testing, with some conditions: the researcher and the vehicle must be registered and approved as part of Teslas vulnerability reporting program. 

[Editor Comments]

[Pescatore] Kudos to Tesla for doing the right thing. Would you buy a car from a manufacturer who said, We are not going to allow Consumer Reports magazine to test our cars, because all that swerving around cones will void the warranty? Consumers demand safety features in the carscar advertisements seem to equally emphasize safety and style. We need to convince consumers that an important part of safety is high quality software in the cars they buy.

[Neely] Before signing up for the program, researchers need to note the limits to the number of times the vehicle will be re-flashed and that the researcher will bear the expense of getting the car to a service facility.

Read more in:

Bleeping Computer: Tesla Will Restore Car Firmware/OS When Hacking Goes Wrong


--Windows Zero-Day: Advanced Local Procedure Call (ALPC)

(September 5 & 6, 2018)

An unpatched flaw in Windows Advanced Local Procedure Call (ALPC) is being actively exploited. The vulnerability was first disclosed on August 27, 2018. The issue is due to the ALPC function not properly checking user permissions when interacting with files in the Windows Task Scheduler folder in Windows OS versions later than Windows 7. 

Read more in:

The Register: Do you really think crims would do that? Just go on the 'net and exploit a Windows zero-day?


ZDNet: Recent Windows ALPC zero-day has been exploited in the wild for almost a week



**************************  SPONSORED LINKS  ********************************

1) Don't Miss:  "Meeting the Critical Security Controls Using OSSEC" with John Pescatore.  Register: http://www.sans.org/info/206635

2) VMRay Product Manager, Rohan Viegas will show you how Gandcrab ransomware evades detection and analysis and infects victims. Register: http://www.sans.org/info/206640

3) Learn how to analyze data using advanced machine learning that mimics human analysts. Register: http://www.sans.org/info/206645    





Mozilla Releases Firefox 62

(September 6, 2018)

Mozilla has released Firefox 62 for Windows, Android, Linux, iOS, and macOS. The newest version of the browser includes fixes for nine security issues, including one that could be exploited to run arbitrary code. Now that Firefox 62 has been released, Firefox 63 is in beta. Firefox 63, which is expected to be generally released on October 23, will block slow loading web trackers by default. 

Read more in:

eWeek: Firefox 62 Improves CSS Support for Developers, Fixes Bugs


Threatpost: Mozilla Patches Critical Code Execution Bug in Firefox 62




Schneider Controller Vulnerability

(September 6, 2018)

A vulnerability in Schneider Electric Modicon controllers could be exploited to remotely reboot the device, which could prevent them from communicating with the other parts of the industrial control system (ICS) network. The issue is an improper check for unusual or exceptional conditions. The flaw affects Modicon M221 controllers prior to firmware versions

Read more in:

ZDNet: Schneider Electric Modicon vulnerability impacts ICS operation in industrial settings


Schneider: SoMachine Basic V1.6 SP2




British Airways Data Breach

(September 6, 2018)

British Airways has acknowledged that a data breach may have compromised personal information associated with 380,000 payments. The incident affects bookings made online between August 21 and September 5, 2018.

Read more in:

Reuters: British Airways website suffers data breach; 380,000 payments affected




House Approves DHS Supply Chain Security Bill

(September 5, 2018)

The US House of Representatives have approved a bill that would allow the Department of Homeland Security (DHS) to exclude certain contractors from conducting business with the government. The Securing the Homeland Security Supply Chain Act of 2018 requires that DHS notify contractors of the decision to ban them in most cases, but also allows the agency to impose an immediate ban in the interest of national security. The bill does not yet have a companion bill in the Senate.  

Read more in:

MeriTalk: House Approves DHS Authority to Address Supply Chain Risk, Bar Contractors


Nextgov: House Passes Bill Expanding DHSs Power to Block Risky Contractors From Government Networks


Congress: H.R.6430 - Securing the Homeland Security Supply Chain Act of 2018




Thousands of MikroTik Routers Unpatched Against Flaw Disclosed in April

(September 4 & 5, 2018)

Thousands of unpatched MirkoTik routers have been compromised with malware that sends network traffic data to a control server. MikroTik released a fix for the vulnerability in April. More than 370,000 routers have not yet been patched for the flaw.

[Editor Comments]

[Neely] The attackers seem to be focusing on SNMP traffic, and as organizations often reuse community strings, compromise could have broad consequences. As the hack installs added jobs, a factory reset in addition to applying the patch is a good idea. More routers are supporting automatic firmware updates which can mitigate some of these risks.


Read more in:

Ars Technica: Unpatched routers being used to build vast proxy army, spy on networks


The Register: Mikrotik routers pwned en masse, send network data to mysterious box




Chrome 69 Includes Fix for Flaw That Could Be Exploited to Steal WiFi Credentials

(September 4 & 5, 2018)

Google has released Chrome 69. The most recent stable version of the browser addresses 40 vulnerabilities, including an issue that could be used to steal WiFi login credentials because older versions of the browser auto-filled usernames and passwords in HTTP logon forms.

[Editor Comments]

[Neely] This fix to Chrome puts it on-par with Firefox, Internet Explorer, Edge and Safari for auto-filling login information in HTTP forms. Exploiting the vulnerability relies on getting the victim on a spoofed WiFi using Karma and presenting an imitation captive portal page for the users router, which the browser will autofill. The primary mitigation is updating Chrome. Beyond that, enable HTTPS on your home router if it supports it, administer your home router over a wired connection, or if on Wi-Fi, make sure that youre really on your network before connecting to the admin page.


[Murray] It is difficult to understand as stable products that persistently issue fixes for tens of vulnerabilities at a time.


Read more in:

ZDNet: Google fixes Chrome issue that allowed theft of WiFi logins


Threatpost: Google Rolls Out 40 Fixes with Chrome 69


The Register: Take a pinch of autofill, mix in HTTP, and bake on a Wi-Fi admin page: Quirky way to swipe a victim's router password




Open .git Directories Expose Site Source Code

(September 4 & 5, 2018)

Researcher Vladimir Smitka found nearly 400,000 web pages with open .git directories. The directories can expose database passwords, API keys, and other information that should not but which often is stored in the repository.

[Editor Comments]

[Williams] - This is a symptom of the larger problem of poorly audited permissions on directories accessible from the Internet. If you haven't audited your website for forced browsing attacks, the time to do so is now. With the increased attention on .git directories, expect to see an increase in attackers scanning for forced browsing vulnerabilities of all types.


[Neely] When deploying an application to your site, make sure that the .git directory is not available. Even without an index file and directory browsing disabled, well known files can still be retrieved, such as the list of commits in /.git/logs/HEAD. Verify the directory contents are not retrievable by attempting to access <web-site>/.git/HEAD.


Read more in:

The Register: Excuse me, but your website's source code appears to be showing


SC Magazine: 400,000 websites vulnerable through exposed .git directories


Lynt.cz: Global scan - exposed .git repos





Some More Interesting MicroTik Router Exploits


Exposed .git Directories


SSL Certificates Expose Tor Servers


Python Package Installer May Execute Code


Windows Scheduler Exploit Used in the Wild


Where Have All My Certificates Gone?


Malware Uses Powershell to Compile C# Code on the Fly


Stealing WiFi Credentials in Google Chrome


DNS Spoofing and Certificate Authority Domain Validation


Cisco Vulnerabilities


MEGA Chrome Extension Replaced with Password Stealer




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create