
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.



SANS NewsBites               October 5, 2018                Vol. 20, Num. 79



  Bloomberg Report Describes Supply Chain Nightmare

  DOJ: Seven Russian Military Intelligence Officers Indicted on Hacking Charges 

  FireEye: North Korea's APT38 is Hacking Financial Institutions


  DHS Report on Precision Agriculture Cyberthreats

  Irish Data Protection Commission is Investigating Facebook Breach

  Senate Passes Bill Elevating Renamed NPPD to Full Operating Agency

  California Law: No Bots During Elections

  Phantom Secure CEO Pleads Guilty to Providing Secure BlackBerrys to Drug Traffickers

  Adobe Releases Updates for Acrobat and Reader

  Alabama Launches State Security Operations Center





-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 | https://www.sans.org/event/cyber-defense-initiative-2018


-- SANS London October 2018 | October 15-20 | https://www.sans.org/event/london-october-2018

-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018

-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018

-- SANS London November 2018 | November 5-10 | https://www.sans.org/event/london-november-2018

-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018

-- SANS San Diego Fall 2018 | November 12-17 | https://www.sans.org/event/san-diego-fall-2018

-- Pen Test HackFest Summit & Training 2018 | Bethesda, MD | November 12-19 | https://www.sans.org/event/pen-test-hackfest-2018

-- SANS San Francisco Fall 2018 | November 26-December 1 | https://www.sans.org/event/san-francisco-fall-2018

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get an iPad, ASUS Chromebook C202SA, or Take $250 Off with OnDemand or vLive. Offer Ends October 17.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap



***************************  Sponsored By CrowdStrike ************************

"The Cybersecurity Talent Gap: An Unforeseen Impediment to Fast and Effective Incident Remediation"  Understand the extent of the problem and how an innovative solution, CrowdStrike Falcon Complete, solves the remediation challenge. Learn how this unique worry-free approach provides organizations with a dedicated team of security professionals focused on managing and monitoring endpoint security and responding to threats. Register:  http://www.sans.org/info/207215




--Bloomberg Report Describes Supply Chain Nightmare

(October 4, 2018)

According to a report from Bloomberg, Chinese agents infiltrated Super Micro's motherboard manufacturing process to add a tiny chip that allowed the affected servers to be remotely accessed. The Bloomberg story describes the processes used and how the supply chain was likely compromised. The story says that the chips were detected by both Apple and Amazon, independently of each other, in 2015, and that the companies reported their findings to the FBI. Both Apple and Amazon deny the report.

[Editor Comments]

[Paller] Several wise people advised me not to include this article in NewsBites because of the lack of corroborating public evidence. I chose to include it partly because I know and trust the due diligence of each of the two journalists; their joint by-line gives me a great deal of confidence in the veracity of the story. The second reason is Bill Murray's note below. Even if this infestation turns out to be less widely damaging than initial reports imply, this type of infection is happening, will happen more, and will do a great deal of damage in debilitating the U.S. and its allies when nation-state conflicts arise. It is time to implement the actions Bill outlines.

[Pescatore] This is one of the reasons supply chain security has been a top tier issue for many CISOs at large companies. Most companies would not have the ability to detect whether a piece of standard procured hardware had been tampered with but often use distributors or integrators who need to raise the bar against this type of thing. The reason so many components, assemblies and products are produced in sketchy places like China has been purely cost-saving driven; some of that savings needs to be applied toward assuring supply chain security.

[Murray] While we wait for data showing how widespread this infestation is, we should use the time to decide what to do assuming that the story is verified. Here's my initial list. (1) It is time to abandon the password for all but trivial applications. Steve Jobs and the ubiquitous mobile computer have lowered the cost and improved the convenience of strong authentication enough to overcome all arguments against it. (2) It is time to abandon the flat network. Secure and trusted communication now trump ease of any-to-any communication. (3) It is time to move traffic monitoring from encouraged to essential. (4) It is time for end-to-end encryption for all applications. Think TLS, VPNs, VLANs and physically segmented networks. Software Defined Networks put this within the budget of most enterprises. (5) It is time to abandon the convenient but dangerously permissive default access control rule of read/write/execute in favor of restrictive read/execute-only or, even better, least privilege. Least privilege is expensive to administer but it is effective. Our current strategy of ship low-quality early/patch late is proving to be ineffective and more expensive in maintenance and breaches than we could ever have imagined. (6) Finally, we must consider abandoning the open and flexible von Neumann Architecture for something more like iOS or the IBM iSeries with strongly typed objects and APIs, process-to-process isolation, and a trusted computing base (TCB) protected from other processes. We know what to do. Do we have the will?

Read more in:

Bloomberg: The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies


Motherboard: The Worst Hack in Science Fiction Has Allegedly Already Happened in Real Life


ZDNet: Apple, Amazon deny claims Chinese spies implanted backdoor chips in company hardware: report


The Register: Decoding the Chinese Super Micro super spy-chip super-scandal: What do we know - and who is telling the truth?


Threatpost: Apple, Amazon Strongly Refute Server Infiltration Report



--DOJ: Seven Russian Military Intelligence Officers Indicted on Hacking Charges 

(October 4, 2018)

A grand jury has indicted seven Russian officers on hacking charges. All seven are members of the Russian Main Intelligence Directorate (GRU), a military intelligence agency. They have been charged with computer hacking, wire fraud, aggravated identity theft, and money laundering. The alleged hackers' targets included anti-doping organizations around the world, Westinghouse Electric's nuclear power operations, and a chemical testing laboratory in Switzerland.

[Editor Comments]

[Murray] All of us, enterprises and consumers, are now targets of nation states, with the resources and resourcefulness that implies. Owners and custodians of IP and PII must protect it accordingly. Consumers of information must treat it with suspicion.

Read more in:

Wired: How Russian Spies Infiltrated Hotel Wi-Fi to Hack Victims Up Close


Bloomberg: Russians Hacked to Disrupt Doping, Poison Probes, U.S. Says


The Register: UK pins 'reckless campaign of cyber attacks' on Russian military intelligence


ZDNet: Russian cyber spies busted by Netherlands 'left behind evidence of many operations'


Ars Technica: Russian spies hacked officials to protect doping athletes, US charges


Justice: Indictment



--FireEye: North Korea's APT38 is Hacking Financial Institutions

(October 3, 2018)

A report from FireEye provides details about how the APT38 hacking group, which has been linked to North Korea, attempted to steal US$1.1 billion from banks around the world. The thefts appear to be for the benefit of the country's cash-strapped political regime. Unlike other hacking operations with ties to North Korea, APT38 is characterized by long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom-developed tools, and a constant effort to thwart investigations, capped with a willingness to completely destroy compromised machines afterwards.

Read more in:

FireEye: APT38: Details on New North Korean Regime-Backed Threat Group


Dark Reading: Inside the North Korean Hacking Operation Behind SWIFT Bank Attacks


SC Magazine: FireEye outs APT38 as North Korean cyber bank heist gang


The Register: 'Desperate' North Korea turns to APT hack attacks for cash


ZDNet: North Korea's APT38 hacking group behind bank heists of over $100 million



**************************  SPONSORED LINKS  ********************************

1) Watch: CIS RAM: This Math will Save You. Prioritize your CIS Controls and meet Duty of Care. http://www.sans.org/info/207220

2) "Defeating the next attack with old ideas, is Threat Prevention back?" with Jake Williams & Mark Arapovic.  Register:  http://www.sans.org/info/207225

3) What challenges do you face in using cyber threat intelligence (CTI)? Help SANS examine the state of CTI. Take the survey and enter to win a $400 Amazon gift card | http://www.sans.org/info/207230




--DHS Report on Precision Agriculture Cyberthreats

(October 4, 2018)

A report from the US Department of Homeland Security says that emerging digital technologies in the agricultural sector face a number of cybersecurity threats. The technologies, known collectively as precision agriculture, include Internet of Things (IoT) devices and the networks they rely on. The report warns that these devices and systems could be compromised through phishing attacks, infected USB drives, and other vectors. Attacks could be used to steal data, damage equipment, harm crops and livestock, and damage reputations. The report lists best practices for agricultural businesses.

Read more in:

SC Magazine: Precision agriculture advancement offers large attack surface, DHS report


Bleeping Computer: DHS Warns of Cybersecurity Threats to Agriculture Industry


DHS: 2018 Public-Private Analytic Exchange Program: Threats to Precision Agriculture (PDF)



--Irish Data Protection Commission is Investigating Facebook Breach

(October 4, 2018)

Ireland's Data Protection Commission has opened an investigation into the recently disclosed Facebook breach that prompted the company to force 90 million users to log out of the social networking site. The Commission says it plans to examine Facebook's compliance with its obligation under the General Data Protection Regulation to implement technical and organisational measures to ensure the security and safeguarding of the personal data it processes.

[Editor Comments]

[Honan] Under GDPR, Facebook could face several penalties, one of which is a fine of €20m or 4% of their global turnover, should the Commission determine they had not taken the appropriate steps to protect customers' data. In addition, if the Commission finds that the breach response and notification was not sufficient, an additional fine of €10m or 2% of annual global turnover could also be applied. Many companies will be watching the outcome of this case very closely as it will provide guidance on how future breaches will be managed.

Read more in:

Data Protection: Facebook Data Breach - Commencement of Investigation


Silicon Republic: Irish Data Protection Commission confirms Facebook probe is underway


The Hill: Irish data watchdog opens investigation into Facebook breach



--Senate Passes Bill Elevating Renamed NPPD to Full Operating Agency

(October 3 & 4, 2018)

The US Senate has passed the Cybersecurity and Infrastructure Security Agency Act of 2017, legislation that elevates the Department of Homeland Security's (DHS's) National Protection and Programs Directorate (NPPD) to a full operating agency, on the same level as FEMA or the Secret Service. The bill also renames NPPD the Cybersecurity and Infrastructure Security Agency. Christopher Krebs, Under Secretary for the soon-to-be-renamed agency, said the change clarifies and clearly signifies the agency's mission, and that it will help with recruiting.

Read more in:

FCW: Senate OKs creation of new DHS cyber agency


The Hill: Senate passes key cyber bill cementing cybersecurity agency at DHS


Cyberscoop: DHS's top cyber office is about to get a name that reflects its mission


Nextgov: Senate Agrees Federal Cybersecurity Office Should Have Name To Match


FNR: DHS cyber office name change more likely, USDS offers advice


Congress.gov: H.R.3359 - Cybersecurity and Infrastructure Security Agency Act of 2018



--California Law: No Bots During Elections

(October 3, 2018)

A bill recently signed into law in California makes it illegal to use surreptitious bots to communicate or interact with another person in California online with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election. The law will take effect July 1, 2019.

[Editor Comments]

[Murray] The California legislature has what Congress clearly lacks: an understanding of the problem and the will to act.  

Read more in:

SC Magazine: California bill bans bots during elections



--Phantom Secure CEO Pleads Guilty to Providing Secure BlackBerrys to Drug Traffickers

(October 2 & 3, 2018)

Vincent Ramos, CEO of Phantom Secure, has pleaded guilty to conspiracy to commit racketeering for his role in a scheme that facilitated the transnational importation and distribution of narcotics through the sale and service of encrypted communications devices. Phantom Secure sold stripped-down, encrypted BlackBerry devices to drug traffickers. Ramos and three co-conspirators were indicted earlier this year. Phantom Secure also maintained servers in Hong Kong and Panama, which were obfuscated using virtual proxies.

Read more in:

Ars Technica: CEO who sold phones with totally unbreakable encryption takes plea deal


ZDNet: Phantom Secure CEO pleads guilty to providing drug cartels with encrypted phones


The Register: CEO pleads guilty of conspiring with drug cartels to sell them stealthy Blackberrys


DOJ: CEO of Encrypted Communications Company Pleads Guilty to Operating a Criminal Enterprise that Facilitated the Transnational Distribution of Narcotics



--Adobe Releases Updates for Acrobat and Reader

(October 2, 2018)

Adobe has released updates for Acrobat and Reader to address a total of 85 security issues. Many of the vulnerabilities could be exploited to allow remote code execution; other flaws could be exploited to obtain elevated privileges or disclose information. 

[Editor Comments]

[Murray] The Adobe (and other large vendor) strategy of transferring much of the cost of low quality to the end user is clearly working for them; the investors love them. The rest of us, not so much.

Read more in:

The Register: Haven't updated your Adobe PDF software lately? Here's 85 new reasons to do it now


Adobe: Security bulletin for Adobe Acrobat and Reader | APSB18-30



--Alabama Launches State Security Operations Center

(October 1, 2018)

The US state of Alabama has established a Security Operations Center (SOC) within its Office of Information Technology (OIT). The SOC, which monitors the state's electronic resources, has been operational since mid-August. Alabama's OIT has also launched a new security website aimed at educating citizens.

Read more in:

Statescoop: Alabama Gov. Kay Ivey announces state's first security operations center


OIT Alabama: OIT Unveils Security Operations Center to Fight Against Cyberattacks




How to Write Yara Rules


GhostDNS DNS Changer Malware


Foxit PDF Reader Vulnerabilities


Identifying a Phisher


Phishing via Azure Blob Storage


Zoho Domains Used for Phishing and Keyloggers


Apple Laptops Shipped With CPU in Manufacturing Mode


Dell iDRAC Exploit


Does the Chinese Military Manipulate Supermicro Motherboards?


Cloudflare IPFS Gateway Used For Phishing


DNSSEC Root Key Signing Key Rollover




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create