OnDemand Includes 4 Months Access to Course Content - Special Offers Available Now!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #8

January 30, 2018


SANS NewsBites               January 30, 2018                Vol. 20, Num. 008



  Lloyds's Report on Potential Economic Losses from Cloud Failure

  UK Critical Infrastructure Companies Could Be Fined for Inadequate Security

  Jackpotting ATM Attacks Spotted in US

  Triton/TriSIS - In Search of its Twin


  WordPress Sites Infected with Keystroke Logger

  Microsoft Releases Out-of-Cycle Update to Disable Spectre Mitigation

  Strava Fitness App Map Reveals Locations of Military Bases

  Malwarebytes Had a Busy Weekend Updating its Updates

  Lenovo Fixes Hard-Coded Password Issue in Laptops

  Coincheck Will Reimburse Customers for Stolen Crypto Currency

  Dutch Intelligence Helped FBI with DNC Hack Attribution


***************************  Sponsored By Sophos Inc.  **********************

WEBCAST: Intercept X - Seeing the future is the future of cybersecurity

Join us to discover how Sophos Intercept X leverages multiple advanced techniques, including deep learning, anti-ransomware and anti-exploit technology, to stop both known and unknown malware, dead. Register Today: http://www.sans.org/info/201390



-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018

-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018

-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS London March 2018 | March 5-10 | https://www.sans.org/event/London-March-2018            

-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018

-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018

-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018

-- SANS at RSA(R) Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018

-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018

-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad Mini, Samsung Galaxy Tab S2 or take $300 Off your OnDemand or vLive training course by February 7. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format -https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all



 --Lloyds's Report on Potential Economic Losses from Cloud Failure

(January 24, 2018)

According to an emerging risk report from Lloyds's, a major cyber event affecting a major cloud provider could have significant economic repercussions in the US economy, causing an estimated $15 billion USD in losses. The fact that there are just a handful of major cloud services companies that dominate the market "creates the potential for systemic risk for service users."

Read more in:

Cyberscoop: U.S. economy could lose billions if attack shut down major cloud providers, report says


Lloyds: An Emerging Risk Report from Lloyd's Innovation


 --UK Critical Infrastructure Companies Could Be Fined for Inadequate Security

(January 28 & 29, 2018)

The UK government has taken action that will impose fines of as much as GBP 17 million ($23.9 million USD) on companies that support the country's critical infrastructure if they fail to employ adequate security, fail to report an incident, refuse to cooperate with "competent authority," or fail to comply with regulators' instructions. The government will appoint sector-specific regulators to assess the companies' security postures.

[Editor Comments]

[Pescatore] In the US, the FTC has done a good job of fining companies that didn't sufficiently protect customer information. Those fines do get the attention of CEOs and Boards of Directors. Increased focus on basic security hygiene at critical infrastructure providers is needed. In the UK NCSC Cyber Essentials forms a nice baseline security hygiene level against which to base decisions.

Read more in:

Gov.uk: Government acts to protect essential services from cyber attack


SC Magazine: Failure to comply with U.K. gov't directive to bolster cybersecurity, infrastructure firms could face stiff fines


The Register: UK infrastructure firms to face u17m fine if their cybersecurity sucks



 --Jackpotting ATM Attacks Spotted in US

(January 27 & 29, 2018)

The US Secret Service has started warning banks that ATM "Jackpotting" attacks have been detected in the US. The attacks involve placing malware or specialized electronics on the targeted machines to reset them and cause them to dispense large amounts of cash on demand. An anonymous source said that the Secret Service has credible information that the thieves are targeting Opteva 500 and 700 series Diebold Nixdorf ATMs. Jackpotting attacks have been reported in Asia and Europe, but this marks their entry to the US.   

[Editor Comments]

[Pescatore] Over the years, Diebold ATMs and voting machines (a business Diebold sold off several years) always seem to be the low hanging fruit for attackers. However, this latest round of attack code shows the use of the Kalignite Platform, commercial software to allow applications to run across multi-vendor ATMs. So, just not using Diebold ATMs does not mean a bank is safe from the latest form of Ploutus attack ware. The risk is all on the banks - the attack does not impact individual accounts or data.

[Neely] To pull this off, you need to not only have an ATM with the vulnerable software, but also defeat the physical protections so you can access the USB ports. Regrettably, this is facilitated by many of these ATMs still running Windows XP. Like many appliances, updating the OS is often a function of device replacement rather than an in-place update. Free standing ATMs are only a few thousand dollars, while an in-wall unit can easily run $60,000, so replacement is often on-trivial or avoided.

Read more in:

KrebsOnSecurity: First 'Jackpotting' Attacks Hit U.S. ATMs


Reuters: 'Jackpotting' hackers steal over $1 million from ATMs across U.S.: Secret Service


 --Triton/TriSIS - In Search of its Twin

(January 29, 2018)

In this SANS Industrial Control Systems Security Blog post, Michael Assante asks whether Triton/TriSIS is "really an isolated capability that only focuses on the safety system inside of a larger industrial process? Or is there a more nefarious 3D chess game in play here?" The fact that the attackers chose to focus their time and effort on targeting a safety system rather than DCS suggests that Triton/TriSIS was created not to trigger a safety shutdown, but to prevent process shutdown during dangerous conditions. And this in turn suggests that there is likely to be an accompanying DCS attack designed to create a dangerous situation. Assante concludes, "I believe the ICS community should be on watch for a sister capability that takes control of a DCS to drive a process into unsafe conditions."

Read more in:

SANS: Triton/TriSIS - In Search of its Twin


**************************  SPONSORED LINKS  ********************************

1) It's Time to Move Endpoint Security to the Cloud - Register Now for Live Educational Webcast: http://www.sans.org/info/201395

2) Learn about the five key technologies that must evolve to implement a successful identity management solution that addresses hybrid and multi-cloud environments. Register: http://www.sans.org/info/201400

3) Don't Miss: "A pen-testers perspective on malware & ransomware attack techniques and the state of endpoint security" Register: http://www.sans.org/info/201405



 --WordPress Sites Infected with Keystroke Logger

(January 26 & 29, 2018)

At least 2,000 WordPress sites are infected with keystroke logging malware. The malware also appears to include a cryptocurrency mining component. The same malware was found on 5,500 WordPress sites late last year. Those sites were fixed when the websites serving the malicious scripts were taken down.

[Editor Comments]

[Ullrich] The vulnerable sites were not fixed. Instead, the infrastructure supporting the attack was taken down. But then again, 5,000 infected Wordpress sites is probably just a small fraction of all the Wordpress sites compromised. If you like Wordpress, then do not host it yourself but sign up for one of the plans at Wordpress.com. 

[Neely] Part of your WordPress (or other similar system) security toolkit should include a security plugin that can be used to monitor the integrity of the site as well as assist with updates. You also need a backup solution so you can roll a site backwards if something bad happens or you're unable to remove malware any other way. Part of the spread of this malware involves content embedded as comments. Moderating and reviewing comments before accepting them should be SOP.

Read more in:

Ars Technica: More than 2,000 WordPress websites are infected with a keylogger


Threatpost: Keylogger Campaign Returns, Infecting 2,000 WordPress Sites



 --Microsoft Releases Out-of-Cycle Update to Disable Spectre Mitigation

(January 28 & 29, 2018)

Over the weekend, Microsoft released an update for Windows systems that disables a problematic Intel microcode fix for CPUs affected by the Spectre bug. After issues with the Intel patches became known last week, Intel called for users to stop applying them. The Microsoft update disables the troublesome patches on machines where they have already been installed.

[Editor Comments]

[Ullrich] This patch was an Intel Microcode patch. Microsoft needs to include them in Windows to load them into the CPU at boot time. Intel is trying to find better workarounds to fix a problem that ultimately cannot be fixed in software. The workarounds Intel released try to shield software from the effects of the vulnerability without removing the performance benefit gained from the vulnerable features, which leads to rather complex and "ugly" patches and incompatibilities that Intel is trying to address.

Read more in:

Microsoft: Update to disable mitigation against Spectre, Variant 2


Dark Reading: Microsoft Issues Emergency Patch to Disable Intel's Broken Spectre Fix


Ars Technica: New Windows patch disables Intel's bad Spectre microcode fix


The Register: Microsoft works weekends to kill Intel's shoddy Spectre patch


ZDNet: Windows emergency patch: Microsoft's new update kills off Intel's Spectre fix


Bleeping Computer: Microsoft Issues Windows Out-of-Band Update That Disables Spectre Mitigations


Computerworld: Microsoft releases emergency Windows update to hamstring earlier 'Spectre' defense



 --Strava Fitness App Map Reveals Locations of Military Bases

(January 28 & 29, 2018)

A map generated by the Strava fitness tracking app has exposed information about military bases and facilities around the world. Strava published the map, which includes GPS data from the app's users, last year. The company's intent was to demonstrate how many people were already using the app. Instead, the map revealed the locations of military bases through concentrated areas of fitness activity in remote places. The exposed bases belong not just to the US, but to other countries as well. 

[Editor Comments]

[Pescatore] Years ago, the DoD announced a ban on all military use of social media because of fears of compromising operational security. The same week, a DoD press release reported that they had exceeded their recruiting goals (not easy with a volunteer army and multiple conflicts going on) and largely credited DoD's increased reach out on and use of social media.  DoD rescinded the ban - there are ways to control the risk and not lose the "business gain" for every new technology - and the same is true for the use of online fitness site tracking sites.

[Neely] The National Institute of Health posted an article in 2014 containing a similar heat map of San Francisco from 2012. The FitBit location database has been showcased on a heat map at the SF Exploritorium for at least four years. This is partly exacerbated by the US Military issuing FitBits in 2013 as part of a pilot fitness program. Mitigations include making sure that your privacy settings don't enable sharing more about your location than you would like when uploading workout data and consider not uploading information relating to workouts in sensitive areas and hold off on cross posting your workout location on social media.

Read more in:

BBC: Fitness app Strava lights up staff at military bases


The Hill: Experts suggest fitness tracking data reveals locations of US military bases


ZDNet: How Strava's "anonymized" fitness tracking data spilled government secrets


Bleeping Computer: Fitness Tracking App Accidentally Exposed Military Bases


Ars Technica: "Heatmap" for social athlete's app reveals secret bases, secret places



 --Malwarebytes Had a Busy Weekend Updating its Updates

(January 27 & 29, 2018)

Over the weekend, Malwarebytes pushed out two fixes for a recent update that was causing problems for users. Late last week, Malwarebytes pushed out an update to its Endpoint security products. Users reported that the update was consuming as much as 90 percent of their machines' RAM and CPU. Shortly after those reports emerged, Malwarebytes pushed out another update, but that one caused users' machines to crash on reboot. Malwarebytes released yet another update to fix that problem. 

Read more in:

The Register: You publish 20,000 clean patches, but one goes wrong and you're a PC-crippler forever


ZDNet: Malwarebytes product patch pummels user CPUs


Bleeping Computer: Malwarebytes Update Released to Fix High CPU & Memory Usage in Mbamservice.exe


Cyberscoop: Malwarebytes updates lead to a weekend full of crashing computers


Softpedia: Faulty Malwarebytes Update Causes High CPU Usage on Windows, Fix Available



 --Lenovo Fixes Hard-Coded Password Issue in Laptops

(January 26 & 29, 2018)

Lenovo has released a fix for a hard-coded password in its fingerprint-scanning app that affects a dozen models of the company's Windows-based laptops. The issue affects Lenovo Fingerprint Manager Pro for Windows 7, 8, and 8.1, but does not affect Lenovo laptops running Windows 10. Users are urged to upgrade to Lenovo Fingerprint Manager Pro version 8.01.87.

Read more in:

Threatpost: Lenovo Fixes Hardcoded Password Flaw Impacting ThinkPad Fingerprint Scanners


Bleeping Computer: Lenovo's Fingerprint Scanner Can Be Bypassed via a Hardcoded Password



 --Coincheck Will Reimburse Customers for Stolen Crypto Currency

(January 26, 28, & 29, 2018)

Late last week, someone hacked Japanese cryptocurrency exchange Coincheck's digital wallet, making off with nearly $500 million USD in virtual currency known as NEM coins. Coincheck says that it will use its own capital to repay customers roughly 90 percent of the value of the stolen cryptocurrency in Japanese yen.

[Editor Comments]

[Murray] One of the intended advantages of cryptocurrency was to reduce the reliance on third parties.  How is that working out?

Read more in:

Ars Technica: Two new cryptocurrency heists make off with over $400M worth of blockchange


SC Magazine: Hacked cryptocurrency exchange to reimburse customers after largest heist in history


Bloomberg: Coincheck to Repay Users Who Lost Money in $400 Million Hack



 --Dutch Intelligence Helped FBI with DNC Hack Attribution

(January 26, 2018)

Dutch newspaper de Volkskrant reports that intelligence officials in that country provided US intelligence agencies with crucial evidence that helped them tie Russia to interference in the 2016 US presidential election. de Volkskrant says that in 2014, members of the Netherlands General Intelligence Security Service (AIVD) gained access to networks that Russian hackers were using and observed the hacker actively breaking into DNC networks. The Dutch intelligence agents spied on the Russian hackers for more than two years, determining their location and even managing to watch the hackers in action over closed-circuit television systems.   

[Editor Comments]

[Northcutt] It is clear that data was shared with the US in 2014, 2015. French intelligence had data on three of the attackers before Paris 2015. The conversion from data to useful information is hard, just ask anyone trying to fully integrate a SIEM into their enterprise. This is why things like AI industry day at DIA last year are important, the volume of data is growing faster than the actionable information it produces. 




Read more in:

Dark Reading: Dutch Intel Agency Reportedly Helped US Attribute DNC Hack to Russia


The Hill: Dutch spy agencies passed FBI 'crucial' intel on Russian election hacking: reports


Washington Post: The Dutch were a secret U.S. ally in war against Russian hackers, local media reveal




Analyzing a Word Document Used in a Pentest


Analyzing BITS Activity


CryptoJacking on YouTube Due to Malicious Ads


Coincheck Hack Nets 400M USD


PHPBB Mirror Compromised


Microsoft Disables Spectre Variant 2 Patches



Lenovo Fingerprint Manager Pro Vulnerability


ClamAV Vulnerabilities


Malwarebytes Corrupted Update



Cisco Adaptive Security Appliance Remote Code Execution Vulnerability


Web2Top Proxy onion.tor Appears to Steal Ransomware Payments



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create