
Volume XX - Issue #98

December 14, 2018


SANS NewsBites                Dec. 14, 2018                 Vol. 20, Num. 98



  NIAC Report on Catastrophic Power Outage Preparation

  Iranian Hackers Targeted US Treasury Officials eMail Accounts

  Congressional Report on Equifax Breach Finds It Was Entirely Preventable


  US Legislators Can Spend Surplus Campaign Funds on Cybersecurity

  Italy's Saipem Hit with Shamoon Data-Wiping Malware

  Maritime Cybersecurity Guidance

  Playing Hot Potato with Responsibility for Ticketmaster Magecart Infection

  DHS OIG Finds that US Customs and Border Patrol Agents Are Not Routinely Purging Data Taken From Searched Devices

  Operation Sharpshooter

  China Cyberespionage Threat

  Patch Tuesday: Microsoft and Adobe

  Mozilla Releases Firefox 64 and Firefox ESR 60.4

  Third-Party Investigation Finds No Evidence of Spy Chips on Super Micro Motherboards




-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019

-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019

-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 | https://www.sans.org/event/cyber-threat-intelligence-summit-2019

-- SANS Las Vegas 2019 | January 28-February 2 | https://www.sans.org/event/las-vegas-2019

-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019

-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019

-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019

-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019

-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Last Chance this year to Get a GIAC Certification Attempt Included or Take $350 Off with OnDemand or vLive. Offer Ends December 26.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap



***************************  Sponsored By  Splunk  ************************************

Read this Executive Brief from CSO, Closing the Cybersecurity Gap: 3 Keys to an Analytics-Driven Security, to learn how you can improve your security posture and gain real bottom-line benefits. http://www.sans.org/info/209280




--NIAC Report on Catastrophic Power Outage Preparation

(December 10, 2018)

A draft report from the US National Infrastructure Advisory Council found that the country's current plans to prepare for and recover from a catastrophic power outage are insufficient. Significant public and private action is needed to prepare for and recover from a catastrophic outage that could leave large parts of the nation without power for weeks or months, and cause service failures in other sectors. The report makes two overarching recommendations for responding to the problem: the US should design a national approach for preparation, response, and recovery with guidance for all levels of government, industry, communities, and individuals; and it should improve our understanding of how cascading failures across critical infrastructure will affect restoration and survival.

Read more in:

Cyberscoop: U.S. must prep for a cyberattack that coincides with a natural disaster, industry council says


Meritalk: NIAC Urges Preparation for Natural Disaster and Cyberattack


DHS: NIAC Draft Report: Surviving a Catastrophic Power Outage How to Strengthen the Capabilities of a Nation



--Iranian Hackers Targeted US Treasury Officials' eMail Accounts

(December 13, 2018)

According to a report from the Associated Press (AP), Iranian hackers have been attempting to break into the personal email accounts of US officials who are responsible for enforcing renewed US economic sanctions against the country. The hacking group known as Charming Kitten is targeting the private email accounts of US Treasury officials, as well as those of other high-profile individuals. The hackers' activity has been tracked by London, UK-based cybersecurity group Certfa, which says the hackers have ties to Iran's government.

[Editor Comments]

[Williams] It makes sense that nation-state attackers would target personal email. If the Clinton private email server investigation taught us anything, it's that there can be very sensitive and even classified data in personal email accounts. It would not surprise me to learn that Google has terabytes of classified data across the many millions of Gmail accounts in use. Even removing classified data from the equation, we still have the concern of confidential and extremely sensitive data that is likely there as well.

[Henry] People have told me for a long time that attribution doesn't matter. Focus on patching systems and block malware, they've said. While those things are critically important, we can't discount the importance of intelligence and the ability to peer around the corner to see what's coming. In the past, Iran has targeted the United States after economic sanctions were implemented; the Iranian targeting of US Treasury officials with new sanctions being initiated this past November should be expected. Understanding who your adversary is, why they will target you, how they will target you, and when they will target you are all valuable pieces of intelligence that can help organizations better protect their environments by proactively hunting for adversary IOCs and TTPs.

Read more in:

AP: AP Exclusive: Iran hackers hunt nuke workers, US officials


The Hill: Iranian hackers targeted personal email accounts of US Treasury officials: report


Certfa: The Return of The Charming Kitten



--Congressional Report on Equifax Breach Finds It Was Entirely Preventable

(December 10 & 11, 2018)

The US House Oversight and Government Reform Committee has released a report on the massive Equifax data breach that was disclosed in September 2017. The report found that the breach was "entirely preventable" and that the company "failed to implement clear lines of authority within their internal IT management structure, allowed over 300 security certificates to expire, [and] were unprepared to identify, alert and support affected consumers."

[Editor Comments]

[Pescatore] Most accidents, thefts, financial disasters and illnesses are preventable. We need to see case studies on why other credit reporting agencies improved their abilities to prevent large scale incidents like this while Equifax seemed to just keep failing.

[Neely] An outgrowth of this breach was the May 2018 Economic Growth, Regulatory Relief and Consumer Protection Act (https://www.congress.gov/bill/115th-congress/senate-bill/2155), which makes credit freezes and thaws free. A recurring theme with this breach was the need for overlapping responsibilities, comprehensive communication, monitoring, and supporting processes to reach and maintain an appropriate security posture.

Read more in:

Nextgov: The Equifax Breach Affecting Nearly Half of Americans Was 'Entirely Preventable'


SC Magazine: House panel says Equifax breach was entirely preventable


The Register: Equifax how-it-was-mega-hacked damning dossier lands, in all of its infuriating glory


FCW: 'Culture of cybersecurity complacency' blamed for 2017 Equifax hack


House Oversight: Committee Releases Report Revealing New Information on Equifax Data Breach (Key Findings)


House Oversight: The Equifax Data Breach: Majority Staff Report, 115th Congress, December 2018


**************************  SPONSORED LINKS  ********************************

1) Attend the inaugural SANS Open-Source Intelligence Summit in Washington, DC, Feb 25.  http://www.sans.org/info/209285

2) Don't Miss: "Defeating Attackers with Preventive Security" with Dave Shackleford. Register: http://www.sans.org/info/209290

3) What role does artificial intelligence play in security? Help SANS examine how security professionals are leveraging AI by taking this survey, and enter to win a $400 Amazon gift card | http://www.sans.org/info/209295




--US Legislators Can Spend Surplus Campaign Funds on Cybersecurity

(December 13, 2018)

The US Federal Elections Commission says that federal legislators may use surplus campaign funds to bolster cybersecurity for their personal devices and online accounts. The decision came in response to an advisory opinion request from Senator Ron Wyden (D-Oregon).

[Editor Comments]

[Pescatore] More security for legislators' use of personal systems and accounts is a good thing, but more spending doesn't always equate to more security. The use of surplus campaign funds for personal physical security measures had already been deemed permissible, and there have been reports of wasteful spending on guard stations and the like. The memo from Admiral Rogers that Sen. Wyden used in his justification points to NSA IAD guidance, which is along the lines of the Critical Security Controls; guidance on spending needs to be issued to make sure it is along those lines.

Read more in:

The Register: US elections watchdog says it's OK to spend surplus campaign cash on cybersecurity gear


FEC: Draft Advisory Opinion


Wyden: Request for Advisory Opinion, May 16, 2018



--Italy's Saipem Hit with Shamoon Data-Wiping Malware

(December 12 & 13, 2018)

A new version of the Shamoon data-wiping malware has been used to target computers that belong to Italy's Saipem, an oil and gas contractor that does the majority of its business in the Middle East. About 10 percent of the company's PCs were affected by the malware. Saipem is a contractor for Saudi Aramco, which was the target of earlier, highly destructive Shamoon attacks. The newest version of Shamoon overwrites files with junk data.

[Editor Comments]

[Murray] Enterprise data should be stored only on enterprise servers, never on desktops, and write access on those servers should be restricted to privileged processes. The practice of storing enterprise data on desktop personal computers with read/write access leaves one unnecessarily vulnerable to this kind of attack.

Read more in:

Threatpost: Shamoon Reappears, Poised for a New Wiper Attack


ZDNet: Shamoon malware destroys data at Italian oil and gas company


SC Magazine: Cyberattack sidelines Middle East servers of Italian energy contractor Saipem



--Maritime Cybersecurity Guidance

(December 12, 2018)

Shipping associations and industry groups have published the third edition of the Guidelines on Cyber Security Onboard Ships, which offers guidance for securing ships' IT systems. The document also includes examples of cybersecurity and IT failure incidents, including a virus infection found on a ship's Electronic Chart Display and Information System (ECDIS) that delayed the vessel's departure. In other cases, systems failed due to outdated operating systems, thumb drives infected systems with malware, and ransomware infected onboard IT systems as well as shipping company backend systems. Perhaps the most well-known incident involved systems at the Maersk cargo shipping line, which became infected with the NotPetya malware. The company had to reinstall more than 4,000 servers and more than 45,000 PCs, and incurred costs of more than US $300 million.

Read more in:

ZDNet: Ships infected with ransomware, USB malware, worms


IUMI: The Guidelines on Cyber Security Onboard Ships



--Playing Hot Potato with Responsibility for Ticketmaster Magecart Infection

(December 12, 2018)

Ticketmaster UK and Inbenta Technologies disagree about which organization is responsible for the Magecart malware infection that compromised payment cards of Ticketmaster customers. Ticketmaster maintains that the responsibility lies with a customer support product hosted by Inbenta, which said that it never intended for the customized JavaScript to be used in the way Ticketmaster used it.

[Editor Comments]

[Neely] Ticketmaster had the responsibility for the security of their site, and it was their developers that deployed that JavaScript. This highlights the importance of security and integration testing as well as properly vetting changes to code that interfaces with partner systems.

[Murray] Implementation-induced vulnerabilities often exist at interfaces where responsibility changes at the interface. That said, users of a service are generally responsible for the security of that use.

Read more in:

The Register: Ticketmaster tells customer it's not at fault for site's Magecart malware pwnage



--DHS OIG Finds that US Customs and Border Patrol Agents Are Not Routinely Purging Data Taken From Searched Devices

(December 12, 2018)

A report from the US Department of Homeland Security Office of Inspector General (DHS OIG) found that US Customs and Border Patrol (CBP) agents are not purging their thumb drives of information copied while searching travelers' devices. The report also found that CBP officers did not consistently disconnect electronic devices, specifically cell phones, from the network before searching them because headquarters provided inconsistent guidance to the ports of entry on disabling data connections on electronic devices. OIG made five recommendations, including ensuring that device searches are properly documented, ensuring that electronic devices are disconnected from the network prior to searches, and ensuring that copied data are removed from CBP thumb drives after the data have been uploaded to the Automated Targeting System for analysis.

[Editor Comments]

[Neely] Having consistent procedures for media sanitization, combined with training so users intrinsically apply that guidance consistently, is key, particularly in stressful situations such as a search and seizure scenario. If you find yourself on the receiving end of a CBP inspection, cooperate fully; don't aggravate the already stressful situation.

[Murray] DHS and CBP have been criticized in the past for not disclosing the instructions given to agents about the use of the extraordinary but reasonable power to search personal computers at border crossings. These issues may result, at least in part, from their lack of candor. One continues to suspect that the lack of candor results in part from an absence of instruction rather than from a desire to hide instruction given.

Read more in:


ZDNet: US border agents aren't deleting travelers' data after device searches


Ars Technica: Was your phone imaged by border agents? They may still have the data


Nextgov: CBP Officers Aren't Deleting Data After Warrantless Device Searches, IG Says


OIG.DHS: CBP's Searches of Electronic Devices at Ports of Entry (Redacted)



--Operation Sharpshooter

(December 12, 2018)

The Operation Sharpshooter phishing campaign uses phony job recruitment documents to place backdoors on computers at nuclear, defense, energy, and financial companies. The backdoor malware, dubbed Rising Sun, has been detected on systems at no fewer than 87 organizations, according to McAfee Labs. The campaign uses source code that was used in the Lazarus Group's 2015 Trojan Duuzer backdoor. While this could suggest that the Lazarus Group is behind Sharpshooter, McAfee cautions that the numerous technical links to the Lazarus Group "seem too obvious to immediately draw the conclusion that they are responsible for the attacks, and instead indicate a potential for false flags."

Read more in:

McAfee: Operation Sharpshooter (PDF)


Securing Tomorrow: Operation Sharpshooter Targets Global Defense, Critical Infrastructure


SC Magazine: Sharpshooter cyberespionage campaign scopes out defense, critical infrastructure sectors


CNET: Global hacking campaign targets critical infrastructure


Dark Reading: U.S. Defense, Critical Infrastructure Companies Targeted in New Threat Campaign



--China Cyberespionage Threat

(December 11 & 12, 2018)

In a US Senate Judiciary Committee hearing, Assistant Director of the FBI's Counterintelligence Division Bill Priestap called China "the most severe counterintelligence threat facing our country today." Officials from the Department of Justice (DOJ) and the Department of Homeland Security (DHS) concurred. Recent news stories suggest that the Marriott breach was allegedly the work of Chinese hackers gathering intelligence.

[Editor Comments]

[Murray] There is a story, which may be apocryphal, that during a blackout in Shanghai, the lights remained on on the non-existent thirteenth floor of the Marriott Hotel.

Read more in:

Washington Post: Top FBI official warns of strategic threat from China through economic and other forms of espionage


The Hill: Top security officials issue stark warning of Chinese espionage efforts


NYT: Marriott Data Breach Is Traced to Chinese Hackers as U.S. Readies Crackdown on Beijing



--Patch Tuesday: Microsoft and Adobe

(December 11 & 12, 2018)

On Tuesday, December 11, Microsoft and Adobe released security updates. Microsoft's updates address security issues in Windows and related products. In all, the Microsoft updates fix 39 vulnerabilities, one of which is being actively exploited. Adobe released updates for Acrobat and Reader to address nearly 90 security issues, 39 of which are rated critical.

Read more in:

KrebsOnSecurity: Patch Tuesday, December 2018 Edition


SC Magazine: Microsoft Patch Tuesday includes fix for actively exploited zero-day


The Register: It's December of 2018 and, to hell with it, just patch your stuff


V3: Microsoft issues Patch Tuesday fixes for 39 vulnerabilities


Bleeping Computer: Updates Released For Critical Vulnerabilities in Adobe Acrobat and Reader


Adobe: Security Bulletin for Adobe Acrobat and Reader | APSB18-41


Microsoft: Security Update Summary



--Mozilla Releases Firefox 64 and Firefox ESR 60.4

(December 11 & 12, 2018)

Mozilla has released Firefox 64. The newest version of the browser includes fixes for a number of security issues, including several critical memory safety bugs. Firefox 64 also incorporates several new features, including a new Task manager that shows energy consumption broken down by tab, add-on, or other task. In addition, the browser now distrusts all Symantec TLS certificates.

[Editor Comments]

[Northcutt] I still have Firefox as my default browser even as it's in the number three position, but this is too little, too late. This browser still helps give a privacy shelter between Chrome and Edge, so I will run it a bit longer.

Read more in:

ZDNet: Firefox 64 released with a Windows-like task manager


SC Magazine: Mozilla patches vulnerabilities in Firefox and Firefox ESR


Bleeping Computer: Mozilla Firefox 64.0 Released - Here's What's New


Mozilla: Firefox 64 Release Notes


Mozilla: Security vulnerabilities fixed in Firefox 64


Mozilla: Firefox ESR 60.4.0 Release Notes


Mozilla: Security vulnerabilities fixed in Firefox ESR 60.4.0



--Third-Party Investigation Finds No Evidence of Spy Chips on Super Micro Motherboards

(December 11, 2018)

In a letter to customers, Super Micro President and CEO Charles Liang and other executives wrote that after "thorough examination and a range of functional tests, the [third-party] investigations firm found absolutely no evidence of malicious hardware on our motherboards." A Bloomberg news story in early October 2018 alleged that Chinese spies had placed spy chips on Super Micro motherboards. The allegations have also been refuted by Amazon and Apple, companies that use Super Micro motherboards in their data centers.

[Editor Comments]

[Pescatore] Bloomberg is still standing by its reporting despite no evidence of this sophisticated level of tampering. That said, we know intelligence agencies have done this kind of thing in the past; the issue of how to detect hardware tampering in high-risk usage cases still needs to be part of supply security programs, especially in critical infrastructure areas.

Read more in:

Super Micro: Letter to Customers


Threatpost: Super Micro Says Its Gear Wasn't Bugged By Chinese Spies


ZDNet: Super Micro says external security audit found no evidence of backdoor chips


Ars Technica: Audit: No Chinese surveillance implants in Supermicro boards found


TechCrunch: Supermicro says investigation firm found no spy chips




Microsoft December 2018 Patch Tuesday


Adobe Patch Tuesday


Certificate Authority Weaknesses


Yet Another DOSfuscation Sample


OpenSSH Backdoors


Android Malware Bypasses 2FA For Paypal


Fake E-Mail Bomb Threats


Phishing Via Non-Delivery Notices


LamePyre MacOS Malware



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create