
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #27

April 4, 2017

TOP OF THE NEWS


UK Finds Initial Solution For the Cyber Manpower Pipeline Puzzle
US & UK Governments Warn Airports and Power Stations of 'Credible Cyber Threat'
Kaspersky Lab: Server Logs Suggest North Korean Link to Bangladesh Bank Theft
2014 State Department Breach was "Hand-to-Hand Combat"

THE REST OF THE WEEK'S NEWS


Fancy Bear/APT28 Group Suspected of Compromising Athlete Data
Moonlight Maze and Turla Connection
Microsoft Shuttering CodePlex
Disgruntled Former Employee Pleads Guilty to Causing Computer Damage
TRANSCOM Commander Concerned About Disparity Between Civilian and DoD Network Security
DHS to Meet with State Election Officials to Discuss Critical Infrastructure Designation
Bill Would Establish Energy Sector Cybersecurity Testing Pilot Program
Legislators Ask FCC to Address Signaling System 7 Cellphone Security Issues

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Sophos Inc. ********************

NEW Research Report - 2017 Ransomware Defense Survey: The Enterprise Strikes Back. 36% of respondents say they were victims of ransomware and 57% say they are more likely to be a ransomware target in 2017. Find out more on what IT pros are saying about the true impact of ransomware on their organizations. Continue Reading: http://www.sans.org/info/193922

***************************************************************************


TRAINING UPDATE



-- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2017

-- SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017

-- SANS Automotive Cybersecurity Summit & Training | Detroit, MI | May 1-8, 2017 | https://www.sans.org/event/automotive-cybersecurity-summit/

-- SANS Security West 2017 | San Diego, CA | May 9-18 |
https://www.sans.org/event/sans-security-west-2017

-- SANS San Francisco Summer 2017 | June 5-10 | https://www.sans.org/event/san-francisco-summer-2017

-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 | https://www.sans.org/event/security-operations-center-summit-2017

-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 | https://www.sans.org/event/secure-europe-2017

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 | https://www.sans.org/event/cyber-defence-canberra-2017

-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017

-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017

-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

UK Finds Initial Solution For the Cyber Manpower Pipeline Puzzle (April 1 & 3, 2017)

The UK government's Cyber Retraining Academy has just graduated its first group of 55 students. Candidates without prior information security experience were screened based on "the traits required to succeed in the profession." Screening used an innovative aptitude test suite measuring both the psychometric characteristics that advanced security practitioners display, as well as basic technical mastery. Each person left his/her current job for eight weeks of intensive hands-on training. Two graduates have already been offered positions in the cybersecurity industry; others have received job offers from or are interviewing at organizations like JP Morgan, Amazon, and the National Crime Agency. A pilot test of the program in 2016 placed 100% of the candidates in technical cybersecurity roles.

[Editor Comments]

[Assante] I have to give a hand to the United Kingdom for marching out smartly with programs designed to fast-track people into needed positions. A sign of a successful nation is its ability to get human talent to places where it needs them most to be competitive.

[Paller] The UK solution is especially useful because it provides further confirmation that strong technical security skills are built on a foundation of hands-on skills in computers/networks/LINUX/and Windows. Training programs that try to teach cybersecurity to people without those foundational skills usually produce people who can talk about security, but who would be like "a deer in the headlights" if asked to perform sophisticated hands-on tasks.

Read more in:

SC Magazine: Government Cyber Retraining Academy graduates snapped up by industry https://www.scmagazineuk.com/government-cyber-retraining-academy-graduates-snapped-up-by-industry/article/647986/
V3: First graduates from government Cyber Retraining Academy get IT jobs in industry http://www.v3.co.uk/v3-uk/news/3007636/first-graduates-from-government-cyber-retraining-academy-get-it-jobs-in-industry

US & UK Governments Warn Airports and Power Stations of 'Credible Cyber Threat' (April 2 & 3, 2017)

The UK and US governments have warned airports and nuclear power stations of the existence of a "credible cyber threat." Nuclear stations received the warning in February. Intelligence agencies are warning that terrorists have developed methods of attack that evade security screening.

[Editor Comments]

[Assante] The articles are confounding two very different types of threats: one physical (using computers to hide explosive devices), while the other warns of the broader risk associated with cyber threats to nuclear facilities. The realization that digital systems critical to nuclear processes for both safety and security are not immune is undeniable and disconcerting. There are very real implications to what is now believed to be the only responsible 'assumption', which is one of potential compromise vice holding on to the idea that cyber-attacks can be prevented.

[Ullrich] Airports are "easy" targets as they often serve as a hub between different airlines and interconnect their systems, including of course TSA. Running multi-tenant systems like this securely is challenging, and in this case, it often has to support legacy booking systems which are barely maintainable under good conditions. Some large airline outages over the last few years have shown how vulnerable they are, and how severe the impact of a simple outage is. Never mind a coordinated attack designed to disrupt air traffic.

Read more in:

Telegraph: Airports and nuclear power stations on terror alert as government warns of 'credible' cyber threat http://www.telegraph.co.uk/news/2017/04/01/airports-nuclear-power-stations-terror-alert-government-officials/
SC Magazine: U.S., U.K. warn airports, nuclear facilities, of cyberattacks https://www.scmagazine.com/us-uk-warn-airports-nuclear-facilities-of-cyberattacks/article/648163/

Kaspersky Lab: Server Logs Suggest North Korean Link to Bangladesh Bank Theft (April 3, 2017)

Kaspersky Lab said that logs from a European server used in the USD 81 million Bangladesh bank cyber heist show that it briefly connected with a computer in North Korea. Because North Korea has such a limited Internet presence, any connection at all could be perceived as significant. The theft is believed to be the work of the Lazarus Group, which was also behind the Sony Pictures breach. The evidence is not conclusive, as attackers could conceivably break into North Korean computers to make it appear that Lazarus has a connection there.

Read more in:

WSJ: Digital Clue Links North Korea to Theft at NY Fed, Security Firm Says https://www.wsj.com/articles/north-korean-link-found-to-theft-at-new-york-fed-security-firm-says-1491242401
ITWorld: Banking hackers left a clue that may link them to North Korea http://www.itworld.com/article/3187394/security/banking-hackers-left-a-clue-that-may-link-them-to-north-korea.html
SecureList: Lazarus Under the Hood https://securelist.com/blog/sas/77908/lazarus-under-the-hood/

2014 State Department Breach was "Hand-to-Hand Combat" (April 3, 2017)

In 2014, hackers working for a Russian spy agency launched an alarmingly aggressive attack against an unclassified computer system belonging to the US State Department. Current and former US officials said that whenever the NSA severed the link between the command and control server and the malware in the State Department system, the attackers established new ones within the network. NSA Deputy Director Richard Ledgett described the incident as "basically hand-to-hand combat within a network."

Read more in:

Washington Post: New details emerge about 2014 Russian hack of the State Department: It was "hand to hand combat" https://www.washingtonpost.com/world/national-security/new-details-emerge-about-2014-russian-hack-of-the-state-department-it-was-hand-to-hand-combat/2017/04/03/d89168e0-124c-11e7-833c-503e1f6394c9_story.html
Nextgov: NSA Engaged in Massive Battle With Russian Hackers in 2014 http://www.nextgov.com/cybersecurity/2017/04/nsa-engaged-massive-battle-russian-hackers-2014/136683/?oref=ng-channeltopstory
*************************** SPONSORED LINKS *****************************

1) Don't Miss: How to Achieve Visibility, Security and Integrity for Forward Looking Resilience. Register: http://www.sans.org/info/193927
2) "Struts-Shock: Current Attacks against Struts2 and How to Defend Against Them" with Johannes Ullrich. Register: http://www.sans.org/info/193932
3) Take the SANS 2017 Survey on Insider Threats and register for a chance to win a $400 Amazon gift card: http://www.sans.org/info/193937
***************************************************************************

THE REST OF THE WEEK'S NEWS

Fancy Bear/APT28 Group Suspected of Compromising Athlete Data (April 3, 2017)

A company contracted to "undertake a technical investigation across IAAF systems" found evidence that a hacking group known alternately as APT28 and Fancy Bear accessed information from IAAF. Specifically, the intruders compromised athletes' Therapeutic Use Exemptions (TUE) applications. The contracted firm found that "meta data on athlete TUEs was collected from a file server and stored in a newly created file." The breach was detected in February 2017.

[Editor Comments]

[Williams] This should serve as a cautionary tale for those who say "nobody would have a reason to hack us." The reason is always intelligence and the value of intelligence is determined by the consumer. In other words, you can't hope to guess how your adversaries might use data stolen from your network. You may not even be the adversary's first choice for obtaining the data, but if others have measurably better security, attackers may choose to attack you instead.

Read more in:

V3: IAAF cracked by Russia-linked APT 28 'Fancy Bear' hackers http://www.v3.co.uk/v3-uk/news/3007707/iaaf-cracked-by-russia-linked-apt28-fancy-bear-hackers
The Register: Kremlin hackers suspected in assault on athletics governing body http://www.theregister.co.uk/2017/04/03/iaaf_security_breach/
IAAF: IAAF Victim of Cyber Attack https://www.iaaf.org/news/press-release/iaaf-cyber-attack

Moonlight Maze and Turla Connection (April 3, 2017)

According to researchers from King's College London and Kaspersky Lab, code found in Moonlight Maze, malware used in attacks 20 years ago, is still being used today. In the mid-1990s, the Moonlight Maze campaign targeted computer systems at NASA, the Pentagon, and the US Department of Energy. Code from that campaign has been found in an advanced persistent threat (APT) known as Turla that is being used today.

Read more in:

DarkReading: Russian-Speaking APT Recycles Code Used in '90s Cyberattacks Against US http://www.darkreading.com/threat-intelligence/russian-speaking-apt-recycles-code-used-in-90s-cyberattacks-against-us/d/d-id/1328539?
Wired: Russian Hackers Have Used the Same Backdoor for Two Decades https://www.wired.com/2017/04/russian-hackers-used-backdoor-two-decades/
ZDNet: Ancient Moonlight Maze backdoor remerges as modern APT http://www.zdnet.com/article/ancient-moonlight-maze-backdoor-remerges-as-modern-apt/
eWeek: Moonlight Maze Attack Still Relevant Two Decades After Initial Debut http://www.eweek.com/security/moonlight-maze-attack-still-relevant-two-decades-after-initial-debut

Microsoft Shuttering CodePlex (March 31, 2017)

Microsoft has announced that it has begun the process of shutting down CodePlex, its open source project hosting service. Most open source projects now use GitHub. Effective immediately, no new CodePlex projects can be created. In October 2017, projects will become read only, and on December 15, 2017, CodePlex will be entirely shuttered "and the website will be replaced with a static archive." There is an import process for migrating projects to GitHub.

Read more in:

Ars Technica: Microsoft closing CodePlex, tells devs to move to GitHub https://arstechnica.com/information-technology/2017/03/microsoft-closing-down-codeplex-tells-devs-to-move-to-github/
Microsoft: Brian Harry's blog: Shutting down CodePlex https://blogs.msdn.microsoft.com/bharry/2017/03/31/shutting-down-codeplex/

Disgruntled Former Employee Pleads Guilty to Causing Computer Damage (March 31, 2017)

A former Texas boot manufacturing company employee has pleaded guilty to transmission of a program to cause damage to a computer. Joe Vito Venzor admitted that after he was fired from his help desk position in September 2016, he accessed the company's network through an administrator account and shut down the email server and the application server, and deleted files necessary to restore the system.

Read more in:

The Register: Yee-hacked! Fired Texas sysadmin goes rogue, trashes boot business http://www.theregister.co.uk/2017/03/31/it_admin_pleads_guilty_to_hacking_bosses/
DoJ: Former El Paso-Based Company Employee Pleads Guilty to Computer Intrusion https://www.justice.gov/usao-wdtx/pr/former-el-paso-based-company-employee-pleads-guilty-computer-intrusion

TRANSCOM Commander Concerned About Disparity Between Civilian and DoD Network Security (March 30, 2017)

The United States Transportation Command (TRANSCOM) coordinates military transportation. In its efforts, TRANSCOM accesses civilian travel assets. TRANSCOM Commander Gen. Darren McDew is concerned about the disparity in cyber standards between civilian and military networks. At a House joint committee hearing, McDew said that the majority of his activity is conducted through commercial networks and that "We are becoming more and more vulnerable because those commercial assets are part of national security."

[Editor Comments]

[Ullrich] Civilian networks are often used for military purposes without the civilian network being aware of this use. They will not secure traffic they do not know exists. Overall, once traffic leaves your perimeter, which in some cases may be the network jack of the asset, all bets are off and you better rely on systems like VPNs that you control on both ends. On the other hand, the statement may also be rooted in the fact that civilian networks often follow different security policies and use different controls than military networks. Just because they are different doesn't mean they are weaker.

Read more in:

FNR: TRANSCOM worries about cybersecurity gap between DoD and civilian networks http://federalnewsradio.com/cybersecurity/2017/03/transcom-worried-cybersecurity-gap-dod-civilian-networks/

DHS to Meet with State Election Officials to Discuss Critical Infrastructure Designation (March 29, 2017)

The US Department of Homeland Security (DHS) plans to meet with state election officials to clarify what the designation of election systems as critical infrastructure means. Earlier this year, the announcement of the designation met with resistance. At a meeting in February, the National Association of Secretaries of State passed a resolution condemning the designation. At the same time, the organization established a task force to focus on election cybersecurity and threat information sharing.

Read more in:

Nextgov: DHS Seeks to Reboot Relationship With Election Officials as Cyber Fears Loom in 2018 http://www.nextgov.com/cybersecurity/2017/03/dhs-seeks-reboot-relationship-election-officials-cyber-fears-loom-2018/136566/?oref=ng-channelriver

Bill Would Establish Energy Sector Cybersecurity Testing Pilot Program (March 28, 2017)

With an eye to improving the security of the country's electric grid, US Senator Angus King (I-Maine) has introduced a bill that would establish a pilot program to identify vulnerabilities in the energy sector. The Securing Energy Infrastructure Act would have the Department of Energy work with energy sector organizations to find vulnerabilities and develop technologies to fix them. The measure would also establish a working group to evaluate those technologies and "to develop a national cyber-informed engineering strategy to isolate and defend... the most critical systems of the covered entities."

Read more in:

The Hill: Lawmakers call for pilot program to test energy sector vulnerabilities http://thehill.com/policy/cybersecurity/326191-lawmakers-push-for-pilot-program-to-test-for-energy-sector
US Congress: Senate Bill 79: The Securing Energy Infrastructure Act (PDF) https://www.congress.gov/115/bills/s79/BILLS-115s79is.pdf

Legislators Ask FCC to Address Signaling System 7 Cellphone Security Issues (March 28, 2017)

US Senator Ron Wyden (D-OR) and Congressman Ted Lieu (D-California) have written to the Federal Communications Commission (FCC) asking it to take "swift action" regarding vulnerabilities in the Signaling System 7 (SS7) cell phone protocol. SS7 allows cell phone networks to communicate with each other. A working group recently released a final report on SS7 security issues, but there are still some issues that bear examination and were outside the purview of the original working group. The letter urges the FCC to establish a new working group to examine the additional security concerns. The letter also urges the FCC to warn the public of the issue; to encourage the use of apps that employ end-to-end encryption; and to require cell phone networks to develop solutions.

Read more in:

The Hill: Dem lawmakers push for FCC to tackle major cellphone security flaw http://thehill.com/policy/cybersecurity/326128-dem-lawmakers-push-for-fcc-to-tackle-major-cellphone-security-flaw
Senate: Letter to FCC https://www.wyden.senate.gov/download/?id=966D3BC6-A1FE-4BF5-8B6E-D0B391DB34C1&download=1

INTERNET STORM CENTER TECH CORNER

Apple Releases iOS 10.3.1 to Remedy Wi-Fi Remote Code Execution

https://support.apple.com/en-us/HT207688

Practical Use of SHA1 Collisions: ISO Images

https://isc.sans.edu/forums/diary/A+Practical+Use+for+a+SHA1+Collision/22257/

Microsoft Defender False Positive

https://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Worm%3AWin32%2FBluber.A

Cracking Weak Session Secrets

https://martinfowler.com/articles/session-secret.html

Skype Malvertising Advertises Fake Flash Players

https://www.bleepingcomputer.com/news/security/skype-malvertising-campaign-pushes-fake-flash-player/

Google Discovers More LastPass Vulnerabilities

https://bugs.chromium.org/p/project-zero/issues/detail?id=1225&desc=6

Attacking KeePass

https://www.slideshare.net/harmj0y/a-case-study-in-attacking-keepass
https://github.com/HarmJ0y/KeeThief

Bypassing Cylance

http://www.blackhillsinfosec.com/?p=5792

Mimi Penguin: Extracting Credentials From Memory on Linux

https://github.com/huntergregal/mimipenguin

Windows 2003 / IIS 6 Exploit

https://0patch.blogspot.com/2017/03/0patching-immortal-cve-2017-7269.html
https://github.com/rapid7/metasploit-framework/pull/8162

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create