Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #29

April 11, 2017

TOP OF THE NEWS


Dallas Emergency Sirens Go Off for 90 Minutes, Hacking Suspected
Hackers Target Amazon Third-Party Sellers
AIG's High End Cyber Insurance

THE REST OF THE WEEK'S NEWS


Mirai Variant Installed Bitcoin Miner
Bill Would Establish Grants for State Governments' Cyber Security
Vault 7 Tools Used by Longhorn Cyberespionage Group Dozens of Attacks
Attempted Cybertheft From Indian Bank Bears Similarities to Bangladesh Bank Theft
Alleged Kelihos Botnet Kingpin Arrested in Spain
Critical Microsoft Word Zero-Day is Being Actively Exploited
BrickerBot Malware Renders IoT Devices Useless
DHS Withdraws Administrative Summons Demanding Identity of Twitter Account Holder
Gamestop.com Looking into Report of Data Breach

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Pwnie Express ******************* Join us for an exciting webinar with Tony Sager, Director of SANS Innovation Center and leader of the development of the CIS Controls. Tony and Pwnie Express experts will discuss IoT Security in healthcare and provide a framework for adapting IT security programs to address the risks and threats associated with medical connected devices. Register: http://www.sans.org/info/194117 ***************************************************************************


TRAINING UPDATE



-- SANS Baltimore Spring 2017 | April 24-29 | https://www.sans.org/event/baltimore-spring-2017

-- SANS Automotive Cybersecurity Summit & Training | Detroit, MI | May 1-8, 2017 | https://www.sans.org/event/automotive-cybersecurity-summit/

-- SANS Security West 2017 | San Diego, CA | May 9-18 |
https://www.sans.org/event/sans-security-west-2017

-- SANS San Francisco Summer 2017 | June 5-10 | https://www.sans.org/event/san-francisco-summer-2017

-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 | https://www.sans.org/event/security-operations-center-summit-2017

-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 | https://www.sans.org/event/secure-europe-2017

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 | https://www.sans.org/event/cyber-defence-canberra-2017

-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017

-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017

-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Dallas Emergency Sirens Go Off for 90 Minutes, Hacking Suspected (April 9 & 10, 2017)

Late Friday, April 7, all 156 emergency sirens in Dallas, Texas were activated. The incident is believed to have been caused by hackers. The sirens started blaring at 11:40 pm and were finally stopped at 1:20 am Saturday morning. Dallas Mayor Mike Rawlings said the incident was "an attack on our emergency notification system," and underscored the need to improve the technology infrastructure. Officials believe the attack originated locally. The city has asked the federal Communications Commission (FCC) for help in the matter.

[Editor Comments]

[Williams] There are a couple of important points to note here. If this was a cyber attack, the odds of catching the perpetrator are nil to none. Though it hurts me to say this as an incident responder, the dollars being spent on the investigation are better spent securing these and other systems the city of Dallas may have exposed.

Read more in:

NYT: Hacking Attack Woke Up Dallas With Emergency Sirens, Officials Say https://www.nytimes.com/2017/04/08/us/dallas-emergency-sirens-hacking.html
Computerworld: Hack of Dallas emergency sirens prompts more warnings to bolster cybersecurity http://computerworld.com/article/3187519/security/hack-of-dallas-emergency-sirens-prompts-more-warnings-to-bolster-cybersecurity.html
V3: Hackers set-off emergency alarms across Dallas 'for a laugh' http://www.v3.co.uk/v3-uk/news/3008183/hackers-set-off-emergency-alarms-across-dallas-for-a-laugh
Bob Sullivan: Hacked Dallas sirens, maintained by office furniture movers, shows U.S. not serious about critical infrastructure https://bobsullivan.net/cybercrime/hacked-dallas-sirens-maintained-by-office-furniture-movers-shows-u-s-not-serious-about-critical-infrastructure/

Hackers Target Amazon Third-Party Sellers (April 10, 2017)

Attackers have been targeting third-party sellers on Amazon, changing bank account deposit information and offering too-good-to-be-true deals on items that are never delivered. The attack appears to be using account credentials stolen from other accounts. The phony offers are being made from accounts that have been dormant.

[Editor Comments]

[Murray] While Amazon does offer a strong authentication option, it is fairly recent, one has to know about it and look for it, and it would not likely be enabled on dormant accounts. Dormant accounts are a problem in any case and a program to identify and deactivate them is a good idea.

Read more in:

WSJ: Amazon's Third-Party Sellers Hit By Hackers https://www.wsj.com/articles/amazon-coms-third-party-sellers-hit-by-hackers-1491816600

AIG's High End Cyber Insurance (April 5 & 8, 2017)

Insurance company AIG will offer a personal cyber insurance product to wealthy private customers. The product includes an audit of mobile devices, home networks, wireless access points, and online banking accounts. It also offers continuous online monitoring of personal information.

[Editor Comments]

[Northcutt] From a marketing perspective this is brilliant. Lots of companies want the business of high end players. Note that continuous monitoring is possible only if they know what you have. There are hundreds of wealth monitoring services, but this stands out.

[Pescatore] Consumer Reports advises consumers that LifeLock's identity theft protection services weren't worth the cost and this (and other) consumer cyberinsurance services are very similar in both coverage and cost.

[Paller] Much more valuable to that community is personalized cyber protection programs. Several hedge fund folks and a couple of very famous actresses say that cyberwa.com is good at this.

Read more in:

Fortune: How AIG's Cyber Security Gamble Could Pay Off http://fortune.com/2017/04/08/cyber-security-insurance-cybersecurity-aig-2017-tools-news/
CyberScoop: New insurance covers cyber risks for the wealthy https://www.cyberscoop.com/aig-insurance-covers-cyber-risks-wealthy-identity-theft/?category_news=technology
*************************** SPONSORED LINKS *****************************
1) New! Beginner's Guide to Hybrid Cloud Security. Download your free copy! http://www.sans.org/info/194122
2) Don't Miss: "Real Steps to Build a Threat Intelligence Framework" Register: http://www.sans.org/info/194127
3) What threats keep you up at night? Take SANS survey! Enter to win prize. http://www.sans.org/info/194132
***************************************************************************

THE REST OF THE WEEK'S NEWS

Mirai Variant Installed Bitcoin Miner (April 10, 2017)

According to research from IBM X-Force team, a variant of the Mirai botnet is installing Bitcoin mining software in devices it infects. Known as the ELF Linux/Mirai botnet, the strain of malware was first detected in August 2016. The Bitcoin mining attack took place over a week-long period in March 2017.

[Editor Comments]

[Ullrich] IoT devices have been used as Bitcoin miners for a few years now. For the most part, they are a bad fit for mining cryptocurrency due to their low power CPUs. We documented a case (including a snapshot from the attacker's dashboard) here: https://isc.sans.edu/forums/diary/Coin+Mining+DVRs+A+compromise+from+start+to+finish/18071

Read more in:

eWeek: IBM Discovers Mirai IoT Botnet deploying Bitcoin Mining Payload http://www.eweek.com/security/ibm-discovers-mirai-iot-botnet-deploying-bitcoin-mining-payload
BleepingComputer: Mirai Botnet Temporarily Adds Bitcoin Mining Component, Removes It After a Week https://www.bleepingcomputer.com/news/security/mirai-botnet-temporarily-adds-bitcoin-mining-component-removes-it-after-a-week/

Bill Would Establish Grants for State Governments' Cyber Security (April 10, 2017)

US legislators have introduced a bill that would help state governments improve their cyber security posture. The State Cyber Resiliency Act would establish a grant program to help states fund cybersecurity improvements. Some of the money would go to local governments.

[Editor Comments]

[Pescatore ] Back in 2013, the DHS CDM program was also supposed to aid state/local/tribal governments in increasing cybersecurity. This new act would direct FEMA (also in DHS) to add state cybersecurity grants to its existing grant program, and create a 15-person (unpaid) review committee to review proposals and award funds. Redirecting CDM SLT efforts and funds to a new FEMA grant program, vs. more redundant and bureaucratic efforts, would be a good thing.

[Henry] I applaud the federal government for assistance to the states; they've been long-overlooked in security policy, and there are substantial risks in these areas, where the states lack expertise and resources. I would offer, rather, that there be a coordinated and consolidated offering for the states. This is one area where a comprehensive strategy, consisting of best practices and state-of-the-art capabilities, is necessary. Merely writing a check, enabling the states to purchase technology and/or services that each state independently assesses as important, is a mistake in my opinion, and will result in lots of cost with a marginal increase in security. Much better to create and execute a plan that can be applied against the highest priority risks.

Read more in:

Pew Trusts: Looking to the Feds for Help in Fighting Cybercriminals http://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2017/04/10/looking-to-the-feds-for-help-in-fighting-cybercriminals

Vault 7 Tools Used by Longhorn Cyberespionage Group Dozens of Attacks (April 10, 2017)

Symantec says that at least 40 attacks on organizations around the world were conducted using tools released in the WikiLeaks Vault 7 information dump. The attackers were perpetrated "by a group Symantec calls Longhorn." The advanced persistent threat (APT) cyberespionage group has been active since at least 2011.

[Editor Comments]

[Williams] This report from Symantec shows that sophisticated adversaries are being uncovered in the wild, even without the help of leaks. The leaked Vault 7 data was instrumental in enabling Symantec to attribute hacking activity that was originally unattributed. Without the leaked Vault7 data, Symantec would not know who the Longhorn attacker was.

Read more in:

Symantec: Longhorn: Tools used by cyberespionage group linked to Vault 7 https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7
Dark Reading: CIA-Linked Hacking Tools Tied to Longhorn Cyber Espionage Group http://www.darkreading.com/attacks-breaches/cia-linked-hacking-tools-tied-to-longhorn-cyber-espionage-group/d/d-id/1328597?
eWeek: Symantec Links Vault 7 Tools With Longhorn Attacks Ongoing Since 2011 http://www.eweek.com/security/symantec-links-vault-7-tools-with-longhorn-attacks-ongoing-since-2011
The Hill: Security firm links CIA leaks to series of past attacks http://thehill.com/policy/cybersecurity/328093-security-firm-links-cia-leaks-to-series-of-past-attacks
CyberScoop: Symantec links CIA tools to mysterious group that hacked 40 organizations globally https://www.cyberscoop.com/symantec-links-cia-mysterious-espionage-group-hacked-40-organizations-globally/?category_news=technology
Reuters: Symantec attributes 40 cyber attacks to CIA-linked hacking tools http://www.reuters.com/article/us-cia-wikileaks-symantec-idUSKBN17C1FK

Attempted Cybertheft From Indian Bank Bears Similarities to Bangladesh Bank Theft (April 10, 2017)

Tactics used in a July 2016 attack on Union Bank of India in which thieves attempted to steal USD 170 million bear a striking resemblance to those used in an attack that stole USD 81 million from Bangladesh's central bank. The Union Bank attack began with a spear phishing email that allowed the attackers to steal the bank's SWIFT access codes. (SWIFT, or the Society for Worldwide Interbank Financial Telecommunication, is the messaging system banks use to transfer funds to institutions in other countries.) Once the suspect transactions were noticed, Union Bank recovered all of the stolen funds.

Read more in:

WSJ: Cybertheft Attempt on Indian Bank Resembles Bangladesh Heist https://www.wsj.com/articles/cybertheft-attempt-on-indian-bank-resembles-bangladesh-heist-1491816614

Alleged Kelihos Botnet Kingpin Arrested in Spain (April 9 & 10, 2017)

Police in Spain have arrested Pyotr Levashov who is believed to be the mastermind behind the Kelihos botnet. Levashov was arrested under an international warrant. US court documents describe Levashov as "one of the world's most notorious criminal spammers." As soon as Levashov was arrested, the FBI, working with private companies, took down the Kelihos botnet.

Read more in:

NYT: U.S. Accuses Russian Email Spammer of Vast Network of Fraud https://www.nytimes.com/2017/04/10/technology/us-arrest-russian-email-spam-peter-levashov.html
Washington Post: US says global spam scheme targeted after mastermind nabbed https://www.washingtonpost.com/business/technology/alleged-russian-hacker-arrested-in-spain-at-us-request/2017/04/10/3e4830e6-1dd9-11e7-bb59-a74ccaf1d02f_story.html?utm_term=.68544ec4c676
Computerworld: Spain arrests supposed Russian computer scientists at U.S. request http://computerworld.com/article/3188684/security/spain-arrests-supposed-russian-computer-scientist-at-us-request.html
KrebsOnSecurity: Alleged Spam King Pyotr Levashov Arrested https://krebsonsecurity.com/2017/04/alleged-spam-king-pyotr-levashov-arrested/
FCW: Feds make arrest in decade-long botnet probe https://fcw.com/articles/2017/04/10/botnet-fbi-probe.aspx
DoJ: Justice Department Announces Actions to Dismantle Kelihos Botnet https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0

Critical Microsoft Word Zero-Day is Being Actively Exploited (April 8 & 9, 2017)

A critical flaw in Microsoft Word has been actively exploited since January 2017 to install malware on vulnerable systems. The vulnerability lies in the Windows Object Linking and Embedding (OLE) component that allows embedded references and links. Microsoft plans to address the problem in its monthly security update on Tuesday, April 11. The flaw was disclosed by both McAfee and FireEye.

[Editor Comments]

[Williams] This is an obvious "patch now" vulnerability. Setting a couple of non-default registry values will block exploitation for those who can't patch. The values are listed in the ArsTechnica article linked below. If your organization has a 30 or 60 day patch target, that's simply not good enough for this actively exploited vulnerability.

Read more in:

Ars Technica: Booby-trapped Word documents in the wild exploit critical Microsoft 0day https://arstechnica.com/security/2017/04/booby-trapped-word-documents-in-the-wild-exploit-critical-microsoft-0day/
Computerworld: Email-based attacks exploit unpatched vulnerability in Microsoft Word http://computerworld.com/article/3187802/security/email-based-attacks-exploit-unpatched-vulnerability-in-microsoft-word.html
eWeek: Microsoft Set to Patch New Zero-Day Office Vulnerability http://www.eweek.com/security/microsoft-set-to-patch-new-zero-day-office-vulnerability
Bleeping Computer: Attacks Detected with New Microsoft Office Zero-Day https://www.bleepingcomputer.com/news/security/attacks-detected-with-new-microsoft-office-zero-day/

BrickerBot Malware Renders IoT Devices Useless (April 7 & 8, 2017)

Malware known as BrickerBot targets Internet of Things (IoT) devices and renders them useless. BrickerBot overwrites data from an infected device's mounted partitions and tries to sever the device's Internet connection. BrickerBot uses Telnet brute force attacks to infect devices, but the overall intent of the malware is not clear. It could be an attempt to prevent IoT devices from becoming part of a botnet. While devices infected with other bot malware may not make it clear to owners that there's a problem, BrickerBot will make them notice and do something about their vulnerable devices. BrickerBot was detected by the Radware security firm.

Read more in:

The Register: Forget Mirai - Brickerbot malware will kill your crap IoT devices http://www.theregister.co.uk/2017/04/08/brickerbot_malware_kills_iot_devices/
Computerworld: IoT malware begins to show destructive behavior http://computerworld.com/article/3188302/security/iot-malware-begins-to-show-destructive-behavior.html
Radware: "BrickerBot" Results in Permanent Denial-of-Service https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/

DHS Withdraws Administrative Summons Demanding Identity of Twitter Account Holder (April 7, 2017)

The US Department of Homeland Security's (DHS) Customs and Border Protection agency has withdrawn its demand that Twitter reveal the identity of an account holder whose tweets have been critical of the president. DHS filed an administrative summons demanding the information on March 14. Twitter filed a lawsuit on Thursday, April 6, saying that the demand violated the user's First Amendment right to free expression. Twitter dropped the lawsuit on Friday, saying that the DHS's demand had been withdrawn.

Read more in:

Washington Post: The U.S. government has withdrawn its request ordering Twitter to identify a Trump critic https://www.washingtonpost.com/news/the-switch/wp/2017/04/07/the-u-s-government-has-withdrawn-its-request-ordering-twitter-to-identify-a-trump-critic/?utm_term=.246a0a3d4cdd
GovInfoSecurity: U.S. Withdraws Summons to Unmask Administration Critic http://www.govinfosecurity.com/us-withdraws-summons-to-unmask-administratoin-critic-a-9818
CS Monitor: Federal government drops inquiry into Twitter account critical of Trump http://www.csmonitor.com/Technology/2017/0407/Federal-government-drops-inquiry-into-Twitter-account-critical-of-Trump
Bob Sullivan: Asking Twitter to unmask an anonymous account is serious; this DHS request is amateurish, but scary https://bobsullivan.net/cybercrime/asking-twitter-to-unmask-an-anonymous-account-is-serious-this-dhs-request-is-amateurish-but-scary/

Gamestop.com Looking into Report of Data Breach (April 7, 2017)

Gamestop.com has hired a security firm to look into reports that its website may have been breached, compromising sensitive customer data. GameStop learned of the possible breach from a third party, which notified the company when payment card information that appeared to have been taken from its website was being offered for sale on the Internet.

Read more in:

KrebsOnSecurity: Gamestop.com Investigating Possible Breach https://krebsonsecurity.com/2017/04/gamestop-com-investigating-possible-breach/

INTERNET STORM CENTER TECH CORNER

Domain Whitelisting with Alexa and Umbrella Lists (and update)

https://isc.sans.edu/forums/diary/Domain+Whitelisting+With+Alexa+and+Umbrella+Lists/22270/
https://isc.sans.edu/forums/diary/Domain+Whitelisting+With+Alexa+and+Umbrella+Lists+update/22274/

Dallas Tornado Sirens Hacked

https://www.washingtonpost.com/news/the-intersect/wp/2017/04/09/someone-hacked-every-tornado-siren-in-dallas-it-was-loud/?utm_term=.ca706deea318

Shadowbroker Files

https://github.com/x0rz/EQGRP

Word Vulnerability

https://securingtomorrow.mcafee.com/mcafee-labs/critical-office-zero-day-attacks-detected-wild/

TPLink Modem Responds with Admin Password to SMS

http://www.theregister.co.uk/2017/04/10/tplink_3gwifi_modem_spills_credentials_to_an_evil_text_message/

Fake Google Map Weblinks

https://www.bleepingcomputer.com/news/google/thousands-of-fake-google-maps-listings-redirect-users-to-fraudulent-sites-each-month/

Apple Fixes Apple Music for Android

http://seclists.org/bugtraq/2017/Apr/26

Dallas Sirens Hacked via Wireless Attacks

http://www.theregister.co.uk/2017/04/10/hackers_set_off_dallas_emergency_siren_system/

NATO Finally Discovers That IPv6 Can be Used as a Covert Channel

https://t.co/FvSSwhtUH7


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create