SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #32
April 21, 2017TOP OF THE NEWS
US Department of Energy Cyber Exercise Report
DARPA Project Aims to Protect Power Grid in the Face of an Attack
Oracle Security Update Patches Nearly 300 Vulnerabilities
THE REST OF THE WEEK'S NEWS
Linksys Router Vulnerabilities
Hajime Worm Closes Vulnerable Telnet Ports
Location Tracking Spyware Hid in App in Google Play Store
Firefox 53 is Here
Google Developing Ad Blocker for Chrome
Facebook Releases SDKs for Delegated Account Recovery Protocol
InterContinental Hotels Data Breach Affects Nearly 1,200 Properties
US Intelligence Looking for Mole Who Provided Wikileaks with Stolen Documents
Three Plead Guilty in ATM Skimming Case
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER******************** Sponsored By Cisco Systems ************************
How much of your network can you see? Today's networks are large and complex, giving threat actors many places to hide. Most organizations have suspicious activities going on and don't even know it. Download our white paper to learn about the most common risks facing enterprise networks, then sign up for a free security assessment. http://www.sans.org/info/194300 ***************************************************************************
TRAINING UPDATE
-- SANS Automotive Cybersecurity Summit & Training | Detroit, MI | May 1-8, 2017 | https://www.sans.org/event/automotive-cybersecurity-summit/
-- SANS Security West 2017 | San Diego, CA | May 9-18 | https://www.sans.org/event/sans-security-west-2017
-- SANS San Francisco Summer 2017 | June 5-10 | https://www.sans.org/event/san-francisco-summer-2017
-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 | https://www.sans.org/event/security-operations-center-summit-2017
-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 | https://www.sans.org/event/secure-europe-2017
-- SANS Cyber Defence Canberra 2017 | June 26-July 8 | https://www.sans.org/event/cyber-defence-canberra-2017
-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017
-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017
--SANSFIRE 2017 | Washington, DC | July 22-29 | https://www.sans.org/event/sansfire-2017
-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/***************************************************************************
TOP OF THE NEWS
US Department of Energy Cyber Exercise Report (April 19, 2017)
In December 2016, the US Department of Energy (DOE) held a cybersecurity incident exercise that tested state and emergency management officials' response to a major cyber incident that cut off power across seven states in the Northeast and mid-Atlantic regions. The summary report for the Liberty Eclipse exercise noted that "cyber incident coordination frameworks at both the state and federal levels need to be further defined and synchronized with industry;" and that "there are substantial resources available to support efforts that would enhance cybersecurity... but they are not always well known at the state and local levels by some of the organizations within the energy supply chain."[Editor Comments]
[Murray] The electrical power distribution is pretty good at responding to incidents. What we need is for them to be better at resisting mis-use of the controls that they use to respond.
[Honan] This report is a good example of why running IR exercises are so important in identifying gaps and issues in your incident response processes. The European Union Agency for Network and Information Security (ENISA) has an excellent resource for Cyber Exercises available on their website at https://www.enisa.europa.eu/topics/cyber-exercises
Read more in:
The Hill: Energy Department exercise reveals 'gaps' in major cyber incident response http://thehill.com/policy/cybersecurity/329499-energy-dept-exercise-reveals-gaps-in-response-to-major-cyber-incident
DOE: Liberty Eclipse Exercise Summary Report (PDF) https://energy.gov/sites/prod/files/2017/04/f34/LE%20FINAL%20Exercise%20Summary%2031March2017_Public%20Doc.pdf
DARPA Project Aims to Protect Power Grid in the Face of an Attack (April 13 & 17, 2017)
The US Defense Advanced Research Project Agency (DARPA) and BAE Systems are developing technologies that would allow the country's power grid to continue to function in the face of an attack. The Rapid Attack Detection, Isolation and Characterization Systems (RADICS) program is focused on developing technologies that allow for "early warning of impending attacks" and the ability to detect and disconnect unauthorized users from networks; isolation of attacked systems; and a shift to a Secure Emergency Network to ensure continued functioning of power grid.Read more in:
Defense Systems: DARPA tasks BAE with workaround to secure the power grid in event of massive attack https://defensesystems.com/articles/2017/04/13/grid.aspx
GCN: getting power to the grid after a cyber attack https://gcn.com/articles/2017/04/17/darpa-radics-power-grid.aspx?admgarea=TC_SecCybersSec
Oracle Security Update Patches Nearly 300 Vulnerabilities (April 19, 2017)
On Wednesday, April 19, Oracle released its quarterly patch update, fixing 299 vulnerabilities across its product lines. Among the patches are fixes for an exploit released by Shadow Brokers that affects Solaris 10 and 11.3; fixes for flaws associated with Apache Struts; and fixes for flaws in Oracle Financial Services and MySQL.[Editor Comments]
[Pescatore] Oracle's Critical Patch Updates (CPUs) have included over 250 vulnerabilities per issue since July 2016, so huge CPUs are normal for Oracle. This one has 40 critical vulnerabilities (CVSS score above 9) and 25 of those get CVSS scores of 10. Probably most importantly, 37% of the vulnerabilities are in Oracle's industry solutions like their Retail and Financial services applications - including one that ERPScan says "allows an attacker to read all key business data from the database remotely without authorization." Key takeways: faster CPU QA and push out is needed. Many success stories from IT programs using cloud IaaS services to spin up Dev/Test environments doing the same thing for fast patch testing using obfuscated sensitive data.
[Williams] Given the large number of exploits that impact older Solaris installations, organizations are wise to upgrade legacy Solaris to a more current version (10+). For legacy applications that only run on Solaris 8, Solaris zones are an option. For those already on Solaris 10+, you should install patches immediately. In most enterprise environments we work in, Unix machines have longer patching cycles than Windows machines.
Read more in:
The Register: Oracle patches Solaris 10 hole exploited by NSA spyware tool - and 298 other security bugs http://www.theregister.co.uk/2017/04/19/oracle_april_security_patches_nsa/
SC Magazine: Struts and Shadow Brokers exploits among the 299 fixed by Oracle patch https://www.scmagazine.com/struts-and-shadow-brokers-exploits-among-the-299-fixed-by-oracle-patch/article/651634/
ZDNet: Oracle drops massive299 vulnerability patch, fixes Shadow Broker exploit http://www.zdnet.com/article/oracle-drops-massive-patch-update-which-fixes-299-vulnerabilities/
eWeek: Oracle Parches 299 Vulnerabilities in April Critical Patch Update http://www.eweek.com/security/oracle-patches-299-vulnerabilities-in-april-critical-patch-update
Threatpost: Record Oracle Patch Update Addresses Shadowbrokers, Strust2 Vulnerabilities https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/
Oracle: Oracle Critical Patch Update Advisory - April 2017 http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
*************************** SPONSORED LINKS ***************************** 1) Discover how Cloudflare can support DNSSEC at its scale with special consideration to key management, new DNSSEC algorithm types and signing on the fly. Register: http://www.sans.org/info/194305
2) Don't Miss: "WikiLeaks' Release of CIA Hacking Tools: What Security Professionals Need to Know." Register: http://www.sans.org/info/194310
3) Take the Threat Landscape Survey and enter to win a $400 Amazon gift card: http://www.sans.org/info/194315
***************************************************************************
THE REST OF THE WEEK'S NEWS
Linksys Router Vulnerabilities (April 20, 2017)
At least 20 different Linksys Smart Wi-Fi router models contain flaws that could be exploited to reboot vulnerable devices; lock users out of the devices; or obtain sensitive data. While there are currently no fixes for the issues, there are ways for users to mitigate their risk until firmware updates are available. The flaws were detected by IOActive.[Editor Comments]
[Murray] Real security people publish work-arounds, not exploits. "One must decide to be part of the solution or part of the problem."
Read more in:
Threatpost: 20 Linksys Router Models Vulnerable to Attack https://threatpost.com/20-linksys-router-models-vulnerable-to-attack/125085/
The Register: Flaws found in Linksys routers that could be used to create a botnet http://www.theregister.co.uk/2017/04/20/linksys_router_vulns/
IOActive: Linksys Smart Wi-Fi Vulnerabilities http://blog.ioactive.com/2017/04/linksys-smart-wi-fi-vulnerabilities.html
Linksys: Linksys Security Advisory http://www.linksys.com/us/support-article?articleNum=246427
Hajime Worm Closes Vulnerable Telnet Ports (April 19 & 20, 2017)
The Hajime worm seeks out poorly-secured Internet of Things (IoT) devices and closes their vulnerable telnet ports. Hajime, which was first detected in October 2016, appears not to have a malicious payload. It displays a message every 10 minutes notifying users that it's "Just a white hat, securing some systems."[Editor Comments]
[Northcutt] While Hajime, to date, has not had malicious content and it does more than just fix telnet, it does keep a back door open. Also history shows these "white hat" worms are typically only around for a short time.
https://arstechnica.com/security/2017/04/vigilante-botnet-infects-iot-devices-before-blackhats-can-hijack-them/
https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things
Read more in:
BleepingComputer: Vigilante Hacker Uses Hajime Malware to Wrestle with Mirai Botnets https://www.bleepingcomputer.com/news/security/vigilante-hacker-uses-hajime-malware-to-wrestle-with-mirai-botnets/
SC Magazine: Monster rivalry forming between IoT botnets Mirai and Hajime https://www.scmagazine.com/monster-rivalry-forming-between-iot-botnets-mirai-and-hajime/article/651643/
BBC: 'Benign' worm seeks out vulnerable smart devices http://www.bbc.com/news/technology-37307823
Symantec: Hajime work battles Mirai for control of the Internet of Things https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things
Location Tracking Spyware Hid in App in Google Play Store (April 19 & 20, 2017)
The Google Play Store has removed an app called System Update that was harboring spyware. The app that had been available in the Google Play store since 2014 claimed to ensure users got the latest Android operating system updates, but actually contained malware known as SMSVova that can track a user's location and send it to a third party. The app containing malware had been downloaded between one million and five million times before it was removed.[Editor Comments]
[Neely] The Zscalar ThreatLabz described this suspicious application here: https://www.zscaler.com/blogs/research/android-spyware-smsvova-posing-system-update-play-store. An important take away is to watch for applications that don't look right in the Google Play store e.g. blank screen shots, incomplete or misleading description, as well as needing excess privileges - in this case "special location services" and SMS access are not necessary to install a system update. When an application is removed from the Google Play store, it is not removed from devices, so you must rely on your MDM, AntiVirus or users to detect and block the application on devices. Because of the behavior of this application, it is not yet detected by AV products listed on VirusTotal; it may be prudent to scan for it with your MDM.
Read more in:
ZDNet: Location tracking Android spyware found in Google Play Store http://www.zdnet.com/article/location-tracking-android-spyware-found-in-google-play-store/
SC Magazine: SMSVova spyware downloaded millions of times from Google Play store since 2014 https://www.scmagazine.com/smsvova-spyware-downloaded-millions-of-times-from-google-play-store-since-2014/article/651894/
eWeek: Security Vendors Warn of Banking Malware, Spyware on Google Play http://www.eweek.com/mobile/security-vendors-warn-of-banking-malware-spyware-on-google-play
Firefox 53 is Here (April 20, 2017)
Mozilla has released Firefox 53. The newest version of the browser fixes 39 vulnerabilities that existed in the previous version. It also includes a new browser engine that is designed to reduce the frequency of browser crashes due to graphics issues. Called the Quantum Compositor, this technology renders graphics separately from the main Firefox process.Read more in:
eWeek: Firefox 53 Introduces Quantum Compositor, Reducing Browser Crashes http://www.eweek.com/security/firefox-53-introduces-quantum-compositor-reducing-browser-crashes
Google Developing Ad Blocker for Chrome (April 19 & 20, 2017)
Google is planning to incorporate an ad blocker into future versions of its Chrome browser; the feature will be enabled by default. Not all advertisements will be blocked; the feature will prevent only those ads that do not comply with standards established by the Coalition for Better Ads.[Editor Comments]
[Pescatore] Consumers have rapidly been adopting ad blockers, worrying the advertising industry. From a security perspective, malvertising is a significant attack vector; so ad blocking is a good thing. However, the reality is that (like television) advertising either pays for or subsidizes most of the useful content on the Internet; it isn't going away. Further, many so called "ad blockers" are either malware themselves, or take payments from advertiser to let certain ads through. The Coalition for Better Ads is a new organization that seems to be focusing on the user experience, and trying to devise ad standards and scoring mechanisms to support consistent automating blocking that could drive online advertising to safer levels. CISOs of companies doing online advertising should point their Chief Marketing Officers at this effort.
Read more in:
WSJ: Google Plans Ad-Blocking Feature in Popular Chrome Browser https://www.wsj.com/articles/google-plans-ad-blocking-feature-in-popular-chrome-browser-1492643233
BleepingComputer: Google Working on an Ad Blocker for Chrome https://www.bleepingcomputer.com/news/google/google-working-on-an-ad-blocker-for-chrome/
Ars Technica: Report: Google will add an ad blocker to all version of Chrome web browser https://arstechnica.com/gadgets/2017/04/report-google-will-add-an-ad-blocker-to-all-versions-of-chrome-web-browser/
ZDNet: Chrome: Is ad giant Google about to roll out in its own ad blocker? http://www.zdnet.com/article/chrome-is-ad-giant-google-about-to-roll-out-in-its-own-ad-blocker/
Coalition for Better Ads: Coalition for Better Ads Releases Initial Better Ads Standards for Desktop and Mobile Web in North America and Europe https://www.betterads.org/coalition-for-better-ads-releases-initial-better-ads-standards-for-desktop-and-mobile-web/
Facebook Releases SDKs for Delegated Account Recovery Protocol (April 18 & 20, 2017)
Facebook is sharing the code for a beta version of its Delegated Account Recovery protocol. The feature will allow third-party applications to let users reset account passwords by proving their identity to Facebook instead of answering security questions or receiving a password reset link in a text or email. This capability could would allow other entities to establish themselves as a locus of account recovery.Read more in:
Wired: Facebook Offers a Better Way to Get Back Into Your Locked-Out Apps https://www.wired.com/2017/04/facebook-offers-better-way-get-back-locked-apps/
eWeek: Facebook Advances Delegated Account Recovery Protocol http://www.eweek.com/security/facebook-advances-delegated-account-recovery-protocol
Nextgov: Facebook's Account Recovery Changes Could Drastically Improve Your Online Security http://www.nextgov.com/cybersecurity/2017/04/facebooks-account-recovery-changes-could-drastically-improve-your-online-security/137198/?oref=ng-channeltopstory
Threatpost: Facebook Advances delegated Account Recovery Protocol https://threatpost.com/facebook-delegated-account-recovery-sdks-published-for-java-ruby-apps/125028/
Facebook: Delegated Account Recovery with Facebook https://developers.facebook.com/docs/delegated-recovery/
Facebook: Improving account security with delegated recovery (January 30, 2017) https://www.facebook.com/notes/protect-the-graph/improving-account-security-with-delegated-recovery/1833022090271267/
InterContinental Hotels Data Breach Affects Nearly 1,200 Properties (April 19, 2017)
InterContinental Hotels Group now says that the number of properties affected by a payment system breach is close to 1,200, a notable increase from its first estimate of 12. All but one of the affected properties are in the US. The systems were compromised between September 29 and December 29, 2016.Read more in:
KrebsOnSecurity: InterContinental Hotel Chain Breach Expands https://krebsonsecurity.com/2017/04/intercontinental-hotel-chain-breach-expands/
ZDNet: InterContinental Hotels data breach expands from 12 to 1,200 hotels http://www.zdnet.com/article/intercontinental-data-breach-expands-to-thousands-of-hotels/
BBC: Holiday Inn hotels hit by card payment system hack http://www.bbc.com/news/technology-39642172
IHG: InterContinental Hotels Group (IHG) Notifies Guests of Payment Card Incident at IHG-Branded Franchise Hotel Locations in the Americas Region https://www.ihg.com/content/us/en/customer-care/protecting-our-guests/california-residents
US Intelligence Looking for Mole Who Provided Wikileaks with Stolen Documents (April 19, 2017)
The CIA and the FBI are searching for the individual who provided documents about CIA surveillance tools to Wikileaks. The source is believed to be a CIA insider. The Wikileaks dump comes at the same time as the Shadow Brokers dump of what they say are NSA hacking tools.Read more in:
The Hill: Report: FBI, CIA hunting for insider who gave docs to WikiLeaks http://thehill.com/policy/national-security/329627-report-cia-fbi-hunting-for-insider-who-gave-docs-to-wikileaks
V3: CIA and FBI manhunt for mole who leaked secrets to Wikileaks http://www.v3.co.uk/v3-uk/news/3008725/cia-and-fbi-manhunt-for-mole-who-leaked-secrets-to-wikileaks
SC Magazine UK: FBI and CIA searching for "insider" following Wikileaks data dump https://www.scmagazineuk.com/fbi-and-cia-searching-for-insider-following-wikileaks-data-dump/article/651752/
Three Plead Guilty in ATM Skimming Case (April 18 & 19, 2017)
Three people have pleaded guilty to conspiracy to commit bank fraud in a case involving an ATM skimming scheme. In all, 13 people were charged in connection with the scheme that stole more than USD 425,000 from PCN and Bank of America ATMs in New Jersey over a 15-month period.[Editor Comments]
[Murray] When, if ever, will the credit card brands and issuers announce a plan and set a date for eliminating account numbers in the clear on magnetic stripes? At what point does security trump backwards compatibility?
Read more in:
Ars Technica: Two members of ATM skimming ring plead guilty to bank fraud https://arstechnica.com/tech-policy/2017/04/two-members-of-atm-skimming-ring-plead-guilty-to-bank-fraud/
SC Magazine: New York men plead guilty to ATM theft scheme using skimmers and hidden cameras https://www.scmagazine.com/new-york-men-plead-guilty-to-atm-theft-scheme-using-skimmers-and-hidden-cameras/article/651614/
DoJ: Member of ATM Skimming Conspiracy Pleads Guilty for Targeting Multiple New Jersey Bank Locations https://www.justice.gov/opa/pr/member-atm-skimming-conspiracy-pleads-guilty-targeting-multiple-new-jersey-bank-locations
INTERNET STORM CENTER TECH CORNER
Details about how to exploit CVE-2017-0199
https://rewtin.blogspot.com.au/2017/04/cve-2017-0199-practical-exploitation-poc.htmlUser Provided Patch To Help Update Old Operating Systems on New CPU
https://github.com/zeffy/kb4012218-19Forensics Tools and Issues with Windows 10 Compact OS
https://www.heise.de/security/artikel/Forensik-Tools-patzen-bei-neuer-Windows-Kompression-3676075.htmlHunting and Analyzing Malicious Excel Files
https://isc.sans.edu/forums/diary/Hunting+for+Malicious+Excel+Sheets/22322/Bose May Be Spying on Listeners
https://www.scribd.com/document/345620278/Bose-Privacy-ComplaintMicrosoft No-Password Sign In
https://blogs.technet.microsoft.com/enterprisemobility/2017/04/18/no-password-phone-sign-in-for-microsoft-accounts/Owncloud/Nextcloud Bug Reports Include Passwords
https://blog.hboeck.de/archives/885-Passwords-in-the-Bug-Reports-OwncloudNextcloud.htmlFuzzing Used to Find a tcpdump Vulnerability
https://www.softscheck.com/en/identifying-security-vulnerabilities-with-cloud-fuzzing/DNS Homograph Detection
https://github.com/dutchcoders/homographsDetecting Covert DNS Channels
https://isc.sans.edu/forums/diary/DNS+Query+Length+Because+Size+Does+Matter/22326/Ambient Light Sensors May Become Accessible Via JavaScript
https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/BIND Name Server Update
https://kb.isc.org/article/AA-01491Entropy As A Service
https://www.getnetrandom.com***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
