SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #33
April 25, 2017TOP OF THE NEWS
Leaked NSA Tool DoublePulsar Has Infected 200,000+ Computers
BrickerBot Launching New Round of Attacks
SquirrelMail Code Execution Flaw
Vulnerabilities in Bosch Diagnostic Car Dongle
THE REST OF THE WEEK'S NEWS
Webroot Security Tools Mistakenly Quarantine Some Windows System Files
Interpol Investigation Identifies Thousands of Command-and-Control Servers in Eight Countries
FBI Obtained Warrant Under Rule 41 to Take Down Kelihos Botnet
Seleznev Sentenced to 27 Years in Prison for Role in Carding Scheme
FireEye: China Launching Digital Attacks to Stop South Korea's Deployment of Missile Defense System
Android MilkyDoor Malware Lets Attackers Access Connected Networks
Guilty Plea in Titanium Stresser Case
US Dept. of Health and Human Service's Health Cybersecurity and Communications Integration Center
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER*************************** Sponsored By Sophos Inc. ********************
NEW Whitepaper: Don't Take the Bait: Phishing is big business. Don't get hooked - Phishing attacks have seen a rise in the last year as attackers continue to refine their tactics. Learn about the evolution of phishing, how it works and what it looks like. Get tips on how to educate your users. Learn more: http://www.sans.org/info/194320 ***************************************************************************
TRAINING UPDATE
-- SANS Automotive Cybersecurity Summit & Training | Detroit, MI | May 1-8, 2017 | https://www.sans.org/event/automotive-cybersecurity-summit/
-- SANS Security West 2017 | San Diego, CA | May 9-18 | https://www.sans.org/event/sans-security-west-2017
-- SANS San Francisco Summer 2017 | June 5-10 | https://www.sans.org/event/san-francisco-summer-2017
-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 | https://www.sans.org/event/security-operations-center-summit-2017
-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 | https://www.sans.org/event/secure-europe-2017
-- SANS Cyber Defence Canberra 2017 | June 26-July 8 | https://www.sans.org/event/cyber-defence-canberra-2017
-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017
-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017
--SANSFIRE 2017 | Washington, DC | July 22-29 | https://www.sans.org/event/sansfire-2017
-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand - https://www.sans.org/ondemand/specials
vLive - https://www.sans.org/vlive/specials
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/***************************************************************************
TOP OF THE NEWS
Leaked NSA Tool DoublePulsar Has Infected 200,000+ Computers (April 21 & 24, 2017)
A hacking tool leaked by Shadow Brokers several weeks ago has already been used to infect tens of thousands of computers with malware. Known as DoublePulsar, the malware targets computers running Windows and is a backdoor through which other malware can be loaded onto infected computers. The infected machines can be used to distribute malware, send spam, and launch attacks on other computers. DoublePulsar is installed with the EternalBlue exploit. Microsoft patched the flaw that EternalBlue exploits last month, but not everyone has installed that update.[Editor Comments]
[Assante] The opportunistic use of these tools is worrisome for ICS applications as you have large numbers of Windows XP and Server 2003 that lack support while attack pathways into those environments continue to grow.
[Williams] Organizations need to take this threat very seriously. There's already a metasploit module to deploy meterpreter over DoublePulsar, so the ease of exploitation is increasing. If you have Windows Server 2003 or Windows XP, know that you are never getting a patch for the underlying SMB exploits. Network segmentation and good internal access control lists will help limit attacker lateral movement using this vulnerability.
Read more in:
Threatpost: NSA'S DoublePulsar Kernel Exploit in Use Internet-wide https://threatpost.com/nsas-doublepulsar-kernel-exploit-in-use-internet-wide/125165/
V3: NSA-linked hacking tools released by Shadow Brokers have compromised almost 200,000 Windows PCs http://www.v3.co.uk/v3-uk/news/3008875/nsa-linked-hacking-tools-released-by-shadow-brokers-have-compromised-almost-200-000-windows-pcs
Cyberscoop: That was fast: Thousands of computers now compromised with leaked NSA tools, researchers say https://www.cyberscoop.com/fast-thousands-computers-now-compromised-leaked-nsa-tools-researchers-say/?category_news=technology
Cyberscoop: Leaked NSA tools, now infecting over 200,000 machines, will be weaponized for years https://www.cyberscoop.com/leaked-nsa-tools-now-infecting-over-200000-machines-will-be-weaponized-for-years/?category_news=technology
The Register: Script kiddies pwn 1000s of Windows boxes using leaked NSA hack tools http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/
Ars Technica: >10,000 Windows computers may be infected by advanced NSA backdoor https://arstechnica.com/security/2017/04/10000-windows-computers-may-be-infected-by-advanced-nsa-backdoor/
BrickerBot Launching New Round of Attacks (April 24, 2017)
BrickerBot, the botnet that renders Internet of Things (IoT) devices useless, has begun launching a new round of attacks, this time with more effective payloads. BrickerBot.3 was first detected on April 20, a month after the first version of the malware appeared; BrickerBot.4 made its appearance shortly after.[Editor Comments]
[Assante] There is a dark-side of using Botnets or worms to 'cull the herd', of vulnerable IoT devices. The evolution of BrickerBots will provide concepts and cover for others to damage/PDoS like-devices in industrial and infrastructure applications that can impact more than manufactures and individual consumers.
[Murray] Vigilantism! While nice people do not attach weak systems to public networks, neither do nice people interfere with their neighbors property. While this activity calls attention to the problem, it is not a legitimate solution. We judge actions, not motives. We will tolerate this activity at our peril.
Read more in:
Ars Technica: BrickerBot, the permanent denial-of-service botnet, is back with a vengeance https://arstechnica.com/security/2017/04/brickerbot-the-permanent-denial-of-service-botnet-is-back-with-a-vengeance/
SquirrelMail Code Execution Flaw (April 24, 2017)
A critical vulnerability in SquirrelMail could be exploited to execute arbitrary code. The issue is due to failure to sanitize user input; the exploit is possible only when SquirrelMail is configured with Sendmail as the main transport. The developers are working on a fix for the problem.[Editor Comments]
[Williams] The developers of this open source project were notified of the vulnerability in January, but requested additional time to fix this due to personal issues (https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html), highlighting why disclosure deadlines are a good thing for open source and commercial software. This software has been vulnerable since 2011. The vulnerability was made public only after the developer had more than three months to patch the software.
Read more in:
Threatpost: No Fix for SquirrelMail Remote Code Execution Vulnerability https://threatpost.com/no-fix-for-squirrelmail-remote-code-execution-vulnerability/125151/
The Register: Alert: If you're running SquirrelMail, Sendmail... why? And oh yeah, remote code vuln found http://www.theregister.co.uk/2017/04/24/squirrelmail_vuln/
Vulnerabilities in Bosch Diagnostic Car Dongle (April 19 & 24, 2017)
In a blog post, the Argus Cyber Security firm described how they were able to take control of cars using vulnerabilities in the Bosch Drivelog Connect OBD-II dongle and to shut of the engine of a car in motion. The Bosch Drivelog Connect is used to communicate with a diagnostics interface, which gathers information about the car and notifies drivers of deadlines for car service on their smartphones that the drivers have paired with the dongle. Two security flaws in the dongles could be exploited to send commands to cars. Bosch has addressed one of the flaws in a server-side fix; the other will be addressed in a firmware update.[Editor Comments]
[Assante] The sheer complexity of the code base in newer cars paired with a multitude of attack surfaces requires exhaustive red teaming and testing by suppliers and OEMs. More intellectual energy needs to be expended on finding potential circumventions to security designs and implementations for attacks that can scale to place fleets of cars at risk.
[Pescatore] Back in 2010, Stuxnet pointed out that there was no such thing as a software system that was actually disconnected from attacks. If it has software, that software must be updated, as a minimum. In reality, the vast majority of software also needs to periodically report outwards. Sneaker-net via USB drives crosses all air gaps - just because the car doesn't yet have Bluetooth or WiFi built-in doesn't mean it is isolated.
Read more in:
Threatpost: Patched Flaw in Bosch Diagnostic Dongle Allowed Researchers to Shut Off Engine https://threatpost.com/patched-flaw-in-bosch-diagnostic-dongle-allowed-researchers-to-shut-off-engine/125061/
Computerworld: Researchers remotely kill the engine of a moving car by hacking vulnerable car dongle http://computerworld.com/article/3191519/security/researchers-remotely-kill-the-engine-of-a-moving-car-by-hacking-vulnerable-car-dongle.html
BleepingComputer: Flaws in Car Dongle Will Let Hackers Stop Your Car's Engine https://www.bleepingcomputer.com/news/security/flaws-in-car-dongle-will-let-hackers-stop-your-cars-engine/
Bosch: Bosch Drivelog Connector https://psirt.bosch.com/Advisory/BOSCH-2017-0201.html
Argus: A Remote Attack on the Bosch Drivelog Connector Dongle https://argus-sec.com/remote-attack-bosch-drivelog-connector-dongle/
*************************** SPONSORED LINKS *****************************
1) Discover why Splunk was named a leader in the Forrester Wave : Security Analytics Platforms, Q1 2017. http://www.sans.org/info/194325
2) Discover how Cloudflare can support DNSSEC at its scale with special consideration to key management, new DNSSEC algorithm types and signing on the fly. Register: http://www.sans.org/info/194330
3) Take the Threat Landscape Survey and enter to win a $400 Amazon gift card: http://www.sans.org/info/194335
***************************************************************************
THE REST OF THE WEEK'S NEWS
Webroot Security Tools Mistakenly Quarantine Some Windows System Files (April 24 & 25, 2017)
For several hours on Monday, April 24, a Webroot antivirus signature update caused the company's security tools to flag some Windows system files as malware and move them to quarantine. The bad signatures were live for just 13 minutes. The issue affected all versions of Windows. Webroot has suggested fixes for Windows Home edition and Windows Business edition.[Editor Comments]
[Williams] This case highlights why it is so critical to test AV signature updates before deploying them to the enterprise. It's easy enough to say "no big deal, we're not a WebRoot customer" but this sort of problem has happened before with practically every AntiVirus vendor out there (and likely will again). If you don't yet have an isolated environment for testing antivirus signatures, use this event to get backing for the project.
Read more in:
ZDNet: Webroot antivirus mistakenly flags Windows as malware http://www.zdnet.com/article/webroot-antivirus-mistakenly-flags-windows-system-files-as-malware/
The Register: Webroot antivirus goes bananas, starts trashing Windows system files http://www.theregister.co.uk/2017/04/25/webroot_windows_wipeout/
Ars Technica: AV provider Webroot melts down as update nukes hundreds of legit files https://arstechnica.com/security/2017/04/av-provider-webroot-melts-down-as-update-nukes-hundreds-of-legit-files/
Interpol Investigation Identifies Thousands of Command-and-Control Servers in Eight Countries (April 24, 2017)
An Interpol investigation has identified nearly 9,000 servers in Southeast Asia countries that are being used to further cybercrime. The machines act as command-and-control servers for malware schemes, including launching distributed denial-of-service (DDoS) attacks, spreading ransomware, and sending spam. Interpol provided the data it gathered to authorities in China, Indonesia, Malaysia, Myanmar, Philippines, Singapore, Thailand, and Vietnam. Seven companies aided in the Interpol investigation, which also discovered hundreds of compromised websites.[Editor Comments]
[Northcutt] I read all three links below" and was reminded of the movie Risky Business when Joel (Tom Cruise) drives all the way into the city just to nod at Lana (Rebecca De Mornay)," Joel: At least she knows we're on to her. Miles: Yeah, she must be terrified." It is great that all these countries and companies worked together. Identifying the sites is great. Now what? For my money/time investment, I am leaning towards the Google Safe Browsing API: https://developers.google.com/safe-browsing/v4/
Read more in:
Interpol: INTERPOL-led cybercrime operation across ASEAN unites public and private sectors https://www.interpol.int/News-and-media/News/2017/N2017-051
Cyberscoop: Interpol identifies 9,000 computers in Asia owned by hackers, used to launch ransomware https://www.cyberscoop.com/interpol-identifies-9000-computers-asia-owned-hackers-used-launch-ransomware/?category_news=technology
BleepingComputer: Interpol Identifies 8,800 C&C Servers Used for Malware, Ransomware, Others https://www.bleepingcomputer.com/news/security/interpol-identifies-8-800-candc-servers-used-for-malware-ransomware-others/
FBI Obtained Warrant Under Rule 41 to Take Down Kelihos Botnet (April 24, 2017)
Earlier this month, the FBI obtained a warrant in Alaska to break into thousands of computers to rid them of an infection that made them act as part of the Kelihos botnet. In 2014, the FBI obtained a warrant to infiltrate computers worldwide to take down the Gameover Zeus botnet. That operation involved redirecting requests made by victim computers and gathering certain information from those computers. The Kelihos takedown is more complex, involving modification of infected computers.Read more in:
Ars Technica: FBI allays some critics with first use of new mass-hacking warrant https://arstechnica.com/tech-policy/2017/04/fbi-allays-some-critics-with-first-use-of-new-mass-hacking-warrant/
Cyberscoop: DOJ moves to topple Kelihos, one of the world's largest botnets https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/
DoJ: US District Court for the District of Alaska: Application Under Rule 41 for a Search Warrant https://www.justice.gov/opa/press-release/file/956521/download
Seleznev Sentenced to 27 Years in Prison for Role in Carding Scheme (April 21 & 24, 2017)
Roman Valeryevich Seleznev has been sentenced to 27 years in prison for his role in a payment card data theft scheme. Seleznev was found guilty on charges of wire fraud, intentional damage to a protected computer, obtaining information from a protected computer, possession of unauthorized access devices, and aggravated identity theft. The sentence is the longest ever handed down to an individual convicted of a cybercrime; in 2010, Albert Gonzalez was sentenced to 20 years in prison for his role in a string of payment card theft schemes. Brian Krebs notes that the lengthy sentence, described by Seleznev's lawyer as "draconian," may be due in part to Seleznev's unwillingness to cooperate with authorities. He had declined a plea deal before the trial. Seleznev's father is a Russian MP.Read more in:
Computerworld: Russian man receives longest-ever prison sentence in the US for hacking http://computerworld.com/article/3191951/security/russian-man-receives-longest-ever-prison-sentence-in-the-us-for-hacking.html
KrebsOnSecurity: The Backstory Behind Carder Kingpin Roman Seleznev's Record 27 Year Prison Sentence https://krebsonsecurity.com/2017/04/the-backstory-behind-carder-kingpin-roman-seleznevs-record-27-year-prison-sentence/
BBC: Russian MP Seleznev incensed after son jailed in US http://www.bbc.com/news/world-us-canada-39672498
DoJ: Russian Cyber-Criminal Sentenced to 27 Years in Prison for Hacking and Credit Card Fraud Scheme https://www.justice.gov/opa/pr/russian-cyber-criminal-sentenced-27-years-prison-hacking-and-credit-card-fraud-scheme
FireEye: China Launching Digital Attacks to Stop South Korea's Deployment of Missile Defense System (April 21, 2017)
Security firm FireEye says that China has been launching digital attacks against South Korea's military, government and defense industry systems to stop the country from deploying an anti-ballistic weapons system. FireEye says that China is concerned that the Terminal High-Altitude Air Defense (THAAD) radar systems could be used for espionage.Read more in:
WSJ: China Hacked South Korea Over Missile Defense, U.S. Firm Says https://www.wsj.com/articles/chinas-secret-weapon-in-south-korea-missile-fight-hackers-1492766403
The Register: China 'hacked' South Korea to wreck Star Wars missile shield http://www.theregister.co.uk/2017/04/21/china_accused_south_korea_hack/
Ars Technica: Researchers claim China trying to hack South Korea missile defense efforts https://arstechnica.com/security/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/
Android MilkyDoor Malware Lets Attackers Access Connected Networks (April 21, 2017)
Trend Micro has warned that recently-detected Android malware known as MilkyDoor makes infected devices into "walking backdoors," giving attacker access to the networks a user connects to. Trend Micro found that MilkyDoor was embedded in roughly 200 Android apps, each of which have between 500,000 and one million downloads. MilkyDoor "uses remote port forwarding via Secure Shell (SSH) tunnels to hide malicious traffic."[Editor Comments]
[Neely] This appears to be a successor to the DressCode malware which used a SOCKS proxy for access. MilkyDoor is using SSH port forwarding to pivot through the Android to the attached corporate network, and banking that port 22 is allowed through the firewall. And, as this is an SSH tunnel, organizations are not going to have visibility to the traffic. MilkyDoor is embedded in about 200 applications, increasing the odds of installation. Take Away: Android devices are really computers, not just phones, and that sophistication can be leveraged.
Read more in:
SC Magazine: Got MilkyDoor? Android malware lets attackers infiltrate your phone's connected network https://www.scmagazine.com/got-milkydoor-android-malware-lets-attackers-infiltrate-your-phones-connected-network/article/652045/
BleepingComputer: MilkyDoor Android Malware Uses SSH Tunnels to Access Secure Corporate Networks https://www.bleepingcomputer.com/news/security/milkydoor-android-malware-uses-ssh-tunnels-to-access-secure-corporate-networks/
Trend Micro: DressCode Android Malware Finds Apparent Successor in MilkyDoor http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-android-malware-finds-successor-milkydoor/
Guilty Plea in Titanium Stresser Case (April 21, 2017)
A British man has admitted to violations of the Computer Misuse Act for creating malware known as Titanium Stresser. Adam Mudd earned GBP 360,000 (USD $460,000) from malware sales. In all, there were more than 10,000 registered users who were behind roughly 1.7 million distributed denial-of-service (DDoS) attacks against websites. Some of the sites spent a significant amount of money defending themselves from the attacks.[Editor Comments]
[Honan] Adam Mudd was 16 when he created these tools and a prime example of why as an industry and a society we need to do more to steer those with an interest and talent in security away from the malicious side and to put those talents to good use. Europol have released its "Youth Pathways into Cybercrime" whitepaper on this topichttp://www.mdx.ac.uk/__data/assets/pdf_file/0025/245554/Pathways-White-Paper.pdf and last week the UK's National Crime Agency released its "Pathways to Cybercrime" paper http://www.nationalcrimeagency.gov.uk/publications/791-pathways-into-cyber-crime/file
Read more in:
BBC: Computer hacker Adam Mudd attacked gaming websites http://www.bbc.com/news/uk-england-beds-bucks-herts-39666593
Guardian: Teenage hacker made u300,000 from selling malware, court hears https://www.theguardian.com/uk-news/2017/apr/21/teenage-hacker-made-300000-from-selling-malware-court-hears
US Dept. of Health and Human Service's Health Cybersecurity and Communications Integration Center (April 20, 2017)
The US Department of Health and Human Services (HHS) is establishing its own version of the Department of Homeland Security's (DHS's) National Cybersecurity and Communications Integration Center (NCCIC). The Health Cybersecurity and Communications Integration Center (HCCIC) is expected to be operational by the end of June 2017. HHS has given the National Health Information Sharing and Analysis Center grants to help encourage wide participation and ensure that small health services offices can benefit from the information that is gathered.[Editor Comments]
[Pescatore] Strengthening ISACs is a good thing. Back in October 2016 HHS funded the NH-ISAC to accelerate development of the infrastructure and processes to increase collaboration across the healthcare cybersecurity communities, mostly focused around threat and vulnerability information sharing. The next phase up the "ISAC Maturity Model" is where members share tools, techniques and processes for increasing resistance to those threats.
[Murray] I am old, I drink, and I use medical services. I can receive no health services without signing away any privacy expectations that I might have had. Having signed my privacy rights away in any case, I really care about the fact that I am asked to complete a new medical history record before any service. I would gladly give my medical history to Google if the health care industry would use it. This must be the only sector of our economy that uses fax to the exclusion of e-mail, paper forms in preference to PDFs. "HIPAA is in the ditch," in large part because it treats paper records differently from electronic ones.
Read more in:
FNR: HHS to stand up its own version of the NCCIC for health https://federalnewsradio.com/health-it/2017/04/hhs-to-stand-up-its-own-version-of-the-nccic-for-health/
INTERNET STORM CENTER TECH CORNER
Increase in Port 81 Traffic
https://isc.sans.edu/forums/diary/WTF+tcp+port+81/22332/Analyzing a Document and Malware Trying to Exploit CVE-2017-0199 (HTA)
https://isc.sans.edu/forums/diary/Malicious+Documents+A+Bit+Of+News/22334/DOUBLEPULSAR Detected on Tens of Thousands of Systems
http://www.theregister.co.uk/2017/04/21/windows_hacked_nsa_shadow_brokers/NVidia Includes Node.js Server with Drivers
http://blog.sec-consult.com/2017/04/application-whitelisting-application.htmlAndroid SMSVova Spyware Survives in Google Play Store for 3 Years
https://www.zscaler.com/blogs/research/android-spyware-smsvova-posing-system-update-play-storeAndroid Malware MilkyDoor Builds Backdoor into Networks Via SSH/SOCKS
http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-android-malware-finds-successor-milkydoor/Remote Code Execution Flaw in Squirrelmail
http://seclists.org/fulldisclosure/2017/Apr/81Atlassian Confluence Update
https://confluence.atlassian.com/doc/confluence-security-advisory-2017-04-19-887071137.htmlTCP Proxy Over Named Pipes / SMB
https://github.com/dxflatline/flatpipes***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
