
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #36

May 5, 2017

TOP OF THE NEWS


Smaller Nations Developing Cyberespionage Programs
DHS Wants Broader Authority to Secure Mobile Networks
Google Docs Phishing Scam
SS7 Flaws Exploited in Online Bank Account Heists

THE REST OF THE WEEK'S NEWS


WordPress Password Reset Zero Day Vulnerability
Blackmoon Banking Trojan is Using a Three-stage Downloader
BondNet Botnet Mines Cryptocurrencies
IT Failure at NHS Trust Results in Cancelled Operations and Appointments
US Congressional Committee Chastises IRS, Dept. of Education Over Data Breach
FIN7 Carbanak Group May Be Behind Chipotle Breach
Google Releases Android Updates

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Cisco Systems ******************

It is no longer a matter of if, but when, attackers will break into your network. Today's enterprises need a well-established plan for responding to security incidents quickly and effectively. Download our white paper to learn about the people, processes, and technologies needed to build a strong incident response strategy and avoid damaging data breaches. http://www.sans.org/info/194630
***************************************************************************

TRAINING UPDATE

-- SANS San Francisco Summer 2017 | June 5-10 |
http://www.sans.org/u/qE8

-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 |
Build more effective security operations. Two days of in-depth Summit talks, 5 SANS courses, exclusive networking opportunities, & more!
http://www.sans.org/u/qof

-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 |
http://www.sans.org/u/qqA

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 |
http://www.sans.org/u/qqF

-- SANS London July 2017 | July 3-8 |
http://www.sans.org/u/pSD

-- SANS Cyber Defence Singapore | July 10-15 |
http://www.sans.org/u/pSI

-- SANSFIRE 2017 | Washington, DC | July 22-29 |
http://www.sans.org/u/r4U

-- SANS Network Security | Las Vegas, NV | September 10-17 |
https://www.sans.org/event/network-security-2017

-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WK) and Evening (vLive - http://www.sans.org/u/WZ) courses available!

-- SANS Online Training: Special Offer! Register by May 10 and receive a new iPad, Samsung Galaxy Tab A or take $350 off your OnDemand or vLive Course!

-- OnDemand http://www.sans.org/u/pS9

-- vLive http://www.sans.org/u/pSj

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X9
Contact mentor@sans.org

-- Looking for training in your own community?
Community - http://www.sans.org/u/Xo

-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/XD

Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN

***************************************************************************

TOP OF THE NEWS

Smaller Nations Developing Cyberespionage Programs (May 3, 2017)

Cybersecurity companies are noticing an increasing number of countries that are building up their cyberespionage capabilities. Unlike physical weaponry, the cost is not prohibitive and lives are not at risk, which lets smaller nations enter the arena.

[Editor Comments]

[Pescatore] Sophisticated attack code for cybercrime has long come from cyber criminals outside the US, China, Russia or North Korea. The important part: the vulnerabilities that enable the nation-state attacks are what allow all other attacks to succeed. There is an old saying "People who live in glass houses should build stronger houses."

[Murray] No surprise here. As some costs of attack fall, we must use security measures to increase others and decrease the value of success.

[Williams] The Shadow Brokers' release of (what are reportedly) NSA hacking tools will accelerate the development of nation-state hacking programs. Even though the exploits have been patched and the tools will have antivirus signatures, the tools offer insight into how well-funded nation states build their programs. The documentation released through the Wikileaks disclosures of CIA hacking tools offers additional insight to nations developing offensive cyber programs.

Read more in:

GT: Several New Players With No Prior Cyber Espionage Experience Jump Into the Hacking Game http://www.govtech.com/security/Several-New-Players-With-No-Prior-Cyber-Espionage-Experience-Jump-Into-the-Hacking-Game.html

DHS Wants Broader Authority to Secure Mobile Networks (May 4, 2017)

According to a report from the US Department of Homeland Security's (DHS's) Science and Technology Directorate, the DHS lacks sufficient authority to take the steps it believes are necessary to secure mobile phone networks as part of its job of securing federal IT systems. Currently, DHS cannot inspect mobile carrier infrastructure without the carrier's authorization, and cannot require mobile carriers to implement security measures. The DHS Study on Mobile Device Security notes that "the enhanced capabilities that mobile devices provide, the ubiquity and diversity of mobile applications, and the typical use of the devices outside the agency's traditional network boundaries requires a security approach that differs substantially from the protections developed for desktop workstations."

[Editor Comments]

[Pescatore] The DHS study ignores the government's 5 years of experience in widely using smartphones and tablets, no lessons learned at all. It recommends that the DHS Continuous Diagnostics and Mitigation program, which has been slow to address basic security hygiene issues on government PCs and servers, be expanded to include mobile devices. Rather than look at how the GSA FedRamp program has been able to use the government's procurement power to drive cloud providers to high levels of security and visibility, it recommends DHS get new authority. The report also recommends that the government only use NIAP certificated devices - a snail's pace approach which failed for PCs, servers and software that have much longer life cycles than mobile devices.

[Murray] Wow! First, the report is "threat," rather than risk, oriented. Second, the attacks and breaches that the government continues to suffer are aimed at desktops, and to a lesser degree, servers and legacy mainframes, not mobiles. While mobiles are novel, they have proven to be far less vulnerable than desktops. Third, while the government MAY have unique requirements to which the market MIGHT not respond, that does not justify giving DHS broad authority over the private sector. Fortunately, we remain very far from legislation, much less law.

Read more in:

Nextgov: DHS: Time to Beef Up Mobile Security http://www.nextgov.com/cybersecurity/2017/05/dhs-time-beef-mobile-security/137592/?oref=ng-channeltopstory
Cyberscoop: DHS: More authority needed to secure mobile networks https://www.cyberscoop.com/dhs-mobile-security-report-federal-it/
DHS: DHS Study on Mobile Device Security https://www.dhs.gov/publication/csd-mobile-device-security-study

Google Docs Phishing Scam (May 3, 4, & 5, 2017)

An enormous phishing scheme disguised as a Google Docs request has been sent to as many as one million users. The attackers used Google developer tools to create an app designed to trick users into thinking they were viewing the real Google Docs app. It displayed a legitimate OAuth screen seeking permission to access and manage users' email and contacts. Within an hour of learning about the phishing scheme, Google had taken steps to protect users.

[Editor Comments]

[Honan] Companies will be judged on how well they respond and deal with the breach rather than the breach itself. Incident response teams need to test their capabilities regularly so they know how to operate during a breach; good training enables teams to respond well to breach scenarios they may not have thought about.

Read more in:

Computerworld: Google Docs phishing scam underscores OAuth security risks http://computerworld.com/article/3194788/security/google-docs-phishing-scam-underscores-oauth-security-risks.html
Wired: Don't Open That Google Doc Unless You're Positive It's Legit https://www.wired.com/2017/05/dont-open-google-doc-unless-youre-positive-legit/
SC Magazine: Massive Google Docs phishing attack targeted credentials, permissions https://www.scmagazine.com/massive-google-docs-phishing-attack-targeted-credentials-permissions/article/654938/
eWeek: Google Docs Phishing Attack Tricks Unsuspecting Users to Click http://www.eweek.com/security/google-docs-phishing-attack-tricks-unsuspecting-users-to-click
Cyberscoop: OAuth-based phishing campaign gives Gmail users a scare https://www.cyberscoop.com/gmail-phishing-attack-oauth/?category_news=technology
Threatpost: 1 Million Gmail Users Impacted by Google Docs Phishing Attack https://threatpost.com/1-million-gmail-users-impacted-by-google-docs-phishing-attack/125436/
BleepingComputer: It Took Google One Hour to Shut Down Massive Self-Replicating Phishing Campaign https://www.bleepingcomputer.com/news/security/it-took-google-one-hour-to-shut-down-massive-self-replicating-phishing-campaign/

SS7 Flaws Exploited in Online Bank Account Heists (May 3, 2017)

Attackers recently exploited vulnerabilities in the Signaling System 7 (SS7) protocol to steal money from bank accounts protected with two-factor authentication. The SS7 protocol allows mobile phone networks to talk to each other. The attacks, which began in January 2017, exploited flaws in SS7 to intercept text messages with mobile transaction authentication numbers (mTANs) or single-use passwords sent by banks as part of two-factor authentication schemes for funds transfers. The attackers used mTAN interception only after they had already used more traditional means to obtain account holders' access passwords and view balances.

[Editor Comments]

[Murray] While it has limitations, and while some implementations and uses may be vulnerable to (difficult) man-in-the-middle attacks, strong authentication is far from "so broken" as the ZDNet headline says. "Nothing useful can be said about the security of a mechanism except in the context of a specific application and (threat) environment." While I use strong authentication on all my financial and e-commerce accounts, my security does not rely upon it exclusively.

[Honan] SMS for two-factor authentication (or really two-stage authentication as you enter two passwords) has been a cheap way to improve security for end users. It is a solution that NIST highlighted last year as being a vector not secure enough for this purpose, https://pages.nist.gov/800-63-3/sp800-63b/cover.html But yet again, convenience and cost trump security until a major event happens.

Read more in:

ZDNet: Two-factor security is so broken, now hackers can drain bank accounts http://www.zdnet.com/article/two-factor-security-is-so-broken-criminals-drained-a-persons-bank-account/
The Register: After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts http://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/
Ars Technica: Thieves drain 2fa-protected bank accounts by abusing SS7 routing protocol https://arstechnica.com/security/2017/05/thieves-drain-2fa-protected-bank-accounts-by-abusing-ss7-routing-protocol/
Süddeutsche Zeitung: Schwachstelle im Mobilfunknetz: Kriminelle Hacker räumen Konten leer (In German: "Vulnerability in the Mobile Network: Criminal Hackers Empty Accounts") http://www.sueddeutsche.de/digital/it-sicherheit-schwachstelle-im-mobilfunknetz-kriminelle-hacker-raeumen-konten-leer-1.3486504

*************************** SPONSORED LINKS *****************************

1) WEBCAST: "How to Conquer Targeted Email Threats: SANS Review of Agari Enterprise Protect" Register: http://www.sans.org/info/194635
2) In case you missed it: A New Era in Endpoint Protection: "A SANS Product Review of CrowdStrike Falcon(R) Endpoint Protection" Register: http://www.sans.org/info/194640
3) Take the SANS 2017 Survey on Insider Threats and register for a chance to win a $400 Amazon gift card: http://www.sans.org/info/194645
***************************************************************************

THE REST OF THE WEEK'S NEWS

WordPress Password Reset Zero Day Vulnerability (May 4, 2017)

An unpatched flaw in WordPress Core could be exploited to obtain a user's account password reset link. The issue affects all versions of WordPress, including the most up-to-date, version 4.7.4.

[Editor Comments]

[Williams] Exploitation of this is VERY difficult. The attacker must send the email to an account that bounces the complete content of the message (with reset link) to the address specified by the reply-to address. So the attacker would have to know the reset address, fill up the mailbox where the reset link is sent, and finally hope that the configured mail server bounces the complete contents of the email message to the attacker. This is a vulnerability, but not one that is easily exploited.

Read more in:

BleepingComputer: WordPress Zero-Day Could Expose Password Reset Emails https://www.bleepingcomputer.com/news/security/wordpress-zero-day-could-expose-password-reset-emails/
Threatpost: Unpatched WordPress Password Reset Vulnerability Lingers https://threatpost.com/unpatched-wordpress-password-reset-vulnerability-lingers/125421/

Blackmoon Banking Trojan is Using a Three-stage Downloader (May 4, 2017)

The Blackmoon banking Trojan has been used in attacks targeting customers of South Korean banks. Blackmoon uses a three-stage downloader dubbed Blackmoon Downloader Framework to evade detection.

Read more in:

SC Magazine: Trio of downloaders used in recent Blackmoon banking trojan campaign https://www.scmagazine.com/trio-of-downloaders-used-in-recent-blackmoon-banking-trojan-campaign/article/654963/
Threatpost: Blackmoon Banking Trojan Using New Infection Technique https://threatpost.com/blackmoon-banking-trojan-using-new-infection-technique/125425/
Fidelis: Blackmoon Rising: Banking Trojan Back with New Framework https://www.fidelissecurity.com/threatgeek/2017/05/blackmoon-rising-banking-trojan-back-new-framework

BondNet Botnet Mines Cryptocurrencies (May 4, 2017)

The BondNet botnet has harnessed the processing resources of roughly 15,000 Windows Server machines to mine for cryptocurrencies. The culprit appears to be operating out of China and is earning about 25,000 USD a month from the botnet's activity. BondNet's presence was first detected in December 2016.

Read more in:

Cyberscoop: Monero mining botnet earns suspected Chinese hacker $25,000 per month https://www.cyberscoop.com/monero-mining-botnet-earns-suspected-chinese-hacker-25000-per-month/?category_news=technology
BleepingComputer: 15K Botnet Mines for Cryptocurrencies on Vulnerable Windows Servers https://www.bleepingcomputer.com/news/security/15k-botnet-mines-for-cryptocurrencies-on-vulnerable-windows-servers/
Dark Reading: New 'Bondnet' Botnet Mines Cryptocurrencies http://www.darkreading.com/attacks-breaches/new-bondnet-botnet-mines-cryptocurrencies/d/d-id/1328802?

IT Failure at NHS Trust Results in Cancelled Operations and Appointments (April 28, May 2, & 4, 2017)

An unspecified IT equipment failure at Barts Health NHS Trust has forced the cancellation of more than 100 operations and hundreds of chemotherapy appointments. The issues began on April 20, 2017 and have not been entirely resolved.

Read more in:

V3: Barts: 136 operations and hundreds of chemotherapy appointments cancelled due to recent IT failure http://www.v3.co.uk/v3-uk/news/3009507/barts-136-operations-and-hundreds-of-chemotherapy-appointments-cancelled-due-to-recent-it-failure
Computing: Barts Health NHS Trust suffers catastrophic IT failure - for EIGHT days http://www.computing.co.uk/ctg/news/3009193/barts-health-nhs-trust-suffering-catastrophic-it-failure-for-eight-days
Digital Health: Imaging and pathology IT restored at Barts Health https://www.digitalhealth.net/2017/05/imaging-and-pathology-it-restored-at-barts-health/

US Congressional Committee Chastises IRS, Dept. of Education Over Data Breach (May 3, 2017)

The US House Oversight and Government Reform Committee took the Internal Revenue Service (IRS) and the Department of Education to task earlier this week for delaying the disclosure of a breach that may have compromised sensitive personal information of as many as 100,000 families who applied for federal student financial aid. The IRS's Data Retrieval Tool allowed financial aid applicants to populate the Free Application for Federal Student Aid (FAFSA) with information from tax returns. Attackers were abusing the tool to steal information and file fraudulent tax returns to obtain refunds. The tool was closed down in early March.

Read more in:

FNR: IRS, Education Dept. delayed reporting major data breach, lawmakers claim https://federalnewsradio.com/cybersecurity/2017/05/irs-education-dept-delayed-reporting-major-data-breach-lawmakers-claim/
The Hill: Lawmakers grill IRS, Education officials over data breach http://thehill.com/policy/cybersecurity/331791-lawmakers-take-aim-at-irs-education-dept-over-data-breach

FIN7 Carbanak Group May Be Behind Chipotle Breach (May 3 & 4, 2017)

A cybercrime group known as FIN7/Carbanak is believed to be responsible for the payment card breach at Chipotle and several other restaurants. The group appears to be misusing the Windows Application Compatibility Infrastructure, which lets app developers create patches called shims to help apps run smoothly on newer versions of Windows. FIN7/Carbanak is believed to have registered a shim database that allowed it to inject a backdoor into targeted computers.
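Registering a shim database leaves a registry footprint on the host, which gives defenders something to baseline and audit. The following PowerShell is an added example, not code from this NewsBites item or from the reports it cites; it assumes the standard InstalledSDB and Custom keys that sdbinst.exe writes under AppCompatFlags, treats the %SystemRoot%\AppPatch directory as the expected home of SDB files (a heuristic, not a rule), and needs administrative rights.

```powershell
# Added example: enumerate registered application-compatibility shim databases
# and the executables they are applied to, flagging entries worth a closer look.
# Assumption: these are the standard registry locations written by sdbinst.exe.
$installed = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB'
$custom    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom'
$trusted   = Join-Path $env:SystemRoot 'AppPatch'   # heuristic: expected SDB directory

# Each subkey of InstalledSDB is a database GUID carrying path, description and install time.
$databases = Get-ChildItem -Path $installed -ErrorAction SilentlyContinue | ForEach-Object {
    $p    = Get-ItemProperty -LiteralPath $_.PSPath
    $path = [string]$p.DatabasePath
    [pscustomobject]@{
        Guid            = $_.PSChildName
        Description     = $p.DatabaseDescription
        Path            = $path
        Installed       = if ($p.DatabaseInstallTimeStamp) { [DateTime]::FromFileTime([int64]$p.DatabaseInstallTimeStamp) } else { $null }
        ExistsOnDisk    = ($path -ne '') -and (Test-Path -LiteralPath $path)
        # A database kept outside AppPatch is unusual enough to review by hand.
        OutsideAppPatch = -not $path.StartsWith($trusted, [StringComparison]::OrdinalIgnoreCase)
    }
}

# Custom\<executable> subkeys list, as value names of the form {GUID}.sdb,
# which databases are applied when that executable starts.
$targets = Get-ChildItem -Path $custom -ErrorAction SilentlyContinue | ForEach-Object {
    $exe = $_.PSChildName
    (Get-ItemProperty -LiteralPath $_.PSPath).PSObject.Properties |
        Where-Object { $_.Name -like '{*}.sdb' } |
        ForEach-Object { [pscustomobject]@{ Executable = $exe; Database = ($_.Name -replace '\.sdb$', '') } }
}

"Registered shim databases:"
$databases | Format-Table Guid, Description, Path, Installed, ExistsOnDisk, OutsideAppPatch -AutoSize
"Executables with custom shims applied:"
$targets | Format-Table Executable, Database -AutoSize

# Review candidates: databases stored outside AppPatch or missing from disk,
# plus any shim applied to an executable nobody remembers shimming.
"Entries to review:"
$databases | Where-Object { $_.OutsideAppPatch -or -not $_.ExistsOnDisk } | Format-Table -AutoSize
```

Run it once on a known-good build to capture a baseline; differences on later runs, or shims attached to system or payment-processing binaries, are what to investigate.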

Read more in:

Computerworld: Cybercrime group abuses Windows app compatibility feature http://computerworld.com/article/3194587/security/cybercrime-group-abuses-windows-app-compatibility-feature.html
Cyberscoop: This elite cybercrime group is wreaking havoc on the U.S. restaurant industry https://www.cyberscoop.com/chipotle-hack-fin7-carbanak-baja-fresh-ruby-tuesday/

Google Releases Android Updates (May 2, 2017)

On Monday, May 1, Google released patches for Android. In all, the update fixes 17 critical vulnerabilities. Of those, six are related to the operating system's Mediaserver component. Four of the critical flaws lie in Qualcomm components in Android handsets. Android updates are released in two batches: The May 1 batch was the partial security patch level; the complete security patch level update is expected to be released on Friday, May 5.

Read more in:

Threatpost: Google Patches Six Critical Mediaserver Bugs in Android https://threatpost.com/google-patches-six-critical-mediaserver-bugs-in-android/125347/

INTERNET STORM CENTER TECH CORNER

Scans Sighted for Ports Used by Intel Remote Management Interface

https://isc.sans.edu/port.html?port=16992
https://isc.sans.edu/port.html?port=16993

Outlook Forms Can Run Macros

https://sensepost.com/blog/2017/outlook-forms-and-shells/

Jenkins Vulnerability

https://jenkins.io/security/advisory/2017-04-26/

Google Android May Patchday

https://source.android.com/security/bulletin/2017-05-01

IBM Storwize USB Stick Malware

http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146&myns=s028&mynp=OCSTHGUJ&mynp=OCSTLM5A&mynp=OCSTLM6B&mynp=OCHW206&mync=E&cm_sp=s028-_-OCSTHGUJ-OCSTLM5A-OCSTLM6B-OCHW206-_-E

Google Docs OAUTH Phishing E-Mails

https://isc.sans.edu/forums/diary/OAUTH+phishing+against+Google+Docs+beware/22372/
Review Google App Permissions https://myaccount.google.com/u/0/permissions?pli=1

SS7 Exploits Documented in Banking Attacks

http://www.sueddeutsche.de/digital/it-sicherheit-schwachstelle-im-mobilfunknetz-kriminelle-hacker-raeumen-konten-leer-1.3486504
http://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/

Google OAUTH Spam Wrap-up

https://threatpost.com/1-million-gmail-users-impacted-by-google-docs-phishing-attack/125436/

Artificial Master Fingerprint Set

https://wp.nyu.edu/memon/the-master-print/

rpcbind denial of service

https://guidovranken.wordpress.com/2017/05/03/rpcbomb-remote-rpcbind-denial-of-service-patches/

Debian Discontinues FTP Support for Downloads

https://www.debian.org/News/2017/20170425


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create