SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #37
May 9, 2017
Roger Grimes just finished his new book. It's a fun and useful read for anyone interested in how the cybersecurity field developed, including insightful profiles of 26 pioneers. Stephen Northcutt (whose profile will give you a rare picture of how SANS evolved) and Lance Spitzner are among them. It's called Hacking the Hacker https://www.amazon.com/Hacking-Hacker-Learn-Experts-Hackers/dp/1119396212/.
Alan
TOP OF THE NEWS
Microsoft: Attackers Used Software Updater to Infect Computers
Microsoft Releases Emergency Patch for Critical Flaw in Microsoft Malware Protection Engine
FBI Says 5 Billion USD Lost to Business eMail Compromise
Intel Chip Flaw is Worse Than First Thought
THE REST OF THE WEEK'S NEWS
Google Tightening OAuth Rules
HandBrake App Site Used to Spread Mac Malware
Netrepser Espionage Group Uses Free, Legitimate Tools to Infect Targets
Police May Have Been Less Than Forthcoming to Judge About Stingray Use
Legislators Urge OPM to be Flexible in Cybersecurity Hiring
Lieu Renews Call for SS7 Fix
DoJ Expanding Investigation of Uber's Use of Greyball Tool
Sabre Hires Mandiant to Investigate Breach
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Sophos Inc. ********************
WEBINAR: The Fight Against Ransomware - From ransomware to rootkits, old school security cannot keep pace with today's advanced attacks. Join us for a live webcast every Wednesday at 2pm ET to learn how to get innovative next-gen protection without impacting performance. Register Today: http://www.sans.org/info/194650 ***************************************************************************
TRAINING UPDATE
-- SANS San Francisco Summer 2017 | June 5-10 | http://www.sans.org/u/qE8
-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 | Build more effective security operations. Two days of in-depth Summit talks, 5 SANS courses, exclusive networking opportunities, & more! http://www.sans.org/u/qof
-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 | http://www.sans.org/u/qqA
-- SANS Cyber Defence Canberra 2017 | June 26-July 8 | http://www.sans.org/u/qqF
-- SANS London July 2017 | July 3-8 | http://www.sans.org/u/pSD
-- SANS Cyber Defence Singapore | July 10-15 | http://www.sans.org/u/pSI
-- SANSFIRE 2017 | Washington, DC | July 22-29 | http://www.sans.org/u/r4U
-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017
-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WK) and Evening (vLive - http://www.sans.org/u/WZ) courses available!
-- SANS Online Training: Special Offer! Register by May 10 and receive a new iPad, Samsung Galaxy Tab A or take $350 off your OnDemand or vLive Course!
-- OnDemand http://www.sans.org/u/pS9
-- vLive http://www.sans.org/u/pSj
-- Multi-week Live SANS training Mentor - http://www.sans.org/u/X9 Contact mentor@sans.org
-- Looking for training in your own community? Community - http://www.sans.org/u/Xo
-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/XD
Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN
***************************************************************************
TOP OF THE NEWS
Microsoft: Attackers Used Software Updater to Infect Computers (May 5, 2017)
Microsoft detected a cyberattack campaign that used third-party editing software tools to infect systems at "several high-profile technology and financial organizations." By injecting code into the tools' updating mechanisms, the attackers were able to surreptitiously place malware on their targets' computers. Microsoft is urging software vendors to take steps to protect their updaters.
[Editor Comments]
[Williams] Perimeter security simply won't stop malware deployed through malicious updates. Organizations need good internal monitoring of endpoints and network traffic as well as effective verification of software supply chain security for the software and hardware your organization uses.
Read more in:
Microsoft: Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack https://blogs.technet.microsoft.com/mmpc/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/
Cyberscoop: Microsoft uncovers hacking operation aimed at software supply chain https://www.cyberscoop.com/microsoft-uncovers-hacking-operation-aimed-at-software-supply-chain/
ZDNet: Microsoft's Windows warning: Hackers hijacked software updater with in-memory malware http://www.zdnet.com/article/microsofts-windows-warning-hackers-hijacked-software-updater-with-in-memory-malware/
Microsoft Releases Emergency Patch for Critical Flaw in Microsoft Malware Protection Engine (May 8 & 9, 2017)
Microsoft has issued an emergency patch for a critical remote code execution flaw in Microsoft Malware Protection Engine. Researchers from Google's Project Zero found the vulnerability that affects default Windows installs and can self-replicate.
[Editor Comments]
[Ullrich] The patch should already be on your system as it is rolled out with a malware signature update, not a distinct security patch. This is one reason why it was rolled out on Monday, not the more-regular patch Tuesday today. Currently there is no public exploit available.
[Williams] Microsoft's response to this flaw was nothing short of commendable. The fact that patches are likely automatic for most users will likely prevent this from becoming a worm. However, one needs to ask if it is really wise to have a non-sandboxed JavaScript engine running with superuser privileges in the first place. I think with this bug, Google has uncovered a structural issue Microsoft needs to change to ensure future security.
Read more in:
Microsoft: Security Update for Microsoft Malware Protection Engine https://technet.microsoft.com/en-us/library/security/4022344
Bleeping Computer: Google Researchers Find Wormable "Crazy Bad" Windows Exploit https://www.bleepingcomputer.com/news/security/google-researchers-find-wormable-crazy-bad-windows-exploit/
Threatpost: Wormable Windows Zero Day Reported to Microsoft https://threatpost.com/wormable-windows-zero-day-reported-to-microsoft/125513/
The Register: 'Crazy bad' bug in Microsoft's Windows malware scanner can be used to install malware http://www.theregister.co.uk/2017/05/09/microsoft_windows_defender_security_hole/
FBI Says 5 Billion USD Lost to Business eMail Compromise (May 5 & 8, 2017)
According to data from the FBI's Internet Crime Complaint Center (IC3), scammers stole more than 5 billion USD through Business eMail Compromise (BEC) schemes since 2013. Losses to BEC scams increased nearly 2,400 percent over the two-year period between January 2015 and December 2016.
[Editor Comments]
[Ullrich] We are seeing some automated BEC attempts that do exchange multiple e-mails, usually with the goal of getting access to e-mail credentials which will then be used to launch more targeted attacks. If you are using a cloud e-mail solution, you MUST implement two-factor authentication to evade phishing for e-mail credentials.
[Honan] One good step in protecting against these scam emails is to implement DMARC and other email anti-spoofing techniques. CERT-EU has a good white paper available for download titled "DMARC - Defeating Email Abuse" at http://cert.europa.eu/static/WhitePapers/Updated-CERT-EU_Security_Whitepaper_DMARC_17-001_v1_2.pdf
Read more in:
SC Magazine: BEC scammers picked off $5B, FBI says https://www.scmagazine.com/bec-scammers-picked-off-5b-fbi-says/article/655452/
The Register: Fake invoice scammers slurp $5bn+ from corp beancounters - FBI http://www.theregister.co.uk/2017/05/05/email_scammers_hit_businesses_5bn/
eWeek: Business Email Compromise Scams Continue to Grow With $5.3B in Losses http://www.eweek.com/security/business-email-compromise-scams-continue-to-grow-with-5.3b-in-losses
Intel Chip Flaw is Worse Than First Thought (May 6, 2017)
A flaw in the Active Management Technology (AMT) feature of Intel chips could be exploited to take administrative control of vulnerable systems without the need for a password. AMT lets sysadmins perform powerful tasks over a remote connection. The flaw has been present in some Intel chipsets since 2010. Computer manufacturers that use the affected chips say they are working on firmware fixes. Some companies have released timetables for the fixes, but even these extend into June, meaning computers will remain vulnerable for weeks.
[Editor Comments]
[Murray] Software for identifying instances of vulnerable systems is available from both Intel and Github. Identified instances should be disconnected from public networks, or hidden behind firewalls or VPNs. Other systems on the same networks as these may also have been compromised.
Read more in:
Ars Technica: The hijacking flaw that lurked in Intel chips is worse than anyone thought https://arstechnica.com/security/2017/05/the-hijacking-flaw-that-lurked-in-intel-chips-is-worse-than-anyone-thought/
Cyberscoop: Intel chip vulnerability gets quick patch in some products, longer timeline in others https://www.cyberscoop.com/manufacturers-scramble-to-roll-out-firmware-patches-for-intel-chip-vuln/
Computerworld: Patch to fix Intel-based PCs with enterprise bug rolls out this week http://computerworld.com/article/3194990/security/patch-to-fix-intel-based-pcs-with-enterprise-bug-rolls-out-this-week.html
Intel: Important Security Information About Intel Manageability Firmware https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/
The Register: Dell to patch AMT-vulnerable systems http://www.theregister.co.uk/2017/05/07/dell_patches_amtvulnerable_systems/
Dell: Dell Client Statement on Intel AMT Advisory (INTEL-SA-00075) http://en.community.dell.com/techcenter/extras/m/white_papers/20443914
*************************** SPONSORED LINKS *****************************
1) "Effortless Detection and Investigation of Cloud Breaches: A Review of Lacework's Zero Touch Cloud Workload Security Platform" Register: http://www.sans.org/info/194655
2) WEBCAST: "How to Conquer Targeted Email Threats: SANS Review of Agari Enterprise Protect" Register: http://www.sans.org/info/194660
3) Don't Miss: "Complying with Data Protection Law in a Changing World" Register: http://www.sans.org/info/194665
***************************************************************************
THE REST OF THE WEEK'S NEWS
Google Tightening OAuth Rules (May 8, 2017)
Google is cracking down on its policies and enforcement for its OAuth implementation to help prevent incidents like the Google Docs phishing campaign that targeted Gmail users last week. Google is also updating its anti-spam systems and increasing the monitoring of suspicious third-party apps requesting users' data.
Read more in:
ZDNet: Gmail fake Docs attack: Now Google tightens OAuth rules to block phishing http://www.zdnet.com/article/gmail-fake-docs-attack-now-google-tightens-oauth-rules-to-block-phishing/
Softpedia: Google to Tighten OAuth Rules to Block Phishing Attempts After Fake Docs Attack http://news.softpedia.com/news/google-to-tighten-oauth-rules-to-block-phishing-attempts-after-fake-docs-attack-515521.shtml
Dark Reading: Google Ratchets Up OAuth policies in Wake of Phishing Attacks http://www.darkreading.com/attacks-breaches/google-ratchets-up-oauth-policies-in-wake-of-phishing-attacks/d/d-id/1328820
Google: Protecting You Against Phishing https://security.googleblog.com/2017/05/protecting-you-against-phishing.html
HandBrake App Site Used to Spread Mac Malware (May 6, 7, & 8, 2017)
The website for the video transcoder app HandBrake was compromised some time between May 2 and May 6. The Mac version of the HandBrake client was replaced with a malicious version that contains a macOS Remote Access Trojan (RAT) known as Proton. HandBrake creators have posted instructions for removing the malware from infected machines.
[Editor Comments]
[Neely] There is a 50% chance users with version 1.0.7 downloaded the compromised version. All versions of HandBrake have legitimate Apple Developer signatures, so only allowing signed code to be installed will not stop installation. The updated XProtect signature will not detect existing infections; scan for published IOCs to find these. Change your passwords in KeyChain or browsers as part of remediation. Proton is a full-featured commercial RAT, which now sells licensed signed versions between 2 and 40 BTC. SIXGILL Proton Threat Report is here: https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf
[Williams] This is a great story to remind colleagues of software supply chain issues. In this case, our "safety" method is to validate the SHA256 of the binary, but this method is not perfect. If a software download server is compromised, the website displaying the SHA256 can be, as well. Although that didn't happen this time, the scenario shows why organizations need to pay more attention to software supply chain issues than they have been traditionally.
Read more in:
Threatpost: HandBrake for Mac Compromised With Proton Spyware https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/
Bleeping Computer: Website of HandBrake App Hacked to Spread Proton RAT for Mac Users https://www.bleepingcomputer.com/news/security/website-of-handbrake-app-hacked-to-spread-proton-rat-for-mac-users/
The Register: Russian RATs bite Handbrake OSX download mirror http://www.theregister.co.uk/2017/05/08/russian_rats_bite_handbrake_osx_download_mirror/
ZDNet: Mac app developers issue malware warning after server compromise http://www.zdnet.com/article/mac-app-developers-issue-malware-warning-after-server-compromise/
HandBrake: Mirror Download Server Compromised https://forum.handbrake.fr/viewtopic.php?f=33&t=36364
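As an added illustration of the point in the [Williams] comment above (and of the hijacked-updater story in the top item), not code from the original newsletter or from the HandBrake project: a download check that compares a file's SHA256 against both the hash shown on the download page and a hash pinned from an independent source. The sample bytes, the file name and the local manifest are constructed assumptions; the third scenario shows that the page-hash check alone passes when an attacker who controls the web server rewrites the displayed hash too.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed stand-ins for a genuine installer and a trojaned copy of it.
# These are sample bytes, not the real HandBrake 1.0.7 image.
GENUINE_BINARY = b"HandBrake-1.0.7 genuine build (constructed sample)\n"
TROJANED_BINARY = b"HandBrake-1.0.7 build plus injected payload (constructed sample)\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a byte string, lower-case like most vendor checksum pages."""
    return hashlib.sha256(data).hexdigest()


# Hashes pinned somewhere the download server cannot rewrite: a manifest
# committed to your own repository when the release was first vetted, an
# internal artifact store, or a signed release announcement. The file name
# and the local manifest are assumptions about your process, not HandBrake's.
PINNED_MANIFEST = {
    "HandBrake-1.0.7.dmg": sha256_hex(GENUINE_BINARY),
}


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str


def verify_download(filename: str, data: bytes, page_hash: str,
                    pinned_manifest: dict) -> Verdict:
    """Accept a download only if it matches the vendor page AND the pinned hash."""
    actual = sha256_hex(data)
    page = page_hash.strip().lower()
    # Check 1: the hash the download page shows. This catches a swapped file
    # on a mirror whose checksum page was left untouched.
    if not hmac.compare_digest(actual, page):
        return Verdict(False, "file does not match the hash on the download page")
    # Check 2: the hash pinned out of band. This is what catches an attacker
    # who controls the web server and updates the displayed hash as well.
    pinned = pinned_manifest.get(filename)
    if pinned is None:
        return Verdict(False, "no pinned hash for this artifact; vet it before use")
    if not hmac.compare_digest(actual, pinned.strip().lower()):
        return Verdict(False, "matches the download page but not the pinned hash")
    return Verdict(True, "matches both the download page and the pinned hash")


def demo() -> list:
    """Three scenarios: clean mirror, swapped file only, swapped file and page."""
    name = "HandBrake-1.0.7.dmg"
    genuine_hash = sha256_hex(GENUINE_BINARY)
    trojaned_hash = sha256_hex(TROJANED_BINARY)
    return [
        ("clean download",
         verify_download(name, GENUINE_BINARY, genuine_hash, PINNED_MANIFEST)),
        ("swapped file, page untouched",
         verify_download(name, TROJANED_BINARY, genuine_hash, PINNED_MANIFEST)),
        ("swapped file and page hash",
         verify_download(name, TROJANED_BINARY, trojaned_hash, PINNED_MANIFEST)),
    ]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:30s} ok={verdict.ok}  {verdict.reason}")
```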
Netrepser Espionage Group Uses Free, Legitimate Tools to Infect Targets (May 5 & 8, 2017)
Netrepser has compromised hundreds of computers using JavaScript code and free, publicly available, legitimate network admin software tools. Most of the targeted computers belong to government agencies and organizations, indicating that the group's goal is cyberespionage.
[Editor Comments]
[Honan] This is a good example of how low the barrier is for governments and other groups to enter the cyber espionage arena. A timely reminder to ensure that you regularly update your threat model to identify who could target your organisation and how best you should defend against them.
Read more in:
Computerworld: Cyberspies tap free tools to build powerful malware framework http://computerworld.com/article/3194752/security/cyberspies-tap-free-tools-to-build-powerful-malware-framework.html
The Hill: Deceptively simple espionage hacking campaign impresses researchers http://thehill.com/policy/cybersecurity/332059-espionage-hacking-campaign-deemed-sophisticated-for-its-lack-of
ZDNet: Hackers are reusing free online tools as part of their cyberespionage campaigns http://www.zdnet.com/article/hackers-are-re-using-free-online-tools-as-part-of-their-cyber-espionage-campaigns/
BitDefender: Inside Netrepser - a JavaScript-based Targeted Attack https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/
Police May Have Been Less Than Forthcoming to Judge About Stingray Use (May 6, 2017)
A California defense attorney maintains that law enforcement officers misled a judge when seeking a warrant to use cell-site simulator technology to track her client's location. In a related story, the US Supreme Court plans to discuss the issue of whether law enforcement authorities require warrants to compel mobile phone companies to disclose customers' cell site data.
[Editor Comments]
[Northcutt] It is always wise to take what a defense attorney says with a grain of salt and attempted murder is not exactly a "run-of-the-mill criminal case". That said, the case for requiring a warrant is becoming stronger and may be an appropriate issue in this case:
https://arstechnica.com/tech-policy/2015/10/dhs-now-needs-warrant-for-stingray-use-but-not-when-protecting-president/
https://arstechnica.com/tech-policy/2015/09/fbi-dea-and-others-will-now-have-to-get-a-warrant-to-use-stingrays/
https://www.usatoday.com/story/news/politics/onpolitics/2017/02/15/bipartisan-bill-seeks-warrants-police-use-stingray-cell-trackers/97954214/
https://arstechnica.com/tech-policy/2016/03/appeals-court-no-stingrays-without-a-warrant-explanation-to-judge/
http://www.reuters.com/article/us-usa-crime-stingray-idUSKCN0ZS2VI
Read more in:
Ars Technica: Lawyer: Cops "deliberately misled" judge who seemingly signed off on stingray https://arstechnica.com/tech-policy/2017/05/lawyer-cops-deliberately-misled-judge-who-seemingly-signed-off-on-stingray/
Ars Technica: Supreme Court asked to rule if cops need warrant for cell-site data https://arstechnica.com/tech-policy/2017/05/supreme-court-asked-to-rule-if-cops-need-warrant-for-cell-site-data/
Legislators Urge OPM to be Flexible in Cybersecurity Hiring (May 5, 2017)
Three US legislators have written to the Office of Personnel Management (OPM), urging flexibility with its hiring requirements for cybersecurity jobs. Applicants with "nontraditional education paths... especially in combination with high-value experience" should not be overlooked. The letter also noted that "offering industry-recognized certification testing would be a valuable tool for agencies to recruit and retain highly-qualified cyber professionals."
[Editor Comments]
[Murray] It is difficult to argue against flexibility. However, government is not known for the flexibility in management that should accompany flexible evaluation of candidate qualifications. That said, both government and the private sector do use "industry-recognized certification testing."
Read more in:
Nextgov: New Dems Urge OPM to Hire More Cyber Pros Without 4-Year Degrees http://www.nextgov.com/cybersecurity/2017/05/new-dems-urge-opm-hire-more-cyber-pros-without-4-year-degrees/137616/?oref=ng-channeltopstory
FCW: Legislators call for more flexible cyber hiring and training https://fcw.com/articles/2017/05/05/democrats-cyber-workforce.aspx
Letter: Letter (PDF) http://www.nextgov.com/media/gbc/docs/pdfs_edit/050417jm1.pdf
Lieu Renews Call for SS7 Fix (May 5, 2017)
US Congressman Ted Lieu (D-California) has renewed his call for the US Federal Communications Commission (FCC) and the telecommunications industry to address security issues in Signaling System 7 (SS7), a set of protocols that mobile networks use to communicate with each other. Flaws in SS7 were recently exploited to drain bank accounts in Europe by intercepting transmissions used in two-factor authentication.
Read more in:
SC Magazine: Rep. Lieu calls for SS7 vulnerability to be patched https://www.scmagazine.com/rep-lieu-calls-for-ss7-vulnerability-to-be-patched/article/655440/
DoJ Expanding Investigation of Uber's Use of Greyball Tool (May 4 & 5, 2017)
The US Department of Justice (DoJ) is expanding its investigation into Uber's use of Greyball, a software tool that helped drivers evade the attention of government transportation regulators. The software was used to display alternate versions of the Uber app to users who appeared to be linked to investigations. Uber has defended its use of Greyball, pointing out that it helps keep drivers safe by shielding their locations, helps determine the legitimacy of ride requests, and helps detect violations of the Uber app's terms of service. The initial inquiry was launched in Portland, Oregon and has now been expanded to Philadelphia.
Read more in:
BBC: Uber faces criminal probe in US over 'greyball' code http://www.bbc.com/news/technology-39816378
Reuters: Exclusive: Uber faces criminal probe over software used to evade authorities http://www.reuters.com/article/us-uber-tech-crime-exclusive-idUSKBN1802U1
WSJ: Uber Faces Federal Criminal Probe Over 'Greyball' Software https://www.wsj.com/articles/uber-faces-federal-criminal-probe-over-greyball-software-1493948944
NYT: Justice Department Expands Its Inquiry Into Uber's Greyball Tool https://www.nytimes.com/2017/05/05/technology/uber-greyball-investigation-expands.html
Sabre Hires Mandiant to Investigate Breach (May 2 & 3, 2017)
Sabre Corp. has acknowledged a breach of its hotel reservations system. The company has hired Mandiant to help with the investigation, and law enforcement has been notified. Sabre says that unauthorized access to the system has now been blocked. Sabre's reservations system serves more than 32,000 properties.
Read more in:
Reuters: Sabre hires Mandiant to probe breach in hotel reservation system http://www.reuters.com/article/us-sabre-cyber-idUSKBN17Z1W2
KrebsOnSecurity: Breach at Sabre Corp.'s Hospitality Unit https://krebsonsecurity.com/2017/05/breach-at-sabre-corp-s-hospitality-unit/
Sabre: Sabre Statement https://www.sabre.com/insights/releases/sabre-statement/
INTERNET STORM CENTER TECH CORNER
Tenable Discovers Details Regarding Intel AMT Vulnerability
http://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability
Android Apps Use Ultrasound Beacons To Track Users
http://christian.wressnegger.info/content/projects/sidechannels/2017-eurosp.pdf
http Headers... the Achilles' Heel of Many Applications
https://isc.sans.edu/forums/diary/http+Headers+the+Achilles+heel+of+many+applications/22382/
Exploring a P2P Transient Botnet - From Discovery to Enumeration
https://isc.sans.edu/forums/diary/Exploring+a+P2P+Transient+Botnet+From+Discovery+to+Enumeration/22392/
Video Conversion Application Handbrake Compromised
https://forum.handbrake.fr/viewtopic.php?f=33&t=36364
Emergency Update for Microsoft Malware Protection Engine
https://technet.microsoft.com/en-us/library/security/4022344
OS X Keychain OTR Vulnerability
https://medium.com/@longtermsec/bypassing-otr-signature-verification-to-steal-icloud-keychain-secrets-9e92ab55b605
***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create