
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #38

May 12, 2017

Hackers use NSA tools in UK health service cyber attack. Ransomware known as "eternal blue" strikes organisations across the world. Medical staff at hospitals across the UK were confronted with messages demanding payment to unlock access to data.
https://www.ft.com/content/e96924f0-3722-11e7-99bd-13beb0903fa3
http://www.independent.co.uk/news/uk/home-news/nhs-cyber-attack-hospitals-hack-england-emergency-patients-divert-shut-down-a7732816.html

TOP OF THE NEWS


NSA Chief Tells US Senate That US Is Incapable of Effective Response to Nation-State Attacks - Needs Stronger White House Leadership on Federal Cybersecurity
Cybersecurity Executive Order Demands Report Writing; Not Improved Security
Cisco Patches Flaw in IOS and IOS XE Software

THE REST OF THE WEEK'S NEWS


HP Releases Fixes to Remove Keylogger Feature in Audio Driver on Laptops
Man Ordered to Pay 300,000 USD for Breaking Into Former Employer's System
Avast Update Blocks Users' Internet Access
Firmware Update for Asus RT Wireless Routers
Edge and IE Now Blocking SHA-1 Certificates
Adobe Releases Critical Patches for Flash
Senate Committee Asks What Private Sector Needs from Government to Fight Cyber Attacks
US Senate Domain Now Served Over Encrypted httpS Channel
Persirai IoT Malware Targets IP Cameras
Microsoft Patch Tuesday

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By VMRay **************************
Defeat evasive malware and achieve full, accurate analysis results. The VMRay Research Team provides a comprehensive look at the 3 key approaches threat actors use to evade sandbox analysis. By downloading this whitepaper you'll learn how malware: evades the analysis environment, uses event-based triggers, and exploits sandbox weaknesses. http://www.sans.org/info/194800

***************************************************************************

TRAINING UPDATE

-- SANS San Francisco Summer 2017 | June 5-10 |
http://www.sans.org/u/qE8

-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 |
Build more effective security operations. Two days of in-depth Summit talks, 5 SANS courses, exclusive networking opportunities, & more!
http://www.sans.org/u/qof

-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 |
http://www.sans.org/u/qqA

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 |
http://www.sans.org/u/qqF

-- SANS London July 2017 | July 3-8 |
http://www.sans.org/u/pSD

-- SANS Cyber Defence Singapore | July 10-15 |
http://www.sans.org/u/pSI

-- SANSFIRE 2017 | Washington, DC | July 22-29 |
http://www.sans.org/u/r4U

-- SANS Network Security | Las Vegas, NV | September 10-17 |
https://www.sans.org/event/network-security-2017

-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WK) and Evening (vLive - http://www.sans.org/u/WZ) courses available!

-- SANS Online Training: Special Offer! Register by May 10 and receive a new iPad, Samsung Galaxy Tab A or take $350 off your OnDemand or vLive Course!

-- OnDemand http://www.sans.org/u/pS9

-- vLive http://www.sans.org/u/pSj

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X9
Contact mentor@sans.org

-- Looking for training in your own community?
Community - http://www.sans.org/u/Xo

-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/XD

Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN

***************************************************************************

TOP OF THE NEWS

NSA Chief Tells US Senate That US Is Incapable of Effective Response to Nation-State Attacks - Needs Stronger White House Leadership on Federal Cybersecurity (May 10, 2017)

Adm. Michael Rogers, NSA Director and head of the US Cyber Command, told the US Senate Armed Services Committee that the US Cyber Command lacks the necessary capability to deal with the digital information salvos from foreign powers that have been targeting election processes. Rogers agreed that to take meaningful action in that area would require policy and strategy that reaches across government agencies and departments.

Read more in:

Cyberscoop: Cyber Command head: We are not prepared to counter info operations https://www.cyberscoop.com/cyber-command-head-not-prepared-counter-info-operations/?category_news=technology
GT: McCain: U.S. 'Woefully Unprepared' to Counter Russian Cyber Attacks http://www.govtech.com/security/McCain-US-woefully-unprepared-to-Counter-Russian-Cyber-Attacks.html
Wired: The NSA Confirms It: Russia Hacked French Election 'Infrastructure' https://www.wired.com/2017/05/nsa-director-confirms-russia-hacked-french-election-infrastructure/

Cybersecurity Executive Order Demands Report Writing; Not Improved Security (May 11, 2017)

The recently signed cybersecurity executive order requires federal agencies to adopt the National Institute of Standards and Technology's (NIST's) Cybersecurity Framework; the agency heads have 90 days to prepare a report describing how they will implement the Framework. The previous administration had encouraged adoption of the framework, but did not make it a requirement. Former White House cyber security coordinator Michael Daniel wrote in an email, "This order is more of a plan for a plan."

[Editor Comments]

[Pescatore] As of early 2016, about 75% of agencies reported they were already using the NIST framework. The Executive Order is mostly a plan for 14 or so reports on current cybersecurity status to be produced over the next few months. This is certainly appropriate for any incoming administration but the real need in federal government security is action dealing with well-known problems in the ways federal systems are procured and administered.

[Murray] As with too many government management initiatives, it starts with a reporting requirement, the response to which is too often outsourced to consultants.

[Neely] The focus needs to be on securing systems rather than focusing resources on generating compliance reports.

[Paller] The Executive Order was a shocker - telling agencies to "admire the problem" instead of putting the controls in place to fix it. How does it do that? The EO requires reports, not action nor visible weekly measurement of what matters and motivates rapid improvement: dwell time, recovery time, bug bounties and important vulnerabilities unpatched for more than 24 hours, and procurement language that bakes security in. I would have expected a weak EO if the White House had another technically weak cyber advisor. What was surprising for me is that the OMB/NIST cabal was able to continue its mis-management of federal cybersecurity in spite of the new White House cyber advisor's technical mastery and well-respected expertise on how to make security programs much more effective.

Read more in:

Reuters: Trump signs cyber security executive order http://www.reuters.com/article/us-usa-trump-cyber-idUSKBN1872L9
Computerworld: Trump's cybersecurity order pushes U.S. government to the cloud http://computerworld.com/article/3196358/security/trumps-cybersecurity-order-pushes-us-government-to-the-cloud.html
eWeek: Technologists Say Trump Cybersecurity Executive Order Only a 'Plan of a Plan' http://www.eweek.com/security/technologists-say-trump-cybersecurity-executive-order-only-a-plan-of-a-plan
NIST: Cybersecurity Framework Draft Version 1.1 https://www.nist.gov/cyberframework/draft-version-11

Cisco Patches Flaw in IOS and IOS XE Software (May 8 & 11, 2017)

Cisco has released updates to fix a vulnerability in the Cluster Processing Management code running in its IOS and IOS XE software. The flaw could be exploited to gain elevated privileges or cause vulnerable switches or networking devices to reload. The vulnerability was likely among those disclosed in the Vault 7 WikiLeaks dump.

Read more in:

Threatpost: Cisco Patches IOS XE Vulnerability Leaked in Vault 7 Dump https://threatpost.com/cisco-patches-ios-xe-vulnerability-leaked-in-vault-7-dump/125568/
Cisco: Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp
*************************** SPONSORED LINKS *****************************
1) Don't Miss: "The Power of Bro - and why you should include it in your security infrastructure" Register: http://www.sans.org/info/194805
2) Webcast: "The New Reality: Centralizing Security when Your Network is Decentralizing" http://www.sans.org/info/194810
3) What Threats Keep You Up at Night? Tell Us in the SANS 2017 Threat Landscape Survey and Enter to Win $400 Amazon Gift Card: http://www.sans.org/info/194815
***************************************************************************

THE REST OF THE WEEK'S NEWS

HP Releases Fixes to Remove Keylogger Feature in Audio Driver on Laptops (May 11, 2017)

An audio driver installed on some HP computers contains a feature that logs keystrokes and stores them in a plaintext log file. The issue exists in the Conexant HD audio driver package versions 1.0.0.46 and older. HP has released updates to remove the keylogging feature; the patches also delete the log file.

[Editor Comments]

[Neely] This is a case of bad QA/coding, not malicious intent.

Make sure that you check both locations (Program Files\CONEXANT\MicTray and Windows\System32) for the binary, and after remediation double check that the MicTray.log file is not recreated.

Read more in:

ZDNet: HP issues fix for 'keylogger' found on several laptop models http://www.zdnet.com/article/keylogger-found-on-several-hp-laptops/
Threatpost: Keylogger Found in Audio Drivers on Some HP Machines https://threatpost.com/keylogger-found-in-audio-drivers-on-some-hp-machines/125600/
BleepingComputer: Keylogger Found in Audio Driver of HP Laptops https://www.bleepingcomputer.com/news/security/keylogger-found-in-audio-driver-of-hp-laptops/
ModZero: modzero Security Advisory: Unintended/Covert Storage Channel for sensitive data in Conexant HD Audio Driver Package. [MZ-17-01] https://www.modzero.ch/advisories/MZ-17-01-Conexant-Keylogger.txt
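A host check for the Conexant item above, written here as an added example rather than anything from HP, modzero or SANS. The two binary directories come from the editor comment and the driver version cut-off from the news item; the MicTray*.exe file-name pattern and the log location under the Public profile are assumptions for this example.

```powershell
# Added example: look for remnants of the Conexant MicTray keylogging component.
# Run it once before remediation and again after a reboot to confirm the log is not recreated.

# Directories named in the editor comment; the file-name pattern is an assumption.
$BinaryDirs = @(
    (Join-Path $env:ProgramFiles 'CONEXANT\MicTray'),
    (Join-Path $env:SystemRoot   'System32')
)
$BinaryPattern = 'MicTray*.exe'

# Assumed log location for this example; adjust if your advisory names a different path.
$LogPath = Join-Path $env:PUBLIC 'MicTray.log'

# Driver package versions the news item lists as affected: 1.0.0.46 and older.
$AffectedMaxVersion = [version]'1.0.0.46'

function Get-MicTrayFindings {
    $findings = @()

    # 1. MicTray binaries in either known directory.
    foreach ($dir in $BinaryDirs) {
        if (Test-Path -LiteralPath $dir) {
            Get-ChildItem -LiteralPath $dir -Filter $BinaryPattern -File -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $findings += [pscustomobject]@{
                        Kind = 'Binary'; Path = $_.FullName; LastWrite = $_.LastWriteTime
                    }
                }
        }
    }

    # 2. The plaintext keystroke log; a fresh LastWrite after remediation means logging is still active.
    if (Test-Path -LiteralPath $LogPath) {
        $log = Get-Item -LiteralPath $LogPath
        $findings += [pscustomobject]@{
            Kind = 'Log'; Path = $log.FullName; LastWrite = $log.LastWriteTime
        }
    }

    # 3. Installed Conexant audio driver versions at or below the affected cut-off.
    Get-CimInstance -ClassName Win32_PnPSignedDriver -ErrorAction SilentlyContinue |
        Where-Object { $_.DeviceName -like '*Conexant*' -and $_.DriverVersion } |
        ForEach-Object {
            $ver = $null
            if ([version]::TryParse($_.DriverVersion, [ref]$ver) -and $ver -le $AffectedMaxVersion) {
                $findings += [pscustomobject]@{
                    Kind = 'Driver'; Path = "$($_.DeviceName) $($_.DriverVersion)"; LastWrite = $null
                }
            }
        }

    return $findings
}

$results = Get-MicTrayFindings
if ($results.Count -eq 0) {
    Write-Output 'No MicTray binaries, log file or affected Conexant driver versions found.'
} else {
    $results | Format-Table -AutoSize
}
```

Findings of kind 'Binary' or 'Driver' after HP's update has been applied suggest the fix did not land; a 'Log' entry whose LastWrite is newer than the remediation time means keystrokes are still being written.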

Man Ordered to Pay 300,000 USD for Breaking Into Former Employer's System (May 11, 2017)

Yovan Garcia was fired from his job at Security Specialists for falsifying his overtime hours in the online payroll system. He later broke into the company's computer system and defaced the company website, deleted and/or corrupted backup files, and stole client information to help establish a competing business. A judge in California has ordered Garcia to pay more than 300,000 USD in damages.

Read more in:

BBC: Man to pay $300,000 in damages for hacking employer http://www.bbc.com/news/technology-39883229
The Register: Dude hit with $300K bill for faking his hours, hacking boss's website http://www.theregister.co.uk/2017/05/11/dude_whacked_with_us300k_bill_for_faking_his_hours_hacking_bosss_website/
Regmedia: US District Court, Central District of California: Tyan, Inc., v Yovan Garcia https://regmedia.co.uk/2017/05/11/tyan_inc_judgement.pdf

Avast Update Blocks Users' Internet Access (May 11, 2017)

An update for Avast's free antivirus software has inadvertently blocked users' access to the Internet. An Avast spokesperson said that the problem has been identified as "an update issue of the dynamic link library (dll), which is part of the WebShield feature." Avast is preparing a patch for the issue.

Read more in:

The Register: Avast blocks the entire internet - again http://www.theregister.co.uk/2017/05/11/avast_web_connection_snafu/
Bleeping Computer: Avast Antivirus Update Blocks Internet Access https://www.bleepingcomputer.com/news/software/avast-antivirus-update-blocks-internet-access/

Firmware Update for Asus RT Wireless Routers (May 9 & 11, 2017)

Asus has released a firmware update to fix several security issues in 30 models of its RT wireless routers. The issues affect RT-AC and RT-N devices running firmware older than version 3.0.0.4.380.7378.

Read more in:

The Register: Attention, Asus RT wireless router owners: Patch your gear now to squash web hijack bugs http://www.theregister.co.uk/2017/05/11/asus_routers_need_patching/
Threatpost: ASUS Patches RT Router Vulnerabilities https://threatpost.com/asus-patches-rt-router-vulnerabilities/125592/
Nightwatch: Multiple Vulnerabilities in ASUS Routers https://wwws.nightwatchcybersecurity.com/2017/05/09/multiple-vulnerabilities-in-asus-routers/

Edge and IE Now Blocking SHA-1 Certificates (May 10 & 11, 2017)

As part of Microsoft's Patch Tuesday security release for May, new policies for its Edge and Internet Explorer (IE) browsers will prevent sites using SHA-1 signed httpS certificates from loading. The change will not affect enterprise or self-signed SHA-1 certificates, but "recommend[s] that all customers quickly migrate to SHA-2 based certificates." Google Chrome, Firefox, and Apple all ended support for SHA-1 earlier this year.

[Editor Comments]

[Northcutt] And none too soon. In addition to the Snowden release about WindsorBlue, new evidence has surfaced about a crypto cracking machine called WindsorBlue. The problem is twofold: with that kind of power, governments can brute force encrypted communications and also create a fake certificate that appears to be valid. As it says in the article, use at least SHA-256:
https://theintercept.com/2017/05/11/nyu-accidentally-exposed-military-code-breaking-computer-project-to-entire-internet/

Read more in:

ZDNet: Windows 10 Edge, IE: We're now blocking sites signed with SHA-1 certs, says Microsoft http://www.zdnet.com/article/windows-10-edge-ie-were-now-blocking-sites-signed-with-sha-1-certs-says-microsoft/
Computerworld: Microsoft finally bans SHA-1 certs in IE and Edge http://computerworld.com/article/3195985/security/microsoft-finally-bans-sha-1-certs-in-ie-and-edge.html
Threatpost: Microsoft Makes It Official, Cuts Off SHA-1 Support in IE, Edge https://threatpost.com/microsoft-makes-it-official-cuts-off-sha-1-support-in-ie-edge/125579/
Microsoft: Deprecation of SHA-1 for SSL/TLS Certificates in Microsoft Edge and Internet Explorer 11 https://technet.microsoft.com/en-us/library/security/4010323

Adobe Releases Critical Patches for Flash (May 10, 2017)

On Tuesday, May 9, Adobe released patches for several vulnerabilities in Flash Player. The updates fix seven critical flaws in Flash, six of which are memory corruption issues. There are updates for Windows, Mac, Linux, and Chrome; the most current version of Flash is now 25.0.0.171. Adobe has also released a patch for an information disclosure vulnerability in Experience Manager (AEM) Forms.

Read more in:

ZDNet: Adobe patches critical vulnerabilities in Flash, OEM http://www.zdnet.com/article/adobe-patches-critical-vulnerabilities-in-flash-oem/
Adobe: Security Bulletin posted for Adobe Flash Player and Adobe Experience Manager Forms http://blogs.adobe.com/psirt/?p=1465

Senate Committee Asks What Private Sector Needs from Government to Fight Cyber Attacks (May 10, 2017)

A panel of private sector corporate cyber security executives told members of the Senate Homeland Security and Governmental Affairs Committee how they would like to see the government help them fight cyber crime. One panel member said that the government could strike back at cyber attackers; the Computer Fraud and Abuse Act (CFAA) prohibits private companies from taking such action. Another panel member urged caution regarding striking back at attackers. A third panel member said that providing guidelines and information about patches will not help stem the tide of attacks, but that getting rid of the threats through diplomacy and judicial prosecution could help.

Read more in:

Cyberscoop: Cyber experts tell Congress that if companies can't hack back, maybe the feds should https://www.cyberscoop.com/corporate-cybersecurity-hacking-back-hearing/

US Senate Domain Now Served Over Encrypted httpS Channel (May 9 & 10, 2017)

All US Senate websites are now served over an encrypted httpS channel by default. The shift took more than a year to complete. The US House of Representatives is working on its deployment of httpS; all representatives' websites currently support httpS, but just half do so by default. Nearly two years ago, the Office of Management and Budget (OMB) issued an order requiring all public-facing federal websites and services to adopt httpS.

Read more in:

ZDNet: Good news! The entire Senate just embraced web encryption
http://www.zdnet.com/article/senate-switches-to-https-by-default/
ObamaWhiteHouse: Policy to Require Secure Connections across Federal Websites and Web Services https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2015/m-15-13.pdf

Persirai IoT Malware Targets IP Cameras (May 9 & 10, 2017)

Malware dubbed Persirai is targeting more than 1,000 models of IP cameras. Trend Micro has detected at least 120,000 vulnerable devices. Most device owners are unaware of the compromise.

[Editor Comments]

[Murray] Most such appliances need not be directly connected to the public networks. Until we get thoughtful labeling, the assumption should be that such "things" be attached only to local area networks.

Read more in:

ZDNet: 120,000 IoT cameras vulnerable to new Persirai botnet say researchers http://www.zdnet.com/article/120000-iot-cameras-vulnerable-to-new-persirai-botnet-say-researchers/
The Register: Another IoT botnet has been found feasting on vulnerable IP cameras http://www.theregister.co.uk/2017/05/10/persirai_iot_botnet/
SC Magazine: New IoT bot Persirai ensnaring IP cameras https://www.scmagazine.com/new-iot-bot-persirai-ensnaring-ip-cameras/article/655875/
V3: New Mirai-like threat, dubbed Persirai, targeting online IP cameras, warns Trend Micro http://www.v3.co.uk/v3-uk/news/3009857/new-mirai-like-threat-dubbed-persirai-targeting-online-ip-cameras-warns-trend-micro
Trend Micro: Persirai: New Internet of Things (IoT) Botnet Targets IP Cameras http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/

Microsoft Patch Tuesday (May 9, 2017)

Microsoft's security update for May addresses 55 vulnerabilities in Windows, Office, Edge, Internet Explorer (IE), and its malware protection engine. Fifteen of the flaws are rated critical. Three of the flaws are already being actively exploited.

Read more in:

Microsoft: Security Update Summary https://portal.msrc.microsoft.com/en-us/security-guidance/summary
KrebsOnSecurity: Emergency Fix for Windows Anti-Malware Flaw Leads May's Patch Tuesday https://krebsonsecurity.com/2017/05/emergency-fix-for-windows-anti-malware-flaw-leads-mays-patch-tuesday/
Computerworld: Microsoft fixes 55 flaws, 3 of them exploited by Russian cyberspies http://computerworld.com/article/3195786/security/microsoft-fixes-55-flaws-3-of-them-exploited-by-russian-cyberspies.html
Microsoft: Coming together to address Encapsulated PostScript (EPS) attacks https://blogs.technet.microsoft.com/msrc/2017/05/09/coming-together-to-address-encapsulated-postscript-eps-attacks/
Ars Technica: Microsoft's recent success in blocking in-the-wild attacks is eerily good https://arstechnica.com/security/2017/05/microsofts-recent-success-in-blocking-in-the-wild-attacks-is-eerily-good/

INTERNET STORM CENTER TECH CORNER

Microsoft Patch Tuesday Summary

https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+and+Adobe/22396/

Cisco Patches CMP-Telnet Vulnerability

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170317-cmp

WolfSSL Library X.509 Certificate Text Parsing Code Execution Vulnerability

http://blog.talosintelligence.com/2017/05/wolfssl-x509-vuln.html

How to Review OAUTH Application Permissions for Popular Sites

https://isc.sans.edu/forums/diary/OAuth+and+Its+High+Time+for+Some+Personal+SecurityScaping+Today/22400/

Apple Working on Firmware Integrity Check

http://apple.stackexchange.com/questions/282028/pop-up-firmware-changes-detected-randomly-appear

Panda Mobile Anti Malware Releases Patch for Evilgrade Bug

https://www.contextis.com/resources/blog/exploiting-vulnerable-pandas/

ASUS RT Router Vulnerabilities

https://wwws.nightwatchcybersecurity.com/2017/05/09/multiple-vulnerabilities-in-asus-routers/

Microsoft Edge SOP Bypass

https://www.brokenbrowser.com/sop-bypass-uxss-stealing-credentials-pretty-fast/

Linux Kernel Packet Socket Vulnerability Exploit

https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html

Conexant Audio Drivers Log Keystrokes

https://www.modzero.ch/modlog/archives/2017/05/11/en_keylogger_in_hewlett-packard_audio_driver/index.html

Rig Exploit Kit Used to Send Ramnit Trojan

https://isc.sans.edu/forums/diary/Seamless+Campaign+using+Rig+Exploit+Kit+to+send+Ramnit+Trojan/22404/

Encase Forensic Imager Exploit

http://blog.sec-consult.com/2017/05/chainsaw-of-custody-manipulating.html

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create