SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #41

May 23, 2017

TOP OF THE NEWS


EternalRocks Uses Seven NSA Exploits
Vault 7: Athena Surveillance Tool
Most WannaCry Infections Were Running Windows 7
WannaCry Infected Medical Devices Running Embedded Windows OSes

THE REST OF THE WEEK'S NEWS


Yahoo Retires Buggy ImageMagick Library
Australian Airport Passenger Processing System Outage
Unlocking WannaCry-Infected Computers Without Paying Ransom
China Considers Delaying Implementation of Cybersecurity Rules
Guilty Plea in Proprietary Code Theft
VMware Patches Workstation Flaws
Lazarus Group Profile
WannaCry Steps Up Scottish Public Sector Cyber Protection Plan

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By SentinelOne ********************

The WanaCrypt0r ransomware hit with a vengeance on Friday, with the outbreak beginning in Europe, striking hospitals and other organizations, then quickly spreading across the globe. As of 1:00pm Pacific Time, it is believed more than 57,000 systems in more than 74 countries had been affected. Researchers at SentinelOne have determined that the Endpoint Protection Platform does successfully detect and block this ransomware strain. Customers are advised to make sure that they are running the latest version. http://www.sans.org/info/194965


***************************************************************************

TRAINING UPDATE

-- SANS San Francisco Summer 2017 | June 5-10 |
http://www.sans.org/u/qE8

-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 |
Build more effective security operations. Two days of in-depth Summit talks, 5 SANS courses, exclusive networking opportunities, & more!
http://www.sans.org/u/qof

-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 |
http://www.sans.org/u/qqA

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 |
http://www.sans.org/u/qqF

-- SANS London July 2017 | July 3-8 |
http://www.sans.org/u/pSD

-- SANS Cyber Defence Singapore | July 10-15 |
http://www.sans.org/u/pSI

-- SANSFIRE 2017 | Washington, DC | July 22-29 |
http://www.sans.org/u/r4U

-- SANS Network Security | Las Vegas, NV | September 10-17 |
https://www.sans.org/event/network-security-2017

-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WK) and Evening (vLive - http://www.sans.org/u/WZ) courses available!

-- SANS Online Training: Special Offer! Register by May 10 and receive a new iPad, Samsung Galaxy Tab A or take $350 off your OnDemand or vLive Course!

-- OnDemand http://www.sans.org/u/pS9

-- vLive http://www.sans.org/u/pSj

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X9
Contact mentor@sans.org

-- Looking for training in your own community?
Community - http://www.sans.org/u/Xo

-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/XD

Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN

***************************************************************************

TOP OF THE NEWS

EternalRocks Uses Seven NSA Exploits (May 19 & 22, 2017)

A new worm that targets the same Server Message Block (SMB) vulnerability exploited by WannaCry reportedly uses seven NSA hacking tools released by the Shadow Brokers. The currently spreading iteration of EternalRocks, as the worm has been named, does not carry a malicious payload.

Read more in:

The Register: 7 NSA hack tool wielding follow-up worm oozes onto scene: Hello, no need for any phish! http://www.theregister.co.uk/2017/05/22/eternalrocks_worm/
Bleeping Computer: New SMB Worm Uses Seven NSA Hacking Tools. WannaCry Used Just Two https://www.bleepingcomputer.com/news/security/new-smb-worm-uses-seven-nsa-hacking-tools-wannacry-used-just-two/

Vault 7: Athena Surveillance Tool (May 19, 2017)

A new batch of documents released in WikiLeaks Vault 7 details an alleged CIA hacking tool called Athena. The surveillance tool appears to have been designed to intercept communication from Windows computers.

Read more in:

Bleeping Computer: Vault 7: CIA Co-Developed Athena Malware with US Cyber-Security Company https://www.bleepingcomputer.com/news/security/vault-7-cia-co-developed-athena-malware-with-us-cyber-security-company/
ZDNet: CIA's Windows XP to Windows 10 malware: WikiLeaks reveals Athena http://www.zdnet.com/article/cias-windows-xp-to-windows-10-malware-wikileaks-reveals-athena/

Most WannaCry Infections Were Running Windows 7 (May 20, 21, & 22, 2017)

Most of the systems affected by WannaCry ransomware were running Windows 7. Although some reports suggested that the infections at UK hospitals were due to the number of computers still running XP, researchers from Kaspersky Lab say that the number of infected XP systems was insignificant. The majority of infected systems had not been patched against the flaw, which Microsoft addressed in its March security updates.

[Editor Comments]

[Pescatore] Makes sense, since Windows 7 still has twice the market share of Windows 10 and there is some evidence that the exploit code used for the first wave was developed before Windows 10 was used much. A SANS/Secdo webinar (https://www.sans.org/webcasts/lingering-exploits-related-wannacry-ransomware-105190) also pointed out that there are many machines that were vulnerable and compromised that did *not* run WannaCry's payload but are sitting there ready to be remotely controlled by attackers. Still important to remove malicious/unknown executables, patch, close Internet facing SMB ports, etc.

[Murray] In this case, "timely" was as important as "thorough." However, in the general case, patching every system is more important than urgent.

Read more in:

BBC: Windows 7 hardest hit by WannaCry worm http://www.bbc.com/news/technology-39997581
Computerworld: Windows Defender does not defend Windows 7 against WannaCry http://computerworld.com/article/3197674/cybercrime-hacking/windows-defender-does-not-defend-windows-7-against-wannacry.html
Ars Technica: Windows 7, not XP, was the reason last week's WCry worm spread so widely https://arstechnica.com/security/2017/05/windows-7-not-xp-was-the-reason-last-weeks-wcry-worm-spread-so-widely/
V3: Windows XP vulnerability didn't help spread WannaCry https://www.v3.co.uk/v3-uk/news/3010467/windows-xp-vulnerability-didnt-help-wannacry
BleepingComputer: Over 98% of All WannaCry Victims Were Using Windows 7 https://www.bleepingcomputer.com/news/security/over-98-percent-of-all-wannacry-victims-were-using-windows-7/

WannaCry Infected Medical Devices Running Embedded Windows OSes (May 17 & 18, 2017)

According to an advisory from HITRUST, several types of medical devices became infected with WannaCrypt ransomware. HITRUST says there is evidence that MedRad (Bayer) and Siemens devices were infected.

Read more in:

eWeek: Embedded Windows Medical 'Devices' Infected by WannaCry Ransomware http://www.eweek.com/security/embedded-windows-medical-devices-infected-by-wannacry-ransomware
Forbes: Medical Devices Hit By Ransomware For The First Time In US Hospitals https://www.forbes.com/sites/thomasbrewster/2017/05/17/wannacry-ransomware-hit-real-medical-devices/#425cf961425c
HITRUST: HITRUST Update Regarding WannaCry Attack on Healthcare Sector https://hitrustalliance.net/hitrust-update-regarding-wannacry-attack-healthcare-sector/

*************************** SPONSORED LINKS *****************************

1) Join Splunk's Head of Security Research Monzy Merza to learn how to steer clear and get ahead of ransomware http://www.sans.org/info/194970

2) Hear about current best practices to achieve visibility and deep knowledge in Critical Infrastructure Security Controls. Register: http://www.sans.org/info/194975

3) Don't Miss: The New Reality: Centralizing Security when Your Network is Decentralizing. Register: http://www.sans.org/info/194980

***************************************************************************

THE REST OF THE WEEK'S NEWS

Yahoo Retires Buggy ImageMagick Library (May 21 & 22, 2017)

Yahoo has retired the ImageMagick library image processing toolkit after the disclosure of a vulnerability that could expose image data from user inboxes. A series of flaws disclosed over the years meant that web developers moved to newer image processing libraries, but Yahoo continued to use it until the disclosure of this most recent flaw.

[Editor Comments]

[Williams] ImageMagick is in prolific use in websites around the Internet and is the go-to library for image processing. This makes Yahoo's decision to retire it all the more surprising. However, Yahoo realized what other organizations have not: that their software is only as strong as the weakest library in use. To that end, they ultimately made the decision to remove ImageMagick (and re-implement the functionality themselves). This is a great opportunity to look within your own organization and consider what code libraries may be causing some liability and consider replacement/retirement.

Read more in:

BleepingComputer: Yahoo Retires Problematic Library After Bug Exposes User Email Content https://www.bleepingcomputer.com/news/security/yahoo-retires-problematic-library-after-bug-exposes-user-email-content/
ZDNet: Yahoo retires ImageMagick library after 18-byte exploit leaks user email content http://www.zdnet.com/article/yahoo-retires-imagemagick-library-after-18-byte-exploit-leaks-user-email-content/
The Register: Yahoo! retires! bleeding! ImageMagick! to! kill! 0-day! vulnerability! http://www.theregister.co.uk/2017/05/21/yahoo_retires_imagemagick_library/
Ars Technica: "Yahoobleed" flaw leaked private e-mail attachments and credentials https://arstechnica.com/security/2017/05/yahoobleed-flaw-that-festered-for-years-leaked-private-yahoo-mail-data/
ScaryBeastSecurity: *bleed continues: 18 byte file, $14k bounty, for leaking private Yahoo! Mail images https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html

Australian Airport Passenger Processing System Outage (May 21 & 22, 2017)

An outage of the system used to process passengers at Australia's international airports caused delays as passengers were checked in manually. The Advanced Passenger Processing System was down for not quite four hours, but dealing with the backlog created by the outage took additional time. The issue has been resolved.

Read more in:

ZDNet: Passenger processing system outage hits Australian airports http://www.zdnet.com/article/passenger-processing-system-outage-hits-australian-airports/
News.com: Passengers facing delays at airports in Australia due to passport software failure http://www.news.com.au/travel/travel-updates/incidents/passengers-facing-delays-at-sydney-airport/news-story/9f16aa4579ab670022a573e397c9dafc
Guardian: Major airport delays in Australia and New Zealand as global passport system goes down https://www.theguardian.com/world/2017/may/22/major-airport-delays-in-australia-and-new-zealand-as-global-passport-system-goes-down

Unlocking WannaCry-Infected Computers Without Paying Ransom (May 19, 2017)

A publicly available tool allows users running Windows XP, Windows 7, and Windows Server 2003 to decrypt locked files without paying ransom. The wanakiwi tool builds on the WannaKey tool that was released last week.

[Editor Comments]

[Murray] Important that the system not have been shut down or rebooted.

[Honan] The Europol NoMoreRansom initiative holds the decryption keys for several known ransomware variants (www.nomoreransom.org). It is also good practice should you be infected with a new ransomware variant to keep a copy of your encrypted data rather than delete it, as decryption keys may be discovered at a later date.

Read more in:

Ars Technica: More people infected by recent WCry worm can unlock PCs without paying ransom https://arstechnica.com/security/2017/05/more-people-infected-by-recent-wcry-worm-can-unlock-pcs-without-paying-ransom/
Wired: A WannaCry Flaw Could Help Some Victims Get Files Back https://www.wired.com/2017/05/wannacry-flaw-help-windows-xp-victims-get-files-back/

China Considers Delaying Implementation of Cybersecurity Rules (May 19, 2017)

China may delay the rollout of cybersecurity rules that would impose stringent regulations on foreign companies doing business in that country. Business organizations from all over the world wrote to the Cyberspace Administration of China (CAC) last week, saying that the rules presented "significant concerns" and asking for more time before their implementation. The CAC called a meeting last week that was attended by 100 interested parties. One possible change is phasing in the regulations, with full implementation being pushed back until the end of 2018. The rules as they are currently written require foreign companies to undergo security reviews and to store data on servers in China.

Read more in:

Reuters: Amid industry pushback, China offers changes to cyber rules: sources http://www.reuters.com/article/us-china-cyber-law-idUSKCN18F1VZ
The Hill: China may change cybersecurity rules amid pushback: report http://thehill.com/policy/cybersecurity/334298-china-may-change-cybersecurity-rules-amid-pushback-report

Guilty Plea in Proprietary Code Theft (May 19, 2017)

Xu Jiaqiang has pleaded guilty to economic espionage and theft of a trade secret. Xu stole proprietary source code from his former employer, IBM, with the intent of benefitting the National Health and Family Planning Commission of the People's Republic of China. Xu will be sentenced in October.

[Editor Comments]

[Henry] This insider threat is more insidious than people realize. While we must focus on remote-access attack, we can't ignore that that is just one tool in the adversaries' arsenal. Getting people hired into major companies, or co-opting existing employees, so they have unfettered access is a legitimate and significant threat. Combining good personnel and physical security, in collaboration with information security, is necessary for a successful holistic security program.

Read more in:

DoJ: Chinese National Pleads Guilty to Economic Espionage and Theft of a Trade Secret From U.S. Company https://www.justice.gov/opa/pr/chinese-national-pleads-guilty-economic-espionage-and-theft-trade-secret-us-company-0
V3: Software engineer pleads guilty to stealing IBM source code https://www.v3.co.uk/v3-uk/news/3010553/software-engineer-pleads-guilty-to-steal-ibm-source-code
BleepingComputer: Former IBM Engineer Admits He Stole Source Code for China https://www.bleepingcomputer.com/news/government/former-ibm-engineer-admits-he-stole-source-code-for-china/

VMware Patches Workstation Flaws (May 19, 2017)

VMware has released fixes for two vulnerabilities in its VMware Workstation. One of the flaws is an insecure library loading vulnerability that could be exploited to gain root access privileges. The other is a NULL pointer dereference vulnerability that could be exploited by users with normal privileges to cause denial-of-service conditions. VMware urges Workstation users to upgrade to version 12.5.6.

[Editor Comments]

[Williams] These are very serious vulnerabilities, but it's worth noting that the null pointer dereference cannot be exploited on Windows 8.1 or later. Windows no longer allows the mapping of code in the first 64k of memory, preventing the exploitation of null pointer dereference vulnerabilities. OS run-time controls save the day again!

Read more in:

Threatpost: VMware Patches Multiple Issues in Workstation https://threatpost.com/vmware-patches-multiple-security-issues-in-workstation/125805/
VMware: VMware Workstation update addresses multiple security issues https://www.vmware.com/security/advisories/VMSA-2017-0009.html

Lazarus Group Profile (May 18, 2017)

This LA Times article offers an overview of the Lazarus Group, a hacking group believed to be behind the attacks on systems at Sony Pictures; the 81 million USD theft from the bank of Bangladesh's account at the Federal Reserve Bank of New York; and WannaCry ransomware.

[Editor Comments]

[Northcutt] Repeat after me, attribution is hard (and easy to get wrong). I believe most of the stories are based on the Symantec blog and a Google employee tweet:

https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware
https://twitter.com/neelmehta/status/864164081116225536

And here are a few more stories based on the posts above if this is what you want to believe:

https://securelist.com/blog/research/78431/wannacry-and-lazarus-group-the-missing-link/
https://www.wired.com/2017/05/wannacry-ransomware-link-suspected-north-korean-hackers/
https://www.washingtonpost.com/world/global-markets-shrug-off-fears-after-massive-cyberattack/2017/05/15/16265198-3958-11e7-9e48-c4f199710b69_story.html

Read more in:

LATimes: Their code was used to hack Sony and create 'WannaCry.' Meet the 'Lazarus Group,' the armed robbers of the Internet http://www.latimes.com/nation/la-fg-lazarus-group-20170518-story.html

WannaCry Steps Up Scottish Public Sector Cyber Protection Plan (May 16, 2017)

The recent WannaCry ransomware infections have prompted Scotland to bolster public sector entities' protections against cyberattacks. Scottish justice secretary Michael Matheson said that an action plan has been accelerated. WannaCry infected computers at eleven Scottish health boards.

Read more in:

BBC: Action plan for public sector fast-tracked after cyber attack http://www.bbc.com/news/uk-scotland-39929302

INTERNET STORM CENTER TECH CORNER

Typosquatting: A recent example and what to do with look-alike domains

https://isc.sans.edu/forums/diary/Typosquatting+Awareness+and+Hunting/22436/

Netgear Collecting Analytics Data in Recent Update

https://kb.netgear.com/000038663/What-router-analytics-data-is-collected-and-how-is-the-data-being-used-by-NETGEAR
disable: https://kb.netgear.com/000038661/How-do-I-Enable-Disable-Router-Analytics-Data-Collection

WannaCry Updates

https://venturebeat.com/2017/05/19/ransomware-wannacry-causes-fewer-tears-than-feared/

LastPass Authenticator Cloud Backup

https://blog.lastpass.com/2017/05/announcing-cloud-backup-for-lastpass-authenticator-easier-multifactor-security-for-everyone.html/

Fake "Uber Disputes" Site Lures Victims with Valid TLS Certificate

https://isc.sans.edu/forums/diary/Investigating+Sites+After+They+are+Gone+And+a+Case+of+Uber+Phishing+With+SSL/22440/

Let's Encrypt Outage

http://letsencrypt.status.io/pages/history/55957a99e800baa4470002da
https://community.letsencrypt.org/t/ocsp-and-issuance-outage-2017-05-19/34506

More ImageMagick Flaws

https://scarybeastsecurity.blogspot.com/2017/05/bleed-continues-18-byte-file-14k-bounty.html
***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create