SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #46
June 9, 2017TOP OF THE NEWS
FBI and MI-6: Fake Reports Spread by Russian Hackers Sparked Qatar Crisis
Al Jazeera Network Hit With 'Continual Hacking Attempts'
Harvard Business Review: Why Senior Executives Underinvest in Cybersecurity
THE REST OF THE WEEK'S NEWS
House Bill Would Require DoD to Notify Congress of Cyber Actions
VMware Patches vSphere Data Protection
Malware Infects Computers When Users Place Cursor Over Link
Cisco Patches Critical Flaws
CertLock Trojan
Google Pulls Bad App Containing DVMap Trojan Google Play Store
Foscam IP Camera Vulnerabilities
Microsoft Blog Warns of File Transfer Tool from Platinum Hacking Group
DHS Secretary Supports Critical Infrastructure Designation for Voting Systems
Cyber Deterrence Requires Complex Planning
EternalBlue Ported to Windows 10
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER*************************** Sponsored By Cisco Systems ****************** NetFlow Security Monitoring For Dummies - FREE DUMMIES eBOOK! Download our Dummies eBook to learn how NetFlow intelligence plays a role in network security and best practices for developing and implementing a scalable NetFlow-based monitoring strategy. Download the DUMMIES eBook today! http://www.sans.org/info/195490 ***************************************************************************
TRAINING UPDATE
-- Digital Forensics & Incident Response Summit & Training | Austin, TX | June 22-29 | https://www.sans.org/event/digital-forensics-summit-2017
-- SANS Cyber Defence Canberra 2017 | June 26-July 8 | http://www.sans.org/u/qqF
-- SANS London July 2017 | July 3-8 | http://www.sans.org/u/pSD
-- SANS Cyber Defence Singapore | July 10-15 | http://www.sans.org/u/pSI
-- SANS ICS & Energy-Houston 2017 | July 10-15, 2017 | https://www.sans.org/event/ics-houston-summit-training-2017
-- SANSFIRE 2017 | Washington, DC | July 22-29 | http://www.sans.org/u/r4U
-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017
-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017
-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017
-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WK) and Evening (vLive - http://www.sans.org/u/WZ) courses available!
-- Multi-week Live SANS training Mentor - http://www.sans.org/u/X9 Contact mentor@sans.org
-- Looking for training in your own community? Community - http://www.sans.org/u/Xo
-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/XD
Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN
***************************************************************************TOP OF THE NEWS
FBI and MI-6: Fake Reports Spread by Russian Hackers Sparked Qatar Crisis (June 9, 2017)
A report on May 24 from the Qatar news Agency quoted the emir of Qatar describing "tensions" with President Trump and speculating he may not last in office, recommending friendship with Iran, praising the Palestinian militants of Hamas, and then attesting to his own "good" relations with Israel. The contradictory statements could hardly have been better contrived to alienate the United States and Arab countries around the Gulf. The FBI and British law enforcement have now confirmed the fake news releases were the result of the Qatar news agency being hacked, most likely by Russia-based hackers for hire. Hacking in Qatar Highlights a Shift Toward Espionage-for-Hire https://www.nytimes.com/2017/06/08/world/middleeast/qatar-cyberattack-espionage-for-hire.html?_r=0 Russian hackers to blame for sparking Qatar crisis, FBI inquiry finds https://www.theguardian.com/world/2017/jun/07/russian-hackers-qatar-crisis-fbi-inquiry-saudi-arabia-uae As Gulf tensions flare, reports of hacking pour in http://abcnews.go.com/Technology/wireStory/gulf-tensions-flare-reports-hacking-pour-47922164Al Jazeera network hit with 'continual hacking attempts' (June 8-9, 2017)
The Al Jazeera news network says it is experiencing "systematic and continual hacking attempts...[that] are gaining intensity and taking various forms." The announcement comes days after the reported hacking of the Qatar News Agency (QNA). Read more in: Motherboard: Al Jazeera Says It's Under a Massive 'Cyber Attack' https://motherboard.vice.com/en_us/article/al-jazeera-massive-cyber-attack Ars Technica: Al-Jazeera claims to be victim of cyber attack as Qatar crisis continues https://arstechnica.com/security/2017/06/al-jazeera-claims-to-be-victim-of-cyber-attack-as-qatar-crisis-continues/ Softpedia: Al Jazeera Network Hit with "Hacking Attempts" http://news.softpedia.com/news/al-jazeera-network-hit-with-hacking-attempts-516339.shtml Guardian: Hackers target al-Jazeera as Qatar crisis deepens https://www.theguardian.com/media/2017/jun/08/hackers-target-al-jazeera-as-qatar-crisis-deepensHarvard Business Review: Why Senior Executives Underinvest in Cybersecurity (June 7, 2017)
Harvard Business Review reports that some decision makers use the wrong mental models to help them determine how much investment is necessary and where to invest. Wrong models include: (1) thinking of cyber defense as a fortification process - if you build strong firewalls, with well-manned turrets, you'll be able to see the attacker from a mile away; (2) assuming that complying with a security framework like NIST or FISMA is sufficient security -just check all the boxes and you can keep pesky attackers at bay; and (3) failing to consider the counterfactual thinking - We didn't have a breach this year, so we don't need to ramp up investment - when in reality they probably either got lucky this year or are unaware that a bad actor is lurking in their system, waiting to strike. [Editor Comments] [Murray] Nothing recent has changed my career long perception that senior "decision makers" under invest in security because, for a number of reasons including fear of being told "no," security professionals are not proposing how to do so profitably. There is no "Budget Fairy;" those who have budget asked for it. They often got told "no" often while getting to "yes." Those getting budget are the same ones getting promotions. Senior executives love nothing quite so much as managers and professionals who tell them how to invest profitably. [Shpantzer] Availability is the new confidentiality. CIOs and business executives are compensated on metrics related to availability metrics like uptime, latency and and other such items. Infosec's obsessions with sneaky APTs hiding in the network to steal PII is not what they're interested in. BUT NOW we have ransomware (since 2014 when it was ramping up and certainly since 2016 it's become the #1 foreseeable business interruption). When their server farm, for which they have strict SLAs, is locked up, as is the unprotected backup infrastructure (which was designed for hazard, not malice...), the CIO and business execs understand the importance of not having admin rights everywhere and 445 open to the internet. Take all your sneaky APT thinking and apply it to prevention and post-ex mitigation (segmentation) of ransomware, and you'll have an entirely different conversation with your IT and business execs. The Behavioral Economics of Why Executives Underinvest in Cybersecurity https://hbr.org/2017/06/the-behavioral-economics-of-why-executives-underinvest-in-cybersecurity *************************** SPONSORED LINKS ***************************** 1) Don't Miss: "Catch Me if You can - Pentesting vs APT" with Cybereason's Mor Levi. Register: http://www.sans.org/info/195495 2) Webcast: "The Efficiency of Context: Review of WireX Network Forensics Platform." Learn More: http://www.sans.org/info/195505 3) Join the SANS Institute for the latest NYC Financial Briefing for the Financial Community in the New York City area. Free to the Financial Cybersecurity Community: http://www.sans.org/info/195510 ***************************************************************************THE REST OF THE WEEK'S NEWS
House Bill Would Require DoD to Notify Congress of Cyber Actions (June 8, 2017)
A bill introduced in the US House of Representatives would require the Defense Department (DoD) to notify legislators within 48 hours after initiating sensitive offensive and defensive cyber operations. The law would not include covert actions, which are usually conducted by intelligence agencies. [Editor Comments] [Pescatore] The mention of "defensive cyber operations" worried me, but the wording in the draft limits the requirement to defensive actions that are "... outside the Department of Defense Information Networks to defeat an ongoing or imminent threat." It also exempts action where US armed forces are "involved in hostilities" or conducing training exercises. Given the high probability of "friendly fire" incidents when offensive cyber payloads are let loose on real world networks, some level of accountability and oversight is needed - this will start the debate. [Murray] Advice from my senior colleague, David Kennedy of Verizon, do not worry about House Bills unless and until they get committee consideration. [Northcutt] Last year we passed rule 41 to enable law enforcement to hack. In addition to this, we have HR 584 The Cyber Preparedness Act of 2017 and S 536 The Cybersecurity Disclosure Act of 2017 in committee. Since the technology Congress wants to regulate changes very quickly, I hope someone is keeping track of the total cost to implement all of this: https://www.dailydot.com/layer8/rule-41-fbi-hacking-powers-expansion/ https://www.congress.gov/bill/115th-congress/house-bill/584 https://www.congress.gov/bill/115th-congress/senate-bill/536/text? Read more in: Nextgov: Lawmakers Want Notice When Pentagon Uses Cyber Weapons http://www.nextgov.com/cybersecurity/2017/06/lawmakers-want-notice-when-pentagon-uses-cyber-weapons/138534/?oref=ng-channeltopstory Armed Services House: Draft Bill https://armedservices.house.gov/sites/republicans.armedservices.house.gov/files/wysiwyg_uploaded/CYBER_NOTICE_001_xml%20%28003%29.pdfVMware Patches vSphere Data Protection (June 8, 2017)
VMware has released updates to address two flaws in its vSphere Data Protection backup solution. The updates fix a Java deserialization issue that could be exploited to allow remote code execution, and a credential-storing issue that could let attackers obtain decrypted credentials. Users are urged to upgrade to versions 6.1.4 and 6.0.5. Read more in: Threatpost: VMware Patches Critical Vulnerabilities in vSphere Data Protection https://threatpost.com/vmware-patches-critical-vulnerabilities-in-vsphere-data-protection/126150/ VMware: vSphere Data Protection (VDP) updates address multiple security issues http://www.vmware.com/security/advisories/VMSA-2017-0010.htmlMalware Infects Computers When Users Place Cursor Over Link (June 2 & 8, 2017)
A recently detected attack technique requires only that users hover their cursor over a malicious link to become infected with malware. The attacks have been launched by sending targets an email with an attached Power Point document. [Editor Comments] [Eubanks] Interesting development that challenges the advice we have provided for many years - "mouse over the link before clicking". This is a good catalyst for us to verify advice we have always given to ensure it is still valid. [Neely] The exploit relies on PowerPoint being configured to execute external content, and the execution of the PowerShell script. PowerPoint by default displays a user bypassable warning, attempting to block harmful content. The PowerShell script is crafted to bypass ExecutionPolicy and profile restrictions. The number one mitigation is user not enabling the external content, or better still, using caution with unrecognized attachments. Next, look for the indicated IOCs or block access to the identified sites. Other mitigations include GPO settings for PowerShell execution policy of Restricted or AllSigned, as well as GPOs for Office security settings for non-click-to-run deployments. Read more in: SC Magazine: Mouse hovering malware delivery scheme spotted, called potentially very dangerous https://www.scmagazine.com/mouse-hovering-malware-delivery-scheme-spotted-called-potentially-very-dangerous/article/667379/ DodgethisSecurity: New PowerPoint Mouseover Based Downloader - Analysis Results https://www.dodgethissecurity.com/2017/06/02/new-powerpoint-mouseover-based-downloader-analysis-results/Cisco Patches Critical Flaws (June 7 & 8, 2017)
Cisco has released an update to fix two flaws in its Prime Data Center Network Manager (DCNM) 10.1(1) and 10.1(2) for Windows, Linux, and virtual appliance platforms. One of the flaws lies in a debugging tool that lacks authentication and authorization mechanisms. Attackers could exploit this flaw by "remotely connecting to the debugging tool via TCP." The other flaw is a hard-coded static credential that could be exploited to access the administrative console of a DCNM server. Cisco has also released updated for other flaws in its AnyConnect and TelePresence Endpoint products. Read more in: Threatpost: Cisco Patches Critical Flaws in Prime Data Center Network Manager https://threatpost.com/cisco-patches-critical-flaws-in-prime-data-center-network-manager/126147/ Cisco: Cisco Prime Data Center Network Manager Debug Remote Code Execution Vulnerability https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm1 Cisco: Cisco Prime Data Center Network Manager Server Static Credential Vulnerability https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm2 Cisco: Cisco AnyConnect Local Privilege Escalation Vulnerability https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-anyconnect Cisco: Cisco TelePresence Endpoint Denial of Service Vulnerability https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-teleCertLock Trojan (June 8, 2017)
The CertLock Trojan, which anti-malware products are detecting as Ceram or Wdfload, disallows security certificates on computers it infects, preventing users from installing and running security programs on their computers. CertLock spreads through software bundles. Read more in: BleepingComputer: CertLock Trojan Blocks Security Programs by Disallowing Their Certificates https://www.bleepingcomputer.com/news/security/certlock-trojan-blocks-security-programs-by-disallowing-their-certificates/Google Pulls Bad App Containing DVMap Trojan Google Play Store (June 8, 2017)
Google has removed an app from the Google Play store because it was found to contain a Trojan known as DVMap. The colourblock app appears to have been downloaded more than 50,000 times. When colourblock was first added to the Google Play Store, it did not contain malware, but between April 18 and May 15, its developers updated it at least five times. Each time, a malicious version of the app was left up for just a day. DVMap contains four exploit packages that are used to infect Android devices. Read more in: BleepingComputer: Google Removes App Infested with New and Deadly DVMap Trojan From the Play Store https://www.bleepingcomputer.com/news/security/google-removes-app-infested-with-new-and-deadly-dvmap-trojan-from-the-play-store/ SC Magazine: Android malware: Now with code injection https://www.scmagazine.com/android-malware-now-with-code-injection/article/667201/ Securelist: Dvmap: the first Android malware with code injection https://securelist.com/78648/dvmap-the-first-android-malware-with-code-injection/Foscam IP Camera Vulnerabilities (June 7 & 8, 2017)
F-Secure has identified 18 vulnerabilities in Foscam IP cameras. Although F-Secure tested just two cameras, internal workings of Foscam IP cameras are used by many other brands. Foscam was notified of the security issues months ago but has not yet released fixes. Issues include hardcoded passwords, incorrect permission assignment, hidden Telnet functionality, and no restriction on login attempts. [Editor Comments] [Murray] Cameras are more of a problem than many other appliances, e.g., baby monitors, because so many are attached directly to the public, rather than private, networks. Those appliances ("things") that are intended for direct connection to the Internet have higher security requirements. Read more in: The Register: White-box webcam scatters vulnerabilities through multiple OEMs http://www.theregister.co.uk/2017/06/08/whitebox_webcam_scatters_vulnerabilities_through_multiple_oems/ Ars Technica: Internet cameras have hard-coded password that can't be changed https://arstechnica.com/security/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/ BleepingComputer: Boatload of Security Flaws Make Fosscam IP Cameras Absolutely Useless https://www.bleepingcomputer.com/news/security/boatload-of-security-flaws-make-fosscam-ip-cameras-absolutely-useless/ F-Secure: Vulnerabilities in Foscam IP Cameras http://images.news.f-secure.com/Web/FSecure/%7B43df9e0d-20a8-404a-86d0-70dcca00b6e5%7D_vulnerabilities-in-foscam-IP-cameras_report.pdfMicrosoft Blog Warns of File Transfer Tool from Platinum Hacking Group (June 7 & 8, 2017)
In a blog post, Microsoft describes a file transfer tool that uses Intel's Active Management technology (AMT) Serial-over-LAN (SOL) to hide its communications from firewalls and other security products. The file transfer tool is being used by a hacking group known as Platinum, and has been detected only in Asia. [Editor Comments] [Shpantzer] Look for the Ports section of Device Manager in any given Windows laptop in your fleet. If AMT drivers are there, you may be exposed to this. Note that the host firewall does NOT filter out Serial-over-LAN traffic, as it's 'below' the OS. [Williams] This story underscores the need for network monitoring inside the perimeter. If defenders have access to both network flows and host firewall logs they can easily detect any communications that bypass the host-based firewall. As robust as host-based monitoring has become, attackers will continue to develop techniques to bypass it. Network monitoring cannot be bypassed. Read more in: Microsoft Technet: PLATINUM continues to evolve, find ways to maintain invisibility https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/ BleepingComputer: Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/ The Register: Vxers exploit Intel's Active Management for malware-over-LAN http://www.theregister.co.uk/2017/06/08/vxers_exploit_intels_amt_for_malwareoverlan/ ZDNet: Windows firewall dodged by 'hot-patching' spies using Intel AMT, says Microsoft http://www.zdnet.com/article/windows-firewall-dodged-by-hot-patching-spies-using-intel-amt-says-microsoft/ Ars Technica: Sneaky hackers use Intel management tools to bypass Windows firewall https://arstechnica.com/security/2017/06/sneaky-hackers-use-intel-management-tools-to-bypass-windows-firewall/DHS Secretary Supports Critical Infrastructure Designation for Voting Systems (June 6, 2017)
US Department of Homeland Security (DHS) Secretary John Kelly told the Senate Homeland Security and Governmental Affairs Committee that he fully supports designating voting systems as critical infrastructure. The designation was first announced by former DS Secretary Jeh Johnson in early January. Kelly will meet with state officials next week to discuss how DHS can best help secure their election systems. [Editor Comments] [Northcutt] The "double down" title of the featured article is well chosen; John Kelly has been thumping this drum for a while now. And doing what we can to secure voting systems is important: http://thehill.com/policy/cybersecurity/overnights/318400-overnight-cybersecurity-elections-are-still-critical-dont-believe http://www.reuters.com/article/us-usa-trump-immigration-election-idUSKBN15M23H http://www.defenseone.com/threats/2017/02/elections-systems-are-critical-infrastructure-dhs-chief-affirms/135241/ https://gcn.com/articles/2017/03/17/voting-systems.aspx And of course the latest from Leakville: https://www.cyberscoop.com/leaked-nsa-hacking-report-ratchets-pressure-local-election-officials/ [Henry] The security of the voting process is critical to the national security of all democracies, and it begins with understanding the threat and implementing consistent security technology. Additionally, the U. S. needs to ensure an effective deterrent strategy is implemented to thwart attackers. Read more in: FCW: DHS chief doubles down on critical infrastructure designation for voting systems https://fcw.com/articles/2017/06/06/gunter-dhs-kelly-election-protection.aspxCyber Deterrence Requires Complex Planning (June 6, 2017)
Speaking on a panel at the Brookings Institution on June 6, former US under secretary of defense for policy James Miller said that cyber deterrence is possible but complicated. Miller identified the US's main cyber adversaries - Russia, China, North Korea, Iran, and terrorist groups - and said, "In order to deter them - rather than just respond to them - you need to have a plan in advance, you need to communicate to some degree your capabilities and your intent to respond." Strategies will be different for each adversary. [Editor Comments] [Henry] This may be complicated, but it's critical. We aren't able to secure every device, nor defend against every attack. The value to adversaries is high, and the risk of being caught and/or punished is low. Read more in: The growing threat from cyber weapons and what the United States needs to do to prepare FCW: Why there's no silver bullet for cyber deterrence https://fcw.com/articles/2017/06/06/carberry-cyber-deterrence.aspx Brookings Institute Panel: The growing threat from cyber weapons and what the United States needs to do to prepare https://www.brookings.edu/events/the-growing-threat-from-cyber-weapons-and-what-the-united-states-needs-to-do-to-prepare/EternalBlue Ported to Windows 10 (June 6, 2017)
Researchers have ported the EternalBlue exploit to Windows 10. The NSA's exploit, which was used in the WannaCry ransomware attacks, now can be used against unpatched versions of Windows as far back as XP. The new EternalBlue port works against Windows 10 versions prior to the April 2016 Redstone 1 release, and that have not received the March 2017 MS17-010 patch. The researchers do not plan to release the Windows 10 port source code anytime soon. Read more in: Threatpost: NSA'S EternalBlue Exploit Ported 1o Windows 10 https://threatpost.com/nsas-eternalblue-exploit-ported-to-windows-10/126087/ BleepingComputer: Researchers Port NSA EternalBlue Exploit to Windows 10 https://www.bleepingcomputer.com/news/security/researchers-port-nsa-eternalblue-exploit-to-windows-10/INTERNET STORM CENTER TECH CORNER
Finding XOR Keys Part 2
https://isc.sans.edu/forums/diary/Malware+and+XOR+Part+2/22490/Instagram Stories Not Using TLS
https://vvyper.com/2017/05/22/instagram-stories-ssl/Printer "Dots" May Have Led to Arrest of NSA Contractor
http://blog.erratasec.com/2017/06/how-intercept-outed-reality-winner.html#.WTc9SMbMyRtExfiltrating Data via Blinking Router LEDs
https://arxiv.org/abs/1706.01140 [Comment from Donald Smith] Deceptive Advertisements: What They Do and Where They Come From https://isc.sans.edu/forums/diary/Deceptive+Advertisements+What+they+do+and+where+they+come+from/22494/Instagram as Covert Channel
https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/Domain Shadowing Used in Rik Exploit Kit
https://blogs.rsa.com/shadowfall/Cisco Prime Data Center Network Manager Vulnerabilities
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm1 https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170607-dcnm2Oracle Peoplesoft Default Accounts
https://erpscan.com/press-center/blog/peoplesoft-default-accounts/FOSCAM Camera Default Passwords and Other Vulnerabilities
http://images.news.f-secure.com/Web/FSecure/%7B43df9e0d-20a8-404a-86d0-70dcca00b6e5%7D_vulnerabilities-in-foscam-IP-cameras_report.pdfAndroid Malware with Code Injections
https://securelist.com/78648/dvmap-the-first-android-malware-with-code-injection/***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
