SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #50
June 23, 2017TOP OF THE NEWS
Krebs Explains Why Russia is Beating the US in Cybersecurity Skills
Honda Manufacturing Plant Temporarily Shut Down Due to WannaCry Infection
Web Hosting Company Pays One Million USD Ransom to Decrypt Customer Data
THE REST OF THE WEEK'S NEWS
Western Tech Firms Bow To Russian Demands To Share Cyber Secrets
NSA Tools Released by Shadow Brokers Used in Devious Attacks
FBI 2016 Internet Crime Report
Symantec Patches Messaging Gateway Flaws
DHS Says Russian Hackers Tried to Access Election Systems in 21 States
HHS Cyber Center: A Good Idea or Not?
US Cybersecurity Executive Order: All Talk and No Action
Microsoft Temporarily Disables AV for Windows 10 Incompatibility
China's Quantum Communication Breakthrough
Two Arrested in Connection with Microsoft Network Intrusions
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER*************************** Sponsored By VMRay *******************************
In the fight against advanced malware, Analysts and Incident Responders need a One-Two combination of rapid threat detection and total visibility into malware behavior. VMRay delivers this combination by coupling our agentless hypervisor-based dynamic analysis with comprehensive file reputation classification. Get hands on with VMRay analyzer and achieve full, accurate analysis results.
http://www.sans.org/info/195880
TRAINING UPDATE
-- SANSFIRE 2017 | Washington, DC | July 22-29 | https://www.sans.org/event/sansfire-2017
-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017
-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017
-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017
-- SANS ICS & Energy-Houston 2017 | July 10-15, 2017 | https://www.sans.org/event/ics-houston-summit-training-2017
-- SANS Security Awareness Summit | Nashville, TN | July 31-August 9 | https://www.sans.org/event/security-awareness-summit-2017
-- SANS Boston 2017 | August 7-12 | https://www.sans.org/event/boston-2017
-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017
-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017
-- Can't travel? SANS offers online instruction for maximum flexibility Live Daytime training with Simulcast - https://www.sans.org/simulcast Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/ SANS Online Training: Special Offer! Get the brand new 12.9" iPad Pro, or a Microsoft Surface Pro 4, or take $550 off OnDemand or vLive Training when you register by July 12! - https://www.sans.org/online-security-training/specials/
-- Single Course Training SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/
***************************************************************************TOP OF THE NEWS
--Krebs Explains Why Russia is Beating the US in Cybersecurity Skills (June 22, 2017)
Brian Krebs examines reasons why Russia and countries that were formerly part of the Soviet Union produce greater numbers of skilled hackers than the US produces. Students in those countries are required to study computer science from an early age, while in the US, the subject is not mandatory and is not even offered in all schools. The approach to teaching computer science in Russia differs greatly from the approach in US schools. Russian students have far more hands-on experience than do their US counterparts. [Editor Comments] [Shpantzer] Many countries have kids graduating from high school with STEM knowledge equivalent to juniors in any given American college. This is not an accident, but a strategic decision. [Assante] The world has begun embarking on a digital transformation and the architects are turning to places like Eastern Europe, Russia, and India for the technical brick-layers to build our future. Children in western societies have the digital exposure, but would benefit from the opportunity to go behind the applications that are a routine part of their young lives. [Northcutt] We have known about our educational shortfall for a long time, sadly the articles on the subject remind me of "global warming"; there are so many "loud" voices and publications it is hard to know what to believe, but this is a pretty accurate STEM article that hits home and addresses the "myth" problem head on: http://www.cio.com/article/2381541/careers-staffing/stem-talent-shortfall-frustrates-tech-recruiters.html Read more in: KrebsOnSecurity: Why So Many Top Hackers Hail from Russia https://krebsonsecurity.com/2017/06/why-so-many-top-hackers-hail-from-russia--Honda Manufacturing Plant Temporarily Shut Down Due to WannaCry Infection (June 21, 2017)
The Samaya Honda automobile manufacturing plant near Tokyo shut down production on Monday, June 19, after Honda systems around the world became infected with WannaCry ransomware. Other production plants remained active; the Samaya plant was operational as of Tuesday, June 20. [Editor Comments] [Shpantzer] If WannaCry hit your production factory floor, you might wanna investigate the integrity of the firmware/software/blueprints/models/etc. in said factory. AKA worm that got in and pwned you for money -- people trying to mess damage the quality of your products. Read more in: Ars Technica: Honda shuts down factory after finding NSA-derived Wcry in its networkshttps://arstechnica.com/security/2017/06/5-weeks-after-wcry-outbreak-nsa-derived-worm-shuts-down-a-honda-factory/ Reuters: Honda halts Japan car plant after WannaCry virus hits computer network https://arstechnica.com/security/2017/06/5-weeks-after-wcry-outbreak-nsa-derived-worm-shuts-down-a-honda-factory/ Threatpost: Honda Shut Down Plant Impacted by Wannacry https://threatpost.com/honda-shut-down-plant-impacted-by-wannacry/126429/--Web Hosting Company Pays One Million USD Ransom to Decrypt Customer Data (June 20, 2017)
A South Korean web hosting company has agreed to pay paid 1.3 billion won (1.14 million USD) to attackers after its systems became infected with ransomware that affected more than 150 servers. The servers support websites of more than 3,400 small businesses. The web hosting company, Nayana, was running outdated software. [Editor Comments] [Shpantzer] Availability is the new confidentiality. Server-side ransomware is (almost) a full kill-chain activity that offers multiple opportunities for detection and interdiction before the servers go boom: initial exploit on perimeter (ex: auth bypass on perimeter server), webshell installation on perimeter server, lateral movement on the network, identity logs for reused creds, newly installed software, some C2, etc. [Williams] Organizations that rely on third party service providers (that's almost all of us) should run tabletop exercises asking "how would we respond if our web hosting provider went offline for weeks." That's the situation many South Korean businesses found themselves in, and most were not ready. [Honan] A good example of why "accepting the risk" may not always be the most prudent course of action Read more in: The Register: South Korean hosting co. pays $1m ransom to end eight-day outage http://www.theregister.co.uk/2017/06/20/south_korean_webhost_nayana_pays_ransom/ ZDNet: Korean web host hands over 1 billion won to ransomware crooks http://www.zdnet.com/article/korean-web-host-hands-over-1-billion-won-to-ransomware-crooks/ BBC: South Korean firm's 'record' ransom payment http://www.bbc.com/news/technology-40340820 *************************** SPONSORED LINKS ******************************** 1) Don't Miss: "Putting Digital Threat Investigation and Response into Hyperdrive" with Dave Shackleford. Register: http://www.sans.org/info/195890 2) Register for "Automating Cloud Security to Mitigate Risk" and receive the associated whitepaper by Dave Shackleford. http://www.sans.org/info/195895 3) Where are your application-related risks? Take SANS survey enter to win free Pass to SecDevOps Summit OR a $400 Amazon gift card. http://www.sans.org/info/195900 ******************************************************************************THE REST OF THE WEEK'S NEWS
--Western Tech Firms Bow To Russian Demands To Share Cyber Secrets (June 23, 2017)
Western technology companies, including Cisco, IBM and SAP, are acceding to demands by Moscow for access to closely guarded product security secrets, at a time when Russia has been accused of a growing number of cyber attacks on the West, a Reuters investigation has found. Read more in: Under pressure, Western tech firms bow to Russian demands to share cyber secrets http://www.reuters.com/article/us-usa-russia-tech-idUSKBN19E0XB--NSA Tools Released by Shadow Brokers Used in Devious Attacks (June 22, 2017)
While the media has focused attention on WannaCry ransomware, the NSA exploit known as EternalBlue that is used in that malware has been used in tandem with another NSA exploit called DoublePulsar to burrow into the kernels of computer systems. [Editor Comments] [Williams] SANS broke the "attackers were using EternalBlue to perform much more advanced attacks" story with SECDO more than a month ago. https://www.sans.org/webcasts/105190 But this story is still significant. Read more in: NYT: A Cyberattack 'the World Isn't Ready For' https://www.nytimes.com/2017/06/22/technology/ransomware-attack-nsa-cyberweapons.html--FBI 2016 Internet Crime Report (June 22, 2017)
The 2016 Internet Crime Report from the FBI's Internet Crime Complaint Center (IC3) provides information about trends in online crime. In 2016, more than 10,000 incidents of tech support fraud were reported to IC3, with losses totaling nearly 8 million USD. Other trends noted in the report are email compromise, ransomware, and extortion. [Editor Comments] [Shpantzer] Some of the business email compromise (AKA spoofing the CEO/CFO) are very low tech. Zero malware and almost as few financial controls to backstop the fraud. See Ubiquiti case from 2015, where $46 million flew out the window, in a public company, ostensibly SOX compliant... https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/ The Audit Committee head on the Board of Directors was fired and they brought in a consulting firm to reconstitute financial controls... and of course had to report to SEC. Can we say 'business risk' now? [Honan] It's interesting to note the top issues of Business Email Compromise, otherwise known as CEO fraud, Ransomware, and Tech Support scams are the issues law enforcement in many other countries also face. It's also worth noting that these crimes are not the result of any sophisticated attacks and can be prevented in many cases by basic security controls, such as the Top 20 critical security controls, and effective awareness training. Read more in: FBI: IC3 Releases Annual Report Highlighting Trends in Internet Crime https://www.fbi.gov/news/stories/ic3-releases-2016-internet-crime-report IC3: 2016 Internet Crime Report https://pdf.ic3.gov/2016_IC3Report.pdf--Symantec Patches Messaging Gateway Flaws (June 21 & 22, 2017)
Symantec has patched three flaws in its Symantec Messaging Gateway (SMG). All of the vulnerabilities could be exploited to execute code remotely. Symantec has rated two of the flaws as high severity; the third is rated as medium severity. Users are urged to upgrade to SMG v.10.6.3 if they have not already done so, and to apply patch 10.6.3-266. Read more in: ZDNet: Symantec patches Messaging Gateway remote code execution bugs http://www.zdnet.com/article/symantec-patches-messaging-gateway-remote-code-execution-bugs/ Symantec: Security Advisories Relating to Symantec Products - Symantec Messaging Gateway Multiple Vulnerabilities https://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2017&suid=20170621_00--DHS Says Russian Hackers Tried to Access Election Systems in 21 States (June 21 & 22, 2017)
A US Department of Homeland Security (DHS) official told the Senate Intelligence Committee that hackers with ties to the Russian government attempted to access election systems in 21 states. Samuel Liles, DHS acting director of the Office of Intelligence and Analysis Cyber Division, said that the attackers did not manipulate vote-tallying mechanisms, but instead seemed to be scanning the systems for vulnerabilities. In addition, cyber security experts have written a letter to US legislators warning that states lack adequate resources to respond to cybersecurity risks that accompany upcoming elections. Read more in: Washington Post: Homeland Security official: Russian government actors tried to hack election systems in 21 states https://www.washingtonpost.com/world/national-security/homeland-security-official-russian-government-actors-potentially-tried-to-hack-election-systems-in-21-states/2017/06/21/33bf31d4-5686-11e7-ba90-f5875b7d1876_story.html The Hill: Lawmakers told of growing cyber threat to election systems http://thehill.com/policy/cybersecurity/338823-lawmakers-told-of-growing-cyber-threat-to-election-systems SC Magazine: Election networks in 21 states hit by Russian hackers, DHS officials testify https://www.scmagazine.com/election-networks-in-21-states-hit-by-russian-hackers-dhs-officials-testify/article/670257/ ZDNet: Security experts warn lawmakers of election hacking risks http://www.zdnet.com/article/security-experts-sign-warning-letter-amid-election-security-failings/ The Register: Homeland Security: Putin's hackers tried to crack electoral networks in 21 US states http://www.theregister.co.uk/2017/06/22/russian_hackers_cracked_electoral_networks/ Document Cloud: Letter to Congress from Cybersecurity Experts http://www.documentcloud.org/documents/3870858-Security-experts-sign-on-letter-to-Congress-on.html--HHS Cyber Center: A Good Idea or Not? (June 21, 2017)
Earlier this year, the US Department of Health and Human Services (HHS) said it plans to establish a cybersecurity center for the healthcare sector. Legislators have expressed concerns that the center could actually make it more difficult for private sector organizations to navigate the jumble of cybersecurity regulations and compliance. Read more in: FCW: Why an HHS cyber center could confuse federal efforts https://fcw.com/articles/2017/06/21/hhs-cyber-center-hearing-hsgac.aspx--US Cybersecurity Executive Order: All Talk and No Action (June 21 & 22, 2017)
Former AT&T CSO Ed Amoroso says that the president's cybersecurity executive order focuses on reports, a paperwork exercise, rather than emphasizing action. Instead, says Amoroso, the administration should focus on three things: making the National Institute of Standards and Technology's (NIST's) Cybersecurity Framework the only framework and compliance standard for government agencies; moving to the cloud and stopping focus on perimeter security; and establishing a Cyber Corps to recruit and train young people in cybersecurity. Read more in: Threatpost: Trump's Cybersecurity Executive Order Under Fire https://threatpost.com/trumps-cybersecurity-executive-order-under-fire/126435/ TechRepublic: Trump's cybersecurity EO is 'terrible' says former AT&T CISO, recommends focus on 3 areas http://www.techrepublic.com/article/trumps-cybersecurity-eo-is-terrible-says-former-at-t-ciso-recommends-focus-on-3-areas/--Microsoft Temporarily Disables AV for Windows 10 Incompatibility (June 20, 2017)
Microsoft has admitted that it temporarily disables some third-party security software in machines running Windows 10 if the software is deemed to be incompatible with the operating system. Microsoft bundles Windows Defender with Windows 10 to ensure "that every Windows 10 device always have protection from viruses and malware." Most users are running security tools that are compatible with Windows 10, but on computers that are running incompatible tools, Microsoft temporarily disables parts of the software while Windows 10 is being updated. [Editor Comments] [Neely] When your AV subscription expires, or your AV is incompatible, Windows 10 alerts you it is activating Defender. While the goal was to keep systems protected, this behavior is quite surprising to an end user as it wasn't disclosed. While Microsoft claims Defender has improved as a solution for home and enterprise users, AV-Test and AV Comparatives testing show improvements, they still list Defender outside their top choices. Read more in: The Register: Microsoft admits to disabling third-party antivirus code if Win 10 doesn't like it http://www.theregister.co.uk/2017/06/20/microsoft_disabling_thirdparty_antivirus/ ZDNet: Windows 10 does temporarily disable third-party antivirus, admits Microsoft http://www.zdnet.com/article/windows-10-does-temporarily-disable-third-party-antivirus-admits-microsoft/ BBC: Microsoft admits disabling anti-virus software for Windows 10 users http://www.bbc.com/news/technology-40356889--China's Quantum Communication Breakthrough (June 20, 2017)
Researchers in China have made a breakthrough in quantum communication. The Micius quantum satellite has transmitted communications over a distance of nearly 750 miles. Canada is planning to launch a quantum satellite in the next four or five years. Read more in: CSM: Unbreakable: China doubles down on quantum internet https://www.csmonitor.com/Science/2017/0620/Unbreakable-China-doubles-down-on-quantum-internet CSM: China sees quantum leap in secure telecommunications technology https://www.csmonitor.com/Technology/2017/0620/China-sees-quantum-leap-in-secure-telecommunications-technology--Two Arrested in Connection with Microsoft Network Intrusions (June 22, 2017)
Police in the UK have arrested two men believed to be involved with a group of people who broke into Microsoft's networks. One of the suspects was arrested for allegedly "gaining unauthorized access to a computer." The second was arrested for alleged offenses under the Computer Misuse Act. The intrusion occurred between January and March 2017. Read more in: The Register: Two Brits nabbed in connection with global plot to hack Microsoft network http://www.theregister.co.uk/2017/06/22/two_men_arrested_probe_microsoft_networks_hack/ BleepingComputer: Two Men Arrested for Hacking Microsoft https://www.bleepingcomputer.com/news/security/two-men-arrested-for-hacking-microsoft/INTERNET STORM CENTER TECH CORNER
Cisco Ships Private Key For drmlocal.cisco.com With Video Player
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/T6emeoE-lCUWindows Error Reporting: DFIR Benefits and Privacy Concerns
https://isc.sans.edu/forums/diary/Windows+Error+Reporting+DFIR+Benefits+and+Privacy+Concerns/22536/Detecting Memory Corruption in glibc
https://github.com/DhavalKapil/libdheapLet's Encrypt ACME Protocol To Become IETF Standard
https://tools.ietf.org/html/draft-ietf-acme-acme-06Microsoft Publishes Analysis of NSA Exploits
https://blogs.technet.microsoft.com/mmpc/2017/06/16/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security/New Vulnerabilities Found in OpenVPN
https://guidovranken.wordpress.com/2017/06/21/the-openvpn-post-audit-bug-bonanza/RAR Unpack Vulnerability Affects BitDefender
https://bugs.chromium.org/p/project-zero/issues/detail?id=1278&desc=6Honda Plant Shuts Down Over Wannacry
https://www.bleepingcomputer.com/news/security/one-month-later-wannacry-ransomware-is-still-shutting-down-factories/Obfuscating Without XOR
https://isc.sans.edu/forums/diary/Obfuscating+without+XOR/22544/Airbnb OAUTH Token Theft
https://www.arneswinnen.net/2017/06/authentication-bypass-on-airbnb-via-oauth-tokens-theft/Critical Drupal Vulnerability
https://www.drupal.org/SA-CORE-2017-003Auditing Docker Containers
https://www.sans.org/reading-room/whitepapers/auditing/checklist-audit-docker-containers-37437***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
