SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #51
June 27, 2017TOP OF THE NEWS
Wave of Ransomware Hitting Europe
US Senators Ask White House to Order Analysis of Russia's Ability to Disrupt US Energy Grid
German Police Get Broader Hacking Powers
Anthem to Pay 115 Million USD in Breach Settlement
THE REST OF THE WEEK'S NEWS
Intel Skylake and Kaby Lake Processor Flaws
Microsoft Fixes Critical Flaw in Malware Protection Engine
Guilty Plea in Utility Smart Meter Reader Hack
UK Parliamentary Accounts Targeted in Brute Force Account Password Attack
Report: British Officials' Passwords Being Sold
Google Will Stop Scanning eMail for Targeted Ads
Siemens Releases Patches
Responding to Russia's Interference in Elections
Virgin Media Tells Customers to Change Router Passwords
WikiLeaks: CIA Technique to Infect Air-Gapped Computers
Cryptocurrency Ethereum Plunged Over 10 Percent In Monday Trading
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER*************************** Sponsored By Sophos Inc. *******************************
With firewalls becoming increasingly complex, buying one can be a confusing experience. And even when you've identified requirements you need for your firewall, trudging through each vendor's website and datasheets is a time-consuming process. This guide makes finding the right firewall easy for you, pulling together critical capabilities and features you should have. Read Now: http://www.sans.org/info/195965
*************************************************************************** TRAINING UPDATE-- SANSFIRE 2017 | Washington, DC | July 22-29 | https://www.sans.org/event/sansfire-2017
-- SANS London July 2017 | July 3-8 | https://www.sans.org/event/london-july-2017
-- SANS Cyber Defence Singapore | July 10-15 | https://www.sans.org/event/cyber-defence-singapore-2017
-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017
-- SANS ICS & Energy-Houston 2017 | July 10-15, 2017 | https://www.sans.org/event/ics-houston-summit-training-2017
-- SANS Security Awareness Summit | Nashville, TN | July 31-August 9 | https://www.sans.org/event/security-awareness-summit-2017
-- SANS Boston 2017 | August 7-12 | https://www.sans.org/event/boston-2017
-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017
-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017
-- Can't travel? SANS offers online instruction for maximum flexibility Live Daytime training with Simulcast - https://www.sans.org/simulcast Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/ SANS Online Training: Special Offer! Get the brand new 12.9" iPad Pro, or a Microsoft Surface Pro 4, or take $550 off OnDemand or vLive Training when you register by July 12! - https://www.sans.org/online-security-training/specials/
-- Single Course Training SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/
***************************************************************************TOP OF THE NEWS
Wave of Ransomware Hitting Europe and Asia (June 27, 2017)
British advertising agency WPP is among dozens of firms reporting problems. Ukrainian firms, including the state power distributor and Kiev's main airport were among the first to report issues. Russian oil producer Rosneft and Danish shipping company Maersk also say they face disruption, including its offices in the UK and Ireland. http://www.bbc.com/news/technology-40416611?ns_mchannel=social&ns_campaign=bbc_breaking&ns_source=twitter&ns_linkname=news_central http://www.telegraph.co.uk/news/2017/06/27/ukraine-hit-massive-cyber-attack1/ https://www.bloomberg.com/news/articles/2017-06-27/ukraine-russia-report-ransomware-computer-virus-attacks Editor's Note: [Ullrich] They appear to be reaching some of the networks spared by Wannacry. InternetStorm Center has posted a preliminary summary: https://isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/US Senators Ask White House to Order Analysis of Russia's Ability to Disrupt US Energy Grid (June 22, 2017)
Nineteen US Senators have written a letter asking the White House "to direct the Department of Energy (DoE) to conduct a thorough analysis of Russian capabilities with respect to cyberattacks on our energy infrastructure." Legislators made a similar request in March but received no response. [Editor Comments] [Murray] Electrical generation and distribution is the infrastructure on which we are most dependent, ranking ahead of communication and finance. It demonstrates its resilience against weather, component failure, and human error on a daily basis. That said, we know that it remains vulnerable to malicious mis-operation. The public does not know its resilience in the face of such attacks as we have seen in Ukraine. We do not know whether controls have been compromised in advance of and in contemplation of such attacks. While one can understand that Congress would like the answer to these questions, one would expect the answers to be "classified." Read more in: Wired: Senators Push Trump for Answers on Power Grid Malware Attack https://www.wired.com/story/congress-trump-power-grid-malware-letter/ US Senate: Letter Seeking DoE Analysis of Russia's Cyber Capability to Disrupt Energy Infrastructure https://www.energy.senate.gov/public/index.cfm/files/serve?File_id=7E986259-2284-4FD3-A9ED-F2E7E6EE21CBGerman Police Get Broader Hacking Powers (June 23, 2017)
Germany's Parliament has passed legislation that extends law enforcement's authority to break into suspects' phones and computers. Until now, police have had the authority to hack into people's phones and computers in instances of suspected terrorism. The amendment expands the scope of cases in which police can use the techniques, known as Staatstrojanern, to include any case in which they would be permitted to tap a suspect's phone. The change was made as an amendment to a law dealing with driving bans. Read more in: ZDNet: Police get broad phone and computer hacking powers in Germany http://www.zdnet.com/article/police-get-broad-phone-and-computer-hacking-powers-in-germany/Anthem to Pay 115 Million USD in Breach Settlement (June 23 & 26, 2017)
US healthcare company Anthem will pay 115 million ISD to settle several lawsuits related to 2015 breach of customer data. Most of the money will be used to pay for victims' credit monitoring. Read more in: Cyberscoop: Anthem will pay $115 million in largest data breach settlement in history https://www.cyberscoop.com/anthem-data-breach-settlement/?category_news=technology Threatpost: Anthem Agrees to Settle 2015 Data Breach for $115 Million https://threatpost.com/anthem-agrees-to-settle-2015-data-breach-for-115-million/126527/ *************************** SPONSORED LINKS ***************************** 1) Don't Miss: Securing Critical Infrastructure Organizations against the Next Cyber Breach: Best Practices for organizations leveraging Managed Services. Register: http://www.sans.org/info/195970 2) "Effortless Detection and Investigation of Cloud Breaches: A Review of Lacework's Zero Touch Cloud Workload Security Platform" Register: http://www.sans.org/info/195980 3) "Complying with Data Protection Law in a Changing World" Register to receive the associated whitepaper by Benjamin Wright. http://www.sans.org/info/195985 ******************************************************************************THE REST OF THE WEEK'S NEWS
Intel Skylake and Kaby Lake Processor Flaws (June 26, 2017)
A flaw in Intel Skylake and Kaby Lake processors could be the reason some users are experiencing application and system hiccups, data corruption, and data loss. The bug can cause the processors to crash when hyperthreading is enabled. Users who have not installed an update are advised to disable hyperthreading in the system firmware. The fix has been available since May. Read more in: ZDNet: Debian Linux reveals Intel Skylake and Kaby Lake processors have broken hyper-threading http://www.zdnet.com/article/debian-linux-reveals-intel-skylake-kaby-lake-processors-have-broken-hyper-threading/ Ars Technica: Skylake, Kaby Lake chips have a crash bug with hyperthreading enabled https://arstechnica.com/information-technology/2017/06/skylake-kaby-lake-chips-have-a-crash-bug-with-hyperthreading-enabled/Microsoft Fixes Critical Flaw in Malware Protection Engine (June 23 & 26, 2017)
Microsoft has fixed a critical remote code execution flaw in its Malware Protection Engine. The vulnerability could be exploited by tricking a user into visiting a website seeded with malware or receiving an email or instant message with a malicious file attached as long as the user had real-time protection turned on. Google's project Zero disclosed the vulnerability to Microsoft on June 7. Read more in: Threatpost: Another RCE Vulnerability Patched In Microsoft Malware Protection Engine https://threatpost.com/another-rce-vulnerability-patched-in-microsoft-malware-protection-engine/126536/ Ars Technica: This Windows Defender bug was so gaping its PoC exploit had to be encrypted https://arstechnica.com/security/2017/06/latest-high-severity-flaw-in-windows-defender-highlights-the-dark-side-of-av/ Chromium: MsMpEng: mpengine x86 Emulator Heap Corruption in VFS API https://bugs.chromium.org/p/project-zero/issues/detail?id=1282&desc=2 Microsoft: CVE-2017-8558 | Microsoft Malware Protection Engine Remote Code Execution Vulnerability https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8558Guilty Plea in Utility Smart Meter Reader Hack (June 25 & 26, 2017)
A man who used to work for a company that manufacturers remote utility meter-reading equipment has admitted to using his knowledge of the systems to disable equipment in several states. Adam Flanagan pleaded guilty to two counts of unauthorized access to a protected computer. He was sentenced to a year in prison and fined 40 thousand USD. Flanagan had worked as an engineer setting up Tower Gateway Basestations (TGBs), which collect data from area customers' smart meters and send the information to the company's main systems. He was fired in November 2013; the incidents took place during the spring of 2014. [Editor Comments] [Neely] Making sure that accounts are disabled/changed on employee termination or transfer is key and can be difficult. It should both be a step in the termination process. Active accounts should also be reviewed, at least annually, to expose terminate employees who still have access. If disabled accounts can't be deleted, then monitor and alert on their use. [Stephen Northcutt] Mr. Flanagan faced 90 years, was sentenced to one; that will not serve as a deterrent. The BleepingComputer story has similar fired-insider stories at the bottom of their writeup. According to the DOJ, the "boot" hacker, Mr. Venzor, was supposed to be sentenced earlier this month: https://www.justice.gov/usao-wdtx/pr/former-el-paso-based-company-employee-pleads-guilty-computer-intrusion I can't find anything on it. If you have a source, please drop stephen@sans.edu a note. Read more in: BleepingComputer: Fired Employee Hacks and Shuts Down Smart Water Readers in Five US Cities https://www.bleepingcomputer.com/news/security/fired-employee-hacks-and-shuts-down-smart-water-readers-in-five-us-cities/ Ars Technica: Some beers, anger at former employer, and root access add up to a year in prison https://arstechnica.com/security/2017/06/ex-technician-convicted-of-possibly-drunken-attack-on-smart-water-meter-system/UK Parliamentary Accounts Targeted in Brute Force Account Password Attack (June 24 & 26, 2017)
On Friday, June 23, the (UK) Parliamentary Digital Service observed "unusual activity and evidence of an attempted cyber-attack on our network." The brute force attempts targeted the user accounts of MPs, peers, and parliamentary staff. Fewer than 90 email accounts were compromised. The Parliamentary email system and remote access tools were turned off over the weekend as a safety measure. [Editor Comments] [Murray] Clearly an application for strong authentication. It resists brute force attacks as well as the replay of compromised credentials. [Honan] We need to protect our systems and better protect our users using strict access control policies and implementing effective Multiple Factor Authentication for any critical web based systems. IF you protect your social media page using 2FA then you should so the same for email Read more in: The Register: UK parliamentary email compromised after 'sustained and determined cyber attack' http://www.theregister.co.uk/2017/06/26/uk_parliamentary_email_compromised_after_sustained_and_determined_cyber_attack/ The Register: UK Parliament hack: Really, a brute-force attack? Really? http://www.theregister.co.uk/2017/06/26/parliament_email_hack/ SC Magazine UK: [updated] UK Parliament records "unauthorised attempts" to access MP accounts https://www.scmagazineuk.com/updated-uk-parliament-records-unauthorised-attempts-to-access-mp-accounts/article/670991/ BBC: Parliament hit by 'sustained' cyber-attack http://www.bbc.com/news/uk-40394074 Parliament: Lord Speaker statement on parliamentary security and cyber security https://www.parliament.uk/business/news/2017/june/lord-speaker-statement-26-june/British Officials' Passwords Being Sold (June 23, 2017)
An investigation conducted by The Times has found that Russian hackers are trading account passwords belonging to British MPs, diplomats, and police officials, on the dark web. Most of the stolen credentials appear to be from a 2012 LinkedIn breach. Read more in: CNET: Russian hackers are selling British officials' passwords https://www.cnet.com/news/russian-hackers-are-selling-british-officials-passwords/Google Will Stop Scanning eMail for Targeted Ads (June 23 & 26, 2017)
By the end of this year, Google will stop scanning Gmail messages to serve personalized advertisements to users. Google has already stopped the practice in its G Suite Gmail. Ads will instead be served based on users' settings. [Editor Comments] [Williams] Google can effectively serve targeted ads to most users without reading their email. Read more in: Google: As G Suite gains traction in the enterprise, G Suite's Gmail and consumer Gmail to more closely align https://www.blog.google/products/gmail/g-suite-gains-traction-in-the-enterprise-g-suites-gmail-and-consumer-gmail-to-more-closely-align/ BBC: Gmail to end ad-targeting email scans http://www.bbc.com/news/technology-40404923 V3: Google to stop scanning email content for targeted adverts in Gmail https://www.v3.co.uk/v3-uk/news/3012652/google-to-stop-scanning-email-content-for-targeted-adverts-in-gmailSiemens Releases Patches (June 22 & 26, 2017)
Siemens has released fixes for vulnerabilities in two of its products. One of the vulnerabilities is an improper authentication issue that affects SIMATIC CP 44x-1 Redundant Network Access modules; it could be exploited to allow unauthenticated users to perform administrative actions. The other vulnerability is a privilege enforcement issue in XHQ; it would be exploited to allow read access to sensitive data. Read more in: SC Magazine: Siemens patches critical vulnerabilities in infrastructure tech https://www.scmagazine.com/siemens-vulnerabilities-patched-in-simatic-cp-and-xhq/article/671032/ ICS-CERT: Advisory (ICSA-17-173-01) Siemens SIMATIC CP 44x-1 Redundant Network Access Modules https://ics-cert.us-cert.gov/advisories/ICSA-17-173-01 Siemens: Vulnerability in Communication Processor module CP 44x-1 RNA (PDF) https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-126840.pdf Siemens: SSA-945660: Privilege Enforcement Vulnerability in XHQ (PDF) https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-945660.pdfResponding to Russia's Interference in Elections (June 23, 2017)
A story in the Washington Post describes how the CIA informed then-president Barack Obama of Vladimir Putin's direct involvement in disrupting the US presidential election, and how Obama responded to the information. It also reveals that Obama authorized an operation to plant malicious code in Russian computer systems. Read more in: Washington Post: Obama's secret struggle to punish Russia for Putin's election assault https://www.washingtonpost.com/graphics/2017/world/national-security/obama-putin-election-hacking/ Ars Technica: Obama reportedly ordered implants to be deployed in key Russian networks https://arstechnica.com/tech-policy/2017/06/obama-reportedly-ordered-hacking-operation-targeting-key-russian-networks/Virgin Media Tells Customers to Change Router Passwords (June 23, 2017)
Virgin Media is urging 800,000 customers to change their Super Hub 2 router passwords because of a vulnerability in the widely-used home routers. Attackers could use the router's default password to access not only the router, but also IoT devices on a user's home network. Routers from provided by other Internet service providers (ISPs) may also be vulnerable. [Editor Comments] [Williams] Default passwords and engineering backdoors are a scourge on Internet connected devices. UI engineers need to figure out ways to entice users to change default passwords, while still making the devices usable. Read more in: The Guardian: Virgin Media tells 800,000 users to change passwords over hub hacking risk https://www.theguardian.com/media/2017/jun/23/virgin-media-change-passwords-hacking-which-super-hub-2-router The Register: Virgin Media router security flap follows weak password expose http://www.theregister.co.uk/2017/06/23/virgin_media_router_security_flap/ BBC: Router hack risk 'not limited to Virgin Media' http://www.bbc.com/news/technology-40382877CIA Technique to Infect Air-Gapped Computers (June 22, 2017)
Documents posted on WikiLeaks provide information about a technique allegedly used by the CIA to infect air-gapped computers. Known as "brutal Kangaroo," the method involves USB drives. One tool called Drifting Deadline is installed on a broad range of computers and infects all USB drives attached to it. Those in turn will infect computers into which they are plugged. [Editor Comments] [Murray] Practice good hygiene. Do not take storage devices from strangers. Do not put your storage device in others' machines. Do not allow others to put their storage device in your machine. Use anti-virus and other protection. Do not rely upon representations made to you by strangers as to the state of their health. [Williams] The Brutal Kanagaroo documents outline a previously unknown vulnerability in LNK file parsing involving junctions, a vital roadmap for attackers wishing to create an exploit. Read more in: Ars Technica: How the CIA infects air-gapped networks https://arstechnica.com/security/2017/06/leaked-documents-reveal-secret-cia-operation-for-infecting-air-gapped-pcs/Cryptocurrency Ethereum Plunged Over 10 Percent In Monday Trading (June 26, 2017)
A hoax claiming cryptocurrency ETH's founder died apparently caused the currency to tank. [Editor Comments] [Stephen Northcutt] Love the response, he posted a photo of himself with current blockchain information as a "proof of life": http://www.coindesk.com/proof-life-vitalik-buterin-uses-ethereum-blockchain-disprove-death-hoax/ https://en.wikipedia.org/wiki/Proof_of_Life Read more in: Ethereal drops rapidly. http://www.cnbc.com/2017/06/26/ethereum-drops-more-than-10-percent-even-after-flash-crash-refund.html Vitalik Buterin confirmed dead post behind crash. https://qz.com/1014559/vitalik-buterin-dead-a-hoax-on-4chan-crashed-ethereums-price/INTERNET STORM CENTER TECH CORNER
Fake DDoS Extortions Continue
https://isc.sans.edu/forums/diary/Fake+DDoS+Extortions+Continue+Please+Forward+Us+Any+Threats+You+Have+Received/22550/Traveling with a Laptop
https://isc.sans.edu/forums/diary/Traveling+with+a+Laptop+Surviving+a+Laptop+Ban+How+to+Let+Go+of+Precious/22462/Side Channel Attacks on the Cheap
https://www.fox-it.com/nl/wp-content/uploads/sites/12/Tempest_attacks_against_AES.pdfLatest Locky Variant Hunting Down Windows XP Users
http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.htmlWindows Beta Builds and Source Code Leaked
http://www.theregister.co.uk/2017/06/23/windows_10_leak/Investigation of BitTorrent Sync (v.2.0) as a P2P Cloud (Part 1)
https://isc.sans.edu/forums/diary/Investigation+of+BitTorrent+Sync+v20+as+a+P2P+Cloud+Part+1/22554/Ransomware Payment Triggers More DDoS Ransomware Attacks
https://www.bleepingcomputer.com/news/security/-1-million-ransomware-payment-has-spurred-new-ddos-for-bitcoin-attacks/Speed Trap Cameras in Australia Infected with WannaCrypt
http://www.camerassavelives.vic.gov.au/utility/latest+news/investigation+underway+into+cameras+affected+by+software+virusMore Vulnerabilities in Windows Defender
https://bugs.chromium.org/p/project-zero/issues/detail?id=1282&desc=2npm Developer Accounts Reset After Password Reuse Discovery
https://github.com/ChALkeR/notes/blob/master/Gathering-weak-npm-credentials.md***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
