Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #52

June 30, 2017

TOP OF THE NEWS


Petya: The Basics
Petya: Who Was Affected?
Petya: Vectors of Infection
Petya: Efforts to Stop its Spread
Petya's Purpose: It's a Wiper, not Ransomware

THE REST OF THE WEEK'S NEWS


US Legislators Amend Defense Spending Bill to Include Kaspersky Ban
Defense Contractors to be Held to Higher Cyber Security Standards
UK Met Police Slow to Migrate PCs from Windows XP
UK Police Arrest Four People in Windows Support Scam Case
Huge Ransomware Payout Emboldens Attackers
Skype Flaw
NIST Board Has Concerns About Possible Expansion of Responsibilities

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Cisco Systems *******************************

FREE Cloud eBook: The cloud opens up a whole new world for businesses; but it also creates fresh opportunities for attackers. As cloud adoption rises, so do security risks - one of the biggest being a lack of network visibility. Read our eBook and learn how to extend network visibility to the cloud for comprehensive threat protection. http://www.sans.org/info/196010

*************************************************************************** TRAINING UPDATE

-- SANSFIRE 2017 | Washington, DC | July 22-29 |
https://www.sans.org/event/sansfire-2017

-- SANS Cyber Defence Singapore | July 10-15 |
https://www.sans.org/event/cyber-defence-singapore-2017

-- SANS Network Security | Las Vegas, NV | September 10-17 |
https://www.sans.org/event/network-security-2017

-- SANS ICS & Energy-Houston 2017 | July 10-15, 2017 |
https://www.sans.org/event/ics-houston-summit-training-2017

-- SANS Security Awareness Summit | Nashville, TN | July 31-August 9 |
https://www.sans.org/event/security-awareness-summit-2017

-- SANS Boston 2017 | August 7-12 |
https://www.sans.org/event/boston-2017

-- SANS London September 2017 | September 25-30 |
https://www.sans.org/event/london-september-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 |
https://www.sans.org/event/tokyo-autumn-2017

-- Can't travel? SANS offers online instruction for maximum flexibility
Live Daytime training with Simulcast - https://www.sans.org/simulcast
Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/
SANS Online Training: Special Offer! Get the brand new 12.9" iPad Pro, or a Microsoft Surface Pro 4, or take $550 off OnDemand or vLive Training when you register by July 12! - https://www.sans.org/online-security-training/specials/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Petya: The Basics (June 27 & 28, 2017)

The Petya outbreak that began earlier this week appears to bear some similarities to the original Petya, which was first detected in 2016. The new variant has also been called NotPetya and GoldenEye.

[Editor Comments]
[Murray] One would like to hope that Wannacry and Petya will discourage browsing and e-mail on the same systems as other applications.. Hope that they will encourage default read-only access control on data and execute-only on programs. Hope that they would encourage strong authentication and end-to-end encryption on enterprise networks. Finally, as a last resort, Hope that they will encourage the use of backup specifically designed to be "ransomware" resistant. That said, one fears that convenience will continue to trump these measures that should now be seen as essential.

Read more in:

Wired: Latest Ransomware Hackers Didn't Make WannaCry's Mistakes https://www.wired.com/story/petya-ransomware-wannacry-mistakes/
The Register: Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/?page=1
ZDNet: Six quick facts to know about today's global ransomware attack http://www.zdnet.com/article/six-quick-facts-june-global-ransomware-cyberattack/
Reuters: New computer virus spreads from Ukraine to disrupt world business http://www.reuters.com/article/us-cyber-attack-idUSKBN19I1TD
WashingtonPost: Companies struggle to recover after massive cyberattack with ransom demands https://www.washingtonpost.com/world/europe/companies-struggle-to-recover-after-massive-cyberattack-with-ransom-demands/2017/06/28/4e9e8fbe-5bd5-11e7-8e2f-ef443171f6bd_story.html
NextGov: Ukraine Police Say This is the Source of Tuesday's Massive Cyberattack http://www.nextgov.com/cybersecurity/2017/06/ukraine-police-say-source-tuesdays-massive-cyber-attack/139047/?oref=ng-channeltopstory
KrebsOnSecurity: 'Petya' Ransomware Outbreak Goes Global https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/

Petya: Who Was Affected? (June 27 & 28, 2017)

Organizations affected by Petya include shipping company Maersk, which reportedly had its systems operational by Wednesday, June 28; FedEx's TNT Express unit in Europe, which experienced shipping delays; Russian oil company Rosneft; US pharmaceutical company Merck; and government, power grid, and healthcare systems around the world.

Read more in:

Reuters: Maersk says booking system back in action after cyber attack http://www.reuters.com/article/us-cyber-attack-maersk-line-idUSKBN19J2I9
WSJ: Cyberattacks Hit Major Companies Across Globe https://www.wsj.com/articles/cyberattacks-hit-global-companies-in-europe-1498575793
Bloomberg: FedEx's TNT Unit 'Significantly' Affected by Cyberattack https://www.bloomberg.com/news/articles/2017-06-28/fedex-says-cyberattack-disrupts-tnt-s-worldwide-operations
Business Wire: TNT Express Operations Disrupted: All Other FedEx Services Operating Normally http://www.businesswire.com/news/home/20170628006092/en/
Fifth Domain: Who got hit in global 'NotPetya' ransomware attack [Video] http://fifthdomain.com/2017/06/28/who-got-hit-in-global-notpetya-ransomware-attack/

Petya: Vectors of Infection (June 27 & 28, 2017)

Petya began infecting systems earlier this week. It has spread through a malicious update for Ukrainian tax software called MeDoc. Kaspersky has also noted that a Ukrainian government website was serving as a watering hole vector of infection. The malware itself appears to use two Windows exploits leaked by Shadow Brokers.

Read more in:

Threatpost: New Petya Distribution Vectors Bubbling to Surface https://threatpost.com/new-petya-distribution-vectors-bubbling-to-surface/126577/
CNET: From Ukraine with ransomware: How the global mess all began https://www.cnet.com/news/ukraine-ransomware-petya-goldeneye-medocs-microsoft-global/
BBC: Tax software blamed for cyber-attack spread http://www.bbc.com/news/technology-40428967
SCMagazine: Petya ransomware reportedly spread via malicious software updates, Windows exploits and tools https://www.scmagazine.com/petya-ransomware-reportedly-spread-via-malicious-software-updates-windows-exploits-and-tools/article/671543/
Wired: Ukrainians Say Petya Ransomware Hides State-Sponsored Attacks https://www.wired.com/story/petya-ransomware-ukraine/

Petya: Efforts to Stop its Spread (June 27, 2017)

A researcher has found a way to prevent NotPetya from infecting computers. The malware searches for a certain local file and stops the encryption process if that file is found. If users create the file and set it to read-only, NotPetya will not encrypt data on that computer. Posteo, the email provider hosting the account where the Petya ransomware author was receiving messages shut down the account, preventing victims from contacting the author to make payments and possibly recover their encrypted data.

Read more in:

BleepingComputer: Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/
BleepingComputer: Email Provider Shuts Down Petya Inbox Preventing Victims From Recovering Files https://www.bleepingcomputer.com/news/security/email-provider-shuts-down-petya-inbox-preventing-victims-from-recovering-files/

Petya's Purpose: It's a Wiper, not Ransomware (June 28 & 29, 2017)

A growing consensus among cybersecurity experts is that the recent wave of ransomware that began spreading in Ukraine earlier this week is not intended to make money from people wanting to decrypt their files, but is instead intent on destruction. Petya appears to be a wiper rather than true ransomware; it is not able to provide users with keys to regain access to their data.

[Editor Comments]
[Mike Assante] The required investment, attributes, and development from initial seeding-to-impacts for this 'outbreak' tells a different story than a bold but flawed criminal enterprise. I believe NATO's response and analysis is spot on. The people behind the waves of damage and orchestrated uncertainty are demonstrating their aggressive nature.

Read more in:

Ars Technica: Tuesday's massive ransomware outbreak was, in fact, something much worse https://arstechnica.com/security/2017/06/petya-outbreak-was-a-chaos-sowing-wiper-not-profit-seeking-ransomware/
ZDNet: Ransomware in disguise: Experts say Petya out to destroy not ransom http://www.zdnet.com/article/ransomware-in-disguise-experts-say-petya-out-to-destroy-not-ransom/
Bloomberg: The Latest Hack May Be About Disruption, Not Money https://www.bloomberg.com/news/articles/2017-06-28/latest-hack-may-be-about-disruption-not-money-experts-say
*************************** SPONSORED LINKS *****************************
1) In case you missed it: "Effortless Detection and Investigation of Cloud Breaches: A Review of Lacework's Zero Touch Cloud Workload Security Platform" http://www.sans.org/info/196015
2) Did you miss: "Putting Digital Threat Investigation and Response into Hyperdrive" with Dave Shackleford. View the archive: http://www.sans.org/info/196020
3) Share your best practices for assessing and securing your on-site, cloud and mobile applications and enter to win free Pass to SecDevOps Summit OR a $400 Amazon gift card. http://www.sans.org/info/196025
******************************************************************************

THE REST OF THE WEEK'S NEWS

US Legislators Amend Defense Spending Bill to Include Kaspersky Ban (June 28, 2017)

Kaspersky Lab has confirmed to news sources that FBI agents have visited several of its employees at their homes. Members of the US Senate are trying to ban government agencies from using Kaspersky products because they say the company "might be vulnerable to Russian government influence." The Senate's National Defense Authorization Act for Fiscal Year 2018 has been amended to include a possible ban.

[Editor Comments]
[Pescatore] Making sure the software supply chain is secure and that software being bought doesn't have malicious capabilities should be a standard part of all software procurements, especially by the Federal Government. While focusing on Kaspersky may make sense because of the proof that Russia launched cyber-attacks against the US during the election, rather than react to news, US cybersecurity would be much improved if federal buying power required all software to be tested for vulnerabilities and malicious capabilities as part of acceptance criteria.

[Murray] One hopes that cooler heads will prevail. AT&T, Microsoft, Google, Symantec, and other US firms "might" be vulnerable to US government influence. Government agencies should be diligent in selecting vendors but Congress should not write particular vendors into law. Incidentally, Kaspersky enjoys a good reputation among its peers in the anti-virus community.

[Northcutt] According to Reuters, no search warrants were served. NBC says, "FBI agents on Tuesday paid visits to at least a dozen employees of Kaspersky, asking questions about the company's operations as part of a counter-intelligence inquiry, multiple sources familiar with the matter told NBC News."

http://www.nbcnews.com/news/us-news/fbi-interviews-employees-russia-linked-cyber-security-firm-kaspersky-lab-n777571
Most anti-virus reviews list Kaspersky in the top ten of available A/V products: https://www.consumeraffairs.com/computers/antivirus-software/
The globally reported FBI counter-intelligence raids come at the same time the Senate is considering passing a law against using Kaspersky for certain gov't related computers, but there was some Russian law enforcement activity that also involved Kaspersky in the recent past: http://money.cnn.com/2017/02/01/news/fsb-kaspersky-arrests/index.html
https://www.forbes.com/forbes/welcome/?toURL=https://www.forbes.com/sites/thomasbrewster/2017/01/25/russia-kaspersky-treason-arrest/

Read more in:

Reuters: FBI questions U.S. employees of Russian cyber firm Kaspersky Lab http://www.reuters.com/article/us-kasperskylab-probe-idUSKBN19J2IX
The Hill: FBI visits Kaspersky Lab employees http://thehill.com/policy/cybersecurity/339887-fbi-visits-kaspersky-lab-employees
The Register: Kaspersky Lab US staff grilled by Feds in nighttime swoop http://www.theregister.co.uk/2017/06/28/kaspersky_lab_us_staff_questioned_by_fbi/
Bleeping Computer: Senate Gets Ready to Ban Kaspersky Products as FBI Interviews Company's US Employees https://www.bleepingcomputer.com/news/government/senate-gets-ready-to-ban-kaspersky-products-as-fbi-interviews-companys-us-employees/

Defense Contractors to be Held to Higher Cyber Security Standards (June 26, 2017)

A new regulation from the US Department of Defense (DoD) will require defense contractors to the same cybersecurity standards to which the DoD is itself required to adhere. Contractors will have until the end of the 2017 calendar year to come into compliance with the regulation.
[Editor Comments]

[Pescatore] This approach is based on NIST 800-171, which has been out since 2015. It is basically a subset of 800-53 and maps to a subset of ISO 27001. It is pretty much basic security hygiene - good to see the DoD use its buying power to at least raise the bar this high.

[Neely] FISMA already requires flow-down of cyber security requirements to sub-contractors. NIST 800-171 provides clear guidance as well as mappings between the Controlled Unclassified Information (CUI) security requirements, 800-53 and ISO/IEC 27001. Also included is the requirement for the use of multi-factor authentication for access, which aligns with government-wide (HSPD-12) multi-factor authentication requirements. DoD is not the only agency with CUI.

[Williams] This is just good common sense, and honestly most in the public have just assumed that this was already happening. It will however hurt some small business contractors who will now be required to comply with the standards. These standards were drafted assuming that only large organizations with many resources (e.g. DoD) would be forced to comply. No thought was given to how smaller contractors might adopt them. But given that DoD's network is only as secure as its weakest link, giving special security exceptions to small contractors is probably a losing move.

Read more in:

GovConWire: Defense Contractors will be Held to Higher Cyber Standards https://www.govconwire.com/2017/06/defense-contractors-will-be-held-to-higher-cyber-standards/
ACQ.OSD: Safeguarding Covered Defense Information and Cyber Incident Reporting (Oct 2016) http://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012
NIST: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (PDF) http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf

UK Met Police Slow to Migrate PCs from Windows XP (June 28, 2017)

The UK's Metropolitan Police department is still running Windows XP on more than 18,000 PCs, as of December 2016. The migration program away from the now-unsupported Microsoft operating system began three years ago. Most of the machines that have been upgraded are now running Windows 8.1 rather than Windows 10.

[Editor Comments]
[Weatherford] The HMS Queen Elizabeth, the UK's newest aircraft carrier, which will join the active fleet in 2021, is built around WinXP.

Read more in:

V3: Met Police Windows XP migration programme slows with 18,000 PCs still running the antiquated operating system https://www.v3.co.uk/v3-uk/news/3012835/met-police-windows-xp-migration-programme-slows-with-18-000-pcs-still-running-the-antiquated-operating-system

UK Police Arrest Four People in Windows Support Scam Case (June 28 & 29, 2017)

Police in London (UK) have arrested four people in connection with a tech support fraud scheme involving a call center operated out of India. Some of the people making calls presented themselves as Microsoft employees; others claimed to work for British Internet service providers (ISPs) BT and TalkTalk.

Read more in:

Ars Technica: London police arrest four in Windows support scam bust https://arstechnica.com/tech-policy/2017/06/london-police-arrest-four-in-windows-support-scam-bust/
SC Magazine: Four nabbed for tech support telephone scam https://www.scmagazine.com/four-nabbed-for-tech-support-telephone-scam/article/671915/
Bleeping Computer: Microsoft-Led Investigation Results in Arrest of Four Tech Support Scammers https://www.bleepingcomputer.com/news/security/microsoft-led-investigation-results-in-arrest-of-four-tech-support-scammers/

Huge Ransomware Payout Emboldens Attackers (June 27, 2017)

A South Korean web hosting company's decision to pay more than 1 million USD to attackers who infected its servers with ransomware has emboldened other cyberattackers. A group of seven South Korean banks were issued a demand of 315,000 USD or, the attackers said, they would launch distributed denial-of-service (DDoS) attacks against their systems.

[Editor Comments]
[Pescatore] My wife and I just did a lot of hiking in Yellowstone and Glacier National Parks where there are many signs that tell you to avoid bears, and if you see them never feed the bears. Paying ransom is a business decision, but one that is pretty much the equivalent of feeding the bears - odds are high you will still get eaten, better to avoid the problem through basic security hygiene.

[Murray] Crypto currencies facilitate extortion and reduce the risk of being caught or punished.

[Williams] This is nothing but old school cyber extortion, there's nothing new going on here. We should not be confusing the million dollar ransomware payout with garden variety (and honestly script kiddie level) cyber extortion. But that's not to say that we shouldn't be concerned with the type of coordinated ransomware attack that we saw against the South Korean web hosting company. Organizations should examine how their organizations would respond to and recover from this sort of attack.

Read more in:

SC Magazine: Hackers threaten South Korean banks with DDoS attacks following record ransomware payment https://www.scmagazine.com/hackers-threaten-south-korean-banks-with-ddos-attacks-following-record-ransomware-payment/article/671377/

Skype Flaw (June 27, 2017)

A stack buffer overflow vulnerability in Skype could be exploited to allow remote code execution and crash systems. The issue affects Skype versions 7.2, 7.35 and 7.36. The problem is fixed in Skype version 7.37.138, which was released on June 8. Attackers can exploit the flaw without user interaction.

Read more in:
ZDNet: Zero-day Skype flaw causes crashes, remote code execution http://www.zdnet.com/article/zero-day-skype-flaw-causes-crashes-remote-code-execution/
Dark Reading: Massive Skype Zero-Day Enables Remote Crashes http://www.darkreading.com/vulnerabilities---threats/massive-skype-zero-day-enables-remote-crashes/d/d-id/1329232?

NIST Board Has Concerns About Possible Expansion of Responsibilities (June 28, 2017)

Earlier this year, the US House Science Committee approved a bill that would requite the National Institute of Standards and Technology (NIST) to conduct cybersecurity audits of federal government agencies. Agency audits are normally conducted by agency inspectors general and the Government Accountability Office (GAO). NIST's Information Security and Privacy Advisory Board have concerns about expanding NIST's mission in this way.

[Editor Comments]

[Murray] Such "concerns" are shared. Metrics are NIST's core competence; measuring not so much.

[Weatherford] This is a legitimate concern. Much of NIST's success comes from its recognized independence. Putting the standards setting body and auditors in the same organization creates a (perceived) conflict of interest and will harm NIST's reputation.

Read more in:

Nextgov: NIST Cyber Advisers Anxious Over Auditing Agencies http://www.nextgov.com/cybersecurity/2017/06/nist-cyber-advisors-anxious-about-auditing-other-agencies/139062/?oref=ng-channelriver

INTERNET STORM CENTER TECH CORNER

Petya/Goldeneye Variant Makes the Rounds

https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/

Petya Ransomware Update

https://isc.sans.edu/forums/diary/Petya+I+hardly+know+ya+an+ISC+update+on+the+20170627+ransomware+outbreak/22566/

Ubuntu systemd Vulnerability

https://www.ubuntu.com/usn/usn-3341-1/

Microsoft Will Include EMET in Windows 10

https://blogs.technet.microsoft.com/mmpc/2017/06/27/whats-new-in-windows-defender-atp-fall-creators-update/

BGB Attacks Against Bitcoin

https://blog.acolyer.org/2017/06/27/hijacking-bitcoin-routing-attacks-on-cryptocurrencies/

Catching up With Blank Slate

https://isc.sans.edu/forums/diary/Catching+up+with+Blank+Slate+a+malspam+campaign+still+going+strong/22570/

Azure AD Connect Vulnerability

https://technet.microsoft.com/library/security/4033453.aspx#ID0EN

Exploit Available For Stack Clash Vulnerability

https://www.qualys.com/research/security-advisories/

Paul Herschberger: Data Breach Impact Estimation

https://www.sans.org/reading-room/whitepapers/dlp/data-breach-impact-estimation-37502

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create