SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #6
January 20, 2017TOP OF THE NEWS
More Databases Targeted By Ransomware AttacksOracle's Mammoth Security Update
KrebsOnSecurity Publishes Detailed Account of Tracking Down Mirai Author
THE REST OF THE WEEK'S NEWS
U.S. Air Force's Prattle Would Take Honeypots to the Next LevelRush to Save Climate Change Data Before New Administration
"Old-School" Malware Found Targeting Biomedical Firms' Systems
Sweden is Testing Ambulance Alert System That Interrupts Car Radios
Disgruntled Former Employee Extortion Leads To $250,000 Fine
Researchers, Experts Develop Remote Software Update Protocol for Cars
Webmaster Used Backdoor to Steal Data
US CERT Warns of Possible Zero-Day Attack Targeting Server Message Block
Access Tokens and API Keys Found in Android Apps
INTERNET STORM CENTER TECH CORNER
INTERNET STORM CENTER TECH CORNER************************** Sponsored By Splunk **************************
Looking for some specific ways to get started using Splunk? We can help. We have a step-by-step online experience to walk you through how to use login activity and Splunk to detect, validate and scope threats in your environment.
http://www.sans.org/info/191637
***************************************************************************
TRAINING UPDATE
--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017
--SANS Southern California - Anaheim 2017 | Anaheim, CA |February 6-11, 2017 | https://www.sans.org/event/anaheim-2017
--SANS Munich Winter 2017 | Munich, Germany | February 13-18, 2017 | https://www.sans.org/event/munich-winter-2017
--SANS Secure Japan 2017 | Tokyo, Japan | February 13-25, 2017 | https://www.sans.org/event/secure-japan-2017
--SANS Secure Singapore 2017 | Singapore, Singapore | March 13-25, 2017 | https://www.sans.org/event/secure-singapore-2017
--SANS Pen Test Austin 2017 | March 27-April 1 | https://www.sans.org/event/pentest2017
--SANS 2017 | Orlando, FL | April 7-14 | https://www.sans.org/event/sans-2017
--SANS Online Training: Get an iPad Pro, Samsung Galaxy Tab S2, or $500 off with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.
--Single Course Training SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/
***************************************************************************
TOP OF THE NEWS
More Databases Targeted By Ransomware Attacks (January 19, 2017)
Ransomware groups that have targeted MongoDB databases and Elasticsearch clusters are expanding their scope to include Hadoop and CouchDB data storage technologies. The Hadoop attacks are leaving behind messages telling admins to do a better job of securing their deployments. The CouchDB attacks have been demanding 0.1 bitcoins to return the data. Paying the ransom is unadvisable because previous attacks have not returned the wiped data.[Editor Comments ]
[Paller ]
For more than five years, widely used web content management systems (WordPress, et al.) have offered fertile gardens of vulnerable code for attackers to use to take control of many organizations' computers. Now the attackers have found that data storage systems are ripe for exploitation. There is an easy-to-discern pattern here of entrepreneurial organizations (open source included) attracting huge numbers but putting off security until it is too late to bake it in.
Read more in:
Computerworld: Attackers start wiping data from CouchDB and Hadoop databases
-http://computerworld.com/article/3159545/security/attackers-start-wiping-data-fr
om-couchdb-and-hadoop-databases.html
The Register: Insecure Hadoop installs next in 'net scum crosshairs
-http://www.theregister.co.uk/2017/01/19/insecure_hadoop_installs_under_attack/
Oracle's Mammoth Security Update (January 18, 2017)
Oracle's first quarterly security patch update for 2017 comprises fixes for 270 vulnerabilities. The majority of the flaws are remotely exploitable. Oracle's E-Business Suite tops the list with 121 fixes, followed by 37 in Oracle Financial Services, and 18 in Oracle Fusion Middleware.[Editor Comments ]
[Pescatore ]
Unfortunately, this is really just an average-sized set of vulnerability fixes for Oracle, with no sign of any trending in a positive direction. The volume and the impact of Oracle's patch dumps, combined with demands for reduced duration of change windows in data centers, often leads to looong times before IT operations actually update servers. A number of forward looking enterprises are using IaaS services like AWS or Azure to spin up full production copies of systems (with obfuscated data) to shorten patch testing cycles and shorten that vulnerability window.
Read more in:
ZDNet: Oracle's monster security update: 270 fixes and over 100 remotely exploitable flaws
-http://www.zdnet.com/article/oracles-monster-security-update-270-fixes-and-over-
100-remotely-exploitable-flaws/
V3: Oracle issues a whopping 270 security fixes
-http://www.v3.co.uk/v3-uk/news/3002822/oracle-issues-a-whopping-270-security-fix
es
Computerworld: Oracle patches raft of vulnerabilities in business applications
-http://computerworld.com/article/3158694/security/oracle-patches-raft-of-vulnera
bilities-in-business-applications.html
KrebsOnSecurity Publishes Detailed Account of Tracking Down Mirai Author (January 18, 2017)
Brian Krebs has traced the origin of the Mirai botnet, which was used to launch massive distributed denial-of-service (DDoS) attacks against his website last September, to the New Jersey owner of a DDoS mitigation company. The attacks forced the KrebsOnSecurity website offline for several days. Mirai exploits poorly secured Internet of Things (IoT) devices to launch its attacks.Read more in:
KrebsOnSecurity: Who is Anna-Senpai, the Mirai Worm Author?
-https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
*************************** SPONSORED LINKS *****************************
1) Join this webinar for a discussion of cloud security benchmarks for 2017 based on Skyhigh's newly published Cloud Adoption & Risk Report. Register: http://www.sans.org/info/191642
2) SANS 2017 Threat Hunting Survey - Is threat hunting proactive, reactive or both? Tell us in this SANS survey: http://www.sans.org/info/191647
3) SANS 2017 SOC Survey is NOW OPEN - It takes a village to protect today's networks from cyber threats. Tell us how your organization is accomplishing these tasks and enter to win a $400 Amazon gift card! Survey link: http://www.sans.org/info/191652
******************************************************************************
THE REST OF THE WEEK'S NEWS
U.S. Air Force's Prattle Would Take Honeypots to the Next Level (January 19, 2017)
The U.S. Air Force's Prattle program aims to "transform... the traditional 'honeypot' method of catching hackers." Rather than simply disguising a honeypot as a network that hackers will try to access, Prattle will provide misinformation that could lead intruders to unimportant parts of the network, delaying them from getting to the sensitive data. They could also provide documents that are fake or that contain digital watermarks.[Editor Comments ]
[Honan ]
Honeypots if used properly can be a great proactive security resource. ENISA (the European Union Agency for Network and Information Security) have an excellent resource on using honeypots called "Proactive detection of security incidents II - Honeypots" at
-https://www.enisa.europa.eu/publications/proactive-detection-of-security-inciden
ts-II-honeypots
Read more in:
Federal News Radio: Loose lips may better Air Force security with 'Prattle'
-http://federalnewsradio.com/air-force/2017/01/loose-lips-may-better-air-force-se
curity-prattle/
Rush to Save Climate Change Data Before New Administration (January 19, 2017)
Scientists, librarians, archivists, and hackers have been working feverishly to preserve climate change data stored on the websites of the Environmental Protection Agency (EPA) and the National Oceanic and Atmospheric Administration (NOAA). The incoming U.S. administration is likely to remove much of the information from the public domain.Read more in:
Wired: Rogue Scientists Race to Save Climate Change Data From Trump
-https://www.wired.com/2017/01/rogue-scientists-race-save-climate-data-trump/
"Old-School" Malware Found Targeting Biomedical Firms' Systems (January 18 & 19, 2017)
Malwarebytes researchers have found code on Macs that appears to target biomedical research companies. Dubbed Quimitchin by Malwarebytes and Fruitfly by Apple, the malware appears to have been infecting machines for at least two years. What is particularly curious about Fruitfly is that is contains very old coding functions. It is also built with Linux shell commands. Fruitfly takes screenshots and webcam images and harvests information about devices connected to the infected computer. Apple has released a fix to protect against Fruitfly infections; the update will be automatically downloaded.Read more in:
Dark Reading: Old-School Mac OS Malware Spotted Targeting Biomedical Industry
-http://www.darkreading.com/endpoint/old-school-mac-os-malware-spotted-targeting-
biomedical-industry/d/d-id/1327936?
Computerworld: Mac malware is found targeting biomedical research
-http://computerworld.com/article/3159136/malware-vulnerabilities/mac-malware-is-
found-targeting-biomedical-research.html
The Register: 'Ancient' Mac backdoor discovered that targets medical research forms
-http://www.theregister.co.uk/2017/01/18/mac_malware/
Ars Technica: Newly discovered Mac malware found in the wild also works well on Linux
-http://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-ci
rculated-in-the-wild-for-2-years/
Malwarebytes: New Mac backdoor using antiquated code
-https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-ant
iquated-code/
Sweden is Testing Ambulance Alert System That Interrupts Car Radios (January 18, 2017)
Sweden is testing a system that would interrupt car radios when ambulances are nearby and need to get past. The system, which operates over an FM radio signal, also sends a message to the radio display. The ambulance alert system will give drivers more time to move out of the ambulance's path.Read more in:
BBC: Ambulances to jam car radios in Sweden
-http://www.bbc.com/news/technology-38650441
Disgruntled Former Employee Extortion Leads To $250,000 Fine (January 18, 2017)
Triano Williams, a former IT administrator at the American College of Education, changed the administrator password on a Google account used by the college before leaving his position. The affected account held email and course material for more than 2,000 students. When the school contacted Google to regain access to the account, they were told the account could be recovered only by the owner, in this case, Williams. When the school contacted Williams, he filed a complaint seeking "a clean letter of reference and payment of $200,000" in exchange for helping recover the account password. The school filed a suit against Williams, which resulted in a default judgment of nearly USD 250,000.[Editor Comments ]
[Williams ]
I keep hearing this reported as an extortion story, but that's missing the point. In this case, the school allowed the admin to build critical services on an account he owned. In my practice I've seen this more than once with Dropbox and more recently with Amazon Web Services. This is really an extension of BYOD where the organization does not clearly delineate between its assets and those of its employees. Organizations should use the momentum (hopefully) created by this story to audit accounts used for business processes (correcting issues where required).
[Honan ]
This is a good example as to why you need to have a policy in place with employees to ensure that any social media accounts or accounts used to access third party services and any associated data are the property of the organisation and not the employee.
Read more in:
The Register: College fires IT admin, loses access to Google email, successfully sues IT admin for $250,000
-http://www.theregister.co.uk/2017/01/18/school_fires_sues_it_admin/
Tripwire: Fired IT Employee Demands $200K in Exchange for Unlocking Data
-https://www.tripwire.com/state-of-security/latest-security-news/fired-employee-d
emands-200k-exchange-unlocking-data/#.WH90Yiy7-lM.twitter
Researchers, Experts Develop Remote Software Update Protocol for Cars (January 18, 2017)
A team of experts and researchers from New York University's Tandon School of Engineering and University of Michigan's Transport Research Institute have developed a protocol that will allow code embedded in vehicle components to be remotely updated. Some major car manufacturers have already implemented systems to update and fix vehicle software over Wi-Fi or cellular connections.[Editor Comments ]
[Pescatore ]
The technical issues around confidentiality/integrity/availability of any over-the-air update protocol are really important. Decisions about what is an acceptable "update" are equally important from a security perspective and from other issues - like fraud. We know mixing new features with vulnerability fixes is a bad idea, but in the consumer industry that has been the norm. We know at least 2 large car manufactures have routinely included software in their products to cheat on emission tests - over the air updates could enable more of that. The auto industry (or if not those companies, their regulators) needs to define standards of practice around OTA updates.
[Honan ]
Why does the phrase "what could possibly go wrong" come to mind when I see the phrase "will allow code embedded in vehicle components to be remotely updated"? I sincerely hope the protocol being developed includes security measures to prevent this from being abused.
[Northcutt ]
Its not new, but the Wired Magazine story says it best. I am seriously considering an old school pony car with points and condensers:
-https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
Read more in:
CS Monitor: Are software updates key to stopping criminal car hacks?
-http://www.csmonitor.com/World/Passcode/2017/0118/Are-software-updates-key-to-st
opping-criminal-car-hacks
Webmaster Used Backdoor to Steal Data (January 17 & 18, 2017)
A webmaster in the Netherlands built backdoors into sites he created and used the access to steal site visitors' personal data. Dutch police are warning 20,000 people that their email accounts were compromised. The data thief used the information to make purchases, open online accounts, and receive fraudulent money transfers.[Editor Comments ]
[Williams ]
The unfortunate reality is that while theft is relatively uncommon, backdoors are extremely common. A relatively simple audit can uncover issues before code is deployed.
Read more in:
The Register: Dodgy Dutch developer built backdoors into thousands of sites
-http://www.theregister.co.uk/2017/01/17/police_warn_of_dutch_developer_who_built
_backdoors_for_carding/
Computerworld: Thousands warned they may be victims of rogue webmaster
-http://www.bbc.com/news/technology-38663392
US CERT Warns of Possible Zero-Day Attack Targeting Server Message Block (January 16 & 18, 2017)
US-CERT is recommending that Windows admins take steps to protect their systems from a possible zero-day exploit targeting a vulnerability in Windows Server Message Block (SMB). Admins are advised to disable SMB v. 1 and block SMB traffic at the network boundary. The US-CERT advisory notes "that disabling or blocking SMB may create problems by obstructing access to shared files, data or devices. The benefits of mitigation should be weighted against potential disruptions to users."Read more in:
The Register: Kill it with fire: US-CERT warns admins of Server Message Block
-http://www.theregister.co.uk/2017/01/18/uscert_warns_admins_to_kill_smb_after_sh
adow_brokers_dump/
Softpedia: US-CERT Warns of Zero-Day Windows Exploit Owned by Shadow Brokers
-http://news.softpedia.com/news/us-cert-warns-of-zero-day-windows-exploit-owned-b
y-shadow-brokers-511990.shtml
US CERT Advisory: SMB Security Best Practices
-https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Pract
ices
Access Tokens and API Keys Found in Android Apps (January 17, 2017)
Researchers examined thousands of Android apps and found that some contained embedded access tokens and API keys. Of the 16,000 apps analyzed, 2,500 were found to contain hard-coded secret credentials. Roughly 300 of the apps contained credentials for sensitive accounts, including Twitter, Dropbox, Flickr, and Amazon Web Services.Read more in:
ZDNet: Secret tokens found hard-coded in hundreds of Android apps
-http://www.zdnet.com/article/secret-tokens-found-hard-coded-in-hundreds-of-andro
id-apps/
The Register: Devs reverse-engineer 16,000 Android apps, find secrets and keys to AWS accounts
-http://www.theregister.co.uk/2017/01/17/hackers_reverse_16000_apps_find_secrets_
and_keys_for_aws_others/
Computerworld: Access tokens and keys found in hundreds of Android apps
-http://computerworld.com/article/3158494/security/access-tokens-and-keys-found-i
n-hundreds-of-android-apps.html
INTERNET STORM CENTER TECH CORNER
domain_stats.py: A Web API For SEIM Phishing Hunts;-https://isc.sans.edu/forums/diary/domainstatspy+a+web+api+for+SEIM+phishing+hunt
s/21943/
Multiple RCE in ZyXEL/Billion/True Online Routers
-http://seclists.org/fulldisclosure/2017/Jan/40
Dovecot Passes Security Audit
-https://wiki.mozilla.org/images/4/4d/Dovecot-report.pdf
Dutch Web Developers Left Backdoors Behind
-http://www.theregister.co.uk/2017/01/17/police_warn_of_dutch_developer_who_built
_backdoors_for_carding/
Mobile Applications Contain Secrets
-https://hackernoon.com/we-reverse-engineered-16k-apps-heres-what-we-found-51bdf3
b456bb
US-Cert Considers Netbios/SMBv1 Harmful
-https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Pract
ices
IPv6 Atomic Fragments Can Lead to DDoS Attack
-https://tools.ietf.org/html/rfc8021
Facebook Was Affected by ImageTragick Flaw
-http://4lemon.ru/2017-01-17_facebook_imagetragick_remote_code_execution.html
Malwarebytes Identifies Old Mac Backdoor
-https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-ant
iquated-code/
Oracle Quarterly Critical Patch Update
-http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html#Appe
ndixJAVA
Open Hadoop Instances Are at Risk
-http://www.threatgeek.com/2017/01/open-hadoop-installs-wiped-worldwide.html
Upcoming SHA-1 Deadlines
-https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web
/
Google "Verify Apps" Algorithm
-https://blog.google/topics/connected-workspaces/silence-speaks-louder-words-when
-finding-malware/
Practical JSONP Injection
-https://securitycafe.ro/2017/01/18/practical-jsonp-injection/
Necurs Decline Hurting Loky Distribution
-http://blog.talosintel.com/2017/01/locky-struggles.html
***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board