
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #69

August 25, 2017

TOP OF THE NEWS


FDA Approves Pacemaker Patch, Announces Recall of Abbott/St. Jude Medical Devices
DoD Cyber Workforce Pay Changes
DHS Amps Up Cyber Supply Chain Risk Management
Lawmakers Seek Probe of Post-Breach Identity Theft Services

THE REST OF THE WEEK'S NEWS


Spam Bot Holds Massive Trove of eMail Addresses
Siemens Releases Fixes for One of Two Flaws in LOGO!
Turla Targeting Embassies and Consulates with Gazer Backdoor
Kaspersky Report Describes Alleged Russian Cyber Espionage Group Activity
Chinese Cyber Espionage Efforts Targeting Vietnamese Organizations
Arris Modems Have Hardcoded Backdoors

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By WireX Systems ********************

WireX Systems officials think they have found the way to slash the time it takes to spot an intruder by making it easier for mere mortals to read and understand network traffic and identify early signs of a breach. Register for this webcast to learn more: http://www.sans.org/info/197875

*****************************************************************************

TRAINING UPDATE

-- SANS Network Security | Las Vegas, NV | September 10-17 | https://www.sans.org/event/network-security-2017

-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017

-- SANS Baltimore Fall 2017 | September 25-30 | https://www.sans.org/event/baltimore-fall-2017

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS OnDemand and vLive Training | Get an iPad Pro (10.5") with Smart Keyboard, an HP Chromebook 13 G1 or take $350 Off OnDemand or vLive Training when you register by August 30! https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

*****************************************************************************

TOP OF THE NEWS

FDA Approves Pacemaker Patch, Announces Recall of Abbott/St. Jude Medical Devices (August 30, 2017)

The US Food and Drug Administration (FDA) has announced a recall of more than 450,000 pacemakers because they require a firmware update to address several security issues. The recall applies to several models of pacemakers manufactured by Abbott, formerly known as St. Jude Medical. Patients must visit their doctor's office where the update can be installed while the device is in backup mode. The flaws could be exploited to gain unauthorized access to vulnerable devices and issue commands to modify the pacemaker's settings and functionality.

[Editor Comments]

[Neely] Pacemakers have been controlled/managed using an RF signal for a long time, and the intended range is measured in inches. Exploiting these vulnerabilities requires the attacker to be very close (under 50 feet) to the pacemaker. There is no publicly available exploit at this time. The firmware update addresses authentication and power control regulation vulnerabilities as well as encryption of sensitive data. The notice from Abbott Laboratories details the risks associated with the firmware update and advises patients to work with their doctor to make a risk-based decision on the update. This highlights the logistical complications of applying IoT updates and the need for strong security and SDLC practices, particularly for medical devices, despite pressure to deliver to market as fast as possible.

[Northcutt] Abbott said they wanted to be the leader in the medical device area; I doubt this is what they meant. This is the vulnerability published by Muddy Waters about a year ago that St. Jude/Abbott labeled "false and misleading". According to a CSO article by Roger Grimes, 25% of released patches never get applied; that would be ~116k human hearts in the USA alone.
http://abbott.mediaroom.com/2017-01-04-Abbott-Completes-the-Acquisition-of-St-Jude-Medical
http://www.csoonline.com/article/3025807/data-protection/why-patching-is-still-a-problem-and-how-to-fix-it.html

Read more in:

Bleeping Computer: Welcome to 2017: Pacemaker Patients Told to Visit Doctors to Receive Security Patches https://www.bleepingcomputer.com/news/security/welcome-to-2017-pacemaker-patients-told-to-visit-doctors-to-receive-security-patches/
SC Magazine: Abbott Laboratories securing vulnerable pacemakers with firmware and software updates https://www.scmagazine.com/abbott-laboratories-securing-vulnerable-pacemakers-with-firmware-and-software-updates/article/685215/
ZDNet: FDA issues recall of 465,000 St. Jude pacemakers to patch security holes http://www.zdnet.com/article/fda-forces-st-jude-pacemaker-recall-to-patch-security-vulnerabilities/
Ars Technica: 465k patients told to visit doctor to patch critical pacemaker vulnerability https://arstechnica.com/information-technology/2017/08/465k-patients-need-a-firmware-update-to-prevent-serious-pacemaker-hacks/
Dark Reading: St. Jude Pacemaker Gets Firmware Update 'Intended as a Recall' https://www.darkreading.com/iot/st-jude-pacemaker-gets-firmware-update-intended-as-a-recall-/d/d-id/1329769?
FDA Advisory: Firmware Update to Address Cybersecurity Vulnerabilities Identified in Abbott's (formerly St. Jude Medical's) Implantable Cardiac Pacemakers: FDA Safety Communication https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm
ICS-CERT Advisory: Abbott Laboratories' Accent/Anthem, Accent MRI, Assurity/Allure, and Assurity MRI Pacemaker Vulnerabilities https://ics-cert.us-cert.gov/advisories/ICSMA-17-241-01

DoD Cyber Workforce Pay Changes (August 30, 2017)

The US Defense Department (DoD) has published new regulations to help improve the government's ability to attract, hire, and retain talented cybersecurity personnel. If agencies are recruiting for a Cyber Excepted Service (CES) position, for example, they are permitted to advertise the position through "any legal means," rather than be limited to the usual avenues.

[Editor Comments]

[Northcutt/Paller] This would be a year in the making, with details published by August 2016. It looks like the first 3,000 employees will be transfers, not new hires, and maybe focused on background checking.
https://federalnewsradio.com/defense/2017/06/pentagon-nearly-ready-to-implement-new-personnel-system-for-cyber-workforce/
https://federalnewsradio.com/dod-reporters-notebook-jared-serbu/2016/08/dod-targets-3000-civilian-workers-for-new-cyber-excepted-service/

Read more in:

FNR: DoD issues rules setting up new pay, personnel system for cyber workforce https://federalnewsradio.com/dod-reporters-notebook-jared-serbu/2017/08/dod-issues-rules-setting-up-new-pay-personnel-system-for-cyber-workforce/
DoD: DoD Civilian Personnel Management System: Cyber Excepted Service (CES) Introduction http://fedne.ws/uploads/JiD1mdkwCP

DHS Amps Up Cyber Supply Chain Risk Management (August 30, 2017)

The US Department of Homeland Security has updated its CDM (Continuous Diagnostics and Mitigation) supply chain risk management plan. The changes are aimed at alleviating concern about the origins of the cyber security products that agencies are using.

[Editor Comments]

[Pescatore] While this is still a YASAQ (Yet Another Self-Assessment Questionnaire), I'm a big fan of GSA/DHS doing this. The first two questions are basically (1) "Do you have a Secure Development Lifecycle? If so, where is the documentation?" and (2) "Do you test compiled code for known vulnerabilities? If so, where is the documentation?" For all software buys (not just security software like CDM), if a vendor can't say "Yes, and here's the proof" to both questions, you shouldn't be buying from them.

[Henry] Adversaries across the spectrum have looked to exploit the supply chain as an attack vector to achieve their ultimate objective for years. Nation-states, in particular, have actively targeted the supply chain for access. The US government, under the Comprehensive National Cybersecurity Initiative (CNCI), identified this vulnerability, and has had a program in place to actively mitigate it. Those efforts have had some success, but the government must work collaboratively and aggressively across all agencies and with the private sector to identify and disrupt this critical threat.

[Murray] While it is relatively easy to do by design and intent, few products are designed and implemented in a way that makes it possible, much less efficient, to demonstrate by inspection that they do only what is intended and advertised, that is, that they do nothing covert or malicious. This makes "supply chain risk management" inefficient. That said, to the extent that the DHS program is effective in reducing risk to Federal agencies, we all benefit.

Read more in:

FNR: Cyber products to get further scrutiny under new DHS plan https://federalnewsradio.com/cybersecurity/2017/08/cyber-products-to-get-further-scrutiny-under-new-dhs-plan/
GSA: Continuous Diagnostics and Mitigation (CDM) Approved Products List (APL) Supply Chain Risk Management (SCRM) Plan https://www.gsa.gov/portal/getMediaData?mediaId=167734

Lawmakers Seek Probe of Post-Breach Identity Theft Services (August 30, 2017)

US legislators are seeking further investigation into the efficacy of credit monitoring services that are routinely offered to data breach victims. Three US congressmen have asked US Comptroller General Gene Dodaro to further investigate issues raised in a March 2017 report from the Government Accountability Office (GAO). Among the questions raised: Are some credit monitoring services more effective than others? Is credit monitoring the best response? And are there other measures that could be taken to protect data theft victims from fraud?

[Editor Comments]

[Pescatore] Those are very good questions to ask. The discrepancy in the title "...Identity Theft Services" and the body of the article "...credit monitoring services" points out the main issue. Many, probably most, of these services just repackage free credit reports and monitoring info and provide little or no added value that is at all related to "identity theft protection."

Read more in:

The Hill: Watchdog pressed to probe post-data breach services http://thehill.com/policy/cybersecurity/348605-watchdog-pressed-to-probe-post-breach-services
Letter: https://democrats-energycommerce.house.gov/sites/democrats.energycommerce.house.gov/files/GAO.2017.08.30.%20Letter%20re%20previous%20report%20and%20request%20on%20data%20breaches.DCCP_.OI_.pdf
GAO: IDENTITY THEFT SERVICES: Services Offer Some Benefits but Are Limited in Preventing Fraud (PDF) https://www.gao.gov/assets/690/683842.pdf

*************************** SPONSORED LINKS *******************************
1) In case you missed it: "Turning Threat Data into Threat Intel Using Automated Analysis" http://www.sans.org/info/197880
2) "Asking the Right Questions about Dynamic Scanning to Secure Web Applications: A Buyer's Guide to App Sec Scanning Tools" Register: http://www.sans.org/info/197885
3) Security teams must stay ahead of modern day attacks by challenging their defenses automatically, continuously and at scale with breach and attack simulation. Learn More: http://www.sans.org/info/197890
*****************************************************************************

THE REST OF THE WEEK'S NEWS

Spam Bot Holds Massive Trove of eMail Addresses (August 29 & 30, 2017)

Researchers have found a spam bot that contains hundreds of thousands of email addresses, passwords, SMTP credentials, and configuration data. The spam bot, which is known as Onliner, has been used to spread the Ursnif banking Trojan.

Read more in:

The Register: 'Open and accessible' spambot server leaks 711 million records http://www.theregister.co.uk/2017/08/30/spambot_leak/
ZDNet: 711 million email addresses ensnared in 'largest' spambot http://www.zdnet.com/article/onliner-spambot-largest-ever-malware-campaign-millions/
BBC: Giant spambot scooped up 711 million email addresses http://www.bbc.com/news/technology-41095606
Threatpost: Spambot Contains 'Mind-Boggling' Amount of Email, SMTP Credentials https://threatpost.com/spambot-contains-mind-boggling-amount-of-email-smtp-credentials/127722/

Siemens Releases Fixes for One of Two Flaws in LOGO! (August 30 & 31, 2017)

Siemens has released an update for its LOGO! 8 BM devices to address a vulnerability that could be exploited to hijack existing web sessions. The flaw affects versions of the universal logic module older than 1.81.2. A second known flaw in the same module has not been patched. That flaw could be exploited to launch a man-in-the-middle attack and possibly decrypt and modify traffic. While Siemens has not provided a fix for this issue, the company does offer suggestions for mitigation. Siemens has also warned of flaws in other products.

Read more in:

The Register: Siemens patches one security vuln, leaves folks to block second http://www.theregister.co.uk/2017/08/31/siemens_patches_one_vuln_leaves_customers_to_block_second/
Threatpost: Siemens Fixes Session Hijacking Bug in Logo!, Warns Of Man-in-the-Middle Attacks https://threatpost.com/siemens-fixes-session-hijacking-bug-in-logo-warns-of-man-in-the-middle-attacks/127728/
Siemens: SSA-087240: Vulnerabilities in SIEMENS LOGO! (PDF) https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-087240.pdf

Turla Targeting Embassies and Consulates with Gazer Backdoor (August 30, 2017)

The Turla Russian advanced persistent threat (APT) group has reportedly been using a backdoor to spy on computers at diplomatic offices in Europe, Asia, and South America. ESET, which detected Gazer, believes it has been in use since 2016. Turla uses spear phishing and watering hole attacks to spread its malware.

Read more in:

ZDNet: Stealthy malware targets embassies in snooping campaign http://www.zdnet.com/article/this-stealthy-malware-targets-embassies-in-snooping-campaign/
Cyberscoop: Researchers uncover maze of hidden backdoors in European embassy and ministry systems https://www.cyberscoop.com/gazer-backdoor-turla-eset-2017/?category_news=technology
Threatpost: Turla APT Used Whitebear Espionage Tools Against Defense Industry, Embassies https://threatpost.com/turla-apt-used-whitebear-espionage-tools-against-defense-industry-embassies/127737/
Bleeping Computer: New Backdoor Trojan Deployed in Cyber-Espionage Campaign Targeting Embassies https://www.bleepingcomputer.com/news/security/new-backdoor-trojan-deployed-in-cyber-espionage-campaign-targeting-embassies/

Kaspersky Report Describes Alleged Russian Cyber Espionage Group Activity (August 30, 2017)

A report from Kaspersky Lab details a cyber espionage operation allegedly orchestrated by a Russian advanced persistent threat (APT) group.

[Editor Comments]

[Williams] This is almost certainly the Russian government intelligence services that Kaspersky is reporting on. This is incongruous with FBI and US IC claims that Kaspersky is cooperating with Russian intelligence services. The report itself is interesting and the malware shows a level of development sophistication almost exclusively seen with nation-state groups.

[Murray] Kaspersky, man and firm, have been respected, responsible, and contributing members of the world-wide security community for more than a quarter of a century. Their relationship to the Russian state is no more nefarious than that of any US corporate citizen to the US state. Unless and until the US government produces evidence, I will consider their derogation of Kaspersky to be political propaganda.

Read more in:

Cyberscoop: Kaspersky exposes apparent Russian cyber-espionage operation amid U.S. criticism https://www.cyberscoop.com/kaspersky-whitebear-turla-russia/?category_news=technology
Securelist: Introducing WhiteBear https://securelist.com/introducing-whitebear/81638/

Chinese Cyber Espionage Efforts Targeting Vietnamese Organizations (August 31, 2017)

Cyber espionage operations emanating from China have been targeting companies in Vietnam, according to FireEye. The evidence suggests the origin of the attacks is China, because a previously identified Chinese espionage group had used the same attack infrastructure. The attacks in Vietnam are targeting both government and private sector organizations.

Read more in:

Reuters: Chinese cyber spies broaden attacks in Vietnam, security firm says http://www.reuters.com/article/us-vietnam-china-cyber-idUSKCN1BB0I5

Arris Modems Have Hardcoded Backdoors (August 31, 2017)

Researchers have detected five security flaws in Arris modem firmware. Three of the vulnerabilities are hardcoded backdoors. The flaws appear to affect discontinued models of Arris modems, meaning they are not available for purchase. However, researchers believe there are more than 200,000 of the routers online.

Read more in:

Bleeping Computer: Three Hardcoded Backdoor Accounts Discovered in Arris Modems https://www.bleepingcomputer.com/news/security/three-hardcoded-backdoor-accounts-discovered-in-arris-modems/

INTERNET STORM CENTER TECH CORNER

Another Chrome Extension Banking Malware

https://isc.sans.edu/forums/diary/Second+Google+Chrome+Extension+Banker+Malware+in+Two+Weeks/22766/

Vulnerable Docker VM

https://www.notsosecure.com/vulnerable-docker-vm/

Large Spam E-Mail and Password List Discovered

https://www.troyhunt.com/inside-the-massive-711-million-record-onliner-spambot-dump/

IoT Gear Affected by ConnMan Vulnerability

http://connmando.nri-secure.co.jp/index.html

Trickbot Going After Coinbase

https://blogs.forcepoint.com/security-labs/trickbot-goes-after-cryptocurrency

Pacemakers Need Patch

https://www.fda.gov/MedicalDevices/Safety/AlertsandNotices/ucm573669.htm

Inaudible Voice Commands

https://arxiv.org/pdf/1708.07238.pdf

Is Remote Work Feasible in a SOC?

https://isc.sans.edu/forums/diary/Remote+SOC+Workers+Concerns/22772/

Linux Random Number Generator Reviewed

https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Studien/LinuxRNG/LinuxRNG_EN.pdf?__blob=publicationFile&v=5

Adobe Acrobat and Reader Security Patch

https://blogs.adobe.com/psirt/?p=1484

Turning Speakers into Microphones

https://www.usenix.org/system/files/conference/woot17/woot17-paper-guri.pdf

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create