SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #71
September 8, 2017Most news outlets are highlighting the Equifax (and Time Warner) breaches, but the power grid intrusions are far more dangerous. As Bill Murray suggests, these intrusions should be the subject of immediate Congressional hearings.
Alan
TOP OF THE NEWS
US Power Grid Intrusions - Dragonfly Hacking Group
Equifax Breach Affects Up to 143 Million; Did Execs Sell Stock Before Disclosing the Breach?
Time Warner Cable Data Breach
THE REST OF THE WEEK'S NEWS
MongoDB Databases Targeted in Ransomware Attacks
NIST Published Draft Ransomware Guidelines
Chrome 61 Includes Support for WebUSB
EU Cyber Defense War Games
Android Releases September Update
Apache Struts Vulnerability Fixed
Clarification: Extradited Hacker Charges
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Veracode *******************************Dont' Miss: "Asking the Right Questions about Dynamic Scanning to Secure Web Applications: A Buyer's Guide to App Sec Scanning Tools" with SANS Expert, Barbara Filkins. Learn More: http://www.sans.org/info/198205
***************************************************************************TRAINING UPDATE
-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017
-- SANS Baltimore Fall 2017 | September 25-30 | https://www.sans.org/event/baltimore-fall-2017
-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017
-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017
-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017
-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017
-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017
-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017
-- SANS Cyber Defense Initiative ® 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017
-- SANS OnDemand and vLive Training | Get a GIAC Certification Attempt or $350 Off your OnDemand or vLive course when you register by September 13! https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
TOP OF THE NEWS
--US Power Grid Intrusions - Dragonfly Hacking Group (September 6, 2017)
According to a report from Symantec, intruders gained access to power grid system in the US. The group responsible for the attacks is known as Dragonfly. The group has been active since at least 2011. In the recent string of attacks, Dragonfly appears to have gained operational access to some systems, meaning they could have caused power outages.[Editor Comments]
[Assante] This is the first credible evidence of intruder success associated with what was believed to be an electricity-focused cyber access campaign. The evidence indicates intrusions/footholds have escalated into some attacker freedom of movement and action. According to Symantec, exfiltrated files include screen captures of HMIs (a workstation or device with ICS software running on it) . Using the SANS ICS Kill-Chain Model to provide context, a number of power system entities have experienced successful stage one cyber intrusions that probably included gap-jumping (circumvented in place protections) into operational environments. This does not mean sabotage or disruption of power is imminent or even possible. The attacker's may simply be gathering information, but possession of that information is a key enabler for developing a concept to attack a system (possibly like what has occurred in Ukraine). Although the electric grid in North America has pursued cybersecurity and operational reliability improvements for well over a decade, it is still a challenge for asset owners and operators to defend complex control system environments from capable adversaries. SANS subject matter experts have faced these challenges and work with students from across the electric industry to teach the foundations of cybersecurity in operational environments, and how to implement NERC CIP regulations in a manner that support the reliability mission. Join the team of electric system cyber operators and defenders in SANS ICS456
[Henry] There's no surprise here, as this isn't a new revelation. The US government has put out multiple reports on this and similar-type activity, including a DHS alert from December of 2014 describing this in some detail, stating this activity goes back to 2011. What is amazing is the lack of broad coverage of this by the media, and the ongoing absence of urgency and execution to have it successfully resolved. We can't wait until the lights go out to address this.
[Murray] The power systems are the Achilles Heel of our economy. They are unstable at best and require constant monitoring and control to compensate for changes in supply and load and inevitable component failures. The attachment of their controls to the public networks is both necessary for the efficiency of the grid and vulnerable to leakage of intelligence about the grid and to potential misuse of those controls. The identification of attacks against and compromises of those controls and the hardening of those controls against misuse should be the highest priority of the DHS, indeed the justification for its very existence. Moreover, as we modernize the grid, resilience in the face of malicious use of controls should be a priority. [One sympathizes with Cassandra.]
Read more in:
Wired: Hackers Gain Direct Access to US Power Grid Controls
https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/
The Register: Energy sector biz hackers are back and badder than ever before
http://www.theregister.co.uk/2017/09/06/energy_sector_attacks/
Fifth Domain: Resurgent hackers target energy sector
http://www.fifthdomain.com/critical-infrastructure/2017/09/07/resurgent-hackers-target-energy-sector/
Symantec: Dragonfly: Western energy sector targeted by sophisticated attack group
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
--Equifax Breach Affects Up to 143 Million; Did Execs Sell Stock Before Disclosing the Breach? (September 7, 2017)
US credit bureau Equifax has acknowledged a breach that may have compromised as many as 143 million records. The exposed data include Social Security numbers (SSNs), birth dates, and driver's licenses. The breach also compromised payment card numbers of more than 200,000 consumers. Equifax detected the breach in late July and hired a forensics company to investigate the incident. The latest reports say that three Equifax senior executives sold nearly 1.8 million USD worth of company shares before the breach was publicly disclosed.[Editor Comments]
[Neely] Joff Thyer estimated this breach impacts 57% of adult Americans. Equifax set up a web site to allow you to check whether you are impacted, but it requires the last six digits of your SSN, and suggests returning regularly to make sure your status hasn't changed. Taking action to establish credit monitoring and lock your credit profile would be more prudent.
[Pescatore] 2017 had been shaping up as a year where we would actually see fewer records exposed than 2016, even though the number of breaches would be significantly higher. This mega-breach, reportedly enabled by exposed web application vulnerabilities, will change that. Since this breach will get high visibility, security managers should use this as leverage to reduce vulnerabilities in all web facing applications, starting with application security testing/pen testing.
[Murray] This breach is in a class by itself and should invite immediate Congressional hearings regarding the legal regimes under which this target exists and its questionable business practices. It is not simply the sensitivity of the fields of data that were compromised but the exponential increase in sensitivity of those fields in combination. If Congress is to sanction the existence of these firms then there must be accountability. It is ironic that the credit bureaus make money off of the other victims of breaches including the OPM. It will be interesting to see what remedies Equifax offers to the subjects of the data.
[Williams] Beware of vendors offering magic bullet solutions in the coming days. At the moment, nobody not under NDA knows the full details of the breach, including what could have been done to stop it. That said, it is clear that Equifax has some security problems that persist to the present. Their website is printing stack traces when an error is encountered. This means that there are exceptions are unhandled (not ideal) and the stack trace gives potential attackers information about the application, which may help in exploitation. We also know that a trivial XSS vulnerability was reported on the Equifax site more than a year ago, but still has not been fixed (https://www.openbugbounty.org/reports/141440/). These two facts alone indicate that there is no web application firewall (WAF) or it is misconfigured. Additionally interesting, a new domain equihax.com was registered September 5, 2017 - before the breach had been publicly announced. Finally, an unverified actor has published a ransom message demanding 600 BTC ($2.7 million) before September 15th. The actor claims they will verify the breach with data samples and threatens to dump the entire database if the ransom is not received.
Read more in:
Reuters: Equifax says hack potentially exposed details of 143 million consumers
http://www.reuters.com/article/us-equifax-cyber/equifax-says-hack-potentially-exposed-details-of-143-million-consumers-idUSKCN1BI2VK
Bloomberg: Three Equifax Managers Sold Stock Before Cyber Hack Revealed
https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hack
The Hill: Equifax says hackers accessed up to 143 million US consumers' info
http://thehill.com/policy/cybersecurity/349707-equifax-says-hackers-accessed-info-on-up-to-143-million-us-consumers
KrebsOnSecurity: Breach at Equifax May Impact 143M Americans
https://krebsonsecurity.com/2017/09/breach-at-equifax-may-impact-143m-americans/
Equifax: Cybersecurity Incident & Important Consumer Information
https://www.equifaxsecurity2017.com/
--Time Warner Cable Data Breach (September 5, 2017)
Time Warner Cable (TWC), aka Spectrum, has acknowledged a data breach that exposed roughly four million customer records. A third-party contractor that manages TWC's web applications left AWS S3 storage buckets open to public access on the Internet. A similar situation was reported last week, when a TigerSwan vendor left an AWS S3 server containing military personnel data exposed.[Editor Comments]
[Neely] The Amazon IDP can be difficult to understand. In the past, dropping or weakening the ACL to make things work was an acceptable risk when the services were in your data center. Additionally, there seems to be a perception that S3 Buckets are accessed within your AWS VPC, which is not the case. Service administrators are still coming to terms with the consequences of this architecture, and until they do, expect more unwanted S3 access to be discovered. The risks can be mitigated a bit by regularly reviewing your AWS S3 configuration.
Read more in:
SC Magazine: Data breach exposes about 4 million Time Warner customer records
https://www.scmagazine.com/data-breach-exposes-about-4-million-time-warner-customer-records/article/686592/
The Register: Yet another AWS config fumble: Time Warner Cable exposes 4 million subscriber records
http://www.theregister.co.uk/2017/09/05/twc_loses_4m_customer_records/
*************************** SPONSORED LINKS ********************************
1) Join this webinar with IDC and Splunk to understand the State of Security Operations today. http://www.sans.org/info/198210
2) "EDR + NGAV Working Together: SANS Review of Carbon Black Cb Defense" Register: http://www.sans.org/info/198215
3) Security teams must stay ahead of modern day attacks by challenging their defenses automatically, continuously and at scale with breach and attack simulation. Learn More: http://www.sans.org/info/198220
******************************************************************************THE REST OF THE WEEK'S NEWS
--MongoDB Databases Targeted in Ransomware Attacks (September 4 & 5, 2017)
At least three groups of attackers wiped thousands of MongoDB databases last weekend, demanding a ransom of up to 0.15 bitcoin (approximately 650 USD) for the return of the data.[Editor Comments]
[Neely] A reminder to make sure you changed default security settings. This has been a busy year from an InfoSec perspective: S3, EternalBlue, MongoDB, Equifax, etc. which increases the likelihood of overlooking these basics.
[Williams] MongoDB has some pretty bad defaults. It's too easy to deploy in an insecure configuration. If MongoDB were a 727 cockpit, they'd have littered the control panels with "press here to crash plane" buttons.
Read more in:
SC Magazine: Labor Day ransomware attacks wipe 26,000 MongoDB databases
https://www.scmagazine.com/labor-day-ransomware-attacks-wipe-26000-mongodb-databases/article/686409/
ZDNet: MongoDB ransacking starts again: Hackers ransom 26,000 unsecured instances
http://www.zdnet.com/article/mongodb-ransacking-starts-again-hackers-ransom-26000-unsecured-instances/
Bleeping Computer: Massive Wave of MongoDB Ransom Attacks Makes 26,000 New Victims
https://www.bleepingcomputer.com/news/security/massive-wave-of-mongodb-ransom-attacks-makes-26-000-new-victims/
--NIST Published Draft Ransomware Guidelines (September 7, 2017))
The US National Institute of Standards and Technology's (NIST's) National Cybersecurity Center of Excellence (NCCOE) has published a draft guidance document titled Data Integrity: Recovering from Ransomware and Other Destructive Events. The guide "demonstrates how organizations can develop and implement appropriate actions following a detected cybersecurity event."[Editor Comments]
[Northcutt] We have all heard the ancient criticism of NIST cybersecurity publications, they tell you what to do, but not how. Not this time! Nice work on the "C" part of the document:
https://nccoe.nist.gov/publication/1800-11/VolC/
[Pescatore] [This is the 10th Cybersecurity Practice guide draft made public since NIST started developing the 1800 series in 2015. None have turned into final documents, not sure why. The 1800 series are deep dives into point security issues, presenting reference architectures and example product integrations as example solutions, with mapping back to the NIST Cybersecurity Framework. While there is good, detailed, practical information in many of the guides, putting out individual guides for individual issues leads to a "spending in depth" point solution approach, vs deploying common high value security services (a la the Critical Security Controls) that provide efficient and integrated services that deal with a wide range of real world threats.
Read more in:
SC Magazine: NIST develops guidelines for dealing with ransomware recovery
https://www.scmagazine.com/feds-release-guided-on-mitigating-ransomware-threats/article/687317/
NCCOE: Data Integrity: Recovering from Ransomware and Other Destructive Events
https://nccoe.nist.gov/publication/1800-11/index.html
--Chrome 61 Includes Support for WebUSB (September 6, 2017)
Google has begun rolling out Chrome 61 for Windows, Mac, and Linux. The newest version of the browser includes fixes for several high-severity vulnerabilities, as well as support for WebUSB, an API specification that allows that allows secure connections for atypical USB devices.[Editor Comments] [Stephen Northcutt] I am running 61.0.3163.79 on a Mac and all of my âusualâ suspect applications seem to be happy. Here is the highlighted list of fixes with a link to all 22:
https://chromereleases.googleblog.com/2017/09/stable-channel-update-for-desktop.html
http://www.askvg.com/download-google-chrome-latest-version/
Read more in:
ZDNet: Chrome 61 is now headed your way: Fixes 22 flaws, connects USB science kit to web
http://www.zdnet.com/article/chrome-61-patches-22-security-flaws-helps-uses-connect-usb-science-kit-to-the-web/
--EU Cyber Defense War Games (September 6, 2017)
Defense ministers from the European Union took part in a cyber war game last week. The exercise, defending against a simulated attack on an EU naval mission, included a social media disinformation campaign.[Editor Comments]
[Henry]The insertion of a propaganda campaign tactic into the exercise is appropriate, given multiple real-world examples of propaganda being implemented in adversary attack strategies. Defenders must constantly evaluate and change their training to quickly address developing offensive strategies, so they can be best prepared for real-world events. That's why you train, and you play the way you practice.
Read more in:
Reuters: Cyber alert: EU ministers test responses in first computer war game
http://www.reuters.com/article/us-eu-defence-cyber/cyber-alert-eu-ministers-test-responses-in-first-computer-war-game-idUSKCN1BI0HR
--Android Releases September Update (September 6, 2017)
Google's Android security bulletin for September includes fixes for 81 flaws, including 13 critical remote code execution vulnerabilities. Google has released over-the-air updates to Google devices. Patching non-Google devices is up to the device manufacturers.Read more in:
Threatpost: 13 Critical Remote Code Execution Bugs Fixed in September Android Update
https://threatpost.com/13-critical-remote-code-execution-bugs-fixed-in-september-android-update/127832/
Android: Android Security Bulletin-September 2017
https://source.android.com/security/bulletin/2017-09-01
--Apache Struts Vulnerability Fixed (September 5, 2017)
The Apache Software Foundation has released a fix for a critical remote code execution flaw in Apache Struts that could be exploited to take control of vulnerable systems. The issue affects all versions of Struts since 2008. Developers should upgrade to Apache Struts v.2.5.13.[Editor Comments]
[Williams] This is another drop everything and patch kind of vulnerability. If you haven't patched a publicly facing server yet, assume breach at this point. Patch and perform threat hunting. Pay special attention to source files in the webroot and libraries. Timestamp analysis is a key for finding post-exploitation activities. While attackers can change timestamps, it's hard for them to get everything right. Most attackers, even APT, leave some timestamp evidence behind.
Read more in:
The Register: Apache Struts you're stuffed: Vuln allows hackers to inject evil code into biz servers
http://www.theregister.co.uk/2017/09/05/apache_struts_vuln/
ZDNet: A critical Apache Struts security flaw makes it 'easy' to hack Fortune 100 firms
http://www.zdnet.com/article/critical-security-bug-threatens-fortune-100-companies/
Threatpost: Patch Released for Critical Apache Struts Bug
https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/
Apache: Apache Struts 2 Documentation: S2-052
https://struts.apache.org/docs/s2-052.html
Clarification: Extradited Hacker Charges (August 31, 2017)
Daniel Kaye, who was recently extradited from Germany to the UK, will face charges not only under the Computer Misuse Act, but also charges of blackmail and possession of criminal property.Read more in:
BBC: Briton accused of cyber attacks extradited from Germany
http://www.bbc.com/news/uk-england-surrey-41103188
INTERNET STORM CENTER TECH CORNER
A Look Back at Mirai and What's Next
https://isc.sans.edu/forums/diary/The+Mirai+Botnet+A+Look+Back+and+Ahead+At+Whats+Next/22786/New Struts Vulnerability and Patch
https://isc.sans.edu/forums/diary/Struts+vulnerability+patch+released+by+apache+patch+now/22788Mastercard Internet Gateway Service Flaw
http://tinyhack.com/2017/09/05/mastercard-internet-gateway-service-hashing-design-flaw/Mac OS X High Sierra Insecure Kernel Module Loading
https://objective-see.com/blog/blog_0x21.htmlStruts2 Metasploit Module
https://github.com/rapid7/metasploit-framework/pull/8924/commits/5ea83fee5ee8c23ad95608b7e2022db5b48340efGoogle Docs Table With Hacked MongoDB Databases
https://docs.google.com/spreadsheets/d/1QonE9oeMOQHVh8heFIyeqrjfKEViL0poLnY8mAakKhM/edit#gid=1781677175Bypassing Cloudflare
https://rhinosecuritylabs.com/cloud-security/cloudflare-bypassing-cloud-security/Yet Another Struts RCE Vulnerability
https://struts.apache.org/docs/s2-053.htmlEquifax Compromise
https://www.bloomberg.com/news/articles/2017-09-07/three-equifax-executives-sold-stock-before-revealing-cyber-hackHash Extension Flaws
https://isc.sans.edu/forums/diary/Modern+Web+Application+Penetration+Testing+Hash+Length+Extension+Attacks/22792/***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
