SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #76
September 26, 2017Cloud (In)Security Surprise
The Verizon Amazon S3 Server breach is a bigger story than it may seem at first. Ian Massingham, a technical evangelist at Amazon Web Services (AWS) explained (https://www.youtube.com/watch?v=zU1x5SfKEzs&t=806) how, for "infrastructure as a service," AWS takes no responsibility for secure configuration of the operating system or security monitoring, for application security configuration or monitoring, for account management, for access control lists, for identity management and more. Amazon provides great tools for implementing security controls, but as you'll see in the Amazon video (https://www.youtube.com/watch?v=3lkecchwxc4&feature=youtu.be), you need to be very skilled to deploy them broadly an deffectively. One of the least fun jobs at (all of the) cloud service providers is nicknamed "CAO" for chief apology officer, having to go to clients and explain to them that whatever they heard about cloud security being better, all the responsibility for making that happen rests on the user.
- Alan
TOP OF THE NEWS
Equifax CEO Richard Smith Steps Down.
Verizon Data Exposed on Unprotected Amazon S3 Server
RedBoot: Ransomware or Wiper?
US States Informed of Attempted Election Breaches
THE REST OF THE WEEK'S NEWS
Deloitte Breach
Man Sentenced for Making Bomb Threats and Swatting
Avast Posts List of Organizations Targeted by CCleaner Backdoor
Oracle Issues Patches for Apache Struts Flaws
Adobe Inadvertently Exposes PGP Key
Equifax's Breach Response Does Not Measure Up
Former Contractor Found Guilty of Planting Logic Bomb in Army Reserves Payroll System
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By VMRay ****************************On October 3rd go behind enemy lines with VMRay Co-Founder Carsten Willems and Forrester Principal Analyst Jeff Pollard as they expose the techniques (TTPs) used by threat actors to design evasive malware. Register Today: https://www.sans.org/info/198480
*****************************************************************************TRAINING UPDATE
-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017
-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017
-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017
-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017
-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017
-- SANS Pen Test HackFest Summit & Training | Bethesda, MD | November 13-20 https://www.sans.org/event/pen-test-hackfest-2017
-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017
-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017
-- SANS Cyber Defense Initiative ® 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017
-- SANS OnDemand and vLive Training | Get an iPad Mini 4, a Galaxy Tab A, or Take $250 Off with Online Training - Register by 9/27! The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
TOP OF THE NEWS
--Equifax CEO Richard Smith Steps Down. (September 26, 2017)
Bloomberg reports that Equifax CEO Richard Smith has resigned after the uproar over the massive hack. https://www.bloomberg.com/news/articles/2017-09-26/equifax-ceo-smith-resigns-barros-named-interim-chief-after-hack [Editor Comments] [Northcutt/Paller] President Truman had a sign on his desk, "The buck stops here." Smith's resignation will set the bar for how executives will need to respond to major breaches and will get attention in boardrooms across the nation. Here is an article from Entrepreneur on other recent changes at the top: https://www.entrepreneur.com/slideshow/246043--Verizon Data Exposed on Unprotected Amazon S3 Server (September 22, 2017)
An unprotected Amazon Web Services (AWS) S3 server exposed 100 MB of Verizon Wireless internal corporate data. The compromised information includes server logs and internal credentials that could have been used to access other parts of the Verizon network. [Editor Comments] [Pescatore] Cloud services are to bad security hygiene as all you can eat dessert bars are to overweight people. With a bit of process discipline, you can use both safely but the sheer ease of consumption amplifies bad habits. Many great examples of cloud being used securely, often more security than home grown data centers. But attackers have learned to look for wide open and unprotected information on cloud providers. Read more in: ZDNet: New Verizon leak exposed confidential data on internal systems https://www.zdnet.com/article/another-verizon-leak-exposed-confidential-data-on-internal-systems/ CyberScoop: 'Confidential' Verizon credentials, server logs left publicly exposed https://www.cyberscoop.com/verizon-wireless-s3-bucket-public-access-kromtech/ Threatpost: Verizon Wireless Internal Credentials, Infrastructure Details Exposed in Amazon S3 Bucket https://threatpost.com/verizon-wireless-internal-credentials-infrastructure-details-exposed-in-amazon-s3-bucket/128108/--RedBoot: Ransomware or Wiper? (September 25, 2017)
Bootlocker ransomware known as RedBoot not only encrypts files on infected computers, but also replaces the system drive's Master Boot Record (MBR) and modifies the partition table. RedBoot may be more a wiper than ransomware because does not appear to be a way to restore the partition table. [Editor Comments] [Murray] It is past time to start restricting "write" access. What happens when the adversary switches from espionage to sabotage, from target identification to target destruction? [Neely] Attacks are shifting from collecting money to causing havoc such as wiping the boot record, or dropping other malware. The mitigations remain the same, up-to-date defense in-depth at the endpoint and network, appropriate relevant user training, good backups, and proven system restoration process. Read more in: BleepingComputer: Ransomware or Wiper? RedBoot Encrypts Files but also Modifies Partition Table https://www.bleepingcomputer.com/news/security/ransomware-or-wiper-redboot-encrypts-files-but-also-modifies-partition-table/--US States Informed of Attempted Election Breaches (September 22 & 25, 2017)
The US Department of Homeland Security (DHS) has notified election officials in 21 states that their systems were targeted by hackers prior to the 2016 presidential election. The Associated Press contacted election officials in all states to find out which ones had been contacted. While not all responded, at least 14 confirmed that they had received notice that their systems were targeted. Vote counting systems do not appear to have been affected. Some officials are questioning why it took DHS so long to inform them of the attempted breaches. Read more in: WashPost: Federal government notifies 21 states of election hacking https://www.washingtonpost.com/politics/federal-government-notifies-21-states-of-election-hacking/2017/09/22/4ee76ce0-9fda-11e7-b2a7-bc70b6f98089_story.html CNET: Hackers targeted election systems in 21 states, DHS says https://www.cnet.com/news/hackers-trump-putin-dhs-election-systems-in-21-states-dhs-says/ The Hill: DHS tells 21 states they were Russia hacking targets before 2016 election https://thehill.com/policy/cybersecurity/351981-dhs-notifies-21-states-of-they-were-targets-russian-hacking Fifth Domain: Federal government notifies 21 states of election hacking https://www.fifthdomain.com/civilian/dhs/2017/09/22/federal-government-notifies-21-states-of-election-hacking/ *************************** SPONSORED LINKS ******************************* 1) Don't Miss: "Your Security Sandbox Won't Catch It All - The Phishing Problem" Register: https://www.sans.org/info/198485 2) Where do elusive indicators come from? Register for this webcast to find out: https://www.sans.org/info/198490 3) In case you missed it: "Turning Threat Data into Threat Intel Using Automated Analysis" https://www.sans.org/info/198495 *****************************************************************************THE REST OF THE WEEK'S NEWS
--Deloitte Breach (September 25, 2017)
Deloitte has acknowledged that it suffered a breach of an email system. The intruders gained access to the system through an administrator account that was protected with a password but lacked two-factor authentication. The compromised data were stored in Microsoft's Azure cloud service. The breach was detected in March 2017 and is believed to have been initiated in October or November 2016. [Editor Comments] [Murray] Token-based strong authentication is mandatory for all those with administrative privileges. It is essential to control, accountability, and the ability to withdraw privileges in the event of an unfriendly termination. Read more in: Guardian: Deloitte hit by cyber-attack revealing clients' secret emails https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails? KrebsOnSecurity: Source: Deloitte Breach Affected All Company Email, Admin Accounts https://krebsonsecurity.com/2017/09/source-deloitte-breach-affected-all-company-email-admin-accounts/#more-40890 The Register: Sensitive client emails, usernames, passwords exposed in Deloitte hack https://www.theregister.co.uk/2017/09/25/deloitte_email_breach/ BBC: Deloitte hit by data breach https://www.bbc.com/news/technology-41385951 Reuters: Deloitte hit by cyber attack, says 'very few' clients affected https://www.reuters.com/article/us-deloitte-cyber/deloitte-hit-by-cyber-attack-says-very-few-clients-affected-idUSKCN1C01PB--Man Sentenced for Making Bomb Threats and Swatting (September 25, 2017)
A Canadian man has been found guilty of making phony calls to emergency service providers in the US and Canada. The calls, which were made in 2013 and 2014, include bomb threats and swatting, or falsely reporting violent and/or dangerous situations requiring the help of law enforcement special forces. Curtis Gervais was sentenced to nine months of detention, which includes six months at a group home and three months under home detention. Gervais was 16 when he began making the phony emergency calls. [Editor Comments] [Pescatore] The ease of spoofing phone numbers so that caller ID shows an innocuous number or familiar exchange enables scams and harassment over the phone systems, just as the ease of spoofing email addresses does on the Internet. While the FCC has started fining a few spoofers, for some reason the FCC's so-called "Truth in Calling Act" allows spoofing unless harm is intended or caused. Much the way DMARC raises the bar against email address spoofing, the same should be done on the phone system. Read more in: KrebsOnSecurity: Canadian Man Gets 9 Months Detention for Serial Swattings, Bomb Threats https://krebsonsecurity.com/2017/09/canadian-man-gets-9-months-detention-for-serial-swattings-bomb-threats/--Avast Posts List of Organizations Targeted by CCleaner Backdoor (September 25, 2017)
Avast has published a list of all companies it knows to have been affected by second-stage malware through infected copies of the CCleaner utility. Avast was able to provide this information because it managed to find and access servers that the attackers were using to store information about their targets. While the CCleaner backdoor infected more than 1.6 million computers, just 40 computers at 12 companies were infected with the second-stage payload. Read more in: BleepingComputer: Avast Publishes Full List of Companies Affected by CCleaner Second-Stage Malware https://www.bleepingcomputer.com/news/security/avast-publishes-full-list-of-companies-affected-by-ccleaner-second-stage-malware/ Ars Technica: CCleaner backdoor infecting millions delivered mystery payload to 40 PCs https://arstechnica.com/information-technology/2017/09/ccleaner-backdoor-infecting-millions-delivered-mystery-payload-to-40-pcs/--Oracle Issues Patches for Apache Struts Flaws (September 25, 2017)
Oracle has released seven security updates to fix vulnerabilities in Apache Struts 2. According to the accompanying Oracle security bulletin, the fixes were released in response to the Equifax breach, but none of the flaws patched in this release was exploited in that breach. That flaw, CVE-2017-5638, was patched in Oracle's April security updates. Read more in: SC Magazine: Oracle patches 7 Apache Struts 2 vulnerabilities https://www.scmagazine.com/oracle-patches-7-apache-struts-2-vulnerabilities/article/695505/ Oracle: Oracle Security Alert Advisory - CVE-2017-9805 https://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html--Adobe Inadvertently Exposes PGP Key (September 22 & 25, 2017)
Adobe accidentally revealed its private PGP key on a company blog. The post, which appeared on Adobe's product security incident response team (PSIRT) blog, was removed and the key has been revoked. A new public key has been posted as well. [Editor Comments] [Neely] Adobe took the prudent step of replacing and revoking the compromised key pair. Also the published key was protected with a password, so while not directly usable, an off-line attack could be used to discover it. The risk is that If a system fails to check the revocation status, a spoofed message could be trusted. Further, because the message is encrypted, any embedded malware is delivered to the end point rather than being detected by perimeter or network protection. Making sure you don't have the old public key cached is key. Read more in: ZDNet: Adobe accidentally releases private PGP key https://www.zdnet.com/article/adobe-accidentally-releases-private-pgp-key/ Ars Technica: In spectacular fail, Adobe security team posts private PGP key on blog https://arstechnica.com/information-technology/2017/09/in-spectacular-fail-adobe-security-team-posts-private-pgp-key-on-blog/ Threatpost: Adobe Private PGP Key Leak a Blunder, But It Could Have Been Worse https://threatpost.com/adobe-private-pgp-key-leak-a-blunder-but-it-could-have-been-worse/128113/--Equifax's Breach Response Does Not Measure Up (September 24, 2017)
Equifax's response to the massive data breach has been a lesson in what not to do. From pointing consumers to a sketchy, ill-conceived website on a separate domain to tweets pointing consumers to a potential phishing site, Equifax's actions did little to provide consumers with clear, reliable information. Reports of earlier breaches and the company's failure to patch a known vulnerability have also eroded consumers' confidence in Equifax. Read more in: Wired: All the Ways Equifax Epically Bungled Its Breach Response https://www.wired.com/story/equifax-breach-response/--Former Contractor Found Guilty of Planting Logic Bomb in Army Reserves Payroll System (September 22, 2017)
A jury in North Carolina has found former US Army Reserves payroll system contractor Mittesh Das guilty of placing a logic bomb on his former employer's system. After Das's company lost its contract and another company assumed responsibilities, the logic bomb activated, causing disruptions that resulted in paychecks being delayed for more than two weeks. [Editor Comments] [Pescatore] I'd like to hear from the software vulnerability testing products and services whether any of them would have detected this type of thing. I tend to doubt it - I think skilled peer review would be the best hope and that probably didn't happen, and probably wasn't even required before authority to operate was given. Read more in: The Register: IT Plonker Stuffed 'Destructive' Logic Bomb into US Army Servers in Contract Revenge Attack https://www.theregister.co.uk/2017/09/22/it_contractor_logic_bombed_army_payroll/INTERNET STORM CENTER TECH CORNER
Forensic Use of "mount-bind"
https://isc.sans.edu/forums/diary/Forensic+use+of+mount+bind/22854/Adobe Publishes Secret PGP Key By Mistake
https://twitter.com/jupenur/status/911286403434246144AVAST Publishes CCleaner Update
https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incidentCompromised Android Keyboard App
https://blog.adguard.com/en/go-spy-go-popular-android-keyboard-from-china-crosses-the-red-line/macOS High Sierra Security Updates
https://support.apple.com/en-us/HT201222Possible macOS Keychain Leak
https://twitter.com/patrickwardle/status/912254053849079808Monero Cryptocoin Miner Found on Showtime Website
https://badpackets.net/coinhive-miner-found-on-official-showtime-network-websites-in-latest-case-of-cryptojacking/***********************************************************************
The Editorial Board of SANS NewsBites
View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
