SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #85

October 27, 2017

TOP OF THE NEWS


Windows 10 Fall Creators Update Has Anti-Ransomware Feature
Election Database at Center of Investigation is Wiped, Backup Servers Degaussed
Dell Customer Support Domain Hijacked for a Month

THE REST OF THE WEEK'S NEWS


Maritime Communication Platform Flaws
Kaspersky Says It Collected Then Deleted NSA Hacking Tool Code
Amazon Key System Lets Amazon Deliver Packages Inside Customers' Houses
SecureDrop Releases Fix for Whistleblowing Submission System
Bad Rabbit
Microsoft Will Drop Lawsuit Challenging Government's Use of Gag Orders
DoD Acquisition Practices and Cyber Security

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By SANS *******************************

2nd Annual SANS Automotive Cybersecurity Summit, May 7-8 in Chicago, IL. Explore case studies and learn first-hand from security practitioners representing manufacturers, suppliers, assemblers, technology providers and V2X partners. Engage with fellow attendees and experts as you work to better protect your organization, your products, and your customers from ever-evolving threats. Summit Information: http://www.sans.org/info/199135

***************************************************************************

TRAINING UPDATE

-- SANS Cyber Defense Initiative ® 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS Pen Test HackFest Summit & Training | Bethesda, MD | November 13-20 | https://www.sans.org/event/pen-test-hackfest-2017

-- SANS Sydney 2017 | November 13-25 | https://www.sans.org/event/sydney-2017

-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017

-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017

-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | https://www.sans.org/event/siem-tactical-analytics-summit-2017

-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018

-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018

-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018

-- SANS OnDemand and vLive Training | Get a New 12.9" iPad Pro with Smart Keyboard, or an HP ProBook 450 G4, or take $500 Off OnDemand or vLive Training when you register by November 8! The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

--Windows 10 Fall Creators Update Has Anti-Ransomware Feature
(October 23 & 25, 2017)

The Windows 10 Fall Creators Update, also known as Windows 10 version 1709, includes a feature to protect information on computers from ransomware. The Controlled Folder Access feature prevents unauthorized apps from altering files in specified locations. The feature requires that users have Windows Defender real-time protection enabled.

[Editor Comments]
[Neely] This uses Controlled Folder Access and Defender to block malware attempting to write to identified folders. The feature doesn't currently work with third-party AV solutions. Enterprise users can enable Controlled Folder Access via PowerShell, GPO and MDM services.

Read more in:
ZDNet: Windows 10 tip: Turn on the new anti-ransomware features in the Fall Creators Update
http://www.zdnet.com/article/windows-10-tip-turn-on-the-new-anti-ransomware-features-in-the-fall-creators-update/
The Register: Please activate the anti-ransomware protection in your Windows 10 Fall Creators Update PC. Ta
https://www.theregister.co.uk/2017/10/23/fyi_windows_10_ransomware_protection/
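The item above notes that Controlled Folder Access depends on Defender real-time protection and can be enabled through PowerShell. The following script is an added example written for this page, not code from the article or from Microsoft: it checks the real-time protection prerequisite, turns the feature on in audit mode first so legitimate writes can be identified before anything is blocked, adds extra protected folders and allowed applications, and pulls the Defender operational-log events that record blocked (1123) and audited (1124) writes. The folder and application paths are constructed placeholders; run it from an elevated PowerShell session on Windows 10 1709 or later.

```powershell
# Added example (not from the article): roll out Windows Defender
# Controlled Folder Access in audit mode, then enforce it.
# Paths below are constructed placeholders.

function Test-DefenderRealTimeProtection {
    # CFA requires Defender real-time protection; fail early if it is off
    $status = Get-MpComputerStatus
    if (-not $status.RealTimeProtectionEnabled) {
        throw "Defender real-time protection is disabled; Controlled Folder Access cannot be used."
    }
    return $true
}

function Enable-ControlledFolderAccess {
    param(
        # AuditMode logs would-be blocks without enforcing; Enabled blocks
        [ValidateSet('AuditMode', 'Enabled')]
        [string]$Mode = 'AuditMode',
        [string[]]$ProtectedFolders = @('D:\Finance', 'D:\Engineering'),            # constructed
        [string[]]$AllowedApplications = @('C:\Program Files\LineOfBusiness\lob.exe')  # constructed
    )
    Test-DefenderRealTimeProtection | Out-Null

    Set-MpPreference -EnableControlledFolderAccess $Mode

    # Protect business data locations beyond the default user profile folders
    foreach ($folder in $ProtectedFolders) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $folder
    }
    # Allow applications that legitimately write into protected folders
    foreach ($app in $AllowedApplications) {
        Add-MpPreference -ControlledFolderAccessAllowedApplications $app
    }

    # Return the effective configuration for review
    Get-MpPreference | Select-Object EnableControlledFolderAccess,
        ControlledFolderAccessProtectedFolders,
        ControlledFolderAccessAllowedApplications
}

function Get-ControlledFolderAccessEvents {
    # 1123 = write blocked, 1124 = write audited (would have been blocked)
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1123, 1124
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

# Usage: audit first, review the 1124 events, then switch to enforcement
Enable-ControlledFolderAccess -Mode AuditMode
Get-ControlledFolderAccessEvents -Hours 24
# Enable-ControlledFolderAccess -Mode Enabled
```

Running in audit mode for a few days before enforcing is the step that matters operationally: every 1124 event is an application that would have been blocked, and each one either becomes an allowed-application entry or a confirmed candidate for blocking.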

--Election Database at Center of Investigation is Wiped, Backup Servers Degaussed
(October 26, 2017)

Just days after election reform advocates filed a lawsuit against election officials in the U.S. state of Georgia seeking to annul June 20 special election results and force the state to stop using its current electronic voting system, the Georgia election server that contained data integral to the investigation into Russia's interference in the US election was wiped. A month later, two backup servers were each degaussed three times just before the case moved to federal court. The FBI made an image of the relevant server in March 2017, but will not say whether that copy still exists.

Read more in:
Ars Technica: Days after activists sued, Georgia's election server was wiped clean
https://arstechnica.com/tech-policy/2017/10/days-after-activists-sued-georgias-election-server-was-wiped-clean/
The Register: US voting server at heart of Russian hack probe mysteriously wiped
http://www.theregister.co.uk/2017/10/26/voting_server_georgia_wiped/
Associated Press: APNewsBreak: Georgia election server wiped after suit filed
https://apnews.com/877ee1015f1c43f1965f63538b035d3f/APNewsBreak:-Georgia-election-server-wiped-after-suit-filed

--Dell Customer Support Domain Hijacked for a Month
(October 24, 2017)

A Dell website run by a contractor was hijacked for about a month over the summer. During that time, the domain may have been used to serve malware. The site, DellBackupandRecoveryCloudStorage[dot]com, was set up to help Dell users who needed to restore factory settings due to malware or other computer troubles. The domain is used by a program on Dell machines called Dell Backup and Recovery Application. The domain was stolen from a Dell contractor for about a month over the summer after the contractor failed to renew it.

[Editor Comments]
[Ullrich] It is not all that expensive to hold onto a domain for a few additional years after a product is discontinued. But companies continue to forget to renew domains in time, or drop them as soon as a product is taken off the market. This causes dangerous security problems, because users have often marked these long-used domains as "trusted."

Read more in:
KrebsOnSecurity: Dell Lost Control of Key Customer Support Domain for a Month in 2017
https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/

*************************** SPONSORED LINKS ********************************

1) Great upcoming webinar - Threat Hunting for Web Shells - Sign up for it here: http://www.sans.org/info/199140

2) Don't Miss "Spamhaus DNS Firewall ( DNS RPZ ) - DNS as a 'Critical Choke Point' to Block Resolution of Known Malicious Sites" Register: http://www.sans.org/info/199145

3) Join John Pescatore and Palo Alto Networks to discuss why a layered security approach doesn't work. http://www.sans.org/info/199150

******************************************************************************

THE REST OF THE WEEK'S NEWS

--Maritime Communication Platform Flaws
(October 26, 2017)

Vulnerabilities in a platform used on ships to access the Internet could expose data and possibly be exploited to allow access to other critical systems on the ship. The researchers who found the vulnerabilities in the AmosConnect shipboard platform said that the systems are using software that "is often 10 to 15 years old [and] was meant to be implemented in an isolated way." A July 2017 vulnerability note from CERT notes that "AmosConnect 8 has been deemed End of Life, and no longer supported."

[Editor Comments]
[Honan] We are going to see more and more of these issues in many other sectors over the coming years. We cannot rely on organisations simply replacing end of life or outdated software as many of these systems have been designed to last for many years rather than be replaced. Instead, we need to look at better compensating controls, proper isolation and segmentation of critical systems, and improved monitoring for suspicious events. A good place to start is the SANS CIS Critical Security Controls https://www.sans.org/critical-security-controls/
[Paller] And the best way to implement the Critical Security Controls (CSC) is with the "Essential Eight" which are the most important mitigations of CSC, have proven to radically decrease the number of attacks and damage from attacks, and have a very strong maturity model published by government so you can measure progress reliably:
https://www.asd.gov.au/publications/protect/essential-eight-maturity-model.htm

Read more in:
Wired: A Bug in a Popular Maritime Platform Left Ships Exposed
https://www.wired.com/story/bug-in-popular-maritime-platform-isnt-getting-fixed/
Threatpost: Two Critical Vulnerabilities Found in Inmarsat's SATCOM Systems
https://threatpost.com/two-critical-vulnerabilities-found-in-inmarsats-satcom-systems/128632/
The Register: Maritime comms flaws exposed: It's OK cuz we canned it, says vendor
http://www.theregister.co.uk/2017/10/26/inmarsat_maritime_sat_comms_security/
ZDNet: Hackers can gain full access to maritime ship data through a built-in backdoor
http://www.zdnet.com/article/hackers-gain-full-access-to-maritime-ships/
CERT: Inmarsat AmosConnect8 Mail Client Vulnerable to SQL Injection and Backdoor Account
https://www.kb.cert.org/vuls/id/586501

--Kaspersky Says It Collected Then Deleted NSA Hacking Tool Code
(October 25, 2017)

Kaspersky Lab says through an automated process in its anti-virus software, it did collect NSA hacking tool source code from a PC in the US, but quickly deleted the code. The code came from the home computer of an NSA employee, who had also installed a malware-infected key generator for a pirated version of Microsoft Office.

[Editor Comments]
[Ullrich] Anybody using an anti-malware product should be aware that the product may send suspect files to the manufacturer, or in the case of platforms like Virustotal, to multiple organizations. This data exfiltration can in some cases include corporate documents especially if they trigger a signature, even as a false positive.

Read more in:
Kaspersky: Preliminary results of the internal investigation into alleged incidents reported by US media
https://www.kaspersky.com/blog/internal-investigation-preliminary-results/19894/
Bleeping Computer: Kaspersky Gives Its Side of the Story on How the NSA Lost Some Its Hacking Tools
https://www.bleepingcomputer.com/news/security/kaspersky-gives-its-side-of-the-story-on-how-the-nsa-lost-some-its-hacking-tools/
The Register: NSA bloke used backdoored MS Office key-gen, exposed secret exploits - Kaspersky
http://www.theregister.co.uk/2017/10/25/kaspersky_nsa_keygen_backdoor_office/
ZDNet: Kaspersky says NSA hacking tools obtained after malware was found
http://www.zdnet.com/article/kaspersky-admits-to-reaping-nsa-code-from-us-pc/
Ars Technica: Worker who snuck NSA malware home had his PC backdoored, Kaspersky says
https://arstechnica.com/information-technology/2017/10/worker-who-snuck-nsa-secrets-home-had-a-backdoor-on-his-pc-kaspersky-says/
Fifth Domain: Kaspersky: We uploaded US documents but quickly deleted them
https://www.fifthdomain.com/industry/2017/10/25/kaspersky-we-uploaded-us-documents-but-quickly-deleted-them/
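The editor comment on this item warns that anti-malware products may upload suspect files, including internal documents, to the vendor. As an added example that is not part of the newsletter or of any vendor documentation, the following PowerShell reads and sets the two Windows Defender preferences that govern this behaviour on Windows 10: SubmitSamplesConsent (whether samples are uploaded automatically) and MAPSReporting (cloud-protection telemetry). Run it from an elevated session; the default values chosen below are the author's suggestion, not a Microsoft recommendation.

```powershell
# Added example (not from the article): review and tighten Windows
# Defender's automatic sample submission so that suspect files are not
# uploaded to the vendor without a deliberate decision.

function Get-DefenderSubmissionPolicy {
    $pref = Get-MpPreference
    # SubmitSamplesConsent: 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples
    # MAPSReporting:        0 Disabled, 1 Basic, 2 Advanced
    [pscustomobject]@{
        SubmitSamplesConsent = $pref.SubmitSamplesConsent
        MAPSReporting        = $pref.MAPSReporting
    }
}

function Set-DefenderSubmissionPolicy {
    param(
        # NeverSend keeps files on the endpoint; AlwaysPrompt asks the user first
        [ValidateSet('AlwaysPrompt', 'SendSafeSamples', 'NeverSend', 'SendAllSamples')]
        [string]$SamplesConsent = 'NeverSend',
        # Cloud lookups (hashes/metadata) can stay on even when file upload is off
        [ValidateSet('Disabled', 'Basic', 'Advanced')]
        [string]$Maps = 'Basic'
    )
    Set-MpPreference -SubmitSamplesConsent $SamplesConsent -MAPSReporting $Maps
    # Return the effective policy so the change can be verified and logged
    Get-DefenderSubmissionPolicy
}

# Usage: record the current state, then apply the stricter policy
Get-DefenderSubmissionPolicy
Set-DefenderSubmissionPolicy -SamplesConsent NeverSend -Maps Basic
```

The trade-off is real: turning off sample submission removes the vendor's ability to analyse a new file for you, so detection of novel malware on that endpoint degrades. Sites that handle sensitive documents typically accept that and route suspect files through an internal sandbox instead; the point of the script is that the choice is made explicitly and can be enforced by GPO rather than left at the default.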

--Amazon Key System Lets Amazon Deliver Packages Inside Customers' Houses
(October 25, 2017)

In an attempt to help prevent the theft of customers' packages from their porches and doorsteps, Amazon will launch a system that lets customers remotely control access to their homes so Amazon deliveries can be left inside. The system can also be used to allow access to other people, like friends and people making service calls. Amazon Prime customers can buy a camera and lock that are controlled from the cloud for $250 USD. The price includes a smart lock and installation for both the lock and the camera. Amazon Key is scheduled to launch on November 8 in certain US cities.

[Editor Comments]
[Ullrich] If you are concerned about packages being stolen from your porch, it may be simpler, safer, and wiser to install a lockable box on your porch for Amazon to leave packages.
[Neely] Package theft is real, and Amazon keeps adding options designed to prevent it, including Amazon Hub for apartments and Amazon Locker for home/business users. While the Amazon system has controls, such as verification of the driver and expected package before remotely unlocking the door, with everything on camera, this is all a single system. An out-of-band camera monitoring access and diligent use of your home security system can mitigate some of the risk of unauthorized access.

Read more in:
CSMonitor: New smart locks would allow Amazon to delivery directly into homes
https://www.csmonitor.com/Business/2017/1025/New-smart-locks-would-allow-Amazon-to-delivery-directly-into-homes
Ars Technica: Amazon Key unlocks your door for in-home package deliveries
https://arstechnica.com/information-technology/2017/10/amazon-key-unlocks-your-door-for-in-home-package-deliveries/
BBC: Amazon service will let couriers open front doors
http://www.bbc.com/news/technology-41747074

--SecureDrop Releases Fix for Whistleblowing Submission System
(October 25, 2017)

Whistleblower submission system SecureDrop has fixed a critical vulnerability that could be exploited to conduct a man-in-the-middle attack. SecureDrop is used by journalists to communicate with sources who need to remain anonymous. The issue lies in the configuration logic used during initial installation, which allowed tor, ntp, and the tor keyring to be installed without adequate validation of cryptographic signatures. The company issued a private fix to news organizations last week.

Read more in:
ZDNet: Whistleblower system SecureDrop fixes information leak vulnerability
http://www.zdnet.com/article/whistleblower-system-securedrop-fixes-information-leak-flaw/
Cyberscoop: High-severity vulnerability found in SecureDrop system
https://www.cyberscoop.com/securedrop-vulnerability-found-fixed/?category_news=technology
SecureDrop: We found a vulnerability in the SecureDrop installation process. Here's how we're fixing it.
https://securedrop.org/news/we-found-vulnerability-securedrop-installation-process-here%E2%80%99s-how-we%E2%80%99re-fixing-it
GitHub: Unauthenticated packages installed on app and mon servers during initial provisioning #2472
https://github.com/freedomofpress/securedrop/issues/2472

--Bad Rabbit
(October 24 & 25, 2017)

The majority of servers and websites that supported Bad Rabbit activity appear to have been shut down, just a day after reports of the ransomware campaign emerged. Bad Rabbit affected computers in Russia and Ukraine earlier this week. The malware was spread largely through watering hole attacks that pushed out phony Flash updates that execute a dropper on infected machines. According to several research firms, there is evidence that suggests Bad Rabbit may have a connection to Petya and NotPetya.

Read more in:
Motherboard: Infrastructure for the 'Bad Rabbit' Ransomware Appears to Have Shut Down
https://motherboard.vice.com/en_us/article/d3dp5q/infrastructure-for-the-bad-rabbit-ransomware-appears-to-have-shut-down
Dark Reading: Bad Rabbit Dies Down But Questions Remain
https://www.darkreading.com/endpoint/bad-rabbit-dies-down-but-questions-remain/d/d-id/1330224?
ZDNet: Bad Rabbit: Ten things you need to know about the latest ransomware outbreak
http://www.zdnet.com/article/bad-rabbit-ten-things-you-need-to-know-about-the-latest-ransomware-outbreak/
SC Magazine: BadRabbit ransomware moves to the U.S., links to Petya/NotPetya being debated
https://www.scmagazine.com/badrabbit-ransomware-moves-to-the-us-links-to-petyanotpetya-being-debated/article/702816/
Threatpost: Bad Rabbit Linked to Expetr/Not Petya Attacks
https://threatpost.com/bad-rabbit-linked-to-expetrnot-petya-attacks/128611/
Bleeping Computer: Security Firms Say Bad Rabbit Attack Carried Out by NotPetya Group
https://www.bleepingcomputer.com/news/security/security-firms-say-bad-rabbit-attack-carried-out-by-notpetya-group/

--Microsoft Will Drop Lawsuit Challenging Government's Use of Gag Orders
(October 24 & 25, 2017)

Microsoft will move to dismiss a lawsuit it brought against the US Justice Department (DoJ), saying a new DoJ policy restricts the use of gag orders that prevent cloud providers from notifying customers when the government has accessed their accounts. The new policy affects gag orders obtained under the Electronic Communications Privacy Act/Stored Communications Act, but does not apply to National Security Letters. Microsoft's lawsuit alleged that the US government used overly broad gag orders with search warrants for email and other customer information. Microsoft president and chief legal officer Brad Smith wrote in a blog post that DoJ's new policy "helps ensure that secrecy orders are used only when necessary and for defined periods of time."

Read more in:
ZDNet: Microsoft: DoJ is curbing secret gag orders so we're dropping lawsuit
http://www.zdnet.com/article/microsoft-doj-is-curbing-secret-gag-orders-so-were-dropping-lawsuit/
GovTech: Microsoft Drops DOJ Lawsuit Following Policy Change
http://www.govtech.com/security/Microsoft-Drops-DOJ-Lawsuit-Following-Policy-Change.html
Document Cloud: DoJ Memorandum: Policy Regarding Applications for Protective Orders
https://www.documentcloud.org/documents/4116083-Policy-Regarding-Applications-for-Protective.html
Microsoft: DOJ acts to curb the overuse of secrecy orders. Now it's Congress' turn.
https://blogs.microsoft.com/on-the-issues/2017/10/23/doj-acts-curb-overuse-secrecy-orders-now-congress-turn/

--DoD Acquisition Practices and Cyber Security
(October 24, 2017)

The US Defense Department's (DoD) approach to acquisition does not translate well to keeping pace with cyber security defense. DoD abides by principles of competition, transparency, and integrity, but the length of time involved in developing aircraft or weapons systems would mean that any cyber defense project would be vastly out of date by the time it is deployed.

[Editor Comments]
[Pescatore] It is not news that federal and especially DoD procurement practices need vast improvement. But, there is a lot in this article I disagree with. "Offense is the best defense" absolutely does not apply in preventing, let alone mitigating, the vast majority of real world cyber-attacks. DoD already buys huge amounts of cybersecurity products and services and rarely are they tied to 7-10 weapons systems procurements - the issue more is how slowly DoD standards and processes move to address basic security hygiene (required for any effective defense, strong offense or not) - let alone changing threats. Buying and deploying the wrong things faster will not help DoD.

Read more in:
FNR: DoD acquisition 'slow by design,' can't handle cybersecurity defense
https://federalnewsradio.com/cybersecurity-2017/2017/10/dod-acquisition-slow-by-design-cant-handle-cybersecurity-defense/

INTERNET STORM CENTER TECH CORNER

Stop Relying on File Extensions

https://isc.sans.edu/forums/diary/Stop+relying+on+file+extensions/22962/

BadRabbit New Ransomware Wave Hitting Russia and Ukraine

https://isc.sans.edu/forums/diary/BadRabbit+New+ransomware+wave+hitting+RU+UA/22964/
https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/

Over 70% Of Web Traffic Now via TLS

https://transparencyreport.google.com/https/overview?hl=en

Static RNG Seeds in Fortinet Devices

https://duhkattack.com

Users in Iran Targeted by Cryptoransomware Masquerading as VPN

https://www.bleepingcomputer.com/news/security/tyrant-ransomware-spreads-in-iran-disguised-as-popular-vpn-app/

Dell Loses Control of Backup and Recovery Cloud Storage Domain

https://krebsonsecurity.com/2017/10/dell-lost-control-of-key-customer-support-domain-for-a-month-in-2017/

Google ReCaptcha Broken

https://github.com/ecthros/uncaptcha

Coinhive Domain Compromise

https://coinhive.com/blog/dns-breach

Crypto Currency Phishing

https://www.dearbytes.com/blog/cryptocurrency-phishing/

Results of Kaspersky's Internal Investigation

https://www.kaspersky.com/blog/internal-investigation-preliminary-results/19894/

Infineon Bug Testing Tool

https://gist.githubusercontent.com/marcan/fc87aa78085c2b6f979aefc73fdc381f/raw/526bc2f2249a2e3f5d4450c7c412e0dbf57b2288/roca_test.py
https://github.com/ThomasHabets/simple-tpm-pk11/blob/master/check-srk/check-srk.cc

Micropatch Available for "DDE Vulnerability"

https://0patch.blogspot.com/2017/10/0patching-office-dde-ddeauto.html

Finding Cryptocurrency Miners

https://medium.com/@s3yfullah/hacking-cryptocurrency-miners-with-osint-techniques-677bbb3e0157


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create