SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XIX - Issue #88
November 7, 2017Tough week. Trusted organizations are making us vulnerable.
Alan
****************************************************************************
SANS NewsBites November 7, 2017 Vol. 19, Num. 088
****************************************************************************
TOP OF THE NEWS
Phony WhatsApp in Google Play Store
Zeus Panda Malware Spreading Through Google SEO Poisoning
Tor Project Releases Updates to Fix for IP Address Leak Issue
REST OF THE WEEK'S NEWS
Level 3 Configuration Error Caused Internet Outages
First US Government Agency Sends Data to CDM Dashboard
Cisco Issues Fixes for Flaw in IOS XE DoS Vulnerability
Estonia Suspending Use of ID Smart Cards
Trump Organization Domains Compromised in 2013
Cryptographic Flaw in IEEE Standard
Siemens Releasing Updates for SIMATIC PCS 7 Vulnerability
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Sophos Inc. ***********************
Do you really know what your network is up to? On average 60% of corporate traffic is unidentified. Read the whitepaper to learn more about network visibility, the risks from unidentified traffic and the critical features to solve the issue. Download whitepaper:
http://www.sans.org/info/199315
*****************************************************************************
TRAINING UPDATE
-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017
-- SANS San Francisco Winter 2017 | November 27-December 2 | https://www.sans.org/event/san-francisco-winter-2017
-- SANS London November 2017 | November 27-December 2 | https://www.sans.org/event/london-november-2017
-- SIEM & Tactical Analytics Summit & Training | Scottsdale, AZ | November 28-December 5 | https://www.sans.org/event/siem-tactical-analytics-summit-2017
-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018
-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018
-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018
-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018
-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018
-- SANS OnDemand and vLive Training | Get a New 12.9" iPad Pro with Smart Keyboard, or an HP ProBook 450 G4, or take $500 Off OnDemand or vLive Training when you register by November 8! The SANS Training you want with the flexibility you need. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format -https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
*****************************************************************************
TOP OF THE NEWS
--
Phony WhatsApp in Google Play Store
(November 3 & 6, 2017)
A phony version of the WhatsApp messaging app was downloaded at least one million times before being pulled from the Google Play Store. The fake app included advertisements and had the capability to download software onto devices.
[Editor Comments]
[Ullrich] Malicious applications impersonating popular applications have become a big problem in the Google Play Store. Be very careful what you download. This fake WhatsApp application had over a million downloads, which of course causes even more users to believe it to be "safe". The only difference was an invisible Unicode space added to the publisher's name, something Google should be able to detect as an indicator of malicious intent.
[Neely] This was tricky to identify as the developer placed a space after the app name using Unicode characters. Once installed, the app hid itself with a blank icon and no title, and used its Internet permissions to download ads and other apps. Beyond Google's Play Protect or third-party AV detections, the new Google Play Security Reward Program, aka bug bounty program, will help root out malicious third-party applications in the Google Play store. Keeping on the current patched Android OS versions is also important to ensure updated application security measures are in place.
[Murray] The inability of Android to enforce process-to-process isolation is a fundamental vulnerability. Security should not have to rely on every process being well-behaved.
Read more in:
Threatpost: 1M Downloads Later, Google Pulls Phony WhatsApp From Google Play
https://threatpost.com/1m-downloads-later-google-pulls-phony-whatsapp-from-google-play/128778/
The Register: Over a million Android users fooled by fake WhatsApp app in official Google Play Store
http://www.theregister.co.uk/2017/11/03/fake_whatsapp_app/
ZDNet: Fake WhatsApp app fooled million Android users on Google Play: Did you fall for it?
BBC: Fake WhatsApp app downloaded more than one million times
http://www.bbc.com/news/technology-41886157
--
Zeus Panda Malware Spreading Through Google SEO Poisoning
(November 2 & 3, 2017)
Cyber criminals are using Google search engine optimization (SEO) poisoning along with compromised servers and websites to help them spread the Zeus Panda banking malware. The attackers appear to be targeting customers of certain banks in Sweden, Australia, Saudi Arabia, and India, as well as users of the SWIFT international financial transaction messaging network.
Read more in:
SC Magazine: Hackers find an evil use for SEO
https://www.scmagazine.com/hackers-find-an-evil-use-for-seo/article/705363/
ZDNet: Google search results poisoned by banking trojan attackers' clever SEO
http://www.zdnet.com/article/google-search-results-poisoned-by-banking-trojan-attackers-clever-seo/
Talos: Poisoning the Well: Banking Trojan Targets Google Search Results
http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html
--
Tor Project Releases Updates to Fix for IP Address Leak Issue
(November 3 & 6, 2016)
The Tor Project has made updates available for its Tor Browser running on Mac and Linux to address a security issue that exposes users actual IP addresses. The flaw was privately reported to Tor last week. The Tor Project has released Tor Browser version 7.0.9 for Mac and Linux; the problem does not affect Tor running on Windows.
Read more in:
Tor Project Blog: Tor Browser 7.0.9 is released
https://blog.torproject.org/tor-browser-709-released
Ars Technica: Critical Tor flaw leaks users' real IP address-update now
Threatpost: Tor Browser Users Urged to Patch Critical 'Tormoil' Vulnerability
https://threatpost.com/tor-browser-users-urged-to-patch-critical-tormoil-vulnerability/128769/
Bleeping Computer: TorMoil Vulnerability Leaks Real IP Address from Tor Browser Users
ZDNet: A serious Tor browser flaw leaks users' real IP addresses
http://www.zdnet.com/article/critical-tor-browser-flaw-leaks-users-real-ip-addresses/
The Register: Biggest Tor overhaul in a decade adds layers of security improvements
http://www.theregister.co.uk/2017/11/03/tor_ravamp/
--
Microsoft Pulls Buggy Patches
(November 3 & 6, 2017)
Last week, Microsoft released patches for five Windows versions to address an "unexpected error from external database driver" bug that was introduced in the October 10 monthly update. The patches are not part of Windows Update; users would have to download them and install them manually. The new patches were reportedly causing older security updates to be re-enabled. Three of the patches along with their associated KB articles were apparently pulled from the Microsoft website over the weekend.
Read more in:
Computerworld: Microsoft yanks buggy Windows patches KB 4052233, 4052234, 4052235
Computerworld: MS fixes 'external database' bug with patches that have even more bugs
*************************** SPONSORED LINKS *******************************
1) Detect & Eliminate Insider Threats with Teramind User Behavior Analytics: Start your Free Trial Today http://www.sans.org/info/199320
2) In Boston? Register for the SANS SOC Brief on Nov 17. Networking Lunch follows. SPACE LIMITED. http://www.sans.org/info/199340
3) Attend the 2nd Annual SANS Automotive Cybersecurity Summit, May 7-8, Chicago, IL. Register: http://www.sans.org/info/199335
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
Crunchyroll DNS Hijack
(November 4 & 6, 2017)
Ellation, parent company of the Crunchyroll anime streaming website, says that the site's Cloudflare configuration was altered over the weekend to redirect users to a server that attempted to download malware onto users' devices. The Ellation blog post says users who downloaded files between 3:30AM PST and 9:00AM PST on Saturday, November 4, may have been infected. The blog describes steps Crunchyroll users can take to remove the malware from their devices.
[Editor Comments]
[Ullrich] Yet again an attack using misplaced Cloudflare credentials. If you use Cloudflare, then please treat it like the critical part of your infrastructure that it is, and secure it accordingly. Cloudflare offers a few different two-factor authentication options. Crunchyroll has not stated how they think the credentials were leaked, but in the past, this often happened by using the same credentials on different sites and having them leaked on one of the sites they are used at.
[Williams] Despite widespread reports that this was the result of a DNS hijack, there's no evidence that this is the case. During the outage, many were reporting that this was the result of DNS spoofing. However, DNS spoofing on such a wide scale is usually only feasible for sites that are visited infrequently. Most as popular as Crunchyroll probably have a DNS entry cached in most upstream DNS servers. That said, this IS an interesting supply chain attack where attackers used a content delivery network (Cloudflare in this case) to deliver malware.
Read more in:
SC Magazine: Anime enemy: Asian content distributor Crunchyroll blames DNS hijack for malicious redirection
The Register: Crumbs! Crunchyroll distributed malware for a couple of hours
http://www.theregister.co.uk/2017/11/06/crunchyroll_spent_a_couple_of_hours_distributing_malware/
Ellation: Crunchyroll.com update
https://blog.ellation.com/crunchyroll-com-update-a2a593cf9155
--
Level 3 Configuration Error Caused Internet Outages
(November 6, 2017)
A configuration error at Internet backbone company Level 3 caused Internet outages across the US on Monday, November 6. Level 3 said the problem was resolved within 90 minutes of its detection, but the issue caused ripple effect problems across the country.
[Editor Comments]
[Williams] BGP is the backbone of the Internet, but any BGP peer can inject routes to other peers. Sometimes this is a misconfiguration, but there are suspicions that nation-state groups including China and Russia have used BGP route hijacks for short duration man in the middle attacks. Follow Twitter account @bgpstream to see how often BGP routes are hijacked.
Read more in:
Wired: How a Tiny Error Shut Off the Internet For Parts of the US
https://www.wired.com/story/how-a-tiny-error-shut-off-the-internet-for-parts-of-the-us/
--
First US Government Agency Sends Data to CDM Dashboard
(November 6, 2017)
The US Department of Homeland Security (DHS) expects that by the end of this calendar year, five US federal government agencies will send data to the continuous diagnostic and mitigation (CDM) program's federal dashboard. One agency has already begun submitting data to the dashboard.
Read more in:
FNR: 5 agencies expected to send data to governmentwide cyber dashboard by end of 2017
--
Cisco Issues Fixes for Flaw in IOS XE DoS Vulnerability
(November 3 & 6, 2017)
Cisco has released updates for its IOS XE software to address a flaw introduced in changes made to its implementation of the Border Gateway Protocol (BGP) over an Ethernet VPN (EVPN). The flaw could be exploited to create denial of service conditions or corrupt the BGP routing table.
Read more in:
Threatpost: Cisco Patches DoS Flaw in BGP Over Ethernet VPN Implementation
https://threatpost.com/cisco-patches-dos-flaw-in-bgp-over-ethernet-vpn-implementation/128780/
Cisco: Cisco IOS XE Software Ethernet Virtual Private Network Border Gateway Protocol Denial of Service Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171103-bgp
--
Estonia Suspending Use of ID Smart Cards
(November 3 & 6, 2017)
Estonia has suspended the use of its national ID smartcards after learning of a cryptographic flaw in the firmware of the cards' chips that could be used to steal RSA keys and create clones of the cards. The flaw is apparently easier to exploit than was initially reported. The Estonian government recently urged citizens to update their cards' electronic certificates; the cards without updated certificates are being suspended.
[Editor Comments]
[Neely] That's a tough call to suspend use versus wait for reissue to complete. It's going to take a while to re-issue 760,000 cards in Estonia. Estonia is wisely taking measures to side-step the weakness by having replacement credentials use ECC rather than RSA keys generated using the Infineon code which eliminates dependency on the soundness of the bug fix.
Read more in:
Ars Technica: Flaw crippling millions of crypto keys is worse than first disclosed
Silicon: Estonia Disables Digital ID Cards After Security Scare
http://www.silicon.co.uk/security/estonia-disables-digital-id-cards-security-scare-224313
The Register: Estonia government locks down ID smartcards: Refresh or else
http://www.theregister.co.uk/2017/11/03/estonian_e_id_lockdown/
V3: Estonian authorities block national ID cards due to ROCA security flaw
https://www.v3.co.uk/v3-uk/news/3020479/estonion-authorities-block-national-id-cards-due-to-flaw
--
Trump Organization Domains Compromised in 2013
(November 1 & 6, 2017)
According to news reports, nearly 200 web domains at the Trump Organization were compromised in 2013. The compromised addresses redirected visitors to malicious servers in Russia. The Trump organization said the domains were not compromised despite Internet records that say otherwise.
[Editor Comments]
[Williams] This sort of attack is not new and is unfortunately on the rise. Attackers compromise the domain control panel at the registrar and then insert false entries in DNS. The attack is very effective at distributing malware since users are visiting legitimate domains. Additionally, attackers can create a new CNAME record in DNS to purchase a legitimate SSL certificate. This makes the attack much more devastating. While Trump Organization officials deny their domains were compromised, passive DNS records show that this is an inarguable fact.
Read more in:
Fifth Domain: Trump a victim of hackers years before election
https://www.fifthdomain.com/civilian/2017/11/06/trump-a-victim-of-hackers-years-before-election/
Mother Jones: Hackers Compromised the Trump Organization 4 Years Ago-and the Company Never Noticed
--
Cryptographic Flaw in IEEE Standard
(November 4, 2017)
The CERT Division of the Software Engineering Institute at Carnegie Mellon University has issued a warning about a cryptographic flaw in an IEEE standard that could be exploited to gain access to intellectual property in plaintext. The IEEE P1735 standard is used to protect digital intellectual property. It allows vendors to combine their code to create new products while ostensibly protecting their intellectual property from reverse engineering and theft.
[Editor Comments]
[Ullrich] This flawed standard is less likely going to affect end users, but more a problem to manufacturers of "Systems on a Chip" devices. The standard is used to encrypt and authenticate drawings exchanged between companies. An adversary would be able to replace features in drawings (for example adding a backdoor) without the manufacturer of the device realizing that they are producing an altered circuit.
Read more in:
Bleeping Computer: Crypto Bugs in IEEE Standard Expose Intellectual Property in Plaintext
Threatpost: US-CERT Warns of Crypto Bugs in IEEE Standard
https://threatpost.com/us-cert-warns-of-crypto-bugs-in-ieee-standard/128784/
CERT: IEEE P1735 implementations may have weak cryptographic protections
https://www.kb.cert.org/vuls/id/739007
ePrint: Standardizing Bad Cryptographic Practice (PDF)
https://eprint.iacr.org/2017/828.pdf
--
Siemens Releasing Updates for SIMATIC PCS 7 Vulnerability
(November 3, 2017)
Siemens has begun releasing updates to address an input validation vulnerability in its SIMATIC PCS 7 distributed control systems. The issue affects versions 8.2 and 8.1 prior to 8.1 SP1 with WinCC v.7.3 Update 13 and could be exploited to crash services on vulnerable systems.
Read more in:
Threatpost: Siemens Update Patches Simatic PCS 7 Bug in Some Versions
https://threatpost.com/siemens-update-patches-simatic-pcs-7-bug-in-some-versions/128753/
ICS-CERT: Advisory (ICSA-17-306-01) Siemens SIMATIC PCS 7
https://ics-cert.us-cert.gov/advisories/ICSA-17-306-01
INTERNET STORM CENTER TECH CORNER
PDF Parser for URLs and Text Content of PDFs
Crunchyroll.com Redirect Leads to Malware
https://blog.ellation.com/crunchyroll-com-update-a2a593cf9155
https://bartblaze.blogspot.com.au/2017/11/crunchyroll-hack-delivers-malware.html
IEEE P1735 Standard Leads to Weak Crypto (PDF)
https://eprint.iacr.org/2017/828.pdf
Mobile Pwn2Own Contest 2017
https://www.zerodayinitiative.com/blog
OpenSSL Patch
https://www.openssl.org/news/secadv/20171102.txt
Fake WhatsApp App in Google Play Store
https://www.reddit.com/r/Android/comments/7ahujw/psa_two_different_developers_under_the_same_name/
Recovering Previously Encrypted iOS Backups
https://www.gillware.com/forensics/blog/digital-forensics-case-study/new-solution-encrypted-backups/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create