
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #97

December 12, 2017


****************************************************************************

SANS NewsBites               December 12, 2017                Vol. 19, Num. 097

****************************************************************************

TOP OF THE NEWS

Hacker Confessed to Being Hired by Russian State Intelligence to Hack the DNC During the Election

MoneyTaker Theft Ring Targets Banks

REST OF THE WEEK'S NEWS

HP Releases Update to Fix Synaptics Touchpad Driver Security Issue

ProxyM Botnet

Python Script Recovers Hidden Event Logs

Vietnamese Man Jailed Over Australian Airport Hack

Mozilla Patches Critical Flaws in Firefox

Google Adds National Security Letter Content to Transparency Report

Guilty Pleas in ATM Skimming Case

Apple Fixes HomeKit Flaw

Process Doppelganging Code Injection Technique

John Pescatore's Cybersecurity Predictions for 2018

INTERNET STORM CENTER TECH CORNER


***************************  Sponsored By Sophos Inc. ***********************


How does a typical ransomware attack happen? What are some of the common security mistakes organizations make? And what security measures should be in place to keep you secure? Read this ransomware whitepaper to find out. http://www.sans.org/info/200595


*****************************************************************************

TRAINING UPDATE


-- SANS Security East 2018 | New Orleans, LA | January 8-13 | https://www.sans.org/event/security-east-2018


-- SANS Amsterdam January 2018 | January 15-20 | https://www.sans.org/event/amsterdam-january-2018


-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018


-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018


-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018


-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018


-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018


-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018


-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018


-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Get a 10.5-inch iPad Pro with Smart Keyboard, or an ASUS Chromebook Flip, or take $400 Off OnDemand or vLive Training when you register by December 13. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast https://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all


*****************************************************************************

TOP OF THE NEWS

 --

Hacker Confessed to Being Hired by Russian State Intelligence to Hack the DNC During the Election

(December 11, 2017)

The Russian news site The Bell reported that Konstantin Kozlovsky testified in a Russian court that he carried out attacks, including the intrusion into the Democratic National Committee, at the request of the FSB (the KGB's successor). If accurate, the testimony is a first-hand account of Russian interference in the 2016 US presidential election and directly contradicts Putin's denials of any involvement; the claim has not been independently corroborated.

http://fortune.com/2017/12/11/russian-hacking-election-confession/

http://www.businessinsider.com/russian-hacker-democrats-dnc-intelligence-2017-12


 --

MoneyTaker Theft Ring Targets Banks

(December 11, 2017)

A cyber crime group nicknamed MoneyTaker has targeted banks in the US, Russia and Latin America, stealing roughly $10 million USD since May 2016. The group breaks into bank networks and tampers with card processing systems so that cards held by its money mules can be used for fraudulent ATM withdrawals. From many of the targeted banks the group has also stolen admin guides, change request forms and other internal documentation, which it appears to use to prepare subsequent attacks.


Read more in:

Ars Technica: Hackers hit key ATM network in crime spree that clears $10 million

https://arstechnica.com/information-technology/2017/12/hackers-hit-key-atm-network-in-crime-spree-that-clears-10-million/

The Register: New Ruski hacker clan exposed: They're called MoneyTaker, and they're gonna take your money

http://www.theregister.co.uk/2017/12/11/russian_bank_hackers_moneytaker/

Dark Reading: Russian-Speaking 'MoneyTaker' Group Helps Itself to Millions from US Banks

https://www.darkreading.com/attacks-breaches/russian-speaking-moneytaker-group-helps-itself-to-millions-from-us-banks/d/d-id/1330608


**************************  SPONSORED LINKS  ********************************


1) "Stop All Imposter Threats Coming Into and Going Out of your Organization" with Ryan Terry and John Pescatore: http://www.sans.org/info/200600


2) Don't Miss: "2017 Trends and Strategies for Protecting Endpoints in Healthcare."  Register: http://www.sans.org/info/200605


3) Register for "Who Owns ICS Security? Fusing IT, OT, & IIoT Security in the Corporate SOC." with Doug Wylie. http://www.sans.org/info/200610


*****************************************************************************

THE REST OF THE WEEK'S NEWS  

 --

HP Releases Update to Fix Synaptics Touchpad Driver Security Issue

(December 11, 2017)

HP has released driver updates to remove a dormant keystroke logger from the Synaptics touchpad driver shipped on more than 460 HP laptop models. The logging is a developer-level debug trace (Windows software trace preprocessor, WPP) left in the production driver. It is off by default, but anyone with administrative privileges on the machine can switch it on and then read keystrokes from the trace output. Because enabling it already requires admin rights, this is not a remote or privilege-escalation vector; its value to an attacker is as a quiet, vendor-signed keylogger on a machine that is already compromised, which is why the update, which strips the WPP code from the driver, is still worth installing. HP's bulletin lists the affected models; users should check it and update their drivers.


Read more in:

eWeek: Researcher Discovers Hidden Keylogger in HP Keyboard Driver

http://www.eweek.com/security/researcher-discovers-hidden-keylogger-in-hp-keyboard-driver

Ars Technica: Laptop touchpad driver included extra feature: a keylogger

https://arstechnica.com/information-technology/2017/12/touchpad-driver-with-keylogger-found-on-hp-may-affect-many-other-notebooks/

Threatpost: Leftover Debugger Doubles as a Keylogger on Hundreds of HP Laptop Models

https://threatpost.com/leftover-debugger-doubles-as-a-keylogger-on-hundreds-of-hp-laptop-models/129127/

HP: Security Bulletin: Synaptics Touchpad Driver Potential, Local Loss of Confidentiality

https://support.hp.com/us-en/document/c05827409

ZwClose: HP keylogger

https://zwclose.github.io/HP-keylogger/


 --

ProxyM Botnet

(December 11, 2017)

An Internet of Things (IoT) botnet known as ProxyM is being used to hide the origin of attacks on web applications: the infected devices act as proxies that relay SQL injection, cross-site scripting (XSS), local file inclusion (LFI) and other malicious requests, so the attacks appear to come from the compromised devices rather than from their operators. ProxyM has been active since February 2017. A practical consequence for defenders is that blocking the source addresses seen in web server logs only blocks the relays, not the attacker.


Read more in:

Bleeping Computer: ProxyM Botnet Used as Relay Point for SQLi, XSS, LFI Attacks

https://www.bleepingcomputer.com/news/security/proxym-botnet-used-as-relay-point-for-sqli-xss-lfi-attacks/

 

 --

Python Script Recovers Hidden Event Logs

(December 8 & 11, 2017)

Researchers at Fox-IT have developed a Python script that recovers Windows Event Log (EVTX) records removed by the "eventlogedit" module of DanderSpritz, a post-exploitation framework from the 2017 Shadow Brokers leak that is attributed to the NSA. The module does not actually delete the record; it strips the record's own header and folds its bytes into the preceding, innocuous record by enlarging that record's size field. The hidden event is therefore still on disk but is never displayed, because "all tested viewers parse the record binXml message data until the first end-tag and then move on to the next record." Detection follows from the same observation: a record whose declared size extends past the end of its first complete event carries hidden data, and the gap left in the otherwise sequential record identifiers is a second tell. The Fox-IT script walks every record, re-parses whatever sits after the first end-tag, and writes the recovered events out.
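The following is an added example, not Fox-IT's script, that models the hiding and the recovery on a toy record format. The record layout (magic, size, record id, body, size) is loosely modelled on EVTX, but the bodies are plain XML-ish bytes rather than binXml so that the "parse until the first end-tag" behaviour is visible; the three sample events and the hypothetical hide_record function are constructed for the demonstration.

```python
import struct
from typing import Iterator, List, Optional, Tuple

# Toy record layout, loosely modelled on an EVTX record:
#   magic(4) | size(4) | record_id(8) | body | size(4)
# Real bodies are binXml; here they are XML-ish bytes so the end-tag logic is
# visible. All sample data below is constructed for this example.
MAGIC = b"**\x00\x00"
END_TAG = b"</Event>"


def pack_record(record_id: int, body: bytes) -> bytes:
    size = 4 + 4 + 8 + len(body) + 4
    return MAGIC + struct.pack("<IQ", size, record_id) + body + struct.pack("<I", size)


def iter_records(chunk: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk records by their size field, exactly as a log viewer does."""
    off = 0
    while off < len(chunk):
        if chunk[off:off + 4] != MAGIC:
            raise ValueError("bad record magic at offset %d" % off)
        size, record_id = struct.unpack_from("<IQ", chunk, off + 4)
        yield record_id, chunk[off + 16:off + size - 4]
        off += size


def hide_record(chunk: bytes, victim_id: int) -> bytes:
    """Mimic eventlogedit (hypothetical reimplementation): drop the victim's
    header and trailer and fold its body into the preceding record, enlarging
    that record's size field. The victim's bytes now sit after the preceding
    record's end-tag, inside a record that still looks well-formed."""
    records = list(iter_records(chunk))
    out: List[bytes] = []
    i = 0
    while i < len(records):
        rid, body = records[i]
        if i + 1 < len(records) and records[i + 1][0] == victim_id:
            body += records[i + 1][1]
            i += 1
        out.append(pack_record(rid, body))
        i += 1
    return b"".join(out)


def naive_view(chunk: bytes) -> List[str]:
    """What Event Viewer and most parsers show: each body up to its first end-tag."""
    shown = []
    for _, body in iter_records(chunk):
        idx = body.find(END_TAG)
        shown.append((body if idx < 0 else body[:idx + len(END_TAG)]).decode())
    return shown


def recover(chunk: bytes) -> List[Tuple[Optional[int], str, bool]]:
    """Fox-IT style recovery: anything after the first end-tag but still inside
    the record's declared size is a hidden event. Returns (record_id, xml,
    was_hidden); a hidden record has lost its header, so its id is None."""
    found: List[Tuple[Optional[int], str, bool]] = []
    for rid, body in iter_records(chunk):
        rest, first = body, True
        while rest:
            idx = rest.find(END_TAG)
            if idx < 0:          # trailing bytes that are not a complete event
                break
            end = idx + len(END_TAG)
            found.append((rid if first else None, rest[:end].decode(), not first))
            rest, first = rest[end:], False
    return found


def id_gaps(chunk: bytes) -> List[int]:
    """Record ids are sequential; a missing id is a second indicator of editing."""
    ids = [rid for rid, _ in iter_records(chunk)]
    return [n for n in range(ids[0], ids[-1] + 1) if n not in ids]


# Constructed sample log: three events; the middle one is what the intruder removes.
SAMPLE = b"".join([
    pack_record(100, b"<Event><EventID>4624</EventID><User>alice</User></Event>"),
    pack_record(101, b"<Event><EventID>4688</EventID><Process>mimikatz.exe</Process></Event>"),
    pack_record(102, b"<Event><EventID>4634</EventID><User>alice</User></Event>"),
])
TAMPERED = hide_record(SAMPLE, 101)

if __name__ == "__main__":
    print("viewer shows %d events; missing ids: %s" % (len(naive_view(TAMPERED)), id_gaps(TAMPERED)))
    for rid, xml, hidden in recover(TAMPERED):
        print("HIDDEN" if hidden else "      ", rid, xml)
```

Run against the tampered chunk, the naive viewer shows two events, the id check reports 101 as missing, and recover() returns three events with the 4688 process-creation record flagged as hidden. Against a real EVTX file the same approach has to be applied to binXml bodies, which is what the Fox-IT script on GitHub does.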


Read more in:

Fox-IT: Detection and recovery of NSA's covered up tracks

https://blog.fox-it.com/2017/12/08/detection-and-recovery-of-nsas-covered-up-tracks/

Bleeping Computer: Script Recovers Event Logs Doctored by NSA Hacking Tool

https://www.bleepingcomputer.com/news/security/script-recovers-event-logs-doctored-by-nsa-hacking-tool/

 

 --

Vietnamese Man Jailed Over Australian Airport Hack

(December 10, 2017)

In March 2016, a hacker broke into the computer network of Perth Airport in Australia and stole data about the facility's physical security and building schematics. The hacker, Le Duc Hoang Hai, a Vietnamese national, used the credentials of a third-party contractor to gain access to the airport network. Australian authorities traced the attack to Vietnam, and the Australian Federal Police shared information with Vietnamese authorities, who arrested Hai. He was also found to have broken into infrastructure networks in Vietnam. A Vietnamese military court convicted him and sentenced him to four years in prison.


Read more in:

The West Australian: 'Significant amount' of sensitive security data stolen in Perth Airport hacking

https://thewest.com.au/news/wa/significant-amount-of-sensitive-security-data-stolen-in-perth-airport-hacking-ng-b88686393z

 

 --

Mozilla Patches Critical Flaws in Firefox

(December 8, 2017)

Mozilla has fixed two security flaws that affect Firefox and Firefox ESR. A critical buffer overflow in the ANGLE graphics library affects only users running Microsoft Windows; the flaw "is due to an incorrect value being passed within the library during checks and results in a potentially exploitable crash." A second, less severe flaw could be exploited from private browsing mode "to write persistent data to IndexedDB and fingerprint a user uniquely." Users should update to Firefox 57.0.2 or Firefox ESR 52.5.2.


Read more in:

Mozilla: Security vulnerabilities fixed in Firefox 57.0.2

https://www.mozilla.org/en-US/security/advisories/mfsa2017-29/

Mozilla: Security vulnerabilities fixed in Firefox ESR 52.5.2

https://www.mozilla.org/en-US/security/advisories/mfsa2017-28/

SC Magazine: Mozilla patches two vulnerabilities, one rated critical

https://www.scmagazine.com/mozilla-patches-two-vulnerabilities-one-rated-critical/article/712883/

 

 --

Google Adds National Security Letter Content to Transparency Report

(December 8, 2017)

Google's Transparency Report now includes the text of National Security Letters (NSLs) whose non-disclosure requirements the FBI has determined no longer apply. Google has published the letters both in the Transparency Report and in a blog post. The Transparency Report also gains a new section with data about government requests to remove content from YouTube and other Google services.


Read more in:

ZDNet: Google lifts lid on FBI data requests: Now you can read actual letters online

http://www.zdnet.com/article/google-lifts-lid-on-fbi-data-requests-now-you-can-read-actual-letters-online/

Google: New government removals and National Security Letter data

https://www.blog.google/topics/public-policy/new-government-removals-and-national-security-letter-data/

 

 --

Guilty Pleas in ATM Skimming Case

(December 8, 2017)

Seven people from Romania have pleaded guilty in a Boston court to charges related to an ATM skimming scheme. Charges include conspiracy to use counterfeit access devices, possession of device making equipment, aggravated identity theft, and conspiracy to conduct enterprise affairs through a pattern of racketeering activity, or RICO conspiracy. Five other alleged co-conspirators remain at large. 


Read more in:

DoJ: Seven Romanian Nationals Plead Guilty to Racketeering Conspiracy and ATM Skimming

https://www.justice.gov/usao-ma/pr/seven-romanian-nationals-plead-guilty-racketeering-conspiracy-and-atm-skimming

 

 --

Apple Fixes HomeKit Flaw

(December 7 & 8, 2017)

Apple has fixed a vulnerability in the HomeKit framework in iOS 11.2 that could have been exploited to gain unauthorized remote control of smart locks, garage door openers and other HomeKit accessories. Apple mitigated the issue server-side, so users need take no action. The mitigation temporarily removes some functionality, notably remote access for shared users; Apple says full functionality will be restored in an iOS update expected this week.


Read more in:

9to5 Mac: Zero-day iOS HomeKit vulnerability allowed remote access to smart accessories including locks, fix rolling out

https://9to5mac.com/2017/12/07/homekit-vulnerability/

Threatpost: Apple Fixes Flaw Impacting Homekit Devices

https://threatpost.com/apple-fixes-flaw-impacting-homekit-devices/129114/

 

 --

Process Doppelgänging Code Injection Technique

(December 7, 2017)

In a talk at the Black Hat Europe 2017 conference in London last week, security researchers from enSilo described Process Doppelgänging, a new code injection technique. It abuses NTFS transactions (TxF): the attacker overwrites a legitimate executable inside a transaction, creates an image section from the transacted file, rolls the transaction back so the file on disk is never changed, and then starts a process from the section. Because the malicious code never reaches the disk and the process appears to be backed by the legitimate file, the attack is fileless and reportedly works on all supported versions of Windows; enSilo says it evaded every antivirus product they tested.


Read more in:

Bleeping Computer: "Process Doppelgnging" Attack Works on All Windows Versions

https://www.bleepingcomputer.com/news/security/-process-doppelg-nging-attack-works-on-all-windows-versions/

 

 --

John Pescatore's Cybersecurity Predictions for 2018

(December 2017)

Among John Pescatore's top five predictions for cybersecurity in 2018: attacks against cloud services will increase; growing consumer adoption of stronger security features in personal technology will push businesses to raise their own standards; and cyber insurance policies will not actually reduce the cost of breaches to businesses.


Read more in:

InfoSecurityBuzz: SANS Cybersecurity Trends And Predictions For 2018

https://www.informationsecuritybuzz.com/expert-comments/sans-cybersecurity-trends-predictions-2018/

 

INTERNET STORM CENTER TECH CORNER

Sometimes An RTF Document is Just an RTF Document

https://isc.sans.edu/forums/diary/Sometimes+its+a+dud/23115/


HP Keyboard Drivers Can Log Keystrokes

https://support.hp.com/us-en/document/c05827409

https://zwclose.github.io/HP-keylogger/


Android App Signature Bypass

https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures


MSFT Patches Antimalware Engine

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11937


Pornographic Spam Messages Used to Deliver Crypto Coin Miner

https://isc.sans.edu/forums/diary/Pornographic+malspam+pushes+coin+miner+malware/23119/


Microsoft Leaks TLS Private Key For Dynamics 365

https://medium.com/matthias-gliwka/microsoft-leaks-tls-private-key-for-cloud-erp-product-10b56f7d648


Proxy Botnet Used to Launch Variety of Web Application Attacks

https://news.drweb.com/show/?i=11627&lng=en


Fox-IT Releases Utility to Recover Manipulated Windows Logs

https://github.com/fox-it/danderspritz-evtx



******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create