
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVII - Issue #70

September 08, 2015

TOP OF THE NEWS

Researchers Disclose One Zero-Day Vulnerability in FireEye Security; Three More "For Sale"
Google Researcher Finds/Exploits Vulnerability in Kaspersky
Malicious Ads on Yahoo are Pushing Angler Exploit Kit

THE REST OF THE WEEK'S NEWS

Seagate Wireless Hard Drives Have Account with Hard-Coded Password
Police in Europe Arrest Two Men Wanted for Alleged Roles in Banking Malware
Cyber Intruders are Using Administrative Tools to Move Through Networks
Fiat Chrysler Recalls Nearly 8,000 Vehicles Over Another Software Vulnerability
Bugzilla Breach and Data Theft Led to Attacks Against Firefox
Gozi Banking Malware Author Charged
Cisco Updates Fix Denial-of-Service Flaw
Some Network Hardware Leaking Private Key Information


********************* Sponsored By Sophos Inc. ***************************

WEBCAST: Why Complexity is the Enemy of Enduser Security. Organizations are tasked with protecting their users and a broad range of endpoint devices from sophisticated attackers. Unfortunately, the complexity of the threats has been reflected in the complexity of security solutions. Learn how organizations can address IT risk without creating security chaos. Register today: http://www.sans.org/info/180045

***************************************************************************

TRAINING UPDATE

- --SANS Network Security 2015 | Las Vegas, NV | September 14-19, 2015 | Join our top-notch instructors in Las Vegas where they will be teaching more than 45 courses. Enhance your information security skills by taking one of our advanced courses in digital forensics, penetration testing, cyber defense, or secure app development. SANS Network Security 2015 also offers specialty courses within the fields of Industrial Control Systems, Security Management, IT Audit, and Legal.
http://www.sans.org/u/5ZT

- --SANS Cyber Defense Initiative 2015 | Wash DC | December 12-19, 2015 | Join more than 1,000 information security experts and peers for SANS' final training event of the year! More than 30 courses will be taught by SANS' top instructors. Three NetWars challenges - including the 2015 NetWars Tournament of Champions - and numerous SANS@Night presentations will also be featured. 36 courses
http://www.sans.org/u/7Qx

- --Data Breach Investigation Summit | Dallas, TX | September 21-26, 2015 | 4 courses
http://www.sans.org/u/7QM

- --SANS Baltimore 2015 | Baltimore, MD | September 21-26, 2015 | 4 courses
http://www.sans.org/u/7tq

- --SANS Seattle 2015 | Seattle, WA | October 5-10, 2015 | 6 courses
http://www.sans.org/u/7QR

- --SANS Tysons Corner 2015 | Tysons Corner, VA | October 12-17, 2015 | 8 courses
http://www.sans.org/u/7R6

- --SANS DFIR Prague 2015 | Prague, Czech Republic | October 5-17, 2015 | 11 courses
http://www.sans.org/u/7tF

- --SOS: SANS October Singapore | Singapore, Singapore | October 12-24, 2015 | 8 courses
http://www.sans.org/u/7tK

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --Save on OnDemand training (30 full courses) - See samples at OnDemand Specials - http://www.sans.org/u/Xy

Plus Amsterdam, Seoul, Tallinn, and Bangalore all in the next 90 days.

For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Researchers Disclose One Zero-Day Vulnerability in FireEye Security; Three More "For Sale" (September 7, 2015)

US security consultants Kristian Hermansen and Ron Perris have dropped a zero-day remote file disclosure vulnerability affecting FireEye kit and say they have another three flaws for sale.
-http://www.csoonline.com/article/2980937/vulnerabilities/researcher-discloses-zero-day-vulnerability-in-fireeye.html

Google Researcher Finds/Exploits Vulnerability in Kaspersky (September 7, 2015)

Kaspersky Lab has pushed out an emergency patch to fix flaws in several of its antivirus products. Google's Tavis Ormandy announced that he had created exploits for the vulnerabilities in the Kaspersky products before notifying the company.
-http://www.computerworld.com/article/2980726/security/kaspersky-lab-pushes-out-emergency-patch-for-critical-flaw.html

-http://www.ibtimes.com/kaspersky-fireeye-security-products-cracked-researchers-2085291

Malicious Ads on Yahoo are Pushing Angler Exploit Kit (September 7, 2015)

Researchers at Malwarebytes say that miscreants are distributing malware through advertisements on Yahoo. They are tricking automated ad delivery systems into displaying ads that contain embedded malware. This particular attack attempts to load the Angler Exploit Kit onto users' computers. Yahoo has taken steps to stop the malvertising.
-http://www.scmagazine.com/hackers-spread-malware-via-yahoo-ads/article/437075/
[Editor's Note (Northcutt): Wired magazine has a great non-technical overview of malvertising, including how it can be precisely targeted. Malwarebytes, who apparently discovered the Yahoo problem, posted an article on how the attack works and also the scope of the problem. Regardless, this is clearly Malvertising month; you can add match.com/POF and MSN to the list. If you work for an organization that earns revenue by displaying ads supplied by 3rd parties, you may want to look into safe frame:
-http://www.wired.com/insights/2014/11/malvertising-is-cybercriminals-latest-sweet-spot/

-https://blog.malwarebytes.org/malvertising-2/2015/08/large-malvertising-campaign-takes-on-yahoo/

-https://blog.malwarebytes.org/malvertising-2/2015/09/malvertising-found-on-dating-site-matchdotcom/

-https://blog.malwarebytes.org/malvertising-2/2015/08/angler-exploit-kit-strikes-on-msn-com-via-malvertising-campaign/

-http://www.iab.net/safeframe]


**************************** SPONSORED LINKS ******************************
1) Learn what it takes to build a successful threat intelligence program from real-world examples. Live webinar featuring Solutionary, a leading MSSP, on Wednesday, September 16 at 2:00 PM ET. Register now: http://www.sans.org/info/180050

2) What Works in Reducing Web Application Vulnerabilities: Using WhiteHat Sentinel to Increase Application Security Before and After Production Deployment. Thursday, September 10 at 3:00 PM EDT (19:00:00 UTC) featuring John Pescatore. http://www.sans.org/info/180055

3) Help SANS map the future use of Security Analytics and Intelligence. Take 2015 survey and enter to win $400 Amazon gift card. Results Webcast in two parts 11/11 and 11/12. http://www.sans.org/info/180060
***************************************************************************

THE REST OF THE WEEK'S NEWS

Seagate Wireless Hard Drives Have Account with Hard-Coded Password (September 7, 2015)

US-CERT has issued a vulnerability note warning of three vulnerabilities affecting certain Seagate wireless hard drives. One of the flaws involves "undocumented Telnet services" that can be accessed with hardcoded passwords. The others could be exploited to obtain "unrestricted file download capability" and "file upload capability." Seagate has released new firmware to address the problems.
-http://www.zdnet.com/article/seagate-hard-drives-open-to-hackers-thanks-to-hard-coded-password/

-http://www.theregister.co.uk/2015/09/07/files_on_seagate_wireless_disks_can_be_poisoned_purloined/

-http://www.kb.cert.org/vuls/id/903500
[Editor's Note (Honan): It is simply inexcusable that vendors use hardcoded passwords with an insecure service such as Telnet. Until vendors take more responsibility for securing their products, we are going to be in a constant uphill struggle to make our networks and systems secure. ]

Police in Europe Arrest Two Men Wanted for Alleged Roles in Banking Malware (September 7, 2015)

European authorities have arrested two men in connection with sophisticated banking malware. Both men were arrested outside their native countries and now face extradition to the US.
-http://krebsonsecurity.com/2015/09/arrests-tied-to-citadel-dridex-malware/

Cyber Intruders are Using Administrative Tools to Move Through Networks (September 6, 2015)

More and more often, cyber attackers are using tools already available on targeted systems to carry out their malicious activity. Once the attackers have gained a foothold in a network, usually through compromised credentials, they use the same administrative tools that organizations rely on to distribute patches and antivirus updates in order to move between systems and distribute malware.
-http://www.eweek.com/security/hackers-using-victims-own-software-to-breach-network-firm-says.html

[Editor's Note (Henry): These 'malware-free' intrusions are not new, and adversaries have been exploiting them for years. Organizations cannot detect these breaches by scanning the system looking for signatures, because they often are not there. Successful detection and mitigation requires the organization to proactively hunt for malicious 'activity,' such as dumping of credentials and lateral movement, to identify an attack in progress. ]

Fiat Chrysler Recalls Nearly 8,000 Vehicles Over Another Software Vulnerability (September 4 & 6, 2015)

Fiat Chrysler is recalling 7,810 2015 Jeep Renegades due to a vulnerability in the radio that could allow attackers to remotely control the vehicle. Most of the affected vehicles are still on dealer lots and will be patched there; Fiat Chrysler will send the owners of the remaining vehicles a USB drive containing the security update.
-http://www.computerworld.com/article/2980348/telematics/fiat-chrysler-recalls-7810-suvs-for-software-issues.html

-http://www.nbcnews.com/tech/security/fiat-chrysler-recalls-7-800-suvs-over-hacking-concerns-n422131

-http://thehill.com/policy/cybersecurity/252812-fiat-recalls-over-7000-hackable-vehicles

-http://www.theregister.co.uk/2015/09/06/fiat_chrysler_recalls_more_jeeps/

Bugzilla Breach and Data Theft Led to Attacks Against Firefox (September 4 & 5, 2015)

Mozilla has acknowledged that someone breached its Bugzilla tracking database, stealing information about more than 50 vulnerabilities. At least one of the vulnerabilities has already been used in an attack against users running Firefox. That flaw was patched early last month, and the most recent version of Firefox, 40.0.3, addresses all of the compromised vulnerabilities the intruder could have exploited.
-http://www.computerworld.com/article/2980745/web-browsers/mozilla-admits-bug-tracker-breach-led-to-attacks-against-firefox-users.html

-http://www.scmagazine.com/mozilla-firefox-confirms-breach-of-bugzilla-data/article/437077/

[Editor's Note (Honan): A prime example of why security programs need to extend beyond identifying and securing just PII and credit card data. Many companies need to realise that systems such as support desk systems, bug tracking systems, and even email contain information that could potentially cause a lot of damage to them. ]

Gozi Banking Malware Author Charged (September 4, 2015)

A man responsible for helping to code malware known as Gozi has pleaded guilty to conspiracy to commit computer intrusion. Deniss Calovskis admitted in federal court in New York City that he "knew that what [he] was doing was against the law." Gozi infected more than one million computers around the world and has been used to steal tens of millions of dollars. Two other suspects are in custody.
-http://thehill.com/policy/cybersecurity/252785-alleged-creator-of-infamous-gozi-virus-to-appear-in-court

-http://arstechnica.com/tech-policy/2015/09/man-who-helped-code-highly-destructive-financial-malware-pleads-guilty/

-http://www.nbcnews.com/tech/security/latvian-man-charged-massive-gozi-computer-virus-scheme-pleads-guilty-n421971

Cisco Updates Fix Denial-of-Service Flaw (September 4, 2015)

Cisco has issued updates to address a vulnerability that affects its Cisco Integrated Management Controller (IMC) Supervisor and Cisco UCS Director. The flaw could be exploited to create denial-of-service conditions. Users are urged to update to Cisco IMC Supervisor 1.0.0.1 and to Cisco UCS Director 5.2.0.1 or 5.3.0.0. The issue lies in the JavaServer Pages (JSP) input validation routines. There are no workarounds.
-http://www.scmagazine.com/vulnerability-addressed-in-cisco-imc-supervisor-and-cisco-ucs-director/article/437079/

-http://www.theregister.co.uk/2015/09/04/cisco_patches_overwrite_bug/

Some Network Hardware Leaking Private Key Information (September 4, 2015)

Network hardware from a handful of different manufacturers uses a flawed implementation of the RSA public key cryptographic standard, rendering the websites using the hardware susceptible to impersonation. The vulnerability is the result of errors that occasionally occur during computation of RSA signatures; the errors leak information that can be used to discover a site's private key.
-http://arstechnica.com/security/2015/09/serious-bug-causes-quite-a-few-https-sites-to-reveal-their-private-keys/
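The mechanism behind this item, as an added illustration that is not from the article or from any affected vendor: a toy RSA-CRT signer with a simulated one-off computation fault, showing why a signature with one wrong CRT half shares a factor with the modulus, and the standard countermeasure of verifying every signature against the public key before it leaves the device. The key, message and fault are constructed for the example.

```python
# Added example (not from the newsletter or any vendor's code): a toy RSA-CRT
# signer, a simulated fault in one CRT branch, the audit check that shows the
# fault leaks a prime factor, and a hardened signer that withholds bad output.
from math import gcd

# Constructed toy key: small primes so the arithmetic is readable.
# Real keys use 1024-bit primes; the leak works exactly the same way.
P, Q = 10007, 10009
N = P * Q
E = 65537
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)                 # private exponent (Python 3.8+)
DP, DQ = D % (P - 1), D % (Q - 1)   # CRT exponents
QINV = pow(Q, -1, P)                # q^-1 mod p, for Garner recombination


def sign_crt(m, fault=False):
    """RSA-CRT signature of message representative m (0 <= m < N).
    If fault is True, the mod-q half is corrupted, as a hardware glitch would."""
    s_p = pow(m, DP, P)
    s_q = pow(m, DQ, Q)
    if fault:
        s_q = (s_q + 1) % Q          # simulated error in one branch only
    h = (QINV * (s_p - s_q)) % P     # Garner's recombination step
    return s_q + h * Q


def verify(m, s):
    """Public-key check: does s^e recover m modulo N?"""
    return pow(s, E, N) == m


def leaked_factor(m, s):
    """Defender's audit check on an observed signature. For a correct signature
    this returns N (gcd(0, N)); for a signature that is right modulo one prime
    and wrong modulo the other it returns that prime, i.e. the key is exposed."""
    return gcd((pow(s, E, N) - m) % N, N)


def sign_checked(m, fault=False):
    """Hardened signer: verify before release; return None if the self-check
    fails so a faulty signature never reaches the network."""
    s = sign_crt(m, fault)
    return s if verify(m, s) else None


if __name__ == "__main__":
    msg = 424242                      # constructed message representative
    good, bad = sign_crt(msg), sign_crt(msg, fault=True)
    print("good verifies:", verify(msg, good), "audit:", leaked_factor(msg, good))
    print("faulty verifies:", verify(msg, bad), "audit:", leaked_factor(msg, bad))
    print("hardened signer releases faulty signature:", sign_checked(msg, fault=True))
```

Run against a real deployment, the same audit is simply: collect TLS signatures, verify each against the site's certificate, and treat any verification failure as a sign that the signing hardware must be taken out of service and the key replaced.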



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is a Principal at The Chertoff Group and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/