Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #101

December 27, 2016

TOP OF THE NEWS

Malware Used in DNC Hack Also Used to Infect Ukrainian Military App
NIST Publishes Cyber Attack Recovery Guidebook
US Congressional Encryption Working Group 2016 Year-End Report

THE REST OF THE WEEK'S NEWS

Apple Extends App Transport Security Deadline for Developers
FBI Investigating FDIC Breach
Signal Encrypted Messaging App Update Circumvents Blocking
VMware Hypervisor Patch
NIST Seeks Proposals for Post-Quantum Crypto Project
Firefox Multi-Process Architecture in Current Stable Version
EU Court Says Bulk Communications Data Retention Not Permitted
Methbot Ad Fraud Scheme Believed to Emanate from Russia
Five Years in Prison for Man Who Stole Nearly USD 1 Million From Online Bank Accounts

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


*********************** Sponsored By Sophos Inc. ************************

NEW Whitepaper: How to Ensure You're Not Part of the Next Botnet:

With an estimated 500,000 'Internet of Things' devices using default security credentials its little wonder the recent Mirai botnet's DDoS attack was able to cause such disruption. Organizations like yours are being targeted with malware in order to compromise your network. Continue reading: http://www.sans.org/info/191042

***************************************************************************

TRAINING UPDATE

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA | https://www.sans.org/event/security-east-2017

--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017

--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA | https://www.sans.org/event/anaheim-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | March 13-25, 2017 | Singapore, Singapore | https://www.sans.org/event/secure-singapore-2017

--SANS Online Training: Get an iPad Air 2, Samsung Galaxy Tab A, or a $350 discount with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

--Single Course Training

SANS Mentorhttps://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Malware Used in DNC Hack Also Used to Infect Ukrainian Military App (December 22, 2016)

Malware used in the breach of computers belonging to the US Democratic National Committee (DNC) has also been used to inject a Trojan horse program into an app used by Ukraine's military, according to researchers at CrowdStrike. The group responsible for both attacks is likely linked to Russia's military intelligence service. CrowdStrike CTO Dmitri Alperovitch notes that the source code for the malware, known as X-Agent, "is not publicly available."


[Editor Comments ]



[Assante ]
Conflicts with protracted cyber campaigns provide opportunities for sustained cyber threat TTP advancement. Ukraine has become Russia's forge for the refinement of cyber offense applications against institutions and infrastructures to influence, destabilize, disrupt, damage and find & fix military units. Reinforcing that it is not just about the tool but the people behind them and how they use those tools to meet their objectives. If this analysis holds up, the Russians have demonstrated the ability to integrate cyber into tactical battlefield kinetic operations.

Read more in:

Dark Reading: Malware Used In DNC Breach Found Tracking Ukraine Military
-http://www.darkreading.com/threat-intelligence/malware-used-in-dnc-breach-found-
tracking-ukraine-military/d/d-id/1327778?


Computerworld: group that hacked the DNC also infiltrated Ukrainian artillery units
-http://computerworld.com/article/3153169/security/group-that-hacked-the-dnc-also
-infiltrated-ukrainian-artillery-units.html

NIST Publishes Cyber Attack Recovery Guidebook (December 23, 2016)

The US National Institute of Standards and Technology (NIST) has published the Guide for Cybersecurity Event Recovery. The document describes the two phases of recovery: tactical and strategic. Tactical recovery is based on procedures established prior to a cyber attack; strategic recovery involves identifying lessons learned from the event and using those lessons to plan for recovery from future events. Recovery is one of five aspects of NIST's Cybersecurity Framework. The others are identification, protection, detection, and response.


[Editor Comments ]



[Williams ]
While there's no one size fits all guide to recovering from a cybersecurity incident, this NIST publication is a good start. Organizations that do not have a formal recovery plan can base their recovery plan on this NIST publication. Spending a few hours today can save huge amounts of time and expense later in the inevitable event of an incident.


[Shpantzer ]
I'm happy to see disruptive/destructive attacks explicitly addressed here, something we will see more of in the future. It's not all about sneaky APT Zero Day Nation State silent attacks on Confidentiality.


[Northcutt ]
This seems to map to the reality of our times. There are a number of companies offering solutions at this point. Here is a quick and readable overview:


-https://lunarline.com/blog/2015/04/guide-cyber-disaster-recovery-planning/

Read more in:

Federal News Radio: NIST gifts guidebook for recovering from cyber attack
-http://federalnewsradio.com/technology/2016/12/nist-gifts-guidebook-recovering-c
yber-attack/


NIST: Guide for Cybersecurity Event Recovery (PDF)
-http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf

US Congressional Encryption Working Group 2016 Year-End Report (December 20, 22, & 26, 2016)

According to a report from the Encryption Working Group, weakening encryption by requiring backdoors is contrary to the country's national interest, yet acknowledges law enforcement's need to access communications for investigations. The Encryption Working group was created when the FBI and Apple were unable to come to an agreement over the government's demands that Apple decrypt a shooting suspect's iPhone. It is composed of members of the US House Judiciary Committee and Energy and Commerce Committee.


[Editor Comments ]



[Murray ]
This report reflects the testimony heard by the Committee and ignored by Senators Burr and Feinstein in their proposal
-http://www.sfchronicle.com/opinion/editorials/article/Feinstein-encryption-bill-
sets-off-alarm-bells-7244584.php


Read more in:

eWeek: Congressional Report Backs Strong Encryption, Police Decryption Rights
-http://www.eweek.com/security/congressional-report-backs-strong-encryption-polic
e-decryption-rights.html


ZDNet: Encryption backdoors are against US national interest, say lawmakers
-http://www.zdnet.com/article/encryption-backdoors-are-against-us-national-intere
st-say-lawmakers/


US Dept. of Energy and Commerce: Encryption Working Group Releases Year-End Report
-https://energycommerce.house.gov/news-center/press-releases/encryption-working-g
roup-releases-year-end-report


US House Energy and Commerce Committee: Encryption Working Group Year-End Report (PDF)
-https://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/file
s/documents/114/analysis/20161219EWGFINALReport_0.pdf



*************************** SPONSORED LINKS ********************************

1) Trend Micro researchers published a report on the risks posed in using pagers with IT systems. http://www.sans.org/info/191047

2) Looking for a solution to your security issue? Visit the SANS Affiliate Directory for a list of vendors who may be able to help! http://www.sans.org/info/191052

3) Cyber Threat Intelligence Survey - Take the SANS 2017 Cyber Threat Intelligence Survey and enter to win a $400 Amazon Gift Card! http://www.sans.org/info/191062

******************************************************************************

THE REST OF THE WEEK'S NEWS

Apple Extends App Transport Security Deadline for Developers (December 23, 2016)

Apple has pushed out the deadline for app developers to implement support for the App Transport Security (ATS). The company had announced that developers would be required to adopt the feature, which was introduced in iOS 9, by January 1, 2017. The company has not announced new deadline.

Read more in:

The Register: Apple drops requirements for apps to use HTTPS by 2017
-http://www.theregister.co.uk/2016/12/23/apple_drops_requirement_for_apps_to_use_
https_by_2017/


Computerworld: Apple gives iOS app developers more time to encrypt communications
-http://computerworld.com/article/3152736/security/apple-gives-ios-app-developers
-more-time-to-encrypt-communications.html

FBI Investigating FDIC Breach (December 23, 2016)

The FBI is investigating a security breach of computers at the US Federal Deposit Insurance Corporation (FDIC) believed to have been conducted by attackers working on behalf of China's military. The intrusion began in 2010 and lasted for several years.

Read more in:

Reuters: Exclusive: FBI probes FDIC hack linked to China's military - sources
-http://www.theregister.co.uk/2016/12/23/apple_drops_requirement_for_apps_to_use_
https_by_2017/

Signal Messaging App Update Circumvents Blocking (December 21 & 23, 2016)

The Signal chat application has adopted a feature that allows it to circumvent blocking efforts put in place in Egypt and the United Arab Emirates (UAE). The feature uses domain fronting, which involves hiding traffic inside encrypted connections to major services.

Read more in:

The Register: Sneaky chat app Signal deploys decoy domains to deny despots
-http://www.theregister.co.uk/2016/12/23/signal_deploys_domain_deceit_to_deny_cen
sorship/


Wired: Encryption App 'Signal' Fights Censorship With a Clever Workaround
-https://www.wired.com/2016/12/encryption-app-signal-fights-censorship-clever-wor
karound/


Computerworld: Encrypted messaging app Signal uses Google to bypass censorship
-http://computerworld.com/article/3153059/security/encrypted-messaging-app-signal
-uses-google-to-bypass-censorship.html

VMware Hypervisor Patch (December 20 & 22, 2016)

VMware has made a patch available for a vulnerability in its ESXi hypervisor that could be exploited through cross-site scripting attacks. Fixes are available for ESXi hypervisor versions affected by the Host Client stored cross-site scripting issue. VMware cautions users "not to import VMs from untrusted sources."


[Editor Comments ]



[Williams ]
While you should always patch vulnerabilities as quickly as possible, this one isn't a "drop everything" patch. The vulnerability can be exploited only by those who can manage virtual machines on ESXi. Attackers could also exploit vulnerable deployments if they trick an admin into importing a specially crafted VM. This vulnerability can be exploited only in environments where infosec best practices are not being followed. Also, the latest version of ESXi is not vulnerable, likely because input sanitization is being applied due to better SDLC.

Read more in:

SC Magazine: VMware fixes stored XSS vulnerability in ESXi hypervisor
-https://www.scmagazine.com/vmware-fixes-stored-xss-vulnerability-in-esxi-hypervi
sor/article/627706/


VMware: VMware ESXi updates address a cross-site scripting issue
-http://www.vmware.com/security/advisories/VMSA-2016-0023.html

NIST Seeks Proposals for Post-Quantum Crypto Project (December 22, 2016)

The US National Institute of Standards and Technology (NIST) is seeking proposals for Post-Quantum Cryptography Standardization. NIST notes that "If large-scale quantum computers are ever built, they will be able to break many of the public key cryptosystems currently in use," and that "the goal of
[the project ]
is to develop cryptographic systems that are secure against both quantum and classical computers." Proposals are due to NIST by November 30, 2017.

Read more in:

GCN: NIST looks for defense against code-cracking quantum machines
-https://gcn.com/articles/2016/12/22/nist-quantum-encryption.aspx?admgarea=TC_Sec
CybersSec


NIST: Post-Quantum Crypto Project
-http://csrc.nist.gov/groups/ST/post-quantum-crypto/

Federal Register: Announcing Request for Nominations for Public-Key Post-Quantum Cryptographic Algorithms
-https://www.federalregister.gov/documents/2016/12/20/2016-30615/announcing-reque
st-for-nominations-for-public-key-post-quantum-cryptographic-algorithms

Firefox Multi-Process Architecture in Current Stable Version (December 21, 2016)

Mozilla's current stable release of Firefox, version 50, makes multi-process architecture available for most users and most extensions. All other major browsers (Edge, Internet Explorer, Chrome, and Safari) have already incorporated multiple process design, which means that their rendering engines are separated from the browser frames. The design helps improve browsers' stability and security.


[Editor Comments ]



[Murray ]
In order to make any claim to being securable, a process must be able to resist contamination by its input. Many of our desktop processes, specifically to include Flash, Reader, and many browsers, have been unable to meet this test.

Read more in:

Ars Technica: Firefox takes the next step toward rolling out multi-process to everyone
-http://arstechnica.com/information-technology/2016/12/firefox-takes-the-next-ste
p-towards-rolling-out-multi-process-to-everyone/

EU Court Says Bulk Communications Data Retention Not Permitted (December 21, 2016)

The European Court of Justice has ruled that governments in member nations may not compel communications network operators to retain customer data in bulk. The ruling is the result of a question brought by the UK Court of Appeals examining the legality of the UK's Data Retention and Investigatory Powers Act of 2014, and a similar issue raised by the Swedish telecommunications regulator. The ruling challenges recent laws passed in Britain regarding bulk data collection.

Read more in:

Computerworld: No more bulk communications data retention, top EU court tells U.K.
-http://computerworld.com/article/3152825/internet/no-more-bulk-communications-da
ta-retention-top-eu-court-tells-uk.html

Methbot Ad Fraud Scheme Believed to Emanate from Russia (December 20 & 21, 2016)

An advertising fraud scheme dubbed Methbot is believed to be responsible for stealing as much as USD 5 million a day by pretending to be be both major websites and end users. Methbot tricks advertising networks into believing that ads have been legitimately served. The scheme is believed to be operating out of Russia.


[Editor Comments ]



[Shpantzer ]
WhiteOps, co founded by Dan Kaminsky, discovered methbot and specializes in combatting online ad fraud. This is their report:
-https://www.whiteops.com/methbot

Read more in:

Dark Reading: Russian Hackers Run Record-Breaking Online Ad-Fraud Operation
-http://www.darkreading.com/operations/russian-hackers-run-record-breaking-online
-ad-fraud-operation/d/d-id/1327753


eWeek: Russian Methbot Attack Defrauds Advertisers
-http://www.eweek.com/security/russian-methbot-attack-defrauds-advertisers.html

KrebsOnSecurity: Report: $3-5M in Ad Fraud Daily From Methbot
-https://krebsonsecurity.com/2016/12/report-3-5m-in-ad-fraud-daily-from-methbot/

Five Years in Prison for Man Who Stole Nearly USD 1 Million From Online Bank Accounts (December 20, 2016)

A court in the UK has sentenced Tomasz Skowron to more than five years in prison for his role in a scheme that stole GBP 840,000 (USD 1.03 million) from online banking accounts. Skowron pleaded guilty to charges of conspiracy to defraud, fraud, and money laundering. Police became aware of the thefts after a number of fraudulent transfers were made from a bank in Australia to bank accounts in Britain. Several of the transactions were conducted over a public IP address that was traced to Skowron's home.

Read more in:

The Register: Kingpin in $1, global bank malware ring gets five years in chokey
-http://www.theregister.co.uk/2016/12/20/key_player_global_bank_malware_ring_jail
ed/


INTERNET STORM CENTER TECH CORNER

Critical RCE Flaw in PHPMailer
-https://isc.sans.edu/forums/diary/Critical+security+update+PHPMailer+5218+CVE201
610033/21855/

Malware Delays Execution with "Ping"
-https://isc.sans.edu/forums/diary/Pinging+All+The+Way/21849/

Apple Extends TLS Deadline
-https://developer.apple.com/news/?id=12212016b

vSphere Data Protection Known SSH Key
-http://www.vmware.com/security/advisories/VMSA-2016-0024.html

nmap Update
-https://nmap.org/download.html

SCCM Software Metering
-https://www.fireeye.com/blog/threat-research/2016/12/do_you_see_what_icc.html

CryptXXX Version 3 Decryptor Available
-https://noransom.kaspersky.com

Airline Inflight Entertainment System Hack
-http://blog.ioactive.com/2016/12/in-flight-hacking-system.html

Mirai Trying Various Telnet Alternatives
-https://isc.sans.edu/forums/diary/UPDATED+x1+Mirai+Scanning+for+Port+6789+Lookin
g+for+New+Victims+Now+hitting+tcp23231/21833/

Ukrainian Power Outages
-http://uawire.org/news/ukrenergo-claims-that-blackouts-in-kyiv-could-have-been-c
aused-by-hackers

OurMine Hacks Netflix and Other Twitter Accounts
-http://www.bbc.com/news/technology-38390343?ocid=socialflow_twitter

Methbot Generating Millions of Dollars with Click Fraud
-http://go.whiteops.com/rs/179-SQE-823/images/WO_Methbot_Operation_WP.pdf


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board