SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #13

February 16, 2016

FLASH: Today's discovery by Google matters to mobile, ICS, and server
users. See the first story.

---

TOP OF THE NEWS

Google Security Team Finds Remote Code Execution Flaw
Ransomware Hits California Hospital
Cybersecurity National Action Plan
Ransomware Hits California Hospital
Cybersecurity National Action Plan

THE REST OF THE WEEK'S NEWS

Password Protected Bitcoin Wallets Vulnerable to Theft
MazarBOT Trojan Steals Bank Account Access Data
Fysbis Trojan
Adobe Reissues Faulty Creative Cloud Update
VMware Reissues Inadequate Patch
Man Pleads Guilty to Money Laundering in PBX Scam
Nasdaq Will Use Blockchain for Shareholder Voting
Teen Arrested in Connection with DHS and FBI Employee Data Leak
Mozilla Updates Firefox and Firefox Extended Support Release
BlackEnergy Malware May Have been Used in Attacks on Ukrainian
Railway and Mining Company
Railway and Mining Company
Mozilla Updates Firefox and Firefox Extended Support Release
BlackEnergy Malware May Have been Used in Attacks on Ukrainian
Railway and Mining Company

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

********************* Sponsored By AlienVault **************************

Case Study: How the City of Lewiston Improved Threat Detection with AlienVault USM. Wednesday, February 17, 2016 at 11:00 AM EDT (16:00:00 UTC) with Danny Santiago and Dave Shackleford. Join this webcast to hear first-hand how the AlienVault Unified Security Management (USM) solution has helped this organization improve threat detection and incident response.
http://www.sans.org/info/183355

***************************************************************************

TRAINING UPDATE

- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

- --SANS 2016 | Orlando, Florida | March 12-21 | 43 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
www.sans.org/u/dyG

- --SANS Northern Virginia - Reston | April 4-9 | 9 courses including the NEW, Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course
www.sans.org/u/dzf

- -- SANS Atlanta | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks and 6 courses; including the new FOR578 Cyber Threat Intelligence course.
http://www.sans.org/u/dgM

- -- SANS Pen Test Austin | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Google Security Team Finds Remote Code Execution Flaw in glibc's getaddinfo function used Widely in Mobile Phones, Servers, and Industrial Control Systems (February 17, 2016)

Google released a blog post announcing that it found a stack-based buffer overflow in glibc's getaddrinfo function. The issue, which has been assigned CVE-2015-7547, can lead to remote code execution even though Google states that exploitation is "not straight forward". A patch has been made available and major linux distributions have released updates. Exploitation will require the victim to attempt to resolve an address, and the response will be larger then 2048 bytes. Under certain conditions, glibc will not correctly expand the allocated memory leading to a buffer overflow. Google has been able to create a PoC exploit, but has so far not published it. This bug affects any system or device that uses glibc and getaddrinfo to resolve host names. This includes devices like mobile phones, servers and industrial control systems.

Ransomware Hits California Hospital (February 15, 2016)

Computer systems at the Hollywood Presbyterian Medical Center in southern California have fallen prey to ransomware. The systems have been offline for more than a week. Employees were not able to access patient files and the hospital declared the situation an internal emergency. The FBI, the Los Angeles Police Department, and cyberforensics experts are investigating. The attackers have demanded a ransom of 9,000 Bitcoins (approximately US $3.6 million; 3.2 million euros.)
-http://www.zdnet.com/article/hollywood-hospital-becomes-ransomware-victim/
-http://www.computerworld.com/article/3032310/security/hollywood-hospital-hit-wit
h-ransomware-hackers-demand-3-6-million-as-ransom.html
-http://www.bbc.com/news/technology-35584081
[Editor's note (Williams): This should be a wakeup call for organizations to plan today for how they will react to a ransomware attack (the answer should be a good DRP). We've seen several ransomware attacks where attackers were unaware that they had compromised a business and were still asking for relatively small ransom ($500 vs. millions). If presented with that opportunity, pay up immediately. Even the FBI recommends that paying is often the best strategy in case of ransomware (
-http://www.businessinsider.com/fbi-recommends-paying-ransom-for-infected-compute
r-2015-10).
(Murray): The HIPAA privacy rules have had the perverse effect of holding back the application of IT to health care without delivering the promised security. Health care security ranks just a little above that of government. (Honan): Ransomware attacks are a prime example of why you need to ensure you have effective Business Continuity Plans tied into your Security Incident Response processes. You should make sure to include Cyber- attacks into your own business continuity planning and contingencies. (Northcutt): Blessed are those with recent full backups . . . just remember to physically remove the backup drive from the system after making the backup. Ransom32 is the current state of the art and a couple graduate students of the SANS Technology Institute just completed a detailed analysis of that software:
-http://securitywa.blogspot.com/2016/02/javascript-ransomware-attack.html]

Cybersecurity National Action Plan (February 12, 2016)

President Obama's Cybersecurity National Action Plan (CNAP) aims to "enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security."
-http://www.nextgov.com/cybersecurity/2016/02/obamas-war-hackers/125930/?oref=ng-
channeltopstory
-http://www.natlawreview.com/article/president-obama-unveils-cybersecurity-nation
al-action-plan-and-issues-two-new
[Editor's Note (Honan): In a timely coincidence the European Network Information Security Agency (ENISA) today launched an E-learning platform on National Cyber Security Strategies for experts involved in the process of creating or implementing a strategy at a national level. (Paller): Proposing all this in the last year of the administration, with almost no chance of Congressional adoption, is too little, too late. The new Federal CIO (Tony Scott) demonstrated what could be done through his cybersprint, but this administration has done nothing to correct its fundamental error of forcing agencies to follow NIST guidance that encourages them to measure the wrong things and spend billions on useless reports and ineffective defenses. ]

---

************************** SPONSORED LINKS ********************************
1) Hunting and Farming : Concepts and Strategies to Improve Your Cyber Defenses. Wednesday, February 24, 2016 at 1:00 PM EDT (18:00:00 UTC) with Ben Johnson. http://www.sans.org/info/183365

2) InfoSec Pros: Give us an update on your Incident Response policies & practices in the 2016 Survey. http://www.sans.org/info/183370
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Password Protected Bitcoin Wallets Vulnerable to Theft (February 15, 2016)

Digital thieves stole more than US $100,000 in Bitcoins from accounts that were protected with passwords rather than with lengthy cryptographic keys. Dubbed "brain wallets," these Bitcoin accounts were thought by some to be well protected because the access information was stored in account holders' brains, not digitally. Over a six-year period, thieves cracked nearly 900 such wallets to steal more than 1,800 Bitcoins.
-http://arstechnica.com/security/2016/02/password-cracking-attacks-on-bitcoin-wal
lets-net-103000/

MazarBOT Trojan Steals Bank Account Access Data (February 15, 2016)

A Trojan horse program that targets Android devices is capable of wiping the phones it compromises and stealing bank account access credentials. MazarBOT spreads through maliciously crafted multimedia messages. Because MazarBOT can read SMS messages, it can thwart two-factor authentication schemes in which access codes are sent to the device. MazarBOT is being used in active attacks. In an interesting twist, MazarBOT affects Android devices around the world, except those based on the Russian language.
-http://www.theregister.co.uk/2016/02/15/android_trojan_mazar_bot/
-http://www.zdnet.com/article/sms-android-malware-roots-and-hijacks-your-device/
-http://www.computerworld.com/article/3033392/security/malware-targets-all-androi
d-phones-except-those-in-russia.html
-https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android
-malware/

Fysbis Trojan (February 15, 2016)

The Pawn Storm cyberespionage group is using a Trojan horse program called Fysbis to infect Linux systems. Pawn Storm is believed to operate out of Russia and has been active since 2007. Fysbis can install without without root privileges.
-http://www.computerworld.com/article/3033195/security/russian-cyberspy-group-use
s-simple-yet-effective-linux-trojan.html
[Editor's Note (Murray): If one is compromised, one is compromised. One's only interest in the software used is the indicators of compromise. At the system level the remediation is the same. ]

Adobe Reissues Faulty Creative Cloud Update (February 15, 2016)

Adobe has reissued an update for Creative Cloud because the first version was deleting Mac users' files. The problematic update is version 3.5.0.206. When users updated to that version, the software deleted the first folder on the hard drive.
-http://www.bbc.com/news/technology-35577498
-http://www.zdnet.com/article/adobe-pulls-creative-cloud-update-that-deleted-appl
e-mac-data/
-http://www.theregister.co.uk/2016/02/15/adobe_re_releases_creative_cloud_update/

VMware Reissues Inadequate Patch (February 14, 2016)

VMware has released a new patch for a vulnerability in vCenter server that was inadequately addressed by a patch first issued in October 2015. The issue is an unsecurely configured JMX RMI service that can be accessed remotely. The patch is for vCenter Server 5.x on Windows.
-http://www.theregister.co.uk/2016/02/14/vmware_re_issues_patch/
-https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=di
splayKC&externalId=2144428
[Editor's Note (Williams): From VmWare's own site: "If Windows Firewall is enabled on the Windows system that runs vCenter Server, remote code execution is not possible." Though things aren't quite that simple this is another great example of a vulnerability at least partially mitigated by good defense in depth. ]

Man Pleads Guilty to Money Laundering in PBX Scam (February 12, 2016)

A man has admitted to laundering US $19.6 million for a group that stole close to US $50 million by breaking into PBX telephone systems at companies, finding phone extensions that were not assigned to employees, and reprogramming them so they could make long-distance calls to premium numbers operated by the group. Muhammad Sohail Qasmani has pleaded guilty to one count of conspiracy to commit wire fraud. In all, the group responsible for the scheme is believed to have made US $50 million over a four-year period.
-http://www.theregister.co.uk/2016/02/12/pbx_hacking_nets_crooks_50m/
-http://www.darkreading.com/attacks-breaches/man-admits-to-laundering-$196-millio
n-in-hacking-telecom-fraud-scam/d/d-id/1324296?

Nasdaq Will Use Blockchain for Shareholder Voting (February 12, 2016)

Nasdaq plans to use a blockchain system to record shareholder votes for companies listed on its Tallinn, Estonia exchange.
-http://www.computerworld.com/article/3032133/financial-it/nasdaq-to-use-blockcha
in-to-record-shareholder-votes.html
-http://www.cnbc.com/2016/02/12/nasdaq-to-trial-blockchain-voting-for-shareholder
s.html

Teen Arrested in Connection with DHS and FBI Employee Data Leak (February 12 and 15, 2016)

British police have arrested a 16-year-old for allegedly leaking personal information belonging to 9,000 Department of Homeland Security (DHS) employees and 20,000 FBI employees. The teen also allegedly broke into CIA Director John Brennan's AOL email account, which contained sensitive documents.
-http://www.scmagazine.com/british-authorities-and-fbi-arrest-crackas-with-attitu
de-teen-suspect-in-uk/article/473891/
-http://www.zdnet.com/article/alleged-cia-fbi-hacker-cracka-arrested-by-uk-police
/
-http://www.theregister.co.uk/2016/02/15/blighty_nabs_teen_brit_twit_for_hacking_
cia_brennans_aol_account/
-https://www.washingtonpost.com/world/national-security/british-teen-arrested-in-
hacking-of-top-us-intelligence-officials/2016/02/12/7b87351e-d1a5-11e5-b2bc-9884
09ee911b_story.html

Mozilla Updates Firefox and Firefox Extended Support Release (February 11 and 12, 2016)

Mozilla has updated its Firefox browser and Firefox Extended Support Release (ESR) to fix critical flaws that could be exploited to allow same-origin policy violations and arbitrary code execution. The most current version of Firefox is now 44.0.2, and the most current version of Firefox ESR is 38.6.1.
-http://www.scmagazine.com/mozilla-fixes-critical-vulnerabilities-in-firefox-brow
ser-and-extended-support-release/article/473866/
Firefox:
-https://www.mozilla.org/en-US/security/advisories/mfsa2016-13/
Firefox ESR:
-https://www.mozilla.org/en-US/security/advisories/mfsa2016-14/

BlackEnergy Malware May Have been Used in Attacks on Ukrainian Railway and Mining Company (February 12, 2016)

According to Trend Micro, BlackEnergy malware, which was used in attacks on Ukrainian power stations, may also have been used to launch attacks against a railway company and a mining company in that country.
-http://www.darkreading.com/threat-intelligence/ukraine-railway-mining-company-at
tacked-with-blackenergy/d/d-id/1324304?

---

STORM CENTER TECH CORNER

Ransomware Encrypts British Website
-http://www.theregister.co.uk/2016/02/12/this_is_what_it_looks_like_when_your_web
site_is_hit_by_nasty_ransomware/

Cracking PHP rand()
-http://www.sjoerdlangkemper.nl/2016/02/11/cracking-php-rand/

Cisco Universal Small Cell Devices Unauthorized Firmware Retrieval
-https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-2
0160212-usc

Exploiting (pretty) Blind SQL Injection
-https://isc.sans.edu/forums/diary/Exploiting+pretty+blind+SQL+injections/20733/

Multi Architecture Malware Against Devices
-https://isc.sans.edu/forums/diary/More+MultiArchitecture+IoT+Malware/20731/

VoIP Phone Exploits
-https://paul.reviews/pwnphone-default-passwords-allow-covert-surveillance/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/