SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #19

March 08, 2016

For any reader considering becoming a "hunter," Ed Skoudis told 1,200
people attending his session at RSA 2016 last week about a tool that can
take data gathered from the network and logs and do automated anomaly
analysis of it based primarily on statistical analysis. It's called RITA
(Real Intelligence Threat Analysis) and is freely available from Black
Hills Information Security at:
http://www.blackhillsinfosec.com/#!rita/wrje5
More details are available here:
http://www.blackhillsinfosec.com/#!RITA-Real-Intelligence-Threat-Analysis/c1592/
5629695b0cf2f4d93f152218.
It doesn't look for changed files, but instead it looks for beaconing
of implanted malware / command-and-control channels, unusual concurrent
sessions, and more. Some of the top hunt teams in the world use it
regularly in their quests to find infected machines and other malicious
incursions.
Alan

---

TOP OF THE NEWS

US Air Force Cyberweapons Systems Operational
RSA: Seven Attack Trends

THE REST OF THE WEEK'S NEWS

Man Who Allegedly Broke Into Government eMail Accounts Will be Extradited to US
KeRanger Mac Ransomware
Seagate Phish Exposes Employee Tax Documents
Commerce Department Audit
Cambridge 2 Cambridge Hackathon
San Bernardino DA Says Suspect's iPhone Could Hold 'Dormant Cyber Pathogen'
Surge in Tor Hidden Services
Triada Android Trojan
Fortinet Login Page Vulnerability Fixed

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

*********************** Sponsored By Symantec **************************

Symantec Webcast: Symantec 2016: Unifying Your Security Strategy, March 17, 10am PT - If you want to protect your organization against advanced cyberattacks, you need to close the security gaps in your current threat strategy. Join Symantec in a real-world discussion about the future of security with end to end protection that seals the gaps.
http://www.sans.org/info/183797

***************************************************************************

TRAINING UPDATE

- --SANS 2016 | Orlando, Florida | March 12-21 | 43 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
www.sans.org/u/dyG

- --SANS Northern Virginia - Reston | Reston, VA | April 4-9 | 9 courses including the NEW, Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course
www.sans.org/u/dzf

- --SANS Atlanta | Atlanta, GA | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks, 6 courses, networking opportunities & more!
http://www.sans.org/u/dgM

- --SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
www.sans.org/u/dzk

- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Singapore, Amsterdam, Canberra, Prague, and Stockholm all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

US Air Force Cyberweapons Systems Operational (March 7, 2016)

The US Air Force Space Command's Cyberspace Vulnerability Assessment/Hunter (CVA/H) weapon system is now fully operational. CVA/H protects the Air Force information network with vulnerability assessments, threat detection, and compliance evaluation. Earlier this year the Air Force Intranet Control (AFINC) Weapon became operational. That system provides boundary defense for external and inter-base traffic. The Air Force has several other cyberweapons in development.
-http://www.zdnet.com/article/the-us-air-force-now-has-two-fully-operational-cybe
rspace-weapon-systems/

RSA: Seven Attack Trends (March 3, 2016)

At the RSA Conference in San Francisco last week, SANS researchers described seven cyberattack trends that are likely to come up again and again over the course of this year: Weaponization of Windows PowerShell; Stagefright-like mobile vulnerabilities; Developer environment vulnerabilities like Xcode Ghost; Industrial Control System (ICS) attacks; Targeting unsecure third-party software components; Internet of (Evil) Things; and Ransomware.
-http://www.darkreading.com/risk/7-attack-trends-making-security-pros-sweat/d/d-i
d/1324563

---

************************** SPONSORED LINKS ********************************
1) Free eBook Download: Data Breach Detection - What You Need to Know. http://www.sans.org/info/183802

2) Don't miss the Active Breach Detection discussion with Dave Shackleford on March 10. http://www.sans.org/info/183807

3) Where ARE the Endpoints? Find out 3/17 AND 3/18 - Endpoint Security Survey Results Webcasts 3/17, PART 1: http://www.sans.org/info/183812 3/18, PART 2: http://www.sans.org/info/183817
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Man Who Allegedly Broke Into Government eMail Accounts Will be Extradited to US (March 4 and 7, 2016)

A Romanian man who allegedly broke into email accounts of celebrities and political figures will be extradited to the US to face charges. Marcel Lazar Lehel allegedly stole and posted images of paintings by former president George W. Bush, as well as email messages of several celebrities and political figures. A US federal grand jury indicted Lehel in 2014 on charges of wire fraud, unauthorized access to a protected computer, aggravated identity theft, cyber stalking, and obstruction of justice. A Romanian court has approved extradition. Lehel is currently serving a four-year sentence in Romania for similar offenses.
-http://thehill.com/policy/cybersecurity/272066-bush-hacker-will-face-us-charges
-http://arstechnica.com/security/2016/03/hacker-who-exposed-bush-family-e-mails-p
hotos-will-be-extradited-to-us/
-http://www.theregister.co.uk/2016/03/07/hacker_guccifer_extradited_to_us/
-http://www.reuters.com/article/us-usa-cyber-guccifer-idUSKCN0W61TX

KeRanger Mac Ransomware (March 6 and 7, 2016)

The first known instance of "fully functional" ransomware targeting Mac OS X systems has been detected. KeRanger makes its way onto computers through infected downloads of the Transmission Bit Torrent client. People who downloaded and installed Transmission version 2.90 late last week are urged to upgrade to version 2.92. Apple has revoked the developer's certificate for the infected version of Transmission.
-http://www.csmonitor.com/Technology/2016/0307/KeRanger-attacks-What-Mac-users-ne
ed-to-know-about-ransomware
-http://www.zdnet.com/article/new-os-x-ransomware-found-in-the-wild/
-http://www.computerworld.com/article/3041082/security/apple-shuts-down-first-eve
r-ransomware-attack-against-mac-users.html
-http://www.cnet.com/news/apple-users-beware-first-live-ransomware-targeting-mac-
found-in-the-wild/
-http://arstechnica.com/security/2016/03/first-mac-targeting-ransomware-hits-tran
smission-users-researchers-say/
-http://www.theregister.co.uk/2016/03/07/first_working_mac_ransomware_infects_tra
nsmission_users/
-http://www.bbc.com/news/technology-35744416
-http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-
infected-transmission-bittorrent-client-installer/
[Editor's Note (Pescatore): The major issue is that Apple apparently issued a fraudulent developer's certificate that enabled the malicious version of Transmission to be easily installed. That process needs to be fixed. In general, the Apple ecosystem makes it easier for individuals to back-up regularly. While KeRanger has had minimal impact, it should be used as a driver to making sure that Backup/Recovery/CooP (Critical Security Control 10) processes are in place, run and tested frequently. ]

Seagate Phish Exposes Employee Tax Documents (March 6, 2017)

A Seagate Technology employee was successfully tricked into sending all company W-2 tax documents "to an unauthorized third party." The phishing attack compromised W-2 tax documents for all current and former employees of the company. W-2s include Social Security numbers (SSNs), pay data, and other information that could be used to file fraudulent tax returns. Federal authorities are investigating the incident.
-http://krebsonsecurity.com/2016/03/seagate-phish-exposes-all-employee-w-2s/
[Editor's Note (Williams): If you read the comments section, you'll see that Seagate isn't the only company impacted by this scam. Data loss prevention, if properly installed and configured, would have detected thousands of social security numbers being exfiltrated from the network. Organizations should take this as an opportunity to evaluate their own data loss prevention technologies to see how they would fare if one of their employees fell victim to the same attack. (Northcutt): About eleven years ago I noticed that the GIAC email letting students know their exam was available kept getting bounced. The bounces were all from the same large financial organization. Somehow their CISO had convinced management that not all of the employees needed unfettered access to Internet email. They developed an internal mail system for employee to employee communication and gave extra training to those that responded to public requests for information. At about the same time Will Pelgrin, CISO New York started training about test phishing New York State employees. Fast forward from 2005 to 2016 and many companies have programs to phish employees and they are all learning the same lesson, human error is going to happen some percent of the time. Jake Williams is right, Data Loss Prevention systems would go ape if they saw thousands, but less than ten thousand social security numbers flying by. But DLP can be tuned far better if the number of employees responding to the public is drastically reduced. And we have the ability to gateway critically important listserv email like Slashdot into the internal system:
-http://www.wsj.com/articles/SB112424042313615131
-http://slashdot.org/]

Commerce Department Audit (March 4, 2016)

A memo from Commerce Department assistant inspector general for systems acquisition and IT security notifies agency CIOs that their policies and practices will come under scrutiny during a required audit. The audit will examine systems that store personally identifiable information and information about people involved in national security and intelligence.
-http://www.nextgov.com/cybersecurity/2016/03/watchdogs-prep-review-agencies-it-s
ecurity-policies/126433/?oref=ng-channeltopstory
Memo:
-https://www.oig.doc.gov/OIGPublications/Announcement-of-Cybersecurity-Act-of-201
5-Department-Wide-Security-Metrics-Assessment.pdf

Cambridge 2 Cambridge Hackathon (March 4, 2016)

Students from the Massachusetts Institute of Technology (MIT) in Cambridge, Massachusetts, and University of Cambridge in Cambridge, England, competed in a series of cyber challenges over the weekend. Events included a 24-hour Capture the Flag competition with blended teams, as well as password-cracking, lock-picking, and code-breaking challenges.
-http://news.mit.edu/2016/cambridge-2-cambridge-hackathon-0307
-http://www.nbcnews.com/feature/college-game-plan/ready-set-hack-college-students
-compete-cybersecurity-project-n531821
-http://bostinno.streetwise.co/2016/03/07/mit-and-cambridge-university-compete-in
-hacking-competition/

San Bernardino DA Says Suspect's iPhone Could Hold 'Dormant Cyber Pathogen' (March 4, 2016)

The San Bernardino district attorney is insisting that Apple help unlock a shooting suspect's iPhone, saying that the device "may contain evidence ... that it was used as a weapon to introduce a lying dormant cyber pathogen that endangers San Bernardino County's infrastructure."
-http://arstechnica.com/tech-policy/2016/03/what-is-a-lying-dormant-cyber-pathoge
n-san-bernardino-da-wont-say/
-http://www.computerworld.com/article/3040796/data-privacy/san-bernardino-prosecu
tor-raises-cyber-pathogen-concerns-in-terrorists-iphone.html
-http://www.scmagazine.com/da-san-bernardino-shooter-could-have-introduced-dorman
t-cyber-pathogen/article/481297/

Surge in Tor Hidden Services (March 4, 2016)

The Tor Project has noted a spike in Tor hidden services over the last several weeks. On March 1, the number of hidden services rose to 114,000, then dropped to 70,000 within days. The Tor Project is not clear about why this happened. A similar spike occurred in February. The address volume fluctuation could be explained by a combination of factors, including the introduction of Tor messaging app Ricochet and the possibility of increased efforts by governments to compromise the privacy Tor provides.
-http://arstechnica.com/information-technology/2016/03/whole-lotta-onions-number-
of-tor-hidden-sites-spikes-along-with-paranoia/

Triada Android Trojan (March 3 and 4, 2016)

The Triada Trojan horse program targets Android devices and has been deemed "stealthy, modular,
[and ]
persistent," of a complexity on par with malware that targets Windows computers. Devices running Android OS versions 4.4.4 and earlier are at greatest risk of infection. Triada is capable of modifying SMS messages sent by applications; for example, if users are making in-app purchases, the malware can alter the message so the funds go to the cybercriminals rather than the developers.
-http://www.scmagazine.com/triada-trojan-on-android-devices-complex-as-windows-ma
lware/article/481108/
-http://www.theregister.co.uk/2016/03/03/triada_mobile_trojan/

Fortinet Login Page Vulnerability Fixed (March 4, 2016)

The login page for Fortinet was found to contain a flaw that was being exploited by a reflected cross-site scripting (RXXS) attack to steal users' passwords. The issue was detected in November 2015 and fixed on December 2, 2015. Another cross-site scripting-exploitable flaw in Fortinet's ticketing software has also been fixed.
-http://www.scmagazine.com/reflected-xss-vuln-found-on-fortinet-login-page/articl
e/481281/

---

STORM CENTER TECH CORNER

Amazon Removes Encryption From Fire OS
-http://www.amazon.com/forum/kindle/ref=cm_cd_tfp_ef_tft_tp?_encoding=UTF8&cd
Forum=Fx1D7SY3BVSESG&cdThread=TxGGU4M68VKGPD

Facebook Used As C&C Channel For Mobile Malware
-http://www.theregister.co.uk/2016/03/03/facebook_command_control_malware/

The Economics of DDoS Attacks
-http://www.arbornetworks.com/blog/asert/estimating-the-revenue-of-a-russian-ddos
-booter/

Weak Online Banking Password Policies
-http://www.unhcfreg.com/#!PasWoRd-eSaMe-Pa-Gaining-access-to-your-bank-account-w
ith-multiple-passwords-impacts-350-million-customers/c5rt/56d5ce580cf2cacdc4211d
f9

Paypal Phishing Pages Hiding on HostGator Server
-https://isc.sans.edu/forums/diary/Paypal+Phishing+landing+pages+hosted+at+HostGa
tor/20803/

Angler EK campaign targeting .co domains
-https://isc.sans.edu/forums/diary/Angler+EK+campaign+targeting+several+co+domain
s+deploying+teslacrypt+30+malware/20801/

Disk Encryption Will Return to Amazon Fire
-http://www.engadget.com/2016/03/04/amazon-will-bring-encryption-back-to-FireOS/

Cracking Pass Phrases With Phraser
-https://github.com/sparell/phraser

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/