SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #26

April 01, 2016

TOP OF THE NEWS

US Federal Agencies and Ransomware
MedStar Cleaning Up Malware Infection
Ukraine Cybersec Strategy

THE REST OF THE WEEK'S NEWS

SideStepper Attack Exploits Weakness in iOS Mobile Device Management Protocol
Cisco Patches Flaw in Firepower Software
US Marines Launches Cyberspace Warfare Group
Trend Micro Command Execution Flaw
SupplyStation Medical Dispensing Systems Have Remotely Exploitable Flaws
Remaiten Telnet Malware
SamSam Ransomware
FBI Investigating Law Firm Cyberattacks
Petya Ransomware Encrypt Master File Table
DNS Root Server Attack Was Targeting Chinese Domains
Speed Increase in Blind SQL Injection Attacks

STORM CENTER TECH CORNER

---

******************* Sponsored By HP Enterprise Security ******************

Gamification of a Fortune 20 SOC. Thursday, April 07, 2016 at 1:00 PM EDT (17:00:00 UTC) with Marcel Hoffmann and Josh Stevens. Many Security Operations Centers (SOCs) struggle in 3 key areas when it comes to personnel: continuous training, extending retention and measuring effective KPIs. In this talk we introduce the combination of gamification, user experience and machine learning as a concept to address these 3 challenges.
http://www.sans.org/info/184617

***************************************************************************

TRAINING UPDATE

- --SANS Northern Virginia - Reston | Reston, VA | April 4-9 | 9 courses including the NEW, Network Penetration Testing and Ethical Hacking & Cyber Threat Intelligence course
www.sans.org/u/dzf

- --SANS Secure Europe 2016 | Amsterdam, Netherlands | April 4-16 | 5 courses. Mainland Europe's largest security training event, 8 courses across 2 weeks, all aligned to a GIAC exam, plus @night talks.
http://www.sans.org/u/dPP

- --SANS Atlanta | Atlanta, GA | April 4-9 | 6 courses including the new Network Penetration Testing and Ethical Hacking course
www.sans.org/u/dz0

- --Threat Hunting & Incident Response Summit & Training | New Orleans, LA | April 12-19, 2016 | Will you be the hunter or the prey? Two days of Summit talks, 6 courses, networking opportunities & more!
http://www.sans.org/u/dgM

- --SANS Pen Test Austin | Austin, TX | April 18-23 | 7 courses | 3 nights of NetWars | Coin-A-Palooza | Special evening events including a Night of Hands-On Pen Testing of "Internet of Things" Devices
http://www.sans.org/u/dzk

- --SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
http://www.sans.org/u/dzz

- --SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh

- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV

- --Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy Plus Canberra, Copenhagen, Prague, Houston, and Berlin all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

US Federal Agencies and Ransomware (March 30, 2016)

Twenty-nine US federal government agencies have reported a total of 321 ransomware incidents since June 2015, according to the Department of Homeland Security (DHS). Not all of the incidents resulted in infections, and no incidents resulted in payment of ransom. Last December, Senators Ron Johnson (R-Wisconsin) and Tom Carper (D-Delaware), chairman and ranking member of the Senate Homeland Security and Government Affairs Committee, requested information about agencies' efforts to protect systems from ransomware. Carper has posted the responses to his website.
-https://fcw.com/articles/2016/03/30/ransomware-carper-hsgac.aspx
-http://thehill.com/policy/cybersecurity/274724-dhs-ransomware-attacks-widely-tar
geting-feds
-http://www.nextgov.com/cybersecurity/2016/03/dhs-agencies-reported-321-cases-pot
ential-ransomware/127107/?oref=ng-HPtopstory
Results on Senator Carper's Website:
-http://www.carper.senate.gov/public/index.cfm/pressreleases?ID=01C0457D-DF6D-47E
1-9096-07413536C080
[Editor's Note (Pescatore): From a detection and prevention point of view, ransomware is just another form of malware attack. However, the impact is denial of service vs. data breach, and the key to minimizing business disruption is rapid Business Recovery through good old Critical Security Control 10 (in V6) Data Recovery, or in US Government terminology Continuity of Operations. Always a good idea to test your BR/DR/COOP processes at least as often as you test your emergency backup power - if you have met resistance, use the recent publicity around ransomware (especially if you are in healthcare) to make progress. ]

MedStar Cleaning Up Malware Infection (March 30, 2016)

MedStar Health is in the process of restoring its systems after a malware attack. By Tuesday evening, Mach 29, the organization could reportedly read patient records but not update them. MedStar Officials have not classified the infection as ransomware. There have been reports that patients have been turned away or treated without complete health records.
-http://www.computerworld.com/article/3050018/security/medstar-health-partially-r
estores-services-after-ransomware-attack.html
-https://www.washingtonpost.com/local/medstar-health-turns-away-patients-one-day-
after-cyberattack-on-its-computers/2016/03/29/252626ae-f5bc-11e5-a3ce-f06b5ba21f
33_story.html

Ukraine Cybersec Strategy (March 31, 2016)

Ukraine's president has approved a draft cybersecurity strategy following escalating attacks against the country's critical and social infrastructure. The strategy calls for establishing standards that mesh with those established by the European Union and NATO. The Ukrainian government says it will no longer buy software and IT technology from Russian companies.
-http://www.scmagazine.com/ukraine-approves-new-cyber-security-strategy/article/4
86498/
[Editor's Note (Pescatore): Recent reports have shown that close to two-thirdsof Ukrainian email accounts are hosted by Russian email providers who are subject to Russia's "System for Operative Investigative Activities" which requires Russian ISPs to support Russian intelligence monitoring, so they have a long way to go in moving off of Russian IT. In general, best to keep political strategy separate from cybersecurity strategy, use other mechanisms like Presidential Directives or procurement regulations to address that side of things. Keep cybersecurity strategy focused on achieving basic security hygiene and then moving up from there. ]

---

************************** SPONSORED LINKS ********************************
1) Overcome Privilege Management Obstacles with CSC v. 6. Tuesday, April 26, 2016 at 11:00 AM EDT (15:00:00 UTC) with John Pescatore and Jon Wallace. http://www.sans.org/info/184622

2) Tell us about the role and value of Cyber Insurance in the 2016 Survey: http://www.sans.org/info/184627

3) Survey: Help SANS assess state of infosec in healthcare -- Chance to win $400 Amazon gift card. http://www.sans.org/info/184632
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

SideStepper Attack Exploits Weakness in iOS Mobile Device Management Protocol (March 31, 2016)

A flaw in Apple's mobile device management protocol for iOS can be exploited to install dodgy apps with minimal user interaction. The attack has been called Side-Stepper. It begins with a phishing attack and finishes with a compromised iOS device.
-http://arstechnica.com/security/2016/03/weakness-in-ios-enterprise-hooks-could-l
et-bad-apps-sneak-in/
-http://www.theregister.co.uk/2016/03/31/unpatched_stealthy_ios_mdm_hack_spells_r
uin_for_apple_tech_enterprises/
[Editor's Note (Pescatore): This attack is another example of the widespread problem of digital certificates being used in ways that provide a false sense of security. In SSL, the verification processes before issuing certs are weak and Apple's vetting of Enterprise Developer Certificates is similarly weak. In mobile, Enterprise Mobility Management product vendors need to make their products harder to abuse in this manner. For enterprises, to succeed this requires users to fall for a mobile phishing attack - good idea to update user education/awareness around phishing to highlight this type of attack. ]

Cisco Patches Flaw in Firepower Software (March 31, 2016)

A "URL sanitization flaw" in Cisco's Firepower system software fails to properly validate fields in HTTP headers. The issue could be exploited to evade detection of malicious files, or to block policies configured on the system. The updated versions of Firepower are 5.4.0.7 and later, 5.4.1.6 and later, and 6.0.1 and later. The flaw also affects certain Snort installations.
-http://www.theregister.co.uk/2016/03/31/cisco_snort_scramble_to_plug_malware_hol
e/

US Marines Launches Cyberspace Warfare Group (March 31, 2016)

The US Marine Corps Cyberspace Warfare Group (MCCYWG), which was recently activated, is expected to be fully operational next year. MCCYWG has been described as the "firewall" that protects email and critical communications from cyberattacks. It supports the US Cyber Command and the Marine Force Cyberspace Command. It will train marines in cyber warfare.
-http://www.theregister.co.uk/2016/03/31/us_marines_launches_hacker_support_unit/
-http://www.zdnet.com/article/us-marines-ramp-up-cyber-warfare-support/
-http://www.marines.mil/News/NewsDisplay/tabid/3258/Article/705570/marine-corps-e
nters-realm-of-cyberspace-through-new-unit.aspx

Trend Micro Command Execution Flaw (March 31, 2016)

Trend Micro has pushed out updates to address a security issue that was opening a Node.js debugging server. The issue affects Trend Micro's Password Manager, Maximum Security, and Premium Security. The flaw was detected by Google's Project Zero, which notified Trend Micro of the issue on March 22, 2016.
-http://www.theregister.co.uk/2016/03/31/trend_micro_patches_command_execution_fl
aw/
-https://bugs.chromium.org/p/project-zero/issues/detail?id=773&can=1&q=tr
end

SupplyStation Medical Dispensing Systems Have Remotely Exploitable Flaws (March 30 and 31, 2016)

More than 1,400 remotely exploitable vulnerabilities were found in CareFusion's Pyxis SupplyStation medical dispensing systems. More than half of the flaws found were given a severity rating of high or critical. The issues affect Pyxis SupplyStation versions 8.0, 8.1.3, 9.0, 9.1, 9.2, and 9.3 on Windows Server 2003/Windows XP. Version 9.3, 9.4, and 10.0 running on Windows Server 2008/Windows Server 2012/Windows 7 are not affected. The US Department of Homeland Security's (DHS's) Industrial Control System CERT has issued an advisory.
-http://www.theregister.co.uk/2016/03/31/legion_of_demons_found_in_ancient_auto_d
rug_dispensing_cabinets/
-http://www.scmagazine.com/nearly-1500-vulnerabilities-found-in-automated-medical
-equipment/article/486497/
-http://www.computerworld.com/article/3049361/security/1-418-remotely-exploitable
-flaws-found-in-automated-medical-supply-system.html
ICS-CERT Advisory:
-https://ics-cert.us-cert.gov/advisories/ICSMA-16-089-01
[Editor's Note (Murray): Running appliances on general purpose operating systems dramatically and unnecessarily increases the attack surface. Embedded general purpose operating systems are unlikely to be maintained ("patched"). ]

Remaiten Telnet Malware (March 30 and 31, 2016)

Remaiten malware is a Linux bot that can perform telnet scans and spreads through easily-guessed telnet passwords. When a scan reveals a vulnerable system, Remaiten sends an executable file to that device through telnet; the file then fetches the bot malware from Remaiten's command and control server. Remaiten contains a variety of downloaders so it can match the requirements of the systems it infects.
-http://www.computerworld.com/article/3049982/security/your-linux-based-home-rout
er-could-succumb-to-a-new-telnet-worm-remaiten.html
-http://www.scmagazine.com/remaiten-linux-bot-uses-a-unique-method-of-distributio
n/article/486416/
-http://www.welivesecurity.com/2016/03/30/meet-remaiten-a-linux-bot-on-steroids-t
argeting-routers-and-potentially-other-iot-devices/

SamSam Ransomware (March 30, 2016)

Ransomware known as SamSam, Samas, and MSIL has been targeting hospital computer systems. It was the subject of a recent "Flash" message from the FBI seeking help in fighting the malware. SamSam is believed to be the ransomware that recently hit MedStar Health, which operates 10 hospitals in the Baltimore-Washington area.
-http://arstechnica.com/security/2016/03/maryland-hospital-group-hit-by-ransomwar
e/
-http://www.theregister.co.uk/2016/03/30/hospital_ransomware_samsam/

FBI Investigating Law Firm Cyberattacks (March 30 and 31, 2016)

The FBI is investigating an attack that targeted systems at several US law firms. According to an unnamed insider, the FBI is attempting to determine whether the attacks were conducted for gathering information for insider trading, or for other reasons.
-http://www.scmagazine.com/fbi-investigating-attack-against-computer-networks-at-
us-law-firms/article/486419/
-http://www.bbc.com/news/technology-35933246
[Editor's Note (Honan): A prime example of why you need to ensure your supply chain is secure, this includes professional services that will have access to sensitive information and not just those suppliers who have direct access to your network and systems. ]

Petya Ransomware Encrypt Master File Table (March 29 and 30, 2016)

Petya ransomware encrypts hard disks on computers it infects, making it impossible for users to access their files or their operating system unless they obtain a key. Petya spreads through links to Dropbox in email messages.
-http://arstechnica.com/security/2016/03/new-ransomware-installs-in-boot-record-e
ncrypts-hard-disk/
-http://www.zdnet.com/article/new-ransomware-skips-files-encrypts-your-whole-hard
-drive/
-http://www.theregister.co.uk/2016/03/29/petya_ransomware/
-http://www.bleepingcomputer.com/news/security/petya-ransomware-skips-the-files-a
nd-encrypts-your-hard-drive-instead/

DNS Root Server Attack Was Targeting Chinese Domains (March 29, 2016)

According to research scheduled to be presented at a conference in Argentina this week, an attack against DNS root servers late last year, was not aimed at the root servers themselves, but was instead targeting two Chinese domains. The attack briefly took four of the root servers out of commission. The researchers presenting the findings are DNS specialists with Verisign.
-http://www.theregister.co.uk/2016/03/29/root_server_attack_not_aimed_at_root_ser
vers/

Speed Increase in Blind SQL Injection Attacks (March 23, 2016)

Security researcher Keith Maken released methods at an OWASP meeting to increase the speed of Blind SQL Injection making it a far more credible attack vector.
-https://www.youtube.com/watch?v=7WA9Muvt4Sg
[Editor's comment (Northcutt): Blind SQIi is not new, but has been very slow since the attack requires asking a huge number of true false questions to extract information from the database. This methodology increases the time to results making input validation and database monitoring even more important:
-http://securitywa.blogspot.com/2016/03/extraction-at-light-speed-faster-blind.ht
ml]

Decoding Encoded Visual Basic Scripts
-https://isc.sans.edu/forums/diary/VBE+Encoded+VBS+Script/20891/

Node.JS NPM Vulnerability
-https://www.kb.cert.org/CERT_WEB/services/vul-notes.nsf/6eacfaeab94596f585256929
0066a50b/018dbb99def6980185257f820013f175/$FILE/npmwormdisclosure.pdf

SAP Default Accounts
-https://protect4s.com/erp-sec-releases-free-tooling-check-sap-platform-default-s
olution-manager-users/

Apple OS X SIP Bypass
-https://twitter.com/i0n1c/status/714261458851221504?ref_src=twsrc%5Etfw

Malicious Advertisements Hit LiveJournal and Likes
-https://blog.malwarebytes.org/threat-analysis/2016/03/social-sites-likes-and-liv
ejournal-hit-with-malvertising/

Trend Micro Leaves Remote Debugger in Password Manager
-https://bugs.chromium.org/p/project-zero/issues/detail?id=773&can=1&q=tr
end

Several Palo Alto Vulnerabilities
-https://www.troopers.de/media/filer_public/a5/4d/a54da07e-3780-4f83-b4ac-8c62066
6a60a/paloalto_troopers.pdf

Bypassing The iOS Gatekeeper
-https://www.checkpoint.com/resources/sidestepper-ios-vulnerability/iOS_Vulnerabi
lity_Report_160330_A.pdf

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/