SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #34

April 29, 2016

TOP OF THE NEWS

Malware Found at German Nuclear Facility
Michigan Utility Cyberattack Affected Internal Systems
Legislators Want OMB To Update Federal Cybersecurity Regulation Now
SWIFT Warns Customers About Fraud in Global Financial System

THE REST OF THE WEEK'S NEWS

OpenSSL to Release Updates
Mozilla Patches Firefox 46, Releases Firefox 47 Public Beta
Seven-Year Sentence for DNSChanger Fraudster
Man Jailed for Seven Months (and Counting) for Failure to Decrypt
Gibraltar Team Wins CyberCenturion Competition
House Passes Bill Aimed at Closing ECPA Loophole
Malware Uses Windows Hotpatching
Blackberry Moves To Security For New Business

STORM CENTER TECH CORNER


************************ Sponsored By Sophos ***************************

LIVE WEBCAST: Next-Gen Now: Outsmarting ransomware, rootkits, and zero-day attacks. From ransomware to rootkits, old school security cannot keep pace with today's advanced attacks. Learn why these threats work and how to protect against them.

Register Today:
https://attendee.gotowebinar.com/register/2836320359312459524?source=SANS

**************************************************************************

TRAINING UPDATE

--SANS Security West | San Diego, CA | April 29-May 6 | 28 courses, bonus evening presentations, 2 nights of NetWars, multiple talks on Emerging Trends, networking opportunities and more!
www.sans.org/u/dzz

--SANS Baltimore Spring 2016 | Baltimore, MD | May 9-14 | 9 courses in IT security, cyber defense, incident handling, security management, and Windows forensics plus multiple SANS@Night talks.
http://www.sans.org/u/gR7

--SANS Houston 2016 | Houston, TX | May 9-14 | 7 courses including the NEW Network Penetration Testing & Ethical Hacking course.
http://www.sans.org/u/dzE

--SANS Stockholm 2016 | Stockholm, Sweden | May 9-14 | 5 courses. SANS training in the Nordics, 5 courses including Mobile, Virtualisation, Defending Web Apps, and Reverse Engineering Malware.
http://www.sans.org/u/ffh

--Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV

--SANSFIRE 2016 | Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center. 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
http://www.sans.org/u/gRr

--DFIR Summit & Training | Austin, TX | June 23-30, 2016 | DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR NetWars, Night Out in Austin!, and @Night talks!
http://www.sans.org/u/gBD

--Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive - http://www.sans.org/u/WU) courses available!

--Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

--Looking for training in your own community?
Community - http://www.sans.org/u/Xj

--SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Prague, Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

TOP OF THE NEWS

Malware Found at German Nuclear Facility (April 27 and 28, 2016)

At the Gundremmingen nuclear power facility in Germany, malware was found on computers that are part of a system that models nuclear fuel rod movement, and on USB data storage devices. The malware, which includes Conficker and W32.Ramnit, was never activated because it requires communication with a command-and-control network, and the infected systems were not connected to the Internet.
-http://arstechnica.com/security/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/

-http://www.reuters.com/article/us-nuclearpower-cyber-germany-idUSKCN0XN2OS
[Editor's Note (Assante): I am amazed by statements from industry leaders about how "protected" their organizations and industries are, in response to stories about targeted cyber threats. Incidents like this one are common, and they cast a great deal of doubt on conventional prevention-focused security programs. Gundremmingen CNPP demonstrates how non-targeted malware can find its way onto critical systems (in this case a nuclear power plant's fuel rod movement/management system) and worse, be able to live there undetected for a significant period of time. Critical infrastructures must mature beyond simple cyber walls and invest in developing competent cyber defenses. (Murray): Mission critical applications should be isolated (VPNs) AND resistant to arbitrary changes to programs and other data (restrictive access control policy). Either a belt or braces may keep one's pants up but they complement one another and neither is expensive. (Williams): Years ago, I remember hearing the wise Ed Skoudis say "Airgaps are just very high latency networks." Eerily similar to the Stuxnet story, this discovery is definitely concerning but we should strive to keep it in perspective. Organizations should consider how they can most effectively restrict USB usage while still performing mission critical operations. ]

Michigan Utility Cyberattack Affected Internal Systems (April 27 and 28, 2016)

A malware attack caused the Lansing, Michigan Board of Water & Light to take its accounting system and email service offline indefinitely. The attack occurred on April 25 after an employee opened an email message and clicked on an attachment that began encrypting files. The attack affected the utility's internal network, and did not cause customers to lose power.
-http://www.scmagazine.com/senate-committee-leaders-ask-omb-to-update-15-year-old-cyber-policy/article/492904/

-http://www.lansingstatejournal.com/story/news/2016/04/27/cyber-attack-bwl-keeps-fbi-silent/83590820/

[Editor's Note (Williams): It is promising to see that this utility has (apparently) correctly segmented their IT and OT assets. Simultaneously, it is disheartening to hear that accounting and email systems are offline indefinitely. This speaks to poor disaster recovery planning, a hallmark of the small subset of ransomware cases that make the news. ]

Legislators Want OMB To Update Federal Cybersecurity Regulation Now (April 28, 2016)

The chairman and ranking member of the US Senate Homeland Security Committee have asked the Office of Management and Budget (OMB) for an update on its progress with revisions to Circular A-130, a framework for IT management and cybersecurity. The framework has not been updated in more than 15 years. The Federal Information Security Modernization Act of 2014 required OMB to update portions of the framework "to eliminate inefficient or wasteful reporting" by December 2015. The letter from Senators Ron Johnson (R-Wisconsin) and Tom Carper (D-Delaware) notes, "Circular A-130 remains an obstacle to the full adoption of [continuous monitoring] across government."
-http://www.scmagazine.com/senate-committee-leaders-ask-omb-to-update-15-year-old-cyber-policy/article/492904/

-http://www.carper.senate.gov/public/index.cfm/pressreleases?ID=B3B96D5C-0F53-4657-8BD7-4594E80C9CAD

[Editor's Note (Paller): A revision of A-130 has been drafted. Sadly, it fails to correct the problem. It adds words about continuous monitoring - allowing the drafters to hide the fact that the problematic language is still there. That language, because it is mandatory and enforced by GAO and the IGs, causes agencies to focus on the wrong indicators and spend hundreds of millions of dollars each year paying consultants to "admire the problem" instead of spending LESS to fix the problem. Franklin Reeder, who drafted both the Computer Security Act and the Computer Privacy Act when he headed all federal IT while a top OMB official under multiple Presidents, wrote the current OMB executives asking them to correct the key problem. They ignored him. ]

SWIFT Warns Customers About Fraud in Global Financial System (April 26, 2016)

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) has warned its customers of several recent incidents in which its system has been abused to commit fraud. The notification indicates that there have been other incidents in addition to the US $81 million theft from the Bangladesh Bank earlier this year. SWIFT urged its customers to step up the security of their systems and has released a software update that users must install by May 12.
-http://www.reuters.com/article/us-cyber-banking-swift-exclusive-idUSKCN0XM2DI


************************** SPONSORED LINKS ********************************
1) Don't Miss: Connecting the Dots Between Your Threat Intelligence Tradecraft and Business Operations. Tuesday, May 10, 2016 at 1:00 PM EDT (17:00:00 UTC) with John Pescatore and Adam Meyer. http://www.sans.org/info/185362

2) What types of CYBER THREATS are driving the IT community to take action?? Tell us in SANS Survey. http://www.sans.org/info/185372

3) Who's Using Cyberthreat Intel & How? Take Survey for Chance to Win a $400 Gift Card or Summit Pass!!! http://www.sans.org/info/185377
***************************************************************************

THE REST OF THE WEEK'S NEWS

OpenSSL to Release Updates (April 28, 2015)

The OpenSSL project has announced that it will release an update to fix a "high impact" vulnerability in the open source TLS/SSL protocol toolkit on Tuesday, May 3. The new versions will be 1.0.2h and 1.0.1t. The announcement also reminds users that support for OpenSSL 1.0.1 ends on December 31, 2016.
-http://www.theregister.co.uk/2016/04/28/openssl_vuln/
OpenSSL Update Announcement:
-https://mta.openssl.org/pipermail/openssl-announce/2016-April/000069.html

Mozilla Patches Firefox 46, Releases Firefox 47 Public Beta (April 28, 2016)

Mozilla has patched 10 vulnerabilities in Firefox 46, including four critical memory safety flaws. Mozilla also released the public beta of Firefox 47, which will allow embedded YouTube videos to play with HTML5 video if users do not have Flash installed, among other new features.
-http://www.zdnet.com/article/firefox-mozilla-patches-critical-flaws-that-let-attackers-execute-malicious-code/

-http://www.theregister.co.uk/2016/04/28/firefox_patch/
Firefox 47.0beta Release Notes:
-https://www.mozilla.org/en-US/firefox/47.0beta/releasenotes/

Seven-Year Sentence for DNSChanger Fraudster (April 28, 2016)

A US District Court in New York sentenced Vladimir Tsastsin to just over seven years in prison for his role in a click fraud scheme that operated through the DNSChanger botnet. More than four million computers were infected with the malware. Five other people have already been sentenced in connection with DNSChanger; Tsastsin's sentence is the longest.
-http://www.computerworld.com/article/3062659/security/man-sentenced-to-7-years-in-prison-for-role-in-global-dns-hijacking-botnet.html

-http://www.scmagazine.com/vladimir-tsastsin-sentenced-in-us-court-for-role-in-operation-ghost-click/article/492766/

DOJ Release:
-https://www.justice.gov/usao-sdny/pr/estonian-cybercriminal-sentenced-infecting-4-million-computers-100-countries-malware

Man Jailed for Seven Months (and Counting) for Failure to Decrypt (April 28, 2016)

An unidentified Pennsylvania man has been held in jail for seven months because he has refused to decrypt hard drives that authorities believe contain illicit images. He has not been charged, but is being held in custody because he was found to be in contempt of court for his refusal. The Electronic Frontier Foundation (EFF) has filed an amicus brief on the defendant's behalf.
-http://arstechnica.co.uk/tech-policy/2016/04/child-porn-suspect-jailed-for-7-months-for-refusing-to-decrypt-hard-drives/

Electronic Frontier Foundation Amicus Brief:
-http://arstechnica.co.uk/wp-content/uploads/2016/04/effamicus.pdf

Gibraltar Team Wins CyberCenturion Competition (April 27, 2016)

A team of students from Gibraltar took first place at the British CyberCenturion competition, held at Bletchley Park. The contest involved identifying and fixing vulnerabilities in a simulated online organization's network. CyberCenturion has three rounds of competition, winnowing a field of 50 teams to the 10 that competed in the final round on Tuesday, April 26.
-http://www.theregister.co.uk/2016/04/27/gibraltar_kids_win_uk_cybercenturion_blue_team_hacker_comp/

-http://www.scmagazine.com/cybercenturion-crown-goes-to-team-from-gibraltar/article/492460/

-https://cybersecuritychallenge.org.uk/competitors/cybercenturion/

House Passes Bill Aimed at Closing ECPA Loophole (April 27, 2016)

The US House of Representatives has unanimously passed the Email Privacy Act, which would amend an outdated law to protect the privacy of digital communications. The wording of 1986's Electronic Communications Privacy Act (ECPA) was being interpreted to allow law enforcement to demand email and other electronic communications without a warrant. The Email Privacy Act would require authorities to obtain warrants to access the information.
-http://thehill.com/policy/technology/277897-house-unanimously-passes-bill-to-protect-email-privacy

-http://arstechnica.com/tech-policy/2016/04/us-house-unanimously-passed-bill-requiring-warrants-for-e-mail/

-http://www.computerworld.com/article/3062456/security/house-unanimously-passes-bill-to-protect-email-and-cloud-privacy.html

Malware Uses Windows Hotpatching (April 27, 2016)

According to researchers at Microsoft, an Asian cyberespionage group known as Platinum is abusing hotpatching, a Windows feature that allows system components to be updated dynamically without rebooting the machine. Platinum makes a concerted effort to evade detection: the group launches a limited number of spear phishing attacks; it uses custom malware with self-deleting components; and the malware runs during a target's regular business hours, so its activity can hide among regular traffic.
-http://www.computerworld.com/article/3061998/security/group-uses-windows-hotpatching-method-for-malware.html

Blackberry Moves To Security For New Business (April 28, 2016)

A focus on security at Blackberry, led by turnaround CEO John Chen and pursued largely by acquiring security companies, is starting to show results. After a major drop in value in 2011, the company is slightly positive for the quarter. The Priv handset running Android 6.0 Marshmallow has a wide variety of security tools and enterprise features.
-http://www.forbes.com/sites/stevemorgan/2016/04/28/blackberrys-turnaround-ceo-dials-up-cybersecurity-and-it-answers/#26499d946921

-http://www.valuewalk.com/2016/04/blackberry-marshmallow-update-priv/
[Editor's Note (Northcutt): The acquisition of Good Technologies moves Blackberry away from smartphones and more into mobile device management which may lead the way for their return to large corporate environments. If their containerization strategy works, that helps raise the bar for mobile devices. They may even walk away from producing hardware smartphones, if this strategy works for them. It would be great to be able to point to cybersecurity improvement as a key factor in a corporate turnaround:
-http://learnbonds.com/128392/blackberry-ltd-bbry-finally-placing-all-bets-on-enterprise-software/

-http://www.valuewalk.com/2016/04/good-vital-blackberry-transition-plan/
-http://blogs.blackberry.com/2016/04/four-reasons-why-mobile-containerization-now-matters-more-than-ever/
]

STORM CENTER TECH CORNER

OS X Memory Forensics
-https://isc.sans.edu/forums/diary/An+Introduction+to+Mac+memory+forensics/20989/

Facebook App Used to Deliver Facebook Phish
-http://news.netcraft.com/archives/2016/04/22/hook-like-and-sinker-facebook-serves-up-its-own-phish.html

Android.Spy.277.origin Keeps Being Delivered By Google Play Store Apps
-http://blog.checkpoint.com/2016/04/22/in-the-wild-google-cant-close-the-door-on-android-malware/

Tool To Replay RDP Sessions From pcaps
-http://www.contextis.com/resources/blog/rdp-replay-code-release/

Juniper Update
-http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10727&cat=SIRT_1&actp=LIST

RouterSploit Router Exploit Framework
-https://github.com/reverse-shell/routersploit

SAML Federated Identity Vulnerability in Office 365
-http://www.economyofmechanism.com/office365-authbypass.html

.AS Registry Vulnerable to Direct Object Reference
-https://isecguy.wordpress.com/2016/04/25/flaw-allowed-anyone-to-modify-take-control-over-any-as-domain/

Driveby Exploit Used to Deliver Android Ransomware
-https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware

CryptXXX Decrypt Tool
-https://support.kaspersky.com/viruses/disinfection/8547?_ga=1.128163404.1397432418.1454514283#block3

Powershell and DNS/DHCP
-https://isc.sans.edu/forums/diary/DNS+and+DHCP+Recon+using+Powershell/20995/

New Version of PCI Standard Released
-https://www.pcisecuritystandards.org/documents/PCI_DSS_v3-2_Summary_of_Changes.pdf

NTP Patches
-http://blog.talosintel.com/2016/04/vulnerability-spotlight-further-ntpd_27.html#more



***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit http://portal.sans.org/