SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #38

May 13, 2016

Updates on SANSFIRE in Washington DC in mid June.
1. All of SANS best-selling classes are there, each taught by one of the top-rated instructors, including, for example, Network Pen Testing (Skoudis), Continuous Monitoring (Misener), Reverse Engineering (Zeltzer), Advanced Forensics (Lee), Hacker Tools (Strand), Security Leadership (Hardy) and Security Essentials (Ham)
2. Internet Storm Center's handlers will share details of the newest attacks and other insights on changes coming in cybersecurity in free evening sessions.
3. An executive CISO session that finally answers the question of what works in making successful briefings for boards of directors with input directly from people on those boards. It's a free evening session - open to all CISOs in the Washington area.
SANSFIRE website: https://www.sans.org/event/sansfire-2016
CISO Session website:
https://www.sans.org/event/sansfire-2016/bonus-sessions/9997/#bonus-box

---

TOP OF THE NEWS

US House of Representatives Network Sees Surge in Ransomware
Intellectual Property Breaches
Windows and Flash Zero-Days
Patch Tuesday: Microsoft and Adobe

THE REST OF THE WEEK'S NEWS

Old Hardware is an Obstacle for US Marine Corps Windows 10 Migration
FDIC Belatedly Reports 'Major Incidents'
Allwinner Linux Kernel Backdoor
Microsoft is Disabling Wi-Fi Sense
Old SAP Flaw Unpatched at Three Dozen Organizations
More Information on Wendy's Breach
7-Zip Vulnerabilities
FBI Suspects Bangladesh Bank Theft Had Inside Help
Alleged Syrian Electronic Army Member Extradited to US

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

************************* Sponsored By Splunk ****************************

Security and operational visibility are critical in AWS deployments. That's where Splunk can help. Splunk offers solutions that deliver end-to-end visibility on AWS. Learn more:
http://www.sans.org/info/185792

***************************************************************************

TRAINING UPDATE

- --Security Operations Center Summit & Training | Crystal City, VA | May 19-26, 2016 | Sharing information to make cybersecurity work effectively. Two days of in-depth Summit talks, 4 SANS courses, networking, & more!
http://www.sans.org/u/eQV

- --SANSFIRE 2016| Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
http://www.sans.org/u/gRr

- --DFIR Summit & Training | Austin, TX | June 23-30, 2016 DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR Netwars, Night Out in Austin!, and @Night talks!
http://www.sans.org/u/gBD

- --SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 | New event with 6 courses in the IT security, security management, forensics, application developer, and industrial control systems disciplines plus multiple bonus evening presentations.
http://www.sans.org/u/gRQ

- --SANS Rocky Mountain | Denver, CO | July 11-16 | 20 courses including the NEW Cyber Threat Intelligence course! 2 nights of Core NetWars tournaments, 8 bonus evening talks plus the vendor showcase providing networking opportunities.
http://www.sans.org/u/gSk

- --SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | 8 courses in the IT security, pen testing, security management, and forensic and incident response disciplines and networking opportunities at the SANS@Night evening talks.
http://www.sans.org/u/gSE

- --SANS San Antonio | San Antonio, TX | July 18-23 | 8 courses including the new Cyber Threat Intelligence, 2 nights of Core NetWars tournaments plus 6 bonus SANS@Night evening talks.
http://www.sans.org/u/gST

- --Industrial Control Systems Security Training | Houston, TX | July 25-30| Five ICS-Focused courses including the NEW Essentials for NERC Critical Infrastructure Protection course! Networking opportunities at the ICS Security Briefing and SANS@Night Talks.
http://www.sans.org/u/hMn

- --Can't travel? SANS offers LIVE online instruction.
Day (Simulcast - http://www.sans.org/u/WF) and Evening
(vLive - http://www.sans.org/u/WU) courses available!

- -- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

US House of Representatives Network Sees Surge in Ransomware (May 10 and 12, 2016)

The US House of Representatives tech service desk has warned members of an increase in ransomware in third-party email services. They have blocked access to Yahoo Mail on house networks. They have also blocked access to the domain used by apps hosted in the Google App Engine platform, but this appears to be related to a remote access Trojan (RAT) known as BLT.
-http://www.computerworld.com/article/3069954/security/us-house-bans-yahoo-mail-g
oogle-app-engine-over-malware-concerns.html
-http://techcrunch.com/2016/05/10/congress-warned-about-cybersecurity-after-attem
pted-ransomware-attack-on-house/

Intellectual Property Breaches (May 12, 2016)

Dark Reading's Ericka Chickowski profiles six breaches in which the thieves stole not customer data but intellectual property (IP). Cases include Coca-Cola, RSA, DOD/Lockheed Martin, Codan, American Semiconductor, and Sony.
-http://www.darkreading.com/vulnerabilities---threats/6-shocking-intellectual-pro
perty-breaches/d/d-id/1325487?

Windows and Flash Zero-Days (May 10, 2016)

Zero-day vulnerabilities in Windows and in Adobe Flash were disclosed earlier this week. The Windows flaw has been patched in Microsoft's most recent set of updates. It was recently used in a series of point-of-sale (POS) system attacks against more than 100 organizations, according to FireEye. Adobe has released a fix for the flaw in Flash, which affects Adobe Flash Player 21.0.0.226 and earlier for Windows, Mac, Linux, and Chrome OS.
-http://arstechnica.com/security/2016/05/beware-of-in-the-wild-0day-attacks-explo
iting-windows-and-flash/
-http://www.zdnet.com/article/microsoft-windows-zero-day-exposes-companies-to-cri
ppling-cyberattacks/
-http://www.darkreading.com/attacks-breaches/windows-0-day-exploit-used-in-recent
-wave-of-pos-attacks/d/d-id/1325485?
-http://www.zdnet.com/article/adobe-releases-emergency-flash-update-to-patch-crit
ical-security-flaw/

Patch Tuesday: Microsoft and Adobe (May 10 and 12, 2016)

On Tuesday, May 10, Microsoft issued 16 security bulletins to address multiple vulnerabilities in Internet Explorer, Edge, Microsoft Office, Windows Shell, and other products. Eight of the bulletins are rated critical. The majority of the patches are for flaws that could be exploited for remote code execution and privilege elevation. Adobe also released security updates to address flaws in PDF Reader and Cold Fusion; Adobe plans to issue a patch for Flash later this week (see story above).
-http://krebsonsecurity.com/2016/05/adobe-microsoft-push-critical-updates-2/
-http://www.theregister.co.uk/2016/05/10/ie_and_graphics_top_the_critical_list_fo
r_microsofts_patch_tuesday/
-https://isc.sans.edu/mspatchdays.html?viewday=2016-05-10
-http://www.computerworld.com/article/3068551/security/microsoft-fixes-actively-a
ttacked-ie-flaw-and-50-other-vulnerabilities.html
-http://www.scmagazineuk.com/critical-patches-target-privilege-escalation/article
/495961/
-https://technet.microsoft.com/en-us/library/security/ms16-May
[Editor's Note (Murray): How long will it take for us to realize that we have a fundamental development tool and process problem? Even major developers seem to be no better at shipping quality code than they were a decade ago. We cannot continue to rely upon a strategy of "patching quality in." Deming must be churning in his grave. ]

---

************************** SPONSORED LINKS ********************************
1) Save Hundreds! Register Now! Enfuse 2016: Cybersecurity - Digital Investigations - E-Discovery. Use Code SANS2016 http://www.sans.org/info/185797

2) How are organizations preventing CYBER BREACHES from affecting their business functions? Take the SANS Survey! http://www.sans.org/info/185802

3) How Aruba Leveraged Bug Bounty Hunters to Battle Test their Networking Solutions. Thursday, May 12, 2016 at 3:00 PM EDT (19:00:00 UTC) with John Pescatore, Leif Dreizler, and Jon Green. http://www.sans.org/info/185812
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Old Hardware is an Obstacle for US Marine Corps Windows 10 Migration (May 12, 2016)

Outdated hardware is slowing down the US Marine Corps' migration to Windows 10. The Marines had estimated that they could update 60 to 70 percent of their computers remotely, but that figure has been revised to 10 percent after they ran into problems with older hardware that "is having more difficulty accepting Windows 10 than hardware that is new." Having to perform the updates physically is adding time and cost to the project. The Department of Defense's (DOD) upgrade to Windows 10 has a "secure host baseline," which is important because it will be the first time DOD has common security configurations across all PCs. The National Security Agency's Information Assurance Directorate said that migrating to Windows 10 with or without the baseline security configuration would provide better security than not upgrading at all.
-http://federalnewsradio.com/marine-corps/2016/05/outdated-hardware-snags-marines
-migration-windows-10/
[Editor's Note (Pescatore): Moving to the Secure Host Baseline is a very good thing; it is essentially the path to implementing NSA IAD's Top Ten subset of the Critical Security Controls. However, putting Windows 10 on underpowered PCs would be a bad move - self-inflicted denial of service attacks always set security back. The CIO of the Marines is quoted as saying "And when you look at what 'new' means within DoD, we purchase yesterday's technology tomorrow. A lot of our brand-new systems are having difficulty with the upgrade as soon as they come out of the box, and we didn't anticipate that." I think this has happened to the DoD at the transition to every new version of Windows since Windows 95 came out - should not have been a surprise. (Honan): Many organisations would do well take heed of this project within the US Marine Corps as the Corps is not the only organisation that has this challenge. Years of under investment in IT in many organisations has not only undermined their IT capabilities but also has hindered their ability to evolve their defences as the threats change.]

FDIC Belatedly Reports 'Major Incidents' (May 9 and 12, 2016)

Officials from the Federal Deposit Insurance Corporation (FDIC) told the House Science, Space, and Technology Committee's oversight subcommittee that employees leaving the organization over the last seven months have inadvertently taken the personal data of approximately 160,000 taxpayers with them on removable storage devices. The FDIC did not classify the cases as major incidents until urged to do so by the inspector general. At least one of the incidents is the subject of a criminal investigation.
-http://thehill.com/policy/cybersecurity/279752-criminal-investigation-open-in-fd
ic-data-breach
-https://fcw.com/articles/2016/05/12/fdic-cyber-shakeup.aspx
-http://www.computerworld.com/article/3069530/security/lawmakers-probe-large-data
-breaches-at-fdic.html
-https://www.washingtonpost.com/news/powerpost/wp/2016/05/09/fdic-reports-five-ma
jor-incidents-of-cybersecurity-breaches-since-fall/

Allwinner Linux Kernel Backdoor (May 11, 2016)

A backdoor has been found in the Linux kernel from Chinese ARM vendor Allwinner. It is possible that the code was left in the kernel by accident after developer debugging.
-http://arstechnica.com/security/2016/05/chinese-arm-vendor-left-developer-backdo
or-in-kernel-for-android-pi-devices/

Microsoft is Disabling Wi-Fi Sense (May 11, 2016)

In the newest Windows 10 build, Microsoft has disabled the Wi-Fi Sense feature. A company blog notes that the Wi-Fi network sharing feature was seldom used. The feature, which let users share network access without sharing their network password, also raised security concerns.
-http://www.cnet.com/news/microsoft-to-kill-windows-10-option-to-share-your-wi-fi
-password/
-http://bgr.com/2016/05/11/windows-10-wifi-sense-turn-off-forever/
-http://www.informationweek.com/software/operating-systems/microsoft-kills-contro
versial-windows-10-wi-fi-sense/d/d-id/1325480
[Editor's Note (Pescatore): Good to hear. Back in the July 2015 NewsBites issue, my comment on an item about Windows 10 WiFi Sense being "on-by-default" was "(Pescatore): This should be a default off feature, requiring opt-in." Microsoft's reason for disabling this feature did not acknowledge the security issues, though - says decision was made because costly for them to keep updating and (surprise) very little usage of this feature. Point to note: there are increasing examples where users are actually valuing *safety over convenience* - I also notice some of the Windows 10 candidate updates are moving the Windows Store mechanism into a more App Store/Google Play role. Users have definitely voted with their wallets that they want their devices to have such whitelisting mechanisms in place to reduce the malware problem. ]

Old SAP Flaw Unpatched at Three Dozen Organizations (May 11 and 12, 2016)

The US Department of Homeland Security's (DHS) US-CERT has issued an alert regarding a SAP vulnerability dating back six years that remains unpatched in systems of at least 36 companies in Germany, China, the UK, and the US. SAP released NetWeaver 7.20 in 2010 to address the Invoker Servlet vulnerability. US-CERT is urging affected organizations to "implement SAP Security Note 1445998 and disable the Invoker Servlet."
-https://fcw.com/articles/2016/05/12/sap-vulnerable-uscert.aspx
-http://www.nextgov.com/cybersecurity/2016/05/new-homeland-security-alert-warns-s
ap-program-vulnerabilities/128236/?oref=ng-channelriver
-http://www.v3.co.uk/v3-uk/news/2457773/hackers-exploiting-six-year-old-sap-softw
are-flaw-warns-us-cert
-http://arstechnica.com/security/2016/05/dozens-of-companies-breached-through-sap
-bug-patched-years-ago/
-http://www.theregister.co.uk/2016/05/12/us_cert_warns_sap_users/
-http://www.computerworld.com/article/3068596/security/us-sounds-alarm-after-sap-
bug-found-affecting-multinationals.html
-https://www.onapsis.com/threat-report-tip-iceberg-wild-exploitation-cyber-attack
s-sap-business-applications

More Information on Wendy's Breach (May 11 and 12, 2016)

Wendy's fast-food restaurant chain says that an investigation into reports of a payment card breach affecting its restaurants found point-of-sale malware on systems at less than five percent of its 5,500 stores. Wendy's says that the malware has been removed, and that it "believes that malware, installed through the use of compromised third-party vendor credentials, affected one particular point of sale system."
-http://krebsonsecurity.com/2016/05/wendys-breach-affected-5-of-restaurants/
-http://www.theregister.co.uk/2016/05/12/wendys_breach_update/
[Editor's Note (Pescatore): A few years ago, every company that had a breach seemed to be saying "It was an advanced targeted threat; don't blame us," and now, since the Target breach, there seems to be a constant stream of "it was a third party vendor who was at fault." It doesn't matter who launched the attack, or who was the initial point of compromise - if customers trusted you with their data and their $$$, you are at fault if anything happens. Vendor remote access security is an area with many solutions. ]

7-Zip Vulnerabilities May 11, 2016

A number of security media sites are posting articles based on security vulnerabilities in 7-Zip discovered and reported by Marcin Noga of Cisco Talos. 7-Zip is a popular compression tool that also supports AES-256 encryption. It has been incorporated into other programs, websites and appliances so some users may not realize they are using it.
-http://www.theregister.co.uk/2016/05/12/popular_zip_tool_7zip_pwned_pain_flows_t
o_top_security_software_tools/
-http://www.networkworld.com/article/3069937/security/researchers-reveal-flaws-in
-7-zip-users-and-security-vendors-affected.html
[Editor's Note (Northcutt): This is more serious than the DLL Hijack problem of last year, the Cisco Talos blog post is here:
-http://blog.talosintel.com/2016/05/multiple-7-zip-vulnerabilities.html
-http://www.cvedetails.com/vendor/9220/7-zip.html
-https://packetstormsecurity.com/files/134742/7-Zip-DLL-Hijack.html
(Murray): Almost everyone uses it at some time or another. The mitigation continues to be not to open compressed files from untrusted sources. ]

FBI Suspects Bangladesh Bank Theft Had Inside Help (May 10, 2016)

According to the Wall Street Journal, sources say the FBI suspects that the breach at the Bangladesh central bank had inside help. Agents have reportedly identified at least one bank employee who as an alleged accomplice, and there is evidence that others may be involved as well.
-http://thehill.com/policy/cybersecurity/279348-fbi-suspects-an-inside-job-in-81m
-bangladesh-bank-hack
-http://www.japantimes.co.jp/news/2016/05/11/business/81-million-bangladesh-bank-
hacking-heist-may-inside-job-fbi/#.VzVRsUs6FuY
(Please note that the WSJ site requires a paid subscription)
-http://www.wsj.com/articles/fbi-suspects-insider-involvement-in-81-million-bangl
adesh-bank-heist-1462861549
[Editor's Note (Honan): This story continues to develop as it appears a second bank has been subject to a similar breach,
-https://www.finextra.com/newsarticle/28886/swift-warns-of-second-victim-of-bank-
hackers
It is not surprising, to see criminals move from targeting the clients of banks to the actual banks themselves. ]

Alleged Syrian Electronic Army Member Extradited to US (May 9 and 10, 2016)

US officials say that an alleged member of the Syrian Electronic Army (SEA) has been extradited from Germany to the US. Peter Romar will face charges of conspiracy related to a cyber extortion scheme.
-https://www.washingtonpost.com/world/national-security/syrian-hacker-extradited-
to-the-united-states-from-germany/2016/05/09/eb855654-15fa-11e6-aa55-670cabef46e
0_story.html
-http://thehill.com/policy/cybersecurity/279373-us-extradites-alleged-syrian-hack
er
-http://www.computerworld.com/article/3069192/security/alleged-syrian-hacker-extr
adited-to-us-on-extortion-charges.html

---

INTERNET STORM CENTER TECH CORNER

Free Decryption Tool For CryptXXX No Longer Works
-https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-s
trike-back-against-free-decryption-tool

Ransomware Overview
-https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvm
c5g/edit#gid=0

Microsoft Excel Phishing
-https://isc.sans.edu/forums/diary/Another+Day+Another+Wave+of+Phishing+Emails/21
045/

Squid Proxy Bug Allows For Cache Poisoning
-http://bugs.squid-cache.org/show_bug.cgi?id=4501

Nation State Attackers May Exploit Firefox
-https://blog.mozilla.org/blog/2016/05/11/advanced-disclosure-needed-to-keep-user
s-secure/

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/