SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #44

June 03, 2016

TOP OF THE NEWS

Irongate ICS/SCADA Malware
US Federal Reserve Cyber Breaches
Russian Police Arrest 50 in Connection with Online Bank Account Theft

THE REST OF THE WEEK'S NEWS

Marcher Android Malware Expanding its Reach
WordPress Plugin Flaw is Being Actively Exploited
Flaws in Lenovo Support App
Federal Appeals Court Says No Warrant Needed for Stingray Use
Yahoo Publishes National Security Letters
'Demonically Clever' Backdoor in Computer Chip
Microsoft Warns About ZCrypt Ransomware
Google Updates Chrome for the 3rd Time in Little Over a Month

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER

---

************************* Sponsored By Splunk ***************************

Security and operational visibility are critical in AWS deployments. That's where Splunk can help. Splunk offers solutions that deliver end-to-end visibility on AWS. Learn more:
http://www.sans.org/info/185792

***************************************************************************

TRAINING UPDATE

--SANSFIRE 2016| Washington, DC | June 11-18 | Exclusive event powered by the Internet Storm Center 47 courses, bonus evening presentations, solutions expo, extraordinary networking opportunities, 2 nights of NetWars, industry receptions, and more!
http://www.sans.org/u/gRr

--DFIR Summit & Training | Austin, TX | June 23-30, 2016 | DFIR Superheroes aren't born; they're made. Two days of in-depth Summit talks, 9 SANS courses, DFIR Netwars, Night Out in Austin!, and @Night talks!
http://www.sans.org/u/gBD

--SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 | New event with 6 courses in the IT security, security management, forensics, application developer, and industrial control systems disciplines plus multiple bonus evening presentations.
http://www.sans.org/u/gRQ

--SANS Rocky Mountain | Denver, CO | July 11-16 | 20 courses including the NEW Cyber Threat Intelligence course! 2 nights of Core NetWars tournaments, 8 bonus evening talks plus the vendor showcase providing networking opportunities.
http://www.sans.org/u/gSk

--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | 8 courses in the IT security, pen testing, security management, and forensic and incident response disciplines and networking opportunities at the SANS@Night evening talks.
http://www.sans.org/u/gSE

--SANS San Antonio | San Antonio, TX | July 18-23 | 8 courses including the new Cyber Threat Intelligence, 2 nights of Core NetWars tournaments plus 6 bonus SANS@Night evening talks.
http://www.sans.org/u/gST

--Industrial Control Systems Security Training | Houston, TX | July 25-30| Five ICS-Focused courses including the NEW Essentials for NERC Critical Infrastructure Protection course! Networking opportunities at the ICS Security Briefing and SANS@Night Talks.
http://www.sans.org/u/hMn

--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | Two days of Security Awareness talks and 6 SANS courses: Intro to Info Security, Advanced Security Essentials, Critical Security Controls, CISSP Cert Preparation, Intro to Cyber Risk, Securing the Human
http://www.sans.org/u/i2j

--Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WF) and Evening (vLive -
http://www.sans.org/u/WU) courses available!

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

--Looking for training in your own community?
Community - http://www.sans.org/u/Xj

--SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Berlin, Delhi, Vienna, and Portland all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Irongate ICS/SCADA Malware (June 2, 2016)

A strain of malware that targets industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems bears certain resemblances to Stuxnet, the malware that was used to damage uranium enrichment centrifuges that were part of Iran's nuclear program. Like Stuxnet, Irongate targets a specific control system: a Siemens PLC simulation environment. It also has its own DLLs that it uses to alter a certain process. The samples of Irongate, detected by FireEye, appear to be proof-of-concept rather than part of an active malicious attack.
-https://ics.sans.org/blog/2016/06/02/irongate-malware-thoughts-and-lessons-learn
ed-for-icsscada-defenders/
-http://www.darkreading.com/threat-intelligence/shades-of-stuxnet-spotted-in-newl
y-found-ics-scada-malware-/d/d-id/1325753?
-https://www.washingtonpost.com/news/the-switch/wp/2016/06/02/researchers-have-di
scovered-a-mysterious-malware-that-can-dupe-operators-at-an-industrial-plant/
-http://www.computerworld.com/article/3078562/security/mysterious-malware-targets
-industrial-control-systems.html
-https://www.fireeye.com/blog/threat-research/2016/06/irongate_ics_malware.html
[Editor's Note (Assante): The characteristics, constraints, and circumstances most likely points to this code written in Python as being a research or testing tool. Rob M. Lee shared some excellent analysis in the SANS ICS Blog. The defense community should pay attention though, even if we have not seen weaponization in terms of delivery or the development of a payload capable of working in an operational setting. Add this to your technical threat models used to test ICS designs and implementations and expect to see more PLC-focused attack concepts in the future. ]

US Federal Reserve Cyber Breaches (June 1 and 2, 2016)

According to reports obtained through a Freedom of Information Act (FOIA) request, the US Federal Reserve experienced at least 50 cyber breaches between 2011 and 2015. Some of the incidents were classified as espionage.
-http://www.reuters.com/article/us-usa-fed-cyber-idUSKCN0YN4AM
-http://www.computerworld.com/article/3078016/security/fed-reports-50-plus-breach
es-from-2011-to-2015-some-instances-of-espionage.html
-http://money.cnn.com/2016/06/01/technology/federal-reserve-hack/index.html

Russian Police Arrest 50 in Connection with Online Bank Account Theft (June 1 and 2, 2016)

Authorities in Russia have arrested 50 people in connection with a malware scheme that stole more than 1.7 billion roubles (US $25.4 million). The group allegedly used malware known as Lurk to steal the money from bank accounts.
-http://www.bloomberg.com/news/articles/2016-06-01/russia-detains-50-suspected-ha
ckers-for-malware-bank-attacks
-http://www.bbc.com/news/technology-36434104
-http://www.theregister.co.uk/2016/06/02/russia_launches_raids_over_sberbank_heis
t/
[Editors' Note (Honan and Murray): Kudos to Russian law enforcement for this action. One that will hopefully send a message to Russian cyber criminals that the law will catch up with you at some stage. There can be no "safe haven." ]

---

*************************** SPONSORED LINKS ****************************
1) The Case for PIM/PAM in Todays Infosec. Tuesday, June 14th, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with Barbara Filkins and Ken Ammon. http://www.sans.org/info/186352

2) MobileIron Mobile Security and Risk Review Research Results. Wednesday, June 15th, 2016 at 1:00 PM (13:00:00 EDT/US Eastern) with David Schwaartzberg. http://www.sans.org/info/186357

3) Warning: Email may be Hazardous to your Business. Wednesday, June 15th, 2016 at 3:00 PM (15:00:00 EDT/US Eastern) with John Devenyns. http://www.sans.org/info/186362
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Marcher Android Malware Expanding its Reach (June 2, 2016)

Malware known as Marcher, which infects devices running the Android operating system and steals bank login credentials, has broadened the scope of banks it targets. Initially, Marcher targeted banks in Germany, Austria, France, Turkey, and Australia. Now the malware has added nine UK banks to its list. Marcher spreads through phony Flash updates.
-http://www.zdnet.com/article/this-sneaky-mobile-malware-just-evolved-into-someth
ing-even-nastier/
-http://www.theregister.co.uk/2016/06/02/marcher_banking_trojan/

WordPress Plugin Flaw is Being Actively Exploited (June 2, 2016)

A vulnerability in a WordPress plugin is being actively exploited. The WP Mobile Detector plugin has at least 10,000 active installations. WP Mobile Detector has been removed from the WordPress plugin directory. As there is currently no fix for the problem, users can best protect their devices by uninstalling the plugin.
-http://arstechnica.com/security/2016/06/10000-wordpress-sites-imperilled-by-in-t
he-wild-mobile-plugin-exploit/
[Editor's Note (Williams): Since there is no patch for this plugin, the standard advice of "patch now" doesn't apply. Organizations should use this example as a teachable moment. When you depend on software for which no support is available, how will your organization choose to respond if a vulnerability is discovered? Create a patch yourself? Uninstall the plugin? In most cases the plugin was doing *something* if it was installed, so this doesn't come without fallout either. The bottom line is that free software isn't really free, it comes with a number of hidden costs that must be factored in, particularly when security is concerned. ]

Flaws in Lenovo Support App (June 1 and 2, 2016)

Lenovo is urging users to uninstall its Accelerator support app due to several serious vulnerabilities that could be exploited to launch man-in-the-middle attacks. The app comes bundled on Lenovo Windows 10 devices. The Accelerator app is designed to help certain applications launch more quickly.
-http://www.zdnet.com/article/lenovo-begs-users-to-uninstall-accelerator-app-in-t
he-name-of-security/
-http://www.theregister.co.uk/2016/06/02/lenovo_says_dump_our_support_app_after_m
aninthemiddle_diddle/
-http://www.computerworld.com/article/3078013/security/lenovo-advises-users-to-re
move-a-vulnerable-pre-installed-support-tool.html
Lenovo Advisory:
-https://support.lenovo.com/us/en/product_security/len_6718
[Editor's Note (Ullrich): This decision by Lenovo was based at least on part on a study by Duo Security revealing that most OEM update software delivered with new PCs suffers from insufficiently protected upgrade software.
-https://duo.com/blog/out-of-box-exploitation-a-security-analysis-of-oem-updaters
(Williams): This flaw is most likely to impact SMB's and home users. Larger enterprises tend to reload all of their machines to a custom, standard machine image that removes all bloatware included with the machine. One of our recommendations to smaller businesses for increasing security is to do the same. Even if they don't build a standard image, all new machines should be reloaded from OS media so as not to include all of the frequently vulnerable bloatware applications included with the machine. ]

Federal Appeals Court Says No Warrant Needed for Stingray Use (May 31, 2016)

The Fourth US Circuit Court of Appeals has overturned a lower court verdict that ruled law enforcement must obtain warrants before using cell-site simulators to determine a suspect's location. According to the ruling, obtaining the information does not violate a suspect's Fourth Amendment rights because the information is already being shared with the suspect's wireless carrier" "Whenever
[an individual ]
expects his phone to work, he is permitting - indeed, requesting - the service provider to establish a connection between his phone and a nearby cell tower."
-http://www.zdnet.com/article/us-court-says-cops-dont-need-a-warrant-for-cellphon
e-location-data/

Yahoo Publishes National Security Letters (June 1, 2016)

Yahoo has published three National Security letters it has received from the federal government. National Security Letters allow federal law enforcement officers to demand customer records and transaction information from communication companies without the need for a warrant. The letters also carried a gag order that until recently never expired - anyone or organization receiving an NSL was not permitted to disclose its contents or even its existence. The USA Freedom Act, which became law last year, changed those requirements. The FBI must now review gag orders once the investigation is closed or three years after it was opened, to determine if lifting the order will or will not be detrimental to the investigation. Yahoo's disclosure is the first since the USA Freedom Act passed.
-https://www.wired.com/2016/06/yahoo-publishes-national-security-letters-fbi-drop
s-gag-orders/
-http://www.eweek.com/security/yahoo-is-first-to-legally-disclose-national-securi
ty-letter-contents.html
[Editor's Note (Northcutt): Here is a link to the redacted letters. It shows the power of this form letter. Fill in a couple of fields, generate the letter and the service provider has work to do:
-https://www.wired.com/wp-content/uploads/2016/06/Redacted_NSLs-Yahoo.pdf
Below is Yahoo's position:
-https://yahoopolicy.tumblr.com/post/145258843473/yahoo-announces-public-disclosu
re-of-national]

'Demonically Clever' Backdoor in Computer Chip (June 1, 2016)

Researchers at the University of Michigan have developed a proof-of-concept backdoor in a computer chip that is virtually undetectable. The proof-of-concept backdoor is described as an "analog attack" because it physically alters the chip in a way that exploits unexpected features. The researchers "believe that a new type of defense is required: ...that the best method for detecting
[this ]
attack is some form of runtime verification that monitors a chip's behavior in the digital domain."
-https://www.wired.com/2016/06/demonically-clever-backdoor-hides-inside-computer-
chip/
[Editor's Note (Ullrich): The attack seems to be more demonically complex then clever. More stealthy attacks, like the altering of doping in hardware random number generators, have already been demonstrated, and in the end, if you don't control the supply chain end to end (which nobody does), then you will always be susceptible to a wide range of attacks including the addition of components, software or hardware. (Williams): This really speaks to the problems we currently have with supply chain integrity for digital devices. With few current detection methods, such a backdoor could exist comfortably in the wild today without detection. The good news is that such a backdoor is costly to design and deploy and would likely only be used by nation states to go after very important targets. Most readers can rest comfortably (for now) that this is not a threat to them. ]

Microsoft Warns About ZCrypt Ransomware (June 1, 2016)

Microsoft has issued a warning about ransomware known as ZCrypt, which affects removable drives. ZCrypt affects Windows XP, Windows 7 and Windows 8, but not Windows 10. The malware spreads through phishing messages, malicious Word document macros, and phony Flash installers. Microsoft recommends that users running older versions of Windows upgrade to Windows 10, update antivirus, back up hard drives, and use the Edge browser.
-http://www.theregister.co.uk/2016/06/01/microsoft_warns_of_worm_ransomware_finds
_fix_in_windows_10_upgrade/
-https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/

Google Updates Chrome for the 3rd Time in Little Over a Month

June 2, 2016 Using the bounty program as well as internal assets Google has patched a number of vulnerabilities and updated their software. The most recent vulnerabilities, found by a number of security researchers including Mariusz Mlynski, were ranked high-severity. One of them was a cross-origin vulnerability.
-https://threatpost.com/google-patches-two-high-severity-flaws-in-chrome/118441/
(Northcutt): As soon as I read this I went to my Chrome browser. It had not updated yet. If you use Chrome at all, click on About Chrome as soon as you read this. Same origin is the heart of the browser security model: URI, IP, Port. And it seems that every browser implements it differently which increases the odds it can be abused:
-https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy]

---

INTERNET STORM CENTER TECH CORNER

Increase in Telnet Scans
-https://isc.sans.edu/forums/diary/Increase+in+Port+23+telnet+scanning/21115/

Exploit Released for Unpatchable SCADA Controller
-https://www.exploit-db.com/exploits/37154/

Fail2Ban Adding IPv6 Support
-https://www.slightfuture.com/security/fail2ban-ipv6

Critical LG Phone Security Flaws
-http://blog.checkpoint.com/2016/05/29/oems-have-flaws-too-exposing-two-new-lg-vu
lnerabilities/

KeePass Insecure Update
-https://bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/

Possible TeamViewer Breach
-http://www.theregister.co.uk/2016/06/01/teamviewer_mass_breach_report/

Windows 10 Exploit Offered For Sale
-https://www.trustwave.com/Resources/SpiderLabs-Blog/Zero-Day-Auction-for-the-Mas
ses/?page=1&year=0&month=0

Intrusion Detection in Depth Minneapolis (July 18-23rd)
-https://www.sans.org/event/minneapolis-2016/course/intrusion-detection-in-depth

Docker Containers Logging
-https://isc.sans.edu/forums/diary/Docker+Containers+Logging/21121/

Google Chrome Update
-http://googlechromereleases.blogspot.com/search/label/Stable%20updates

MongoDB Injection
-http://blog.securelayer7.net/mongodb-security-injection-attacks-with-php/

Ouch! Newsletter
-https://securingthehuman.sans.org/resources/newsletters/ouch/2016#encryptio

Detecting DNS Tunneling With Splunk
-https://www.sans.org/reading-room/whitepapers/dns/splunk-detect-dns-tunneling-37
022

Android AV Vulnerabilities
-https://www.sit.fraunhofer.de/fileadmin/dokumente/Presse/teamsik_advisories_AV.p
df?_=1464692835

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create