SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

• SANS NewsBites RSS
• Editorial Board

Volume XVIII - Issue #5

January 19, 2016

TOP OF THE NEWS

Attacks in Critical Manufacturing Sector Doubled
Android Malware Steals Voice-Based Two-Factor Authentication Codes
Casino Sues Trustwave Over Inadequate Breach Investigation
Company Sues Insurer Over Cyberattack Loss

THE REST OF THE WEEK'S NEWS

Melbourne, Australia Hospital Windows XP Computers Hit with Malware
Ukrainian Government Blames Russia for Airport Cyberattack
FDA Issues Medical Device Cybersecurity Draft Guidance
Bitcoin Trading Site Cryptsy Alleges Cryptocurrency Theft
Five Arrested in Connection with MegalodonHTTP RAT
Hyatt Identifies Affected Hotels
Car Manufacturers Will Establish Industry ISAC

STORM CENTER TECH CORNER

STORM CENTER TECH CORNER

---

************************* Sponsored By Splunk **************************

Splunk is named a leader in the 2015 Gartner SIEM Magic Quadrant for the 3rd time in a row and remains at the forefront of solving advanced and emerging SIEM use cases. Learn how Splunk security analytics can dramatically improve the detection, response and recovery from advanced threats. Get your copy of the report today.
http://www.sans.org/info/180747

***************************************************************************

TRAINING UPDATE

- --SANS Security East 2016 | New Orleans, LA | January 25-30, 2016 | 12 courses.
http://www.sans.org/u/anl

- --Cyber Threat Intelligence Summit & Training | DC | Feb 3-10, 2016 | Enabling organizations to build effective cyber threat intelligence analysis capabilities. Two days of Summit talks and 4 courses.
http://www.sans.org/u/aBH

- --ICS Security Summit & Training | Orlando, FL | Feb 16-23, 2016 | Training from industry experts on attacker techniques, testing approaches in ICS and defensive capabilities in ICS environments. 8 courses including the new ICS456 & SEC562 courses. Plus, CyberCity and two days of ICS Summit sessions.
http://www.sans.org/u/aBM

- --Can't travel? SANS offers LIVE online instruction.
Day (Simulcast - http://www.sans.org/u/WF) and Evening
(vLive - http://www.sans.org/u/WU) courses available!

- --Multi-week Live SANS training
Mentor - http://www.sans.org/u/X4
Contact mentor@sans.org

- --Looking for training in your own community?
Community - http://www.sans.org/u/Xj

- --SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/Xy

Plus Brussels, Scottsdale, Munich, Tokyo, Anaheim, Philadelphia, and London all in the next 90 days. For a list of all upcoming events, on-line and live:
http://www.sans.org/u/XI

***************************************************************************

---

TOP OF THE NEWS

Attacks in Critical Manufacturing Sector Doubled (January 15, 2016)

According to a report from the US Department of Homeland Security's (DS's) Industrial Control System Computer Emergency Response Team (ICS-CERT), DHS investigated nearly twice as many critical manufacturing sector incidents between October 1, 2014 and September 30, 2015 as it did during the previous fiscal year. Of the 295 incidents ICS-CERT investigated, 97 involved organizations in the critical manufacturing sector; that sector includes automobile manufacturers and aviation equipment manufacturers. Forty-six incidents involved energy sector organizations, 25 involved water and wastewater systems, and 23 involved transportation systems.
-http://www.nbcnews.com/tech/security/cyber-attacks-manufacturing-jumped-past-yea
r-homeland-security-n497441
-http://thehill.com/policy/cybersecurity/266081-dhs-critical-manufacturing-cybera
ttacks-have-nearly-doubled
[Editor's Note (Murray): The success of "Phishing" accounts for the year-over-year increase. The isolation of e-mail from other processes is critical to defense against these attacks. If this cannot be achieved through proper configuration of software (can be, we just do not want to do it), then use hardware. It is both cheap and effective. ]

Android Malware Steals Voice-Based Two-Factor Authentication Codes (January 13 and 18, 2016)

Symantec has detected malware created for Android devices that steals single-use passcodes generated to add a layer of security to online banking authentication procedures. The malware, dubbed Android.Bankosy, enables call forwarding and silent mode so the devices' owners are unaware that their incoming calls are being redirected. Some organizations have started sending the single-use passwords in voice calls rather than SMS.
-http://www.theregister.co.uk/2016/01/18/updated_android_malware_steals_voice_two
_factor_authentication/
-http://www.pcworld.com/article/3021930/security/android-malware-steals-one-time-
passcodes.html
[Editor's Note (Murray): "Out-of-band" means just that. If one is to rely upon the same device to authenticate (receive a one-time password) as to process a (banking) transaction, then one had better be sure that process-to-process isolation within the device is adequate. Whether or not it is, in Android devices, is not possible for the average bank customer to assess. The bank cannot even rely upon what version of Android the app is running on. All that said, compared to UID and (reusable) password replay attacks, MITM and session-stealing attacks against one-time-passwords are difficult to mount and depend upon the legitimate user initiating a session. ]

Casino Sues Trustwave Over Inadequate Breach Investigation (January 15, 16, and 18, 2016)

A Nevada-based casino has sued Trustwave, alleging that the company mishandled a security breach investigation. The lawsuit filed by Affinity Gaming calls Trustwave's investigation of the incident "woefully inadequate," alleging that while Trustwave said it had identified the source of the breach and contained the malware, a later investigation conducted by Mandiant after a second breach revealed that the malware had not been completely scrubbed from the system.
-http://arstechnica.com/security/2016/01/security-firm-sued-for-filing-woefully-i
nadequate-forensics-report/
-http://www.theregister.co.uk/2016/01/16/trustwave_sued_by_casino/
-http://www.zdnet.com/article/trustwave-sued-over-failure-to-stop-security-breach
/
-http://thehill.com/policy/cybersecurity/266103-hacked-casino-sues-cybersecurity-
firm
-https://regmedia.co.uk/2016/01/16/affinity_trustwave.pdf
-http://uk.reuters.com/article/uk-ukraine-cybersecurity-malware-idUKKCN0UW0S7
-http://cert.gov.ua/?p=2464
(Original article in Ukrainian)
[Editor's Comment (Northcutt): With the explosion in cyber security as a business this is bound to happen. A bit of research into the quality companies is well worth the time. In the link below, (which is unvetted by myself or SANS), I have been noticing Stroz Friedberg employees consistently scoring above 85 on GIAC exams for months. Don't know anything else about them, but clearly they were focused on being in the game:
-http://www.itbusinessedge.com/slideshows/top-25-cybersecurity-companies-to-watch
-in-2015.html]

Company Sues Insurer Over Cyberattack Loss (January 18, 2016)

A Texas-based manufacturing company is suing its insurance company for not paying a claim over a US $480,000 loss from an email scam. The policy with Federal Insurance Co. was supposed to cover losses from computer fraud and funds transfer fraud up to US $3 million with a US $100,000 deductible. Federal Insurance maintains that the scheme did not meet the criteria of "forgery of a financial instrument." Instead, says Federal, the scheme was conducted through "business email compromise" or CEO fraud.
-http://krebsonsecurity.com/2016/01/firm-sues-cyber-insurer-over-480k-loss/
[Editor's Note (Pescatore): This is a common occurrence when companies try to make claims against cyberinsurance policies. CFOs and legal counsels need to review the language of insurance contracts and understand what is/isn't covered *before* signing on. No cyberinsurance policy actually caps liability and, as many examples point out, they often don't even limit liability when common phishing-based attacks succeed. ]

---

************************** SPONSORED LINKS ********************************
1) Learn how to Reduce Your Incident Response Costs - Download the Free White Paper: http://www.sans.org/info/182882

2) Why You Need Application Security. Thursday, January 28, 2016 at 1:00 PM EST (18:00:00 UTC) with Johannes B. Ullrich, Ph.D. and Joseph Feiman. http://www.sans.org/info/182887

3) SANS 2016 IT Security Spending Strategies Survey. Wednesday, February 03, 2016 at 1:00 PM EST (18:00:00 UTC) featuring Barbara Filkins, G. Mark Hardy (moderator) and Simon Gibson. http://www.sans.org/info/182892
***************************************************************************

---

THE REST OF THE WEEK'S NEWS

Melbourne, Australia Hospital Windows XP Computers Hit with Malware (January 18 and 19, 2016)

Computers in the pathology wing of the Royal Melbourne Hospital in Victoria, Australia became infected with malware in the past week. The blood bank has reverted to manual procedures for specimen processing. The issue affects PCs running Windows XP.
-http://www.theage.com.au/victoria/royal-melbourne-hospital-attacked-by-damaging-
computer-virus-20160118-gm8m3v.html
-http://www.theregister.co.uk/2016/01/19/melbourne_hospital_pathology_wing_splatt
ered_by_virus/

Ukrainian Government Blames Russia for Airport Cyberattack (January 18, 2016)

After Black Energy malware was found on the computer network at Boryspil Airport in Kiev, Ukraine, the country's government says it suspects that Russia is responsible. Ukraine's Computer Emergency Response Team (CERT-UA) has issued a warning that additional attacks could follow. Black Energy is the same malware that was found on systems at three Ukrainian power companies late last year. CERT-UA advises systems administrators to check log files for anomalous activity.
-http://www.scmagazine.com/ukraine-blames-russia-for-cyber-attack-on-airport/arti
cle/465675/
-http://www.theregister.co.uk/2016/01/18/blackenergy_power_outage_malware_kiev_ai
rport/
-http://www.irishtimes.com/news/world/europe/ukraine-blames-russian-hackers-for-a
irport-attack-1.2501363

FDA Issues Medical Device Cybersecurity Draft Guidance (January 18, 2016)

The US Food and Drug Administration (FDA) has issued draft guidance, "Postmarket Management of Cybersecurity in Medical Devices," for device manufacturers. In October 2014, the FDA issued guidance for medical device manufacturers regarding building cybersecurity into their product from the beginning of the development process.
-http://www.news-medical.net/news/20160118/FDA-issues-draft-guidance-to-address-c
ybersecurity-vulnerabilities-in-medical-devices.aspx
-http://www.govinfosecurity.com/fda-issues-more-medical-device-security-guidance-
a-8805
January 2016 Draft Guidance:
-http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/Guidance
Documents/UCM482022.pdf
October 2014 Guidance:
-http://www.fda.gov/downloads/MedicalDevices/DeviceRegulationandGuidance/Guidance
Documents/UCM356190.pdf
[Editor's Note (Pescatore): The FDA has been issuing this kind of guidance since 2010. I think it is time for it to focus on issuing penalties to companies that continue to ignore such guidance. The FTC has been doing this very effectively for several years, would be good to see the FDA work with them to focus on medical devices or for FDA to emulate the FTC a bit. (Murray): The value that arises from the ability to observe and control medical appliances at a distance comes at an unavoidable price. ]

Bitcoin Trading Site Cryptsy Alleges Cryptocurrency Theft (January 16 and 18, 2016)

Cryptocurrency trading website Cryptsy has accused the developer of Lucky7Coin of stealing currencies worth an estimated US $5.7 million. The theft allegedly occurred in late July 2014. Cryptsy says an internal investigation determined that the Lucky7Coin developer put an IRC backdoor into a wallet, allowing the currencies to be moves to another location. Cryptsy disclosed the alleged theft the day after the company learned that it had been named in a class-action lawsuit regarding the lost funds.
-https://www.cryptocoinsnews.com/lawsuit-cryptsy-proceed-planned-despite-theft-cl
aim/
-http://news.softpedia.com/news/cryptsy-bitcoin-trader-robbed-blames-backdoor-in-
the-code-of-a-wallet-498994.shtml
[Editor Note: (Northcutt): Cryptsy, a crypto coin exchange is announcing a breach that may shut them down now when it happened 18 months ago? A lot of people are going to get hurt. The article mentions the corrupt Secret Service agent Shaun Bridges, but that appears to be a red herring, though another warning of the dangers of unregulated currencies:
-http://blog.cryptsy.com/post/137323646202/announcement
-http://www.ibtimes.co.uk/silk-road-cop-shaun-bridges-gets-71-months-jail-stealin
g-bitcoins-dark-web-drug-site-1532336]

-http://www.bankinfosecurity.com/bitcoin-heist-steals-millions-from-exchange-a-88
03

Five Arrested in Connection with MegalodonHTTP RAT (January 15 and 18, 2016)

Law enforcement agents in Norway, along with Europol agents, arrested five people who are allegedly involved with the distribution of the MegalodonHTTP remote access Trojan (RAT). The suspects were arrested in France, Romania, and Norway.
-http://www.theregister.co.uk/2016/01/15/norway_cops_europol_throw_cage_over_rat/
-http://www.scmagazine.com/arrested-hackers-revealed-to-be-outfit-behind-megalodo
nhttp-trojan/article/465666/

Hyatt Identifies Affected Hotels (January 15, 2016)

Hyatt Hotels has identified the properties that were affected by data breaches last year. In all, payment systems at 250 hotels in 50 countries were compromised. The breaches occurred between July 30 and December 8, 2015. Most of the breached systems were in restaurants; the rest, a "small percentage," were at spas, shops, parking facilities ad front desks.
-http://www.bbc.com/news/technology-35322394
-http://krebsonsecurity.com/2016/01/hyatt-card-breach-hit-250-hotels-in-50-nation
s/
-http://www.zdnet.com/article/250-hyatt-hotels-infected-last-year-with-payment-da
ta-stealing-malware/
[Editor's Note (Murray): Hospitality in general, food service in particular, continues to be a favorite target. If one is in that industry, the Verizon Data Breach Incident Report is required reading. ]

Car Manufacturers Will Establish Industry ISAC (January 15, 2016)

US Department of Transportation (DOT) and most major car manufacturers have released a list of "proactive safety principles" that aim to help the industry improve cybersecurity. The list includes plans to create an automotive industry Information Sharing and Analysis Center (ISAC). Automobile supply companies will be urged to join as well. The car makers also want to work with bug hunters.
-http://www.computerworld.com/article/3023396/car-tech/automakers-will-collaborat
e-to-try-to-stop-car-hacks-before-they-happen.html
-http://www.wired.com/2016/01/feds-prod-automakers-to-play-nice-with-hackers/
Proactive Safety Principles 2016:
-https://www.transportation.gov/briefing-room/proactive-safety-principles-2016
[Editor's Note (Pescatore): ISACs seem to work best in verticals where there is "coop-etition" such as financial and energy. I'm not sure automotive really meets that definition, but it would be good to see this sector have an effective ISAC. ]

---

STORM CENTER TECH CORNER

JavaScript Deobfuscator
-https://isc.sans.edu/forums/diary/JavaScript+Deobfuscation+Tool/20619/

Test For Unsafe Subresources
-https://sritest.io

Apple's Gatekeeper Still Insufficient
-https://threatpost.com/apples-targeted-gatekeeper-bypass-patch-leaves-os-x-users
-exposed/115887/
-https://objective-see.com/products/ostiarius.html

Some Useful Volatility Plugins
-https://isc.sans.edu/forums/diary/Some+useful+volatility+plugins/20623/

3D Printing Key Blanks Based on a Photo of a Lock
-https://keysforge.com

Phishing Attack Against LastPass Users
-https://github.com/cxxr/lostpass

Database Security Scanner
-https://github.com/foospidy/DbDat

---

***********************************************************************
The Editorial Board of SANS NewsBites

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is the Principal Information Security Architect for Warner Brothers Entertainment, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/