SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XVIII - Issue #51
June 28, 2016
TOP OF THE NEWS
Cerber Ransomware Targets (Lots Of) Office365 Users
US Legislators Want to Know How DoD Will Respond to Critical Infrastructure Cyberattack
DNC Attackers Also Targeted Clinton Campaign and Clinton Foundation
Federal Progress in Cybersecurity Uneven
THE REST OF THE WEEK'S NEWS
Stolen Patient Records Offered for Sale
Traditional Security Not Working for Hospitals
Microsoft Will Pay US $10,000 for Windows 10 Update That Damaged Machine
IRS Retires E-file PIN Application
Chrome DRM Vulnerability Can be Exploited to Copy Streamed Movies
SMS Texts for Two-Factor Authentication? Think Again
EU Will Vote on Revised Privacy Shield Draft Next Month
Lenovo Fixes Support Tool Flaws
INTERNET STORM CENTER TECH CORNER
********************** Sponsored By ThreatSTOP **************************
Stop admiring threats, start blocking them with ThreatSTOP. Automatically supercharge your existing network security devices with operationalized threat intelligence. Special SANS promotion: 25% off our Starter Kit. Start blocking threats today!
http://go.threatstop.com/25offStarterKitPromo_ThreatSTOPStarterKit.html
***************************************************************************
TRAINING UPDATE
--SANS Salt Lake City 2016 | Salt Lake City, UT | June 27-July 2 | https://www.sans.org/event/salt-lake-city-2016
--MGT 433 at SANS London Summer 2016| London, UK | July 7-8 | https://www.sans.org/event/mgt433-at-sans-london-summer-2016
--SANS London Summer 2016| London, UK | July 9-16 | https://www.sans.org/event/london-in-the-summer-2016
--SANS Rocky Mountain | Denver, CO | July 11-16 | https://www.sans.org/event/rocky-mountain-2016
--SANS Minneapolis 2016 | Minneapolis, MN | July 18-23 | https://www.sans.org/event/minneapolis-2016
--SANS San Antonio | San Antonio, TX | July 18-23 | https://www.sans.org/event/san-antonio-2016
--Industrial Control Systems Security Training | Houston, TX | July 25-30 | https://www.sans.org/event/ics-houston-summit-training-2016
--SANS Vienna | Vienna, Austria | August 1-6 | https://www.sans.org/event/vienna-2016
--Security Awareness Summit & Training | San Francisco, CA | August 1-10, 2016 | https://www.sans.org/event/security-awareness-summit-2016
--Data Breach Summit: Assessment, Compliance, Communication | Chicago, IL | August 18, 2016 | https://www.sans.org/event/data-breach-summit-2016
--SANS Alaska | August 22-27, 2016 | Anchorage, AK | https://www.sans.org/event/alaska-2016
***************************************************************************
TOP OF THE NEWS
Cerber Ransomware Targets Office365 Users (June 27 and 28, 2016)
More than half of cloud security firm Avanan's customers using Office365 received phishing emails that were designed to infect computers with ransomware. Microsoft started blocking the malicious attachment on June 23, one day after the attack began.
[Editor Comments]
(Pescatore): The major lesson here is that the AV capabilities built into email services like Gmail or Office365 are usually the first thing targeted threat actors test their payload against. The old adage "Infrastructure cannot protect itself" is definitely still valid with email services. You still need to monitor and protect your Windows endpoints at least as well as before outsourcing email. Ideally, use the transition to *improve* security - add stronger authentication and better endpoint protection, or both, as part of that switchover. Finally, make sure your incident response processes extend out to each new external service or cloud service provider - they all do things differently, they don't adapt to you.
(Williams): While managed services such as Office365 are not a panacea (logging for instance is often subpar), they adapt to threats much faster than most enterprise managed offerings. The same ransomware phishing emails will continue to threaten enterprise managed email users for months.
(Northcutt): Same day service in a nanosecond world! According to Avanan, they first detected the attack at 6:44 AM June 22 UTC and blocking started at 11:34 AM UTC. Millions of people received the phishing emails. In the days to come we will have some idea of the size of the cleanup. Blessed are they that maintain frequent backups:
-http://www.avanan.com/resources/attack-on-office-365-corporate-users-with-zero-day-ransomware-virus
Read more in: SC Magazine: Microsoft Office 365 hit with massive Cerber ransomware attack, report
-http://www.scmagazine.com/microsoft-office-365-hit-with-massive-cerber-ransomware-attack-report/article/505845/
The Register: Ransomware scum target corporate Office 365 users in 0-day campaign
-http://www.theregister.co.uk/2016/06/28/ransomware_scum_target_corporate_office_365_users_in_0day_campaign/
US Legislators Want to Know How DoD Will Respond to Critical Infrastructure Cyberattack (June 23, 2016)
The US House Armed Services Committee wants to know how the Department of Defense (DoD) would respond to a cyberattack against the country's critical infrastructure, but DoD Acting Assistant Secretary for Homeland Defense and Global Security Thomas Atkin was not able to provide specific answers. Atkin did say that if requested, DoD would assist the Department of Homeland Security (DHS), which has jurisdiction over homeland attacks. Congress is also moving toward elevating US Cyber Command to a full combatant command.
[Editor Comments]
(Assante): There are two main camps on this issue. One camp advocates for more clearly defined thresholds as a necessary element to establishing norms and supporting a policy of deterrence. (Let alone the operational practicalities of having a plan.) The other camp believes a more powerful tool is uncertainty and values flexibility allowing the context and specifics involved in an attack to drive a decision. There are merits to both approaches, but we should not miss the opportunity to establish norms and expectations as real world events come to light. The attack on Ukraine's power system impacted the critical lifeline service of electricity during winter. The attacks were both disruptive and destructive, and they clearly targeted civilian infrastructure. We must ask ourselves, what lessons are being drawn?
(Murray): Regardless of the intent or capability of the DoD, the response to a "cyber attack against the country's critical infrastructure" will be in the hands of those who manage and operate the infrastructure day to day.
Read more in: Federal News Radio: When should DoD respond to a cyberattack? No one really knows
-http://federalnewsradio.com/defense/2016/06/dod-respond-cyber-attack-no-one-really-knows/
DNC Attackers Also Targeted Clinton Campaign and Clinton Foundation (June 21, 22, and 27, 2016)
Earlier this month, researchers confirmed that attackers working on behalf of the Russian government infiltrated the US Democratic National Committee (DNC) network and stole information. Now there are reports that the same groups of attackers also breached the networks of the Hillary Clinton campaign and the Clinton Foundation.
Read more in: Washington Post: Cyber researchers confirm Russian government hack of Democratic National Committee
-https://www.washingtonpost.com/world/national-security/cyber-researchers-confirm-russian-government-hack-of-democratic-national-committee/2016/06/20/e7375bc0-3719-11e6-9ccd-d6005beac8b3_story.html
NBC News: Russian Hackers Believed to Have Breached Clinton Foundation Computers
-http://www.nbcnews.com/politics/2016-election/russian-hackers-believed-have-breached-clinton-foundation-computers-n596701
Bloomberg: Clinton Foundation Said to Be Breached by Russian Hackers
-http://www.bloomberg.com/news/articles/2016-06-22/clinton-foundation-said-to-be-breached-by-russian-hackers
DarkReading: Google Accounts Of US Military, Journalists Targeted By Russian Attack Group
-http://www.darkreading.com/attacks-breaches/google-accounts-of-us-military-journalists-targeted-by-russian-attack-group/d/d-id/1326069?
Federal Progress in Cybersecurity Uneven (June 24, 2016)
Alan Paller speaks with Federal News Radio's Tom Temin about cybersecurity preparedness in the US federal government. While most agencies currently have a broad and thin layer of cybersecurity, some - most notably the military and law enforcement - have learned that they need people with hands-on cybersecurity skills to meet the rapidly changing attack surface.
Read more in: Federal News Radio: Alan Paller: Federal progress in cybersecurity
-http://federalnewsradio.com/federal-drive/2016/06/alan-paller-federal-progress-in-cybersecurity/
*************************** SPONSORED LINKS *****************************
1) On-Demand Webcast: Key Findings from Symantec's 2016 Internet Security Threat Report https://www.brighttalk.com/webcast/13361/200205?cid=70138000000eMqiAAE&mc=199238&ot=wc&tt=tp
2) Stop Ransomware Attacks Before They Start: Get the Latest Research on How Ransomware Arrives. http://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-arrival-methods
3) FREE eBook - Improve Network Security and Visibility with NetFlow! http://go.lancope.com/SANSNewsbitesAdLower_DummiesBookLP.html
***************************************************************************
THE REST OF THE WEEK'S NEWS
Stolen Patient Records Offered for Sale (June 27, 2016)
A data thief has offered hundreds of thousands of healthcare records for sale on the Internet. Three health care organizations are also reportedly being asked for ransom. The attack was likely carried out through a vulnerability in the remote desktop protocol (RDP), which allows workers to access their work computers while away from the office.
[Editor Comments]
(Williams): The key to this story was buried - it's that the attacker claims to have discovered a remotely exploitable vulnerability in RDP. When possible, RDP should not be directly exposed to the Internet without the protection of a VPN.
Read more in: Computerworld: Hacker selling 655,000 patient records from 3 hacked healthcare organizations
-http://www.computerworld.com/article/3088907/security/hacker-selling-655-000-patient-records-from-3-hacked-healthcare-organizations.html
BBC: US Healthcare records offered for sale online
-http://www.bbc.com/news/technology-36639981
Microsoft Will Pay US $10,000 for Windows 10 Update That Damaged Machine (June 27, 2016)
Microsoft will pay a California woman US $10,000 after her computer was automatically updated to Windows 10 without her authorization. The update rendered the computer unusable. In February 2016, Microsoft included Windows 10 in its monthly update. Because it was classified as a "recommended update," it automatically installed unless users deliberately blocked it.
Read more in: BBC: Payout of $10,000 for Windows 10 update
-http://www.bbc.com/news/technology-36640464
IRS Retires E-file PIN Application (June 26 and 27, 2016)
The US Internal Revenue Service (IRS) has discontinued its Electronic Filing PIN web application due to "questionable activity." The IRS disclosed earlier this year that attackers had exploited weaknesses in the app to steal PINs, ostensibly to file fraudulent returns. Although the IRS reinforced security for the app, PINs were still being compromised, so the decision was made to retire the app.
[Editor Comments]
(Ullrich): Fraudulent tax returns have been a preferred way to cash in on stolen PII for a while now. The IRS has a particularly challenging problem in having to authenticate users with whom it interacts only once a year. Traditional passwords will not work in this case. Social security numbers used to work as a form of "password", but with pretty much every social security number being leaked over the last couple of years, they can no longer be used. It will be interesting to see if the new scheme of using information from prior year tax returns will work, or if the IRS has to change its business rules, which would likely lead to slower refunds.
Read more in: FCW: Another IRS tax tool bites the dust
-https://fcw.com/articles/2016/06/27/irs-tax-tool-noble.aspx
The Hill: IRS under fire from hackers
-http://thehill.com/business-a-lobbying/284983-irs-again-under-fire-by-hackers
The Register: IRS kills off PINs citing increasing suspicious activity
-http://www.theregister.co.uk/2016/06/26/irs_kills_off_pins_citing_increasing_suspicious_activity/
Computerworld: IRS kills electronic filing PIN feature due to repeated attacks
-http://www.computerworld.com/article/3088905/security/irs-kills-electronic-filing-pin-feature-due-to-repeated-attacks.html
ZDNet: IRS dumps e-filing PIN security early - after yet more automated attacks
-http://www.zdnet.com/article/irs-dumps-e-filing-pin-security-early-after-yet-more-automated-attacks/
Traditional Security Not Working for Hospitals (June 24 and 27, 2016)
A study conducted by researchers at a trio of US universities (the University of Pennsylvania, Dartmouth University, and the University of Southern California) found that medical professionals at hospitals routinely take steps to bypass security measures on computers, medical devices, and keypad-protected rooms. While the workers are aware that they are not following best practices, the situation underscores the fact that the way security is currently implemented does not allow medical professionals to do their jobs in a timely manner.
[Editor Comments]
(Pescatore): The report points out a mix of issues. Some reflect bad design of electronic health record systems that force caregivers to take risky actions just to get their job done. Most of the others are the traditional problems of high power users finding that security solutions cause too much "friction," so they evade them. Too much of health care cybersecurity has been compliance driven, vs. building in (ironically) basic security hygiene.
(Ullrich): In my SANS classes, I often use a true story of an operating room nurse who couldn't access a cabinet with restricted medication during a surgery after the authentication server went down. Availability trumps confidentiality and integrity if someone's life is at risk, and "fail open" is a very sensible solution. Controls have to be designed very carefully in these environments. In addition, the access to medical data has to happen quickly and without friction in emergency situations. Traditional security is just not designed for these use cases.
(Williams): In my experience in healthcare environments, the devices most likely to be left logged in are those in critical care patient areas (ER, ICU, etc.). Recognizing this enabled creative protection strategies including enhanced monitoring for account misuse and limiting what internal resources could be accessed from these machines. The healthcare IT security problem is just an extension of threat modeling: understanding where your threats are most significant will enable better defensive strategies.
(Murray): HIPAA remains "in the ditch." The law that was supposed to encourage the "portability" of patient data by ensuring security has had unintended and perverse consequences. In the name of not being "too prescriptive," it asks healthcare providers to do something that they simply are not equipped to do, design security. Hospitals desperately need help in designing security that strikes an appropriate balance between effectiveness and convenience in their applications and environments.
(Paller): The help Murray calls for begins with prescriptive guidance that provides a minimum standard of due care. The Center for Internet Security Critical Controls provide just such a baseline. As automated tools emerge over the next few months that reliably measure compliance with the Critical Controls, they will slowly but inexorably raise security standards across hospitals and other key technology using organizations. Hospitals with highly experienced security architects on staff - not consultants - may consider adapting the Critical Controls to their unique needs - all others should implement the Critical Controls thoughtfully without adjustments.
Read more in: The Register: Medicos could be world's best security bypassers, study finds
-http://www.theregister.co.uk/2016/06/27/medicos_could_be_worlds_best_security_bypassers_study_finds/
The Hill: Study slams hospitals for lax use of passwords
-http://thehill.com/business-a-lobbying/284782-study-slams-hospitals-for-lax-use-of-passwords
Chrome DRM Vulnerability Can be Exploited to Copy Streamed Movies (June 24 and 27, 2016)
A bug in Google Chrome's Widevine EME/CDM digital rights management (DRM) technology allows users to make illegal copies of movies from streaming services. Google was notified about the issue on May 24, but has not yet fixed the problem.
Read more in: Christian Science Monitor: Why pirates can easily steal movies from Chrome
-http://www.csmonitor.com/Technology/2016/0627/Why-pirates-can-easily-steal-movies-from-Chrome
Wired: A Bug in Chrome Makes It Easy to Pirate Movies
-https://www.wired.com/2016/06/bug-chrome-makes-easy-pirate-movies/
Ars Technica: Chrome DRM bug makes it easy to download streaming video
-http://arstechnica.com/security/2016/06/chrome-drm-download-netflix-piracy/
SMS Texts for Two-Factor Authentication? Think Again (June 26, 2016)
SMS messages for two-factor authentication are not as secure as they might seem. Rather than something users possess, SMS messages are something users are sent, which means they can be intercepted. Alternatives include authentication apps for smartphones or a physical token that generates one-time codes.
[Editor Comments]
(Pescatore): The article points out that even SMS messages are way more secure than just relying on reusable passwords alone, and that the attacks against SMS messaging authentication approaches are difficult to carry out. Those attacks also don't lend themselves to mass exploitation the way phishing attacks do against reusable passwords. Bottom line: if you have an opportunity to move your organization to some form of token or biometric for higher levels of authentication, definitely go for it. Don't allow claims that "message 2FA solutions aren't perfect" to be an excuse for doing nothing.
(Murray): The security professional who does not implement one-time-passwords because he "knows how to defeat them," continues to tolerate reusable passwords that he also "knows how to defeat." Perfect security is the enemy of the good and the excuse for the status quo. This report notwithstanding, there is nothing higher on the enterprise security agenda, no opportunity with a greater return, than the implementation of strong authentication. The real reason that one-time-passwords are not more widely used has more to do with inertia and sloth than security.
Read more in: Wired: So Hey You Should Stop Using Texts for Two-Factor Authentication
-https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/
EU Will Vote on Revised Privacy Shield Draft Next Month (June 24 and 26, 2016)
A revised version of a data transfer agreement between the US and the European Union has been sent to EU member states for review. The Privacy Shield agreement has been drafted to replace the Safe Harbor arrangement that the EU struck down last fall over US surveillance concerns. The EU is expected to vote on the new Privacy Shield draft in early July.
Read more in: Reuters: EU, United States agree on changes to strengthen data transfer pact
-http://www.reuters.com/article/us-eu-dataprotection-usa-idUSKCN0ZA1QT
The Hill: Draft of new US-EU data transfer deal sent to EU member states
-http://thehill.com/policy/cybersecurity/284763-draft-of-new-us-eu-data-transfer-deal-sent-to-eu-member-states
Computerworld: The EU and U.S. reach data-transfer deal, report says
-http://www.computerworld.com/article/3088221/security/the-eu-and-us-reach-data-transfer-deal-report-says.html
SC Magazine: Industry, privacy groups: EU and U.S. Privacy Shield changes unlikely to ease concerns
-http://www.scmagazine.com/the-eu-and-us-agreed-to-changes-to-the-privacy-shield-pact-that-officials-hope-will-appease-privacy-concerns-raised-by-privacy-regulators/article/505608/
Lenovo Fixes Support Tool Flaws (June 24, 2016)
Lenovo has released patches for a pair of vulnerabilities in the Lenovo Solution Center (LSC), a support tool that comes preinstalled on laptops and desktops. The flaws could be exploited to take control of vulnerable machines and terminate processes. Users are advised to upgrade to LSC version 3.3.003.
[Editor Comments]
(Williams): The Lenovo support tools vulnerabilities are just a small sample of vulnerabilities in poorly tested, manufacturer specific bloatware. These tools have no place on enterprise managed machines if they are not explicitly needed for operations. If the tools are required for operations, don't assume that the manufacturer has adequately tested them for security - engage qualified testers to determine your exposure.
Read more in: Computerworld: Lenovo patches two high-severity flaws in PC support tool
-http://www.computerworld.com/article/3088547/security/lenovo-patches-two-high-severity-flaws-in-pc-support-tool.html
Lenovo Advisory: LEN-7814 Lenovo Solution Center Arbitrary Process Termination or Code Execution by Unprivileged Local Users
-https://support.lenovo.com/us/en/product_security/len_7814
INTERNET STORM CENTER TECH CORNER
"Bart" Ransomware
-https://isc.sans.edu/forums/diary/Bart+a+new+Ransomware/21195/
Swagger Vulnerability
-https://community.rapid7.com/community/infosec/blog/2016/06/23/r7-2016-06-remote-code-execution-via-swagger-parameter-injection-cve-2016-5641
"Enriched" Voter Database Leak
-https://mackeeper.com/blog/post/239-another-us-voter-database-leak
Recent Fake DDOS Threats by "Armada Collective"
-https://blog.cloudflare.com/empty-ddos-threats-meet-the-armada-collective/
CCTV Cameras Still A Major Threat
-https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html
***********************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create