Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #98

December 19, 2016




The 2016 SANS Holiday Hack Challenge from Ed Skoudis and his team

Great challenge! Great fun!

Help unravel a fiendish plot to destroy Christmas. You'll build vital cyber security skills you'll use year 'round - social networking reconnaissance, mobile application analysis, vulnerability discovery in modern web development frameworks, Linux exploitation, and a whole lot more. All free!

The competition is open from now through January 4, and we'll keep the servers up all year so you can continue to practice.

Access it here: https://www.holidayhackchallenge.com

TOP OF THE NEWS

Obama Orders Investigation of Election Cyberattacks
CIA, FBI Differ in Assessment of Russia's Intentions
US Legislator Wants Single Cybersecurity Agency
Hackers Named Runner-Up for Time Man of The Year

THE REST OF THE WEEK'S NEWS

Global DDoS Crackdown Arrests 34; Most are Teenagers
Ransomware with a Twist
Microsoft Update is Knocking Some Users Offline
Quest Diagnostics Breach
PwC SAP Security Flaw
Patches for Linux Kernel Flaws
Netgear Router Flaws
Russian Authorities Arrested Bank Theft Suspects Last May
DDoS Attacks Against Russian Bank Used IoT Botnets

INTERNET STORM CENTER TECH CORNER

INTERNET STORM CENTER TECH CORNER


*********************** Sponsored By Splunk ******************************

Looking for some specific ways to get started using Splunk? We can help. We have a step-by-step online experience to walk you through how to use login activity and Splunk to detect, validate and scope threats in your environment.

Learn more here: http://www.sans.org/info/190867

***************************************************************************

--SANS Security East 2017 | January 9-14, 2017 | New Orleans, LA | https://www.sans.org/event/security-east-2017

--Cloud Security Summit & Training | San Francisco, CA | Jan 17-19, 2017 | https://www.sans.org/event/cloud-security-summit-2017

--SANS Las Vegas 2017 | January 23-30, 2017 | Las Vegas, NV | https://www.sans.org/event/las-vegas-2017

--Cyber Threat Intelligence Summit & Training | Arlington, VA | Jan 25-Feb 1, 2017 | https://www.sans.org/event/cyber-threat-intelligence-summit-2017

--SANS Southern California - Anaheim 2017 | February 6-11, 2017 | Anaheim, CA | https://www.sans.org/event/anaheim-2017

--SANS Secure Japan 2017 | February 13-25, 2017 | Tokyo, Japan | https://www.sans.org/event/secure-japan-2017

--SANS Secure Singapore 2017 | March 13-25, 2017 | Singapore, Singapore | https://www.sans.org/event/secure-singapore-2017

--SANS Online Training Get a MacBook Air or PC Laptop with all OnDemand (https://www.sans.org/ondemand/specials) and vLive (https://www.sans.org/vlive/specials) courses now.

--Single Course Training: SANS Mentor https://www.sans.org/mentor/about Community SANS https://www.sans.org/community/ View the full SANS course catalog https://www.sans.org/find-training/

***************************************************************************

TOP OF THE NEWS

Obama Orders Investigation of Election Cyberattacks (December 9, 2016)

Prompted by allegations that Russia interfered in the presidential election, US President Barack Obama has called for "full review of what happened during the 2016 election process." The report from the inquiry is expected to be complete before January 20, 2017, when Obama leaves office.


[Editor Comments ]



[Pescatore ]
Given where technology has moved, for every Presidential election there should always be a cyber security review to make sure compromises didn't occur, document lessons learned and begin the improvement cycle for the next Presidential election.

Read more in:

Christian Science Monitor: Obama orders review of US election amid Russian hacking concerns
-http://www.csmonitor.com/World/Passcode/2016/1209/Obama-orders-review-of-US-elec
tion-amid-Russian-hacking-concerns


SC Magazine: Obama orders intel probe of election hacks
-https://www.scmagazine.com/obama-orders-intel-probe-of-election-hacks/article/57
8368/


Computerworld: Obama orders review of election hacks as Trump doubts Russia's role
-http://computerworld.com/article/3149050/security/obama-orders-review-of-electio
n-hacks-as-trump-doubts-russias-role.html


Dark Reading: Obama Orders Inquiry Into Cyberattacks On Democratic Party Websites
-http://www.darkreading.com/attacks-breaches/obama-orders-inquiry-into-cyberattac
ks-on-democratic-party-websites/d/d-id/1327684?


FCW: White House orders 'full review' of election hacking
-https://fcw.com/articles/2016/12/09/election-hack-probe-carberry.aspx

CIA, FBI Differ in Assessment of Russia's Intentions (December 9 & 10, 2016)

The CIA's secret assessment of Russia's involvement in the 2016 presidential election concluded that Russia interfered with the US presidential election not simply to undermine confidence in the legitimacy of the electoral system, but with a goal of helping Trump win. The FBI's assessment of the issue diverges from the CIA's. As one official who attended the briefing noted, "The FBI briefers think in terms of criminal standards - can we prove this in court. The CIA briefers weigh the preponderance of intelligence and then make judgment calls to help policymakers make informed decisions."

Read more in:

Washington Post: Secret CIA assessment says Russia was trying to help Trump win White House
-https://www.washingtonpost.com/world/national-security/obama-orders-review-of-ru
ssian-hacking-during-presidential-campaign/2016/12/09/31d6b300-be2a-11e6-94ac-3d
324840106c_story.html


Washington Post: FBI and CIA give differing accounts to lawmakers on Russia's motives in 2016 hacks
-https://www.washingtonpost.com/world/national-security/fbi-and-cia-give-differin
g-accounts-to-lawmakers-on-russias-motives-in-2016-hacks/2016/12/10/c6dfadfa-bef
0-11e6-94ac-3d324840106c_story.html


Ars Technica: Did the Russian's "hack" the election? A look at the established facts
-http://arstechnica.com/security/2016/12/the-public-evidence-behind-claims-russia
-hacked-for-trump/

US Legislator Wants Single Cybersecurity Agency (December 7, 2016)

US House Homeland Security Committee chairman Michael McCaul (R-Texas) says he plans to push for a single agency under which to consolidate government cybersecurity efforts during the next administration. The new agency would be under the aegis of the Department of Homeland Security (DHS). McCaul announced his plan at an event at the Heritage Foundation in Washington, DC, where he told the audience, "We need to start treating network security as national security."


[Editor Comments ]



[Pescatore ]
From a national government perspective, the US was actually making better progress in addressing cybersecurity when it was primarily treated as a national law enforcement issue, since the vast majority of attacks are financially motivated. That said, Congressman McCaul has been a pretty accurate critic of DHS in the past - would be good to see significant improvement in DHS programs and capabilities before adding responsibilities.

Read more in:

Cyberscoop: Influential Republican lawmaker proposes new cybersecurity-focused agency
-https://www.cyberscoop.com/mccaul-new-cybersecurity-agency/

Hackers Named Runner-Up for Time Magazine Man of The Year (December 9, 2016)

Time has named hackers as runner up for its Person of the Year, noting "In 2016 hackers took aim at American democracy itself."


-http://time.com/time-person-of-the-year-2016-hackers-runner-up/


[Paller ]
The clearest sign, yet, that our field is mainstream and that our work as technical professionals in cybersecurity is central to the well-being of the modern world.

*************************** SPONSORED LINKS ********************************

1) Whitepaper: Exploits Intercepted - learn how anti-exploit technology can efficiently and effectively secure your organization. http://www.sans.org/info/190872

2) Dont Miss: Cyber Threat Intelligence: Hurricanes and Earthquakes. Register: http://www.sans.org/info/190877

3) Winning the Culture War: Infusing Security into the Software Development Culture. Learn More: http://www.sans.org/info/190882

******************************************************************************

THE REST OF THE WEEK'S NEWS

Global DDoS Crackdown Arrests 34; Most are Teenagers (December 12, 2016)

The majority of suspects arrested in a global crackdown on people using distributed denial-of-service (DDoS) tools are under the age of 20. Europol officials arrested 34 people and interviewed and cautioned an additional 101 suspects. Europol has launched a campaign that focuses on the risk of young people becoming involved in cybercrime. The operation was a collaboration between Europol and 13 countries, including Australia, the US, the UK, Romania, and France.


[Editor Comments ]



[Honan ]
Encouraging young highly skilled people to avoid going down the route of cybercrime is a challenge we must all work together to address. Europol has already published some interesting research (Youth Pathways into Cybercrime) in this area which is available from their site in PDF format from
-http://www.mdx.ac.uk/__data/assets/pdf_file/0025/245554/Pathways-White-Paper.pdf


[Northcutt ]
DDOS does not require tremendous skill or knowledge, tools have been available on the Internet since the beginning. The rich question is how are these younger people getting connected. After they down load their booter and stresser tools how do they get paid? Somebody is clearly behind this. Kudos to Europol for their work:


-https://www.safeskyhacks.com/Forums/showthread.php?39-Top-10-DDoser-s-(Booters-S
tressers)



-https://www.europol.europa.eu/newsroom/news/joint-international-operation-target
s-young-users-of-ddos-cyber-attack-tools


Read more in:

ZDNet: Teenage DDoS users targeted by international law enforcement operation
-http://www.zdnet.com/article/teenage-ddos-users-targeted-by-international-law-en
forcement-operation/


The Register: DDoS script kiddies are also... actual kiddies, Europol arrests reveal
-http://www.theregister.co.uk/2016/12/12/europol_arrests_34_ddos_kiddies/

SC Magazine: Global authorities arrest 34 in DDoS busts; suspects mostly teenagers
-https://www.scmagazine.com/global-authorities-arrest-34-in-ddos-bust-suspects-mo
stly-teenagers/article/578671/

Ransomware with a Twist (December 9 & 11, 2016)

A new strain of ransomware known as "Popcorn Time" offers victims two ways to regain access to their encrypted files: either pay the ransom demand of one bitcoin or share a malicious link that spreads the malware with two other people; if those people become infected and pay the ransom within seven days, the initial victim will receive a decryption key.

Read more in:

ZDNet: New ransomware lets you decrypt your files - by infecting other users
-http://www.zdnet.com/article/new-ransomware-decrypts-your-files-if-you-infect-yo
ur-friends/


The Register: Ransomware scum offer free decryption if you infect two mates
-http://www.theregister.co.uk/2016/12/11/ransomware_offer_pay_us_a_770_ransom_or_
infect_two_friends/


SC Magazine: New ransomware asks victims to spread the malware as payment
-https://www.scmagazine.com/new-ransomware-asks-victims-to-spread-the-malware-as-
payment/article/578342/

Microsoft Update is Knocking Some Users Offline (December 12, 2016)

Updates for Windows 8 and Windows 10 have been causing problems for some users, knocking them off the Internet. The problem appears to be related to the Dynamic Host Configuration protocol (DHCP) clients.


[Editor Comments ]



[Williams ]
In infosec, we regularly urge users to patch immediately, but the reality is that patches can and do break things. Testing is critical before patching in business environments. This event also underscores the danger of Microsoft's forced patching model for non-enterprise managed machines. With a problem like this, users can't get back online to apply an update or research the problem.

Read more in:

The Register: Botched Microsoft update knocks Windows 8, 10 PCs offline - regardless of ISP
-http://www.theregister.co.uk/2016/12/12/ongoing_windows_8_10_dhcp_problems_affec
ting_all_isps/

Quest Diagnostics Breach (December 12, 2016)

New Jersey-based medical laboratory Quest Diagnostics has acknowledged that "an unauthorized third party" used a flaw in a mobile app to access patient data, including names, birth dates, and lab results. The vulnerability in MyQuest by Care360 has been addressed; Quest Diagnostics is investigating the breach.

Read more in:

New York Times: Hack of Quest Diagnostics App Exposes Data of 34,000 Patients
-http://www.nytimes.com/2016/12/12/us/hack-of-quest-diagnostics-app-exposes-data-
of-34000-patients.html

PwC SAP Security Flaw (December 9 & 12, 2016)

A SAP security tool from PricewaterhouseCoopers (PwC) has been found to contain a vulnerability that could be exploited to "manipulate accounting documents and financial results, bypass change management controls, and bypass segregation of duties restrictions," according to ESNC, a German security company that detected the issue. The flaw affects the Automated Controls Evaluator (ACE). Several weeks after ESNC notified PwC of the issue, it received a cease and desist letter from PwC attorneys. ESCN received a second letter from PwC lawyers after it notified the company of its intent to disclose the flaw. A PwC spokesperson has since said in an email that the flaw has been fixed.

Read more in:

The Register: Fatal flaw found in PricewaterhouseCoopers SAP security software
-http://www.theregister.co.uk/2016/12/09/fatal_flaw_in_pricewaterhousecoopers_sap
_software/


ZDNet: PwC sends 'cease and desist' letters to researchers who found critical flaw
-http://www.zdnet.com/article/pwc-sends-security-researchers-cease-and-desist-let
ter-instead-of-fixing-security-flaw/


ESNC Advisory: Critical Security Vulnerability in PwC ACE Software for SAP Security
-http://seclists.org/fulldisclosure/2016/Dec/33

Patches for Linux Kernel Flaws (December 9, 2016)

Linux developers have released patches for a trio of vulnerabilities in the Linux kernel. The first and most serious is a race condition in the af_packet implementation function that local users could exploit to crash systems or run arbitrary code as root. The second is a race condition in the Adaptec AAC RAID controller driver that local users to crash a system. The third flaw is a use after free vulnerability that could be exploited to break the Linux kernel's TCP retransmit queue handling code and crash a server or execute arbitrary code. Patches available on all major Linux distributions.


[Editor Comments ]



[Williams ]
Many users won't be vulnerable to these flaws, even if they are running a vulnerable distribution. For instance, the af_packet privilege escalation vulnerability required unprivileged namespaces to be configured to be exploited. This trio of vulnerabilities speaks to lowering attack surface. Only enable the services and features you absolutely need.

Read more in:

ZDNet: Three serious Linux kernel security holes patched
-http://www.zdnet.com/article/three-serious-linux-kernel-security-holes-patched/

Netgear Router Flaws (December 9 & 12, 2016)

Carnegie Mellon University's CERT has released an advisory warning of an arbitrary command injection vulnerability in Netgear routers. The flaw could be exploited to run commands with root privileges. Code that can be used to exploit the vulnerability has been publicly released. CERT recommends that "Users who have the option of doing so should strongly consider discontinuing use of affected devices until a fix is made available." The issue affects Netgear R7000, firmware version 1.0.7.2_1.1.93 and possibly earlier and Netgear R6400, firmware version 1.0.1.12_1.0.11 and possibly earlier. Community reports indicate R8000, firmware version 1.0.3.4_1.1.2 is also vulnerable.


[Editor Comments ]



[Williams ]
Most home users who use these routers don't know anything about this vulnerability announcement. Recommendations like "discontinue use of the router until a patch is available" are useless to your average user as well. The only realistic solution in this case is for the user to obtain another router for use until patched router firmware is made available - not a realistic suggestion for many/most users. Opt-out auto update mechanisms might fix this issue, but that can cause other issues as seen in the "Microsoft Update is Knocking Some Users Offline" story in this NewsBites.

Read more in:

Computerworld: An unpatched vulnerability exposes Netgear routers to hacking
-http://computerworld.com/article/3149555/security/an-unpatched-vulnerability-exp
oses-netgear-routers-to-hacking.html


ZDNet: Netgear users advised to stop using affected routers after severe flaw found
-http://www.zdnet.com/article/two-netgear-routers-are-vulnerable-to-trivial-to-re
mote-hack/


Ars Technica: Stop using Netgear routers with unpatched security bug, experts warn
-http://arstechnica.com/security/2016/12/unpatched-bug-allows-hackers-to-seize-co
ntrol-of-netgear-routers/


CERT: Multiple Netgear routers are vulnerable to arbitrary command injection
-https://www.kb.cert.org/vuls/id/582384

Russian Authorities Arrested Bank Theft Suspects Last May (December 7, 2016)

According to a Russian central bank official, authorities in Russia arrested an unspecified number of people in connection with US $19 million in electronic thefts. The thieves used phony client credentials to steal funds from correspondent accounts, which are used to conduct transactions on behalf of other banks. The arrests were made in May 2016.

Read more in:

Reuters: Suspects arrested in Russian central bank cyberheist: bank official
-http://www.reuters.com/article/us-russia-cenbank-cyberattack-idUSKBN13W2AK

DDoS Attacks Against Russian Bank Used IoT Botnets (December 9, 2016)

Attackers used botnets of compromised home routers to launch distributed denial-of-service (DDoS) attacks against five Russian financial institutions. Russian telecommunications company Rostelecom detected and mitigated the attacks. The compromised routers all used the CPE WAN Management Protocol (CWMP), or TR-069. A vulnerability in the TR-069 implementation in routers from ISPs in several countries was used to infect the devices.

Read more in:

Computerworld: Attackers use hacked home routers to hit 5 Russian banks
-http://computerworld.com/article/3149030/security/attackers-use-hacked-home-rout
ers-to-hit-5-russian-banks.html


INTERNET STORM CENTER TECH CORNER

Malware Uses NTP to Prevent Reverse Analysis
-https://isc.sans.edu/forums/diary/Sleeping+VBS+Really+Wants+To+Sleep/21801/

PwC ACE Tool for SAP Introduces Security Vulnerability into SAP
-http://seclists.org/fulldisclosure/2016/Dec/33

Steganography Used to Hide Exploits in Images
-https://isc.sans.edu/forums/diary/Steganography+in+Action+Image+Steganography+St
egExpose/21803/

Netgear R7000 and R6400 Arbitrary Command Execution
-http://www.kb.cert.org/vuls/id/582384

Apple Releases Patches for iOS/WatchOS and tvOS
-https://support.apple.com/en-us/HT201222

Windows 8/10 Update Causing DHCP Problems
-https://community.plus.net/t5/Broadband/Windows-8-10-Issues/m-p/1393675#M310992

McAfee VirusScan Enterprise for Linux Vulnerabilities
-https://nation.state.actor/mcafee.html

Snowball Marketing for Ransomware
-https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ra
nsomware-get-chance-of-free-decryption-key/

Europol Arrests DDoS Miscreants
-http://www.theregister.co.uk/2016/12/12/europol_arrests_34_ddos_kiddies/

5 Questions to Ask you IoT Vendor
-https://isc.sans.edu/forums/diary/5+Questions+to+Ask+your+IoT+Vendors+But+Do+Not
+Expect+an+Answer/21807/



***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board