SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #12
February 13, 2018
Four more days to sign up for GirlsGoCyberStart to identify and motivate the next generation of cybersecurity stars. Info at girlsgocyberstart.com and cyberstart.us
Try out the challenges at:
https://medium.com/girls-go-cyberstart/girls-go-cyberstart-challenge-teasers-ea7d0c35c5d3
Associated Press Story:
http://abcnews.go.com/Technology/wireStory/woman-top-game-seeks-girls-cyber-aptitude-52828858
****************************************************************************
SANS NewsBites February 13, 2018 Vol. 20, Num. 012
****************************************************************************
TOP OF THE NEWS
Equifax Breach Compromised Taxpayer IDs and Card Expiration Dates
Olympic Destroyer Malware Likely Used to Disrupt Servers and Wi-Fi at Opening Ceremonies
Australian Cyber Breach Law Takes Effect
REST OF THE WEEK'S NEWS
Iceland Concerned About Cryptocurrency Mining Energy Consumption
Cryptocurrency Miner Found in Browsealoud Extension
Russian Engineers, Ukrainian Professor Arrested for Alleged Cryptocurrency Mining at Work
NSF Cyber Program Establishes New Job Category in Singapore Defense Force
Windows Defender ATP Support Will Be Extended to Windows 7 and 8.1
Universities Adding Computer Science Ethics Courses
Phishing Campaign Used to Spread Lokibot Malware
PoS Malware Exfiltrates Data Through DNS Traffic
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Sophos Inc. ***********************
WEBCAST: Did you know 60% of Network traffic is unidentifiable by network firewalls. Which means ransomware, advanced threats, and active adversaries are happily entering your network. Join this webcast to learn top problems with firewalls today and what you should be looking for in your next firewall. Register Today: http://www.sans.org/info/201990
*****************************************************************************
TRAINING UPDATE
-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018
-- SANS London March 2018 | March 5-10 | https://www.sans.org/event/London-March-2018
-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018
-- SANS Northern VA Spring - Tysons 2018 | March 17-24 | https://www.sans.org/event/northern-va-spring-tysons-2018
-- SANS Pen Test Austin 2018 | March 19-24 | https://www.sans.org/event/pen-test-austin-2018
-- ICS Security Summit & Training 2018 | Orlando, FL | March 19-26 | https://www.sans.org/event/ics-security-summit-2018
-- SANS at RSA(R) Conference | San Francisco, CA | April 11-20 | https://www.sans.org/rsa-2018
-- SANS London April 2018 | April 16-21 | https://www.sans.org/event/london-april-2018
-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 | https://www.sans.org/event/automotive-cybersecurity-summit-2018
-- SANS Melbourne 2018 | May 14-26 | https://www.sans.org/event/melbourne-2018
-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get a GIAC Certification Attempt Included or Take $350 Off your OnDemand or vLive training course by February 21. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
*****************************************************************************
TOP OF THE NEWS
--
Equifax Breach Compromised Taxpayer IDs and Card Expiration Dates
(February 13, 2018)
Equifax says that the information compromised in the massive data security breach that the company acknowledged last year includes some taxpayer identification numbers and payment card expiration dates. The additional compromised information was revealed in documents that Equifax provided to the US Senate Banking Committee.
[Editor Comments]
[Honan] In today's environment you will no longer be judged if you have a security breach, but on how well you respond to a security breach. The slow drip of details about this breach, particularly on compromised data that could damage the individual customers affected, is not a good reflection on Equifax.
[Neely] Equifax is still one of the three credit bureaus used in the US. Don't wait for the next breach disclosure; you can still freeze your credit report for free with Equifax until June 30, 2018. Experian and TransUnion charge $10 each to freeze your credit report.
Read more in:
The Register: Equifax hack worse than previously thought: Biz kissed goodbye to card expiry dates, tax IDs etc
https://www.theregister.co.uk/2018/02/13/equifax_security_breach_bad/
--
Olympic Destroyer Malware Likely Used to Disrupt Servers and Wi-Fi at Opening Ceremonies
(February 11 & 12, 2018)
Internal servers and Wi-Fi services at the Pyeongchang 2018 Winter Olympics crashed during the event's opening ceremonies on Friday, February 9. The issues were resolved by the following morning. An organizing committee spokesperson said that such attacks are not unexpected and that the organization made the decision, along with the IOC, not to reveal the source of the crashes. Security firms have identified malware, which they are calling Olympic Destroyer, that was likely used to cause the disruptions.
[Editor Comments]
[Murray] The servers that controlled the fireworks, lighting, sound, and the Intel drones worked flawlessly.
Read more in:
Threatpost: 'Olympic Destroyer' Malware Behind Winter Olympics Cyberattack, Researchers Say
Bleeping Computer: Destructive Malware Wreaks Havoc at PyeongChang 2018 Winter Olympics
SC Magazine: 2018 Winter Olympic Games hit with destroyer malware during opening ceremony
The Hill: Cyber experts identify destructive malware used against Olympics
Motherboard: Researchers: We Found the Olympic-Disrupting Malware
https://motherboard.vice.com/en_us/article/d3w7jz/olympic-destroyer-opening-ceremony-hack
Reuters: 'Olympic Destroyer' malware targeted Pyeongchang Games: firms
Cyberscoop: Winter Olympics cyberattacks meant to 'send a message'
--
Australian Cyber Breach Law Takes Effect
(February 13, 2018)
Legislation passed last year in Australia concerning cyber breach notification begins phasing in on February 13, with additional measures taking effect on February 22, 2018.
************************** SPONSORED LINKS ********************************
1) Free eBook: 7 Experts on Moving to a Cloud-Based Endpoint Security Platform - Download Now: http://www.sans.org/info/201995
2) Gartner names Splunk a SIEM Magic Quadrant leader for the fifth year running. Read the report now. http://www.sans.org/info/202000
3) Anatomy of the TRITON ICS Cyberattack. Earn CPE credit by attending this live webcast. Register here: http://www.sans.org/info/202005
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
Newtek Domain Theft
(February 12, 2018)
Hackers stole several core domain names from Newtek, a company that operates more than 100,000 business Web sites and 40,000 managed technology accounts, over the weekend. The attack interfered with email and site availability. In its initial email to its customers, Newtek referred to increased security as the reason for changing its domains. In a second message, Newtek acknowledged that three domain names were the subject of a "dispute."
[Editor Comments]
[Neely] Newtek is a large hosting as well as business service provider. The domains that were stolen were access points customers use to manage their sites and access services. This event serves as an example of the need to be proactive about reported security issues as well as to communicate clearly with users.
Read more in:
KrebsOnSecurity: Domain Theft Strands Thousands of Web Sites
https://krebsonsecurity.com/2018/02/domain-theft-strands-thousands-of-web-sites/
Krebs: Newtek eMail to Customers (February 10, 2018)
https://krebsonsecurity.com/wp-content/uploads/2018/02/newtek1.pdf
Krebs: Newtek Follow-up eMail
https://krebsonsecurity.com/wp-content/uploads/2018/02/newtek2.pdf
--
Iceland Concerned About Cryptocurrency Mining Energy Consumption
(February 12, 2018)
According to Icelandic energy company HS Orka, the energy consumed by Bitcoin mining centers in that country is likely to exceed the amount of energy used by homes there. The majority of Iceland's energy comes from renewable resources - geothermal, hydroelectric, and wind. Companies that create cryptocurrencies have established cryptocurrency "farms" in that country. An Icelandic legislator has proposed that the companies be taxed on their profits.
[Editor Comments]
[Murray] The cost of mining cryptocurrency, particularly using stolen resources, is too low. Taxation could make it more equitable. The value of Bitcoin is based in part upon "proof of work." Its replacement should include "proof of origin of work" and proof of taxes paid.
[Williams] I expect other governments to become increasingly intolerant to crypto-currency mining (and crypto-currency in general). Whatever their true motivations for regulating crypto-currency, expect power consumption concerns to be cited.
Read more in:
Ars Technica: In Iceland, bitcoin mining will soon use more energy than its residents
BBC: Bitcoin energy use in Iceland set to overtake homes, says local firm
http://www.bbc.com/news/technology-43030677
Christian Science Monitor: Iceland sees bitcoin 'mining' boom
https://www.csmonitor.com/Business/2018/0212/Iceland-sees-bitcoin-mining-boom
--
Cryptocurrency Miner Found in Browsealoud Extension
(February 11 & 12, 2018)
The UK Information Commissioner's Office (ICO) took down its website after learning that visitors' computers were being used to mine cryptocurrency. UK researcher Scott Helme discovered that the Coinhive cryptocurrency mining script had been injected into the Browsealoud text-to-speech accessibility extension. The issue affected thousands of websites around the world. Browsealoud parent company Texthelp has addressed the issue and has temporarily taken the Browsealoud service offline.
[Editor Comments]
[Honan] A classic example of vendor management in relation to cyber security. Blindly trusting a third party to update your website with JavaScript is potentially a major vulnerability, and one that you should ensure you manage with the appropriate controls and restrictions. In this case it is lucky the attackers only infected the sites with cryptomining software; there could have been a lot more damage caused if the attackers had decided to infect the sites with more malicious software, such as ransomware.
[Ullrich] Including resources like the Browsealoud JavaScript code from a third party is risky, and has been abused in the past to compromise sites. A simple <script src= tag inclusion should be avoided if at all possible. At the very least, a Subresource Integrity (SRI) hash should be added. But often, the reason developers like Texthelp recommend against copying the code to your site is their ability to make changes to the code on the fly, which in turn breaks SRI. While this event did hit some well-known sites, I do not believe it is the biggest event of this kind. A couple of years ago, the jQuery website was compromised and an exploit kit was injected. Luckily, at that time the popular jQuery JavaScript library was not affected.
Read more in:
Scott Helme: Protect your site from Cryptojacking with CSP + SRI
https://scotthelme.co.uk/protect-site-from-cryptojacking-csp-sri/
Texthelp: Data security investigation underway at Texthelp
BBC: Hackers hijack government websites to mine crypto-cash
http://www.bbc.com/news/technology-43025788
Bleeping Computer: U.S. & UK Govt Sites Injected With Miners After Popular Script Was Hacked
Cyberscoop: Government websites, including uscourts.gov, pulled into cryptomining scheme
https://www.cyberscoop.com/cryptomining-government-websites-browsealoud-us-courts-wmata/
eWeek: Cryptocurrency Miner Hits Thousands of Sites via Accessibility Script
http://www.eweek.com/security/cryptocurrency-miner-hits-thousands-of-sites-via-accessibility-script
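A build-time SRI check in the spirit of the editor comments above, added here as an example and not code from Scott Helme, Texthelp or SANS. The vendor script, the tampered copy and the CDN URL are constructed stand-ins; the script generates the integrity attribute for a third-party file and applies the browser's matching rule so that a modified copy fails the check.

```python
import base64
import hashlib
import re

# Algorithms the SRI spec allows, ordered weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an SRI token such as "sha384-<base64 digest>" for a resource body."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algorithm}")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Build the <script> tag a site should publish for a third-party file.

    crossorigin="anonymous" is needed for cross-origin resources; without it
    the browser cannot read the body to verify it and blocks the load.
    """
    return (f'<script src="{src}" integrity="{sri_hash(content, algorithm)}" '
            'crossorigin="anonymous"></script>')


def verify_integrity(content: bytes, integrity: str) -> bool:
    """Apply the browser's SRI matching rule to a fetched body.

    The attribute may list several tokens. Tokens with unknown algorithms are
    ignored; among the known ones only the strongest algorithm counts, and the
    body passes if its digest equals any token of that algorithm. A browser
    treats an attribute with no usable token as "no integrity" and loads the
    file; this deployment check is deliberately stricter and fails instead.
    """
    parsed = []
    for token in integrity.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)", token)
        if m:
            parsed.append((m.group(1), m.group(2)))
    if not parsed:
        return False
    strongest = max(parsed, key=lambda t: SRI_ALGORITHMS.index(t[0]))[0]
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return any(alg == strongest and digest == actual for alg, digest in parsed)


# Constructed stand-in for a vendor's accessibility script (not Browsealoud's code).
VENDOR_SCRIPT = (b"window.readAloud = function (el) {\n"
                 b"  speechSynthesis.speak(new SpeechSynthesisUtterance(el.textContent));\n"
                 b"};\n")
# The same file with one line appended, standing in for code injected at the vendor.
TAMPERED_SCRIPT = VENDOR_SCRIPT + b"/* constructed: line appended by a third party */\n"

if __name__ == "__main__":
    tag = script_tag("https://cdn.example.com/readaloud.js", VENDOR_SCRIPT)
    print(tag)
    integrity = re.search(r'integrity="([^"]+)"', tag).group(1)
    print("pristine file passes:", verify_integrity(VENDOR_SCRIPT, integrity))
    print("modified file passes:", verify_integrity(TAMPERED_SCRIPT, integrity))
```

Regenerate the tag whenever the vendor legitimately ships a new version; a vendor that changes the file on the fly, as the comment above notes, will break the page until you do.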
--
Russian Engineers, Ukrainian Professor Arrested for Alleged Cryptocurrency Mining at Work
(February 9, 10, & 12, 2018)
Engineers at the Russian Federation Nuclear Center have been arrested for allegedly using supercomputers there to mine cryptocurrency. The Center's security department became aware of the situation when the supercomputer, which is not supposed to be Internet-connected, attempted to connect to the Internet. In a separate incident, Ukrainian authorities arrested a university professor for allegedly using computers at a university in Lutsk to mine cryptocurrency.
[Editor Comments]
[Ullrich] Using work computers for crypto coin mining has become very popular among system administrators. In some cases, companies even found unauthorized hardware deployed in server rooms and offices. The simplest way to find these unauthorized miners is to look for connections to mining pools. Some have however resorted to the use of infrared cameras to find equipment that runs hotter than it should (and to find equipment hidden under raised floors in data centers). First stories like this emerged back in February of 2014 (https://www.ccn.com/harvard-student-uses-14000-core-supercomputer-mine-dogecoin/).
Read more in:
ZDNet: Russian Nuclear Center engineers arrested for using supercomputers to mine cryptocurrency
CNET: Russian nuclear weapons staff arrested in cryptocurrency scheme
https://www.cnet.com/news/russian-nuclear-weapons-lab-arrest-for-cryptocurrency-mining/
BBC: Russian nuclear scientists arrested for 'Bitcoin mining plot'
http://www.bbc.com/news/world-europe-43003740
Bleeping Computer: Russian Nuke Scientists, Ukrainian Professor Arrested for Bitcoin Mining
--
NSF Cyber Program Establishes New Job Category in Singapore Defense Force
(Feb 12, 2018)
A newly established Cyber NSF scheme will enable national servicemen (NSF) in Singapore to develop and prove mastery of one of four specializations: cybersecurity monitoring; threat assessment and response; vulnerability audit and penetration testing; and malware analysis and cyber forensics. Those with higher aptitude and skills who meet the selection requirements will be offered the Cyber Specialist Award, which involves one- or two-year contracts with MINDEF during which they will undergo intensive training and take modules that prepare them for their roles.
Read more in: https://www.channelnewsasia.com/news/singapore/mindef-singapore-institute-of-technology-partner-to-train-ns-9951538
--
Windows Defender ATP Support Will Be Extended to Windows 7 and 8.1
(February 12, 2018)
Microsoft's Windows Defender Advanced Threat Protection (ATP) has been available only for Windows 10. But starting this summer, Microsoft will extend ATP Endpoint Detection and Response (EDR) support to Windows 7 SP1 and Windows 8.1.
[Editor Comments]
[Pescatore] Microsoft ATP pricing was about $2/month/user, which can look lower than third-party EDR alternatives. But you have to compare the total cost of all the various Microsoft licenses required vs. third-party products with EPP and EDR bundled in.
[Neely] Microsoft is acknowledging the need to augment their security offerings for Windows 7 & 8 by adding behavior-based security tools to modernize their security offerings for these older operating systems. Even so, organizations should continue their migration to Windows 10 to leverage all the security improvements from Microsoft.
[Honan] Microsoft are making great inroads on tackling security threats against the Windows platform. The recent update to Windows 10 with features that tackle ransomware and other threats, and now this extension of Windows Defender ATP, make Microsoft a major player in the security space.
Read more in:
Windows: Announcing: Windows Defender ATP support for Windows 7 and Windows 8.1
ZDNet: Microsoft to add Windows Defender Advanced Threat Protection support for Windows 7 this summer
Ars Technica: Windows Defender Advanced Threat Protection coming to Windows 7 and 8.1
The Register: Still not on Windows 10? Fine, sighs Microsoft, here are its antivirus tools for Windows 7, 8.1
http://www.theregister.co.uk/2018/02/12/microsoft_windows_atp/
--
Universities Adding Computer Science Ethics Courses
(February 12, 2018)
US universities are beginning to introduce computer science ethics courses to help guide the next generation of computer scientists through the issues they are likely to face over the coming years. Harvard and MIT are offering a joint course, "The Ethics and Governance of Artificial Intelligence." The University of Texas at Austin has recently introduced a course called "Ethical Foundations of Computer Science" that is likely to become a requirement for all students majoring in computer science. And at Stanford University, the computer science department will offer a course called "Ethics, Public Policy, and Computer Science."
[Editor Comments]
[Pescatore/Neely] It is hard to be against such ethics courses, but in a world of limited resources I'd rather first see computer science curricula focus on safety and security in teaching computer science and programming fundamentals.
Read more in:
NYT: Universities Rush to Roll Out Computer Science Ethics Courses
https://www.nytimes.com/2018/02/12/business/computer-science-ethics-courses.html
--
Amazon Patches Key Flaw
(February 12, 2018)
Amazon has released updates to fix a vulnerability in Amazon Key, the company's smart door lock. Amazon Key was designed to allow Amazon delivery people to deliver packages inside customers' homes.
Read more in:
ZDNet: After dismissing security flaw, Amazon patches Key smart lock anyway
http://www.zdnet.com/article/after-dismissing-security-flaw-amazon-patches-key-smart-lock-anyway/
--
Phishing Campaign Used to Spread Lokibot Malware
(February 9, 2018)
A phishing campaign is exploiting a remote code execution vulnerability in Microsoft Office Equation Editor to try to spread LokiBot malware through Windows Installer. Microsoft released a fix for the issue in November 2017.
Read more in:
Trend Micro: Attack Using Windows Installer msiexec.exe leads to LokiBot
SC Magazine: Malspam campaign delivers LokiBot by abusing Windows Installer
--
PoS Malware Exfiltrates Data Through DNS Traffic
(February 8 & 9, 2018)
Point-of-Sale (PoS) malware known as UDPoS disguises itself as a LogMeIn service pack. It exfiltrates stolen data through UDP-based DNS traffic, which helps it avoid firewalls and other security measures.
[Editor Comments]
[Williams] Using DNS for exfiltration is nothing new, but it is becoming more common as other exfiltration methods are being blocked. If you haven't evaluated your ability to detect DNS exfiltration, the time to do so is now. A free project called RITA easily detects DNS exfiltration through network traffic analysis (https://www.blackhillsinfosec.com/projects/rita/). This conference talk gives a useful overview of using the tool to detect real world attackers (https://www.youtube.com/watch?v=64wabnF-X1A).
Read more in:
Forcepoint: UDPoS - Exfiltrating Credit Card Data via DNS
https://blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns
Dark Reading: New POS Malware Steals Data via DNS Traffic
SC Magazine: UDPoS malware spotted exfiltrating credit card data via DNS server
https://www.scmagazine.com/udpos-malware-first-new-malware-spotted-in-a-while/article/743172/
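As an added example (not Forcepoint's or RITA's code), the kind of detection the editor comment above describes, run over constructed DNS query log lines: per registered domain it counts queries, unique subdomains, name length and character entropy, and flags a domain whose query stream looks like encoded data rather than ordinary lookups. The log format, the thresholds and the two-label registered-domain rule are assumptions.

```python
import math
from collections import Counter, defaultdict

# Assumed thresholds; tune them against a baseline of your own resolver logs.
MIN_QUERIES = 3          # ignore domains seen only a handful of times
MIN_UNIQUE_RATIO = 0.8   # nearly every query carries a never-seen-before name
MIN_SUBDOMAIN_LEN = 30   # average characters in front of the registered domain
MIN_ENTROPY = 3.0        # bits per character; hex/base32 payloads score near 4

# Constructed sample log, not real traffic. Format: "timestamp client qtype qname".
# The long hex-looking labels stand in for encoded data carried in query names.
SAMPLE_LOG = """\
2018-02-08T12:00:01Z 10.20.1.15 A www.example.com
2018-02-08T12:00:01Z 10.20.1.15 A cdn.example.com
2018-02-08T12:00:02Z 10.20.1.40 A a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718.example.net
2018-02-08T12:00:02Z 10.20.1.40 A 1b2c3d4e5f60718293a4b5c6d7e8f90aa1b2c3d4e5f60718.example.net
2018-02-08T12:00:03Z 10.20.1.15 A mail.example.com
2018-02-08T12:00:03Z 10.20.1.40 A b2c3d4e5f60718293a4b5c6d7e8f90a1a1b2c3d4e5f60718.example.net
2018-02-08T12:00:04Z 10.20.1.22 A api-v2-eu-west-1.example.org
2018-02-08T12:00:04Z 10.20.1.40 A 2c3d4e5f60718293a4b5c6d7e8f90a1ba1b2c3d4e5f60718.example.net
2018-02-08T12:00:05Z 10.20.1.15 A www.example.com
this line is malformed and is skipped
"""


def shannon_entropy(text: str) -> float:
    """Bits per character: encoded payloads score high, dictionary words low."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def split_qname(qname: str):
    """Return (subdomain, registered_domain). Assumption: the registered domain
    is the last two labels; production code should use the Public Suffix List
    so that names under co.uk and similar suffixes are grouped correctly."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", labels[0]
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_line(line: str):
    """Parse one log line; anything that is not four fields is skipped."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname}


def profile_domains(log_text: str) -> dict:
    """Aggregate, per registered domain, the features that separate a
    data-carrying query stream from ordinary name resolution."""
    acc = defaultdict(lambda: {"queries": 0, "subs": set(), "clients": set(),
                               "len_sum": 0, "ent_sum": 0.0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sub, dom = split_qname(rec["qname"])
        d = acc[dom]
        d["queries"] += 1
        d["subs"].add(sub)
        d["clients"].add(rec["client"])
        d["len_sum"] += len(sub)
        d["ent_sum"] += shannon_entropy(sub)
    return {dom: {"queries": d["queries"],
                  "unique_ratio": len(d["subs"]) / d["queries"],
                  "avg_subdomain_len": d["len_sum"] / d["queries"],
                  "avg_entropy": d["ent_sum"] / d["queries"],
                  "clients": sorted(d["clients"]),
                  # characters carried in query names: an upper bound on payload
                  "chars_carried": d["len_sum"]}
            for dom, d in acc.items()}


def is_suspicious(m: dict) -> bool:
    return (m["queries"] >= MIN_QUERIES and m["unique_ratio"] >= MIN_UNIQUE_RATIO
            and m["avg_subdomain_len"] >= MIN_SUBDOMAIN_LEN
            and m["avg_entropy"] >= MIN_ENTROPY)


def flagged_domains(log_text: str) -> list:
    return sorted(dom for dom, m in profile_domains(log_text).items() if is_suspicious(m))


if __name__ == "__main__":
    for dom, m in profile_domains(SAMPLE_LOG).items():
        verdict = "SUSPECT" if is_suspicious(m) else "ok"
        print(f"{verdict:7} {dom:12} q={m['queries']} uniq={m['unique_ratio']:.2f} "
              f"len={m['avg_subdomain_len']:.1f} H={m['avg_entropy']:.2f} "
              f"clients={m['clients']}")
```

CDN and telemetry hostnames that embed hashes are the usual false positives, so keep an allow list and review the client list for each flagged domain before acting on it.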
INTERNET STORM CENTER TECH CORNER
Olympic Destroyer Disrupts Winter Olympics
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
Signed Dridex Malware and Identifying Signed Word Macros
https://isc.sans.edu/forums/diary/An+autograph+from+the+Dridex+gang/23331/
https://isc.sans.edu/forums/diary/Finding+VBA+signatures+in+Word+documents/23333/
Browsealoud Plugin Used to Compromise High Profile Sites
http://www.theregister.co.uk/2018/02/11/browsealoud_compromised_coinhive/
BitGrail Insolvent After Breach (in Italian)
Sandboxed Mac Apps Can Use Screen Shots to Leak Information
https://krausefx.com/blog/mac-privacy-sandboxed-mac-apps-can-take-screenshots
Malspam using Valentine's Day and IRS to Lure Users
https://securityintelligence.com/necurs-spammers-go-all-in-to-find-a-valentines-day-victim/
https://myonlinesecurity.co.uk/please-note-irs-urgent-message-164-malspam-delivers-rapid-ransomware/
Resurrecting Old GitHub Accounts
https://www.theregister.co.uk/2018/02/10/github_account_name_reuse/
Simple USB Exploit for KDE
https://www.kde.org/info/security/advisory-20180208-2.txt
WordPress Breaks Auto-Update
https://wordpress.org/news/2018/02/wordpress-4-9-4-maintenance-release/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create