SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #32
April 24, 2018
****************************************************************************
SANS NewsBites April 24, 2018 Vol. 20, Num. 032
****************************************************************************
TOP OF THE NEWS
NSA Official at RSA: Known Vulnerabilities Used Within 24 Hours
Abbott Releases Fixes for Medical Devices
Qihoo Reports Internet Explorer Kernel Flaw to Microsoft
REST OF THE WEEK'S NEWS
Cybersecurity Tech Accord
Cisco Releases Fixes for Flaw in SAML Implementation
Russia Blocking IP Addresses to Prevent Telegram Use
Orangeworm Malware Group Targeting Healthcare Organizations
SunTrust Notifying Customers of Data Compromise
FDIC OIG Report Reveals Systemic Problems in Handling Information Security Incidents
Prison Sentence for Man Who Broke into US Officials' Accounts
Trustjacking Gives Attackers Persistent Control Over iOS Devices
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Rapid7 Inc. ***********************
Incident response is nothing new. We're all familiar with it, and we're exposed to it more and more every day as attacks get bigger and more sophisticated. This webcast will address incident detection fundamentals, the incident response process, and the common questions that need to be answered during an incident, such as where critical and incident-relevant data can be found. Register: http://www.sans.org/info/203570
*****************************************************************************
TRAINING UPDATE
-- SANS Security West 2018 | San Diego, CA | May 11-18 https://www.sans.org/event/security-west-2018
-- Automotive Cybersecurity Summit 2018 | Chicago, IL | May 1-8 https://www.sans.org/event/automotive-cybersecurity-summit-2018
-- SANS Melbourne 2018 | May 14-26 https://www.sans.org/event/melbourne-2018
-- SANS Northern VA Reston Spring 2018 | May 20-25 https://www.sans.org/event/northern-va-reston-spring-2018
-- SANS Amsterdam May 2018 | May 28-June 2 https://www.sans.org/event/amsterdam-may-2018
-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 https://www.sans.org/event/rocky-mountain-2018
-- SANS London June 2018 | June 4-12 https://www.sans.org/event/london-june-2018
-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 https://www.sans.org/event/digital-forensics-summit-2018
-- SANS Cyber Defence Canberra 2018 | June 25-July 7 https://www.sans.org/event/cyber-defence-canberra-2018
-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad Pro with Smart Keyboard, a Microsoft Surface Pro or Take $350 Off with OnDemand or vLive Training until May 2. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format https://www.sans.org/ondemand/
-- Single Course Training SANS Mentor https://www.sans.org/mentor/about
-- Community SANS https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--
NSA Official at RSA: Known Vulnerabilities Used Within 24 Hours
(April 17, 2018)
At the RSA Conference last week, a National Security Agency (NSA) official said that nation-state hackers tried to break into the US Defense Department's systems using the same vulnerability that attackers used to breach Equifax. The incident occurred less than a day after the Apache Struts vulnerability was made public. David Hogue, a senior technical director for the NSA's Cybersecurity Threat Operations Center, noted that this is the norm.
Read more in:
Cyberscoop: Nation-state hackers attempted to use Equifax vulnerability against DoD, NSA official says
https://www.cyberscoop.com/dod-apache-struts-equifax-david-hogue-nsa/
PCMag: NSA: Hackers Weaponize Known Vulnerabilities Within 24 Hours
https://www.pcmag.com/news/360496/nsa-hackers-weaponize-known-vulnerabilities-within-24-hours
--
Abbott Releases Fixes for Medical Devices
(April 19 & 20, 2018)
Abbott Laboratories has released firmware updates to address vulnerabilities in its pacemakers, programmers, and remote monitoring systems. The flaws could be exploited to access the devices and modify the controls. The devices were manufactured by St. Jude Medical, which Abbott acquired in January 2017.
[Editor Comments]
[Pescatore] I like that the FDA uses the term "recall" for this, since it adds some urgency. But, recalls typically mean the consumer bears no cost, such as in automobile recalls. In the medical implant world, physicians are the repair people, the hospitals are the dealerships - but costs tend to be inflated and passed on to insurance companies who of course will then just charge the patient. The costs of flaws need to more directly fall on the manufacturers of the devices.
Read more in:
HealthcareITNews: Abbott releases firmware patch to fix cybersecurity flaws in 350,000 medical devices
GovInfoSec: Abbott Issues Software Patches for More Cardiac Devices
https://www.govinfosecurity.com/abbott-issues-software-patches-for-more-cardiac-devices-a-10869
--
Qihoo Reports Internet Explorer Kernel Flaw to Microsoft
(April 20 & 23, 2018)
Researchers at Chinese firm Qihoo 360's Core security group have notified Microsoft of a vulnerability in Internet Explorer (IE) (applies to Internet Explorer and not Microsoft Edge) that an advanced persistent threat (APT) group is reportedly exploiting to infect computers with malware. The issue affects IE as well as other apps that use the IE kernel.
[Editor Comments]
[Ullrich] The fallout of this policy shows how difficult it is to block content based on IP addresses. With most services migrating to one of the large cloud providers, blocking by IP addresses will lock out various unrelated services in addition to the targeted service. Telegram has since moved on to different providers to minimize the collateral damage somewhat, but I expect them to keep moving to evade various blocks Russia and other countries may put up.
Read more in:
ISC Link: https://isc.sans.edu/forums/diary/New+IE+0day+in+the+wild/23581/
ZDNet: Internet Explorer zero-day alert: Attackers hitting unpatched bug in Microsoft browser
The Register: Chinese web giant finds Windows zero-day, stays schtum on specifics
Bleeping Computer: Internet Explorer Zero-Day Exploited in the Wild by APT Group
************************** SPONSORED LINKS ********************************
1) Don't Miss: "Tailored Intelligence for Automated Remediation: SANS Review of IntSights' Enterprise Intelligence and Mitigation Platform" Register: http://www.sans.org/info/203575
2) Join SANS for the 2nd Annual Automotive Cybersecurity Summit, May 7-8, in Chicago. http://www.sans.org/info/203580
3) How do complex systems affect the cost of your endpoint management?
Take our survey: http://www.sans.org/info/203585
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
Cybersecurity Tech Accord
(April 17, 2018)
Microsoft, Facebook, and other high-tech companies have signed a Cybersecurity Tech Accord, committing to stronger defense by protecting users and customers everywhere; to no offensive action, by opposing cyberattacks on innocent citizens and enterprises; to empowering users, customers, and developers to strengthen cybersecurity; and to taking collective action to improve cybersecurity.
[Editor Comments]
[Pescatore] Laudable goals but most of the signees are security technology companies, not infrastructure software vendors. To me the most important principle of the accord is "We will design, develop, and deliver products and services that prioritize security, privacy, integrity and reliability..." - there is still way more talk than walk there from all software and software-based services vendors.
Read more in:
NYT: Tech Firms Sign 'Digital Geneva Accord' Not to Aid Governments in Cyberwar
https://www.nytimes.com/2018/04/17/us/politics/tech-companies-cybersecurity-accord.html
CyberTechAccord: Cybersecurity Tech Accord
https://cybertechaccord.org/accord/
--
Cisco Releases Fixes for Flaw in SAML Implementation
(April 23, 2018)
Cisco has released patches to address a vulnerability in its implementation of the Security Assertion Markup Language (SAML) standard. The issue affects a number of Cisco products, including Adaptive Security Appliance (ASA) software; Firepower Threat Defense (FTD) software; and Single sign-on authentication for the AnyConnect client.
Read more in:
The Register: Single single-sign-on SNAFU threatens three Cisco products
http://www.theregister.co.uk/2018/04/23/cisco_saml_bug_hits_firepower_anyconnect_asa/
Cisco: Cisco ASA Software, FTD Software, and AnyConnect Secure Mobility Client SAML Authentication Session Fixation Vulnerability
--
Russia Blocking IP Addresses to Prevent Telegram Use
(April 23, 2018)
Russian communications regulator, Roskomnadzor, has blocked millions of IP addresses in an attempt to prevent Russian citizens from using the Telegram messaging app, which has been banned in that country. The IP blocking has affected the availability of Google products, including Gmail, Google search, and Android push notifications. The block has also affected Slack, Nintendo, SoundCloud, and Spotify.
[Editor Comments]
[Neely] While blocking services at the IP/Domain layer is performant and scales, with modern service delivery, which includes virtualization and content delivery networks designed to expediently move content to users, blocking has to happen at the application layer or you will have collateral damage.
[Murray] Blocking an app without breaking others is proving to be more difficult than expected.
Read more in:
Silicon Republic: Telegram ban: Google confirms Russia is blocking some of its services
https://www.siliconrepublic.com/enterprise/russia-telegram-google-gmail
V3: Russia blocks Google IP addresses days after Telegram ban
https://www.v3.co.uk/v3-uk/news/3030687/russia-blocks-google-ip-addresses-days-after-telegram-ban
--
Orangeworm Malware Group Targeting Healthcare Organizations
(April 23, 2018)
A cybercrime group that Symantec researchers have dubbed Orangeworm appears to be targeting organizations within the healthcare sector and its supply chain to conduct espionage. The malware, called Kwampirs, has been detected at companies in Europe, Asia, and the US. It has been found on MRI and X-ray machines, as well as on systems that help patients fill out forms. Rather than stealing patient information, the malware appears to be trying to learn about the devices themselves. Kwampirs has also been found on systems at agricultural, logistics, IT, and manufacturing organizations.
Read more in:
ZDNet: Mysterious cyber worm targets medical systems, is found on X-ray machines and MRI scanners
The Hill: New hacker group targets US health-care industry, researchers say
Bleeping Computer: Orangeworm Hackers Infect X-Ray and MRI Machines In Their Quest for Patient Data
--
SunTrust Notifying Customers of Data Compromise
(April 20 & 21, 2018)
A former SunTrust Bank employee allegedly tried to download information belonging to 1.5 million customers. SunTrust says the affected data include names and account balances. The incident occurred six to eight weeks ago.
Read more in:
Reuters: SunTrust says ex-employee may have shared info on 1.5 million clients
SunTrust: SunTrust to Offer Free Identity Protection
http://newsroom.suntrust.com/2018-04-20-SunTrust-to-Offer-Free-Identity-Protection
ZDNet: SunTrust Banks ex-employee may have stolen 1.5 million customer records
Bleeping Computer: SunTrust Bank Says Former Employee Stole Details on 1.5 Million Customers
--
FDIC OIG Report Reveals Systemic Problems in Handling Information Security Incidents
(April 20, 2018)
According to a report from the Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG), the FDIC experienced more than 50 breaches over a two-year period. Eight of the incidents involved employees who were leaving the organization taking data with them. The report also notes that the FDIC failed to report security breaches accurately and did not respond to requests for documents. US House Science, Space and Technology Committee chair Lamar Smith (R-Texas) sent a letter to the FDIC asking whether any officials had been held accountable for the findings of the report, what action has been taken as a result, and the status of the implementation of each of the recommendations made in the report.
[Editor Comments]
[Honan] Anyone responsible for incident response in their organisation should review the excellent material provided by the European Union Agency for Network and Information Security (ENISA) on the area of CSIRTs, which includes overviews of training, exercises, tools, and processes that organisations can employ. https://www.enisa.europa.eu/topics/csirt-cert-services
Read more in:
The Hill: GOP committee chair blasts agency over scathing data security report
FDIC OIG: Special Inquiry Report: The FDIC's Response, Reporting, and Interactions with Congress Concerning Information Security Incidents and Breaches
https://www.fdicig.gov/sites/default/files/publications/OIG-18-001.pdf
Science Committee: Smith's letter to FDIC
--
Prison Sentence for Man Who Broke into US Officials' Accounts
(April 20, 2018)
Kane Gamble of the UK has been sentenced to two years in prison there for breaking into online accounts belonging to several high-profile US government officials, including former CIA Director John Brennan and former Director of National Intelligence James Clapper. Gamble, who is now 18, was 15 at the time of the incidents.
Read more in:
BBC: Two years for teen 'cyber terrorist' who targeted US officials
http://www.bbc.com/news/uk-england-leicestershire-43840075
Motherboard: Teen Who Hacked Ex-CIA Director John Brennan Gets Sentenced to 2 Years of Prison
--
Trustjacking Gives Attackers Persistent Control Over iOS Devices
(April 18 & 19, 2018)
A vulnerability in Apple's iTunes Wi-Fi sync feature could be exploited by attackers to gain persistent remote control over iOS devices that connect to a computer to which the attackers have access. Once the device owner agrees to trust the connected computer, that computer can access photos, install apps, and take other actions on the iOS device even after it has been disconnected from the computer, as long as the device and the computer are on the same network.
[Editor Comments]
[Ullrich] This vulnerability has been overhyped. In order to exploit this issue, an attacker first needs to trick a user into accepting the pairing request. Only after doing so does the attacker have access to the data. Some of the proposed attack scenarios, like for example first gaining control over a trusted computer and then accessing the phone, do not provide the attacker with much the attacker didn't already have access to, assuming that the trusted device has data like past backups sitting on it.
[Neely] This exploit leverages the user trusting the computer that they connect the device to. Since iOS 7, when you connect to a computer, you have to confirm trusting the device, to mitigate the risks of juice jacking (malicious USB charger). With iOS 11, device trust also requires entering the device passcode. If a trusted device enables wireless iTunes sync while the device is connected, the trust extends to permit wireless communication when the devices are on the same Wi-Fi or VPN. The Wi-Fi sync enables backup as well as other features such as remote screen capture. To reduce the risk, enable encrypted iTunes backups with a strong password. The password is stored on the device, so any backup will be encrypted. Revoking trust relationships can only be done by resetting the location and privacy settings on the device, and then you will have to re-authorize trusted devices and access to location services.
Read more in:
Symantec: iOS Trustjacking - A Dangerous New iOS Vulnerability
https://www.symantec.com/blogs/feature-stories/ios-trustjacking-dangerous-new-ios-vulnerability
SC Magazine: Trustjacking exploit abuses iTunes feature to spy on iOS devices
INTERNET STORM CENTER TECH CORNER
Double Password Malspam
Internet Explorer 0-Day
https://www.anquanke.com/post/id/105663
Fire Alarm Shuts Down NASDAQ Datacenter
Virtual Machine Escape Exploits Released
https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/
Users Do Not Know How to Secure a Wi-Fi Router
https://www.broadbandgenie.co.uk/blog/20180409-wifi-router-security-survey
Cisco Patches SAML Vulnerability
"Orangeworm" Group Targets Medical Equipment and Data
https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create