Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #36

May 8, 2018


The Cloud In-Security workshop will be in both Washington and Austin:

    -- Washington DC: https://www.sans.org/event/cloud-insecurity-summit-tx

    -- Austin: https://www.sans.org/event/cloud-insecurity-summit-tx


****************************************************************************

SANS NewsBites               May 8, 2018                Vol. 20, Num. 036

****************************************************************************


TOP OF THE NEWS


 

DHS Program Gives Agencies Weekly Vulnerability Report Cards

 

UK CyberFirst Girls Top Competitors Invited to Buckingham Palace

 

Desert Research Institute Partners with SANS for Cybersecurity Internship Program

 

Unpatched Drupal Sites Targeted by Cryptojacking Malware


REST OF THE WEEK'S NEWS

 

DHS Conducting US State Election Security Reviews

 

Lenovo Patches

 

SynAck Ransomware Variant Employs Process Doppelgnging Fileless Evasion

 

Companies Have Not Learned from Equifax Breach

 

IC3 2017 Internet Crime Report

 

Russia's Further Efforts to Block Telegram


INTERNET STORM CENTER TECH CORNER

 

***************************  Sponsored By Splunk  ***************************


A Short Primer of GDPR Essentials.  

Download A Short Primer of GDPR Essentials. This is a cheat sheet to help both the data privacy expert and non-expert approach the GDPR with key takeaways.   http://www.sans.org/info/203855  


*****************************************************************************


-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018


-- SANS Northern VA Reston Spring 2018 | May 2025 | https://www.sans.org/event/northern-va-reston-spring-2018


-- SANS Amsterdam May 2018 | May 28-June 2 | https://www.sans.org/event/amsterdam-may-2018


-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 | https://www.sans.org/event/rocky-mountain-2018


-- SANS London June 2018 | June 4-12 | https://www.sans.org/event/london-june-2018


-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018


-- Cloud In-Security Summit - DC | Crystal City, VA | June 8 | https://www.sans.org/event/cloud-insecurity-summit-dc


-- Cloud In-Security Summit - Austin | Austin, TX | June 11 | https://www.sans.org/event/cloud-insecurity-summit-tx


-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018


-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018


-- SANS OnDemand and vLive Training


The SANS Training you want with the flexibility you need.


Special Offer: Get an iPad, a Samsung Galaxy Tab A, or take $250 Off with OnDemand or vLive Training until May 16.


https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


Single Course Training


-- Single Course Training


SANS Mentor |  https://www.sans.org/mentor/about


Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap


https://www.sans.org/courses


https://www.sans.org/cyber-security-skills-roadmap


*****************************************************************************


TOP OF THE NEWS


 --

DHS Program Gives Agencies Weekly Vulnerability Report Cards

(May 4, 2018)

The US Department of Homeland Security (DHS) is giving 106 federal agencies weekly cyber hygiene report cards. The information on the report cards comes from live dashboards. Some agencies have been questioning the integrity of the data; because the information is updated frequently, the information from a report card on Monday could differ from what the dashboard shows later in the week.


[Editor Comments]

[Pescatore] For close to 8 years now, agencies have been required to do continuous monitoring, so "fresh" vulnerability data shouldn't be that much of a shock - and is much needed!


Read more in:

MeriTalk: DHS Program Offers Cyber Report Cards to 106 Agencies, Threat Intel to White House

https://www.meritalk.com/articles/dhs-program-offers-cyber-report-cards-to-106-agencies-threat-intel-to-white-house/


 

 --

UK CyberFirst Girls Top Competitors Invited to Buckingham Palace

(May 4 & 6, 2018)

The top student teams that participated in the UK CyberFirst Girls competition were invited to Buckingham Palace by the Duke of York. In all, 4,500 young women participated in the challenge; the teams from the top ten performing schools were invited.  The Duke of York said, "CyberFirst is absolutely crucial to encourage girls to be at the forefront of cyber security."     


[Editor Comments]

[Paller] The same contest (CyberStart) was played by 6,650 US high school girls in February in a program called GirlsGoCyberStart. Results: The percent of young women who were interested in careers in cybersecurity doubled from 36% to 70%. The game identified and reinforced curious, tenacious students, developed creativity and problem-solving skills, taught foundations of cybersecurity and more, and now teachers and parents in the 16 states where the governor sponsored GirlsGoCyberStart are asking their governors for permission to use CyberStart in their classrooms in the fall. https://www.sans.org/CyberStartUS


Read more in:

NCSC: His Royal Highness The Duke Of York, KG welcomes finalists of the National Cyber Security Challenge to Buckingham Palace

https://www.ncsc.gov.uk/news/his-royal-highness-duke-york-kg-welcomes-finalists-national-cyber-security-challenge-buckingham

Chelmsford Weekly News: Girls who took part in nationwide cyber security challenge invited to Buckingham Palace

http://www.chelmsfordweeklynews.co.uk/news/16208001.Girls_who_took_part_in_nationwide_cyber_security_challenge_invited_to_Buckingham_Palace/

 

 --

Desert Research Institute Partners with SANS for Cybersecurity Internship Program

(April 27, 2018)

The Desert Research Institute (DRI) is partnering with SANS to launch the 2018 DRI Cybersecurity Internship Program. The program will run from August-December 2018 and is open to residents of northern Nevada. Applications will be accepted through May 31, 2018; applicants must participate in the SANS CyberStart Game in Reno, held June 18-22. People chosen for the program will take the SANS CyberStart Essentials course, and then work at DRI one day a week from August through December. At the end of the [program, interns will take the CyberStart Essentials Certification Exam.


Read more in:

DRI: DRI Cybersecurity Internship Program

https://www.dri.edu/cybersecurity

Globe Newswire: DRI launches cybersecurity internship program in collaboration with SANS Institute

https://globenewswire.com/news-release/2018/04/27/1489446/0/en/DRI-launches-cybersecurity-internship-program-in-collaboration-with-SANS-Institute.html



 --

Unpatched Drupal Sites Targeted by Cryptojacking Malware

(May 3 & 7, 2018)

Websites that have not been patched against two recently disclosed Drupal vulnerabilities are being targeted by Cryptojacking malware. More than 400 university and government websites have been infected.


Read more in:

Bleeping Computer: Drupal Sites Fall Victims to Cryptojacking Campaigns

https://www.bleepingcomputer.com/news/security/drupal-sites-fall-victims-to-cryptojacking-campaigns/

Threatpost: Cryptojacking Campaign Exploits Drupal Bug, Over 400 Websites Attacked

https://threatpost.com/cryptojacking-campaign-exploits-drupal-bug-over-400-websites-attacked/131733/

Ars Technica: Hundreds of big-name sites hacked, converted into drive-by currency miners

https://arstechnica.com/information-technology/2018/05/hundreds-of-big-name-sites-hacked-converted-into-drive-by-currency-miners/

The Register: That Drupal bug you were told to patch weeks ago? Cryptominers hope you haven't bothered

http://www.theregister.co.uk/2018/05/07/drupal_bug_exploits/

SC Magazine: Cat burglar: Kitty cryptominer targets web application servers, then spreads to app users

https://www.scmagazine.com/cat-burglar-kitty-cryptominer-targets-web-application-servers-then-spreads-to-app-users/article/763411/

 

**************************  SPONSORED LINKS  ********************************


1) Don't Miss: "Passive, Active or Hybrid Monitoring: Whats the right choice for your ICS Network?" Register:  http://www.sans.org/info/203860


2) "Defending Against the Rising Tide of Industrial CyberThreats: An OT CyberSecurity Case Study"  Register:  http://www.sans.org/info/203865


3) What experience and skills do you look for in a threat hunting expert? Take the SANS 2018 Threat Hunting survey at  and enter to win a $400 Amazon gift card!  http://www.sans.org/info/203870


*****************************************************************************


THE REST OF THE WEEK'S NEWS     


 --

DHS Conducting US State Election Security Reviews

(May 7, 2018)

The US Department of Homeland Security (DHS) has completed security assessments of elections systems for nine of the17 states that have formally requested them. DHS says it plans to complete assessments for the remaining eight states prior to the mid-term elections in November. Each review takes approximately two weeks. An Associated Press survey found that 28 US states said they wanted DHS to review their election systems security.  


Read more in:

Fifth Domain: State election systems still waiting for security checkups

https://www.fifthdomain.com/critical-infrastructure/2018/05/07/state-election-systems-still-waiting-for-security-checkups/


 

 --

Lenovo Patches

(May 7, 2018)

Lenovo has released fixes for two vulnerabilities that affect the company's ThinkPads and System x servers. One of the issues is an authentication flaw in the Secure Boot process; the second is a buffer overflow flaw in the system drive mapping utility that could be exploited to execute arbitrary code.  


Read more in:

Threatpost:

Lenovo Patches

Arbitrary Code Execution Flaw

https://threatpost.com/lenovo-patches-arbitrary-code-execution-flaw/131725/

Lenovo: System x Secure Boot Vulnerability

https://support.lenovo.com/us/en/solutions/LEN-20241

Lenovo: Buffer Overflow in Lenovo System Update Drive Mapping Utility

https://support.lenovo.com/us/en/solutions/LEN-19625

 

 --

SynAck Ransomware Variant Employs Process Doppelgnging Fileless Evasion

(May 7, 2018)

A new variant of SynAck ransomware is using Process Doppelgnging to evade detection by antimalware tools. The new version of SynAck has reportedly been used in targeted attacks in the US, Germany, Kuwait, and Iran. Process Doppelgnging allows the attackers to run malicious code by using NTFS transactions to launch the code, making it appear to be a legitimate Windows process.  


Read more in:

Securelist: SynAck targeted ransomware uses the Doppelgnging technique

https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/

Threatpost: Variant Of Synack Malware Adopts Doppelgnging Technique

https://threatpost.com/variant-of-synack-malware-adopts-doppelganging-technique/131760/

Dark Reading: SynAck Ransomware Gets Dangerous 'Doppleganging' Feature

https://www.darkreading.com/attacks-breaches/synack-ransomware-gets-dangerous-doppleganging-feature/d/d-id/1331736

SC Magazine: SynAck ransomware implements Doppelgnging evasion technique

https://www.scmagazine.com/the-evasion-technique-was-first-demonstrated-by-ensilo-researchers-tal-liberman-and-eugene-kogan-at-the-balckhat-2017-conference-in-london/article/764149/

 

 --

Companies Have Not Learned from Equifax Breach

(May 7 & 8, 2018)

Eight months after the massive Equifax data breach came to light, many companies are still running vulnerable versions of Apache Struts. Attackers exploited a flaw in the open source web server software to steal 145 million records from the credit reporting agency. In a separate story, Equifax has recently released additional information about the data compromised in the breach.


[Neely] Equifax is revealing that not only were names, dates of birth, SSNs, payment card numbers and addresses stolen, as previously reported, but that driver's licenses and passport details were lost as well.

 

[Murray] The collection and publication of open source "cyber security" intelligence has become an industry. Indeed we may be paying for more than we are reading. Nonetheless, our adversaries appear to be reading it and acting on it.  


Read more in:

ZDNet: After Equifax breach, major firms still rely on same flawed software

https://www.zdnet.com/article/after-equifax-breach-companies-rely-on-same-flawed-software/

Cyberscoop: Over 10,000 companies downloading software vulnerable to Equifax hack

https://www.cyberscoop.com/apache-struts-downloads-sonatype-equifax/?category_news=technology

Reuters: Equifax provides more detail to Congress on cyber security incident

https://www.reuters.com/article/us-equifax-cyber/equifax-provides-more-detail-to-congress-on-cyber-security-incident-idUSKBN1I903V

The Register: Equifax reveals full horror of its data breach

https://www.theregister.co.uk/2018/05/08/equifax_breach_may_2018/

 

 --

IC3 2017 Internet Crime Report

(May 7, 2018)

The Internet Crime Complaint Center's (IC3's) 2017 Internet Crime Report shows that the IC3 received more than 300,000 complaints amounting to more than $1.4 billion USD in losses. The most commonly reported crimes were non-payment and non-delivery; personal data breaches; and phishing and related schemes. People over the age of 60 were most likely to be victims of reported Internet crimes. The report also includes success stories from the Operation Wellspring Initiative, which "builds the cyber investigative capability and capacity of the state and local law enforcement community."


[Editor Comments]

[Northcutt] The report is well done. Page 17 has the stats on people over 60; this is also the fastest rising group. People who have worked hard, saved their money, just want to use the computer to send pictures of the grandkids. It is up to each of us to help. One program is the AARP Elderwatch: https://www.aarp.org/aarp-foundation/our-work/income/elderwatch/report-fraud/


Read more in:

FBI: Latest Internet Crime Report Released

https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718

IC3: 2017 Internet Crime Report

https://pdf.ic3.gov/2017_IC3Report.pdf

 

 --

Russia's Further Efforts to Block Telegram

(May 6, 2018)

Last week, Russia's state censor blocked access to more than 50 VPNs and proxy services in that country. The action was taken in an effort to prevent Russian citizens' from accessing the Telegram messaging app, which was formally banned last month. Roskomnadzor initially banned Telegram's known IP addresses, and when Telegram began switching their IP addresses, Roskomnadzor subsequently inadvertently blocked millions of Amazon and Google Cloud IP addresses. That action caused massive service outages in Russia and was discontinued after a week and a half.


Read more in:

Bleeping Computer: Russia Blocks 50 VPNs and Proxy Services Providing Access to Telegram

https://www.bleepingcomputer.com/news/government/russia-blocks-50-vpns-and-proxy-services-providing-access-to-telegram/

 
 

INTERNET STORM CENTER TECH CORNER

 

Malicious NPM Library Stopped

https://blog.npmjs.org/post/173526807575/reported-malicious-module-getcookies


Popular GDPR Shield

http://gdpr-shield.io (currently down)


More Spectre Flaws

https://www.heise.de/ct/artikel/Exclusive-Spectre-NG-Multiple-new-Intel-CPU-flaws-revealed-several-serious-4040648.html

        

Parsing Windows Job Files

https://isc.sans.edu/forums/diary/Adding+Persistence+Via+Scheduled+Tasks/23633/


SYN-ACK Ransomware Uses Dopplegnging Technique

https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/


More Drupal Compromises

https://badpackets.net/large-cryptojacking-campaign-targeting-vulnerable-drupal-websites/


Russia vs. Telegram

https://twitter.com/instasegv/status/993521755192020992

https://www.bleepingcomputer.com/news/government/russia-blocks-50-vpns-and-proxy-services-providing-access-to-telegram/


******************************************************************************


The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create