
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #4

January 16, 2018

****************************************************************************

SANS NewsBites               January 16, 2018                Vol. 20, Num. 004

****************************************************************************

TOP OF THE NEWS

New Intel Problem Affects Active Management Technology

Industrial Control Systems Feeling the Sting of CPU Patches

GSA to Make Data Protection Regulations for Contractors Official

CIA: NotPetya the Work of Russian Military Hackers

REST OF THE WEEK'S NEWS

Involuntary Manslaughter Charge in SWATting Case

Canadian Man Arrested in LeakedSource Case to Appear in Court

Oracle Patch Preview

Seagate Fixes Vulnerability in NAS Devices

Let's Encrypt Discontinues TLS-SNI Validation

Indiana Hospital Hit by Ransomware

Fancy Bear Cyber Espionage Group Targeting US Legislators

Malware Labeled "AdultSwine" Targets Children

Best Security Products and Services of 2017

INTERNET STORM CENTER TECH CORNER


***************************  Sponsored By Splunk  ***************************


Improve Your Cybersecurity Posture in the Financial Sector With NIST Standards-Based Solutions Financial institutions face a challenging environment in which cyber threats are growing in severity and sophistication. Splunk has been working with NIST's National Cybersecurity Center of Excellence to address two key challenges in the financial sector. Join this webinar to learn about Access Rights Management and IT Asset Management reference architectures, relevant use cases, and how Splunk Enterprise is integrated in the example solutions. http://www.sans.org/info/201180


*****************************************************************************

TRAINING UPDATE


-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018


-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018


-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018


-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018


-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018


-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018


-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018


-- SANS London March 2018 | March 5-10 | https://www.sans.org/event/London-March-2018


-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018


-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad, ASUS Chromebook or $350 Off with your vLive Course when you register by January 24. https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility


-- Live Daytime training with Simulcast - https://www.sans.org/simulcast


-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive


-- Anywhere, Anytime access for 4 months with OnDemand format -https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor https://www.sans.org/mentor/about

Community SANS https://www.sans.org/community/

View the full SANS course catalog https://www.sans.org/security-training/by-location/all


*****************************************************************************

TOP OF THE NEWS

 --

New Intel Problem Affects Active Management Technology

(January 12, 2018)

Researchers at cyber security and privacy company F-Secure have found that Intel's Active Management Technology (AMT) can be abused to take control of a laptop in under a minute. The attack requires brief physical access: the attacker reboots the machine, enters the Intel Management Engine BIOS Extension (MEBx) at boot, logs in with the default MEBx password ("admin"), which is often left unchanged even on systems that have a BIOS password, a TPM PIN, and full-disk encryption configured, and enables remote management with user consent switched off. From then on the machine can be controlled over the network whenever the attacker is on the same network segment. The defense is to set a strong MEBx password, or disable AMT outright, on every system that ships with it.


[Editor Comments]

[Ullrich] I know Intel isn't in a good spot right now when it comes to security, just barely recovering from "Meltdown" and having had (real) issues with AMT in the recent past. But all this latest AMT problem refers to is the simple fact that an attacker with physical access to a system can configure AMT for you if you forgot to do so yourself. The same is true for traditional BIOS passwords and other systems that the user has to configure in order for them to be effective.


[Williams] "Flaw" is not the word I would use to describe this. F-Secure found a default password that is poorly documented. If organizations don't change the default password it can be used to enable remote access and later used for code execution against the machine. In the nightmare scenario, an attacker would gain physical access to a machine with full disk encryption (say in a hotel room). The attacker boots the laptop and uses the default AMT password to enable remote administration later. The user later boots into the OS after providing the disk encryption password. The attacker can then remotely access the laptop on the hotel network through Intel's AMT. Change your default passwords if your laptops and other machines support this feature.


Read more in:

F-Secure: A Security Issue in Intel's Active Management Technology (AMT)

https://business.f-secure.com/intel-amt-security-issue

Softpedia: New Intel Security Vulnerability Discovered, Millions of Laptops Affected

http://news.softpedia.com/news/new-intel-security-vulnerability-discovered-millions-of-laptops-affected-519355.shtml

Threatpost: Intel AMT Loophole Allows Hackers to Gain Control of Some PCs in Under a Minute

https://threatpost.com/intel-amt-loophole-allows-hackers-to-gain-control-of-some-pcs-in-under-a-minute/129408/
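A practitioner's first question after this story (and the "Intel AMT Default Password" item in the Tech Corner below) is which machines on the network already have AMT listening. The following is an added example, not code from F-Secure or Intel: it probes AMT's plaintext management port (TCP 16992) with an HTTP request and recognizes the banner AMT's embedded web server returns. The sample responses are constructed; the exact version string in a real banner varies by firmware. A hit means AMT is provisioned and reachable; a miss does not prove the MEBx password has been changed, because unprovisioned AMT does not listen at all.

```python
"""Find hosts with Intel AMT provisioned by probing TCP 16992 (AMT's HTTP port).

Added illustration, not code from F-Secure or Intel. AMT's embedded web server
answers GET / with a redirect to /logon.htm and a Server header that names
the firmware version; that header is what we key on. TCP 16993 is the TLS
variant and is not probed here.
"""
import re
import socket
from typing import Dict, Iterable, Optional

AMT_HTTP_PORT = 16992

# Constructed sample replies. The first is modelled on what a provisioned AMT
# host returns; the version number is made up for the example.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Location: /logon.htm\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50.3425\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_OTHER_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: nginx/1.12.2\r\n"
    b"Content-Length: 0\r\n\r\n"
)

AMT_SERVER_RE = re.compile(
    rb"^Server:\s*Intel\(R\) Active Management Technology\s*([\d.]+)",
    re.IGNORECASE | re.MULTILINE,
)


def parse_amt_banner(response: bytes) -> Optional[str]:
    """Return the AMT firmware version if the reply came from AMT's web server, else None."""
    match = AMT_SERVER_RE.search(response)
    return match.group(1).decode("ascii") if match else None


def probe_amt(host: str, port: int = AMT_HTTP_PORT, timeout: float = 2.0) -> Optional[str]:
    """Send a plain HTTP GET to the AMT port and classify the reply.

    Returns the firmware version when AMT answers, None when the port is closed,
    filtered, or served by something else.
    """
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            while len(data) < 4096:  # headers are all we need
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError:
        return None
    return parse_amt_banner(data)


def scan(hosts: Iterable[str]) -> Dict[str, str]:
    """Map each host that exposes AMT to the firmware version it reports."""
    found = {}
    for host in hosts:
        version = probe_amt(host)
        if version:
            found[host] = version
    return found


if __name__ == "__main__":
    # Example: python amt_scan.py, then feed the listed hosts into your asset inventory.
    for h, v in scan(["192.0.2.10", "192.0.2.11"]).items():  # RFC 5737 test addresses
        print(f"{h}: AMT {v} listening on {AMT_HTTP_PORT}")
```

Hosts that show up here should be checked against the list of machines where IT deliberately provisioned AMT; anything else is a candidate for the walk-up provisioning described above. Hosts that do not show up still need the MEBx password set, since the scan cannot see an unprovisioned AMT.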

 

 --

Industrial Control Systems Feeling the Sting of CPU Patches

(January 15, 2018)

Several Supervisory Control and Data Acquisition (SCADA) vendors say that patches for the Meltdown CPU vulnerability are causing issues with their products. Wonderware notes that a Microsoft patch "causes instability for Wonderware Historian and the inability to access DA/OI Servers through the SMC." Rockwell said the same patch may be causing problems with Studio 5000, FactoryTalk View SE, and RSLinx Classic.


Read more in:

The Register: Now Meltdown patches are making industrial control systems lurch

http://www.theregister.co.uk/2018/01/15/meltdown_ics/

 

 --

GSA to Make Data Protection Regulations for Contractors Official

(January 11 & 12, 2018)

The General Services Administration (GSA) plans to codify its cyber security requirements for contractors that handle GSA information and information systems. While the requirements already exist, publishing them in a Federal Register notice puts them through the federal regulatory process and makes them part of the GSA Acquisition Regulation (GSAR).


[Editor Comments]

[Pescatore] This should have happened when the requirements first came out in 2013 or 2014, but better late than never. All procurements, whether by government or private industry, should require that contractors and suppliers demonstrate they have at least achieved basic security hygiene. In 2016, SANS gave John Martin, procurement officer for Boeing, a Difference Makers award for implementing this requirement across Boeing procurements.


Read more in:

Nextgov: GSA Plans to Formalize Cyber Rules for Contractors

http://www.nextgov.com/cybersecurity/2018/01/gsa-plans-formalize-cyber-rules-contractors/145145/

Fedscoop: Changes coming to GSA's contractor cybersecurity requirements

https://www.fedscoop.com/changes-coming-gsas-contractor-cybersecurity-requirements/

 

 --

CIA: NotPetya the Work of Russian Military Hackers

(January 12, 2018)

The US Central Intelligence Agency (CIA) says with "high confidence" that the NotPetya malware attack that targeted computers in Ukraine in June 2017 was the work of Russian military hackers. The malware, which pretended to be ransomware, wiped data from computers at financial institutions, energy companies, and government offices. NotPetya also spread to systems in other countries.   


[Editor Comments]

[Henry] I'm happy to see the Washington Post highlighting this attack, because destructive attacks are on the rise and the public needs to be aware.  What the article fails to mention with any specificity, however, is the impact.  Independent analysts and public reporting put lost revenue of US companies in the high-hundreds of millions of dollars, and much higher than that at the global level.  How that is handled, government to government, to communicate the "red-lines" and what the ramifications are for crossing them is a question that needs to be addressed expeditiously.  The absence of those discussions will result in critically dangerous escalation and exploitation.


Read more in:

WPost: Russian military was behind 'NotPetya' cyberattack in Ukraine, CIA concludes

https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html


**************************  SPONSORED LINKS  ********************************


1) "Why Insider Actions Matter: SANS Review of LogRhythm CloudAI for User and Entity Behavior Analytics" with Dave Shackleford. Register: http://www.sans.org/info/201185


2) It's time to make sure that DNS is part of your security posture. Register to Learn more: http://www.sans.org/info/201190


3) Don't Miss: "Are You in Control? Managing the CIS Critical Security Controls within your Enterprise" http://www.sans.org/info/201195


*****************************************************************************

THE REST OF THE WEEK'S NEWS    

 --

Involuntary Manslaughter Charge in SWATting Case

(January 12 & 15, 2018)

A suspect in the fatal Wichita, Kansas SWATting case has been charged with involuntary manslaughter. Tyler Barriss was arrested in Los Angeles, California in December and was extradited to Kansas. Barriss allegedly placed a hoax phone call to authorities that brought police expecting a dangerous situation to the home of an innocent man who was shot after opening his front door.


Read more in:

Ars Technica: Suspect in deadly Kansas "swatting" hoax charged with manslaughter

https://arstechnica.com/tech-policy/2018/01/suspect-in-deadly-kansas-swatting-hoax-charged-with-manslaughter/

LA Times: L.A. 'swatting' suspect charged with manslaughter in Kansas over hoax call that led to fatal police shooting

http://www.latimes.com/local/lanow/la-me-ln-kansas-swatting-20180112-story.html

 

 --

Canadian Man Arrested in LeakedSource Case to Appear in Court

(January 15, 2018)

Authorities in Canada have arrested a man for allegedly trafficking in stolen personal information. Jordan Evan Bloom allegedly operated the LeakedSource.com website, which was shut down early last year. Bloom is scheduled to appear in court on Monday, January 15, to face charges that he collected $247,000 (Canadian) from the sale of stolen information, including usernames and associated passwords. He faces charges of trafficking in identity information, unauthorized use of a computer, mischief to data, and possession of property obtained by crime.


Read more in:

Reuters: Canadian charged with running LeakedSource.com, selling stolen info

https://www.reuters.com/article/us-canada-cyber/canadian-charged-with-running-leakedsource-com-selling-stolen-info-idUSKBN1F42AB

KrebsOnSecurity: Canadian Police Charge Operator of Hacked Password Service Leakedsource.com

https://krebsonsecurity.com/2018/01/canadian-police-charge-operator-of-hacked-password-service-leakedsource-co

Bleeping Computer: Canadian Police Charge Man Behind LeakedSource Portal

https://www.bleepingcomputer.com/news/security/canadian-police-charge-man-behind-leakedsource-portal/

RCMP: RCMP Arrests Operator of Leakedsource.com

http://www.rcmp-grc.gc.ca/en/news/2018/rcmp-arrests-operator-leakedsourcecom

 

 --

Oracle Patch Preview

(January 15, 2018)

Oracle's quarterly patch release scheduled for January 16, 2018 indicates that the company will provide fixes for 223 security issues. While Oracle has not made a public statement regarding how the Meltdown and Spectre CPU vulnerabilities affect its products, the preview's list of products slated to receive updates includes "Oracle X86 Servers, versions SW 1.x, SW 2.x."   


Read more in:

The Register: Oracle still silent on Meltdown, but lists patches for x86 servers among 233 new fixes

http://www.theregister.co.uk/2018/01/15/oracle_still_silent_on_meltdown_but_lists_patches_for_x86_servers/

Oracle: Oracle Critical Patch Update Pre-Release Announcement - January 2018

http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

 

 --

Seagate Fixes Vulnerability in NAS Devices

(January 15, 2018)

Seagate has released a fix for a firmware flaw in its Personal Cloud Home Media Storage product. The unauthenticated command injection vulnerability could be exploited to enable remote SSH access on an affected device and to change the device's root password. Seagate was notified of the issue in October 2017, and it has been fixed in version 4.3.18.0.  


[Editor Comments]

[Williams] This follows on the heels of a major vulnerability (including a backdoor account) in Western Digital NAS devices. These vulnerabilities highlight the need for device inventories to detect these devices when they are installed by well-meaning employees. We find these types of consumer/SOHO grade NAS devices during many penetration tests and they represent two risks to the organization. First, they are always installed to overcome some IT imposed storage limitation. However, because they are not IT managed, the devices are not being backed up. Second, these devices aren't getting patches when vulnerabilities like these are announced.


Read more in:

Bleeping Computer: Seagate Quietly Patches Dangerous Bug in NAS Devices

https://www.bleepingcomputer.com/news/security/seagate-quietly-patches-dangerous-bug-in-nas-devices/
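The bug class in the Seagate story, unauthenticated command injection in a device-management handler, is worth seeing side by side with its fix. The following is an added example and is not Seagate's firmware or the published proof of concept, neither of which is detailed on this page; `echo` stands in for whatever privileged command such a handler really runs, and the handler names and the hostname parameter are hypothetical.

```python
"""Command injection in a hypothetical NAS management handler, vulnerable form beside a hardened one.

Added illustration; not Seagate's code. The handler takes a hostname from an
HTTP request and applies it with a system command. `echo` is a stand-in for
the real privileged command so the example runs anywhere with /bin/sh.
"""
import re
import subprocess

# RFC 1123 label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def set_hostname_vulnerable(name: str) -> str:
    """Interpolates an unauthenticated request parameter into a shell command line.

    A value such as "nas; echo INJECTED" (or "; /usr/sbin/dropbear" or a
    passwd edit) runs as a second command with the handler's privileges.
    """
    result = subprocess.run(f"echo hostname {name}", shell=True,
                            capture_output=True, text=True, check=False)
    return result.stdout


def set_hostname_argv_only(name: str) -> str:
    """Same handler using an argv list: no shell parses the value, so metacharacters are inert.

    Still missing authentication and input validation; shown to isolate the effect
    of dropping shell=True.
    """
    result = subprocess.run(["echo", "hostname", name],
                            capture_output=True, text=True, check=False)
    return result.stdout


def set_hostname_hardened(name: str, session_authenticated: bool) -> str:
    """Authenticate first, allowlist the value, then run with an argv list."""
    if not session_authenticated:
        raise PermissionError("authentication required")
    if not HOSTNAME_RE.fullmatch(name):
        raise ValueError(f"rejected hostname: {name!r}")
    result = subprocess.run(["echo", "hostname", name],
                            capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    payload = "nas; echo INJECTED"  # constructed attacker input
    print("vulnerable:", repr(set_hostname_vulnerable(payload)))
    print("argv only: ", repr(set_hostname_argv_only(payload)))
    try:
        set_hostname_hardened(payload, session_authenticated=True)
    except ValueError as exc:
        print("hardened:  ", exc)
```

The argv form alone stops the shell from interpreting the value, but the allowlist is still needed because the real command may have its own parsing of its arguments, and the authentication check is what turns an "unauthenticated" finding into an authenticated one.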

 

 --

Let's Encrypt Discontinues TLS-SNI Validation

(January 13, 2018)

Certificate authority Let's Encrypt says it is permanently disabling TLS-SNI validation. In a community post, Let's Encrypt writes, "We have arrived at the conclusion that we cannot generally re-enable TLS-SNI validation. There are simply too many vulnerable shared hosting and infrastructure services that violate the assumptions behind TLS-SNI validation." The method assumed that only the legitimate operator of a domain could answer a TLS connection to that domain's IP address with a certificate for the CA-chosen ".acme.invalid" name; on many shared hosting and CDN platforms any customer can upload a certificate for any name and have it served on the shared address, so one tenant could obtain certificates for a neighbor's domain. TLS-SNI validation will be disabled for new accounts; existing accounts will be allowed a period of time for migration.


Read more in:

The Register: Let's Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers' domains

http://www.theregister.co.uk/2018/01/13/lets_encrypt_certificate_drama/

Let's Encrypt: 2018.01.11 Update Regarding ACME TLS-SNI and Shared Hosting Infrastructure

https://community.letsencrypt.org/t/2018-01-11-update-regarding-acme-tls-sni-and-shared-hosting-infrastructure/50188
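To make the broken assumption concrete, here is an added model of the tls-sni-01 exchange on a shared host. It is not Let's Encrypt or Boulder code; the CA, the host and the tenants are in-memory stand-ins and no real TLS takes place. The name derivation follows the tls-sni-01 draft as I recall it (Z = hex SHA-256 of the key authorization, SNI name = Z[0:32] + "." + Z[32:64] + ".acme.invalid"); the token and thumbprint values are constructed.

```python
"""Model of ACME tls-sni-01 validation against a shared host.

Added illustration, not Let's Encrypt or Boulder code. Shows why a host
that lets any tenant serve a certificate for any SNI name lets that tenant
pass validation for a neighbor's domain, and the host-side fix.
"""
import hashlib
from typing import Dict, Optional, Tuple


def tls_sni_01_name(token: str, account_thumbprint: str) -> str:
    """Name the CA expects as a SAN in the certificate served for SNI=name (per the draft as recalled)."""
    key_authorization = f"{token}.{account_thumbprint}"
    z = hashlib.sha256(key_authorization.encode()).hexdigest()
    return f"{z[:32]}.{z[32:]}.acme.invalid"


class SharedHost:
    """One IP address serving many customers; SNI selects which certificate is sent.

    On the platforms Let's Encrypt described, any customer may upload a certificate
    for any name, .acme.invalid included, and it is served for the shared address.
    reject_acme_invalid models the fix hosting providers were asked to apply.
    """

    def __init__(self, reject_acme_invalid: bool = False) -> None:
        self.reject_acme_invalid = reject_acme_invalid
        self.sni_table: Dict[str, Tuple[str, Tuple[str, ...]]] = {}

    def upload_cert(self, tenant: str, sans: Tuple[str, ...]) -> bool:
        """Tenant installs a (self-signed) certificate; returns False if the host refuses it."""
        if self.reject_acme_invalid and any(s.endswith(".acme.invalid") for s in sans):
            return False
        for san in sans:
            self.sni_table[san] = (tenant, sans)
        return True

    def tls_handshake(self, sni: str) -> Optional[Tuple[str, ...]]:
        """SANs of the certificate the host would present for this SNI, or None."""
        entry = self.sni_table.get(sni)
        return entry[1] if entry else None


def ca_validate_tls_sni_01(host_for_domain: SharedHost, token: str, thumbprint: str) -> bool:
    """CA side: connect to the address the domain resolves to, SNI=expected name, accept if cert carries it.

    Note that the domain being validated never appears in the handshake; only its
    IP address (here, the SharedHost object) does.
    """
    expected = tls_sni_01_name(token, thumbprint)
    sans = host_for_domain.tls_handshake(expected)
    return sans is not None and expected in sans


def attacker_issues_for_neighbor(host: SharedHost) -> bool:
    """Mallory, a tenant on the host where victim.example also lives, requests a cert for victim.example.

    The CA hands her a token; she computes the validation name for her OWN account
    thumbprint, uploads a self-signed cert carrying it, and the CA's connection to
    the shared address is answered with her cert.
    """
    token = "constructed-token-1234"                     # constructed; would come from the CA
    mallory_thumbprint = "mallory-account-key-thumbprint"  # constructed
    name = tls_sni_01_name(token, mallory_thumbprint)
    if not host.upload_cert("mallory", (name,)):
        return False  # host refused the .acme.invalid upload
    return ca_validate_tls_sni_01(host, token, mallory_thumbprint)


if __name__ == "__main__":
    print("permissive host, attacker validated:", attacker_issues_for_neighbor(SharedHost()))
    print("host rejecting .acme.invalid:        ", attacker_issues_for_neighbor(SharedHost(reject_acme_invalid=True)))
```

The host-side rejection of ".acme.invalid" names closes this particular hole, but Let's Encrypt's conclusion was that it could not rely on every provider applying it, which is why the method was retired rather than patched; http-01 and dns-01 tie the proof to a path or DNS record the attacker cannot control in the same way.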

 

 --

Indiana Hospital Hit by Ransomware

(January 13 & 15, 2018)

An Indiana hospital's network was infected with ransomware; the attackers demanded payment in Bitcoin. When the Hancock Health IT team became aware of the problem, they shut down the entire Hancock network, including physicians' offices and wellness centers. Hancock worked with the FBI and an IT company to remove the malware from its network.  


Read more in:

Greenfield Reporter: Hospital hit by ransomware: Attackers demand Bitcoin to release control of system

http://www.greenfieldreporter.com/2018/01/13/01132018dr_hancock_network_hack/

Healthcare IT News: Ransomware attack on Hancock Health drives providers to pen and paper

http://www.healthcareitnews.com/news/ransomware-attack-hancock-health-drives-providers-pen-and-paper

 

 --

Fancy Bear Cyber Espionage Group Targeting US Legislators

(January 12, 2018)

According to security firm Trend Micro, the same cyber espionage group that broke into DNC systems prior to the 2016 US presidential election is targeting systems at the US Senate. The group, Pawn Storm, also known as Fancy Bear or APT28, set up a phony Senate login page to steal access credentials. Senator Ben Sasse (R-Nebraska) has demanded that Attorney General Jeff Sessions provide a briefing for US legislators regarding steps the administration has taken to thwart Russian hackers.


[Editor Comments]

[Pescatore] I believe Grant Schneider is still the acting CISO for the US Government. Congress (acting like a Board of Directors) should be requiring testimony from the CISO vs. from the Chief Legal Counsel equivalent - the DoJ does not actually have the responsibility for protecting US systems.


Read more in:

The Hill: GOP senator demands briefing from Sessions after reports of Russian hackers targeting Senate

http://thehill.com/policy/cybersecurity/368757-gop-senator-demands-briefing-from-sessions-after-firm-says-russian

SC Magazine: Pawn Storm readied attacks against U.S. senators, political and Olympic targets

https://www.scmagazine.com/pawn-storm-aims-at-political-targets/article/736975/

FNR: Cybersecurity firm: US Senate in Russian hackers' crosshairs

https://federalnewsradio.com/cybersecurity/2018/01/cybersecurity-firm-us-senate-in-russian-hackers-crosshairs/

FCW: Senators, staffers are next on Russia's cyber hit list, says report

https://fcw.com/articles/2018/01/12/senate-cyber-fancy-bear.aspx

Nextgov: Russian DNC Hackers Targeting Senate, Cyber Firm Says

http://www.nextgov.com/cybersecurity/2018/01/russian-dnc-hackers-targeting-senate-cyber-firm-says/145183/

 

 --

Malware Labeled "AdultSwine" Targets Children

(January 12, 2018)

Google has removed some 60 apps from the Google Play marketplace, including a game titled "Paw Puppy Run Subway Surf," that carried malicious code dubbed "AdultSwine." Many of the apps were aimed at children; the malware displayed pornographic ads and tried to lure users into installing fake "security" apps and signing up for premium services.


[Editor Comments]

[Stephen Northcutt] The decision to give a smart phone to a child is a big one. Sadly, technical controls have significant limitations.

https://www.tigermobiles.com/2015/05/how-to-protect-your-children-on-their-smartphone/

https://www.huffingtonpost.com/entry/6-steps-for-parents-before-giving-your-child-a-smartphone_us_592f2343e4b0d80e3a8a32bf


Read more in:

https://threatpost.com/apps-exposing-children-to-porn-ads-booted-from-google-play/129400/

https://www.inc.com/joseph-steinberg/new-adultswine-malware-displays-pornography-to-children.html

 

 --

Best Security Products and Services of 2017

Each year we survey the SANS community to nominate the cybersecurity products and services that actually worked and made a measurable difference in protecting business systems. The "Best of 2017" survey is now open at https://www.surveymonkey.com/r/B2NWD9N - help us highlight the vendors who are increasing your ability to stay secure vs. just increasing the hype and noise.  Only users may make nominations, please!


INTERNET STORM CENTER TECH CORNER


Registry Keys Blocking Patches

https://isc.sans.edu/forums/diary/Those+pesky+registry+keys+required+by+critical+security+patches/23229/


Intel AMT Default Password

https://isc.sans.edu/forums/diary/Flaw+in+Intels+Active+Management+Technology+AMT/23231/


VMware Fixes Guest Escape via IPv6 Vulnerability

https://www.vmware.com/security/advisories/VMSA-2018-0005.html


Seagate Patches Critical CSRF Vulnerability in its Personal Cloud Drives

https://blogs.securiteam.com/index.php/archives/3548


Lenovo Removes Backdoor Access From Switches

https://support.lenovo.com/us/en/product_security/len-16095

        

Systems Infected Via CryptoMiner Written in Ruby

https://research.checkpoint.com/rubyminer-cryptominer-affects-30-ww-networks/


Shibboleth SAML Attribute Truncation

https://www.redteam-pentesting.de/en/advisories/rt-sa-2017-013/-truncation-of-saml-attributes-in-shibboleth-2


Solarwinds Measures Spectre/Meltdown Patch Performance Impact

https://blog.appoptics.com/visualizing-meltdown-aws/


******************************************************************************

The Editorial Board of SANS NewsBites

 

John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.


Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.


Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.


Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.


Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.


Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.


Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.


Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.


William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.


Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.


Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.


Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).


Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.


Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.


Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.


Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.


David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.


Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.


Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.


Alan Paller is director of research at the SANS Institute.


Brian Honan is an independent security consultant based in Dublin, Ireland.


David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create