SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #40
May 22, 2018
****************************************************************************
SANS NewsBites May 22, 2018 Vol. 20, Num. 040
****************************************************************************
TOP OF THE NEWS
FCC Investigating LocationSmart
Securus Hacked
More Meltdown and Spectre Issues
REST OF THE WEEK'S NEWS
Wicked Mirai Botnet Variant Exploits IoT Vulnerabilities
RedDawn Malware Campaign Spies on North Korean Defectors
ISC Issues Advisories for Two BIND Vulnerabilities
WinstarNssmMiner Cryptomining Malware
Federal Vehicle Telematics Cybersecurity
Google Expands Availability of Project Shield to Include Elections and Political Campaigns
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Indegy ***************************
You are now exposed to consistent and confusing noise regarding various ICS security approaches. You must take action, but what is the right action to take? Don't Miss "Passive, Active or Hybrid Monitoring: What's the right choice for your ICS Network?" to help unravel the confusion. Register: http://www.sans.org/info/204070
*****************************************************************************
-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018
-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 | https://www.sans.org/event/rocky-mountain-2018
-- SANS London June 2018 | June 4-12 | https://www.sans.org/event/london-june-2018
-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018
-- Cloud In-Security Summit - DC | Crystal City, VA | June 8 | https://www.sans.org/event/cloud-insecurity-summit-dc
-- Cloud In-Security Summit - Austin | Austin, TX | June 11 | https://www.sans.org/event/cloud-insecurity-summit-tx
-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018
-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018
-- SANS London July 2018 | July 2-7 | https://www.sans.org/event/london-july-2018
-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Special Offer: Get a GIAC Certification Attempt Included or Take $350 Off with SANS Online Training until May 30.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--
FCC Investigating LocationSmart
(May 17, 18, & 19, 2018)
The US Federal Communications Commission (FCC) is reportedly beginning an investigation into LocationSmart, a company that identifies the locations of mobile phones connected to the major carriers' services. LocationSmart allegedly sold mobile device location information to Securus. LocationSmart's website was also found to be leaking mobile device location information without requiring authentication.
Read more in:
Ars Technica: FCC investigates site that let most US mobile phones' location be exposed
The Register: LocationDumb: Phone tracker foul-up exposes world+dog to tracking
http://www.theregister.co.uk/2018/05/18/phone_tracker_foulup/
KrebsOnSecurity: Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site
--
Securus Hacked
(May 16 & 18, 2018)
Securus, the company that was recently revealed to be providing cell phone location data to law enforcement, was the target of a data breach last week. The intruder stole a database that includes some passwords for some of Securus's law enforcement customers. Securus acquires phone location data from service providers. The information is usually sold to marketing companies, but it was recently found that Securus offers a service for law enforcement agencies as well. Last week, US Senator Ron Wyden (D-Oregon) asked the Federal Communications Commission (FCC) to investigate wireless carriers that allow law enforcement unrestricted access to customer location data.
Read more in:
SC Magazine: Securus hacked after reports cops used it for tracking location
Motherboard: Hacker Breaches Securus, the Company That Helps Cops Track Phones Across the US
https://motherboard.vice.com/en_us/article/gykgv9/securus-phone-tracking-company-hacked
--
More Meltdown and Spectre Issues
(May 21 & 22, 2018)
Additional variants of the Meltdown/Spectre processor flaws have been detected. Dubbed Variants 3A and 4, the newly detected issues are a rogue system register read and a speculative store bypass. Intel and other companies are releasing microcode updates to address the problem.
[Editor Comments]
[Neely] Regression testing is key in this space. As more Meltdown/Spectre fixes are released, make sure to fully test them before deploying to the enterprise, as the impact of the fix is tied to the specific work mix of the systems where the fixes are being deployed.
Read more in:
Cyberscoop: Tech giants reveal new variant of Meltdown and Spectre vulns
https://www.cyberscoop.com/variant-4-spectre-meltdown-intel-microsoft/?category_news=technology
ZDNet: Spectre chip security vulnerability strikes again; patches incoming
https://www.zdnet.com/article/spectre-chip-security-vulnerability-strikes-again-patches-incoming/
CNET: Intel discloses new variant on Spectre, Meltdown security flaws
https://www.cnet.com/news/intel-discloses-new-variant-on-spectre-meltdown-security-flaws/
The Register: Microsoft, Google: We've found a fourth variant of Meltdown-Spectre CPU holes
http://www.theregister.co.uk/2018/05/21/spectre_meltdown_v4_microsoft_google/
US-CERT: Side-Channel Vulnerability Variants 3a and 4
https://www.us-cert.gov/ncas/alerts/TA18-141A
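The editor comment above recommends verifying fixes before rolling them out. The following shell script is an added example, not part of the SANS NewsBites item or the US-CERT alert: it reads the status files that the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2 and, on kernels that know about Variant 4, spec_store_bypass) and reports whether every entry is "Not affected" or carries a "Mitigation:" line. The directory is a parameter so the same check can be run against files copied from other hosts; the sample data the script builds for its demo is constructed here and is not taken from any real system.

```shell
# Added example (not from SANS NewsBites): summarise the kernel's reported
# mitigation status for the Meltdown/Spectre family, including Variant 4
# (Speculative Store Bypass), from the Linux sysfs interface. Each file under
# /sys/devices/system/cpu/vulnerabilities/ holds one line such as
# "Not affected", "Vulnerable" or "Mitigation: <description>".

# Print one line per vulnerability file: "<name>: <status>".
report_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Return 0 when every file reports "Not affected" or "Mitigation: ...",
# 1 when any file reports anything else (e.g. "Vulnerable") or when the
# directory is missing, which means the kernel predates this interface and
# cannot be assessed this way.
all_mitigated() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    [ -d "$dir" ] || return 1
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$(cat "$f")" in
            "Not affected"|"Mitigation:"*) ;;
            *) status=1 ;;
        esac
    done
    return "$status"
}

# Constructed sample data (not captured from a real host): a set of status
# files where only the spec_store_bypass entry varies, given as $1.
make_sample() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Mitigation: Full generic retpoline\n' > "$d/spectre_v2"
    printf '%s\n' "$1" > "$d/spec_store_bypass"
    echo "$d"
}

# Demo: one host before the Variant 4 update and one after.
if [ "${1:-}" = "--demo" ]; then
    before=$(make_sample "Vulnerable")
    after=$(make_sample "Mitigation: Speculative Store Bypass disabled via prctl and seccomp")
    for host in "$before" "$after"; do
        report_mitigations "$host"
        if all_mitigated "$host"; then echo "RESULT: all mitigated"; else echo "RESULT: needs update"; fi
    done
    rm -rf "$before" "$after"
fi
```

Run it with `--demo` to see the two constructed hosts side by side, or call `all_mitigated` with no argument on a live Linux machine; a non-zero exit is the signal to hold that host back until the microcode and kernel updates have been applied and regression-tested.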
************************** SPONSORED LINKS ********************************
1) How are you dealing with the rapid evolution of Secure DevOps? Take the SANS 2018 Secure DevOps Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/204075
2) "Defending Against the Rising Tide of Industrial CyberThreats: An OT CyberSecurity Case Study" Register: http://www.sans.org/info/204080
3) "Reclaim Your Freedom to Safely Access the Web" with John Pescatore. Learn More: http://www.sans.org/info/204085
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
Wicked Mirai Botnet Variant Exploits IoT Vulnerabilities
(May 18 & 21, 2018)
Wicked, a new variant of the Mirai botnet, incorporates exploits for at least three unpatched IoT (Internet of Things) vulnerabilities, expanding the base of devices it has the power to infect. The original Mirai used brute force attacks to take control of vulnerable devices.
Read more in:
Threatpost: Wicked Botnet Uses Passel of Exploits To Target IoT
https://threatpost.com/wicked-botnet-uses-passel-of-exploits-to-target-iot/132125/
ZDNet: Mirai botnet adds three new attacks to target IoT devices
https://www.zdnet.com/article/mirai-botnet-adds-three-new-attacks-to-target-iot-devices/
--
RedDawn Malware Campaign Spies on North Korean Defectors
(May 21, 2018)
Some Android apps found in the Google Play store appear to contain malware aimed at infecting mobile devices belonging to North Korean defectors, people who help them, and associated journalists. The campaign, which has been named RedDawn, is believed to be the work of a group known as Sun Team.
Read more in:
Dark Reading: North Korean Defectors Targeted with Malicious Apps on Google Play
ZDNet: North Korean defectors, journalists targeted through Google Play
https://www.zdnet.com/article/north-korean-defectors-targeted-through-google-play/
--
ISC Issues Advisories for Two BIND Vulnerabilities
(May 18 & 21, 2018)
The Internet Systems Consortium (ISC) has released two advisories detailing vulnerabilities in BIND. Both vulnerabilities could be exploited to cause denial-of-service for domain name resolution. The flaws affect BIND versions 9.12.0 and 9.12.1. Users should upgrade to BIND 9.12.1-P2.
Read more in:
ISC.org: CVE-2018-5736: Multiple transfers of a zone in quick succession can cause an assertion failure in rbtdb.c
https://kb.isc.org/article/AA-01602/0
ISC.org: CVE-2018-5737: BIND 9.12's serve-stale implementation can cause an assertion failure in rbtdb.c or other undesirable behavior, even if serve-stale is not enabled.
https://kb.isc.org/article/AA-01606/0
Dark Reading: New BIND Vulnerabilities Threaten DNS Availability
--
WinstarNssmMiner Cryptomining Malware
(May 17 & 18, 2018)
Cryptocurrency mining malware called WinstarNssmMiner has attempted to infect half a million computers in just three days. WinstarNssmMiner targets Windows machines and is capable of shutting down certain antivirus processes. In addition, if a user tries to shut down XMRig, the mining utility that WinstarNssmMiner uses, the malware crashes the user's computer.
Read more in:
360 Total Security: CryptoMiner, WinstarNssmMiner, Has Made a Fortune By Brutally Hijacking Computers
Bleeping Computer: WinstarNssmMiner Coinminer Campaign Makes 500,000 Victims in Three Days
SC Magazine: Attempts to terminate new WinstarNssmMiner cryptominer result in computer crash
--
Federal Vehicle Telematics Cybersecurity
(May 15 & 18, 2018)
A March 2015 Executive Order requires that all US federal government vehicle fleet managers gather operational data, including fuel consumption, maintenance, and vehicle location. Because the data are collected and transmitted using telematics, the process raises cybersecurity concerns. The Department of Homeland Security (DHS) and Department of Transportation (DoT) have together developed a Telematics Cybersecurity Primer for Agencies. The guidelines cover protecting communications to and from the devices; protecting device firmware; protecting actions on the device through the least privilege principle; and protecting device integrity.
[Editor Comments]
[Pescatore] Glad to see DoT/DHS cooperation on an important topic but I couldn't find a copy to review. There have been a number of NIST and other agency reports on the same topic since 2014. What is needed is the US government to use its buying power to require all vehicle purchases to require basic security hygiene be demonstrated by all vendors.
Read more in:
DHS: Snapshot: DHS, DOT Partner on Government Vehicle Telematics Cybersecurity Primer
SC Magazine: DHS, DoT team up to secure federal vehicle fleets
https://www.scmagazine.com/dhs-and-dot-team-up-to-secure-federal-vehicle-fleets/article/767092/
--
Google Expands Availability of Project Shield to Include Elections and Political Campaigns
(May 16, 2018)
Google has expanded the availability of Project Shield, the company's free protection from distributed denial-of-service (DDoS) attacks, to include political campaigns, candidates, and political action committees. Previously, Project Shield was available to journalists, human rights advocates, human rights groups, and election monitors. Project Shield uses a reverse proxy to help make sure that customers' website servers receive only legitimate traffic.
[Editor Comments]
[Pescatore] Interesting marketplace dynamics going on here. ISPs get paid by the bandwidth consumed; even though they are the most logical place to stop brute force type DDoS (and spam and phishing for that matter), ISPs have only provided, at best, reactive support. Google makes money on ad views; fewer web sites down due to denial of service attacks means more ads to view.
Read more in:
Google: Project Shield Help
https://support.google.com/projectshield/answer/6358588
CNET: Google rolls out free cyberattack shield for elections and campaigns
INTERNET STORM CENTER TECH CORNER
Redis Cryptocoin Mining Worm
https://isc.sans.edu/forums/diary/Anatomy+of+a+Redis+mining+worm/23673/
Evolving Chrome's Security Indicator
https://blog.chromium.org/2018/05/evolving-chromes-security-indicators.html
DrayTek CSRF 0-Day Exploited to Change DNS Servers
https://www.draytek.co.uk/support/security-advisories/kb-advisory-csrf-and-dns-dhcp-web-attacks
Rowhammer Remote Exploit
https://www.cs.vu.nl/~herbertb/download/papers/throwhammer_atc18.pdf
https://arxiv.org/abs/1805.04956
Spectre NG Patches
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180012
https://newsroom.intel.com/editorials/addressing-new-research-for-side-channel-analysis/
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180013
https://bugs.chromium.org/p/project-zero/issues/detail?id=1528
New "Moon" Variant
http://blog.netlab.360.com/gpon-exploit-in-the-wild-iv-themoon-botnet-join-in-with-a-0day/
https://isc.sans.edu/forums/diary/Something+Wicked+this+way+comes/23681/
Extracting Keys From Windows ssh-agent
https://blog.ropnop.com/extracting-ssh-private-keys-from-windows-10-ssh-agent/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create