SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #5
January 19, 2018
****************************************************************************
SANS NewsBites January 19, 2018 Vol. 20, Num. 005
****************************************************************************
TOP OF THE NEWS
Cyber Security Competitions for Girls in US, UK
Indiana Hospital Paid Ransomware Attackers to Regain Data Access
Industrial Control Systems and CPU Bugs
REST OF THE WEEK'S NEWS
Microsoft Releases Fixes for Problematic CPU Patches
Man Pleads Guilty to Dozens of DDoS Attacks
Trisis Malware Used in Attack Against Middle Eastern Energy Company
Hawaii Emergency Management Agency Password on a Post-it
House Passes Bill Flouting Tillerson's Decision to Eliminate State Dept. Cyber Post
Fixes Available for BIND Vulnerability
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Unisys ****************************
The Zero Trust architecture is an ideal solution for the cloud where it is not possible to trust the network. Register for "Building Zero Trust Model with Microsegmentation in the Cloud" to learn more: http://www.sans.org/info/201245
*****************************************************************************
TRAINING UPDATE
-- SANS 2018 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2018
-- SANS Las Vegas 2018 | January 28-February 2 | https://www.sans.org/event/las-vegas-2018
-- Cyber Threat Intelligence Summit | Bethesda, MD | January 29-February 5 | https://www.sans.org/event/cyber-threat-intelligence-summit-2018
-- SANS London February 2018 | February 5-10 | https://www.sans.org/event/london-february-2018
-- SANS Southern California-Anaheim 2018 | February 12-17 | https://www.sans.org/event/southern-california-anaheim-2018
-- Cloud Security Summit & Training 2018 | San Diego, CA | February 19-26 | https://www.sans.org/event/cloud-security-summit-2018
-- SANS Secure Japan 2018 | February 19-March 3 | https://www.sans.org/event/sans-secure-japan-2018
-- SANS London March 2018 | March 5-10 | https://www.sans.org/event/London-March-2018
-- SANS Secure Singapore 2018 | March 12-24 | https://www.sans.org/event/secure-singapore-2018
-- SANS OnDemand and vLive Training | The SANS Training you want with the flexibility you need. Special Offer: Get an iPad, ASUS Chromebook or $350 Off with your vLive Course when you register by January 24. https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all
*****************************************************************************
TOP OF THE NEWS
--
Cyber Security Competitions for Girls in US and UK
(January 16, 2018)
Signups are now open in the US for the GirlsGoCyberStart competition for high school girls in 16 US states (www.girlsgocyberstart.com), and in the UK for the 2018 CyberFirst Girls Competition (girls) and the CyberDiscovery competition (boys and girls). The US competition is open to all high school girls (public, private, or home-schooled) in the following states (HI, NV, CO, WY, TX, IA, IN, MS, NC, MD, WV, DE, NJ, NY, CT, VT, and American Samoa); schools don't have to participate, as the kids can play from home. The UK CyberFirst competition is open to 12 to 13 year-old girls in year 8 in England, S2 in Scotland, and year 9 in Northern Ireland. Last year's US competition had 3,500 participants (reports from the participating states are posted at cyberstart.us), while the UK competition had more than 8,000 participants. In addition, more than 10,000 high school boys and girls in England have already signed up and are playing in the CyberDiscovery program.
[Editor Comments]
[Neely] This is an excellent opportunity to learn, network and apply skills at a young age. These participants will likely be a key part of our next generation of InfoSec professionals. I encourage any eligible girls in an area that is open to them to participate.
Read more in:
United States Competitions
Introducing Girls Go CyberStart
And https://www.sans.org/CyberStartUS
United Kingdom
NCSC: It's back! The CyberFirst Girls Competition 2018
https://www.ncsc.gov.uk/blog-post/its-back-cyberfirst-girls-competition-2018
CyberFirst: Girls Competition is back!
https://www.cyberfirst.ncsc.gov.uk/girlscompetition/
UK CyberDiscovery: https://www.joincyberdiscovery.com/
--
Indiana Hospital Paid Ransomware Attackers to Regain Data Access
(January 16 & 17, 2018)
Hancock, the Indiana hospital that was hit by ransomware last week, paid the attackers four Bitcoins (approximately $55,000 USD) to regain access to its data. The hospital decided to pay the ransom rather than restore its systems from backups because restoration would have been time-consuming and expensive.
[Editor Comments]
[Murray] In the face of ransomware, one needs a backup system designed with the necessary time to restore as a feature. The old assumptions, that backup would rarely be used and only to recover a limited number of files, no longer hold.
[Williams] We've seen evidence that attackers are experimenting to find that ransom sweet spot where companies will pay to avoid executing a DR plan. As long as restoring from backups is more expensive than paying the ransom, it appears companies decide it makes financial sense to pay a ransom. However, 100% of the companies we work with that have paid a ransom have had the attackers try to come back for more later. Paying the ransom works in the short term, but immediate changes are needed in network security to avoid paying ransoms again and again. Most important: implement network monitoring and skilled people who can detect attacks in the early stages.
[Neely] While these systems had backups, they could not be restored quickly enough to meet operational requirements. When managing a backup system remember to factor in the recovery time objective and test to make sure that objective can be met as well as verify that the objective has not changed or is appropriate for all use cases needed to meet operational requirements. Conducting regular DR exercises will help this process.
Read more in:
The Register: Hospital injects $60,000 into crims' coffers to cure malware infection
http://www.theregister.co.uk/2018/01/16/us_hospital_ransomware_bitcoin/
ZDNet: US hospital pays $55,000 to hackers after ransomware attack
http://www.zdnet.com/article/us-hospital-pays-55000-to-ransomware-operators/
--
Industrial Control Systems and CPU Bugs
(January 18, 2018)
Twelve industrial control system (ICS) vendors have told ICS-CERT that they use processors affected by the Meltdown and Spectre bugs. The companies have issued customer notifications that include recommendations for users.
[Editor Comments]
[Neely] ICS vendors are providing information on impact, applicability, patch guidance and mitigation information. Important ICS mitigations include isolation and not executing additional unnecessary applications on those systems. Work with your ICS vendor to make sure the patches are not only tested but that any performance impacts are known and acceptable.
Read more in:
The Register: Industrial systems scrambling to catch up with Meltdown, Spectre
http://www.theregister.co.uk/2018/01/18/ics_cert_meltdown_responses/
ICS-CERT: Meltdown and Spectre Vulnerabilities (Update B)
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-18-011-01B
************************** SPONSORED LINKS ********************************
1) Register now for our webcast to learn how we're redefining security in the software defined data center: http://www.sans.org/info/201250
2) Don't Miss: "Mind the Gap: going beyond penetration testing for security improvement" Register: http://www.sans.org/info/201255
3) "Why Insider Actions Matter: SANS Review of LogRhythm CloudAI for User and Entity Behavior Analytics" with Dave Shackleford. Register: http://www.sans.org/info/201260
*****************************************************************************
THE REST OF THE WEEK'S NEWS
--
Microsoft Releases Fixes for Problematic CPU Patches
(January 18, 2018)
Microsoft has released new updates to address problems with some of the initial patches it distributed to fix the Meltdown and Spectre issues. Some users were reporting that the patch rendered their AMD systems unbootable. The first patches were released on January 3, 2018; Microsoft stopped their distribution on January 9 following reports of the problems. New fixes are available for five of nine affected security updates.
Read more in:
Bleeping Computer: Microsoft Resumes Meltdown & Spectre Updates for AMD Devices
ZDNet: Windows 10 Meltdown-Spectre patch: New updates bring fix for unbootable AMD PCs
--
Cryptex Creator Pleads Guilty
(January 18, 2018)
The person who created the Cryptex and ReFUD.me malware has pleaded guilty to charges under the UK's Computer Misuse Act and Proceeds of Crime Act. Goncalo Esteves was arrested in 2015 and will be sentenced next month.
Read more in:
SC Magazine UK: KillaMuvz pleads guilty to being a sophisticated malware operator
--
Man Pleads Guilty to Dozens of DDoS Attacks
(January 17 & 18, 2018)
John Kelsey Gammell has pleaded guilty to charges connected to a series of distributed denial-of-service (DDoS) attacks. Gammell's DDoS targets included not only former employers but also companies that would not hire him, business competitors, and law enforcement websites. Gammell launched the attacks from his own computers and also paid DDoS-for-hire services to carry out attacks. Gammell pleaded guilty to conspiracy to commit intentional damage to a protected computer as well as other charges.
[Editor Comments]
[Honan] For those of you looking to start a career in cybersecurity, take a lesson from this story: threatening a potential employer with a cyber-attack is not the best way to make a positive impression.
Read more in:
ZDNet: Man pleads guilty to launching DDoS attacks against former employers
http://www.zdnet.com/article/man-pleads-guilty-to-launching-ddos-attacks-against-former-employers/
DoJ: New Mexico Man Pleads Guilty to Directing Computer Attacks Against Websites of Dozens of Victims, as Well as Felon-In-Possession Charges
--
Oracle Critical Patch Update
(January 17 & 18, 2018)
Oracle's most recent quarterly critical patch update, released earlier this week, includes fixes for 237 security issues. The batch includes fixes for 34 flaws in Oracle Financial Services Applications, 27 in Fusion Middleware, 25 in MySQL, and 21 in Java SE.
[Editor Comments]
[Williams] Also included in this patch roll-up is a fix for a VirtualBox vulnerability (CVE-2018-2698) that allows attackers to exploit the host (hypervisor) operating system from inside the guest. This breaks the traditionally assumed isolation between the host and the guest operating systems. If you are using VirtualBox in production (particularly for malware sandboxes), this is one to patch immediately.
Read more in:
The Register: And Oracle E-biz suite makes 3: Package also vulnerable to exploit used by crypto-currency miner
http://www.theregister.co.uk/2018/01/18/oracle_app_crypto_mining_vuln/
Threatpost: Oracle Ships 237 Fixes in Latest Critical Patch Update
https://threatpost.com/oracle-ships-237-fixes-in-latest-critical-patch-update/129477/
Oracle: Oracle Critical Patch Update Advisory - January 2018
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
--
Trisis Malware Used in Attack Against Middle Eastern Energy Company
(January 16 & 18, 2018)
At the S4x18 ICS Security Conference in Miami, Florida, Schneider Electric offered new details about a breach at an energy plant in the Middle East late last summer that caused it to halt operations. Using malware known as Trisis, attackers exploited a zero-day privilege escalation flaw in Schneider's Triconex Tricon safety-controller firmware. Trisis also contained a Remote Access Trojan (RAT).
Read more in:
Dark Reading: Schneider Electric: TRITON/TRISIS Attack Used 0-Day Flaw in its Safety Controller System, and a RAT
Cyberscoop: Schneider Electric: Trisis leveraged zero-day flaw, used a RAT
https://www.cyberscoop.com/schneider-electric-trisis-zero-day-rat/
Cyberscoop: Trisis has the security world spooked, stumped and searching for answers
https://www.cyberscoop.com/trisis-ics-malware-saudi-arabia/
Reuters: Schneider Electric says bug in its software exploited in hack
--
Hawaii Emergency Management Agency Password on a Post-it
(January 17, 2018)
The Hawaii Emergency Management Agency (HEMA), currently making headlines for an erroneous missile alert, is now taking flak for a photo showing a password written on a Post-it stuck to a computer monitor. The picture was taken in July. The agency confirmed that it was a real password used for an internal application that is likely no longer in use.
[Editor Comments]
[Honan] As an industry we really should not be focusing on the fact that someone has to write down a password in order to enable them to use a system. Rather than focusing on the end user, we need to figure out how we can include secure access into our systems to make it convenient for users to have safe access.
[Neely] This takes the focus off the root efforts to prevent a recurrence of the unfortunate false alert. This is not the first time a password was recorded by a visiting camera, and it is a reminder to consider OPSEC when visitors are present. Also, while passwords written on Post-its and whiteboards are generally immune to malware, it is still important to remember who else can view (and capture) them. If your password management still involves writing things down, store those notes securely where only those that have a need-to-know can access them. Better yet, this would be a great time to move to an electronic password manager.
Read more in:
SC Magazine: Post-it with password spotted in online photo of Hawaii Emergency Management Agency HQ
Quartz: A photo accidentally revealed a password for Hawaii's emergency agency
Motherboard: Go Ahead and Put Your Password on a Post-It Note
https://motherboard.vice.com/en_us/article/7xeqe9/hawaii-emergency-password-post-it
--
House Passes Bill Flouting Tillerson's Decision to Eliminate State Dept. Cyber Post
(January 17 & 18, 2018)
The US House of Representatives has passed the Cyber Diplomacy Act, which, if enacted, would restore a top-level cyber security position at the State Department eliminated by Secretary of State Rex Tillerson last year. The legislation would reinstate the position and expand its purview.
Read more in:
FCW: House passes bill restoring State cyber office
https://fcw.com/articles/2018/01/18/state-dept-cyber-johnson.aspx
Nextgov: House Votes to Restore Top Cyber Diplomat's Office
http://www.nextgov.com/policy/2018/01/house-votes-restore-top-cyber-diplomats-office/145256/
Cyberscoop: Cyber diplomacy office at State Department would return under House-passed bill
Congress: Cyber Diplomacy Act of 2017
--
Fixes Available for BIND Vulnerability
(January 16 & 17, 2018)
A patch is available for a denial-of-service vulnerability in the BIND Domain Name System software that has been present since 2000. The flaw is "a use-after-free error that can trigger an assertion failure and crash in named." Users can temporarily disable DNSSEC as a workaround until the patch is applied.
Read more in:
ISC KB: Improper fetch cleanup sequencing in the resolver can cause named to crash
https://kb.isc.org/article/AA-01542
The Register: BIND comes apart thanks to ancient denial-of-service vuln
http://www.theregister.co.uk/2018/01/17/bind_patch_catches_crashes/
INTERNET STORM CENTER TECH CORNER
Are You Watching for Brute Force Attacks on IPv6?
https://isc.sans.edu/forums/diary/Are+you+watching+for+brute+force+attacks+on+IPv6/23213/
Oracle Critical Patch Update
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html#AppendixFMW
Kaspersky Observes Advanced Android Spyware
https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/
Auditing Secure USB Keys
https://www.j-michel.org/blog/2018/01/16/attacking-secure-usb-keys-behind-the-scene
Microsoft Resumes Patches for AMD Systems
https://www.amd.com/en/corporate/speculative-execution
Speculations About Yet Another CPU Attack
BIND Fixes DoS Vulnerability
https://kb.isc.org/article/AA-01542
Oracle E-Business Suite Server Can Be Attacked via WebLogic
Malicious Open Graph Title Tag Crashes iMessage
https://www.macrumors.com/2018/01/16/malicious-link-ios-mac-freezes/
Smiths Medfusion 4000 Vulnerabilities
https://github.com/sgayou/medfusion-4000-research/blob/master/doc/README.md#summary
Reviewing the Spam Filters: Malspam Pushing Gozi-ISFB
https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245/
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Sean McBride is Director of Analysis and co-founder of Critical Intelligence, and, while at Idaho National Laboratory, he initiated the situational awareness effort that became the ICS-CERT.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create