SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #65
August 17, 2018
****************************************************************************
SANS NewsBites August 17, 2018 Vol. 20, Num. 065
****************************************************************************
TOP OF THE NEWS
Chinese Hackers Scanned US Communication Companies, Government Agencies in Weeks Surrounding Alaskan Trade Mission
Cybertropolis: Cyber Range for US Army
Markey Seeks Information from Government and Industry on Grid Security
Oracle Urges Update to Fix Critical Flaw in Database Server
REST OF THE WEEK'S NEWS
Linux Kernel Updates
FCC's Pai Tells Senate Commerce Committee That He Didn't Think Comment System Outage Was Due to DDoS
Order Reverses Rules for Cyberattacks
Thieves Steal Millions from India's Cosmos Bank
Patch Tuesday: Microsoft and Adobe
More Intel Chip Flaws
Cisco Patches IOS and IOS XE Firmware
Google Keeps On Tracking
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By Absolute Software Corp. ************************************
Learn about the key steps required to keep sensitive healthcare data safe and avoid disastrous data breaches. Register: http://www.sans.org/info/206170
*****************************************************************************
-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018
-- SANS Amsterdam September 2018 | September 3-8 | https://www.sans.org/event/amsterdam-septembers-2018
-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018
-- Threat Hunting & Incident Response Summit 2018 | New Orleans, LA | September 6-13 | https://www.sans.org/event/threat-hunting-and-incident-response-summit-2018
-- SANS Baltimore Fall 2018 | September 8-15 | https://www.sans.org/event/baltimore-fall-2018
-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018
-- Oil & Gas Cyber Security Summit 2018 | Houston, TX | October 1-6 | https://www.sans.org/event/oil-gas-cybersecurity-summit-2018
-- SANS Northern VA Fall-Tysons 2018 | October 13-20 | https://www.sans.org/event/northern-va-fall-tysons-2018
-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get a GIAC Certification Attempt Included or Take $350 Off with OnDemand or vLive, Offer Ends August 22.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--Chinese Hackers Scanned US Communication Companies, Government Agencies in Weeks Surrounding Alaskan Trade Mission
(August 16, 2018)
In the weeks before and after an Alaskan trade mission to China, Chinese hackers used systems at Tsinghua University to scan systems at US energy companies, communications companies, and the Alaskan state government and Department of Natural Resources. A report from Recorded Future says that the Chinese hackers were seeking information to give the country an upper hand during the talks.
[Editor Comments]
[Pescatore] If your company has any physical security, someone checks that the doors are locked and the alarms are set each night. If your company has a roof, someone checks that the roof isn't leaking. If the criminals (or rain drops) are coming from China, Russia or Iran, or Sheboygan or Granite City, it really doesn't change the basic security hygiene equation. The danger with these types of headlines is that they cause CEOs and Boards of Directors to say, "well, we are in the [non-sexy vertical business here] industry, China or Russia won't be going after us."
Read more in:
Reuters: Chinese hackers targeted U.S. firms, govt after trade mission: researchers
CNET: Chinese hackers targeted US agencies during trade talks
https://www.cnet.com/news/chinese-hackers-targeted-us-agencies-during-trade-talks/
Recorded Future: Chinese Cyberespionage Originating From Tsinghua University Infrastructure
https://www.recordedfuture.com/chinese-cyberespionage-operations/
--Cybertropolis: Cyber Range for US Army
(August 16, 2018)
The Army, along with the SANS Institute, has developed Cybertropolis, a cyber training environment that closely resembles a fully-functioning city. Most cyber ranges are solely digital, or "fingers on keyboard," while this 400-acre facility has a functioning power grid and other physical features that soldiers are likely to encounter. The Army training complex has been used for years, but until recently there was no cyber component to the environment.
[Editor Comments]
[Murray] Train as we fight, fight as we train. As a young artillery forward observer in training, one fired a lot of rounds at Fort Sill. One watched exercises that were even more expensive. The more accurately the range and the training simulate the real thing, the more effective the troops will be in combat.
[Neely] A life size implementation allows participants to practice like you play; providing real-world experience is key for preparing to deal with a response scenario. This takes SANS CyberCity to the next level.
[Paller] What makes a cyber range useful and cost effective is pre-planned and pre-deployed scenarios that can be quickly reset. That sets the Army's Cybertropolis apart from the many cyber ranges developed previously, where most new scenarios required extensive and expensive custom work to develop and deploy. It's also the reason that NetWars and CyberCity have helped tens of thousands of soldiers and others develop strong scenario-based response skills, while other ranges generally cost ten times as much and count their student successes in the dozens or low hundreds.
Read more in:
FNR: In Cybertropolis, Army begins to move its cyber training exercises into the physical world
--Markey Seeks Information from Government and Industry on Grid Security
(August 13 & 14, 2018)
US Senator Edward Markey (D-Massachusetts) has written to US utility companies and federal agencies seeking information about reported cyberattacks conducted by hackers working on behalf of Russia against US utility company systems in 2016 and 2017. Markey wants to know how they are "maximiz[ing] the security of our electric grid and minimiz[ing] its vulnerabilities to attack."
[Editor Comments]
[Murray] It is likely that nation states are in the target and vulnerability identification, espionage, phase at the moment. They may also be planting attack code that they plan to trigger for sabotage only at the time of other conflict.
Read more in:
FCW: Sen. Markey wants details on cyber threats to the U.S. grid
https://fcw.com/articles/2018/08/14/markey-cyber-grid-letter.aspx
Markey: Letter to DHS Secretary Nielsen
https://www.markey.senate.gov/imo/media/doc/Electric%20Utility%20Attacks%20Letter%20to%20DHS.pdf
Markey: Letter to ConEd CEO
--Oracle Urges Update to Fix Critical Flaw in Database Server
(August 14, 2018)
Oracle is urging its customers to update vulnerable versions of its Database Server to fix a critical code execution flaw. The issue lies in the Oracle Database Server JavaVM component; exploitation requires that the attacker have a connection to the server through Oracle Net. The vulnerability affects Oracle Database Server 11.2.0.4, 12.1.0.2, and 12.2.0.1 on Windows, and Oracle Database 18 on Linux and Unix. Fixes for version 12.2.0.1 and Oracle Database 18 were included in Oracle's July Critical Patch Update.
[Editor Comments]
[Neely] The flaw is critical, receiving a 9.9 out of 20 rating, and easily exploitable, but requires access to the Oracle Net (formerly SQL*Net) traffic. While your Oracle Net traffic is likely not exposed to the Internet, it is likely reachable on your Internet, so judicious patching is warranted.
Read more in:
The Register: Oracle: Run, don't walk, to patch this critical Database takeover bug
https://www.theregister.co.uk/2018/08/14/oracle_database_flaw/
Oracle: Oracle Security Alert Advisory - CVE-2018-3110
http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-5032149.html
************************** SPONSORED LINKS ********************************
1) Join SANS at the Threat Hunting & Incident Response Summit on Sep. 6-7 in New Orleans! Learn from top threat hunters and security practitioners as they share the latest methods and techniques used to hunt adversaries. http://www.sans.org/info/206175
2) Learn best practices and real-life examples for building and maintaining an effective insider threat program. Register: http://www.sans.org/info/206180
3) "How Network Traffic Analytics Eliminates Darkspace for the SOC" with Chris Crowley. Register: http://www.sans.org/info/206185
*****************************************************************************
REST OF THE WEEK'S NEWS
--Linux Kernel Updates
(August 16, 2018)
Those responsible for maintaining the Linux kernel have released fixes for two vulnerabilities that could be exploited to create denial-of-service conditions. Both flaws affect the kernel's TCP stack.
Read more in:
Internet Storm Center: Back to the 90's: FragmentSmack
https://isc.sans.edu/forums/diary/Back+to+the+90s+FragmentSmack/23998/
Bleeping Computer: Two DDoS Friendly Bugs Fixed in Linux Kernel
https://www.bleepingcomputer.com/news/linux/two-ddos-friendly-bugs-fixed-in-linux-kernel/
Mitre: CVE-2018-5390: Linux kernel versions 4.9+ can be forced to make very expensive calls
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5390
KB CERT: Vendor Information for VU#641765: Linux kernel IP fragment re-assembly vulnerable to denial of service
https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=641765&SearchOrder=4
--FCC's Pai Tells Senate Commerce Committee That He Didn't Think Comment System Outage Was Due to DDoS
(August 15 & 16, 2018)
Earlier this month, the US Federal Communications Commission (FCC) inspector general released an internal report that concluded that the FCC's statement that its comment system had been hit with distributed denial-of-service (DDoS) attacks was untrue. In testimony before the US Senate Commerce Committee on August 16, FCC chairman Ajit Pai told lawmakers that he did not believe that the agency's comment system had been the target of DDoS attacks. Pai said that he took the FCC CIO's word that it had. Pai also maintained that he was bound by a confidentiality request from the FCC office of inspector general regarding the incidents until the investigation was complete.
[Editor Comments]
[Pescatore] Focusing on the security aspect, I can't resist a mangled metaphor, or maybe strangled simile: oh, what a tangled web we weave when we shout "Wolf!" when we didn't build the hut strong enough to allow all the little piggies to successfully use our website without it getting blown down. From a customer perspective, the site didn't work, and the business failed; the CIO is to blame either way for the failure, whether it was not sufficiently protected from denial of service attacks, or it wasn't robust enough to handle customer loads.
[Murray] Ongoing investigation seems to cover (hide?) a lot of sins.
Read more in:
Washington Post: FCC chief Ajit Pai testifies on Capitol Hill after agency was found to have misled public about cyberattack
Motherboard: Ajit Pai Says He Had Doubts About DDoS Attack, But Didn't Say Anything
MeriTalk: House Democrats Hammer FCC Chairman Over Cyber Attack Claim
https://www.meritalk.com/articles/house-democrats-hammer-fcc-chairman-over-cyber-attack-claim/
--Order Reverses Rules for Cyberattacks
(August 15 & 16, 2018)
The president has signed an order that reverses the Obama-era Presidential Policy Directive 20, which set forth a specific process that had to take place before cyberweapons could be deployed. Presidential Policy Directive 20 required multiple agencies to sign off on offensive cyber operations. (Please note that the WSJ story is behind a paywall.)
[Editor Comments]
[Neely] Launching cyberweapons is not the same as launching a battlefield attack. Obfuscation techniques make accurate attribution difficult and an intentional US Government sponsored action could lead to non-cyber response.
[Northcutt] This is a complex problem and no response procedure will be perfect. It is important to consider the impact of a failure to properly attribute cyberwarfare artifacts as attribution is an inexact art at best.
[Williams] As someone who has been involved in offensive cyber operations first hand, I think this is a policy mistake. The military typically must receive authorization from the President before performing any offensive military operations precisely because of the potential political fallout from those operations. Cyber operations are no different and, if anything, offer increased possibility of political fallout due to misattribution. While NSA and CYBERCOM definitely want more autonomy to deploy their cyber weapons, this policy reversal is a mistake in my opinion.
[Murray] Cyber weapons are not consumed by their use. Their target identification and aiming are imprecise. They can, and have been, turned upon their creator/user. They should be used sparsely and with care. Rules of engagement should reflect this.
Read more in:
The Hill: Trump ends Obama-era rules on US-led cyberattacks: report
BBC: President Trump relaxes US cyber-attacks rules
https://www.bbc.com/news/technology-45208776
WSJ: Trump, Seeking to Relax Rules on U.S. Cyberattacks, Reverses Obama Directive (Paywall)
--Thieves Steal Millions from India's Cosmos Bank
(August 15, 2018)
Thieves stole more than 940 million rupees ($13.4 million USD) from India's Cosmos Bank over a three-day period. The first attacks, which occurred on Saturday, August 11, involved 805 million rupees ($11.5 million USD) in fraudulent withdrawals made from ATMs around the world. In a second wave of attacks, on Monday, August 13, thieves used the SWIFT network to conduct three fraudulent transactions, sending funds to a bank in Hong Kong. The incidents bear out the FBI's warning of an imminent ATM cashout scheme (see Brian Krebs's story).
Read more in:
The Register: India's Cosmos bank raided for $13m by hackers
https://www.theregister.co.uk/2018/08/15/cosmos_bank_raided/
Bleeping Computer: Hackers Steal $13.5 Million Across Three Days From Indian Bank
KrebsOnSecurity: FBI Warns of Unlimited ATM Cashout Blitz
https://krebsonsecurity.com/2018/08/fbi-warns-of-unlimited-atm-cashout-blitz/
--Patch Tuesday: Microsoft and Adobe
(August 14 & 15, 2018)
On Tuesday, August 14, Microsoft and Adobe released their monthly security updates. Microsoft issued fixes for 60 vulnerabilities, including two zero-day flaws that are being actively exploited to take control of machines. Adobe has released patches for vulnerabilities in Flash Player, Acrobat/Reader, Creative Cloud, and Experience Manager.
[Editor Comments]
[Neely] The MS patches include fixes to how linked/shortcut (.lnk) files are handled (CVE-2018-8345). Previously, just viewing the shortcut, rather than clicking on it, could result in the linked content being executed. Deploy this fix to workstations and servers.
[Murray] The number of vulnerabilities detected continues to be in the tens per month. The developers are pushing great maintenance cost onto the users but patching seems futile; the number of undetected flaws does not appear to be going down. The tools and processes that we are using for development are inadequate to the task. We need a better strategy than late error detection and remediation and better tactics and tools to implement it.
Read more in:
KrebsOnSecurity: Patch Tuesday, August 2018 Edition
https://krebsonsecurity.com/2018/08/patch-tuesday-august-2018-edition/
The Register: Patch Tuesday heats up with pair of exploited zero-days squashed, plus 58 other vulns fixed
https://www.theregister.co.uk/2018/08/14/august_bank_holiday/
SC Magazine: Patch Tuesday August 2018: Microsoft corrects two actively exploited zero-day bugs
SC Magazine: Patch Tuesday August 2018: Adobe mends two critical bugs in Acrobat and Reader
MSRC: Security Update Summary
https://portal.msrc.microsoft.com/en-us/security-guidance/summary
Adobe: Security updates available for Flash Player | APSB18-25
https://helpx.adobe.com/security/products/flash-player/apsb18-25.html
Adobe: Security Bulletin for Adobe Acrobat and Reader | APSB18-29
https://helpx.adobe.com/security/products/acrobat/apsb18-29.html
Adobe: Security updates available for Creative Cloud Desktop Application | APSB18-20
https://helpx.adobe.com/security/products/creative-cloud/apsb18-20.html
Adobe: Security updates available for Adobe Experience Manager | APSB18-26
https://helpx.adobe.com/security/products/experience-manager/apsb18-26.html
--More Intel Chip Flaws
(August 14, 2018)
A newly-detected group of Spectre-like flaws in Intel chips can bypass Intel's Software Guard Extensions (SGX) feature. The family of flaws, dubbed Foreshadow, could be exploited to steal sensitive information.
Read more in:
Wired: Spectre-Like Flaw Undermines Intel Processors' Most Secure Element
https://www.wired.com/story/foreshadow-intel-secure-enclave-vulnerability/
The Register: Three more data-leaking security holes found in Intel chips as designers swap security for speed
https://www.theregister.co.uk/2018/08/14/intel_l1_terminal_fault_bugs/
SC Magazine: New family of new speculative execution bugs, Foreshadow, adds to Spectre-Meltdown misery
Ars Technica: Intel's SGX blown wide open by, you guessed it, a speculative execution attack
Dark Reading: Intel Reveals New Spectre-Like Vulnerability
Intel: Q3 2018 Speculative Execution Side Channel Update
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00161.html
Intel: L1 Terminal Fault / CVE-2018-3615, CVE-2018-3620, CVE-2018-3646 / INTEL-SA-00161
https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
--Cisco Patches IOS and IOS XE Firmware
(August 14 & 15, 2018)
Cisco has released fixes to address a security bypass vulnerability in the Internet Key Exchange version 1 (IKEv1) protocol that could be exploited to obtain IKEv1 encrypted nonces. Three other vendors (Huawei, Clavister, and ZyXEL) have also patched IKEv1 vulnerabilities in their products.
Read more in:
Cisco: Cisco IOS and IOS XE Software Internet Key Exchange Version 1 RSA-Encrypted Nonces Vulnerability
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180813-rsa-nonce
The Register: Cisco patches IOS in response to boffins' IKE-busting breakthrough
https://www.theregister.co.uk/2018/08/14/cisco_patches_ios/
ZDNet: Cisco patches router OS against new crypto attack on business VPNs
https://www.zdnet.com/article/cisco-patches-router-os-against-new-crypto-attack-on-business-vpns/
The Register: Support for ageing key exchange crypto leaves VPNs open to attack
https://www.theregister.co.uk/2018/08/15/ipsec_vpn_vulnerability/
--Google Keeps On Tracking
(August 13, 2018)
An investigation conducted by the Associated Press (AP) found that Google stores users' location data even when those users have switched off Location History in their account settings. In fact, turning off Location History only stops Google from adding location information to a viewable timeline. The issue affects all iPhone and Android users who run Google Maps on their devices. There is a way to completely turn off location tracking by making changes to the Web and App Activity setting, but it is not easy to find.
[Editor Comments]
[Pescatore] Google does lots of really good stuff in security, but exposing user information to sell ads at higher rates is pretty well entrenched in their DNA, as it is with most companies with free products that get revenue through advertising.
Read more in:
CSM: Turned off location history tracking? Google might still be following you
BBC: Google tracks users who turn off location history
https://www.bbc.com/news/technology-45183041
Wired: Google Tracks You Even if Location History's Off. Here's How to Stop it
https://www.wired.com/story/google-location-tracking-turn-off/
*****************************************************************************
INTERNET STORM CENTER TECH CORNER
Microsoft Patch Tuesday Summary
https://isc.sans.edu/forums/diary/Microsoft+August+2018+Patch+Tuesday/23986/
Oracle Database Patch
http://www.oracle.com/technetwork/security-advisory/alert-cve-2018-3110-5032149.html
Intel Fixes Three More CPU Flaws
https://software.intel.com/security-software-guidance/software-guidance/l1-terminal-fault
Password Protected Word Documents Push AZORult and Hermes Ransomware
Linux IP Fragmentation DoS
https://www.kb.cert.org/vuls/id/641765
Scripting Mouse Clicks to Bypass macOS Security
https://speakerdeck.com/patrickwardle/the-mouse-is-mightier-than-the-sword
Concentration of Coinhive Miners
https://arxiv.org/pdf/1808.00811.pdf
Anonymize PCAPS
https://isc.sans.edu/forums/diary/Truncating+Payloads+and+Anonymizing+PCAP+files/23990/
OpenSSH User Enumeration Vulnerability
http://seclists.org/oss-sec/2018/q3/124
VoiceXML XML External Entity Vulnerability
https://hackerone.com/reports/395296
Skimreaper Credit Card Skimmer Detector
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create