SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #68
August 28, 2018Next week, SANS will make available the first module of a remarkably effective technique for cybersecurity professionals who want to learn to give talks that cause their audiences to take the right actions. We need your help in ensuring we cover all the key talks you have to give. If you would like early access to the new training program, or just want to help, send me (apaller@sans.org) a note with a list of the key types of talks you have to or will have to give, what you want the audience to do when you are finished with each, and why it matters.
****************************************************************************
SANS NewsBites August 28, 2018 Vol. 20, Num. 068
****************************************************************************
TOP OF THE NEWS
Voting Machine Vendor Taking Steps to Improve Product Security Ahead of Midterm Elections
Iranian Hackers Targeting University Research
Facebook Bug Turned Off SMS 2FA When User Changed Privacy Settings
Struts POC Exploit Code on GitHub
REST OF THE WEEKS NEWS
Andromeda Botnet Operator Surrenders Profits, Avoids Prison
Details of Cosmos Bank Theft
US Legislators Ask FTC to Investigate Verizon for Deceptive Practices Over Throttling Emergency Crew Data Speeds
Bank of Spain Website Hit with Cyberattack
Hayden on US Cyber Strategy, Russia, China, and Hacking Back
T-Mobile Breach
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By InfoBlox *************************
Discover how to eliminate silos between networking and security operations and speed up response times. Attend this webinar and learn how Infoblox and Aruba ClearPass integration can help you. Register: http://www.sans.org/info/206460
*****************************************************************************
-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018
-- SANS Baltimore Fall 2018 | September 8-15 | https://www.sans.org/event/baltimore-fall-2018
-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018
-- Oil & Gas Cyber Security Summit 2018 | Houston, TX | October 1-6 | https://www.sans.org/event/oil-gas-cybersecurity-summit-2018
-- SANS Northern VA Fall-Tysons 2018 | October 13-20 | https://www.sans.org/event/northern-va-fall-tysons-2018
-- SANS London September 2018 | October 15-20 | https://www.sans.org/event/london-october-2018
-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018
-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018
-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get an iPad Mini, ASUS Chromebook C300SA or Take $250 Off with OnDemand or vLive, Offer Ends September 5.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
Single Course Training
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/courses
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--Voting Machine Vendor Taking Steps to Improve Product Security Ahead of Midterm Elections
(August 23, 2018)
Election Systems & Software says it plans to work with the US Department of Homeland Security (DHS) and the Elections Infrastructure and Information Technology Information Sharing and Analysis Centers (EI-ISAC and IT-ISAC) to improve the monitoring of potential exploitation of vulnerabilities in its products before Novembers midterm elections. The company also plans to install security sensors in its voter registration environments.
[Editor Comments]
[Murray and Paller] At this point, suppliers and government at all levels should be collaborating to compensate for both fundamental and implementation-induced weaknesses in our election systems. The time for admiring the problem is past. The new Election Infrastructure ISAC is the most promising approach toward that end. It has moved surprisingly fast.
https://www.cisecurity.org/ei-isac/ei-isac-services/
[Pescatore] Better late than never, which is the same comment I had back in 2002 when then Microsoft CEO Bill Gates sent out his Security is Job 1 email and Microsoft finally began to consider security as a demanded feature vs. an expense. But, just last month ES&S (the largest voting system vendor in the US) defended including PC Anywhere in some voting systems by saying it was considered an accepted practice by numerous technology companies, including other voting system manufacturers. Since their products will not be trustable anytime soon, good to see real time monitoring by the EI-ISAC will be prioritized.
[Neely] ES&S has identified steps that will raise the bar on these systems; the hard part will be having the new defenses and updates deployed in the field before the election. ES&S still needs partnerships with independent testers to verify the security of their systems. Without independent assessment with published results, the voter remains unaware of the level of security when casting a ballot.
Read more in:
The Hill: Major vendor of voting systems to boost security following criticism
http://thehill.com/policy/cybersecurity/403366-major-voting-system-vendor-announces-new-efforts-to-boost-security
ES&S: ES&S Establishes Top-Level Partnerships (Press Release)
https://www.essvote.com/blog/127/
--Iranian Hackers Targeting University Research
(August 24, 2018)
A group of hackers believed to be working on behalf of the Iranian government has been conducting phishing attacks on universities around the world with the apparent intent of stealing intellectual property. The attacks attempt to obtain account access credentials through phony university library login portals. Earlier this year, the US Department of Justice (DoJ) indicted nine people believed to be part of the same group.
[Editor Comments]
[Paller] College-based scientists are the Achilles heel of Americas space and military research programs. When I served on the NASA Advisory Councils Infrastructure Committee I met with university-based teams receiving tens of millions of dollars from NASA and DoD to design and operate the infrastructure for some of our most sensitive satellite systems. Their view of security was consistently that it wasnt their problem; that they were scientists and far too important to focus on cybersecurity.
Read more in:
ZDNet: Iranian hackers target 70 universities worldwide to steal research
https://www.zdnet.com/article/iran-hackers-target-70-universities-in-14-countries/
The Register: Uni credential-swiping hack campaign linked to Iranian government
https://www.theregister.co.uk/2018/08/24/iranian_hackers_secureworks/
Bleeping Computer: Iranian Hackers Charged in March Are Still Actively Phishing Universities
https://www.bleepingcomputer.com/news/security/iranian-hackers-charged-in-march-are-still-actively-phishing-universities/
--Facebook Bug Turned Off SMS 2FA When User Changed Privacy Settings
(August 24, 2018)
Journalist Louise Matsakis discovered that a bug in the way Facebook manages privacy setting changes turned off her SMS two-factor authentication (2FA). Matsakis received a notification from Facebook informing her that because her mobile phone number was removed from her account, the company turned off SMS 2FA to prevent her from being locked out. The problem was, Matsakis had not removed her phone number, so she assumed that her account had been hacked. With help from a colleague, Matsakis determined that her account appeared to be fine, and so she switched to a different form of account security. Later, she learned that Facebook has turned off SMS 2FA on her account after she changed the privacy level of her phone number so that it was visible only to her. The bug caused Facebook to believe she had deleted the phone number altogether. Facebook has since addressed the issue.
[Editor Comments]
[Murray] Any changes to phone numbers or addresses should be confirmed out of band to both the new and the old. Failure to receive an expected message (e.g., one time password) should be viewed as suspicious.
Read more in:
Wired: An Undiscovered Facebook Bug Made Me Think I was Hacked
https://www.wired.com/story/facebook-bug-two-factor-hack/
--Struts POC Exploit Code on GitHub
(August 24 & 27, 2018)
Proof-of-concept exploit code for the Apache Struts 2 vulnerability disclosed last week has been posted to GitHub. The improper data input validation flaw affects Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16. The vulnerability appears to be easier to exploit than the Struts flaw that was used in the Equifax breach.
[Editor Comments]
[Neely] While the specific code has not been confirmed as a working exploit, this reduces the effort needed to develop exploits that do work, re-enforcing the need to patch your struts environment now. Analysis of alternative model-view-controller frameworks should be conducted. Before switching, verify active development and flaw remediation practices are in place.
Read more in:
SC Magazine: Proof-of-concept exploit published shortly after disclosure of critical Apache Struts 2 flaw
https://www.scmagazine.com/proof-of-concept-exploit-published-shortly-after-disclosure-of-critical-apache-struts-2-flaw/article/791343/
Threatpost: PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability
https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/
Apache: S2-057: Possible Remote Code Execution when using results with no namespace
https://cwiki.apache.org/confluence/display/WW/S2-057
************************** SPONSORED LINKS ********************************
1) Join SANS at the Threat Hunting & Incident Response Summit on Sep. 6-7 in New Orleans! Learn from top threat hunters and security practitioners as they share the latest methods and techniques used to hunt adversaries. http://www.sans.org/info/206465
2) Don't Miss "Stronger Security with Global IT Asset Inventory" with Matt Bromiley and Pablo Quiroga. Register: http://www.sans.org/info/206470
3) ICYMI: "What Works in Visibility, Access Control and IOT SecurityPulse Secure NAC Outcomes at Energy Provider" view the archive: http://www.sans.org/info/206480
*****************************************************************************
REST OF THE WEEKS NEWS
--Andromeda Botnet Operator Surrenders Profits, Avoids Prison
(August 27, 2018)
Authorities in Belarus have dropped all charges against a man who was running an Andromeda botnet. Sergey Yarets cooperated with investigators and surrendered the money he made by renting out the botnet. A Radio Free Europe reporter said that the judge handed down a light sentence because there were no Belarusian victims.
Read more in:
Bleeping Computer: Andromeda Botnet Operator Released With a Slap on the Wrist
https://www.bleepingcomputer.com/news/security/andromeda-botnet-operator-released-with-a-slap-on-the-wrist/
--Details of Cosmos Bank Theft
(August 27, 2018)
An in-depth look at the theft of 13.5 million USD from Indias Cosmos Bank earlier this month revealed that the thieves used malware not only to steal the institutions SWIFT transaction codes, but also to steal customer account information. The theft occurred in several waves; funds were withdrawn from ATMs worldwide, through debit card transactions across India, and were transferred to Hong Kong through fraudulent SWIFT transactions. Researchers from Securonix suggests that North Korea may be behind the thefts.
Read more in:
ZDNet: How hackers managed to steal 13.5 million in Cosmos bank heist
https://www.zdnet.com/article/how-hackers-managed-to-steal-13-5-million-in-cosmos-bank-heist/
Securonix: Securonix Threat Research: Cosmos Bank SWIFT/ATM US 13.5 Million Cyber Attack Detection Using Security Analytics
https://www.securonix.com/securonix-threat-research-cosmos-bank-swift-atm-us13-5-million-cyber-attack-detection-using-security-analytics
--US Legislators Ask FTC to Investigate Verizon for Deceptive Practices Over Throttling Emergency Crew Data Speeds
(August 27, 2018)
US legislators have asked the Federal Trade Commission (FTC) to investigate whether Verizon is guilty of deceptive practices for throttling data speeds of firefighters battling blazes in California The lawmakers wrote that with its repeal of net neutrality rules, the FCC has abdicated its jurisdiction over broadband communications and walked away from protecting consumers, including public safety agencies. We, therefore, call on the FTC to protect consumers from unfair or deceptive acts or practices stemming from this incident. While the FTC cannot enforce rules against throttling, it can sue companies that misrepresent their terms of service to consumers.
[Editor Comments]
[Pescatore] Ignoring the politics involved here, in February of 2018 a judge ruled the FTC did have authority to go after ATT (and ISPs in general) for a similar throttling complaint from 4 years ago. The real change is most likely to be ISP Terms of Service agreement that get a lot longer and provide a lot more posterior coverage for the ISPs, vs. any actual change in throttling practices. Any organization that has high throughput dependencies on wireless ISP data services should proactively contact the wireless ISP and work to arrange exemptions/services similar to what Verizon says it will provide for first defenders.
https://www.courtlistener.com/recap/gov.uscourts.cand.289688/gov.uscourts.cand.289688.103.0.pdf
[Murray] There is little to no agreement as to the meaning of net neutrality. However, one thing that it does not mean is that everyone gets the same band width regardless of what one pays. The FTC is not directly concerned with net neutrality but rather with fair trading practices, more specifically with contract or terms of service. If one wishes to rely upon terms of service one should not wait to read them until one is sitting in the ashes. It should be obvious to all, even Congress critters, that neither net neutrality or existing terms of service would have resulted in what everyone can agree would be the desired outcome in this situation. That said, it is time for Congress to do the duty that it has so far so scrupulously avoided.
[Neely] The FTC actions are constrained to protection of consumers from unfair practices. Verizon already admitted they didnt explain the plan limitations clearly and violated their own practices of removing the restrictions in an emergency. If you have first responders, review the data plans they and their devices are on and make sure your carrier has also identified them as emergency response personnel. Make sure they are also enrolled in Wireless Priority Service (WPS).
[Northcutt] Data throttling is not new. Comcast implemented it in 2008. AT&T was going to the Supreme Court over it and then changed their policies anyway.
Read more in:
Ars Technica: Verizon throttling could trigger FTC investigation of deceptive practices
https://arstechnica.com/tech-policy/2018/08/verizon-throttling-could-trigger-ftc-investigation-of-deceptive-practices/
Eshoo.house: Letter to FTC Chair
https://eshoo.house.gov/wp-content/uploads/2018/08/Rep.-Eshoo-Letter-8.24.18.pdf
--Bank of Spain Website Hit with Cyberattack
(August 27, 2018)
A spokesperson for the Bank of Spain said that its website has been the target of a distributed denial-of-service (DDoS) attack since Sunday. The attack is causing site availability problems, but has not affected the banks communications with other financial institutions.
[Editor Comments]
[Murray] When under denial of service, one should take care that one is not distracted from other potential attacks.
Read more in:
Reuters: Bank of Spain's website hit by cyber attack
https://www.reuters.com/article/us-spain-cyber-cenbank/bank-of-spains-website-hit-by-cyber-attack-idUSKCN1LC23B
--Hayden on US Cyber Strategy, Russia, China, and Hacking Back
(August 25, 2018)
In an interview with Fifth Domain, former NSA and CIA director Michael Hayden talks about the current administrations cyber strategy; threats posed by Russia and China; the governments relationship with Google and Facebook; and the current debate over cyber deterrence.
Read more in:
Fifth Domain: Former NSA, CIA director on cyber, Facebook and hacking back
https://www.fifthdomain.com/dod/cybercom/2018/08/24/former-nsa-cia-director-on-cyber-facebook-and-hacking-back/
--T-Mobile Breach
(August 24, 2018)
T-Mobile US and Metro PCS have notified customers that their personal information may have been compromised. The companys cybersecurity team detected the breach on August 20 and stopped it. A company spokesperson said the incident affected approximately three percent, or 2.3 million of T-Mobiles 77 million customers. The compromised data include encrypted passwords.
[Editor Comments]
[Neely] While the breach includes hashed passwords, assume they can be decoded over time. Changing your T-Mobile passwords is prudent. Verify your phone number remains blocked from unauthorized porting attempts.
Read more in:
Motherboard: Hackers Stole Personal Data of 2 Million T-Mobile Customers
https://motherboard.vice.com/en_us/article/a3qpk5/t-mobile-hack-data-breach-api-customer-data
CNBC: T-Mobile discovers security breach of certain customer information
https://www.cnbc.com/2018/08/24/t-mobile-discovers-security-breach-of-certain-customer-information.html
T-Mobile: Statement
https://www.t-mobile.com/customers/6305378821
INTERNET STORM CENTER TECH CORNER
Struts Exploits for CVE-2018-11776 on Github (Just a sample; there are more.)
https://github.com/mazen160/struts-pwn_CVE-2018-11776
https://github.com/jiguang7/CVE-2018-11776
Publisher Malware
https://isc.sans.edu/forums/diary/Microsoft+Publisher+Files+Delivering+Malware/24024/
https://isc.sans.edu/forums/diary/Microsoft+Publisher+malware+static+analysis/24026/
AT Commands
https://atcommands.org/atdb/vendors
Using a Microphone to Read Screen Content
https://www.cs.tau.ac.il/~tromer/synesthesia/synesthesia.pdf
H-Worm Variant Notes Infection Date in Registry
https://isc.sans.edu/forums/diary/When+was+this+machine+infected/24032/
CentOS/Ubuntu Turn Off Gnome "Bubblewrap" Sandbox
https://www.bleepingcomputer.com/news/security/ubuntu-and-centos-are-undoing-a-gnome-security-feature/
Fortnite Android Arbitrary Code Install Vulnerability
https://www.androidcentral.com/epic-games-first-fortnite-installer-allowed-hackers-download-install-silently
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create
