SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #71
September 7, 2018
****************************************************************************
SANS NewsBites September 7, 2018 Vol. 20, Num. 71
****************************************************************************
TOP OF THE NEWS
DOJ Charges North Korean in Sony Hack, Wanna Cry Attack
Tesla Will Reflash Car Firmware for Vulnerability Testers
Windows Zero-Day: Advanced Local Procedure Call (ALPC)
REST OF THE WEEK'S NEWS
Mozilla Releases Firefox 62
Schneider Controller Vulnerability
British Airways Data Breach
House Approves DHS Supply Chain Security Bill
Thousands of MikroTik Routers Unpatched Against Flaw Disclosed in April
Chrome 69 Includes Fix for Flaw That Could Be Exploited to Steal WiFi Credentials
Open .git Directories Expose Site Source Code
INTERNET STORM CENTER TECH CORNER
*************************** Sponsored By A10 Networks ************************************
"SSL Traffic Inspection: Needed Visibility But At What Cost?" In this webcast, SANS will explore the concerns faced by an organization that realizes it must improve visibility into its encrypted traffic, laying out both the business and the technical issues and how to approach both. Register: http://www.sans.org/info/206630
*****************************************************************************
-- SANS Network Security 2018 | Las Vegas, NV | September 23-30 | https://www.sans.org/event/network-security-2018
-- SANS London September 2018 | September 17-22 | https://www.sans.org/event/london-september-2018
-- Oil & Gas Cyber Security Summit 2018 | Houston, TX | October 1-6 | https://www.sans.org/event/oil-gas-cybersecurity-summit-2018
-- SANS Northern VA Fall-Tysons 2018 | October 13-20 | https://www.sans.org/event/northern-va-fall-tysons-2018
-- SANS London October 2018 | October 15-20 | https://www.sans.org/event/london-october-2018
-- SANS October Singapore 2018 | October 15-27 | https://www.sans.org/event/october-singapore-2018
-- Secure DevOps Summit & Training 2018 | Denver, CO | October 22-29 | https://www.sans.org/event/secure-devops-summit-2018
-- SANS Sydney 2018 | November 5-17 | https://www.sans.org/event/sydney-2018
-- SANS San Diego Fall 2018 | November 12-27 | https://www.sans.org/event/san-diego-fall-2018
-- SANS OnDemand and vLive Training
The SANS Training you want with the flexibility you need.
Get a 9.7 iPad, Samsung Galaxy Tab A or Take $300 Off with OnDemand or vLive, Offer Ends September 19.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast | https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
*****************************************************************************
TOP OF THE NEWS
--
DOJ Charges North Korean in Sony Hack, Wanna Cry Attack
(September 6, 2018)
The US Department of Justice (DOJ) has charged Park Jin Hyok, a North Korean computer programmer, in the 2014 attack against Sony Pictures, a 2016 theft from Bangladesh Bank, and the 2017 Wanna Cry malware attack. The complaint alleges that Park carried out the attack against Sony Pictures on behalf of the North Korean government; it also links Park to the Lazarus Group, which is believed to be involved in the Wanna Cry attack and a Bangladesh Bank theft.
Read more in:
DOJ: North Korean Regime-Backed Programmer Charged With Conspiracy to Conduct Multiple Cyber Attacks and Intrusions
The Hill: DOJ charges North Korean national in Sony, WannaCry attacks
Nextgov: DOJ Releases Charges Against Last of Four Top U.S. Cyber Adversaries
NYT: North Korean Spy to Be Charged in Sony Pictures Hacking
https://www.nytimes.com/2018/09/06/us/politics/north-korea-sony-hack-wannacry-indictment.html
Reuters: U.S. charges North Korean hacker in Sony, WannaCry cyberattacks
--
Tesla Will Reflash Car Firmware for Vulnerability Testers
(September 6, 2018)
Tesla has reiterated that security researchers are permitted to hack its cars without voiding the vehicle's warranty or facing legal liability. Tesla says it will restore the firmware and operating system on cars that have become incapacitated by testing, with some conditions: both the researcher and the vehicle must be registered and approved as part of Tesla's vulnerability reporting program.
[Editor Comments]
[Pescatore] Kudos to Tesla for doing the right thing. Would you buy a car from a manufacturer who said, "We are not going to allow Consumer Reports magazine to test our cars, because all that swerving around cones will void the warranty"? Consumers demand safety features in the cars; car advertisements seem to equally emphasize safety and style. We need to convince consumers that an important part of safety is high quality software in the cars they buy.
[Neely] Before signing up for the program, researchers need to note the limits to the number of times the vehicle will be re-flashed and that the researcher will bear the expense of getting the car to a service facility.
Read more in:
Bleeping Computer: Tesla Will Restore Car Firmware/OS When Hacking Goes Wrong
--
Windows Zero-Day: Advanced Local Procedure Call (ALPC)
(September 5 & 6, 2018)
An unpatched flaw in Windows Advanced Local Procedure Call (ALPC) is being actively exploited. The vulnerability was first disclosed on August 27, 2018. The issue is due to the ALPC function not properly checking user permissions when interacting with files in the Windows Task Scheduler folder in Windows OS versions later than Windows 7.
Read more in:
The Register: Do you really think crims would do that? Just go on the 'net and exploit a Windows zero-day?
https://www.theregister.co.uk/2018/09/06/microsoft_windows_attacked_wild/
ZDNet: Recent Windows ALPC zero-day has been exploited in the wild for almost a week
************************** SPONSORED LINKS ********************************
1) Don't Miss: "Meeting the Critical Security Controls Using OSSEC" with John Pescatore. Register: http://www.sans.org/info/206635
2) VMRay Product Manager, Rohan Viegas will show you how Gandcrab ransomware evades detection and analysis and infects victims. Register: http://www.sans.org/info/206640
3) Learn how to analyze data using advanced machine learning that mimics human analysts. Register: http://www.sans.org/info/206645
*****************************************************************************
REST OF THE WEEK'S NEWS
--
Mozilla Releases Firefox 62
(September 6, 2018)
Mozilla has released Firefox 62 for Windows, Android, Linux, iOS, and macOS. The newest version of the browser includes fixes for nine security issues, including one that could be exploited to run arbitrary code. Now that Firefox 62 has been released, Firefox 63 is in beta. Firefox 63, which is expected to be generally released on October 23, will block slow-loading web trackers by default.
Read more in:
eWeek: Firefox 62 Improves CSS Support for Developers, Fixes Bugs
http://www.eweek.com/security/firefox-62-improves-css-support-for-developers-fixes-bugs
Threatpost: Mozilla Patches Critical Code Execution Bug in Firefox 62
https://threatpost.com/mozillas-release-of-firefox-62-packs-nine-fixes/137230/
--
Schneider Controller Vulnerability
(September 6, 2018)
A vulnerability in Schneider Electric Modicon controllers could be exploited to remotely reboot a device, which could prevent it from communicating with the other parts of the industrial control system (ICS) network. The issue is an improper check for unusual or exceptional conditions. The flaw affects Modicon M221 controllers with firmware versions prior to 1.6.2.0.
Read more in:
ZDNet: Schneider Electric Modicon vulnerability impacts ICS operation in industrial settings
Schneider: SoMachine Basic V1.6 SP2
https://www.schneider-electric.com/en/download/document/SoMachineBasicV1.6SP2/
--
British Airways Data Breach
(September 6, 2018)
British Airways has acknowledged that a data breach may have compromised personal information associated with 380,000 payments. The incident affects bookings made online between August 21 and September 5, 2018.
Read more in:
Reuters: British Airways website suffers data breach; 380,000 payments affected
--
House Approves DHS Supply Chain Security Bill
(September 5, 2018)
The US House of Representatives has approved a bill that would allow the Department of Homeland Security (DHS) to exclude certain contractors from conducting business with the government. The Securing the Homeland Security Supply Chain Act of 2018 requires that DHS notify contractors of the decision to ban them in most cases, but also allows the agency to impose an immediate ban in the interest of national security. The bill does not yet have a companion bill in the Senate.
Read more in:
MeriTalk: House Approves DHS Authority to Address Supply Chain Risk, Bar Contractors
https://www.meritalk.com/articles/dhs-supply-chain-risk-bill-approved/
Nextgov: House Passes Bill Expanding DHSs Power to Block Risky Contractors From Government Networks
Congress: H.R.6430 - Securing the Homeland Security Supply Chain Act of 2018
https://www.congress.gov/bill/115th-congress/house-bill/6430
--
Thousands of MikroTik Routers Unpatched Against Flaw Disclosed in April
(September 4 & 5, 2018)
Thousands of unpatched MikroTik routers have been compromised with malware that sends network traffic data to a control server. MikroTik released a fix for the vulnerability in April. More than 370,000 routers have not yet been patched for the flaw.
[Editor Comments]
[Neely] The attackers seem to be focusing on SNMP traffic, and as organizations often reuse community strings, compromise could have broad consequences. As the hack installs added jobs, a factory reset in addition to applying the patch is a good idea. More routers are supporting automatic firmware updates which can mitigate some of these risks.
Read more in:
Ars Technica: Unpatched routers being used to build vast proxy army, spy on networks
The Register: Mikrotik routers pwned en masse, send network data to mysterious box
https://www.theregister.co.uk/2018/09/04/mikrotik_routers_pwned/
--
Chrome 69 Includes Fix for Flaw That Could Be Exploited to Steal WiFi Credentials
(September 4 & 5, 2018)
Google has released Chrome 69. The most recent stable version of the browser addresses 40 vulnerabilities, including an issue that could be used to steal WiFi login credentials because older versions of the browser auto-filled usernames and passwords in HTTP logon forms.
[Editor Comments]
[Neely] This fix to Chrome puts it on par with Firefox, Internet Explorer, Edge and Safari for auto-filling login information in HTTP forms. Exploiting the vulnerability relies on getting the victim on a spoofed WiFi using Karma and presenting an imitation captive portal page for the user's router, which the browser will autofill. The primary mitigation is updating Chrome. Beyond that, enable HTTPS on your home router if it supports it, administer your home router over a wired connection, or if on Wi-Fi, make sure that you're really on your network before connecting to the admin page.
[Murray] It is difficult to understand as stable products that persistently issue fixes for tens of vulnerabilities at a time.
Read more in:
ZDNet: Google fixes Chrome issue that allowed theft of WiFi logins
https://www.zdnet.com/article/google-fixes-chrome-issue-that-allowed-theft-of-wifi-logins/
Threatpost: Google Rolls Out 40 Fixes with Chrome 69
https://threatpost.com/google-rolls-out-40-fixes-with-chrome-69/137210/
The Register: Take a pinch of autofill, mix in HTTP, and bake on a Wi-Fi admin page: Quirky way to swipe a victim's router password
https://www.theregister.co.uk/2018/09/06/wifi_browser_autofill_chrome/
--
Open .git Directories Expose Site Source Code
(September 4 & 5, 2018)
Researcher Vladimir Smitka found nearly 400,000 web pages with open .git directories. The directories can expose database passwords, API keys, and other information that should not be, but often is, stored in the repository.
[Editor Comments]
[Williams] This is a symptom of the larger problem of poorly audited permissions on directories accessible from the Internet. If you haven't audited your website for forced browsing attacks, the time to do so is now. With the increased attention on .git directories, expect to see an increase in attackers scanning for forced browsing vulnerabilities of all types.
[Neely] When deploying an application to your site, make sure that the .git directory is not available. Even without an index file and directory browsing disabled, well known files can still be retrieved, such as the list of commits in /.git/logs/HEAD. Verify the directory contents are not retrievable by attempting to access <web-site>/.git/HEAD.
Read more in:
The Register: Excuse me, but your website's source code appears to be showing
https://www.theregister.co.uk/2018/09/04/web_site_source_code_disclosure/
SC Magazine: 400,000 websites vulnerable through exposed .git directories
https://www.scmagazine.com/home/news/400000-websites-vulnerable-through-exposed-git-directories/
Lynt.cz: Global scan - exposed .git repos
https://lynt.cz/blog/global-scan-exposed-git
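The self-check described in the editor comment above, as an added example that is not part of the NewsBites item: it requests /.git/HEAD and /.git/logs/HEAD on a site you administer and decides whether the response is real repository metadata rather than a custom 404 page that answers with HTTP 200. The function and regex names are this example's own.

```python
"""Self-check for an exposed .git directory on a web site you administer."""
import re
import sys
import urllib.error
import urllib.request

# A real .git/HEAD is either a symbolic ref or a bare 40-hex commit id.
_HEAD_RE = re.compile(r"^(ref: refs/\S+|[0-9a-f]{40})\s*$")
# A .git/logs/HEAD line: <old sha> <new sha> <author> <timestamp> <tz>\t<message>
_REFLOG_RE = re.compile(r"^[0-9a-f]{40} [0-9a-f]{40} .+ \d+ [+-]\d{4}\t")

# The two paths named in the editor comment; both should be unreachable.
GIT_PATHS = ("/.git/HEAD", "/.git/logs/HEAD")


def looks_like_git_head(body: str) -> bool:
    """True if the body parses as a plausible .git/HEAD file."""
    return bool(_HEAD_RE.match(body.strip()))


def looks_like_git_reflog(body: str) -> bool:
    """True if the first line parses as a plausible reflog entry."""
    first = body.splitlines()[0] if body.strip() else ""
    return bool(_REFLOG_RE.match(first))


def classify(path: str, status: int, body: str) -> str:
    """Map one HTTP response to 'exposed', 'blocked' or 'unclear'.

    An HTTP 200 alone is not proof: many sites answer 200 for every path,
    so the body must also parse as the git file that path should hold.
    """
    if status != 200:
        return "blocked"
    if path.endswith("/logs/HEAD"):
        return "exposed" if looks_like_git_reflog(body) else "unclear"
    return "exposed" if looks_like_git_head(body) else "unclear"


def fetch(base_url: str, path: str, timeout: float = 5.0):
    """GET base_url + path; return (status, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "git-exposure-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


def check_site(base_url: str) -> dict:
    """Return {path: verdict} for every path in GIT_PATHS."""
    return {p: classify(p, *fetch(base_url, p)) for p in GIT_PATHS}


if __name__ == "__main__":
    # Usage: python git_selfcheck.py https://www.example.test
    # Any 'exposed' verdict means /.git must be denied at the web server.
    for path, verdict in check_site(sys.argv[1]).items():
        print(f"{path}: {verdict}")
```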
****************************************************************************
INTERNET STORM CENTER TECH CORNER
Some More Interesting MikroTik Router Exploits
Exposed .git Directories
https://lynt.cz/blog/global-scan-exposed-git
SSL Certificates Expose Tor Servers
Python Package Installer May Execute Code
https://github.com/mschwager/0wned
Windows Scheduler Exploit Used in the Wild
https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/
Where Have All My Certificates Gone?
https://isc.sans.edu/forums/diary/Where+have+all+my+Certificates+gone+And+when+do+they+expire/24066/
Malware Uses Powershell to Compile C# Code on the Fly
https://isc.sans.edu/forums/diary/Malicious+PowerShell+Compiling+C+Code+on+the+Fly/24072/
Stealing WiFi Credentials in Google Chrome
https://www.surecloud.com/sc-blog/wifi-hijacking
DNS Spoofing and Certificate Authority Domain Validation
https://www.theregister.co.uk/2018/09/06/boffins_break_cas_domain_validation/
Cisco Vulnerabilities
MEGA Chrome Extension Replaced with Password Stealer
https://serhack.me/articles/mega-chrome-extension-hacked
******************************************************************************
The Editorial Board of SANS NewsBites
John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.
Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.
Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.
Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.
Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.
Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.
Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.
Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.
William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.
Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.
Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).
Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.
Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.
Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.
Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.
David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.
Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.
Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.
Alan Paller is director of research at the SANS Institute.
Brian Honan is an independent security consultant based in Dublin, Ireland.
David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create