SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #35

May 2, 2017

TOP OF THE NEWS


IBM: Some Storwize Initialization Tool USBs Contain File Infected with Malware
Intel Patches Flaw in Chips
GE is Fixing Energy Flow Bug

THE REST OF THE WEEK'S NEWS


US Federal Court Declines to Rehear Net Neutrality Case
NSA Announces Data Collection Changes
Dok Mac Malware Signed With Valid Certificate
NATO Locked Shields 2017 Cyber Defense Exercise
Chrome Cracking Down on HTTP
Senate Cybersecurity Committee Hears Testimony
Emerging Chinese Cyberthreat
Stringbleed SNMP Authentication Bypass Vulnerability Affects Cable Modems
Curious Rerouting of Financial Services Internet Traffic

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By VMWare, Inc ********************

Defeat evasive malware and achieve full, accurate analysis results. The VMRay Research Team provides a comprehensive look at the 3 key approaches threat actors use to evade sandbox analysis. By downloading this whitepaper you'll learn how malware: evades the analysis environment, uses event-based triggers, and exploits sandbox weaknesses. http://www.sans.org/info/194590
***************************************************************************
TRAINING UPDATE

-- SANS Security West 2017 | San Diego, CA | May 9-18 |
http://www.sans.org/u/qO8

-- SANS San Francisco Summer 2017 | June 5-10 |
http://www.sans.org/u/qE8

-- SANS Security Operations Center Summit & Training | Washington, DC | June 5-12 |
Build more effective security operations. Two days of in-depth Summit talks, 5 SANS courses, exclusive networking opportunities, & more!
http://www.sans.org/u/qof

-- SANS Secure Europe 2017 | Amsterdam, NL | June 12-20 |
http://www.sans.org/u/qqA

-- SANS Cyber Defence Canberra 2017 | June 26-July 8 |
http://www.sans.org/u/qqF

-- SANS London July 2017 | July 3-8 |
http://www.sans.org/u/pSD

-- SANS Cyber Defence Singapore | July 10-15 |
http://www.sans.org/u/pSI

-- SANSFIRE 2017 | Washington, DC | July 22-29 |
http://www.sans.org/u/r4U

-- SANS Network Security | Las Vegas, NV | September 10-17 |
https://www.sans.org/event/network-security-2017

-- Can't travel? SANS offers LIVE online instruction. Day (Simulcast - http://www.sans.org/u/WK) and Evening (vLive - http://www.sans.org/u/WZ) courses available!

-- SANS Online Training: Special Offer! Register by May 10 and receive a new iPad, Samsung Galaxy Tab A or take $350 off your OnDemand or vLive Course!

-- OnDemand http://www.sans.org/u/pS9

-- vLive http://www.sans.org/u/pSj

-- Multi-week Live SANS training
Mentor - http://www.sans.org/u/X9
Contact mentor@sans.org

-- Looking for training in your own community?
Community - http://www.sans.org/u/Xo

-- SANS OnDemand lets you train anytime, anywhere with four months of online access to your course. Learn more: http://www.sans.org/u/XD

Plus Brussels, San Francisco, Arlington, and Dubai all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/u/XN

***************************************************************************

TOP OF THE NEWS

IBM: Some Storwize Initialization Tool USBs Contain File Infected with Malware (May 1, 2017)

IBM has issued an advisory warning users that some USB drives containing its Storwize initialization tool also contain a malware-infected file. The issue affects USB flash drives with part number 1AC585, which shipped with certain models of Storwize V3500, V3700, and V5000 Gen 1 systems.

[Editor Comments]

[Ullrich] This keeps happening, and will keep happening as long as there isn't a solid "write protect" solution for USB flash memory. While other media may certainly contain malware, the ability to modify USB flash drives anytime after they are originally created makes them particularly vulnerable to infection even during processes like quality control which only need read access to the device.

Read more in:

SC Magazine: USB drives containing IBM tool found infected with malicious code https://www.scmagazine.com/usb-drives-containing-ibm-tool-found-infected-with-malicious-code/article/653835/
IBM: Storwize USB Initialization Tool may contain malicious code http://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146

Intel Patches Flaw in Chips (May 1, 2017)

Intel has fixed a privilege escalation flaw in a remote management feature in many of its chips that could be exploited to take control of vulnerable computers. The issue affects Intel's Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability. Chips running on consumer PCs are not affected.

[Editor Comments]

[Ullrich] The tricky part with this vPro vulnerability is that the patch will likely have to come from the OEM that manufactured your system. Intel is correct in stating that consumer PCs are less likely to be affected, but there is no clear definition of a "consumer PC." Business PCs certainly make it into private homes and networks. Systems that expose these services on wireless networks are particularly at risk, and patching will be tricky.

Read more in:
Ars Technica: Intel patches remote code-execution bug that lurked in chips for 10 years https://arstechnica.com/security/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years/
The Register: Red alert! Intel patches remote execution hole that's been hidden in biz, server chips since 2008 http://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/
Intel: Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr

GE is Fixing Energy Flow Bug (April 26, 2017)

The General Electric Company (GE) said it is fixing a flaw in some of its protection relays that could be exploited to shut down sections of the power grid. GE has released patches for five of the six models affected by the flaw.

[Editor Comments]

[Murray] It would be wonderful if the fix was in GE's hands. It isn't. GE's action is necessary but far from sufficient. This is one more instance of the failure of the strategy of "late discovery and patch." The cost of remediation goes up dramatically with the time to discovery. The strategy transfers the cost from vendors to customers. We tolerate this practice in IT infrastructure products but not in consumer products like automobiles.

Read more in:

Reuters: GE fixing bug in software after warning about power grid hacks http://www.reuters.com/article/us-cyber-generalelectric-power-idUSKBN17S23Y
*************************** SPONSORED LINKS *****************************
1) NSA Tools in Your Backyard: Protecting Outdated PCs Against Nation-Grade Tools. Register for the Webinar: http://www.sans.org/info/194595
2) Don't Miss: "Threat Hunting with Endpoints: A Methodology for Effective Detection and Agile Response" with John Pescatore. Register: http://www.sans.org/info/194600
3) Webcast: "A New Era in Endpoint Protection: A SANS Product Review of CrowdStrike Falcon(R) Endpoint Protection" Register: http://www.sans.org/info/194605
***************************************************************************

THE REST OF THE WEEK'S NEWS

US Federal Court Declines to Rehear Net Neutrality Case (May 1, 2017)

A US federal court has declined to rehear a case in which telecommunications companies seek to overturn net neutrality rules established during the Obama administration. The refusal paves the way for the plaintiffs to take the case to the Supreme Court. FCC chairman Ajit Pai recently announced a plan to undo the net neutrality regulations put in place by his predecessor. A legal ruling in their favor would give net neutrality opponents stronger legal protection when the issue is raised in the future.

[Editor Comments]

[Pescatore] One huge advance would be to require telecommunication companies to filter out known malicious traffic, whether net neutrality stays or goes. So far, ISPs have been able to avoid doing so both before and after net neutrality regulations were put in place.

Read more in:

Washington Post: Net neutrality may be poised for a Supreme Court showdown https://www.washingtonpost.com/news/the-switch/wp/2017/05/01/net-neutrality-may-be-poised-for-a-supreme-court-showdown
WSJ: Federal Court Turns Away Net Neutrality Challenge https://www.wsj.com/articles/federal-court-turns-away-net-neutrality-challenge-1493667111
Ars Technica: Too little, too late? FCC wins net neutrality court case https://arstechnica.com/tech-policy/2017/05/too-little-too-late-fcc-wins-net-neutrality-court-case/

NSA Announces Data Collection Changes (April 28 & 30, 2017)

The US National Security Agency (NSA) says it has stopped collecting email traffic for simply containing the email address or phone number of a foreign target. The NSA agreed to end the practice as part of an agreement with a federal court that allows the agency to continue its Section 702 surveillance program.

Read more in:

Wired: A Big Change in NSA Spying Marks a Win for American Privacy https://www.wired.com/2017/04/big-change-nsa-spying-marks-win-american-privacy/
The Register: NSA pulls plug on some email spying before Congress slaps it down http://www.theregister.co.uk/2017/04/28/nsa_may_stop_overseas_fisa_spying/
SC Magazine: NSA to end controversial warrantless surveillance practice https://www.scmagazine.com/nsa-to-end-controversial-warrantless-surveillance-practice/article/653729/
ZDNet: NSA stops controversial program that searches Americans' emails http://www.zdnet.com/article/nsa-to-end-controversial-program-that-searches-americans-emails/
Ars Technica: NSA ends spying on messages Americans send about foreign surveillance targets https://arstechnica.com/tech-policy/2017/04/nsa-stops-collection-of-us-citizens-e-mails-about-intel-targets/
Computerworld: NSA ends surveillance tactic that pulled in citizens' emails, texts http://computerworld.com/article/3193368/security/nsa-ends-surveillance-tactic-that-pulled-in-citizens-emails-texts.html
WPost: NSA halts controversial email collection practice to preserve larger surveillance program https://www.washingtonpost.com/world/national-security/nsa-halts-controversial-email-collection-practice-to-preserve-larger-surveillance-program/2017/04/28/e2ddf9a0-2c3f-11e7-be51-b3fc6ff7faee_story.html

Dok Mac Malware Signed With Valid Certificate (April 27, 28, 29, & May 1, 2017)

Malware known as Dok targets computers running OSX. It has targeted users in Europe through spam emails. The malware uses "nag screens" that ask the user to install an update, but which really are seeking the user's admin password. Dok affects all versions of OSX. Apple has revoked a legitimate developer certificate that allowed the malware to eavesdrop on secure HTTPS traffic.

Read more in:

Threatpost: Apple revokes Certificate Used By OSX/Dok Malware https://threatpost.com/apple-revokes-certificate-used-by-osxdok-malware/125322/
SC Magazine: Mac malware signed with valid certificate reads HTTPS traffic https://www.scmagazine.com/osx-malware-uses-stolen-certs-and-reads-https-traffic/article/653723/
BleepingComputer: New Dok Mac Malware Uses Nag Screens, Intercepts Encrypted Web Traffic https://www.bleepingcomputer.com/news/security/new-dok-mac-malware-uses-nag-screens-intercepts-encrypted-web-traffic/
Check Point: OSX Malware is Catching Up, and it wants to Read Your HTTPS Traffic http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/

NATO Locked Shields 2017 Cyber Defense Exercise (April 26, 29, & May 1, 2017)

From April 24-28, 800 participants from 25 countries took part in a network defense exercise organized by NATO's Cooperative Cyber Defense Center of Excellence (CCD CoE) in Tallinn, Estonia. Locked Shields 2017 teams were given the task of defending and maintaining the networks of a fictional military air base. CCD CoE acted as Red Team.

Read more in:

Wired: The US Takes On the World in NATO's Cyber War Games https://www.wired.com/2017/04/us-takes-world-natos-cyber-war-games/
The Hill: NATO hub hails major international cyber defense exercise http://thehill.com/policy/cybersecurity/330619-nato-hub-hails-major-international-cyber-defense-exercise
GCN: Cyber defenders hone skills in international wargame https://gcn.com/articles/2017/05/01/locked-shields.aspx?admgarea=TC_SecCybersSec
Fifth Domain Cyber: Czech cybersecurity experts win cyber defense exercise http://fifthdomain.com/2017/05/01/czech-cybersecurity-experts-win-cyber-defense-exercise/

Chrome Cracking Down on HTTP (April 28, 2017)

Starting in October 2017, with version 62 of its Chrome browser, Google will warn users when they type any data into pages that are still using HTTP rather than HTTPS. Earlier this year, Chrome users started seeing warnings when they visited HTTP pages that transmitted sensitive data, like payment card and login information.

Read more in:

ZDNet: Google tightens noose on HTTP: Chrome to stick 'Not secure' on pages with search fields http://www.zdnet.com/article/google-tightens-noose-on-http-chrome-to-stick-not-secure-on-pages-with-search-fields/
BleepingComputer: Chrome Will Mark HTTP Sites in Incognito Mode as Not Secure https://www.bleepingcomputer.com/news/software/chrome-will-mark-http-sites-in-incognito-mode-as-not-secure/
Chromium: Marking HTTP As Non-Secure https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure

Senate Cybersecurity Committee Hears Testimony (April 28, 2017)

At a hearing of the US Senate Armed Services Committee's Cybersecurity Subcommittee last week, witnesses spoke to the need "to develop the strategy, authorities and systems to combat cyber-enabled information operations." RAND Corporation senior information scientist Dr. Rand Waltzman proposed a cognitive security strategy. Former FBI special agent Clint Watts told the committee that Russia's competitive edge is fed by its government's willingness to recruit talent that the US government might overlook or reject - people who do not have traditional tech backgrounds, and people who may have pasts that would prevent them from obtaining security clearances.

Read more in:

Business Insider: Russia's risky strategy for recruiting hackers is also incredibly effective - and the US is lagging behind http://www.businessinsider.com/us-counter-russian-influence-campaigns-2017-4
FCW: Senate cyber panel makes public debut https://fcw.com/articles/2017/04/28/sasc-cyber-hearing-carberry.aspx

Emerging Chinese Cyberthreat (April 27 & 28, 2017)

A hacking group dubbed MenuPass or APT10 is targeting companies around the world. The group focuses on cyber espionage. Affected organizations have included organizations in the construction, engineering, aerospace, and telecommunications fields, as well as government agencies. APT10 has been active since at least 2009, but cyber security companies noted a surge in the group's activity starting last summer. The US Department of Homeland Security's (DHS's) National Cybersecurity and Communications Integration Center (NCCIC) has issued an incident report.

Read more in:

Cyberscoop: U.S. warns of 'emerging' global cyber-espionage campaign by Chinese hackers https://www.cyberscoop.com/u-s-warns-emerging-global-cyber-espionage-campaign-chinese-hackers/?category_news=technology
US-CERT/NCCIC: Intrusions Affecting Multiple Victims Across Multiple Sectors https://www.us-cert.gov/sites/default/files/publications/IR-ALERT-MED-17-093-01C-Intrusions_Affecting_Multiple_Victims_Across_Multiple_Sectors.pdf

Stringbleed SNMP Authentication Bypass Vulnerability Affects Cable Modems (April 28, 2017)

An implementation flaw in versions 1 and 2 of the Simple Network Management Protocol (SNMP) could be exploited to bypass authentication, allowing attackers to take over vulnerable cable modems. The affected devices will accept any community string to unlock read and write access to configuration data.

Read more in:

BleepingComputer: Several Cable Modem Models Affected by SNMP God Mode Flaw https://www.bleepingcomputer.com/news/security/several-cable-modem-models-affected-by-snmp-god-mode-flaw/
PCWorld: Network management vulnerability exposes home cable modems to hacking http://www.pcworld.com/article/3193135/security/network-management-vulnerability-exposes-cable-modems-to-hacking.html
Stringbleed: SNMP authentication bypass https://stringbleed.github.io/

Curious Rerouting of Financial Services Internet Traffic (April 27, 2017)

For about seven minutes on Wednesday, April 26, a large swath of financial services Internet traffic was routed through Rostelecom, a company controlled by the Russian government. While such incidents are not uncommon, the fact that the traffic was from a high concentration of technology and financial services organizations raises suspicions that this incident could have been deliberately orchestrated.

[Editor Comments]

[Williams] BGP requires you to place complete trust in people you ordinarily wouldn't have reason to trust. BGP prefix hijacking, whether intentional or not, is amazingly common. The Twitter account @bgpstream tracks much of this activity. In the end, BGP hijacking facilitates man-in-the-middle. Ensuring that your communications are encrypted will go a long way towards making these attacks unprofitable.

Read more in:

Ars Technica: Russian-controlled telecom hijacks financial services' Internet traffic https://arstechnica.com/security/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/
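As an added example (not from the newsletter, the editor, or any route-monitoring service), the script below shows the check a network owner can run over a feed of BGP updates to catch the two common hijack shapes: a known prefix announced from a wrong origin AS, and a more-specific prefix carved out of one's own address space. The prefixes, ASNs and updates are invented.

```python
"""Constructed example: compare observed BGP updates against the prefixes
and origin ASNs an organisation expects for its own address space.
All prefixes, AS numbers and updates below are invented."""
import ipaddress

# Assumed expectation table: own prefix -> set of authorised origin ASNs
EXPECTED = {
    ipaddress.ip_network("203.0.113.0/24"): {64500},
    ipaddress.ip_network("198.51.100.0/22"): {64501, 64502},
}

def classify(prefix: str, as_path):
    """Return None when the update is consistent with EXPECTED, else a reason."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]                       # origin AS is the last hop of AS_PATH
    if net in EXPECTED:                        # exact prefix: only the origin can be wrong
        return None if origin in EXPECTED[net] else f"origin-mismatch:{origin}"
    for known, origins in EXPECTED.items():
        if net.version == known.version and net.subnet_of(known):
            # A more specific prefix wins best-path selection whatever its origin,
            # so it is worth a look even when announced from one of our own ASNs
            kind = "more-specific-own-origin" if origin in origins else "more-specific-hijack"
            return f"{kind}:{net}->{known}:{origin}"
    return None                                # not our address space; ignore

def scan(updates):
    """Return (prefix, reason) alerts for a list of (prefix, as_path) updates."""
    alerts = []
    for prefix, path in updates:
        reason = classify(prefix, path)
        if reason:
            alerts.append((prefix, reason))
    return alerts

# Constructed sample feed (all values invented)
UPDATES = [
    ("203.0.113.0/24", [64510, 64500]),          # normal
    ("203.0.113.0/24", [64510, 64520, 64599]),   # wrong origin AS
    ("198.51.100.0/24", [64530, 64599]),         # more specific, unknown origin
    ("198.51.100.0/23", [64530, 64502]),         # more specific, but our own AS
    ("192.0.2.0/24", [64540, 64541]),            # someone else's space
]
```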

INTERNET STORM CENTER TECH CORNER

Simple JavaScript Word Macro Not Recognized By Many AV Products

https://isc.sans.edu/forums/diary/Another+Day+Another+Obfuscation+Technique/22354/

OS X Malware Adds Proxy to Intercept HTTPS

http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/

OVH Vulnerability Put Servers at Risk

https://jrwr.io/doku.php?id=blog:ovh_vrack_security_issue

Intel AMT, SBT and ISM Escalation of Privilege Vulnerability

https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr
https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/

Local Root Exploit in chkrootkit

https://lepetithacker.wordpress.com/2017/04/30/local-root-exploit-in-chkrootkit/

Escape Sequence Exploits in Various Linux Terminals

http://www.openwall.com/lists/oss-security/2017/05/01/13

***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create