

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #73

September 15, 2017

TOP OF THE NEWS


Equifax CEO Invited to Testify Before Congress
Some US States Are Going Back to Paper Ballots
DHS Bans Use of Kaspersky Products on Federal Systems

THE REST OF THE WEEK'S NEWS


Malware-Harboring Apps Pulled from GooglePlay Store
Senator Seeks Answers from Telecoms on SS7 Security Solutions
Apache Struts Vulnerability Exploited in Equifax Breach
Lawsuit Targets Warrantless Device Searches at US Border
Adobe Security Updates
WordPress Plugin Installs Backdoor
Microsoft Patch Tuesday
BlueBorne Bluetooth Attack
Flaws in D-Link Routers Exposed Before Fixes Are Available

INTERNET STORM CENTER TECH CORNER

*************************** Sponsored By Splunk *******************************

The State of Security Operations With IDC and Splunk. Does your organization have the processes in place to investigate and effectively respond to cyberattacks? IDC surveyed security decision makers at 600 organizations to understand the state of security operations today. Join this webinar to learn why an analytics-driven approach can make security investigation more efficient and effective, reducing costs and improving security posture. http://www.sans.org/info/198325

***************************************************************************

TRAINING UPDATE

-- SANS London September 2017 | September 25-30 | https://www.sans.org/event/london-september-2017

-- SANS Baltimore Fall 2017 | September 25-30 | https://www.sans.org/event/baltimore-fall-2017

-- SANS Data Breach Summit & Training 2017 | Chicago, IL | September 25-October 2 | https://www.sans.org/event/data-breach-summit-2017

-- SANS October Singapore 2017 | October 9-28 | https://www.sans.org/event/october-singapore-2017

-- SANS Secure DevOps Summit & Training | Denver, CO | October 10-17 | https://www.sans.org/event/secure-devops-summit-2017

-- SANS Brussels Autumn 2017 | October 16-21 | https://www.sans.org/event/brussels-autumn-2017

-- SANS Tokyo Autumn 2017 | October 16-28 | https://www.sans.org/event/tokyo-autumn-2017

-- SANS San Diego 2017 | October 30-November 4 | https://www.sans.org/event/san-diego-2017

-- SANS Cyber Defense Initiative 2017 | Washington, DC | December 12-19 | https://www.sans.org/event/cyber-defense-initiative-2017

-- SANS OnDemand and vLive Training | Get a GIAC Certification Attempt or $350 Off your OnDemand or vLive course when you register by September 13! https://www.sans.org/online-security-training/specials/

-- Can't travel? SANS offers online instruction for maximum flexibility
Live Daytime training with Simulcast - https://www.sans.org/simulcast
Evening training 2x per week for 6 weeks with vLive - https://www.sans.org/vlive
Anywhere, Anytime access for 4 months with OnDemand format - https://www.sans.org/ondemand/

-- Single Course Training
SANS Mentor https://www.sans.org/mentor/about
Community SANS https://www.sans.org/community/
View the full SANS course catalog https://www.sans.org/security-training/by-location/all

***************************************************************************

TOP OF THE NEWS

--Equifax CEO Invited to Testify Before Congress (September 13, 2017)

The US House Energy and Commerce Committee has formally invited Equifax Chairman and CEO Richard F. Smith to testify before Congress on October 3. Other congressional committees are also planning hearings on the Equifax breach.

[Editor Comments]
[Pescatore] We can now tick off 3 of the four predictable "Post Mega-Breach Cha Cha" dance steps; only some C-level firings are left. The final stage is usually just a lot of clicking of the "Like" button - "slacktivism" and no movement forward. Use the publicity tailwind to gain C-level support to make changes.
[Murray] One hopes that this will not be merely one more public shaming of a hapless executive. This industry is the, perhaps unintended, creature of the Fair Credit Reporting Act. It deals in hearsay, not to say slander, which it is manifestly unable to control or protect. It represents an unacceptable risk to the identity, reputation, and privacy of American consumers. The Law desperately needs reform and that reform should be the focus of congressional hearings.
[Northcutt] One of the topics needs to be the problems citizens are running into trying to freeze their own credit reports. It is what most security experts recommend, but the credit brokers are overwhelmed. Don't give up, keep trying, keep notes and let your elected officials know if you ran into problems:
https://www.usatoday.com/story/money/2017/09/13/equifax-data-breach-tried-freeze-my-credit-there-were-problems/663014001/
[Guest Editor: Lance Spitzner] Here is information you can use to build an email template to inform your organization's workforce about the incident:
https://securingthehuman.sans.org/blog/2017/09/08/awareness-officers-what-to-communicate-about-the-equifax-hack

Read more in:
Cyberscoop: Equifax CEO called to testify before Congress about breach
https://www.cyberscoop.com/equifax-ceo-richard-smith-asked-to-testify-before-congress/?category_news=technology
The Hill: Equifax CEO formally called to testify before Congress
http://thehill.com/policy/cybersecurity/350517-equifax-ceo-formally-called-to-testify-before-congress

--Some US States Are Going Back to Paper Ballots (September 11 & 13, 2017)

In the wake of rising concerns about the security of electronic voting systems, several US states are returning to the use of paper ballots for their elections. Virginia and Iowa have established post-election audit requirements that compare electronic vote totals with paper ballots. Just five states - Delaware, Georgia, Louisiana, New Jersey, and North Carolina - use exclusively electronic voting systems. Georgia will pilot a paper-ballot system in elections this fall.

[Editor Comments]
[Neely] Falling back to paper removes the electronic voting machine vulnerabilities, allows states to return to a system where they know how to mitigate the vulnerabilities and allows the electronic systems to mature. This also restores the paper record of each ballot cast, while leveraging electronic readers to count those votes. The challenge will be agreement on the re-entry condition for a secure paperless voting system.

Read more in:
GovTech: Some States Return to Paper Ballots Following 2016 Election Hacks
http://www.govtech.com/security/Some-States-Return-to-Paper-Ballots-Following-2016-Election-Hacks.html
Governing: Paper Ballots May Make a Comeback in Georgia
http://www.governing.com/topics/politics/tns-georgia-election-paper-ballots.html

--DHS Bans Use of Kaspersky Products on Federal Systems (September 13, 2017)

The US Department of Homeland Security (DHS) has issued a binding operational directive (BOD) requiring all federal agencies to cease the use of Kaspersky Lab products and services. The agencies have 30 days to identify which products are in use and then 60 days beyond that to create plans to remove them. After 90 days, agencies will need to begin the process of removing the products and services.

[Editor Comments]
[Pescatore] The risk cited by DHS isn't in Kaspersky's products; it is in "the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks." Many US and Israeli security product and services companies have those same ties to, and abide by laws dictating cooperation with, their own national intelligence agencies. Bottom line: for enterprises and non-Federal Executive Branch departments and agencies not under this directive, there is no current reason for out-of-cycle replacement of Kaspersky products.

Read more in:
DHS: DHS Statement on the Issuance of Binding Operational Directive 17-01
https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01
ZDNet: Homeland Security bans Kaspersky Lab software across US government
http://www.zdnet.com/article/dhs-issues-directive-to-pull-government-use-of-kaspersky-lab-software/
Ars Technica: Kaspersky software banned from US government agencies
https://arstechnica.com/tech-policy/2017/09/kaspersky-software-banned-from-us-government-agencies/
CNET: US bans Kaspersky software from government agencies
https://www.cnet.com/news/us-bans-kaspersky-software-from-government-agencies-trump-dhs-russia/
eWeek: DHS Bans Federal Agencies From Using Kaspersky Security Products
http://www.eweek.com/security/dhs-bans-federal-agencies-from-using-kaspersky-security-products
FNR: DHS gives agencies 90 days to remove Kaspersky Lab IT from networks
https://federalnewsradio.com/cybersecurity/2017/09/dhs-gives-agencies-90-days-to-remove-kaspersky-lab-it-from-networks/
FCW: DHS bans Kaspersky from federal systems
https://fcw.com/articles/2017/09/13/kaspersky-ban-dhs.aspx
Cyberscoop: Eugene Kaspersky speaks out, defends company over espionage allegations
https://www.cyberscoop.com/eugene-kaspersky-speaks-out-us-government/?category_news=technology
Nextgov: Trump Administration Orders Russian Anti-Virus Off All Government Systems
http://www.nextgov.com/cybersecurity/2017/09/trump-administration-orders-russian-anti-virus-all-government-systems/140971/?oref=ng-channeltopstory
Fifth Domain: DHS gives agencies 90 days to purge all Kaspersky products
https://www.fifthdomain.com/civilian/dhs/2017/09/13/dhs-gives-agencies-90-days-to-purge-all-kaspersky-products/
Bleeping Computer: US Officially Bans Kaspersky Products From Government Systems
https://www.bleepingcomputer.com/news/government/us-officially-bans-kaspersky-products-from-government-systems/

*************************** SPONSORED LINKS ********************************

1) SANS analyst Jerry Shenk will reveal how he put Carbon Black's Cb Defense through simulated attacks to see what it detected and how it took action. Register: http://www.sans.org/info/198330

2) "Behavior-Based IOCs: A New Approach for Automated Incident Response" with Jake Williams. Register: http://www.sans.org/info/198335

3) John Pescatore will discuss the latest in malware attacks and how your organization can respond using a synchronized security approach. http://www.sans.org/info/198340

******************************************************************************

THE REST OF THE WEEK'S NEWS

--Malware-Harboring Apps Pulled from GooglePlay Store (September 14, 2017)

Google has removed 50 apps from the GooglePlay Store because they contained malware that sends premium SMS messages without user consent and registers users for paid services. The free apps, which masqueraded as wallpaper, camera, and video editing apps, have been downloaded between 1 and 4.2 million times.

[Editor Comments]
[Pescatore] As far back as 2011, Google put out technical papers on detecting malware that was using packing/encrypting to evade detection. They were granted a patent for one technique just last year. Google has been quick to upgrade the protections in the Google Play app store process, but it looks like they've had a blind spot here for quite some time.
[Neely] The malware embedded in these applications is using advanced obfuscation techniques that make it much harder to detect. The tradeoffs made between application validation and timely release of new and updated apps in the Google Play Store allow for a certain amount of maleficence to slip through. If you're running the latest Android OS, Google Play Protect will remove applications like this when identified. Older device owners have to rely on adding anti-malware applications to their devices. If your device isn't already running Android 7.1 or 8, or prompting you to apply the update to those versions, it's time to replace it. Chris Crowley and Joshua Wright have put together a scorecard and processes which can be used to evaluate mobile applications.
https://github.com/joswr1ght/MobileAppReportCard

Read more in:
Threatpost: Premium SMS Malware 'ExpensiveWall' Infects Millions of Android Devices
https://threatpost.com/premium-sms-malware-expensivewall-infects-millions-of-android-devices/127976/
CNET: Google purges malicious Android apps with millions of downloads
https://www.cnet.com/news/google-removes-android-malware-downloaded-up-to-5-9m-times/
Ars Technica: Malicious apps with >1 million downloads slip past Google defenses twice
https://arstechnica.com/information-technology/2017/09/malicious-apps-with-1-million-downloads-slip-past-google-defenses-twice/

--Senator Seeks Answers from Telecoms on SS7 Security Solutions (September 14, 2017)

Senator Ron Wyden (D-Oregon) has written to the CEOs of major telecommunications companies, asking them what they are doing to protect their systems from vulnerabilities presented by the Signaling System 7 (SS7) protocols. SS7 allows mobile networks to communicate with each other. Wyden asked the companies to answer a number of questions, including whether they are having SS7-focused penetration tests conducted and whether they have installed an SS7 firewall. Wyden has requested responses by October 13.

Read more in:
Daily Beast: Senator Demands Answers From Telecom Giants on Phone Spying
http://www.thedailybeast.com/senator-demands-answers-from-telecom-giants-on-phone-spying

--Apache Struts Vulnerability Exploited in Equifax Breach (September 13 & 14, 2017)

Equifax has acknowledged that the massive breach that exposed personal information of as many as 143 million people was due to a failure to apply a patch for a vulnerability in Apache Struts. A patch for the flaw was released on March 6, 2017. The Equifax breach occurred in "mid-May" 2017.

[Editor Comments]
[Pescatore] This breach and WannaCry were just the most recent examples that "Security Hygiene Matters!" Back in 2002, Microsoft shut down the Windows division for a "security push" and put the keyboards down to focus on security of existing code before doing anything related to new features or new releases. It really is time for CIOs, CISOs and IT operations to be forced to do the same for configuration and vulnerability management Critical Security Controls processes.
[Neely] There are situations in which the possible business impact of applying a patch versus the risk of exploit has come down in favor of minimizing impact to the business. As a result of this disclosure, regulators are now making queries to ensure that CVE-2017-5638 and CVE-2017-9805 are patched, which puts efforts on reporting and tracking a specific potential weakness. Rather than second guessing what happened to Equifax, or debating exactly which threat vector was successfully exploited, this is a time to revisit your patching and vulnerability scanning processes to make sure that you're not missing patches, mitigations or supporting processes.

Read more in:
The Register: Missed patch caused Equifax data breach
http://www.theregister.co.uk/2017/09/14/missed_patch_caused_equifax_data_breach/
Ars Technica: Failure to patch two-month-old bug led to massive Equifax breach
https://arstechnica.com/information-technology/2017/09/massive-equifax-breach-caused-by-failure-to-patch-two-month-old-bug/
BleepingComputer: Equifax Confirms Hackers Used Apache Struts Vulnerability to Breach Its Servers
https://www.bleepingcomputer.com/news/security/equifax-confirms-hackers-used-apache-struts-vulnerability-to-breach-its-servers/

--Lawsuit Targets Warrantless Device Searches at US Border (September 13, 2017)

The American Civil Liberties Union (ACLU), ACLU of Massachusetts, and the Electronic Frontier Foundation (EFF) have filed a lawsuit against the US Department of Homeland Security (DHS) on behalf of 11 plaintiffs over warrantless searches of their digital devices at the US border. The plaintiffs, 10 US citizens and one lawful permanent resident, had their laptops and cell phones searched when they re-entered the US after traveling abroad. In some cases, the devices were retained for extended periods of time; one, confiscated in January 2017, has yet to be returned. None of the plaintiffs has been charged with wrongdoing.

Read more in:
SC Magazine: ACLU, EFF sue DHS over electronic device searches at border
https://www.scmagazine.com/aclu-eff-sue-dhs-over-electronic-device-searches-at-border/article/688570/
CNET: Homeland Security hit with lawsuit over phone, laptop searches
https://www.cnet.com/news/aclu-eff-sue-department-of-homeland-security-for-searches-of-phones-laptops/
EFF: Complaint for Injunctive and Declaratory Relief
https://www.eff.org/document/alasaad-v-duke-complaint

--Adobe Security Updates (September 13, 2017)

Adobe has released updates to address security issues in Flash Player, ColdFusion, and RoboHelp for Windows. The Flash updates, available for Windows, Mac, Linux, and Chrome OS, address two critical memory corruption flaws. The ColdFusion update includes fixes for four flaws, and the RoboHelp update fixes two flaws.

Read more in:
Threatpost: Adobe Fixes Eight Vulnerabilities in Flash, Robohelp, Coldfusion
https://threatpost.com/adobe-fixes-eight-vulnerabilities-in-flash-robohelp-flash-player/127944/
KrebsOnSecurity: Adobe, Microsoft Plug Critical Security Holes
https://krebsonsecurity.com/2017/09/adobe-microsoft-plug-critical-security-holes/
Adobe: Security updates available for Flash Player | APSB17-28
https://helpx.adobe.com/security/products/flash-player/apsb17-28.html
Adobe: Security updates available for ColdFusion | APSB17-30
https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html
Adobe: Security update available for RoboHelp | APSB17-25
https://helpx.adobe.com/security/products/robohelp/apsb17-25.html

--WordPress Plugin Installs Backdoor (September 13 & 14, 2017)

A WordPress plugin that has been downloaded more than 200,000 times has been found to install backdoors on websites. The malicious code has been found in DisplayWidgets plugin versions 2.6.1 through 2.6.3. The plugin has been removed from the WordPress plugin repository. DisplayWidgets has previously been removed three times for similar infractions.

Read more in:
Bleeping Computer: Backdoor Found in WordPress Plugin With More Than 200,000 Installations
https://www.bleepingcomputer.com/news/security/backdoor-found-in-wordpress-plugin-with-more-than-200-000-installations/
SC Magazine: Malicious WordPress plugin installed backdoor on 200,000 websites
https://www.scmagazine.com/malicious-wordpress-plugin-installed-backdoor-on-200000-websites/article/688878/

--Microsoft Patch Tuesday (September 12 & 13, 2017)

On Tuesday, September 12, Microsoft released fixes for more than 80 security issues in multiple products, including Windows, Office, Microsoft .NET Framework, Flash, Internet Explorer, and Edge.

Read more in:
ZDNet: Microsoft patches Office zero-day used to spread FinSpy surveillance malware
http://www.zdnet.com/article/microsoft-patches-office-zero-day-used-to-spread-finspy-surveillance-malware/
Ars Technica: Windows 0-day is exploited to install creepy Finspy malware (again)
https://arstechnica.com/information-technology/2017/09/for-2nd-time-this-year-windows-0day-exploited-to-install-finspy-creepware/
Computerworld: Bloated Patch Tuesday brings fix for nasty Word/RTF/Net vulnerability
https://www.computerworld.com/article/3224390/microsoft-windows/bloated-patch-tuesday-brings-fix-for-nasty-wordrtfnet-vulnerability.html
Softpedia: Microsoft Releases Security Updates to Fix 38 Windows Vulnerabilities
http://news.softpedia.com/news/microsoft-releases-security-updates-to-fix-38-windows-vulnerabilities-517722.shtml
Threatpost: Microsoft Patches .Net Zero Day Vulnerability in September Update
https://threatpost.com/microsoft-patches-office-zero-day-vulnerability/127946/
Microsoft: Security TechCenter: Security Update Summary
https://portal.msrc.microsoft.com/en-us/security-guidance/summary

--BlueBorne Bluetooth Attack (September 12 & 13, 2017)

A group of eight exploits, collectively dubbed BlueBorne, could be used to access devices that use Bluetooth. Attackers can use BlueBorne to access a device and control its screen and applications. Apple devices running iOS 10 and newer are not vulnerable to BlueBorne. Microsoft patched the flaws in Windows in July, and Google released a patch last month.

Read more in:
Wired: Hey, Turn Bluetooth Off When You're Not Using It
https://www.wired.com/story/turn-off-bluetooth-security/
TechCrunch: New Bluetooth vulnerability can hack a phone in 10 seconds
https://techcrunch.com/2017/09/12/new-bluetooth-vulnerability-can-hack-a-phone-in-ten-seconds/
Ars Technica: Billions of devices imperiled by new clickless Bluetooth attack
https://arstechnica.com/information-technology/2017/09/bluetooth-bugs-open-billions-of-devices-to-attacks-no-clicking-required/
Cyberscoop: BlueBorne: The latest Bluetooth vulnerability that impacts billions of devices
https://www.cyberscoop.com/bluetooth-vulnerability-blueborne-android-linux-microsoft/?category_news=technology
Threatpost: Wireless 'BlueBorne' Attacks Target Billions of Bluetooth Devices
https://threatpost.com/wireless-blueborne-attacks-target-billions-of-bluetooth-devices/127921/

--Flaws in D-Link Routers Exposed Before Fixes Are Available (September 12 & 13, 2017)

A dozen vulnerabilities in D-Link routers have been disclosed before the company has had time to develop and release patches. Ten of the flaws were disclosed without any prior notification to D-Link. The other two flaws were reported to the company, which has yet to issue patches for them.

Read more in:
Bleeping Computer: Second Researcher Drops Router Exploit Code After D-Link Mishandles Bug Reports
https://www.bleepingcomputer.com/news/security/second-researcher-drops-router-exploit-code-after-d-link-mishandles-bug-reports/
The Register: D-Link router riddled with 0-day flaws
http://www.theregister.co.uk/2017/09/12/dlink_router_security_fail/

INTERNET STORM CENTER TECH CORNER

Microsoft Patch Tuesday

https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
https://technet.microsoft.com/security/advisories

BlueBorne Bluetooth Vulnerability

http://go.armis.com/hubfs/BlueBorne%20Technical%20White%20Paper.pdf

No IPv6? Challenge Accepted

https://isc.sans.edu/forums/diary/No+IPv6+Challenge+Accepted+Part+1/22820/

Exploiting CVE-2017-8759

https://www.mdsec.co.uk/2017/09/exploiting-cve-2017-8759-soap-wsdl-parser-code-injection/

WordPress Plugin Found with Backdoor

https://www.pluginvulnerabilities.com/2017/09/11/wordpress-poor-handling-of-plugin-security-exacerbates-malicious-takeover-of-display-widgets/

Another Webshell; Another Backdoor

https://isc.sans.edu/forums/diary/Another+webshell+another+backdoor/22826/

D-Link Vulnerability

https://pierrekim.github.io/blog/2017-09-08-dlink-850l-mydlink-cloud-0days-vulnerabilities.html

Chrome To Label FTP As Insecure

https://groups.google.com/a/chromium.org/forum/#!msg/security-dev/HknIAQwMoWo/xYyezYV5AAAJ

More Google Play Store Malware

https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/

Elasticsearch Botnet

https://mackeepersecurity.com/post/kromtech-discovers-massive-elasticsearch-infected-malware-botnet


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create