Newsletters: Newsbites


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XVIII - Issue #94

November 29, 2016

TOP OF THE NEWS

Cities At Risk; San Francisco Ransomware Attack Could Have Caused Much More Damage
Deutsche Telekom Broadband Outages Involved Mirai Variant
Update: The Most Dangerous New Cyber Attack Vectors

THE REST OF THE WEEK'S NEWS

Japan's Defense Officials Investigating Reported Military Network Intrusion
Microsoft Patches Azure Flaw Affecting Red Hat Instances
CERT Analyst Says Microsoft Should Not Discontinue Support for EMET
Old InPage Zero Day Vulnerability Used in Attacks on Government and Bank Websites
US Navy Acknowledges Data Breach
Experts: Auditing Elections Should Be Routine
Gatak Trojan is Targeting the Healthcare Sector
Network Time Protocol Flaws Fixed
Akamai Report Details KrebsOnSecurity IoT DDoS
Pentagon Opens Hacking Challenge to Everyone

INTERNET STORM CENTER TECH CORNER


TOP OF THE NEWS

Cities At Risk; San Francisco Ransomware Attack Could Have Caused Much More Damage (November 27 & 28, 2016)

San Francisco (California) Municipal Transportation Agency (SFMTA) payment systems were offline over the weekend due to a ransomware attack. The attack began on Friday, November 25 and was contained by Sunday. SFMTA is in the process of restoring systems to operational status. The agency has refused to pay the US $73,000 ransom demand. In a note to Wired, the attacker claims this first attack was a "proof of concept," and critical infrastructure guru Mike Assante told Wired, "Unlike this attack, in a very sophisticated attack, they not only impact control systems, but also impede the ability to restore them." In other words, public services can be out for a long time.


[Editor Comments]

[Williams]
Ransomware attacks traditionally only impact availability, but in this case attackers apparently stole information as well. Faced with the prospect that SFMTA may not pay the ransom, the attackers are now threatening to release 30GB of stolen data online. The attackers (who are speaking to the press) have claimed that the initial intrusion vector was a malware-laden keygen utility used by an administrator. Also, ironically, the hacker who is extorting SFMTA has apparently been hacked himself (-https://krebsonsecurity.com/2016/11/san-francisco-rail-system-hacker-hacked/).


[Assante]
The attack was probably opportunistic and automated. The people behind these attacks do not have a great day when their conquest ends up attracting a lot of attention in the media or provoking prioritized law enforcement investigations.

Read more in:

Wired: SF's Transit Hack Could've Been Way Worse-And Cities Must Prepare
-https://www.wired.com/2016/11/sfs-transit-hack-couldve-way-worse-cities-must-prepare

CNET: Hackers take SF Muni for weekend joy ride
-https://www.cnet.com/news/hackers-sf-muni-ransomware-attack-muni/

Ars Technica: Ransomware locks up San Francisco public transportation ticket machines
-http://arstechnica.com/security/2016/11/san-francisco-muni-hit-by-black-friday-ransomware-attack/

Christian Science Monitor: Weekend of free rides follows ransomware attack on Bay Area transit
-http://www.csmonitor.com/Technology/2016/1128/Weekend-of-free-rides-follows-ransomware-attack-on-Bay-Area-transit

Dark Reading: San Francisco Transit Agency Earns Praise For Denying Ransom Request
-http://www.darkreading.com/endpoint/san-francisco-transit-agency-earns-praise-for-denying-ransom-request/d/d-id/1327574?

Deutsche Telekom Broadband Outages Involved Mirai Variant (November 28, 2016)

As many as 900,000 Deutsche Telekom customers found themselves without broadband service over the weekend due to attempts to infect home routers with a new variant of Mirai botnet malware. Since Sunday, November 27, customers using certain routers have had their Internet, phone, and television reception interrupted. Deutsche Telekom has released a software update and advised customers to reboot their routers.


[Editor Comments]

[Ullrich]
The underlying vulnerability was publicly released about 2 weeks before, and only known to affect routers of one Irish ISP. But even though Deutsche Telekom's modems are made by a different unrelated company, they apparently were vulnerable to the same flaw. It is very likely that the outage at Deutsche Telekom was not caused intentionally, but that instead the overly aggressive Mirai scanning engine used caused the outage as a side effect. Deutsche Telekom was able to react quickly and push firmware updates to affected users. Something we don't have for most of the other IoT type attacks.


[Honan]
We are seeing a large uptick in scanning on port 7547 which is an indicator that an IP address may be hosting a vulnerable device. If you are a telco I suggest you investigate ways to remediate these vulnerabilities with your customer devices as soon as practicable, while the rest of us should review our own systems to ensure appropriate DDoS mitigations are in place.

Read more in:

Computerworld: Upgraded Mirai botnet disrupts Deutsche Telekom by infecting routers
-http://computerworld.com/article/3145372/security/upgraded-mirai-botnet-disrupts-deutsche-telekom-by-infecting-routers.html

Reuters: German internet outage was failed botnet attempt: report
-http://www.reuters.com/article/us-deutsche-telekom-outages-idUSKBN13N12K

Ars Technica: Newly discovered router flaw being hammered by in-the-wild attacks
-http://arstechnica.com/security/2016/11/notorious-iot-botnets-weaponize-new-flaw-found-in-millions-of-home-routers/

Deutsche Telekom: Advisory: Information on current problems
-https://www.telekom.com/en/media/media-information/archive/information-on-current-problems-444862

Update: The Most Dangerous New Cyber Attack Vectors (November 28, 2016)

Ed Skoudis, Johannes Ullrich, and Michael Assante update their RSA2016 Conference briefing on the most dangerous new cyber attacks they are seeing against critical infrastructure, other enterprises, and even IoT in homes. Their webcast is scheduled for Thursday at 1 PM EST. RSA set a limit of 3,000 attendees and more than 1,600 have already signed up. Registration link:
-https://www.rsaconference.com/videos/virtual-session-the-six-most-dangerous-new-cyber-attack-techniques

THE REST OF THE WEEK'S NEWS

Japan's Defense Officials Investigating Reported Military Network Intrusion (November 28, 2016)

An unnamed source within Japan's Ground Self-Defense Force reported that a September attack on its system was successful. The attack may have compromised Japan's internal military network, the Defense Information Infrastructure. One official called it "a very serious situation," but other officials declined to provide additional information. At the same time, Japan's Defense Ministry has denied that the attack occurred, while saying that it experiences many attacks every week.

Read more in:

The Japan Times: Defense Ministry, SDF networks hacked; state actor suspected
-http://www.japantimes.co.jp/news/2016/11/28/national/politics-diplomacy/defense-ministry-hit-cyberattack-info-may-accessed/#.WDzuTqIrL-Y

The Register: Japan investigating defence network break-in
-http://www.theregister.co.uk/2016/11/28/japan_investigating_defence_network_breakin/

Computerworld: Japanese government denies report that its defense forces were hacked
-http://computerworld.com/article/3144062/security/japanese-government-denies-report-that-its-defense-forces-were-hacked.html

Microsoft Patches Azure Flaws Affecting Red Hat Instances (November 28, 2016)

Microsoft has fixed a configuration flaw in its Azure cloud platform that could have been exploited to gain administrative rights to Red Hat Enterprise Linux (RHEL) instances. It also patched a flaw in the Microsoft Azure Linux Agent that could have been exploited to obtain administrator API keys.

Read more in:

V3: Microsoft Azure bug put Red Hat instances at risk
-http://www.v3.co.uk/v3-uk/news/2478544/microsoft-azure-bug-put-red-hat-instances-at-risk

The Register: Microsoft update servers left all Azure RHEL instances hackable
-http://www.theregister.co.uk/2016/11/28/microsoft_update_servers_left_all_azure_rhel_instances_hackable/

SC Magazine: Microsoft update left Azure Linux virtual machines open to hacking
-http://www.scmagazineuk.com/microsoft-update-left-azure-linux-virtual-machines-open-to-hacking/article/575219/

CERT Analyst Says Microsoft Should Not Discontinue Support for EMET (November 24, 2016)

A vulnerability analyst from Carnegie Mellon University's CERT is urging Microsoft to reconsider its plan to end support for the Enhanced Mitigation Experience Toolkit (EMET). Microsoft plans to discontinue support for EMET because it says that "Windows 10 includes all the mitigation features that EMET administrators have come to rely on." CERT's Will Dormann says that a Windows 7 machine running EMET is more secure than a Windows 10 machine.


[Editor Comments]

[Murray]
While it might be true that "a Windows 7 machine running EMET is more secure than a Windows 10 machine," it does not follow that Microsoft should continue support. The use of Windows 7 with EMET is low, has never been as high as its security might justify, and its continued use does not require Microsoft's "support" or consent. The market clearly prefers open, general, and flexible systems from Microsoft to "secure" ones.

Read more in:

ZDNet: CERT to Microsoft: Don't kill EMET, Windows 10 will be less secure without it
-http://www.zdnet.com/article/cert-to-microsoft-dont-kill-emet-windows-10-will-be-less-secure-without-it/

The Register: CERT tells Microsoft to keep EMET alive because it's better than Win 10's own security
-http://www.theregister.co.uk/2016/11/24/cert_no_microsoft_even_win_7_emet_is_better_than_solo_win_10/

Old InPage Zero Day Vulnerability Used in Attacks on Government and Bank Websites (November 23 & 24, 2016)

Government and banking organizations are being targeted in attacks that exploit a zero-day flaw in the InPage desktop publishing application. The software is used primarily in Urdu-, Pashto-, and Arabic-speaking countries. Attacks have been detected against organizations in Myanmar, Sri Lanka, and Uganda. Kaspersky Lab, which detected the issue, has notified the vendor and Indian CERT. Once the malware has gained a foothold in a system, it contacts a command-and-control server and downloads remote access tools.

Read more in:

The Register: Attackers use ancient zero-day to pop Asian banks, govts
-http://www.theregister.co.uk/2016/11/24/attackers_use_yearsold_software_zero_day_to_pop_asia_pac_banks_govts/

Threatpost: InPage Zero Day Used in Attacks Against Banks
-https://threatpost.com/inpage-zero-day-used-in-attacks-against-banks/122112/

InfoSecurity Magazine: African and Asian Banks Hit by Targeted Zero Day
-http://www.infosecurity-magazine.com/news/african-and-asian-banks-hit-by/

US Navy Acknowledges Data Breach (November 24, 2016)

The laptop of a US Navy contractor employee was compromised, exposing personal information of more than 134,000 current and former US sailors. Investigators say that unknown people accessed the information which includes names and Social Security numbers (SSNs). The breach occurred in October.


[Editor Comments]

[Pescatore]
In December 2015 the new version of DFARS Clause 252.204-7012 detailed contractors' responsibilities for protecting sensitive information. Contractors have until December 2017 to be in full compliance with the requirements outlined in the clause and NIST 800-171.


[Honan]
A good example of why supply chain security is important to today's businesses. If you have outsourced business functions to a third party, ask yourself what assurances have you got that the third party will secure your information in accordance with your requirements? Also ask yourself what assurances have you got should that third party decide to then outsource those same functions to another party? You can outsource the function but not the responsibility for the security of that function.

Read more in:

Ars Technica: US Navy warns 134,000 sailors of data breach after HPE laptop is compromised
-http://arstechnica.com/security/2016/11/us-navy-warns-134000-sailors-data-breach-hpe-laptop-compromised/

SC Magazine: US Navy suffers data breach
-https://www.scmagazine.com/us-navy-suffers-data-breach/article/575184/

Federal News Radio: Navy: Sailors' personal information hacked on contractor's laptop
-http://federalnewsradio.com/navy/2016/11/navy-sailors-personal-info-hacked-on-contractors-laptop/

Experts: Auditing Elections Should Be Routine (November 23, 2016)

Some election security experts say that audits should be a routine part of US elections. Audits should not be used only to challenge results in contentious races, but should be a matter of course in all elections to help ease concerns about the trustworthiness of the security of the voting process.


[Editor Comments]

[Pescatore]
Volkswagen purposely used cheating software to make their cars report bogus emission levels - and got away with it for over 7 years. Auditing software-driven vote tabulation should be part of basic security hygiene for such a critical process. In line with that, I like Poorvi Vora's quote "Brush your teeth. Eat your spinach. Audit your elections."

Read more in:

Wired: Hacked or Not, Audit This Election (And All Future Ones)
-https://www.wired.com/2016/11/hacked-not-audit-election-rest/

Gatak Trojan is Targeting the Healthcare Sector (November 22 & 23, 2016)

The Gatak Trojan horse program has been targeting systems in the healthcare sector. Gatak spreads through websites that claim to offer licensing keys for pirated software, and through watering hole attacks. It evades detection by putting itself into a prolonged sleep mode after infecting computers.

Read more in:

The Register: Hospital info thief malware puts itself into a coma to avoid IT bods
-http://www.theregister.co.uk/2016/11/22/healthcare_trojan/

SC Magazine: On the Gatak: Trojan gang lures victims with fake software keys
-https://www.scmagazine.com/on-the-gatak-trojan-gang-lures-victims-with-fake-software-keys/article/574772/

InfoSecurity Magazine: Gatak Trojan Turns to Healthcare as Its Key Target
-http://www.infosecurity-magazine.com/news/gatak-trojan-turns-to-healthcare/

Network Time Protocol Flaws Fixed (November 21 & 23, 2016)

Those responsible for maintaining the Network Time Protocol daemon have patched 10 security issues in the "protocol [that is] designed to synchronize the clocks of computers over a network." The vulnerabilities affect versions of NTP.org ntpd prior to 4.2.8p9. Of the 10 flaws, one, which affects only Windows, is deemed critical.

Read more in:

SC Magazine: Fixes issued for ntpd flaws
-https://www.scmagazine.com/fixes-issued-for-ntpd-flaws/article/574722/

The Register: It's time: Patch Network Time Protocol before it loses track of time
-http://www.theregister.co.uk/2016/11/23/ntp_patch_time_rolls_around_again/

CERT: NTP.org ntpd contains multiple denial of service vulnerabilities
-http://www.kb.cert.org/vuls/id/633847

support.ntp.org: November 2016 ntp-4.2.8p9 NTP Security Vulnerability Announcement
-http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se

Akamai Report Details KrebsOnSecurity IoT DDoS (November 22, 2016)

Akamai's most recent quarterly State of the Internet report includes a detailed account of the massive, IoT-fueled distributed denial-of-service (DDoS) attack against the KrebsOnSecurity website in September. It "was the largest attack ever mitigated by Akamai" and was launched by approximately 24,000 Mirai-infected systems, most of which were DVRs, security cameras, and other devices that are part of the Internet of Things (IoT).


[Editor Comments]

[Murray]
The security concern of the "IoT" is the connection to the Internet of millions of weak systems, systems that can be exploited, from the Internet, by malicious people, for their own purposes. Of less concern, we are talking about the use of the Internet to connect to and interfere with the intended operation or use of "things" addressable from it. According to Akamai, most of these compromised systems used in the Krebs attack were old appliances that need not have been, should not have been, addressable from the public Internet in order to perform their intended purpose. Nice people do not connect weak systems directly to the public network. Even a relatively small number can be misused in very disruptive ways.

Read more in:

KrebsOnSecurity: Akamai on the Record KrebsOnSecurity Attack
-https://krebsonsecurity.com/2016/11/akamai-on-the-record-krebsonsecurity-attack/

Pentagon Opens Hacking Challenge to Everyone (November 22, 2016)

The US Department of Defense (DoD) has opened its "Hack the Pentagon" challenge to everyone. The program is not a bug bounty challenge - there are no monetary rewards for finding vulnerabilities - but it does provide a legal avenue for people to notify DoD of security issues they uncover.

Read more in:

Federal News Radio: Pentagon expands white-hat hacker challenge to all comers
-http://federalnewsradio.com/defense/2016/11/pentagon-expands-white-hat-hacker-challenge-comers/

INTERNET STORM CENTER TECH CORNER

Extracting Shellcode from Javascript
-https://isc.sans.edu/forums/diary/Extracting+Shellcode+From+JavaScript/21753/

Using Scapy to Test CozyDuke Snort Signatures
-https://isc.sans.edu/forums/diary/Scapy+vs+CozyDuke/21755/

Malicious JPEG Spreading via Facebook
-http://blog.checkpoint.com/2016/11/24/imagegate-check-point-uncovers-new-method-distributing-malware-images/

San Francisco Public Transport ("MUNI") hit by Ransomware
-http://sanfrancisco.cbslocal.com/2016/11/26/you-hacked-cyber-attackers-crash-muni-computer-system-across-sf/

Tesla Smartphone App Vulnerability
-https://promon.co/blog/tesla-cars-can-be-stolen-by-hacking-the-app/

Mirai Variant Scanning Port 5555 and 7547 For TR-069/SOAP Vulnerability
-https://isc.sans.edu/forums/diary/Port+7547+SOAP+Remote+Code+Execution+Attack+Against+DSL+Modems/21759/

Paypal OAuth Vulnerability
-http://blog.intothesymmetry.com/2016/11/all-your-paypal-tokens-belong-to-me.html


***********************************************************************
The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board