Interactive Courses + Cyber Defense NetWars Available During SANS Scottsdale: Virtual Edition 2021. Save $300 thru 1/27.

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #22

March 17, 2017

SANS would like to hear your thoughts on the most important trends impacting cybersecurity programs over the next three years. See the list here ( Tell us whether you agree and what is missing.


Rob Joyce to be Named White House Cybersecurity Coordinator
Just 11 Percent of Cybersecurity Jobs Held by Women
RAND Zero-Day Vulnerability Study


Fixes Available for Linux Kernel Flaw
Apache Struts Attacks
Critical SAP Flaw in GUI Client
Four Charged in Yahoo Breach
WhatsApp and Telegram Fix Flaws that Could Be Exploited to Take Over Accounts
Adobe Releases Updates for Flash and Shockwave
Second Person Charged in Connection with Citadel Malware
Microsoft's March Patch Tuesday Incorporates February's Fixes, Postpones Move to Database
SXSW: Congressman Proposes National Guard for Cybersecurity



*************************** Sponsored By Carbon Black **********************
Thinking about replacing your antivirus? Download this free proof of concept checklist for selecting a next-gen antivirus solution - Download now: ***************************************************************************


-- SANS 2017 | Orlando, FL | April 7-14 |

-- Threat Hunting & IR Summit & Training 2017 | New Orleans, LA | April 18-25, 2017 |

-- SANS Baltimore Spring 2017 | April 24-29 |

-- SANS London July 2017 | July 3-8 |

-- SANS Cyber Defence Singapore | July 10-15 |

-- SANS Online Training: Special Offer! Register by March 1 and choose a GIAC Certification Attempt or $400 Off your OnDemand and vLive courses.
OnDemand -
vLive -

-- Single Course Training
SANS Mentor
Community SANS
View the full SANS course catalog



Rob Joyce to be Named White House Cybersecurity Coordinator (March 13 & 15, 2017)

The White House will appoint Rob Joyce, currently chief of the NSA's Tailored Access Operations, to manage federal cybersecurity policy. In his capacity as White House cyber security coordinator, Joyce will sit on the National Security Council.

[Editor Comments]

[Paller] Rob has been one of the leaders at NSA in sharing knowledge. A flash notice in Newsbites 9 months ago points to a prime example: "Amazing! The leader of most skilled people at NSA who carry out nation-state attacks (Rob Joyce of TAO) shared the techniques his team would use to stop nation-state attackers like themselves, in a briefing that was recorded and is a 35-minute YouTube video at This is the most authoritative talk on offense informing defense I have very seen." He starts that talk saying 'I am going to show you what you can do to stop nation-state hackers like me.'

Read more in:

The Hill: White House to bring on NSA hacker to NSC
Nextgov: Trump Cyber Czar Brings Deep Expertise But Maybe Some Baggage, Too
FCW: NSA vet Joyce to lead cyber at White House
Keynote, BSides Augusta 2016: Robert Joyce

Just 11 Percent of Cybersecurity Jobs Held by Women (March 15 & 16, 2017)

According to the 2017 Global Information Security Workforce Study, just 11 percent of cybersecurity jobs are held by women. North America has the highest percentage of women in the cybersecurity workforce at just 14 percent. The report found that women earned less than their male counterparts.

Read more in:

FCW: More work needed to get women in cyber jobs
CyberScoop: Women paid less than men at every level of cybersecurity industry, report says
Dark Reading: Women Still Only 11% of Global InfoSec Workforce
IAmCyberSafe: Global Information Security Workforce Study
CyberScoop: CyberScoop's 2017 Top Women in Cybersecurity

RAND Zero-Day Vulnerability Study (March 9, 2017)

A zero-day vulnerability study from the RAND Corporation found that zero-day exploits and their associated flaws have an average lifespan of 6.9 years; there were no characteristics of vulnerabilities that determined their life-span; and "for a given stockpile of zero-day vulnerabilities, after a year, approximately 5.7 percent have been publicly discovered and disclosed by another entity."

[Editor Comments]

[Pescatore] The report is aimed at policy makers considering the "Should the government tell private industry about zero day vulnerabilities it discovers?" and is based on looking at 207 zero day vulnerabilities that were discovered by white hat researchers between 2002-2016. From this data, the risk of the government staying quiet is numerically low - 94.3% of time no other good guys found the zero day vulnerability. But, they point out they don't have data on how many the bad guys found, and I think we have learned that the US certainly does *not* have a monopoly on skilled white hats or black hats - the real world percentage of zero days known by adversaries is surely higher. This is a tough national policy problem but an easy security problem - vulnerabilities that are disclosed faster get fixed faster. Of course, software that is built better starts out fixed...

Read more in:

RAND: Zero Days, Thousands of Nights
CyberScoop: Zero day study: Hoarding exploits less harmful than generally thought
*************************** SPONSORED LINKS *****************************
1) Protect Your Users Everywhere and Proactively Fight Against Cyberattacks. Try a FREE Product Eval Today!
2) Join Cybereason's Brad Mecha, and Dave Shackelford, SANS Analyst, to learn how to elevate your current threat hunting program. Register:
3) Don't Miss: MobileIron Security Labs: Combatting the Current State of Mobile Enterprise Security. Register:


Fixes Available for Linux Kernel Flaw (March 16, 2017)

Fixes are available for a vulnerability in the Linux kernel that has been present for seven years. The race condition in the n_hdlc driver could be exploited to gain elevated privileges. Users should install available updates or block the affected module manually.

Read more in:

The Register: Dormant Linux kernel vulnerability finally slayed

Apache Struts Attacks (March 16, 2017)

A vulnerability in Apache Struts is being actively exploited. The issue lies in the Apache Struts Jakarta Multipart parser. The flaw can be exploited to execute code by using a specially-crafted Content-Type http header. Users are urged to upgrade to Apache Struts version 2.3.32 or version

Read more in:

SC Magazine UK: Apache Struts vulnerability being exploited by attackers
Apache: Apache Struts 2 Documentation

Critical SAP Flaw in GUI Client (March 15 & 16, 2017)

SAP's monthly security update for March includes fixes for a number of flaws in the SAP HANA database system. The batch of fixes also addresses a vulnerability in the SAP GUI client that affects millions of users.

Read more in:

eWeek: SAP Patches Multiple HANA Vulnerabilities in March Update
Dark Reading: ERP Attack Risks Come into Focus
V3: Warning over critical SAP vulnerability affecting millions of client PCs worldwide
The Register: SAP pushes 25 patches and two patch patches

Four Charged in Yahoo Breach (March 15, 2017)

The US Department of Justice (DoJ) has announced the indictment of four people in connection with a massive breach that compromised 500 million Yahoo accounts. Two of the suspects, Dmitry Dokuchaev and Igor Sushchin, are officers in Russia's Federal Security Service (FSB). The other two suspects, Alexsey Belan and Karim Baratov, are cybercriminals who allegedly worked with Russian intelligence. Charges against the four include conspiracy, computer fraud and abuse, economic espionage, and aggravated identity theft.

[Editor Comments]

[Northcutt] There are two stories in this stack. One is clearly the Russian FSB officers and their minions. However the US and Russia do not have an extradition agreement. The second story which I find more interesting is the use of forged cookies to access accounts. A large number of websites use cookies to allow users to access their sites without logging in every time. Even if you do not accept cookies with your browser, an attacker who can deduce the structure of the cookie and collect enough information to fill in the fields, will have a fair chance of accessing your account. So be patient with web sites that require two-factor authentication such as a code sent to your mobile phone. They have your best interest at heart. The WSJ cookie article appears to be pay-walled so I have found an alternative.
Read more in:

DoJ: U.S. Charges Russian FSB Officers and Their Criminal Conspirators for Hacking Yahoo and Millions of Email Accounts
CSMonitor: US charges Russian spies, hackers with massive Yahoo breach
WSJ: How Hackers Turned Yahoo's Own System Against Its Users
NYT: Indictment Details Collusion Between Cyberthief and 2 Russian Spies
Ars Technica: US charges two Russian agents with ordering hack of 500m Yahoo accounts
DarkReading: DoJ Indicts Russian FSB Officers and Cybercriminals in Yahoo Breach

WhatsApp and Telegram Fix Flaws that Could Be Exploited to Take Over Accounts (March 15, 2017)

WhatsApp and Telegram have patched the web-based versions of their encrypted communications services to fix a vulnerability that could have put accounts at risk of being hijacked. Check Point Software, which detected the flaw, notified both companies on March 7; both companies have fixed the problem.

Read more in:

ZDNet: Flaw in web versions of WhatsApp, telegram put accounts at risk
Computerworld: Malicious uploads allowed hijacking of WhatsApp and telegram accounts
CNET: WhatsApp, Telegram flaws left accounts vulnerable to hackers
Softpedia: WhatsApp & Telegram Fix Critical Flaws in Web Platforms Allowing Account Hijack
Wired: WhatsApp Hack Shows That Even Encryption Apps are Vulnerable in a Browser
Check Point: Check Point Discloses Vulnerability That Allowed Hackers to Take over Hundreds of Millions of WhatsApp & Telegram Accounts

Adobe Releases Updates for Flash and Shockwave (March 14 & 15, 2017)

Adobe has released updates for Flash Player and Shockwave Player. The Flash updates fix seven vulnerabilities, six of which are considered critical. Users running Flash on Windows, Mac, Linux, and Chrome operating systems are urged to upgrade to version The Shockwave update fixes one vulnerability that could be exploited to gain elevated privileges.

[Editor Comments]

[Neely] Here is another reminder to reconsider your use of Flash. Many organizations replace flash with HTML 5 but leaving Flash behind means some content, often training material, is not available to users. This has to be factored into the decision to restrict its use. If you must use Flash, you must also commit to patching it as the cycle of patch upon patch is not going to let up anytime soon, and you'll need to have sufficient defense mechanisms at the endpoint to protect against exploitation.

Read more in:

ZDNet: Adobe fixes critical code execution bugs in Flash
KrebsOnSecurity: Adobe, Microsoft Push Critical Security Fixes
Softpedia: Adobe Fixed Critical Vulnerabilities in Flash and Shockwave
Adobe: Security updates available for Adobe Flash Player
Adobe: Security update available for Adobe Shockwave Player

Second Person Charged in Connection with Citadel Malware (March 14 & 15, 2017)

The US Department of Justice (DoJ) has charged Mark Vartanyan with computer fraud for allegedly developing, improving and maintaining malware known as Citadel. Vartanyan was extradited to the US from Norway in December 2016. Citadel is used to steal information, including financial account access credentials. The malware is estimated to have infected 11 million computers and is responsible for losses of more than USD 500 million. Vartanyan is the second person to be charged in connection with Citadel. In December 2015, Dimitry Belorossov was sentenced to four-and-a-half years in prison for operating a Citadel botnet.

Read more in:

Dark Reading: Russian Hacker Charged in 'Citadel' Malware Attacks
DoJ: Russian Hacker "Kolypto" Extradited from Norway
Reuters: Russian sentenced to four-and-a-half years in U.S. prison for 'Citadel' malware (2015)

Microsoft's March Patch Tuesday Incorporates February's Fixes, Postpones Move to Database (March 14, 2017)

March's Patch Tuesday comprises 18 security bulletins fixing at least 135 vulnerabilities. In addition to the large patch release due to February's patched being delayed, Microsoft has put off retiring the bulletin model that was supposed to end in January. February's update was going to be the debut of Microsoft's searchable support document database, but the March update, which incorporates fixes that presumable had been scheduled for release last month, returns to the bulletin model.

Read more in:

ZDNet: Microsoft finally fixes 'critical' Windows security flaw after patch delay
Computerworld: Microsoft fixes record number of flaws, some publicly known
TechNet: Microsoft Security Bulletin Summary for March 2017
Computerworld: Microsoft stays security bulletins' termination

SXSW: Congressman Proposes National Guard for Cybersecurity (March 12 & 14, 2017)

Speaking at the SXSW (South by Southwest) conference last week, US congressman Ruben Gallego said that establishing cybersecurity reserve could help the government protect the country from digital threats and bolster the country's security. The military has established career paths that focus on cybersecurity, but many people with cybersecurity skills may not be interested in joining the military. "We could definitely use their knowledge in service to our country," said Gallego, adding that "we need to find a way to bring in your cyber warrior to come in and work for the NSA, or Department of Defense for a couple weeks per year."

[Editor Comments]

[Neely] This is an attractive idea. It is challenging to get cyber defenders to join the military, so a reserve model of a couple of weeks a year would sweeten the pot, and possibly mitigate the risks of them getting lured away by the private sector.

Read more in:

CNN: Congressman: We need a National Guard for cybersecurity
Military Times: Congressman proposes creating a National Guard for cybersecurity


Microsoft's Double Patch Tuesday

Twitter App "Twitter Counter" Compromise Leads to Unauthorized Tweets from a Large Number of Accounts

Telegram and WhatsApp Image Vulnerability

RSA Panel Webcast

Certain Ubiquity Equipment Vulnerable to CSRF/Code Execution

Proton Mac OS RAT

Linux Kernel n_hdlc Privilege Escalation

VMWare Copy/Paste Exploit Fixed

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here:

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit