
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #9

January 31, 2017

The latest Ukraine attack choked off 65% more electric power, by disabling just 1 substation, than the major 2015 attack that disabled 50 substations. ICS attacks on power systems are gaining sophistication and virulence. The only place where the people who actually know the attack vectors used in these and the other disabling intrusions share the defenses that are effective, and contrast them with the defenses that are ineffective, is the SANS Industrial Control Systems Security Summit & Training in Orlando in March: live demonstrations, hands-on simulations, and a strategic planning workshop, combined with hands-on immersion training classes.

Deadline in 12 days for nominations for the SANS "Best of 2016" awards for the products and services that made a difference for you in 2016. Information and instructions at

All who send in a nomination or participate in the survey are eligible to win an iPad.


Ransomware Locks Hotel Guests Out of Rooms
Ransomware Costs Texas PD Eight Years of Evidence
Ransomware Infects D.C. Police Closed Circuit Camera Storage Devices
Second Round Ukrainian Power Station Attack Investigation
Virginia Governor Announces Free Cyber Training for Skilled Veterans


Mozilla: Half of Web Traffic is Encrypted
Linux.Proxy.10 Trojan
U.S. and Russia Both Seeking Cyberattack Suspect's Extradition
Google Launches Root Certificate Authority
WordPress Updated to Version 4.7.2
Microsoft Warns of Clever PDF Phishing Techniques
Moving Target Defense
Army Reserve Cyber Warrior Database






Ransomware Locks Hotel Guests Out of Rooms (January 30, 2017)

A hotel in Austria paid 1,500 euros (USD 1,600) after its computer systems became infected with ransomware, which resulted in arriving guests being unable to unlock the doors to their rooms with card keys. Guests were not trapped in their rooms, despite early reports saying so. This was not the first time the Romantik Seehotel Jaegerwirt has experienced such an attack. The hotel replaced computers and decoupled networks, which prevented another attempted attack. The hotel is also planning to return to "old-fashioned door locks with real keys" to prevent guests from being locked out of their rooms by a malware attack in the future.

[Editor Comments]

[Ullrich]
It appears that the hotel's registration systems, which are regular Windows PCs, were infected with ransomware. Earlier versions of the story reported that the hotel's guests were locked in their rooms, which turned out to be wrong. The attack prevented the hotel from creating new room keys. But existing keys still worked and guests could leave their rooms. Fire codes usually require that egress is allowed in case of a system or power failure, and electronic locks usually have a mechanical override at least on the inside of the room. Currently, this type of attack does not infect the devices themselves, but instead the PCs used to control the devices. Of course, more sophisticated attacks against power systems have been targeting and damaging devices as well, not just the control systems.

[Pescatore]
A good reminder that ransomware is essentially a form of denial of service. The most common attack vector has been to encrypt data to deny access/use, and making sure that critical data has been backed up is a key part of preparedness. However, as this attack and the San Francisco Municipal rail system attack point out, malware encrypting data and/or executables can also disable revenue producing services. Basic security hygiene (such as the first 5 of the CIS Critical Security Controls) on critical servers raises the bar effectively and efficiently against these forms of attack.

[Honan]
One of the key (excuse the pun) elements in a successful incident response process is the learnings gained from the security incident and how to prevent the same breach happening again. The fact the hotel suffered a similar attack but had not learned enough to prevent it reoccurring indicates that they should spend more time on improving that review process.

Read more in:

V3: Hotel pays ransomware after guests locked out of rooms

The Register: Ransomware avalanche at Alpine hotel puts room keycards on ice

SC Magazine UK: Hotel hit by ransomware attack, reports of guests trapped untrue

Ransomware Costs Texas PD Eight Years of Evidence (January 27, 2017)

The computer system at a police department in Texas became infected with ransomware. The Cockrell Hill Police Department's backup system had backed up its files only after they had been encrypted with the malware. The department decided not to pay the ransom after learning from the FBI that there was no guarantee their encrypted data would be returned. The lost files included video evidence in legal cases. The department has started notifying defense attorneys that the video evidence in those cases no longer exists.

[Editor Comments]

[Murray]
Backup must not be visible to the system being backed up. This is just one more example of why one must revisit one's backup strategy to resist ransomware.

[Honan]
The more I read about ransomware cases, the more frustrated I become at the lack of basic principles regarding backup strategies and good Business Continuity Planning. If ransomware can make your backups ineffective and/or your BCP cannot recover you to a workable state, then you really are a hostage to fortune when it comes to the resilience of your systems. Forgetting about zero day malware detection solutions and focusing on a good solid backup and recovery strategy will enable many businesses to recover from a ransomware attack and indeed from other disasters.

Read more in:

The Register: Texas cops lose evidence going back eight years in ransomware attack

Ransomware Infects D.C. Police Closed Circuit Camera Storage Devices (January 27 & 30, 2017)

A ransomware attack caused storage devices for surveillance cameras used by police in Washington D.C. to be offline for three days in mid-January. The attack affected 70 percent of the devices that the police use to monitor public spaces. The ransom demand was not paid; instead, the city took the devices offline, removed all the software, and reset them.

Read more in:

SC Magazine: Police camera system in D.C. hit with ransomware

The Register: Ransomware killed 70% of Washington DC CCTV ahead of inauguration

Washington Post: Hackers hit D.C. closed-circuit camera network, city officials disclose

Second Round Ukrainian Power Station Attack Investigation (January 20, 2017)

A December 2016 power outage affecting a Ukrenergo substation in Pivnichna, Ukraine, was caused by outside attackers, according to a preliminary investigation. The incident affected parts of Kiev, and power was fully restored within one hour. Cybersecurity firm ISSP says that the December 2016 attack is likely related to another attack that occurred a year earlier and affected 225,000 people.

[Editor Comments]

[Assante]
The second round of cyber attacks resulting in another outage should not be a surprise to anyone. This successful attack impacted the Transmission Operator in Ukraine raising the stakes as the possible outage size grows tremendously. Time for defenders to notice! In ICS security, the difference between success and failure is often determined by a prepared mind, situational awareness, and a skilled workforce.

Read more in:

SocPedia: Cyber Attack Confirmed to Be the Cause of the Power Outage in the Ukraine over Christmas 2016

Virginia Governor Announces Free Cyber Training for Skilled Veterans (January 31, 2017)

Virginia and SANS partnered to provide two spring 2017 VetSuccess academies to train skilled veterans for immediate employment in cybersecurity. Joseph Robbins, 2015 VetSuccess Academy graduate said, "Without the Academy I'd have finished my degree and would still be looking for a job. Instead, everything worked out and I'm right where I want to be. SANS gave me the practical real world experience and certifications that employers demand. I even received a sizable pay raise as a direct result of putting the skills I learned through the SANS courses to use. I can't say enough about the VetSuccess program - definitely worth it!"





Mozilla: Half of Web Traffic is Encrypted (January 30, 2017)

According to Mozilla, the average volume of encrypted, or HTTPS, Internet traffic now exceeds the average volume of unencrypted traffic. While HTTPS does not hide the fact of visiting a website, it makes it more difficult for others to detect what content users are viewing or posting. It also makes it more likely that the content being viewed has not been altered by bad actors. HTTPS has been around for more than 20 years, but has only recently begun to gain purchase as an important security measure for online activity outside of payment card transactions. That said, HTTPS has its share of shortcomings: 200,000 servers are still vulnerable to Heartbleed, and there are cases of criminals obtaining certificates to make fraudulent websites appear legitimate.

[Editor Comments]

[Pescatore]
Outside of government surveillance, there aren't many real world attack scenarios where the use of HTTPS for browser-to-server communications would have thwarted the attack. More routine encryption of data in motion is a good thing, unless it diverts resources and attention away from making progress in encrypting data at rest - and progress there has been much slower. When thieves are stealing cars from driveways and parking lots, tinting the windows isn't the top priority action.

[Honan]
While on the face of it this is good news, HTTPS encrypts only the traffic between the server and the client and we need to ensure that non-technical people do not fall into the trap of thinking HTTPS means the server, or indeed the client device, is secure.

Read more in:

Wired: Half the Web is Now Encrypted. That Makes Everyone Safer

Linux.Proxy.10 Trojan (January 30, 2017)

The Linux.Proxy.10 Trojan horse program infects devices with standard settings or that are already infected with Linux malware. Once it has gained access to a device, the malware runs a SOCKS5 proxy server that lets attackers connect to that device to hide their identities while online.

Read more in:

SC Magazine: Linux.Proxy.10 infects thousands of devices with standard settings

Softpedia: Malware Authors Switch Focus from Windows to Linux, Thousands of PCs Infected

U.S. and Russia Both Seeking Cyberattack Suspect's Extradition (January 27, 2017)

Both Russia and the U.S. are seeking the extradition of Yevgeniy Nikulin from Prague, Czechia (the Czech Republic). Nikulin was arrested by authorities in Prague last October. In the U.S., Nikulin is facing charges involving attacks against LinkedIn, Dropbox, and Formspring. Russia is seeking Nikulin's extradition to that country to face an eight-year-old charge related to an attack against a bank's computer system. Prague's chief prosecutor is expected to make a ruling in the case in early February.

Read more in:

The Register: US and Russia engaged in legal tug of war over LinkedIn hack suspect

Google Launches Root Certificate Authority (January 26, 27, & 30, 2017)

Last week, Google announced that it has established its own Root Certificate Authority. Google Trust Services will operate Certificate Authorities on behalf of Google and Alphabet. Google has bought the existing root certificate authorities GlobalSign R2 and R4. Google will continue to operate its GIAG2 subordinate Certificate Authority.

[Editor Comments]

[Ullrich]
Google has been a long-time critic of the existing certificate authority ecosystem, and has often been the victim of attacks and sloppy certificate authority practices. It is just logical for Google to try to control certificates it uses end-to-end and reduce their reliance on external certificate authorities.

[Pescatore]
Per the Mozilla SSL item above, I would rather see Google resources focused on making it easier for all to routinely encrypt stored data. That runs against Google's search engine/ad revenue driven business model but would be much, much more powerful in making Internet use safer for all.

[Northcutt]
This is good news. Note where their blog post says "we still recommend you include a wide set of trustworthy roots." Google maintains a sample PEM file (an X.509 encoding, similar to .DER or .CRT). On a Mac this translates to the Keychain Access app: