
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #100

December 21, 2018

Emergency Updates for Actively Exploited IE Flaw; Windows Sandbox; US Aerospace Industry Publishes Voluntary Cybersecurity Standard for Government Contractors






  Microsoft Releases Emergency Updates for Critical IE Flaw That is Being Actively Exploited

  Windows Sandbox

  US Aerospace Industry Lobby Group Publishes Voluntary Cybersecurity Standard for Government Contractors


  Alleged Chinese Espionage Violates 2015 Agreement

  US Senate Passes Bill That Would Create Pilot Program to Examine Using Analog Controls for Power Grid Security

  Hack the Air Force 3.0 Results

  EU Diplomatic Cables Exposed for Three Years

  Hackers Targeting Middle East Activists' and Journalists' Email Accounts

  DOD Inspector General: Pentagon Has Not Implemented Software Application Rationalization Across the Organization

  Supply Chain Security Legislation

  US, UK, and Netherlands Seize Booter Domains

  NASA Internal Server Breached; Employee Data Compromised

  Baby Monitor Hacked; Nest Resets Re-Used Passwords




-- SANS Security East 2019 | New Orleans, LA | February 2-9 | https://www.sans.org/event/security-east-2019

-- SANS Amsterdam January 2019 | January 14-19 | https://www.sans.org/event/amsterdam-jan-2019

-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 | https://www.sans.org/event/cyber-threat-intelligence-summit-2019

-- SANS Las Vegas 2019 | January 28-February 2 | https://www.sans.org/event/las-vegas-2019

-- SANS London February 2019 | February 11-16 | https://www.sans.org/event/london-february-2019

-- SANS Anaheim 2019 | February 11-16 | https://www.sans.org/event/anaheim-2019

-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 | https://www.sans.org/event/secure-japan-2019

-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 | https://www.sans.org/event/osint-summit-2019

-- SANS Secure Singapore 2019 | March 11-23 | https://www.sans.org/event/secure-singapore-2019

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Last Chance this year to Get a GIAC Certification Attempt Included or Take $350 Off with OnDemand or vLive. Offer Ends December 26.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast | https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap



***************************  Sponsored By SANS  ******************************

Attend SANS Open-Source Intelligence Summit in Washington, DC; February 25. This inaugural Summit will bring together leading security practitioners and investigators to share proven techniques and tools that can be applied to OSINT gathering and analysis. You'll get practical methods for collecting and leveraging available information across the Internet. http://www.sans.org/info/209340



--Microsoft Releases Emergency Updates for Critical IE Flaw That is Being Actively Exploited

(December 19 & 20, 2018)

Microsoft has released a security update for Internet Explorer (IE) outside of its regular monthly cycle. The out-of-band patch fixes CVE-2018-8653, a remote code execution vulnerability in the way the IE scripting engine handles objects in memory: a crafted web page, or an ActiveX control or Office document that hosts the IE rendering engine, can corrupt memory and run code with the rights of the logged-on user. The vulnerability is being actively exploited. It affects IE 9, 10, and 11; updates were released for Windows 7, 8.1, and 10, as well as for Windows Server 2008, 2008 R2, 2012, 2016, and 2019. Microsoft credited Clement Lecigne of Google's Threat Analysis Group with reporting the flaw. For systems that cannot be patched immediately, Microsoft's advisory describes a workaround that removes the Everyone group's access to jscript.dll, the legacy JScript engine; the advisory also explains how to undo that change, and it is no substitute for installing the update.

Read more in:

Microsoft: CVE-2018-8653 | Scripting Engine Memory Corruption Vulnerability


Technet: December 2018 Security Update Release


The Register: On the first day of Christmas, Microsoft gave to me... an emergency out-of-band security patch for IE


ZDNet: Microsoft releases security update for new IE zero-day


CNET: Microsoft patches Internet Explorer to stop PC takeover attacks


KrebsOnSecurity: Microsoft Issues Emergency Fix for IE Zero Day


Threatpost: Microsoft IE Zero Day Gets Emergency Patch


Bleeping Computer: Microsoft Releases Out-of-Band Security Update for Internet Explorer RCE Zero-Day


Computerworld: Microsoft delivers emergency patch for under-attack IE



--Windows Sandbox

(December 19, 2018)

Earlier this year, Microsoft indicated that it was planning a Windows 10 feature called InPrivate Desktop for enterprise users; the feature has been renamed Windows Sandbox and has now appeared in Windows Insider preview build 18305 for Windows 10 Pro and Enterprise. Windows Sandbox is "an isolated, temporary desktop environment where you can run untrusted software without the fear of lasting impact to your PC," according to Microsoft. It is a lightweight Hyper-V virtual machine built from the host's own Windows image; everything inside it is discarded when the window is closed. It ships as an optional Windows feature that is off by default, and it requires hardware virtualization to be enabled in firmware (nested virtualization if the host is itself a VM).

[Editor Comments]

[Murray] Users of Apple iOS have enjoyed such a safe execution environment for years. My PC is configured to resist running any untrusted software or to interpret downloaded data (a pain) and I do all browsing and e-mail on my iPad or iPhone. Software to automagically intercept and interpret all URLs in a virtual machine (isolated, temporary, and safe environment) has been available at a price for years. Provision of such an isolated environment by Microsoft is late but powerful. One hopes that it is on by default.

Read more in:

Ars Technica: Microsoft unveils Windows Sandbox: Run any app in a disposable virtual machine


Bleeping Computer: Microsoft's Windows Sandbox Runs Programs in an Isolated Desktop


Microsoft: Windows Sandbox


--US Aerospace Industry Lobby Group Publishes Voluntary Cybersecurity Standard for Government Contractors

(December 13, 2018)

A trade group that lobbies on behalf of US defense contractors has released a voluntary cybersecurity standard that it says will give industry a baseline for "true security" and serve as a companion to DOD's current minimum standards. The Aerospace Industries Association (AIA) standard offers a checklist based on 20 metrics, such as data protection, malware defenses, and training. Companies would rate themselves.

[Editor Comments]

[Neely] This is an attempt to devise standard practices for contractors to meet requirements in NIST SP 800-171 as well as other practices to ensure the cyber protections of systems are sufficient. Devising a common control catalog or implementation guide provides a mechanism to see other accepted practices that meet the requirements rather than spending a lot of time second guessing the control intent. Using such a catalog requires implementers to not only adopt changes, but also seek to understand the threats those implementations are intended to mitigate.

[Paller] No contractor should follow this program until the team provides a prioritized map to the most critical controls, an order of implementation, and an automated system for measuring implementation. As it is, it's just more paper without any chance of improving security in the contractor community.

Read more in:

Washington Post: Trade group pushes voluntary cybersecurity standards for defense contractors


AIA: AIA Releases Cybersecurity Standard


AIA: Cyber Security



1) Don't Miss "Breaking Bad Bots - The New #1 Threat and How to Stop Them" Register: http://www.sans.org/info/209345

2) Does your vulnerability management program cover your organization's cloud workloads, partner access, IoT and industrial control systems? Take the SANS Survey and enter to win a $400 Amazon gift card

3) How are you using the public cloud to meet your business needs? What challenges do you face? Take the SANS Cloud Survey and enter to win a $400 Amazon gift card http://www.sans.org/info/209355




--Alleged Chinese Espionage Violates 2015 Agreement

(December 20, 2018)

The US Department of Justice (DOJ) has unsealed an indictment that alleges two Chinese citizens committed aggravated identity theft and conspired to commit computer intrusions and wire fraud. Zhu Hua and Zhang Shilong were allegedly members of the APT10 group and allegedly worked on behalf of China's Ministry of State Security. They stand accused of infiltrating systems at numerous US companies and government agencies, as well as other organizations around the world (including managed service providers, whose access was then used against their clients), and of stealing sensitive business information. US officials say that the alleged activity violates the 2015 agreement between China and the US to stop conducting cyber espionage for commercial gain.

Read more in:

Justice: Two Chinese Hackers Associated With the Ministry of State Security Charged with Global Computer Intrusion Campaigns Targeting Intellectual Property and Confidential Business Information


Bloomberg: Chinese Nationals Accused in U.S. of Decade of Hacking


MeriTalk: DoJ Unveils Charges Against Chinese State-Sponsored Hackers


FBI: Chinese Hackers Indicted


Reuters: Exclusive: China hacked HPE, IBM and then attacked clients - sources


Ars Technica: US and allies: New hacks mean China broke 2015 economic espionage pact



--US Senate Passes Bill That Would Create Pilot Program to Examine Using Analog Controls for Power Grid Security

(December 20, 2018)

The US Senate has passed a bill that would establish a pilot program aimed at reintroducing analog security controls to the country's power grid. The Securing Energy Infrastructure Act would appropriate US $10 million for the program. The Department of Energy (DOE) would be responsible for finding volunteer organizations within the energy sector to pilot analog and other non-digital systems for use in protecting the energy grid.

[Editor Comments]

[Neely] America has fully embraced technology and its use with power grid ICS components, which permits control and management of those systems to scale. While there are inherent risks with this path, recommendations have emerged since the 2015 and 2016 power grid attacks, which include strong egress controls, micro-segmentation/isolation, and separation of activities, which when implemented would strengthen the security posture of these systems. Given the long lifecycle of system components, these activities need to be completed regardless of replacing items with non-digital equivalents.

Read more in:

Nextgov: Plan to Dumb-Down the Power Grid In Name of Cybersecurity Passes Senate


MeriTalk: Senate Passes Legislation to Secure Electric Grid, Control Systems



--Hack the Air Force 3.0 Results

(December 20, 2018)

The Hack the Air Force 3.0 bug bounty program ran from October 19 to November 22, 2018. Nearly 30 vetted researchers found more than 120 valid vulnerabilities in public-facing Air Force websites and services and were paid a combined $130,000 in bounties. This was the Air Force's third bug bounty program and the seventh run within the Department of Defense (DOD). The competition was open to participants from 191 countries; applicants were vetted by HackerOne, which facilitated the event along with the Department of Defense's Defense Digital Service.

[Editor Comments]

[Pescatore] We have several years of data points showing well-managed bug bounty programs can be both effective and efficient at finding vulnerabilities in systems and software. But, the headlines we really, really need to see are something like "Bug Hunting Challenge Finds No Vulnerabilities in Production Systems Because Bug Hunting Challenge Prior to Production Release Found Them First."

Read more in:

ZDNet: 'Hack the Air Force' bug hunting challenge uncovers 120 flaws in websites and services


Fedscoop: Hack the Air Force 3.0 pays out $130,000 for 120 vulnerabilities found


BusinessWire: U.S. Department of Defense Concludes Third Hack the Air Force Bug Bounty Challenge with HackerOne to Improve Cybersecurity



--EU Diplomatic Cables Exposed for Three Years

(December 19 & 20, 2018)

Attackers had access to European Union diplomatic cables for more than three years. Area 1 Security discovered the compromise while investigating phishing campaigns and attributed it to China. The initial intrusion took place in April 2015; the attackers kept exfiltrating data until they were discovered in early December 2018. The cables were part of a broader campaign that also targeted the United Nations, the AFL-CIO, and ministries of finance and foreign affairs around the world.

[Editor Comments]

[Northcutt] This has the smell of old milk. Elite Chinese Hackers penetrate Euro/NATO sites, store their finds in the cloud, which happen to be found by a cybersecurity firm which then publishes them.

CBR: Area 1's European Cable Hack Leak Leaves Infosec Pros Confounded | https://www.cbronline.com/news/area-1-hack

Read more in:

Area 1: Phishing Diplomacy


NYT: Hacked European Cables Reveal a World of Anxiety About Trump, Russia and Iran


Wired: Hacking Diplomatic Cables Is Expected. Exposing Them Is Not


Cyberscoop: Cybersecurity firm Area 1 defends pointing finger at China over European cables hack


Fifth Domain: How the European Union was stymied by phishing



--Hackers Targeting Middle East Activists' and Journalists' Email Accounts

(December 19, 2018)

A report from Amnesty International says that attackers are targeting email accounts belonging to human rights activists, journalists, and others in the Middle East and North Africa. The attackers use spoofed login pages that relay the victim's password and one-time code to the real provider in real time, phony account security alerts, and similar lures to harvest credentials and defeat two-factor authentication based on SMS or app-generated codes. The majority of those targeted are in the United Arab Emirates, Egypt, Yemen, and Palestine.
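The mechanics behind that bypass, as an added illustration rather than code from the Amnesty report or this page: a phishing page that forwards the password and the current one-time code to the real site succeeds as long as the replay lands inside the same 30-second TOTP window, whereas an origin-bound second factor fails because the authenticator signs the origin the browser is actually on. The HOTP/TOTP routines follow RFC 4226 and RFC 6238 and are checked against the test vectors published there; the site names, account, keys and timestamp are constructed, and the origin-bound flow uses an HMAC over (challenge, origin) with a per-site shared key as a simplified stand-in for WebAuthn's asymmetric signature over the client data.

```python
"""Relay phishing against TOTP versus an origin-bound second factor.

Added example; not code from the Amnesty report or the original page. Every
name, key and timestamp below is constructed for illustration.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


REAL_ORIGIN = "https://mail.example"                  # constructed: the genuine service
PHISH_ORIGIN = "https://mail-security-alert.example"  # constructed: attacker's look-alike


class Service:
    """The real site: knows the password, the TOTP seed and the origin-binding key."""

    def __init__(self) -> None:
        self.password = "hunter2"                        # constructed credential
        self.totp_seed = b"12345678901234567890"         # RFC 4226 test secret
        self.origin_key = b"per-site registration key"   # constructed; stands in for a public key
        self.origin = REAL_ORIGIN

    def login_totp(self, password: str, code: str, unix_time: int) -> bool:
        # The server can only check that the code is valid for the current step;
        # it has no way to know which web page the user typed it into.
        return password == self.password and hmac.compare_digest(
            code, totp(self.totp_seed, unix_time))

    def login_origin_bound(self, challenge: bytes, signature: bytes) -> bool:
        # The server verifies the signature over *its own* origin, so a signature
        # produced for any other origin cannot verify here.
        expected = hmac.new(self.origin_key, challenge + self.origin.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(signature, expected)


class Authenticator:
    """The user's phone app (TOTP) or security key (origin-bound)."""

    def __init__(self, service: Service) -> None:
        self.totp_seed = service.totp_seed
        self.origin_key = service.origin_key

    def current_code(self, unix_time: int) -> str:
        return totp(self.totp_seed, unix_time)

    def sign(self, challenge: bytes, origin_seen_by_browser: str) -> bytes:
        # A security key signs the origin the browser reports. On a phishing page
        # that is the phishing origin, whatever the user believes they are on.
        return hmac.new(self.origin_key, challenge + origin_seen_by_browser.encode(),
                        hashlib.sha256).digest()


def relay_attack_against_totp(now: int = 1_545_350_400) -> bool:
    """Victim types password + code into the fake page; attacker replays seconds later."""
    service = Service()
    user = Authenticator(service)
    captured = {"password": "hunter2", "code": user.current_code(now)}  # what the fake page saw
    return service.login_totp(captured["password"], captured["code"], now + 5)


def relay_attack_against_origin_bound(now: int = 1_545_350_400) -> bool:
    """Attacker forwards the real challenge, but the key signs PHISH_ORIGIN."""
    service = Service()
    user = Authenticator(service)
    challenge = b"server-random-challenge"  # constructed; real challenges are fresh per login
    forged = user.sign(challenge, PHISH_ORIGIN)
    return service.login_origin_bound(challenge, forged)


if __name__ == "__main__":
    print("TOTP relay succeeds:", relay_attack_against_totp())
    print("origin-bound relay succeeds:", relay_attack_against_origin_bound())
```

Run directly it prints True for the TOTP relay and False for the origin-bound one. The practical consequence for defenders is that a code-based second factor is valid anywhere it is presented within its window, so the server cannot tell the victim from a relaying proxy; binding the factor to the origin moves the check to the one party that knows which site the user is really on.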

[Editor Comments]

[Honan] While Multi-Factor Authentication raises the bar against phishing attacks, it should not be viewed as being the panacea to the threat.  

[Murray] Circumventing strong authentication is more difficult than it sounds, can take place only at logon time, and leaves evidence that it is happening. It should not be compared to the ease with which compromised passwords can be fraudulently reused over and over. The perfect should not be made the enemy of the good.  

Read more in:

Amnesty: When Best Practice Isn't Good Enough: Large Campaigns of Phishing Attacks in Middle East and North Africa Target Privacy-Conscious Users


Cyberscoop: Hackers target 'hundreds' of Middle East activists with fake login pages, 2FA bypass schemes



--DOD Inspector General: Pentagon Has Not Implemented Software Application Rationalization Across the Organization

(December 19, 2018)

According to an audit report from the US Department of Defense Inspector General (DODIG), DOD lacks a complete picture of the software applications running on its systems. The Federal Information Technology Acquisition Reform Act (FITARA) requires agencies to implement software application rationalization, which identifies all applications in use; determines which are necessary, redundant, or obsolete; and checks whether an application already exists within the organization before it is bought again. The DOD Chief Information Officer (CIO) did not implement rationalization agency-wide and instead limited it to data center consolidation efforts. The DOD CIO's office declined to respond to the DODIG's draft report.

Read more in:

Nextgov: The Pentagon Doesn't Know All the Software on Its Networks - And That's a Problem


MeriTalk: DoD CIO Gives IG Cold Shoulder on Software Management Report


Defense: DoD Management of Software Applications



--Supply Chain Security Legislation

(December 20, 2018)

Both houses of the US legislature have passed the SECURE Technology Act, which combines three existing bills to establish a Federal Acquisition Security Council to help reduce the supply chain threat for federal agencies, and establish a bug bounty and vulnerability disclosure program at the Department of Homeland Security (DHS).  

Read more in:

Government CIO Media: Homeland Security SECURE Technology Act Passes Congress


MeriTalk: House, Senate Clear Combined Fed Supply Chain Security, DHS Bug Bounty Bill


Congress: H.R.7327 - To require the Secretary of Homeland Security to establish a security vulnerability disclosure policy, to establish a bug bounty program for the Department of Homeland Security, to amend title 41, United States Code, to provide for Federal acquisition supply chain security, and for other purposes.



--US, UK, and Netherlands Seize Booter Domains

(December 20, 2018)

Law enforcement authorities from the US, the UK, and the Netherlands have seized 15 domains used to launch distributed denial-of-service (DDoS) attacks. US authorities have brought criminal charges against three individuals in two separate cases: two people were charged with violating the Computer Fraud and Abuse Act for allegedly operating DDoS for hire services; and one person faces charges for allegedly operating a service that was used to launch more than 50,000 attacks in 2018.

Read more in:

KrebsOnSecurity: Feds Charge Three in Mass Seizure of Attack-for-hire Services


ZDNet: Law enforcement shut down DDoS booters ahead of annual Christmas DDoS attacks


Cyberscoop: Justice Department hopes to disrupt 'dumbest tradition ever' with latest DDoS seizure



--NASA Internal Server Breached; Employee Data Compromised

(December 18 & 19, 2018)

NASA has acknowledged that a breach of an internal server compromised personal information of current and former employees. The compromised data include Social Security numbers. In an internal memo, NASA says it detected the breach on October 23. The breach affects NASA employees who joined, left, or transferred between centers within the agency from July 2006 through October 2018. 

[Editor Comments]

[Neely] CSC 1 & 2 are about knowing what you have and what it is doing. This feels like a case of unknown or shadow IT. Developing a complete hardware and software inventory can be very difficult in an agency as diverse as NASA. CDM efforts, now no longer optional, will help them with the discovery of assets and shadow IT on their network, to help discover outlying systems like this in the future, particularly if they leverage the available DHS DEFEND and other CDM resources to fast track acquisition and deployment.

Read more in:

ZDNet: NASA discloses data breach


The Register: Houston, we've had a problem: NASA fears internal server hacked, staff personal info swiped by miscreants


CNET: NASA reveals employee data breach in internal memo


Dark Reading: NASA Investigating Breach That Exposed PII on Employees, Ex-Workers


FNN: NASA suffers breach of employee data



--Baby Monitor Hacked; Nest Resets Re-Used Passwords

(December 20, 2018)

Parents using a Nest camera as a baby monitor were horrified to discover that an intruder had gained access to the device and was verbally threatening them. While Nest did not comment on the specific case, it sent this statement to Yahoo Lifestyle: "Nest has reset all the accounts where customers reused passwords that were previously exposed through breaches on other websites and published publicly. Even though Nest was not breached, these customers were vulnerable because their credentials were freely available on the Internet. Each customer has received instructions on how to establish new credentials. For added password security, we're preventing customers from using passwords which appear on known compromised lists. As before, we encourage all customers to use two-factor verification for added account security, even if your password is compromised." Nest's account takeovers are credential stuffing: nothing at Nest was exploited, the attacker simply tried username/password pairs from other sites' breaches against Nest logins.
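Nest's new rule that passwords appearing on known compromised lists are rejected can be implemented without ever sending the password, or its full hash, to a third party. The following is an added example, not Nest's code and not from the original page: it uses the k-anonymity range lookup that the Pwned Passwords API offers (send the first five hex characters of the SHA-1, receive every matching 35-character suffix with its breach count) and ships with a constructed range response so it runs offline. The suffix for "password" is its genuine SHA-1 tail; the other suffixes and all counts are made up.

```python
"""Reject passwords that appear in a breached-password corpus, using k-anonymity.

Added example; not Nest's implementation. The request/response shape follows
the Pwned Passwords range API (query by SHA-1 prefix, receive "SUFFIX:COUNT"
lines); the offline response below is constructed so nothing needs the network.
"""
import hashlib
import urllib.request
from typing import Callable, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> Tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of the upper-case SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix; 0 means the password is not in the corpus."""
    for line in range_body.splitlines():
        entry, sep, count = line.strip().partition(":")
        if sep and entry.upper() == suffix.upper():
            return int(count)
    return 0


def breach_count(password: str, lookup: Callable[[str], str]) -> int:
    """Number of times the password was seen in breaches (0 if never)."""
    prefix, suffix = sha1_split(password)
    return count_in_range(suffix, lookup(prefix))


def http_lookup(prefix: str) -> str:
    """Live lookup. Only the 5-character prefix ever leaves the machine."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "password-policy-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API response for prefix 5BAA6. The middle line
# carries the real tail of SHA-1("password"); its count and the other two
# entries are made up for this example.
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "1D72CD07550416C216D8AD296BF5C0AE8E0:10",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:4",
    ]),
}


def offline_lookup(prefix: str) -> str:
    return CONSTRUCTED_RANGES.get(prefix, "")


def password_allowed(password: str,
                     lookup: Callable[[str], str] = offline_lookup) -> bool:
    """Policy hook for registration and password-change handlers."""
    return breach_count(password, lookup) == 0


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(f"{candidate!r}: seen {breach_count(candidate, offline_lookup)} times, "
              f"allowed={password_allowed(candidate)}")
```

Pass http_lookup instead of offline_lookup to query the live service. Nest applied its check retroactively by resetting accounts whose credentials had already matched a public dump; the same function run at registration and at every password change stops those accounts from being created with a known-bad password in the first place.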

[Editor Comments]

[Neely] Nest is proactively searching for the reuse of compromised credentials on their user accounts and providing notification to customers when detected. See https://nakedsecurity.sophos.com/2018/05/14/nest-turns-up-the-temperature-on-password-reusers/. Additionally, Nest introduced two-factor verification in March 2017 which can be enabled via the web site or the mobile application. It must be separately enabled for both primary and family member accounts. This story offers a reminder to use unique passwords and enable multi-factor authentication when setting up accounts associated with new electronic devices, and to connect the devices to the Internet only if necessary.

Read more in:

Washington Post: "I'm in your baby's room": A hacker took over a baby monitor and broadcast threats, parents say


Yahoo: Family on edge after man hacks Nest baby monitor, threatens to kidnap their son




ASUS Vulnerabilities


GIGABYTE Vulnerabilities


Apple App Store Phishing


FBI Shuts Down Booter Services


Kibana Vulnerability Exploited


SANS Holiday Hack Challenge


Remotely Bricking a Server


Microsoft Publishes Emergency Patch for Internet Explorer


Restricting PowerShell Capabilities with NetSh


Windows 0-Day PoC Published: Arbitrary File Read as System


Attacks Against 2FA in the Middle East


Intel VISA Undocumented Debug Feature


Decrypter for InsaneCrypt and Everbe 1




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create