SANS Open-Source Intelligence (OSINT) Summit & Training offers immersive cyber security courses and a free Summit!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #101

December 28, 2018


SANS NewsBites                Dec. 28, 2018                Vol. 20, Num. 101



  SANS Holiday Hack Challenge Open Now through January 14, 2019



  Bitcoin Stolen From Electrum Wallets

  Shamoon Sample Signed with Expired Baidu Certificate

  FBI Warns of Port 1911 Vulnerability in Buildings Control Systems

  Guardzilla Home Security System Has Hard-Coded Credentials

  San Diego Unified School District Discloses Data Breach

  Schneider Fixes EVLink Parking Charging Station Flaws

  Orange LiveBox ADSL Modems Leak Credentials

  Indian Government Gives Agencies Authority to Intercept, Monitor, and Decrypt Data




-- SANS Security East 2019 | New Orleans, LA | February 2-9 |

-- SANS Amsterdam January 2019 | January 14-19 |

-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 |

-- SANS Las Vegas 2019 | January 28-February 2 |

-- SANS London February 2019 | February 11-16 |

-- SANS Anaheim 2019 | February 11-16 |

-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 |

-- Open-Source Intelligence Summit & Training | Alexandria, VA | February 25-March 3 |

-- SANS Secure Singapore 2019 | March 11-23 |

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get an iPad Mini, Samsung Galaxy Tab S2, or Take $300 Off with OnDemand or vLive Training. Offer Ends January 9.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast

-- Evening training 2x per week for 6 weeks with vLive |

-- Anywhere, Anytime access for 4 months with OnDemand format |

Single Course Training

-- Single Course Training

SANS Mentor |

Community SANS |


-- View the full SANS course catalog and Cyber Security Skills Roadmap


***************************  Sponsored By Cylance ************************************

Don't Miss: "Using Data Science to Secure Cloud Workloads."  In this session, you will learn how and where data science is being applied in the security industry as well as Cylance's Threat Predictive Advantage, which is one of the many benefits of applying data science to Next-Gen AV products.



-SANS Holiday Hack Challenge Open Now through January 14, 2019

The FREE annual SANS Holiday Hack Challenge is underway right now! This year, Santa is hosting KringleCon, a virtual conference at the North Pole, where you walk through Santas virtual castle and watch 22 top-notch recorded 12-18 minute talks with directly applicable technical skills. And, within your browser, you can also walk around Santas castle solving cyber defense, DFIR, and pen test challenges as an entertaining and surprising holiday plot unfolds. Youll get to match wits with a holiday super villain while listening to a custom album of holiday tunes. Its fun for all ages, and it is SANS gift to the cyber security community. Over 15,000 people have played so far! Get it all for free at


1) Attend the inaugural SANS Open-Source Intelligence Summit in Washington, DC - Feb 25.  :

2) SANS Instructor, Matt Bromiley talks on "Enterprise Security with a Fluid Perimeter" Sponsored by Aruba. Register:

3) Infoblox Webcast: "Remediating Threats by Bridging Islands of Security" with John Pescatore. Register:




--Bitcoin Stolen From Electrum Wallets

(December 27, 2018)

More than 200 bitcoin has been stolen from Electrum wallets since December 21. The attacker or attackers exploited a vulnerability in the Electrum architecture that allows Electrum servers to trigger custom pop-ups in users wallets. The attack involves adding malicious servers to the Electrum network. When legitimate transactions initiated by other users reached one of the malicious servers, they would display a message urging them to download a malicious wallet update from an unauthorized GitHub repository. GitHub admins have taken down the repository, but the pop-up issue has not been fixed. 

Read more in:

ZDNet: Users report losing Bitcoin in clever hack of Electrum wallets


--Shamoon Sample Signed with Expired Baidu Certificate

(December 27, 2018)

A new sample of the Shamoon disk-wiping malware was uploaded to VirusTotal. It uses an expired digital certificate issued by Baidu. The Shamoon sample is disguised as a Baidu system optimization tool. 

Read more in:

Bleeping Computer: New Shamoon Sample from France Signed with Baidu Certificate


--FBI Warns of Port 1911 Vulnerability in Buildings Control Systems

(December 27, 2018)

In a recent industry advisory, the FBI warned that port 1911, which is used to communicate with control systems in buildings could be used to access unpatched devices on those networks. The report warns that successful exploitation could lead to data leakage and possible privilege escalation.

Read more in:

Cyberscoop: FBI warns industry that hackers could probe vulnerable connections in building systems


--Guardzilla Home Security System Has Hard-Coded Credentials

(December 27, 2018)

A vulnerability in the GZ501W Guardzilla home security device could be exploited to access stored video data. The device uses a shared Amazon S3 credential for storing video in the cloud. Guardzilla learned of the vulnerability on October 24.

[Editor Comments]

[Neely] The hard-coded credentials provide access to multiple Guardzilla S3 buckets, rather than a device specific storage location. The additional buckets include free and premium storage as well as development and test buckets. The device firmware root account had an easily cracked DES encoded password. The root password and AWS have been published. Mitigation is dependent on a firmware update from Guardzilla. Changing the firmware to use an intermediate system to limit devices to specific storage with end-user supplied credentials as well as resolving any vulnerabilities in supporting software will be a significant change for Guardzilla, who is keeping tight-lipped about their response to the issue.

Read more in:

Cyberscoop: Flaw in Guardzilla home security devices allows outsiders to view stored video, researchers say

Forbes: 0DayAllDay Hackers Go Godzilla On Guardzilla To Reveal A Real Video Nasty

Rapid7: R7-2018-52: Guardzilla IoT Video Camera Hard-Coded Credential (CVE-2018-5560)


--San Diego Unified School District Discloses Data Breach

(December 25 & 26, 2018)

On Friday, December 21, the San Diego (California) Unified School District has posted a notice on its website acknowledging that a hacker stole personally identifiable information of 500,000 students and staff members from its network. The hacker was able to gain access to the school districts system through a phishing attack. Some staff members reported the suspicious emails to the IT department, which discovered the breach in October. The system was compromised from January 2018 through November 1, 2018. The hacker stole data dating back to the 2008-2009 school year. A suspect has been identified.

[Editor Comments]

[Neely] A concern here is that the school district data may be used to pressure parents to respond to false threats against their children. The school district is notifying those impacted and advising them to take measures to prevent fraud and identity-theft.


[Northcutt] If you read to the bottom of the data safety note, they lost control of fairly sensitive data on minors and arent doing anything to help the victims. It gives weak advice in the form of you can.


[Murray] In a world of advanced persistent threat, one person taking bait should not be sufficient to compromise so much sensitive data. I do not like the term zero trust security but its principle, never trust, always verify, and the measures that it identifies, e.g., least privilege, strong authentication, end-to-end application layer encryption, are now essential practices. New tools, including network defined security services, make this more convenient than it sounds.  

Read more in:

ZDNet: Hacker steals ten years worth of data from San Diego school district

SC Magazine: San Diego Unified School District data breach exposed 500,000 students, staff, parents

San Diego Unified: Data Safety


--Schneider Fixes EVLink Parking Charging Station Flaws

(December 24, 2018)

Schneider Electric has fixed a critical vulnerability affecting its EVLink Parking electric vehicle charging stations. The hard-coded credential flaw could be exploited to gain access to the device. Schneider fixed two other flaws in EVLink Parking: a code injection vulnerability and an SQL injection vulnerability.

Read more in:

Threatpost: Critical Bug Patched in Schneider Electric Vehicle Charging Station

Schneider: Security NotificationEVLink Parking


--Orange LiveBox ADSL Modems Leak Credentials

(December 24 & 26, 2018)

A vulnerability affecting Orange LiveBox ADSL modems can be exploited to obtain the devices SSIDs and WiFi passwords with a simple GET request. More than 19,000 modems in France and Spain are affected.

[Editor Comments]

[Neely] Many of these routers are using default credentials (admin/admin) and are discoverable in Shodan. Once you have the credentials for the targeted SSID, a service such as WiGLE can be used to obtain the exact geolocation of that network. Possible mitigations for this threat include changing both the default credentials as well as the WiFi passwords or possibly moving to a separate WiFi access point and ADSL modem.  

Read more in:

ZDNet: Over 19,000 Orange modems are leaking WiFi credentials

Threatpost: 19K Orange Livebox Modems Open to Attack

Bleeping Computer: Orange LiveBox Modems Targeted for SSID and WiFi Info


--Indian Government Gives Agencies Authority to Intercept, Monitor, and Decrypt Data

(December 21, 2018)

The Indian government has issued an order that gives ten agencies the authority to intercept, monitor or decrypt information generated, transmitted, received or stored in any computer. Individuals and organizations that refuse to comply with interception, monitoring, and access requests could face fines or prison sentences of up to seven years.

Read more in:

ZDNet: India authorizes 10 agencies to intercept, monitor, and decrypt citizens' data

Twitter (The Leaflet): MHA authorises following agencies for the purpose of interception, monitoring &decryption of any Information-



Problems with IE Emergency Patch

Bitcoin Blacklists

D-Link DIR-816 A2 Stack Overflow


Phishing Attack Uses IP Counter

JungleSec Ransomware Attacks via IPMI

Microsoft Edge PoC RCE Exploit



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit