
Volume XX - Issue #38

May 15, 2018





  House Panel Approves Language in the National Defense Authorization Act Allowing Military Cyber Support for Critical Infrastructure

  EFAIL Flaw Affects PGP and S/MIME Email Encryption

  House Passes Bill to Help Small Business Cybersecurity


  Adobe Releases Updates for Reader, Acrobat, and Photoshop

  Mexican Banks Lose Funds to Unauthorized Transfers

  Time to Update Electron-based Apps

  Chili's Point-of-Sale Breach

  Vega Stealer Malware

  City Hit with Ransomware Twice in One Month

  News of Symantec Internal Audit Prompts Drop in Stock Value

  Nomination Blocked Over Stingray Secrecy

  Wyden Wants FCC to Investigate Securus and Cell Phone Location Privacy

  Evidence That APT28 Posed as ISIS Group to Send Threatening Messages






--House Panel Approves Language in the National Defense Authorization Act Allowing Military Cyber Support for Critical Infrastructure

(May 9, 2018)

The House Armed Services Committee has approved language for the emerging threats section of the National Defense Authorization Act that would pave the way for military cyber specialists to step in and help the Department of Homeland Security (DHS) defend elements of critical infrastructure from cyber attacks. The committee also approved language that transfers responsibility for the Defense Department's daily network protection from the Defense Information Systems Agency (DISA) to US Cyber Command.

Read more in:

Nextgov: House Panel Approves More Military Cyber Support for Critical infrastructure

--EFAIL Flaw Affects PGP and S/MIME Email Encryption

(May 14, 2018)

A critical vulnerability dubbed EFAIL affects the OpenPGP and S/MIME email encryption tools. The flaw could be exploited to extract plaintext content from messages. Researchers recommend that users stop using the tools until mitigations or fixes are available.

[Editor Comments]

[Ullrich] You should first of all configure your mail reader to not automatically load external resources (images, style sheets, fonts...). This is a good idea regardless of whether or not you are using encryption. Do it even if you are missing out on the banner in this e-mail. Secondly, consider sending plain text e-mail whenever your marketing/sales people let you. I do not see people send a lot of encrypted e-mail. Instead of outright uninstalling the extensions, make sure they do not automatically decrypt messages that you receive. Finally: This does not affect digital signatures.


[Neely] These flaws are relatively low risk as exploiting these vulnerabilities is tricky and relies on several things. Notably, the attacker needs full access to the target user's email account, the email rendering tool must render HTML, and the victim's system must be able to reach the attacker's web site. Both exploits rely on sending a crafted payload to the victim which includes the ciphertext as well as HTML code that causes the email viewer to send the unencrypted content to a web server. Expect patches intended to make the vulnerabilities much harder to exploit, while the long term fix requires updates to the OpenPGP and S/MIME standards. A short term fix can be to disable HTML rendering in your email client used with PGP or S/MIME, or to use a separate application for decrypting email.

[Northcutt] A moment of silence might be appropriate. Back in 1991 people did not trust the Internet and wanted a method to protect the information in their email; Phil Zimmermann released PGP. It has been declared dead a couple times, but it really may be time to remove life support. Phil Zimmermann stated he wasn't using it a year before the Schneier blog post. If you are still using it, why?

[Honan] There has been a lot of criticism about how these vulnerabilities were disclosed. For those interested in implementing a robust vulnerability management program the European Union Agency for Network and Information Security has an excellent paper available on the topic:

[Murray] If you did not know before, you now know why Phil Zimmermann named his product "Pretty Good Privacy." Crypto is harder than it looks. That said, PGP has given us a quarter century of "pretty good." "Researcher's" advice notwithstanding, most of us should continue to use PGP as usual except for "life and death applications" versus nation states. A protective measure need not be perfect to be efficient.
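Ullrich's first recommendation, not letting the mail reader fetch external resources, as an added example that is not from the newsletter or from any mail client: a pre-render filter for an HTML mail part that neutralises every reference the renderer would fetch on its own, which is the channel the exfiltration described above depends on. The sample message is constructed and `example.invalid` is a placeholder host.

```javascript
// Added example (not from the newsletter or any mail client): neutralise
// references in an HTML mail part that the renderer would fetch on its own.
// EFAIL-style exfiltration needs exactly such an automatic fetch, so a client
// that strips them before rendering removes the channel. The sample message is
// constructed; example.invalid is a placeholder host.

// Schemes that reach out over the network (cid: and data: are left alone).
const REMOTE_URL = /^(?:https?:|ftp:|\/\/)/i;

function neutraliseExternalRefs(html) {
  let blocked = 0;

  // 1. <link href=...> (style sheets, fonts) and <meta http-equiv=refresh>
  //    fetch or navigate without user action: drop the whole tag.
  let out = html.replace(/<(?:link|meta)\b[^>]*>/gi, (tag) => {
    const refresh = /\bhttp-equiv\s*=\s*["']?refresh/i.test(tag);
    const remoteHref = /\bhref\s*=\s*["']?(?:https?:|ftp:|\/\/)/i.test(tag);
    if (refresh || remoteHref) { blocked++; return ''; }
    return tag;
  });

  // 2. Auto-fetching attributes on any other element (img/script/iframe src,
  //    table background, video poster, object data). <a href> is left intact:
  //    following a link needs a click, which is not automatic loading.
  const attrRe = /\s(src|background|poster|data)\s*=\s*(["']?)([^"'\s>]+)\2/gi;
  out = out.replace(/<[a-z][^>]*>/gi, (tag) =>
    tag.replace(attrRe, (whole, name, _q, value) => {
      if (!REMOTE_URL.test(value)) return whole;
      blocked++;
      // Keep the value for the user to inspect, under a name nothing fetches.
      return ` data-blocked-${name.toLowerCase()}="${value}"`;
    }));

  // 3. CSS url(...) in <style> blocks and style attributes.
  out = out.replace(/url\(\s*(["']?)((?:https?:|ftp:|\/\/)[^)"']*)\1\s*\)/gi,
    () => { blocked++; return 'none'; });

  return { html: out, blocked };
}

// Constructed sample: one tracking image, one inline (cid:) image, a remote
// style sheet and a remote CSS background.
const SAMPLE_HTML = [
  '<html><body><p>Quarterly report attached.</p>',
  '<img src="https://example.invalid/t.gif" width="1" height="1">',
  '<img src="cid:logo@example.invalid">',
  '<link rel="stylesheet" href="http://example.invalid/s.css">',
  '<div style="background: url(http://example.invalid/b.png)">x</div>',
  '</body></html>',
].join('\n');

function sanitiseSample() {
  return neutraliseExternalRefs(SAMPLE_HTML);
}

const result = sanitiseSample();
console.log(`blocked ${result.blocked} external reference(s)\n${result.html}`);
```

A regex pass like this is a belt-and-braces filter, not a replacement for Neely's short-term fix of turning HTML rendering off for encrypted mail; a real client should apply it on a parsed DOM rather than on the raw string.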

Read more in:

Ars Technica: Critical PGP and S/MIME bugs can reveal encrypted emails--uninstall now [Updated]

ZDNet: Uninstall PGP: EFF warns of exploit that may reveal plaintext of encrypted emails

The Register: PGP and S/MIME decryptors can leak plaintext from emails, says infosec Professor

Bleeping Computer: Users Warned of Critical Email Encryption Security Flaw

The Register: S/MIME artists: EFAIL email app flaws menace PGP-encrypted chats



--House Passes Bill to Help Small Business Cybersecurity

(May 8, 2018)

The US House of Representatives has passed a bill that is designed to help small businesses protect their systems from cyberattacks. The Small Business Development Center Cyber Training Act of 2017 would require that the Small Business Administration (SBA) establish a program to provide cybersecurity training to small business employees.

[Editor Comments]

[Murray] Been there, done that, have the t-shirt, dated 1985. Peter Browne was there with me. Small Business has such a high level of business risk that "cyber" risk rarely makes the cut. That said, we should be able to achieve "good hygiene" that will decrease the risk to the community.


[Honan] The UK has launched an interesting program aimed at small businesses for them to demonstrate they follow industry good practise cybersecurity recommendations. Details of the scheme are available at

[Neely] Small businesses often lack the resources to devote to cyber security as compared to the more pressing issue of keeping the business viable and on-track. While the bill offers to offset costs to get training to small businesses, the costs to establish and maintain a cybersecurity program may remain elusive, modulating the success rate.

Read more in:

The Hill: House passes bill to help small businesses guard against hackers

House: H. R. 3170: The Small Business Development Center Cyber Training Act of 2017




--Adobe Releases Updates for Reader, Acrobat, and Photoshop

(May 14, 2018)

Adobe has released updates for Reader and Acrobat that address nearly 50 vulnerabilities, including 24 remote code execution flaws. Adobe has also updated Photoshop to address a remote code execution flaw. The updates follow Adobe updates to Flash, released last week.   

[Editor Comments]

[Ullrich] Interesting for Adobe to release this update a few days after Patch Tuesday. One of the vulnerabilities, the NTLM SSO credential leakage, has already been widely discussed and is easy to exploit.

Read more in:

The Register: How many ways can a PDF mess up your PC? 47 in this Adobe update alone

SC Magazine: Adobe releases more updates following Patch Tuesday fixes


--Mexican Banks Lose Funds to Unauthorized Transfers

(May 13 & 14, 2018)

Thieves stole as much as 300 million pesos ($15.27 million USD) from Mexican banks using unauthorized wire transfer orders. A Banco de Mexico official said that the problem was not with Mexico's SPEI interbank transfer system, but with the software that other financial institutions and third parties use to connect to SPEI.

Read more in:

SC Magazine: Third-party software vulnerability results in Mexican bank heist scoring millions

Reuters: Thieves suck millions out of Mexican banks in transfer heist

Washington Post: Mexico's banking system misplaces $18M to $20M in transfers

Bloomberg: Mexico Says Possible Bank Hack Led to Large Cash Withdrawals


--Time to Update Electron-based Apps

(May 10, 13, & 14, 2018)

A flaw in the Electron application framework could be exploited through cross-site scripting (XSS) attacks to execute code. Electron allows developers to create cross-platform desktop applications using HTML, CSS, and JavaScript. Developers should check to make sure their apps are patched or not vulnerable; users running Electron-based apps should make sure they are running the most recent, updated versions.

[Editor Comments]

[Ullrich] The Electron framework is trying to do something very dangerous and hard. It "translates" applications written in HTML/JS, technologies designed to run in the browser sandbox, to native applications. While this is very cool and efficient for developers, it does turn some XSS vulnerabilities into remote-code execution vulnerabilities. Most (all?) complex web applications suffer from XSS and I doubt this will be the last time we see issues with how Electron attempts to limit the impact of these vulnerabilities.


"Cross Site Scripting" attacks exploit "incomplete input checking," perhaps the most widespread vulnerability class. Complete input checking is harder than it looks.
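Ullrich's point that Electron turns some XSS bugs into code execution comes down to which renderer settings an app leaves open. As an added example that is not from the newsletter, Electron, or the Trustwave advisory, the audit below checks a BrowserWindow `webPreferences` object against a hardened baseline and shows a weak configuration beside the corrected one; it runs in plain Node, so no Electron install is needed, and the preload path is a placeholder.

```javascript
// Added example (not from the newsletter, Electron, or the Trustwave advisory):
// audit the webPreferences an app passes to BrowserWindow for settings that let
// an XSS in page content reach Node.js, turning script injection into code
// execution. Plain Node; it inspects the options object, so no Electron needed.

// Settings a reviewer expects on every BrowserWindow that shows remote or
// user-influenced content. All are real Electron webPreferences keys.
const EXPECTED = {
  nodeIntegration: false,  // page scripts get no require()/process
  contextIsolation: true,  // preload script and page run in separate JS worlds
  webviewTag: false,       // CVE-2018-1000136: with webviewTag unset, an XSS could
                           // create a <webview> that re-enabled node integration
  sandbox: true,           // OS-level sandbox for the renderer process
};

function auditWebPreferences(prefs = {}) {
  const findings = [];
  for (const [key, want] of Object.entries(EXPECTED)) {
    if (!(key in prefs)) {
      // Defaults have changed across Electron releases; never rely on them.
      findings.push(`${key} not set; set it explicitly to ${want}`);
    } else if (prefs[key] !== want) {
      findings.push(`${key} is ${prefs[key]}, expected ${want}`);
    }
  }
  // The bypass behind this item: nodeIntegration is switched off, but because
  // webviewTag is not explicitly false a <webview> tag can switch it back on.
  if (prefs.nodeIntegration === false && !('webviewTag' in prefs)) {
    findings.push('nodeIntegration=false is not enforced: webviewTag left unset');
  }
  // allowRunningInsecureContent undoes mixed-content protection for https pages.
  if (prefs.allowRunningInsecureContent === true) {
    findings.push('allowRunningInsecureContent is true');
  }
  return findings;
}

// Constructed sample configurations: the weak one beside the corrected one.
// The preload path is a placeholder.
const weakPrefs = { nodeIntegration: false };  // looks safe, webviewTag unset
const hardenedPrefs = { ...EXPECTED, preload: '/app/preload.js' };

function auditSamples() {
  return {
    weak: auditWebPreferences(weakPrefs),
    hardened: auditWebPreferences(hardenedPrefs),
  };
}

console.log(auditSamples());
```

Passing the audit does not replace upgrading to a patched Electron release; it only confirms that the app is not relying on defaults the framework may have changed.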

Read more in:

Trustwave: CVE-2018-1000136 - Electron nodeIntegration Bypass

SC Magazine: Vulnerability in Electron could pose danger to Skype and Wordpress web apps

The Register: Have you updated your Electron app? We hope so. There was a bad code-injection bug in it

Bleeping Computer: Security Flaw Impacts Electron-Based Apps


--Chili's Point-of-Sale Breach

(May 13 & 14, 2018)

The Chili's restaurant chain has acknowledged that malware made its way onto a point-of-sale system used at its restaurants. The malware harvested payment card numbers and associated names. Chili's believes that data were stolen during March and April 2018.

[Editor Comments]

[Murray] Years after Target, compromised point-of-sale constitutes gross negligence, if not recklessness.  

Read more in:

ZDNet: Chili's restaurant chain suffers data breach

The Hill: Chili's says customers' payment information compromised in data breach


--Vega Stealer Malware

(May 10, 11, & 14, 2018)

Malware known as Vega Stealer steals saved financial data from Chrome and Firefox browsers. Vega Stealer harvests profile information, account credentials, documents, and cryptocurrency wallet data. Machines become infected through spear phishing email attachments that contain macros that then download Vega Stealer.

Read more in:

ZDNet: This malware is harvesting saved credentials in Chrome, Firefox browsers

Dark Reading: Proofpoint Sounds Warning on Vega Stealer Targeted Data Theft Campaign

Threatpost: Vega Stealer Malware Takes Aim At Chrome, Firefox


--City Hit with Ransomware Twice in One Month

(May 11 & 12, 2018)

The city of Riverside, Ohio has seen its fire and police department computers infected with ransomware twice in less than a month. The first attack took place on April 23; it encrypted 10 months' worth of data related to active investigations. The city did not pay the ransom, instead choosing to recover some data from backups. The second attack occurred on May 4. Having learned from the earlier attack, city officials were making daily backups and so lost just eight hours' worth of work. The US Secret Service is investigating.

[Editor Comments]

[Honan] An excellent resource for the prevention and recovery from ransomware is provided by Europol and its partners. It is the NoMoreRansom project and provides a central repository to download known decryption keys for various strains of ransomware.

Read more in:

Bleeping Computer: Police Dept Loses 10 Months of Work to Ransomware. Gets Infected a Second Time!

GovTech: U.S. Secret Service Investigating Cyberattack on Ohio City


--News of Symantec Internal Audit Prompts Drop in Stock Value

(May 11, 2018)

The value of Symantec stock dropped 30 percent late last week (from $29.18 USD at Thursday's close to $20 USD at Friday's open) after the company disclosed that it was conducting "an internal investigation in connection with concerns raised by a former employee." News of the internal audit appeared in Symantec's quarterly earnings report.

[Editor Comments]

[Murray] Outsiders damage the brand; insiders bring down the business.

Read more in:

Cyberscoop: Symantec's stock plummets after announcement of internal audit

ZDNet: Symantec shares plunge after board discloses internal investigation

Symantec: Symantec Reports Fiscal Fourth Quarter and Full Year 2018 Results


--Nomination Blocked Over Stingray Secrecy

(May 10 & 11, 2018)

US Senator Ron Wyden (D-Oregon) is objecting to the confirmation of Christopher Krebs as undersecretary of the National Protection and Programs Directorate until the Department of Homeland Security (DHS) makes public a report on unauthorized cell-site simulators detected in Washington, DC. The information was presented to lawmakers earlier this year.

Read more in:

Cyberscoop: Sen. Wyden blocks Krebs nomination over Stingray demands

FCW: Senator freezes DHS cyber nominee over Stingray info

The Hill: Wyden: I object to Trump's DHS cyber nomination over demands for Stingray information


--Wyden Wants FCC to Investigate Securus and Cell Phone Location Privacy

(May 10, 11, & 14, 2018)

Senator Ron Wyden (D-Oregon) has asked the Federal Communications Commission (FCC) to investigate who has access to the geolocation data for cell phones in the US. A New York Times article describes how Securus, a company that monitors prison inmates' phone calls, also has a service that allows law enforcement to pinpoint the location of any cell phone in the country. Normally cellphone geolocation data are sold to marketers who want to send advertisements based on a user's location. Securus has purchased access to the data and provides cell phone locations to law enforcement officers if they enter a phone number and upload a document that they say authorizes them to have the information.     

Read more in:

NYT: Service Meant to Monitor Inmates' Calls Could Track You, Too

ZDNet: Senator wants to know how police can locate any phone in seconds without a warrant

CNET: This senator wants to know why police can track any phone in seconds

Bleeping Computer: Senator Wants Answers Why Prison Contractor Was Able to Spy on All Americans


--Evidence That APT28 Posed as ISIS Group to Send Threatening Messages

(May 8 & 9, 2018)

Evidence obtained by the Associated Press suggests that threatening digital messages from what appeared to be an ISIS group calling itself the CyberCaliphate was a false flag operation. The messages were actually the work of the Russian hacking group known as APT28, the same group that meddled in the 2016 US presidential election and exposed email messages of Clinton campaign manager John Podesta.

Read more in:

Cyberscoop: Lawmakers call for action following revelations that APT28 posed as ISIS online

AP: Russian hackers posed as IS to threaten military wives




Reversed C2 traffic from China

Electron Vulnerability

Cryptocoin Miner Found in Ubuntu Snap Store


PGP and S/MIME EFAIL Vulnerability

Adobe PDF Reader/Acrobat Bulletins

Signal Vulnerability (Possibly in Electron, which affects Skype/Slack/others)



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit