

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #39

May 18, 2018


SANS NewsBites               May 18, 2018                Vol. 20, Num. 039



  German Prosecutors Investigating Energy Company Cyberattack

  Windows/Adobe Reader Combination Exploit

  Senate Passes Resolution to Prevent Dissolution of Net Neutrality


  Data-Stealing Malware Targets Desktop Version of Telegram

  Cisco Patches Flaws in Digital Network Architecture Center and Other Products

  Minnesota Election Official Wants State Legislators to OK Spending Federal Funds on Cybersecurity

  DHS Issues Cyber Risk Strategy

  US Legislators Introduce Bill to Reinstate White House Cybersecurity Advisor Position

  Mexico Bank Theft Prompts Creation of Cybersecurity Unit

  Signal Messaging App Flaw Fixed






-- SANSFIRE 2018 | Washington, DC | July 14-21

-- SANS Amsterdam May 2018 | May 28-June 2

-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9

-- SANS London June 2018 | June 4-12

-- DFIR Summit & Training 2018 | Austin, TX | June 7-14

-- Cloud In-Security Summit - DC | Crystal City, VA | June 8

-- Cloud In-Security Summit - Austin | Austin, TX | June 11

-- SANS Boston Summer 2018 | August 6-11

-- SANS Cyber Defence Canberra 2018 | June 25-July 7

-- SANS Tokyo Autumn 2018 | September 3-15

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Special Offer: Get a GIAC Certification Attempt Included or Take $350 Off with SANS Online Training until May 30.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast

-- Evening training 2x per week for 6 weeks with vLive

-- Anywhere, Anytime access for 4 months with OnDemand format

-- Single Course Training

SANS Mentor

Community SANS

-- View the full SANS course catalog and Cyber Security Skills Roadmap



 --German Prosecutors Investigating Energy Company Cyberattack

(May 16, 2018)

Federal prosecutors in Germany are investigating a cyberattack against networks at an energy firm there. Hackers reportedly breached networks at NetCom BW last summer.

Read more in:

Reuters: German prosecutors probing hack of energy firm last year

 --Windows/Adobe Reader Combination Exploit

(May 15, 2018)

Attackers are chaining two vulnerabilities inside a single malicious PDF: a remote code execution flaw in Adobe Reader, which runs the attacker's code inside Reader's sandboxed process, and a privilege elevation flaw in Windows, which lets that code break out of the sandbox and run with system privileges. Neither flaw alone would give full control of the host, which is why the two are combined. Both were unpatched when the sample was found; both vendors have since released fixes, so the chain only works against systems that are missing either the Reader or the Windows update.

Read more in:

SC Magazine: PDF exploit built to combine zero-day Windows and Adobe Reader bugs

 --Senate Passes Resolution to Prevent Dissolution of Net Neutrality

(May 16, 2018)

Earlier this week, the US Senate voted 52-47 to approve a Congressional Review Act (CRA) resolution to preserve net neutrality, nixing the Federal Communication Commission's (FCC's) decision to dissolve net neutrality. For the resolution to take effect, it must be approved by the House of Representatives and signed by the president. Otherwise, the FCC ruling will take effect on June 11, 2018.  

[Editor Comments]

[Murray] No one wants to see traffic in the Internet treated differently based upon origin or application, but there is honest disagreement about the risk or the remedy. Regulating the Internet under an ancient regimen, developed to deal with what appeared at the time to be a natural monopoly, is likely to have all kinds of unintended consequences. While I do not want to underestimate the difficulty, the Congress needs to draft new rules and grant new carefully crafted powers.

Read more in:

SC Magazine: Senate votes 52-47 to preserve net neutrality

Ars Technica: Senate votes to overturn Ajit Pai's net neutrality repeal




 --Data-Stealing Malware Targets Desktop Version of Telegram

(May 16 & 17, 2018)

Newly detected malware, dubbed TeleGrab, steals credentials and session data from the desktop version of the Telegram messaging app; it also harvests browser credentials and cookies. It does not break Telegram's encryption. Instead it copies the client's locally stored cache and session key files, which are enough to reuse the victim's logged-in session from another machine. Because Telegram Desktop does not support Secret Chats (the end-to-end encrypted, device-bound mode), the conversations reachable through a hijacked session are the cloud-stored chats, and the malware relies on the client's default behaviour of leaving that session material on disk.

[Editor Comments]

[Murray] The key here is "desktop version;" the desktop is the Achilles' heel of the Internet and provides limited protection for sensitive applications. In the absence of other evidence, we should not project these problems on the Telegram apps. Keep in mind that Telegram is device-to-device, not person-to-person, and should not be relied upon for life and death applications.

Read more in:

The Register: Russian malware harvesting Telegram Desktop creds, chats

SC Magazine: TeleGrab information stealer swipes Telegram cache and key files

Dark Reading: Newly Discovered Malware Targets Telegram Desktop


 --Cisco Patches Flaws in Digital Network Architecture Center and Other Products

(May 17, 2018)

On Wednesday, May 16, Cisco released 16 security advisories. Three of the flaws addressed are critical, remotely exploitable vulnerabilities in Cisco's Digital Network Architecture (DNA) Center software, among them a hard-coded credential that cannot be mitigated by changing passwords and must be removed by the update. A fourth critical flaw affects Cisco Adaptive Security Appliance (ASA) software.

Read more in:

ZDNet: Cisco critical flaw warning: These 10/10 severity bugs need patching now

Bleeping Computer: Hardcoded Password Found in Cisco Enterprise Software, Again

Cisco: Cisco Security Advisories and Alerts


 --Minnesota Election Official Wants State Legislators to OK Spending Federal Funds on Cybersecurity

(May 16, 2018)

Minnesota Secretary of State Steve Simon is asking state legislators to release $1.5 million in federal funding that has been allocated to Minnesota to help secure voting systems ahead of this year's mid-term elections. Minnesota is one of a few states that require lawmakers to approve the spending of the federal funds.  

[Editor Comments]

[Murray] The Secretary of State, the responsible official for a very sensitive application, believes the funds to be useful.  While the integrity of our system relies in large part upon the diversity of methods and the independence of responsible officials, so far, the activity of the DHS appears to be efficient and benign.  

Read more in:

GovTech: Minnesota Secretary of State Calls for Access to Elections Security Funds


 --DHS Issues Cyber Risk Strategy

(May 16, 2018)

A new cybersecurity strategy from the US Department of Homeland Security (DHS) describes five pillars of cyber risk management: risk identification, vulnerability reduction, threat reduction, consequence mitigation, and enabling cybersecurity outcomes.  

Read more in:

Executive Gov: DHS Sets Approach to National Cyber Risk Management Through New Strategy

DHS: U.S. Department of Homeland Security Cybersecurity Strategy


 --US Legislators Introduce Bill to Reinstate White House Cybersecurity Advisor Position

(May 15 & 16, 2018)

Two US legislators, Ted Lieu (D-California) and Jim Langevin (D-Rhode Island), have introduced a bill that would save the White House cybersecurity advisor position. The current administration has announced plans to eliminate the post. The proposed legislation, The Executive Cyberspace Coordination Act, would require nominees to undergo Senate confirmation.

Read more in:

The Hill: Dems introduce bill to save top cyber role at White House

MeriTalk: Lawmakers Aim to Restore Top White House Cyber Post

NextGov: White House Cuts Cyber Coordinator Role But Lawmakers Say Not So Fast

Federal News Radio: After White House slashes cyber adviser role, lawmakers move to entrench the position


 --Mexico Bank Theft Prompts Creation of Cybersecurity Unit

(May 15, 2018)

Following last month's theft of more than 300 million pesos ($15.2 million USD) through a domestic payment system, Mexico's central bank plans to establish a cyber security unit to advise financial institutions there on information security.  

Read more in:

Reuters: Mexico central bank to create cyber security unit after hack

Threatpost: Mexico's Banking System Sees $18m Siphoned Off in Phantom Transactions


 --Signal Messaging App Flaw Fixed

(May 15, 2018)

Developers have fixed a remote code execution flaw in the Signal desktop client, just five hours after the vulnerability was disclosed. The desktop app renders its chat view as HTML, and it failed to escape certain HTML tags in incoming messages, so a crafted message could inject markup, and with it script, into the recipient's chat window; exploitation required nothing more than sending a message to the targeted user. The fixed version of Signal Desktop is 1.10.1.

Read more in:

Cyberscoop: It only took five hours to close a critical vulnerability in Signal's desktop client

The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit