3 Days left to get an iPad Pro with Smart Keyboard, Surface GO or $350 Off with Online Training

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #41

May 25, 2018


SANS NewsBites               May 25, 2018                Vol. 20, Num. 041




VPNFilter Malware Infects More Than Half a Million Routers


FBI Seizes Domain Used to Infect Routers


FITARA Scores Drop


Lack of Military Contractor Cooperation Affects Cybersecurity





Trisis Variant Targets Multiple Safety Instrumented Systems


FBI Acknowledges Encrypted Device Count Was Inaccurate


Chrome Outlines Plans to Alert Users to Unsecure Websites


Pentagon Tightens Rules for Personal Mobile Devices


Schneider Electric Patches SoMachine Vulnerability


Comcast Patches Xfinity Router Data Leak



***************************  Sponsored By Splunk  ****************************

Fraud is a growing problem as more parts of our lives are being touched by digitization. Download a free copy of A Guide to Fraud in the Real World to learn how much fraud is growing across different industries and how organizations are using machine data t


-- SANSFIRE 2018 | Washington, DC | July 14-21 | https://www.sans.org/event/sansfire-2018

-- SANS Rocky Mountain 2018 | Denver, CO | June 4-9 | https://www.sans.org/event/rocky-mountain-2018

-- SANS London June 2018 | June 4-12 | https://www.sans.org/event/london-june-2018

-- DFIR Summit & Training 2018 | Austin, TX | June 7-14 | https://www.sans.org/event/digital-forensics-summit-2018

-- Cloud In-Security Summit - DC | Crystal City, VA | June 8 | https://www.sans.org/event/cloud-insecurity-summit-dc

-- Cloud In-Security Summit - Austin | Austin, TX | June 11 | https://www.sans.org/event/cloud-insecurity-summit-tx

-- SANS Boston Summer 2018 | August 6-11 | https://www.sans.org/event/boston-summer-2018

-- SANS Cyber Defence Canberra 2018 | June 25-July 7 | https://www.sans.org/event/cyber-defence-canberra-2018

-- SANS London July 2018 | July 2-7 | https://www.sans.org/event/london-july-2018

-- SANS Tokyo Autumn 2018 | September 3-15 | https://www.sans.org/event/tokyo-autumn-2018

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Special Offer: Get a GIAC Certification Attempt Included or Take $350 Off with SANS Online Training until May 30.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcasthttps://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

Single Course Training

-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






VPNFilter Malware Infects More Than Half a Million Routers

(May 23 & 24, 2018)

Researchers from Cisco Talos have identified malware called VPNFilter that has infected more than 500,000 routers. The malware has infected devices in at least 54 countries, but the majority of the affected devices appear to be in Ukraine. VPNFilter can snoop on traffic, steal website credentials, monitor Modbus SCADA protocols, and has the capacity to damage or brick infected devices.   

[Editor Comments]

[Neely] This malware will persist beyond just rebooting the infected router, remediation requires a factory reset. Mitigating the risk will require a firmware update.

[Williams] When evaluating a threat, we talk about the intersection of intent, opportunity, and capability. When intent is unclear, it may be inferred from the capabilities developed. The fact that the malware was modular was likely in part an anti-forensics feature. The fact that Modbus is explicitly targeted tells us that the attackers were likely looking for industrial control devices. This type of survey capability would likely be designed for mass deployments, where attackers wanted to quickly gravitate to the most desirable targets.

Read more in:

Talos: New VPNFilter malware targets at least 500K networking devices worldwide


Wired: Stealthy, Destructive Malware Infects Half a Million Routers


The Register: Advanced VPNFilter malware menacing routers worldwide


SC Magazine: VPNFilter malware with bricking capabilities poses major threat after infecting 500,000+ networking devices


ZDNet: Talos finds new VPNFilter malware hitting 500K IoT devices, mostly in Ukraine


Motherboard: Someone Has Infected At Least 500,000 Routers All Over The World And No One Knows Why




FBI Seizes Domain Used to Infect Routers

(May 23 & 24, 2018)

The FBI has seized a domain that has been used by the command and control server to communicate with routers infected with the VPNFilter malware (see story below). The takedown is the result of an investigation that began in August 2017. A court order issued earlier this week directed Verisign to surrender control of the domain in question. (Please note that the Wall Street Journal story is behind a paywall.)

Read more in:

Ars Technica: FBI seizes domain Russia allegedly used to infect 500,000 consumer routers


WSJ: FBI Moves to Dismantle Network of Hacked Devices Linked to Russia


BBC: FBI seeks to thwart cyber-attack on Ukraine




FITARA Scores Drop

(May 22 & 23, 2018)

The newest Federal Information Technology Acquisition Reform Act (FITARA) scorecard for federal agencies, released on Monday, May 21, shows that five agencies grades improved over last years scorecard, and eleven agencies scores dropped. The highest grade on this scorecard was a B+, achieved by the Education Department, the General Services Administration (GSA), and the National Science Foundation. The Defense Department received an F, as it has on the past three biannual scorecards. The areas that gave agencies the most trouble were software license tracking, making sure that CIOs report to department secretaries or deputy secretaries, and establishing working capital funds as required by the Modernizing Government Technology Act.

[Editor Comments]

[Pescatore] This is the first year the FITARA score card has included FISMA cybersecurity scores. Of the 23 agencies score, nine agencies received Fs in cybersecurity and the highest grade given was a Cand only 5 agencies were rated that high! The scores equally weighted IG reports with Cross Agency Priority assessments. Those CAP assessments have usually been pretty generous, meaning the poor results are even more disturbing. It seems that the government-wide focus on improving cybersecurity has sharply declined.

[Paller] Theres a new mood in federal cybersecurity leadership OMBone that focuses on accountability for actions rather than completion of paperwork. Refreshing!

Read more in:

House Oversight: OGR Biannual Scorecard - May 2018


House Oversight: The Federal Information Technology Acquisition Reform Act (FITARA) Scorecard 6.0


Nextgov: Agency Grades Get Worse in Latest FITARA Scorecard


Fedscoop: These 3 categories tanked agencies on the latest FITARA scorecard




Lack of Military Contractor Cooperation Affects Cybersecurity

(May 22, 2018)

Speaking at the Security Through Innovation Summit in Washington, DC last week, Col. Tim Brooks said that because military contractors compete with each other for work, they do not cooperate on cybersecurity issues. As a result, the military is faced with cybersecurity issues. Col. Brooks, who is the mission assurance division chief in the Department of Army Management OfficeCyber noted that if we dont get industry talking amongst themselves about how we could develop a common standard to ensure that information can flow from one side of an organization to anotherthen were never going to get better than our weakest link.

Read more in:

Cyberscoop: Lack of cooperation between contractors creates lasting vulnerabilities for DoD, official says


**************************  SPONSORED LINKS  ********************************

1) Don't Miss: "True DetectiveAutopsy of latest O365 and AWS threats" with John Pescatore. Register: http://www.sans.org/info/204280

2) Cisco Webcast: "We pass the costs to you! An analysis of cryptomining and cryptojacking" Register: http://www.sans.org/info/204285

3) How are you dealing with the rapid evolution of Secure DevOps? Take the SANS 2018 Secure DevOps Survey and enter to win a $400 Amazon gift card! http://www.sans.org/info/204290




Trisis Variant Targets Multiple Safety Instrumented Systems

(May 24, 2018)

Researchers at Dragos say that Xenotime, the name it has given the group behind Trisis malware, has broadened its targets to include industrial companies in the US. Last year, Trisis was used in an attack against an industrial facility in the Middle East in Saudi Arabia last year. The new Trisis variant is capable of infiltrating several different safety instrumented systems (SIS), unlike the version used in the earlier attack, which targeted just one SIS.

[Editor Comments]

[Assante] The implications of an actor group investing in tools and techniques to manipulate safety systems is significant. I fully suspect their suite of capabilities include control system tailored malware as well. The use of phishing and waterholing engineers has been associated with past ICS access campaigns and will continue as it obviously works.

Read more in:



Cyberscoop: Trisis masterminds have expanded operations to target U.S. industrial firms




FBI Acknowledges Encrypted Device Count Was Inaccurate

(May 22 & 23, 2018)

According to a Washington Post report, the FBI exaggerated the number of phones it was unable to access due to encryption. The FBI has been a vocal advocate of backdoors in encryption products to thwart criminals going dark, or communicating through channels that law enforcement cannot access. Earlier this year, FBI Director Christopher Wray told Congress that the bureau was unable to access 7,775 phones in the fiscal year ending September 2017. On Tuesday, May 23, the FBI acknowledged that the figure was inaccurate, attributing the error to an April 2016 effort to combine information from three different databases. The FBI has not said when it plans to release revised figures. 

Read more in:

Washington Post: FBI repeatedly overstated encryption threat figures to Congress, public


Wired: Significant FBI Error Reignites Data Encryption Debate


ZDNet: FBI inflated encrypted device figures, misleading public


Ars Technica: FBI exaggerated the number of phones it cant unlock by up to 550 percent




Chrome Outlines Plans to Alert Users to Unsecure Websites

(May 21, 2018)

In a Chromium blog post, Google has described some of the steps it will take to alert Chrome browser users that they are visiting unsecure websites. In September (Chrome 69), Chrome will stop identifying HTTP sites as secure in the address bar. In October, (Chrome 70) Chrome will begin displaying a red not secure warning when users enter data on HTTP sites. Google is in essence turning security indication on their head; instead of labeling sites as secure, Chrome security team project manager Emily Schechter wrote in a blog that Users should expect that the web is safe by default.

Read more in:

Chromium Blog: Evolving Chrome's security indicators


Computerworld: Google details how it will overturn encryption signals in Chrome




Pentagon Tightens Rules for Personal Mobile Devices

(May 23, 2018)

A US Defense Department (DoD) policy memo released on May 22, 2018, says that all Pentagon personnel, contractors, and visitors are no longer permitted to have personal mobile devices in areas involved in processing, handling, or discussion of classified information. People who violate the policy could face loss or delay of security clearances, fines, and administrative discipline. The policy must be implemented within 180 days.

[Editor Comments]

[Pescatore] For areas where classified information is present, there is no down side to this policy. It should be applied to all contractor facilities that are approved for handling classified information.


[Neely] The best implementation would be a single, simple policy that applies to all devices regardless of ownership or rank to reduce the chance of error. The risks associated with personally owned devices versus government furnished devices are not significantly different.

Read more in:

Defense: Memorandum for Chief Management Officer of the Department of Defense


FCW: Pentagon cracks down on personal mobile devices




Schneider Electric Patches SoMachine Vulnerability

(May 23, 2018)

Schneider Electric has released patches for a flaw in its SoMachine Basic software. The vulnerability could be exploited to allow data disclosure and retrieval. The issue lies in the way some versions of SoMachine parse XML documents. The fixes are available for download from or through the Schneider Electric Software Update tool. 

Read more in:

Schneider: Security NotificationSoMachine Basic


Threatpost: Schneider Electric Patches XXE Vulnerability in Software




Comcast Patches Xfinity Router Data Leak

(May 22, 2018)

Comcast has fixed a security issue that leaks customer SSIDs and passwords from Xfinity routers. The flaw was exploitable from the website that customers use to activate and manage the routers. Comcast customers who use their own routers are not affected.

Read more in:

Threatpost: Comcast Patches Router Bug That Leaked Some Wi-Fi Passwords




Malicious SYLK Files Used to Execute Code in Excel


BMW Releases Patches for Several Cars


Mac Crypto Miners


VMWare Spectre Updates


VPNFilter Malware Affecting Cisco Routers


DLink Vulnerabilities


Firefox Disabling "Spy APIs" and enabling 2FA



GDPR Going Into Effect May 25th


Bitcoin Gold Double Spend Attack


Amazon Alexa Forwards Random Conversations


Verge Crypto Coin Attacked Again




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create