

Volume XX - Issue #49

June 22, 2018


SANS NewsBites               June 22, 2018                Vol. 20, Num. 049



  White House/DHS Announce New Cyber Skills Pipeline Initiative

  Cisco Releases June Security Updates


  China Cryptomining Arrests

  Tesla Suing Former Employee for Theft of Sensitive Data

  DNS Rebinding Vulnerability in Internet of Things Devices

  Mylobot Botnet Uses Multiple Evasion Techniques

  Browser Bug Report Responses Differ from Company to Company

  Prison Sentence for DDoS Attack That Affected City of Madison, Wisconsin Government

  China's Thrip Cyberespionage Group

  Fusion Center Could Help Fight Election Meddling

  House Draft NTIA Reauthorization Act

  Olympic Destroyer Hackers Targeting Bio-Chemical Threat Prevention Organizations

  White House Cyberskills Pipeline Initiative (Excerpts)  






 --White House/DHS Announce New Cyber Skills Pipeline Initiative

(June 22, 2018)

Yesterday the White House released the Government Reform Plan which includes a plan to solve the federal cybersecurity workforce shortage. The plan is government-wide and focuses both on the immediate needs of the federal government and on educating America's youth to build an enduring cybersecurity talent pipeline. [Ed: You will find key excerpts at the end of this issue of NewsBites.]

Full Government Reform Plan (see page 108)


Recent Press Clips on Cyber Workforce Reform Plan

 --Cisco Releases June Security Updates

(June 21, 2018)

Cisco's June updates include fixes for 34 vulnerabilities in several different products. Twenty-four of the fixes address issues in FXOS software for Firepower firewalls and NX-OS software for Nexus switches.

Read more in:

Cisco: Cisco Security Advisories and Alerts

ZDNet: Cisco patches critical Nexus flaws: Are your switches vulnerable?





 --China Cryptomining Arrests

(June 21, 2018)

Authorities in China have arrested 16 people in connection with a cryptocurrency mining scheme. The suspects allegedly placed cryptomining software on thousands of computers at Internet cafes. All 16 are employees of an IT company that had servicing contracts with Internet cafes in cities across China.

[Editor Comments]

[Murray] Cryptomining is not illegal, per se. Using someone else's computer for any purpose is.

Read more in:

Bleeping Computer: Sixteen Arrested After Deploying Coinminers Across Internet Cafes in 30 Cities


 --Tesla Suing Former Employee for Theft of Sensitive Data

(June 20 & 21, 2018)

Tesla is suing a former employee for allegedly breaking into the company's computer network, stealing manufacturing systems information, and sharing it with third parties. The lawsuit alleges that the actions were taken by a former employee, Martin Tripp, who was unhappy with a job reassignment, and that Tripp admitted to "writing software that hacked Tesla's manufacturing operating system" and to leaking gigabytes of data to third parties.

[Editor Comments]

[Neely] Elon Musk calls this sabotage, Martin Tripp calls it responsible disclosure or whistleblowing. Adding scripts to autonomously exfiltrate data and accessing systems using existing or false user names is not going to be taken as responsible and is going to make a whistleblower defense more complex. A reminder here to seek sound legal advice before taking action when preparing to blow the whistle.

Read more in:

ZDNet: Tesla: We're now suing ex-employee for alleged theft of gigabytes of trade secrets

Motherboard: Tesla Alleges an Employee Stole Gigabytes of Trade Secrets

BBC: Tesla sues former worker for hacking


 --DNS Rebinding Vulnerability in Internet of Things Devices

(June 19 & 21, 2018)

Many smart home Internet of Things (IoT) devices are vulnerable to DNS rebinding, an attack method that has been known since at least 2007. DNS rebinding works by evading same-origin policy checks. Some manufacturers of the vulnerable IoT devices have begun releasing updates to fix the problem.

[Editor Comments]

[Neely] This is not a simple attack to pull off. The target device has to access a service that causes the device to access the malicious site, which triggers the change of the device's DNS settings, and is then leveraged both to map out the internal network and to build a pivot point providing an access path to other services. They are leveraging the user, their browser, and its trust relationship with the vulnerable device. While a long-term fix requires software updates to the devices, a short-term mitigation is to use a DNS service that blocks returns of internal (RFC 1918 address) responses, as well as putting IoT devices on a separate network from users.


[Murray] It is easier to do a single use device or appliance right the first time than to fix thousands of them late.  

Read more in:

Medium: Attacking Private Networks from the Internet with DNS Rebinding

The Register: Are your IoT gizmos, music boxes, smart home kit vulnerable to DNS rebinding attacks? Here's how to check

Wired: Millions of Streaming Devices are Vulnerable to a Retro Web Attack

Bleeping Computer: Google, Roku, Sonos to Fix DNS Rebinding Attack Vector
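The two mitigations behind this item, filtering DNS answers that point into private address space (the editor's short-term fix) and, on the device side, refusing HTTP requests whose Host header does not name the device (the fix vendors ship to stop a rebound hostname from reaching the device's own API), can both be expressed as small checks. The following Python is an added example written for this issue; it is not code from the newsletter or from any of the vendors named above. Every hostname, address, TTL and "answer" in it is constructed sample data, and `Answer`, `filter_rebinding` and `host_header_allowed` are names chosen here, not any library's API.

```python
"""Added example (not from the newsletter): two defender-side checks against
DNS rebinding.

1. A resolver-side filter: an answer for a name that resolves to an RFC 1918,
   loopback or link-local address is dropped, unless the name is on an explicit
   allowlist (e.g. a split-horizon corporate zone), so a public hostname cannot
   be "rebound" onto the LAN.
2. A device-side Host header allowlist: a request whose Host header is not one
   of the device's own names or addresses is refused even though it arrived on
   the device's port (a rebound browser still sends the attacker's hostname).

All names, addresses and answers below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass

# Address ranges a public hostname must never resolve to.
BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
        "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this" net
        "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
    )
]


@dataclass
class Answer:
    """One address record from a DNS response (constructed, not parsed wire data)."""
    name: str    # queried hostname
    rtype: str   # "A" or "AAAA"
    ttl: int
    data: str    # resolved address


def is_internal(addr: str) -> bool:
    """True if the address falls inside any blocked (non-public) range."""
    ip = ipaddress.ip_address(addr)
    # ip_network.__contains__ returns False across IPv4/IPv6, so mixing is safe.
    return any(ip in net for net in BLOCKED_NETWORKS)


def filter_rebinding(answers, allowed_internal_names=()):
    """Return (kept, dropped). Address records pointing into internal space are
    dropped unless the queried name is explicitly allowed to resolve internally."""
    kept, dropped = [], []
    for a in answers:
        if a.rtype in ("A", "AAAA") and is_internal(a.data) \
                and a.name not in allowed_internal_names:
            dropped.append(a)
        else:
            kept.append(a)
    return kept, dropped


def host_header_allowed(host_header, device_names, device_addresses) -> bool:
    """Device-side check: accept only Host values that name this device."""
    host = host_header.strip().lower()
    if host.startswith("["):             # "[v6addr]:port" form
        end = host.find("]")
        if end < 0:
            return False
        host = host[1:end]
    elif host.count(":") == 1:           # "name:port" or "v4addr:port" form
        host = host.split(":", 1)[0]
    if host in {n.lower() for n in device_names}:
        return True
    try:
        return ipaddress.ip_address(host) in {ipaddress.ip_address(a) for a in device_addresses}
    except ValueError:                   # not an IP literal and not an allowed name
        return False


# Constructed sample answers: the first two model a rebinding sequence, where
# the same short-TTL name first resolves publicly and then to a LAN address.
SAMPLE_ANSWERS = [
    Answer("evil.example", "A", 1, "203.0.113.10"),
    Answer("evil.example", "A", 1, "192.168.1.20"),
    Answer("evil.example", "AAAA", 1, "fe80::1"),
    Answer("intranet.corp.example", "A", 300, "10.1.2.3"),   # legitimate split-horizon name
    Answer("cdn.example", "A", 300, "198.51.100.7"),
]
DEVICE_NAMES = ["speaker.local"]                 # constructed device identity
DEVICE_ADDRESSES = ["192.168.1.20", "fe80::1"]

if __name__ == "__main__":
    kept, dropped = filter_rebinding(SAMPLE_ANSWERS, {"intranet.corp.example"})
    for a in dropped:
        print(f"dropped {a.name} {a.rtype} -> {a.data} (internal address)")
    for h in ("speaker.local:8080", "192.168.1.20", "evil.example"):
        print(f"Host: {h!r:<22} allowed={host_header_allowed(h, DEVICE_NAMES, DEVICE_ADDRESSES)}")
```

The resolver filter is the same idea as the rebind protection offered by some home-router and public resolvers; the allowlist parameter exists because a blanket block breaks legitimate internal names, which is why the editor frames it as a short-term mitigation. The Host header check is what closes the hole on the device itself: once a rebound name is pointed at the device, the browser's request still carries the attacker's hostname, so the device can refuse it without knowing anything about DNS.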


 --Mylobot Botnet Uses Multiple Evasion Techniques

(June 20, 2018)

The Mylobot botnet uses multiple layers of detection evasion and serves as a delivery point to download additional malware onto infected computers. Mylobot shuts down Windows Defender and Windows Update, and blocks additional firewall ports. Mylobot's final payload is downloaded from command-and-control servers.  

Read more in:

SC Magazine: Mylobot exhibits never before seen evasion techniques

ZDNet: This new Windows malware wants to add your PC to a botnet - or worse


 --Browser Bug Report Responses Differ from Company to Company

(June 20, 2018)

A researcher who found a flaw that affected both Microsoft Edge and Mozilla Firefox had very different experiences with each company when reporting the problem. Mozilla fixed the flaw in the stable version of Firefox 59, which was released in March 2018. Microsoft was notified of the flaw on March 1, 2018, but the issue was not fixed until the June 2018 patch Tuesday release. The flaw, dubbed Wavethrough by the researcher, stems from the fact that the Range HTTP request header was not standardized for HTML.

[Editor Comments]

[Pescatore] Microsoft's communication was definitely lacking, but a 90-day vulnerability notification to Microsoft patch release isn't really that long given that (1) Years ago Microsoft made the bad decision to embed browser code in the Windows operating system, making browser patching way more complex; (2) CIOs told Microsoft years ago they didn't want to see patches more than once per month. Both of these decisions put Windows at a security disadvantage, which in today's environment is a competitive disadvantage.

Read more in:

Jake Archibald: I discovered a browser bug

The Register: Microsoft Edge bug odyssey shows why we can't have nice things

Bleeping Computer: Microsoft Edge Bug Exposes Content From Other Sites via HTML5 Audio Tag


 --Prison Sentence for DDoS Attack That Affected City of Madison, Wisconsin Government

(June 20, 2018)

Randall Charles Tucker has been sentenced to 20 months in prison for launching distributed denial-of-service (DDoS) attacks against computer systems of several city governments, including Madison, Wisconsin, where systems remained intermittently unavailable for five days in March 2015. In April 2017, Tucker pleaded guilty to intentional damage to a protected computer.

Read more in:

SC Magazine: 'Bitcoin Baron' sentenced to 20 months for DDoS attack on Madison, Wis.

The Register: Script kiddie goes from 'Bitcoin Baron' to 'Lockup Lodger' after DDoSing 911 systems


 --China's Thrip Cyberespionage Group

(June 19 & 20, 2018)

A Chinese cyberespionage group that researchers are calling Thrip has been targeting telecommunications companies, defense contractors, and satellite operators in the US and southeast Asia. A report from Symantec notes Thrip's interest in the operational networks of some of its targets, which suggests that the group could be looking beyond information harvesting to interference and disruption.

Read more in:

Symantec: Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies

Ars Technica: China-based hackers burrow inside satellite, defense, and telecoms firms

Dark Reading: China-Based Cyber Espionage Campaign Targets Satellite, Telecom, Defense Firms

The Hill: Symantec warns of China-based espionage campaign targeting satellites

Cyberscoop: Chinese hacking group resurfaces, targets U.S. satellite companies and systems


 --Fusion Center Could Help Fight Election Meddling

(June 20, 2018)

Former US NATO ambassador Victoria Nuland told members of the Senate Intelligence Committee that it would be wise to establish a fusion center to help fight digital interference in elections. The center, as described by Nuland, would be modeled on the counterterrorism fusion center established in the wake of the September 11 attacks. Members of the Committee said that they would consider Nuland's suggestion.   

[Editor Comments]

[Northcutt] Nuland has served under both parties and her testimony was about a larger problem than just the Russian cyberattacks: Former U.S. Diplomat Warns China Is Emulating Russian Political Interference

Read more in:

Cyberscoop: Senate to review fusion center plan to deter Russian cyberattacks


 --House Draft NTIA Reauthorization Act

(June 20, 2018)

A discussion draft of the House reauthorization for the Commerce Department's National Telecommunications and Information Administration (NTIA) would require the Commerce Department to investigate cybersecurity threats in the telecommunications networks' supply chain.

Read more in:

Nextgov: Draft Reauthorization Pushes NTIA to Investigate Telecom Cyber Supply Chain Threats

US House: National Telecommunications and Information Administration Reauthorization Act of 2018


 --Olympic Destroyer Hackers Targeting Bio-Chemical Threat Prevention Organizations

(June 19, 2018)

Olympic Destroyer, the hacking group behind the attacks on the Pyeongchang Winter Olympics computer network earlier this year, has begun targeting Russian financial institutions and chemical and biological threat prevention organizations in France, Switzerland, the Netherlands, and Ukraine. The new attacks began with spear phishing emails designed to harvest details about targeted computers and networks.

Read more in:

SecureList: Olympic Destroyer is still alive

Wired: The Olympic Destroyer Hackers May be Targeting Biochem Threat Prevention Now

Ars Technica: Hackers who sabotaged the Olympic games return for more mischief



PowerShell ScriptBlock Logging Bypass in the Wild

Virustotal "False Positive" Alert

Cloud Environments Exposed to the Internet (PDF)

Google Home DNS Rebinding Attack Reveals Geolocation


Netflix Phishing Sites Using TLS

OpenBSD Disables Hyperthreading By Default

Bithumb Crypto Currency Exchange Breached Again

Microsoft Edge CORS Bypass via Audio Files

Microsoft Releases a Special Patch for Oracle Outside-In Libraries


Fake Fortnite

Fake Wannacry E-Mails

Ransomware Installs In Internet Cafes (in Chinese with translation option)

OpenVPN Malicious Configuration Files


Cisco Advisories


White House Cyberskills Pipeline Initiative (Excerpts)

Summary of Proposal: The Federal Government struggles to recruit and retain cybersecurity professionals due to a shortage of talent along with growing demand for these employees across the public and private sectors. The Department of Homeland Security (DHS) and the Office of Management and Budget (OMB), working in coordination with all Federal departments and agencies, will establish a unified cyber workforce capability across the civilian enterprise. This Administration will work towards a standardized approach to Federal cybersecurity personnel, ensuring Government-wide visibility into talent gaps, as well as unified solutions to fill those gaps in a timely and prioritized manner.


The Federal Government struggles to recruit and retain cybersecurity professionals due to a shortage of, and growing demand for, cybersecurity talent across the public and private sectors. The workforce shortage compounds the Government's challenges in responding to a constantly evolving threat environment and achieving its many IT-dependent missions.

In the past, each Federal department and agency was responsible for addressing its own cybersecurity workforce gaps independently, which has led to disaggregated and redundant Federal programs. As a result, the Government lacks a comprehensive, risk-derived understanding of which cybersecurity skillsets the Federal enterprise needs to develop and which positions are most critical to fill.

Moreover, the manner in which departments and agencies recruit, hire, train, retain, and compensate cybersecurity personnel varies by agency. This uneven approach has created internal competition for talent, which in turn creates disparities and discontinuities that degrade agencies' ability to defend networks from malicious actors and respond to cyber incidents. A unified approach to attracting and retaining cybersecurity talent within the Federal Government would better support the Government's cybersecurity enterprise.

Finally, there have not been continuous, strategic investments made in U.S. education programs to strengthen a pipeline for future cybersecurity talent. The abundance of redundant Federal programs focused on strengthening cybersecurity education illustrates how the Government's role building the cybersecurity talent pipeline remains ill-defined.


This Administration can strengthen Federal cybersecurity and improve agencies' ability to carry out their missions by identifying and closing workforce gaps in the near term, and can ensure long-term viability by building the cybersecurity talent pipeline.


To improve recruitment and retention of highly qualified cybersecurity professionals to the Federal Government, this Administration will develop a standardized approach to identifying, hiring, developing, and retaining a talented cybersecurity workforce in a timely and prioritized manner.

In the near term, this Administration will prioritize and accelerate on-going efforts to reform the way that the Federal Government recruits, evaluates, selects, pays, and places cyber talent across the enterprise.

Taking Stock of the Current Cybersecurity Workforce and Identifying Gaps

Human Capital personnel from across the Executive Branch are currently working with the Office of Personnel Management (OPM) to categorize the Federal cybersecurity workforce, using the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework (NICE Framework, as required by the Cybersecurity Workforce Assessment Act of 2015). By Fall 2018, the Federal Government will have catalogued the entire cybersecurity workforce to better understand our current set of knowledge, skills, abilities, and identify any gaps; this catalog will give us Government-wide insight into where our most pressing needs are, and, for the first time, enable the development of an enterprise-wide approach to the recruitment, placement, and training of cybersecurity talent.

Using the NICE Framework analysis, the Federal Government will be able to determine which workforce gaps are most critical to address the current cybersecurity threat landscape. DHS, as the lead agency for the protection of Federal IT networks, is best positioned to drive this prioritization with Federal agencies and OMB. By the first quarter of Fiscal Year (FY) 2019, all CFO Act agencies, in coordination with DHS and OMB, will develop a list of critical vacancies across their organizations. By the end of FY 2019, all CFO and non-CFO Act agencies will have a prioritized list of critical vacancies. OMB and DHS will analyze these lists and work with OPM to develop a whole-of-government approach to identifying or recruiting new employees or reskilling existing employees in FY 2019.

Developing Innovative Recruitment, Retention, and Mobility Strategies

As agencies prioritize their cyber workforce needs, they will likely need to adopt innovative hiring techniques to ensure the best and brightest cyber talent can seamlessly enter the Federal Government. To address this challenge, the Department of Homeland Security received authority, through the 2014 Border Patrol Pay Reform Act, to modernize the traditional personnel system. With this new authority, DHS is working to create a new Federal hiring system called the Cyber Talent Management System (CTMS), exempting DHS from many of the requirements and restrictions in existing law under Title 5 for hiring and compensation of cybersecurity professionals.

With an agile and innovative personnel system, DHS will be better equipped to compete for cyber talent with the private sector: speeding up the hiring process, attracting talent from non-traditional educational backgrounds, using innovative tools to assess applicants, and offering more flexible performance-based compensation. DHS will also be able to align prospective cybersecurity talent to the most pressing cybersecurity needs and will allow these technical professionals to accelerate their careers as rapidly as their aptitudes allow. In order to implement CTMS, by the first quarter of FY 2019 OMB, through its Office of Information and Regulatory Affairs (OIRA), will work with DHS to promulgate the necessary regulatory notices. By the end of FY 2019, DHS will work with OMB and all Federal agencies to measure the performance of CTMS and determine how to expand the system so that all departments and agencies can leverage it to address their personnel gaps.

One of the main hindrances to a seamless entry into the Federal Government is the security clearance process. The success of this initiative partly hinges on the success of the Government's security clearance reform initiative, as discussed in a separate Executive Branch reorganization proposal in this Volume. In addition to the Government-wide security clearance solution, OMB, DHS, and OPM will work with agencies to review workforce characteristics to rationalize security clearance requirements in order to expedite the vetting and onboarding process.

The NICE Framework Federal workforce assessment is expected to confirm what has been known for some time: that cybersecurity employees' skills and competencies vary across the Government. OMB will consult with DHS to standardize training for cybersecurity employees, and will work to develop an enterprise-wide training process for Government cybersecurity employees.

As part of creating a modern hiring and compensation system that rewards cyber expertise, the Executive Branch should also evaluate opportunities to make cybersecurity positions more mobile than traditional Government jobs. Flexibilities that allow workers to easily move from one position to another, or from one agency to another, would appeal to cyber talent in the agile and fast-paced cybersecurity industry. This mobility is also useful during a major cybersecurity incident, allowing agencies to surge capacity for incident response activities. OMB, in coordination with departments and agencies, will develop a work plan to implement this initiative by the end of FY 2018. Departments and agencies will begin to exercise these authorities by the end of FY 2019.

As an alternative or supplement to surge capacity, a mobile workforce will allow agencies to surge capacity for incident response activities. OMB, DHS, and DOD will evaluate what workforce gaps might exist that would be needed during a major Federal cybersecurity incident to determine the requirements for a Federal cybersecurity reservist program. As part of this analysis, OMB, DHS, and DOD will evaluate the existing authorities of Federal agencies to rapidly mobilize talent, including those of the U.S. Digital Service, which recruits talent from the private sector. These organizations will also evaluate the feasibility of extending a reservist program to support non-Federal major cybersecurity incidents within the United States, such as those affecting critical infrastructure. These programs will be coordinated with existing cyber services, including those in the National Guard.

Reskilling Employees to Fill High-Value Cybersecurity Roles

In addition to hiring new cybersecurity talent, the Government must look for opportunities to maximize the potential of its existing workforce. This includes efforts to reskill employees whose skills have become less relevant due to automation. OMB, DHS, and OPM will build aptitude and skills assessments to identify and select current Government staff who can be reskilled to fill critically-needed cybersecurity jobs. By reskilling the current workforce, agencies will be able to quickly shift their workforce into the highest-priority vacancy gaps. OMB and DHS will establish a job reskilling work plan by the first quarter of FY 2019. OMB and DHS will then update the CIO Council on a quarterly basis on the implementation of the reskilling work plan.

Building a Pipeline of Cybersecurity Talent

While solving the immediate needs of the Federal workforce is a major challenge, the Administration will also work to educate America's youth to build an enduring cybersecurity talent pipeline. As part of the FY 2020 Budget development process, OMB will evaluate options to rationalize the size and scope of current Federal cybersecurity education programs, including the National Science Foundation (NSF)'s CyberCorps, the Scholarship for Service program, the National Security Agency (NSA)/DHS Centers for Academic Excellence program, NSF and NSA's GenCyber Program, the Department of Labor's apprenticeship program, DHS's Cybersecurity Education and Training Assistance Program, the U.S. Army Cyber Center of Excellence, and the U.S. Navy Information Operations Command program, among others.

While the cybersecurity workforce shortage has been a known challenge for Federal agencies, no other Administration has taken a whole-of-Government approach to fixing it. OMB and DHS look forward to solving this major challenge through smart analysis and creative solutions.


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit