
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #59

July 27, 2018





  US-CERT Warns of Increasing Attacks Against ERP Applications

  US Defense Department Issues Final RFP for JEDI Cloud Project

  Senator Urges Government to Stop Using Adobe Flash Before 2020 End-of-Life


  Vulnerability in Swann IoT Security Camera App

  Russian Hackers Target Senator McCaskill

  NSA IG Audit Finds Cybersecurity Issues at the Agency

  No More Cryptocurrency Mining Apps in Google Play Store

  COSCO Shipping Company Ransomware Attack

  Ohio Police Department Denied Access to State Crime Database After Ransomware Attacks

  Device-Makers Issuing Fixes for Bluetooth Vulnerability

  2018 General Dynamics Hackathon





-- SANS Network Security 2018 | Las Vegas, NV | September 23-30

-- SANS Boston Summer 2018 | August 6-11

-- Data Breach Summit & Training 2018 | New York, NY | August 20-27

-- SANS Virginia Beach 2018 | August 20-31

-- SANS Amsterdam September 2018 | September 3-8

-- SANS Tokyo Autumn 2018 | September 3-15

-- Threat Hunting & Incident Response Summit 2018 | New Orleans, LA | September 6-13

-- SANS London September 2018 | September 17-22

-- SANS October Singapore 2018 | October 15-27

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Best Offers of the Year: Get a 12.9 iPad Pro, Microsoft Surface Pro, or take $350 Off with Any OnDemand or vLive Course. Offer Ends August 1.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast

-- Evening training 2x per week for 6 weeks with vLive

-- Anywhere, Anytime access for 4 months with OnDemand format

-- Single Course Training

SANS Mentor

Community SANS


-- View the full SANS course catalog and Cyber Security Skills Roadmap



--US-CERT Warns of Increasing Attacks Against ERP Applications

(July 25 & 26, 2018)

US-CERT has released an advisory warning of increasing attacks on Enterprise Resource Planning (ERP) applications. US-CERT was prompted to publish the advisory by a report from Digital Shadows/Onapsis. A press release accompanying the report notes a 100 percent increase in the number of publicly-available exploits for SAP and Oracle ERP applications over the last three years [and] a 160 percent increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017.

Read more in:

Onapsis: ERP Applications Under Fire: How cyberattackers target the crown jewels

BusinessWire: New Report Reveals Evidence That ERP Applications are Under Attack by Cybercriminals, Hacktivists and Nation-state Actors

US-CERT: Malicious Cyber Activity Targeting ERP Applications

ZDNet: ERP security warning as hackers step up attacks on systems

Dark Reading: US-CERT Warns of ERP Application Hacking

SC Magazine: US-CERT issues advisory after researchers report increase in attacks against SAP and Oracle ERP apps

The Register: US Homeland Security warns of latest hacker craze: ERP pwnage


--US Defense Department Issues Final RFP for JEDI Cloud Project

(July 26, 2018)

The US Department of Defense (DOD) has issued the final request for proposals (RFP) for its Joint Enterprise Defense Infrastructure (JEDI) Cloud contract. DOD will accept questions on the RFP through August 16, 2018; responses from interested vendors are due by September 17, 2018. The RFP's Statement of Objectives attachment notes that DoD requires "an extensible and secure cloud environment that spans the homeland to the global tactical edge," as well as the ability to rapidly access computing and storage capacity to address warfighting challenges "at the speed of relevance."

[Editor Comments]

[Weatherford] It's good to see this RFP move forward. There is still a lot of controversy over it being a single- versus multi-vendor award, but time is wasting, and Moore's Law waits on no man. Technology is moving forward; DOD is being left behind. Cloud service providers are incentivized in ways that most organizations simply can't compete with, and this is a good thing in my book because I believe the cloud is a catalyst for better security.

[Paller] Cloud can be a powerful catalyst for better security, but it has been the opposite when used as infrastructure (rather than software as a service). High customer expectations for cloud-vendor-supplied security are nearly always unmet. There is a real person (who was previously a cyber-savvy FBI agent) who has a high-level job at one of the largest cloud suppliers that he has nicknamed CAO. That stands for Chief Apology Officer, he says, as his job is to go out to see angry CIOs to explain to them that his firm does not provide any useful security improvements when they buy infrastructure, unless the CIO wants to pay (a lot) more.

Read more in:

FedScoop: The Pentagon opens JEDI cloud for bidding, still as a single award contract

FCW: Pentagon's $10 billion JEDI cloud buy hits the street

MeriTalk: DoD Releases Final RFP, Now Taking Bids for JEDI Cloud Contract



--Senator Urges Government to Stop Using Adobe Flash Before 2020 End-of-Life

(July 26, 2018)

Senator Ron Wyden (D-Oregon) has asked the National Institute of Standards and Technology (NIST), the National Security Agency (NSA), and the Department of Homeland Security (DHS) to ensure that the government stop using Adobe Flash before Adobe stops technical support for it in 2020. In the letter, Wyden asks that the agencies mandate that the government not deploy any new Flash-based content on websites, effective within 60 days. He also asks that they require agencies to remove all Flash-based content by August 1, 2019, and to implement a pilot program requiring that Flash be removed from a subset of employee desktop computers by March 1, 2019 and to remove it from all computers by August 2019.

[Editor Comments]

[Pescatore] The DHS binding operational directive requiring agencies to start turning on DMARC policies was a proactive move by DHS; starting the process of getting rid of Flash early would be another good move. While politicians driving security guidance usually results in "windows screens on submarines" kind of security, this one makes sense.

[Neely] A hard deadline to remove Flash will help keep agencies aware of the need to retire the technology. Identification of a funding stream to recreate content using HTML5 will be the biggest challenge.

Read more in:

Wyden: Letter to NIST, NSA, & DHS Re: Adobe End-of-Life

Threatpost: Sen. Wyden Urges Ban of Adobe Flash for Gov. Use

The Register: Sen. Ron Wyden: Adobe Flash is doomed, why is Uncle Sam still using it?

InfoSecurity Magazine: Senator Urges Government to Kill Off Flash Now






--Vulnerability in Swann IoT Security Camera App

(July 26, 2018)

A security flaw in the Swann smart security camera app allows users to view other users' video streams. The API did not verify that the person viewing a camera's stream through the app was actually that camera's authorized user; it used the camera's serial number as the sole identifier for connecting to the device. Swann has released updated firmware to address the issue. The issue also lies with OzVision, the cloud service provider the cameras use, so other cameras that rely on OzVision may be similarly vulnerable.

[Editor Comments]

[Northcutt] Internet-accessible security cameras were a known problem 18 years ago with Johnny Long's GHD. Swann/OzVision just don't appear to care about their customers' privacy and security. I wonder if either even has a CISO.

Read more in:

ZDNet: Flaw let researchers snoop on Swann smart security cameras

BBC: Swann's home security camera recordings could be hijacked
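The missing check in the camera-stream API above, shown as an added example that is not Swann's or OzVision's code: the broken pattern keys the lookup only on the serial number, while the hardened version requires that the serial's registered owner is the authenticated caller and counts denials per account so that one account walking through many serials stands out. The registry, account names and function names are constructed for the example.

```python
# Added example, not vendor code. Constructed registry: camera serial -> owner.
from collections import Counter
from typing import Dict, List, Optional

CAMERAS: Dict[str, str] = {
    "SW-000101": "alice",
    "SW-000102": "alice",
    "SW-000203": "bob",
}


def stream_for_vulnerable(session_user: str, serial: str) -> Optional[str]:
    """Broken pattern: the session proves who is asking, but the lookup is
    keyed only on the serial, so ownership is never compared."""
    if serial in CAMERAS:
        return f"rtsp://cloud.example/{serial}/live"  # any user gets any stream
    return None


class StreamAuthorizer:
    """Hardened pattern: resolve the serial, then require that its owner is the
    authenticated caller. Unknown and not-owned serials get the same answer, so
    the endpoint does not reveal which serials exist. Denials are counted per
    account so that enumeration attempts can be alerted on."""

    def __init__(self, cameras: Dict[str, str], enumeration_threshold: int = 3):
        self.cameras = cameras
        self.threshold = enumeration_threshold
        self.denials: Counter = Counter()
        self.alerts: List[str] = []

    def stream_for(self, session_user: str, serial: str) -> Optional[str]:
        owner = self.cameras.get(serial)          # None for unknown serials
        if owner != session_user:
            self.denials[session_user] += 1
            if self.denials[session_user] == self.threshold:
                self.alerts.append(
                    f"{session_user}: {self.threshold} denied stream requests")
            return None
        return f"rtsp://cloud.example/{serial}/live"


if __name__ == "__main__":
    auth = StreamAuthorizer(CAMERAS)
    print(stream_for_vulnerable("mallory", "SW-000101"))  # stream leaks
    print(auth.stream_for("mallory", "SW-000101"))        # None
    print(auth.stream_for("alice", "SW-000101"))          # alice's own camera
```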


--Russian Hackers Target Senator McCaskill

(July 26, 2018)

Russian hackers attempted to gain access to Missouri Senator Claire McCaskill's computer network through a phishing attack. The attackers appear to have created a custom phishing website aimed at a specific McCaskill staffer. They were unsuccessful. Two other candidates have been targeted as well, and neither of those attempts succeeded.

Read more in:

CNET: Sen. Claire McCaskill target of apparent Russian hacking attempt

Washington Post: Claire McCaskill, a vulnerable Democrat running for reelection, targeted in hacking attempt by Russian spies

The Daily Beast: Russian Hackers' New Target: a Vulnerable Democratic Senator


--NSA IG Audit Finds Cybersecurity Issues at the Agency

(July 26, 2018)

According to an unclassified audit overview from the NSA Office of the Inspector General, the agency has numerous cyber security issues, including incomplete or inaccurate computer system security plans, and removable media not being scanned for malware. In addition, the NSA has not fully implemented two-person access controls on data centers and equipment rooms, a policy put in place after Edward Snowden leaked large quantities of agency data in 2013.

Read more in:

Nextgov: NSA Hasn't Implemented Post-Snowden Security Fixes, Audit Finds

Oversight: Office of the Inspector General National Security Agency Semi-Annual Report to Congress


--No More Cryptocurrency Mining Apps in Google Play Store

(July 26, 2018)

Google has updated its Google Play Store policy to state that it does not allow apps that mine cryptocurrency on devices. Google will continue to allow apps that manage cryptocurrency mining on remote devices. Chrome banned cryptocurrency mining apps in April 2018, and Apple imposed a similar policy in early June.

Read more in:

Bleeping Computer: Google Bans Cryptocurrency Mining Apps From the Play Store


--COSCO Shipping Company Ransomware Attack

(July 25 & 26, 2018)

The US network of the China Ocean Shipping Company (COSCO) was hit with a ransomware attack on July 24, 2018. COSCO's American Region IT infrastructure was down as of July 25; the company warned employees in other global operating areas not to open suspicious email. In a notice to customers, COSCO referred to the incident as a network breakdown, but internal emails seen by some maritime news sites refer to the incident as a ransomware attack.

Read more in:

Bleeping Computer: Ransomware Infection Cripples Shipping Giant COSCO's American Network

The Register: Oh no, what a rough blow: Cosco at a lossco over ransomware tossco

Threatpost: COSCO's American Operations Hit With Crippling Ransomware Attack

COSCO Shipping: Update on the Progress of Network Problem within America Area (Jul 26th)


--Ohio Police Department Denied Access to State Crime Database After Ransomware Attacks

(July 25, 2018)

The Riverside, Ohio Police Department's access to a statewide law enforcement database system was suspended on May 14, 2018, after city websites were hit with ransomware twice this spring. The decision to suspend Riverside's access to the Ohio Law Enforcement Gateway system was made to protect the system from possible ransomware infection.


[Editor Comments]

[Williams] While the state made the right decision, they did so for the wrong reasons. For the reason given (preventing ransomware), this is just poor threat modeling. Malware could read information from the database (unauthorized access), but it's hard to imagine ransomware at a local LE encrypting the state database at another site.


Read more in:

GovTech: Multiple Ransomware Attacks Cut Off Police Access to Crime Database in Riverside, Ohio


--Device-Makers Issuing Fixes for Bluetooth Vulnerability

(July 24, 2018)

Various device-makers have begun to release fixes to address a Bluetooth specification vulnerability that could be exploited to intercept and alter wireless data, sometimes called a man-in-the-middle attack. The flaw lies in the Secure Simple Pairing and LE Secure Connections features, and allows attackers to force devices to use a known decryption key. The flaw has existed for more than 10 years.

[Editor Comments]

[Neely] Leaving decisions on important security components, such as public key verification, as an exercise for the implementer will lead to sub-optimal results.

[Guest Editor Joshua Wright] Two parties are at fault for introducing this flaw: The Bluetooth SIG for not mandating or verifying public key validation in Bluetooth Certified products, and the implementing OEMs, for not realizing that public key validation is important. Exploitation is unlikely since there is a very limited opportunity for an adversary to take advantage of this flaw.

Read more in:

Ars Technica: Decade-old Bluetooth flaw lets hackers steal data passing between devices

Security Week: Bluetooth Vulnerability Allows Traffic Monitoring, Manipulation
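The public key validation that the editors say was left to implementers, as an added example (not code from any Bluetooth stack or from the NewsBites item): Secure Simple Pairing and LE Secure Connections exchange NIST P-256 ECDH public keys, and a receiver that accepts a key without checking that it is a valid point on P-256 can be steered onto a key the other side did not intend. The PDU decoder assumes the 64-byte little-endian X||Y layout of the LE SMP Pairing Public Key PDU; the test vectors are constructed from the curve's generator point.

```python
# Added example, not vendor code: full public-key validation for a received
# P-256 pairing key. Curve: y^2 = x^3 + a*x + b over GF(p), cofactor 1.
from typing import Tuple

P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_A = P256_P - 3
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
P256_GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
P256_GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def validate_p256_public_key(x: int, y: int) -> Tuple[bool, str]:
    """Return (ok, reason) for a received (x, y) public key.

    Because P-256 has cofactor 1, every finite point on the curve already lies
    in the prime-order subgroup, so the on-curve test is the full order check.
    """
    # 1. Both coordinates must be field elements: 0 <= x, y < p.
    if not (0 <= x < P256_P and 0 <= y < P256_P):
        return False, "coordinate out of range"
    # 2. Reject the point at infinity (some decoders map all-zero keys to it).
    if x == 0 and y == 0:
        return False, "point at infinity"
    # 3. On-curve check. A key whose y was altered is not on P-256 at all;
    #    deriving a shared secret from it is exactly what must be refused.
    lhs = (y * y) % P256_P
    rhs = (x * x * x + P256_A * x + P256_B) % P256_P
    if lhs != rhs:
        return False, "point not on P-256"
    return True, "valid"


def decode_le_public_key(blob: bytes) -> Tuple[int, int]:
    """Parse the 64-byte X||Y little-endian payload of the LE SMP Pairing
    Public Key PDU (assumed layout: x in bytes 0..31, y in bytes 32..63)."""
    if len(blob) != 64:
        raise ValueError("public key must be 64 bytes")
    return int.from_bytes(blob[:32], "little"), int.from_bytes(blob[32:], "little")


def check_pairing_key_pdu(blob: bytes) -> Tuple[bool, str]:
    """Validate a raw Pairing Public Key payload; never raises."""
    try:
        x, y = decode_le_public_key(blob)
    except ValueError as exc:
        return False, str(exc)
    return validate_p256_public_key(x, y)


if __name__ == "__main__":
    # Constructed vectors: the generator G (legitimate) and G with y altered.
    gen = P256_GX.to_bytes(32, "little") + P256_GY.to_bytes(32, "little")
    bad = P256_GX.to_bytes(32, "little") + (P256_GY + 1).to_bytes(32, "little")
    print(check_pairing_key_pdu(gen))  # (True, 'valid')
    print(check_pairing_key_pdu(bad))  # (False, 'point not on P-256')
```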


--2018 General Dynamics Hackathon

(July 24, 2018)

General Dynamics' third annual Hackathon, held July 12-13, 2018, focused on Artificial Intelligence (AI) and machine learning in a cloud environment. Participating teams had to set up and secure their own cloud infrastructure using the Amazon Web Services (AWS) cloud, then populate it with large data sets and analyze the data using automated analysis tools.

[Editor Comments]

[Pescatore] Well-managed hack-a-thons and bug bounty programs have been showing excellent results, but only when they are well-managed. Good to see this effort focused on security of cloud systems, especially AWS, and to see Amazon involved and supporting.

Read more in:

GDIT: 2018 GDIT AI Cyber Hackathon

Executive Biz: General Dynamics IT Business Holds 3rd Annual Cyber Hackathon




Emotet Update

Clear Text Phone Tracking

Bluetooth Bug

Apache OpenWhisk Vulnerability XSS Vulnerability

Tomcat Vulnerabilities Patched

DNS Over HTTPS Standard Finalized

ERP Systems Targeted in Recent Attacks

NetSpectre: Read Arbitrary Memory Over the Network

Google Play Store Bans Crypto Miners

Japanese Calendar Issues

Multiple Vulnerabilities in Samsung SmartThings Hub

Times Change and Your Training Data Should Too: The Effect of Training Data Recency on Twitter Classifiers




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit