
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #60

July 31, 2018






  Supply Chain Cyber Risk Warning

  Firefox Working on Site Isolation and Time Travel Debugging


  DOD Will Move Sites to HTTPS by Year's End

  Cloudflare's Lava Lamp Cryptography

  DC Police Camera Hack Part of Wider Planned Scheme

  Idaho Prison Inmates Hacked JPay Tablets

  Font Packages Compromised with Cryptocurrency Miners

  State Governments and Snail Mail Malware

  Houston Conducts Natural Disaster-Cyber Preparedness Exercise

  Auto-ISAC Members Workshop on Bug Disclosure Programs







--Supply Chain Cyber Risk Warning

(July 30, 2018)

A report from the US National Counterintelligence and Security Center (NCSC), a mission center within the Office of the Director of National Intelligence, says that the software supply chain is a significant emerging threat to organizations. The report provides additional insight into the most pervasive nation-state threats, and it includes a detailed breakout of the industrial sectors and technologies judged to be of highest interest to threat actors. It also discusses several potentially disruptive threat trends that warrant close attention. 

[Editor Comments]

[Northcutt] If you are really in a hurry, read page 12 and 13 of the DNI document. That is the main supply chain discussion, and also how intellectual property laws are diverging.

[Pescatore] The basic point (state-sponsored attackers are actively attacking US industry) has been coming out in the multiple government annual reports since at least 2011. The press interest is always piqued by details on the attack groups, but the companies (and government agencies) that have actually reduced supply chain risk have done so by focusing on increasing basic security hygiene requirements and monitoring *and* by making substantial progress in strong authentication, encryption and privilege management.

[Murray] There may be threats in the supply chain. However, the supply chain, per se, is a vulnerability, might even be a risk, not a threat. If we cannot use threat, attack, vulnerability, and risk in a consistent and exclusive manner, we will have great difficulty in making rational decisions about what to do.

Read more in:

InfoSecurity Magazine: US Warns of Supply Chain Attacks

DNI: Foreign Economic Espionage in Cyberspace


--Firefox Working on Site Isolation and Time Travel Debugging

(July 28, 2018)

Mozilla developers are working on some new features for the Firefox browser. First, a feature similar to Google Chrome's Site Isolation would open a new browser process for a domain loaded in a browser tab. The Firefox feature is called Project Fission. Second, Firefox developers are also testing a feature called Time Travel Debugging, which is an implementation of the older WebReplay project; it will let developers record complex page renderings, so they can look back and see where problems occurred.

[Editor Comments]

[Neely] Implementing explicit isolation in the browser is another layer in providing security for one of the top entry points for malware on the endpoint.

Read more in:

Bleeping Computer: Mozilla Is Working on a Chrome-Like "Site Isolation" Feature for Firefox

Bleeping Computer: Firefox Is Testing "Time Travel Debugging"






--DOD Will Move Sites to HTTPS by Year's End

(July 30, 2018)

On May 22, 2018, Senator Ron Wyden (D-Oregon) wrote to Department of Defense (DOD) CIO Dana Deasy, asking that DOD take immediate action to require the adoption of cybersecurity best practices on all publicly accessible DOD web services. The letter urges Deasy to implement HTTPS and to use certificates trusted by major browsers for public-facing web services. Deasy's July 20, 2018, response says that DOD plans to move all public-facing sites to HTTPS by the end of this calendar year.

[Editor Comments]

[Neely] This was a requirement for all government agencies back in 2015 with OMB Memo 13-15 which required implementation by the end of 2016. It was reiterated last fall with OMB Binding Operational Directive 18-1 which adds the requirement to disable weak cyphers. The two directives and letter from the Senator do not include clearly stated consequences for non-compliance. DOD is holding the line on using their certificate authority rather than commercial offerings. While their CA is part of the Federal PKI chain of trust, the FPKI roots are not consistently distributed with commercial browsers. Plan on pushing the FPKI root certs to devices if you are using DOD.

Read more in:

Bleeping Computer: DOD to Move All Websites to HTTPS by the End of the Year

Document Cloud: DOD Letter to Senator Wyden

Document Cloud: Wyden Letter to DOD/Deasy


--Cloudflare's Lava Lamp Cryptography

(July 29, 2018)

Cloudflare uses data generated from images of 100 active lava lamps in the lobby of the company's office in San Francisco in combination with other data (the movement of a pendulum in London and data from a Geiger counter in Singapore) to generate cryptographic keys.

[Editor Comments]

[Pescatore] Lava lamps were used by Silicon Graphics 20 years ago to seed random number generation. I don't think in the intervening decades anyone has debunked the method, but the old joke was that the security team came through and put lens caps on the cameras monitoring the lamps.

Read more in:

Wired: How a Bunch of Lava Lamps Protect Us From Hackers

Cloudflare: LavaRand in Production: The Nitty-Gritty Technical Details

Cloudflare: Randomness 101: LavaRand in Production


--DC Police Camera Hack Part of Wider Planned Scheme

(July 28, 2018)

Prosecutors say that the hacking scheme that disabled two-thirds of police surveillance cameras in Washington, DC, in January 2017 was part of a larger ransomware scheme. The suspects in the case allegedly planned to use the compromised devices to email ransomware to nearly 180,000 accounts. One of the two suspects has been extradited to the US from Romania; the US attorney's office for the District of Columbia is seeking to extradite the second.

Read more in:

Washington Post: Hack of D.C. police security cameras was part of bigger ransomware scheme, prosecutors say


--Idaho Prison Inmates Hacked JPay Tablets

(July 27, 2018)

Inmates at five state prisons in Idaho figured out how to trick JPay tablets into loading more than $225,000 in JPay credits to their accounts. JPay provides tablets specifically for inmates to use for email, purchasing music, and managing prison store accounts.

[Editor Comments]

[Neely] A practical demonstration of what can happen when you have time and aren't in a hurry to find flaws. The 364 inmates known to have exploited the flaw have had their accounts limited in an attempt to reduce further abuse. Since this is an active exploit, it is far more important to close the vulnerability in a timely fashion as other inmates are also likely aware of the needed techniques.

Read more in:

SC Magazine: Idaho inmates hack prison tablets, steal $225,000 in commissary credits

Wired: How a Group Of Imprisoned Hackers Introduced JPay to the World


--Font Packages Compromised with Cryptocurrency Miners

(July 26 & 27, 2018)

Hackers planted cryptomining software in several font packages used by an unidentified PDF editor. Microsoft detected the infection from Windows Defender ATP alerts.

Read more in:

The Register: Font of pwnage: Crims poison well with crypto-jacking code, trickles into PDF editor app

Bleeping Computer: Microsoft Discovers Supply Chain Attack at Unnamed Maker of PDF Software


--State Governments and Snail Mail Malware

(July 27, 2018)

Some US state and local governments have reported receiving snail mail letters containing compact disks (CDs) infected with malware. The letters appear to have come from China. Disks examined by the Multi-State Information Sharing and Analysis Center (MS-ISAC) appear to contain Mandarin language Microsoft Word files, some containing malicious Visual Basic scripts. 

[Editor Comments]

[Neely] This feels like a flashback to getting AOL CDs in the mail. Instead of distributing media in the parking lot, they are sending it directly to the desired recipient. Needless to say, the same hygiene applies to this media: don't insert media from unknown sources, let alone open the documents or install included software.

Read more in:

KrebsOnSecurity: State Govts. Warned of Malware-Laden CD Sent Via Snail Mail from China


--Houston Conducts Natural Disaster-Cyber Preparedness Exercise

(July 25, 2018)

The city of Houston, Texas, ran an emergency preparedness exercise involving both a natural disaster and a cyberattack. The exercise is designed to examine the challenges those incidents place on critical infrastructure, while assessing response capability, agency collaboration, communications interoperability, and military integration. Dubbed Jack Voltaic 2.0, the exercise ran from July 24-26.

[Editor Comments]

[Pescatore] SANS instructor Chris Crowley shares great lessons learned about dealing with IT and security response after Hurricane Katrina hit New Orleans. Very smart to do a combined physical/cyber incident drill; even just localized flooding or wildfire can break many playbooks that assume teams will be able to communicate with each other or use online tools.

Read more in:

Houston, TX: Houston Prepares for Critical Infrastructure Threats Involving Cyberattacks

Houston Public Media: Houston Tests Its Preparedness for A Cyberattack


--Auto-ISAC Members Workshop on Bug Disclosure Programs

(July 25, 2018)

Car makers are coming around to the idea of working with the security community to find vulnerabilities in their systems. On August 2, 2018, the Automotive Information Sharing and Analysis Center (Auto-ISAC) will host a workshop in Detroit, Michigan, to help car makers set up bug disclosure programs. HackerOne, an organization that helps set up bug bounty programs, will help run the workshop. 

Read more in:

Cyberscoop: Automotive companies are warming up to vulnerability disclosure programs

Auto-ISAC: HackerOne and Auto ISAC Members Only Workshop




DOSFuscation Campaign

Following the Money in Recent Sextortion Attack

Let's Encrypt Outage

PDF Editor Supply Chain Exploit


Malvertising Campaign Insides

Adware Distributed with Legitimate Applications



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.
