Interactive Courses + Cyber Defense NetWars Available During SANS Scottsdale: Virtual Edition 2021. Save $300 thru 1/27.

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #88

November 9, 2018



SANS NewsBites               November 6, 2018               Vol. 20, Num. 88



  Apache Struts Commons-FileUpload Flaw

  Cisco Security Advisories

  Apples Adds T2 Chip to More Computers


  Thieves Are Abusing USPS Mail Scanning Service

  US Cyber Command Now Posting Malware Samples to VirusTotal

  Google Gives Android Developers Update API

  DJI Fixes Drone Security Flaw

  Symantec: Lazarus Groups FASTCash ATM Hacks

  BCMUPnP_Hunter Botnet Designed to Send Spam 

  Police in Netherlands Seize IronChat Encryption Server, Decrypt Messages

  Solid-State Drive Encryption Flaws

  IARPA RFI: Securing Physical Sites

  Windows 10 Update Problems





-- Cyber Defense Initiative 2018 | Washington, DC | December 11-18 |

-- SANS Security East 2019 | New Orleans, LA | February 2-9 |

-- SANS San Francisco Fall 2018 | November 26-December 1 |

-- Tactical Detection & Data Analytics Summit & Training | Scottsdale, AZ | December 4-11 |

-- SANS Amsterdam January 2019 | January 14-19 |

-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 21-28 |

-- SANS London February 2019 | February 11-16 |

-- SANS Secure Japan 2019 | Tokyo, Japan | February 18-March 2 |

-- SANS Secure Singapore 2019 | March 11-23 |

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Best Offer of the Year: Get the ALL NEW 12.9" iPad Pro, or an HP ProBook 450 G5, or Take $400 Off with OnDemand and vLive Training. Offer Ends November 14.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast

-- Evening training 2x per week for 6 weeks with vLive |

-- Anywhere, Anytime access for 4 months with OnDemand format |

Single Course Training

-- Single Course Training

SANS Mentor |

Community SANS |


-- View the full SANS course catalog and Cyber Security Skills Roadmap

***************************  Sponsored By    ************************************



--Apache Struts Commons-FileUpload Flaw

(November 5, 6, & 7, 2018)

The Apache Struts framework development team is alerting users to a critical flaw affecting Struts 2.3.36 and earlier that could be exploited to take control of vulnerable systems. The issue lies in a commons-fileupload vulnerability. The issue has been present since 2016. The SANS Internet Storm Center (ISC) notes that users will need to swap out the commons-fileupload library manually, and that the library could also be present elsewhere, as its use goes beyond just Struts.

[Editor Comments]

[Ullrich] Yet another example of how important it is to track dependencies. You will see numerous vendors announcing patches for this in the next weeks/months. Cisco just released a list of software distributed by Cisco that uses Struts 5.2 and includes the vulnerable component. The tricky part here is not that Struts 5.2 is vulnerable, but a component that ships with Struts 5.2.

[Murray] Not Apache Struts but commons-fileupload. Apache Struts will be easy to fix compared to a user even knowing about any other exposure to commons-fileupload.  

Read more in:

Apache: Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior

ISC: Struts 2.3 Vulnerable to Two Year old File Upload Flaw

Threatpost: Apache Struts Warns Users of Two-Year-Old Vulnerability

SC Magazine: Apache Struts vulnerability would allow system take over

Cyberscoop: Apache alerts developers of remote code execution flaw


 --Cisco Security Advisories

(November 8, 2018)

On Wednesday, November 7, Cisco released 17 security advisories warning of security issues in multiple products. Three of the vulnerabilities are rated critical; fixes are available for two of them, and Cisco has a recommended workaround for the third, a privileged access flaw affecting seven models of Cicsos Small Business Switches. The other two critical flaws are an authentication bypass issue in Stealthwatch Management Console of Cisco Stealthwatch Enterprise and a remote shell command execution bug in Unity Express. A fourth Cisco advisory warns of the vulnerability in Apache Struts commons-fileupload library; the advisory carries a critical rating but it is not clear which if any Cisco products are affected. Cisco also acknowledged that it inadvertently included dormant exploit code for the Dirty CoW vulnerability in Cisco Expressway Series and Cisco TelePresence Video Communication Server (VCS) shipped software images.   

[Editor Comments]

[Ullrich] This update contains one informational bulletin that is noteworthy not because of the severity of the vulnerability, but because it may indicate some substantial shortcomings in Ciscos QA process -- leaving behind debug and testing tools on production equipment, including exploits.

Read more in:

SC Magazine: Cisco fixes two critical bugs, recommends workaround for a third

Threatpost: Cisco Accidentally Released Dirty Cow Exploit Code in Software

The Register: Oops: Cisco accidentally released in-house Dirty COW exploit attack code with software installer

Cisco: Cisco Security Advisories and Alerts


--Apples Adds T2 Chip to More Computers

(November 8, 2018)

Apple is now using T2 security chips in its new MacBook Air and Mac Mini. The chip was first introduced in 2017 in the iMac Pro, and has introduced in MacBook Pro laptops earlier this year. One of the chips newest features turns off the computers microphone when the lid is closed; this is meant to help prevent eavesdropping. 

[Editor Comments]

[Ullrich] Apple is using security and privacy more and more as a differentiator. The T2 chip substantially improves the security of the system against attackers with physical access to the system. On the other hand, Apple may also use this technology in the future to further lock down the platform, similar to what has been done with its mobile iOS devices. Some of the attacks prevented by the T2 chip will also hinder law enforcement, and governments may respond.


[Murray] To the extent that hardware isolated security functions reduce the attack surface of a system, they go a distance to addressing the so-called supply chain problem.


[Pescatore] Better hardware security is needed in all computing devices, and Apple is essentially catching up to the Trusted Platform Module chip in all modern Windows PCs that Windows 10 takes great advantage of. A few issues: (1) Apple has the T2 chip doing video and audio processing, in addition to the security functions -  this increases the surface area for attackers (and the complexity for testers), as Spectre and Meltdown on Intel chips showed. (2) There is no trusted certificate for Linux distributions, so for now you cant run Linux on a Mac with the T2 chip. Windows will run via Boot Camp, but not by default.

Read more in:

Threatpost: Apple Modernizes Its Hardware Security with T2

**************************  SPONSORED LINKS  *********************************




--Thieves Are Abusing USPS Mail Scanning Service

(November 8, 2018)

According to an internal alert from the US Secret Service, thieves have been abusing the US Postal Services (USPSs) Informed Delivery service to commit identity and credit card fraud. The service allows people to sign up online to receive scanned images of mail that has been delivered to their physical mailboxes. Brian Krebs warned that Informed Delivery was likely to be misused in this way if USPS did not strengthen security and make it easy for customers to opt out of the service.

[Editor Comments]

[Northcutt] Knowledge Based Authentication is snake oil. I just did one. The heavily favored answer is none of the above.

Read more in:

KrebsOnSecurity: U.S. Secret Service Warns ID Thieves are Abusing USPSs Mail Scanning Service


--US Cyber Command Now Posting Malware Samples to VirusTotal

(November 8, 2018)

The Cyber National Mission Force (CNMF), a subordinate unit of US Cyber Command (USCYBERCOM) has begun sharing malware samples on VirusTotal. In its  announcement, CNMF writes Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity.

Read more in:

Fifth Domain: How cyberspace makes the DoD think differently

ZDNet: US Cyber Command starts uploading foreign APT malware to VirusTotal

Cybercom: New CNMF initiative shares malware samples with cybersecurity industry


--Google Gives Android Developers Update API

(November 8, 2018)

Android developers now have an application programming interface (API) that will let them force, or at least remind, users to update their devices to the latest version of the app. The API is currently being tested with early access partners. (Scroll down to In-app Updates API in the Android developers blog.)

Read more in:

ZDNet: Android users now face forced app updates, thanks to Google's new dev tools

Android-Developers: Android Developers Blog: Unfolding right now at #AndroidDevSummit!


--DJI Fixes Drone Security Flaw

(November 8, 2018)

In March 2018, security firm Check Point reported a vulnerability to DJI through the companys bug bounty program. In September, the company fixed the flaw in its cloud infrastructure that could have been exploited to take over accounts and access their associated data. DJI established its bug bounty program after the US Army directed all personnel to stop using DJI drones and to uninstall all DJI software in August 2017 due to security concerns.

Read more in:

Check Point: The Spy Drone In Your Cloud

Wired: A DJI Bug Exposed Drone Photos and User Data

CNET: DJI fixes vulnerability that let potential hackers spy on drones

Bloomberg: Hackers Gain Access to Data Collected by Drones Giant


--Symantec: Lazarus Groups FASTCash ATM Hacks

(November 8, 2018)

Researchers at Symantec have discovered additional technical details about the malware used by the Lazarus Group (a.k.a. Hidden Cobra) to steal millions from ATMs around the world. US-CERT, the Department of Homeland Security, the Department of the Treasury, and the FBI issued a joint Technical Alert early last month regarding the groups ATM cash-out activity. The Lazarus Group is believed to have connections to North Korea.

[Editor Comments]

[Murray] I used to wonder where all the mules came from to carry these millions of dollars in twenty dollar bills. Turns out, they use pre-paid debit cards in lieu of currency.  

Read more in:

Symantec: FASTCash: How the Lazarus Group is Emptying Millions from ATMs

US-CERT: HIDDEN COBRAFASTCash Campaign (October 2, 2018)

SC Magazine: Lazarus FASTCash ATM attack details discovered

The Hill: North Korean hacker group poses 'serious threat to the banking sector,' security firm says

Cyberscoop: Symantec researchers dissect North Korean malware used in ATM attacks


--BCMUPnP_Hunter Botnet Designed to Send Spam

(November 7 & 8, 2018)

A botnet comprising at least 100,000 compromised routers could be used to send spam. The botnet spreads by exploiting a five-year-old vulnerability in the Broadcom Universal Plug and Play. The malware has infected more than 110 different device models.

[Editor Comments]

[Murray] While, in some enterprises, routers may be managed devices, in many cases they are simply appliances, not even counted, much less managed or patched. In any case, they are proving to be a significant vulnerability.  

Read more in:

Threatpost: Rapidly Growing Router Botnet Takes Advantage of 5-Year-Old Flaw

The Register: Spammer scum hack 100,000 home routers via UPnP vulns to craft email-flinging botnet

ZDNet: IoT botnet infects 100,000 routers to send Hotmail, Outlook, and Yahoo spam


--Police in Netherlands Seize IronChat Encryption Server, Decrypt Messages

(November 7, 2018)

Dutch police have decrypted more than 258,000 messages sent with the IronChat encryption app on BlackBox smartphones. According to a statement released by law enforcement, the breakthrough came during an investigation into a money-laundering scheme. Police appear to have seized a server that contained the encryption keys.

[Editor Comments]

[Honan] A good example of why encryption itself is not a panacea to securing data as many times encryption is undermined by poor or insecure implementation of the supporting infrastructure. A timely reminder to for us to review how we manage and secure our own keys.

Read more in:

The Register: Dutch cops hope to cuff 'hundreds' of suspects after snatching server, snooping on 250,000+ encrypted chat texts

ZDNet: Dutch police snoop on criminal chats by intercepting encryption server

Ars Technica: Police decrypt 258,000 messages after breaking pricey IronChat crypto app

Politie: Police have achieved a breakthrough in the interception and decryption of crypto communication


--Solid-State Drive Encryption Flaws

(November 5 & 7, 2018)

Researchers at Radboud University in the Netherlands have discovered a pair of vulnerabilities affecting the hardware full-disk encryption mechanisms in some solid-state drives. The flaws could be exploited to bypass the encryption protection and access the data on the drives. The exploit requires direct physical access to the devices. The issues affect both internal and external devices. The flaws affect devices made by Samsung and Crucial. Researchers notified the companies of the flaws six months ago. Firmware patches for some of the affected devices are available.

[Editor Comments]

[Ullrich] This is particularly dangerous for users of Bitlocker. Bitlocker will default to hardware encryption if it recognizes it. Microsoft has provided guidance in how to switch to Bitlockers software encryption in these cases to avoid the problem. This flaw reminds me of some of the cheap encrypted USB drives that relied on client applications to send a signal to the drive to unlock the key, instead of properly encrypting the key with a secret derived from the users passphrase. See the article about Apples T2 chip above. The details released by Apple show how an encrypted drive should be done. Lets hope Apple implemented it all correctly.

Read more in:

MSRC: Guidance for configuring BitLocker to enforce software encryption

SC Magazine: Encryption flaws in solid state drives enable unauthorized data access

Bleeping Computer: Flaws in Popular SSD Drives Bypass Hardware Disk Encryption Radboud University researchers discover security flaws in widely used data storage devices


--IARPA RFI: Securing Physical Sites

(November 6, 2018)

The Intelligence Agency Research Projects Activity (IARPA) has issued a Request for Information (RFI) seeking ideas for highly innovative approaches to securing Sensitive Compartmented Information Facilities (SCIFs), sites where government officials can meet to discuss highly sensitive information. The RFI describes three principal areas of interest: protecting SCIFs from unintended radio frequency (RF), optical, magnetic, or acoustic transmissions; new approaches and technologies for monitor[ing] and detect[ing] surveillance attacks against existing and future SCIFs; and detect[ing] and secur[ing] the operation of wireless devices and networks near and within sensitive areas and prevent[ing] the unauthorized entry and operation of a variety of portable electronic devices. Interested entities have until December 31, 2018, to respond.

Read more in:

Fedscoop: Intelligence agency wants new tech to safeguard future SCIFs from foreign surveillance

FBO: RFI for Securing the SCIF of the Future

--Windows 10 Update Problems

(November 8, 2018)

Additional reports of problems with Microsoft Update servers are surfacing. Some users are reporting being downgraded from Pro to Home.

[Editor Comments]

[Northcutt] Here is an earlier link with suggested workarounds:

Read more in:

Forbes: Microsoft Warns Windows 10 Has An Expensive Problem

PC World: If your Windows 10 PC says it's having activation problems today, here's why



China Telecom's Internet Traffic Misdirection

Android Security Updates; Last for Nexus

PoC Facetime Exploit

Vulnerability in U-Boot Bootloader       

VirtualBox 0-Day Guest Escape Exploit Released

WooCommerce/Wordpress Bug Leads to RCE

Bing Advertises Fake Version of Notepad2

Jacksonville BSides

Cisco Security Bulletins

Ruby Deserialization

Ouch Newsletter: Am I Hacked?

Jonathan Sweeny: Smart Contract Botnets


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit