SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume XXI - Issue #13

February 15, 2019

US Air Force Counterintelligence Agent Indicted for Espionage; What Will Russia's Internet Disconnect Look Like?






  Former US Air Force Counterintelligence Agent Indicted on Espionage Charges

  What Will Russia's Internet Disconnect Look Like?


  Two People Charged in Connection with DDoS Attacks and Bomb Threats

  Google Experimenting With Solutions to Mixed Content Loading Issue

  The Android Upgrade Lag

  Patch Available for runc Vulnerability

  Mojave Flaw Lets Apps Access Safari Browsing Histories

  Bank of Valletta Takes Itself Offline After Detecting Attempted Theft

  Christopher Krebs Tells Legislators That Voting Machines Need Paper Trails

  Microsoft's Patch Tuesday

  Adobe's Patch Tuesday

  VFEmail US Data Wiped in Attack

  Siemens Releases 16 Security Advisories

  CISOs Under Increasing Pressure (Survey)





-- SANS 2019 | Orlando, FL | April 1-8

-- SANS Baltimore Spring 2019 | March 2-9

-- SANS London March 2019 | March 11-16

-- SANS San Francisco Spring 2019 | March 11-16

-- SANS Secure Singapore 2019 | March 11-23

-- SANS Munich March 2019 | March 18-23

-- SANS Secure Canberra 2019 | March 18-23

-- ICS Security Summit & Training 2019 | Orlando, FL | March 18-25

-- Blue Team Summit & Training 2019 | Louisville, KY | April 11-18

-- SANS OnDemand and vLive Training

The SANS Training you want with the flexibility you need.

Get a GIAC Certification Attempt Included or take $350 Off your OnDemand or vLive course. Offer ends February 20.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast

-- Evening training 2x per week for 6 weeks with vLive

-- Anywhere, Anytime access for 4 months with OnDemand format

-- Single Course Training

SANS Mentor

Community SANS


-- View the full SANS course catalog and Cyber Security Skills Roadmap

***************************  Sponsored By SANS  ****************************

New Blog Post: Traditional network controls are blind to commonly deployed attacks. It's time to rethink network security. Read more here:




--Former US Air Force Counterintelligence Agent Indicted on Espionage Charges

(February 13 & 14, 2019)

A federal grand jury has indicted a former US military intelligence officer for conspiracy to deliver and delivering national defense information to representatives of the Iranian government. Monica Elfriede Witt served as an intelligence specialist and counterintelligence agent in the US Air Force. Witt served in the Air Force from 1997-2008, and worked as a military contractor until 2010. She defected to Iran in 2013. The indictment also charges four Iranian nationals with conspiracy, attempts to commit computer intrusion and aggravated identity theft. Witt allegedly helped Iranian hackers target some of her former colleagues. All five individuals remain at large.

[Editor Comments]

[Williams]  The most significant takeaway involves the simple tradecraft used by the Iranian government directed hackers. For instance, the attackers ask the victim to disable antivirus before opening an attachment. The indictment also shows that cat phishing (pretending to seek a relationship as a phishing pretext) is being actively used by APT (advanced persistent threat) groups. Many organizations I work with today resist including cat phishing examples in their security awareness training because they fear complaints from employees who may be offended. This leaves employees susceptible to the technique, which has been used by multiple APT groups. Security practitioners can use this indictment to change that attitude in your organization.

[Honan] The indictment provides examples of how nation state attackers target individuals. What is striking is how unsophisticated many of these attempts are; they highlight the value of basic hygiene for cybersecurity and the importance of implementing controls such as those outlined in the CIS Critical Security Controls for Effective Cyber Defense.

Read more in:

Justice: Former U.S. Counterintelligence Agent Charged With Espionage on Behalf of Iran; Four Iranians Charged With a Cyber Campaign Targeting Her Former Colleagues

Dark Reading: Ex-US Intel Officer Charged with Helping Iran Target Her Former Colleagues

Wired: US Air Force Defector Allegedly Helped Iran Hack Americans

The Hill: Former Air Force intelligence specialist charged with spying for Iran

Nextgov: DOJ Indicts Former Intel Officer For Helping Iran Hack Her Colleagues

Cyberscoop: Former Air Force intelligence officer charged with espionage

The Register: US counterintelligence agent helped Iran lob cyber-bombs at America, say Uncle Sam's lawyers


--What Will Russia's Internet Disconnect Look Like?

(February 12, 2019)

Russia reportedly intends to test its ability to disconnect from the rest of the Internet. Experts say there is no way to be certain what effects it will have. Websites could lose functionality or break altogether if they depend on servers outside of Russia. Some countries may also route traffic through Russia and would therefore feel the effect. The disconnect test is being conducted to comply with a new law that requires Russian Internet providers to demonstrate the independence of Russia's Internet.

Read more in:

Wired: What Happens If Russia Cuts Itself Off From the Internet

****************************  SPONSORED LINKS  ******************************

1) SURVEY: Are you involved with operational technology and ICS? SANS wants to hear from you! Take 10 minutes to complete the State of OT/ICS Cybersecurity Survey and enter to win a $400 Amazon gift card.

2) What does it take to establish a successful security operations program? Take the 2019 SANS SOC Survey and enter for a chance to win a $400 Amazon gift card.

3) The 14th Annual ICS Security Summit & Training is the event to attend in 2019 to better understand attacks that target industrial control systems and how to best protect your organization.




--Two People Charged in Connection with DDoS Attacks and Bomb Threats

(February 14, 2019)

Federal authorities in the US have arrested Timothy Dalton Vaughn in connection with distributed denial-of-service (DDoS) attacks and false threats of violence against schools, Los Angeles International Airport, and other targets during the first half of 2018. Vaughn and another individual, George Duke-Cohan, were indicted by a federal grand jury in California. Duke-Cohan is already serving a sentence in the UK for making a hoax threat against an airplane.

Read more in:

KrebsOnSecurity: Bomb Threat Hoaxer Exposed by Hacked Gaming Site

The Register: US man and Brit teen convict indicted over school bomb threat spree

Cyberscoop: Two hackers charged for DDoS attacks, threats to LAX

Justice: Members of Hacker Collective Face Federal Charges for Attacking Computer Systems, Emailing Mass Hoax Bomb and Shooting Threats

Document Cloud: Indictment


--Google Experimenting With Solutions to Mixed Content Loading Issue

(February 14, 2019)

Google is running an experiment to determine how best to address mixed content loading issues. Mixed content loading occurs when a user visits a site that is delivered over HTTPS but that contains elements delivered over HTTP. Mixed content browser errors can prevent users from accessing some pages entirely. Google hypothesizes that most of the content delivered over HTTP on HTTPS sites is either available over HTTPS, and can be transparently upgraded, or doesn't impact the user experience. The experiment aims to determine how feasible it would be to auto-upgrade all or a subset of mixed content.

[Editor Comments]

[Neely] Mixed content often results from sites which have updated to HTTPS while still containing some links hard coded to HTTP, typically images. Google's approach should be an improvement over current behavior of browsers when accessing mixed content sites where content is not displayed and most users don't understand what the security warnings mean.
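To make the experiment concrete, here is an added Python example (not Google's or Chromium's code) that audits a page for mixed content the way a site owner might before relying on browser auto-upgrade. It lists every HTTP subresource referenced from an HTTPS page, separates active content (scripts, stylesheets, frames, objects), which browsers block, from passive content such as images, which browsers merely warn about, and shows the https:// URL an auto-upgrade would try. The sample HTML and hostnames are constructed; whether an upgraded URL actually serves the same resource is not checked here (the script runs offline), so a real audit would fetch each candidate and compare.

```python
"""Mixed-content audit: find http:// subresources on an HTTPS page and show
what a scheme upgrade would rewrite them to.

Added example, not code from Google or Chromium. The sample page below is
constructed; hostnames under example.test are placeholders.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit, urlunsplit

# Tag -> attribute that carries the subresource URL. <a href> is navigation,
# not a subresource, so it never counts as mixed content.
URL_ATTRS = {
    "img": "src", "script": "src", "iframe": "src", "audio": "src",
    "video": "src", "source": "src", "link": "href", "object": "data",
}
# Browsers block "active" mixed content (anything that can run code or restyle
# the page) and only warn on "passive" content such as images and media.
ACTIVE_TAGS = {"script", "iframe", "link", "object"}


class MixedContentScanner(HTMLParser):
    """Collects (tag, url, kind) for every http:// subresource reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        # Protocol-relative URLs ("//host/x") inherit the page scheme; urlsplit
        # reports an empty scheme for them, so they are correctly not flagged.
        if url and urlsplit(url).scheme.lower() == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((tag, url, kind))


def scan(html):
    """Return the list of mixed-content findings for an HTTPS page's HTML."""
    parser = MixedContentScanner()
    parser.feed(html)
    return parser.findings


def upgrade(url):
    """The https:// form of an http:// URL (what an auto-upgrade would request).
    Any other URL is returned unchanged."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "http":
        return url
    return urlunsplit(("https",) + tuple(parts[1:]))


def report(html):
    """Per finding: tag, original URL, active/passive, and the upgrade candidate."""
    return [(tag, url, kind, upgrade(url)) for tag, url, kind in scan(html)]


# Constructed sample: an HTTPS page with one blocked stylesheet, one warned
# image, one blocked iframe, plus references that are NOT mixed content.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<img src="//img.example.test/hero.png">
<a href="http://example.test/page">a navigation link, not a subresource</a>
<iframe src="http://widget.example.test/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url, kind, candidate in report(SAMPLE_PAGE):
        print(f"{kind:7} <{tag}> {url} -> try {candidate}")
```

Run against the sample, the script flags the stylesheet and iframe as active (blocked today) and the logo image as passive (warned today); the https:// script, the protocol-relative image and the anchor are left alone. Feeding a site's own templates through `scan` is a quick way to find the hard-coded HTTP image links the comment above describes before a browser's behaviour changes underneath you.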

Read more in:

Google: Auto Upgrade Mixed Content

ZDNet: Google is running an auto-update-to-HTTPS experiment in Chrome


--The Android Upgrade Lag

(February 14, 2019)

Computerworld Contributing Editor JR Raphael looks at upgrade delivery times for Android device manufacturers. Raphael calculated a grade for each manufacturer based on the length of time it took for the upgrade to reach the current flagship, the length of time it took for the upgrade to reach the previous-generation flagship, and communication. Unsurprisingly, Google is the only manufacturer to receive a grade of A. OnePlus received a grade of C, and all other manufacturers received failing grades. In the second link below, Raphael discusses why Android upgrades matter, noting that new Android versions almost always contain significant under-the-hood improvements along with important security and privacy enhancements, and in the third link, Raphael talks with Computerworld Executive Editor Ken Mingis about these issues as well as why manufacturers do not appear to feel compelled to deliver the upgrades quickly.

[Editor Comments]

[Pescatore] I think this set of articles misses an important point: the yearly Android version changes have security patches mixed in with new functionality, purely cosmetic GUI changes and seemingly random "let's move the cheese" changes. Security patches should be where the focus on speed to update is measured, not how quickly everyone is forced to adopt Google's latest competitive UI moves. Imagine if in car operating systems, security patches came with new dashboard UI redesigns and to be secure you now also had to figure out you needed to swipe your turn stalk vs. push it up or down to get the turn signal to work.

[Neely] It is important to understand how the Android ecosystem works. When selecting an enterprise Android solution, it is necessary to understand the release process and device lifecycle. Note that lifecycle dates start from product release dates, not purchase dates. Google-manufactured devices are going to be the most compatible with the Google-produced Android OS and updates as that is where they are developed and tested first. In the past, not all Google devices had updates ported equally; Google has improved this. Third-party device manufacturers have to port and test the updates on their hardware before passing the update to mobile operators for testing and possible distribution to users. Depending on the product lifecycle, newer OS releases, such as Android 9, may never get ported. While purchasing unlocked devices allows for the potential application of updates without the mobile operator validation step, work with your device provider to understand exactly what to expect.

[Murray] From a security perspective, I have always preferred the Apple/iOS strategy to the Google/Android strategy. However, attacks against Android devices do not scale well or rapidly. While it is important to address vulnerabilities in some Android devices, it is not necessary for all devices and it is not as urgent as intuition might lead one to believe.  

Read more in:

Computerworld: Android Upgrade Report Card: Grading the manufacturers on Pie

Computerworld: Why Android upgrades absolutely matter

Computerworld: All about Android upgrades (and why they're late) | TECH(talk)


--Patch Available for runc Vulnerability

(February 12 & 14, 2019)

A flaw in the runc component used in multiple container technologies could be exploited to allow malware to escape a container and infect the host system. The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. A patch is available.

[Editor Comments]

[Ullrich] This vulnerability allows any containerized app in your Docker environment to gain root access on the host. It is exploitable; patching of this vulnerability should be expedited. While you are patching, also take a look at steps you can take to harden your Docker install. SELinux for example works to prevent exploitation of this vulnerability on default installs on some distributions. I believe we are seeing just the tip of the iceberg of Docker vulnerabilities. Too many organizations do not yet have solid configuration guides for containers but are just in the "we finally got it to work" phase of deployment.

Read more in:

Openwall: CVE-2019-5736: runc container breakout (all versions)

SC Magazine: Flaw in runC could allow malicious containers to infect host environment

Threatpost: Major Container Security Flaw Threatens Cascading Attacks


--Mojave Flaw Lets Apps Access Safari Browsing Histories

(February 11 & 13, 2019)

A flaw in macOS Mojave could be exploited to allow apps to access users' Safari browsing histories. The issue affects all versions of Mojave. The problem lies in the fact that there are no permission dialogs for apps in some Mojave folders. For the flaw to be exploited, a user would have to install and run a maliciously crafted app on their Mac.

Read more in:

Threatpost: Unpatched Apple macOS Hole Exposes Safari Browsing History

Bleeping Computer: Privacy Protection Bypass Flaw in macOS Gives Access to Browsing History


--Bank of Valletta Takes Itself Offline After Detecting Attempted Theft

(February 13, 2019)

Malta's Bank of Valletta (BOV) took its systems completely offline on Wednesday, February 13 after detecting an attempt to make fraudulent transfers of €13 million (US$14.7 million) to banks in other countries. The outage affected businesses that use BOV point-of-sale devices to process payment card transactions. A second Maltese financial institution, APS Bank, decided to suspend some services as a precaution. BOV's mobile app was functional as of Thursday morning, February 14.

Read more in:

Times of Malta: BOV goes dark after hackers go after €13m

The Register: Hackers KO Malta's Bank of Valletta in attempt to nick €13m


--Christopher Krebs Tells Legislators That Voting Machines Need Paper Trails

(February 13, 2019)

In testimony before the House Homeland Security Committee, Christopher Krebs, Director of the US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA), told members that electronic voting machines must provide paper receipts: "If you don't know what's happening and you can't check back across the system what's happening in the system, then you don't really have security." Currently, five US states (Louisiana, Georgia, South Carolina, New Jersey, and Delaware) use electronic voting machines that do not provide paper receipts.

[Editor Comments]

[Ullrich] Voting machine security is all about voter trust. The impact of voting machine insecurity isn't so much that votes are changed by attackers exploiting them, but the fact that voting machine insecurities lead voters to believe that votes are not tabulated accurately. Whatever can be done to improve trust and to create tamper-proof audit trails should help improve trust in the process.


Read more in:

Bloomberg: Trump Cyber Official Warns Voting Machines Need Paper Trails

The Hill: Lawmakers quiz officials on 2020 election security measures


--Microsoft's Patch Tuesday

(February 12, 2019)

On Tuesday, February 12, Microsoft released updates to address more than 70 security issues in a range of products; 20 of the flaws addressed are rated critical. The fixes include a patch for a privilege elevation flaw in Microsoft Exchange Server and one for an information disclosure flaw in Internet Explorer that is being actively exploited.

[Editor Comments]

[Murray] The rate of issuing patches overwhelms the ability of customers to appreciate their importance and make rational decisions about the risks of applying or not applying them.  

Read more in:

KrebsOnSecurity: Patch Tuesday, February 2019 Edition

Dark Reading: Microsoft, Adobe Both Close More Than 70 Security Issues

SC Magazine: 77 updates in Microsoft patch Tuesday

Bleeping Computer: Microsoft Patches PrivExchange Vulnerability in February Quarterly Updates

Threatpost: Microsoft Patches Zero-Day Browser Bug Under Active Attack

MSRC: Security Update Guide

MSRC: Release Notes: February 2019 Security Updates


--Adobe's Patch Tuesday

(February 12 & 13, 2019)

On Tuesday, February 12, Adobe released fixes for vulnerabilities in Acrobat, Reader, Flash, ColdFusion, and Creative Cloud. Forty-three of the vulnerabilities that affect Reader and Acrobat are rated critical.

[Editor Comments]

[Murray] Patching transfers the cost of quality from the provider to the consumer. Patching multiplies some part of the cost of quality by the number of customers.  

Read more in:

ZDNet: Adobe's massive patch update fixes critical Acrobat, Reader bugs

Bleeping Computer: Adobe Releases Security Fixes for Flash Player, ColdFusion, and More

Adobe: Security updates available for Adobe Acrobat and Reader | APSB19-07

Adobe: Security updates available for Flash Player | APSB19-06

Adobe: Security updates available for ColdFusion | APSB19-10

Adobe: Security updates available for Creative Cloud Desktop Application | APSB19-11


--VFEmail US Data Wiped in Attack

(February 12, 2019)

Attackers have launched a catastrophic attack against secure email provider VFEmail, wiping all primary and backup systems that contained data belonging to US users of the service. The VFEmail website now appears to be operational in the US and paid users can receive new messages, but their inboxes and archives are empty.  

[Editor Comments]

[Ullrich, Honan] Great case to show the REAL impact of badly designed disaster recovery procedures. Offline backups and regular testing of backups are a MUST. Backups are boring and may seem to be an easy area for cost savings, but backup quality can make or break your business. This isn't the first case (or the last) where a business failed because its backups failed.

[Williams] The owner of the company has revealed that the machines that were wiped did not have shared credentials and that the attackers must have used another vector to access the information. Assuming this is true and that there weren't unpatched Internet accessible services, this speaks to one of the normally downplayed issues with configuration management. Configuration management should ensure consistent configurations across your devices. This is great as long as the configurations being replicated are secure. But if those configurations introduce a vulnerability, that is then replicated across the environment.

[Neely] Are you prepared to restore service when not only your servers but your backups are destroyed? While the risk of occurrence of an event like this has been considered low in the past where backups were often kept off-line, with both servers and backups moving to online/cloud solutions the risk model changes. You should update your contingency plans accordingly.
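As an added example (not VFEmail's tooling, and not anything described in the linked articles), the following Python script runs the kind of restore drill the comments above call for: it records a SHA-256 manifest of a directory, archives it, restores the archive to a separate location, and checks every file against the manifest, reporting anything missing or altered. All paths and files are constructed in a temporary directory so it runs offline. In practice the manifest would be stored with the offline copy, separate from the live servers, and the drill scheduled, since a backup that has never been restored is unverified. Archive member paths are checked before extraction so that a tampered archive cannot write outside the restore directory.

```python
"""Backup restore drill: manifest -> archive -> restore elsewhere -> verify.

Added example, not VFEmail's tooling. Every path and file below is constructed
in a temporary directory so the drill runs offline and cleans up after itself.
"""
import hashlib
import os
import tarfile
import tempfile


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                manifest[rel] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def make_backup(root, archive_path):
    """Write a gzip'd tar of root; members are stored relative to root."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(root, arcname=".")


def restore_backup(archive_path, dest):
    """Extract the archive into dest, refusing members that would escape it
    (for instance a "../" path in a tampered archive)."""
    dest_real = os.path.realpath(dest)
    with tarfile.open(archive_path, "r:gz") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_real, member.name))
            if target != dest_real and not target.startswith(dest_real + os.sep):
                raise ValueError(f"refusing unsafe archive member: {member.name}")
        tar.extractall(dest_real)


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the pre-backup manifest.
    Returns (missing, corrupted): paths absent after restore, and paths whose
    content hash no longer matches."""
    current = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in current)
    corrupted = sorted(p for p in manifest
                       if p in current and current[p] != manifest[p])
    return missing, corrupted


def restore_drill(tamper=False):
    """Run the full drill on a constructed mail-store directory.
    With tamper=True one restored file is altered to show verification catching it.
    Returns the (missing, corrupted) lists from verify_restore."""
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "mailstore")
        os.makedirs(os.path.join(source, "inbox"))
        with open(os.path.join(source, "inbox", "1.eml"), "w") as fh:
            fh.write("Subject: constructed sample message\n")
        with open(os.path.join(source, "config.ini"), "w") as fh:
            fh.write("retention_days=30\n")

        manifest = build_manifest(source)  # keep this with the offline copy
        archive = os.path.join(work, "mailstore.tar.gz")
        make_backup(source, archive)

        restored = os.path.join(work, "restore-test")
        restore_backup(archive, restored)
        if tamper:
            with open(os.path.join(restored, "config.ini"), "w") as fh:
                fh.write("retention_days=0\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore ->", restore_drill())
    print("tampered file ->", restore_drill(tamper=True))
```

A clean drill returns two empty lists; the tampered run returns `config.ini` in the corrupted list. The point of the drill is the restore to a location other than the original: if the only copy of the manifest and the only test of the archive live on the same systems as the data, an attacker who wipes those systems takes the evidence of backup health with them.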

Read more in:

The Register: Ever used VFEmail? No? Well, chances are you never will now: Hackers wipe servers, backups in 'catastrophic' attack

Dark Reading: Devastating Cyberattack on Email Provider Destroys 18 Years of Data

KrebsOnSecurity: Email Provider VFEmail Suffers Catastrophic Hack

Threatpost: Attackers Completely Destroy VFEmail's Secure Mail Infrastructure


--Siemens Releases 16 Security Advisories

(February 12, 2019)

Among the 16 advisories Siemens released earlier this week is one that addresses three security issues in the WibuKey digital rights management (DRM) solution affecting its SICAM 230 process control system. The vulnerabilities have been given CVSS scores of 4.3, 9.3, and 10.0. SICAM 230 is used in a variety of industrial control system (ICS) applications.

Read more in:

Threatpost: Siemens Warns of Critical Remote-Code Execution ICS Flaw

Siemens: Search Security Advisories


--CISOs Under Increasing Pressure (Survey)

(February 14, 2019)

Nominet commissioned a survey of 408 CISOs in the UK and US, each overseeing the cyber security of a business with an average of just under 9,000 employees. They found, to no one's surprise, that stress is increasing for CISOs, with 17% resorting to medication or alcohol.

[Editor Comments]

[Northcutt] "60% of CISOs questioned admitted to having found malware on their infrastructure which had been there for an unknown period of time." The other 40% of CISOs still haven't found it; large organizations have to assume they are compromised and continue to try to find the infection.

Read more in:

Information Age: Cyber security professionals struggling to balance under increasing pressure

Dark Reading: High Stress Levels Impacting CISOs Physically, Mentally

Nominet: Major Global Study of Senior Cyber Security Professionals reveals increasing pressure, workload and budgetary deficits



Microsoft Patch Tuesday

Microsoft Exchange Server Patch (Errata for yesterday's podcast)

Adobe Updates

Ubuntu Linux snapd "dirty_sock" exploit

VFEMail Backup Failure

Managed Service Providers Targeted By Ransomware

Fake Updates Campaign Still Active in 2019

macOS Malware (Shlayer) Disables Gatekeeper

Cisco Network Assurance Engine Password Synchronization Issue

QNAP Malware

Bomb Threat Spammers Arrested

PDF includes SMB Link


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Eric Cornelius is Director of Critical Infrastructure and ICS at Cylance, and earlier served as deputy director and chief technical analyst for the Control Systems Security Program at the US Department of Homeland Security.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit