
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #34

April 30, 2019

Huawei Backdoors Confirmed; Maersk Lessons Learned from NotPetya; Greenville Recovering from Ransomware; Cleveland Airport Malware







  Huawei Backdoors Confirmed in Vodafone Documents

  Maersk Head of Security on Lessons Learned from NotPetya

  Greenville, North Carolina, Recovering from Ransomware

  Cleveland Airport Malware Update



  What Other Countries Are Doing to Help Prevent SIM Swap Attacks

  BIND Patches

  P2P Software Flaws Put IoT Devices at Risk

  The Value in Naming and Shaming State Cyber Attackers

  Wireless Carrier Lobby Opposes California Bill That Would Ban Throttling First Responder Service During Emergencies

  US Dept. Of Labor Adding IT Asset Security Assessment Tool to its CDM Dashboard

  OMB's New Federal Shared Services Policy

  Another Day, Another WordPress Plug-in Vulnerability

  Docker Hub Database Breach

  FBI Developing Relationships with Private Sector to Improve Critical Infrastructure Security





-- SANS Security West 2019 | San Diego, CA | May 9-16

-- SANSFIRE 2019 | Washington, DC | June 15-22

-- SANS Amsterdam May 2019 | May 20-25

-- SANS San Antonio 2019 | May 28-June 2

-- SANS London June 2019 | June 3-8

-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10

-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1

-- SANS Cyber Defence Canberra 2019 | June 24-July 13

-- SANS Cyber Defence Japan 2019 | July 1-13

-- SANS OnDemand and vLive Training

Get an iPad Mini, Surface Go, or Take $300 Off your OnDemand or vLive course. Offer ends May 1.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast

-- Evening training 2x per week for 6 weeks with vLive

-- Anywhere, Anytime access for 4 months with OnDemand format

-- Single Course Training

SANS Mentor

Community SANS

-- View the full SANS course catalog and Cyber Security Skills Roadmap

*************************  Sponsored By Yubico  ******************************

Imagine a world where users no longer need to set, forget and reset multiple passwords. Passwords are known as the weakest link for enterprise security and the #1 IT support cost. The world is about to change with the introduction of passwordless authentication.   Download the whitepaper to learn how.




--Huawei Backdoors Confirmed in Vodafone Documents

(April 30, 2019)

Vodafone Group Plc has acknowledged that it found vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier's Italian business. While Vodafone says the issues were resolved, the revelation may further damage the reputation of a major symbol of China's global technology prowess. This is the first time such serious Huawei security issues have been made public.

[Editor Comments]

[Neely] Couple the security issues with the counterintelligence concerns over Huawei to augment your risk assessment on using Huawei in the enterprise.

Read more in:

Bloomberg: Vodafone Found Hidden Backdoors in Huawei Equipment


--Maersk Head of Security on Lessons Learned from NotPetya

(April 29, 2019)

In late June 2017, international shipping container company Moller-Maersk was hit with the NotPetya malware. Speaking in a keynote session at CYBER UK 19, Maersk's head of cybersecurity compliance said he was stunned by "the sheer ferocity and the speed and scale of the attack and the impact it had." He said that the attack was a reminder that companies can become unintended victims, and that while it is important to protect systems and networks, companies also need to ensure that they have a solid recovery plan in place.

[Editor Comments]

[Pescatore] The quote to highlight to your management is that the $300M impact to Maersk "...served as a wakeup call that not all cyberattacks are targeted and that organizations can find themselves the unintended victims of these events - businesses shouldn't approach their cyber defenses as if hackers will specifically target them because in some attacks you could simply end up as collateral damage." Short version: First get to basic security hygiene, then worry about advanced targeted attacks!!


[Murray] Management should update its plans in the light of the experience of Saudi Aramco, Sony, and Maersk. That said, the current default access control rule of "read/write," instead of "least privilege," leaves the enterprise much more vulnerable to these attacks than necessary.  


Read more in:

ZDNet: Ransomware: The key lesson Maersk learned from battling the NotPetya attack


--Greenville, North Carolina, Recovering from Ransomware

(April 26, 2019)

The city of Greenville, North Carolina is in the process of recovering from a ransomware attack that infected its systems on April 10. Officials say the city's website is operational again and that some employees have email. The city said it never planned to pay the ransom. IT staff is reimaging all of the city's computers.

[Editor Comments]

[Neely] Kudos to Greenville for not paying the ransom and taking the needed steps to recover their systems. Their challenge will be implementing technical and administrative controls to prevent recurrence. Beyond increased user awareness training (UAT), enabling attachment checking and suspect URL mangling help the user when they click anyway. While it's not clear that labelling external emails and adding warnings about clicking links in them is effective in the long run, implementing this in the short term could help the UAT succeed.


Read more in:

SC Magazine: Greenville in recovery phase from Robbinhood ransomware attack

WNCT: City of Greenville bouncing back from ransomware attack


--Cleveland Airport Malware Update

(April 29, 2019)

Flight and baggage information monitors are once again operational at Cleveland's Hopkins International Airport. Last week, city officials said that the problems were not caused by ransomware. At a press conference on Monday, April 29, Cleveland's Chief Information Officer said that the malware that infected computers at the airport was indeed ransomware. Airport officials did not respond to the ransom demands. The FBI is investigating.

Read more in:

Cleveland: Cleveland acknowledges for first time Hopkins airport hack involved ransomware

WKYC: Flight screens working again at Cleveland Hopkins Airport after going dark amid malware discovery

****************************  SPONSORED LINKS  ******************************

1) Don't miss "Gaining a Decisive Advantage Through Terrain Based Cyber Defense" Register:

2) Attend the inaugural SANS Enterprise Defense Summit in Redondo Beach, CA June 3-4.

3) Visit the SANS Reading Room, and check out the Latest 25 Papers Added.




--What Other Countries Are Doing to Help Prevent SIM Swap Attacks

(April 26, 2019)

SIM swapping attacks are increasing. Thieves who convince mobile carriers to change the SIM card associated with a certain mobile phone number can then use that number to change passwords and access accounts. Mozambique, Nigeria, Kenya, South Africa, Australia, and the UK allow banks to query mobile carriers for recent SIM swapping and prevent fund transfers if a swap has occurred recently. US mobile carriers do not seem to be as eager to share that information with financial institutions.

[Editor Comments]

[Neely] SIM Swapping underscores the risks of SMS based two-factor authentication. Allowing the banks to access SIM swap data in the US is going to be a function of demand and financial motivation, and where present, is another layer of security for consumers. In the interim, when given a choice, don't select SMS based multi-factor options.


[Northcutt] Ask not what your country can do for you, ask what you can do for your account . . . and that starts with putting a PIN on it:

Read more in:

Wired: The SIM Swap Fix That The US Isn't Using


--BIND Patches

(April 26, 2019)

The Internet Systems Consortium has released updates to fix three vulnerabilities in Berkeley Internet Name Domain (BIND) software. The first vulnerability stems from ineffective code intended to limit the number of TCP clients connected at the same time. It is remotely exploitable and could be used to create denial of service conditions. The other two vulnerabilities could also be used to cause denial of service conditions.

Read more in:

SC Magazine: ICS patches three vulnerabilities in BIND


--P2P Software Flaws Put IoT Devices at Risk

(April 26 & 29, 2019)

Millions of Internet of Things (IoT) devices are vulnerable to hijacking because of two vulnerabilities in the iLnkP2P peer-to-peer (P2P) software component. The first vulnerability is an enumeration flaw that allows attackers to discover what's online; the second can be exploited to intercept traffic between users and their devices. iLnkP2P, developed in China, is used in millions of security cameras, webcams, baby monitors, smart doorbells, and DVRs. The software was designed to allow device owners to easily access their devices over the Internet. The devices require no authentication and do not use encryption. There is currently no fix available.

[Editor Comments]

[Ullrich] A lot of home users rely on their routers/firewalls to protect them, but these devices typically only prevent inbound attacks. The iLnkP2P protocol does provide access to cameras behind NAT and uses the camera's guessable serial number as "address". You are still protected by the camera's username and password if you bothered to set a strong one, but even then, the username and password are sent in the clear which may expose it to a MitM. But for a random "scanning" attack, a username and password should help until the usual authentication bypass vulnerability is found.

Read more in:

ZDNet: Over two million IoT devices vulnerable because of P2P component flaws

KrebsOnSecurity: P2P Weakness Exposes Millions of IoT Devices

Threatpost: 2 Million IoT Devices Vulnerable to Complete Takeover


--The Value in Naming and Shaming State Cyber Attackers

(April 26, 2019)

Speaking on a panel at the CYBERUK 19 conference, intelligence experts from the Five Eyes countries (Australia, New Zealand, Canada, the UK, and the US) talked about the value of attributing cyberattacks to nation states. Senior security advisor for the US's National Security Agency (NSA) Rob Joyce said that "We won't get international norms without being able to speak that truth."

[Editor Comments]

[Pescatore] Of course, transparency in attribution is a two-way street. Will these (and other) countries identify themselves as sources of cyberattacks, when malware such as Stuxnet is released?


Read more in:

ZDNet: Naming and shaming nations that launch cyberattacks does work, say intel chiefs


--Wireless Carrier Lobby Opposes California Bill That Would Ban Throttling First Responder Service During Emergencies

(April 25, 2019)

A lobbying group that represents the wireless carrier industry is opposed to a proposed California law that would prohibit throttling service for first responders and public safety organizations during emergencies. The group maintains that as written, the law is too vague and should only take effect if the governor or the president of the US declares an emergency, not if a local government declares one.

Read more in:

Ars Technica: Wireless carriers fight ban on throttling firefighters during emergencies


--US Dept. Of Labor Adding IT Asset Security Assessment Tool to its CDM Dashboard

(April 26, 2019)

The US Department of Labor is adding an algorithm to its CDM (Continuous Diagnostics and Mitigation) dashboard to assess the security of its IT assets. The tool, Agency-Wide Adaptive Risk Enumeration (AWARE), will have a soft roll-out to all agencies on October 1, 2019. AWARE tracks vulnerabilities and misconfigurations, giving them more weight as they remain unaddressed over time.

[Editor Comments]

[Pescatore] AWARE is a well-thought-out approach to risk scoring, building on what the State Department had done with iPost and Department of Justice with Security Posture Dashboard and Reporting, using an approach that integrates and mirrors the Common Vulnerability Scoring Standard. It is vulnerability focused - more modern risk scoring should include and heavily weight "compromise assessment" - i.e., use of internal active threat hunting to determine if the system has already been compromised even if vulnerabilities are currently not present.

[Neely] CDM training includes AWARE scoring and solution providers are already incorporating AWARE related components into their offerings. A big challenge with continuous monitoring is incorporating external mitigations and accepted risk into the scoring process. As a system's AWARE score increases, at some point, there needs to be a technical consequence, such as blocking internet access or removal from the network altogether, to not only protect other assets from these risky systems but also reinforce actually remediating the deficiencies.


Read more in:

Fedscoop: This agency is preparing to score its cyber risk with a new algorithm
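The summary above describes the mechanism in one sentence (findings gain weight the longer they stay unaddressed), and the editor comments add two practical requirements: accepted risk and external mitigations must be reflected in the score, and a rising score should eventually trigger a technical consequence. The following is an added illustration of that kind of age-weighted scoring, not the Department of Labor's or the CDM program's actual AWARE algorithm (the article does not give it); the weighting formula, field names, thresholds and the sample findings are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

# Added illustration of age-weighted risk scoring in the spirit of the AWARE
# description above. The weighting formula, field names, thresholds and the
# sample findings are assumptions constructed for this example; they are not
# the Department of Labor's or the CDM program's real AWARE algorithm.


@dataclass
class Finding:
    asset: str
    finding_id: str            # constructed label; in practice a CVE id or config check name
    base_severity: float       # 0.0-10.0, CVSS-style base score
    first_seen: date           # when the scanner first reported it
    accepted_risk: bool = False      # formally accepted by the system owner (documented)
    mitigation_factor: float = 1.0   # external mitigation credit: 1.0 = none, 0.5 = halves exposure


def age_weight(days_open: int, grace_days: int = 30, step_days: int = 30,
               max_multiplier: float = 4.0) -> float:
    """Multiplier that grows once a finding outlives its grace period.

    Within the grace period the weight is 1.0; after that it rises by 0.5 for
    every started `step_days` window, capped at `max_multiplier` so a single
    ancient finding cannot dominate the score forever.
    """
    if days_open <= grace_days:
        return 1.0
    overdue_steps = (days_open - grace_days) // step_days + 1
    return min(1.0 + 0.5 * overdue_steps, max_multiplier)


def finding_score(finding: Finding, today: date) -> float:
    """Score one finding; accepted risk contributes nothing, mitigations discount it."""
    if finding.accepted_risk:
        return 0.0
    days_open = (today - finding.first_seen).days
    return finding.base_severity * age_weight(days_open) * finding.mitigation_factor


def asset_scores(findings: list, today: date) -> dict:
    """Aggregate per-asset scores (sum of the asset's open finding scores)."""
    scores: dict = {}
    for f in findings:
        scores[f.asset] = scores.get(f.asset, 0.0) + finding_score(f, today)
    return scores


def consequence(score: float, warn_at: float = 20.0, quarantine_at: float = 40.0) -> str:
    """Technical consequence tier for an asset score (thresholds are assumptions)."""
    if score >= quarantine_at:
        return "quarantine"       # e.g. block internet access or remove from the network
    if score >= warn_at:
        return "warn"             # escalate to the system owner
    return "ok"


def demo() -> dict:
    """Run the scoring over constructed findings as of 2019-04-30."""
    today = date(2019, 4, 30)
    findings = [
        Finding("web01", "VULN-A", 9.5, date(2019, 1, 15)),                        # 105 days open
        Finding("web01", "CFG-B", 5.0, date(2019, 4, 20)),                         # 10 days open
        Finding("db01", "VULN-A", 9.5, date(2019, 1, 15), mitigation_factor=0.5),  # behind a compensating control
        Finding("db01", "VULN-C", 7.5, date(2019, 3, 1), accepted_risk=True),      # documented accepted risk
        Finding("app01", "VULN-D", 8.0, date(2018, 10, 1)),                        # 211 days open, hits the cap
        Finding("app01", "CFG-E", 4.0, date(2019, 2, 1)),                          # 88 days open
    ]
    scores = asset_scores(findings, today)
    return {asset: (score, consequence(score)) for asset, score in scores.items()}


if __name__ == "__main__":
    for asset, (score, action) in demo().items():
        print(f"{asset}: score={score:.2f} action={action}")
```

Running it shows the two effects the comments ask for: db01 carries the same critical finding as web01 but scores far lower because of the mitigation credit and the accepted-risk entry, while app01's old findings cross the quarantine threshold purely through age.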


--OMB's New Federal Shared Services Policy

(April 26, 2019)

Federal CIO Suzette Kent said that the US Office of Management and Budget's (OMB's) new federal shared services policy is "a fundamental change in our operating model for how we deliver common services across the Federal government." The policy establishes lead agencies, called Quality Service Management Offices (QSMOs) for business support areas. The four initial areas include Cybersecurity Services, for which the Department of Homeland Security will serve as QSMO.

Read more in:

Fedscoop: OMB issues a new model for federal shared services

Nextgov: Exclusive: What OMB's New Shared Services Policy Will Mean for Modernization

Nextgov: What Agencies Get From Taking Leadership Roles In New Shared Services Regime

MeriTalk: OMB's New Shared Services Memo: A User's Guide

MeriTalk: OMB's New Approach on Shared Services Limits Acquisitions, Emphasizes Standards

White House: Memorandum for Heads of Executive Departments and Agencies


--Another Day, Another WordPress Plug-in Vulnerability

(April 26 & 29, 2019)

An arbitrary file upload vulnerability in the WooCommerce Checkout Manager WordPress plug-in could be exploited to execute malicious code. The issue has been fixed in version 4.3. Researchers from Sucuri said that they had detected some attempted exploits for the flaw in the wild. They also noted "that this vulnerability was left unpatched for weeks." The WooCommerce Checkout Manager plug-in extends the WooCommerce plug-in; the two have separate owners.

Read more in:

Sucuri: Insufficient Privilege Validation in WooCommerce Checkout Manager

Threatpost: Users Urged to Disable WordPress Plugin After Unpatched Flaw Disclosed


--Docker Hub Database Breach

(April 26, 27, & 29, 2019)

Following a breach of the Docker Hub database, owners of 190,000 Docker accounts are being forced to change their passwords. They will also need to verify that their container images have not been compromised.

[Editor Comments]

[Ullrich] Note that authentication tokens for services like Github were leaked as well. Docker invalidated them as soon as they found the problem, but there is a chance that these credentials were used before Docker became aware of the incident.

[Murray] Every time one hears "change passwords," one should think "one-time passwords." When one hears "verify content," one should think content management systems, e.g., Tripwire. These should be anticipatory and early rather than remedial and late.


Read more in:

Dark Reading: Docker Forces Password Reset for 190,000 Accounts After Breach

Motherboard: Hackers Breached a Programming Tool Used By Big Tech and Stole Private Keys and Tokens

ZDNet: Docker Hub hack exposed data of 190,000 users

Bleeping Computer: Docker Hub Database Hack Exposes Sensitive Data of 190K Users

Threatpost: Docker Hub Hack Affects 190K Accounts
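The item above tells affected users to verify that their images have not been compromised, and Murray's comment points at the tool class that makes this possible: a content baseline taken before the incident, Tripwire-style. The following is an added example of such a baseline check in Python; it is not Tripwire's or Docker's code, and the directory layout, file contents and the simulated drift are constructed for the demo.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Added example of a minimal file-integrity baseline, the "verify content"
# check Murray's comment points at (Tripwire-style). This is not Tripwire's or
# Docker's code; the directory layout and sample files are constructed here.


def sha256_file(path: Path, chunk_size: int = 1 << 16) -> str:
    """Stream a file through SHA-256 so large artefacts do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():   # hash real files, not links to them
            manifest[path.relative_to(root).as_posix()] = sha256_file(path)
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Report paths added, removed or modified relative to the baseline."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def save_manifest(manifest: dict, path: Path) -> None:
    # The baseline must be stored where the monitored system cannot rewrite it.
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Baseline a constructed tree, tamper with it, and return the drift report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "image"
        (root / "bin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "bin" / "app").write_bytes(b"#!/bin/sh\necho hello\n")
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "motd").write_text("welcome\n")

        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_path)

        # Simulated drift after the baseline was taken: one edit, one new
        # binary, one deletion.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "bin" / "helper").write_bytes(b"\x7fELF placeholder bytes")
        (root / "etc" / "motd").unlink()

        return compare_manifests(load_manifest(baseline_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The value of the check depends entirely on the baseline predating the incident and being stored out of reach of whoever could tamper with the content, which is the "anticipatory and early" point in the comment: a manifest taken after the breach only tells you what changed from an already-unknown state.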


--FBI Developing Relationships with Private Sector to Improve Critical Infrastructure Security

(April 29, 2019)

Ninety-five percent of US critical infrastructure is managed by private companies. Therefore, the government has an interest in making sure that those private entities know how to manage cybersecurity threats. To that end, the FBI is developing relationships with private industry because the sooner the FBI knows about attacks, the sooner the perpetrator can be identified and hopefully blocked from doing the same thing again. The FBI is reaching out, letting companies know how to understand the threats and how to respond. Some of the companies are hesitant, particularly government contractors, because they are concerned their reputations will suffer.

Read more in:

FNN: FBI building relationships with private sector to improve cybersecurity responses



WebLogic Update

Docker Hub Breach

Windows 10 Users Not Applying October Update

iFrame "Ransom Support" Attacks

iLnkP2P Allows Access to Millions of Security Cameras



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit