Last Day: Get a 10.2" iPad (32 G), Galaxy Tab A, or Take $250 Off with OnDemand Training

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #43

May 31, 2019

EternalBlue Accountability; WordPress Flaw Actively Exploited (Again)


SANS NewsBites                 May 31, 2019                Vol. 21, Num. 043




  EternalBlue: Accountability and Responsibility

  Known WordPress Flaw is Being Actively Exploited



  Digital Watermarks to Fight "Deepfakes"  

  GCHQ's Ghost User Proposal Meets with Opposition

  Docker Race Condition Vulnerability

  Prison Term for Selling Encrypted Phones to Criminals

  Gatekeeper Bypass Flaw in macOS X

  GitHub Acquires Dependabot to Help with Automated Updates

  New Chrome Extension Policies Aim to Improve Security

  Correction: Available Fixes for BlueKeep RDP Flaw (CVE-2019-0708)



*************************  Sponsored By  Sentryo  ***************************

ICYMI: "Not sure that you need OT Cybersecurity? A Sentryo Assessment can quickly provide the data and guidance that you need." with Tim Conway, Michael Thompson, Bob Foley and Fayce Dair. Register:



-- SANSFIRE 2019 | Washington, DC | June 15-22 |

-- Security Operations Summit 2019 | New Orleans, LA | June 24-July 1 |

-- SANS Cyber Defence Canberra 2019 | June 24-July 13 |

-- SANS Cyber Defence Japan 2019 | July 1-13 |

-- SANS London July 2019 | July 8-13 |

-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 |

-- SANS San Francisco Summer 2019 | July 22-27 |

-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 |

-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 |

-- SANS OnDemand and vLive Training

Get an iPad Mini, ASUS Chromebook Flip, or Take $250 off through June 12 with OnDemand or vLive training.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast -

-- Evening training 2x per week for 6 weeks with vLive |

-- Anywhere, Anytime access for 4 months with OnDemand format |

Single Course Training

-- Single Course Training

SANS Mentor |

Community SANS |


-- View the full SANS course catalog and Cyber Security Skills Roadmap




--EternalBlue: Accountability and Responsibility

(May 30, 2019)

The ransomware known as EternalBlue that has caused so many problems for the city of Baltimore was powered by an NSA hacking tool that was stolen and posted to the Internet. Senior NSA cybersecurity advisor Rob Joyce said that the city had ample time to bolster its cyber defenses against what has been a known threat with a patch available for more than two years. Some security experts agree with Joyce, while others say that the NSA's cybertool development needs more oversight. As the Axios article points out, the two are not mutually exclusive.

[Editor Comments]

[Henry] (Disclaimer - the conference Joyce spoke at was hosted by my employer.) I think there's truth to both points here. First, the exploit has been well-known for two years, and leaving systems unpatched after the fix was released is a serious violation of cybersecurity 101. Secondly, and perhaps more importantly, there need to be serious discussions about how nations and intelligence services globally define the norms by which network exploitation occurs. The fragility of the infrastructure and the effect on critical municipal and human services will have wide-ranging impact going forward. The deployment of tools which exploit and/or damage that infrastructure needs to be evaluated, government to government, in international forums to define the redlines of acceptability and create clear rules of engagement.

[Murray] This tool has permanently contaminated "cyberspace." It makes the environment in which we must all work more hostile than it needed to be. Because the environment cannot be de-contaminated, we must all patch the vulnerability that it exploits. NSA must take some responsibility for the secure use of its tools, its "methods."  

[Neely] Assigning accountability for EternalBlue doesn't offset the need for active cyber hygiene. As learned with Baltimore, and Equifax, etc. unmitigated vulnerabilities will be exploited. Also, when tools like EternalBlue are used against our adversaries, they learn from that to develop equivalent capabilities, possibly making containment of that capability untenable.  

Read more in:

Nextgov: NSA Deflects Blame for Baltimore Ransomware Attack

Axios: NSA's rogue hacking tool sparks debate


--Known WordPress Flaw is Being Actively Exploited

(May 29, 2019)

Hackers are actively exploiting a known vulnerability in a WordPress plugin to display malicious pop-ups and redirect site visitors to malicious websites. A fix for the cross-site scripting flaw in WP Live Chat Support was released two weeks ago.

[Editor Comments]

[Paller] The most often exploited, dangerous, and damaging packages employed on websites are content management systems, and WordPress (WP) seems to appear most often in discussions of content management systems that are putting your data and users at risk. Using a web site developer who relies on WP and does not have documented, tested controls in place to protect your data and users against the WP flaws is likely to be considered the definition of negligence at some point in the near future.

Read more in:

Ars Technica: Hackers actively exploit WordPress plugin flaw to send visitors to bad sites

****************************  SPONSORED LINKS  ******************************

1) ICYMI: "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" get it here:

2) Don't Miss "Lessons From the Front Lines of AppSec: Analysis of real-world attacks from 2019 and best practices for dealing with them" Register:

3) Today's reality is that a security breach is not a matter of IF, but a matter of WHEN. Register for "How SOC Superheroes Win"




--Digital Watermarks to Fight "Deepfakes"  

(May 28, 2019)

Researchers at New York University's (NYU's) Tandon School of Engineering are developing technology to detect altered photographs known as "deepfakes," which are often used to spread disinformation. The researchers propose an "approach [that] aims to exploit neural imaging processors" to place watermarks in the code of photos; the watermarks could be checked by forensic analysts for indicators of alteration.    

[Editor Comments]

[Pescatore, Murray, Neely] Digital signatures and watermarks require an end-to-end infrastructure to make authentication and integrity verification possible without giving a false sense of security. Today, support for such services at the transport level is starting to happen as standards like DMARC and DNSSEC increase penetration but having reliable and secure watermarking on the device level is not realistic any time soon.

Read more in:

Arxiv: Neural Imaging Pipelines - the Scourge or Hope of Forensics?

Wired: To Fight Deepfakes, Researchers Built a Smarter Camera


--GCHQ's Ghost User Proposal Meets with Opposition

(May 22 & 30, 2019)

In an open letter to Britain's GCHQ, a group of civil society organizations, tech companies and trade associations, and security and policy experts has made clear that they are opposed to the intelligence agency's "ghost user" plan, which would "silently add... a law enforcement participant to a group chat or call." The letter is a response to a proposal published late last year. While the letter supports the overall proposal's principles, it notes that not only would such a plan "undermine the GCHQ principles on user trust and transparency set forth in the" proposal, but it would also pose added security risks.

Read more in:

newamericadotorg: Open Letter to GCHQ

The Register: We ain't afraid of no 'ghost user': Infosec world tells GCHQ to GTFO over privacy-busting proposals

ZDNet: Apple and WhatsApp fight proposal to let spies tap encrypted comms


--Docker Race Condition Vulnerability

(May 28, 29, & 30, 2019)

An unpatched race condition in all versions of Docker software could be exploited to gain read-write access to the host file system. The flaw, a time of check to time of use (TOCTOU) condition is not remotely exploitable.

[Editor Comments]

[Murray] "TOCTOU" (somewhat more descriptive than "race condition") means relying upon a checked but unbound condition (e.g. length or content of a field, address), one which might have been altered after the check but before the reliance or use. It is a vulnerability in multi-user systems that many developers are not trained on or aware of.  

Read more in:

Seclists: CVE-2018-15664: docker (all versions) is vulnerable to a symlink-race attack

The Register: Contain yourself, Docker: Race-condition bug puts host machines at risk... sometimes, ish

SC Magazine: Docker race condition flaw could grant attackers root access to host file system

Dark Reading: Docker Vulnerability Opens Servers to Container Code

GovInfoSecurity: Researcher Describes Docker Vulnerability

Duo: Docker Bug Allows Root Access to Host File System


--Prison Term for Selling Encrypted Phones to Criminals

(May 28 & 29, 2019)

Vincent Ramos, the CEO of a company that sold encrypted BlackBerry phones to criminals has been sentenced to nine years in prison. For more than 10 years, Phantom Secure knowingly sold PGP-encrypted BlackBerrys to criminal groups in the US, Mexico, and Australia. The phones allowed the criminals to encrypt their communications and remotely wipe the devices if they were seized by authorities.  

[Editor Comments]

[Pescatore] This is a pretty clear-cut case of a company and CEO purposely targeting and supporting illegal use of their products, not just selling secure products that bad guys happened to use. It doesn't set any precedent that will impact legitimate vendors of secure technology who follow standard "know your customer" norms.

Read more in:

ZDNet: CEO who sold encrypted phones to criminal gangs gets nine years in prison

Justice: Chief Executive of Communications Company Sentenced to Prison for Providing Encryption Services and Devices to Criminal Organizations


--Gatekeeper Bypass Flaw in macOS X

(May 28 & 29, 2019)

A vulnerability in Apple's macOS Gatekeeper feature could be exploited to execute arbitrary code. The Gatekeeper security feature aims to prevent untrusted apps from running; it requires apps to have valid signatures; users can also choose settings to allow only apps from the official app store to run. There is currently no fix available for the vulnerability.

[Editor Comments]

[Neely] Disabling automount,the prime mitigation, should be assessed for impact prior to implementing across the enterprise. Gatekeeper should not be the only threat mitigation on Mac Endpoints.

Read more in:

Threatpost: Gatekeeper Bug in MacOS Mojave Allows Malware to Execute

Duo: Researcher Finds Mac Gatekeeper Bypass

SC Magazine: Bypass vulnerability in MacOS X GateKeeper


 --GitHub Acquires Dependabot to Help with Automated Updates

(May 23 & 29, 2019)

Within a week of acquiring Dependabot, GitHub has put the tool to work to "monitor... dependencies for known security vulnerabilities and automatically open pull requests to update them to the minimum required version." The feature is currently in beta.

Read more in:

Duo: GitHub Brings Automated Fixes with Dependabot

The Register: GitHub slurps open-source bug zapping automator Dependabot, chucks cash at devs


--New Chrome Extension Policies Aim to Improve Security

(May 30, 2019)

Google has introduced new security policies for Chrome extensions. The extensions will be permitted to access only data that are necessary to implement the extension's features. Google is also expanding the requirement for the extensions to have privacy policies; previously, extensions that use personal and sensitive data had to have a posted security policy and manage the information securely. Now the requirement also applies to "extensions that handle user-provided content and personal communications." Google has also introduced new security and privacy rules for the Google Drive API and third-party apps.   

[Editor Comments]

[Pescatore] I'm going to wait for Google to produce data to see if this has any meaningful difference. Strategies that reduce 98% of the problem often just mean the bad guys focus on the openings that still enable the 2% - which is still a big number when there are 180,000 extensions in use. Plus, posting security policies doesn't improve anything unless Google Play is actively testing to make sure those policies are being enforced.

[Neely] Adding capabilities to keep extensions operating within limits aligns with Google's aims to raise the assurance around browsing with improved controls at the browser. Even so, it's a good idea to keep an eye on deployed extensions, enabling only those that are needed, and uninstalling those no longer used. If possible, limit installation to approved extensions only.

Read more in:

Wired: Google is Finally Making Chrome Extensions More Secure

ZDNet: Google takes a stance against permission-grabbing Chrome extensions

Google: Update on Project Strobe: New policies for Chrome and Drive

CNET: Google holds firm on Chrome changes that may break ad blockers


 --Correction: Available Fixes for BlueKeep RDP Flaw (CVE-2019-0708)

(May 31, 2019)

In the Tuesday's edition of NewsBites, we indicated that a patch for the BlueKeep Windows Remote Desktop Protocol vulnerability was available for Vista. There is currently no official Microsoft patch for the RDP flaw for Vista; we apologize for the error.




Office Document And Base64 Encoded PowerShell Script

Behavioural Malware Analysis With Microsoft Attack Surface Analyzer

Analyzing Shell Code with scdbg

Enumeration of BlueKeep Vulnerable Hosts

Exposed Docker Containers Uses for Cryptocoin Mining

DHCP Client Vulnerability Analysis

Office File Deleting Phishing Emails

Docker Symlink Race Attack

Nansh0u Campaign Using Signed Rootkit

GitHub Automating Security Patches

Mozilla Objecting to Web Packaging


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit