Last Day: Get a 10.2" iPad (32 G), Galaxy Tab A, or Take $250 Off with OnDemand Training

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #48

June 18, 2019

US Planted Malware on Russian Power Grid; Hacking Group Targeting US Power Grid


SANS NewsBites                June 18, 2019                Vol. 21, Num. 048



  US Planted Malware on Russian Power Grid

  XENOTIME Hacking Group is Targeting US Power Grid Networks



  DHS Agency Issues BlueKeep Alert, Says Flaw Affects Windows 2000

  The Exim Flaw is Being Actively Exploited; Microsoft Urges Patching

  Massive Data Breaches Have Undermined the Reliability of Online Identity Verification

  GAO Report on Airline IT Outages

  DOD Cybersecurity Standards Slated to Take Effect in January 2020

  Senators Ask FBI for Details About Alleged Russian Hack of Election Technology Company

  SymCrypt Cryptographic Library Bug

  US Legislators Approve Cyber Incident Response Teams Bill




-- SANS Network Security 2019 | Las Vegas, NV | September 9-16 |

-- SANS Cyber Defence Japan 2019 | July 1-13 |

-- SANS London July 2019 | July 8-13 |

-- SANS Rocky Mountain 2019 | Denver, CO | July 15-20 |

-- SANS San Francisco Summer 2019 | July 22-27 |

-- Pen Test Hackfest Europe 2019 | Berlin, DE | July 22-28 |

-- DFIR Summit & Training 2019 | Austin, TX | July 25-August 1 |

-- Supply Chain Cybersecurity Summit 2019 | Arlington, VA | August 12-19 |

-- SANS Tokyo Autumn 2019 | September 30-October 12 |

-- SANS OnDemand and vLive Training

Get an iPad, Samsung Galaxy Tab A, or Take $250 off through June 26 with OnDemand or vLive training.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast -

-- Evening training 2x per week for 6 weeks with vLive |

-- Anywhere, Anytime access for 4 months with OnDemand format |

Single Course Training

-- Single Course Training

SANS Mentor |

Community SANS |


-- View the full SANS course catalog and Cyber Security Skills Roadmap

********************** Sponsored By AWS Marketplace *************************

Building an Endpoint Security Strategy in AWS.  SANS analyst Thomas Banasik identifies the top challenges businesses face when migrating to the cloud.  He also explains key elements of a defense-in-depth architecture to create a readily deployable, fully integrated endpoint security strategy. Live webcast: June 27, 2 PM EST.




--US Planted Malware on Russian Power Grid

(June 15 & 17, 2019)

Current and former US government officials say that US intelligence has placed malware in Russia's electric power grid. While some support the increasingly aggressive cyber efforts, others are concerned that they could escalate tensions between the countries. The administration will not say what actions have been taken, but the authority to take them was granted to US Cyber Command last year.

[Editor Comments]

[Paller] As early as the late 1980s, an FSB agent who defected to the United States told his handlers, "Had my comrades not been able to penetrate computers running American power systems they would have been seen to have been incompetent." Power systems have 30-40 year lives. This is a long-term fight.

[Henry] Whether or not this story is accurate, the risks faced by escalation of cyber attacks are broad, wide, and catastrophic. This issue requires nation-to-nation discussions, norms, and treaties, similar to nuclear proliferation, to determine acceptable behavior. A failure to address this matter in a formalized way will result in increasingly dangerous and destructive activity.

[Murray] It would border on the irresponsible not to do this. It is clearly irresponsible to talk about it.  

[Northcutt] The first link, the NY Times story, is the source for all of the news stories on the topic I could find. If that story is not accurate, none of the derivative stories are accurate. For me, the story does not pass the smell test. It breaks down as:

1) We are scared the Russians would do this to us.

2) Now we are doing this to the Russians.

3) We are scared to tell THE PRESIDENT OF THE UNITED STATES what we are doing.

NOTE: the operative word in clause 1 and 3 is "we are scared". Also, keep in mind the Times prides themselves on telling stories adapted to what they believe people are looking for:

Read more in:

NYT: U.S. Escalates Online Attacks on Russia's Power Grid

SC Magazine: U.S. defense, intel ramp up efforts to insert malware in Russia's grid


--XENOTIME Hacking Group is Targeting US Power Grid Networks

(June 14 & 17, 2019)

The same hacking group that used the TRISIS malware to launch a cyberattack against a Saudi Arabian petrochemical plant in 2017 are believed to have been infiltrating power grid networks in the US and countries in the Asia-Pacific region. ICS security firm Dragos, which calls the group XENOTIME, says that the hackers began scanning the networks late last year. The activity marks a shift for the group from targeting oil and gas companies to targeting electric power companies.  

Read more in:

Dragos: Threat Proliferation in ICS Cybersecurity: XENOTIME Now Targeting Electric Sector, in Addition to Oil and Gas

Dark Reading: Triton Attackers Seen Scanning US Power Grid Networks

Dark Reading: Utilities, Nations Need Better Plan Against Critical Infrastructure Attackers

Cyberscoop: The group behind Trisis has expanded its targeting to the U.S. electric sector

Wired: The Highly Dangerous 'Triton' Hackers Have Probed the US Grid

Threatpost: TRISIS Group, Known for Physical Destruction, Targets U.S. Electric Companies


****************************  SPONSORED LINKS  ******************************

1) Don't miss "How To Increase MITRE ATT&CK Coverage with Network Traffic Analysis" with Chris Crowley. Register:

2) Keynotes announced for the inaugural SANS Supply Chain Cybersecurity Summit in Washington, DC. Summit Agenda:

3) SURVEY: How do your threat hunting efforts stack up with your peers? Take the SANS 2019 Threat Hunting Survey--and enter to win a $400 Amazon gift card!




--DHS Agency Issues BlueKeep Alert, Says Flaw Affects Windows 2000

(June 17, 2019)

The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has added its voice to the growing list of advisories urging Windows users to apply patches for the BlueKeep Remote Desktop Protocol vulnerability. CISA's alert notes that it has determined that the BlueKeep issue also affects Windows 2000.

Read more in:

Dark Reading: DHS Tests Remote Exploit for BlueKeep RDP Vulnerability

Bleeping Computer: U.S. Govt Achieves BlueKeep Remote Code Execution, Issues Alert

US-CERT: Microsoft Operating Systems BlueKeep Vulnerability


--The Exim Flaw is Being Actively Exploited; Microsoft Urges Patching

(June 14 & 17, 2019)

A flaw in the Exim mail transfer agent (MTA) is being actively exploited to place cryptominers on vulnerable devices. The issue affects some Microsoft Azure customers and the company is urging them to patch the flaw against the spreading malware. Users should update to Exim version 4.92. Exim runs on more than half of all email servers worldwide.

[Editor Comments]

[Neely] This Exim flaw, CVE-2019-10149, was initially downplayed as there was no evidence of active exploitation. This is no longer the case. A patch was released for prior versions of Exim; the best fix is to update to version 4.92. For Azure-hosted Exim systems, Microsoft has implemented restrictions on mail flow within Azure to limit the spread of this worm, and published some guidance you could implement to mitigate risk, which includes updating.

Read more in:

blogs.technet: Prevent the impact of a Linux worm by updating Exim (CVE-2019-10149)

Threatpost: Microsoft Pushes Azure Users to Patch Linux Systems

Threatpost: Millions of Linux Servers Under Worm Attack Via Exim Flaw

Bleeping Computer: Microsoft Warns about Worm Attacking Exim Servers on Azure

DUO: Linux Worm Hits Unpatched Exim Servers


--Massive Data Breaches Have Undermined the Reliability of Online Identity Verification

(June 14 & 17, 2019)

A report from the US Government Accountability Office (GAO) says that large data breaches like the 2015 breach at the Office of Personnel Management and the 2017 Equifax breach have undermined online identity authentication processes. Prior to the Equifax breach, federal agencies used consumer reporting agencies (CRAs) to verify users' identities. Now that so much information has been compromised, the method is no longer reliable. GAO conducted the study because it "was asked to review federal agencies' remote identity proofing practices in light of the recent Equifax breach and the potential for fraud." While 2017 guidance from the National Institute of Standards and Technology (NIST) basically prohibits agencies from using knowledge-based verification schemes for "sensitive applications," some agencies have not moved away from knowledge-based identity verification, noting that barriers include costs "and implementation challenges for certain segments of the public."

[Editor Comments]

[Pescatore] The report ignores the root problem: the US Government has consistently shied away from issuing any form of strong online credentials for US citizens. The lack of this top level "root" identity authority has meant that private industry efforts to move away from reusable passwords to some form of strong authentication have been fragmented and slow. For example, if some form of government digital ID was required for the 1 billion tax returns filed online since 2013, the penetration of strong authentication in overall online commerce would be exponentially higher than what we see today, and phishing and credential stuffing would be way less successful.

[Neely] I'm reminded of conversations 28 years ago about issuing digital certificates to the entire US populace. At that time the ROI was not understood. It's time to dust off that discussion and find effective ways to issue a strongly vetted credential.

Read more in:

FCW: Your personal data is too public for agencies to verify

ZDNet: Equifax breach impacted the online ID verification process at many US govt agencies

GAO: Federal Agencies Need to Strengthen Online Identity Verification Processes

NIST: NIST Special Publication 800-63A: Digital Identity Guidelines (2017)


--GAO Report on Airline IT Outages

(June 14, 2019)

The US Government Accountability Office's (GAO's) "Information on Airline IT Outages" report examined 34 incidents between 2015 and 2017. Of those, 29 caused flights to be delayed or cancelled. GAO found that the "number of delays or cancellations resulting from these outages was on par with or worse than those caused by severe weather in the same months the outages occurred." Airlines are not legally required to report IT outages. Even if an IT outage is the root cause, there are often multiple causes for delays and cancellation; reports on affected flights are likely to cite aircraft arriving late or National Aviation System issues.

Read more in:

Nextgov: Airline IT Failures Happening With Alarming Frequency, Little Government Oversight

GAO: Information on Airline IT Outages


--DOD Cybersecurity Standards Slated to Take Effect in January 2020

(June 14 & 17, 2019)

At a Professional Services Council Federal Acquisition Conference last week (June 13), a DOD official, Katie Arrington, special assistant to the assistant secretary of Defense acquisition for cyber, announced plans for DOD contractor cybersecurity standards, known as Cybersecurity Maturity Model Certification. The standards will have five security tiers; and the requirement will be stated in solicitations. The standards will combine NIST guidance with input from the private sector and academia. Contractors will be audited by third-party private sector companies. The standards are expected to be implemented in January 2020.

[Editor Comments]

[Neely] The plan is to make security as important as cost, schedule, and performance in the acquisition process. Transforming security to an allowable cost, rather than an unfunded mandate, has to potential facilitate or even accelerate adoption of these new standards.

Read more in:

FedScoop: DOD unveils plans for contractor cybersecurity standards

FNN: Why DoD's decision to make cybersecurity an 'allowable cost' matters

Fifth Domain: The new way security factors into acquisitions


--Senators Ask FBI for Details About Alleged Russian Hack of Election Technology Company

(June 13 & 14, 2019)

US Senators Amy Klobuchar (D-Minnesota) and Ron Wyden (D-Oregon) have asked the FBI what they are doing about an alleged breach of a Florida-based election technology vendor prior to the 2016 election. The Mueller Report "describes how Kremlin-backed spies installed malware on the network of an unnamed company that 'developed software used by numerous U.S. counties to manage voter rolls.'" While the report does not identify the company, Florida-based VR Systems has come forward to say it believes it is the unnamed company referenced in the report. In a letter, the legislators ask what steps the FBI has taken in its investigation of VR Systems.

Read more in:

Fifth Domain: Senators question FBI on Russian hack of voting firm

Nextgov: Senators Question FBI's Response to 2016 Russian Hack of Florida Election Tech

Wyden: Letter to FBI Director Wray


--SymCrypt Cryptographic Library Bug

(June 12, 2019)

Google's Project Zero has disclosed the presence of a flaw in the SymCrypt cryptographic library that is used by newer versions of the operating system. The bug could create a denial-of-service condition. Microsoft was notified about the flaw earlier this year, but has not yet released a fix. Project Zero's policy is to allow companies 90 days after notification to address a vulnerability, after which Project Zero will disclose the issue.

[Editor Comments]

[Neely] The library is used in the Windows 8 and newer OS for implementing symmetric cryptography. The flaw puts the system into an infinite loop, which can prevent the system from completing the key verification process. The flaw can be triggered by a specially crafted X.509 certificate which is likely undetectable by corporate security measures.

Read more in:

GovInfoSecurity: Google Researcher Details Windows Cryptographic Library Bug

SC Magazine: Unpatched bug in Windows SymCrypt library could cause DoS condition, warns researcher


--US Legislators Approve Cyber Incident Response Teams Bill

(June 11, 2019)

The US House of Representatives has passed the DHS Cyber Incident Response Teams Act would create permanent cyber incident teams to help federal agencies and organizations in the private sector contain damage and restore networks when their systems come under attack. The teams would be housed at DHS under the Cybersecurity and Infrastructure Security Agency's (CISA's) National Cybersecurity and Communications Integration Center (NCCIC).

[Editor Comments]

[Pescatore] Commenting on draft legislation is like commenting on baseball at bats: three times out of four nothing happens, but: the language in this bill is way wider than incident response. It essentially says DHS should hire (or use private industry personnel) to do a wide range of security services that hundreds of commercial security consulting firms already do and then report "robust metrics" to Congress each year. There would not be much visible difference to the overall level of security anywhere whether the bill passes or just fades away. I'd rather see legislation and funding aimed at Steve Bellovin and Adam Shostack's idea of a "Cyber Incident Response Board" modelled after the National Transportation Safety Board teams that investigate plan/train/bus crashes.

Read more in:

Nextgov: DHS Cyber Incident Response Team Gets House Approval

Fifth Domain: Congress wants to create 'cyber first responders'

Congress: H.R.1158 - DHS Cyber Incident Response Teams Act of 2019



An Infection from the Rig Exploit Kit

Encrypted EMail Phishing

Android Apps Link to Fake Sites

Precomputed Hash Tables

Whats App Phishing (in German)

Logitech Pointer Recall (in German)

TCP SACK Panic DoS in Linux



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Michael Assante was Vice President and Chief Security Officer at NERC, led a key control systems group at Idaho National Labs, and was American Electric Power's CSO. He now leads the global cyber skills development program at SANS for power, oil & gas and other critical infrastructure industries.

Mark Weatherford is Chief Cybersecurity Strategist at vArmour and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He leads SANS' efforts to raise the bar in cybersecurity education around the world.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS operations manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit