SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume XXI - Issue #81

October 15, 2019

Ransomware Targeting Canadians; DHS's CISA Requests Subpoena Powers

2019 Security Difference Makers Awards

Help the security community recognize unsung heroes of cybersecurity so that others can learn from their successes. Please nominate people and teams for the 2019 Security Difference Makers Awards. Winners/Recipients will be recognized on December 16 in Washington, DC. Send nominations to Deadline: October 18. Full details on how to nominate at






  Ransomware Targeting Canadian Businesses and Municipalities

  DHS's CISA Wants Administrative Subpoena Powers


  CrowdStrike Report: China's C919 Aircraft Components Copied from Manufacturers in Other Countries

  Pitney Bowes Suffers Cyberattack

  Eighth Pentagon Bug Bounty Program Finds 31 Vulnerabilities

  DCH Health Hospitals Open After Ransomware Attack

  IRS IT Specialist Allegedly Stole Identities, Made Fraudulent Charges

  HHS Seeks Rule Changes to Allow Hospitals to Donate Cybersecurity to Doctors

  France's Cybersecurity Agency Warns of Cyber Espionage Attacks

  West Virginia Mobile Voting App Hack May be Due to Univ. of Michigan Class









--Ransomware Targeting Canadian Businesses and Municipalities

(October 14, 2019)

A dental clinic in Toronto, Ontario, was hit with ransomware last week. The office was locked out of 19 of its 22 computers for at least a day; the clinic did not pay a ransom to regain access to its files; the dentist noted that they "were lucky... [because they] had a good backup." Several Canadian municipalities have also recently found their systems infected with ransomware.

[Editor Comments]

[Murray] Adequate backup to resist extortion attacks should not be a matter of "luck."


Read more in:

CBC: 'Definite uptick': Global wave of ransomware attacks hitting Canadian organizations


--DHS's CISA Wants Administrative Subpoena Powers

(October 9, 2019)

The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) wants the authority to issue administrative subpoenas to service providers to obtain contact information for owners of vulnerable systems and devices. CISA wants to contact these entities directly, and currently cannot always let businesses know about cyber threats because it is not always clear who owns vulnerable systems.

[Editor Comments]

[Pescatore] Administrative subpoenas have long been one of those "intrusiveness vs. security" conflict areas between citizens/business and law enforcement/intelligence. Using subpoenas instead of asking ISPs or cloud service providers to contact their customers about vulnerabilities seems like overkill - kinda like breaking down the door of an apartment vs. asking the landlord for information on the renter. Lawyers and courts will make the final decision.


[Neely] Efforts to provide information exchange and communication with the private sector need to be in place prior to attempting such contact. Without a relationship established ahead of time, the government's visit could be unwelcome and may not result in the desired improvement or partnership.

Read more in:

Tech Crunch: DHS cyber unit wants to subpoena ISPs to identify vulnerable systems

Cyberscoop: DHS asks Congress for subpoena authority to contact vulnerable asset owners





--CrowdStrike Report: China's C919 Aircraft Components Copied from Manufacturers in Other Countries

(October 14, 2019)

According to a report from CrowdStrike, China's new Comac C919 airplane appears to be an amalgam of components copied from other companies. A Chinese government-backed hacking group has been targeting aerospace companies for their intellectual property for nearly a decade. CrowdStrike said that one of China's goals was to be able to manufacture all the airplane parts within its own country.

Read more in:

CrowdStrike: Huge Fan of Your Work: How TURBINE PANDA and China's Top Spies Enabled Beijing to Cut Corners on the C919 Passenger Jet -- Part I

CrowdStrike: Intelligence Report: Huge Fan of Your Work: How Turbine Panda and China's Top Spies Enabled Beijing to Cut Corners on the C919 Passenger Jet

ZDNet: Building China's Comac C919 airplane involved a lot of hacking, report says

Dark Reading: Cyber Theft, Humint Helped China Cut Corners on Passenger Jet


--Pitney Bowes Suffers Cyberattack

(October 14, 2019)

Pitney Bowes, a US company that provides postage meters, says that some of its files were encrypted in a cyberattack. The attack "disrupted customer access" to the company's services.

[Editor Comments]

[Northcutt] PBI was my first share of stock: Christmas present when I was 14. (Still have it merrily DRIPPing away.) Noticed the 4% drop. It has since recovered, so Mr. Market doesn't seem to think it is too serious.


Read more in:

Maintenance.pb: System Update

The Register: Pitney Bowes: Can we be frank? Ransomware has borked our dead-tree post systems

SC Magazine: Malware takes down some Pitney Bowes systems


--Eighth Pentagon Bug Bounty Program Finds 31 Vulnerabilities

(October 14, 2019)

The US Department of Defense (DoD) has paid out nearly $34,000 for vulnerabilities found in its most recent bug bounty program, Hack the Proxy. This event allowed hackers to search for vulnerabilities in DoD proxies, VPNs, and virtual desktops. In all, hackers found 31 security flaws.

[Editor Comments]

[Murray] This program illustrates that the reservoir of undiscovered vulnerabilities is large; the risk cost of these vulnerabilities is orders of magnitude higher than their cost of discovery. Early discovery, as in "testing," is much more efficient than late.  


Read more in:

Fifth Domain: The latest Pentagon bug bounty revealed a critical vulnerability

MeriTalk: DoD Pays Out $33K To Proxy Bug Bounty Winners


--DCH Health Hospitals Open After Ransomware Attack

(October 11, 2019)

The Chief Operating Officer of DCH Health Systems says that all of its hospitals' services are open again, less than two weeks after their systems were encrypted in a ransomware attack. DCH Health has regained access to patient-related electronic systems; non-essential systems are still being restored. DCH Health paid the ransom but did not disclose the amount. The COO says DCH has cyber insurance.

Read more in:

GovTech: Hospital Operations Back to Normal After Paying Ransom


--IRS IT Specialist Allegedly Stole Identities, Made Fraudulent Charges

(October 10, 2019)

According to a recently unsealed complaint, an employee of the US Internal Revenue Service (IRS) allegedly used information obtained through their job to open fraudulent credit card accounts and charge nearly $70,000 over a two-year period. The employee works as an IT specialist for the IRS.

[Editor Comments]

[Pescatore] A good example of privilege abuse that should have been prevented with basic privilege minimization and management and could have been detected rapidly with widely available tools. The complaint doesn't say the suspect was a developer, but tools for anonymizing/obfuscating live data to use for software testing are also widely available.


[Neely] Insider threat mitigation requires monitoring and privilege management. As John says, monitoring for use of production data in development as well as independent code reviews provide visibility into potential abuses.

Read more in:

Quartz: An IRS employee stole identities and went on a 2-year spending spree

Document Cloud: Complaint: USA v. Zilevu


--HHS Seeks Rule Changes to Allow Hospitals to Donate Cybersecurity to Doctors

(October 9, 2019)

The US Department of Health and Human Services (HHS) is proposing changes to the Physician Self-Referral Law (known as the Stark Law) and the Federal Anti-Kickback Statute to allow hospitals to share cybersecurity software and services with physicians.

[Editor Comments]

[Neely] Today's cyber security risks outweigh the concerns that such sharing will limit competition. Providing secure mechanisms to exchange patient data with providers as well as secure mechanisms to communicate with patients is a problem worth solving - rather than having patients agree to receive PHI data in plain text email. Many smaller service providers don't have the staff or resources to monitor and implement protections commensurate with current threats and regulations.

[Murray] Under HIPAA as implemented, "Privacy" trumps efficient and effective healthcare. While that needs to be fixed, and while this legislation may be necessary, interested parties should read the referenced articles.  

Read more in:

HHS: HHS Proposes Stark Law and Anti-Kickback Statute Reforms to Support Value-Based and Coordinated Care

GovInfosecurity: HHS Proposes Allowing Cybersecurity Donations to Doctors


--France's Cybersecurity Agency Warns of Cyber Espionage Attacks

(October 7 & 8, 2019)

France's national cybersecurity agency, Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI), has issued an alert warning of cyberattacks that are targeting engineering companies and service providers. In its report, ANSSI notes that "attackers are compromising these enterprise networks in order to access data and eventually the networks of their clients."

[Editor Comments]

[Murray] These attacks enable "pre-positioning" of malware for exploitation in the event of future conflict - a particular problem in the electric power industry.


Read more in:

ZDNet: France warns of cyberattacks against service providers and engineering offices

cert.ssi: CERT-FR Threats and Incidents Report: Supply chain attacks: threats targeting service providers and design offices


--West Virginia Mobile Voting App Hack May be Due to Univ. of Michigan Class

(October 5 & 9, 2019)

The FBI is investigating an attempted attack against Voatz, the mobile voting app the state of West Virginia used to allow residents overseas to cast their ballots in the 2018 midterm elections. CNN is reporting that the hacking attempt, which was unsuccessful, may have been the work of a student or students taking an election security class at the University of Michigan.    

[Editor Comments]

[Neely] Required non-disclosure statements mean that analysts cannot be sure the system protected itself from the hack or if the attack was simply not sophisticated enough to succeed. Transparency of security assessments for electronic voting systems is necessary to provide for verifiable claims of security rather than reliance on published claims that appear to leverage current security measures.

[Murray] It is naive to expect students to understand or consider all the ethical implications of their activities. We have known since the days of the Dutch student hackers (who were defended by their faculty on the basis that their targets were all outside of the Netherlands) and Robert Tappan Morris (whose faculty should have known what he was up to), indeed since Socrates, that faculty are responsible for the ethics of their students' academic activities.   

Read more in:

Quartz: The FBI is investigating West Virginia's blockchain-based midterm elections

CNN: FBI investigating if attempted 2018 voting app hack was linked to Michigan college course






The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit