SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #85

October 29, 2019

Ransomware Epidemic Expanding: Insurance Companies, Johannesburg, St. Louis Healthcare





  Insurance Companies See Increasing Numbers of Ransomware Claims

  Johannesburg City Data Held for Ransom

  St. Louis Healthcare and Social Services Provider Struggling with Ransomware Attack


  Illinois Computer Repair Shop Worker is a Wizard at Cracking Ransomware

  Inspector General: US Social Security Administration Let Critical Flaws Go Unfixed for More Than a Year

  UniCredit Data Breach Compromised Three Million Customer Records

  US Federal General Schedule System Hobbles Cyber Reskilling Job Placement Efforts

  Google Will Replace Bricked Devices

  Ukraine Arrests Alleged Hacker

  Canada and Independent Security Researchers (Podcast)

  FBI Protected Voices Election Security Initiative

  Man Who Rented Car Months Ago Still Has Remote Access to Doors, Engine





-- SANS Cyber Defense Initiative(R) 2019 | Washington, DC | December 10-17 | https://www.sans.org/event/cyber-defense-initiative-2019

-- SANS London November 2019 | November 11-16 | https://www.sans.org/event/london-november-2019

-- SANS Atlanta Fall 2019 | November 18-23 | https://www.sans.org/event/atlanta-fall-2019

-- Pen Test HackFest Summit 2019 | Washington, DC | November 18-25 | https://www.sans.org/event/pen-test-hackfest-2019

-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020

-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020

-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020

-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020

-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020

-- SANS OnDemand and vLive Training

Get an iPad Mini, an ASUS Chromebook Flip, or Take $250 Off through October 30 with OnDemand or vLive training.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap



************************  Sponsored By SANS  ********************************

2020 SANS Women in Cybersecurity Survey: Today, women are entering and rising through the ranks of cybersecurity experts, with more expected to join these ranks in coming years. This survey intends to learn how successful women in cybersecurity have navigated their career opportunities, from entering the field to pursuing higher-level positions. Take the survey: http://www.sans.org/info/214600



--Insurance Companies See Increasing Numbers of Ransomware Claims

(October 25, 2019)

The number of ransomware attacks and the amounts the hackers are demanding are both increasing. Insurance companies are seeing an increase in ransomware-related claims. Globally, insurers collected between $7 billion and $8 billion in cyberinsurance premiums in 2018.

Read more in:

Reuters: Global insurers face quiet strain from hacker ransom demands


--Johannesburg City Data Held for Ransom

(October 25, 2019)

The computer network of the city of Johannesburg, South Africa, was hit with a cyberattack last week. The files on the city's network are not encrypted, but the hackers have threatened to dump data they stole on the Internet unless they are paid. Shortly after receiving the ransom demand, Johannesburg shut down its website, e-services, and billing system. This is the second major cyberattack Johannesburg has faced in the past several months. In what appears to be an unrelated incident, several banks in Johannesburg have been fending off distributed denial-of-service (DDoS) attacks.

Read more in:

TimesLive: City of Joburg, banks under cyber attack


ZDNet: City of Johannesburg held for ransom by hacker gang


Ars Technica: Johannesburg's network shut down after second attack in 3 months


Cyberscoop: South Africa's banks, and its largest city, are grappling with separate cyber incidents


Infosecurity Magazine: Johannesburg Held to Ransom


The Register: City of Joburg says it knows who ransom hack attacker is, refuses to pay off criminals


--St. Louis Healthcare and Social Services Provider Struggling with Ransomware Attack

(October 28, 2019)

A medical and social services provider in St. Louis, Missouri, was hit with a ransomware attack in September. The Betty Jean Kerr People's Health Centers is still unable to access patient, health care provider, and employee data from 2011 through September 2, 2019.

Read more in:

SC Magazine: St. Louis health center stymied by September ransomware attack


PHCenters: Notice


****************************  SPONSORED LINKS  ******************************


1) Webcast November 6th at 3:30 PM ET: Evaluating Network Traffic Analysis Systems: Requirements and Challenges. http://www.sans.org/info/214605

2) ICYMI Webcast: "NetOps and SecOps: Can't We All Just Get Along?" http://www.sans.org/info/214610

3) Step into the mind of a threat actor and hear tips for building a better defense in this upcoming webcast: http://www.sans.org/info/214615



--Illinois Computer Repair Shop Worker is a Wizard at Cracking Ransomware

(October 28, 2019)

Michael Gillespie has cracked more than 100 different strains of ransomware and provided decryption tools at no cost to people whose machines have been infected. Gillespie is averse to paying ransom, not only because the payments could be funding terrorist activity, but also because payment encourages the attackers to continue infecting systems.

[Editor Comments]

[Neely] Having access to the decryption keys or access to a resource like Gillespie to obtain them is a key part of the payment decision. This needs to be coupled with an honest assessment of recovery capabilities to ensure success as well as management support.

Read more in:

Pro Publica: The Ransomware Superhero of Normal, Illinois



--Inspector General: US Social Security Administration Let Critical Flaws Go Unfixed for More Than a Year

(October 28, 2019)

According to a summary of an audit report from the US Social Security Administration (SSA) Office of Inspector General (OIG), the SSA neglected to address known vulnerabilities in its systems for more than a year. Critical vulnerabilities detected in a 2018 audit were still present in the 2019 audit. The report also found unauthorized software on SSA systems.

[Editor Comments]

[Pescatore] Not much information is available on this one, but SSA has a very good track record over the years of protecting their systems. They have been proactive but have also done well in not repeating the same mistakes when something does go wrong. Let's hope that is the case here as well.

Read more in:

MeriTalk: SSA Failed to Fix Critical Vulnerabilities for Over a Year


Oversight: The Social Security Administration's Vulnerability Management Program



--UniCredit Data Breach Compromised Three Million Customer Records

(October 28, 2019)

Italian banking and financial services company UniCredit has acknowledged that a data breach affected the information of three million of its customers. UniCredit has customers around the world, but this breach affected only Italian customers. This breach is the third data security incident UniCredit has experienced since 2016.

Read more in:

Reuters: UniCredit unveils 2015 data breach involving 3 million Italian clients


Infosecurity Magazine: UniCredit Breach Affects Three Million Records


ZDNet: UniCredit reveals data breach exposing 3 million customer records



--US Federal General Schedule System Hobbles Cyber Reskilling Job Placement Efforts

(October 28, 2019)

The US cyber reskilling program is running into issues with placing the newly trained employees in positions that use their new skills because of the government's General Schedule employment system. An Office of Management and Budget (OMB) official said of the system, "It's not agile and it's not responsive to the needs of the 21st century."

[Editor Comments]

[Neely] In addition to staff obtaining updated skills, management support is needed to place them appropriately to use those skills and creative non-monetary means may be needed to retain these workers.

Read more in:

FNN: Cyber reskilled, but in my old job: A common refrain for program graduates



--Google Will Replace Bricked Devices

(October 25, 2019)

Google says it will replace Google Home and Mini devices that were rendered useless by a recent automatic firmware update. All devices affected by the update will be replaced, regardless of their warranty status. Google also plans to roll out a fix to prevent more devices from becoming bricked.

[Editor Comments]

[Neely] Unlike traditional IT, where updates are pulled or scheduled, these updates are made without user interaction. While it is commendable that updates are being pushed rapidly for these IoT devices, that Google is replacing those that were bricked, and that they are raising the bar on their SQA processes, consider these as third-party managed computers on your network and provide corresponding segmentation to offset that risk.

Read more in:

ZDNet: Google promises to replace Home devices bricked by flawed firmware update



--Ukraine Arrests Alleged Hacker

(October 25, 2019)

Authorities in Ukraine have arrested a person who is suspected of hacking companies in the US, stealing millions of dollars from financial institutions, and interfering with computer systems. Authorities from the US and Lithuania were also involved in the investigation.

Read more in:

Cyberscoop: Ukrainian cops just arrested an alleged hacker in one of Kyiv's 'most expensive' hotels



--Canada and Independent Security Researchers (Podcast)

(October 25, 2019)

A Canadian college student found a vulnerability in a smart doorbell. When he contacted the company, he asked to disclose the flaw sooner than 90 days because the device had been discontinued before he found the flaw. The company threatened legal action. The student contacted the Canadian Internet Policy and Public Interest Clinic (CIPPIC), which helped convince the company to drop its threats. A CIPPIC attorney noted that Canada has a lack of clear legal precedent in the area of security research, which gives companies and government entities room to push back against the researchers.

Read more in:

Security Ledger: Episode 165: Oh, Canada! Independent Security Researchers Feel the Chill Up North



--FBI Protected Voices Election Security Initiative

(October 23, 24, & 25, 2019)

The FBI has released new and updated security resources as part of its Protected Voices initiative to provide all political campaigns with information and tools to help ensure election integrity.

Read more in:

MeriTalk: FBI Releases new Election Security Resources


Dark Reading: FBI Expands Election Security Initiative


FBI: Protecting Every Voice: FBI Expands Suite of Resources on Election Security



--Man Who Rented Car Months Ago Still Has Remote Access to Doors, Engine

(October 28, 2019)

A man who rented a car in May connected it to the FordPass app, which lets drivers remotely start and stop the vehicle's engine, lock and unlock its doors, and track its location. Masamba Sinclair returned the rental car months ago and other people have since rented it, but the app still allows him control over the vehicle. Both Ford and the rental company have been contacted, but neither has taken steps to remove Sinclair's access to the vehicle.

[Editor Comments]

[Ullrich] This is an issue with many modern cars that are linked to mobile apps. There is often no clear method to "reset" the authentication tokens handed to these apps. This has been used in a few cases to steal high end rental cars, but it has also been an issue for used cars. Even if the prior owner isn't able to open the doors, these apps sometimes allow the prior owner to still track the location of the car. Disconnecting these applications is sometimes not possible at all, or has to be done at a dealership. There is no simple "factory reset" for some cars.

[Neely] My latest rental car agreement said I was on the hook for unpairing devices paired during my use. Ideally rental car providers need to incorporate resetting the car between rentals. The pressure to turn vehicles quickly may prevent this so user prudence is required.

[Pescatore] This is a good area to update in executive and employee security briefings. Rental cars, hotel room TVs, AirBNB rental houses, etc. all now have "apps" running in them in a number of devices that let you log in to your personal Netflix, YouTube, Facebook, home video doorbell/smart thermostat etc. accounts - greatly increasing the probability that both sensitive personal information is left behind as well as accounts being left open and unauthorized access or password changes happening afterwards.

Read more in:

Ars Technica: Five months after returning rental car, man still has remote control





DNS Archeology With PowerShell


Finding Shellcode with scdbg


British Law Enforcement Misses Malware Reports Due to Anti-Malware


iOS Appstore Malware


Apple iOS / tvOS / Safari Updates


Sextortion Attempts Are Targeting Blogs


PHP 7 Remote Code Execution Vulnerability Exploited




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create