
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume XXI - Issue #86

November 1, 2019

Managed Service Providers Used to Spread Ransomware; Malware on Indian Nuclear Plant Network; Utah Energy Provider Cyberattack





  Managed Service Providers Are Being Used to Spread Ransomware

  Malware Found on Indian Nuclear Plant Network

  Utah Renewable Energy Provider Hit with Cyberattack in March


  Scammers Trying to Steal Office 365 Credentials with Fake Voice Mail Messages

  Hackers Infect QNAP NAS Devices with Malware

  Persistent xHelper Malware Infects Android Devices

  Facebook Sues NSO Group Alleging It Used WhatsApp Accounts to Infect Phones with Spyware

  More Details About Coalfire PenTest Arrests

  Las Cruces School District Ransomware Attack

  Georgian Websites, Television Stations Hit with Cyber Attack








--Managed Service Providers Are Being Used to Spread Ransomware

(October 30 & 31, 2019)

According to a report from Armor, at least 13 managed service providers (MSPs) were used to spread ransomware so far in 2019. Companies that use MSPs generally install software that allows the MSP remote access to their systems; attackers can exploit the remote access to push the ransomware to the organizations' networks. The concurrent ransomware attacks in Texas earlier this year were launched through their shared MSP.

[Editor Comments]

[Ullrich] Supply chain security is a big topic these days, and MSPs are part of your supply chain. Your systems are only as secure as the weakest entity that has access to them. For ransomware distributors, MSPs are a gold mine in that they provide simple access to numerous networks.

[Neely] If the MSP has remote access to your network, they likely have access to multiple companies' networks, which makes this a different risk profile than a remote branch or hosting center.

Read more in:

Armor: 6 New MSPs and/or Cloud-Based Service Providers Compromised by Ransomware, A Total of 13 for 2019, Reports Armor

Ars Technica: The count of managed service providers getting hit with ransomware mounts

ZDNet: At least 13 managed service providers were used to push ransomware this year


--Malware Found on Indian Nuclear Plant Network

(October 30, 2019)

The Nuclear Power Corporation of India Ltd. (NPCIL) detected malware on its network earlier this year, but noted that the affected computer was part of the plant's administrative network and isolated from the critical internal network. NPCIL learned of the infection from the government's cybersecurity agency in early September. Dtrack, the malware that was found on the computer, shares some code elements with malware used by a North Korean hacking group. (Please note that the WSJ story is behind a paywall.)

[Editor Comments]

[Neely] While this malware isn't on the control network, data often moves between control networks and external networks, which may provide a path. One-way links and media screening systems or kiosks can reduce the risks, but a full understanding of data flows is required for success.


[Murray] This appears to have been a target identification attack that failed at being sufficiently stealthy. All such targets should be on the alert for such attacks.

Read more in:

ZDNet: Confirmed: North Korean malware found on Indian nuclear plant's network

Ars Technica: Indian nuclear power plant's network was hacked, officials confirm

WSJ: Malware Detected at India's Largest Nuclear Power Plant (paywall)

Scribd: NPCIL statement


--Utah Renewable Energy Provider Hit with Cyberattack in March

(October 31, 2019)

sPower, a Utah renewable energy company, was hit with a cyberattack in March of this year, causing it to lose communication connections with several of its solar and wind power generation sites for brief periods of time. The March 5 attack is believed to be the first recorded cyber incident that caused a disruption to the power industry. The attackers exploited a known vulnerability in a Cisco firewall to create a denial-of-service condition. sPower has since patched the affected devices. E&E News first reported the incident in April. The additional information in the more recent stories was obtained through a Freedom of Information Act (FOIA) request.

Read more in:

Cyberscoop: Utah renewables company was hit by rare cyberattack in March

ZDNet: Cyber-attack hits Utah wind and solar energy provider

E&E News: 'Cyber event' disrupted U.S. grid networks -- DOE (April 2019)




--Scammers Trying to Steal Office 365 Credentials with Fake Voice Mail Messages

(October 30 & 31, 2019)

Researchers at McAfee have detected a phishing campaign that uses voicemail messages to try to trick recipients into disclosing their Office 365 account access credentials. Targeted individuals received email messages telling them they had missed a phone call and asking them to log into their Office 365 account to retrieve the message.

[Editor Comments]

[Neely] This is a good time to remind users of legitimate password recovery options to help them make good choices for these sorts of emails. Also make sure that your email service anti-phishing and anti-malware services are enabled to block or quarantine these types of attachments.

Read more in:

Securing Tomorrow: Office 365 Users Targeted by Voicemail Scam Pages

GovInfosecurity: McAfee: Malicious Voicemails Target Office365 Users

Bleeping Computer: New Office 365 Phishing Scams Using Audio Voicemail Recordings

Threatpost: Fake Voicemail/Office 365 Attack Targets Enterprise Execs


--Hackers Infect QNAP NAS Devices with Malware

(October 31, 2019)

Thousands of QNAP network-attached storage (NAS) devices have been infected with malware. The National Cyber Security Centre of Finland (NCSC-FI) detected the malware, known as QSnatch, last week. The malware's capabilities include preventing firmware updates, preventing a malware removal app from running, and stealing usernames and passwords. Currently the only confirmed way to remove QSnatch from infected devices is to do a factory reset.

[Editor Comments]

[Ullrich] Never expose a networked storage device to the Internet. These devices are notoriously vulnerable due to the numerous poorly coded web applications installed on them. And of course, users aren't helping with easy-to-guess passwords. Exposing them internally is still a risk, and even though some manufacturers advertise them for public file sharing, you are probably better off using a cloud service for that. This does not just apply to QNAP, but to this type of device in general.

Read more in:

ZDNet: Thousands of QNAP NAS devices have been infected with the QSnatch malware

Bleeping Computer: QSnatch Malware Infects Thousands of NAS Devices, Steals Credentials

Kyberturvallisuuskeskus: QSnatch - Malware designed for QNAP NAS devices


--Persistent xHelper Malware Infects Android Devices

(October 29, 2019)

A Trojan dropper that is being called xHelper infects Android devices and reinstalls itself after it is removed and even after factory resets. xHelper has infected more than 45,000 Android devices in the last six months.

[Editor Comments]

[Neely] Until the mechanism for clearing the malware out of persistent storage is discovered, affected devices should be replaced and not reused.

[Murray] While it is possible for the savvy to operate Android devices safely, they are not recommended for the young, the elderly, or the otherwise naive.

Read more in:

Threatpost: Android Malware Plaguing 45K Devices Remains a Mystery

Bleeping Computer: xHelper Trojan Variant Reinstalls Itself After Removal, Infects 45K


--Facebook Sues NSO Group Alleging It Used WhatsApp Accounts to Infect Phones with Spyware

(October 29, 30, & 31, 2019)

Facebook has filed a lawsuit against NSO Group, alleging that the company created WhatsApp accounts and used them to make calls to their targets, infecting them with Pegasus spyware. The alleged targets include lawyers, journalists, human rights activists, and political dissidents. (Please note that the WSJ story is behind a paywall.)

[Editor Comments]

[Pescatore] Many different issues in this item, but I'll focus on this one, since there are lots of claims yet to be validated on who did what: supply chains are complex networks, not simple chains. Simplistically, to estimate the reliability of a chain you multiply all the probabilities of success of each link and come up with an estimate of overall reliability or risk. In a network, you have to do that for *every* path and find the highest risk path. Facebook left a vulnerability in WhatsApp that may have allowed WhatsApp to be used to impact your company or your customers, and I doubt Facebook or WhatsApp was listed as a supplier.


[Murray] Users of device-to-device encryption should be aware of its limitation, i.e., the message is in the clear on the end devices. Prefer person-to-person encryption for "life and death" applications. NSO Group is a rogue enterprise operating under the protection of a nation state, with the consent of other states, and with dodgy customers.

Read more in:

WhatsApp: Protecting our users from a video calling cyber attack

Quartz: A WhatsApp hack used Israeli spyware to target Rwandan dissidents

Ars Technica: WhatsApp suit says Israeli spyware maker exploited its app to target 1,400 users

Dark Reading: Facebook Says Israeli Firm Was Involved in Recent WhatsApp Intrusion

Wired: WhatsApp's Case Against NSO Group Hinges on a Tricky Legal Argument

Threatpost: WhatsApp Spyware Attack: Uncovering NSO Group Activity

Vice: NSO's Spying Contract Doesn't Limit Use of its Hacking Tools to Terrorism and Crime

WSJ: Facebook Sues Israel's NSO Group Over Alleged WhatsApp Attack (paywall)

Vice: How NSO Group Helps Countries Hack Targets

BBC: 'I was a victim of the WhatsApp hack'
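Pescatore's chain-versus-network point above, worked as a small Python example added here (not code from the newsletter, Facebook, WhatsApp or any product); the supplier graph, node names such as "messaging_app", and the link probabilities are constructed sample values.

```python
# Added illustration of the "network, not a chain" supply-chain risk model.
# Example code written for this digest, not from any vendor or project; the
# graph and probabilities below are constructed sample values.
from math import prod

# Directed edges "supplier -> customer", weighted with the estimated
# probability that the link holds (is NOT compromised) over the review
# period. "messaging_app" stands in for a tool nobody listed as a supplier.
SUPPLIER_GRAPH = {
    "messaging_app":   {"msp": 0.97, "our_company": 0.97},
    "msp":             {"our_company": 0.90},
    "firewall_vendor": {"msp": 0.95, "our_company": 0.98},
    "cloud_provider":  {"our_company": 0.99},
}


def enumerate_paths(graph, target):
    """Every simple path through the graph that ends at `target`."""
    paths = []

    def walk(node, path, seen):
        for nxt in graph.get(node, {}):
            if nxt in seen:
                continue  # skip cycles
            if nxt == target:
                paths.append(path + [nxt])
            else:
                walk(nxt, path + [nxt], seen | {nxt})

    for start in graph:
        if start != target:
            walk(start, [start], {start})
    return paths


def path_reliability(graph, path):
    """Chain model: a path holds only if every link holds, so multiply."""
    return prod(graph[a][b] for a, b in zip(path, path[1:]))


def weakest_path(graph, target):
    """Network model: score every path and return the least reliable one."""
    return min(
        ((path_reliability(graph, p), p) for p in enumerate_paths(graph, target)),
        key=lambda scored: scored[0],
    )


def unlisted_suppliers(graph, target, declared):
    """Nodes on some path to `target` that the declared supplier list omits,
    i.e. exposure the supplier inventory does not see."""
    on_paths = {n for p in enumerate_paths(graph, target) for n in p[:-1]}
    return sorted(on_paths - set(declared))


if __name__ == "__main__":
    reliability, path = weakest_path(SUPPLIER_GRAPH, "our_company")
    print(f"weakest path {' -> '.join(path)}: risk {1 - reliability:.3f}")
    print("unlisted:", unlisted_suppliers(SUPPLIER_GRAPH, "our_company",
                                          ["msp", "firewall_vendor", "cloud_provider"]))
```

In the sample graph the weakest path runs through the MSP rather than any direct link, which is the same hub effect the MSP ransomware item above describes.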


--More Details About Coalfire PenTest Arrests

(October 29 & 30, 2019)

In September, two employees of Coalfire, a Colorado-based security firm, were arrested inside the Dallas County (Iowa) Courthouse while conducting a penetration test. The team entered the building in the middle of the night, deliberately tripped the alarm to test law enforcement response time, and waited for law enforcement to arrive. Coalfire had been hired by the Iowa State Judicial Branch to conduct the testing, and the employees were arrested by the Dallas County sheriff. In early October, the chief justice of the Iowa Supreme Court publicly apologized for the situation, acknowledging that "Mistakes were made [and that they] are doing everything possible to correct those mistakes, be accountable for the mistakes and to make sure they never, ever occur again." The two employees initially faced charges of felony burglary; on October 25, the charges were reduced to criminal trespass. Coalfire CEO Tom McAndrew has issued a statement saying that he "will continue to support and aggressively pursue all avenues to ensure that all charges are dropped and their criminal records are purged of any wrongdoing," and that "It is unacceptable that they are now pawns in the dispute between the state and the county related to governance of the court buildings."

[Editor Comments]

[Skoudis] This is really an unfortunate situation fueled by local politics. It underscores the absolute necessity of penetration testers having all their permission forms and rules of engagement signed in advance. Furthermore, it's vital to ask target personnel about various stakeholders and third parties associated with the target environment. It sure sounds like the Coalfire team did all of that here, and that vital prep work will make all the difference in how this ultimately turns out.

Read more in:

Coalfire: Coalfire CEO Tom McAndrew statement

Security Today: Justice Apologizes For Iowa Court System Authorizing Security Vulnerability Testing That Led To Break-Ins

Trusted Sec: A Message of Support: Coalfire Consultants Charged

KCCI: Coalfire CEO says Dallas County Courthouse doors were unlocked


--Las Cruces School District Ransomware Attack

(October 29, 2019)

The Las Cruces (New Mexico) public school district was the victim of a ransomware attack. When officials became aware of the malware on some district servers on the morning of Tuesday, October 29, they ordered a district-wide shutdown to contain the infection.

[Editor Comments]

[Neely] Segmenting traffic to isolate systems that don't need to connect would allow containment without taking the whole network offline. Also consider blocking outbound attachments from a compromised system in your disaster recovery planning.

Read more in:

LC Sun News: Ransomware hits Las Cruces school servers, prompts shutdown

Bleeping Computer: Ransomware Attack Causes School 'District-Wide Shutdown'


--Georgian Websites, Television Stations Hit with Cyber Attack

(October 29, 2019)

Authorities in the Republic of Georgia are investigating a significant cyberattack that affected thousands of websites in the country as well as two television stations. The attack targeted the Pro-Service web hosting provider.

Read more in:

Threatpost: Country of Georgia Suffers Widespread Cyberattack

BBC: Georgia hit by massive cyber-attack

Reuters: Georgian police investigate massive cyber attack




Generating PCAP Files from YAML

Phishing Made Easy With EML Files and Outlook 365

Helper Android Malware

Apple Security Updates Details Released

Untitled Goose Deserialization

Unsecure Pagers Leak Medical Data

Kibana Vulnerability

Counterstrike Game Keys Used for Money Laundering

Microsoft TLS Security Enhancements Lead to Timeouts


MESSAGETAP: Who's Reading Your Text Messages?

Amazon Authentication Failure for 3rd Party Devices


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit