
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXI - Issue #94

December 3, 2019

Ransomware at Great Plains Health; Top 25 Cyber Weaknesses Updated


SANS NewsBites                 Dec. 3, 2019                Vol. 21, Num. 094



  Great Plains Health Recovering From Ransomware

  Common Weakness Enumeration List Updated


  Google Warns Users of Nation-State eMail Hacking

  Sentara Hospitals Fined for Failing to Properly Report Breach to HHS

  Piracy Sites Shutdown

  Imminent Monitor RAT Operation Shut Down

  CISA Wants US Government Agencies to Establish Vulnerability Disclosure Programs

  Facebook and Twitter Warn of Malicious SDKs

  California DMV Makes Millions Selling Drivers' Personally Identifiable Information





-- SANS OnDemand and vLive Training

Get an 11" iPad Pro, a 12.3" Surface Pro, or Take $350 Off through December 4 with OnDemand or vLive training.


-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020

-- SANS Miami 2020 | January 13-18 | https://www.sans.org/event/miami-2020

-- SANS Threat Hunting & IR Summit & Training | London, UK | January 13-19, 2020 | https://www.sans.org/event/threat-hunting-europe-2020

-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020

-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020

-- Cyber Threat Intelligence Summit & Training | Arlington, VA | January 20-27 | https://www.sans.org/event/cyber-threat-intelligence-summit-2020

-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020

-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020

-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap



***************************  Sponsored By Splunk  ***********************************

The Fundamental Guide to Building a Better Security Operation Center (SOC). Outdated security solutions struggle to stay ahead of advanced cyberthreats, making it hard to detect unknown or hidden threats. So what are companies who rely on dinosaur technology to do? They need to start building the next generation, modern SOC today. Download The Fundamental Guide to Building a Better Security Operation Center (SOC) today to learn how a security operation suite can move your SOC into the future. http://www.sans.org/info/214905




--Great Plains Health Recovering From Ransomware

(November 27, 2019)

Great Plains Health (GPHealth) medical center is recovering from a ransomware attack. The attack occurred on Monday, November 25. The next day, GPHealth cancelled a large number of non-emergency appointments and procedures. GPHealth is based in North Platte, Nebraska.

[Editor Comments]

[Shpantzer] Speaking of HHS notifications, in the Sentara Hospitals story, the regulators want you to tell them all about your ransomware problems, even if you think it's just an integrity issue and not confidentiality. HHS put out specific ransomware guidance a few years ago. Yes, it's a breach:



Read more in:

Bleeping Computer: Ransomware Locks Medical Records at Great Plains Health


Health IT Security: Ransomware Attack Forces Great Plains Health to EHR Downtime



--Common Weakness Enumeration List Updated

(November 26 & 27, 2019)

The MITRE Corp. has updated the Common Weakness Enumeration (CWE) list. According to MITRE, the CWE Top 25 is "a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software." Topping the revised list is "Improper Restriction of Operations within the Bounds of a Memory Buffer." Cross-site scripting errors are listed second. SQL injection vulnerabilities, which topped the previous version of the list, are now in sixth place. MITRE Corp. operates the Department of Homeland Security's (DHS's) Systems Engineering and Development Institute.

[Editor Comments]

[Murray] It is sad that we can enumerate our errors but not fix them. Part of the problem here is the von Neumann Architecture, part the languages we use, part that the programmer does not, or cannot, know the environment in which his program will run, and only a small part that it is a hard problem. However, a good craftsman does not blame his tools. If we insist upon using flawed tools for hard problems, we must train to compensate for them. Our tolerance for shoddy continues to be an embarrassment.


Read more in:

CWE Mitre: 2019 CWE Top 25 Most Dangerous Software Errors


DHS: Snapshot: Top 25 Most Dangerous Software Errors


Dark Reading: SQL Injection Errors No Longer the Top Software Security Issue


Bleeping Computer: Top 25 Most Dangerous Vulnerabilities Refreshed After 8 Years


****************************  SPONSORED LINKS  ******************************

1) Upcoming Webcast | Learn how to streamline investigations between individuals, teams and organizations all from a single workspace: http://www.sans.org/info/214910

2) Join us at SANS Cyber Threat Intelligence Summit | Arlington, VA | Jan 20-21: http://www.sans.org/info/214915

3) Webcast December 5th at 10:30 AM ET: Outmaneuver attackers with deceptive countermeasures in this upcoming webcast: http://www.sans.org/info/214920




--Google Warns Users of Nation-State eMail Hacking

(November 26, 27, & 28, 2019)

In a three-month period earlier this year, Google notified more than 12,000 users that their accounts were being targeted in phishing attacks conducted by government-backed hackers. The majority of alerts were sent to users in South Korea, Pakistan, Vietnam, and the US.

[Editor Comments]

[Pescatore] SANS instructor Heather Mahalik did a great talk at the SANS keynote threat panel at the RSA conference on how much information many users expose to cloud-based email providers such as Gmail, and common ways attackers use social media paths to trick users into exposing password reset info. Heather gave great advice to give to executives. You can see a summary with links in the white paper at https://www.sans.org/reading-room/whitepapers/analyst/top-attacks-threat-report-38908 (PDF)


Read more in:

Forbes: Google Warns 12,000 People They Were Hit By Government Hackers--Here's What To Do If You're A Target


The Register: Google caught a Russian state hacker crew uploading badness to the Play Store


ZDNet: In just three months, Google sent 12k warnings about government-backed attacks



--Sentara Hospitals Fined for Failing to Properly Report Breach to HHS

(December 2, 2019)

Virginia-based Sentara Hospitals has agreed to a $2.2 million settlement with the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) over violations of the Health Insurance Portability and Accountability Act (HIPAA). OCR launched its investigation after learning that Sentara had mailed nearly 600 patients' personal health information to the wrong addresses. Sentara has also agreed to "a corrective action plan."

[Editor Comments]

[Pescatore] The fine works out to about $3,600 per record exposed, a really scary number that will be good ammunition for getting senior management attention. In 2019, HHS has issued 7 fines averaging just under $2M each - the size of the fines is more related to large process deficiencies than to size of breach. The average profit margin in healthcare is in the 5% range, meaning that a $2M fine essentially cancels out $40M in revenue! That is a better number to use when trying to justify the spending needed to reach basic security hygiene levels.


Read more in:

HHS: OCR Secures $2.175 Million HIPAA Settlement After Hospitals Failed to Properly Notify HHS of a Breach of Unsecured Protected Health Information


Infosecurity Magazine: US Hospitals Fined $2.175M for "Refusal to Properly Report" Data Breach


GovInfosecurity: Sentara Hospitals' HIPAA Settlement: Why $2.2 Million?



--Piracy Sites Shutdown

(December 2, 2019)

Europol, working with law enforcement teams from 18 countries, has shut down more than 30,000 Internet domain names for trafficking in pirated digital content and counterfeit products and pharmaceuticals. Officials have also seized physical property, frozen at least €150,000 (US $165,000) in several bank accounts, and arrested three individuals in connection with the investigation.

Read more in:

Europol: 30,506 Internet Domain Names Shut Down For Intellectual Property Infringement


Bleeping Computer: Over 30,500 Online Piracy Sites Shut Down in Global Operation


The Register: Europol wipes out 30,000+ piracy sites, three suspects cuffed to walk the legal plank



--Imminent Monitor RAT Operation Shut Down

(November 29, 30, & December 2, 2019)

Law enforcement officials from multiple countries cooperated to take down the infrastructure supporting a malware operation known as Imminent Monitor, a remote access Trojan (RAT) that has been sold online since 2013. The investigation was led by the Australian Federal Police and aided by authorities in Belgium, New Zealand, the UK, the US, and other countries.

[Editor Comments]

[Honan] Well done to all involved in this takedown. A timely reminder that international cooperation is key to tackling the scourge of online crime. It is also a good time to highlight again the No More Ransom website supported by Europol which distributes the known decryption keys for ransomware strains. You can access it for free at http://www.nomoreransom.org


Read more in:

AFP: The Rat Trap: international cybercrime investigation shuts down insidious malware operation


Europol: International Crackdown On Rat Spyware Which Takes Total Control of Victims' PCs


ZDNet: Authorities take down 'Imminent Monitor' RAT malware operation


Threatpost: Authorities Break Up Imminent Monitor Spyware Organization


Bleeping Computer: Law Enforcement Shuts Down Imminent Monitor Malware, Makes Arrests


SC Magazine: Law enforcement delivers knockout blow to Imminent Monitor RAT network



--CISA Wants US Government Agencies to Establish Vulnerability Disclosure Programs

(November 27, 29, & December 2, 2019)

The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has issued a draft binding operational directive (BOD 20-01) that would require civilian agencies to establish vulnerability disclosure programs, as well as a plan for managing security issues that are reported. CISA is accepting comments on the draft document through December 27, 2019.

[Editor Comments]

[Pescatore] Large technology companies in private industry went through this over a decade ago, and the results were overwhelmingly positive. It would be good to see CISA provide a strawman vulnerability disclosure policy as a starting point for all the departments and agencies.


[Neely] The guidance on the BOD 20-01 web site includes all the aspects needed as well as timelines; providing a sample policy would help agencies meet the deliverables, as well as avoiding "wrong-rock" iterations. The directive includes additional FISMA reporting requirements associated with the disclosure program starting in FY21. While well intended, not every agency has the resources or process maturity to meet the tracking, verification, response and reporting requirements.

Read more in:

CISA: Improving Vulnerability Disclosure Together (blog)


cyber.dhs: Binding Operational Directive 20-01 | November 27, 2019 (draft) | Develop and Publish a Vulnerability Disclosure Policy


Dark Reading: DHS to Require Federal Agencies to Set Vulnerability Disclosure Policies


Threatpost: CISA Pushing U.S. Agencies to Adopt Vulnerability Disclosure Policies


Cyberscoop: DHS issues draft order to require vulnerability disclosure policies at civilian agencies



--Facebook and Twitter Warn of Malicious SDKs

(November 26 & 27, 2019)

Twitter and Facebook have warned of certain malicious software development kits (SDKs) that could be used to steal users' personal information. The SDKs in question are maintained by MobiBurn and oneAudience.

[Editor Comments]

[Neely] These SDKs are being leveraged by data aggregators and have been seen on Android vs iOS. Use caution with granting excess permissions on Android applications.

Read more in:

SC Magazine: Facebook, Twitter ban malicious SDK that removed member info


ZDNet: Two third-party SDKs allowed secret harvesting of Twitter and Facebook user data


Threatpost: SDKs Misused to Scrape Twitter, Facebook Account Info


Twitter: Keeping your account safe from malicious activity



--California DMV Makes Millions Selling Drivers' Personally Identifiable Information

(November 25, 2019)

According to documents obtained through a public records act request, the California Department of Motor Vehicles (DMV) has been making millions of dollars a year selling drivers' personal information. Customers paying for the information include data brokers, credit reporting agencies, and private investigators. The data include names, addresses, and car registration information, all of which drivers must provide to get a license. The practice of DMVs selling driver data is not unique to California.

[Editor Comments]

[Murray] No, it is not unique to California but is usually governed by law. Where it is not, it is because the legislature chooses to look the other way.

Read more in:

Vice: The California DMV Is Making $50M a Year Selling Drivers' Personal Information




Agent Tesla Malware Sample Analysis


Search With SauronEye


Increased Scans on Port 26


Recent Ursnif Malspam


Playing with Phishing


Splunk Y2K20 Patch


Google TAG Quarterly Summary


Windows 7 Extended Security Updates


QNAP Patches Photo Station


HPE SSD Drives will Stop Working in 3 years


Malicious Android SDK Captures Social Media Data


Kaspersky API Exposed to Websites


Malicious Ad Statistics




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create