Develop invaluable cybersecurity skills through interactive training during SANS 2021 - Live Online. Register now.

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #10

February 4, 2020

Hackers are Hijacking Smart Buildings for DDoS Attacks; Pentagon Sets Cybersecurity Benchmark for Contractors


SANS NewsBites                February 4, 2020             Vol. 22, Num. 010



  Hackers are Hijacking Vulnerable Smart Building Access Systems to Launch DDoS Attacks

  Pentagon Releases Cybersecurity Maturity Model Certification Standard



  EKANS Ransomware Also Kills ICS Processes

  Maze Ransomware Hits French Construction Company

  Tillamook County Will Negotiate with Hackers for Decryption Key

  City of Racine, Wisconsin Hit with Ransomware

  TVEyes Target of Ransomware Attack




  Prosecutors Drop Burglary Charges Against Coalfire Pentesters

  Australian Freight Company Suffers Cyberattack

  Six Arrested in Connection with Maltese Bank Cyberattack

  Raytheon Engineer Arrested for Taking Laptop with Missile Data to China

  Hackers Insert Themselves in eMail Conversation, Steal Payment in Fine Art Sale

  NEC Acknowledges December 2016 Breach

  APT34 Targeting US Company Through Spear Phishing eMail

  Some US Emergency Alert Systems Remain Unpatched Years After Fix Released


**********************  Sponsored By Swimlane  ******************************

Think you can't have it all? With Swimlane's security orchestration, automation and response (SOAR) solution, you can. Don't put limits on what you can do. Automate any use case based on what, how and when you need it. Download this Use Cases for SOAR e-book to learn what processes you should automate.



-- SANS 2020 | Orlando, FL | April 3-10 |

-- SANS Scottsdale 2020 | February 17-22 |

-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 |

-- SANS Training at RSA Conference 2020 | San Francisco, CA | February 23-24 |

-- SANS Munich March 2020 | March 2-7 |

-- SANS Northern VA - Reston Spring 2020 | March 2-7 |

-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 |

-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 |

-- SANS London March 2020 | March 16-21 |

-- SANS Secure Singapore 2020 | 16-28 March |

-- SANS Secure Canberra 2020 | March 23-28 |

-- SANS OnDemand and vLive Training

Get an iPad Mini, an HP Chromebook 14 G5, or Take $300 Off through February 5 with OnDemand or vLive training.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast -

-- Evening training 2x per week for 6 weeks with vLive |

-- Anywhere, Anytime access for 4 months with OnDemand format |

Single Course Training

-- Single Course Training

SANS Mentor |

Community SANS |


-- View the full SANS course catalog and Cyber Security Skills Roadmap



 --Hackers are Hijacking Vulnerable Smart Building Access Systems to Launch DDoS Attacks

(February 2 & 3, 2020)

Attackers are hijacking vulnerable smart building access systems and using them to launch distributed denial-of-service (DDoS) attacks. There has been increased scanning for Nortek Security & Control (NSC) Linear eMerge E3 systems that are vulnerable to a known critical command injection flaw.

[Editor Comments]

[Pescatore] Back in late 2013, SANS held an Internet of Things Security Summit where we pointed out smart building systems as the most likely future attack path for real business damage, vs. other attacks. The growth of commercial real estate being developed with wired and wireless networks built in, and with elevator, HVAC systems on the network with remote access to all those systems means many companies are putting their internal systems onto building networks that are being run quite often at very low levels of security hygiene.

Read more in:

SonicWall: Linear eMerge E3 Access Controller Actively Being Exploited

Dark Reading: Attackers Actively Targeting Flaw in Door-Access Controllers

Cyware: Attackers Exploit Security Flaws in Smart Building Systems

ZDNet: Hackers are hijacking smart building access systems to launch DDoS attacks


--Pentagon Releases Cybersecurity Maturity Model Certification Standard

(January 30, 31, February 1 & 3, 2020)

The US Defense Department (DoD) has released the Cybersecurity Maturity Model Certification version 1.0. The framework describes the cybersecurity standards that DoD contractors must meet if they want to win contracts. CMMC will be applied to some contracts starting later this year; by 2026, all DoD contracts are expected to include CMMC.

Read more in:

FCW: Pentagon finalizes CMMC standard for contractors

Bleeping Computer: DoD to Require Cybersecurity Certification From Defense Contractors

FNN: Pentagon issues long-awaited cyber framework for Defense industry

Fifth Domain: Pentagon finalizes first set of cyber standards for contractors

ACQ.OSD: Cybersecurity Maturity Model Certification (CMMC) (PDF)





--EKANS Ransomware Also Kills ICS Processes

(February 3, 2020)

Ransomware known as EKANS not only encrypts data on infected systems, it also interrupts Industrial Control Systems (ICS) applications. Prior to encrypting data, EKANS kills 64 different ICS processes named in a static list. Some versions of MegaCortex ransomware target the same list of ICS processes.  

[Editor Comments]

[Murray] Given the frequency and success of "Ransomware" attacks, it is essential that we increase the cost of attack and improve our resilience in the face of such attacks. It is a myth that the advantage is always to the attacker. We can get a ten-fold increase in cost of attack for a relatively small increase in one's cost of security. Keep in mind that most of these victims are targets of opportunity. One does not have to "outrun the bear."

Read more in:

Dragos: EKANS Ransomware and ICS Operations

Wired: Mysterious New Ransomware Targets Industrial Control Systems

Ars Technica: New ransomware doesn't just encrypt data. It also meddles with critical infrastructure

Dark Reading: EKANS Ransomware Raises Industrial-Control Worries


--Maze Ransomware Hits French Construction Company

(February 3, 2020)

A French construction company was hit with Maze ransomware on January 30. Bouygues Construction has shut down its network to prevent the ransomware from encryption additional data. The operators of Maze ransomware have gained a reputation for stealing data from targeted organizations and uploading it if the victims do not pay the ransom.

Read more in:

Bleeping Computer: Bouygues Construction Shuts Down Network to Thwart Maze Ransomware

Infosecurity Magazine: Maze Ransomware Hits Law Firms and French Giant Bouygues


--Tillamook County Will Negotiate with Hackers for Decryption Key

(January 27 & 31, 2020)

Tillamook (Oregon) County Commissioners have voted unanimously to negotiate with hackers for the decryption key to regain access to the county's computer systems. Tillamook County systems were with with ransomware on January 22, 2020.  

[Editor Comments]

[Neely] This case illustrates the factors that have to be balanced: (1) The need for both public and private meetings to keep the public informed, including the appointment of communication officers and selection of communication means; (2) the complexity of a transition from old to new update information systems; (3) getting professional help where needed; and (4) keeping as much of business as usual operating smoothly while (5) informing the public of alternate mechanisms for offline components. The complexity shows why a verified thorough disaster recovery plan is so important.

[Murray] It appears to be the consensus among the NewsBites editors that the decision to pay ransom is a business, not a security, decision. However, the failure to make this decision in advance of an attack is a security decision. There should be accountability.

Read more in:

Tillamook Headlight Herald: Cyberattack: County to negotiate for ransomware key

Infosecurity Magazine: US County's Computers Still Down Nine Days After Ransomware Attack


--City of Racine, Wisconsin Hit with Ransomware

(February 3, 2020)

Computer systems belonging to the city of Racine, Wisconsin were infected with ransomware on January 31. As of February 3, the city's website, email, and online payment systems were still down. The attack did not affect 911 and public safety systems. Tax collection systems are also operating as usual.

Read more in:

SC Magazine: Ransomware knocks city of Racine offline


--TVEyes Target of Ransomware Attack

(January 31, 2020)

Broadcast media monitoring company TVEyes was hit with ransomware early on Thursday, January 30. The company's CEO said on Friday, January 31 that they had restored servers from backups.

[Editor Comments]

[Honan] At last a good news story relating to ransomware and evidence that reliable backups are an effective measure against ransomware.

[Murray] Note that this may only be successful to the extent that one has addressed the vulnerabilities that led to the breach in the first place. We have seen reinfections.  

Read more in:

ZDNet: Ransomware hits TV & radio news monitoring service TVEyes

CNET: Ransomware hits TV search engine popular among political campaigns

****************************  SPONSORED LINKS  ******************************

1) Webcast February 6th at 1PM ET: Implementer's Guide to Deception Technologies with SANS Kyle Dickinson. Register:

2) Join us at the SANS ICS Security Summit & Training Summit 2020 | Orlando, FL | March 2-9.

3) Webcast: See how deception technologies can assist with common attack behaviors with SANS Kyle Dickinson and Acalvio. Register:





--Prosecutors Drop Burglary Charges Against Coalfire Pentesters

(January 30, 31, & February 3, 2020)

Prosecutors in Iowa have dropped burglary charges against two people who broke into a county courthouse after hours as part of a penetration test. The two are employees of Coalfire labs, which had been hired by Iowa's State Court Administration to test the security of its IT systems and its buildings. Gary DeMercurio and Justin Wynn were arrested in September 2019 and held for hours before being released on bail. The case illustrates the need for establishing pen testing best practices.

[Editor Comments]

[Neely] This is awesome news. An important lesson from this case is that security contractors, and especially penetration testers, have the responsibility to educate their customers on all aspects of authorized permission including specific actions and timing and to ensure a common understanding so that they have the pen tester's back when something goes awry.

[Murray] The case illustrates the need for well documented and agreed terms of service.

Read more in:

KrebsOnSecurity: Iowa Prosecutors Drop Charges Against Men Hired to Test Their Security

The Register: Remember those infosec fellas who were cuffed while testing the physical security of a courthouse? The burglary charges have been dropped

ZDNet: Charges dropped against Coalfire security team who broke into courthouse during pen test

Ars Technica: Exonerated: Charges dropped against pentesters paid to break into Iowa courthouse


--Australian Freight Company Suffers Cyberattack

(February 3, 2020)

Australian freight and logistics company Toll Group has shut down several of its IT systems to contain damage from a cybersecurity incident. Toll customers have experienced problems tracking shipments. The company has not released details about the nature of the cyberattack.

Read more in:

SMH: Toll stops services after security breach

The Register: 'Cyber security incident' takes its Toll on Aussie delivery giant as box-tracking boxen yanked offline

Infosecurity Magazine: Cybersecurity Incident Mars Australian Freight Giant's Operations


--Six Arrested in Connection with Maltese Bank Cyberattack

(January 31 & February 3, 2020)

The UK's National Crime Agency (NCA) has arrested six people in connection with a cyberattack against Malta's Bank of Valletta. The suspects allegedly gained access to the bank's IT systems in February 2019 and made several large transfers totaling [euro]13 million (US $14.4 million). The Bank of Valletta said in May 2019 that it had recovered [euro]10 million (US $11.1 million) of the stolen funds.

[Editor Comments]

[Murray] Prevention is easier than recovery. That said, early (within hours) reporting of fraudulent transfers to the FBI will greatly improve the chances of recovery. Do you know who to call?

Read more in:

OCCRP: UK Arrests Cyber-Thieves Who Stole Millions from Maltese Bank

The Register: A year after Bank of Valletta 'cyber heist', cuffs applied as cash-cleansing case continues

ZDNet: Three suspects arrested in Maltese bank cyber-heist


--Raytheon Engineer Arrested for Taking Laptop with Missile Data to China

(February 2 & 3, 2020)

US federal law enforcement agents have arrested a Raytheon engineer after he took a work laptop containing missile defense systems information to China. Wei Sun has worked at Raytheon since December 2008. In December 2018, Sun traveled abroad with his work laptop in defiance of Raytheon's exhortations not to bring it on his travels. In January 2019, Sun emailed Raytheon and informed them he was resigning his position so he could study and work abroad. Sun returned to the US later that month. He initially told Raytheon security officials that he had traveled to Singapore and the Philippines, but eventually admitted that he had traveled to China, Cambodia, and Hong Kong.     

[Editor Comments]

[Neely] Mechanisms to limit sensitive data exposure include specific laptops configured for foreign travel, DLP solutions which limit data storage and access, and location-aware device management which could be used to remotely wipe a device. Even so, the employee is the critical most challenging link in the security chain. In support of the human factor, appropriate consequences with visible actions may act as a deterrent.

Read more in:

ZDNet: Raytheon engineer arrested for taking US missile defense data to China

Infosecurity Magazine: Missile Engineer Arrested After Taking Secret Info to China

Court Listener: First Superseding Indictment (PDF)


--Hackers Insert Themselves in eMail Conversation, Steal Payment in Fine Art Sale

(January 30 & 31, 2020)

The ownership of a 200-year-old painting by British artist John Constable is in question after hackers infiltrated email conversations regarding payment for the artwork. A museum in the Netherlands had agreed to purchase the painting from a British art dealer for #2.4 million ($3.1 million). Hackers sent a spoofed message directing the museum to transfer the payment into a bank account they controlled. Each party blames the other: the museum maintains that the dealer should have known that spoofed messages were sent, while the dealer maintains that the museum should have verified the details of the bank transfer.     

[Editor Comments]

[Murray] Non-routine payments must be verified out of band prior to paying: "Pick up the telephone." This the responsibility of the payer. Transfers should be confirmed out of band; this is the responsibility of the paying agent (usually the bank.) The role of reconciling confirmations should be separate from that of authorizing payments in the first place.  

[Honan] This is a classic invoice/payment redirection scam, also known as Business Email Compromise. Technical controls such DMARC, DKIM, and SPF, and also using effective email filtering solutions can help minimise the risk of this type of attack. However, as demonstrated by the blame game in this example, the human factor plays a significant part. Basic manual verification processes can often be the most effective prevention measures. Europol provides some excellent guides on how to protect against scams targeting employees Infographic: Fraud Scams Targeting Employees

Read more in:

ZDNet: Hacker snoops on art sale and walks away with $3.1m, victims fight each other in court

Claims Journal: Fraudsters Posing as Art Dealer Got Gallery to Pay Millions


--NEC Acknowledges December 2016 Breach

(January 31, 2020)

Japan's NEC Corp. has disclosed that its systems were breached in December 2016. The company did not detect the breach until June 2017, when it noticed encrypted traffic being sent from a company server. NEC decrypted the traffic in July 2018, and found that the attackers had exfiltrated data from the company's defense business division.

[Editor Comments]

[Murray and Paller] Mean time to detection (MTTD) of a breach needs to go from months in 2017 to days in 2020. Many companies that take cybersecurity seriously have or have nearly accomplished that goal. For others, it will never happen because they have not yet established MTTD as a key cybersecurity objective and thus they are not measuring it.  

Read more in:

ZDNet: Japanese company NEC confirms 2016 security breach


--APT34 Targeting US Company Through Spear Phishing eMail

(January 31, 2020)

A hacker group with ties to Iran has been sending spear phishing emails to customers and employees of a company that works with US federal, state, and local governments. The phony messages sent to Westat employees contain malicious Excel spreadsheet attachments. The spreadsheets appear to be black; if recipients enable macros, the content - a phony job satisfaction survey - appears and malware that installs the TONEDEAF backdoor is downloaded in the background.

Read more in:

Threatpost: Iranian Hackers Target U.S. Gov. Vendor With Malware


--Some US Emergency Alert Systems Remain Unpatched Years After Fix Released

(January 27, 2020)

A vulnerability in certain emergency alert systems (EAS) that was disclosed in 2013 remains unpatched on at least 50 systems across the US. The issue lies in the web interfaces for Monroe/Digital Alert Systems EAS hardware.

[Editor Comments]

[Neely] These systems are effectively appliances that are configured to accept and forward emergency messages. The challenge with appliance-type systems is not only monitoring them for security vulnerabilities, but also having appropriate processes in place, with accountability, to keep them updated and secure.

Read more in:

Security Ledger: Seven Years Later, Scores of EAS Systems sit Un-patched, Vulnerable




Stego and Cryptominers (with video)

Triple Encrypted AZORult Installer

Corona Virus Phishing / Scams

Google Open Sources Security Token Software

New sudo Vulnerability (pwfeedback)

Teamviewer Password Storage



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit