Volume XXII - Issue #14

February 18, 2020

Details on North Korean and Iranian Hacker Infiltrations; 2016 Florida Elections System Ransomware Attack


SANS NewsBites              February 18, 2020              Vol. 22, Num. 014




  Exposing North Korea's Malicious Cyber Activity

  Iranian Hackers Infiltrating VPN Servers to Plant Backdoors

  DHS Investigating 2016 Florida Elections System Ransomware Attack



  Redcar and Cleveland Borough Systems Suffer Malware Attack

  Boston Children's Hospital Affiliates Experience Ransomware Attack

  Bitcoin Mixer Arrest

  Coronavirus: IBM Says No to RSA, Facebook Cancels Marketing Meeting, Black Hat Asia Postponed

  Microsoft Pulls Problematic Windows 10 Patches

  WordPress ThemeGrill Demo Importer Plugin Updated to Fix Critical Flaw

  Corp.com Domain For Sale, Raises Specter of Namespace Collision

  Local Election in Wisconsin Will Be First to Use ElectionGuard

  US Department of Commerce OIG Report Says Weak Security Controls Allowed Foreign Nationals to Access Sensitive Data


*******************  Sponsored By AWS Marketplace  **************************

Identify Threats and Vulnerabilities with EDR and CASB in AWS. Find out how these solutions help identify who has vulnerable software/configurations on their cloud endpoints by leveraging indicators of compromise to enrich investigations and pinpoint the depth and breadth of malware across thousands of endpoints. SANS-AWS Webcast: Thursday, Feb. 20, 1 PM ET. http://www.sans.org/info/215570



-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020

-- SANS Munich March 2020 | March 2-7 | https://www.sans.org/event/munich-march-2020

-- SANS Northern VA - Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020

-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020

-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020

-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020

-- SANS San Francisco Spring 2020 | March 16-27 | https://www.sans.org/event/san-francisco-spring-2020

-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020

-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020

-- SANS OnDemand and vLive Training

Get a free GIAC Certification Attempt or Take $350 Off through February 19 with OnDemand or vLive training.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






--Exposing North Korea's Malicious Cyber Activity

(February 14, 2020)

The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA), the FBI, and the Department of Defense (DoD) have jointly disclosed a list of malware variants that are being used by hackers working on behalf of the North Korean government.  

[Editor Comments]

[Neely] This is part of a new approach by the federal government to publicly identify the activities of foreign-based hackers. Incorporate the information from these bulletins into your IOCs and supporting processes.

Read more in:

US-CERT: North Korean Malicious Cyber Activity


Ars Technica: US government goes all in to expose new malware used by North Korean hackers


Cyberscoop: Pentagon, FBI, DHS jointly expose a North Korean hacking effort


Nextgov: CISA, FBI and DOD Issue Warning on North Korea-Linked Malware



--Iranian Hackers Infiltrating VPN Servers to Plant Backdoors

(February 16, 2020)

Researchers from ClearSky say that hackers working on behalf of Iran's government have been exploiting vulnerabilities in VPN servers to install backdoors on networks at companies around the world. The hackers have targeted organizations in the IT, telecommunications, oil and gas, government, and security sectors.    

[Editor Comments]

[Pescatore] This is newsworthy because of political tension between the US and Iran, but it is basically just a story that says, "If you don't patch critical vulnerabilities quickly, attackers will find them and exploit them quickly." Many organizations have made great progress in accelerating Windows and Linux patches - this attack is a reminder to make that same progress in patching network and security equipment and other appliances.

[Neely] The news here is that vulnerabilities are being actively attacked hours after disclosure - and exploited shortly thereafter. This raises the importance of actively monitoring perimeter defenses for malfeasance or other abnormal behavior, particularly to cover the period where the new vulnerabilities haven't been mitigated. Even so, keep regression testing of fixes or updates for perimeter defenses focused, on track and timely.


[Murray] One might infer that ClearSky had some indicators of attack or compromise, rather than of mere vulnerability, that they used in this work. Their blog does not say what they were. Perhaps they will disclose them at RSA.

Read more in:

ZDNet: Iranian hackers have been hacking VPN servers to plant backdoors in companies around the world


ClearskySec: Fox Kitten - Widespread Iranian Espionage-Offensive Campaign



--DHS Investigating 2016 Florida Elections System Ransomware Attack

(February 14, 2020)

The US Department of Homeland Security is investigating a ransomware attack that infected systems at the Palm Beach County (Florida) election office prior to the 2016 general election. The office's recently appointed Supervisor of Elections reported the incident to the FBI in November 2019, after learning about it from an IT employee. The incident was not disclosed in 2016.

Read more in:

GovTech: Unreported Florida Elections Breach Draws DHS Attention


********************************  SPONSORED LINKS  **********************************

1) Download Splunk's IT Security Predictions 2020 to learn how to best protect your organization, and your data, against a fast-approaching future. http://www.sans.org/info/215575

2) Webcast: Learn what deception technologies are all about with SANS Kyle Dickinson on February 19th at 1 PM ET. Register: http://www.sans.org/info/215580

3) Don't miss this upcoming webcast: Threat Actor Analysis and Strategic Security Investments. Register: http://www.sans.org/info/215585



--Redcar and Cleveland Borough Systems Suffer Malware Attack

(February 14 & 17, 2020)

Computer systems belonging to the Redcar and Cleveland Borough Council (UK) were infected with malware. The attack occurred on February 8, and as of February 12, the council was still "working with a reduced capacity." The council has called in help from the National Cyber Security Centre (NCSC). The council has not said what type of malware infected its IT systems.

Read more in:

Infosecurity Magazine: Cyber-Attack Takes Down Redcar Council Services


BBC: Redcar cyber-attack: Council using pen and paper



--Boston Children's Hospital Affiliates Experience Ransomware Attack

(February 11 & 12, 2020)                   

Ransomware has infected systems belonging to the Pediatric Physicians' Organization at Children's (PPOC), affecting more than 500 physicians, physician assistants, and nurse practitioners across Massachusetts. While PPOC is affiliated with Boston Children's Hospital, its network is separate from the hospital's. The affected servers have been quarantined and the remainder have been taken offline as a precaution.

Read more in:

BizJournals: Hackers disrupt appointments for hundreds of doctors at Boston Children's


Boston 25News: Malware attack disables medical records at Children's Hospital affiliates


Health IT Security: Malware Attack Hits Boston Children's Hospital Physician Group



--Bitcoin Mixer Arrest

(February 13 & 14, 2020)

The US Department of Justice (DoJ) has charged an Ohio man in connection with a Darknet cryptocurrency laundering service. Larry Harmon allegedly ran the Helix service from 2014 until 2017. Helix operated as a Bitcoin mixer, allowing customers to mix their Bitcoin with others and obscure the link between their Bitcoin addresses and their real-world identities.

Read more in:

Portswigger: Ohio man arrested over darknet bitcoin laundering operation


Justice: Ohio Resident Charged with Operating Darknet-Based Bitcoin "Mixer," which Laundered Over $300 Million



--Coronavirus: IBM Says No to RSA, Facebook Cancels Marketing Meeting, Black Hat Asia Postponed

(February 14, 15, & 17, 2020)

IBM said it will not attend the RSA Conference in San Francisco next week due to concerns about the coronavirus. RSA Conference executives say the event will go on as planned, from February 23-28. In related stories, Facebook has cancelled a marketing summit that was to have taken place in San Francisco in early March, and the organizers of Black Hat Asia have postponed a conference that was scheduled to be held in late March in Singapore.

Read more in:

SC Magazine: IBM pulls out of RSA over coronavirus fears


The Register: Roses are red, IBM is Big Blue. It's out of RSA Conference after coronavirus review: IBMers will not attend infosec event over 'health concerns'


Infosecurity Magazine: IBM Confirms #RSAC Withdrawal Over Coronavirus Fears


SF Chronicle: Facebook cancels SF conference as coronavirus concerns grow, flights end


CNET: Coronavirus prompts Facebook to cancel marketing summit


Portswigger: Black Hat Asia 2020 postponed due to coronavirus epidemic



--Microsoft Pulls Problematic Windows 10 Patches

(February 15, 2020)

Microsoft has pulled the standalone KB4524244 update and the related KB4502496 update from Windows Update servers "due to an issue affecting a sub-set of devices." Users reported installation issues, freezing, and boot problems. The patch was designed to address "an issue in which a third-party Unified Extensible Firmware Interface (UEFI) boot manager might expose UEFI-enabled computers to a security vulnerability."

Read more in:

ZDNet: Microsoft pulls security update after reports of issues affecting some PCs


Bleeping Computer: Microsoft Confirms Windows 10 KB4524244 Issues and Pulls the Update


Microsoft: Security update for Windows 10, version 1607, 1703, 1709, 1803, 1809, 1903 and 1909: February 11, 2020


Microsoft: Security update for Windows 10, version 1507, Windows 8.1, RT 8.1, Server 2012 R2, and Server 2012: February 11, 2020



--WordPress ThemeGrill Demo Importer Plugin Updated to Fix Critical Flaw

(February 17, 2020)

Developers of the ThemeGrill Demo Importer WordPress plugin have released an updated version to fix a critical flaw that could be exploited to wipe websites. The flaw could allow an attacker to obtain administrative privileges on vulnerable sites. The plugin is estimated to be installed on at least 200,000 websites. The vulnerability is addressed in version 1.6.2.    

Read more in:

Bleeping Computer: Unsafe WordPress Plugin Installed on Nearly 200,000 Sites


ZDNet: Bug in WordPress plugin can let hackers wipe up to 200,000 sites



--Corp.com Domain For Sale, Raises Specter of Namespace Collision

(February 8 & 14, 2020)

The corp.com domain is for sale. Administrators running Active Directory in their networks are urged to check their network configuration to ensure that the domain is not being used internally; some versions of Windows have used corp and corp.com as the default path for internal sites. If a user tries to access an internal site from outside the organization's network, they could run into namespace collision, "a situation where domain names intended to be used exclusively on an internal company network end up overlapping with domains that can resolve normally on the open Internet." The danger of exposing sensitive information through namespace collision is not theoretical. Jeff Schmidt, founder and CEO of JAS Global Advisors LLC, analyzed eight months of traffic bound for corp.com and found more than 375,000 PCs attempting to send internal information to an external site. Schmidt briefly set up the domain to capture email and called the results "terrifying."

[Editor Comments]

[Neely] While many lessons have been learned relating to using someone else's published domain name internally, there remains a preponderance of corp.com. The mitigation is to migrate to a new domain that you own before corp.com becomes a real domain associated with a third party, which may take advantage of the traffic "given" to them.

Read more in:

KrebsOnSecurity: Dangerous Domain Corp.com Goes Up for Sale


Duo: Sale of Corp.com Can Expose Corporate Data
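One way to run the configuration check this item urges, as an added example that is not from the NewsBites item, the KrebsOnSecurity article, or Microsoft: a PowerShell script that collects every DNS suffix an Active Directory forest and its Windows clients rely on and flags any that would collide with corp.com or that is not on a list of domains you own. It assumes the ActiveDirectory (RSAT) and DnsClient modules are available where it runs; the function name and the $OwnedSuffixes list are placeholders of this example.

```powershell
# Added example: not from the NewsBites item, the KrebsOnSecurity article, or Microsoft.
# Gathers the DNS suffixes an Active Directory forest and its Windows clients rely on
# and flags any that would collide with corp.com or that the organization does not own.
# Assumes the ActiveDirectory (RSAT) and DnsClient modules are present on this host.
Import-Module ActiveDirectory

# Placeholder: replace with the public domains your organization actually registers.
$OwnedSuffixes = @('example.com')

function Get-NamespaceCollisionCandidates {
    param([string[]]$Owned)

    $candidates = @()

    # 1. Names baked into the forest: every domain's DNS root plus any extra UPN suffixes.
    $forest = Get-ADForest
    $candidates += $forest.Domains
    $candidates += $forest.UPNSuffixes
    $candidates += (Get-ADDomain).DNSRoot

    # 2. Suffixes this client appends to single-label names
    #    ("fileserver" becomes "fileserver.corp.com" when corp.com is in the search list).
    $candidates += (Get-DnsClientGlobalSetting).SuffixSearchList
    $candidates += (Get-DnsClient | Where-Object ConnectionSpecificSuffix).ConnectionSpecificSuffix

    $candidates | Where-Object { $_ } |
        ForEach-Object { $_.ToString().ToLower().TrimEnd('.') } |
        Sort-Object -Unique |
        ForEach-Object {
            $name = $_
            # A suffix is "owned" if it equals, or sits under, a domain on the owned list.
            $isOwned = [bool]($Owned | Where-Object {
                $o = $_.ToLower(); $name -eq $o -or $name.EndsWith(".$o") })
            $risk = if ($name -eq 'corp.com' -or $name.EndsWith('.corp.com')) {
                        'collides with corp.com: lookups for unqualified names can leave the network'
                    } elseif (-not $name.Contains('.')) {
                        'single-label name: clients append search-list suffixes to resolve it'
                    } elseif (-not $isOwned) {
                        'not in the owned list: confirm who holds the registration'
                    } else { 'ok' }
            [pscustomobject]@{ Suffix = $name; Owned = $isOwned; Risk = $risk }
        }
}

Get-NamespaceCollisionCandidates -Owned $OwnedSuffixes | Format-Table -AutoSize
```

Run it from a domain-joined workstation as well as from a domain controller, since the client-side suffix list (step 2) is where laptops that leave the network pick up the names they will try to resolve on the open Internet.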



--Local Election in Wisconsin Will Be First to Use ElectionGuard

(February 17, 2020)

On Tuesday, February 18, voters in Fulton, Wisconsin will use machines running Microsoft's open source ElectionGuard software in a primary election for Wisconsin Supreme Court candidates. This election will mark the first time ElectionGuard has been used in a US election.

[Editor Comments]

[Pescatore] This test will be in parallel with physical ballots, and Microsoft made the source code available previously in conjunction with a managed bug bounty program. Kudos to Wisconsin for taking the logical, measured approach. That approach should have been required of all new voting technology and software from the start.

[Neely] Microsoft leveraged their resources and experience to build what should be a secure foundation for voting machine manufacturers to implement, and then open sourced it. ElectionGuard addresses the core concerns of security, accountability, and vote verifiability, which could provide the building blocks of a reference architecture for delivering electronic voting systems.

Read more in:

ZDNet: Microsoft to deploy ElectionGuard voting software for the first time tomorrow


Microsoft: Another Step in Testing ElectionGuard



--US Department of Commerce OIG Report Says Weak Security Controls Allowed Foreign Nationals to Access Sensitive Data

(February 11 & 17, 2020)

According to a report from the US Department of Commerce Office of Inspector General (OIG), inadequate security controls on Department systems exposed "sensitive trade information to unvetted foreign nationals." People working as contractors outside the US could still access and modify the Department of Commerce's Enterprise Web Services (EWS) document management system after their contracts had ended. The Department "mishandled the response to unauthorized access [and] ... failed to account for sensitive data on its systems."     

[Editor Comments]

[Neely] A key component here is an automated identity management system that manages accounts centrally so that your authentication systems for internally facing, externally facing or even cloud-based information systems have near real time information on active, disabled and removed user accounts. That should be coupled with regular review of rights granted in applications to ensure only authorized staff have access, irrespective of citizenship or employment relationship.

Read more in:

MeriTalk: Commerce Exposed Sensitive Data to Foreign Nationals


OIG: Failures in the Department's Security Program Resulted in Exposure of Sensitive Trade Information to Unvetted Foreign Nationals (PDF)





Keep an Eye on Command-Line Browsers


More About Curl on Windows


DUO Security / Google Identify Malicious Chrome Extensions


Old Tricks in New Bots: KBOT


OpenSSH Now With Fido/U2F


WHO Warns of Coronavirus Phishing



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create