
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #15

February 21, 2020

RSA Keynote Preview: Most Dangerous New Attack Vectors; US Natural Gas Pipeline Operator Hit with Ransomware; Citrix Says Hackers Had Access to its Networks for Five Months


SANS NewsBites              February 21, 2020              Vol. 22, Num. 015



  Preview: RSA Keynote Panel on the Most Dangerous New Attack Vectors

  US Natural Gas Pipeline Operator Hit with Ransomware

  Citrix Says Hackers Had Access to its Networks for Five Months




  Ring Now Requires 2FA

  Cisco Security Updates Include Fix for Smart Software Manager Static Password Issue

  MGM Resorts Acknowledges 2019 Data Breach

  Swiss Government Says Ransomware Poses Threat to SMEs

  US, UK, and Others Blame Russia's GRU for Republic of Georgia Cyberattacks

  Adobe Issues Out-of-Cycle Fixes for Critical Flaws

  ISS World Suffers Ransomware Attack

  2,000 UK Government Mobile Devices Reported Missing in Span of One Year

  Swatting Arrest

  Android Linux Kernel Code Changes Introduce New Vulnerabilities

  Apple Will Shorten Duration of Certificate Trust in Safari


*************************  Sponsored By SANS  *******************************

Hear from the analysts tracking down adversaries everyday with the new SANS Threat Analysis Rundown (STAR) webcast series. STAR will approach threats from all angles, and you'll get different takes each month.



-- SANS 2020 | Orlando, FL | April 3-10

-- SANS Munich March 2020 | March 2-7

-- SANS Northern VA - Reston Spring 2020 | March 2-7

-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9

-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9

-- SANS London March 2020 | March 16-21

-- SANS San Francisco Spring 2020 | March 16-27

-- SANS Secure Singapore 2020 | 16-28 March

-- SANS Secure Canberra 2020 | March 23-28

-- SANS OnDemand and vLive Training

Get an iPad (32G), a Samsung Galaxy Tab A, or Take $250 Off through March 4 with OnDemand or vLive training.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast

-- Evening training 2x per week for 6 weeks with vLive

-- Anywhere, Anytime access for 4 months with OnDemand format

-- Single Course Training

SANS Mentor

Community SANS


-- View the full SANS course catalog and Cyber Security Skills Roadmap




--Preview: RSA Keynote Panel on the Most Dangerous New Attack Vectors

(February 21, 2020)

If you are coming to RSA, you can see the SANS "Most Dangerous Attacks" keynote (Ed Skoudis, Heather Mahalik, Johannes Ullrich) live on Thursday, February 27, or after the conference on RSA's website. A great segment of this keynote is the rapid-fire Q&A. We would really appreciate your sending us (by Tuesday, February 25) any questions that arise when you see specific items in the list of attack vectors below. Send questions to We'll answer all we can.

* New threats in command and control of compromised systems

* Social engineering SOC analysts through artifacts

* Deep persistence with malware on the USB wire and supply chain attacks

* Mobile: exploits in the chip

* Enterprise perimeters: devastating vulnerabilities in enterprise perimeter security devices from major vendors.

* Localhost API attacks


--US Natural Gas Pipeline Operator Hit with Ransomware

(February 18 & 19, 2020)

According to an advisory from the US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA), networks at a natural gas compression facility were infected with ransomware. The incident is believed to be the same one reported by the US Coast Guard in December 2019. The initial vector of attack was a phishing email; the malware then made its way from an office computer through the IT network to the operational technology (OT) network.

[Editor Comments]

[Neely] Network isolation often includes the need to interact with and transfer data to other non-isolated systems. Using a trusted gateway or one-way link reduces the risks, and data transfer processes still need active anti-malware protections.


[Murray] One should not pass up an opportunity to remind management that e-mail (and browsing) should be isolated from mission critical applications. We cannot tolerate a situation where the cost of compromise of the enterprise is equal to that of social engineering any one of many users. Consider a combination of strong authentication, restrictive (as opposed to promiscuous or permissive) access control policy, and end-to-end application-layer encryption.

Read more in:

US-CERT: Alert (AA20-049A) Ransomware Impacting Pipeline Operations

Ars Technica: A US gas pipeline operator was infected by malware--your questions answered

The Register: When the air gap is the space between the ears: A natural gas plant let ransomware spread from office IT to ops

SC Magazine: CISA issues warns critical infrastructure sectors after successful ransomware attack on pipeline operator

ZDNet: DHS says ransomware hit US gas pipeline operator

Ars Technica: US natural gas operator shuts down for 2 days after being infected by ransomware

BBC: Ransomware-hit US gas pipeline shut for two days

Threatpost: U.S. Pipeline Disrupted by Ransomware Attack

Fifth Domain: Could this attack signal the future of ransomware?

The Hill: DHS warns of cyber threats to critical systems after attack on pipeline operator

NextGov: CISA Shares Details About Ransomware that Shut Down Pipeline Operator


--Citrix Says Hackers Had Access to its Networks for Five Months

(February 19, 2020)

Hackers maintained an "intermittent" presence inside Citrix networks for five months, according to a February 10, 2020, letter the company sent to users affected by the breach. Between October 13, 2018 and March 8, 2019, the hackers stole data belonging to employees, contractors, interns, and job candidates. Citrix first learned of the breach in March 2019, when the FBI notified the company that hackers had likely accessed the company's internal network. The FBI told Citrix that the intruders may have used "password spraying" attacks to gain access.

[Editor Comments]

[Neely] As Citrix is often deployed at the perimeter to provide a virtual desktop on the corporate network, like VPN servers, it is a prime target of attack, and warrants similar monitoring and security oversight. Be sure to apply Citrix's recently released patch for CVE-2019-19781.


[Pescatore] I guess whoever wrote the Citrix letter has never tried to sell a house where the real estate listing said "Termites had intermittent access to the structure..."

Read more in:

KrebsOnSecurity: Hackers Were Inside Citrix for Five Months
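Password spraying is the pattern the FBI pointed Citrix to: one source tries a small number of common passwords against many accounts, staying under the per-account lockout threshold that would trip a classic brute-force rule. The following detection logic is an added example written for this issue, not Citrix's code or anything from the Krebs report. It assumes a hypothetical gateway login-audit format (the sample lines are constructed) and flags a source that fails against many distinct users with few attempts per user inside a sliding window, then reports any account that source succeeded on in the same window.

```python
"""Password-spray detection over authentication logs.

Added example, not from the newsletter or Citrix. Distinguishes a spray
(few passwords, many users) from brute force (many passwords, one user):
alert when one source fails against many distinct accounts with only a
few attempts per account inside a sliding window.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical gateway login-audit format.
# 203.0.113.5 sprays six accounts and lands on 'frank'; 198.51.100.9 is a
# single-account brute force; 192.0.2.44 is a user who mistyped once.
SAMPLE_LOG = """\
2020-02-14T02:00:01Z src=203.0.113.5 user=alice result=FAIL
2020-02-14T02:00:03Z src=203.0.113.5 user=bob result=FAIL
2020-02-14T02:00:05Z src=203.0.113.5 user=carol result=FAIL
2020-02-14T02:00:07Z src=203.0.113.5 user=dave result=FAIL
2020-02-14T02:00:09Z src=203.0.113.5 user=erin result=FAIL
2020-02-14T02:00:11Z src=203.0.113.5 user=frank result=SUCCESS
2020-02-14T02:01:00Z src=198.51.100.9 user=alice result=FAIL
2020-02-14T02:01:02Z src=198.51.100.9 user=alice result=FAIL
2020-02-14T02:01:04Z src=198.51.100.9 user=alice result=FAIL
2020-02-14T02:01:06Z src=198.51.100.9 user=alice result=FAIL
2020-02-14T02:01:08Z src=198.51.100.9 user=alice result=FAIL
2020-02-14T02:01:10Z src=198.51.100.9 user=alice result=FAIL
2020-02-14T09:15:00Z src=192.0.2.44 user=grace result=FAIL
2020-02-14T09:15:20Z src=192.0.2.44 user=grace result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(text):
    """Turn audit lines into (timestamp, src, user, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of aborting the scan
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"]))
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {src: {"users": n, "successes": [...]}} for sources that spray.

    A source is flagged when, within any window of its own events, it fails
    against at least `min_users` distinct accounts and no single account
    sees more than `max_per_user` failures (the under-lockout signature).
    """
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start so evs[start:end+1] spans <= window
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            fails = defaultdict(int)
            for _, _, user, result in window_evs:
                if result == "FAIL":
                    fails[user] += 1
            if len(fails) >= min_users and max(fails.values()) <= max_per_user:
                succ = {u for _, _, u, r in window_evs if r == "SUCCESS"}
                alerts[src] = {"users": len(fails), "successes": sorted(succ)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"SPRAY from {src}: {info['users']} accounts, "
              f"succeeded on {info['successes'] or 'none'}")
```

The brute-force source is deliberately not flagged here: it trips a normal per-account lockout or failed-login rule, whereas the spray only shows up when you pivot on the source and count distinct accounts. Tune `min_users` and `window` to the size of your user base, and run the same logic over success events alone to catch a spray that rotated source addresses.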

****************************  SPONSORED LINKS  ******************************

1) Free Event | Hear from successful and empowering women in the SANS Women in Cybersecurity Forum on April 24th. Register:

2) Webcast March 4th at 1 PM ET: State of Cloud and Threats. Register:

3) Don't miss this webcast to see how you can leverage endpoint detection and response in AWS investigations:




--Ring Now Requires 2FA

(February 18 & 19, 2020)

Ring now requires all users of its camera doorbell products to use two-factor authentication (2FA) when signing into their accounts. Previously, 2FA was optional. The decision follows reports of serious security issues, including not alerting users of failed login attempts and not limiting the number of login attempts.   

[Editor Comments]

[Ullrich] Good move by Ring (and maybe a bit overdue). It looks like the public pressure caused by several news items about compromised accounts got to them. Google recently implemented similar measures for its Nest devices.

[Pescatore] All movement away from reliance on reusable passwords is good movement, though not security nirvana. But, millions of consumers are being nudged towards increased use of multi-factor authentication - a good reason to try to make the same progress on enterprise user logins as a key element in fighting phishing attacks.

[Neely] Enable 2FA on all services which offer it. Make it a habit to check periodically on services that didn't offer it previously to see if it is offered, and enable it. Also review trusted devices allowed to access the service without 2FA. Set up login alerts, if supported, for visibility into account accesses.


[Murray] Consumers are not nearly as resistant to strong authentication as enterprises are, and as enterprise management seems to believe everyone is. The use of reusable passwords must be restricted to trivial applications (or applications where fraudulent use will be immediately obvious.) "Convenience" is no longer sufficient justification. (In many applications and environments, one-time passwords are more convenient than mandated periodic changes.)

Read more in:

Ring: Extra Layers of Security and Control

SC Magazine: Ring mandating 2FA logins, ceases some third-party activity

ZDNet: Ring to enable 2FA for all user accounts after recent hacks

CNET: Ring makes two-factor sign-in mandatory for its video doorbells, security cameras

Threatpost: Ring Mandates 2FA After Rash of Hacks


--Cisco Security Updates Include Fix for Smart Software Manager Static Password Issue

(February 19 & 20, 2020)

Cisco has released patches to address 17 security issues in several products, including a critical static password flaw in Cisco Smart Software Manager On-Prem. The release also includes fixes for six high-severity vulnerabilities.

[Editor Comments]

[Murray] This may not be the result of mere error. History suggests that programmers are reluctant to give total control of their product to users and may use static passwords as long-term back doors.

Read more in:

The Register: Oi, Cisco! Who left the 'high privilege' login for Smart Software Manager just sitting out in the open?

ZDNet: Cisco critical bug: Static password in Smart Software Manager - patch now, says Cisco

Cisco: Cisco Smart Software Manager On-Prem Static Default Credential Vulnerability


--MGM Resorts Acknowledges 2019 Data Breach

(February 19, 2020)

MGM Resorts has disclosed that personal information belonging to more than 10.6 million people who stayed at MGM hotels has been posted to an online hacking forum. Attackers gained unauthorized access to a cloud server last summer.

Read more in:

ZDNet: Exclusive: Details of 10.6 million MGM hotel guests posted on a hacking forum

Threatpost: MGM Grand Breach Leaked Details of 10.6 Million Guests Last Summer

SC Magazine: MGM admits to 2019 data breach affecting 10.6 million customers


--Swiss Government Says Ransomware Poses Threat to Small and Medium Enterprises

(February 19 & 20, 2020)

The Swiss Government's Reporting and Analysis Centre for Information Assurance (MELANI) says that "ransomware continues to pose a significant security risk to small and medium enterprises." MELANI "has dealt with more than a dozen ransomware cases" in the past few weeks alone. MELANI's analysis of the incidents concluded that most affected organizations did not have adequate IT security and did not adhere to best practices. The alert lists weaknesses that were used as "gateways" for attack: lack of anti-virus software or ignoring or not taking seriously anti-virus warnings; poorly protected remote access procedures; ignoring or not taking seriously notifications from authorities; not maintaining offline backups; ineffective patch and lifecycle management; lack of network segmentation; and excessive user privileges.

[Editor Comments]

[Ullrich] I think this report pretty much sums up the current ransomware issue: Ransomware is an indicator of poor security controls and not implementing "best practices". Just as with other "commodity" malware like crypto coin miners, you should always be watching out for what else took advantage of these missing controls.

Read more in:

MELANI: Beware: Ransomware continues to pose a significant security risk for SMEs

Bleeping Computer: Swiss Govt Says Ransomware Victims Ignored Warnings, Had Poor Security

Infosecurity Magazine: Ransomware Wreaks Havoc Across Europe


--US, UK, and Others Blame Russia's GRU for Republic of Georgia Cyberattacks

(February 20, 2020)

The US, the UK, Australia, and a number of EU countries have formally blamed Russia's military intelligence (GRU) for launching cyberattacks against targets in the Republic of Georgia in October 2019. Thousands of websites were defaced or taken down, and two television stations' broadcasts were disrupted.

Read more in:

Wired: The US Blames Russia's GRU for Sweeping Cyberattacks in Georgia

ZDNet: US, UK formally blame Russia for mass-defacement of Georgian websites

BBC: UK says Russia's GRU behind massive Georgia cyber-attack

Cyberscoop: In rare move, State Department calls out Russia for attacks on Georgia last year

The Hill: Pompeo, foreign partners condemn Russian cyberattack on country of Georgia

NYT: U.S. and Allies Blame Russia for Cyberattack on Georgia


--Adobe Issues Out-of-Cycle Fixes for Critical Flaws

(February 19 & 20, 2020)

Adobe has released out-of-cycle fixes for two critical flaws that could be exploited to allow code execution. The affected products are Adobe After Effects and Adobe Media Encoder. Both flaws are out-of-bounds write vulnerabilities.

[Editor Comments]

[Ullrich] According to Adobe, these flaws are unlikely to be exploited, but they can lead to arbitrary remote code execution. I don't think these are "emergency" patches, but they were not released on Adobe's normal patch Tuesday.

Read more in:

Threatpost: Critical Adobe Flaws Fixed in Out-of-Band Update

ZDNet: Adobe releases out-of-band patch for critical code execution vulnerabilities

Adobe: Security Updates Available for Adobe After Effects | APSB20-09

Adobe: Security Updates Available for Adobe Media Encoder | APSB20-10


--ISS World Suffers Ransomware Attack

(February 19 & 20, 2020)

Copenhagen-based ISS World has acknowledged that its internal network was hit with ransomware on Monday, February 17. A company spokesperson said ISS World "immediately disabled access to shared IT services across our sites and countries, which ensured the isolation of the incident." ISS World provides facilities management services, such as cleaning and catering; it has 500,000 employees worldwide.  

Read more in:

BBC: ISS World: Hack leaves half a million employees without computers

ISS World hack leaves thousands of employees offline

Reuters: Danish services company ISS hit by malware attack

Computer Weekly: Facilities firm ISS World crippled by ransomware attack


--2,000 UK Government Mobile Devices Reported Missing in Span of One Year

(February 20, 2020)

Over the past year, more than 2,000 UK government mobile devices, including smartphones, laptops, and external storage devices, have been reported missing. More than 1,800 of the devices are believed to be encrypted, but even one unencrypted device in the hands of the wrong individual could expose sensitive data. At least eight UK government departments say they have never been audited by the Information Commissioner's Office (ICO); others reported that their last audit was several years ago.   

[Editor Comments]

[Pescatore] There are about 3M UK central government employees; let's just assume an average of 1 phone/laptop/storage device per employee, which is probably low. 2,000 lost out of 3M is under .1% - a very low number. I think typical average rates for mobile phone losses per year are in the 4% range. 90% of the lost devices having encryption turned on is strong progress from previous years where this same type of report came out in the UK. Enterprises: how do your loss rates and encrypted device percentages compare to the UK government?

[Neely]  Current guidance for protecting mobile devices: Both iOS and Android (version 6+) support encryption of the device and can be managed by your MDM (mobile device management software). That will require a passcode to access the device; otherwise it is transparent to the user. Make sure the device passcode strength/option is commensurate with the data protected. Additionally, options exist to sandbox applications with further encryption, but investigate the trade-off between security and usability before rolling them out. Include sending a device wipe in your lost-device reporting processes, along with a good definition of what lost means, including duration.

Read more in:

Infosecurity Magazine: Over 2000 UK Government Devices Go Missing in a Year


--Swatting Arrest

(February 12 & 18, 2020)

A 19-year-old has been arrested in connection with multiple swatting, cyberstalking, and hacking incidents. Tristan Rowe has been charged with cyberstalking and unauthorized access to a computer. Each charge carries a maximum penalty of five years in prison.  

Read more in:

Infosecurity Magazine: US Teen Arrested Over Alleged Swatting and Cyberstalking

Justice: Tennessee Man Arrested For Engaging In Multi-Year Cyberstalking And Computer Hacking Campaign


--Android Linux Kernel Code Changes Introduce New Vulnerabilities

(February 12, 13, & 18, 2020)

A Google Project Zero researcher says that some smartphone makers are modifying the Android Linux kernel to protect devices from attacks, which can actually introduce new exploitable weaknesses. Jann Horn writes, "I believe that device-specific kernel modifications would be better off either being upstreamed or moved into userspace drivers, where they can be implemented in safer programming languages and/or sandboxed, and at the same time won't complicate updates to newer kernel releases."

[Editor Comments]

[Neely] While this flaw is specific to the Samsung kernel extensions that support their Galaxy A50 devices, and relies on a race condition to exploit, device manufacturers often need to extend the Android OS to support their specific hardware. As such, when purchasing a non-Google-provided device, make sure the vendor has a proven track record with security. Samsung has a record of providing security features back to the community, such as their FIPS certified encryption library, and will address this flaw rapidly.

Read more in:

Google Project Zero: Mitigations are attack surface, too

Duo: Changes in Kernel Code Created New Security Bugs in Android Devices

ZDNet: Google to Samsung: Stop messing with Linux kernel code. It's hurting Android security


--Apple Will Shorten Duration of Certificate Trust in Safari

(February 20, 2020)

Beginning September 1, 2020, Apple's Safari browser will no longer trust HTTPS certificates issued on or after that date whose validity period exceeds 13 months (398 days). Certificates issued before September 1 may still be valid for up to 27 months (825 days) from their creation dates. Apple announced the change at a Certification Authority Browser Forum meeting earlier this week.

[Editor Comments]

[Ullrich] No issue if you are using automatic certificate renewals via Let's Encrypt. However, this is going to get messy for people who are using internal certificate authorities and if you have a lot of certificates to renew for devices that cannot use a simple scripted system to renew certificates. Now may be a good time to look into a good certificate management solution if you haven't done so.

[Neely] Apple has not yet updated their guidance on certificate trust requirements. These changes are intended to raise the bar on trustworthiness of sites claiming to be secure. When issuing shorter-lived certificates, support that with automated processes to alert, if not auto renew, to avoid lapses in coverage.

Read more in:

The Register: Apple drops a bomb on long-life HTTPS certificates: Safari to snub new security certs valid for more than 13 months
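For anyone inventorying an internal CA or a fleet of appliances ahead of the cutover, the rule above reduces to two numbers keyed on the issue date. The check below is an added example, not Apple's code or anything published by the CA/Browser Forum: it assumes that "created" means the certificate's notBefore field, takes the two lines that `openssl x509 -noout -startdate -enddate -in cert.pem` prints (the sample outputs are constructed), and reports whether the lifetime is within the limit Safari will apply.

```python
"""Check a certificate's validity period against the Safari lifetime rule.

Added example, not Apple's code. Rule as described in the article:
  issued on/after 2020-09-01 UTC  -> validity must be <= 398 days
  issued before  2020-09-01 UTC   -> validity must be <= 825 days
Input is the text printed by:  openssl x509 -noout -startdate -enddate
"""
from datetime import datetime, timedelta, timezone

CUTOFF = datetime(2020, 9, 1, tzinfo=timezone.utc)  # policy start date
MAX_DAYS_NEW = 398   # certificates issued on or after CUTOFF
MAX_DAYS_OLD = 825   # certificates issued before CUTOFF

# Constructed sample outputs (openssl's "notBefore=Sep  2 ..." format).
OLD_CERT = "notBefore=Aug 15 00:00:00 2020 GMT\nnotAfter=Aug 15 00:00:00 2022 GMT\n"
NEW_CERT_TOO_LONG = "notBefore=Sep  2 00:00:00 2020 GMT\nnotAfter=Sep  2 00:00:00 2022 GMT\n"
NEW_CERT_OK = "notBefore=Sep  2 00:00:00 2020 GMT\nnotAfter=Oct  5 00:00:00 2021 GMT\n"


def parse_openssl_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    found = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition("=")
        if key in ("notBefore", "notAfter"):
            # openssl prints e.g. "Sep  2 00:00:00 2020 GMT"; strptime treats
            # the run of spaces in the format as "any whitespace"
            dt = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y GMT")
            found[key] = dt.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("need both notBefore and notAfter lines")
    return found["notBefore"], found["notAfter"]


def safari_verdict(not_before, not_after):
    """Return (allowed, lifetime_days, limit_days) for one certificate."""
    limit = MAX_DAYS_NEW if not_before >= CUTOFF else MAX_DAYS_OLD
    lifetime = not_after - not_before
    return lifetime <= timedelta(days=limit), lifetime.days, limit


def check_openssl_output(text):
    """Convenience wrapper: openssl date lines in, verdict tuple out."""
    return safari_verdict(*parse_openssl_dates(text))


if __name__ == "__main__":
    for label, sample in [("old", OLD_CERT), ("new/too long", NEW_CERT_TOO_LONG),
                          ("new/ok", NEW_CERT_OK)]:
        ok, days, limit = check_openssl_output(sample)
        print(f"{label:13s} lifetime={days}d limit={limit}d -> "
              f"{'trusted' if ok else 'REJECTED by Safari'}")
```

Feed it a directory of PEM files with `for f in *.pem; do openssl x509 -noout -startdate -enddate -in "$f"; done` piped into `parse_openssl_dates` per pair of lines, and anything reported as rejected needs reissuing with a 398-day or shorter lifetime before it is deployed. The limit is inclusive, so a certificate of exactly 398 days passes; one day more does not.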




Discovering Contents of Folders Without Permission

Enumerating Who "Owns" a Workstation for IR

Ring Enforces 2FA

Iranians Finally Discover VPN Vulnerabilities

WordPress ThemeGrill Auth Bypass

SQL Server RCE Exploit

Ransomware in Switzerland

SonicWall Vulnerabilities

Peripheral Vulnerabilities in Windows and Linux

Cisco Updates

Python ReDoS Bugs

Special Update for Adobe After Effects and Media Encoder

Apple To No Longer Accept Certificates as Valid that Exceed a Lifetime of 13 months


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit