
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #27

April 3, 2020

FBI Warning On Zoom Security Issues and More Zoom Info; Microsoft Warns Hospitals of Vulnerabilities in VPN and Gateway Appliances







  FBI Issues Warning About Zoom Security Issues

  Zoom: Two Zero-days Patched; Credential Theft Flaw Not Yet Fixed; Password Problems

  Zoom Founder Says Company Will Focus on Security and Privacy

  Microsoft Warns Hospitals of Vulnerabilities in VPN and Gateway Appliances



  FCC Order Requires Carriers to Implement STIR/SHAKEN Protocol

  Marriott Discloses Second Data Breach in 16 Months

  Microsoft Will Postpone Disabling TLS 1.0 and 1.1 in Browsers

  COVID-19 Malware Overwrites Master Boot Record

  GoDaddy Phishing Attack

  Update Addresses Two Vulnerabilities in WordPress Rank Math SEO Plugin

  Biotech Company Doing COVID-19 Research Hit With Ransomware

  NERC Releases Report on November 2019 Power Grid Security Exercise

  Hackers with Alleged Iranian Ties Have Targeted WHO Staff eMail Accounts




--FBI Issues Warning About Zoom Security Issues

(March 30 & 31, 2020)

The FBI has issued a warning that Zoom and other teleconferencing apps may be vulnerable to hijacking. The FBI advises users not to make meetings or classrooms public, to restrict screen-sharing capability, and to use meeting passwords. Zoom has a "waiting room" feature that allows the host to control who is admitted.

[Editor Comments]

[Honan] Today The Citizen Lab released the results of their examination of the security and privacy features in Zoom (Move Fast & Roll Your Own Crypto: A Quick Look at the Confidentiality of Zoom Meetings). Their findings back up the warnings from the FBI and raise several concerns over how encryption is enabled within the application. However, we need to remember that companies are using Zoom, and other conferencing platforms, to enable them to survive through the COVID-19 pandemic, and companies need to do a risk assessment that suits them. For many companies the warnings from the FBI and The Citizen Lab will be an acceptable risk for them, while for others who may be discussing sensitive data it may not.

[Pescatore] The easy answer is there are more secure alternatives to Zoom and companies should be providing and recommending those. The real answer is that many employees working at home and their families will be using Zoom for the next few months. Security vendor Checkpoint recently put good safe use guidelines for using Zoom at (Who's Zooming Who? Guidelines on How to Use Zoom Safely) and SANS has released a secure work at home awareness kit at (SANS Security Awareness Work-from-Home Deployment Kit). Zoom (see item below) has also pledged to make security job one over the next few months - much needed.

Read more in:

Cyberscoop: FBI warns Zoom, teleconference meetings vulnerable to hijacking

FBI: FBI Warns of Teleconferencing and Online Classroom Hijacking During COVID-19 Pandemic


--Zoom: Two Zero-days Patched; Credential Theft Flaw Not Yet Fixed; Password Problems

(April 1 & 2, 2020)

Fixes are available for two zero-day vulnerabilities in Zoom for macOS; Zoom is working on a fix for a vulnerability that lets attackers steal Windows credentials; and an automated Zoom meeting discovery tool found that many meetings are not password protected.

[Editor Comments]

[Neely] Disclosing vulnerabilities should be done responsibly, and directly to the affected provider prior to a public blog posting to give them time to respond. Zoom has been working to accelerate addressing security issues discovered. Of late, the patches are released as quickly as 24 hours after issue discovery. These discovered issues have been resolved.

[Murray] For reasons of audience convenience, few Zoom meetings employ passwords. However, they are essential for many business applications. Be particularly careful about privileges granted to meeting participants.

Read more in:

Threatpost: Two Zoom Zero-Day Flaws Uncovered

GovInfosecurity: Zoom Rushes Patches for Zero-Day Vulnerabilities

Ars Technica: Attackers can use Zoom to steal users' Windows credentials with no warning

KrebsOnSecurity: 'War Dialing' Tool Exposes Zoom's Password Problems


--Zoom Founder Says Company Will Focus on Security and Privacy

(April 1 & 2, 2020)

Due to the number of people currently working and learning from home, use of the Zoom videoconferencing app has risen sharply from 10 million users in December 2019 to more than 200 million in March 2020. The company has faced complaints about myriad security and privacy issues, including meetings disrupted by intruders, user data being shared with Facebook, and the fact that the app's end-to-end encryption feature does not actually function as end-to-end encryption. The company has taken steps to remedy some of the issues. Zoom's founder Eric Yuan says that the company will spend the next three months working on addressing security issues.

[Editor Comments]

[Pescatore] Zoom's founder came from Cisco where security is the top priority. He should have made security a top requirement from the start. I hope Zoom's Board of Directors is hearing the message - you can help by giving Zoom feedback about how important security is. Their feedback form is at

[Honan] Credit is due to Zoom for how quickly they responded to the issues raised and how openly they have communicated to their users. There are many lessons here for companies to learn on how they can improve their vulnerability management processes.

Read more in:

Zoom: A Message to Our Users

ZDNet: Zoom: We're freezing all new features to sort out security and privacy

Cyberscoop: Zoom founder promises to remedy security, privacy concerns during a 'feature freeze'

CNET: Zoom boss says it'll freeze feature updates to address security issues

Wired: The Zoom Privacy Backlash Is Only Getting Started

The Register: Zoom's end-to-end encryption isn't actually end-to-end at all. Good thing the PM isn't using it for Cabinet calls. Oh, for f...


--Microsoft Warns Hospitals of Vulnerabilities in VPN and Gateway Appliances

(April 1 & 2, 2020)

Microsoft has directly warned hospitals that their virtual private network (VPN) and gateway appliances contain security flaws that are being exploited by attackers behind the REvil/Sodinokibi ransomware. In a blog post, the Microsoft Threat Protection Intelligence Team writes, "Through Microsoft's vast network of threat intelligence sources, we identified several dozens of hospitals with vulnerable gateway and VPN appliances in their infrastructure."

[Editor Comments]

[Pescatore] Johannes Ullrich of SANS Internet Storm Center highlighted these vulnerabilities in his part of the SANS "Five Most Dangerous Attack Techniques and How to Prevent Them" keynote panel at the 2020 RSA Conference - you can see it at (The Five Most Dangerous New Attack Techniques). SANS will present the 2020 Threat Trends report that includes those 5 areas and more, on an April 28th webinar - info at SANS Top New Attacks and Threat Report.

[Murray] Terminate VPNs on the application, not the perimeter and not on an operating system. The additional design, setup, and administration will be more than offset by the reduction in risk.

Read more in:

ZDNet: Coronavirus: Microsoft directly warns hospitals, 'Fix your vulnerable VPN appliances'

Bleeping Computer: Microsoft is Alerting Hospitals Vulnerable to Ransomware Attacks

Infosecurity Magazine: Ransomware Attackers Exploit #COVID19 to Target Hospital VPNs

Microsoft: Microsoft works with healthcare organizations to protect from popular ransomware during COVID-19 crisis: Here's what to do




--FCC Order Requires Carriers to Implement STIR/SHAKEN Protocol

(March 31 & April 1, 2020)

The US Federal Communications Commission (FCC) has unanimously approved an anti-robocall order, which "requires all originating and terminating voice service providers to implement STIR/SHAKEN in the Internet Protocol (IP) portions of their networks by June 30, 2021." This action from the FCC was required as a part of the TRACED Act, which passed Congress and became law in December 2019.

[Editor Comments]

[Neely] While some carriers, including AT&T, Verizon, Sprint and T-Mobile, have voluntarily implemented STIR/SHAKEN, sometimes a regulatory requirement is needed to get resources and commitment to implement security measures. Once implemented, carriers need to verify their solution works with other networks. The last step: users need devices which display the "Caller Verified" notification and have the notification enabled for their account.

[Pescatore] STIR/SHAKEN is the first critical step, providing call authentication - raising the bar against spoofing of the calling number. Congress finally acted on that, a good thing. The next step is another chance for the carriers to raise the bar through rapid voluntary action - the addition of better call analytics to detect malicious calls, even if they are coming from an authenticated calling number. Then apply those same major bar raisers to data traffic.

Read more in:

Ars Technica: FCC requires anti-robocall tech after "voluntary" plan didn't work out [Updated]

Engadget: FCC will require phone carriers to authenticate calls by June 2021

TransNexus: STIR/SHAKEN overview


--Marriott Discloses Second Data Breach in 16 Months

(March 31, 2020)

Marriott International has disclosed a data breach that exposed information belonging to 5.2 million customers. The information was compromised through the use of access credentials belonging to "two employees at a franchise property." In November 2018, Marriott disclosed a breach of the Starwood hotel reservation database that affected nearly 400 million people. Both breaches illustrate the need for organizations to ensure the security not only of their own systems, but also of those of their partners.

[Editor Comments]

[Neely] Judicious use of multi-factor authentication reduces the value of captured credentials. Make sure that all entry points that accept those credentials have the same authentication requirements.

[Pescatore] The lodging industry is obviously hard hit by the travel restrictions to fight the pandemic. This would be a good time for lodging IT operations to upgrade the security of their IT systems, just as they will be upgrading sanitary protections at the facilities.

Read more in:

Marriott: Marriott International: Incident Notification

SC Magazine: New Marriott data breach impacts 5.2 million guests

Wired: Hack Brief: Marriott Got Hacked. Yes, Again

The Register: Marriott Hotels hacked AGAIN: Two compromised employee logins abused to siphon off 5.2m guests' personal info

ZDNet: Marriott discloses new data breach impacting 5.2 million hotel guests

Bleeping Computer: Marriott Reports Data Breach Affecting Up to 5.2 Million Guests


--Microsoft Will Postpone Disabling TLS 1.0 and 1.1 in Browsers

(April 1, 2020)

Microsoft will delay disabling TLS 1.0 and 1.1 in its browsers. The change, originally scheduled for the first half of 2020, will be pushed back to the second half of the year. TLS 1.0 and 1.1 will now be disabled by default "no sooner than Microsoft Edge version 84," scheduled for release in July 2020. The protocols will be disabled by default in Internet Explorer 11 and Microsoft Edge Legacy as of September 8, 2020. Microsoft made the decision to postpone the changes "in light of current global circumstances."

[Editor Comments]

[Neely] Continue to queue up efforts to update services to support TLS 1.2 & 1.3 as, regardless of when the support is deprecated, the perception will be that the problem is with your service rather than their browser.

Read more in:

Windows: Plan for change: TLS 1.0 and TLS 1.1 soon to be disabled by default

The Register: Microsoft finds itself in odd position of sparing elderly, insecure protocols: Grants stay of execution to TLS 1.0, 1.1


--COVID-19 Malware Overwrites Master Boot Record

(April 1 & 2, 2020)

Researchers have identified several strains of coronavirus-themed malware that wipe files or overwrite master boot records on infected computers.

Read more in:

Threatpost: Wiper Malware Called "Coronavirus" Spreads Among Windows Victims

ZDNet: There's now COVID-19 malware that will wipe your PC and rewrite your MBR


--GoDaddy Phishing Attack

(March 31, 2020)

A spear phishing attack that targeted employees of domain name registrar GoDaddy managed to obtain access credentials that allowed the attacker to alter domain settings for at least six GoDaddy customers.

[Editor Comments]

[Neely] Dealing with entities that are trolling domain registries and sending users messages designed to modify their registration is common; attackers are trying to target less savvy associates for success. Additionally, make sure that your registrar accounts use two-factor authentication, your domains are locked, and DNSSEC is enabled. GoDaddy support will help you analyze any unexpected messages if you cannot verify they are genuine on your own.

Read more in:

KrebsOnSecurity: Phish of GoDaddy Employee Jeopardized, Among Others


--Update Addresses Two Vulnerabilities in WordPress Rank Math SEO Plugin

(March 31 & April 1, 2020)

A critical vulnerability in the WordPress Rank Math search engine optimization (SEO) plugin could be exploited to gain elevated privileges. A second, high-severity vulnerability in the same plugin could be exploited to install redirects on a vulnerable website. Users are urged to update to Rank Math version  

[Editor Comments]

[Murray] Plug-ins are a major source of vulnerability in WordPress use and come with few indicators of quality. They may even put other applications at risk. Minimize and maintain those that you use; consider focused penetration testing of them.

Read more in:

WordFence: Critical Vulnerabilities Affecting Over 200,000 Sites Patched in Rank Math SEO Plugin

Threatpost: Critical WordPress Plugin Bug Can Lock Admins Out of Websites

Bleeping Computer: Critical WordPress Plugin Bug Lets Hackers Turn Users Into Admins


--Biotech Company Doing COVID-19 Research Hit With Ransomware

(April 2, 2020)

According to information provided in a financial disclosure filing to the US Securities and Exchange Commission (SEC), biotech company 10x Genomics experienced a ransomware attack in March 2020 in which some company data were stolen. 10x Genomics writes that it has "isolated the source of the attack and restored normal operations with no material day-to-day impact to the Company or the Company's ability to access its data." 10x Genomics, along with other companies around the world, is sequencing cells from people who have recovered from COVID-19 to look for antibodies.

Read more in:

Cyberscoop: Ransomware strikes biotech firm researching possible COVID-19 treatments

Bloomberg: Hackers 'Without Conscience' Target Health-Care Providers

SEC: FORM 8-K | 10x Genomics, Inc.


--NERC Releases Report on November 2019 Power Grid Security Exercise

(April 1, 2020)

The North American Electric Reliability Corporation (NERC) has released its report on the results of the November 2019 GridEx grid security and emergency response exercise. In all, over 7,000 people at more than 500 organizations participated in the exercise, which simulated a malware attack against utilities' industrial control systems. The report includes recommendations from NERC on how to improve grid resilience.

[Editor Comments]

[Murray] It should not come as too big a surprise that the conclusions and recommendations of the exercise report focus on communications among the organizations rather than on the security and resilience of those organizations.

Read more in:

Cyberscoop: North American utilities drill 'GridEx' brings record turnout -- except from supply chain vendors

NERC: GridEx V Grid Security Exercise | Lessons Learned Report March | 2020 (PDF)


--Hackers with Alleged Iranian Ties Have Targeted WHO Staff eMail Accounts

(April 2, 2020)

Hackers with alleged ties to Iran's government have been trying to break into staff members' email accounts at the World Health Organization (WHO) since early March. It is not known whether the phishing attacks succeeded.

Read more in:

Reuters: Exclusive: Hackers linked to Iran target WHO staff emails during coronavirus - sources




Kwampirs Update

Quakbot Malspam Sent From an Infected Windows Host

TPOT Cowrie to ISC Logs

Exposed RDP

D-Link DSL-2640B Vulnerability

SMB 3.1.1 (CVE-2020-0796) Local Privilege Escalation Exploit

SSH Issues After MacOS Update

Cloudflare DNS For Families

Zoom Leaks Windows Password Hashes via UNC Links

More Zoom Vulnerabilities

Twitter Cache Bug in Firefox

MS-SQL Server Attack

Covid-19 Economic Impact Payments Scams

Safari Camera Access Bug


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit