
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #35

May 1, 2020
U.K. Launches Virtual Cyber School, Students Become Cyber Protection Agents; Ransomware Targeting Healthcare and Cited in SEC Filings


SANS NewsBites                 May 1, 2020                 Vol. 22, Num. 035



  U.K. Launches Virtual Cyber School

  Ransomware Groups Targeting Healthcare Organizations

  Ransomware Mentioned More Frequently in SEC Filings


  Contact Tracing Technology Raises Concerns

  Adobe Releases Fixes for Vulnerabilities in Magento, Illustrator, and Bridge

  Estonian Internal Security Service Report Discloses eMail Compromise

  Microsoft Warns of Malware in Pirated Movie Files

  Fix Available for WordPress Real-Time Find and Replace Plugin Vulnerability

  Updates Available to Address Flaws in WordPress Remote Learning Plugins

  Twitter Eliminates SMS Services in Most Countries

  Switzerland's GovCERT Warns of Phishing Schemes Targeting Domain Owners

  CISA Updates Office 365 Security Best Practices to Address Telework Concerns


*****************  Sponsored By Palo Alto Networks  *************************

Transforming Detection and Response: A SANS Review of Cortex XDR. Extended detection and response (XDR) are security teams' secret weapon to uncover attacks and reduce incident response times. In this product review webcast, SANS instructor and security expert Matt Bromiley and Palo Alto Networks' Senior Product Marketing Manager Kasey Cross explore how Cortex XDR is transforming detection and response. May 6th at 1PM ET. http://www.sans.org/info/216265



SANS Training is 100% Online, with two convenient ways to complete a course:

OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online

Keep your skills sharp with SANS Online Training:

- The world's top cybersecurity courses

- Taught by real world practitioners

- Ideal preparation for more than 30 GIAC Certifications

Test drive a course: https://www.sans.org/course-preview

Get a 10.2" iPad (34GB), Samsung Galaxy Tab A, or Take $250 Off through May 13 with OnDemand or Live Online training.



Upcoming Live Online Events:

Security West 2020 | May 11-16

- https://www.sans.org/event/security-west-2020

2-Day Firehose Training | May 26-29

- https://www.sans.org/event/2-day-firehose-training-may27-2020

Cloud Security Summit & Training 2020 | May 26-June 5

- https://www.sans.org/event/cloud-security-summit-2020

Rocky Mountain Hackfest Summit & Training 2020 | June 4-13

- https://www.sans.org/event/rockymountainhackfest-summit-2020

SANSFIRE 2020 | June 13-20

- https://www.sans.org/event/sansfire-2020

2-Day Firehose Training | June 29-30

- https://www.sans.org/event/2-day-firehose-training-jun29-2020

In Person Training:

SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap

Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee




--U.K. Launches Virtual Cyber School

(May 1, 2020)

The UK Government is inviting all high school students in England, Scotland, Wales, and Northern Ireland to join a virtual cyber security school as part of plans to make sure the country develops the next generation of professional cyber defenders. At a time when schools remain closed to most children, the online initiative aims to inspire future talent to work in the cyber security sector and give students a variety of extracurricular activities they can do from the safety of their homes. By becoming gamified "cyber protection agents," teens learn how to crack codes, fix security flaws and dissect criminals' digital trails while progressing through the game as a cyber agent. This will help them develop important skills needed for future jobs, particularly in cyber security.  

[Editor Comments]

[Paller] This program also will enable the UK to identify and nurture elite cyber talent early, just as the Israeli government identifies and supports young cyber talent who are then guided into its world-class national cyber programs. Talented students spend hundreds of hours demonstrating their high aptitude for success in cybersecurity and honing their cyber skills.

Read more at:

GOV.UK: New virtual cyber school gives teens chance to try out as cyber security agents from home


Daily Mail: UK government launches free virtual 'cyber school' that gives teenagers in lockdown the chance to try out as cyber security agents from home


ZDNET: This new cybersecurity school will teach kids to crack codes from home


The Telegraph: Security services launch virtual lessons for children during coronavirus lockdown


UK Authority: Government opens Virtual Cyber School for teenagers



--Ransomware Groups Targeting Healthcare Organizations

(April 28, 2020)

Research from Microsoft shows that ransomware groups are increasingly targeting healthcare organizations and other critical industries. Several of the groups gained access to targeted systems months before they launched the attacks.  

[Editor Comments]

[Pescatore] The Microsoft blog entry starts off with a useful checklist of the patch vulnerabilities (and misconfigurations) being exploited: CVE-2019-11510, CVE-2019-0604, CVE-2020-0688 and CVE-2020-10189. Especially if you are in healthcare, good to check those - they include vulnerabilities in security perimeter equipment. Johannes Ullrich of SANS covered this area in his portion of the SANS Threat panel at the RSA conference, and SANS just published a white paper with more detail on that and other current attack trends emphasizing ransomware - available at https://www.sans.org/webcasts/top-attacks-threat-report-112665.

Read more in:

Wired: The Covid-19 Pandemic Reveals Ransomware's Long Game


Microsoft: Ransomware groups continue to target healthcare, critical services; here's how to reduce risk



--Ransomware Mentioned More Frequently in SEC Filings

(April 30, 2020)

More than 1,000 US Securities and Exchange Commission (SEC) filings over the past year have listed ransomware as a potential risk factor. Reasons for the increased mentions of ransomware include 2018 SEC guidance asking that companies be more forthcoming about the cybersecurity risks they face; ransomware groups targeting organizations rather than individuals; and significant increases in the amount of money the ransomware groups are demanding.

[Editor Comments]

[Pescatore] SEC filings are getting to be like drug commercials on TV - more time spent on the risks than on the benefits! The first time I remember ransomware being mentioned in an SEC filing was after the FedEx TNT Express business unit suffered a $300M outage due to NotPetya back in 2017. Now, it is just part of a long litany of risks. The National Association of Corporate Directors reports that about 1/3 of SEC filings have already included mention of Coronavirus impact.

Read more in:

ZDNet: Ransomware mentioned in 1,000+ SEC filings over the past year


*****************************  SPONSORED LINKS  ******************************

1) Poll | Take the SANS 2020 Work from Home Poll and tell us how you're carrying out business from afar! Poll closes May 4th. http://www.sans.org/info/216270

2) SANS is proud to support Law Enforcement professionals experiencing hardship funding their training efforts.  Different Programs are available to offer significant flexibility toward SANS courses. Learn more: http://www.sans.org/info/216275

3) Cloud Security Summit & Training 2020 - SANS Live Online | May 28 - June 6. http://www.sans.org/info/216280





--Contact Tracing Technology Raises Concerns

(April 28 & 29, 2020)

Several groups have expressed concerns about privacy issues in contact tracing apps, which are being developed to let people know if they have come in contact with someone who has COVID-19. The Electronic Frontier Foundation (EFF) is concerned that the COVID-19 contact tracing technology being developed by Apple and Google could be used by malicious actors to gather private information. In the UK, scientists and researchers have signed a joint statement expressing concerns about the NHS's plans to use a contact tracing app, saying that the technology should be analyzed by experts in privacy and security. And in Australia, security experts who examined the COVIDSafe app say that it presents privacy and security issues.

[Editor Comments]

[Pescatore] Any app used for something as critical as infection contact tracing needs to be bulletproof - written with security as a top priority and thoroughly reviewed and tested by experts. But there will need to be some individual privacy tradeoffs accepted to make gains in reopening economies while limiting new outbreaks.

[Neely] A Washington Post study found that 3 of 5 Americans say they are unwilling or unable to use the infection alert system under development by Apple and Google, which may impede or undermine the mission of these applications. Without verifiable claims of proper privacy and security handling, wide-spread adoption may be impossible. https://www.washingtonpost.com/technology/2020/04/29/most-americans-are-not-willing-or-able-use-an-app-tracking-coronavirus-infections-thats-problem-big-techs-plan-slow-pandemic/.

[Paller] When people are concerned for the health of their families, they make compromises on other priorities. If using a tracing app will allow them to keep their families safe, my guess is that a vast majority of people will accept some lessening of their privacy.

Read more in:

Threatpost: EFF: Google, Apple's Contact-Tracing System Open to Cyberattacks


SC Magazine: Google, Apple tighten protections on contact tracing; Americans worry over privacy


ZDNet: Security experts warn: Don't let contact-tracing app lead to surveillance


The Register: Australian contact-tracing app leaks telling info and increases chances of third-party tracking, say security folks



--Adobe Releases Fixes for Vulnerabilities in Magento, Illustrator, and Bridge

(April 28 & 29, 2020)

Adobe has fixed a total of 35 vulnerabilities in its Magento, Illustrator, and Bridge products. Twenty-five of the flaws are rated critical; some of these could be exploited to allow remote code execution. These updates were released outside of Adobe's scheduled monthly updates.

Read more in:

Bleeping Computer: Adobe fixes critical vulnerabilities in Magento and Illustrator


ZDNet: Adobe patches critical code, corruption bugs across Bridge, Illustrator, Magento


Threatpost: Critical Adobe Illustrator, Bridge and Magento Flaws Patched


The Register: In trying times like these, it's reassuring to know you can still get pwned five different ways by Adobe Illustrator files


Adobe: Recent bulletins and advisories



--Estonian Internal Security Service Report Discloses eMail Compromise

(April 29, 2020)

According to a recently published report from the Estonian Internal Security Service, hackers hijacked "a small number of [Mail.ee] email accounts belonging to persons of interest to a foreign country." The incident occurred last year, and the vulnerability the hackers exploited at Mail.ee has been fixed.

Read more in:

ZDNet: Estonia: Foreign hackers breached local email provider for targeted attacks



--Microsoft Warns of Malware in Pirated Movie Files

(April 28 & 29, 2020)

Bootlegged movies on some torrent sites have been found to contain malware, according to a warning from Microsoft. The attack appears to be primarily targeting users in Spain, Mexico, and South America. The malware tries to install cryptocurrency mining software on infected devices.

[Editor Comments]

[Neely] Explaining the down-side of pirated movie sites can be very challenging for older or financially limited friends and family members looking for home entertainment. The risk of malware causing harm that costs them more in the long run than a legitimate streaming service may be a sufficient enticement. You may need to hand-hold users through the process to ensure they are no longer accessing sources of pirated content.

[Pescatore] Good to use this one to remind those working at home that if they or anyone in their house is trying to save $5 to $20 a month by going to the pirated video sites (often with dodgy domain extensions) then every computer on their home network is at risk of compromise. Paying for a few months of streaming services while everyone is stuck at home will be way less expensive in the long run.

Read more in:

Cyberscoop: Microsoft warns of malware-laced 'John Wick 3,' 'Contagion' movie torrents


Bleeping Computer: Microsoft warns of malware surprise pushed via pirated movies


Dark Reading: Microsoft Warns of Malware Hidden in Pirated Film Files


Twitter: Microsoft Security Intelligence



--Fix Available for WordPress Real-Time Find and Replace Plugin Vulnerability

(April 27 & 28, 2020)

A cross-site request forgery vulnerability in the WordPress Real-Time Find and Replace plugin could be exploited "to inject a new administrative user account, steal session cookies, or redirect users to a malicious site." The flaw allows attackers to replace code on vulnerable websites. The issue was detected earlier this month and the developer has addressed the vulnerability; users are urged to update to Real-Time Find and Replace version 4.0.2.

[Editor Comments]

[Neely] Plugin issues will continue. Beyond keeping them updated, assessing their value add versus the risk of compromise should be performed at least annually. Retired and unused plugins should be uninstalled, not just disabled, to leave no trace of potentially exploitable code.

Read more in:

Wordfence: High Severity Vulnerability Patched in Real-Time Find and Replace Plugin


Threatpost: WordPress Plugin Bug Opens 100K Websites to Compromise


Bleeping Computer: WordPress plugin bug lets hackers create rogue admin accounts



--Updates Available to Address Flaws in WordPress Remote Learning Plugins

(April 30, 2020)

Researchers have found critical flaws in three WordPress plugins used for online learning: LearnPress, LearnDash, and LifterLMS. The vulnerabilities could be exploited to change grades, steal information, cheat on exams, or elevate privileges. There are updated versions for all three plugins that address the flaws.

Read more in:

Dark Reading: Researchers Find Vulnerabilities in Popular Remote Learning Plug-ins


Bleeping Computer: Bugs in WordPress plugins for online courses let students cheat


Threatpost: Critical WordPress e-Learning Plugin Bugs Open Door to Cheating



--Twitter Eliminates SMS Services in Most Countries

(April 27, 28, & 29, 2020)

Twitter has switched off its Twitter via SMS service in most countries around the world due to security concerns. Twitter has also purged millions of dormant accounts that had been created over SMS. Twitter temporarily eliminated the ability to tweet via text last fall after CEO Jack Dorsey's account was hijacked. Twitter is still using SMS for two-factor authentication and account verification.

[Editor Comments]

[Murray] The security of out-of-band mechanisms, such as the distribution of one-time passwords via SMS and e-mail, relies in part upon the control exercised by those who provision addresses and phone numbers and those who maintain account profiles. The success of so-called "SIM-swapping" attacks suggests that those people are no less vulnerable to "social engineering" than those who click on the bait in "phishing" messages. All security mechanisms should be relied upon only in the context of their limitations.

Read more in:

Infosecurity Magazine: Twitter Switches Off SMS Services for Security Reasons


Mashable: Twitter quietly deletes millions of accounts from the old text message days


Bleeping Computer: Twitter kills SMS-based tweeting in most countries



--Switzerland's GovCERT Warns of Phishing Schemes Targeting Domain Owners

(April 22 & 28, 2020)

Switzerland's Computer Emergency Response Team (GovCERT) has issued a warning about phishing attacks targeting webmasters and domain owners. GovCERT has seen an uptick in the attacks since the beginning of April. The phishing emails have been written in German or French. Users and hosting providers are urged to enable two-factor authentication as well as other steps to protect their accounts.

[Editor Comments]

[Murray] We know that some of the worst security is practiced by administrators. They are likely to have too much privilege and are more likely than most to share IDs and passwords. In addition to strong authentication, Privileged Access Management systems and multi-party controls are indicated.  

Read more in:

Portswigger: Swiss CERT warns of spear-phishing campaign targeting webmasters


Govcert.ch: Phishing Attackers Targeting Webmasters



--CISA Updates Office 365 Security Best Practices to Address Telework Concerns

(April 30, 2020)

The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has updated its security best practices for Microsoft Office 365. The update specifically addresses configuration issues that arise from migrating to cloud-based collaboration.

[Editor Comments]

[Neely] Many organizations have implemented cloud-based services quickly in response to the pandemic. Guides like this should be leveraged to make sure that you have implemented minimum security settings. Tyler Robinson from NISOS suggested I also share NSA's recently published guide for safely selecting and using collaboration services https://media.defense.gov/2020/Apr/24/2002288653/-1/-1/0/CSI-SELECTING-AND-USING-COLLABORATION-SERVICES-SECURELY-SHORT-FINAL.PDF: Selecting and Safely Using Collaboration Services for Telework (PDF)

Read more in:

US-CERT: Microsoft Office 365 Security Recommendations


ZDNet: Microsoft Office 365: US issues security alert over rushed remote deployments


Bleeping Computer: US govt updates Microsoft Office 365 security best practices




  Agent Tesla Delivered by the Same Phishing Campaign for Over a Year

  Privacy Preserving Protocols to Trace Covid19 Exposure

  Collecting IOCs from IMAP Folder

  Attack Traffic on TCP Port 9673

  Google Chrome Update

  Updated Version of Sysmon

  Microsoft Guidance For Ransomware Response

  Adobe Security Patches

  VMWare ESXi Patch

  Shade Ransomware Keys Released

  Exploiting the Exploiters

  Saltstack Authorization Bypass

  Mac Sandbox Escape




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create