Last day to save $150 off Offensive Operations courses during SANS Pen Test & Offensive Training 2021!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #37

May 8, 2020

Surging Ransomware Cases: Healthcare, Energy, and Toll Group (Again); New WordPress Vulnerabilities Put Websites at Risk


SANS NewsBites                  May 8, 2020                Vol. 22, Num. 037



  Snake Ransomware Hits Major European Healthcare Company's Systems

  Toll Group Systems Infected with Ransomware Again

  Ransomware Strikes Taiwan Energy Company

  Hackers Take Aim at Cross-Site Scripting Flaws in WordPress Sites



  GitHub Code-Scanning Tools for Open-Source Projects

  Several Thousand Salt Servers Remain Unpatched

  NYC Department of Education Approves Improved Zoom Platform

  Zoom Acquires Keybase in Effort to Improve Security Issues

  Cisco Updates Include Fixes for a Dozen High Severity Flaws Affecting ASA and Firepower Software

  German Authorities Charge Alleged Bundestag Hacker

  InfinityBlack Hacking Group Operations Dismantled

  Firefox Update Fixes 11 Vulnerabilities

  Vulnerabilities in Schneider Electric Products


*********************  Sponsored By Netskope  ******************************

Join Netskope's Cloud Security Workshop. Are you really ready to provide safe access to cloud services and keep pace with new threats? Register for Netskope's complimentary cloud security workshop! Take control over your web services. Get 5 CPE credits and hands-on experience with Next Gen Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) solutions built for the cloud.  



SANS Training is 100% Online, with two convenient ways to complete a course:

OnDemand  | Live Online



Keep your skills sharp with SANS Online Training:

.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications

Test drive a course:

Get a 10.2" iPad (34GB), Samsung Galaxy Tab A, or Take $250 Off through May 13 with OnDemand or Live Online training.


Upcoming Live Online Events:

2-Day Firehose Training | May 26-29


Cloud Security Summit & Training 2020 | May 26-June 5


Pen Test Hackfest & Cyber Ranges Summit 2020 | June 4-13


SANSFIRE 2020 | June 13-20


2-Day Firehose Training | June 29-30


SANS Summer Surge: Wave 1 | July 6-11


In Person Training:

SANS Network Security 2020 | Las Vegas, NV | September 20-27



View the full SANS course catalog and skills roadmap.



Any course you have or will purchase is protected by the SANS Training Guarantee.






--Snake Ransomware Hits Major European Healthcare Company's Systems

(May 6 & 7, 2020)

IT systems belonging to Fresenius, a European healthcare conglomerate, were hit with ransomware earlier this month. The ransomware used in the attack has been identified as Snake, which has recently been used in attacks against a variety of large businesses.

[Editor Comments]

[Murray] The healthcare industry is a target of choice for extortion attacks. Within the industry, attacks succeed against targets of opportunity. Healthcare enterprises should raise the cost to their attackers high enough not to be targets of opportunity. "Targets of opportunity" are, almost by definition, on the flat part of the security cost curve where one can get a significant reduction in the cost of losses for every dollar spent.  

Read more in:                                                       

KrebsOnSecurity: Europe's Largest Private Hospital Operator Fresenius Hit by Ransomware

Golem: Schadsoftware beeintraechtigt Produktion bei Fresenius (malware affects production at Fresenius) (in German)

Cyberscoop: European health care giant Fresenius Group grappling with computer virus

SC Magazine: No reprieve for health care orgs as ransomware hits hospital operator, plastic surgeons

ZDNet: Major European private hospital operator struck by ransomware

Bleeping Computer: Large scale Snake Ransomware campaign targets healthcare, more


--Toll Group Systems Infected with Ransomware Again

(May 6, 2020)

IT systems belonging to Australian transportation and logistics company Toll Group have been hit with ransomware for the second time since the beginning of the year. On Tuesday, May 5, Toll acknowledged that they "took the precautionary step yesterday of shutting down certain IT systems after [they] detected unusual activity on some of [their] servers." The ransomware used in the attack has been identified as Nefilim. The ransomware used in the attack earlier this year was identified as MailTo, also known as Netwalker.

[Editor Comments]

[Neely] The tricky part here is the second attack was delivered through vulnerable RDP servers while the first used phishing emails, indicating that while one vector was hardened the other was missed. If you must offer RDP services, follow best practice guides for securing them, including use of multi-factor authentication, secure gateways and restrictions on which accounts can use RDP. Make sure that incident response procedures include validation of your entire security posture not just the vector exploited.

Read more in:

Toll Group: Toll IT systems update

The Register: Transport biz Toll Group suffers second ransomware infection in just three months

ZDNet: Logistics giant Toll Group hit by ransomware for the second time in three months

Threatpost: Ransomware Attack Takes Down Toll Group Systems, Again


--Ransomware Strikes Taiwan Energy Company

(May 5, 2020)

Taiwan's state-owned energy company, CPC Corp., has reportedly been hit with ransomware. The attack did not disrupt CPC's energy production, but some customers had trouble using CPC payment cards to buy fuel.

Read more in:

Cyberscoop: Taiwan's state-owned energy company suffers ransomware attack


--Hackers Take Aim at Cross-Site Scripting Flaws in WordPress Sites

(May 5 & 6, 2020)

The Wordfence Threat Intelligence Team has observed a significant increase in attempted attacks targeting cross-site scripting (XSS) vulnerabilities in WordPress sites over the past 10 days. The number of these attacks is 30 times what Wordfence normally sees. The attacks are likely the work of a single hacking group.  

[Editor Comments]

[Neely] These attacks are targeting five WordPress plugins: Easy2Map, Total Donations (both of which are discontinued), Blog Designer, WP GDPR Compliance, and the Newspaper Theme, which have updates. Removal of the discontinued plugins is the best mitigation. Note that while Wordfence offers a security plugin for WordPress that both monitors and will perform automated updates of plugins, removal of discontinued plugins is still manual.

[Paller] There is hard data showing the most frequently exploited vulnerability in government agencies and, by extension in smaller organizations and not-for-profits is WordPress (because of the carelessness of the developers of the plug-ins) and the other content management systems. Allowing people to deploy WordPress-based websites may well be seen as actionable negligence unless additional mitigating controls are implemented.

Read more in:

SC Magazine: 900,000 WordPress sites attacked via XSS vulnerabilities

ZDNet: A hacker group tried to hijack 900,000 WordPress sites over the last week

Wordfence: Nearly a Million WP Sites Targeted in Large-Scale Attacks

*****************************  SPONSORED LINKS  ******************************

1) Survey | Take the SANS 2020 Enterprise Cloud Incident Response Survey.

2) Webcast May 13th at 12:30 PM MDT: Arming your SOC with SOAR in Today's Threat Landscape.

3) Webcast May 11th at 1PM ET: Enabling Consistent Multi-Cloud Security, Forensics and Incident Response.





--GitHub Code-Scanning Tools for Open-Source Projects

(May 6, 2020)

GitHub is offering its automated code-scanning tools to open-source projects at no cost. The GitHub Advanced Security Suite includes the Semmle code scanning tool, which GitHub acquired last fall, as well as tools that can scan repositories for data that should not be exposed, like passwords and private keys.

[Editor Comments]

[Pescatore] Even before Microsoft acquired GitHub back in 2018, Microsoft had been using Semmle on Windows code. The pricing for GitHub Advanced Security doesn't seem to be public yet. One of the news items says scanning will be free of charge, a good thing.

Read more in:

Read more in:

Wired: GitHub Takes Aim at Open Source Software Vulnerabilities

The Register: GitHub blasts code-scanning tool into all open-source projects

Portswigger: GitHub showcases new code-scanning security tools at virtual event


--Several Thousand Salt Servers Remain Unpatched

(March 5 & 6, 2020)

Over the past few weeks, hackers have been exploiting vulnerabilities in unpatched versions of the Salt configuration management tool. While many servers have been patched against the exploit, there are still several thousand that remain vulnerable. Organizations that have been breached include DigiCert, LineageOS, Ghost, and Algolia. Users are urged to patch their systems as soon as possible.

[Editor Comments]

[Neely] In addition to patching SaltStack, be sure to follow the Salt hardening guide, which recommends restricting who can login, use SSH Keys with a passphrase and not making the Salt server internet accessible. Salt Hardening Guide: Hardening Salt

Read more in:

The Register: More Salt in their wounds: DigiCert hit as hackers wriggle through (patched) holes in buggy config tool

Duo: Thousands of SaltStack Servers Patched, But Many Still Vulnerable

SC Magazine: Salt exploit attacks expose underestimated threat vector: Infrastructure-as-Code tools

ZDNet: Search provider Algolia discloses security incident due to Salt vulnerability


--NYC Department of Education Approves Improved Zoom Platform

(May 7, 2020)

The New York City Department of Education has approved a specially tailored Zoom platform to use for remote learning. Last month, the NYC Department of Education banned the use of Zoom due to privacy concerns. In a statement, the NYC Schools Chancellor said that "Zoom has addressed vulnerabilities over the last few weeks and effective immediately, our community can safely use the Department of Education licensed Zoom account for remote learning."

[Editor Comments]

[Murray] Properly configured and set up, Zoom was probably always sufficiently secure for K-12 instruction. In an abundance of caution and in response to reports about exploitation of Zoom, the NYC Department of Education "banned" its use. It is to the credit of Zoom and the Department that the ban has now been lifted. Zoom is "free" for educational institutions and represents a major contribution in the response to school closures.  

Read more in:

SC Magazine: New York City schools OK tailored Zoom platform for remote learning


--Zoom Acquires Keybase in Effort to Improve Security Issues

(May 7, 2020)

Video conferencing platform company Zoom has acquired security company Keybase, which will help Zoom implement stronger encryption. The improved encryption service will be available to paid versions of Zoom.

[Editor Comments]                                                          

[Pescatore] Zoom is following the path many other fast growth tech startups (like Microsoft, Salesforce and Google) followed when they were forced by customers to realize security is critical. Zoom is continuing to live up to its CEO's promise to focus on security and encryption (and especially key management) -  something that is easy to do badly and complex to do right - especially at scale. Keybase has been around for 6 years, was early to sign up for bug bounty programs to make sure vulnerabilities in their code were exposed and fixed, and also paid for a professional audit of their product and made the results public - all good signs.       

[Neely] Keybase focuses on key management which essential for getting end-to-end encryption right, which will help address concerns over Zoom's current security implementation. There are no plans to eliminate the existing functions of Keybase; there are new products planned and updates to Zoom to leverage Keybase's services. The current ZoomBot client will allow a Zoom meeting to be started from your Keybase client.

Read more in:

ZDNet: Zoom acquires encryption startup Keybase

CNBC: Zoom buys Keybase -- its first acquisition -- as part of 90-day plan to fix security flaws

Cyberscoop: Zoom acquires Keybase to beef up encryption, ease security questions

CNET: Zoom security issues: Zoom buys security company, aims for end-to-end encryption

Threatpost: Zoom Beefs Up End-to-End Encryption to Thwart 'Zoombombers'

Zoom: Zoom Acquires Keybase and Announces Goal of Developing the Most Broadly Used Enterprise End-to-End Encryption Offering


--Cisco Updates Include Fixes for a Dozen High Severity Flaws Affecting ASA and Firepower Software

(May 7, 2020)

Cisco has released fixes for a total of 34 security issues in a range of products. Twelve of the vulnerabilities are rated high severity; they affect Cisco Adaptive Security Appliance (ASA) software and Firepower Threat Defense (FTD) software.  

Read more in:

ZDNet: Cisco: These 12 high-severity bugs in ASA and Firepower security software need patching

Duo: Cisco Fixes Kerberos Authentication Bypass Bug in ASA Software

Threatpost: Cisco Fixes High-Severity Flaws In Firepower Security Software, ASA

Cisco: Cisco Security Advisories


--German Authorities Charge Alleged Bundestag Hacker

(May 5, 2020)

Authorities in Germany have issued an arrest warrant for an individual who allegedly  hacked the internal network of the German Parliament (Bundestag) five years ago. Dmitriy Sergeyevich Badin allegedly conducted the attacks as part of a cyberespionage campaign on behalf of the Russian military. Badin, who remains at large, is also wanted in the US in connection with cyberattacks against the Democratic National Committee and the World Anti-Doping Agency.

Read more in:

ZDNet: German authorities charge Russian hacker for 2015 Bundestag hack


--InfinityBlack Hacking Group Operations Dismantled

(May 5 & 6, 2020)

Law enforcement authorities in Poland and Switzerland, with help from Europol, and Eurojust, have dismantled the InfinityBlack hacking group's operations. Five people were arrested in Poland late last month. Police seized electronic equipment, external hard drives, and hardware cryptocurrency wallets; they also shut down platforms that held databases with more than 170 million entries. The group sold stolen user credentials with a particular focus on loyalty reward account credentials.

Read more in:

Europol: Hacker Group Selling Databases With Millions of User Credentials Busted in Poland and Switzerland

Threatpost: InfinityBlack Dismantled After Selling Millions of Credentials

ZDNet: Europol arrests hackers behind Infinity Black hacker group

Bleeping Computer: InfinityBlack hacker group dismantled by European authorities


--Firefox Update Fixes 11 Vulnerabilities

(May 7, 2020)

Mozilla has released updates for Firefox and Firefox ESR to address a total of 11 security issues. Three of the flaws are rated critical. The most recent versions of the browsers are Firefox 76 and Firefox ESR 68.8.

[Editor Comments]

[Murray] Isolate browsing (and e-mail) from sensitive applications. Prefer purpose-built clients to browsers.  

Read more in:

SC Magazine: Mozilla patches three critical vulnerabilities in Firefox

Mozilla: Mozilla Foundation Security Advisory 2020-16 | Security Vulnerabilities fixed in Firefox 76


--Vulnerabilities in Schneider Electric Products

(May 7, 2020)

Security flaws in Schneider's SoMachine Basic v1.6 and Schneider Electric M221, firmware version, Programmable Logic Controller (PLC) can be exploited to take control of vulnerable systems. The flaws can be used to intercept, modify, and resend commands between the engineering software and the PLC. Schneider has made a fix available for SoMachine Basic v1.6 and is working on a fix for the second issue.

[Editor Comments]

[Murray] For most applications and environments, prefer to attach PLCs only to private networks.

Read more in:

SC Magazine: Vulnerabilities in two Schneider Electric ICS products reminiscent of Stuxnet

Trustwave: Attacking SCADA: Vulnerabilities in Schneider Electric SoMachine and M221 PLC (CVE-2017-6034 and CVE-2020-7489)

Trustwave: Trustwave SpiderLabs Security Advisory TWSL2020-001: Multiple Vulnerabilities in Schneider Electric Products




Do Cloud Security Features Replace Personnel Security Capabilities?


Keeping an Eye on Malicious Files' Life Time


Scanning With NMAP NSE Scripts


Citrix ShareFile Storage Zones Controller Update


Android Update


Firefox Update


Dell OS Recovery Image Insecure Inherited Permissions


WordPress Update


Fake Crypto Wallet Chrome Extensions


Favicon Hides Credit Card Skimmer


WebEx Phishing


iOS Psychic Paper Vulnerability


World Password Day


Cisco Kerberos Bypass


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit