SANS Open-Source Intelligence (OSINT) Summit & Training offers immersive cyber security courses and a free Summit!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #38

May 12, 2020

Mini-Netwars on Thursday; Ransomware Lessons Learned; Nation State Hackers Targeted COVID Drug Manufacturer

For all our technical readers: Challenge yourself on the mini Netwars this Thursday and Friday. Substantial bragging rights for those who do well, and it is free. The top 400 scorers will qualify for the Jupiter Rockets range at the Pen Test HackFest and Cyber Ranges Summit on June 4.

The PenTest HackFest and Cyber Range Summit on June 4-5 is already the largest gathering of active cyber professionals this Spring. According to Ed Skoudis, it's the only place where you can try your skills against the full array of professional and other cyber ranges, including Core NetWars Tournament, the Jupiter Rockets Pen Test range, and the Cyber Fundamentals CtF. There's also a track on the newest threat vectors and the appropriate defenses. The whole program is a gift from SANS to the technical security community - there is no cost, but with 2,000 people already registered there are only about 1,200 places left.


SANS NewsBites                 May 12, 2020                Vol. 22, Num. 038




  Lessons Learned From Analysis of Ransomware Attacks

  Nation State Hackers Targeted Pharmaceutical Company That Makes Drug Being Used to Treat COVID-19


  Diebold Nixdorf Suffered Ransomware Attack Last Month

  Pitney Bowes Detects Ransomware Attack, Prevents Data Encryption

  Texas Court System Hit With Ransomware

  Data Stolen From NYC Law Firm in Ransomware Attack

  German University Takes Systems Offline in Wake of Ransomware Attack

  Samsung Releases Fix for Critical Zero-click Flaw

  DHS's CISA Says Online Voting Has Significant Security Risks

  MITRE Releases APT29 Emulation Test Results for Products From 21 Vendors

  Virginia State Government Website Subdomains Hijacked

  Thunderspy Data Stealing Attack


*********************  Sponsored By AWS Marketplace  ************************

How to Implement a Software-Defined Network Security Fabric in AWS. Learn how to create and implement a policy-driven software-defined network (SDN) architecture in the cloud and hear real-world use cases of successful implementations that have been deployed in Amazon Web Services (AWS) environments. Thursday, May 14, 2 PM ET.



SANS Training is 100% Online, with two convenient ways to complete a course:

OnDemand  | Live Online



Keep your skills sharp with SANS Online Training:

.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications

Test drive a course:

Choose a great promo offer* through May 13 with OnDemand or Live Online training:

*    Get a 10.2" iPad (34GB)

*    Samsung Galaxy Tab A

*    Take $250 Off

*Restrictions apply, see Terms & Conditions online


Hot OnDemand Courses:

SEC401: Security Essentials Bootcamp Style |

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling |

SEC560: Network Penetration Testing and Ethical Hacking |

FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics |


Upcoming Live Online Events:


2-Day Firehose Training | May 26-29


Cloud Security Summit & Training 2020 | May 26-June 5


Pen Test Hackfest & Cyber Ranges Summit 2020 | June 4-13


SANSFIRE 2020 | June 13-20


2-Day Firehose Training | June 29-30


SANS Summer Surge: Wave 1 | July 6-11


In Person Training:

SANS Network Security 2020 | Las Vegas, NV | September 20-27



View the full SANS course catalog and skills roadmap.



Any course you have or will purchase is protected by the SANS Training Guarantee.





--Lessons Learned From Analysis of Ransomware Attacks

(May 7 & 11, 2020)

In a Threat Research report, Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents, FireEye takes a close look at MAZE ransomware. The report draws from FireEye Mandiant Threat Intelligence's experience responding to multiple incidents as well as "research into the MAZE ecosystem and operations."

[Editor Comments]

[Neely] The FireEye report provides insight into how the various Maze teams operate as well as indicators of compromise. The affiliate model of Maze distribution suggests the TTPs will continue to change over time. It is worth noting that the initial compromise is not just users falling for a phishing attack, but also may be via exposed vulnerable services such as RDP or VDI services using compromised accounts. The call to action is ransomware protection, which includes both user awareness and due diligence, particularly for the security of internet facing services. At a minimum, enable multi-factor authentication and limit account access so compromised credentials cannot be readily used for maleficence.

[Pescatore] Several ransomware news items in this issue of NewsBites - the FireEye report around MAZE serves as a good summary of most ransomware incidents. Two major ways initial compromise was gained: (a) targeted phishing via email; and (b) exploitation of glaring lack of basic security hygiene in patching, server configuration and privilege management. The techniques used for lateral movement included sophisticated "living off the land" exploits but plenty of success from simple techniques like searching for files containing the text "password." SANS published a "2020 Threat Trends Report" with advice from SANS instructors Ed Skoudis, Heather Mahalik and Johannes Ullrich on this and related threat areas:

[Murray] One interesting finding is that the attacks are a team effort, involving multiple skilled parties, using a black market to cooperate, collaborate, and coordinate.

Read more in:

Cyberscoop: What one cybersecurity company has learned from responding to Maze ransomware

FireEye: Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents


--Nation State Hackers Targeted Pharmaceutical Company That Makes Drug Being Used to Treat COVID-19

(May 8, 2020)

Suspected nation-state hackers have reportedly targeted employees of a company that makes Remdesivir, a drug that has shown promise in speeding up recovery of patients suffering from COVID-19. The hackers attempted to trick employees of Gilead Science, Inc., into disclosing their email account credentials. The US Food and Drug Administration (FDA) last week granted the drug emergency use authorization. The US and Britain have recently warned that nation-state-backed hackers are increasingly targeting organizations involved with developing treatments for COVID-19.

[Editor Comments]

[Murray] Enterprises with significant intellectual property should be using strong authentication.

Read more in:

Reuters: Exclusive: Iran-linked hackers recently targeted coronavirus drugmaker Gilead - sources


*****************************  SPONSORED LINKS  *****************************

1) Download Splunk's IT Security Predictions 2020 to learn how to best protect your organization, and your data, against a fast-approaching future.

2) Oil & Gas Solutions Forum | Join Jason Dely and invited guest speakers for this free virtual event on July 10th!

3) Survey | Share with SANS how your organization is extending DevSecOps security controls into the cloud.




--Diebold Nixdorf Suffered Ransomware Attack Last Month

(May 11, 2020)

Diebold Nixdorf, which makes automated teller machines (ATMs), point-of-sale systems, and related software, was hit with a ransomware attack in April. The company's security team detected unusual activity on the corporate network on Saturday, April 25; they started disconnecting systems to prevent the malware from spreading further. Diebold says it did not pay the ransom.  

[Editor Comments]

[Skoudis] Today's NewsBites could be called "The Ransomware Round-Up." Ransomware clearly is a preferred attack mechanism today, with attackers increasingly not only encrypting the data, but also stealing it and threatening public disclosure unless they are paid. Based on that evolution of these attacks, I found this quote from Lawrence Abrams of BleepingComputer really thought provoking: "Every ransomware attack has to be treated as a data breach now."

Read more in:

KrebsOnSecurity: Ransomware Hit ATM Giant Diebold Nixdorf


--Pitney Bowes Detects Ransomware Attack, Prevents Data Encryption

(May 11, 2020)

Mailing services and equipment company Pitney Bowes has suffered a second ransomware attack. The company managed to detect the most recent attack and stop it before any data were encrypted. However, the attackers, who used Maze ransomware, claim they have stolen data from the company and are threatening to publish it. Pitney Bowes was also the target of an October 2019 ransomware attack that caused limited downtime for some package tracking systems. The ransomware used in that attack was Ryuk.

Read more in:

ZDNet: Package delivery giant Pitney Bowes confirms second ransomware attack in 7 months

Bleeping Computer: Maze ransomware fails to encrypt Pitney Bowes, steals files


--Texas Court System Hit With Ransomware

(May 11, 2020)

The Texas courts system became infected with ransomware late last week; the incident was detected early on Friday, May 8. Websites and servers were disabled to prevent the malware from spreading further. The Office of Court Administration administrative director says they do not plan to pay the ransom.

Read more in:

Gizmodo: Texas Courts System Hit by Ransomware Attack

Bleeping Computer: Texas Courts hit by ransomware, network disabled to limit spread


--Data Stolen From NYC Law Firm in Ransomware Attack

(May 8 & 12, 2020)

A New York City law firm has been hit with REvil (also known as Sodinokibi) ransomware. The attackers are threatening to expose data they claim to have stolen from the firm's systems. They plan to release the data in nine stages unless the firm pays the ransom demand. The law firm, Grubman Shire Meiselas & Sacks, has a large number of high-profile clients.

Read more in:

Infosecurity Magazine: Celebrity Data Stolen in Ransomware Attack on NYC Law Firm

The Register: Papa don't breach: Contracts, personal info on Madonna, Lady Gaga, Elton John, others swiped in celeb law firm 'hack'


--German University Takes Systems Offline in Wake of Ransomware Attack

(May 7, 2020)

A ransomware attack against IT systems at Ruhr-Universitaet Bochum has forced the German university to take down portions of the network, including backup systems. Last week, the university announced that "Due to significant technical problems in the IT infrastructure, a large number of systems have not been available since around 8 a.m. on Thursday, May 7, 2020." Users are unable to access the university's email system or the school's VPN tunnel.

[Editor Comments]

[Murray] We need to dramatically raise the cost of attacks, starting with strong authentication, "least privilege" access control, system to system isolation (think "zero trust") among other measures. We must not continue to fund this growing extortion cabal. We have known what to do more than a decade. If not now, when?

Read more in:

Bleeping Computer: Ruhr University Bochum shuts down servers after ransomware attack

Heise: (in German) Ruhr-Universitaet Bochum: Ransomware-Befall bestaetigt, Stoerungen dauern an (Ruhr University Bochum: Ransomware infestation confirmed, disruptions continue)


--Samsung Releases Fix for Critical Zero-click Flaw

(May 6, 7, & 8, 2020)

Samsung has made an update available to address a critical zero-click vulnerability that affects devices running Android versions 4.4.4 and later. The flaw could be exploited to assume permissions and privileges granted to Samsung Messenger; no user interaction is required. The issue lies in a problem with the way Android's Skia graphics library handles .qmg images.

[Editor Comments]

[Neely] The Qmage image format, developed by Quarmsoft, is Samsung-specific. While the exploit takes 50-100 messages to bypass ASLR, it is possible to send those messages without triggering device alerts, and requires no user action to exploit, making this a very stealthy attack. While the update applies to a wide range of devices, check Samsung's Android Security Updates page to make sure your device is in scope for updates, particularly if it is more than three years old.

[Murray] Safe operation of Android devices requires cooperation between vendors, carriers, and knowledgeable end users. Nice people do not give such devices to children or the elderly.

Read more in:

ZDNet: Samsung patches 0-click vulnerability impacting all smartphones sold since 2014

SC Magazine: Zero-click vulnerability found in Samsung mobile phones

Forbes: Samsung Confirms Critical Security Issue For Millions: Every Galaxy After 2014 Affected


--DHS's CISA Says Online Voting Has Significant Security Risks

(May 11, 2020)

In an advisory to election officials and voting vendors, the US Department of Homeland Security's (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warned that online voting "faces significant security risks to the confidentiality, integrity, and availability of voted ballots." Other agencies, including the FBI, the Election Assistance Commission (EAC), and the National Institute of Standards and Technology (NIST), have signed off on the guidance.

[Editor Comments]

[Skoudis] It's interesting to see this comment come in the same issue as the Diebold ransomware story.

[Murray] The response to the Pandemic demonstrates the need for online voting. Surely we can do as good a job online with purpose-built apps as the banks do. Surely we can do as good a job as is done with paper, rubber stamps, and double envelopes. We cannot continue to allow the perfect to be the enemy of good enough.

Read more in:

Cyberscoop: DHS memo: 'Significant' security risks presented by online voting


--MITRE Releases APT29 Emulation Test Results for Products From 21 Vendors

(April 21 & May 8, 2020)

MITRE has released the results of evaluations of security products' response to attacks that emulated the activity of the APT29 hacking group. In all, products from 21 vendors were evaluated.

[Editor Comments]

[Honan] This is worth reading, not necessarily to determine how the various products fared in the testing, but to get an understanding as to how threat actors attack your network and how to prevent that happening.

Read more in:

FNN: Mitre puts cybersecurity vendors to the test

MITRE: MITRE Releases Results of Evaluations of 21 Cybersecurity Products

MITRE: ZATT&CK Evaluations | APT29 | Results

MITRE: ATT&CK Evaluations | APT29 Emulation


--Virginia State Government Website Subdomains Hijacked

(May 8, 2020)

Two subdomains of the state of Virginia's official government website were hijacked by hackers who set up what appear to be suspicious e-book sites. A researcher with the Electronic Frontier Foundation (EFF) found the sites and contacted Motherboard. After Motherboard notified the State of Virginia, the sites were taken down. A spokesperson for Virginia's state government says they plan to "undertake a full audit of the domain to verify the hosting and content responsibilities across the platform."

Read more in:

Vice: Hackers Turned Virginia Government Websites Into Elaborate eBooks Scam Pages


--Thunderspy Data Stealing Attack

(May 10 & 11, 2020)

A researcher from Eindhoven University of Technology in the Netherlands has discovered an attack that allows attackers to steal data from Windows and Linux devices that have Thunderbolt ports. Exploiting the vulnerability, known as Thunderspy, requires physical access to the targeted device.

[Editor Comments]

[Ullrich] To exploit this vulnerability, an attacker has to have access to your laptop, needs to open it, and then apply new firmware. Exploitability depends on how easy it is to open the device and how easy it is to reach the respective components that need to be patched. With current travel restrictions, attacks are unlikely. But if you ever get to travel again, you could cover your laptops screws in glitter nail polish to make it easier to detect tampering. And as a reminder: There are about 6 or 7 ransomware attack stories in this edition of NewsBites alone. Once you got ransomware under control, this may be an attack worth worrying about.

[Skoudis] While this attack does require physical access to a system, it's still a fascinating approach to undermining the security levels that were... bolted on... to Thunderbolt. Direct Memory Access (DMA) attacks have been around for many years and are based on the idea that, to achieve high speeds, we can have devices and even peripherals talk directly to memory with little involvement of the CPU. That's hard terrain to defend.

[Neely] While the exploit requires physical access, the Thunderbolt bus still needs to be active, so the best mitigation is to not leave systems sleeping, but instead have them powered off or hibernating, particularly when left in a hotel room or vehicle.  

[Honan] While this reads like an exciting vulnerability, it requires the attacker to have unfettered physical access to the device. It is probably a technique that will be more useful for forensic investigators rather than attackers.

Read more in:

Thunderspy: When Lightning Strikes Thrice: Breaking Thunderbolt 3 Security

Wired: Thunderbolt Flaws Expose Millions of PCs to Hands-On Hacking

ZDNet: Thunderbolt flaws affect millions of computers - even locking unattended devices won't help

Threatpost: Millions of Thunderbolt-Equipped Devices Open to 'ThunderSpy' Attack

Bleeping Computer: New Thunderbolt security flaws affect systems shipped before 2019



YARA 4.0.0 Released


Excel 4 Macro Analysis: XLMMacroDeobfuscator


vBulletin Vulnerability


MacOS 2FA Application Trojan


LinkedIn Phish


VMWare Patches vRealize to Address SaltStack Vulnerabilities


Samsung Patches Android RCE Vulnerabilities


ThunderSpy Thunderbolt Attack




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit