
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #39

May 15, 2020

British Research Supercomputer Offline; Patch Tuesday: Microsoft and Adobe


SANS NewsBites                 May 15, 2020                Vol. 22, Num. 039



- ARCHER Supercomputer Offline - Part of Large UK/Global Cyber Event

- Patch Tuesday: Microsoft and Adobe


- US Accuses China of Cyberattacks Aimed at Stealing COVID-19 Research

- Toll Group Says Ransomware Hackers Downloaded Corporate Data

- Customer Data Exfiltrated in Ransomware Attack on Magellan Health

- Scammers Steal Millions from Norwegian State Investment Fund

- CISA Lists Top 10 Most Exploited Vulnerabilities

- Ramsay Cyberespionage Toolkit Targets Air-Gapped Networks

- Privilege Elevation Vulnerability in Google's Site Kit WordPress Plugin

- CISA: Lazarus Hacking Group is Using New Malware

- US Supreme Court Hearing CFAA Case

- UK Power Grid Middleman Suffers Cyberattack




--ARCHER Supercomputer Offline

(May 13 & 14, 2020)

The ARCHER supercomputer, used for academic research in the UK, has been offline since Monday, May 11. According to the ARCHER website, the "incident is part of a much broader issue involving many other sites in the UK and internationally." ARCHER is located at the University of Edinburgh.

[Editor Comments]

[Neely] While unauthorized use of resources or unexpected jobs running on a supercomputer raise flags immediately, campus data center resources are a current target for crypto mining. Raising the bar on authentication is appropriate. Adding multi-factor authentication and deliberate update of SSH keys go a long way towards keeping this in check.

Read more in:

Cyberscoop: Security incident knocks UK supercomputer service offline for days

The Register: Danger zone! Brit research supercomputer ARCHER's login nodes exploited in cyber-attack, admins reset passwords and SSH keys

Archer: Service Status


--Patch Tuesday: Microsoft and Adobe

(May 12 & 13, 2020)

Microsoft's Patch Tuesday for May includes more than 110 fixes. Of those, Microsoft has rated 16 as critical; the rest are rated as important. Adobe's Patch Tuesday release includes fixes for 24 issues in Acrobat and Reader, as well as 12 in the Adobe DNG Software Development Kit.

[Editor Comments]

[Pescatore] A couple of important points: (1) There have been reports of this Microsoft patch release causing more "application error code 0X..." errors than usual, often meaning the update either didn't take, or memory needs were exceeded or there were connectivity issues. The size of the updates and the number of business Windows laptops being updated over marginal home WiFi connectivity could be part of the problem - this is a good month to recheck that all business PCs actually did install the updates. (2) SAP issued a notice about many vulnerabilities in several of their SaaS cloud-based applications and Cisco issued a big list of patches for their ASA appliances and Firepower software, too.

[Neely] Adobe gives this update a priority rating of 2, which means there is an elevated risk but no known exploits, and none are expected imminently. This means pushing the patch with your monthly patch cycle, versus an out-of-band patch, is sufficient and should not distract you from applying the larger Microsoft update.

[Murray] The rate of published "fixes" suggests that there is a reservoir of known and unknown vulnerabilities in these popular products (e.g., operating systems, browsers, readers, content managers). They present an attack surface much larger than the applications for which they are used and cannot be relied upon to resist those attacks. They should not be exposed to the public networks. Hiding them behind firewalls and end-to-end application layer encryption moves from "good" practice to "essential."

Read more in:


KrebsOnSecurity: Microsoft Patch Tuesday, May 2020 Edition

The Register: Sadly, 111 in this story isn't binary. It's decimal. It's the number of security fixes emitted by Microsoft this week

SC Magazine: Microsoft again surpasses 100 vulnerabilities on Patch Tuesday

MSRC: Release Notes | May 2020 Security Updates


SC Magazine: Adobe Reader and Acrobat in the spotlight for Patch Tuesday updates

ZDNet: Adobe issues patches for 36 vulnerabilities in DNG, Reader, Acrobat

Adobe: Security update available for Adobe DNG Software Development Kit (SDK) | APSB20-26

Adobe: Security Update available for Adobe Acrobat and Reader | APSB20-24


--US Accuses China of Cyberattacks Aimed at Stealing COVID-19 Research

(May 13, 2020)

In a joint statement, the US Federal Bureau of Investigation (FBI) and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) accused hackers working on behalf of the People's Republic of China (PRC) of launching cyberattacks against US organizations involved in COVID-19 research and of attempting to steal intellectual property.

Read more in:

CISA: People's Republic of China (PRC) Targeting of COVID-19 Research Organizations (PDF)

ZDNet: US formally accuses China of hacking US entities working on COVID-19 research

SC Magazine: FBI, CISA warn China targeting orgs conducting Covid-19-related vaccine, treatment research

Bleeping Computer: US warns of Chinese hackers targeting COVID-19 research orgs

Cyberscoop: U.S. accuses Chinese hackers of trying to steal coronavirus vaccine research


--Toll Group Says Ransomware Hackers Downloaded Corporate Data

(May 12 & 13, 2020)

Australian shipping company Toll Group said that the hackers behind a recent ransomware attack "downloaded some data stored on [a] corporate server." The Toll Group, which experienced another ransomware attack earlier this year, is determined not to pay the ransom.

[Editor Comments]

[Neely] This appears to be the Nefilim ransomware, which often spreads through unsecure RDP services. It is not yet known if Nefilim operators will threaten to reveal exfiltrated data to ensure payment, as the Maze operators do. The Toll Group claims there was no operational data affected, indicating they not only are aware of what data was on that server, but also that they have taken the necessary steps to assess the risk of that data being exposed.

Read more in:

GovInfosecurity: Toll Group Says Ransomware Attackers Stole Data

Toll Group: Toll IT systems update

--Customer Data Exfiltrated in Ransomware Attack on Magellan Health

(May 12 & 13, 2020)

Arizona-based Magellan Health, Inc., has disclosed that it was the victim of a ransomware attack. The company's systems were initially breached on April 6, 2020, through a phishing email spoofed to appear to come from a client. Magellan detected the ransomware attack on April 11. Between the initial breach and the launch of the ransomware, the attackers exfiltrated data from a company server. The stolen data include customers' personally identifiable information, including names, Social Security numbers, and Taxpayer ID numbers.

[Editor Comments]

[Murray] It is essential that healthcare institutions address their vulnerability to extortion attacks; their ability to perform their mission depends on making improvements. At a minimum, there must be a documented plan or risk acceptance that describes how the institution will respond to such attacks.

Read more in:

SC Magazine: Magellan Health warns ransomware attack exposed PII

Bleeping Computer: Healthcare giant Magellan Health hit by ransomware attack

Document Cloud: Sample Notification Letter (PDF)


--Scammers Steal Millions from Norwegian State Investment Fund

(May 13 & 14, 2020)

Fraudsters stole $10 million from Norfund, Norway's state-owned investment fund for developing countries. The scammers gained access to Norfund's network and spent months laying the groundwork for the theft, monitoring the organization's operations and injecting themselves into communications. The $10 million investment was intended for a Cambodian microfinance organization. The fraudsters infiltrated communications between Norfund and the Cambodian organization over a period of several months. The money that was supposed to go to that organization was instead transferred to an account in Mexico. The fraudulent transaction took place on March 16, 2020, but Norfund did not realize the funds had been stolen until April 30.

Read more in:

Norfund: Norfund Has Been Exposed to a Serious Case Of Fraud

The Register: There's Norway you're going to believe this: World's largest sovereign wealth fund conned out of $10m in cyber-attack

Bleeping Computer: Scammers steal $10 million from Norway's state investment fund

Cyberscoop: Scammers steal $10 million from Norfund, the largest sovereign wealth fund


--CISA Lists Top 10 Most Exploited Vulnerabilities

(May 12, 13, & 14, 2020)

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has released a list of the 10 vulnerabilities most commonly exploited by foreign hackers between 2016 and 2019. CISA has also listed the vulnerabilities that are most frequently being exploited in 2020. The alert includes a listing of indicators of compromise and mitigations for each of the vulnerabilities. CISA notes that "a concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are more costly and less widely effective."

[Editor Comments]

[Pescatore] Pay particular attention to the ones listed for 2020 - the vulnerabilities in VPN (and other security) appliances being exploited is something Johannes Ullrich pointed out in the SANS Top New Attack Trends keynote at RSA. The scanning for misconfigured cloud applications is an ongoing issue, but the rush to cloud-based teleconferencing and storage/collaboration apps to support Work From Home has made misconfigurations even more likely.

[Neely] Note that the vulnerabilities are listed by CVE which are then summarized, such as vulnerabilities in Microsoft OLE. Mitigations start with basic cyber hygiene - timely application of patches and following security configuration guides. Leverage continuous monitoring, including scanning and testing, to verify products remain updated and secure.

Read more in:

US-CERT: Top 10 Routinely Exploited Vulnerabilities

Nextgov: CISA Releases Top 10 Most Routinely Exploited Vulnerabilities

The Register: US-CERT lists the 10 most-exploited security bugs and, yeah, it's mostly Microsoft holes people forgot to patch

Dark Reading: Attackers Routinely Use Older Vulnerabilities to Exploit Businesses, US Cyber Agency Warns

Bleeping Computer: US govt shares list of most exploited vulnerabilities since 2016


--Ramsay Cyberespionage Toolkit Targets Air-Gapped Networks

(May 13 & 14, 2020)

Researchers at ESET have found samples of malware that steals information from air-gapped networks. The cyber-espionage toolkit, dubbed Ramsay, appears to be under development; each of the three samples contains new features. Each of the three has been used to conduct attacks through varying attack vectors.

[Editor Comments]

[Neely] The ESET research provides information about how the malware spreads, actions it can provide, and how it gathers and exfiltrates data, as well as IOCs to aid discovery and response. Ramsay appears to share roots with the PLANEPATCH and Retro malware strains. There is no explicit information on how data from air-gapped computers is accessed; the assumption is that data would be intercepted when transferred to those systems over thumb drives or by an attacker with physical access to target systems. The use of a media kiosk, which prevents transfer of malware and direct insertion of media from one system to another, could prevent the transfer of the malware to the air-gapped system; this would not prevent the capture of data from media inserted into a connected compromised system.

Read more in:

WeLiveSecurity: Ramsay: A cyber-espionage toolkit tailored for air-gapped networks

Dark Reading: New Cyber-Espionage Framework Dubbed Ramsay

Threatpost: Ramsay Malware Targets Air-Gapped Networks

Bleeping Computer: New Ramsay malware steals files from air-gapped computers

Cyberscoop: Researchers expose new malware designed to steal data from air-gapped networks

GovInfosecurity: Cyber-Espionage Malware Targets Air-Gapped Networks: Report


--Privilege Elevation Vulnerability in Google's Site Kit WordPress Plugin

(May 13, 2020)

A critical flaw in Google's Site Kit WordPress plugin could be exploited to access vulnerable sites' Google Search Console. The privilege elevation vulnerability could be exploited "to modify sitemaps, remove pages from Google search engine result pages (SERPs), or to facilitate black hat SEO campaigns." Google was alerted to the problem on April 21, 2020, and a fix was released on May 7.

[Editor Comments]

[Neely] WordPress plugin weaknesses remain a popular target of exploitation. As the plugins are run with privileges needed to modify the entire WordPress site and installation, any weakness, when exploited, can be significant. While there are ways to convert a site to read only, that requires new processes for updating content and software which may outweigh the benefits or the overhead of judicious monitoring and updating of your site.

Read more in:

Wordfence: Vulnerability in Google WordPress Plugin Grants Attacker Search Console Access

GitHub: google / site-kit-wp

Bleeping Computer: Google WordPress plugin bug can be exploited for black hat SEO


--CISA: Lazarus Hacking Group is Using New Malware

(May 12 & 14, 2020)

The Cybersecurity and Infrastructure Security Agency (CISA) has released three Malware Analysis Reports detailing new variants of malware that are being used by hackers acting on behalf of North Korea's government. The new malware variants are a remote access tool called Copperhedge and two Trojans, known as Taintedscribe and Pebbledash.

Read more in:

US-CERT: North Korean Malicious Cyber Activity

GovInfosecurity: Group Behind WannaCry Now Using New Malware

DUO: US Exposes New North Korean Malware Tools


--US Supreme Court Hearing CFAA Case

(May 14, 2020)

The US Supreme Court is hearing a case that could affect the way the Computer Fraud and Abuse Act (CFAA) is enforced. The case involves a police officer who used his access to law enforcement databases to conduct a search in return for payment. Circuit courts are not in agreement about the scope of the CFAA. Some say there has to be deliberate malicious hacking for a CFAA violation; others say that merely violating terms of service is sufficient.

[Editor Comments]

[Murray] It seems unlikely that the SCOTUS can "fix" the CFAA, written when most access to computers was by insiders. Congress must undertake the thankless job of crafting a law that will outlaw abuse and misuse of computer applications and the Internet while minimizing unintended consequences. Drafting such a law will be difficult but not impossible.

Read more in:

Portswigger: US Computer Fraud and Abuse Act: How an upcoming Supreme Court ruling could have serious ramifications for ethical hackers


--UK Power Grid Middleman Suffers Cyberattack

(May 14, 2020)

British power grid middleman Elexon has suffered a cyberattack that affected its internal IT systems. In a bulletin posted to its website, the company provided few details about the incident, but did note that they "are unable to send or receive any emails." The company said on Thursday that it has found the "root cause" of the problem.

Read more in:

Elexon Portal: BSC Bulletin 335 - ELEXON's internal IT systems have been impacted by a cyber attack

ZDNet: UK electricity middleman hit by cyber-attack

Cyberscoop: Cyberattack hits internal IT systems of key player in British power market



- Microsoft Patch Tuesday

- Adobe Security Updates

- Top Exploited Vulnerabilities

- ISC Handler Series (SANSFIRE)

- Rethinking Severity

- Malspam with Links to ZIP Archives Pushes Dridex Malware

- Android Applications Expose Firebase Databases

- More Magecart Sighted

- Glitter vs. Thunderspy

- Ramsay Cyber Espionage Toolkit

- Windows DNS over HTTPS Preview

- Zerodium Drops Payouts For iOS/Safari Exploits

- BigIP Edge Client Vulnerability



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is a member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit