
Volume XXII - Issue #3

January 10, 2020

U.S. National Cybersecurity Talent Discovery Program Launches on Monday; Consolidating Congressional Cybersecurity Oversight

The U.S. National high school cybersecurity talent discovery program launches Monday. Students play a game (CyberStart) to learn whether they have the aptitude to excel in cybersecurity; no teacher expertise in cyber or computers is required. NSF support this year enables high school students in every state to participate. See the first story in Top of the News.


SANS NewsBites               January 10, 2020              Vol. 22, Num. 003



  The U.S. National High School Cybersecurity Talent Discovery Program Launches on Monday

  Consolidating Cybersecurity Oversight in Congress



  Attackers Infected Travelex with Ransomware Through Known Pulse Secure VPN Flaw

  Pittsburgh School District Hit with Ransomware

  Contra Costa Library System Ransomware Attack



  ToTok App is Available in Google Play Store Again

  TikTok Vulnerabilities Fixed

  Google's Project Zero Announces Changes to Its 90-Day Disclosure Policy

  Minnesota Hospital eMail Breach

  Mozilla Releases Firefox 72.0.1 to Fix Actively Exploited Critical Flaw

  Prison for Webcam Spy

  Las Vegas City Network Fends Off Serious Cyber Incident

  Dustman Data-Wiping Malware Likely Has Ties to Iran, Say Analysts

  Hackers Scanning for Unpatched Citrix Servers

  Dragos Report Describes North American Electric Sector Cyber Threats

  US Government-Funded Android Phones Have Chinese Malware Preinstalled


*************************** Sponsored By SANS ******************************

Attend SANS ICS Security Summit & Training Summit 2020 | Orlando, FL | March 2-9. The 15th annual #ICSSummit will bring together in-the-field practitioners & leading experts to share ideas, methods, and techniques for defending control systems. http://www.sans.org/info/215220


Cybersecurity Training Update


-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020

-- SANS Tokyo January 2020 | January 20-25 | https://www.sans.org/event/tokyo-january-2020

-- SANS Amsterdam January 2020 | January 20-25 | https://www.sans.org/event/amsterdam-january-2020

-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020

-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020

-- SANS Munich March 2020 | March 2-7 | https://www.sans.org/event/munich-march-2020

-- SANS Northern VA-Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020

-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020

-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020

-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020

-- SANS OnDemand and vLive Training

Get an iPad (32G), a Samsung Galaxy Tab A, or Take $250 Off through January 22 with OnDemand or vLive training.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






--The U.S. National High School Cybersecurity Talent Discovery Program Launches on Monday

(January 10, 2019)

The U.S. National High School Cybersecurity Talent Discovery Program launches on Monday (1/13). Students play a game (CyberStart) to learn whether they have the aptitude to excel in cybersecurity. It's all online and no teacher expertise in cyber or computers is required. NSF support this year enables high school students in every state to participate. High school girls are eligible to start next week; if five girls do well in a school, they win access to the game for boys as well.  Here's how parents and teachers describe the impact of GirlsGoCyberStart:

"Girls Go CyberStart REALLY made a big impact on my daughter! The first year, she had zero experience in computer coding or cybersecurity. After participating, she decided to take AP Comp Sci A and now she won a summer internship at the NJ Cyber Security Office!"

"Before I recruited girls to be a part of this wonderful program, I struggled to get girls to realize they could be computer scientists. I had girls actually saying they were too stupid to do this until I said, 'Just try it.'  Some of my girls found out they were good at puzzles, some found out they liked programming. I now have girls asking our counselor about computer science degrees at our local community college."

Twenty-seven state governors personally announced GirlsGoCyberStart this year and encouraged students in their states to "just try it!"  The Computer Science Teachers Association is a national cosponsor.


To learn more and/or sign up: https://www.girlsgocyberstart.org/

A personal note to NewsBites readers from Alan Paller: Finding talent early is the single biggest game changer a nation can implement to increase its effectiveness in cyberspace. The UK's CyberDiscovery program proved that the CyberStart game scales to provide full national coverage and identifies large numbers of high-aptitude students even when the student doesn't know s/he has it.  Now CyberStart's aptitude discovery program has become available at no cost to all high schools in the US, but it runs only once a year and sign-ups close in two weeks. If you have any relationship with a high school student or teacher or administrator or an email list or Twitter following that includes high school teachers, make sure they know about GirlsGoCyberStart in time to take advantage of it this year.


--Consolidating Cybersecurity Oversight in Congress

(January 8, 2020)

Members of the US Cyberspace Solarium Commission are likely to propose consolidating authority for cybersecurity issues under one committee in each chamber of Congress. Currently, numerous committees in each chamber address cybersecurity issues, which can slow down needed legislation.

Read more in:

Fifth Domain: Is a single cybersecurity congressional committee possible?





--Attackers Infected Travelex with Ransomware Through Known Pulse Secure VPN Flaw

(January 6, 7, 8, & 9, 2020)

The Travelex currency exchange is still offline after a December 31 ransomware attack. The company says that its systems became infected with Sodinokibi, also known as REvil. The malware appears to have gained entry to the system through a known vulnerability in Pulse Secure VPN software; a patch for the flaw was made available in April 2019. (Please note that the WSJ story is behind a paywall.)

[Editor Comments]

[Neely] While keeping services updated with the latest security patches is important, prioritize services at the perimeter and pay even more attention to boundary and access control devices such as VPNs, Firewalls, Routers, Proxies and WAFs. It is worth noting that Pulse Secure has been reaching out to customers to make sure that they are applying the patch. The Pulse Secure VPN flaw is being actively leveraged for REvil attacks, including CyrusOne, several managed service providers, 20 Texas local government offices and over 200 dentist offices per ZDNet (VPN warning: REvil ransomware targets unpatched Pulse Secure VPN servers: https://www.zdnet.com/article/vpn-warning-revil-ransomware-targets-unpatched-pulse-secure-vpn-servers/).

[Honan] This breach has several examples of how to not handle incident response, from poor communications to key stakeholders, to not engaging with media, and lack of transparency to customers as to the real cause of the systems being offline.


Read more in:

Ars Technica: Unpatched VPN makes Travelex latest victim of "REvil" ransomware


Dark Reading: Widely Known Flaw in Pulse Secure VPN Being Used in Ransomware Attacks


Threatpost: Sodinokibi Ransomware Behind Travelex Fiasco: Report


Bleeping Computer: Sodinokibi Ransomware Says Travelex Will Pay, One Way or Another


WSJ: Travelex Ransomware Outage Hits Foreign-Currency Transactions at Retail Banks (paywall)


US-CERT: US-CERT Alert (AA20-010A) Continued Exploitation of Pulse Secure VPN Vulnerability



--Pittsburgh School District Hit with Ransomware

(January 8, 2020)

The Pittsburgh Unified School District in Pennsylvania is recovering from a ransomware attack that infected its systems over the holiday break. Classes resumed as scheduled on Monday, January 6. The superintendent noted that while classrooms will not have laptops or Internet access, schools do have access to student information and phone systems are working.

Read more in:

SC Magazine: Ransomware hits, but doesn't stop, the Pittsburgh Unified School District



--Contra Costa Library System Ransomware Attack

(January 7, 2020)

The Contra Costa County (California) Library System was hit with a ransomware attack late last week. The incident affects all 26 of the system's branches. On December 3, library officials said that while impacted servers were taken offline, libraries would be open as usual.   

[Editor Comments]

[Neely] As libraries reinvent themselves in the digital age, the importance of their digital service offerings has increased. While you can still visit a branch to get a book, their web system processed over 1.5 million virtual visits, and 425,897 virtual checkouts in 2019. The system has address, phone numbers, email and dates of birth for members; it doesn't contain social security numbers or credit card information. They stopped collecting driver's license numbers and purged those data last year.

Read more in:

Govtech: Bay Area Library System Suffers Ransomware Attack


****************************  SPONSORED LINKS  ******************************

1) Free Event in Austin, Texas on January 30th | SANS Automation and Orchestration Solutions Forum with SANS Chris Crowley: http://www.sans.org/info/215225

2) Webcast January 22nd at 3:30 PM ET: Optimize Decision Support through Verifiable Classification. Register: http://www.sans.org/info/215235

3) Survey | Take the SANS 2020 Automation and Integration Survey and enter to win a $400 Amazon gift card: http://www.sans.org/info/215240




--ToTok App is Available in Google Play Store Again

(January 6 & 8, 2020)

Apple and Google pulled the ToTok messaging app from their stores after US intelligence officials said it was likely being used as a spy tool for the United Arab Emirates. Google has put what appears to be an updated version of ToTok back in the Google Play Store. The app now asks users for permission to access and sync contact lists.

Read more in:

Wired: An Alleged Spy App Puts Apple in a Bind


Threatpost: ToTok Returned to Google Play Despite 'Spy Tool' Claims



--TikTok Vulnerabilities Fixed

(January 8, 2020)

TikTok has patched several flaws that left the social video app vulnerable to account takeovers, private data exposure, and other forms of account manipulation. Researchers from Check Point found the vulnerabilities and notified TikTok in late November 2019. The company fixed the flaws in late December.

[Editor Comments]

[Neely] The patches address account takeover and data exposure issues, not the concerns raised last fall about China-based ByteDance collecting data while the app is being used. Those risks have not changed. If you are continuing to use the application, keep it updated.

Read more in:

The Register: TikTok on the clock, and the hacking won't stop: SMS spoofing vuln let baddies twiddle teens' social media videos


Wired: TikTok Bugs Could Have Allowed Account Takeovers


ZDNet: TikTok fixes security flaws that could have let hackers manipulate accounts, access personal data


Dark Reading: TikTok Bugs Put Users' Videos, Personal Data At Risk


Threatpost: TikTok Riddled With Security Flaws



--Google's Project Zero Announces Changes to Its 90-Day Disclosure Policy

(January 7, 8, & 9, 2020)

Google's Project Zero says it will now wait the full 90 days after notifying vendors about a bug to disclose details of the vulnerability, regardless of when the vendor makes a fix available. Previously, Project Zero would release vulnerability details as soon as a patch was released. The rationale for the change is that it will allow for more thorough patch development and wider patch adoption before details are released. Vulnerability details may be disclosed sooner than 90 days if the vendor agrees. Exceptions to the rules include allowing the vendor to request up to an additional 14 days if the patch will be ready within that time, and allowing only seven days for vulnerabilities that are being actively exploited.  

Read more in:

Google Project Zero: Policy and Disclosure: 2020 Edition


Threatpost: Google Ditches Patch-Time Bug Disclosure in Favor of 90-Day Policy


The Register: Yeah, says Google Project Zero, when you think about it, going public with exploit deets immediately after a patch is emitted isn't such a great idea


ZDNet: Google Project Zero shifts to full 90-day disclosures to improve patch uptake


Dark Reading: Google's Project Zero Policy Change Mandates 90-Day Disclosure


Portswigger: Project Zero relaxes 90-day vulnerability disclosure deadline to boost patch adoption



--Minnesota Hospital eMail Breach

(January 7 & 8, 2020)

Alomere Health is notifying nearly 50,000 patients in Minnesota that their personal health information may have been compromised. Two Alomere Health employee email accounts were compromised in late October and early November 2019.

[Editor Comments]

[Pescatore] I was encouraged to see in the SANS Security Spending Trends survey we are currently working on that increased spending on strong authentication came in 4th highest, after cloud monitoring, cloud access security and staff skills training. Ransomware and breaches in the news have been the ammunition to convince management to back the move away from reusable passwords. In telephone interviews, several small/medium sized organizations described making the move as part of moving to O365 and other cloud-based services.

[Honan] Cases like this help to justify Multi-Factor Authentication to senior management.

Read more in:

Alomere Health: Vigilance Is The Best Defense To Cyber Attacks


Cyware: Minnesota Hospital Breach Impacts Personal and Medical Data of 50,000 Patients


SC Magazine: Breach of email accounts impacts 50,000 patients of Minnesota hospital


Portswigger: Data breach at Minnesota hospital threatens nearly 50,000 healthcare records



--Mozilla Releases Firefox 72.0.1 to Fix Actively Exploited Critical Flaw

(January 8 & 9, 2020)

Just one day after releasing Firefox 72, Mozilla released version 72.0.1 to address a critical vulnerability that was being actively exploited. The type-confusion flaw could be exploited to execute code or cause crashes on vulnerable systems. Firefox 72 included new privacy features and fixes for five high-severity security issues.

[Editor Comments]

[Neely] If you're on the ESR distribution, the fixes are in 68.4.1. The affected component is the IonMonkey JavaScript JIT compiler which provides optimization and performance enhancement for JavaScript. The flaw is reported as being actively exploited in the wild. Regardless of the version, unless you have disabled IonMonkey, which is enabled by default, applying the update quickly is prudent.


[Murray] Users should prefer purpose-built applications to porous browsers for sensitive applications. Enterprise management should isolate mission-critical data, applications, and systems from browsers.

Read more in:

Mozilla: Mozilla Foundation Security Advisory 2020-03: Security Vulnerabilities fixed in Firefox 72.0.1 and Firefox ESR 68.4.1


US-CERT: Mozilla Patches Critical Vulnerability


Threatpost: Mozilla Updates Firefox Browser: Zero-Day Bug Patched, Fingerprinting Nixed


Ars Technica: Firefox gets patch for critical zeroday that's being actively exploited


Bleeping Computer: Mozilla Firefox 72.0.1 Patches Actively Exploited Zero-Day



--Prison for Webcam Spy

(January 7 & 8, 2020)

A UK man has been sentenced to five years in prison for spying on people through their webcams and mobile phone cameras. Scott Cowley used the Imminent Monitor remote access Trojan (RAT) to infect the targeted computers and phones.

Read more in:

Threatpost: Liverpool Voyeur Used IM-RAT to Video Women at Home


ZDNet: UK man sentenced to prison for hacking and spying on victims through their webcams



--Las Vegas City Network Fends Off Serious Cyber Incident

(January 8 & 9, 2020)

On Tuesday, January 7, 2020, the city of Las Vegas, Nevada experienced a network security incident. The vector of attack is likely to have been a malicious email. City IT staff detected the breach quickly and took steps to minimize its impact. On Wednesday, January 8, the city posted a statement on Twitter that it has "resumed full operations with all data systems functioning as normal."

[Editor Comments]

[Pescatore] I love this news piece. Kudos to the city of Las Vegas IT and security teams. Think of when a strong storm hits your area. If the power blips a few times, or goes out for an hour or so, everyone understands. If it goes out for days, you hate the power company, you know they failed you. You really don't expect the electricity to your house to be totally immune to storms, but you expect the power company to minimize the outages and to proactively trim the trees in advance of the next season of storms. That is how CEOs and Boards of Directors think about IT security!

Read more in:

ZDNet: City of Las Vegas said it successfully avoided devastating cyber-attack


Statescoop: Las Vegas reports experiencing 'cyber compromise'



--Dustman Data-Wiping Malware Likely Has Ties to Iran, Say Analysts

(January 8 & 9, 2020)

Cyber analysts at Saudi Arabia's National Cybersecurity Authority (CNA) have detected a new variant of data-wiping malware. Dustman, as it has been named, was found on systems at Bapco, Bahrain's national oil company, late last year and appears to be a variant of data-wiping malware used in attacks on organizations in the Middle East last year. CNA analysts say the malware made its way into Bapco systems through the company's VPN servers. The malware affected only some of Bapco's computers, and the company continued to operate through the attack.

Read more in:

ZDNet: New Iranian data wiper malware hits Bapco, Bahrain's national oil company


Cyware: New Wiper Malware 'Dustman' Takes on Bahrain's National Oil Company


Cyberscoop: Saudi cyber authority uncovers new data-wiping malware, and experts suspect Iran is behind it



--Hackers Scanning for Unpatched Citrix Servers

(January 7, 8, & 9, 2020)

Hackers are actively conducting scans to find Citrix servers that have not been patched against a critical vulnerability that affects the company's Application Delivery Controller (ADC) and Gateway products. The directory traversal flaw could be exploited to remotely execute code.   

Read more in:

ISC: A Quick Update on Scanning for CVE-2019-19781 (Citrix ADC / Gateway Vulnerability)


Help Net Security: Attackers exploiting critical Citrix ADC, Gateway flaw, company yet to release fixes


ZDNet: Hackers probe Citrix servers for weakness to remote code execution vulnerability


Bleeping Computer: Attackers Are Scanning for Vulnerable Citrix Servers, Secure Now



--Dragos Report Describes North American Electric Sector Cyber Threats

(January 9, 2020)

Dragos has published a report titled North American Electric Cyber Threat Perspective that "provides a comprehensive look at threats to the North American electric sector and offers numerous defensive recommendations for asset owners and operators to implement and combat observed threats."

Read more in:

Dragos: The State of Threats to Electric Entities in North America (summary)


Dragos: North American Electric Cyber Threat Perspective


Wired: Iranian Hackers Have Been 'Password-Spraying' the US Grid


ZDNet: These hacking groups are eyeing power grids, says security company



--US Government-Funded Android Phones Have Chinese Malware Preinstalled

(January 9, 2020)

The US Federal Lifeline Assurance program provides inexpensive or even free phones with discounted service for low-income households. Researchers at Malwarebytes found that one of the phones available through the program, the $35 Unimax (UMX) U686CL device from Assurance Wireless, comes with unremovable Chinese malware preinstalled.

[Editor Comments]

[Neely] Supply chain security is complicated, and critical, especially when you're driven to deliver the lowest bid solution. US funded programs typically insist on American made solutions, but in this case the $35 device was accepted without full security vetting. As an entity, purchasing devices from a known source is a good first step; verifying their security, or hiring someone to do that, is prudent.

Read more in:

Ars Technica: US Government-funded Android phones come preinstalled with unremovable malware


Dark Reading: Chinese Malware Found Preinstalled on US Government-Funded Phones


Forbes: U.S. Funds Program With Free Android Phones For The Poor -- But With Permanent Chinese Malware




Citrix ADC Update


Another Malicious Word Document


Google Project Zero Changing Disclosure Policy


Google Updates Android


Critical Firefox Update Fixing Exploited Bug


Pulse Secure SSLVPN Exploited



3 Google Play Store Apps Exploit Android Zero-Day


Tails 4.2


TikTok Vulnerabilities


SHA1 Update


Cisco Updates



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create