SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #41

May 22, 2020

Virtual Cyber Schools Open In U.K. and U.S.; Verizon's 2020 Data Breach Report; Toll Group Ransomware Data Published on Dark Web





  U.K. and U.S. Virtual Cyber Schools Open This Month

  Verizon's 2020 Data Breach Investigations Report

  Data Stolen from The Toll Group Published on Dark Web




  US Legislators Push for Complete Phone Encryption Between House and Senate

  Facebook New Messenger Warnings are Based on Metadata

  Lawsuits Filed Against ADT Over Former Employee Spying On Customers

  EasyJet Data Breach

  Cisco Releases Update to Fix Deserialization Flaw in Cisco Unified CCX

  Adobe Releases Unscheduled Updates

  Info Leaked from 2019 Mitsubishi Breach May Include Missile Data

  Data Stolen from Fresenius Dialysis Facility Data Leaked









--U.K. and U.S. Virtual Cyber Schools Open This Month

(May 20, 2020)

Students ages 13-18 in the UK and the US have the opportunity to take part in a virtual cyber school that offers more than 200 cybersecurity challenges. The program is government sponsored: free for residents of the UK; students in the US can participate for US $100 a year. No background in computers is expected or needed. Kids' observations: "The most fun I've ever had learning," and "I had no idea I could be so good at computer science."

[Editor Comments]

[Pescatore] Great opportunity to take advantage of current crazy times and get your kids or your company's employees' kids into the cybersecurity skills pipeline. The gaming aspect is very cool; much like in the makers movement, the fact that the technology is really a tool vs. the entire focus attracts and holds types of kids who had no interest in computers or networks for technology's sake.

[Neely] My 13-year-old self would love this type of opportunity. My present-day self is thinking of all the friends and family who ask how their kids can get started in cyber security and sending this to them. If they object to the cost, I'll suggest they also look to the SANS Holiday Hack Challenge web site for some fun challenges, reminding them the past solutions are published if they want a hint.

Read more in:

CNN: Virtual cybersecurity school teaches kids to fix security flaws and hunt down hackers

New virtual cyber school gives teens chance to try out as cyber security agents from home

U.K. Cyber-School: Cyber Discovery Virtual Cyber School

U.S. Sign-ups:


--Verizon's 2020 Data Breach Investigations Report

(May 19, 2020)

Some takeaways from Verizon's 2020 Data Breach Investigations Report: Eighty-six percent of breaches in 2019 were financially motivated, compared with 71 percent in 2018; 70 percent of breaches were caused by outsiders; and 27 percent of incidents were attributed to ransomware. The information in the report is derived from more than 150,000 security incidents experienced by Verizon clients as well as by other organizations, in data shared by partners, law enforcement agencies, CSIRTs, and security firms.

[Editor Comments]

[Neely] The Verizon DBIR is always a good synopsis of incidents and trends to watch for. The report also notes that unsecured or misconfigured cloud data storage opens the doors of small businesses to attacks previously faced only by larger organizations. The report also shows a trend in breaches related to configuration errors catching up with socially engineered ones.

[Honan] This is one of the most valuable reports a security professional can read. The report will give you valuable insights into how to defend your systems and networks. It also gives you good data points when dealing with security vendors to ask them how their product would deal with the breaches and issues raised in the report.

[Murray] The DBIR continues to be a valuable source of open source intelligence. Be sure to read the disclaimers.

Read more in:

Verizon: 2020 Data Breach Investigations Report

SC Magazine: Six need-to-know takeaways from the Verizon breach report

ZDNet: Verizon's data breach report highlights how unsecured cloud storage opens door to attacks

Threatpost: Verizon Data Breach Report: DoS Skyrockets, Espionage Dips

Cyberscoop: Money is still the main motivating factor for hackers, Verizon report finds


--Data Stolen from The Toll Group Published on Dark Web

(May 21, 2020)

Data stolen from Australian transportation and logistics company The Toll Group have been published to the dark web. The data were taken from a corporate server during an April ransomware attack. Toll has not paid the ransom and has shut down its IT systems to contain the malware. The company was the victim of a ransomware attack in January as well.

[Editor Comments]

[Neely] When the decision was made not to pay the ransom and recover systems, The Toll Group identified the server and data they believed had been exfiltrated. They are now faced with the challenge of validating the scope and depth of data published to determine appropriate response actions, including deciding whether it is worth paying ransom to prevent additional disclosures.

Read more in:

ZDNet: Toll's stolen data finds itself on the 'dark web'




--US Legislators Push for Complete Phone Encryption Between House and Senate

(May 19, 2020)

US legislators want to ensure that phone communications between the House and the Senate are protected by encryption. Currently, most internal calls in both chambers are encrypted. In a letter dated May 19, 2020, legislators ask the Senate Sergeant at Arms and the House Chief Administrative Officer to take immediate action to encrypt, in bulk, all internal calls and other electronic communications between the Senate, House and other components of the legislative branch.

[Editor Comments]

[Neely] Not a bad idea for protecting corporate secrets, too. VoIP phones make the encryption within the system practical, without having to invest in formal COMSEC equipment, provided you have the infrastructure to manage the certificates. The challenge is more and more communications also happen over mobile devices necessitating either a smartphone client on the device, or training users to have sensitive conversations only over the secure phone system. Even with encryption, situational awareness is important to prevent eavesdropping.

Read more in:

FCW: Lawmakers want more complete phone encryption on Capitol Hill

The Verge: Calls between the House and Senate should be encrypted, lawmakers say

Wyden: Letter to Senate Sergeant at Arms and House Chief Administrative Officer (PDF)


--Facebook New Messenger Warnings are Based on Metadata

(May 21, 2020)

Governments have criticized Facebook's plans to implement end-to-end encryption for all its apps because they say it allows criminals to escape detection. Facebook is debuting tools that use metadata analysis to generate warnings in its Messenger app when messages appear to come from scammers, child abusers, or other criminals.

Read more in:

Wired: Facebook Messenger Adds Safety Alerts, Even in Encrypted Chats


--Lawsuits Filed Against ADT Over Former Employee Spying On Customers

(May 15 & 19, 2020)

ADT Security Services is facing lawsuits over the company's alleged intentional and negligent tortious acts in providing security services to its customers with remote-viewing capabilities. ADT has admitted that an ADT technician created admin accounts for himself on customers' systems and then abused that privilege to spy on them. More than 200 customer accounts were compromised; the activity went on for seven years before it was detected. The scheme was uncovered when a customer in Texas reported an unknown email address as an admin user on their system. ADT conducted an internal investigation and determined that the issue was with one of their employees. ADT fired the individual, reported them to the police, and contacted all affected customers.

[Editor Comments]

[Neely] Have a clear understanding of what the remote monitoring service can and cannot do. Review accounts with access to your home systems regularly. Even so, the service provider may still have legitimate access to your system for emergency response. If you must have cameras in your home, make sure that privacy needs are considered, including where images can be accessed and stored. Make sure that electronic locks are not the only access control on outer doors so you can prevent them from being unsecured when desired.

[Honan] Quis custodiet ipsos custodes? (Who will guard the guards themselves?) A great example of why people need to check the security settings of all devices installed in their homes and businesses. Trusting default settings or relying on third parties to set up devices securely can lead to security and/or privacy breaches. Always review settings on devices to ensure they are secure.

[Murray] Supervision and multi-party controls are indicated to resist insider abuse and misuse. Privileged Access Management software should be considered to provide accountability for privileged users.

Read more in:

The Register: Rogue ADT tech spied on hundreds of customers in their homes via CCTV, including me, says teen girl

ADT: ADT Internal Investigation Reveals Improper Behavior By Former Dallas-Based Employee

Regmedia: Class Action Complaint and Demand for Jury Trial (PDF)

Regmedia: Class Action Complaint and Demand for Jury Trial (PDF)


--EasyJet Data Breach

(May 19, 2020)

UK-based EasyJet has disclosed a breach that compromised information, including email addresses and travel details, belonging to 9 million customers. For a small subset of customers, payment card information was also compromised. EasyJet has reported the incident to the UK Information Commissioner's Office (ICO) and to the National Cyber Security Centre.

[Editor Comments]

[Murray] As an accommodation to frequent travelers, airlines and hotel chains offer them the option of storing a credit card number for convenience with future bookings. There have been enough successful attacks in the travel industry to make the risk of doing so obvious and significant. Frequent travelers can limit this risk by using tokens from that can only be used by that airline or hotel chain.  

Read more in:

The Register: Easyjet hacked: 9 million people's data accessed plus 2,200 folks' credit card details grabbed

SC Magazine: British airline easyJet breached, data of 9 million customers compromised

ZDNet: EasyJet hack: 9 million customers hit and 2,000 credit cards exposed

Threatpost: EasyJet Hackers Take Off with Travel Details for 9M Customers

Bleeping Computer: EasyJet hacked: data breach affects 9 million customers


--Cisco Releases Update to Fix Deserialization Flaw in Cisco Unified CCX

(May 21, 2020)

Cisco has released updates to fix a critical deserialization flaw in the Java Remote Interface of its Unified Contact Center Express (CCX). The vulnerability could be exploited to install malware on unpatched devices.

Read more in:

ZDNet: Cisco: Critical Java flaw strikes 'call center in a box', patch urgently

Threatpost: Critical Cisco Bug in Unified CCX Allows Remote Code Execution

Cisco: Cisco Unified Contact Center Express Remote Code Execution Vulnerability


--Adobe Releases Unscheduled Updates

(May 19 & 20, 2020)

Adobe has released updates to address a critical vulnerability in Adobe Character Animator. The issue affects Character Animator 2020 versions 3.2 and earlier. The buffer overflow vulnerability could be exploited to allow arbitrary code execution. Adobe has also released fixes for vulnerabilities in its Premiere Rush, Audition, and Premiere Pro products.

Read more in:

Threatpost: Adobe Patches Critical RCE Flaw in Character Animator App

ZDNet: Adobe issues out-of-band patch to fix remote code execution flaw in animation software

Bleeping Computer: Adobe releases critical out-of-band security update

Adobe: Security Updates Available for Adobe Character Animator | APSB20-25

Adobe: Recent bulletins and advisories


--Info Leaked from 2019 Mitsubishi Breach May Include Missile Data

(May 20 & 21, 2020)

Japan's Defense Ministry is investigating the leak of information about a prototype missile. The data are believed to have been compromised during a cyberattack against systems at Mitsubishi Electric Corp. in late June 2019; the incident was not disclosed until January 2020. The attack exploited a then-zero-day vulnerability in Trend Micro OfficeScan antivirus software.

[Editor Comments]

[Neely] Am I the only one thinking that I would be able to buy a missile-equipped vehicle in the future? The exploited zero-day vulnerability in the Trend Micro AV product has since been patched. Attribution is still tricky, although initial indications point to the Tick group, which has previously targeted Japanese and South Korean technology and defense industries.

Read more in:

ZDNet: Japan investigates potential leak of prototype missile data in Mitsubishi hack

ZDNet: Trend Micro antivirus zero-day used in Mitsubishi Electric hack (January 2020)

Fifth Domain: Japan suspects missile data leak in Mitsubishi cyberattack

--Data Stolen from Fresenius Dialysis Facility Data Leaked

(May 20 & 21, 2020)

Fresenius Medical Care says that some patient data from dialysis facilities in Serbia has been posted to the Internet. The data include personally identifiable patient information. Fresenius was the target of a ransomware attack earlier this year.

Read more in:

Bleeping Computer: Snake ransomware leaks patient data from Fresenius Medical Care

Reuters: Germany's Fresenius Medical Care confirms data leak in Serbia after hacker attack




Spike of Scans for Port 62234

IcedID Malware Update

Malware Triage with FLOSS: API Calls Based Behavior

Cisco Patches

Google Chrome 83 Released

QNAP Vulnerability Details Released

ISC YouTube Channel

NXNSAttack DNS Amplification

Adobe Updates

Verizon Breach Report

Apple Updates

Sophos Firewall Vulnerability Exploit



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit