
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #42

May 26, 2020

Ransomware Deploys Virtual Machine; Coronavirus Phishing Scheme Using Excel; Majority of Apps Contain Flaws via Open-Source Libraries


SANS NewsBites                 May 26, 2020                Vol. 22, Num. 042



  Ransomware Deploys Virtual Machine to Evade Detection

  Microsoft Warns of Coronavirus-Related Phishing Scheme Using Malicious Excel Files

  Majority of Apps Contain Flaws via Open-Source Libraries


  EasyJet Breach Exposed Travelers' Itineraries

  Companies Ask Congress to Block Warrantless Access to Browsing Data and Searches

  eBay is Conducting Port Scans on Site Visitors' Computers

  Hackers Leak Data Stolen From Banco de Costa Rica After Alleged Cyberattack

  DHS's CISA Bolstering Cybersecurity Protections for Organizations Conducting Coronavirus Research

  National Guard Deployed in Maryland for COVID Aid Also Helping with Cybersecurity

  Zoom E2E Encryption Whitepaper




--Ransomware Deploys Virtual Machine to Evade Detection

(May 22, 2020)

Researchers from Sophos found that the RagnarLocker ransomware group is installing the Oracle VirtualBox app to run virtual machines (VMs) on targeted computers. The attackers use the VM to execute the ransomware and evade detection. The RagnarLocker operators choose their targets carefully, focusing exclusively on corporate and government networks.

[Editor Comments]

[Neely] The targets chosen are more likely to be running VirtualBox, so its presence alone is not necessarily a red flag. This attack installs an unsigned Sun xVM VirtualBox MSI from 2009, which should trigger endpoint defenses. Unplanned disabling of backup and remote management utilities also merits follow-up. As this group is also known for exfiltrating data, expect threats of data disclosure to accompany ransom demands.

Read more in:

The Register: Forget BYOD, this is BYOVM: Ransomware tries to evade antivirus by hiding in a virtual machine on infected systems

SC Magazine: Attackers' use of virtual machine to hide ransomware is a first, say researchers

ZDNet: Ransomware deploys virtual machines to hide itself from antivirus software

Bleeping Computer: Ransomware encrypts from virtual machines to evade antivirus

Sophos: Ragnar Locker ransomware deploys virtual machine to dodge security


--Microsoft Warns of Coronavirus-Related Phishing Scheme Using Malicious Excel Files

(May 18, 19, & 22, 2020)

The Microsoft Security Intelligence Team has warned of a "massive campaign" that tries to install NetSupport Manager, a legitimate remote access tool, on users' computers. The phishing campaign pretends to be from Johns Hopkins Center and claims to contain a World Health Organization coronavirus-related situation report. The scheme tries to get users to open email attachments that contain malicious Excel macros.

[Editor Comments]

[Neely] This attack is spoofing an email from the Johns Hopkins Center providing an update on the Coronavirus-related deaths in the United States, with an attached Excel file titled 'covid_usa_nyt_8072.xls.' Additionally, Microsoft has announced they are making some of their COVID-19 related threat intelligence open-source to help customers better protect themselves by providing the community a more complete view of attackers' tactics, techniques, and procedures (TTPs). Information is being provided via threat intelligence sharing feeds for Azure Sentinel Customers, and for the public on GitHub. See:

Read more in:

ZDNet: Microsoft: Beware this massive phishing campaign using malicious Excel macros to hack PCs

Bleeping Computer: Microsoft warns of 'massive' phishing attack pushing legit RAT

Twitter: Microsoft Security Intelligence


--Majority of Apps Contain Flaws via Open-Source Libraries

(May 25, 2020)

Open source libraries are ubiquitous; they help developers create apps more quickly. According to the State of Software Security Open Source Edition report from Veracode, 70 percent of apps in use today have at least one vulnerability that exists because of an open source library. The four most common types of vulnerabilities found in open source libraries are access control issues, cross-site scripting, sensitive data exposure, and injection.

[Editor Comments]

[Neely] The Veracode paper breaks down flaws by language type, with PHP having the most flaws including, at least, a Proof of Concept (PoC) exploit. This introduces the burden of not only monitoring and updating your Open-Source libraries but also integrating these releases with current software lifecycle update processes. The good news is the majority of identified open-source flaws are addressed in small updates unlikely to break applications, reducing the risk and difficulty of remaining current.

[Pescatore] Good reminder that open source software is just as likely to have vulnerabilities in it as commercial software. A key takeaway from the Veracode report: "Fixing most library-introduced flaws in most applications can be accomplished with only a minor version update. Major library upgrades are not usually required!"

Read more in:

Threatpost: 70 Percent of Mobile, Desktop Apps Contain Open-Source Bugs

Veracode: State of Software Security | Open Source Edition (PDF)




--EasyJet Breach Exposed Travelers' Itineraries

(May 22, 2020)

The data compromised in the EasyJet breach that was disclosed last week is now believed to include travelers' itineraries for trips booked between October 17, 2019 and March 4, 2020. The hackers had access to EasyJet data between October 2019 and January 2020. A law firm in the UK has filed a class action claim against EasyJet, under Article 82 of the General Data Protection Regulation (GDPR).

Read more in:

The Register: It wasn't just a few credit cards: Entire travel itineraries were stolen by hackers, Easyjet now tells victims

Computer Weekly: EasyJet to be sued over customer data breach


--Companies Ask Congress to Block Warrantless Access to Browsing Data and Searches

(May 22 & 25, 2020)

Seven Internet companies have joined voices to ask Congress to prohibit the collection of browsing and Internet searches without a warrant. The US House of Representatives is scheduled to vote on the USA FREEDOM Reauthorization Act of 2020 this week. Late last week, US Representatives Zoe Lofgren (D-California) and Warren Davidson (R-Ohio) said they would introduce an amendment to the reauthorization legislation that is expected to be very similar to an amendment that failed to pass the Senate by just one vote.

Read more in:

Mozilla: Letter to US Representatives (PDF)

ZDNet: Mozilla, Twitter, Reddit join forces in effort to block browsing data from warrantless access

Politico: House leaders agree to vote on amendment restricting surveillance of internet browsing


--eBay is Conducting Port Scans on Site Visitors' Computers

(May 19, 24, & 25, 2020)

When users visit the eBay website, it conducts a local port scan on their computers. The scan is performed by a script named check.js and covers 14 ports associated with remote access and support tools. eBay scans Windows machines; the scans do not occur when users running Linux visit the site.

[Editor Comments]

[Pescatore] This has come up before with financial institutions scanning customers' PCs trying to protect customers with compromised PCs from fraud, usually from the login page but not always. In general, in the US and in the EU at least, it has been ruled to be legal and not violate various Computer Misuse Acts. But, generally accepted practice is to at least notify, if not obtain permission, for doing this kind of thing. If your organization is asking for advice on doing this kind of thing, best to involve legal counsel.

[Neely] While this is intended as an anti-fraud measure to make sure that a user's system is secure, the user is not granting permission for this activity, which is concerning with current privacy regulations. As the scan is run via JavaScript, your local firewall is not going to block it. It can be blocked with browser extensions like NoScript and uBlock Origin, or by using a browser which is not targeted, such as Brave.

Read more in:

NullSweep: Why is This Website Port Scanning me?

Bleeping Computer: eBay port scans visitors' computers for remote access programs

Forbes: Did You Know eBay Is Probing Your Computer? Here's How To Stop It
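The local port scan described in this item can be watched for from inside the page itself, which is where a host firewall cannot help. The following is an added example, not eBay's check.js and not code from the NewsBites item or the articles it cites: it wraps the browser's WebSocket constructor, counts the distinct loopback ports a page tries to reach, and refuses further loopback connections once a threshold is crossed. It assumes the probes are WebSocket connections to 127.0.0.1 or localhost (the item does not say which mechanism check.js uses); LoopbackScanDetector, installMonitor, runSample and the sample URLs are constructed for illustration.

```javascript
// Added example (not eBay's check.js nor code from the NewsBites item or the cited
// write-ups): an in-page monitor that flags a site opening WebSocket connections to
// many ports on the visitor's own machine. Assumes probes are WebSocket connections
// to loopback addresses; the sample URLs and helper names below are constructed.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
// Port a ws:// or wss:// URL targets on the local machine; null if the URL does not
// parse, is not a WebSocket URL, or does not point at loopback.
function loopbackPort(url) {
  let parsed;
  try { parsed = new URL(String(url)); } catch (e) { return null; }
  if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:") return null;
  const host = parsed.hostname.toLowerCase();
  if (!LOOPBACK_HOSTS.has(host) && !/^127(\.\d{1,3}){3}$/.test(host)) return null;
  if (parsed.port !== "") return Number(parsed.port);
  return parsed.protocol === "wss:" ? 443 : 80; // WebSocket default ports
}
// Counts distinct loopback ports one page has tried; observe() returns true only on
// the attempt that crosses the threshold, so the caller can alert exactly once.
class LoopbackScanDetector {
  constructor(threshold = 5) { this.threshold = threshold; this.ports = new Set(); this.alerted = false; }
  observe(url) {
    const port = loopbackPort(url);
    if (port === null) return false;
    this.ports.add(port);
    if (this.alerted || this.ports.size < this.threshold) return false;
    return (this.alerted = true);
  }
}
// Replaces scope.WebSocket (window.WebSocket in a browser) with a wrapper that feeds
// every attempt to the detector and refuses loopback connections once a scan is
// flagged. The host firewall never sees these connections, hence the in-page hook.
function installMonitor(scope, detector) {
  const NativeWebSocket = scope.WebSocket;
  if (typeof NativeWebSocket !== "function") return false;
  function MonitoredWebSocket(url, protocols) {
    if (detector.observe(url)) console.warn("loopback port scan suspected:", [...detector.ports].join(", "));
    if (detector.alerted && loopbackPort(url) !== null) throw new Error("blocked loopback WebSocket " + url);
    return new NativeWebSocket(url, protocols);
  }
  MonitoredWebSocket.prototype = NativeWebSocket.prototype;
  scope.WebSocket = MonitoredWebSocket;
  return true;
}
// Constructed sample: one ordinary remote WebSocket, then five probes of common
// remote-access ports on loopback. runSample() feeds it to a fresh detector and
// returns the index of the attempt that raised the alert (-1 if none) plus the ports.
const SAMPLE_ATTEMPTS = ["wss://example.com/chat", "ws://127.0.0.1:3389", "ws://127.0.0.1:5900",
  "ws://localhost:5938", "ws://127.0.0.1:5939", "ws://127.0.0.1:7070"];
function runSample(attempts = SAMPLE_ATTEMPTS, threshold = 5) {
  const detector = new LoopbackScanDetector(threshold);
  let firedAt = -1;
  attempts.forEach((url, i) => { if (detector.observe(url) && firedAt < 0) firedAt = i; });
  return { firedAt, ports: [...detector.ports].sort((a, b) => a - b) };
}
```

In a real deployment the hook has to run before the site's own scripts (a user script or extension content script at document_start), since a page can capture the native constructor first.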


--Hackers Leak Data Stolen From Banco de Costa Rica After Alleged Cyberattack

(May 23 & 24, 2020)

Malicious cyber actors claim to have launched a cyberattack against the Banco de Costa Rica and have begun publishing data stolen from the bank's servers. The attackers say they plan to release more information taken from bank systems every week. Banco de Costa Rica has denied that it suffered an attack. The first set of data published appears to be payment card information that belongs to Banco de Costa Rica customers.

[Editor Comments]

[Murray] Payment card data is still too easy to monetize, now more so in "card not present" transactions. Online merchants should prefer check-out proxies (e.g. PayPal, Apple Pay, Click-to-Pay) to processing payments themselves. Telephone merchants should separate order taking from payment taking.

Read more in:

Bleeping Computer: Hackers leak credit card info from Costa Rica's state bank

Bank Infosecurity: Ransomware Gang Posting Financial Details From Bank Attack


--DHS's CISA Bolstering Cybersecurity Protections for Organizations Conducting Coronavirus Research

(May 22, 2020)

In a webinar last week, the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) assistant director Bryan Ware said that hackers working on behalf of China and other foreign governments have been targeting organizations conducting research into COVID-19 vaccines. CISA has "stepped up" cybersecurity protections for the Department of Health and Human Services (HHS) and the Centers for Disease Control and Prevention (CDC). CISA is also working closely with pharmaceutical companies and other research organizations to keep their Internet-connected devices secure.

[Editor Comments]

[Murray] The environment in which most of us work is dramatically more hostile than it was two years ago but our security is not much better, sometimes even worse. Keep doing the same thing, expect worse results.

Read more in:

Cyberscoop: DHS's cyber division has stepped up protections for coronavirus research, official says


--National Guard Deployed in Maryland for COVID Aid Also Helping with Cybersecurity

(May 22, 2020)

More than two months ago, Maryland's governor called in the National Guard to help with the coronavirus pandemic. The Guard has been providing help with tests and screening and has also been conducting cybersecurity assessments of state data repositories.

Read more in:

FCW: Pandemic duties for National Guard include cyber help


--Zoom E2E Encryption Whitepaper

(May 22, 2020)

Zoom has published a whitepaper that "proposes major security and privacy upgrades for" the company through an "incrementally-deployable four-phase roadmap." The paper details how the four phases - Client Key Management, Identity, Transparency Tree, and Real-Time Security - will be implemented.

[Editor Comments]

[Neely] This paper also lays out the current meeting security mechanisms and differentiates between meeting access control features, such as a meeting password, and securing the meeting content, which may use a symmetric key. Take note of where connectors are required to extend encryption to certain devices and the limitations of those connections.

[Pescatore] I did a webinar with Zoom Head of Product Security Randy Barr, and he gave details on what Zoom has done to date to address needed security improvements and what is on the roadmap for the rest of their first 90-day plan. Encryption gets the press attention but the increase in focus on application security and proactive pen testing, and getting input from industry CISOs are the more important initiatives. Webinar recording available at

[Murray] "Zoom bombing" notwithstanding, most users have more risk in their operating systems, browsers, readers, etc. than in any application. Zoom remains more vulnerable to meeting host decisions than to attacks on its crypto. Zoom is rapidly approaching "enterprise grade." However, for most system code, that still involves a reservoir of known and unknown vulnerabilities. When using any conferencing application, prefer device-specific purpose-built clients to historically porous browsers.

Read more in:

GitHub: E2E Encryption for Zoom Meetings (PDF)



Malicious PowerPoint Add-Ins Deliver Malware


Virtual Machine Delivers Malware


iOS Patch Analysis


eBay Port Scanning


iPhone Jailbreak


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit