Last Day: Get a 10.2" iPad (32 G), Galaxy Tab A, or Take $250 Off with OnDemand Training

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #44

June 2, 2020

Judge: Opposing Lawyers Get Consultants' Forensic Breach Report; Highly Customized Spear Phishing Attacks; Open Source Supply Chain Attack; DHS Cyber Essentials Toolkit

SANS Most Offensive Event of the Year, and it's FREE!


The Pen Test HackFest & Cyber Ranges Summit starts at 9:00 AM MDT (11:00 AM EDT) this Thursday, June 4. This FREE online event lets you test your hands-on skills in three very real cyber ranges and learn practical threat emulation techniques from the world's most experienced and advanced pen testers.

Register now for the Summit and CtFs:

Full agenda:


SANS NewsBites                 June 2, 2020                Vol. 22, Num. 044



  Judge: Capital One Must Provide Lawyers With a Copy of Digital Forensic Breach Report

  Highly Customized Spear Phishing Attacks

  Open Source Software Supply Chain Attack: Octopus Scanner Malware Infected 26 GitHub-Hosted Projects

  CISA Cyber Essentials Toolkit


  REvil Ransomware Operators Publish Data Stolen from Elexon

  Georgia (US) Bureau of Investigation Found No Evidence of Hacking in Voter Registration System

  Daniel's Hosting Database Leaked Online

  Apple Releases Updates to Fix Memory Consumption Issue

  Prison Sentence for Former Employee Who Sabotaged Network

  Nipissing First Nation Computers Targeted by Ransomware


***********************  Sponsored By Splunk ********************************

G2 Grid Report for Enterprise SIEM - Spring 2020.

The latest G2 Enterprise Grid Report compares the leading enterprise SIEM vendors based on customer satisfaction, popularity and market presence. Read on to find out why Splunk is ranked as the No.1 Enterprise Security Information and Event Management (SIEM) vendor by G2, the world's largest B2B tech marketplace for software and services that helps businesses make smarter buying decisions |




SANS Training is 100% Online, with two

convenient ways to complete a course:

OnDemand  | Live Online



Keep your skills sharp with SANS Online Training:

.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications

Take advantage of the current promotional offer

Featuring a Free iPad Air w/Smart Keyboard, Surface GO,

Or $300 Off through June 10


Upcoming In Person and Live Online Events:


SANSFIRE 2020 | June 13-20 | Live Online


2-Day Firehose Training | June 29-30 | Live Online


SANS Summer of Cyber: Week 1 | July 6-11 | Live Online


DFIR Summit & Training | July 16-25 | Live Online


SANS Network Security 2020 | September 20-27 | Las Vegas, NV or Live Online



Test drive a course:

View the full SANS course catalog and skills roadmap.






--Judge: Capital One Must Provide Lawyers With a Copy of Digital Forensic Breach Report

(May 29, 2020)

A US federal judge in Virginia has ordered Capital One to provide a copy of a forensic report regarding a data breach to attorneys who are suing the company on behalf of affected customers. The Capital One breach, which was disclosed last year, affected payment card application data for more than 100 million people.

[Editor Comments]

[Murray] Subsequent to a breach, first hire experienced and competent legal counsel; let them hire and supervise the investigators. Any report of the investigators should be "attorney work product," so labeled, and arguably privileged. While transparency is desirable, litigation may increase transparency, and courts are entitled to all evidence, one does not want one's legitimate efforts used against one.  

[Neely] Understanding data protection and disclosure restrictions, particularly around security audits, assessments, and reports is key before the engagement begins. When taking legal action, be certain that the case, for or against, doesn't depend on disclosing the very documents you wish to keep private. Sometimes a redacted document can be offered as a compromise, particularly when protecting information with regulatory driven or mandatory protections such as PII, HIPAA, and CUI; even so, your legal and information management teams should validate your assumptions up front.

Read more in:

ZDNet: Judge demands Capital One release Mandiant cyberforensic report on data breach

Gov Infosecurity: Capital One Must Turn Over Mandiant's Forensics Report


--Highly Customized Spear Phishing Attacks

(May 29, 30, & June 1, 2020)

Researchers have detected targeted attacks that appear to be aimed at stealing credentials for industrial control systems (ICS) equipment and software suppliers. Researchers detected attacks targeting organizations in Germany, Japan, the UK, and Italy. The attacks employ steganography and messages customized to match the language used by the targets. In addition, one of several PowerShell scripts used in the attacks contains a deliberate error; the error message it returns serves as the decryption key for the data hidden in the steganographic image.

[Editor Comments]

[Neely] This attack leverages multiple techniques to avoid detection and analysis, including a deliberate PowerShell script "error" as well as downloading components from legitimate Internet sites. Segmentation or isolation is an important mitigation for control systems. Direct internet access, inbound our outbound, should not be available by default. Also make sure that credentials are unique for your control system so that credentials captured elsewhere are ineffective.

[Murray] All industrial control systems connected to the public networks must employ strong authentication to resist fraudulent reuse of compromised credentials.

Read more in:

Ars Technica: An advanced and unconventional hack is targeting industrial firms

Threatpost: Steganography Anchors Pinpoint Attacks on Industrial Targets

Bleeping Computer: Highly-targeted attacks on industrial sector hide payload in images

SC Magazine: Multilingual malware attacks on industrial sector suppliers designed to thwart detection


--Open Source Software Supply Chain Attack: Octopus Scanner Malware Infected 26 GitHub-Hosted Projects

(May 28, 29, & June 1, 2020)

In early March 2020, GitHub's Security Incident Response Team learned that some repositories were serving open-source projects that had been infected with malware known as Octopus Scanner. The malware is a backdoor that was crafted to infect NetBeans projects. A GitHub report describes the attack from detection through remediation.

[Editor Comments]

[Honan] Kudos to GitHub for being so open with this incident and for sharing their report. It is through sharing that we as an industry can learn how to improve our processes and responses.

Read more in:

Security Lab GitHub: The Octopus Scanner Malware: Attacking the open source supply chain

Portswigger: How Octopus Scanner malware attacked the open source supply chain

Bleeping Computer: New Octopus Scanner malware spreads via GitHub supply chain attack

Cyberscoop: How GitHub untangled itself from the 'Octopus' malware that infected 26 software projects

Cyware: New Octopus Scanner Malware Poisoning NetBeans Projects on Github

SC Magazine: Malware in GitHub-hosted projects designed to spread among open-source developers


--CISA Cyber Essentials Toolkit

(May 29 & June 1, 2020)

The US Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has released the first of six planned Cyber Essentials Toolkit modules, "Essential Element: Yourself, the Leader." This module "focuses on the role of leadership in forging a culture of cyber readiness in their organization with an emphasis on strategy and investment."

[Editor Comments]

[Neely] As a new or seasoned CISO, this reference provides an easy to read list of essential actions and supporting resources which will aid getting a handle on your current cyber readiness and starting to assess your corresponding risks. Future toolkits will focus on awareness, protection, access controls, backups, and business continuity.  

Read more in:

MeriTalk: CISA Releases First Cyber Essentials Toolkit

CISA: CISA Releases New Cyber Essentials Toolkit (press release)

CISA: Essential Element: Yourself, the Leader (PDF)

*****************************  SPONSORED LINKS  ******************************

1) Take the 2020 SANS Enterprise Cloud Incident Response Survey and provide insight into your current state of enterprise cloud incident response capabilities. Survey closes June 15th |

2) SANS Webcast | June 4, 2020 at 3:30PM EDT | Heather Mahalik | How Are Remote Workers Working? A SANS Poll |

3) SANS Webcast | June 9, 2020 at 3:30PM EDT | Implementing Lessons Learned from Threat Patterns on the Endpoint|



--REvil Ransomware Operators Publish Data Stolen from Elexon

(June 1, 2020)

Ransomware operators behind last month's attack on systems at the UK's Elexon have published data stolen from the company. The documents posted online include employee passport information and an insurance policy application. Elexon runs the balancing and settlement code for the UK's electricity markets.

[Editor Comments]

[Neely] The new modus operandi for ransomware is to extensively compromise systems and exfiltrate information well before encrypting the data. Also, ransomware operators are starting to include brute force attacks, reducing reliance on social engineering. Knowing where your data is housed and the value of those repositories is essential to assessing the impact of exposure and to using a risk-based approach to application of security protections.

[Honan] A reminder that under GDPR a ransomware attack can be considered a data breach as, in effect, you have lost control of that personal data entrusted to your organization. If GDPR applies to your organization, review your Incident Response processes for ransomware attacks to ensure they include an assessment of what personal data has been affected and whether you need to report the breach to your Supervisory Authority.

Read more in:

The Register: REvil ransomware gang publishes 'Elexon staff's passports' after UK electrical middleman shrugs off attack

CBR Online: Internal Data Stolen, Leaked, in REvil Attack on Electricity Market's Elexon


--Georgia (US) Bureau of Investigation Found No Evidence of Hacking in Voter Registration System

(May 29, 2020)

An investigation into allegations of hacking targeting the US state of Georgia's voter registration system found "no evidence of damage to (the Secretary of State's office) network or computers, and no evidence of theft, damage, or loss of data." The Georgia Bureau of Investigation recently released the case files from the closed investigation.

Read more in:

Pro Publica: Law Enforcement Files Discredit Brian Kemp's Accusation That Democrats Tried to Hack the Georgia Election

The Register: Remember when Republicans said Dems hacked voting systems to rig Georgia's election? There were no hacks


--Daniel's Hosting Database Leaked Online

(May 31 & June 1, 2020)

A database leaked online contains email addresses, associated passwords, and other sensitive information belonging to "owners and users of several thousand darknet domains." The database was taken from Daniel's Hosting.

Read more in:

ZDNet: Hacker leaks database of dark web hosting provider

Threatpost: Hosting Provider's Database of Crooked Customers Leaked


--Apple Releases Updates to Fix Memory Consumption Issue

(June 1, 2020)

Less than a week after a round of comprehensive security updates, Apple has released updates to iOS, iPadOS, watchOS, tvOS and macOS  to correct a memory consumption issue which could allow an application to execute arbitrary code with kernel privileges (CVE-2020-9859). The issue has been addressed through improved memory handling.

[Editor Comments]

[Neely]  Due to code reuse across products, the vulnerability had to be corrected in multiple places and while the severity rating has not yet been published, timely deployment of the updates is warranted. Note that this fix also closes the vulnerability used by the Unc0ver jailbreak.

Read more in:

DUO: iOS 13.5.1 Fixes Kernel Zero Day

ZDNet: Apple releases iOS 13.5.1 with security fixes, breaks recent Unc0ver jailbreak

Apple: Apple security updates


--Prison Sentence for Former Employee Who Sabotaged Network

(May 28 & 30, 2020)

A man who worked as a system administrator for an Atlanta, Georgia-based construction industry firm has been sentenced to 18 months in prison for sabotaging the company's computer network after his departure. Charles E. Taylor resigned from his position in July 2018; a month later, he logged into the company's network without authorization and change router passwords and shut down a central command server. Taylor was convicted of computer fraud earlier this year. Taylor was also ordered to pay more than US $800,000 in restitution.

[Editor Comments]

[Neely] Timely disabling of accounts and changing of shared credentials is key when staff separates, particularly system and network administrators. Monitoring use of disabled accounts as well as privileged accounts, including those with domain or device administration rights, is important in detecting this type of threat. Also, make sure that remote administration of network and boundary control devices require the use of a secure entry point - not only to prevent unauthorized user modification, but also to protect devices from direct exploitation of vulnerabilities.  

Read more in:

GovInfosecurity: Former IT Administrator Sentenced in Insider Threat Case

Justice: IT manager sentenced for hacking into and sabotaging his former employer's computer network


--Nipissing First Nation Computers Targeted by Ransomware

(May 29 & June 1, 2020)

Computers belonging to Nipissing First Nation (NFN) administration in Canada were infected with ransomware last month. The incident was detected on May 8 and affected every department, "result[ing] in communications disruptions that [they] are still working to overcome."

Read more in:

Bleeping Computer: Ransomware locks down the Nipissing First Nation

Nugget: Ransomware attack targets Nipissing First Nation

NFN: Enkamgak (page 2) Ransomware Attack (PDF)




Impact of Researchers on Our Data


Sectigo AddTrust CA Expired


Critical Sign In With Apple Flaw


Apple Patches Unc0ver


New Website Explaining FIDO


DABANGG: Refined Flush Based Cache Attacks


Office 365 Adds Details About Malicious E-Mail Attachments


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit