

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #5

January 17, 2020

Exploit Code Released for Critical Cryptographic Flaw in Windows; The U.S. National Cybersecurity Talent Discovery Program; Russian Hackers Breached Ukrainian Gas Company

NSA played a central role in this week's critical cryptographic vulnerability affecting tens of millions of Windows systems. Upon discovering the flaw, NSA moved quickly to protect systems rather than exploiting the vulnerability until information about it leaked out. And they did it with government-wide and vendor coordination. Impressive.





  Proof-of-Concept Exploit Code Released for Critical Cryptographic Flaw in Windows 10

  Microsoft Patch Tuesday

  The U.S. National High School Cybersecurity Talent Discovery Program

  Report: Russian Hackers Breached Systems at Ukrainian Gas Company Burisma


  Adobe Patch Tuesday

  Oracle Critical Patch Update for January 2020

  Android Mobile App Data Sharing is "Out of Control"

  P&N Bank Discloses Breach

  Users Urged to Patch Cisco Data Center Network Manager Vulnerabilities

  WordPress Plugin Flaws Affect 320,000 Sites

  Alleged Swatter Arrested

  Ryuk Ransomware Tries to Wake Powered-Down Devices

  FBI Changes Breach Notification Policy for Election Systems


*************************  Sponsored By  SANS  ******************************

Join SANS's Chris Crowley and experts from SaltyCloud, Swimlane and ThreatConnect for this informative half-day event as they provide actionable examples of the sequence of steps your organization needs to take to utilize security orchestration, automation and response tools. FREE to attendees with Discount Code AUTO20. http://www.sans.org/info/215285



Cybersecurity Training Update


-- SANS Security East 2020 | New Orleans, LA | February 1-8 | https://www.sans.org/event/security-east-2020

-- SANS Scottsdale 2020 | February 17-22 | https://www.sans.org/event/scottsdale-2020

-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 | https://www.sans.org/event/osint-summit-2020

-- SANS Munich March 2020 | March 2-7 | https://www.sans.org/event/munich-march-2020

-- SANS Northern VA - Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020

-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020

-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020

-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020

-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020

-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020

-- SANS OnDemand and vLive Training

Get an iPad (32G), a Samsung Galaxy Tab A, or Take $250 Off through January 22 with OnDemand or vLive training.


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/

-- Single Course Training

SANS Mentor | https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/


-- View the full SANS course catalog and Cyber Security Skills Roadmap






--Proof-of-Concept Exploit Code Released for Critical Cryptographic Flaw in Windows 10

(January 14, 15, & 16, 2020)

The US National Security Agency (NSA) has deemed a cryptographic flaw it found in Windows 10 so critical that it took the unusual step of disclosing the flaw itself. The flaw could be exploited to spoof code signing certificates. The issue also affects Windows Server 2016 and 2019 and "applications that rely on Windows for trust functionality." The Department of Homeland Security's (DHS's) Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive instructing federal agencies to patch the issue by January 29. Proof-of-concept exploit code for the vulnerability has been released.   

[Editor Comments]

[Ullrich] SANS created a test site at https://curveballtest.com. The site also offers a benign executable that was signed with an exploit signature. Use it to test your defenses. Many end point protection products and even Chrome have added rules to detect bad signatures, possibly protecting you even if you are not yet patched.


Read more in:

Defense: Patch Critical Cryptographic Vulnerability in Microsoft Windows Clients and Servers (PDF)


DHS: Mitigate Windows Vulnerabilities from January 2020 Patch Tuesday


FNN: CISA demands 'emergency action' from agencies on Windows vulnerability patch


Wired: Windows 10 Has a Security Flaw So Severe the NSA Disclosed It


SC Magazine: NSA reveals to Microsoft critical Windows 10 flaw


ZDNet: Proof-of-concept exploits published for the Microsoft-NSA crypto bug


Ars Technica: Critical Windows 10 vulnerability used to Rickroll the NSA and Github


Ars Technica: Patch Windows 10 and Server now because certificate validation is broken


Dark Reading: Microsoft Patches Windows Vuln Discovered by the NSA


Threatpost: PoC Exploits Published For Microsoft Crypto Bug
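The item above says the flaw lets an attacker spoof code-signing certificates, and the NSA advisory linked later in this issue attributes it to Windows' handling of ECC certificates that carry explicit curve parameters rather than a named curve. The following is an added example, not code from SANS, Microsoft or the NSA: a small DER walker that flags any certificate in a chain whose SubjectPublicKeyInfo is id-ecPublicKey with explicit ECParameters, which is the kind of rule the endpoint and browser vendors mentioned by Ullrich could apply. It assumes the input is raw DER (no PEM handling) and that flagging explicit parameters is the right signal; the two sample certificates are constructed, unsigned skeletons built by the `_der` helper so the check can run offline, and the explicit ECParameters body is a truncated placeholder.

```python
"""Flag DER X.509 certificates whose EC public key uses explicit curve parameters.

Added example (not SANS/NSA code). Assumption: following the CVE-2020-0601
root cause, an ECC certificate with explicit ECParameters instead of a
namedCurve OID is treated as suspicious and reported.
"""
from typing import List, Tuple

ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1
SECP256R1 = bytes.fromhex("2a8648ce3d030107")        # OID 1.2.840.10045.3.1.7 (prime256v1)
ECDSA_WITH_SHA256 = bytes.fromhex("2a8648ce3d040302")  # OID 1.2.840.10045.4.3.2
PRIME_FIELD = bytes.fromhex("2a8648ce3d0101")        # OID 1.2.840.10045.1.1


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(content: bytes) -> List[Tuple[int, bytes]]:
    """Split the content of a constructed DER element into (tag, content) children."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out


def uses_explicit_ec_params(cert_der: bytes) -> bool:
    """True if SubjectPublicKeyInfo is id-ecPublicKey with explicit (SEQUENCE) parameters."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    fields = _children(_children(cert)[0][1])   # tbsCertificate is the first element
    if fields and fields[0][0] == 0xA0:         # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = _children(fields[5][1])
    alg_id = _children(spki[0][1])              # AlgorithmIdentifier: OID, parameters
    if alg_id[0][1] != ID_EC_PUBLIC_KEY or len(alg_id) < 2:
        return False                            # RSA etc., or no parameters: out of scope
    return alg_id[1][0] == 0x30                 # 0x30 = ECParameters SEQUENCE; 0x06 = namedCurve OID


def flag_chain(chain: List[bytes]) -> List[int]:
    """Return the indices of certificates in a chain that carry explicit EC parameters."""
    return [i for i, cert in enumerate(chain) if uses_explicit_ec_params(cert)]


def _der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (short and long length forms); used only to build samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _sample_cert(ec_params: bytes) -> bytes:
    """Constructed certificate skeleton (empty names, dummy key and signature) for testing."""
    alg = _der(0x30, _der(0x06, ID_EC_PUBLIC_KEY) + ec_params)
    spki = _der(0x30, alg + _der(0x03, b"\x00\x04" + b"\x11" * 64))
    name = _der(0x30, b"")
    validity = _der(0x30, _der(0x17, b"200101000000Z") + _der(0x17, b"300101000000Z"))
    sig_alg = _der(0x30, _der(0x06, ECDSA_WITH_SHA256))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + name + validity + name + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" + b"\x22" * 8))


# Constructed samples: a normal namedCurve certificate and one with explicit
# ECParameters (version 1, prime-field fieldID; the rest is a truncated placeholder).
NAMED_CURVE_CERT = _sample_cert(_der(0x06, SECP256R1))
EXPLICIT_PARAMS_CERT = _sample_cert(
    _der(0x30, _der(0x02, b"\x01") + _der(0x30, _der(0x06, PRIME_FIELD))))

if __name__ == "__main__":
    print("flagged indices:", flag_chain([NAMED_CURVE_CERT, EXPLICIT_PARAMS_CERT]))
```

Running this on a real chain (e.g. the DER certificates pulled from a signed binary or a TLS handshake) generalizes the page's specific case: any certificate reported by `flag_chain` deserves a look, since CAs issue named-curve keys and an explicit-parameter certificate in a trust path is exactly the shape the advisory describes.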



--Microsoft Patch Tuesday

(January 14, 2020)

On Tuesday, January 14, Microsoft released fixes for 50 security issues, including a critical cryptographic vulnerability in Windows 10. While that vulnerability has grabbed headlines, users are also being urged to apply the update to fix a pair of Remote Desktop Protocol (RDP) vulnerabilities. January 14 also marks the last update Microsoft will provide for Windows 7; the operating system will no longer be supported for home users.

[Editor Comments]

[Ullrich] Do not overlook the RD Gateway issues (CVE-2020-0609 and CVE-2020-0610). These are critical and on the same level as the famous "BlueKeep" vulnerability in RDP if you are using RD Gateway.

[Neely] DHS/CISA considers these vulnerabilities severe enough to have issued Emergency Directive 20-02 (https://cyber.dhs.gov/ed/20-02/) which requires federal agencies to apply these patches within ten business days (1/29/20) as well as report progress on applying the fixes. DHS's last emergency directive was ED 19-01 (Jan. 22, 2019) to "Mitigate DNS Infrastructure Tampering." It is expected that products that leverage the Microsoft crypto library, or otherwise use or implement ECC should be checked for similar flaws. Vendors are starting to publish their assessments.

Read more in:

KrebsOnSecurity: Patch Tuesday, January 2020 Edition


The Register: Welcome to the 2020s: Booby-trapped Office files, NSA tipping off Windows cert-spoofing bugs, RDP flaws...


ZDNet: Microsoft January 2020 Patch Tuesday fixes 49 security bugs


Ars Technica: Another reason to hurry with Windows server patches: A new RDP vulnerability


MSRC: Security Update Summary



--The U.S. National High School Cybersecurity Talent Discovery Program

(January 17, 2020)

The U.S. National high school cybersecurity talent discovery program (an extracurricular program) has 6,669 high school girls participating in just the first four days of the multi-week program. Texas, New Jersey and Nevada are leading the nation with Maryland and Virginia rounding out the top 5. In all those states and in 22 more, governors personally invited students to "just try it." California seems to be gaining momentum - reflecting Cisco's initiatives to encourage employees to get the word out and help high school teams. Playing the game doubles the likelihood that a young woman will be interested in pursuing computer science. And students learn far more while playing than in any other cybersecurity competition and in fact more than in most high school or college cybersecurity classes.

[Paller] Boys also get to play in every school where five or more girls are making progress.

Texas success:

KXAN: Girls' cybersecurity contest aims to promote equity, fill worker shortage


More info at www.girlsgocyberstart.org


--Report: Russian Hackers Breached Systems at Ukrainian Gas Company Burisma

(January 14, 15, & 16, 2020)

According to a report from security company Area 1, Russian hackers successfully targeted systems at Ukrainian gas company Burisma through phishing attacks late last year. The attacks appear to be an effort to obtain potentially embarrassing information to be used against Joe Biden. Biden's son once served on Burisma's board of directors. Ukraine's Ministry of Internal Affairs has begun criminal proceedings in connection with the attacks, and is reportedly seeking help from the FBI.

Read more in:



NYT: Russians Hacked Ukrainian Gas Company at Center of Impeachment


CS Monitor: Russians hacked Ukrainian company key to Trump's impeachment


Wired: If Russia Hacked Burisma, Brace for the Leaks to Follow


SC Magazine: Russia's Fancy Bear successfully hacked Burisma during impeachment probe


Vice: The Russian Group That Hacked the DNC Has Now Breached the Company at the Center of Trump's Impeachment


The Hill: Ukrainian authorities ask FBI for help investigating Russian hack on Burisma


****************************  SPONSORED LINKS  ******************************

1) Webcast January 22nd at 3:30PM ET: Optimize Decision Support Through Verifiable Classification. http://www.sans.org/info/215290

2) Take the SANS 2020 Automation & Integration Survey and enter for a chance to win a $400 Amazon gift card: http://www.sans.org/info/215305

3) Join Anomali January 23rd as they cover how the cyber threat landscape appeared in 2019 and the most common TTPs used. http://www.sans.org/info/215310




--Adobe Patch Tuesday

(January 14 & 15, 2020)

Adobe's monthly security release includes fixes for five critical memory corruption flaws in Illustrator CC and four flaws in Adobe Experience Manager.

[Editor Comments]

[Neely] The good news is Adobe's Creative Cloud desktop service by default will automatically apply these patches, and these are fixes specific to their Illustrator and Experience Manager products, which are typically not as widely deployed as Acrobat or Flash in the enterprise, so ensuring they are mitigated should be much easier.

Read more in:

SC Magazine: Adobe rolls out a light Patch Tuesday offering


ZDNet: Adobe's first 2020 security patch update fixes code execution vulnerabilities


Bleeping Computer: Adobe Releases Their January 2020 Security Updates


Adobe: Security Updates Available for Adobe Illustrator CC | APSB20-03


Adobe: Security updates available for Adobe Experience Manager | APSB20-01



--Oracle Critical Patch Update for January 2020

(January 14, 15, & 16, 2020)

Oracle's Critical Patch Update for January 2020 includes fixes for 334 security issues across a wide spectrum of product families. Forty-three of the vulnerabilities addressed in the update are rated critical.

[Editor Comments]

[Ullrich] The WebLogic and PeopleSoft flaws are my main concern. We have seen similar flaws exploited in the wild before. It is a bit disappointing that Oracle still patches two-year-old flaws in open source libraries like Apache Commons and log4j.

[Neely] The large number here is due to the breadth of products included in the patch bundle which includes 10 Solaris fixes, 38 Fusion Middleware fixes, 23 for the E-Business suite and 12 for their database server. The urgency of the update is due to 191 fixes for flaws that can be remotely executed without authentication. When pared down to products running in your environment, the number is much more manageable. Even so, timely regression testing and application is prudent, particularly for externally accessible services.

Read more in:

The Register: Yo, sysadmins! Thought Patch Tuesday was big? Oracle says 'hold my Java' with huge 334 security flaw fix bundle


ZDNet: Oracle just released a whopping 334 security fixes in critical patch update


Threatpost: Oracle Ties Previous All-Time Patch High with January Updates


Oracle: Oracle Critical Patch Update Advisory - January 2020



--Android Mobile App Data Sharing is "Out of Control"

(January 16, 2020)

A report from the Norwegian Consumer Council says that the sharing of sensitive information by Android apps is "out of control." According to analysis of 10 popular Android apps conducted by Mnemonic, the apps share sensitive user data with numerous third parties. Mnemonic conducted its analyses between June and November 2019. In all, the 10 examined apps sent user data to a total of 135 separate third-party entities that all engage in advertising or behavioral marketing.

[Editor Comments]

[Ullrich] At the same time, users are complaining that the latest iOS release from Apple is "too noisy" with its location tracking alerts. In the end, many people just want things to work and don't care who they are sharing what information with.

[Neely] For many applications, enabling access to sensitive data is needed for desired functionality. Even so, in current Android operating systems, you can now review application privileges and ensure that you've not granted extra permissions in the heat of installing a new app. While reading the privacy/data sharing agreements is a good way to find out where a given application will share data, providers need to make sure they are short, easy to understand, and quick to read so users will look at them.

Read more in:

SC Magazine: Analysis of popular apps finds rampant sharing of personal data


Forbrukerradet: Out of Control: How consumers are exploited by the online advertising industry (PDF)



--P&N Bank Discloses Breach

(January 15 & 16, 2020)

Australia's P&N Bank has disclosed a breach that compromised customer data, including names, account numbers, and account balances. The incident occurred around the second week of December 2019 during a server upgrade. P&N believes that the intruders gained entry through a third-party hosting provider.

Read more in:

PN Bank: Statement from the CEO - information breach


ZDNet: P&N Bank discloses data breach, customer account information, balances exposed


Bleeping Computer: Customer-Owned Bank Informs 100k of Breach Exposing Account Balance, PII


Softpedia: Hackers Break Into Western Australia's Largest Bank, Personal Data Exposed



--Users Urged to Patch Cisco Data Center Network Manager Vulnerabilities

(January 15, 2020)

Cisco released fixes for a trio of critical flaws in its Data Center Network Manager software earlier this month. Users are urged to apply the patches as soon as possible because proof-of-concept exploit code has been released.

Read more in:

ZDNet: Critical Cisco DCNM flaws: Patch right now as PoC exploits are released


Cisco: Cisco Data Center Network Manager Authentication Bypass Vulnerabilities



--WordPress Plugin Flaws Affect 320,000 Sites

(January 14 & 15, 2020)

Critical flaws in two WordPress plugins could be exploited to access websites' administrator accounts without a password. The affected plugins, InfiniteWP Client and WP Time Capsule, run on 300,000 and 20,000 websites, respectively. The developers of both plugins have addressed the issues in updates.

[Editor Comments]

[Ullrich] WordPress just can't get its act together. There are two ways to run WordPress: Either you run it at WordPress.com and pay, or you don't run it. WordPress's business model is based on the fact that the only way to run its product securely is if you let them manage it for you.

[Neely] Automating plugin updates for CMS systems prevents more problems than it creates. Coupled with incremental backups which permit easy roll-back, the risks are largely mitigated. Reviewing and removing unused plugins regularly is also prudent.

Read more in:

ZDNet: Critical bugs in WordPress plugins InfiniteWP, WP Time Capsule expose 320,000 websites to attack


The Register: Updated your WordPress plugins lately? Here are 320,000 auth-bypassing reasons why you should


Threatpost: Critical WordPress Bug Leaves 320,000 Sites Open to Attack


Bleeping Computer: Critical WordPress Plugin Bug Allows Admin Logins Without Password



--Alleged Swatter Arrested

(January 14, 2020)

US federal authorities have arrested a Virginia man for his alleged involvement with a neo-Nazi group that launched swatting attacks and bomb threats against hundreds of targets. John William Kirby Kelley was identified after he phoned in a bomb threat to Old Dominion University in November 2018, while he was a student there. Two other individuals involved in the attacks remain at large.

Read more in:

KrebsOnSecurity: Alleged Member of Neo-Nazi Swatting Group Charged


Ars Technica: FBI arrests man suspected of orchestrating dozens of "swatting" calls


Court Listener: Affidavit (PDF)



--Ryuk Ransomware Tries to Wake Powered-Down Devices

(November 1, 2019 & January 14, 2020)

The Ryuk ransomware is capable of using the Wake-on-LAN feature to turn on devices in a standby state so it can attempt to encrypt them. Wake-on-LAN allows a device that has been powered down to be woken up by sending it a special network packet. Administrators are advised to restrict which hosts may send Wake-on-LAN packets. Researchers at CrowdStrike noted this capability in November 2019.

[Editor Comments]

[Neely] Wake-on-LAN needs to be activated from the local subnet and is more likely used on workstations and desktops than servers, which run continuously. Apply filters to only allow Wake-on-LAN packets from authorized devices. Also check for permissions on shares, which is how the ransomware is attempting to access and encrypt awakened systems.

Read more in:

Bleeping Computer: Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices


CrowdStrike: WIZARD SPIDER Adds New Features to Ryuk for Targeting Hosts on LAN
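The item above describes the magic packet that wakes a sleeping host and recommends filtering so that only authorized devices may send one. The following is an added example, not code from SANS, CrowdStrike or the cited articles: it parses UDP payloads for the magic-packet format (six 0xFF bytes followed by the target MAC repeated sixteen times) and raises an alert for any magic packet whose source is not on an allowlist, which is the detection half of the filter Neely recommends. It assumes datagrams are presented as (source IP, destination port, payload) tuples taken from a capture or a sensor; the allowlist, the target MAC and the sample traffic are all constructed placeholders.

```python
"""Spot Wake-on-LAN magic packets and check their sender against an allowlist.

Added example (not SANS/CrowdStrike code). Assumptions: input datagrams are
(src_ip, dst_port, payload) tuples, and AUTHORIZED_WOL_SENDERS is a constructed
placeholder for the management hosts permitted to wake machines on this subnet.
"""
from typing import Iterable, List, Optional, Tuple

AUTHORIZED_WOL_SENDERS = {"10.0.0.5"}   # constructed placeholder allowlist
WOL_PORTS = {7, 9}                       # UDP ports conventionally used for magic packets


def parse_magic_packet(payload: bytes) -> Optional[str]:
    """Return the target MAC ('aa:bb:cc:dd:ee:ff') if payload is a magic packet, else None.

    A magic packet is a 6-byte synchronisation stream of 0xFF followed by the target
    MAC repeated 16 times (102 bytes). A 4- or 6-byte SecureOn password may trail the
    102 bytes, so extra trailing data is tolerated but not interpreted.
    """
    if len(payload) < 102 or payload[:6] != b"\xff" * 6:
        return None
    mac = payload[6:12]
    if payload[6:102] != mac * 16:       # the MAC must be repeated exactly 16 times
        return None
    return ":".join(f"{b:02x}" for b in mac)


def evaluate_datagram(src_ip: str, dst_port: int, payload: bytes) -> Tuple[str, Optional[str]]:
    """Classify one UDP datagram as ('ignore' | 'allow' | 'deny', target_mac)."""
    target = parse_magic_packet(payload)
    if target is None:
        return "ignore", None
    if src_ip in AUTHORIZED_WOL_SENDERS:
        return "allow", target
    return "deny", target


def wol_alerts(datagrams: Iterable[Tuple[str, int, bytes]]) -> List[str]:
    """Return one alert line per magic packet whose sender is not on the allowlist."""
    alerts = []
    for src_ip, dst_port, payload in datagrams:
        verdict, target = evaluate_datagram(src_ip, dst_port, payload)
        if verdict == "deny":
            # Magic packets on unusual ports still wake hosts; call that out explicitly.
            note = "" if dst_port in WOL_PORTS else " (non-standard port)"
            alerts.append(f"unauthorized WoL from {src_ip} targeting {target}{note}")
    return alerts


# Constructed sample traffic: the management host, a workstation on the same subnet,
# and an unrelated datagram that happens to start with six 0xFF bytes.
TARGET_MAC = bytes.fromhex("001122334455")
MAGIC = b"\xff" * 6 + TARGET_MAC * 16
SAMPLE_DATAGRAMS = [
    ("10.0.0.5", 9, MAGIC),                          # allowed management host
    ("10.0.0.77", 9, MAGIC),                         # workstation sending wake-ups: alert
    ("10.0.0.77", 40000, MAGIC + b"\x00" * 6),       # same sender, odd port, SecureOn trailer
    ("10.0.0.9", 9, b"\xff" * 6 + bytes(range(96))),  # not a magic packet: MAC not repeated
]

if __name__ == "__main__":
    for line in wol_alerts(SAMPLE_DATAGRAMS):
        print(line)
```

On a real subnet the same logic can be fed from a capture filter on UDP broadcast traffic; the enforcement half (dropping the packet at the switch or host firewall) uses the same allowlist, and the alert from an unexpected sender is the early signal that something on a workstation is trying to wake its neighbours.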



--FBI Changes Breach Notification Policy for Election Systems

(January 16, 2020)

The FBI will now notify state officials when election systems within their states have been breached in a cyber attack. Previously, the FBI notified only affected counties.  (Please note that the WSJ story is behind a paywall.)

Read more in:

The Hill: FBI announces new policy to give election officials 'timely' notification of cyber breaches


WSJ: FBI Changes Policy for Notifying States of Election Systems Cyber Breaches (paywall)





Microsoft January 2020 Patch Tuesday and #CryptoAPI Flaw

Webcast: https://sans.org/cryptoapi-isc

Diary: https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+for+January+2020/25710/

NSA Release: https://media.defense.gov/2020/Jan/14/2002234275/-1/-1/0/CSA-WINDOWS-10-CRYPT-LIB-20190114.PDF

CVE-2020-0601 Followup


CVE-2020-0601 Update ("Curveball", "Letsdecrypt")



Oracle Patches


Certain Netscaler Devices Do Not Support Mitigation (article in Dutch)


Cable Haunt Vulnerability


STI Student Interview: Jon Michael Lacek




The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create