Last Day: Get a 10.2" iPad (32 G), Galaxy Tab A, or Take $250 Off with OnDemand Training

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #51

June 26, 2020

FLASH! Patch Exchange Servers Now; and More Ransomware News - Some Good


SANS NewsBites                June 26, 2020                Vol. 22, Num. 051



  Microsoft: Patch Exchange Servers Now

  Lion Breweries are Operational Again After Ransomware Attack

  Maze Ransomware Operators Say They Stole Data From LG Electronics Network

  Sodinokibi/REvil Ransomware Group Scanning Compromised Networks for POS Systems



  Google Will Enable Auto-Delete for User Data by Default on New Accounts

  Legislators Introduce Bill Requiring Breakable Encryption

  Cyberbunker Analysis

  Akamai Mitigated Massive Packet-per-Second Based DDoS Attack

  Lucifer Malware Exploits Multiple Known Windows Vulnerabilities


  Suzette Kent is Leaving Government Service

  Prison Sentence for Botnet Creator


*********************  Sponsored By  Netskope  ******************************

Join Netskope's Cloud Security Workshop. Are you really ready to provide safe access to cloud services and keep pace with new threats? Register for Netskope's complimentary cloud security workshop! Take control over your web services. Get 5 CPE credits and hands-on experience with Next Gen Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) solutions built for the cloud.




SANS Training is 100% Online, with two convenient ways to complete a course:

OnDemand  | Live Online



Keep your skills sharp with SANS Online Training:

.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications

OnDemand Training Special Offer

Flexible Offer with Flexible Training

Choose an iPad Air, an iPad with Smart Keyboard, a Surface Go, or Take $300 Off with OnDemand Training through July 8.


Live Online Training Special Offer

Get a Free GIAC Certification Attempt or Take $350 Off with Live Online Training through July 4.



Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling


SEC560: Network Penetration Testing and Ethical Hacking



Upcoming In Person and Live Online Events:


DFIR Summit & Training (Free Summit) | July 16-25 | Live Online


SANS Rocky Mountain Summer 2020 | July 20-25 | Live Online


SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online


SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online



Test drive a course:

View the full SANS course catalog and skills roadmap.





--Microsoft: Patch Exchange Servers Now

(June 24 & 25, 2020)

In a recent blog post, the Microsoft Defender ATP Research Team describes a recent increase in attacks targeting Microsoft Exchange servers. The attacks exploit a critical flaw in the Internet Information Service (IIS) component of Exchange servers. Fixes for the vulnerability have been available since February 2020.

[Editor Comments]

[Neely] While the initial attacks leveraged client access to reach your Exchange server, the new focus leverages a flaw in the servers' IIS component to launch a web shell. Additionally, once accessed, misconfigured servers allowed for credential harvesting. Two actions are needed. First, patch your servers. Second, review the security configuration. Microsoft has published security guides for Exchange and CIS ( has configuration guides which can also be leveraged.

[Pescatore] Three weeks ago Rapid7 pointed out the high percentage of unpatched Exchange servers, and we ran a NewsBites item. We also did a NewsBites drilldown on this issue with a general reminder to double check that server patching is still actually happening while your IT staff is largely consumed with supporting Work at Home.

Read more in:

Microsoft: Defending Exchange servers under attack

ZDNet: Microsoft: Patch your Exchange servers, they're under attack

Bleeping Computer: Microsoft: Attackers increasingly exploit Exchange servers

MSRC: CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability


--Lion Breweries are Operational Again After Ransomware Attack

(June 26, 2020)

Australian beverage company Lion says that all of its breweries are up and running, and that its dairy and juice facilities are operational. Lion suffered a ransomware attack earlier this month.

[Editor Comments]

[Neely] With all the ransomware attacks reported, it's nice to have news about recovery. Although Lion is still finishing up the IT cleanup and may have some disruptions related to that process, the restoration of service to their customers will make this transparent. As Australia remains an active target for ransomware attacks, Lion's mitigations to prevent recurrence will continue to be tested.   

Read more in:

LionCo: Lion Cyber incident update 26 June 2020

ZDNet: Lion gets breweries up and running following ransomware attack


--Maze Ransomware Operators Say They Stole Data From LG Electronics Network

(June 25, 2020)

Operators of the Maze ransomware claim they have stolen proprietary data from LG Electronics. They also claim to have encrypted the company's network. As of Thursday afternoon, June 25, LG has not commented.

Read more in:

Bleeping Computer: LG Electronics allegedly hit by Maze ransomware attack

--Sodinokibi/REvil Ransomware Group Scanning Compromised Networks for POS Systems

(June 23 & 24, 2020)

Researchers at Symantec have detected a Sodinokibi/REvil ransomware campaign that in some cases, also scans infected networks for point-of-sale (POS) software. It is unclear whether the Sodinokibi/REvil operators are seeking to encrypt POS systems or if they are looking to steal payment card data.

[Editor Comments]

[Neely] The Symantec blog post provides insight into the TTPs used for distribution, control, and exploitation as well as IOCs that should be used to consider mitigations which can reduce the chances of success for an attempted introduction of REvil. The Sodiokibi operators have demonstrated that no matter what data they access, they are prepared to leverage it to ensure payment. Compromised card data, in sufficient volume, is still marketable commodity independent of any business specific data.

[Murray] Once your systems are breached there are multiple ways for the perpetrators to monetize the breach. While one may be able to assign part of the risk to insurance underwriters, it is usually more efficient to resist the breach, and all the risk, in the first place.  

Read more in:

Symantec: Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike

Bleeping Computer: REvil ransomware scans victim's network for Point of Sale systems

Threatpost: Sodinokibi Ransomware Now Scans Networks For PoS Systems

*****************************  SPONSORED LINKS  *****************************

1) Webcast | Join SANS Senior Instructor, Dave Shackleford as he discusses "Securing Assets Using Micro-Segmentation: A SANS Review of Guardicore Central"  | June 30, 2020 @ 1:00pm EDT


2) On- Demand Webcast | If you missed the "SANS ICS Asset Identification: It's More Than Just Security: A SANS Report" you can still listen online.


3) Webcast | Join leading industry expert, Jake Williams as he hosts the upcoming webcast "4 Secrets to Power Charge Your SOC - How prevention and detection can deliver new work stream efficiencies." | July 8,2020 @ 1:00pm EDT




--Google Will Enable Auto-Delete for User Data by Default on New Accounts

(June 24, 2020)

New Google accounts will now "automatically and continuously" delete user data after 18 months by default. Last year, Google introduced an opt-in data deletion feature; users could choose to have their data deleted after three months or after 18 months. If users already have the feature enabled, their setting will not be changed.

[Editor Comments]

[Neely] Existing accounts have three settings: Forever, 18 Months and 3 Months. These settings will not be changed. You can review your settings on the page under Activity Controls. This page also allows you to see what activity is tracked and manually delete it. Take a moment and review your settings as well as educate yourself on what's being tracked.

[Murray] One may also delete more recent activity, including third-party cookies, on a one-time basis. This can be useful in stopping nuisance ads based upon recent activity. (I recently googled an MIT project whose name was also the name of a popular dog food. I do not have a dog.)

Read more in:

Google: Keeping your private information private

The Hill: Google adds automatic data deletion for new accounts

Wired: Google Will Delete Your Data by Default--in 18 Months


--Legislators Introduce Bill Requiring Breakable Encryption

(June 24, 2020)

Three US senators have introduced a bill that would compel technology companies to help law enforcement by helping them obtain access to encrypted data on their networks when the request is accompanied by a warrant. The bill would apply to both data at rest and data in motion. The bill would not apply to products and services sold and operated outside the US.  

[Editor Comments]

[Pescatore] This bill is looking to amend the Communications Assistance to Law Enforcement Act (CALEA) which was passed back in 1994 to require digital switch makers and telecoms service providers to support targeted surveillance of a particular connection in a digital stream of voice data. That was a much simpler issue than this bill addresses in trying to extend the model to all consumer devices, operating systems, and cloud services. I've commented on various bills like this in the past - any data analysis shows an order of magnitude more digital crime has succeeded because data was NOT encrypted than the amount of damage from law enforcement being impeded by the user of strong encryption.

[Murray] Our colleague, David Kennedy at Verizon, cautions us not to even consider legislative proposals until they at least get a committee hearing. Related to "signal-to-noise."

Read more in:

Threatpost: New Bill Targeting 'Warrant-Proof' Encryption Draws Ire

ZDNet: US Republican Senators develop Bill to end use of 'warrant-proof' encryption

Vice: Republicans Who Don't Understand Encryption Introduce Bill to Break It

Duo: New Bill Takes Direct Aim At Encrypted Devices and Services

The Register: After huffing and puffing for years, US senators unveil law to blow the encryption house down with police backdoors

Regmedia: Lawful Access to Encrypted Data Act (PDF)


--Cyberbunker Analysis

(June 23 & 25, 2020)

Last September, German police raided a cold-war era nuclear bunker outside of Frankfurt. The facility was being used by "Cyberbunker," a criminal organization that provided hosting services for various illegal purposes. A few months ago, the Internet Storm Center was able to access the Cyberbunker's IP address space. graduate student Karim Lalji's analysis found evidence of various illegal activities including several botnets with thousands of hosts trying to reach command-and-control servers months after law enforcement took them down.

Read more in:

ISC: Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider

The Register: Honeypot behind sold-off IP subnet shows Cyberbunker biz hosted all kinds of filth, says SANS Institute


--Akamai Mitigated Massive Packet-per-Second Based DDoS Attack

(June 25, 2020)

In a June 25, 2020 blog post, Akamai writes that it "mitigated the largest packet per second (pps) distributed denial-of-service (DDoS) attack ever recorded on the Akamai platform." The 809 million packets-per-second attack targeted an unnamed European bank on June 21. The blog also draws a distinction between DDoS attacks measured in bits per second (bps), which aim "to overwhelm the inbound internet pipeline," and attacks measured in packets per second (pps), which "are largely designed to overwhelm network gear and/or applications in the customer's data center or cloud environment."

Read more in:

Akamai: Largest Ever Recorded Packet Per Second-Based DDoS Attack Mitigated By Akamai

Bleeping Computer: European bank suffers biggest PPS DDoS attack, new botnet suspected

The Register: There are DDoS attacks, then there's this 809 million packet-per-second tsunami Akamai says it just caught

Ars Technica: Two record DDoSes disclosed this week underscore their growing menace


--Lucifer Malware Exploits Multiple Known Windows Vulnerabilities

(June 25, 2020)

Malware that has been dubbed Lucifer exploits a number of known high and critical severity Windows vulnerabilities, some dating back several years. The malware is multi-faceted: once it infects computers, it uses their resources for cryptomining or for launching distributed denial-of-service attacks.

Read more in:

Unit 42 Palo Alto Networks: Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices

Dark Reading: Lucifer Malware Aims to Become Broad Platform for Attacks

ZDNet: Lucifer: Devilish malware that abuses critical vulnerabilities on Windows machines

Bleeping Computer: New Lucifer DDoS malware creates a legion of Windows minions



(June 25, 2020)

The 19 vulnerabilities in the Treck TCP/IP stack, known collectively as Ripple20, affect millions of IoT devices. The health care industry appears to have significantly more affected devices than other sectors, according to information from Forescout. The Bleeping Computer article includes a list of vendors with products that are confirmed to be affected by Ripple20.

[Editor Comments]

[Pescatore] Medical devices comprise a large share of users of the flawed Treck software. You will find a NewsBites drilldown on the issue at

Read more in:

Bleeping Computer: List of Ripple20 vulnerability advisories, patches, and updates

Forescout: Identifying and Protecting Devices Vulnerable to Ripple20


--Suzette Kent is Leaving Government Service

(June 25, 2020)

US Federal CIO Suzette Kent has announced that she will leave her government position next month. Kent has served as Federal CIO since January 2018.

Read more in:

Fedscoop: Suzette Kent leaving government in July

Nextgov: Federal CIO Suzette Kent Tells Staff She's Retiring

Meritalk: Federal CIO Suzette Kent Stepping Down in July


--Prison Sentence for Botnet Creator

(June 25, 2020)

Kenneth Currin Schuchman has been sentenced to 13 months in prison for his role in the creation of numerous Internet-of-Things (IoT)-based botnets. Schuchman had earlier pleaded guilty to violating the Computer Fraud and Abuse Act (CFAA). Two accomplices have been charged with conspiracy to commit fraud in connection with the scheme.

Read more in:

KrebsOnSecurity: New Charges, Sentencing in Satori IoT Botnet Conspiracy

ZDNet: DDoS botnet coder gets 13 months in prison

Justice: Washington Man Sentenced for Role in Developing "Mirai" Successor Botnets

KrebsOnSecurity: Indictment (PDF)




Analysis Of Traffic Targeting CyberBunker IP Space Student Karim Lalji: Real-Time Honeypot Forensic Investigation on a German Organized Crime Network

Using Shell Links as zero-touch downloaders and to initiate network connections

Recordings of the Tech Tuesday Workshop

Microsoft Offering Enterprise Security Products for Linux/Android

Microsoft Safe Documents

Chrome Updates Released

QNAP Updates for Helpdesk

Magento Update

Attacks Against Microsoft Exchange Servers

Credit Card Skimmers Hide Code in Favicon EXIF Data

GeoVision Scanners Vulnerabilities

Docker Images Containing Cryptojacking Malware


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit