
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #52

June 30, 2020

Medical Research Center Pays Ransomware; Hackers Wiping Lenovo/Iomega NAS Devices, Demanding Ransom; Card Skimming Malware on Government Websites in Eight US Cities


SANS NewsBites                June 30, 2020                Vol. 22, Num. 052




  California's Top Medical Research University Pays Ransomware Actors

  Hackers are Wiping Old Lenovo/Iomega NAS Devices and Demanding Ransom

  Magecart Card Skimming Malware Found on Government Websites in Eight US Cities




  British Tech Companies Urge Reworking Computer Misuse Act

  Michigan House of Representatives Passes Bill Prohibiting Employers From Requiring Implanted Microchips for Workers

  Magento 1.x EOL is June 30; Merchants Urged to Upgrade

  Tax Software Required by Chinese Bank Installs Backdoor on Companies' Systems

  Cardplanet Operator Aleksei Burkov Sentenced to Nine Years in Prison

  Medvedev Guilty Plea

  Cyber Flag 20-2 Participants Used New Remote Cyber Training Tool

  Palo Alto Networks Fixes Critical Flaw in Firewall Operating System


*********************  Sponsored By Netskope  *******************************

Are you really ready to provide safe access to cloud services and keep pace with new threats? Register for Netskope's complimentary cloud security workshop! Take control over your web services. Get 5 CPE credits and hands-on experience with Next Gen Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) solutions built for the cloud.



SANS Training is 100% Online, with two convenient ways to complete a course:

OnDemand  | Live Online



Keep your skills sharp with SANS Online Training:

.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications

OnDemand Training Special Offer

Flexible Offer with Flexible Training

Choose an iPad Air, an iPad with Smart Keyboard, a Surface Go, or Take $300 Off with OnDemand Training through July 8.


Live Online Training Special Offer

Get a Free GIAC Certification Attempt or Take $350 Off with Live Online Training through July 4.



Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling


SEC560: Network Penetration Testing and Ethical Hacking



Upcoming In-Person and Live Online Events:


DFIR Summit & Training (Free Summit) | July 16-25 | Live Online


SANS Rocky Mountain Summer 2020 | July 20-25 | Live Online


SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online


SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online



Test drive a course:

View the full SANS course catalog and skills roadmap.






--California's Top Medical Research University Pays Ransomware Actors

(June 26 & 29, 2020)

The University of California, San Francisco (UCSF) has paid a ransom of approximately $1.14m after Netwalker ransomware encrypted a "limited number of servers" at the public health research facility. UCSF disclosed the incident on June 3. BBC News was able to observe the live dark-web chat in which the ransom was negotiated.

[Editor Comments]

[Neely] The Netwalker operators used multiple techniques to entice UCSF into paying the ransom, including making both samples of exfiltrated data and the ransom negotiations visible to the press. For UCSF, reputation risk is key to continued support as they are working on research to support the public good, including a cure for C-19. Sophos has published information about the tactics and tools used by Netwalker ransomware.

[Murray] Extortion attacks will continue as long as the value of success exceeds the cost of attack. Currently the excess of the value of success over the cost of attack is so high as to suggest that we need to increase the cost of attack perhaps ten-fold while reducing the value of success. The strategy of some enterprises of attempting to assign the risk to insurance underwriters is aggravating a problem that we have had years to fix.  

Read more in:

The Register: University of California San Francisco pays ransomware gang $1.14m as BBC publishes 'dark web negotiations'

SC Magazine: UCSF paid $1.4 million ransom in NetWalker attack

Cyberscoop: California university pays $1 million ransom amid coronavirus research

BBC: How hackers extorted $1.14m from University of California, San Francisco

UCSF: Update on IT Security Incident at UCSF


--Hackers are Wiping Old Lenovo/Iomega NAS Devices and Demanding Ransom

(June 29, 2020)

Hackers have been breaking into old LenovoEMC/Iomega network-attached storage (NAS) devices, wiping them, and demanding between $200 and $275 in ransom for the return of the data. The attacks targeted NAS devices that exposed their management interface on the Internet with no password protection. Similar attacks were reported a year ago. The LenovoEMC and Iomega NAS lines were discontinued in 2018.

[Editor Comments]

[Neely, Murray] These devices should not be exposed to the Internet. Refer to the Lenovo support page on how to secure these devices. Then start taking steps to replace them. While they are still functional, Lenovo will no longer be releasing updates or fixes.

Read more in:

ZDNet: A hacker gang is wiping Lenovo NAS devices and asking for ransoms


--Magecart Card Skimming Malware Found on Government Websites in Eight US Cities

(June 26 & 29, 2020)

Researchers at Trend Micro found that local government websites in eight US cities were infected with Magecart card skimming malware. The common factor appears to be that all the affected sites were using the Click2Gov municipal payment software. The attacks began on April 10 and appear to still be active. This is not the first time that Click2Gov has been the target of attacks.

[Editor Comments]

[Neely] With past attacks, in 2018 and 2019, some cities took the added step of reverting to taking payments over the phone or US mail. The current attack, which may not be connected to the prior incidents, has been characterized as relatively easy. This would be a good time to investigate alternatives to Click2Gov. Include the cost of breach and transition timing in the research to understand your ongoing exposure and total costs.

[Murray] Any enterprise providing checkout on a website is a potential target for these attacks and should behave accordingly. Click2Gov is used widely for municipal utility bill collection. You know who you are.

[Northcutt] This style of attack has been going on for at least six years. If British Airways can get tagged via this threat vector, thinly staffed municipal IT staffs face a serious risk.

Read more in:

Trend Micro: US Local Government Services Targeted by New Magecart Credit Card Skimming Attack

Threatpost: 8 U.S. City Websites Targeted in Magecart Attacks

SC Magazine: Eight cities using Click2Gov targeted in Magecart skimming attacks

Statescoop: Click2Gov breaches in eight cities attributed to Magecart hackers
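Murray's point above is that any site with a checkout page is a Magecart target. A skimmer has to execute JavaScript in the shopper's browser, so the practical control is to inventory every script on the payment page, pin a known-good baseline, and alert on anything new, changed, served from an unapproved host, or loaded without Subresource Integrity. The script below is an added example of that check; it is not code from Trend Micro, Click2Gov, or any of the affected cities. The HTML pages, host names (the reserved .example and .invalid TLDs) and SRI value are constructed sample data.

```python
"""Baseline-and-diff audit of the scripts loaded on a checkout page.

Added example for the Magecart item above; not Trend Micro, Click2Gov or
municipal code. All HTML and host names below are constructed sample data.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit


class ScriptCollector(HTMLParser):
    """Collect ("src", url, integrity) and ("inline", sha256hex, None) records."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.scripts.append(("src", a["src"], a.get("integrity")))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf).strip().encode()
            self.scripts.append(("inline", hashlib.sha256(body).hexdigest(), None))


def script_inventory(html):
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return p.scripts


def make_baseline(html):
    """Known-good set of (kind, value) pairs taken from a trusted snapshot."""
    return {(kind, value) for kind, value, _ in script_inventory(html)}


def audit(html, baseline, allowed_hosts):
    """Return human-readable findings; an empty list means the page matches."""
    findings = []
    for kind, value, integrity in script_inventory(html):
        if kind == "src":
            host = urlsplit(value).hostname  # None for relative, first-party URLs
            if host and host not in allowed_hosts:
                findings.append(f"script from unapproved host {host}: {value}")
            if host and integrity is None:
                findings.append(f"external script without SRI: {value}")
        if (kind, value) not in baseline:
            findings.append(f"{kind} script not in baseline: {value[:64]}")
    return findings


# Constructed sample pages: a trusted snapshot and a later fetch in which a
# script from an unknown host has been injected and the inline script altered.
BASELINE_HTML = """<html><body>
<form id="pay"><input name="card"><input name="cvv"></form>
<script src="https://pay.example/js/checkout.js" integrity="sha384-c2FtcGxl"></script>
<script>window.PAY = {merchant: "city-utility"};</script>
</body></html>"""

CURRENT_HTML = """<html><body>
<form id="pay"><input name="card"><input name="cvv"></form>
<script src="https://pay.example/js/checkout.js" integrity="sha384-c2FtcGxl"></script>
<script src="https://cdn.static-assets.invalid/jquery.min.js"></script>
<script>window.PAY = {merchant: "city-utility"}; document.forms.pay.onsubmit = function(){};</script>
</body></html>"""

ALLOWED_HOSTS = {"pay.example"}

if __name__ == "__main__":
    base = make_baseline(BASELINE_HTML)
    for line in audit(CURRENT_HTML, base, ALLOWED_HOSTS):
        print("ALERT:", line)
```

Run it against a saved copy of the payment page on a schedule; the baseline is rebuilt only after a reviewed deployment, so a change introduced through the payment vendor's hosted code shows up as "not in baseline" even when the host itself is approved.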

*****************************  SPONSORED LINKS  *****************************


1) Webcast | Join SANS Instructor, John Pescatore as he discusses "Insights on Remote Access Cybersecurity and Workplace Flexibility - A SANS Whitepaper".  This expert, practitioner webcast will explore how enterprises have built-up from existing remote access approaches, and how they can progress remote access and WFH cybersecurity capabilities. | July 8 @ 12:00PM EDT


2) Webcast | Tune in as Senior SANS Instructor, Jake Williams hosts the "4 Secrets to Power Charge Your SOC - How prevention and detection can deliver new work stream efficiencies". | July 8 @ 1:00PM EDT

3) Webcast | Join top security analyst John Pescatore, accompanied by Nemi George and Nayeem Islam as they discuss "AI and Emerging Threat Protection - the new security normal" to learn the critical role security leaders will play in protecting their companies while driving change for continued cyber resilience.




--British Tech Companies Urge Reworking Computer Misuse Act

(June 29, 2020)

A group of British technology organizations and individuals have signed a letter to Prime Minister Boris Johnson, urging him to act to reform the Computer Misuse Act (CMA). The law was created 30 years ago, when less than one percent of the UK's population used the Internet and "the concept of cyber security and threat intelligence research did not exist." The letter also notes that "the CMA inadvertently criminalises a large proportion of modern cyber defence practices."

[Editor Comments]

[Neely] Writing legislation that stands the test of time is challenging, particularly in this space where both technologies and practices evolve rapidly. As such, it is optimal to include a plan for review and updating cyber legislation at the outset.

[Murray] We have often noted here that drafting legislation that has only the intended results while avoiding unintended consequences is difficult. On the other hand, we have a much better understanding of computer misuse and abuse than we did thirty years ago. It is time to undertake the task of replacing the CMA and CFAA.  

Read more in:

BBC: Yes, Prime Minister, rewrite the Computer Misuse Act: Brit infosec outfits urge reform

Regmedia: Letter to PM Boris Johnson (PDF)


--Michigan House of Representatives Passes Bill Prohibiting Employers From Requiring Implanted Microchips for Workers

(June 29, 2020)

The Michigan State House of Representatives has passed a bill that would prohibit employers from requiring workers to have RFID chips implanted. The measure is proactive; there have not been instances in which employers have actually imposed this requirement. A Wisconsin company has used implantable ID chips for their employees on a voluntary basis. The Microchip Protection Act now heads to the Michigan State Senate for consideration.

[Editor Comments]

[Pescatore] I usually try to only comment on news items where there is a meaningful or interesting tie-in to real world enterprise security issues but this one was hard to pass up. Proactive-ness seems to be in short supply across politicians and legislators. I'd certainly rather see states focus that scarce resource more on increasing election security (where the Michigan Secretary of State has been taking steps) than on preemptive technology-specific laws.

Read more in:

ZDNet: Michigan tackles compulsory microchip implants for employees with new bill

abc12: Bill requires employers to keep implanted microchips voluntary for workers

Michigan Legislature: HOUSE BILL NO. 5672 (as passed by the Michigan House)


--Magento 1.x EOL is June 30; Merchants Urged to Upgrade

(June 27 & 29, 2020)

Magento 1.x will no longer be supported after June 30, 2020. Payment processors are urging merchants to update; Visa informed merchants that failing to update to Magento 2.x will eventually cost them PCI DSS (Payment Card Industry Data Security Standard) compliance. Adobe's Security Bulletin for Magento updates last week included a reminder: "Support for Magento Commerce 1.14 and Magento Open Source 1 is ending in June 2020. This will be the final security patches available for these editions."

[Editor Comments]

[Murray] Before upgrading to Magento 2.0, merchants should consider taking the opportunity to switch to the exclusive use of checkout proxies like PayPal, Apple Pay, and Click2Pay. Payment collection should be separate from order entry. We have known that to be true since the days of the Sears and Roebuck Catalog.  

Read more in:

ZDNet: Adobe, Mastercard, Visa warn online store owners of Magento 1.x EOL

HelpNet Security: Magento 1 reaches EOL: Merchants urged to upgrade or risk breaches, falling out of PCI DSS compliance

Adobe: Security Updates Available for Magento | APSB20-41


--Tax Software Required by Chinese Bank Installs Backdoor on Companies' Systems

(June 25, 26, & 29, 2020)

At least two western companies opening offices in China were forced to install tax software on their systems; the software has been found to download and install a backdoor. The companies said that a bank in China "required that they install a software package called Intelligent Tax produced by the Golden Tax Department of Aisino Corporation, for paying local taxes." The backdoor, which has been named GoldenSpy, operates with SYSTEM-level privileges.

[Editor Comments]

[Pescatore] This echoes the 2017 NotPetya ransomware and the Ukrainian M.E. Doc accounting software that enabled the initial backdoor. Another strong reminder about supply chain security overall and, when testing can't be done, the need for the network security equivalent of "quarantining" any software or appliances that must be used but have not been tested. A few years ago, I did a Board of Directors briefing around the risks of travel to foreign countries and most CXOs and Boards these days understand the risks of using their corporate devices in foreign countries. I made a point of emphasizing the same risk existed in the company's IT operations in those countries - special effort towards whitelisting, isolation and segmentation has to be part of the cost of doing business in those countries.

[Neely] When faced with a mandate like this, it is very hard to slow down and assess the security of the required software. Even so, testing and approving all installed software prior to general deployment is key to maintaining the integrity of your systems. Support that process with a transparent interface that anyone can use to request approval, and follow-up in a timely fashion to prevent an end-around.

Read more in:

Trustwave: The Golden Tax Department and the Emergence of GoldenSpy Malware

Ars Technica: Chinese bank requires foreign firm to install app with covert backdoor

ZDNet: Chinese bank forced western companies to install malware-laced tax software

SC Magazine: Tax software used by Chinese bank clients installs GoldenSpy backdoor

Infosecurity Magazine: Chinese Bank Forces Firms to Download Backdoored Software


--Cardplanet Operator Aleksei Burkov Sentenced to Nine Years in Prison

(June 26 & 27, 2020)

Aleksei Burkov has been sentenced to nine years in prison for his role in operating the Cardplanet carding website, which sold payment card information that was used to make millions of dollars in fraudulent transactions. Burkov was arrested in Israel in December 2015; he was extradited to the US in 2019. Earlier this year, he pleaded guilty to access device fraud, conspiracy to commit access device fraud, identity theft, computer intrusions, wire fraud, and money laundering.

Read more in:

KrebsOnSecurity: Russian Cybercrime Boss Burkov Gets 9 Years

Threatpost: 'Cardplanet' Operator Sentenced to 9 Years for Selling Stolen Credit Cards


Justice: Russian National Sentenced to Prison for Operating Websites Devoted to Fraud and Malicious Cyber Activities


--Medvedev Guilty Plea

(June 26, 2020)

Sergey Medvedev has pleaded guilty to RICO conspiracy for his role in "an Internet-based cybercriminal enterprise" known as Infraud. The group's activity resulted in more than $568m in losses. US authorities have indicted 36 people in connection with Infraud.

Read more in:

Cyberscoop: Russian national pleads guilty to being part of $568 million fraud ring

Bleeping Computer: Admin of carding portal behind $568M in losses pleads guilty

Justice: Russian National Pleads Guilty for Role in Transnational Cybercrime Organization Responsible for more than $568 Million in Losses


--Cyber Flag 20-2 Participants Used New Remote Cyber Training Tool

(June 25, 2020)

US Cyber Command's Cyber Flag 20-2 training exercise took place earlier this month. More than 500 people participated; there were 17 teams from five countries. For the first time, participants had access to a new remote training tool. The Persistent Cyber Training Environment (PCTE) "is an online client that allows Cyber Command's cyber warriors, as well as partner nations, to log on from anywhere in the world to conduct individual or collective cyber training as well as mission rehearsal."

Read more in:

c4isrnet: This training tool could be the answer to stop mass cyberattacks


--Palo Alto Networks Fixes Critical Flaw in Firewall Operating System

(June 29, 2020)

Palo Alto Networks has released fixes for a critical authentication bypass vulnerability (CVE-2020-2021) that affects PAN-OS, the operating system used in many of its firewalls. According to the Palo Alto advisory, "When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources." If SAML authentication is not enabled, the flaw cannot be exploited. The affected versions are PAN-OS 9.1 earlier than 9.1.3; PAN-OS 9.0 earlier than 9.0.9; PAN-OS 8.1 earlier than 8.1.15; and all versions of PAN-OS 8.0 (EOL). PAN-OS 7.1 is not affected.

[Editor Comments]

[Neely] This was given a CVSSv3.1 base score of 10, which indicates rapid response is appropriate if you're using this configuration of SAML authentication. Verify your exposure per the Palo Alto KB article, Securing your SAML Deployments. Suggest verifying the update in your test firewall prior to production deployment.

Read more in:

Palo Alto Networks: CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication

DUO: Palo Alto Fixes Critical Authentication Bypass Flaw

Bleeping Computer: Palo Alto Networks patches critical vulnerability in firewall OS
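The advisory condition summarised above is two-part: an affected PAN-OS release, and a SAML IdP server profile with 'Validate Identity Provider Certificate' unchecked that an authentication profile actually uses. The script below, an added example and not Palo Alto Networks code, encodes the fixed releases from the summary and scans an exported configuration for the weak setting so both halves can be checked offline. The XML element names (server-profile/saml-idp/entry/validate-idp-certificate and authentication-profile/entry/method/saml-idp/server-profile) are assumptions derived from the setting's CLI name, the sample configuration is constructed, and a profile with the option absent is treated as weak as a conservative assumption; confirm the paths against your own exported config before relying on the result.

```python
"""Assess exposure to CVE-2020-2021 (PAN-OS SAML authentication bypass).

Added example, not Palo Alto Networks code. Per the advisory summarised
above, two conditions must both hold for the flaw to be exploitable:
  1. an affected PAN-OS release, and
  2. a SAML IdP server profile with 'Validate Identity Provider Certificate'
     disabled that is referenced by an authentication profile.
"""
import re
import xml.etree.ElementTree as ET

# First fixed release per affected train (from the advisory). 8.0 is EOL with
# no fix, so every 8.0 release counts as affected; 7.1 is not affected.
FIRST_FIXED = {"9.1": (9, 1, 3), "9.0": (9, 0, 9), "8.1": (8, 1, 15)}
EOL_UNFIXED_TRAINS = {"8.0"}


def parse_version(version):
    """Split '9.0.9-h1' into (9, 0, 9, 1); the hotfix number defaults to 0."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(x) for x in m.groups(default="0"))


def version_affected(version):
    major, minor, patch, _hotfix = parse_version(version)
    train = f"{major}.{minor}"
    if train in EOL_UNFIXED_TRAINS:
        return True
    if train in FIRST_FIXED:
        # A hotfix on a release below the first fixed one is still affected.
        return (major, minor, patch) < FIRST_FIXED[train]
    return False  # 7.1 and trains the advisory does not list


# Constructed sample of an exported PAN-OS configuration. The element names
# are an assumption based on the CLI setting names, not a real export.
SAMPLE_CONFIG = """<config>
  <shared>
    <server-profile>
      <saml-idp>
        <entry name="okta-prod">
          <validate-idp-certificate>yes</validate-idp-certificate>
        </entry>
        <entry name="legacy-idp">
          <validate-idp-certificate>no</validate-idp-certificate>
        </entry>
        <entry name="unset-idp"/>
      </saml-idp>
    </server-profile>
    <authentication-profile>
      <entry name="gp-users">
        <method><saml-idp><server-profile>legacy-idp</server-profile></saml-idp></method>
      </entry>
      <entry name="admins">
        <method><saml-idp><server-profile>okta-prod</server-profile></saml-idp></method>
      </entry>
      <entry name="local-only">
        <method><local-database/></method>
      </entry>
    </authentication-profile>
  </shared>
</config>"""


def weak_saml_profiles(config_xml):
    """Names of SAML IdP server profiles whose IdP certificate validation
    is not 'yes'. An absent element is treated as weak (conservative
    assumption)."""
    root = ET.fromstring(config_xml)
    weak = set()
    for entry in root.iterfind(".//server-profile/saml-idp/entry"):
        flag = entry.findtext("validate-idp-certificate", default="")
        if flag.strip().lower() != "yes":
            weak.add(entry.get("name"))
    return weak


def exposed_auth_profiles(config_xml):
    """Sorted (authentication profile, server profile) pairs using a weak profile."""
    root = ET.fromstring(config_xml)
    weak = weak_saml_profiles(config_xml)
    exposed = []
    for ap in root.iterfind(".//authentication-profile/entry"):
        sp = ap.findtext("method/saml-idp/server-profile")
        if sp is not None and sp.strip() in weak:
            exposed.append((ap.get("name"), sp.strip()))
    return sorted(exposed)


def assess(version, config_xml):
    """Return (exploitable, exposed_profiles) for this version and config."""
    exposed = exposed_auth_profiles(config_xml)
    return version_affected(version) and bool(exposed), exposed


if __name__ == "__main__":
    for v in ("9.1.2", "9.1.3", "8.0.20", "7.1.26"):
        exploitable, exposed = assess(v, SAMPLE_CONFIG)
        print(f"PAN-OS {v}: exploitable={exploitable} exposed={exposed}")
```

Even when the version check comes back clean, a profile reported by exposed_auth_profiles is still misconfigured: enabling 'Validate Identity Provider Certificate' and loading the IdP's signing certificate is the configuration the vendor KB article directs, and the update should be applied as well rather than relying on the setting alone.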




Sysmon 11.10 and ADS Logging


MacOS 11 Security Changes


Cisco Telnet Vulnerability


Palo Alto PAN-OS SAML Vulnerability


Certificate Lifetime Limited to 1 Year Starting September


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit