SANS Open-Source Intelligence (OSINT) Summit & Training offers immersive cyber security courses and a free Summit!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #59

July 28, 2020

Most Sought-After Cybersecurity Skills; Real Damage from Ransomware:  Meow,  Garmin, and SEI


SANS NewsBites                July 28, 2020                Vol. 22, Num. 059



  Most Sought-After (Pre-)Cybersecurity Skills

  The Number of Databases Deleted by Meow is Growing

  Garmin Acknowledges Ransomware Attack was Responsible for Outage

  SEI Customer Data Compromised in Ransomware Attack on Vendor


  CISA and NCSC Urge Users to Patch QNAP NAS Devices

  Hackers are Actively Exploiting Flaws in F5 BIG-IP and Cisco Network Products

  Russian Hackers Targeted US Government, Education, and Energy Sectors

  Former Raytheon Employee Sentenced for Retaining National Defense Information

  FBI Warning on New DDoS Attack Vectors

  CISA ICS Advisory Warns of Vulnerabilities in Schneider Products


********************  Sponsored By Dragos, Inc.  ****************************

Despite being one of the most widely deployed vulnerabilities creating significant ICS exposure, the recently discovered Ripple20 is one of the most difficult to detect and address. Join Dragos Senior Vulnerability experts Reid Wightman and Kate Vajda for an update of their analysis in this August 4 webinar briefing."





Best Special Offers of the Year are Available Now with OnDemand

Choose a MacBook Air, Surface Pro 7, or Take $350 Off through August 5.


SANS now offers THREE ways to complete a course:

OnDemand | Live Online | In-Person:




Keep your skills sharp with SANS Online Training:

.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications

Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling


SEC560: Network Penetration Testing and Ethical Hacking



Upcoming In-Person and Live Online Events:

SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online


Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online


SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online


SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Reston, VA or Live Online



Test drive a course:

View the full SANS course catalog and skills roadmap.






--Most Sought-After (Pre-)Cybersecurity Skills

(July 24, 2020)

Brian Krebs writes that people considering careers in cybersecurity frequently reach out to him, asking which specialization or certification he would recommend, but rarely do they ask, "which practical skills they should seek to make themselves more appealing candidates for a future job." A recent SANS survey asked more than 500 people who work in cybersecurity which skills they consider most valuable in job candidates, and which are most often missing. (Read the comments for more insights.)

[Editor Comments]

[Paller] Perhaps surprisingly, some people already employed as cybersecurity analysts lack these same critical underlying skills. One of the larger federal cybersecurity contractors tested the beta version of a new course SANS developed for its undergraduate college students to ensure they have mastered the key foundational cybersecurity skills, hands-on, before diving into the challenging SANS courses required for their degree. The contractor's technical director called us last week and said he wanted to "start by having 100" of their existing cybersecurity employees take the foundations course and "the number will likely grow from there."

[Neely] Hands-on experience with information systems, knowing how they operate, as well as system and service lifecycle are important skills in cybersecurity. And often people wishing to enter the field are unable to do so as they don't have needed experience. Internship programs are not only great ways to get this experience, but also provide a low-risk opportunity for an employer to discover and grow talent that can become a long-term employee.

[Pescatore] We just completed a targeted survey on cybersecurity hiring needs and issues, separate from the one quoted in this piece. Among the results: (1) there is more of a skills gap than a headcount gap; and (2) the highest demand for entry level employees is for those who have experience using popular open source and commercial tools. One major finding: attrition rates in SOC teams are lower than IT industry average. Qualitative interviews gave anecdotal evidence that teams with more hands-on tool use and enhancement had the lowest attrition rates with managers saying it allowed staff to feel more creative and help fight alert burnout. Webinar on the results is on Wednesday - info at

Read more in:

KrebsOnSecurity: Thinking of a Cybersecurity Career? Read This


--The Number of Databases Deleted by Meow is Growing

(July 25, 2020)

The number of databases that have been wiped by the mysterious Meow hacker has grown to nearly 4,000 as of Saturday, July 25. The attacks appear to be targeting any database that is accessible from the Internet and is not adequately secured. The attacks are being conducted through a ProtonVPN IP address. It is still not clear why the attacker is deleting the vulnerable databases.

[Editor Comments]

[Neely] Take immediate action to ensure you don't have databases that are world-writeable from the Internet. Meow has been seen mostly targeting Elastic and MongoDB. It is also targeting CouchDB, Redis, Hadoop, Jenkins, and even NAS devices. Don't rely on prevention by blocking ProtonVPN address ranges; there are likely other attack vectors as yet undiscovered.

[Murray] Since the early days of the Verizon DBIR, we have been cautioned about orphan databases and servers. Know your own resources and vulnerabilities. These should be cheaper and more efficient for you to identify and eliminate than for your potential adversaries to find and exploit.  

Read more in:

Bleeping Computer: New 'Meow' attack has deleted almost 4,000 unsecured databases


--Garmin Acknowledges Ransomware Attack was Responsible for Outage

(July 26 & 27, 2020)

In a post on Monday, July 27, Garmin acknowledged that the outage it suffered last week was due to ransomware. The company says they are in the process of getting its systems up and running. The attack occurred in the middle of last week.  

[Editor Comments]

[Neely] This was a case of the WastedLocker Ransomware, which comes from the Russian Evil Corp group, who are also known for Dridex banking malware. WastedLocker leverages fake software update messages to get installed, and targets file servers, database services, virtual machines and cloud environments. Make sure you are installing verified updates, particularly on core business system components. The Garmin Aviation, InReach and Explore systems are now fully functional, including resolution of backlogs. Garmin Connect services are still being restored. Check Garmin service status sites:

Aviation service:


Connect services:

Read more in:

Garmin: Garmin Ltd. was the victim of a cyber attack...

Ars Technica: Garmin's four-day service meltdown was caused by ransomware

Wired: A Cyberattack on Garmin Disrupted More Than Workouts

The Register: Garmin staggers back to its feet: Aviation systems seem to be lagging, though: And here's why...

ZDNet: Garmin begins to restore Garmin Connect features, services

Bleeping Computer: Garmin confirms ransomware attack, services coming back online


--SEI Customer Data Compromised in Ransomware Attack on Vendor

(July 27, 2020)

A ransomware attack on the network of M.J. Brunner, a service provider, exposed data belonging to the customers of one of its clients, SEI Investments. The attackers stole files containing usernames, emails, and other personal information associated with the SEI dashboard that Brunner developed and supports. Brunner refused to pay the demanded ransom, and the malware operators posted the stolen data online earlier this month. (Please note that the WSJ story is behind a paywall.)

[Editor Comments]

[Murray] One thing that we should be learning from the success of "ransomware" is that our systems are too weak. By the time that a ransom demand is made, one's network is already severely compromised. Paying ransom is only one of many bad things that may result. Resist the breach in the first place; raise the cost of attack. Use strong authentication, DMARC, least privilege access control, application layer end-to-end encryption or network segmentation, and early warning systems. Use training and supervision.

Read more in:

SC Magazine: SEI Investments customer data exposed in ransomware attack on vendor

WSJ: Fund Administrator for Fortress, Pimco and Others Suffers Data Breach Through Vendor (paywall)

******************************  SPONSORED LINKS  *******************************

1) Webcast | July 29 @ 10:30 AM EDT | We are only 24 hours away from our informative webcast hosted by, SANS Instructor, Matt Bromiley as he presents "Browser Isolation: A SANS Review of Cyberinc's Isla".


2) Webcast | We invite you to join SANS Senior Instructor, Dave Shackleford as he presents an informative webcast titled "Comparing CASB Technologies: What's the Difference?" | August 12 @ 2:00 PM EDT


3) Webcast | Join Snyks, Alyssa Miller as she hosts "What's in your Financial Services Software?" A webcast that will discuss the hidden threats in the Software Supply Chain and analyze some of the unique challenges of open source software in financial services as well as real world strategies | August 13 @ 1:00 PM EDT





--CISA and NCSC Urge Users to Patch QNAP NAS Devices

(July 27, 2020)

A joint alert from the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Center (NCSC) warns users to patch their QNAP network attached storage (NAS) devices to protect them from QSnatch malware. QSnatch attacks were detected as long ago as 2014, but the agencies noted a significant uptick in infections: in October 2019, 7,000 devices were affected, in mid-June 2020, more than 62,000 devices were infected. The newest version of QSnatch can steal passwords, exfiltrate data, and can be used to execute arbitrary code.   

[Editor Comments]

[Ullrich] QNAP and other network-based storage devices are at the top of the list of targeted devices. Do not expose them to the internet, minimize the installed applications and at least try to keep them patched. (It is hard to do this quickly!)

[Neely] Protect your NAS system from direct access, either from the Internet, or from other systems which have no need to connect to them. QNAP published a security advisory; if you have devices that you suspect or know are compromised, they need to be factory wiped prior to performing the firmware update. Security Advisory for Malware QSnatch

[Murray] Better yet, put NAS devices on network segments isolated from the public networks. While software quality is an issue and patching is mandatory, it operates late. Raise the cost of attack. Reduce the attack surface using compartmentation (e.g. firewalls, network segmentation, and application layer end-to-end encryption) and restrictive access control (e.g., "least privilege," "white-listing").

Read more in:

ZDNet: CISA says 62,000 QNAP NAS devices have been infected with the QSnatch malware

The Register: Data-stealing, password-harvesting, backdoor-opening QNAP NAS malware Qsnatch reaches 62,000 infections

US-CERT: Alert (AA20-209A) | Potential Legacy Risk from Malware Targeting QNAP NAS Devices


--Hackers are Actively Exploiting Flaws in F5 BIG-IP and Cisco Network Products

(July 24, 25, & 27 2020)

Hackers are actively exploiting a high-severity directory traversal vulnerability that affects Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software firewall products. Cisco has released a fix for the issue. Hackers are also actively exploiting a critical vulnerability in F5 BIG-IP advanced delivery controller; F5 released fixes for the flaw on July 9.

[Editor Comments]

[Ullrich] We have written about these attacks a few times in the last weeks. If you still have unpatched F5, Citrix, or affected Cisco products around, assume that they are now compromised. Include SAP Netweaver in that list (but it is not as heavily targeted yet, so you may be lucky and find one that hasn't been compromised, yet.)

[Neely] Touch base with your F5 administration team; you may find they have already patched. The Cisco patch, released last Wednesday, definably boosted the interest of attackers attempting to exploit the flaw, and may not be as well known to your network team. For both patches, make sure that staff understand the flaw is being actively exploited and immediate patching is appropriate.

Read more in:

Ars Technica: Hackers actively exploit high-severity networking vulnerabilities

Bleeping Computer: US govt confirms active exploitation of F5 BIG-IP RCE flaw

Cyberscoop: CISA confirms hackers are exploiting F5 flaw on federal and private networks

Threatpost: Attackers Exploiting High-Severity Network Security Flaw, Cisco Warns

SC Magazine: Cisco patches severe traversal vulnerability exploited in wild


--Russian Hackers Targeted US Government, Education, and Energy Sectors

(July 24, 2020)

A hacking group with ties to Russian military intelligence launched previously undisclosed attacks against US targets between December 2018 and May 2020. In that 18-month period, Fancy Bear, also known as APT 28, conducted cyberattacks against networks at government agencies, educational institutions, and organizations in the energy sector. The attacks were largely focused on breaking into email servers, VPN servers, and Office 365 and email accounts. Earlier this year, the FBI notified organizations that had been targeted.   

Read more in:

Wired: Russia's GRU Hackers Hit US Government and Energy Targets


--Former Raytheon Employee Sentenced for Retaining National Defense Information

(July 24, 2020)

A former Raytheon systems engineer has been sentenced to 18 months in prison for taking home sensitive data. In January 2020, Ahmedelhadi Yassin Serageldin pleaded guilty to willfully retaining national defense information. According to a Department of Justice press release, Serageldin "retained 31,000 pages of information that was marked as classified, some of which pertained to U.S. missile defense and was classified at the SECRET level, and altered or obliterated the classification markings on documents." Serageldin worked at Raytheon for nearly 20 years.

[Editor Comments]

[Neely] The documents were transferred on a portable drive against company policy. There are requirements from DoD, NIST, and CNNSI to employ technical control software to manage connection of allowed peripherals/devices to classified system to prevent these activities. In addition to the control, monitoring is necessary to assure it is operating and track changes or disablement. While not a complete solution, technical controls on media connection can slow inappropriate data transfers in and out of your enterprise.

[Murray] "Classified" or other sensitive data should be stored in document management systems or other object-oriented databases that preserve meta-data (e.g., classification labels), resist arbitrary copying, and preserve transparency and accountability. Such data should not be stored in file system objects or on desktop systems.

Read more in:

The Register: Raytheon techie who took home radar secrets gets 18 months in the clink in surprise time fraud probe twist

Justice: Massachusetts Man Sentenced for Illegally Retaining Classified National Defense Information Regarding U.S. Military Programs


--FBI Warning on New DDoS Attack Vectors

(July 27, 2020)

Last week, the FBI issued a Private Industry Notification warning of several new network protocols and a web application that are being abused to conduct distributed denial-of-service (DDoS) attacks. They are CoAP (Constrained Application Protocol), WS-DD (Web Services Dynamic Discovery), ARMS (Apple Remote Management Service, and Jenkins web-based automation software.

[Editor Comments]

[Pescatore] In the SANS 2020 Top New Attacks and Threats report, SANS Fellow Ed Skoudis detailed "Living Off the Land" attacks and what to do about them for near term mitigation. Longer term, pressure needs to be applied to vendors to provide out-of-the-box configurations that have potentially dangerous services off by default. The report can be downloaded at

Read more in:

ZDNet: FBI warns of new DDoS attack vectors: CoAP, WS-DD, ARMS, and Jenkins

RackCDN: Private Industry Notification | Cyber Actors Exploiting Built-In Network Protocols to Carry Out Larger, More Destructive Distributed Denial of Service Attacks (PDF)


--CISA ICS Advisory Warns of Vulnerabilities in Schneider Products

(July 23 & 24, 2020)

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an ICS advisory regarding five vulnerabilities in Schneider Electric Triconex TriStation and Tricon Communication Module. The vulnerabilities include cleartext transmission of sensitive information, uncontrolled resource consumption, hidden functionality, and improper access control. One of the vulnerabilities - the improper access control issue - has been given a CVSS v3 base score of 10.

Read more in:

Threatpost: NSA Urgently Warns on Industrial Cyberattacks, Triconex Critical Bug

US-CERT: ICS Advisory (ICSA-20-205-01) | Schneider Electric Triconex TriStation and Tricon Communication Module




Compromised Desktop Applications By Web Technologies


Cracking Maldoc VBA Project Passwords


Analyzing Metasploit ASP .Net Payloads


Cisco Patching Treck IP Stack Vulnerabilities


Ubiquity Devices Break Due to Malformed Feed


Emotet Payloads Replaces with GIFs


QNAP Devices Attacked


In Memory of Donald Smith



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit