Interactive Courses + Cyber Defense NetWars Available During SANS Scottsdale: Virtual Edition 2021. Save $300 thru 1/27.

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #6

January 21, 2020

The annual ICS Security Summit, now in its 15th year, brings together practitioners and leading experts to share techniques for defending control system environments. In-depth presentations and interactive panel discussions deliver real-world approaches that work.

Was Georgia Election System Server Compromised?; Iowa Caucus Results at Risk with Smartphone App; IE Zero-Day Actively Exploited; California Profile Rises in National Cybersecurity Talent Search


SANS NewsBites               January 21, 2020              Vol. 22, Num. 006




  Georgia Election System Server May Have Been Compromised Through Shellshock in 2014

  Iowa Caucus Results to be Calculated with Smartphone App

  IE Zero-Day is Being Actively Exploited

  State of California Raises Profile in National Cybersecurity Talent Search



  Senator Has Questions About Compromise of Service Members' Medical Data

  Travelex CEO Says Some Services Restored

  Companies Need to Patch Pulse Secure VPN Flaw Exploited in Attack Against Travelex

  WeLeakInfo Domain Seized, Two People Arrested

  Citrix Releases Fixes for Critical Vulnerability in Application Delivery Controller and Gateway

  Hackers Install Citrix Mitigation and Leave Backdoor Open for Themselves

  Major Telnet Credential Leak


************************  Sponsored By Splunk  ******************************

How to Uplevel Your Defenses With Security Analytics. If you don't have actionable insights to detect and respond to emerging and current threats, you're not reaping the rewards of modern security information event management (SIEM) technology. Download How to Uplevel Your Defenses With Security Analytics, and find out what you (and your SIEM) are missing and how to harden your defenses.



Cybersecurity Training Update


-- SANS Security East 2020 | New Orleans, LA | February 1-8 |

-- SANS Scottsdale 2020 | February 17-22 |

-- Open-Source Intelligence Summit & Training 2020 | Alexandria, VA | February 18-24 |

-- SANS Munich March 2020 | March 2-7 |

-- SANS Northern VA - Reston Spring 2020 | March 2-7 |

-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 |

-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 |

-- SANS London March 2020 | March 16-21 |

-- SANS Secure Singapore 2020 | 16-28 March |

-- SANS Secure Canberra 2020 | March 23-28 |

-- SANS OnDemand and vLive Training

Get an iPad (32G), a Samsung Galaxy Tab A, or Take $250 Off through January 22 with OnDemand or vLive training.

-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast -

-- Evening training 2x per week for 6 weeks with vLive |

-- Anywhere, Anytime access for 4 months with OnDemand format |

Single Course Training

-- Single Course Training

SANS Mentor |

Community SANS |


-- View the full SANS course catalog and Cyber Security Skills Roadmap




--Georgia Election System Server May Have Been Compromised Through Shellshock in 2014

(January 16, 2020)

Evidence suggests that an election system server in the US state of George was vulnerable to the Shellshock flaw for several months in 2014, and that the server was compromised through the vulnerability.

[Editor Comments]

[Murray] While much of the attention on election systems has been on vote recording, history suggests that problems are more likely to occur in the backend tabulation and reporting systems.


[Northcutt] Computers can be hacked; voting machines are computers. Computers connected to the Internet have a greater chance of being hacked, voting machines are, (sometimes), connected to the Internet.

[Guest Editor: Russ McGee] States are increasingly turning to National Guard cyber forces.

Read more in:

Politico: Georgia election systems could have been hacked before 2016 vote

Ars Technica: A Georgia election server was vulnerable to Shellshock and may have been hacked


--Iowa Caucus Results to be Calculated with Smartphone App

(January 14, 2020)

When Iowa's Democratic Party holds its caucuses next month, the results will be calculated and reported with the help of a mobile app. (Iowa, like several other US states, holds caucuses, where voters must be physically present to declare their support for a candidate.) The reasoning behind using the app is that results will be available to the public more quickly. The Iowa Democratic Party chairperson declined to disclose which app they will use.  

[Editor Comments]

[Neely] The risk there is the human firewall, which social engineers have repeatedly shown will be compromised. Iowa does have contingency plans in case something goes wrong; detecting the anomaly and providing corrected information, particularly after results are published, is problematic.

Read more in:

NPR: Despite Election Security Fears, Iowa Caucuses Will Use New Smartphone App


--IE Zero-Day is Being Actively Exploited

(January 17, 19, & 20, 2020)

Microsoft has published mitigations and workarounds for "a remote code execution vulnerability ... in the way that the scripting engine handles objects in memory in Internet Explorer." The flaw is being actively exploited. Microsoft is developing a fix for the vulnerability.

[Editor Comments]

[Neely] Time to re-assess the use of IE in the enterprise. Microsoft has done a lot of work to make Edge more compatible and functional. Some applications still require plugins that only work in IE, such as Silverlight, or those using active X controls; consider providing them a sandboxed enterprise browser solution rather than running these on the endpoint.

Read more in:

MSRC: ADV200001 | Microsoft Guidance on Scripting Engine Memory Corruption Vulnerability

ZDNet: Microsoft warns about Internet Explorer zero-day, but no patch yet

Bleeping Computer: Microsoft Issues Mitigation for Actively Exploited IE Zero-Day

Portswigger: Internet Explorer zero-day surfaces in 'limited targeted attacks'


--State of California Raises Profile in National Cybersecurity Talent Search

(January 21, 2019)

Texas and New Jersey and Nevada are still the top three states in the national cybersecurity high school talent search, but last week California's Department of Technology and CIO raised the level of visibility for California's high schools. California's numbers have nearly doubled since then.

Read more in: CDT Promoting Cybersecurity as Career Path for Girls

To see where your state stands:

To make sure your students have the opportunity to participate:

****************************  SPONSORED LINKS  ******************************

1) See what strategies organizations can use to justify security spending based on the recent SANS Cybersecurity Spending Survey.

2) Upcoming Webcast: United We Stand, Divided We Fall: 2019 Threat Landscape and the Influence of Sharing Communities.

3) Webcast: Discover the impact of better threat classification when planning your incident response to make better security decisions.




--Senator Has Questions About Compromise of Service Members' Medical Data

(January 16, 2020)

US Senator Mark Warner (D-Virginia) wants to know how American service members' medical data were left unprotected on the Internet. In a letter to Defense Health Agency (DHA) Assistant Secretary Thomas McCaffery, Warner notes that Picture and Archiving Servers (PACS) at three military medical facilities left service members' "personally identifiable and sensitive medical information available online for anyone with a DICOM viewer to find." Warner asks McCaffery to provide "information about [DHA's] oversight of the information practices at military hospitals," and that the PACS be removed from open Internet access.

Read more in:

Nextgov: German Researchers Accessed Service Members' Sensitive Medical Data--and One Lawmaker Wants Answers

warner.senate: Letter to DHA Assistant Secretary McCaffery


--Travelex CEO Says Some Services Restored

(January 17 & 19, 2020)

In a video statement, Travelex CEO Tony D'Souza said that the company is making progress in restoring its systems in the wake of a December 31 ransomware attack. D'Souza said that the company "is bringing systems up in a controlled and secure manner." The company's main website is still not operational.

[Editor Comments]

[Neely] Restored services are currently only in the UK, with service restoration outside the UK scheduled for a future phase.

[Murray] Enterprise management should immediately take steps to resist and mitigate "ransomware" and "wiper" attacks. Use strong authentication, system-to-system and application-to-application isolation, and at least 3 copies of mission critical applications and data, on at least 2 different media, with at least 1 copy off site. If one cannot mitigate attacks within hours to days, the life of the enterprise is at risk.

Read more in:

ZDNet: Travelex says some in-store systems are back up and running after ransomware attack

BBC: Travelex boss breaks silence 17 days after cyber attack

SC Magazine: Travelex recovering from ransomware, but more firms at risk of VPN exploit

Travelex: A message from our CEO (video: 3:09)


--Companies Need to Patch Pulse Secure VPN Flaw Exploited in Attack Against Travelex

(January 16 & 17, 2020)

In a Flash Security Alert issued earlier this month, the FBI said that hackers exploited a known vulnerability in Pulse Secure VPN servers to breach. The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) also issued an alert, urging companies to patch the flaw. A fix for the issue has been available since April 2019. (Please note that the WSJ story is behind a paywall.)

[Editor Comments]

[Neely] This is a case where defense in depth visibly paid off. While the flaw allowed attackers to access the agency network on a single segment and enumerate users from Active Directory, services on other segments were protected by MFA and were not able to be accessed.

Read more in:

Bleeping Computer: FBI Says State Actors Hacked US Govt Network With Pulse VPN Flaw

WSJ: Major Companies Shared Vulnerability Used in Travelex Cyberattack (paywall)


---WeLeakInfo Domain Seized, Two People Arrested

(January 16 & 17, 2020)

Law enforcement authorities in the Netherlands, the UK, Northern Ireland, Germany, and the US have taken down the WeLeakInfo website, which was used to sell access to more than 12 billion stolen user records. Two people have been arrested in connection with the site's operation.

Read more in:

ZDNet: FBI seizes WeLeakInfo, a website that sold access to breached data

The Register: Stolen creds site WeLeakInfo busted by multinational cop op for data reselling

Ars Technica: WeLeakInfo gets pwned by FBI; Dutch, N. Irish police arrest alleged breach brokers

Threatpost: Feds Cut Off Access to Billions of Breached Records with Site Takedown

Justice: Domain Name Seized


---Citrix Releases Fixes for Critical Vulnerability in Application Delivery Controller and Gateway

(January 19 & 20, 2020)

Citrix has released permanent fixes for its Application Delivery Controller (ADC) and Gateway versions 11.1 and 12.0. Citrix expects to release fixes for ADC versions 12.1, 13, and 10.5, as well as for SD-WAN WANOP, on Friday, January 24. The vulnerability, which was initially disclosed in mid-December 2019, is being actively exploited.  

[Editor Comments]

[Neely] Citrix has accelerated the release of the permanent fixes, with an ETA of January 24th for the balance of them. As the vulnerabilities are being actively exploited, implementing the available mitigations now is prudent until the fixes for your particular device and service are released and you've completed appropriate regression testing on those patches.

Read more in:

Citrix: Vulnerability Update: First permanent fixes available, timeline accelerated

ZDNet: Citrix rolls out patches for critical ADC vulnerability exploited in the wild

Bleeping Computer: Citrix Patches CVE-2019-19781 Flaw in Citrix ADC 11.1 and 12.0

Portswigger: Citrix releases first patches as attacks against ADC vulnerability go pro

The Register: As miscreants prey on thousands of vulnerable boxes, Citrix finally emits patches to fill in hijacking holes in Gateway and ADC

Ars Technica: As attacks begin, Citrix ships patch for VPN vulnerability


---Hackers Install Citrix Mitigation and Leave Backdoor Open for Themselves

(January 16 & 17, 2020)

Among the numerous exploits of the Citrix vulnerability, FireEye noted one threat actor who reportedly scans for vulnerable Citrix servers, then installs mitigations that keep others out while establishing a backdoor for themselves.

[Editor Comments]

[Neely] When verifying that the mitigations have been implemented, verify that devices showing as no longer vulnerable were patched by your team. Also, verify NOTROBIN has not been installed. The FireEye article explains behavior and indications of compromise you can incorporate into your SIEM.

Read more in:

FireEye: 404 Exploit Not Found: Vigilante Deploying Mitigation for Citrix NetScaler Vulnerability While Maintaining Backdoor

Bleeping Computer: Hackers Are Securing Citrix Servers, Backdoor Them for Access

ZDNet: A hacker is patching Citrix servers to maintain exclusive access

The Register: 'Friendly' hackers are seemingly fixing the Citrix server hole - and leaving a nasty present behind


--Major Telnet Credential Leak

(January 19 & 20, 2020)

A hacker posted a list of Telnet credentials for more than half a million devices, including servers, home routers, and Internet of Things (IoT) devices. The information was reportedly posted by someone who maintains a DDoS-for-hire service.

[Editor Comments]

[Murray] Enterprises should offer strong authentication options to users. Users should employ strong authentication where available and use password managers to resist password re-use across applications and systems.

Read more in:

ZDNet: Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices

TechNadu: A Hacker Has Published a List with 515k Passwords for IoT Devices




Microsoft Scripting Engine Memory Corruption Vulnerability

CVE-2020-0601 Update

Curveball Update

Twist on Sextortion

Emotet Uses Extortion to Infect Systems

Lastpass Outage

Netgear Signed TLS Cert Private Key Disclosure



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit