
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #61

August 4, 2020

Organizations Paying Ransomware Extortion as More Exfiltrated Data Is Published


SANS NewsBites                August 4, 2020                Vol. 22, Num. 061



  Ransomware Operators Publish Data Allegedly Stolen from LG, Xerox

  Blackbaud Paid Ransomware Demand

  Bleeping Computer: Garmin Paid Ransomware Demand

  US Travel Agency CWT Reportedly Paid $4.5M Ransomware Demand

  Texas School District Will Pay Ransomware Demand

  No More Ransom Website Helps Ransomware Victims                                                      


  Three Arrested in Connection With the Twitter Hack

  GandCrab Suspect Arrested

  FastPOS Author Pleads Guilty to RICO Conspiracy

  Taidoor RAT

  BootHole Fix is Causing Problems

  Update Available for WordPress Newsletter Plugin Flaws

  Citizen Lab: NSO Used to Spy on Clergy, Supporters of Political Opposition in Togo







--Ransomware Operators Publish Data Allegedly Stolen from LG, Xerox

(August 4, 2020)

Maze ransomware operators have published data they claim to have taken from internal networks at LG and Xerox after the companies declined to pay a ransom. In a June email exchange with ZDNet, Maze operators say they did not launch ransomware on LG's network, but only exfiltrated data.

[Editor Comments]

[Neely] Both systems ran Citrix ADC servers, vulnerable to CVE-2019-19781, which has been characterized as a favorite entry point for Maze Operators. Keeping your boundary and remote access devices patched, expeditiously, is critical with today's threat environment. Verify you can monitor and alert on exfiltration of data, including tuning and testing. Also, when considering breached data, remember to include assessing loss of intellectual property. Too often, the review is of customer or employee personal information.

Read more in:

ZDNet: Ransomware gang publishes tens of GBs of internal data from LG and Xerox


--Blackbaud Paid Ransomware Demand

(August 3, 2020)

Blackbaud's CEO says the company "discovered and stopped a sophisticated attempted ransomware attack." Blackbaud paid the ransomware demand in May 2020; the attack was publicly disclosed in July. Blackbaud provides customer relationship management (CRM) software for colleges and universities, non-profit groups, and others.   

[Editor Comments]

[Neely] In this issue we have several articles where the ransom was paid. Back in October, the FBI published updated guidance on payment, acknowledging that there are cases where companies will pay. With exfiltrated data being published, payment is vastly incentivized. Beyond payment, ensure that adequate steps are taken to prevent recurrence as well as timely notification of the incident, status, and resolution to affected parties to allow them to take appropriate actions, and to include required breach notifications to regulators and customers.

Read more in:

The Register: 'We stopped ransomware' boasts Blackbaud CEO. And by 'stopped' he means 'got insurance to pay off crooks'


--Bleeping Computer: Garmin Paid Ransomware Demand

(August 3, 2020)

According to a report in Bleeping Computer, Garmin received the WastedLocker ransomware encryption key on July 25, two days after its network was hit with the malware. While it is not known how much Garmin paid the WastedLocker operators, the initial demand was reportedly $10 million. Bleeping Computer obtained "access to an executable created by the Garmin IT department to decrypt a workstation and then install a variety of security software on the machine."

[Editor Comments]

[Pescatore] Dealing with the Covid virus has reinforced the importance of data-based decision making. There are many good reasons not to pay ransomware demands but there is not good data to support when/if it does make financial sense. One factor that can swing the decision: if your company has extortion insurance and the language in that policy covers/does not exclude ransomware, management may find that the cost of paying off is reduced enough to be well below the business disruption costs. In next week's NewsBites DrillDown I'll publish a deeper dive into the issues with a few example data sets.

Read more in:

Bleeping Computer: Confirmed: Garmin received decryptor for WastedLocker ransomware?

Threatpost: Garmin Pays Up to Evil Corp After Ransomware Attack -- Reports


--US Travel Agency CWT Reportedly Paid $4.5M Ransomware Demand

(July 31, 2020)

Corporate travel agency CWT (formerly known as Carlson Wagonlit Travel) has confirmed that its network was shut down due to a ransomware attack in late July. The company reportedly paid $4.5 million to regain access to its encrypted data. The strain of ransomware used in the attack appears to be Ragnar Locker.

Read more in:

The Register: First rule of Ransomware Club is do not pay the ransom, but it looks like Carlson Wagonlit Travel didn't get the memo

Reuters: 'Payment sent' - travel giant CWT pays $4.5 million ransom to cyber criminals

Threatpost: CWT Travel Agency Faces $4.5M Ransom in Cyberattack, Report


--Texas School District Will Pay Ransomware Demand

(July 31, 2020)

The Athens (Texas) Independent School District (ISD) will pay $50,000 to ransomware operators to regain access to the data in its servers that have been encrypted. The district's board of trustees voted to pay the ransom, which will be covered by insurance. The attack will postpone the start of the school year by at least a week.

Read more in:

Govtech: Texas School District Forks Over $50K in Ransomware Attack


--No More Ransom Website Helps Ransomware Victims

(July 27, 2020)

The No More Ransom decryption tool repository was established four years ago this month. No More Ransom offers free tools to decrypt 140 strains of ransomware. "The website is an initiative by the National High Tech Crime Unit of the Netherlands' police, Europol's European Cybercrime Centre, Kaspersky and McAfee with the goal to help victims of ransomware retrieve their encrypted data without having to pay the criminals."

[Editor Comments]

[Neely] This site doesn't eliminate the need for good disconnected differential backups; it provides a potential resource where you could retrieve the decryption key for your particular ransomware attack. Be sure to take steps to fix and verify that the entry point is closed to prevent recurrence first. This also doesn't eliminate the need to respond to ransom demands for exfiltrated and published content.

Read more in:

Europol: No More Ransom: How 4 Million Victims of Ransomware Have Fought Back Against Hackers

No More Ransom: No more ransom!





--Three Arrested in Connection With the Twitter Hack

(July 31 & August 1, 2020)

Authorities have arrested and charged three people in connection with the July 15 Twitter hack that took over several high-profile accounts and used them in a Bitcoin fraud scheme. The attackers allegedly used social engineering to gain access to internal Twitter tools. One of the suspects, a 17-year-old, faces 30 felony charges and will be tried as an adult.

[Editor Comments]

[Neely] With enhanced working from home, there are more opportunities for accessing malicious content from outside the company perimeter. Take a pause to identify and resolve gaps. Ask whether your users are using personal phones or the corporate softphone with its VoIP firewall and associated protections. Are users able to browse to disallowed sites normally blocked by NGFW or outbound proxy rules? Even with remote or virtual desktops, understand what work is permitted off those systems as well as data interchange capabilities between the remote and local systems. Take steps to minimize data exchange to prevent paths for inbound malfeasance.

Read more in:

KrebsOnSecurity: Three Charged in July 15 Twitter Compromise

Wired: How the Alleged Twitter Hackers Got Caught

ZDNet: How the FBI tracked down the Twitter hackers

Ars Technica: Florida teen charged as "mastermind" in Twitter hack hitting Biden, Bezos, and others


--GandCrab Suspect Arrested

(July 31 & August 3, 2020)

Authorities in Belarus have arrested an individual allegedly involved in the distribution of the GandCrab ransomware. GandCrab ceased operations in June 2019. The FBI released master encryption keys for GandCrab, and Bitdefender released a decryptor.

Read more in:

ZDNet: GandCrab ransomware distributor arrested in Belarus

Bleeping Computer: GandCrab ransomware operator arrested in Belarus


--FastPOS Author Pleads Guilty to RICO Conspiracy

(August 1 & 3, 2020)

A Moldovan citizen has pleaded guilty to RICO (Racketeer Influenced and Corrupt Organizations) conspiracy in a Nevada courtroom for his role in the Infraud cybercriminal organization. In a plea agreement, Valerian Chiochiu admitted to creating malware known as FastPOS, which was designed to facilitate payment card data theft. Chiochiu is the second person in just over a month to plead guilty in connection with Infraud; in late June, Sergey Medvedev also pleaded guilty to RICO conspiracy.

Read more in:

ZDNet: Author of FastPOS malware revealed, pleads guilty

Cyberscoop: Another guilty plea in $568 million Infraud crime ring

Infosecurity Magazine: Malware Author Admits Role in $568m Cyber-Fraud

Justice: Malware Author Pleads Guilty for Role in Transnational Cybercrime Organization Responsible for more than $568 Million in Losses


--Taidoor RAT

(August 3, 2020)

The FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Defense have issued a joint malware analysis report about malware that China has been using since 2008. Taidoor, as the malware is known, is a remote access trojan (RAT) and has been used in cyberespionage campaigns.

Read more in:

Duo: DHS Exposes Chinese Malware Tools

Cyberscoop: DOD, FBI, DHS release info on malware used in Chinese government-led hacking campaigns

Bleeping Computer: US govt exposes Chinese espionage malware secretly used since 2008

ZDNet: CISA, DOD, FBI expose new Chinese malware strain named Taidoor

US-CERT.CISA: Malware Analysis Report (AR20-216A) | MAR-10292089-1.v1 - Chinese Remote Access Trojan: TAIDOOR


--BootHole Fix is Causing Problems

(July 31, 2020)

Linux distributions have released fixes for the GNU GRUB2 bootloader vulnerability, a.k.a. BootHole. However, some users are reporting that the fixes themselves are causing problems: booting and dual-booting failures in Debian, Ubuntu, Red Hat, CentOS, and Fedora. The US National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) have issued advisories that include suggestions for mitigating the BootHole vulnerability, and users are urged to take steps to mitigate the issue.

Read more in:

ZDNet: BootHole fixes causing boot problems across multiple Linux distros

Ars Technica: Red Hat and CentOS systems aren't booting due to BootHole patches

FCW: NSA and CISA push guidance for BootHole fix

kb.cert: GRUB2 bootloader is vulnerable to buffer overflow


--Update Available for WordPress Newsletter Plugin Flaws

(August 3, 2020)

Flaws in the Newsletter plugin for WordPress can be exploited to establish backdoors, create admin accounts, and possibly take control of vulnerable sites. The plugin's developers have released an updated version, Newsletter 6.8.3, which addresses these vulnerabilities.

[Editor Comments]

[Neely] This flaw includes a PHP Object Injection as well as a reflected Cross-Site Scripting (XSS) vulnerability. The good news is that the plugin author provided an update the day after the vulnerability was disclosed. The bad news is you still need to update your plugins, or make sure you have an application firewall rule to detect attempted exploitation. While Wordfence premium has the firewall rule, and it will be released to the free version users on August 14th, don't wait to update.

Read more in:

Wordfence: Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites

Bleeping Computer: Newsletter plugin bugs let hackers inject backdoors on 300K sites


--Citizen Lab: NSO Used to Spy on Clergy, Supporters of Political Opposition in Togo

(August 3, 2020)

A report from Citizen Lab says that spyware made by NSO Group was used to target political opposition members and members of the clergy in Togo. All of the targets had spoken out about the need for government reform in the West African country.

Read more in:

Citizen Lab: Religious and Secular Voices for Reform in Togo Targeted with NSO Spyware

Vice: NSO Spyware Was Used to Hack Clergy in Togo




Pages Hit By Bad Bots


VBA Macro With Multiple Command and Control Channels


KeePassRPC Vulnerability


QNAP Updates Malware Remover


Android Phone Updates


BootHole Patch Causes Unbootable Systems


Disabling MacOS TCC


CISA Publishes Details about Chinese Malware



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit