Last day to save $150 off Offensive Operations courses during SANS Pen Test & Offensive Training 2021!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #78

October 2, 2020

Treasury Department Threatens To Prosecute Organizations that Pay Ransomware; Major Problem for Hospitals

Game Changer: Treasury's threat to prosecute organizations that pay ransomware demands is a game changer. See Top of the News


SANS NewsBites               October 2, 2020               Vol. 22, Num. 078



  US Treasury Advisory: Sanction Risks for Paying Ransomware Demands

  Universal Health Services Still Working on Restoring Systems After Ransomware Attack

  Lawrence General Hospital Investigating "Data Security Incident"


  Pakistani Power Company Data Published Following Ransomware Demands

  Swatch Group Acknowledges Cyberattack

  Nikulin Sentenced

  North Korean Hackers Targeted UN Security Council Members in Phishing Attacks

  US 911 Emergency System Outage

  Unpatched Exchange Servers

  Zerologon Attacks Spike

  QNAP Warns of AgeLocker Ransomware Targeting its NAS Devices

  Blackbaud SEC Filing Discloses That Breach Compromised Bank Account Data


**************************  Sponsored By Chronicle. ********************************

New from Google Cloud, Chronicle Detect delivers advanced threat detection, built on the power of Google's infrastructure.  This solution includes a rules engine that operates at the speed of search, a powerful rules language optimized to describe complex threat behavior, and intelligence from Chronicle's elite threat research team. View our on demand launch event now.





New OnDemand Courses

SEC588: Cloud Penetration Testing


SEC401: Security Essentials Bootcamp Style


View all courses


Live Online Training Events and Summits

SANS DFIRCON 2020 - Live Online

Nov 2-7 EST | 9 DFIR Courses | Virtual DFIR NetWars


Pen Test HackFest - Live Online

Nov 16-21 EST | 15 Courses | Summit @Night Bonus Sessions


View complete event schedule



Free Resources

Tools, Posters, and more.



OnDemand Training Special Offer: Get an iPad (32 G), Galaxy Tab S5e, or Take $250 Off with qualified OnDemand courses through October 14.






--US Treasury Advisory: Sanction Risks for Paying Ransomware Operators

(October 1, 2020)

According to a recent advisory from the US Treasury Department's Office of Foreign Assets Control, organizations that pay ransomware demands to certain groups could be fined if the recipients of the payments are under economic sanctions. The rule applies not only to the organizations that suffer the attacks, but also to the third-party companies they bring in to help manage the problem.  

[Editor Comments]

[Paller] This is a very big deal. It can give you the justification at the most senior levels of your organization to implement the CIS Critical Security Controls this year.

[Neely] OFAC rules and consequences around foreign transactions to sanctioned entities can be substantial. Develop a risk-based approach to support the payment decision now, as John enumerates, before it is needed, including consideration of sensitive data being released. Additionally, include reporting and cooperation with law enforcement in your response plan as this can mitigate the weight of any OFAC enforcement outcome.

[Pescatore] This is consistent with the FBI's updated guidance on dealing with ransomware, which came out in Oct 2019: "... the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement." The reminder that payments to sanctioned entities may incur fines was added here. However, the Treasury advisory still says "...OFAC encourages financial institutions and other companies to implement a risk-based compliance program to mitigate exposure to sanctions-related violations," and points to a May 2019 compliance framework requiring demonstration of (1) management commitment; (2) risk assessment; (3) internal controls; (4) testing and auditing; and (5) training - essentially security hygiene: Bottom line: prevention of ransomware will always end up costing less than incurring or paying off successful attacks.

[Murray] Ransomware attacks must be resisted, not merely mitigated.  They constitute a risk that must be reduced, not simply assigned to underwriters.  

Read more in:

KrebsOnSecurity: Ransomware Victims That Pay Up Could Incur Steep Fines from Uncle Sam

Ars Technica: Paying ransomware demands could land you in hot water with the feds

Bleeping Computer: US govt warns of sanction risks for facilitating ransomware payments

Dark Reading: US Treasury Warns of Sanctions Violations for Paying Ransomware Attackers

Security Week: Treasury Department Warns Ransomware Payment Facilitators of Legal Implications

Cyberscoop: Helping to pay off ransomware hackers could draw big penalties from the feds

Treasury: Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (PDF)

--Universal Health Services Still Working on Restoring Systems After Ransomware Attack

(October 1, 2020)

As of Thursday, October 1, Universal Health Services (UHS) is still "work[ing] through an IT network security issue caused my malware." The attack began over the weekend; UHS shut down its network to prevent the malware from spreading further. While UHS has facilities in the UK and the US, the issue affects only US facilities.

[Editor Comments]

[Neely] Hospitals are faced with challenging usability/security trade-offs, which include bearing the cost of security mitigations. Doctors and care givers don't want emergency care inhibited by an inability to login to a computer and order services rapidly. They need access to hundreds of hospital systems. Proximity cards coupled with added authentication to sensitive services are becoming more common, and the retrofit, both funding and implementing, without creating service disruptions is a huge challenge. Consider UHS's cost to recover, including loss of life of redirected patients, as an example when considering the ROI of increased security measures.  

Read more in:

USHINC: Statement from Universal Health Services

Reuters: Universal Health Services says its network is 'still down': spokeswoman

--Lawrence General Hospital Investigating "Data Security Incident"

(October 1, 2020)

Lawrence General Hospital (LGH) in Massachusetts is working with a third-party forensic organization to investigate a "data security incident" that took place in mid-September. During the incident, LGH took its systems offline to secure its data. The hospital was able to continue to care for patients, but those arriving by ambulance were diverted to other facilities for approximately 36 hours.

[Editor Comments]

[Murray] Critical systems, e.g., patient care systems, should be isolated from vulnerable systems running e-mail and browsers. That said, the report suggests that the hospital had plans in place to maintain critical care in the face of a breach. "A plan is a capability, the ability to do something in its presence that one cannot do in its absence. It is not a document that one takes out and reads while sitting in the ashes." -Robert H. Courtney, Jr.

Read more in:

GovTech: Massachusetts Hospital Investigates 'Data Security Incident'

*******************************  SPONSORED LINKS  ********************************

1) DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks| Get the whitepaper now!


2) On-Demand Webcast | Joins Jake Williams and he presents "Power! Unlimited Power! Understanding the Techniques of Malicious Kernel-Mode Code"


3) Wednesday, October 07, 2020 @ 3:30 PM EDT | Join Dave Shackleford, Phil Roth, Mark Dufresne as they present "Free and open hunting and protection with Elastic Endpoint"




--Pakistani Power Company Data Published Following Ransomware Attack

(October 1, 2020)

Ransomware operators have published data stolen from Pakistan's K-Electric power company. K-Electric suffered a ransomware attack last month and did not pay the $3.85 million demanded as ransom. The September 7th attack disrupted the company's billing services but did not interrupt power supply.

[Editor Comments]

[Murray] Systems must be breached before "Ransomware" can be used. Extortion is only one possible consequence of such breaches. The most efficient strategy is to resist the breach, to raise the cost of attack to the point that it removes one from the target population. "One does not need to outrun the bear."

Read more in:

Bleeping Computer: Hackers leak files stolen in Pakistan's K-Electric ransomware attack

--Swatch Group Acknowledges Cyberattack

(September 29 & October 1, 2020)

Swatch Group, the Swiss company that makes the eponymous watches, says that its network was hit with a cyberattack over the weekend. Once the company detected the attack, it shut down IT systems to prevent further damage. Swatch group did not provide details about the nature of the attack.

Read more in:

Bleeping Computer: Swiss watchmaker Swatch shuts down IT systems to stop cyberattack

Infosecurity Magazine: Swatch Group Hit by Likely Ransomware Attack


--Nikulin Sentenced

(September 30 & October 1, 2020)

A judge in California has sentenced Yevgeniy Nikulin to more than seven years in prison for his role in hacking into and stealing data from LinkedIn, Dropbox, and Formspring. He will be credited for time served following his arrest.

Read more in:

The Register: Russian hacker, described as 'brilliant' by judge, gets seven years in a US clink for raiding LinkedIn, Dropbox

Dark Reading: Russian National Sentenced to 7+ Years for Hacking US Tech Firms

Justice: Russian Hacker Sentenced to Over 7 Years in Prison for Hacking into Three Bay Area Tech Companies


--North Korean Hackers Targeted UN Security Council Members in Phishing Attacks

(September 30, 2020)

According to a report from the United Nations (UN), a hacking group with alleged ties to North Korea's government has been launching phishing attacks against UN Security Council members earlier this year. At least 28 individuals have been targeted.

[Editor Comments]

[Neely] The Kimsucky group targets individuals throughout their career, repeatedly using spear-phishing attacks in attempts to gain credentials or install malware, which then allows them to pivot through the accessed systems. Regularly training and supporting user awareness will keep users sharp, and encouraging reporting will aid your incident responders.

Read more in:

ZDNet: North Korea has tried to hack 11 officials of the UN Security Council


--US 911 Emergency System Outage

(September 29, 2020)

An outage affecting the 911 emergency system availability in more than a dozen US states on Monday, September 28 appears not to be related to a Microsoft outage the same day, as some had speculated. Instead, the issues are likely due to an issue with Intrado, a company that provides 911 and emergency communications infrastructure, systems, and services or with Lumen, its service provider.

Read more in:

KrebsOnSecurity: Who's Behind Monday's 14-State 911 Outage?


--Unpatched Exchange Servers

(September 29 & 30, 2020)

Nearly 250,000 Internet-facing Microsoft Exchange Servers remain unpatched against a critical remote code execution flaw in the Exchange Control Panel component. Microsoft released a fix for the issue nearly eight months ago. In March, the US Cybersecurity and Infrastructure Security Agency (CISA) and the NSA both urged organizations to patch the vulnerability as it was already being exploited in the wild.

[Editor Comments]

[Neely] I remember not having time to patch, and not wanting to update a fully functioning server or service because it was working perfectly. Today, patching and monitoring security settings is a mortgage that must be borne with insourced services, and is a cost which may be overlooked when considering outsourcing ROI. It may be helpful to have policies around patch application and security setting validation, so staff know what is required and that these actions are important to management as well.

[Murray] Poor quality in popular products puts the entire infrastructure at risk. Tens of thousands of instances are likely to go unpatched. Enterprises large enough to be running an Exchange Server should have a planned and routine program for patching, but such programs are unlikely to ever be universal.  

Read more in:

Threatpost: Microsoft Exchange Servers Still Open to Actively Exploited Flaw

Bleeping Computer: Over 247K Exchange servers unpatched for actively exploited flaw

MSRC: CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability


--Zerologon Attacks Spike

(September 29, 2020)

Cisco Talos has noted a significant increase in attempts to exploit the Zerologon vulnerability. The privilege elevation flaw can be exploited to take control of Active Directory identity services. Microsoft has released updated instructions for patching the vulnerability.

[Editor Comments]

[Neely] The Microsoft guidance below makes the update and mitigation process easier to follow. If you are using Windows Server 2008 R2 SP1, you need an Extended Security Update (ESU) license to successfully install any update that addresses this issue. Better still, replace these with Server 2016 or higher, which will also give you access to updated security and user management options in Active Directory.

Read more in:

Talos Intelligence: Microsoft Netlogon exploitation continues to rise

Threatpost: Zerologon Attacks Against Microsoft DCs Snowball in a Week

Gov Infosecurity: Microsoft Issues Updated Patching Directions for 'Zerologon'

Microsoft: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472


--QNAP Warns of AgeLocker Ransomware Targeting its NAS Devices

(September 25 & 30, 2020)

An advisory from QNAP warns of ransomware attacks targeting its network attached storage (NAS) devices. Dubbed AgeLocker, the ransomware exploits a vulnerability in older versions of the Photo Station app. The advisory includes update instructions to secure vulnerable devices.

[Editor Comments]

[Murray] Storage devices should not be visible to the public networks. Who knew that they were running "older versions of the Photo Station app," much less that they posed a vulnerability to the enterprise? Patching is necessary but not sufficient. One should consider removing or hiding potentially vulnerable, but not mission critical, applications from the public networks.  

Read more in:

Bleeping Computer: QNAP warns customers of recent wave of ransomware attacks

QNAP: AgeLocker Ransomware


--Blackbaud SEC Filing Discloses That Breach Compromised Bank Account Data

(September 30 & October 1, 2020)

Months after disclosing a ransomware attack that compromised data belonging to many clients, customer relationship management (CRM) software provider Blackbaud is now acknowledging that the attackers may have accessed more than just names and email addresses. Bank account information may have been compromised. The additional information came to light in an 8-K filing Blackbaud made with the US Securities and Exchange Commission (SEC) on September 29. The attack occurred in May. Blackbaud paid a ransom demand after the attackers said they destroyed the purloined data.

[Editor Comments]

[Neely] Transparency and full disclosure is required. The question is, do you trust that the attackers really destroyed the purloined data? Rather than second guess the company's payment decision, or the destruction of the data, be proactive and keep your credit monitoring updated, including responding to any alerts sent.

Read more in:

Bleeping Computer: Blackbaud: Ransomware gang had access to banking info and passwords

Gov Infosecurity: Blackbaud: Hackers May Have Accessed Banking Details

The Register: Cloud biz Blackbaud admits ransomware crims may have captured folks' bank info, months after saying that everything's fine

RegMedia: FORM 8-K |Blackbaud (PDF)




Managing Remote Access for Contractors and Partners

Scans for FPURL.xml: Reconnaissance or Not?

Making Sense of Azure AD Activity Logs

IOCs Turning into IOOIs

HP Device Manager Backdoor

Updated Windows ZeroLogon Advisory

Cisco Patching Exploited DoS Vulnerabilities

FoxIT PDF Reader Update

KensingtonWorks RCE

Apple Security Patch Pulled

Have I Been EMOTET Service



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit