
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.


Volume XXII - Issue #86

October 30, 2020

Hospitals Under Ransomware Siege; SANS Launches CyberStart America: $2 million in Scholarships To Help Close Advanced Cyber Skills Gap

Lots of bad news this week - hospitals under ransomware siege; transport system disabled; $1 million HIPAA fine; CEO fired for hiding breach info. One good news story is today's launch of the United States' first program that has a chance to close the advanced cyber skills gap that China and Russia have established.


  A National Cyber Challenge: CyberStart America Free for All U.S. High School Students; $2 Million in College Scholarships

  Hospitals Under Ransomware Siege (Ref: FBI, HHS and DHS)

  Ransomware Attack Shut Down Montreal Public Transit Website

  Zoom Begins Phase One of End-to-End Encryption Rollout

  Vastaamo Fires CEO for Withholding Breach Information

  Hackers Leaked Swedish Security Company Customer Information

  Critical Flaw in Oracle WebLogic Server is Being Actively Exploited

  Optional Microsoft Update Removes Flash Player from Windows 10

  Steelcase SEC Filing Divulges Cyberattack

  FBI: Hackers Targeting Vulnerable SonarQube Instances

  Vulnerabilities in Hoermann Gateway Device

  Documents Show ICE, IRS Considering Using Hacking Tools

  Aetna Will Pay $1M USD for HIPAA Violations



--A National Cyber Challenge: CyberStart America Free for All U.S. High School Students; $2 Million in College Scholarships

(October 30, 2020)

"The US Starts Ender's Hacking Game" is the title of today's story on CyberStart America in The Register. Free to every high school student in the country, CyberStart America has a fighting chance of eliminating the advanced cyber skills pipeline advantage that China and Russia have established. Designed both for students who have played with technology and for students who had no idea they could be good at it (through the "novice level"), the game lets students become virtual cyber protection agents who solve very real-world problems. Those who enjoy it can progress through hundreds of challenges, learning at every level, from cryptography, Linux, and Python programming all the way to malware reverse engineering. Teachers report it is the best program for teaching creative problem-solving skills they have seen. Students who solve 20% of the challenges are eligible for the scholarship round, in which $2,000,000 in college scholarships will be awarded for use at the college of their choice. The qualification round starts on October 30 and lasts until the end of February.

[Paller] As of noon today (Eastern) 830 students are engaged.

Read more:

The Register: On Friday the US starts Ender's hacking game: All local teens can compete for scholarships in cybersecurity

Dark Reading: SANS Launches New CyberStart Program for All High School Students


--Hospitals Under Ransomware Siege (Ref: FBI, HHS and DHS)

(October 28 & 29, 2020)

On Wednesday, October 28, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services, and the FBI issued a joint cybersecurity advisory saying they are in possession of "credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers." As of Thursday, networks at nearly two dozen hospitals in the US have been hit with ransomware. Mandiant has released a list of indicators of compromise.

[Editor Comments]

[Paller] Hospital cybersecurity matters, as illustrated by last month's death of a German woman who was turned away from a hospital disabled by ransomware and died on the way to a second hospital.

[Pescatore] In the 2019 SANS Top New Attacks and Threat Report, Ed Skoudis detailed the DNS tunneling threat and mitigation approaches that are key to the threats in this latest warning. The publicity around the government agency warnings should be used to get management support for immediate mitigation and enhanced monitoring.

Read more in:

KrebsOnSecurity: FBI, DHS, HHS Warn of Imminent, Credible Ransomware Threat Against U.S. Hospitals

The Hill: Cyberattack targets networks of Vermont, New York hospitals

Wired: Ransomware Hits Dozens of Hospitals in an Unprecedented Wave

HealthITSecurity: Ransomware Wave Hits Healthcare, as 3 Providers Report EHR Downtime

ZDNet: FBI warning: Trickbot and ransomware attackers plan big hit on US hospitals

Ars Technica: Advisories: "Brazen" Russian ransomware hackers target hundreds of US hospitals

Threatpost: 2 More Hospitals Hit by Growing Wave of Ransomware Attacks, As Feds Issue Warning

US-CERT CISA: Ransomware Activity Targeting the Healthcare and Public Health Sector

Github: aaronst/unc1878_indicators.txt



--Ransomware Attack Shut Down Montreal Public Transit Website

(October 21, 22, & 27, 2020)

A ransomware attack that hit the network of Societe de transport de Montreal (STM) shut down both the transit agency's website and STM's reservation system for adapted transit. The bus and metro networks were not affected. People needing to make reservations for adapted transit rides were unable to do so, or to modify existing reservations, after 9:15 pm on Sunday, October 25.

Read more in:

Montreal Gazette: Ransomware attack blamed for shutting down STM website

CBC: Adapted transit users want compensation after STM's website shut down by virus

Bleeping Computer: Montreal's STM public transport system hit by ransomware attack


--Zoom Begins Phase One of End-to-End Encryption Rollout

(October 27, 2020)

Zoom has begun rolling out end-to-end encryption (E2EE) for desktop and mobile devices. The initial phase of the rollout is a 30-day technical preview, during which Zoom will gather customer feedback. The current rollout does not offer E2EE for browsers.

[Editor Comments]

[Neely] To get the E2EE feature, you need to update your desktop and Zoom mobile clients to the latest version (5.4.0+). Evaluate the scenarios where you need E2EE, including the impacts to existing device access to meetings; for example, the web client and room systems cannot participate in E2EE.

Read more in:

ZDNet: Zoom rolls out encryption for all desktop and mobile users


--Vastaamo Fires CEO for Withholding Breach Information

(October 27 & 29, 2020)

Ville Tapio, CEO of Finnish psychotherapy center Vastaamo, has been fired after it was learned that he had kept details of data breaches from becoming public. Patients have reported that hackers have contacted them, demanding that they pay a ransom or have their personal information posted online. The Vastaamo patient database was initially breached in November 2018 and remained vulnerable to intrusion through March 2019.

[Editor Comments]

[Pescatore] Good news to see a CEO fired for suppressing internal knowledge of the second breach from the board and the general public. Vastaamo was acquired as this was happening; the acquiring company has begun legal proceedings because of the impact of this on the value of Vastaamo. Similar to 2017 when Verizon acquired Yahoo before learning of the massive Yahoo breach - and ended up reducing the acquisition price by $350M, which in retrospect was not enough of a reduction.

[Honan] Personal data encrypted due to a ransomware attack means, under the EU General Data Protection Regulation (GDPR), the organisation has lost control of the personal data and the ransomware attack is deemed a data breach. Under the GDPR an organisation that suffers a personal data breach, in particular of sensitive data such as that held by Vastaamo, "shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority". It will be interesting to see what actions the Finnish supervisory authority will take in this case.


Read more in:

SC Magazine: Finnish psychotherapy center fires CEO for suppressing breach details

Cyberscoop: Why the extortion of Vastaamo matters far beyond Finland -- and how cyber pros are responding


--Hackers Leaked Swedish Security Company Customer Information

(October 28, 2020)

Hackers have posted data stolen from the Gunnebo Group, a Swedish company that provides physical security for organizations around the world. Gunnebo customers include banks, airports, government agencies, and nuclear power plants. In March, KrebsOnSecurity received a tip from Hold Security "about a financial transaction between a malicious hacker and a cybercriminal group which specializes in deploying ransomware." Included in that transaction were credentials for a Remote Desktop Protocol (RDP) account set up by a Gunnebo employee. In August 2020, Gunnebo disclosed that its network was hit with a ransomware attack.

[Editor Comments]

[Murray] Since Target, one should recognize the risk from third parties. It is bad enough that one must concern oneself with employee convenience that trumps one's security. One should not have to worry about the convenience of one's security vendors.

Read more in:

KrebsOnSecurity: Security Blueprints of Many Companies Leaked in Hack of Swedish Firm Gunnebo

Infosecurity Magazine: Hackers Leak Swedish Security Firm's Data


--Critical Flaw in Oracle WebLogic Server is Being Actively Exploited

(October 29, 2020)

A critical remote code execution flaw in Oracle WebLogic server is being actively exploited. Hackers are searching for servers running vulnerable versions of Oracle WebLogic server. Oracle released a fix for the vulnerability last week as part of its quarterly Critical Patch Update.

[Editor Comments]

[Neely] While you're still ingesting the 400 updates in the latest Oracle CPU, move the testing and deployment of the WebLogic update to the top of the list, particularly for Internet-facing services.

Read more in:

ISC: PATCH NOW: CVE-2020-14882 Weblogic Actively Exploited Against Honeypots

Threatpost: Oracle WebLogic Server RCE Flaw Under Active Attack

Bleeping Computer: Critical Oracle WebLogic flaw actively targeted in attacks

Security Week: Oracle WebLogic Vulnerability Targeted One Week After Patching

Ars Technica: Hackers are on the hunt for Oracle servers vulnerable to potent exploit


--Optional Microsoft Update Removes Flash Player from Windows 10

(October 27, 2020)

Microsoft has released an optional update for Windows 10 and Windows Server that removes Adobe Flash Player and prevents it from being installed again. Once the update, KB4577586, has been installed, it cannot be uninstalled. The update currently removes only the version of Flash Player that is bundled with Windows 10. Standalone versions of Flash Player will not be removed, and the Flash Player component in Edge is not affected.

[Editor Comments]

[Ullrich] After applying this update, users are no longer able to install Flash Player. Make sure you actually no longer need it before applying the update.

[Neely] This update is available only through the Microsoft Catalog and doesn't comprehensively remove Flash. It is scheduled for general availability in early 2021. As the removal is not comprehensive, you may need to adopt a broader strategy to ensure that Flash is removed and disabled on endpoints. Now is a good time to start your validation process that systems reliant on Flash have been updated to other technology.

[Murray] One would like to think that, ten years after Steve Jobs published his analysis, most enterprises have already eliminated this porous product. However, "ten years" suggests just how sticky it is.  

Read more in:

Bleeping Computer: Microsoft releases update to remove Adobe Flash from Windows

Engadget: Windows 10 update removes Flash and prevents it from being reinstalled


--Steelcase SEC Filing Divulges Cyberattack

(October 27 & 28, 2020)

Office furniture manufacturer Steelcase has acknowledged that its network was the target of a cyberattack. The information was disclosed in an October 26 form 8-K filing with the US Securities and Exchange Commission (SEC).

[Editor Comments]

[Pescatore] In the SEC filing, Steelcase notes that it is not aware of any data loss and does not expect material impact from this incident, so technically the disclosure wasn't required. But, in 2018 the SEC issued additional guidance saying "...we also remind companies and their directors, officers, and other corporate insiders of the applicable insider trading prohibitions under the general antifraud provisions of the federal securities laws and also of their obligation to refrain from making selective disclosures of material nonpublic information about cybersecurity risks or incidents." Boards and CXOs have an incentive to err on the side of disclosure to avoid possible insider trading charges.

[Neely] Steelcase stated in its 8-K filing that it was not aware of any sensitive or customer data loss from its systems, or any other loss of assets as a result of this attack. They also immediately took action to contain and remediate. The top entry points for ransomware are still phishing email and vulnerable access services such as VDI and unpatched VPN servers. Make sure that you're keeping those Internet-exposed services updated and securely configured.

Read more in:

Infosecurity Magazine: Furniture Giant Steelcase Hit by Suspected Ransomware Attack

Bleeping Computer: Steelcase furniture giant hit by Ryuk ransomware attack

SEC: United States Securities and Exchange Commission | Form 8-K | Steelcase Inc.


--FBI: Hackers Targeting Vulnerable SonarQube Instances

(October 14 & 27, 2020)

In a TLP:WHITE Flash, the FBI has warned that "unidentified cyber actors have actively targeted vulnerable SonarQube instances to access source code repositories of US government agencies and private businesses." The attacks have been occurring since April 2020. Recommended mitigations include changing SonarQube default settings, putting SonarQube instances behind a login screen, and checking for unauthorized access. "SonarQube is an open-source automatic code review tool that detects bugs and security vulnerabilities in source code."

[Editor Comments]

[Neely] Be sure to change the defaults, including passwords, when installing services. As code security verification services such as SonarQube are tightly integrated into your CI/CD pipeline, they should not be exposed to the Internet, to ensure their security functions, such as vulnerability and bug detection, are not compromised.

Read more in:

Bleeping Computer: FBI: Hackers stole government source code via SonarQube instances

Document Cloud: Cyber Actors Target Misconfigured SonarQube Instances to Access Proprietary Source Code of US Government Agencies and Businesses (PDF)


--Vulnerabilities in Hoermann Gateway Device

(October 28, 2020)

Researchers have found a number of vulnerabilities in the Hoermann BiSecur gateway device wireless access control system for garage doors, entrance gates, and other such smart systems. The flaws can be exploited both to open doors and to disable the door opening mechanisms. Some of the vulnerabilities require local network access to exploit; others can be exploited remotely.

Read more in:

Security Week: Hackers Can Open Doors by Exploiting Vulnerabilities in Hoermann Device


--Documents Show ICE, IRS Considering Using Hacking Tools

(October 28, 2020)

Documents shared with Motherboard show that US Immigration and Customs Enforcement (ICE) and the Internal Revenue Service (IRS) have explored the possibility of using hacking tools in criminal investigations and may have actually used them. The documents were obtained through a Freedom of Information Act (FOIA) lawsuit brought by Privacy International, the ACLU, and the Civil Liberties & Transparency Clinic of the University at Buffalo School of Law.

[Editor Comments]

[Neely] It is important to understand the tools and techniques used by our adversaries. The difference here is intent and permission.

Read more in:

Vice: ICE, IRS Explored Using Hacking Tools, New Documents Show


--Aetna Will Pay $1M USD for HIPAA Violations

(October 28 & 29, 2020)

The Aetna Life Insurance Company will pay the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) $1 million to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). The fine covers three separate breaches that occurred in 2017 within a six-month period.

[Editor Comments]

[Pescatore] Between the April 2003 compliance date for HIPAA and September 30, 2020, the HHS OCR has settled or imposed a civil money penalty in 85 cases resulting in a total dollar amount of $128,155,082.00 - not an eye-catching amount per year, but since 2016 they have been stepping up the penalties. In 2020, Premera was fined $6.85M for a 10M record breach. These large fines are usually a small portion of the overall cost of the incidents, but they quickly catch the attention of boards and Chief Legal Officers because the fines have $$ directly attached.

[Neely] What is interesting here is the discovery of Aetna's lack of review of information protection validation. Regularly review & verify access to and handling of sensitive company information, including PII, and make sure users have training commensurate with the importance of the information they are accessing. In regulated environments, use internal audits to discover shortfalls before the regulator does.

Read more in:

Infosecurity Magazine: Triple Data Breach Earns Insurer $1m Fine

Bank Infosecurity: Aetna Fined $1 Million After 3 Data Breaches

HHS: Aetna Pays $1,000,000 to Settle Three HIPAA Breaches




PATCH NOW: CVE-2020-14882 WebLogic Actively Exploited

SMBGhost Remains Unpatched on 8% of Exposed SMB Servers

Mishka McCowan: Mitigating Risk with the CSA 12 Critical Risks for Serverless Applications

Vulnerable SonarQube Configurations Used to Steal Code

Microsoft Defender ATP Cobalt Strike False Positive

Microsoft Edge Security Updates (Chromium-Based)

Microsoft Releases Flash Removal Tool

Bypassing MSFT Teams Policies

QNAP Security Advisory

New Linux Trickbot Version Sighted Needs Help

Zonealarm Update

Ransomware Targeting Healthcare

OpenEMR Vulnerabilities


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit