SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #87

November 3, 2020

Big Week for Critical Vulnerabilities Already Exploited: Google Drive Collaboration Feature, Windows Kernel, Oracle WebLogic Server, and WordPress





  Google Drive Collaboration Feature is Being Exploited by Bad Actors

  Google Project Zero Discloses Windows Kernel Zero-day

  Oracle Releases Emergency Fix for WebLogic Server Vulnerability

  WordPress Releases Multiple Security Updates


  UK's ICO Fines Marriott £18.4m Over Four-Year Data Breach

  Wroba Mobile Banking Trojan Spreads Through Text Messages

  Canadian Mall Customers' Images Collected Without Their Knowledge

  Precious Metals Dealer JM Bullion Hit with Skimmer Attack

  UHS Ransomware Recovery

  Hackers Stole US Voter Registration Data

  Montreal Transit Agency Says it Will Not Pay Ransom

  Chatham County, NC Government Network Hit with "Cyber Incident"



--Google Drive Collaboration Feature is Being Exploited by Bad Actors

(November 1 & 2, 2020)

Bad actors are exploiting a legitimate feature in Google Drive to send emails and push notifications that lead to Google docs that contain malicious links. Google Drive's collaboration feature lets users send messages to invite others to share a Google doc. The push notifications used in this scheme lead to malicious docs; the email messages include the malicious link.

[Editor Comments]

[Neely] While collaborating on documents using shared drives or shared documents is pretty common, it's still important to teach users to not accept unexpected collaboration requests. When collaborating, particularly outside your organization, make sure the collaboration link is only available for specific users, particularly if it allows write access. Once the document is opened there is a tempting link to a malicious site; use this as an opportunity to validate your boundary and endpoint protections still, in our current work environment, block access to malicious sites in case users click it.

[Pescatore] The major point is that every communication/collaboration method created for legitimate use will be used by attackers for spam, phishing, malware delivery etc. Consider an egg salad sandwich left at your door. It really doesn't matter whether it got there by the mail carrier, UPS, FedEx or whoever - you really shouldn't eat it unless you know who sent it to you and unless you have made sure that the mayonnaise hasn't turned yellow or green - the latter being what Google has said it will ramp up on this communications path.

Read more in:

Wired: Beware a New Google Drive Scam Landing in Inboxes

Threatpost: Scammers Abuse Google Drive to Send Malicious Links


--Google Project Zero Discloses Windows Kernel Zero-day

(October 22, 30, & November 2, 2020)

Google's Project Zero has disclosed a zero-day vulnerability in Windows that is being actively exploited. The high-severity flaw lies in the Windows Kernel Cryptography Driver (cng.sys) and can be exploited to escape sandboxes. The Windows flaw is being exploited in attacks that chain it with a recently disclosed vulnerability in Chrome. Microsoft has not yet released a fix for the issue. Google gave Microsoft seven days to produce a patch, which is its policy when a vulnerability is being actively exploited.

[Editor Comments]

[Neely] The Microsoft fix is scheduled to be released November 10th. Exploiting the flaw itself, a buffer overflow weakness in cng.sys, requires another successful exploit, such as the recent Chrome flaw (CVE-2020-15999), to obtain local system access. The best mitigation is to fully deploy the Chrome update and push the Microsoft fix when released.

Read more in:

Threatpost: Unpatched Windows Zero-Day Exploited in the Wild for Sandbox Escape

Ars Technica: Google's Project Zero discloses Windows 0-day that's been under active exploit

ZDNet: Google discloses Windows zero-day exploited in the wild

The Register: Windows kernel zero-day disclosed by Google's Project Zero after bug exploited in the wild by hackers

Duo: Google Discloses Unpatched Windows Flaw Used in Attacks

--Oracle Releases Emergency Fix for WebLogic Server Vulnerability

(November 2, 2020)

Oracle has released a patch addressing a critical remote code execution flaw that affects multiple versions of Oracle WebLogic Server. The US Cybersecurity and Infrastructure Security Agency (CISA) is urging users and admins to apply the updates.

[Editor Comments]

[Ullrich] WebLogic is quickly becoming the WordPress of the enterprise world because of the large number of vulnerabilities being discovered. The flaws in Oracle's emergency fix have been actively exploited for about a week now, and the newest "emergency patch" is a trivial bypass of the patch released in October. First and foremost, do not expose WebLogic to the world. Even internally, be cautious. The latest flaw is easy enough to exploit. Any browser inside your network may easily be tricked into sending an exploit request to an internal WebLogic server when it visits a malicious web page. This could be exploited even via images included in emails (if your mail client downloads them automatically).

Read more in:

US-CERT CISA: Oracle Releases Out-of-Band Security Alert

Bleeping Computer: Oracle issues emergency patch for critical WebLogic Server flaw

Oracle: Oracle Security Alert Advisory - CVE-2020-14750
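Ullrich's advice above is to keep the WebLogic administration console off the internet and to treat even internal browsers as a possible path to it. The following is an added example, not code from Oracle, SANS, or the advisory, that reviews a web-server access log for requests to the console and flags any that arrive from outside an admin network or that carry a Referer from a different site (the shape a "tricked browser" request would have). The console path (/console), the server hostname, the admin network, the NCSA combined log format, and the sample log lines are all assumptions constructed for the example.

```python
"""Added example: flag requests to a WebLogic administration console that
come from outside an admin network or carry a cross-site Referer. Not Oracle
code; the log format, console path, server hostname and admin network are
assumptions."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumptions for this example.
CONSOLE_PREFIX = "/console"                          # default WebLogic console context path
SERVER_HOSTS = {"weblogic.corp.example"}             # hostnames the console is legitimately reached as
ADMIN_NETS = [ipaddress.ip_network("10.0.5.0/24")]   # the only network admins should use

# Apache/NCSA "combined" format: client, identity, user, [time], "request", status, bytes, "referer", "agent".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '10.0.5.7 - - [02/Nov/2020:10:01:12 +0000] "GET /console/login/LoginForm.jsp HTTP/1.1" 200 4120 '
    '"http://weblogic.corp.example/console/" "Mozilla/5.0"',
    '10.20.3.44 - - [02/Nov/2020:10:03:55 +0000] "GET /console/images/logo.png HTTP/1.1" 200 812 '
    '"http://attacker.example/news.html" "Mozilla/5.0"',
    '10.20.3.44 - - [02/Nov/2020:10:04:01 +0000] "GET /index.html HTTP/1.1" 200 95 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def review_console_request(entry):
    """Return the reasons a console request looks suspicious (empty list = benign)."""
    reasons = []
    client = ipaddress.ip_address(entry["client"])
    if not any(client in net for net in ADMIN_NETS):
        reasons.append("console request from outside the admin network")
    referer = entry["referer"]
    if referer and referer != "-":
        ref_host = urlsplit(referer).hostname
        if ref_host not in SERVER_HOSTS:
            reasons.append(f"cross-site Referer from {ref_host}")
    return reasons


def find_suspicious(lines):
    """Return (client, path, reasons) for every console request that trips a check."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not entry["path"].startswith(CONSOLE_PREFIX):
            continue
        reasons = review_console_request(entry)
        if reasons:
            findings.append((entry["client"], entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for client, path, reasons in find_suspicious(SAMPLE_LOG):
        print(client, path, "; ".join(reasons))
```

The Referer check is a weak signal on its own: browsers frequently omit or trim the header, and image requests triggered from an email client may carry none at all, so the source-network check is the one to act on. Both are only a way to see who is reaching the console; the fix Ullrich recommends is to not make it reachable from general user networks in the first place.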

--WordPress Releases Multiple Security Updates

(October 30 & November 2, 2020)

Last week, WordPress pushed out a security update, WordPress 5.5.2, which was intended to address a critical remote code execution issue and nine other vulnerabilities. The update caused problems installing WordPress on new sites. After learning of the issue, WordPress halted the rollout, which inadvertently caused a pre-release version, WordPress 5.5.3-alpha, to be pushed out to some sites. WordPress has now released WordPress 5.5.3.

[Editor Comments]

[Neely] Check the version of your WordPress site to make sure that you're running 5.5.3. If you're on 5.5.3-alpha or earlier, or haven't enabled auto-updates, update to 5.5.3. While the 5.5.3-alpha plugin disablement was resolved in the 5.5.3 release, it's still a good idea to verify your plugins are properly enabled as well as updated. Given the pace of WordPress and plugin updates of late, automatic updates are a good way to stay current. Also make sure that you have regular backups in case you need to roll back.

[Murray] It is time to add WordPress to the list of historically broken applications. Any continued use should be accompanied by strict management, scrutiny, and maintenance.  

Read more in:

Wordfence: Emergency WP 5.5.3 Release

Threatpost: WordPress Pushes Out Multiple Flawed Security Updates

Tech Radar: This WordPress update might have caused your website to go berserk
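Neely's comment above amounts to two checks: that the install reports 5.5.3 rather than 5.5.3-alpha or earlier, and that core auto-updates are on. The following is an added example, not WordPress project code, that performs both from the files on disk. It assumes the standard layout (wp-includes/version.php declaring `$wp_version`, and wp-config.php with the documented `WP_AUTO_UPDATE_CORE` and `AUTOMATIC_UPDATER_DISABLED` constants); the sample file fragments are constructed for the example. The version comparison deliberately ranks a pre-release suffix such as "-alpha" below the matching release, which is what makes the 5.5.3-alpha case come out as needing an update.

```python
"""Added example: check a WordPress tree for the 5.5.3 release and for disabled
core auto-updates. Not WordPress project code; file layout is an assumption."""
import re
from pathlib import Path

REQUIRED_VERSION = "5.5.3"  # release named in the item above

# WordPress declares its version in wp-includes/version.php as
#   $wp_version = '5.5.3';   (pre-releases look like '5.5.3-alpha')
VERSION_RE = re.compile(r"\$wp_version\s*=\s*['\"]([^'\"]+)['\"]")

# Constructed sample of the relevant line from a site left on the alpha build.
SAMPLE_VERSION_PHP = "<?php\n$wp_version = '5.5.3-alpha';\n$wp_db_version = 48748;\n"

# Constructed wp-config.php fragment that has switched core auto-updates off.
SAMPLE_WP_CONFIG = (
    "define( 'DB_NAME', 'wordpress' );\n"
    "define( 'WP_AUTO_UPDATE_CORE', false );\n"
)


def parse_wp_version(version_php_text):
    """Return the version string declared in version.php."""
    match = VERSION_RE.search(version_php_text)
    if not match:
        raise ValueError("no $wp_version assignment found")
    return match.group(1)


def version_key(version):
    """Sort key: numeric components, then 0 for a pre-release suffix, 1 for a release.
    '5.5.3-alpha' sorts below '5.5.3'; '5.5' is treated as 5.5.0."""
    core, _, suffix = version.partition("-")
    numbers = tuple(int(part) for part in core.split("."))
    numbers += (0,) * (3 - len(numbers))
    return numbers, 0 if suffix else 1


def needs_update(found, required=REQUIRED_VERSION):
    """True when the installed version is older than the required release,
    including the 5.5.3-alpha pre-release that was pushed out by mistake."""
    return version_key(found) < version_key(required)


def core_auto_updates_disabled(wp_config_text):
    """True if wp-config.php sets WP_AUTO_UPDATE_CORE to false or disables the
    automatic updater entirely with AUTOMATIC_UPDATER_DISABLED."""
    off = re.search(r"define\(\s*'WP_AUTO_UPDATE_CORE'\s*,\s*false\s*\)", wp_config_text)
    killed = re.search(r"define\(\s*'AUTOMATIC_UPDATER_DISABLED'\s*,\s*true\s*\)", wp_config_text)
    return bool(off or killed)


def audit(wp_root):
    """Audit an install on disk. Returns (version, needs_update, auto_updates_off)."""
    root = Path(wp_root)
    version_php = (root / "wp-includes" / "version.php").read_text(encoding="utf-8")
    wp_config = (root / "wp-config.php").read_text(encoding="utf-8")
    version = parse_wp_version(version_php)
    return version, needs_update(version), core_auto_updates_disabled(wp_config)


if __name__ == "__main__":
    found = parse_wp_version(SAMPLE_VERSION_PHP)
    print(found, "needs update:", needs_update(found),
          "core auto-updates off:", core_auto_updates_disabled(SAMPLE_WP_CONFIG))
```

Run `audit("/var/www/html")` (path is an example) against each site; anything that reports `needs_update` true, or `auto_updates_off` true, is a site to update by hand and to re-enable updates on, after taking the backup Neely mentions.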


--UK's ICO Fines Marriott £18.4m Over Four-Year Data Breach

(October 30 & November 2, 2020)

The UK Information Commissioner's Office (ICO) has fined Marriott £18.4 million (USD 23.8 million) over a data breach that compromised information belonging to millions of customers. In 2014, hackers gained access to Starwood databases that held customer data. (Marriott acquired Starwood in 2016.) The systems remained compromised through 2018. The number of customers affected is believed to be 339 million, approximately seven million of whom are UK residents. The fine is significantly lower than the originally proposed £99m (USD 128 million), largely because of the economic situation created by the COVID-19 pandemic.

[Editor Comments]

[Neely] Of note is the dwell time. The attackers installed a web shell which allowed further attacks, including data dumps, administrator and end-user credential capture, which went undetected from July 2014 to September 2018. Another contributing factor was an incomplete deployment of multi-factor authentication (MFA). Make sure that your monitoring has sufficient coverage to detect unexpected access. Verify the completeness of security measures such as MFA to identify any resulting risks or omissions.  

[Pescatore] In 2019, Marriott said the breach cost them $28M, but their cyberinsurance policy paid $25M - reducing the direct impact to $3M. However, cyberinsurance doesn't always pay for regulatory fines, especially in the EU for GDPR. An AON research report stated that in 20 of 30 EU countries, including the UK, GDPR fines would not be insurable. So, even this drastically reduced fine may end up costing Marriott more than the breach - that is a rare occurrence and needs to be part of the calculus in deciding if cyberinsurance has a positive ROI.

Read more in:

ZDNet: Marriott fined £18.4 million by UK watchdog over customer data breach

The Register: Marriott fined £0.05 for each of the 339 million hotel guests whose data crooks were stealing for four years


--Wroba Mobile Banking Trojan Spreads Through Text Messages

(October 30 & November 1, 2020)

The Wroba banking trojan spreads through text messages to infect mobile phones. It targets both iPhones and Android-based phones. Wroba is not new; it has mainly been used to target users in the APAC region. A campaign targeting US users was detected on October 29. The malicious text messages are often phony package delivery notifications. If users tap the link included in the message, the infection process begins.

[Editor Comments]

[Murray] All the usual precautions against clicking on bait messages apply. In this case users must click twice: Android users once on the message itself and once to install the malware. While it is more difficult to corrupt iOS devices by clicking on something on a web page, iOS users must both click on the message and be duped into entering their Apple credentials. While it seems to be counter-intuitive, mobiles remain safer than so called "personal" computers.

Read more in:

Dark Reading: New Wroba Campaign Is Latest Sign of Growing Mobile Threats

SC Magazine: Wroba mobile banking trojan targets US smartphones

Threatpost: Wroba Mobile Banking Trojan Spreads to the U.S. via Texts


--Canadian Mall Customers' Images Collected Without Their Knowledge

(October 30, 2020)

A real estate firm that owns shopping malls in Canada collected images of shoppers in 12 of those malls and used "anonymous video analytics" (AVA) facial recognition technology to convert the images into individual biometric representations of each face. An investigation conducted by Canadian privacy commissioners revealed that the AVA service provider had collected and stored approximately five million numerical representations of faces on behalf of Cadillac Fairview Corporation Limited (CFCL). The data were stored on a decommissioned server, for no apparent purpose and with no justification.


[Editor Comments]


[Neely] While there should not be an expectation of privacy in public, using facial data to create a unique biometric representation of one's image should be disclosed. Additionally, when storing unique identifiers or PII, that repository needs to be deliberately managed and tracked to protect the information from misuse or acquisition.


Read more in:

CBC: Mall real estate company collected 5 million images of shoppers, say privacy watchdogs


--Precious Metals Dealer JM Bullion Hit with Skimmer Attack

(November 1 & 2, 2020)

JM Bullion, a Texas-based company that deals in precious metals, has notified its customers that their personal information may have been stolen in a breach earlier this year. The company became aware of the issue on July 6, although the hackers had been in the system since February. The malicious code used to steal information was present on the JM Bullion website from February 18 through July 17.

[Editor Comments]

[Neely] Timely breach notifications are important when customers need to take action in response to lost data. In this case, JM Bullion didn't notify customers until three months after the breach discovery. As reports are circulating that the breach data from JM Bullion has been offered for sale since late May, JM Bullion customers should take active measures to monitor and secure their credit.

Read more in:

Bleeping Computer: Gold seller JM Bullion hacked to steal customers' credit cards

Security Week: Gold Dealer JM Bullion Discloses Months-Long Payment Card Breach

Threatpost: Texas Gold-Dealer Mined for Payment Details in Months-Long Data Breach


--UHS Ransomware Recovery

(October 29 & 30, 2020)

Universal Health Services (UHS) says it has recovered from a late September 2020 ransomware attack that affected the organization's facilities in the US. In both the company's third quarter financial report and in a Form 8-K filing with the US Securities and Exchange Commission (SEC), UHS writes, "as a result of this cyberattack, we suspended user access to our information technology applications related to operations located in the United States," and "since that time, our information technology applications have been restored at our acute care and behavioral health hospitals."

Read more in:

Bleeping Computer: UHS restores hospital systems after Ryuk ransomware attack

UHSINC: United States Securities And Exchange Commission | Form 8-K

UHSINC: Universal Health Services, Inc. Reports 2020 Third Quarter Financial Results


--Hackers Stole US Voter Registration Data

(October 30 & November 2, 2020)

On October 30, the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI jointly released an alert offering additional information about an Iranian cyber threat actor targeting state websites. "The actor successfully obtained voter registration data in at least one" of the systems they scanned earlier this fall.

[Editor Comments]

[Ullrich] A lot of voter data is available publicly or for a nominal fee from many states. In some cases, the goal of these hacks isn't the actual data, but to support the narrative that election systems are insecure.

Read more in:

US-CERT CISA: Iranian Advanced Persistent Threat Actor Identified Obtaining Voter Registration Data

Security Week: U.S. Says Iranian Hackers Accessed Voter Information

Cyberscoop: Iranian hackers probed election-related websites in 10 states, US officials say


--Montreal Transit Agency Says it Will Not Pay Ransom

(October 30, 2020)

The hackers behind an attack that took down Societe de transport de Montreal (STM) servers in mid-October are demanding a payment of USD 2.8 million. The attack caused an outage of more than two-thirds of the Montreal transit agency's servers; a reservation system for adapted transportation was rendered unavailable. While the STM website is still down, the adapted transportation reservation system is now operational. STM says it does not intend to pay the ransom.

Read more in:

Infosecurity Magazine: Montreal Metro Hacker Demands $2.8m Ransom

CBC: STM says it refused hackers' $2.8M demand in ransomware attack


--Chatham County, NC Government Network Hit with "Cyber Incident"

(October 30, 2020)

The Chatham County, North Carolina, communication system experienced a "cyber incident" on Wednesday, October 28. The county's government network, including email and phone lines, was rendered unavailable. The incident did not affect 911 emergency services or early voting. The Chatham County manager released a statement on October 30, saying the incident "is still under investigation [and] Chatham County's Management and Information Systems (MIS) Department, along with federal, state and local partners continue working to restore the affected systems."

[Editor Comments]

[Neely] The county is working to establish temporary email and phone numbers to allow operation while service restoration completes. Watch the county website and social media channels for updates.

Read more in:

GovTech: Chatham County, N.C., Systems 'Inoperable' After Cyberattack

Chatham Journal: Chatham County government experienced cybersecurity attack on October 28




Quick Status of the CAA DNS Record Adoption

Emotet -> Qakbot -> More Emotet

Operation Earth Kitsune

Google Chrome Update

Windows Kernel cng.sys pool-based buffer overflow CVE-2020-17087

WebLogic Bad News

NAT Slipstreaming Re-Discovered


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit