
Volume XXII - Issue #90

November 13, 2020

Surge of Critical Healthcare Attacks; Too Many High Priority Patches


SANS NewsBites               November 13, 2020               Vol. 22, Num. 090




  Critical Healthcare Cybersecurity Incidents Abound

  Australia's Government Warns of SDBBot Activity Targeting Healthcare Sector

***************************  Sponsored By AWS Marketplace  ************************************

How to Enhance SOC Efficiency for the AWS Cloud | November 19 @ 2:00 PM ET | We invite you to join SANS analyst Dave Shackleford and AWS Specialist Solutions Architect Nam Le as they host an informative webcast designed to teach you how to limit alert fatigue, while enhancing SOC productivity through automating actionable insights and removing respective manual tasks, through the exploration of real-world examples and offering practical guidance to help equip you with the needed visibility and efficiencies to scale.

| http://www.sans.org/info/218165



  Microsoft: Use MFA That Doesn't Use Publicly Switched Phone Networks

  Microsoft Patch Tuesday, and A New Format for the Security Update Guide

  Adobe November Patch Tuesday Fixes Three Flaws

  Google Fixes More Chrome Zero-days

  Security Updates Available to Address Three Flaws in Silver Peak Unity Orchestrator

  Cisco Fixes Vulnerability in IOS XR Software

  Intel Fixes 95 Security Issues

  Schneider Electric PLC Vulnerabilities




OnDemand and Live Online Training Special Offer

Best Offers of the Year! Get an 11" iPad Pro w/ Magic Keyboard, a Microsoft Surface Go 2 - 256 GB SSD, or Take $350 Off with ANY qualifying SANS Training Course through November 18.

- www.sans.org/specials/north-america/

New & Updated Courses

MGT516: Managing Security Vulnerabilities: Enterprise and Cloud

- https://www.sans.org/cyber-security-courses/managing-enterprise-cloud-security-vulnerabilities/

SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment

- https://www.sans.org/cyber-security-courses/enterprise-cloud-threat-vulnerability-assessment/

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/

View all courses

- https://www.sans.org/cyber-security-courses/

Upcoming Live Online Events

SANS Cyber Defense Initiative 2020 - Dec 14-19 EST

35+ Courses | Core, Cyber Defense, and DFIR NetWars

- https://www.sans.org/event/cyber-defense-initiative-2020-live-online/

Cyber Threat Intelligence Summit & Training

FREE Summit: Jan 21-22 | Courses: Jan 25-30

- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/

View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america/


Free Resources

Tools, Posters, and more.

- https://www.sans.org/free/




--Critical Healthcare Cybersecurity Incidents Abound

(November 11, 2020)

According to Health IT Security, Hendrick Health in Texas detected a threat that prompted it to shut down IT networks; the organization is operating under EHR (electronic health record) downtime procedures. Among other news in the article: Sonoma (California) Valley Hospital is operating under EHR downtime procedures a month after its network was hit with ransomware; Florida's Advanced Urgent Care is notifying patients that their personal information may have been compromised during a ransomware attack in March; and Minnesota's People Incorporated Mental Health Services notified 27,500 patients that their personal data were compromised following a phishing incident earlier this year.

[Editor Comments]

[Murray] Healthcare remains a target of both opportunity and choice. Increasing the cost, and reducing the surface, of attack in this industry is urgent.  

Read more in:

Health IT Security: Security Threat Forces Hendrick Health to EHR Downtime Procedures



--Australia's Government Warns of SDBBot Activity Targeting Healthcare Sector

(November 13, 2020)

The Australian Cyber Security Centre (ACSC) has issued an alert warning that it has observed increased targeting activity against the Australian health sector. The threat actors have been using the SDBBot Remote Access Tool (RAT) to move through networks and exfiltrate data. The ACSC notes that SDBBot is a known precursor of the Clop ransomware, and urges all network owners to review their controls against ransomware as per the ACSC's publication Ransomware in Australia.

[Editor Comments]

[Murray] Patient care systems and applications should not be connected to the public networks.  

Read more in:

cyber.gov.au: SDBBot Targeting Health Sector


cyber.gov.au: Ransomware in Australia


ZDNet: Australian government warns of possible ransomware attacks on health sector





--Microsoft: Use MFA That Doesn't Use Publicly Switched Phone Networks

(November 10 & 11 & 12, 2020)

Microsoft is urging organizations to use multi-factor authentication (MFA) that does not rely on publicly switched telephone networks. SMS and voice protocols were designed without encryption; one-time passcodes sent via SMS or voice can be intercepted. Encrypted authentication apps, like Microsoft Authenticator, Google Authenticator, and Cisco Duo Mobile provide better security.

[Editor Comments]

[Pescatore] The most important quote from the Microsoft blog post is the rate of compromise of accounts using any type of MFA is less than 0.1% of the general population. Using the widely offered SMS-based 2FA options means a user is 1000 times less likely to have their credentials compromised. Before we start talking about more secure, but often single vendor-controlled alternatives, let's get that 1000x improvement in protection from phishing. If the apps (which are software written by vendors who are often issuing dozens of, often more than 100, applications patches per month) really do prove to be more secure, then the world can migrate to something more secure. I can't emphasize enough: the most important step is getting users away from reusable passwords.

[Neely] Implementing any form of MFA is a major improvement over a reusable password. Since you are able to forward SMS messages to your computer or other devices, using tools like Apple iMessage and Google Messages, interception is possible. Also, in the current environment, PSTN calls are also forwarded or otherwise re-routed, potentially exposing their data as well, as they are not encrypted end-to-end. Choose stronger authentication options such as the Microsoft Authenticator, Google Authenticator, prior to enabling SMS or voice verification options. Use a risk-based approach when selecting the authenticator strength for enterprise applications, which may lead you to require hard tokens for more sensitive data access, particularly when Internet accessible. NIST SP 800-63 provides guidance for selecting authenticator strength.


[Honan] MFA without doubt is a key layer of protection against accounts being hijacked. While the use of Authenticator Apps is the preferred method as recommended by Microsoft, it is important to consider the challenge of rolling out such Apps across your user base, in particular for those users who don't have corporate devices and may be resistant to installing a corporate app onto their personal device. You should look not just at MFA to defend your systems but also include other elements in a zero trust model.

[Murray] Courtney's First Law: "Nothing useful can be said about the security of a mechanism except in the context of a specific application and environment."

Read more in:

ZDNet: Microsoft urges users to stop using phone-based multi-factor authentication


The Register: Microsoft warns against SMS, voice calls for multi-factor authentication: Try something that can't be SIM swapped


Tech Community: It's Time to Hang Up on Phone Transports for Authentication
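The item above contrasts one-time codes carried over SMS or voice with codes computed locally by an authenticator app. What makes the app-based option independent of the phone network is that both the app and the server derive the code from a shared secret and the current time, so nothing has to be transmitted to the user at all. The following is an added example, not code from Microsoft or any of the authenticator apps named above: a minimal RFC 4226 HOTP / RFC 6238 TOTP implementation together with the server-side verification logic a practitioner should pair with it (constant-time comparison, a small clock-drift window, and rejection of an already-used counter so a code cannot be replayed). The secret and the expected codes are the published RFC test vectors, not values from the newsletter.

```python
import base64
import hashlib
import hmac
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII
# "12345678901234567890"). A real authenticator receives its secret once,
# at enrolment (usually as base32 inside an otpauth:// URI), and never
# sends it, or the codes derived from it, over any network.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    followed by dynamic truncation to a `digits`-long decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                last_counter: int = -1, step: int = 30, digits: int = 6,
                window: int = 1):
    """Server-side check. Accepts the current time step and `window` steps
    either side to tolerate clock drift, compares in constant time, and
    skips any counter at or below `last_counter` so a code that was already
    accepted cannot be replayed. Returns (accepted, counter_to_store); the
    caller persists the returned counter per user."""
    now = int(unix_time) // step
    for drift in range(-window, window + 1):
        counter = now + drift
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return True, counter
    return False, last_counter


def secret_from_base32(provisioning_secret: str) -> bytes:
    """Decode the base32 secret carried in an otpauth:// URI. Padding is
    optional in those URIs, so it is restored before decoding."""
    s = provisioning_secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


if __name__ == "__main__":
    # Codes from the RFC 6238 table (8 digits, SHA-1) reproduce exactly.
    print(totp(RFC_TEST_SECRET, 59, digits=8))          # 94287082
    print(totp(RFC_TEST_SECRET, 1111111109, digits=8))  # 07081804
    print(verify_totp(RFC_TEST_SECRET, "94287082", 59, digits=8))
```

The replay check is the part most home-grown verifiers omit: within the drift window the same code is valid for up to three time steps, so without `last_counter` an intercepted code stays usable for about a minute. The example uses SHA-1 because that is what the RFC test vectors and most deployed authenticator apps use; the HMAC construction, not the hash, carries the security here.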



--Microsoft Patch Tuesday, and A New Format for the Security Update Guide

(November 10 & 11, 2020)

On Tuesday, November 10, Microsoft released fixes to address 112 vulnerabilities; one of the flaws is being actively exploited. The Windows Kernel Cryptography Driver vulnerability has been actively exploited in conjunction with a Chrome JavaScript engine RCE flaw to compromise vulnerable devices. With this monthly release, Microsoft has changed the format of its advisories. While the new format brings Microsoft's advisories in line with those of other software vendors, it also eliminates some details that users have found useful.

[Editor Comments]

[Pescatore] Glad to see Microsoft finally joining the rest of the industry in standardizing on CVSS-based scoring. Next, they need to attack the issues around why enterprises seem to face obstacles to shortening Windows time to patch, even for the most critical vulnerabilities.

[Neely] While the change brings the notices in alignment with industry standards, evaluation information such as the scope, exploit path and consequences of exploit are no longer present, making it difficult to assess impact. Microsoft's model is to apply all updates to end-user systems, such as Windows 10, and commodity servers; even so, have a good backup prior to updating, and regression test prior to deployment in production environments.

Read more in:

KrebsOnSecurity: Patch Tuesday, November 2020 Edition


Threatpost: Microsoft Patch Tuesday Update Fixes 17 Critical Bugs


The Register: Microsoft emits 112 security hole fixes, including the cure for a Google-disclosed kernel vuln exploited in the wild


SC Magazine: Microsoft pushes 112 patches, which may cause management tools to buckle under pressure


SC Magazine: Bad move, plain and simple: Microsoft's new bug reporting format draws criticism


MSRC: November 2020 Security Updates



--Adobe November Patch Tuesday Fixes Three Flaws

(November 11, 2020)

Adobe has released fixes for three vulnerabilities affecting Adobe Connect and Adobe Reader Mobile. A pair of reflected cross-site scripting flaws in Adobe Connect could be exploited to allow arbitrary JavaScript execution in the browser. An improper access control vulnerability in Adobe Reader Mobile could be exploited to disclose information.

[Editor Comments]

[Neely] The Adobe Connect fix is categorized as priority 3, meaning you can patch it with your normal patching process as it's neither a traditional target nor under active exploit. Even so, if you're leveraging Adobe Connect for collaboration, application of the patch with your November activities is a good idea. The Reader Mobile vulnerability is Android specific and also a priority 3, which normal app store application updates should be able to support.

Read more in:

ZDNet: Adobe releases new security fixes for Connect, Reader Mobile


Bleeping Computer: Adobe releases security update for Adobe Reader for Android


Adobe: Security updates available for Adobe Connect | APSB20-69


Adobe: Security update available for Adobe Reader Mobile | APSB20-71



--Google Fixes More Chrome Zero-days

(November 11 & 12, 2020)

Google has fixed two more zero-day flaws in Chrome. One of the flaws is an inappropriate implementation in V8; the other is a use after free issue in Chrome Site Isolation. The vulnerabilities, which are being actively exploited, are resolved in Chrome 86.0.4240.198 for Windows, macOS, and Linux.

[Editor Comments]

[Neely] These are the fourth and fifth updates for Chrome in the last three weeks. Unlike the prior three flaws, these were externally discovered and reported. And like prior updates, they are accompanied by claims of active exploit which drives the need for expeditious deployment. Don't forget to make sure that your mobile users are updating as well.

Read more in:

Threatpost: 2 More Google Chrome Zero-Days Under Active Exploitation


ZDNet: Google patches two more Chrome zero-days


Security Week: Google Patches Two More Chrome Zero-Days Exploited in Attacks


Bleeping Computer: Google fixes more Chrome zero-days exploited in the wild



--Security Updates Available to Address Three Flaws in Silver Peak Unity Orchestrator

(November 11, 2020)

A trio of flaws affecting Silver Peak's Unity Orchestrator SD-WAN management platform could be combined to allow unauthenticated attackers to take over vulnerable networks. The flaws, an authentication bypass issue, a file delete path traversal issue, and an arbitrary SQL query execution issue, are resolved in Silver Peak Unity Orchestrator 8.9.11+, 8.10.11+, or 9.0.1+.

Read more in:

Threatpost: Silver Peak SD-WAN Bugs Allow for Network Takeover


Portswigger: Silver Peak addresses three-pronged RCE exploit in Unity Orchestrator


Silver Peak: Security Advisories
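One of the three Unity Orchestrator flaws above is a path traversal in a file-delete operation. The newsletter does not describe the affected code, and the following is an added, generic hardening example rather than Silver Peak's own code: a delete routine that canonicalises the requested path and refuses anything that does not resolve to a regular file inside the directory the feature is meant to manage. The directory, file names and the `safe_delete` / `demo` function names are constructed for the example; the containment check is the standard defence against `..` segments, absolute paths and symlinks that point outside the managed tree.

```python
import tempfile
from pathlib import Path


def safe_delete(base_dir: str, user_supplied: str) -> bool:
    """Delete `user_supplied` only if it resolves to a regular file inside
    `base_dir`. Path.resolve() collapses '..' segments and follows symlinks,
    so a link inside base_dir pointing elsewhere is refused as well. Joining
    an absolute user path onto base_dir replaces base_dir entirely, which the
    containment check then rejects. Returns True only when a file was removed."""
    base = Path(base_dir).resolve()
    target = (base / user_supplied).resolve()
    try:
        target.relative_to(base)  # ValueError when target lies outside base
    except ValueError:
        return False
    if target == base or not target.is_file():
        return False
    target.unlink()
    return True


def demo() -> dict:
    """Constructed scenario: a scratch directory holding one legitimate file,
    a sibling directory holding a file that must survive, and the requests a
    traversal check has to refuse. Returns the outcome of each request."""
    results = {}
    with tempfile.TemporaryDirectory() as managed, \
            tempfile.TemporaryDirectory() as elsewhere:
        legit = Path(managed) / "report.pdf"
        legit.write_bytes(b"constructed sample content")
        victim = Path(elsewhere) / "victim.txt"
        victim.write_bytes(b"must survive")

        results["dotdot"] = safe_delete(managed, "../../etc/passwd")
        results["absolute"] = safe_delete(managed, "/etc/passwd")
        results["base_itself"] = safe_delete(managed, ".")
        results["missing"] = safe_delete(managed, "does-not-exist.pdf")

        # A symlink inside the managed tree that points outside it.
        link = Path(managed) / "link.pdf"
        try:
            link.symlink_to(victim)
            results["symlink"] = safe_delete(managed, "link.pdf")
            results["symlink_target_intact"] = victim.exists()
        except OSError:  # platforms where unprivileged symlinks are disallowed
            results["symlink"] = None
            results["symlink_target_intact"] = True

        results["legit"] = safe_delete(managed, "report.pdf")
        results["legit_gone"] = not legit.exists()
    return results


if __name__ == "__main__":
    for request, outcome in demo().items():
        print(f"{request}: {outcome}")
```

The check compares the resolved target against the resolved base rather than inspecting the string for `..`, because encoded or platform-specific separators make string filtering unreliable; the filesystem's own canonical form is the only view that matters at the moment of the `unlink`.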



--Cisco Fixes Vulnerability in IOS XR Software

(November 11, 2020)

Cisco has released an update to address a vulnerability in the ingress packet processing function of Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers. The flaw could be exploited to cause a denial-of-service condition. The issue affects Cisco ASR 900 Series Aggregation Service Routers running IOS XR software earlier than versions 6.7.2 and 7.1.2.

Read more in:

Threatpost: High-Severity Cisco DoS Flaw Can Immobilize ASR Routers


Cisco: Cisco IOS XR Software for Cisco ASR 9000 Series Aggregation Services Routers Slow Path Forwarding Denial of Service Vulnerability



--Intel Fixes 95 Security Issues

(November 10 & 11, 2020)

Intel released 40 security advisories on Tuesday, November 10. The advisories address a total of 95 vulnerabilities in a variety of its products. Critical flaws affect Intel Wireless Bluetooth products and Intel Active Management Technology. 

Read more in:

Threatpost: Colossal Intel Update Anchored by Critical Privilege-Escalation Bugs


Bleeping Computer: Intel fixes 95 vulnerabilities in November 2020 Platform Update


Intel: Intel Product Security Center Advisories



--Schneider Electric PLC Vulnerabilities

(November 12, 2020)

Two flaws in Schneider Electric Programmable Logic Controllers (PLCs) could be exploited to compromise vulnerable PLCs and from there, move through the network. The flaws affect Schneider EcoStruxure Machine Expert v1.0 PLC management software and firmware for Schneider M221 PLC, version

[Editor Comments]

[Neely] The best mitigation is to protect PLCs by segregating them from unauthorized network access as they are not always engineered to handle general network traffic or probing.  

Read more in:

Threatpost: Bugs in Critical Infrastructure Gear Allow Sophisticated Cyberattacks


Security Week: Encryption Vulnerabilities Allow Hackers to Take Control of Schneider Electric PLCs


se: Security Notification - Modicon M221 Programmable Logic Controller




1) Webcast | Tune in to our upcoming webcast, "What Works in Maintaining Deep Security and Enabling Detection and Response Across Data Center and Cloud Apps" to gain insight into the business justification for advanced network detection and response (NDR) capabilities and the key evaluation factors that resulted in the selection and deployment of ExtraHop's Reveal(x) platform. | November 24 @ 1:00 PM EST

| http://www.sans.org/info/218170

2) Webcast | Join SANS Instructor, Matt Bromiley and Infoblox cybersecurity expert, Bob Hansmann for our upcoming webcast, "Supercharge IR with DDI Visibility" to learn how to enhance and supercharge your incident response process with tips you can implement right away | November 18 @ 12:00 PM EST

| http://www.sans.org/info/218175

3) Webcast | We invite you to join our upcoming Ask the Expert Session hosted by Axonius Director of Security, Daniel Trauner during our webcast titled, "What's This Thing? Solving Asset Management for Security Ops" | November 17 @ 2:00 PM EST

| http://www.sans.org/info/218180



Microsoft Patch Tuesday


Traffic Analysis Quiz


Preventing Exposed Azure Blob Storage


"Platypus" Attack against Intel SGX


Adobe Updates


Firefox Updates


Fingerprinting ADS-B Signals


Open Source Security Scorecards


Bitdefender: UPX Unpacking Featuring Ten Memory Corruptions


Ubuntu 20.04 Privilege Escalation


Apple Security Updates


DNS Cache Poisoning Attack Reloaded


Rebel Powell: Poisoned Postman; Detecting Manipulation of Compliance Features in a Microsoft Exchange Online Environment



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school, www.sans.edu.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (computer-forensics.sans.org).

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit https://www.sans.org/account/create