
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #92

November 20, 2020

IoT Law to Set Standards Mandatory for Government Purchase; Cisco Webex Flaws Could be Exploited to Join Meetings Surreptitiously; Bad Actors Scanning WordPress Sites; COVID-19 Response Organizations Hit by Cyberattacks


SANS NewsBites              November 20, 2020               Vol. 22, Num. 092



  Internet of Things Security Bill To Establish Security Standards Mandatory for Government

  Cisco Webex Flaws Could be Exploited to Join Meetings Surreptitiously

  Bad Actors Scanning for Vulnerable WordPress Sites

  Organizations Involved in COVID-19 Response Hit by Cyberattacks


  CISA Director Krebs Fired

  Firefox 83 has HTTPS-Only Mode Feature

  Mozilla Seeks Input Before Rolling Out DNS-over-HTTP to All Firefox Users

  Firefox Says Goodbye to Flash in January

  Industrial Control System Vulnerabilities

  Hit with Ransomware



--Internet of Things Security Bill To Establish Security Standards Mandatory for Government

(November 18 & 19, 2020)

The US Senate has unanimously passed the IoT Cybersecurity Improvement Act. The bill will require that Internet of Things (IoT) devices purchased by the federal government meet certain cybersecurity standards which will be set by the National Institute of Standards and Technology (NIST). Agencies will also need to establish vulnerability disclosure processes for IoT devices. The House of Representatives passed the bill in September.

[Editor Comments]

[Neely] While not yet law, having standards for IoT security will give us a baseline to hold manufacturers accountable, as well as aid in measuring the security, and possible certification, of current and future devices. Note that USG agencies will not be permitted to purchase devices not compliant with the standards once established.

Read more in:

FCW: Senate passes IoT cybersecurity bill

Threatpost: IoT Cybersecurity Improvement Act Passed, Heads to President's Desk

govtrack: H.R. 1668: IoT Cybersecurity Improvement Act of 2020


--Cisco Webex Flaws Could be Exploited to Join Meetings Surreptitiously

(November 18 & 19, 2020)

Three vulnerabilities in Cisco's Webex video conferencing application could be exploited to join meetings as ghost users, able to listen in without the knowledge of other meeting participants or the host. An attacker could exploit one of the flaws to access the names, email addresses, and IP addresses of meeting participants. Another flaw could be exploited to remain in a meeting even after being dismissed by the host. Cisco has released updates to address the vulnerabilities.

[Editor Comments]

[Pescatore] In the 2020 SANS Top New Attacks and Threat Report, Johannes Ullrich pointed out the risk of vulnerabilities in the numerous "Persistent and Promiscuous Web Agents" in use for applications such as Webex, Zoom and others. The Center for Internet Security recently released a good security guide for videoconferencing systems at

[Neely] Cisco patched their cloud-based servers. You need to patch or update on-premises Cisco Webex Meetings Server 3.0M3 Security Patch 4 and earlier; 4.0MR3 Security Patch 3 and earlier, as well as mobile versions prior to 40.10.9.

Read more in:

ZDNet: Cisco Webex bugs allow attackers to join meetings as ghost users

Ars Technica: Cisco rolls out fix for Webex flaws that let hackers eavesdrop on meetings

Dark Reading: Cisco Webex Vulns Let 'Ghost' Attendees Spy on Meetings

Threatpost: Cisco Webex 'Ghost' Flaw Opens Meetings to Snooping

Bleeping Computer: Cisco fixes WebEx bugs allowing 'ghost' attackers in meetings

Security Week: Cisco Webex Vulnerability Allows Ghost Access to Meetings

Cisco: Cisco Webex Meetings and Cisco Webex Meetings Server Ghost Join Vulnerability

Cisco: Cisco Webex Meetings and Cisco Webex Meetings Server Unauthorized Audio Information Exposure Vulnerability

Cisco: Cisco Webex Meetings and Cisco Webex Meetings Server Information Disclosure Vulnerability


--Bad Actors Scanning for Vulnerable WordPress Sites

(November 17 & 18, 2020)

Hackers appear to be scanning for WordPress sites that use Epsilon Framework-based themes. Multiple function injection vulnerabilities could be exploited together to execute code remotely and to take over vulnerable websites. Users are urged to update to a fixed version of the theme(s) they use, if they are available. Themes built with Epsilon Framework are used on at least 150,000 sites.

[Editor Comments]

[Neely] While the attacks appear to be probing, intel-gathering attacks at this time, don't wait for that information to be leveraged. The Wordfence site below lists the specific vulnerable theme versions. If there is not an update for your theme, and switching themes is impractical, add an application firewall to block the attacks.

Read more in:

Wordfence: Large-Scale Attacks Target Epsilon Framework Themes

Threatpost: Widespread Scans Underway for RCE Bugs in WordPress Websites

Bleeping Computer: Hackers are actively probing millions of WordPress sites


--Organizations Involved in COVID-19 Response Hit by Cyberattacks

(November 18 & 19, 2020)

Two companies with ties to COVID-19 research and treatment were recently targeted by cyberattacks. Americold, an Atlanta-based company that provides cold storage for food distributors and is planning to be involved with COVID vaccine storage, has disclosed that its network was hit with a cyberattack earlier this month. The disclosure was made in a US Securities and Exchange Commission (SEC) filing. Miltenyi Biotec, a biotechnology company based in Germany, was hit with a cyberattack that affected some operational processes; Miltenyi supplies research companies with antigens for use in developing COVID-19 treatments.

Read more in:

Health IT Security: Hackers Hit COVID-19 Biotech Firm, Cold Storage Giant with Cyberattacks

Threatpost: Food-Supply Giant Americold Admits Cyberattack

Miltenyi Biotec: Customer Service and Technical Support Contacts






--CISA Director Krebs Fired

(November 17 & 18, 2020)

Cybersecurity and Infrastructure Security Agency (CISA) Director Christopher Krebs has been fired. The decision to fire Krebs has met with condemnation from legislators and from cybersecurity experts.

[Editor Comments]

[Neely] Under Krebs' leadership, the CISA raised the bar on cyber security alerting and partnerships with public and private sector entities. It's hoped his model will continue in his absence.

[Murray] Security professionals must take care not to give unwarranted comfort nor to raise unnecessary alarm. They are often called upon to speak truth to power and they must be willing to put their jobs on the line for their credibility. Let Christopher Krebs be our example and our hero.

[Honan] This dismissal has long-term ramifications for global cybersecurity. Many relationships at an international level are based on the individuals in various organisations and the personal relationships and trust they build with their peers elsewhere. The dismissal of Mr. Krebs sends a message to the US's international partners that building those personal relationships and the trust that comes with it can be quickly undermined by a political decision.

Read more in:

Threatpost: Firing of CISA Chief Christopher Krebs Widely Condemned

KrebsOnSecurity: Trump Fires Security Chief Christopher Krebs

Wired: Firing Christopher Krebs Crosses a Line--Even for Trump

Ars Technica: "Krebs has been terminated": Trump fires cybersecurity chief on Twitter

SC Magazine: Trump fires DHS cyber official, widely credited for repairing fractured relations with industry

SC Magazine: 'We can't do this every four years': Critical infrastructure rattled by Krebs DHS departure

Cyberscoop: Trump fires CISA chief Chris Krebs, who guarded the 2020 election from interference and domestic misinformation


--Firefox 83 has HTTPS-Only Mode Feature

(November 17 & 18, 2020)

Firefox 83 has a new mode that connects only to HTTPS sites; users will be asked to approve connections to insecure websites. The feature is disabled by default. Mozilla released Firefox 83 to the stable channel earlier this week.

Read more in:

Mozilla: Firefox 83 introduces HTTPS-Only Mode

ZDNet: Firefox 83 released with 'HTTPS-Only Mode' that only loads HTTPS sites

Bleeping Computer: Firefox 83 boosts security with HTTPS-Only mode, zero-day fix

Security Week: Mozilla Boosts Security in Firefox With HTTPS-Only Mode


--Mozilla Seeks Input Before Rolling Out DNS-over-HTTP to All Firefox Users

(November 19, 2020)

Mozilla plans to roll out the DNS-over-HTTPS (DoH) protocol in Firefox for all users worldwide, but is asking companies, governments, and Internet service providers (ISPs) for their input. The public comment period runs through January 4, 2021.

[Editor Comments]

[Neely] It would be better to roll out DNS over TLS as specified by RFC 7858, providing secure DNS for all system services, not just the browser, to avoid inconsistencies between the browser and host-based resolvers as well as support existing investment in enterprise DNS architecture.

Read more in:

Mozilla: Mozilla DNS over HTTPS (DoH) and Trusted Recursive Resolver (TRR) Comment Period: Help us enhance security and privacy online

ZDNet: Fearing drama, Mozilla opens public consultation before worldwide Firefox DoH rollout

SC Magazine: In an unusual move, Mozilla asks for public comment about browser privacy feature


--Firefox Says Goodbye to Flash in January

(November 18, 2020)

Mozilla has announced that it will end support for Flash in Firefox as of January 26, 2021. With the release of Firefox 85, "there will be no setting to re-enable Flash support."

[Editor Comments]

[Neely] Develop and test your strategy to uninstall and disable Flash now. Leverage browsers no longer supporting Flash, Microsoft's Flash removal "patch" as well as verification to ensure it's truly disabled.

Read more in:

Mozilla: Ending Firefox support for Flash

ZDNet: Firefox support for Flash ends on January 26


--Industrial Control System Vulnerabilities

(November 17, 2020)

Four industrial control system (ICS) vendors have recently disclosed vulnerabilities in their products. Real Time Automation disclosed a stack overflow flaw in its 499ES ENIP stack protocol. Paradox disclosed two vulnerabilities in its IP150 Internet Module. Schneider Electric disclosed nine security issues in its Interactive Graphical SCADA System, and Sensormatic Electronics disclosed a vulnerability in the American Dynamics victor Web Client and Software House C*CURE Web Client.

Read more in:

Threatpost: Multiple Industrial Control System Vendors Warn of Critical Bugs


--Hit with Ransomware

(November 17 & 18, 2020)

Hosting provider was hit with a ransomware attack that began earlier this week. The company has taken down all its servers to contend with the incident. The attack affected's public facing hosting systems; some customers' sites were encrypted.

[Editor Comments]

[Neely] Make sure you have backups of hosted services, ideally stored at a separate service, as hosting services have become a new attack target with the goal that once the hosting provider's systems are compromised, manipulation or disruption of client services will result. Other hosting providers attacked include Equinix, CyrusOne, Cognizant, X-Cart, A2 Hosting, SmarterASP.Net, and Internet Nayana.

[Honan] A classic example of why you need to include external providers in your Business Continuity Planning. Just because you outsource something to a third party, it does not mean it is no longer your responsibility.

[Murray] Consider Tripwire's Configuration Manager.

Read more in:

ZDNet: Ransomware attack forces web hosting provider to take servers offline

Bleeping Computer: REvil ransomware hits hosting provider, 500K ransom




When Security Controls Lead to Security Issues

PowerShell Dropper Delivering Formbook

Google Chrome Update

Firefox 83 HTTPS Only Mode

OOB Windows Kerberos Update

Cisco WebEx Patch Fixes "Ghost Users"

Apple Binaries Used to Bypass 3rd Party Security Products on MacOS 11

Apple Improving Privacy on App Certificate Checks

Cisco Security Manager Vulnerabilities

Ransomware Flooding Printers

Google Leading the Way in Phishing

Identifying Malicious Servers With JARM

Daniel Behrens: Industrial Traffic Collection: Understanding the Implications of Deploying Visibility Without Impacting Production


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit