SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #95

December 4, 2020

FBI Warning: eMail Forwarding Exploited; Phishing COVID Cold Chain; Oracle WebLogic Flaw Actively Exploited

The SANS Holiday Hack Challenge is back and bigger than ever! It's the most festive way to learn new technical skills, get inspired, and connect with people who love InfoSec as much as you do - and it's free for anyone with any skill set! This year's challenge kicks off next week and runs through January 4. The winner will receive a free SANS course or subscription to NetWars Continuous! Login now to create your avatar, mingle with the other challengers, and practice in last year's challenge.

Every year the Holiday Hack team outdoes themselves by making one of the most fun CTF challenges anywhere. It never fails to introduce us to exciting technologies and teach us new skills. -Travis Deyarmin, Concurrent Technologies Corporation


SANS NewsBites               December 4, 2020               Vol. 22, Num. 095



  FBI Warns of BEC Scammers Exploiting eMail Forwarding Rules

  Phishing Campaign Targets COVID Cold Chain

  Oracle WebLogic Flaw is Being Actively Exploited


  Alabama School District Hit with Ransomware

  Online Curriculum Company K12 Pays Ransomware Demand

  Vancouver Transit System Hit with Ransomware

  Aerospace Company Embraer Discloses Cyberattack

  CISA Warns that Foreign Threat Actors are Targeting US Think Tanks

  TrickBot's Up to New Tricks

  Allegations that DHS Agents Bought Phone Location Data from Brokers Prompt Lawsuit and Investigation

  iOS Flaw Could be Exploited to Take Control of Vulnerable Devices

  Current Version of NDAA Gives CISA Subpoena Power to Identify Owners of Vulnerable Critical Infrastructure


***********************  Sponsored By AWS Marketplace  ***************************

How to Enhance SOC Efficiency for the AWS Cloud | Traditional security operations center (SOC) practices are manual and plagued with lengthy alert triage and inefficient incident response processes which do not translate well to modern cloud methodologies that are built for scale and with automation. In this upcoming webinar, you will learn how to limit alert fatigue while enhancing SOC productivity through automating actionable insights and removing repetitive manual tasks.




Ending Soon! OnDemand and Live Online Training Special Offer

Best offers of the year! Get the latest MacBook Air, a Microsoft Surface Pro 7, or take $350 Off with ANY qualifying SANS Training Course through December 9.


New & Updated Courses

SEC588: Cloud Penetration Testing


MGT525:  IT Project Management, Effective Communication, and PMP(R) Exam Prep


SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis


Upcoming Live Online Events

SANS Security East 2021 - Jan 11-16 CST

20 Courses | Core and GRID NetWars


SANS Stay Sharp: Blue Team Ops 2021 - Jan 18-22 MST  

Targeted Short Courses | Cyber Defense NetWars


Cyber Threat Intelligence Summit & Training

FREE Summit: Jan 21-22 | Courses: Jan 25-30


Cloud Security Resources

Cheat Sheets, Papers, eBooks, and more. View & Download  





--FBI Warns of BEC Scammers Exploiting eMail Forwarding Rules

(November 25 & December 1, 2020)

The FBI has released a Private Industry Notification warning that cyber threat actors are exploiting email forwarding rules to evade detection while conducting business email compromise (BEC) attacks.  The thieves are setting email forwarding rules on web-based email clients. If the company admins have not synced email settings for web-based email accounts and desktop clients, the forwarding rule changes could go unnoticed.
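The following detection logic is an added example and is not part of the FBI notification or of this newsletter; it shows how a defender can review mailbox audit events for the forwarding-rule abuse described above. The log records are constructed for this example with a simplified layout (the operation and parameter names follow the Exchange Online cmdlets they correspond to, but the schema is not a verbatim Microsoft 365 audit record), and the internal domain `example.com` and the external domain `external-example.net` are assumptions.

```python
import json

# Domains that belong to the organisation (assumption: constructed for this example).
INTERNAL_DOMAINS = {"example.com"}

# Operations that create or change forwarding. Names mirror the Exchange Online
# cmdlets; the record layout used below is simplified and constructed for this example.
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}
MAILBOX_OPS = {"Set-Mailbox"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
# Parameters that hide the diversion from the mailbox owner.
HIDE_PARAMS = {"DeleteMessage", "MarkAsRead", "MoveToFolder"}

# Constructed sample audit events (one JSON record per line, as a SIEM might export them).
SAMPLE_LOG = [
    json.dumps({"CreationTime": "2020-11-30T08:12:44", "Operation": "New-InboxRule",
                "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "drop@external-example.net"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2020-11-30T09:01:10", "Operation": "Set-InboxRule",
                "UserId": "bob@example.com", "ClientIP": "198.51.100.4",
                "Parameters": [{"Name": "Name", "Value": "Invoices"},
                               {"Name": "RedirectTo", "Value": "ap@example.com"}]}),
    json.dumps({"CreationTime": "2020-11-30T09:40:02", "Operation": "Set-Mailbox",
                "UserId": "carol@example.com", "ClientIP": "203.0.113.7",
                "Parameters": [{"Name": "ForwardingSmtpAddress",
                                "Value": "smtp:archive@external-example.net"},
                               {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}),
    json.dumps({"CreationTime": "2020-11-30T10:15:33", "Operation": "MailItemsAccessed",
                "UserId": "dave@example.com", "ClientIP": "198.51.100.9", "Parameters": []}),
]


def normalize(address):
    """Reduce 'Name <user@host>' or 'smtp:user@host' to a lower-case user@host."""
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    if addr.lower().startswith("smtp:"):
        addr = addr[5:]
    return addr.strip().lower()


def is_external(address):
    """True when the recipient domain is not one of the organisation's own domains."""
    domain = normalize(address).rpartition("@")[2]
    return bool(domain) and domain not in INTERNAL_DOMAINS


def split_recipients(value):
    """Parameter values may be a single string (';'-separated) or a list of strings."""
    if isinstance(value, str):
        return [v for v in (part.strip() for part in value.split(";")) if v]
    return list(value)


def analyze_event(event):
    """Return a finding for a forwarding change to an external address, else None."""
    op = event.get("Operation")
    if op not in RULE_OPS and op not in MAILBOX_OPS:
        return None
    params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
    targets = []
    for name in sorted(set(params) & FORWARD_PARAMS):
        targets.extend(normalize(a) for a in split_recipients(params[name]) if is_external(a))
    if not targets:
        return None
    hiding = sorted(set(params) & HIDE_PARAMS)
    # Mailbox-level forwarding does not appear in the user's own rule list, and rules
    # that also delete or mark messages read are built to hide the diversion.
    severity = "high" if hiding or op in MAILBOX_OPS else "medium"
    return {"time": event.get("CreationTime"), "user": event.get("UserId"),
            "client_ip": event.get("ClientIP"), "operation": op,
            "external_targets": targets, "hiding": hiding, "severity": severity}


def analyze_log(lines):
    """Run analyze_event over JSON log lines and collect the findings."""
    findings = []
    for line in lines:
        finding = analyze_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


def pivot_by_client_ip(findings):
    """Group affected mailboxes by the source IP that made the change: one address
    touching several mailboxes points to a single actor using stolen credentials."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["client_ip"], set()).add(f["user"])
    return by_ip


if __name__ == "__main__":
    results = analyze_log(SAMPLE_LOG)
    for r in results:
        print(f"[{r['severity']}] {r['time']} {r['user']} {r['operation']} "
              f"-> {', '.join(r['external_targets'])} hiding={r['hiding']}")
    print("by client IP:", pivot_by_client_ip(results))
```

On the constructed input the internal redirect is ignored, the inbox rule that forwards externally and deletes the message is rated high, the mailbox-level `ForwardingSmtpAddress` change is rated high, and the pivot shows the same client IP changing two different mailboxes. The same review should be run against rules in desktop clients, which is where the FBI notes the changes go unnoticed.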

[Editor Comments]

[Neely] Compromising credentials of internet-accessible email accounts continues to be a target, and in many cases, low-hanging fruit. Implement multi-factor authentication on all internet-accessible services. If you must enable password access, ensure passwords are sufficiently robust; review NIST SP 800-63-3 for guidance. Make sure that account lock-out and misuse detection on those services are enabled and actively monitored to detect malicious activities.

[Pescatore] These types of attacks have been around for several years; many SIEM products have rules to detect and alarm on mail forwarding changes. Microsoft, SecureSky, and the Center for Internet Security have updated the Microsoft 365 Foundation Benchmark to v1.2 that also addresses mitigating the forwarding risk.

[Honan] This is an important warning from the FBI. We've been involved in several email hijacking cases where forwarding rules were set by the criminals at the server side, be that an on-premise or cloud based solution. However, the criminals have made the changes noted by the FBI which have been overlooked by the clients in their initial investigation. Also, be aware this vulnerability can be exploited on older installations of Microsoft Outlook which we have seen in several cases.

Read more in:

Document Cloud: Private Industry Notification | Cyber Criminals Exploit Email Rule Vulnerability to Increase the Likelihood of Successful Business Email Compromise (PDF)

ZDNet: FBI warns of email forwarding rules being abused in recent hacks

Security Week: FBI Warns of Auto-Forwarding Email Rules Abused for BEC Scams


--Phishing Campaign Targets COVID Cold Chain

(December 3, 2020)

An IBM Security X-Force threat intelligence task force "recently uncovered a global phishing campaign targeting organizations associated with a COVID-19 cold chain." British regulators have approved Pfizer's vaccine; US regulators are scheduled to evaluate Pfizer's and Moderna's vaccines next week. Once vaccines are approved, they must be transported at extremely low temperatures, hence the term cold chain for the companies that will provide the specialized refrigeration for vaccine storage and transportation. EU regulators are due to approve this vaccine over the coming weeks.

[Editor Comments]

[Neely] As vaccines are approved and distribution begins, expect increased occurrence of attempts to redirect or otherwise disrupt the supply chain, particularly as the viability depends on proper refrigeration. Distributors need to be prepared for aggressive social engineering, including impersonation of officials, intended to redirect supplies.  

Read more in:

Security Intelligence: IBM Uncovers Global Phishing Campaign Targeting the COVID-19 Vaccine Cold Chain

Wired: Hackers Are Targeting the Covid-19 Vaccine 'Cold Chain'

ZDNet: Mysterious phishing campaign targets organizations in COVID-19 vaccine cold chain

Ars Technica: Nation-state backed hackers going after COVID vaccine supply chain

Threatpost: Cyberattacks Target COVID-19 Vaccine 'Cold-Chain' Orgs

Bleeping Computer: Hackers target EU Commission, COVID-19 cold chain supply orgs

Security Week: State-Sponsored Hackers Likely Behind Attacks on COVID-19 Vaccine Cold Chain

Health IT Security: Hackers Targeting COVID-19 Vaccine Supply Chain Via Phishing Campaigns

Cyberscoop: COVID-19 hacking extends to supply chain for controlling vaccine temperature, IBM says


--Oracle WebLogic Flaw is Being Actively Exploited

(December 1, 2020)

Cyber threat actors are actively exploiting a critical vulnerability in Oracle WebLogic. Oracle released a fix for the flaw in its October 2020 Critical Patch Update. The remote code execution flaw is being exploited to drop several different payloads, including one that installs the DarkIRC bot. Users are urged to apply the available patch for CVE-2020-14882 as well as for CVE-2020-14750, a related vulnerability for which Oracle released an unscheduled fix in November.

[Editor Comments]

[Neely] The DarkIRC bot is available for $75 through hacker forums; it ultimately installs itself as an auto-run version of chrome.exe leveraging powershell scripts and obfuscated downloads. Use the cost of obtaining an exploit as compared to the cost of the data included in your WebLogic instance when calculating the risk or ROI for this update.

Read more in:

Ars Technica: Oracle vulnerability that executes malicious code is under active attack

Bleeping Computer: Critical Oracle WebLogic flaw actively exploited by DarkIRC malware

Security Week: Recent Oracle WebLogic Vulnerability Exploited to Deliver DarkIRC Malware


*******************************  SPONSORED LINKS  ********************************   

1) Product Review Webcast | ExtraHop's Reveal(x) security analytics product provides security analysts with a platform that can rapidly analyze huge quantities of data without acquiring full network packets. Join us in this webcast to learn from Dave Shackleford and his review of the ExtraHop Reveal(x) product | December 8 @ 2:00 PM EST


2) Virtual Event | December 14th-19th EST | Discover the most effective steps to prevent cyber-attacks and detect adversaries with actionable techniques you can apply immediately. Join us for our exciting upcoming event, SANS Cyber Defense Initiative 2020 - Live Online, and receive relevant cyber security training from real-world practitioners. Choose your course and register now!


3) Webcast | Join us for our upcoming webcast, "Bringing validity to defense-in-depth" to learn how Elastic helps customers break down artificial silos between teams and use cases in our movement towards a DevSecOps culture | December 9 @ 1:00 PM EST





--Alabama School District Hit with Ransomware

(December 1, 2020)

Huntsville (Alabama) City Schools have temporarily shut down in the wake of a ransomware attack. The school district has been providing both remote and in-person learning. The attack became apparent on Monday, November 30. The district has asked that all district-owned devices be shut down until further notice. Schools will remain closed for the rest of the week and possibly into next week.

[Editor Comments]

[Honan] I am old enough to remember when schools closed for snow days, not ransomware days.

Read more in:

Bleeping Computer: Alabama school district shut down by ransomware attack


--Online Curriculum Company K12 Pays Ransomware Demand

(December 2, 2020)

K12, a Virginia-based company that provides customized online learning curricula, paid threat actors to regain access to compromised systems following a November 2020 ransomware attack.

[Editor Comments]

[Neely] This attack involved the Ryuk ransomware actors who not only encrypt systems but also exfiltrate data and demand payment for that as well, sometimes called "double-extortion." K12 did isolate the attack and restore those systems; the data exposure threat drove the decision to pay. Make sure your ransomware response process includes decision trees related to exfiltrated data exposure as well as identification of critical and sensitive data. If you are relying on cyber insurance to negotiate payment, make sure your expectations are aligned with the services contracted before needed.

[Murray] The decision as to whether or not to pay extortion should be made before the demand and should be documented, for example, in a business resumption plan.

Read more in:

Bleeping Computer: K12 online schooling giant pays Ryuk ransomware to stop data leak

--Vancouver Transit System Hit with Ransomware

(December 4, 2020)

TransLink, the Vancouver, British Columbia, transit system, was infected with ransomware. On December 1, TransLink said that the incident had disrupted phones, online services, and the ability to pay fares with credit and debit cards, but that transit services were not affected. As of Thursday, December 3, customers were once again able to use payment cards for fares.

Read more in:

CBC: Ransomware attack led to 3 days of transit payment problems, TransLink says

Bleeping Computer: Metro Vancouver's transit system TransLink hit by Egregor ransomware

--Aerospace Company Embraer Discloses Cyberattack

(December 1 & 2, 2020)

Brazilian aerospace conglomerate Embraer has disclosed that one of its systems was hit with a cyberattack in November. The incident has been reported to Brazil's Securities and Exchange Commission.


Read more in:

ZDNet: Brazilian aerospace firm Embraer hit by cyberattack

AINOnline: Hackers Gain Access to Embraer IT Systems


--CISA Warns that Foreign Threat Actors are Targeting US Think Tanks

(December 2, 2020)

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning that it has "observed persistent continued cyber intrusions by advanced persistent threat (APT) actors targeting U.S. think tanks." The alert includes an attack profile and recommended mitigations.

[Editor Comments]

[Neely] The think-tanks are being targeted because they are often involved in shaping future policies for the new administration. Mitigations build on existing UAT for spear-phishing campaigns. Focus on unwanted and unexpected emails & attachments. Make sure users are operating with least-privilege. Also make sure systems are properly secured, updated, and isolated to prevent lateral movement.

[Murray] The list of "mitigations" is long and daunting but is mostly things that should be done in any case. The list is ordered by role (who should do what) but errs on the side of completeness. Given the number of items, it would have been nice if, within role, the list had been ordered by efficiency or effectiveness. Strong authentication, by far our most necessary, effective, and efficient measure, is way down the list, as though it were peer with many less important measures.  

Read more in:

Cyberscoop: US alert urges think tanks to be on guard for foreign hacking activity

Bleeping Computer: FBI and Homeland Security warn of APT attacks on US think tanks

Threatpost: Think-Tanks Under Attack by Foreign APTs, CISA Warns

US-CERT CISA: Alert (AA20-336A) | Advanced Persistent Threat Actors Targeting U.S. Think Tanks


--TrickBot's Up to New Tricks

(December 3, 2020)

A new component in the TrickBot botnet/banking Trojan is capable of modifying the Unified Extensible Firmware Interface (UEFI) on targeted computers. This new feature "makes use of readily available tools to check devices for well-known vulnerabilities that can allow attackers to read, write, or erase the UEFI/BIOS firmware of a device," according to researchers at Eclypsium and AdvantIntel.

Read more in:


Wired: The Internet's Most Notorious Botnet Has an Alarming New Trick

ZDNet: New TrickBot version can tamper with UEFI/BIOS firmware

Ars Technica: One of the Internet's most aggressive threats could take UEFI malware mainstream

Bleeping Computer: TrickBot's new module aims to infect your UEFI firmware

Security Week: TrickBot Malware Can Scan Systems for Firmware Vulnerabilities

Cyberscoop: TrickBot adds firmware tool that researchers say could lead to 'bricking' devices

SC Magazine: Trickbot trojan takes aim at vulnerabilities in booting process



--Allegations that DHS Agents Bought Phone Location Data from Brokers Prompt Lawsuit and Investigation

(December 3, 2020)

The American Civil Liberties Union (ACLU) is suing the US government for information about whether the US Department of Homeland Security (DHS) is circumventing warrant requirements and buying cell phone location information from commercial data brokers. According to a 2018 US Supreme Court ruling, law enforcement must obtain a valid search warrant prior to accessing mobile device information, including location. In a related story, the Department of Homeland Security's (DHS's) inspector general is investigating similar allegations.

[Editor Comments]

[Neely] This should be interesting to watch. Cell location data to be sold to third-party data aggregators by carriers and "anonymized" for research processes. This case is about data from applications which use the on-device location services, on the premise the user can disable location services negating the need for a warrant. You can opt out by disabling location services, and the reality is opting out is no longer trivial or viable for most users due to the number of applications and services which leverage location services.

[Murray] If anyone else can buy it, why not the government? The issue here may not be so much the role of the government as that of the data brokers. This measure results in a public record. It is not the kind of secret surveillance for which a warrant is required.  

[Honan] Cases like this reinforce the recent Schrems II judgment by the Court of Justice of the European Union (CJEU) which invalidated Privacy Shield and now requires much more stringent controls for the transfer of personal data belonging to those resident in the EU to the US.

Read more in:

Wyden: Wyden, Warren, Markey, Schatz Secure DHS IG Investigation of CBP Phone Location Data Surveillance Program

Vice: How an ICE Contractor Tracks Phones Around the World

Ars Technica: CBP's warrantless use of cell phone location data is under investigation

The Register: ACLU sues US govt, demands to know if agents are buying their way around warrants to track suspects' smartphones



--iOS Flaw Could Have Been Exploited to Take Control of Vulnerable Devices

(December 3, 2020)

A Google Project Zero researcher has found a bug that could have been exploited to take control of iOS devices without user interaction. Ian Beer found that a memory corruption bug affecting the iOS kernel could be exploited through Wi-Fi to remotely gain control of nearby iOS devices. Apple patched the flaw in May 2020 with iOS 12.4.7, iPadOS & iOS 13.5 and watchOS 5.3.7 & 6.2.5.  

[Editor Comments]

[Neely] The flaws were addressed in Apple's May updates for iOS, iPadOS, and watchOS, which included unexpected updates for older devices. Make sure they were applied, replace devices which cannot run the current OS releases. Ian Beer describes the flaw and research in a 30,000 word Project Zero article which is worth reading. His key takeaway is not to conclude nobody would spend six months to hack your phone, but rather that one person, working alone, in isolation, was able to build a capability to seriously compromise devices in close proximity. His recommendations, while iOS focused, should be considered for any system where legacy code and compromises, often driven by time to market, exist.

Read more in:

Wired: This 'Magical Bug' Exposed Any iPhone in a Hacker's Wi-Fi Range

Threatpost: iPhone Bug Allowed for Complete Device Takeover Over the Air

ZDNet: Google researcher: I made this 'magic' iPhone Wi-Fi hack in my bedroom, imagine what others could do

The Register: How a nightmare wormable, wireless, automatic hijack-a-nearby-iPhone security flaw was found and fixed

Dark Reading: Google Security Researcher Develops 'Zero-Click' Exploit for iOS Flaw

Vice: Watch This Google Hacker Pwn 26 iPhones With a 'WiFi Broadcast Packet of Death'


--Current Version of NDAA Gives CISA Subpoena Power to Identify Owners of Vulnerable Critical Infrastructure

(December 3, 2020)

The most recent version of the US National Defense Authorization Act (NDAA) gives the Cybersecurity and Infrastructure Security Agency (CISA) the authority to issue administrative subpoenas to help identify owners of unsecure and/or unpatched Internet-connected devices. The provision would grant CISA the authority to obtain the information from Internet service providers.

[Editor Comments]

[Pescatore] This is another one of those safety vs. privacy issues that require finding a middle ground. I would rather see focus on the federal government requiring ISPs and all telecom providers to stop delivering known attack traffic to their customers. The pandemic has re-emphasized that internet connectivity is a necessary utility, just like drinking water and electricity. We do not allow water providers to deliver toxic water and the power companies aren't allowed to electrocute their customers. The common conduits of known dangerous content are much higher leverage points for legislative efforts.

Read more in:

SC Magazine: CISA set to receive subpoena powers over ISPs in effort to track critical infrastructure vulnerabilities




Register For Cyberstart

Traffic Analysis Quiz: Mr. Natural

Xanthe Docker Aware Miner

Ocean Lotus Mac Backdoor

DarkIRC Bot Exploits Recent Oracle WebLogic Vulnerability

Prevalence of DNS Spoofing

New npm Malware Includes Bladabindi Trojan

OpenClinic vs OpenClinic GA

An iOS Zero-Click Radio Proximity Exploit Odyssey

Github "State of the Octoverse" Report (PDF)

Christopher Hurless: Open-Source Endpoint Detection and Response with CIS Benchmarks, OSQuery, Elastic Stack and The Hive


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit