Final Week: Get an iPad (32 G), Galaxy Tab A, or Take $250 Off OnDemand Training - Ends Jan 27

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #96

December 8, 2020

NSA Says VMware Flaw Actively Exploited; Healthcare Org to Pay $4.2M in Breach Settlement; U.S. National Cybersecurity Director

$2 million in new college scholarships for cyber-talented high school students announced by the National Cyber Scholarship Foundation ( Attend tomorrow's (December 9) free national workshop for U.S. high school teachers and counselors (and parents) to learn how students qualify for the scholarships and to get access to wonderful new resources (posters, videos) that help students learn about careers in cybersecurity.

More information and registration:

To qualify:


SANS NewsBites               December 8, 2020                Vol. 22, Num. 096




  NSA Warns that VMware Flaw is Being Actively Exploited, Fixes Available

  Kalispell Regional Healthcare Agrees to Pay $4.2M in Breach Settlement

  NDAA Would Create Position of National Cybersecurity Director


  Greater Baltimore Medical Center Suffers Ransomware Attack

  Embraer Data Leaked After Ransomware Attack

  Randstad Discloses Ransomware Attack

  Kmart Network Reportedly Hit with Ransomware

  UK Engineering Services Firm Acknowledges Cyberattack

  Kazakhstan Government Wants to Intercept Citizens' HTTPS Traffic Again

  Package Delivery Lockers Hacked

  Italian Police Make Arrests in Leonardo Data Theft

  QNAP Releases Fixes for Vulnerabilities in NAS Devices


**********************  Sponsored By AWS Marketplace  ******************************

AWS Marketplace would like to present you with a digital copy of the new book, Practical Guide to Security in the AWS Cloud, by the SANS Institute. This complimentary book is a collection of knowledge from 18 contributing authors, who share their tactics, techniques, and procedures for securely operating in the cloud.

Download Now:





Ending Soon! OnDemand and Live Online Training Special Offer

Best offers of the year! Get the latest MacBook Air, a Microsoft Surface Pro 7, or take $350 Off with ANY qualifying SANS Training Course through December 9.


New & Updated Courses

SEC588: Cloud Penetration Testing


MGT525:  IT Project Management, Effective Communication, and PMP(R) Exam Prep


SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis


Upcoming Live Online Events

SANS Security East 2021 - Jan 11-16 CST

20 Courses | Core and GRID NetWars


SANS Stay Sharp: Blue Team Ops 2021 - Jan 18-22 MST  

Targeted Short Courses | Cyber Defense NetWars


Cyber Threat Intelligence Summit & Training

FREE Summit: Jan 21-22 | Courses: Jan 25-30


Cloud Security Resources

Cheat Sheets, Papers, eBooks, and more. View & Download  





--NSA Warns that VMware Flaw is Being Actively Exploited, Fixes Available

(December 4, 5, & 7, 2020)

The US National Security Agency (NSA) has issued a cybersecurity advisory, warning that Russian hackers are exploiting a command injection flaw in VMware Access and VMware identity Manager. The exploit allows attackers to install malware, access data, and maintain a persistent presence on vulnerable systems. VMware issued fixes for the flaw on Thursday, December 3.

[Editor Comments]

[Neely] The attack relies on compromising the management interface, which runs on port 8443. The workaround disables configurator-managed settings changes. Apply the package updates now rather than the workaround and only make the management interface available to trusted systems, don't expose it to the internet.

Read more in:

Defense: Russian State-Sponsored Actors Exploiting Vulnerability in VMware(R) Workspace ONE Access Using Compromised Credentials (PDF)

VMware: HW-128524: CVE-2020-4006 for Workspace ONE Access, Identity Manager and Connector (81754)

VMware: Advisory | VMSA-2020-0027.2

Ars Technica: NSA says Russian state hackers are using a VMware flaw to ransack networks

Cyberscoop: NSA warns of Russian government-backed hackers aiming at US defense sector targets

Wired: The NSA Warns That Russia Is Attacking Remote Work Platforms

ZDNet: NSA warns of Russian state-sponsored hackers exploiting VMWare vulnerability

Security Week: VMware Patches Workspace ONE Access Vulnerability Reported by NSA

Threatpost: VMware Rolls a Fix for Formerly Critical Zero-Day Bug

Bleeping Computer: VMware fixes zero-day vulnerability reported by the NSA


--Kalispell Regional Healthcare Agrees to Pay $4.2M in Breach Settlement

(December 4 & 7, 2020)

Kalispell (Montana) Regional Healthcare (KRH) has reached a settlement with plaintiffs in a lawsuit filed after a data security breach. KRH will pay $4.2 million. The lawsuit was filed in December 2019; the incident occurred earlier that year. The attack began through phishing emails; the attackers gained access to employee accounts and retained that access until the breach was detected several months later.

[Editor Comments]

[Pescatore] This is an expensive settlement, worth highlighting to management: up to $15,000 in direct breach related losses per claimant, in addition to the usual credit theft/identity theft assistance type services. There were only 250 social security numbers reported compromised from the 130,000 records exposed, so it may be unlikely that the maximum is reached. But, the cost of avoiding the deficiencies cited (not following industry standard levels of security, not adequately training employees, etc.) for KRH's roughly 1,000 employees would not only be less than the total costs incurred but are also going to now be incurred anyway.

[Neely] Kalispell had been identified as being in the top 9% of organizations in the healthcare industry for cybersecurity compliance. Even so, they were undone by phishing attacks. Adequate user training, protection of sensitive data, monitoring, and response to unauthorized activities and actions are key to not only resisting an attack but also detecting and stopping these sorts of attacks. Leverage external assessors and testers to make sure the controls implemented work as expected before your adversaries find weaknesses for you.

Read more in:

GovTech: Montana Hospital Group to Pay $4.2M After Breach Lawsuit

Health IT Security: $4.2M Settlement Proposed in Kalispell Regional Breach Lawsuit


--NDAA Would Create Position of National Cybersecurity Director

(December 3 & 4, 2020)

The proposed 2021 US National Defense Authorization Act (a must-pass bill) would establish a new Senate-confirmed, executive branch position of National Cyber Director. The bill would also give the Cybersecurity and Infrastructure Security Agency (CISA) subpoena authority to keep tabs on critical infrastructure cybersecurity and require CISA to hire cybersecurity coordinators for every state.

[Editor Comments]

[Neely] This bill, if passed, formalizes the role the National Guard cyber units play in responding to cyber incidents. Tt also allows for collaboration with civilian agencies and provides a framework for collaboration, cross-training with other agencies such as the FBI, DHS CISA, state & local governments, law-enforcement and non-federal agencies.

Read more in:

GovInfosecurity: Defense Bill Would Restore White House Cybersecurity Post

Statescoop: Defense bill set to pass with state cybersecurity programs

Cyberscoop: Congress set to establish White House national cyber director, enact other Solarium Commission recommendations

SC Magazine: Potential national cybersecurity director inches towards reality

Meritalk: Congress Sets up National Cyber Director in NDAA, Trump Threatens to Veto


*******************************  SPONSORED LINKS  ********************************

1) Free Virtual Event | SANS Cloud Security Solutions Forum brings together SANS instructors and other cloud security leaders as they share tactics, techniques, and procedures for operating effectively and securely in the cloud. Register now to reserve your spot! | December 11 @ 10:30 AM EST


2) Webcast | We invite you to join SANS Senior Instructor, Jake Williams, as he chairs our upcoming webcast titled, "Leverage AI to Protect Against Phishing and Fraud Scams." Viewers will learn how to protect your customers and employees from rampant phishing and fraudulent sites that pop up every day. | December 10 @ 10:30 AM EST


3) Webcast | Join our upcoming webcast, "Secure Your Data, Your Recovery and Your Mission", to learn more about security and the continuity of operations (COOP) best practices employed across the globe. These practices have been adapted through a process of continuous improvement and innovation to provide data security and recovery readiness. | December 14 @ 12:30 PM EST





--Greater Baltimore Medical Center Suffers Ransomware Attack

(December 7, 2020)

The Greater Baltimore Medical Center (GBMC) has acknowledged that its network was hit with ransomware over the weekend. GBMC Health Care says that the attack has forced them to cancel some procedures that were scheduled for Monday, December 7.   

Read more in:

Security Week: Greater Baltimore Medical Center Hit by Ransomware Attack


--Embraer Data Leaked After Ransomware Attack

(December 7, 2020)

Ransomware operators behind a November ransomware attack on Brazilian aerospace company Embraer have published files that were allegedly taken from the company's network. Embraer has refused to pay the demanded ransom and has restored its systems from backups.

[Editor Comments]

[Neely] Embraer believed they understood the scope and value of data exfiltrated and subsequently released, and had sufficient resources to rebuild affected systems. Before an incident occurs, assess sensitive data and have the hard conversations about what damage can occur if data are released. Include conversations about the location and protections of that data, make adjustments and improvements where needed. Document your decisions; review them annually; and stand by them when or if the time comes.  

Read more in:

ZDNet: Hackers leak data from Embraer, world's third-largest airplane maker

Threatpost: RansomExx Ransomware Gang Dumps Stolen Embraer Data: Report


--Randstad Discloses Ransomware Attack

(December 4 & 7, 2020)

Randstad, a human resources company based in the Netherlands, has disclosed that its network was hit with ransomware known as Egregor. The ransomware operators have also targeted systems at Barnes and Noble and at TransLink, Vancouver, BC's transportation agency.

Read more in:

Bleeping Computer: Largest global staffing agency Randstad hit by Egregor ransomware

Security Week: HR Giant Randstad Hit by Egregor Ransomware


--Kmart Network Reportedly Hit with Ransomware

(December 3 & 4, 2020)

US retailer Kmart has reportedly been targeted in a ransomware attack. The incident affected the company's back-end servers. Kmart has not confirmed the report; a ransom note was shared with Bleeping Computer.

Read more in:

Bleeping Computer: Kmart nationwide retailer suffers a ransomware attack

SC Magazine: Kmart, a vulnerable target, among those hit in Egregor ransomware attack spree

Threatpost: Kmart, Latest Victim of Egregor Ransomware - Report


--UK Engineering Services Firm Acknowledges Cyberattack

(December 6, 7, & 8, 2020)

RMD Kwikform, a UK engineering services firm, was the target of a cyberattack in November. The company has notified the Information Commissioner's Office (ICO) and is cooperating with the National Cyber Security Centre (NCSC) and other authorities. Kwikform's parent company, Interserve, was the target of a cyberattack in May 2020.

Read more in:

IT Pro: Walsall-based construction firm hit by cyber attack

BBC: Walsall construction firm targeted in cyber attack

New Civil Engineer: Interserve's 'up for sale' subsidiary RMD Kwikform suffers cyber attack


--Kazakhstan Government Wants to Intercept Citizens' HTTPS Traffic Again

(December 6, 2020)

The government of Kazakhstan is once again requiring that citizens living in the country's capital install a government-issued digital certificate on their devices if they want to access Internet services outside the country. The certificate allows the government to intercept all HTTPS traffic from those devices. If Kazakh citizens want to access sites like Facebook, YouTube, Instagram, Twitter, or Netflix, they will need the certificate. This has happened twice before - in December 2015 and in July 2019. In those previous instances, browser makers blacklisted the Kazakh government certificate. The requirement is being touted as a security initiative; the country plans to hold a parliamentary election in January 2021.

[Editor Comments]

[Ullrich] While done a bit more clumsily, this is pretty much the same type of encryption backdoor that is proposed by the "EARN-IT" or "LEAD" bills proposed in the United States. Kazakhstan just doesn't have the cloud to force the tech industry into compliance, so they rely on pressuring citizens to install the backdoors necessary for interception.

[Neely] The certificate will enable MiTM inspection/interception and possible modification of traffic flowing through their perimeter, and as the certificate is trusted, the user will not be alerted, or aware. This monitoring also provides mechanisms for credential capture. The prior attempt failed after browser manufacturers blacklisted the Kazakhstan Government's certificates. As traffic is being routed through centralized control points, bypassing the security perimeter by the use of a VPN or other service to wrap/embed user's traffic is unlikely to succeed for long.

Read more in:

ZDNet: Kazakhstan government is intercepting HTTPS traffic in its capital

Eurasianet: Kazakhstan: As election beckons, authorities tighten control on internet


--Package Delivery Lockers Hacked

(December 7, 2020)

Someone hacked into a system that allowed them to unlock thousands of package delivery lockers in Moscow, Russia. The PickPoint delivery service allows people to order items and have them delivered to lockers, where they retrieve their packages using a mobile app.

Read more in:

ZDNet: Hacker opens 2,732 PickPoint package lockers across Moscow


--Italian Police Make Arrests in Leonardo Data Theft

(December 5 & 7, 2020)

Authorities in Italy have arrested two people in connection with the theft of data from a defense contractor LeonardoSpA. The suspects introduced malware into the company computers through a USB drive; they allegedly stole 10GB of data from Leonardo over a two-year period. One of the suspects was an IT manager at the company.

Read more in:

ZDNet: Italian police arrest suspects in Leonardo military, defense data theft

Bleeping Computer: Police arrest two in data theft cyberattack on Leonardo defense corp

Security Week: Italy Says Two Arrested for Defense Data Theft


--QNAP Releases Fixes for Vulnerabilities in NAS Devices

(December 7, 2020)

QNAP has published a security advisory urging users to update to the most recent versions of QTS and QuTS to address four vulnerabilities in its Network Attached Storage (NAS) products. One of the flaws could be exploited to take control of vulnerable NAS devices.

[Editor Comments]

[Neely] Make sure your QNAP devices are updated now. Don't expose your NAS devices to the Internet. If you're using them to share content, follow security guidelines. Consider using separate devices for sharing content and backups, and minimize services enabled. Note that some versions of the QTS operating systems are also vulnerable to the Windows ZeroLogin flaw when configured as a domain controller.

[Ullrich, Murray] It has been a of couple weeks, so here is the regular reminder: Do not expose network storage devices to the Internet, QNAP or any other brand. QNAP is actually pretty good in patching these flaws, which is why you may see them mentioned more frequently.

Read more in:

Threatpost: QNAP High-Severity Flaws Plague NAS Systems

Bleeping Computer: QNAP patches QTS vulnerabilities allowing NAS device takeover

QNAP: Multiple Vulnerabilities in QTS and QuTS hero





Proxy Scanner Attempting to Connect to Specific Hostname

Corrupt BASE64 Strings: Detection and Decoding

Recovering Passwords From Pixelized Screenshots

Tomcat Information Leak

Google Updates

Microsoft Teams Remote Code Execution Vulnerability (Patched)

PlayStation Now RCE

Cisco Security Manager Java Deserialization Vulnerabilities


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit