

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #99

December 18, 2020

SolarWinds - Much More to Know





  SolarWinds: Domain Seized and Used as Kill Switch

  SolarWinds: More Victims Emerge

  SolarWinds: National Security Council Invokes Cybersecurity Emergency Process

  SolarWinds: APT Actors May Have Used Multiple Attack Vectors

  SolarWinds: Major Investors Sold Stock Days Before Breach was Disclosed



  GitHub to Move Away from Passwords for Git Operations Authentication

  Flaws Discovered in Maritime Communications Suite

  Fix Available for WordPress Contact Form 7 Plugin Vulnerability

  FBI Issues DoppelPaymer Warning

  Trend Micro Releases Fixes for Flaws in Web Gateway

  Prison Sentence for Data Theft and Abuse

  Critical Cross-site Scripting Vulnerability in F5 BIG-IP








--SolarWinds: Domain Seized and Used as Kill Switch

(December 15 & 16, 2020)

Microsoft and a group of other tech companies have seized and sinkholed a malicious domain that was being used as a command-and-control server to communicate with networks infected through the SolarWinds supply chain attack. The domain has been reconfigured so that in some cases, it acts as a kill switch, preventing the SUNBURST malware that was distributed through the compromised SolarWinds software update system from operating.  

[Editor Comments]

[Neely] While this shuts down the C&C server, making it more difficult to leverage the existing SUNBURST malware distributions, the malware is still in place and still needs to be contained and eradicated. Also look for indicators of malicious activity such as credential changes and anomalous network traffic.  

Read more in:

KrebsOnSecurity: Malicious Domain in SolarWinds Hack Turned into 'Killswitch'

ZDNet: Microsoft and industry partners seize key domain used in SolarWinds hack

Dark Reading: FireEye Identifies Killswitch for SolarWinds Malware as Victims Scramble to Respond

Bleeping Computer: FireEye, Microsoft create kill switch for SolarWinds backdoor

Cyberscoop: FireEye, Microsoft find 'killswitch' to hamper SolarWinds-related malware

GeekWire: Microsoft unleashes 'Death Star' on SolarWinds hackers in extraordinary response to breach

ZDNet: Microsoft to quarantine SolarWinds apps linked to recent hack


--SolarWinds: More Victims Emerge

(December 16 & 17, 2020)

FireEye and the US Treasury Department were among the first organizations to acknowledge that their networks were infiltrated by hackers through the SolarWinds supply chain breach. More companies and government agencies have now come forward to disclose that their networks were also affected by the breach. Additional victims now include the US Energy Department and National Nuclear Security Administration, the Federal Energy Regulatory Commission (FERC), the US State Department, Microsoft, Cisco, and Intel.

[Editor Comments]

[Neely] SolarWinds was widely deployed in the US government and as such, more instances of SUNBURST will be discovered. While the C&C domain has been sinkholed, existing vulnerable versions need to be isolated and shut down. If you have the capability, collect a forensic image of the system, including memory, prior to shutdown to aid analysis.

[Murray] All SolarWinds customers must be presumed compromised. Rigorous content control (think TripWire) is indicated for all enterprise software. "Read only" and "execute only" must replace default "read/write." This will represent a major change in essential enterprise "cybersecurity" going forward but will represent a significant reduction in the risk of breaches. This gives a whole new meaning to "zero trust."  (One can take some small comfort in the fact that the Russians will be overwhelmed by the data from 18000 simultaneous breaches.)
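Murray's "content control (think TripWire)" point above, as an added example that is not from the newsletter or from Tripwire: a minimal hash baseline for a software tree that reports files added, removed or modified since the baseline was taken. The install tree, file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(expected, actual):
    """Drift between a stored manifest and the tree as it is now.

    The manifest must be kept where the monitored host cannot rewrite it
    (and ideally signed); this example does not implement that storage.
    """
    return {
        "added": sorted(set(actual) - set(expected)),
        "removed": sorted(set(expected) - set(actual)),
        "modified": sorted(p for p in expected
                           if p in actual and expected[p] != actual[p]),
    }


def demo():
    """Constructed install tree: baseline it, then simulate a tampered update."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "agent.dll").write_bytes(b"vendor build 1.0")
        (root / "config.ini").write_text("mode=normal\n")
        manifest = baseline(root)
        # Later: one file silently changed, one appeared, one disappeared.
        (root / "bin" / "agent.dll").write_bytes(b"vendor build 1.0 + unexpected bytes")
        (root / "bin" / "helper.dll").write_bytes(b"unexpected new module")
        (root / "config.ini").unlink()
        return compare(manifest, baseline(root))
```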

Read more in:

Politico: Nuclear weapons agency breached amid massive cyber onslaught

Ars Technica: SolarWinds hack that breached gov networks poses a "grave risk" to the nation

ZDNet: Microsoft confirms it was also breached in recent SolarWinds supply chain hack

GovInfosecurity: SolarWinds Supply Chain Hit: Victims Include Cisco, Intel

GovInfosecurity: SolarWinds: The Hunt to Figure Out Who Was Breached

The Hill: Pentagon, State Department among agencies hacked: report

GovTech: Federal Agencies, Think Tank Targeted in Russian Hacking Spree


--SolarWinds: National Security Council Invokes Cybersecurity Emergency Process

(December 15 & 16, 2020)

The SolarWinds supply chain breach has prompted the US National Security Council (NSC) to invoke a cybersecurity emergency process established under the Obama administration. PPD-41 established a Unified Coordination Group to serve as "the primary method for coordinating between and among Federal agencies in response to a significant cyber incident as well as for integrating private sector partners into incident response efforts, as appropriate."

Read more in:

FBI: Joint Statement by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the Office of the Director of National Intelligence (ODNI)

Cyberscoop: White House activates cyber emergency response under Obama-era directive

FCW: NSC invokes 2016 directive to respond to SolarWinds hack

Obama White House: Presidential Policy Directive -- United States Cyber Incident Coordination


--SolarWinds: APT Actors May Have Used Multiple Attack Vectors

(December 17, 2020)

The attackers behind the SolarWinds supply chain attack may have used other attack vectors to infiltrate targeted networks. The US Cybersecurity and Infrastructure Security Agency (CISA) is investigating "evidence of additional access vectors, other than the SolarWinds Orion platform."

[Editor Comments]

[Neely] The CISA bulletin describes additional indicators related to the other attack vectors, such as SAML tokens with unusually long lifetimes (24 hours versus 1 hour), fake valid SAML signing certificates, and sequential user access from geographically dispersed locations. Monitor accounts and authentication services closely for unexpected behavior and/or trust relationships.

[Pescatore] The US-CERT CISA alert referenced below has a simple "triage" list of 3 risk categories the 18,000 or so affected SolarWinds' users fall into, useful for justifying immediate disruptive action if you are in Category 3 and justifying needed resources to be sure if you think you are in Category 2.

[Murray] The use of software distribution as an attack vector demonstrates a major vulnerability in our infrastructure. It suggests that vendors must exercise rigorous content control over their distributions. Distributions must be digitally signed and customers must reconcile the signatures before use. Vendors will likely be seen as liable for contaminated distributions and shipping one may well be an existential event.  
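A defender-side check for the SAML indicators Neely lists above, added here as an example that is not from CISA, SANS or the newsletter. It assumes a one-hour normal token lifetime, a constructed stand-in for the IdP signing certificate, and constructed sign-in events; it also extends the "dispersed locations" indicator into a simple impossible-travel test over those events.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
MAX_LIFETIME = timedelta(hours=1)  # assumed normal token lifetime for this federation

# Constructed stand-in for the IdP's real signing certificate (not real DER).
GOOD_CERT_DER = b"CONSTRUCTED-IDP-SIGNING-CERT"
TRUSTED_SIGNERS = {hashlib.sha256(GOOD_CERT_DER).hexdigest()}


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, trusted=TRUSTED_SIGNERS, max_lifetime=MAX_LIFETIME):
    """Return findings for one SAML 2.0 assertion (empty list = nothing odd).

    The XML signature is not verified cryptographically here; the check is
    whether the embedded signing certificate is one the IdP is known to use.
    A token forged with the IdP's own stolen key passes that check, which is
    why the lifetime check is kept alongside it.
    """
    root = ET.fromstring(xml_text)
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return ["assertion has no Conditions element"]
    findings = []
    lifetime = _ts(cond.get("NotOnOrAfter")) - _ts(cond.get("NotBefore"))
    if lifetime > max_lifetime:
        findings.append(f"lifetime {lifetime} exceeds {max_lifetime}")
    cert_b64 = root.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert_b64 is None:
        findings.append("no signing certificate embedded")
    elif hashlib.sha256(base64.b64decode(cert_b64)).hexdigest() not in trusted:
        findings.append("signed by a certificate the IdP is not known to use")
    return findings


def impossible_travel(events, window=timedelta(hours=1)):
    """Users seen from two countries within `window`; events are constructed
    (user, ISO-8601 UTC timestamp, country) tuples."""
    flagged, last_seen = set(), {}
    for user, when, country in sorted(events, key=lambda e: e[1]):
        prev = last_seen.get(user)
        if prev and prev[1] != country and _ts(when) - _ts(prev[0]) <= window:
            flagged.add(user)
        last_seen[user] = (when, country)
    return sorted(flagged)


def _assertion(not_before, not_on_or_after, cert_der):
    cert = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
</saml:Assertion>"""


# Constructed samples: a normal 1-hour token, and a 24-hour token with a rogue cert.
NORMAL = _assertion("2020-12-17T10:00:00Z", "2020-12-17T11:00:00Z", GOOD_CERT_DER)
SUSPECT = _assertion("2020-12-17T10:00:00Z", "2020-12-18T10:00:00Z", b"CONSTRUCTED-ROGUE")
EVENTS = [("alice", "2020-12-17T10:05:00Z", "US"), ("alice", "2020-12-17T10:40:00Z", "RU"),
          ("bob", "2020-12-17T09:00:00Z", "US"), ("bob", "2020-12-17T15:00:00Z", "DE")]
```

Running check_assertion(SUSPECT) returns two findings (lifetime and unknown signer) while NORMAL returns none, and impossible_travel(EVENTS) flags only alice.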

Read more in:

Washington Post: Federal investigators find evidence of previously unknown tactics used to penetrate government networks

US-CERT CISA: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations

Bleeping Computer: CISA: Hackers breached US govt using more than SolarWinds backdoor

Security Week: Supply Chain Attack: CISA Warns of New Initial Attack Vectors Posing 'Grave Risk'

Nextgov: CISA: SolarWinds Is Not the Only Way Hackers Got Into Networks

Reuters: Microsoft says it found malicious software in its systems


--SolarWinds: Major Investors Sold Stock Days Before Breach was Disclosed

(December 15, 16, & 17, 2020)

Two major SolarWinds investors sold $280 million worth of stock just days before the breach of the company's software update system was disclosed. SolarWinds stock price dropped more than 20 percent in the days following the disclosure. The large transaction shortly before the announcement of the breach is likely to prompt an investigation from the Securities and Exchange Commission (SEC). The investors have issued a joint statement saying they were not aware of the breach when they sold the stock.

Read more in:

Washington Post: Investors in breached software firm SolarWinds traded $280 million in stock days before hack was revealed

The Register: SolarWinds' shares drop 22 per cent. But what's this? $286m in stock sales just before hack announced?

Security Week: Little-Known SolarWinds Gets Scrutiny Over Hack, Stock Sales







--GitHub to Move Away from Passwords for Git Operations Authentication

(December 17, 2020)

GitHub is planning to switch from password-based to token-based authentication for Git operations. The change will not apply to logging into accounts. The scheme will be tested in Summer 2021, and as of August 13, 2021, GitHub "will no longer accept account passwords when authenticating Git operations on"

[Editor Comments]

[Neely] If you have 2FA for your GitHub account, you're already using token-based authentication. The primary impact is to command line and apps/services which access Git repos directly using your password. Two "brownouts" scheduled for June 30 and July 28 will provide testing windows before the hard cutoff in August. If you want to be more proactive, you can convert your account to 2FA today, which will require configuration of tokens for authenticated operations and third-party integrations immediately.

[Pescatore] This doesn't take effect until August 13, 2021, but should serve as a model for all such repositories and services. All admin operations should move beyond reusable passwords. If nothing else, this will eliminate the hardcoded default password risk. In their daily real lives, human beings are getting quite used to two-factor authentication - the assumed barriers to more 2FA being used online are largely just excuses for inaction.

[Murray] The use of passwords for authentication makes one vulnerable to credential replay attacks as well as so called "password stuffing" attacks, short dictionary attacks, and brute force attacks. Strong authentication is essential for all but the most trivial applications. GitHub does not qualify as "trivial."

Read more in:

GitHub Blog: Token authentication requirements for Git operations

The Register: Passwords begone: GitHub will ban them next year for authenticating Git operations


--Flaws Discovered in Maritime Communications Suite

(December 16, 2020)

Researchers from Pen Test Partners found numerous vulnerabilities in the Dualog Connection Suite, which ships use for communications - including email, file transfers, and Internet access - while at sea. The flaws include undocumented admin accounts with hardcoded passwords, SQL injection, and two-factor authentication implemented in a Flash-based, client-side app.

Read more in:

Pen Test Partners: Serious Vulnerabilities in Dualog Connection Suite

The Register: Your ship comms app is 'secured' with a Flash interface, doesn't sanitise SQL inputs and leaks user data, you say?


--Fix Available for WordPress Contact Form 7 Plugin Vulnerability

(December 17, 2020)

The developers of the Contact Form 7 WordPress plugin have released a fix to address a critical unrestricted file upload vulnerability. The plugin is installed on more than 5 million WordPress sites. Users are urged to update to Contact Form 7 version 5.3.2.

[Editor Comments]

[Neely] If you don't have the file upload capability of Contact Form 7 enabled, you're not vulnerable; even so, you need to update if you're using this plugin. There is no published exploit code, and there are some mitigations that raise the difficulty of exploitation, including a .htaccess file with restrictions, randomized file names, and restrictions on the extensions accepted for file uploads, so exploitation is not easy. Even so, given the frequency of WordPress issues, rapid response is still prudent.

Wordfence provides additional information on the Contact Form 7 vulnerability:

Read more in:

Bleeping Computer: WordPress plugin with 5 million installs has a critical vulnerability


--FBI Issues DoppelPaymer Warning

(December 10 & 17, 2020)

The FBI has issued a Private Industry Notification (PIN - TLP: White) warning of DoppelPaymer ransomware attacks against organizations operating critical infrastructure, such as healthcare, emergency services, and education. The PIN warns that the DoppelPaymer ransomware operators have called victims to coerce them into paying the demands, and have also threatened to release stolen data if they were not paid.

Read more in:

IC3: DoppelPaymer Ransomware Attacks on Critical Infrastructure Impact Critical Services (PDF)

Security Week: FBI Warns of DoppelPaymer Ransomware Targeting Critical Infrastructure


--Trend Micro Releases Fixes for Flaws in Web Gateway

(December 15 & 17, 2020)

Trend Micro has released an update to address six vulnerabilities in its InterScan Web Security Virtual Appliance. Some of the flaws could be exploited to take control of vulnerable appliances. The flaws were first reported to Trend Micro in the summer of 2019, but they were not all patched until late November 2020.

Read more in:

Security Week: Trend Micro Patches Serious Flaws in Product Used by Companies, Governments

TrendMicro: SECURITY BULLETIN: December 2020 Security Bulletin for Trend Micro InterScan Web Security Virtual Appliance (IWSVA) 6.5 SP2

SEC Consult: Multiple critical vulnerabilities in Trend Micro InterScan Web Security Virtual Appliance (IWSVA)


--Prison Sentence for Data Theft and Abuse

(December 10 & 17, 2020)

A US District Judge in Louisiana has sentenced Colbi Trent Defiore to three-and-a-half years in prison for stealing and abusing patient data. Defiore previously pleaded guilty to "intentionally accessing a protected computer in excess of authorization for the purpose of commercial advantage and private financial gain, and in furtherance of the commission of a felony." Defiore worked as a seasonal employee for a company that supported the Centers for Medicare & Medicaid Services (CMS). He used the stolen data to apply for credit cards and loans, resulting in nearly $600,000 in damages.

Read more in:

Infosecurity Magazine: Data Thief Jailed

Justice: Carriere, MS Man Sentenced to 42 Months Imprisonment for Stealing Personal Identifying Information of More Than 8,000 Healthcare.Gov Customers and Causing $587,000 in Losses


--Critical Cross-site Scripting Vulnerability in F5 BIG-IP

(December 10, 16, & 17, 2020)

F5 has warned of several security issues, including a critical cross-site scripting vulnerability, that affect its BIG-IP products. Users are urged to upgrade to a fixed version, such as 15.1.1 or 16.0.1.

[Editor Comments]

[Neely] It's really easy to overlook updating your load balancer; they are often a component in your perimeter security as they often also provide WAF and NAT/SNAT services for business applications and supporting servers; they need to be rigorously updated, monitored and secured.

Read more in:

Portswigger: F5 warns over 'critical' XSS flaw in BIG-IP

F5: K42696541: F5 TMUI XSS vulnerability CVE-2020-5948

NIST: CVE-2020-5948 Detail




Analyzing a FireEye Maldoc


2020 Difference Makers


Cloud DNS Logs


F5 Big IP Vulnerabilities


Google Outage


GoLang XML Parser Vulnerabilities


SAP HANA SAML Validation Weakness


SolarWinds Update (German)


Hewlett Packard Enterprise Systems Insight Manager (SIM) Vulnerability


Token Authentication Requirements for Git Operations


Google Attempting to Speed Up OS Update Adoption


Trend Micro InterScan Web Security Virtual Appliance Vulnerability


Malicious Browser Extensions


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit