SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Volume XXIII - Issue #2

January 8, 2021

SolarWinds Even More Victims; $2 Million In Scholarships for talented students interested in cyber

For students considering pursuing computer science or cybersecurity careers: A workshop on the new $2 million scholarship programs and key questions on cyber education, sponsored by the National Cyber Scholarship Foundation

Date and time: January 14, 2021 (3:30 PM Eastern)  

Answers four questions commonly asked by high school students:

* What do I need to learn to get a good job in cybersecurity?

* Is there a way to find out if I have the aptitude to do well?

* Are there scholarships available?

* Where should I apply to college if I want to maximize my chances of getting a good job?



SANS NewsBites               January 8, 2021                Vol. 23, Num. 002



  SolarWinds: Federal Judiciary Electronic Records Possibly Breached

  SolarWinds: DoJ eMail Accounts Breached

  SolarWinds: FBI, NSA, ODNI, and CISA Point Finger at Russia

  SolarWinds: CISA Guidance Update Requires Agencies to Conduct Forensic Analysis



  Hackney Data Stolen, Leaked in Ransomware Attack

  Ransomware Hits Minnesota Lake Region Healthcare Network

  House Passes FedRAMP Bill

  Fired Healthcare Exec Sentenced to Prison for Sabotaging PPE Distribution

  Nissan Source Code Possibly Exposed

  NSA Guidance Urges Updating Outdated TLS Protocols

  Legislators' Computers Left Unattended When They Were Evacuated





--SolarWinds: Federal Judiciary Electronic Records Possibly Breached

(January 6 & 7, 2021)

The Administrative Office of the US Courts is "adding new security procedures to protect highly sensitive confidential documents filed with the courts" following a possible compromise of its Case Management/Electronic Case Files (CM/ECF) system. The Judiciary is auditing the system along with the Department of Homeland Security (DHS).

Read more in:

US Courts: Judiciary Addresses Cybersecurity Breach: Extra Safeguards to Protect Sensitive Court Records

KrebsOnSecurity: Sealed U.S. Court Records Exposed in SolarWinds Breach

Bleeping Computer: US Judiciary adds safeguards after potential breach in SolarWinds hack

Cyberscoop: Federal courts are latest apparent victim of SolarWinds hack

The Hill: Federal judiciary likely compromised as part of SolarWinds hack

MeriTalk: U.S. Courts Records System Breached in SolarWinds Hack


--SolarWinds: DoJ eMail Accounts Breached

(January 6, 2021)

The US Department of Justice (DoJ) says that the hackers behind the SolarWinds supply chain attack breached the department's Office 365 environment and compromised more than 3,000 email accounts. The DoJ Office of the Chief Information Officer (OCIO) detected malicious activity in late December 2020.

Read more in:

Justice: Department of Justice Statement on Solarwinds Update

FCW: DOJ says it was hit by SolarWinds hackers

The Hill: Justice Department confirms breach as part of SolarWinds hack, says emails were accessed

Cyberscoop: Justice Department confirms SolarWinds hackers accessed Department emails

Ars Technica: DoJ says SolarWinds hackers breached its Office 365 system and read email

ZDNet: SolarWinds fallout: DOJ says hackers accessed its Microsoft O365 email server

Bleeping Computer: SolarWinds hackers had access to over 3,000 US DOJ email accounts


--SolarWinds: FBI, NSA, ODNI, and CISA Point Finger at Russia

(January 5 & 6, 2021)

In a joint statement, the US Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and The National Security Agency (NSA) wrote, "an Advanced Persistent Threat (APT) actor, likely Russian in origin, is responsible for most or all of the recently discovered, ongoing cyber compromises of both government and non-governmental networks."

[Editor Comments]

[Murray and Paller] It is highly likely that at least one hostile nation state has gained persistent access to our infrastructure. While much of the access may never be exploited, its existence constitutes an existential threat to our national security. It is time to stop admiring the problem.

[Paller] Good cybersecurity tools can find the persistent presence of those nation states only when they are deeply and continuously adapted to local conditions by people with elite cyber talent like the folks who found the SolarWinds infection at Mandiant/FireEye. Tools don't find these problems without those hunters and tool adapters, and no nation will be able to withstand sustained cyber attacks without a cadre of world-class hunters. Hunters will be as important in future conflicts as fighter pilots were in World War II. The National Cyber Scholarship Foundation launched a $2 million scholarship program to identify and support the next generation of hunters; more than 25,000 high school students are participating this winter and spring. A parallel collegiate program will be announced in late January.  

Read more in:

CISA: Joint Statement By The Federal Bureau of Investigation (FBI), The Cybersecurity And Infrastructure Security Agency (CISA), The Office Of The Director Of National Intelligence (ODNI), And The National Security Agency (NSA)

Ars Technica: Bucking Trump, NSA and FBI say Russia was "likely" behind SolarWinds hack

ZDNet: US government formally blames Russia for SolarWinds hack

Threatpost: Feds Pinpoint Russia as 'Likely' Culprit Behind SolarWinds Attack


--SolarWinds: CISA Guidance Update Requires Agencies to Conduct Forensic Analysis

(January 6 & 7, 2021)

The US Cybersecurity and Infrastructure Security Agency (CISA) has updated its SolarWinds guidance. The January 6, 2021, "supplemental guidance v3 requires (1) agencies that ran affected versions conduct forensic analysis, (2) agencies that accept the risk of running SolarWinds Orion comply with certain hardening requirements, and (3) reporting by agency from department-level Chief Information Officers (CIOs) by Tuesday, January 19, and Monday, January 25, 2021."

[Editor Comments]

[Neely] CISA has three categories of network/systems for response guidance as well as whether or not you were running an impacted version of SolarWinds. If you don't have the required forensic capabilities, CISA will help you locate a qualified provider. CISA also warns that there may be other vulnerabilities in SolarWinds Orion the threat actors have yet to exploit. The best plan for reintroduction of Orion into your environment is to build on freshly provisioned servers from the most current version. Before implementing CISA measures, make sure your organization is not taking a more conservative approach.

Read more in:

DHS: Supplemental Guidance v3

Fedscoop: CISA updates guidance on SolarWinds compromise

MeriTalk: CISA Issues Updated Remediation Guidance to Feds for SolarWinds Hack






--Hackney Data Stolen, Leaked in Ransomware Attack

(January 7, 2021)

The ransomware operators responsible for an attack against the network of the Hackney council in London, UK have leaked stolen data. The ransomware attack occurred in October 2020. The council's services are still "significantly disrupted." The stolen information has reportedly been posted on the dark web.

Read more in:

ZDNet: Months after this 'serious' cyber-attack, stolen data has been leaked online by hackers


--Ransomware Hits Minnesota Lake Region Healthcare Network

(December 30, 2020, & January 7, 2021)

Lake Region Healthcare (LRHC) in Minnesota was the victim of a ransomware attack in late December 2020. The attack prompted LRHC to initiate EHR (electronic health record) downtime procedures. In a public statement, LRHC said they "are providing most of [their] services as usual by operating largely off alternative systems."

[Editor Comments]

[Murray] Given the number of successful attacks against healthcare institutions, it is fair to infer that far too many such institutions are accepting the risk of such attacks. While this may be justified, it simply cannot be acceptable to take that risk while also failing to have a plan for timely remediation.  

Read more in:

Health IT Security: Minnesota's Lake Region Healthcare Recovering From Ransomware Attack

LRHC: Public Statement: Update from LRH CEO Kent Mattson about Ransomware Attack


--House Passes FedRAMP Bill

(January 3, 5, & 6, 2021)

The US House of Representatives has passed a bill that codifies the Federal Risk and Authorization Management Program, or FedRAMP. The FedRAMP Authorization Act also establishes an advisory committee "to ensure effective and ongoing coordination of agency adoption, use, authorization, monitoring, acquisition, and security of cloud computing products and services to enable agency mission and administrative priorities."

[Editor Comments]

[Neely] FedRAMP provides a level playing field for assessing the security of cloud services to a known standard, including ongoing monitoring and visibility to issues and responses, known as POA&Ms. Assessing the security of a FedRAMP authorized service is much easier than trying to exercise your "right to audit" and mapping their practices to your security standards. FedRAMP also adds the requirements to support strong authentication, e.g. PIV/SmartCard. Even so, it's up to the agency to either implement the use of smart cards or obtain approval not to from their authorizing official; all FedRAMP customer responsibilities must be addressed in order to obtain an approval to operate (ATO).

[Pescatore] In many areas of information security the federal government lags behind private industry. But FedRAMP and DMARC and DNSSEC are areas where the federal government used its buying power to drive higher levels of security in the broader commercial markets and led the way in adopting more secure use of the Internet and Internet-based services. I'd like to see application security and strong authentication get added to that list for future government adoption to drive markets.

[Murray] One agrees with John Pescatore on strong authentication. It resists the fraudulent reuse of compromised credentials, a pervasive risk. It is, at least arguably, our most efficient security measure. One also agrees that application security, especially applications common across enterprises, is essential, though much more difficult to specify or legislate. However, particularly on the desktop, applications are a small part of the attack surface. Most desktops have ten to a hundred times the amount of system code than is actually required by the applications. The vulnerabilities in this code are common and exploited across enterprises. Consider reducing your attack surface by eliminating gratuitous functions.

Read more in:

Executive Gov: House OKs Bill to Codify FedRAMP, Create Federal Cloud Advisory Panel

FCW: House passes FedRAMP bill

Nextgov: House Passes Bill to Codify and Revamp FedRAMP

Connolly: FedRAMP Authorization Act (PDF)


--Fired Healthcare Exec Sentenced to Prison for Sabotaging PPE Distribution

(January 6 & 7, 2021)

A former employee of Georgia-based Stradis Healthcare has pleaded guilty to computer intrusion for tampering with the company's computer systems. Christopher Dobbins used a secret account he had created to gain access to the Stradis network where he altered and deleted data, hobbling the company's efforts to distribute personal protective equipment (PPE) in spring 2020. Dobbins has been sentenced to one year in prison.

[Editor Comments]

[Neely] Stradis terminated Dobbins's regular accounts after he was terminated but missed the secret account he created. Accounts should be validated regularly, not only after creation but on a recurring basis, to ensure only legitimate and active accounts are enabled. Account creation, particularly when privileges are assigned, should create an alert or trigger an action.

[Pescatore] Hard to do anything but cheer the sentencing. But, the question of how a "secret account" existed should be a spur to making sure privileged accounts are limited and routinely audited - if not regularly revoked to require regular re-justification for access.

[Murray] Transparency and accountability are the primary controls over privileged users. In enterprises with more than one or two such users, consideration should be given to Privileged Access Management software.  

Read more in:

ZDNet: Disgruntled former VP hacks company, disrupts PPE supply, earns jail term

Threatpost: Fired Healthcare Exec Stalls Critical PPE Shipment for Months

FBI: Medical Equipment Packaging Company Hacker Sentenced
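
The two controls the editor comments above recommend, shown as an added example that is not code from Stradis, the FBI, or this newsletter: a reconciliation of enabled accounts against the HR roster and an approved service-account list (which surfaces an enabled account nobody owns, the shape of the "secret account" in the story), plus a log check that alerts whenever a member is added to a privileged group and notes whether that member was created moments earlier and by whom. All account names, employee IDs, group names and audit lines are constructed for the example; the EventID values follow the Windows security log (4720 account created, 4725 account disabled, 4728/4732 member added to a security-enabled group), but the key=value line format is a hypothetical export, not a real log schema.

```python
"""Added example: account reconciliation and privileged-group alerting (constructed data)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    name: str
    enabled: bool
    owner: str          # employee ID of the responsible person, "" if none recorded
    groups: tuple


# Constructed directory export with hypothetical names; not real data.
ACCOUNTS = [
    Account("cdobbins", False, "E1001", ("Domain Users",)),
    Account("cdobbins-adm", False, "E1001", ("Domain Admins",)),
    Account("jsmith", True, "E1002", ("Domain Users",)),
    Account("svc-backup", True, "", ("Backup Operators",)),
    Account("maint", True, "", ("Domain Admins",)),   # enabled, privileged, and owned by nobody
]
ACTIVE_EMPLOYEES = {"E1002"}                  # E1001 has left; the HR feed is the source of truth
APPROVED_SERVICE_ACCOUNTS = {"svc-backup"}    # each needs a documented owner and review date
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators", "Account Operators"}


def orphaned_accounts(accounts, active_employees, approved_service):
    """Enabled accounts with no active human owner that are not on the approved service-account list."""
    return sorted(a.name for a in accounts
                  if a.enabled and a.name not in approved_service and a.owner not in active_employees)


def privileged_accounts(accounts, privileged_groups=PRIVILEGED_GROUPS):
    """Enabled accounts holding any privileged group: the list to re-justify on every review cycle."""
    return sorted(a.name for a in accounts if a.enabled and privileged_groups.intersection(a.groups))


# Constructed audit lines (hypothetical key=value format).
SAMPLE_LOG = [
    '2020-03-02T14:10:03Z EventID=4720 Subject=cdobbins Target=maint',
    '2020-03-02T14:11:40Z EventID=4728 Subject=cdobbins Member=maint Group="Domain Admins"',
    '2020-03-02T15:00:00Z EventID=4728 Subject=admin01 Member=jsmith Group="Domain Users"',
    '2020-03-09T09:00:00Z EventID=4725 Subject=admin01 Target=cdobbins',
]

LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) (?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def privileged_account_alerts(lines, privileged_groups=PRIVILEGED_GROUPS):
    """Alert on every addition to a privileged group; flag members created earlier in the same log."""
    created = {}   # account name -> (timestamp, creator)
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                        # not an event we understand
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
        eid = m.group("eid")
        if eid == "4720":
            created[fields["Target"]] = (m.group("ts"), fields["Subject"])
        elif eid in ("4728", "4732") and fields.get("Group") in privileged_groups:
            member = fields["Member"]
            _created_at, creator = created.get(member, (None, None))
            alerts.append({
                "time": m.group("ts"),
                "member": member,
                "group": fields["Group"],
                "added_by": fields["Subject"],
                "new_account": member in created,
                "created_by": creator,
            })
    return alerts


if __name__ == "__main__":
    print("orphaned:", orphaned_accounts(ACCOUNTS, ACTIVE_EMPLOYEES, APPROVED_SERVICE_ACCOUNTS))
    print("privileged:", privileged_accounts(ACCOUNTS))
    for alert in privileged_account_alerts(SAMPLE_LOG):
        print("ALERT:", alert)
```

Run stand-alone it reports "maint" as orphaned, lists "maint" and "svc-backup" for re-justification, and raises one alert: maint was added to Domain Admins by the same account that had created it ninety seconds earlier. The reconciliation deliberately treats the HR feed, not the directory, as authoritative for who is still employed, which is exactly the gap a de-provisioning process keyed only on known accounts leaves open.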


--Nissan Source Code Possibly Exposed

(January 6, 2021)

Source code for Nissan North America mobile apps and diagnostic tools may have been exposed due to an improperly configured Git server. Nissan says it has secured the server.  

[Editor Comments]

[Neely] The server had default (admin/admin) credentials. As much has been done of late to make services available to remote workers, verifying the security, including the presence of default credentials, has to be part of service delivery. Security also should be re-verified after installing patches, upgrades, or significant changes.

Read more in:

ZDNet: Nissan source code leaked online after Git repo misconfiguration

Cyberscoop: Nissan investigated source code exposure, says it plugged leak


--NSA Guidance Urges Updating Outdated TLS Protocols

(January 5 & 6, 2021)

The US National Security Agency (NSA) has issued guidance urging system administrators to replace obsolete Transport Layer Security (TLS) protocols with updated versions. The guidance offers strategies for detecting obsolete TLS instances (TLS 1.0 and 1.1 as well as SSL 2.0 and 3.0) and for replacing them with newer versions with strong encryption and authentication (TLS 1.2 and 1.3).

[Editor Comments]

[Ullrich] NSA Cyber also set up a valuable GitHub repo with tools. A tool that should probably be added is Zeek, which is ideally suited to detect the use of outdated TLS configurations. It can also be used to verify that certain outdated versions and ciphers are no longer in use, and that it is safe to disable them.

[Neely] When implementing strong encryption, be sure to disable weak algorithms as well. The weak algorithms in TLS 1.2 are NULL, RC2, RC4, DES, IDEA, and TDES/3DES. While TLS 1.3 removes these, if you're also supporting TLS 1.2, use an external scanner to verify they are disabled.

Read more in:

Defense: Eliminating Obsolete Transport Layer Security (TLS) Protocol Configurations (PDF)

Threatpost: NSA Urges SysAdmins to Replace Obsolete TLS Protocols

Bleeping Computer: NSA shares guidance, tools to mitigate weak encryption protocols

MeriTalk: NSA Urges Federal Stakeholders to Update Obsolete TLS Configurations
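
The detection step the NSA guidance and the Zeek suggestion above describe, as an added example that is not part of the newsletter, the NSA repository, or Zeek: a small Python parser that reads a captured TLS ServerHello record and reports the negotiated protocol version and cipher suite, flagging SSL 3.0/TLS 1.0/TLS 1.1 and any suite built on the weak algorithms listed in the comment above (NULL, RC2, RC4, DES/3DES, IDEA, plus export suites). It handles the TLS 1.3 case, where the version field on the wire still reads 0x0303 and the real version is carried in the supported_versions extension, so a check that looks only at the legacy field misclassifies 1.3 as 1.2. The cipher-suite table is a partial, hand-built subset of the IANA registry and the sample records are constructed by the helper in the block, not captured traffic.

```python
"""Added example: classify a TLS ServerHello by negotiated version and cipher suite."""
import struct

# Protocol versions as encoded on the wire (RFC 5246 / RFC 8446).
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
OBSOLETE_VERSIONS = {0x0300, 0x0301, 0x0302}          # SSL 3.0, TLS 1.0, TLS 1.1

# Partial IANA cipher-suite table, hand-built for this example; extend for real use.
CIPHER_NAMES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0007: "TLS_RSA_WITH_IDEA_CBC_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
WEAK_TOKENS = ("NULL", "RC2", "RC4", "DES", "IDEA", "EXPORT")   # "DES" also catches 3DES
SUPPORTED_VERSIONS_EXT = 0x002B


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record carrying a ServerHello and report what was negotiated."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 4:
        raise ValueError("truncated record body")
    if body[0] != 0x02:
        raise ValueError("not a ServerHello")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    if len(hello) < hlen or hlen < 38:
        raise ValueError("truncated ServerHello")

    version = struct.unpack("!H", hello[:2])[0]
    off = 2 + 32                              # legacy_version + 32-byte random
    off += 1 + hello[off]                     # session_id length byte + session_id
    cipher = struct.unpack("!H", hello[off:off + 2])[0]
    off += 2 + 1                              # cipher_suite + compression_method

    # TLS 1.3 keeps legacy_version = 0x0303 and signals 1.3 in supported_versions.
    negotiated = version
    if off + 2 <= len(hello):
        ext_len = struct.unpack("!H", hello[off:off + 2])[0]
        off += 2
        end = min(off + ext_len, len(hello))
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[off:off + 4])
            off += 4
            if etype == SUPPORTED_VERSIONS_EXT and elen == 2:
                negotiated = struct.unpack("!H", hello[off:off + 2])[0]
            off += elen

    name = CIPHER_NAMES.get(cipher, "UNKNOWN_0x%04X" % cipher)
    return {
        "version": VERSION_NAMES.get(negotiated, "0x%04X" % negotiated),
        "obsolete_version": negotiated in OBSOLETE_VERSIONS,
        "cipher_suite": name,
        "weak_cipher": any(tok in name for tok in WEAK_TOKENS),
    }


def build_server_hello(version: int, cipher: int, extensions: bytes = b"") -> bytes:
    """Construct a ServerHello record for testing (all-zero random; not a real capture)."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + struct.pack("!H", cipher) + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


# Constructed samples: TLS 1.0 with RC4, TLS 1.2 with AES-GCM, and TLS 1.3 (version only
# visible in supported_versions).
LEGACY_HELLO = build_server_hello(0x0301, 0x0005)
MODERN_HELLO = build_server_hello(0x0303, 0xC02F)
TLS13_HELLO = build_server_hello(0x0303, 0x1301,
                                 struct.pack("!HHH", SUPPORTED_VERSIONS_EXT, 2, 0x0304))


def audit(records) -> list:
    """One finding per record that negotiated an obsolete version or a weak cipher suite."""
    findings = []
    for rec in records:
        info = parse_server_hello(rec)
        if info["obsolete_version"] or info["weak_cipher"]:
            findings.append("%s with %s" % (info["version"], info["cipher_suite"]))
    return findings


if __name__ == "__main__":
    for line in audit([LEGACY_HELLO, MODERN_HELLO, TLS13_HELLO]):
        print("OBSOLETE:", line)
```

Feeding the three constructed records through audit() reports only the TLS 1.0/RC4 negotiation. Running the same logic over ServerHellos pulled from a capture answers the question the comment above raises: if no obsolete version or weak suite shows up over a representative window, disabling them on the server is safe, and if one does, the source address tells you which client still needs attention.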


--Legislators' Computers Left Unattended When They Were Evacuated

(January 7, 2021)

When people stormed the US Capitol building on Wednesday, legislators' computers were left unattended. One senator has reported that a laptop was stolen from his office. It has not been determined what information the computer contains.

[Editor Comments]

[Ullrich] In emergency situations, in particular, it is important to have automated tools to secure systems. During an evacuation, people should focus on leaving the area, not securing their screen. This has happened at hotels when thieves used fire alarms to evacuate buildings before stealing laptops.

[Pescatore] Can't fault people fleeing violent mobs or burning airplanes for leaving the laptops on behind them, but this is a good news item for reminding decision makers why screenlock and timeout timers are beneficial to the health of the business in any instance where a computing device may be left unattended even in normal circumstances.

[Neely] The first priority during a crisis is preservation of life and limb. Typically drill/test scenarios don't include facility breach, so unlocked or unattended systems are not at risk. Even so, implementing idle timers which lock the screen has to be SOP. NIST SP 800-53 controls require this on federal information systems. Similar requirements stem from NIST SP 800-171, which applies to non-federal systems processing sensitive USG information.

Read more in:

Reuters: U.S. senator says Capitol building rioters made off with laptop

Nextgov: Capitol Riot Opens Congress to Potential IT Compromise

Vice: Rioters Had Physical Access to Lawmakers' Computers. How Bad Is That?

Wired: Post-Riot, the Capitol Hill IT Staff Faces a Security Mess




Netfox Detective: An Alternative Open-Source Packet Analysis Tool

Using the NIST Database and API to Keep Up with Vulnerabilities

Zyxel Exploitation Under Way

Brian Nishida: Ubuntu Artifacts Generated by Gnome Desktop Environment (PDF)

ElectroRAT Drains Cryptocurrency Accounts

Chrome Will Prefer HTTPS over HTTP By Default

Android January Patch Day

Telegram Publishes Users' Locations Online

Fortinet Patches

Foxit PhantomPDF Patches

Firefox Android Updates

Titan Security Key (PDF)

The Great Suspender Google Chrome Extension


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.