
SANS NewsBites

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XIX - Issue #1

January 3, 2017


Malware Used by Russian Hacking Group Found on Vermont Utility Laptop
Grizzly Steppe Report from DHS and FBI Describes Russian Malicious Cyber Activity
Charges Filed Against Chinese Nationals in Insider Trading Case Based on Law Firm Hacking
FDA Medical Device Postmarket Cybersecurity Guidelines


Subcontractor's Server Vulnerability Exposed US Military Personnel Data
KillDisk Variant is Ransomware
New York State Financial Security Rules Revised, Deadline Pushed Back
Hotel Company Investigating Reports of Information Security Breach
An End to the NSA/Cybercom Dual Hat?









Malware Used by Russian Hacking Group Found on Vermont Utility Laptop (December 31, 2016 & January 2-3, 2017)

A story in the Washington Post last Friday, entitled, "Russian hackers penetrated U.S. electricity grid through a utility in Vermont, U.S. officials say," was incorrect. Based on the Vermont reports, the government initiated a large-scale effort to find code that was supposedly placed on the Vermont utility site, in companies across 16 industry sectors. The Post issued a revision this morning reporting that an investigation into suspicious activity on a laptop owned by Vermont utility Burlington Electric indicates that there is no connection to any Russian attempt to infiltrate the utility's network. A Burlington Electric employee triggered an alert while checking email last week; the alert indicated that the computer had connected to a suspicious IP address. A toolkit called Neutrino found on the computer is not connected to malicious Russian activity.

[Editor Comments]

[Assante]
It is not surprising that the utility's investigation determined there is no association with Russian Intelligence Service (RIS) campaigns, especially based on the type/details of the IOCs released. Collective concern should be the rule as there have been known and documented attempts by RIS actors to access U.S. energy infrastructure over the last five years. Many of the campaigns, described by the techniques and specific versions of malware employed like Black Energy 2 and Havex, were discovered months to years after their introduction.

[Murray]
We should not allow this to obscure our dependence on electricity, the fundamental fragility of the grid, and the implementation-induced vulnerability of public-network-facing controls, both known and unknown. Can we not make 2017 the year in which we finally identify all those controls and protect them with end-to-end encryption and strong authentication?

[Honan]
Of concern is the fact that Vermont Utility shared this information with government sources, as per best practice, which in turn made its way into the media. Subsequent to this tale, how many other organizations will now hold back on sharing intel for fear of a similar leak and their organization appearing in the headlines? A lot of damage has been done to private-public cooperation by this incident.

Read more in:

The Washington Post: Russian government appears to have not targeted Vermont utility

Forbes: Fake News and how the Washington Post rewrote its story on Russian hacking of the power grid

The Register: Russian 'grid attack' turned out to be a damp squib

Original Stories:

Washington Post: Russian operation hacked a Vermont utility, showing risk to U.S. electrical grid security, officials say

CNET: Russian hackers strike at US electrical grid, report says

Grizzly Steppe Report from DHS and FBI Describes Russian Malicious Cyber Activity (January 2, 2017)

The U.S. Department of Homeland Security (DHS) and the FBI have issued a Joint Analysis Report (JAR) that describes the tools and techniques that Russian intelligence allegedly used against targets in the U.S.

[Editor Comments]

[Shpantzer]
The IOCs released by CERT seem to be a missed opportunity to demonstrate the usefulness of some IOCs while showing others as supporting/FYI. I can't imagine how many false positives there have been in the last week on the IP addresses related to major tech companies. Robert Lee has a good post on the intent of the report vs. the actual report.

Robert Lee will host a webinar Jan 6 on this JAR.

Read more in:

eWeek: DHS-FBI Report Details Russian Malicious Cyber Activity

Charges Filed Against Chinese Nationals in Insider Trading Case Based on Law Firm Hacking (December 28 & 29, 2016)

U.S. federal prosecutors have filed charges against three Chinese men for allegedly breaking into computer systems at several U.S.-based international law firms and stealing information about pending mergers and acquisitions. The men allegedly used the information to make profitable trades in the stock market.

[Editor Comments]

[Paller]
This story provides another reason (theft of early IPO information) that law firms are direct targets for international economic espionage. But law firms have been known to be a favored target of Chinese spies seeking commercial intelligence for more than 8 years, because they are target rich. Documents about international activities of clients are aggregated at the law firm representing the company. Jonathan Evans, then head of MI-5, made a rare disclosure in 2008, picked up by the Telegraph (

highlighting law firms' favored-victim status. Despite widespread knowledge of their vulnerability, fewer than 10 of the large law firms have made any substantial effort to upgrade their monitoring and response capabilities.

[Shpantzer]
As a sector, law firms are both incredible concentrations of juicy data and incredibly lacking and immature relating to infosec.

Read more in:

eWeek: U.S. Prosecutors Charge Three Chinese Hackers With Insider Trading

CNET: Accused hackers make millions off insider trading info

The Register: Trio charged with $4m insider trading by hacking merger lawyers

U.S. Justice Department: Manhattan U.S. Attorney Announces Arrest Of Macau Resident And Unsealing Of Charges Against Three Individuals For Insider Trading Based On Information Hacked From Prominent U.S. Law Firms

FDA Medical Device Postmarket Cybersecurity Guidelines (December 28, 2016)

The U.S. Food and Drug Administration (FDA) has released the final version of security guidance for network-connected medical device manufacturers. The guidelines, which are not mandatory, address post-market cybersecurity issues and are a companion to pre-market guidelines issued in 2014. The FDA believes that "medical device manufacturers should implement a structured and comprehensive program to manage cybersecurity risks," which would ideally include ensuring a means to monitor and detect vulnerabilities; assessing the risks vulnerabilities pose to patients; establishing a process for vulnerability disclosure; and releasing fixes in a timely fashion.

[Editor Comments]

[Williams]
Whether or not you work with medical devices, this may be of interest to you. The FDA sets different security reporting guidelines for organizations that are actively participating in an Information Sharing and Analysis Organization (ISAO). In the draft guidelines released earlier this year, the FDA failed to state the standards for active participation, but rectified this in the final document (

These guidelines are the first codified definition of what it means to "actively participate" in an ISAO or ISAC and will likely set legal precedent.

Read more in:

GovInfoSecurity: FDA Unveils Additional Medical Device Security Guidelines

FDA: Postmarket Management of Cybersecurity in Medical Devices (PDF)



Subcontractor's Server Vulnerability Exposed US Military Personnel Data (December 31, 2016 & January 3, 2017)

Potomac Healthcare Solutions, a U.S. government subcontractor, has inadvertently exposed personal information of Military Special Operations Command healthcare professionals through a database vulnerability. At least two of the affected individuals hold top-secret security clearances. The compromised data include names, locations, Social Security numbers, and salaries. Potomac has fixed the vulnerability.

[Editor Comments]

[Williams]
The root cause of this vulnerability was an unsecured rsync server. Rsync isn't normally open by default. It took some doing by the system admin to create this security hole. This probably stems from change management processes not being followed or no security influence on the change control board.

Read more in:

The Register: Top Secret-cleared SOCOM staff in 11Gb Govt contractor breach

ZDNet: US government subcontractor leaks confidential military personnel data

KillDisk Variant is Ransomware (December 29, 2016)

According to a report from CyberX, a new variant of the KillDisk malware is being used in ransomware attacks targeting industrial control systems. The KillDisk disk-wiper malware was used along with BlackEnergy malware in attacks on Ukrainian utilities a year ago.

[Editor Comments]

[Northcutt]
This is not going away. Up-to-date backups, whether for human computing systems or IoT, are the best defense:



[Shpantzer]
Ransomware and other availability attacks proliferating to the top of the malware food chain will change CIOs' perception of infosec as a business defender more than anything we've seen.

Read more in:

SCMagazine: New variant of KillDisk wiper threatens industrial control networks with ransomware

CyberX: New KillDisk Malware Brings Ransomware Into Industrial Domain

New York State Financial Security Rules Revised, Deadline Pushed Back (December 21 & 29, 2016)

The New York State Department of Financial Services (DFS) has pushed back the January 1, 2017 implementation deadline for revising its proposed cybersecurity regulations for financial firms, 23 NYCRR 500. The rules now take effect on March 1, 2017, and organizations have 180 days from then to meet the first compliance requirements. The rules have also been revised to clarify some provisions and relax others.

Read more in:

SC Magazine: New York State revises its sweeping cyber regulation proposal for financial sector

CNBC: NY financial regulator to delay cybersecurity rules

Hotel Company Investigating Reports of Information Security Breach (December 28, 2016)

InterContinental Hotels Group (IHG) is investigating reports that payment cards used at some of its U.S. locations may have been used in unauthorized transactions. Sources at several fraud prevention institutions have reported a pattern of payment card fraud indicating that cards used at those properties had been compromised. IHG has hired an outside firm to help with the investigation.

Read more in:

KrebsOnSecurity: Holiday Inn Parent IHG Probes Breach Claims

An End to the NSA/Cybercom Dual Hat? (December 23, 2016)

President Obama has moved to separate control of the US Cyber Command (Cybercom) from the NSA. Since Cybercom's inception in 2009, direction of both entities has been overseen by one individual. Known as the "dual-hat" arrangement, the shared direction was initially seen as necessary "to enable a fledgling Cybercom to leverage NSA's advanced capabilities and expertise." Now that Cybercom has matured, some say that the responsibilities of both organizations are too large for one person.

Read more in:

Washington Post: Obama moves to split cyber warfare command from the NSA


AT&T 2G Network Shutdown

Leap Second Causes Problems For Cloudflare

Calendar File Crashes iMessage

Truffle Hog

Critical RCE Flaw in PHPMailer

Malware Delays Execution with "Ping"

Apple Extends TLS Deadline

The Editorial Board of SANS NewsBites

View the Editorial Board of SANS Newsbites here: https://www.sans.org/newsletters/newsbites/editorial-board