
Volume XXII - Issue #47

June 12, 2020

Microsoft, Adobe, WordPress Issue Critical Patches -- Enterprises Falling Behind On Installing Them





  Microsoft Patch Tuesday

  Microsoft Releases Fix for Vulnerability in Windows Group Policy

  Adobe Releases Fixes for Flaws in Multiple Products

  WordPress 5.4.2 Patches More Vulnerabilities


  Alabama City Says it Will Pay US $300,000 Ransomware Demand

  Citizen Lab Says Dark Basin Hacking-for-Hire Group Has Ties to Indian Company

  A1 Telekom (Austria) Breach

  Cryptominer Campaign Targets Misconfigured Kubeflow Toolkit

  Updated Specification Available for Universal Plug-and-Play Protocol Vulnerability

  Senate Report: Chinese Telecoms Were Allowed to Operate in US with Minimal Oversight

  US Military and Federal Law Enforcement Agencies Have Purchased New IMSI-Catchers

  Knoxville City Systems Hit With Ransomware Attack




--Microsoft Patch Tuesday

(June 9 & 10, 2020)

On Tuesday, June 9, Microsoft released fixes for 129 security issues in multiple products. This is the fourth month in a row that Microsoft has fixed more than 100 vulnerabilities in its scheduled security updates. The patches include a fix for a critical remote code execution vulnerability in the Server Message Block (SMB) v1 protocol. Microsoft also released fixes for two other vulnerabilities in SMBv3.

[Editor Comments]

[Pescatore] In the current environment, two important points: (1) The NewsBites item last week about Rapid7 discovering over 80% of Microsoft Exchange servers had not installed a February critical patch indicates that IT operations may not be focusing on server patching while IT staff is working from home, and (2) Employees working at home from their own PCs should be reminded to make sure auto update is on and that these mega-patch releases are being successfully installed.

[Ullrich] Microsoft moved away from SMBv1 and introduced SMBv2 to reduce some of the attack surface created by many no-longer-used legacy features. In SMBv3, Microsoft started adding features like compression but apparently didn't learn from past mistakes and ended up with now three vulnerabilities that can be devastating if combined. In the end, the old rule still applies: Never allow SMB to pass your perimeter, and closely monitor SMB traffic internally. In March, we had SMBGhost (CVE-2020-0796). SMBGhost is a remote code execution vulnerability, but it is difficult to exploit, and it took until May for a working PoC exploit to be released publicly. This month, Microsoft patched another vulnerability in the exact same feature of SMBv3. SMBleed (CVE-2020-1206) sounds less severe at first, only allowing for information disclosure. But the information disclosed is Kernel memory, and paired with SMBGhost for privilege escalation, SMBleed can lead to devastating attacks. And finally, yes, we got another RCE in SMBv1 (SMBLost, CVE-2020-1301). But SMBv1 should have been disabled a long time ago.

[Neely] On the heels of making sure the patch for SMBGhost was applied, MS released additional SMB fixes. While SMB is contained within the traditional corporate perimeter, the current work environment may not be as well contained, so timely patching is essential. As John reminds us, our environment is further complicated by personally owned systems which also need to be kept updated. Where possible, incorporate patch checking into your VPN posture check. Be sure to let users know the enforcement timeline and expectations around attempted use of an unpatched system.

[Murray] For the moment and for most enterprises "patching" remains mandatory; failing to do so not only puts one at risk but puts one's neighbors at risk. At what point do we decide that the cost of patching is too high? When do we realize that the attack surface of these widely used products is so big, so homogenous, and so porous, that collectively they weaken the entire infrastructure? When do we realize that the architectures (e.g., von Neumann), languages, and development processes that we are using are fundamentally flawed? That hiding these products behind local firewalls and end-to-end application layer encryption is a more efficient strategy? When do we acknowledge that we must fundamentally reform how we build, buy, pay for, and use both hardware and software? At what point do we admit that we cannot patch our way to security?

Read more in:

SANS: Microsoft June 2020 Patch Tuesday

KrebsOnSecurity: Microsoft Patch Tuesday, June 2020 Edition

The Register: June's Patch Tuesday reveals 23 ways to remotely pwn Windows and over 100 more bugs that could ruin your day

ZDNet: Microsoft June 2020 Patch Tuesday fixes 129 vulnerabilities

Dark Reading: Microsoft Fixes 129 Bugs in Largest Patch Tuesday Release

DUO: Critical Flaw Patched in Windows SMB


--Microsoft Releases Fix for Vulnerability in Windows Group Policy

(June 9 & 10, 2020)

One of the issues Microsoft patched in its scheduled monthly security update is a privilege elevation flaw in Windows Group Policy. CyberArk discovered the vulnerability and notified Microsoft more than a year ago; the issue affects all currently supported versions of Windows.

[Editor Comments]

[Neely] The fix to CVE-2020-1317 is included in this month's patches from Microsoft. CyberArk characterized this vulnerability as easy to exploit once logged into the system; Microsoft claims specialized software is also needed. Either way, applying this month's update solves the problem.

Read more in:

CyberArk: Group Policies Going Rogue

ZDNet: Windows 10: Microsoft patches 'important' Windows Group Policy bug reported a year ago

Bleeping Computer: Windows Group Policy flaw lets attackers gain admin privileges


--Adobe Releases Fixes for Flaws in Multiple Products

(June 9, 2020)

Adobe has released fixes for security issues in Flash Player, Experience Manager, and Framemaker. In all, the updates address 10 vulnerabilities. Four of the vulnerabilities are rated critical; they could be exploited to remotely execute code on unpatched systems. Three of the critical flaws, memory corruption and out-of-bounds write vulnerabilities, affect Framemaker; the fourth, a use-after-free vulnerability, affects Flash Player.

[Editor Comments]

[Pescatore] Another one to remind work-at-home employees to patch, with an additional caveat: Adobe and McAfee continue to try to persuade Adobe software users to install McAfee software as part of the Adobe patching process. Users should be told explicitly to not just click yes on Adobe update requests. Hard to believe this Adobe/McAfee deal continues; imagine if Band-Aids tried to trick users into signing up for home alarm services.

[Neely] I still get an occasional prompt to enable Flash to view content, so I just checked: the Flash end-of-life date is still December 31, 2020, so you need to keep it updated where it's still being used. Make sure that the plans to retire Flash-based content, or provide an isolated browser for using it, are still completing this year.

Read more in:

Threatpost: Adobe Warns of Critical Flaws in Flash Player, Framemaker

Bleeping Computer: Adobe fixes critical remote code execution bug in Flash Player

Adobe: Adobe Security Bulletins and Advisories


--WordPress 5.4.2 Patches More Vulnerabilities

(June 11, 2020)

WordPress has released version 5.4.2 of its content management system. The new version addresses a number of security issues, including six vulnerabilities that could be exploited by cross-site scripting attacks. The update is a security and maintenance release; WordPress plans to release its next major update, WordPress 5.5, in August 2020.

Read more in:

Portswigger: WordPress security release addresses multiple XSS vulnerabilities

WordPress: WordPress 5.4.2 Security and Maintenance Release





--Alabama City Says it Will Pay US $300,000 Ransomware Demand

(June 9 & 11, 2020)

The city of Florence, Alabama plans to pay nearly $300,000 in bitcoin to ransomware operators to prevent citizens' data from being exposed. On May 26, Brian Krebs called the mayor's office to let them know that ransomware operators had gained a foothold in the city's systems. On Friday, June 5, the city's mayor acknowledged that the city email system was shut down due to a cyberattack, and earlier this week, the mayor confirmed to Krebs that Florence's systems had been infected by DoppelPaymer ransomware. The Florence city council unanimously approved the decision to pay the ransom.

[Editor Comments]

[Neely] With ransomware operators offering purloined information for sale reminiscent of an eBay auction, it's a good time to revisit your decision process regarding ransom payment as well as making sure you know what information resides in which locations so you can characterize affected data and respond appropriately if necessary.

[Murray] Three years in, all municipalities and healthcare institutions are responsible for knowing that they are targets of extortion attacks and for having a plan for resisting and mitigating such attacks. While paying ransom may, in at least some cases, be an appropriate part of such a plan, such a plan must have been made in advance of the attack, not simply as a convenient and expensive response to it.

Read more in:

KrebsOnSecurity: Florence, Ala. Hit By Ransomware 12 Days After Being Alerted by KrebsOnSecurity

APR: Alabama city to pay $300,000 ransom in computer system hack


--Citizen Lab Says Dark Basin Hacking-for-Hire Group Has Ties to Indian Company

(June 9, 2020)

Researchers with the Citizen Lab Internet watchdog group say that a hacking-for-hire group they have dubbed Dark Basin has ties to BellTroX InfoTech Services, a company based in India. Dark Basin has targeted thousands of people and organizations around the world over the past seven years. Dark Basin's targets include journalists, nonprofits, advocacy groups, and commercial organizations.

Read more in:

Citizen Lab: Dark Basin | Uncovering a Massive Hack-For-Hire Operation

Reuters: Exclusive: Obscure Indian cyber firm spied on politicians, investors worldwide

Dark Reading: Hack-for-Hire Firm Connected to Attacks on Nonprofits, Journalists

Ars Technica: Hackers for hire targeted hundreds of institutions, says report

The Register: Researchers unmask Indian 'infosec' firm to reveal hacker-for-hire op that targeted pretty much anyone clients wanted

Threatpost: Dark Basin Hack-For-Hire Group Targeted Thousands Over 7 Years

Cyberscoop: Vast hack-for-hire scheme against activists, corporate targets tied to Indian IT firm


--A1 Telekom (Austria) Breach

(June 8 & 11, 2020)

A1 Telekom, Austria's largest Internet service provider, has acknowledged a security breach that occurred in November 2019. The company says it detected the breach in December 2019, but that it took them until May 22, 2020 to fully mitigate the situation. All employee passwords have been reset, as have passwords and access keys for all servers.

Read more in:

ZDNet: Hackers breached A1 Telekom, Austria's largest ISP

Heise: Massive attack on A1 Telekom Austria (German)


--Cryptominer Campaign Targets Misconfigured Kubeflow Toolkit

(June 10 & 11, 2020)

Microsoft's Azure Security Center recently detected a cryptominer campaign that is targeting misconfigured Kubeflow instances. If users changed the default settings, they could have exposed the Kubeflow admin panel on the Internet. The attackers appear to have been scanning for these misconfigured instances and exploiting them to install Monero cryptojacking malware.

Read more in:

Microsoft: Misconfigured Kubeflow workloads are a security risk

Threatpost: Kubernetes Falls to Cryptomining via Machine-Learning Framework

ZDNet: Microsoft discovers cryptomining gang hijacking ML-focused Kubernetes clusters


--Updated Specification Available for Universal Plug-and-Play Protocol Vulnerability

(June 9 & 11, 2020)

A flaw in the Universal Plug-and-Play (UPnP) protocol could be exploited to launch distributed denial-of-service (DDoS) attacks, exfiltrate data, and scan internal ports. Dubbed CallStranger by the researchers who created proof-of-concept exploit code, the issue affects billions of Internet of Things (IoT) devices. An updated specification is available.

[Editor Comments]

[Neely] Don't expose UPnP devices to the Internet. Know what UPnP devices you have and what they can access. Paul Asadoorian of Security Weekly gave me this reference on discovering UPnP devices on your network using Nmap or the miranda-upnp python package:

Read more in:

DUO: Flaw in Plug-and-Play Protocol Exposes Devices to Data Theft, DDoS Attacks

Ars Technica: UPnP flaw exposes millions of network devices to attacks over the Internet

Dark Reading: Vulnerability in Plug-and-Play Protocol Puts Billions of Devices at Risk

CERT: Universal Plug and Play (UPnP) SUBSCRIBE can be abused to send traffic to arbitrary destinations
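As an added illustration of the SUBSCRIBE abuse the CERT note above describes (example code written for this digest, not from the newsletter, CERT or the CallStranger researchers), the detector below parses a captured UPnP SUBSCRIBE request and flags CALLBACK URLs that do not point back to the subscribing host, which is the pattern behind the reflection, exfiltration and internal port-scan cases named in the item. The sample requests and the LOCAL_NETS ranges are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Address ranges a callback may legitimately point into (the LAN the device
# serves). Constructed for this example; replace with your own segments.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fe80::/10", "fc00::/7")]

URL_IN_BRACKETS = re.compile(r"<([^<>]+)>")


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers). Header names
    are lower-cased because UPnP stacks emit them in mixed case."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def callback_urls(callback_header):
    """The CALLBACK header carries one or more URLs, each wrapped in <>."""
    return URL_IN_BRACKETS.findall(callback_header)


def classify_callback(url, subscriber_ip):
    """Return None for a normal callback, otherwise a short reason.
    A control point subscribes so that the device notifies *it*, so the
    callback host should be the subscriber's own address."""
    host = urlsplit(url).hostname
    if host is None:
        return "unparsable"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "hostname-callback"      # a name can resolve anywhere
    if not any(addr in net for net in LOCAL_NETS):
        return "off-lan"                # DDoS reflection / data exfil pattern
    if addr != ipaddress.ip_address(subscriber_ip):
        return "third-party-on-lan"     # internal port-scan pattern
    return None


def suspicious_callbacks(raw, subscriber_ip):
    """List of (url, reason) for every callback in a SUBSCRIBE request that
    does not point back to the subscriber; other methods yield []."""
    method, _path, headers = parse_request(raw)
    if method.upper() != "SUBSCRIBE":
        return []
    results = []
    for url in callback_urls(headers.get("callback", "")):
        reason = classify_callback(url, subscriber_ip)
        if reason:
            results.append((url, reason))
    return results


# Constructed sample requests (not real captures).
NORMAL = ("SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
          "HOST: 192.168.1.20:49152\r\nNT: upnp:event\r\n"
          "CALLBACK: <http://192.168.1.50:8080/notify>\r\n"
          "TIMEOUT: Second-1800\r\n\r\n")
ABUSE = ("SUBSCRIBE /upnp/event/basicevent1 HTTP/1.1\r\n"
         "HOST: 192.168.1.20:49152\r\nNT: upnp:event\r\n"
         "CALLBACK: <http://192.168.1.50:8080/notify>"
         "<http://203.0.113.9/flood><http://192.168.1.1:22/>\r\n"
         "TIMEOUT: Second-1800\r\n\r\n")

if __name__ == "__main__":
    print(suspicious_callbacks(NORMAL, "192.168.1.50"))   # []
    print(suspicious_callbacks(ABUSE, "192.168.1.50"))
```

Feed it SUBSCRIBE requests taken from an internal capture together with each request's source address; anything it returns is worth an alert, since a healthy control point never asks a device to notify somebody else.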


--Senate Report: Chinese Telecoms Were Allowed to Operate in US with Minimal Oversight

(June 9, 2020)

A staff report from the US Senate's Permanent Subcommittee on Investigations found that the Federal Communications Commission (FCC) and other US agencies failed to adequately oversee Chinese telecommunications companies operating in the US for nearly 20 years. The report notes that the team of officials from the Departments of Justice, Homeland Security, and Defense who were supposed to monitor the Chinese-owned carriers had scant resources and no statutory authority.

[Editor Comments]

[Pescatore] Over this same time frame, back in 2003 British Telecom selected Huawei for the UK national network upgrade, and the British government dedicated resources to (and required Huawei to help fund) the Huawei Cyber Security Evaluation Centre to test all software and firmware from Huawei before allowing it on production systems. The UK has mitigated the risk successfully for 17 years with that supply chain security approach.

Read more in:

Senate: Portman, Carper: Bipartisan Report Reveals How Three Chinese Government-Owned Telecoms Operated in the U.S. for Nearly 20 Years with Little-to-No Oversight from the Federal Government

HSGAC: Threats to U.S. Networks: Oversight of Chinese Government-Owned Carriers (PDF)

Ars Technica: FCC failed to monitor Chinese telecoms for almost 20 years: Senate report

Cyberscoop: Shoddy US government review of Chinese telcos endangered national security, Senate panel finds

FNN: Investigation finds interagency group lacked authority to oversee Chinese telecom companies

GovInfosecurity: Senate Report: Chinese Telecoms Operated Without Oversight


--US Military and Federal Law Enforcement Agencies Have Purchased New IMSI-Catchers

(May 27 & June 8, 2020)

The American Civil Liberties Union (ACLU) has obtained documents under the Freedom of Information Act (FOIA) showing that the US Immigration and Customs Enforcement (ICE) had purchased upgraded IMSI-catcher devices known as Crossbows. The technology, which is made by the same company that makes Stingray IMSI-catchers, appears to target 4G mobile devices. Motherboard has found that other US military and federal law enforcement agencies have also purchased Crossbows.

Read more in:

Vice: Agencies Spending Millions on 'Crossbow' Spy Tech, an Upgraded Stingray

ACLU: ICE Records Confirm that Immigration Enforcement Agencies are Using Invasive Cell Phone Surveillance Devices


--Knoxville City Systems Hit With Ransomware Attack

(June 11, 2020)

The city of Knoxville, Tennessee, was the target of a ransomware attack this week. The city has shut down its IT network. By the time the attack was detected early in the morning of Thursday, June 11, multiple systems had been encrypted. Emergency services have not been impacted by the attack.

Read more in:

Ars Technica: Knoxville shuts down parts of its network after being hit by ransomware

ZDNet: Knoxville shuts down IT network following ransomware attack

SC Magazine: Knoxville ransomware attack shutters parts of city website




Microsoft Patch Day




Anti-Debugging JavaScript Techniques


Job Application Themed Malspam Pushes ZLoader


Adobe Patches


Intel Patch Day


More Expiring Root CAs


Black Lives Matter Themed Malware


Facebook Messenger Desktop App Vulnerability


Outlook Massmailing Macros


STI Student Research: Dennis Taggard; Ebb and Flow: Network Flow Logging as a Staple of Public Cloud Visibility or a Waning Imperative?





The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS.

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit