SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Volume XXII - Issue #53

July 7, 2020

NB: US CYBERCOM: Patch Palo Alto Now!; NSA Guidance on Securing IPsec VPNs; macOS Ransomware; MSP Hit by Ransomware


SANS NewsBites                July 7, 2020                 Vol. 22, Num. 053



  US CYBERCOM Warning on Palo Alto Technologies OS Vulnerability; Patch Now!

  NSA Issues Guidance on Securing IPsec VPNs

  New macOS Ransomware ThiefQuest Found on Torrent Sites

  Managed Service Provider Xchanging Hit by Ransomware


  Barclays Website Was Calling Javascript File from Internet Archive

  F5 Releases Patches for Flaws in BIG-IP Networking Devices; POC Exploit Code Released

  European Authorities Infiltrated Encrypted Communication Platform Used by Criminals

  Cisco Fixes XSS Flaw in Small Business VPN Router Firmware

  Cisco Releases Firmware Updates for Vulnerability in Small Business Switches

  Apple's Decision Forces Shortening of Digital Certificate Lifespans

  Microsoft Releases Two Out-of-Cycle Patches for Windows

  Home Router Study Finds "Alarming" Security Issues

  Top Three Network Intrusion Signatures Used Against Federal Agencies in May 2020


  More Security Vulnerabilities in Perimeter Security Devices and What To Do About Them



--US CYBERCOM Warning on Palo Alto Technologies OS Vulnerability; Patch Now!

(June 30, 2020)

On June 29, US Cyber Command issued a cybersecurity alert regarding a critical flaw affecting Palo Alto Networks PAN-OS, the operating system that runs on the company's firewalls and VPN appliances. The alert urges users to "patch all devices affected by CVE-2020-2021 immediately, especially if SAML is in use." US Cyber Command expects that foreign adversaries will likely begin to exploit the vulnerability soon.

[Editor Comments]

[Murray] It is regrettable but "patching" is now a mandatory, expensive, and continuous activity. However, all patches are not equal; patch first those vulnerabilities that are being actively exploited.

Read more in:

Ars Technica: Foreign adversaries likely to try exploiting critical networking bug, US says

ZDNet: US Cyber Command says foreign hackers will attempt to exploit new PAN-OS security bug

Twitter: USCYBERCOM Cybersecurity Alert

Knowledge Base: Securing your SAML Deployments

Palo Alto Networks: CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication


--NSA Issues Guidance on Securing IPsec VPNs

(July 2, 2020)

The US National Security Agency (NSA) has released guidance to help organizations secure their IPsec virtual private networks (VPNs). Many organizations are using these to allow their employees to work from home. The NSA has also released a document with information about configuring IPsec VPNs.

[Editor Comments]

[Pescatore] Related to this item and the one about the Cybercom warning of critical vulnerabilities in Palo Alto Networks' PAN-OS based products, Johannes Ullrich of SANS put forth great guidance earlier in the year about critical vulnerabilities in security and VPN appliances and certified. SANS published that guidance as part of the SANS 2020 New Attack and Threat Report available at

[Murray] This guidance seems to assume that all VPNs will terminate on a network "gateway." While there will be a lot of these in a WFH situation, prefer to terminate VPNs on applications rather than on networks or operating systems.  

Read more in:

Bleeping Computer: NSA releases guidance on securing IPsec Virtual Private Networks

Defense: Securing IPsec Virtual Private Networks (PDF)

Defense: Configuring IPsec Virtual Private Networks (PDF)


--New macOS Ransomware ThiefQuest Found on Torrent Sites

(July 1, 2020)

Researchers at Malwarebytes have detected new ransomware that targets devices running macOS. Dubbed ThiefQuest, the ransomware also has spyware capabilities: it can exfiltrate files, search for cryptocurrency wallets and passwords, and log keystrokes. ThiefQuest has been detected bundled with other software on torrent sites.

Read more in:

Malwarebytes: New Mac ransomware spreading through piracy

Twitter: Dinesh_Devadoss

Threatpost: EvilQuest: Inside A 'New Class' of Mac Malware

Wired: New Mac Ransomware Is Even More Sinister Than It Appears

The Register: Things that happen every four years: Olympic Games, Presidential elections, and now new Mac ransomware


--Managed Service Provider Xchanging Hit by Ransomware

(July 6, 2020)

In an 8-K form filed with the US Securities and Exchange Commission (SEC), DXC Technology disclosed that systems at one of its subsidiaries were hit with a ransomware attack. The company, Xchanging, is a managed service provider that focuses primarily on the insurance industry but has customers in other sectors as well. According to the filing, "DXC is actively working with affected customers to restore access to their operating environment as quickly as possible."

Read more in:

Bleeping Computer: Ransomware attack on insurance MSP Xchanging affects clients

SEC: DXC Identifies Ransomware Attack on Part of its Xchanging Environment


--Barclays Website Was Calling Javascript File from Internet Archive

(July 3, 2020)

The Barclays Bank website appears to have been calling a Javascript file from the Internet Archive's Wayback Machine. This meant that if the Internet archive went down, the Barclays website would be down as well. Barclays has fixed the issue.

[Editor Comments]

[Murray] It is tempting to include both data and procedure by reference, rather than by copying. Be careful what you refer to.  

Read more in:

The Register: Barclays Bank appeared to be using the Wayback Machine as a 'CDN' for some Javascript


--F5 Releases Patches for Flaws in BIG-IP Networking Devices; POC Exploit Code Released

(July 2, 3, 4, 5, & 6, 2020)

F5 has released fixes to address a critical flaw in its BIG-IP networking equipment that could be exploited to take complete control of vulnerable devices. US Cyber Command tweeted last week that patching this vulnerability is urgent. On Sunday, July 5, CISA Director Christopher Krebs tweeted, "If you didn't patch by this morning, assume compromised." Proof-of-concept exploit code for the critical vulnerability, which has been given a CVSS score of 10, has been released. Hackers have begun exploiting the vulnerability. F5 has also released fixes for a high-severity cross-site scripting vulnerability in the BIG-IP Configuration utility.

[Editor Comments]

[Murray] We continue to see the publication by "researchers" of work product, "exploits," that reduces the cost of attack against our systems rather than that increases it. This appears to be a part of a "culture of hacking" left over from an era when hackers were motivated by, and recognized for, "cleverness."

Read more in:

Bleeping Computer: PoC exploits released for F5 BIG-IP vulnerabilities, patch now!

PT Security: F5 fixes critical vulnerability discovered by Positive Technologies in BIG-IP application delivery controller

Wired: Hack Brief: Hackers Are Exploiting a 5-Alarm Bug in Networking Equipment

Cyberscoop: Cyber Command backs 'urgent' patch for F5 security vulnerability

ZDNet: Hackers are trying to steal admin passwords from F5 BIG-IP devices

ZDNet: F5 patches vulnerability that received a CVSS 10 severity score

The Register: F5 emits fixes for critical flaws in BIG-IP gear: Hopefully yours aren't internet-facing while you ready a patch

Support.F5: K52145254: TMUI RCE vulnerability CVE-2020-5902

Support.F5: K43638305: BIG-IP TMUI XSS vulnerability CVE-2020-5903


--European Authorities Infiltrated Encrypted Communication Platform Used by Criminals

(July 2 & 3, 2020)

Law enforcement authorities in European countries were able to infiltrate EncroChat, an encrypted communication platform frequented by criminals. Hundreds of people have been arrested; large quantities of luxury items and illegal drugs and nearly EUR 20 million in cash have been seized.

Read more in:

Vice: How Police Secretly Took Over a Global Phone Network for Organized Crime

Ars Technica: Police infiltrate encrypted phones, arrest hundreds in organized crime bust

Threatpost: E.U. Authorities Crack Encryption of Massive Criminal and Murder Network

The Register: Euro police forces infiltrated encrypted phone biz - and now 'criminal' EncroChat users are being rounded up

Bleeping Computer: Hundreds arrested after encrypted messaging network takeover

Cyberscoop: European police crack encrypted phone network, arrest hundreds of alleged criminals


--Cisco Fixes XSS Flaw in Small Business VPN Router Firmware

(July 1, 2, & 6, 2020)

Cisco has released fixes for a cross-site scripting vulnerability that affects two of its small business VPN routers. The flaw is the result of "insufficient validation of user-supplied input by the web-based management interface of the affected software." The issue affects Cisco Small Business RV042 and RV042G Routers running firmware releases older than

Read more in:

SC Magazine: Zero-day XSS vulnerability found in Cisco small business routers

The Register: Cisco SMB kit harbors cross-site scripting bug: One wrong link click... and that's your router pwned remotely

Cisco: Cisco Small Business RV042 and RV042G Routers Cross-Site Scripting Vulnerability


--Cisco Releases Firmware Updates for Vulnerability in Small Business Switches

(July 1, 2020)

Cisco has released a security update to fix a high-severity flaw in its Small Business Smart and Managed Switches. The vulnerability, which "is due to the use of weak entropy generation for session identifier values," could be exploited to gain administrator privileges. The issue is fixed in version of the firmware release for affected products that are still supported.

[Editor Comments]

[Murray] The smaller the entity for which an appliance is intended, the more of them there are likely to be and the less likely that they will be actively managed.  

Read more in:

Threatpost: Cisco Warns of High-Severity Bug in Small Business Switch Lineup

Cisco: Cisco Small Business Smart and Managed Switches Session Management Vulnerability


--Apple's Decision Forces Shortening of Digital Certificate Lifespans

(June 28 & 30, 2020)

Starting September 1, 2020, Apple software, Chrome, and Firefox will identify new TLS certificates that are valid for more than 398 days as invalid. The change arises from a unilateral decision Apple made earlier this year, bypassing the expected practice of bringing issues like this one to the CA/B Forum, "a voluntary group of certification authorities (CAs), vendors of Internet browser software, and suppliers of other applications that use X.509 v.3 digital certificates for SSL/TLS and code signing." The intent of reducing certificates' lifespans is to force websites and apps to issue new certificates every year. This will introduce more certificates that use the newest cryptographic standards.

[Editor Comments]

[Pescatore] In 2007 the CA/Browser forum moved quickly to specify Extended Validation certificates that would cost more but turn out to be of minimal security value. Ever since then, the Browser companies (who mostly do not charge for their browser software) have driven all increases in related security areas while the Certificate Authority part of the CA/Browser Forum (who mostly charge for certificates) have moved much more slowly or voted against proposed enhancements. Google at times, Mozilla at times, now Apple - in areas other than certificates, too - good to see the browser world pushing the security envelope.

Read more in:

The Register: Remember when we warned in February Apple will crack down on long-life HTTPS certs? It's happening: Chrome, Firefox ready to join in, too

ZDNet: Apple strong-arms entire CA industry into one-year certificate lifespans

CAB Forum: CA/Browser Forum
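As an added check (not code from the newsletter or from any source it cites), the following Python script applies the 398-day rule described above to the notBefore/notAfter lines printed by "openssl x509 -noout -dates". The date layout, the reading that the cut-off applies to certificates issued on or after September 1, 2020, and the sample inputs are assumptions or constructed values.

```python
from datetime import datetime, timedelta, timezone

# Rule as the article states it: certificates issued on or after
# 1 September 2020 that are valid for more than 398 days are rejected.
# (Assumption: the cut-off is judged by the certificate's notBefore date.)
ENFORCEMENT_START = datetime(2020, 9, 1, tzinfo=timezone.utc)
MAX_LIFETIME = timedelta(days=398)

# Assumed layout of `openssl x509 -noout -dates` output, e.g. "Jun 28 00:00:00 2020 GMT"
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_dates(text):
    """Return (not_before, not_after) parsed from `openssl x509 -noout -dates` output."""
    found = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # collapse the double space openssl emits for single-digit days ("Sep  8 ...")
            stamp = datetime.strptime(" ".join(value.split()), OPENSSL_DATE_FMT)
            found[key] = stamp.replace(tzinfo=timezone.utc)
    if set(found) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return found["notBefore"], found["notAfter"]


def check_lifetime(openssl_dates_text):
    """Classify a certificate under the 398-day rule.

    Returns the lifetime in whole days, whether the certificate was issued
    inside the enforcement window, and whether browsers following the rule
    would reject it. Certificates issued before the cut-off are left alone.
    """
    not_before, not_after = parse_openssl_dates(openssl_dates_text)
    lifetime = not_after - not_before
    subject_to_limit = not_before >= ENFORCEMENT_START
    return {
        "lifetime_days": lifetime.days,
        "subject_to_limit": subject_to_limit,
        "rejected": subject_to_limit and lifetime > MAX_LIFETIME,
    }


# Constructed sample outputs (hypothetical certificates, not real ones).
LEGACY_TWO_YEAR = "notBefore=Jun 28 00:00:00 2020 GMT\nnotAfter=Jun 28 23:59:59 2022 GMT\n"
NEW_TWO_YEAR = "notBefore=Sep  8 00:00:00 2020 GMT\nnotAfter=Sep  8 23:59:59 2022 GMT\n"
NEW_ONE_YEAR = "notBefore=Sep 15 00:00:00 2020 GMT\nnotAfter=Sep 15 23:59:59 2021 GMT\n"

if __name__ == "__main__":
    for label, sample in [("legacy 2-year", LEGACY_TWO_YEAR),
                          ("new 2-year", NEW_TWO_YEAR),
                          ("new 1-year", NEW_ONE_YEAR)]:
        print(label, check_lifetime(sample))
```

Pipe the output of openssl x509 -noout -dates -in cert.pem into check_lifetime() to audit certificates before the September 1 deadline; a two-year certificate issued before that date stays valid, the same lifetime issued afterwards does not.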


--Microsoft Releases Two Out-of-Cycle Patches for Windows

(July 1 & 5, 2020)

On June 30, Microsoft released two unscheduled patches to address remote code execution vulnerabilities in the Windows Codecs Library. Microsoft took the unusual step of delivering the fixes through the Microsoft Store rather than through Windows Update. The advisories for the vulnerabilities say, "Affected customers will be automatically updated by Microsoft Store. Customers do not need to take any action to receive the update."

Read more in:

Bleeping Computer: Windows 10's Microsoft Store Codecs patches are confusing users

Ars Technica: Unscheduled fixes released for critical flaw in optional Windows codec

ZDNet: Microsoft releases emergency security update to fix two bugs in Windows codecs

Threatpost: Microsoft Releases Emergency Security Updates for Windows 10, Server

MSRC: CVE-2020-1425 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability

MSRC: CVE-2020-1457 | Microsoft Windows Codecs Library Remote Code Execution Vulnerability


--Home Router Study Finds "Alarming" Security Issues

(July 6, 2020)

A study of 127 home routers from seven manufacturers found numerous security issues. The Fraunhofer Institute for Communication (FKIE) in Germany looked at each router's most current firmware, focusing on five security aspects: when the firmware was last updated; which operating systems are used and how many known flaws they have; what exploit mitigation techniques the vendors use; whether the firmware images contain private cryptographic key material; and whether there are any hard-coded login credentials. Among the report's findings: 46 of the routers had not had a security update in the past year; some vendors ship firmware updates that contain known vulnerabilities, and just one of the seven vendors did not publish private cryptographic keys in its firmware.

Read more in:

FKIE: Home Router Security Report 2020 (PDF)

ZDNet: Home router warning: They're riddled with known flaws and run ancient, unpatched Linux


--Top Three Network Intrusion Signatures Used Against Federal Agencies in May 2020

(June 30 & July 2, 2020)

The top three network intrusion signatures detected by the US Department of Homeland Security's (DHS's) EINSTEIN intrusion detection system during May 2020 are the NetSupport Manager Remote Access Tool (RAT) - legitimate software that is also being used in phishing campaigns; the Kovter fileless Trojan; and the XMRig cryptocurrency miner. EINSTEIN gathers and analyzes traffic flowing into and out of federal civilian organizations' systems and networks.

Read more in:

US-CERT: Alert (AA20-182A) | EINSTEIN Data Trends - 30-day Lookback

FCW: CISA's hit parade of malware aimed at federal agencies





--More Security Vulnerabilities in Perimeter Security Devices and What To Do About Them

The last two weeks highlighted yet again security problems with software and devices that are supposed to protect our perimeters. Most notably, F5's BigIP devices were found to suffer from a trivially exploitable remote code execution vulnerability. This vulnerability is already heavily exploited, and a vulnerable, badly configured device was likely exploited over the weekend. But F5 wasn't alone. About a week ago, Palo Alto reported a problem allowing authentication bypass in certain configurations of its devices. And less noted, but still important, were vulnerabilities in the open source RDP gateway Guacamole. As a cheaper alternative to commercial solutions, some organizations implemented this solution to provide controlled access to RDP services for remote workers. One of the most important things you can do, even if you do not use any of these products, is to ensure that any administrative interfaces for these devices are accessible only from management networks or VPNs. Limiting access will prevent the vast majority of the exploits used against these vulnerabilities.



F5 BigIP Critical RCE


Special F5 BigIP Webcast


More BigIP Exploits


Guacamole RDP Gateway Vulnerability


Barclays Caught Serving Code from Wayback Machine


Microsoft ATP Web Content Filtering


Ouch Newsletter: Ransomware


Extended Research Feed: Added Net Systems Research


Window 10 / 2019 Server Out of Order Patch


MacOS Ransomware Arrives as Fake Little Snitch Software


Evil Quest "Ransomware" Update

VPN Privilege Escalation


DNSSEC Phishing Scam


Alina PoS Malware Exfiltrating Data via DNS


IBM Cyber Resilient Organization Report



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit