
Volume XXII - Issue #54

July 10, 2020

Critical Vulnerabilities in Zoom, Citrix, WordPress and Palo Alto -- Already Being Exploited


SANS NewsBites                July 10, 2020                Vol. 22, Num. 054



  Zoom Zero-day Affects Clients Running on Older Versions of Windows

  Palo Alto Networks Releases Updates for Another PAN-OS Vulnerability

  Citrix Patches 11 Vulnerabilities in Networking Products; Someone is Already Scanning for Vulnerable Installations

  Critical Flaw in WordPress Plugin


  Russian Hacking Group Cosmic Lynx is Conducting Sophisticated eMail Scams

  Criminals are Taking Control of Abandoned Subdomains

  ThiefQuest macOS Malware More Focused on Stealing Information than on Encrypting Data

  DigiCert Will Revoke 50,000 Certificates This Weekend Because of Botched Audit

  Turchin Indictment Unsealed

  German Authorities Seize BlueLeaks Server

  Microsoft Seizes Domains Used in Phishing Attacks that Targeted Office 365 Users

  CISA Warns of Vulnerabilities in Medical Devices and Hospital Information Management System



--Zoom Zero-day Affects Clients Running on Older Versions of Windows

(July 9, 2020)

Zoom is working on a fix for a zero-day vulnerability that was disclosed on Thursday, July 9. The arbitrary code execution flaw affects the Zoom client running on Windows 7, Windows Server 2008 R2, and older versions of the operating system. Zoom clients running on Windows 8 and Windows 10 are not affected.

[Editor Comments]

[Ullrich] This bug only appears to be usable on Windows 7. If you still use Windows 7: Don't use it for tasks like Zoom, web browsing or anything. Only use it for the specific task that requires Windows 7 to run on the particular system.

[Neely] A more complete fix is to upgrade to supported Windows versions. Windows 7 and Server 2008 support ended January 14th this year. If you must run older operating systems, don't use them for internet-based activities such as email, browsing, or video conferencing, and restrict access to make exploitation more difficult.

Read more in:

Threatpost: Zoom Zero-Day Allows RCE, Patch on the Way

ZDNet: Zoom working on patching zero-day disclosed in Windows client

Cyberscoop: Zero-day flaw found in Zoom for Windows 7


--Palo Alto Networks Releases Updates for Another PAN-OS Vulnerability

(July 8 & 9, 2020)

Palo Alto Networks has released updates to fix a critical command injection vulnerability in its PAN-OS GlobalProtect portal. The flaw affects PAN-OS 9.1 versions prior to 9.1.3; PAN-OS 8.1 versions prior to 8.1.15; PAN-OS 9.0 versions prior to 9.0.9; and all versions of PAN-OS 8.0 and PAN-OS 7.1. Fixes will not be released for PAN-OS 8.0 and 7.1 as those versions are no longer supported.

[Editor Comments]

[Neely] This patch addresses CVE-2020-2034, which allows unauthenticated remote attackers to execute arbitrary OS commands with root privileges on unpatched devices. If you're on the older unsupported PAN-OS versions, it's time to move forward, which may necessitate new hardware.

[Ullrich] Another reason to make sure the administrative interfaces for these devices are not visible to the outside.

Read more in:

Bleeping Computer: Palo Alto Networks fixes another severe flaw in PAN-OS devices

The Register: If you haven't potentially exposed 1000s of customers once again with networking vulns, step forward... Not so fast, Palo Alto Networks

Palo Alto Networks: CVE-2020-2034 PAN-OS: OS command injection vulnerability in GlobalProtect portal


--Citrix Patches 11 Vulnerabilities in Networking Products; Someone is Already Scanning for Vulnerable Installations

(July 7, 8, & 9, 2020)

Earlier this week, Citrix released fixes for 11 vulnerabilities in Citrix ADC, Citrix Gateway, and Citrix SD-WAN WANOP appliances. The flaws include information disclosure, local privilege elevation, code injection, cross-site scripting, authorization bypass, and denial of service. Rob Joyce, the former head of the NSA's Tailored Access Operations (TAO) team, has urged users to apply the patches as soon as possible. Active scanning for vulnerable installations has been detected.

[Editor Comments]

[Ullrich] The XSS vulnerability is particularly interesting here. The impact of XSS vulnerabilities is often underestimated. In this case, the XSS vulnerability can be used to execute code on the device. Exploitation has been demonstrated in a YouTube video, but code for the full exploit has not been made public yet. The victim, an administrator currently logged into the system, will have to visit a malicious website to trigger the exploit chain. The result is full access to the device for the attacker.

[Neely] The debate over urgency occurs because the attacks require access to vulnerable devices to exploit. Targeting the management interface using XSS can lead to compromise. Virtual IPs could also be used to initiate a DoS attack or internal network scan. In addition to applying the patches, restrict access to the management interface.

[Honan] Given the large number of people now working remotely during the Coronavirus pandemic, attacks against remote access points, such as Citrix gateways, are on the rise. These vulnerabilities are already being actively exploited and should be patched as quickly as possible.

Read more in:

ISC: Active Exploit Attempts Targeting Recent Citrix ADC Vulnerabilities CTX276688

The Register: FYI: Someone's scanning for gateways with those security holes Citrix told you not to worry too much about

DUO: Citrix Patches 11 Vulnerabilities in Several Products

Threatpost: Citrix Bugs Allow Unauthenticated Code Injection, Data Theft

The Register: Citrix tells everyone not to worry too much about its latest security patches. NSA's former top hacker disagrees

Bleeping Computer: Citrix fixes 11 flaws in ADC, Gateway, and SD-WAN WANOP appliances

Twitter: Rob Joyce

Citrix: Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliance Security Update


--Critical Flaw in WordPress Plugin

(July 8, 2020)

A critical remote code execution flaw in the Adning Advertising plugin for WordPress could be exploited to completely take control of vulnerable sites. The flaw has been exploited in the wild. Users are urged to update to Adning version 1.5.6, which also fixes a high-severity unauthenticated arbitrary file deletion via path traversal vulnerability.

Read more in:

Threatpost: Advertising Plugin for WordPress Threatens Full Site Takeovers

Wordfence: Critical Vulnerabilities Patched in Adning Advertising Plugin


--Russian Hacking Group Cosmic Lynx is Conducting Sophisticated eMail Scams

(July 7, 2020)

A group of Russian hackers dubbed Cosmic Lynx has been launching sophisticated business email compromise schemes since last July. According to researchers at Agari, the group has launched more than 200 attacks against organizations in 46 countries. Cosmic Lynx targets organizations that have not implemented DMARC; the group has focused on scams involving mergers and acquisitions.

[Editor Comments]

[Honan] While DMARC is not a panacea against phishing attacks, it helps reduce the risk. The Global Cyber Alliance has a simple step-by-step guide that is available for free on how to ensure your mail service has DMARC configured correctly:

Read more in:

Wired: Looks Like Russian Hackers Are on an Email Scam Spree

SC Magazine: BEC scams grow in complexity as Russian actors launch Cosmic Lynx operation

Threatpost: First-Ever Russian BEC Gang, Cosmic Lynx, Uncovered

Bleeping Computer: First reported Russian BEC scam gang targets Fortune 500 firms
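Because the Cosmic Lynx item turns on whether a target domain has DMARC in place, the following added example (not code from the newsletter, Agari, or the Global Cyber Alliance guide) parses DMARC TXT records and grades how much protection each gives: none published, invalid, monitor-only (p=none), partially enforced (pct below 100 or sp=none), or fully enforcing. The sample records and domain names are constructed; in practice the record comes from a TXT query for `_dmarc.<domain>` (for example `dig txt _dmarc.example.com`).

```python
"""Grade DMARC records by the protection they actually provide.

Added example; the sample records below are constructed for illustration
and the domain names do not refer to real organisations.
"""

# Constructed sample records, written as the _dmarc.<domain> TXT value.
SAMPLE_RECORDS = {
    "none-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@none-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:r@partial.example",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:r@strict.example",
    "broken.example": "v=DMARC1 p=reject",  # tags not separated by ';'
    "missing.example": None,                # no _dmarc TXT record published
}


def parse_dmarc(record):
    """Split a DMARC record into a lower-cased tag -> value dict.

    Returns None when the record is malformed or does not start with the
    mandatory 'v=DMARC1' tag (RFC 7489 section 6.3).
    """
    if record is None:
        return None
    tags = {}
    first = True
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        key, value = key.strip().lower(), value.strip()
        if first and (key != "v" or value.upper() != "DMARC1"):
            return None
        first = False
        tags[key] = value
    return tags if "v" in tags else None


def assess_dmarc(record):
    """Return (level, reasons) for one record.

    level is one of 'missing', 'invalid', 'monitor', 'partial', 'enforcing';
    reasons lists what keeps the record from being fully enforcing.
    """
    if record is None:
        return "missing", ["no DMARC record published; spoofed mail is not policed"]
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid", ["record is not a well-formed DMARC1 record"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", ["p tag missing or unrecognised"]
    reasons = []
    if "rua" not in tags:
        reasons.append("no rua address: aggregate reports are not collected")
    if policy == "none":
        return "monitor", reasons + ["p=none only reports; failing mail is still delivered"]
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # RFC default when the tag is unusable
    if pct < 100:
        return "partial", reasons + [f"pct={pct}: only {pct}% of failing mail gets p={policy}"]
    if tags.get("sp", policy).lower() == "none":
        return "partial", reasons + ["sp=none: mail from subdomains is not enforced"]
    return "enforcing", reasons


def grade_domains(records):
    """Assess every (domain, record) pair and return {domain: level}."""
    return {domain: assess_dmarc(record)[0] for domain, record in records.items()}


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        level, reasons = assess_dmarc(record)
        print(f"{domain:20} {level:10} {'; '.join(reasons)}")
```

Only the `enforcing` grade stops a spoofed message at the receiver; `monitor` domains have published a record but still deliver forged mail, which is the gap a BEC operation looks for.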


--Criminals are Taking Control of Abandoned Subdomains

(June 23 & July 7, 2020)

Criminals have been taking control of abandoned subdomains associated with well-known organizations and using them for nefarious purposes, including hosting pornographic content and spreading malware. In late June, Microsoft published an article describing how to prevent subdomain takeovers.

[Editor Comments]

[Pescatore] The use of cloud services caused "dangling DNS" records to be a bigger issue. Warnings were coming out at least as far back as 2015 when use of IaaS started to ramp up. Infoblox, Nominet and other DNS security-focused vendors have put out detailed "DNS basic security hygiene" advice.

Read more in:

The Register: Hundreds of forgotten corners of mega-corp websites fall into the hands of spammers and malware slingers

Microsoft: Prevent dangling DNS entries and avoid subdomain takeover
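The takeover described above starts with a "dangling" CNAME: a record that still points at a cloud resource name after the resource itself was deleted, so anyone who registers that name inherits the subdomain. As an added example (not code from the newsletter or Microsoft's article), the script below walks a zone's CNAME records and flags targets that no longer resolve, marking those on services where a deleted name can be re-registered as takeover risks. The zone records, provider suffix list, and the offline answer table are constructed for illustration; `live_resolve` shows the real lookup to substitute in production.

```python
"""Find dangling CNAME records before someone else claims their targets.

Added example; the zone export, the suffix list and the FAKE_DNS table are
constructed so the script runs offline. Replace fake_resolve with
live_resolve to check a real zone.
"""
import socket

# Constructed zone export as (owner name, CNAME target). In practice this
# comes from the DNS provider's zone file or API.
ZONE_CNAMES = [
    ("www.example.com", "example-prod.azurewebsites.net"),
    ("promo2018.example.com", "promo2018.azurewebsites.net"),  # app was deleted
    ("docs.example.com", "example-docs.s3-website-us-east-1.amazonaws.com"),
    ("blog.example.com", "example.ghost.io"),
]

# Illustrative, not exhaustive: hosting suffixes where a released resource
# name can be registered by any customer, so a dangling target is claimable.
TAKEOVER_PRONE_SUFFIXES = (
    ".azurewebsites.net", ".cloudapp.net", ".trafficmanager.net",
    ".amazonaws.com", ".github.io", ".herokuapp.com",
)

# Constructed answers standing in for live DNS (203.0.113.0/24 is TEST-NET-3).
FAKE_DNS = {
    "example-prod.azurewebsites.net": "203.0.113.10",
    "example-docs.s3-website-us-east-1.amazonaws.com": "203.0.113.20",
    "example.ghost.io": "203.0.113.30",
    # promo2018.azurewebsites.net is deliberately absent: NXDOMAIN
}


def fake_resolve(name):
    """Offline resolver: return an address, or None for NXDOMAIN."""
    return FAKE_DNS.get(name)


def live_resolve(name):
    """Production resolver with the same contract as fake_resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def find_dangling(cnames, resolve=fake_resolve):
    """Return [(owner, target, reason)] for CNAMEs whose target does not resolve.

    reason is 'takeover-risk' when the target sits on a takeover-prone
    service and 'dangling' otherwise; both should be removed or repointed.
    """
    findings = []
    for owner, target in cnames:
        if resolve(target) is not None:
            continue
        prone = target.lower().endswith(TAKEOVER_PRONE_SUFFIXES)
        findings.append((owner, target, "takeover-risk" if prone else "dangling"))
    return findings


if __name__ == "__main__":
    for owner, target, reason in find_dangling(ZONE_CNAMES):
        print(f"{reason:14} {owner} -> {target}")
```

The preventive control is ordering: remove the CNAME before deprovisioning the resource it points to, and run a check like this periodically because decommissioning rarely goes through the DNS owner.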


--ThiefQuest macOS Malware More Focused on Stealing Information than on Encrypting Data

(July 7 & 8, 2020)

Researchers now think the ThiefQuest malware that targets macOS is largely focused on exfiltrating data from infected networks. Initial assessment of ThiefQuest categorized the malware as ransomware. While it does have an encryption component, researchers think it may be included as a distraction rather than the main purpose of the malware.

Read more in:

Malwarebytes: Mac ThiefQuest malware may not be ransomware after all

SC Magazine: Hidden purpose of Mac 'ransomware' EvilQuest is data exfiltration, say researchers


--DigiCert Will Revoke 50,000 Certificates This Weekend Because of Botched Audit

(July 10, 2020)

DigiCert plans to revoke 50,000 Extended Validation (EV) certificates on Saturday, July 11 after learning that they were not properly audited. While the situation does not pose a security threat, EV guidelines require that the certificates be revoked. 

[Editor Comments]

[Ullrich] Yet more proof that the problem with TLS is not so much technical flaws but flaws in the CA ecosystem. The CA/Browser forum has done good work in tightening up some of the requirements around certificate authorities, and browser makers are abandoning the idea of "Extended Validation" (EV) certificates, as they caused more issues than they solved.

[Neely] If you're managing your intermediate certificate store, you'll want to make sure you have updated intermediate certificate authority (ICA) certificates for DigiCert EV RSA CA G2, GeoTrust EV RSA CA G2 and Thawte EV RSA CA G2.

Read more in:

The Register: Digicert will shovel some 50,000 EV HTTPS certificates into the furnace this Saturday after audit bungle

Knowledge.digicert: DigiCert ICA Replacement


--Turchin Indictment Unsealed

(July 8, 2020)

The US Department of Justice recently unsealed an indictment charging Andrey Turchin with conspiracy to commit computer hacking, two counts of computer fraud and abuse, conspiracy to commit wire fraud, and access device fraud. Turchin allegedly hacked into networks at hundreds of organizations, established backdoors, and then sold access to those systems. Turchin is a citizen of Kazakhstan and is believed to be residing there currently.

Read more in:

Justice: Citizen of Kazakhstan, known as "fxmsp," charged with computer fraud, wire fraud, and conspiracy for hacking hundreds of corporate networks in more than 40 countries worldwide

Dark Reading: US Charges Kazakhstani Citizen With Hacking Into More Than 300 Orgs

ZDNet: Fxmsp hacker indicted by feds for selling backdoor access to hundreds of companies

Threatpost: Notorious Hacker 'Fxmsp' Outed After Widespread Access-Dealing

Justice: Andrey Turchin Indictment (PDF)


--German Authorities Seize BlueLeaks Server

(July 7, 8, & 9, 2020)

Authorities in Germany have seized a server hosting BlueLeaks data, 269 GB of US police documents. The department of public prosecution in Zwickau said the server was seized on July 3 at the request of the US government.

Read more in:

PC Mag: Germany Seizes Server Hosting 'BlueLeaks' Data Dump on US Police Practices

Vice: Cops Seize Server that Hosted BlueLeaks, DDoSecrets Says

Threatpost: BlueLeaks Server Seized By German Police: Report

ZDNet: German authorities seize 'BlueLeaks' server that hosted data on US cops

Cyberscoop: German police seize DDoSecrets server distributing 'BlueLeaks' files

The Hill: Germany seizes server hosting leaked US police files


--Microsoft Seizes Domains Used in Phishing Attacks that Targeted Office 365 Users

(July 7 & 8, 2020)

Recently unsealed documents detail Microsoft's efforts to thwart phishing attacks that preyed on people's concerns about COVID-19. The attacks targeted Office 365 users in 62 countries around the world and were crafted to appear to be from employers or other trusted entities. Microsoft's Digital Crime Unit became aware of the fraudulent activity in December 2019. On July 1, Microsoft obtained a court order allowing it to seize the malicious domains.

[Editor Comments]

[Neely] The federal court's motion was sealed so as not to tip their hand, which allows Microsoft to fight cyber-attacks without enlisting federal prosecutors. Unlike traditional phishing email schemes, when the user clicked the link, they were prompted to grant access to their Office 365 account, which then allowed access to email, contacts, OneDrive, SharePoint and notes without explicitly collecting login credentials. Enabling 2FA is a key mitigation to this sort of attack.

Read more in:

Microsoft: Microsoft takes legal action against COVID-19-related cybercrime

Dark Reading: Microsoft Seizes Domains Used in COVID-19-Themed Attacks

Ars Technica: Microsoft neuters Office 365 account attacks that used clever ruse

ZDNet: Microsoft seizes six domains used in COVID-19 phishing operations

The Register: Microsoft sues coronavirus phishing spammers to seize their domains amid web app attacks against Office 354.5

Threatpost: Microsoft Seizes Malicious Domains Used in Mass Office 365 Attacks


--CISA Warns of Vulnerabilities in Medical Devices and Hospital Information Management System

(July 8, 2020)

The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) has published two advisories regarding security issues in ultrasound systems from Philips and in the OpenClinic GA open source hospital information management system. Philips has released updates to address the authentication bypass issue in some of the affected products and expects to have fixes for the rest of the affected products by the end of the calendar year. 

Read more in:

GovInfosecurity: Alerts: Flaws in Ultrasound, Open-Source Hospital Systems

US-CERT/CISA: ICS Medical Advisory (ICSMA-20-177-01) Philips Ultrasound Systems

Philips: Security Advisories: Philips Ultrasound (24-June-2020)

US-CERT/CISA: ICS Medical Advisory (ICSMA-20-184-01) OpenClinic GA




F5 Big IP Wrap-up


Citrix ADC / Citrix Gateway Patches


Citrix Scanning


Citrix Vulnerability Details (CVE-2020-8194)


Student Billy Wilson: Security Supercomputers with BPF Probes


Obfuscated Malware


PaloAlto Networks PAN-OS CVE-2020-2034


Microsoft Releases Free Memory Analysis Service


Mozilla Suspending Send Service


Juniper Patches


Google Releases Tsunami Security Scanner



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit