Develop invaluable cybersecurity skills through interactive training during SANS 2021 - Live Online. Register now.

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #60

July 31, 2020

NB: Bootloader Vulnerability Affects Millions of Devices; Netgear to Refuses Update Vulnerable Devices; Excellent Ransomware Case Study


SANS NewsBites                July 31, 2020                Vol. 22, Num. 060



  GRUB2 Bootloader Vulnerability Affects Millions of Devices

  Netgear Will Not Release Patches for 45 Devices Vulnerable to RCE Flaw

  Ryuk Ransomware Infection Case Study


  Microsoft is Retiring SHA-1 Windows Content

  Nefilim Ransomware Group Releases Files Stolen from DKA

  Lazarus Hacking Group is Using Ransomware

  McAfee: North Korean Hackers Launched Spear Phishing Attacks Against US Companies

  Cisco Releases Fix for Critical Flaw in Data Center Network Manager

  Update Available to Address Critical Flaw in wpDiscuz WordPress Plugin

  Zoom Fixes Meeting Password Cracking Vulnerabilities

  European Union Sanctions Russia, China, and North Korea for Cyberattacks


**********************  Sponsored By ExtraHop  ******************************

SANS Survey | Don't miss the opportunity to share you knowledge in Cloud Security and be entered to win a $150 Amazon gift card. The primary goal of this survey is to better understand if security professionals feel cloud-native security tooling is equivalent to industry-leading security tools, and the decisions behind adoption. |



Best Special Offers of the Year are Available Now with OnDemand

Choose a MacBook Air, Surface Pro 7, or Take $350 Off through August 5.


SANS now offers THREE ways to complete a course:

OnDemand | Live Online | In-Person:




Keep your skills sharp with SANS Online Training:

.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications

Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling


SEC560: Network Penetration Testing and Ethical Hacking



Upcoming In-Person and Live Online Events:

SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online


Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online


SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online


SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Reston, VA or Live Online



Test drive a course:

View the full SANS course catalog and skills roadmap.






--GRUB2 Bootloader Vulnerability Affects Millions of Devices

(July 29 & 30, 2020)

A vulnerability in the GRUB2 (Grand Unified Bootloader version 2) bootloader could be exploited to run malicious firmware during startup. The issue affects most Linux devices and Windows devices that use Secure Boot. Researchers at Eclypsium discovered the issue and disclosed it to "including OS vendors, computer manufacturers, and CERTs" prior to public disclosure. Linux distributions have begun making fixes available, although not without hiccups: Red Hat's fix for the BootHole vulnerability is reportedly causing problems for some users - when the patch is installed, their systems will not boot.

[Editor Comments]

[Ullrich] This is an important vulnerability. Important, but not critical. Wait for your Linux distribution to address this. To exploit this issue, an attacker has to have root access on the system. It could provide a method for an attacker to retain more persistent access to a system. One more reason to "wipe and rebuild" vs. "clean" malware from affected systems. (And don't forget to wipe/reinstall grub as well.)

[Neely] The Grub2 bootloader is used with more than just Linux distributions, which may be somewhat unexpected to learn, and the exploit can be used to write code into the UEFI firmware which may then require factory reset to recover. Make sure you know how to do that reset. Due to side-effects of the patch, test on representative devices before wide deployment.  

Read more in:

ZDNet: Red Hat Enterprise Linux runs into Boothole patch trouble

Ars Technica: New flaw neuters Secure Boot, but there's no reason to panic. Here's why

ZDNet: Linux distros fix new Boothole bug

Dark Reading: 'BootHole' Vulnerability Exposes Secure Boot Devices to Attack

The Register: GRUB2, you're getting too bug for your boots: Config file buffer overflow is a boon for malware seeking to drill deeper into a system

SC Magazine: 'Boothole' threatens billions of Linux, Windows devices

Threatpost: Billions of Devices Impacted by Secure Boot Bypass

Bleeping Computer: BootHole GRUB bootloader bug lets hackers hide malware in Linux, Windows

Cyberscoop: New bug in PC booting process could take years to fix, researchers say



--Netgear Will Not Release Patches for 45 Devices Vulnerable to RCE Flaw

(July 30, 2020)

A remote code execution vulnerability affecting Netgear home routers was disclosed in June. Netgear will not release fixes for 45 of the affected router models, identifying them as "outside the security support period." Proof-of-concept exploit code for the stack buffer overflow vulnerability has been released.

[Editor Comments]

[Pescatore] Obviously, with high levels of work from home, use of the unpatchable devices is a concern. The CERT alert has a link to a nice spreadsheet with all the Netgear model numbers that won't be supported with patches. Netgear's response to this issue is a good reason to remove them from procurement lists for any corporate buys, and it is worth looking at what user devices are supplied with any ISP services you are using for small office/home office connectivity, as well. The consumer issue is really something that is going to need legislation to drive required support periods or at least up-front declaration of guaranteed support periods.  

[Ullrich] If you are sick of vendors forcing you to buy new devices vs. offering to fix defective devices they sold you: Consider one of the very capable, and by no means difficult to use open source alternatives that use commodity hardware. My favorite: OPNSense just released an update this week that yet again improves security and offers features that you will have a hard time finding in many expensive enterprise solutions. Other alternatives are pfsense, ipfire or for older/less capable hardware good old OpenWRT. Lots of other options depending on what you need. Some of these even offer paid supported versions.

[Murray] "Useful life" ends with the publication of vulnerabilities in unsupported products. Fortunately, the cost of the replacement will be a fraction of the cost of the original and the value higher.

Read more in:

CERT: Netgear httpd upgrade_check.cgi stack buffer overflow

The Register: If you own one of these 45 Netgear devices, replace it: Firm won't patch vulnerable gear despite live proof-of-concept code

Netgear: Security Advisory for Multiple Vulnerabilities on Some Routers, Mobile Routers, Modems, Gateways, and Extenders


--Ryuk Ransomware Infection Case Study

(July 30, 2020)

A Ryuk ransomware attack took down the network of an unidentified food and beverage manufacturer. AT&T Cybersecurity investigated the incident and helped the company recover from the attack without paying a ransom. The incident also offers reminders of actions organizations can take to better protect their networks, including replacing old hardware, changing default passwords, patching systems, and adhering to cyber hygiene.

[Editor Comments]

[Pescatore] This is a well-written "tick-tock" of how and why many ransomware attacks succeed - useful for getting decision makers to understand the need for reaching basic security hygiene. The piece is from the perspective of an external consulting organizations but in the real world those external voices are often needed to get that management backing.

[Honan] Kudos to AT&T Cybersecurity for releasing this great resource. This is a great read and a very useful tool to learn on how to improve your defence and reaction to ransomware. I strongly recommend reading it. Another tool to be aware of is the excellent NoMoreRansom project by Europol's European Cybercrime Centre which celebrated its fourth anniversary this week; the site,, has lots of useful resources including decryption keys to many of the ransomware strains.

Read more in:

ZDNet: Ransomware: How clicking on one email left a whole business in big trouble

******************************  SPONSORED LINKS  *******************************

1) Virtual Forum | August 28 @ 10:30 AM EDT | Join SANS instructor Ismael Valenzuela, co-author of Security 530: Defensible Security Architecture and Engineering, as he chairs a one-day solutions forum of security professionals that will share their experience and provide specific advice on how to implement Zero Trust strategies.


2) Webcast | We invite you to join SANS Senior Instructor, Dave Shackleford as he presents an informative webcast titled "Comparing CASB Technologies: What's the Difference?" | August 12 @ 2:00 PM EDT


3) Free Virtual ICS Forum | How can organizations prepare their IT and OT teams to be ready for security incidents? What are the techniques and tools teams use to identify, contain and eradicate malicious activities.  How do you improve response times and reduce recovery efforts? Join SANS Instructor Don Weber and other top experts to answer these and many other questions.  | October 1 @ 9:00 AM CST |




--Microsoft is Retiring SHA-1 Windows Content

(July 29, 2020)

On Monday, August 3, Microsoft will remove all Windows downloads signed with SHA-1 from the Microsoft Download Center. SHA-1 is vulnerable to collision attacks, a fact which could be exploited to create forged digital certificates.

[Editor Comments]

[Neely] Stop relying on SHA-1 digital signatures. The issue with collision attacks was identified in 2015. Collision attacks mean a malicious application, or other signed content, can impersonate a legitimate one. For Microsoft this is the last step in transitioning to SHA-2 hashes for their updates.

Read more in:

Tech Community Microsoft: SHA-1 Windows content to be retired August 3, 2020

The Register: YOU... SHA-1 NOT PASS! Microsoft magics away demonic hash algorithm from Windows updates, apps

ZDNet: Microsoft to remove all SHA-1 Windows downloads next week

Bleeping Computer: Microsoft to remove all Windows downloads signed with SHA-1


 --Nefilim Ransomware Group Releases Files Stolen from DKA

(July 28, 2020)

Operators of the Nefilim ransomware have published files stolen from Dresdner Kuehlanlagenbau GmbH (DKA), a subsidiary of the Dussmann Group, a multi-service provider in Germany. The Dussmann Group has confirmed that DKA was recently the victim of a ransomware attack.

Read more in:

Bleeping Computer: Business giant Dussmann Group's data leaked after ransomware attack


--Lazarus Hacking Group is Using Ransomware

(July 28, & 29, 2020)

Researchers at Kaspersky have found that the Lazarus hacking group, which is believed to operate on behalf of North Korea's government, has turned to ransomware. Lazarus hackers used ransomware identified as VHD in attacks against a company in France and a company in Asia earlier this year.

Read more in:

SecureList: Lazarus on the hunt for big game

Dark Reading: Lazarus Group Shifts Gears with Custom Ransomware

Ars Technica: North Korea's Lazarus brings state-sponsored hacking approach to ransomware

Threatpost: Lazarus Group Brings APT Tactics to Ransomware

Cyberscoop: North Korean hackers are stepping up their ransomware game, Kaspersky finds


--McAfee: North Korean Hackers Launched Spear Phishing Attacks Against US Companies

(July 29 & 30, 2020)

Researchers from McAfee Advanced Threat Research say that North Korean state-sponsored hackers launched phishing campaigns against US defense and aerospace companies earlier this year. The spear-phishing emails sent to employees at targeted companies pretended to be information about job offers from other defense contractors. McAfee has dubbed the campaign "Operation North Star."

Read more in:

McAfee: McAfee Defender's Blog: Operation North Star Campaign

ZDNet: US defense and aerospace sectors targeted in new wave of North Korean attacks

Bleeping Computer: US defense contractors targeted by North Korean phishing attacks


--Cisco Releases Fix for Critical Flaw in Data Center Network Manager

(July 29 & 30, 2020)

Cisco has released a fix for a critical flaw in its Data Center Network Manager (DCNM). The authentication bypass vulnerability has been given a CVSS base score of 9.8. The issue lies in the REST API of the DCNM software. Cisco also released fixes for several high- and medium-severity flaws in DCNM.

Read more in:

Threatpost: Critical, High-Severity Cisco Flaws Fixed in Data Center Network Manager

ZDNet: Patch now: Cisco warns of nasty bug in its data center software

Bleeping Computer: Cisco fixes severe flaws in data center management solution

Cisco: Cisco Data Center Network Manager Authentication Bypass Vulnerability

Cisco: Cisco Security Advisories


--Update Available to Address Critical Flaw in wpDiscuz WordPress Plugin

(July 28 & 29, 2020)

A critical remote code execution flaw in the wpDiscuz comment plugin for WordPress could be exploited by unauthenticated users to take control of vulnerable websites. Users are urged to update to wpDiscuz version 7.0.5.

[Editor Comments]

[Neely] Update now, or remove the plugin if you're not using it. The exploit leverages weaknesses in the PHP filetype checking to allow for malicious upload of content disguised as image files. Another mitigation is to disable execution of content in the uploads directory, which may require a plugin like Wordfence.

[Murray] A reminder that developers are responsible for the quality of all the code in their products, not just the code that they write themselves. Specifically, most WordPress plug-ins come with no explicit representations or expectations of quality.

Read more in:

Wordfence: Critical Arbitrary File Upload Vulnerability Patched in wpDiscuz Plugin

Threatpost: Critical Security Flaw in WordPress Plugin Allows RCE

Portswigger: WordPress plugin vulnerability exposes 80,000 sites to remote takeover

WordPress: Plugins | wpDiscuz


--Zoom Fixes Meeting Password Cracking Vulnerabilities

(July 29 & 30, 2020)

Zoom has fixed a security issue that could be exploited to crack meeting passwords. The default password protection for Zoom meetings was, before the fix, a six-digit numeric code. Because Zoom did not rate-limit password attempts, hackers could launch brute-force password attacks. Zoom has addressed the issues by "requiring a user logs in to join meetings in the web client, and updating default meeting passwords to be non-numeric and longer."

[Editor Comments]

[Neely] Zoom updated the Web client to rate limit password attempts as well as remove issues where CSRF based exploits were possible.

Read more in:

Bleeping Computer: Zoom bug allowed attackers to crack private meeting passwords

Portswigger: Zoom fixes flaws that allowed brute-force attacks to crack private meeting passwords


--European Union Sanctions Russia, China, and North Korea for Cyberattacks

(July 30, 2020)

The European Union has imposed economic sanctions, including travel bans and asset freezes, against Russia, China, and North Korea over cyberattacks conducted against EU citizens. Russia was sanctioned for Not Petya and "for an attempted cyber-attack on the Organisation for the Prohibition of Chemical Weapons (OPCW)." China was sanctioned for intrusions into cloud providers' networks. North Korea was sanctioned for WannaCry.

[Editor Comments]

[Murray] Cyber warfare is different. The response to low-level cyber attacks should be defensive (i.e., cyber security), legal, political, and economic. The response to all-out cyber warfare should be military. Attempts at retaliation in kind will only damage the infrastructure. "People who live in glass houses should not throw stones."

Read more in:

Reuters: EU sanctions Russian intelligence, North Korean, Chinese firms over alleged cyberattacks

ZDNet: EU sanctions China, Russia, and North Korea for past hacks




New Data Feeds


Consumer VPNs: You May Be Fine Without It


Python Developers: Prepare!


Emotet Stealing Email Attachments


Magento Update


Exposed Docker Servers Infected with More Malware


Tails Update


Firefox Update


Chrome Update


Facial Recognition With Masks


Office 365 Phishing Hiding in Google Ads


Netgear Vulnerabilities


OPNSense Update


Microsoft Retiring SHA1


The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit