SANS Open-Source Intelligence (OSINT) Summit & Training offers immersive cyber security courses and a free Summit!

Newsletters: NewsBites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XXII - Issue #63

August 11, 2020

NB: 80 Million Malicious Chrome Extensions Installed; Qualcomms Snapdragon Chip FlawS Affect Millions of Android Devices; FBI: Hackers Exploiting F5s BIG-IP


SANS NewsBites               August 11, 2020                Vol. 22, Num. 063



  Malicious Chrome Extensions Have More Than 80 Million Installs

  Vulnerabilities in Qualcomms Snapdragon Chip Affect Android Devices

  FBI: Hackers are Attempting to Exploit Known Vulnerability in F5s BIG-IP


***************************  Sponsored By AWS Marketplace   ************************************
"August 27th @ 2:00pm EDT | Join SANS Instructor Dave Shackleford and Ross Warren, AWS Specialist, as they present "How to improve threat detection and hunting in the AWS Cloud using the MITRE ATT&CK Matrix"

Context provided by data sources is what enables us to make actionable decisions. Still, our ability to make the proper decisions to mitigate, remediate and prevent future adversarial activity is limited to the quality of the data we consume.  This webinar will provide real-world observations and techniques for understanding adversary tactics critical to building more effective threat detection and hunting capabilities."




  Bulgarian Police Arrest Hacker

  Ohio Secretary of State Has a Vulnerability Disclosure Policy for Election-Related Sites

  TeamViewer Releases Updates to Address High-Severity Flaw

  Travelex Now in Administration, Forced to Eliminate 1,300 Jobs in UK

  vBulletin Releases Fixes to Address Patch Bypass Flaw

  Mystery Threat Actor Operated 25 Percent of Tor Exit Nodes




Best Special Offers of the Year for OnDemand are Ending Soon

Choose an iPad Pro with Apple Pencil, Surface Go 2, or Take $300 Off through August 19.


SANS now offers THREE ways to complete a course:

OnDemand | Live Online | In-Person:




Keep your skills sharp with SANS Online Training:

        The worlds top cybersecurity courses

        Taught by real world practitioners

        Ideal preparation for more than 30 GIAC Certifications

Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling


SEC560: Network Penetration Testing and Ethical Hacking



Upcoming In-Person and Live Online Events:

SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online


Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online


SANS Network Security 2020 | September 20-25 | Live Online


SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Reston, VA or Live Online



Test drive a course:

View the full SANS course catalog and skills roadmap.






--Malicious Chrome Extensions Have More Than 80 Million Installs

(August 7, 2020)

Nearly 300  malicious extensions were found to be available in the Google Chrome Web Store. The extensions include phony utilities and ad blockers that inject ads into search results or engage in cookie stuffing. Google removed the extensions after a blog post from AdGuard. The extensions in question have been downloaded 80 million times.

[Editor Comments]

[Neely] These extensions are attractive to end-users because they claim to solve problems such as blocking ads. Unfortunately, they hide their malicious behavior so it may not be evident for a while. Consider using the Chrome Admin Console to manage your enterprise Chrome browsers, including extensions. In general run only needed and verified extensions in your browser to minimize the attack surface and keep security as close to out-of-the box as possible.

[Pescatore] Browser market share statistics are all over the place, but Chrome has something like 60% of the browser market, probably around 2 billion active users. So, only about 4% of active users downloaded any of those extensions. At one point there were close to 200,000 extensions in the Chrome Web Store, so 300 malicious extensions is 0.15% of the total. In April, Google announced new and more restrictive/security-centric rules for developers and gave them a deadline of 27 August to comply. We need to see what progress is made in reducing that percentage in September.

[Ullrich] The purpose of sites like the Google Webstore should be to provide a selection of known

good Chrome extensions. Google has repeatedly failed at this task. Researchers regularly find large numbers of malicious extensions. Google has changed the approval process, but it appears all they accomplished is to antagonize the developers of valid extension without solving the problem of malicious or questionable extensions.

Read more in:

ZDNet: Cluster of 295 Chrome extensions caught hijacking Google and Bing search results

The Register: Chrome Web Store slammed again after 295 ad-injecting, spammy extensions downloaded 80 million times

AdGuard: 80M People Scammed by Chrome Fake Ad Blockers: the Same Old Song


--Vulnerabilities in Qualcomms Snapdragon Chip Affect Android Devices

(August 7 & 8, 2020)

Flaws in Qualcomm Snapdragon chips could be exploited to monitor location and audio and to steal images and videos. They could also be exploited to render devices useless. The chips are used in hundreds of millions of Android devices.

[Editor Comments]

[Neely] This is a system on a chip (SOC) vulnerability in Qualcomms Digital Signal Processing (DSP) chip used to enhance charging, multimedia, and audio activities. The fix will require updates from the hardware manufacturer. There is no evidence of active exploit at this time. Mitigate risks by controlling physical possession of your device, keeping it updated, and leveraging play protect to install vetted applications. Coincidentally, Samsung has released a number of fixes for critical vulnerabilities; while those fixes do not include the DSP CVEs, you should apply them regardless.

[Ullrich] These flaws could haunt Android users (and manufacturers of devices) for a while. It isnt clear how or even whether they will be patched. Even if they will be patched, the process will take a while.

Read more in:

Checkpoint: Over 400 vulnerabilities on Qualcomms Snapdragon chip threaten mobile phones usability worldwide

Ars Technica: Snapdragon chip flaws put >1 billion Android phones at risk of data theft

Threatpost: Qualcomm Bugs Open 40 Percent of Android Handsets to Attack

Cyberscoop: Flaws in Qualcomm chips could allow snooping, Check Point finds

Bleeping Computer: Samsung rolls out Android updates fixing critical vulnerabilities


--FBI: Hackers are Attempting to Exploit Known Vulnerability in F5s BIG-IP

(August 8 & 10, 2020)

In a security alert sent to private sector partners last week, the FBI warned that hackers are actively trying to exploit a known flaw in F5s BIG-IP networking device. The FBI did not identify the hacking group, but sources have said that the attacks are being perpetrated by a hacking group, known as Fox Kitten or Parisite, with ties to Iran.

[Editor Comments]

[Neely] If youre having trouble getting your support staff to apply the updates from F5, you may wish to mention this to management, particularly for your internet-facing services.

Read more in:

ZDNet: FBI says an Iranian hacking group is attacking F5 networking devices

Bleeping Computer: FBI: Iranian hackers trying to exploit critical F5 BIG-IP flaw

*******************************  SPONSORED LINKS  ********************************

1) Webcast |  Join SANS instructor Jake Williams, VirusTotal and Authentic8 for our upcoming webcast as they discuss and demo these 3 key elements of malware threat intelligence:  1. How malware threat intelligence best practices evolving  2. Malware trends of 2020- what the bad guys are up to  3. Practical tips and techniques to safely access and analyze suspicious or malicious content | August 25 @ 1:00 PM EDT

2) Webcast | We invite you to join SANS instructor, Matt Bromiley as he hosts "Intuitive Endpoint Security: A SANS Review of Morphisec Shield". Bromiley will review the Morphisec Shield, a tool that uses moving target defense to defeat threats such as zero-days, evasive malware, fileless attacks and exploits by morphing process memory. | August 18 @ 10:30 AM EDT

3) SANS Survey | Take the 2020 SANS Threat Hunting Survey for a chance to win a $150 Amazon Gift Card | The purpose of this survey is to determine how organizations perform threat hunting and whether their efforts are effective. The survey focuses on how security departments benefit from proactive threat hunting according to the user's perspective, with the goal of shedding light on the interaction between human hunters and the tools they use.




--Bulgarian Police Arrest Hacker

(August 7, 2020)

Authorities in Bulgaria have arrested a man for alleged hacking, extortion, and selling stolen data. According to a Ministry of Interior press release, authorities seized equipment from the suspects home.

Read more in:

ZDNet: Bulgarian police arrest hacker Instakilla


--Ohio Secretary of State Has a Vulnerability Disclosure Policy for Election-Related Sites

(August 7, 2020)

Ohio is the first US state to establish a vulnerability disclosure policy for its election-related websites. The policy from Ohios secretary of state lays out guidelines, including which sites the policy covers, what types of testing are not permitted, and what information vulnerability reports should include. Vulnerability hunters are required to wait 120 days after reporting vulnerabilities to publicly disclose details.

[Editor Comments]

[Neely] This is an outstanding step forward for Ohio. The long disclosure window of 120 days will result in early disclosure by those used to the more common 30-90 day window. One hopes low-hanging fruit issues are identified quickly to enable the state to improve its security posture for the upcoming election.

[Pescatore] 120 days is long compared the 30-90 days that commonly accepted responsible vulnerability disclosure recommendations specify, and this does push public disclosure beyond the 2020 election cycle. Realistically, this seems reasonable for the complex and fractured way election systems are developed, procured and run at local levels. At this late point, basic security hygiene (including segmentation and mitigation) needs to be the focus.

[Murray] The motivation of "research" should be to improve quality, in this case of a socially and politically sensitive application, not to enhance the reputation, not to say notoriety, of the "researcher." Public shaming may have a place but this is not it. I know of no other field that engages in this destructive competition.  

Read more in:

Cyberscoop: Ohio becomes first state to release vulnerability policy for election-related websites

OhioSoS: Vulnerability Disclosure Policy


--TeamViewer Releases Updates to Address High-Severity Flaw

(August 7 & 10, 2020)

A vulnerability in the Desktop for Windows desktop app version of TeamViewer remote support software could be exploited to execute code and access password hashes. The flaw exists because the app does not properly quote its custom URI handlers. The vulnerability affects versions of TeamViewer Desktop for Windows prior to 15.8.3. TeamViewer has released updates for multiple versions of the software to fix the problem.

Read more in:

Threatpost: TeamViewer Flaw in Windows App Allows Password-Cracking

Bleeping Computer: TeamViewer fixes bug that lets attackers access your PC

Mitre: CVE-2020-13699 | TeamViewer Desktop for Windows before 15.8.3 does not properly quote its custom URI handlers.


--Travelex Now in Administration, Forced to Eliminate 1,300 Jobs in UK

(August 6 & 10, 2020)

Currency exchange company Travelex is now in administration, the UK equivalent of bankruptcy. The restructuring plan includes eliminating 1,300 jobs in the UK. The currency exchange company suffered a ransomware attack in late December 2019 and was not able to resume conducting business until January 17, 2020. The onset of the COVID pandemic took a toll on the business as well.

[Editor Comments]

[Neely] After a ransomware attack, business recovery is complex. Economic impact of the recovery, reputation of the business, and continued customer support, or lack thereof, can make or break you. When your primary customer base, in this case the travel industry, shuts down right after you are back on-line, partnerships and restructuring are needed to survive. For many of us, Travelexs reputation as a known quantity in currency exchange while traveling will help them recover.

[Murray] This suggests that current standards of "hygiene" are not sufficient to protect the business from an increasingly hostile public network. Do not bet your business. 

Read more in:

SC Magazine: Travelex driven into financial straits by ransomware attack

BBC: Travelex strikes rescue deal but 1,300 UK jobs go

Infosecurity Magazine: Travelex Forced into Administration After Ransomware Attack


--vBulletin Releases Fixes to Address Patch Bypass Flaw

(August 10, 2020)

An as-yet unpatched vulnerability in vBulletin can be exploited to run malicious code and take control of forums without authentication. The issue lies in a patch issued in September 2019. Proof-of-concept exploit code for the vulnerability bypasses the protections put in place by the earlier patch. The vulnerability is being actively exploited. vBulletin has released a fix as well as suggestions for mitigation.

Read more in:

vBulletin: vBulletin 5.6.0, 5.6.1, 5.6.2 Security Patch

Bleeping Computer: vBulletin fixes ridiculously easy to exploit zero-day RCE bug

ZDNet: Security researcher publishes details and exploit code for a vBulletin zero-day


--Mystery Threat Actor Operated 25 Percent of Tor Exit Nodes

(August 8 & 10, 2020)

An unidentified threat actor has been adding servers to the Tor network since January 2020. By May, they were operating 380 Tor exit relays, a quarter of all exit relays. The group is conducting SSL stripping attacks, downgrading traffic from HTTPS to HTTP in an attempt to steal cryptocurrency by replacing Bitcoin addresses in the traffic.

[Editor Comments]

[Neely] The actor was taking advantage of insufficient vetting processes for adding exit relays. While many of the malicious relays have been reported and shut down, as of August 8th, the threat actor still controlled 10% of the Tor exit relays. SSL stripping attacks can be prevented by setting up HSTS preload for your domain; many sites have not done this. Browsers which are not by default marking HTTP traffic insecure may benefit by installing a plugin such as HTTPS Everywhere, which enforces HTTPS use by rewriting headers on the fly.


[Murray] Users should be aware that Tor does a better job of hiding the origin of traffic, what it was built for, than it does of protecting the traffic itself.

Read more in:

Medium: How Malicious Tor Relays are Exploiting Users in 2020 (Part I)

ZDNet: A mysterious group has hijacked Tor exit nodes to perform SSL stripping attacks




Scanning Activity Against WIFICAM Using Netcat


Small Challenge: A Simple Word Maldoc (Solution)


Scoping Web Application Pentests


PDF Test Suite

Qualcomm Snapdragon Vulnerabilities


China Blocking TLS 1.3 and ESNI


Problems With Chrome Extensions


TeamViewer Update



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school,

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit