Volume XXII - Issue #64

August 14, 2020

Microsoft IE Flaw Actively Exploited; NSA and FBI: New Linux Rootkit





  Patch Tuesday: Microsoft: Two Actively Exploited (incl. IE and File Validation)

  NSA and FBI: Fancy Bear Hacking Group Using New Linux Rootkit




  CISA Warns of Phishing Attempts that Spoof SBA Loan Program

  US Financial Regulator FINRA Warns of Phishing Website

  TikTok Secretly Collected MAC Addresses

  Amazon Alexa Vulnerabilities Patched

  Citrix Releases Fixes for Flaws in XenMobile Server

  Patch Tuesday: Adobe

  TinyMCE Flaw Fixed

  Intel Security Updates for Server Boards, Server Systems, and Compute Modules

  WordPress 5.5: Option to Update Plugins Automatically

  SEPTA (Philadelphia Transit) Malware Attack










--Patch Tuesday: Microsoft: Two Actively Exploited (incl. IE and File Validation)

(August 11 & 12, 2020)

On Tuesday, August 11, Microsoft released updates to address at least 120 vulnerabilities in Windows and other products and services. Two of the flaws are being actively exploited: a memory corruption vulnerability in the scripting engine in Internet Explorer, and a spoofing flaw in Windows file validation that could be exploited to bypass security features. 

[Editor Comments]

[Pescatore] I really like The Register's excellent headline, but I will add one thing: A lot of VPN approaches only support connectivity back to corporate data centers when the user has initiated the VPN and it hasn't timed out. Other VPN approaches that are always on don't handle intermittent or low speed home internet connections very well. Patch success rates for those sporadically-connected devices are always lower than LAN-connected or always-on VPN approaches on solid remote connections; worth extra attention on this patch-filled vacation/holiday month.

[Neely] As IE is being actively exploited, it may also be time to change the default browser. Consider limiting IE through the perimeter to reduce the likelihood of interaction with malicious sites. While you're busy queueing up application of this month's suite of patches, take a check of your backup system to make sure you're covered in case something goes wrong.

[Murray] This is the third "Patch Tuesday" in a row when the number of vulnerabilities addressed exceeded one hundred. One does not know whether to credit Microsoft for its diligence or condemn it for the quality of its code. Suffice it to say that the next Patch Tuesday will address far more than zero vulnerabilities and most of them will be older than a month. While patching is mandatory, one cannot patch one's way to security. Use "least privilege" access control at all layers, internal firewalls, strong authentication, structured networks, and end-to-end application layer encryption to reduce your attack surface and hide potentially vulnerable processes. While I still do not like the expression "Zero Trust," it is an old idea whose time has come.  

Read more in:

KrebsOnSecurity: Microsoft Patch Tuesday, August 2020 Edition

The Register: We spent way too long on this Microsoft, Intel, Adobe, SAP, Red Hat Patch Tuesday article. Just click on it, pretend to read it, apply updates

Duo: Microsoft Patches Zero Days Used in Targeted Attacks

Threatpost: Two 0-Days Under Active Attack, Among 120 Bugs Patched by Microsoft

Ars Technica: 0-days, a failed patch, and a backdoor threat. Update Tuesday highlights

Dark Reading: Microsoft Patches 120 Vulnerabilities, Two Zero-Days

SC Magazine: Microsoft patches 2 actively exploited zero-day flaws

ZDNet: Microsoft August 2020 Patch Tuesday fixes 120 vulnerabilities, two zero-days

Bleeping Computer: Microsoft August 2020 Patch Tuesday fixes 2 zero-days, 120 flaws

MSRC: Security Update Summary


--NSA and FBI: Fancy Bear Hacking Group Using New Linux Rootkit

(August 13, 2020)

In a joint cybersecurity advisory, the US National Security Agency (NSA) and the FBI warn of a new strain of malware being used by hackers with ties to Russia's government. Drovorub is a rootkit designed to infect Linux systems and steal data.

Read more in:

ZDNet: FBI and NSA expose new Linux malware Drovorub, used by Russian state hackers

The Register: This NSA, FBI security advisory has four words you never want to see together: Fancy Bear Linux rootkit

Defense: Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware (PDF)

FBI: NSA and FBI Expose Russian Previously Undisclosed Malware Drovorub in Cybersecurity Advisory

NSA: Drovorub Malware Fact Sheet & FAQs (PDF)





--CISA Warns of Phishing Attempts that Spoof SBA Loan Program

(August 10, 12, & 13, 2020)

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning of a phishing attack that sends users to a spoofed version of the Small Business Administration's (SBA's) COVID-19 loan relief webpage.

[Editor Comments]

[Neely] Threat actors are leveraging anything relating to COVID-19, from wellness advice, contact tracing, and testing to financial relief programs to lure users into clicking/opening their content. With the increased telecommuting, it's easy to forget that on-premise protections may not be protecting users full time. Step up user training, keeping in mind that current concerns and stress are leading users to click where they otherwise would not.

[Murray] "Phishing," i.e., bait attacks, remains efficient and popular. Because such attacks exploit human frailty and there are so many of us, they are difficult to address. The bait is generally offered in e-mails and on web sites. E-mail and browsing applications are implicated in a majority of breaches. They should be isolated from the rest of the enterprise network. As a user, I hated it when any of my clients blocked my access to my e-mail (e.g., OWA) from their networks, but as their security adviser I had to appreciate it. Note that one no longer needs the enterprise network to access e-mail or to browse; one uses one's mobile and the cellular data network.

Read more in:

Fedscoop: Malicious cyber actor spoofing SBA's coronavirus loan relief webpage

Bleeping Computer: CISA alerts of phishing attack targeting SBA loan relief accounts

FCW: Scammers spoof SBA to get disaster loan dollars

US-CERT.CISA: Alert (AA20-225A) | Malicious Cyber Actor Spoofing COVID-19 Loan Relief Webpage via Phishing Emails


--US Financial Regulator FINRA Warns of Phishing Website

(August 13, 2020)

The US Financial Industry Regulatory Authority (FINRA) has issued an alert warning of the existence of a fraudulent copycat website that includes a registration form for collecting data that could be used in targeted phishing attacks. Observant users will note an extra "n" in the domain name of the copycat site. FINRA has requested that the domain registrar suspend the phony domain.

Read more in:

Bleeping Computer: U.S. stock broker regulator FINRA warns of copycat phishing site

FINRA: FINRA Alerts Firms to Use of Fake FINRA Domain Name


--TikTok Secretly Collected MAC Addresses

(August 11 & 12, 2020)

According to a report in the Wall Street Journal, the TikTok video-sharing app collected MAC addresses from Android users for more than a year. The app hid the questionable activity with encryption. The activity was conducted for 15 months, ending in November 2019.  (Please note that the WSJ story is behind a paywall.)

[Editor Comments]

[Neely] As more information about inappropriate behavior from TikTok emerges, it's time to make an active decision whether to block or prohibit the application. Use your MDM to inventory your corporate mobile devices for TikTok. Also take a look at application protections on your BYO devices to make sure that your enterprise information is protected from malicious behavior. Note that not all device/MDM combinations allow blocking installation or removal of disallowed apps.

Read more in:

Threatpost: TikTok Surreptitiously Collected Android User Data Using Google-Prohibited Tactic

WSJ: TikTok Tracked User Data Using Tactic Banned by Google (paywall)


--Amazon Alexa Vulnerabilities Patched

(August 13, 2020)

Earlier this year, researchers from Check Point found that some Amazon Alexa subdomains were vulnerable to cross-origin resource sharing (CORS) misconfiguration and cross-site scripting. Check Point notified Amazon of the issues in June. The issues could be exploited to access users' voice history logs, to discover which skills are installed, and to install additional skills. Amazon has fixed the issues.

[Editor Comments]

[Neely] Take a look at the voice history your digital assistants are storing. Both Amazon and Google allow you to delete messages from their website, mobile app, or the device itself. Also, review the enabled skills and connected smart devices to make sure that no extra features are enabled, or devices connected.

Read more in:

Wired: An Alexa Bug Could Have Exposed Your Voice History to Hackers

ZDNet: In one click: Amazon Alexa could be exploited for theft of voice history, PII, skill tampering

Threatpost: Amazon Alexa One-Click Attack Can Divulge Personal Data

CNET: Alexa vulnerability is a reminder to delete your voice history

Check Point: Keeping the gate locked on your IoT devices: Vulnerabilities found on Amazon's Alexa


--Citrix Releases Fixes for Flaws in XenMobile Server

(August 11 & 12, 2020)

Citrix has released updates to address vulnerabilities in Citrix Endpoint Management, often known as XenMobile Server. Users are urged to apply the updates as soon as possible, as Citrix says it anticipates malicious actors will move quickly to exploit the flaws. Two of the vulnerabilities are rated critical.

Read more in:

Citrix: Citrix provides security update on Citrix Endpoint Management

Support.Citrix: Citrix Endpoint Management (CEM) Security Update

Cyberscoop: Citrix releases fix for software bug that hackers will move quickly to exploit

Bleeping Computer: Citrix fixes critical bugs allowing takeover of XenMobile Servers

Threatpost: Citrix Warns of Critical Flaws in XenMobile Server

The Register: Citrix warns of patch-ASAP-grade bugs in its working-from-home products, just as we're all working from home


--Patch Tuesday: Adobe

(August 11 & 12, 2020)

Adobe has released updates to address vulnerabilities in Reader and Acrobat; 11 of the flaws are rated critical. Adobe also released an update to address a privilege elevation vulnerability in Lightroom.

[Editor Comments]

[Neely] While the Lightroom and Acrobat updates are not actively being exploited, the Reader and Acrobat vulnerabilities are considered elevated risk because of past issues with these products. The updates for Reader and Acrobat affect a wide range of versions, back to Acrobat and Reader 2015. Check the Adobe Security Bulletin for the full list of products impacted. This would be a good time to replace older versions with current, patched ones.

[Murray] After ten years, we are finally nailing the final nail into the coffin of Flash. Perhaps it is time to consider the future of Reader and Acrobat. Many enterprises already restrict pdf attachments and others use alternative application programs to handle them.  

Read more in:

ZDNet: Adobe tackles critical code execution vulnerabilities in Acrobat, Reader

Bleeping Computer: Adobe fixes critical code execution bugs in Acrobat and Reader

Threatpost: Critical Adobe Acrobat and Reader Bugs Allow RCE

Adobe: Recent bulletins and advisories


--TinyMCE Flaw Fixed

(August 9, 12, & 13, 2020)

TinyMCE developers have released a fix for a cross-site scripting vulnerability in the open-source text editor. The flaw could be remotely exploited to gain administrative access to vulnerable websites. TinyMCE is usually part of content management systems (CMS) used by websites.

Read more in:

Threatpost: High-Severity TinyMCE Cross-Site Scripting Flaw Fixed

Bishop Fox: TinyMCE Version 5.2.1 | ADVISORY SUMMARY

GitHub: Cross-site scripting vulnerability in TinyMCE


--Intel Security Updates for Server Boards, Server Systems, and Compute Modules

(August 11, 2020)

Intel has released updates to address 22 security issues in certain Intel Server Boards, Server Systems, and Compute Modules. One of the flaws is rated critical; it could be exploited by an unauthenticated remote attacker to gain elevated privileges. Ten of the flaws are rated high severity.

[Editor Comments]

[Pescatore] The most critical one is a flaw in baseboard management controller software, an issue Johannes Ullrich covered in the 2019 SANS The Five Most Dangerous New Attack Techniques keynote at the RSA conference and we covered in the 2019 SANS Threat Report. In addition to the usual local patching issues, this is an important risk issue to address with supply chain partners that may be using the impacted server boards.

Read more in:

Threatpost: Critical Intel Flaw Afflicts Several Motherboards, Server Systems, Compute Modules

Intel: Intel Server Boards, Server Systems and Compute Modules Advisory

CVE Mitre: CVE-2020-8708 | Improper authentication for some Intel(R) Server Boards, Server Systems and Compute Modules before version 1.59 may allow an unauthenticated user to potentially enable escalation of privilege via adjacent access.


--WordPress 5.5: Option to Update Plugins Automatically

(August 11 & 12, 2020)

WordPress has released version 5.5 of its content management platform. Among the new features is the option to enable automatic updates for plugins and themes. Users can choose to have all background updates, or to enable or disable them on specific themes and plugins.

[Editor Comments]

[Neely] WordPress 5.5 has added automatic update status to the plugins listing, as well as the ability to select and bulk enable automatic updates. Even so, not all your plugins will support automatic update. Review and enable it for those which do, consider removing or replacing those which do not. Also look for plugins which are redundant, such as a cache plugin which overlaps the caching of your CDN which may not have been in place when you stood up your site.  

[Murray] WordPress plugins are popular but of questionable quality. Consider enabling "all" by default until and unless "the solution becomes the problem."

Read more in:

WordPress: WordPress 5.5 "Eckstine"

Portswigger: WordPress 5.5 rolls out with auto-updates for plugins, themes

WordPress: WordPress 5.5 Field Guide


--SEPTA (Philadelphia Transit) Malware Attack

(August 12, 2020)

Servers belonging to the Southeastern Pennsylvania Transit Authority (SEPTA) were infected with malware last weekend; SEPTA has called in help from cybersecurity experts and the FBI. Since the infection, SEPTA has shut down employee email, payroll access, remote timekeeping, and real-time data feeds for customers.

Read more in:

GovTech: Pennsylvania Transit Agency Disrupted by Malware Attack




vBulletin 0-Day Exploit

Microsoft Patches

Adobe Patches

Citrix End Point Management Updates

To the Brim at the Gates of Mordor

Large Group of Malicious Tor Exit Nodes

SAP Updates

Intel Updates

Decrypting Voice over LTE Calls

Vulnerabilities found on Amazon's Alexa

DROVORUB Russian GRU Linux Malware (PDF)



The Editorial Board of SANS NewsBites


John Pescatore was Vice President at Gartner Inc. for fourteen years. He became a director of the SANS Institute in 2013. He has worked in computer and network security since 1978 including time at the NSA and the U.S. Secret Service.

Shawn Henry is president of CrowdStrike Services. He retired as FBI Executive Assistant Director responsible for all criminal and cyber programs and investigations worldwide, as well as international operations and the FBI's critical incident response.

Suzanne Vautrinot was Commander of the 24th Air Force (AF Cyber) and now sits on the board of directors of Wells Fargo and several other major organizations.

Ed Skoudis is co-founder of CounterHack, the nation's top producer of cyber ranges, simulations, and competitive challenges, now used from high schools to the Air Force. He is also author and lead instructor of the SANS Hacker Exploits and Incident Handling course, and Penetration Testing course.

Mark Weatherford is Global Information Security Strategist for Booking Holdings and the former Deputy Under Secretary of Cybersecurity at the US Department of Homeland Security.

Stephen Northcutt teaches advanced courses in cyber security management; he founded the GIAC certification and was the founding President of STI, the premier skills-based cyber security graduate school.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

William Hugh Murray is an executive consultant and trainer in Information Assurance and Associate Professor at the Naval Postgraduate School.

Lee Neely is a Senior Cyber Analyst at Lawrence Livermore National Laboratory, SANS Analyst and Mentor. He has worked in computer security since 1989.

Rob Lee is the SANS Institute's top forensics instructor and director of the digital forensics and incident response research and education program at SANS (

Tom Liston is member of the Cyber Network Defense team at UAE-based Dark Matter. He is a Handler for the SANS Institute's Internet Storm Center and co-author of the book Counter Hack Reloaded.

Jake Williams is a SANS course author and the founder of Rendition Infosec, with experience securing DoD, healthcare, and ICS environments.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a founder with Secure Anchor Consulting.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Gal Shpantzer is a trusted advisor to CSOs of large corporations, technology startups, Ivy League universities and non-profits specializing in critical infrastructure protection. Gal created the Security Outliers project in 2009, focusing on the role of culture in risk management outcomes and contributes to the Infosec Burnout project.

Alan Paller is director of research at the SANS Institute.

Brian Honan is an independent security consultant based in Dublin, Ireland.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription visit