Vulners weekly digest #13

Published on 6 July 2020 12:00 AM

🍿 4 min. read


There are 4 sections:


Vulnerability CVE-2020-5902 in F5 BIG-IP received a CVSS score of 10. Exploiting the vulnerability allows an unauthenticated attacker to execute commands and completely compromise the system, for example by intercepting the traffic of the web resources that the BIG-IP device controls.


Multiple vulnerabilities in the popular remote desktop client Apache Guacamole (over 10 million downloads on Docker Hub). The bugs were found in March, and at the end of June the Guacamole developers released version 1.2.0, which fixes them. The vulnerabilities allow an attacker who has compromised one of the remote systems that the client connects to, to perform a reverse attack over the RDP protocol and take over the system from which remote administration is performed.

Since Check Point has now published some technical details of the bugs, it is highly probable that corresponding exploits will appear soon.


A critical vulnerability was discovered in the PAN-OS operating system for firewalls and corporate VPN installations from Palo Alto Networks (CVE-2020-2021). Exploiting the vulnerability allows an unauthenticated attacker to bypass authentication. The problem affects PAN-OS 9.1 versions older than 9.1.3; PAN-OS 9.0 versions older than 9.0.9; PAN-OS 8.1 versions older than 8.1.15; and all versions of PAN-OS 8.0. The vulnerability has been fixed in PAN-OS 8.1.15, PAN-OS 9.0.9, PAN-OS 9.1.3 and in all later versions.

The U.S. Cyber Command has warned that foreign attackers are likely to attempt to exploit the discovered vulnerability in PAN-OS. Researchers at Boston-based Rapid7 found nearly 70 thousand PAN-OS based devices exposed on the internet, 40% of which protect networks in the United States.
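A small version check for the affected ranges stated above, written for this digest as an added example (it is not Palo Alto Networks code and does not query any device). It assumes PAN-OS versions are dotted triples with an optional hotfix suffix such as `-h1`, which is treated as a patch on top of the base version; versions older than 8.0 are not covered by the digest and are rejected rather than guessed.

```python
from typing import Optional, Tuple

# Fixed releases per the digest: 8.1.15, 9.0.9, 9.1.3 (and all later versions).
# All of 8.0 is affected and has no fixed release listed.
FIXED_BY_BRANCH = {
    (8, 1): (8, 1, 15),
    (9, 0): (9, 0, 9),
    (9, 1): (9, 1, 3),
}
ALWAYS_AFFECTED_BRANCHES = {(8, 0)}
NEWEST_LISTED_BRANCH = (9, 1)
OLDEST_LISTED_BRANCH = (8, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch[-hN]' into an integer triple.

    The hotfix suffix (assumption: '-h1', '-h2', ...) only raises the release
    above its base version, so it is dropped for the comparison.
    """
    base = version.split("-", 1)[0]
    parts = base.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(version: str) -> bool:
    """Return True if the given PAN-OS version falls in a range the digest lists as vulnerable."""
    v = parse_version(version)
    branch = v[:2]
    if branch in ALWAYS_AFFECTED_BRANCHES:
        return True
    if branch in FIXED_BY_BRANCH:
        return v < FIXED_BY_BRANCH[branch]
    if branch > NEWEST_LISTED_BRANCH:
        # "all later versions" are fixed according to the digest.
        return False
    # Branches older than 8.0 are not described on the page; refuse to guess.
    raise ValueError(f"PAN-OS {version} is outside the ranges covered by the advisory summary")


def fixed_version(version: str) -> Optional[str]:
    """Return the fixed release to move to for an affected version, or None if not affected.

    For 8.0 the digest lists no fixed 8.0 release, so the lowest fixed release
    of the next branch (8.1.15) is suggested.
    """
    if not is_affected(version):
        return None
    branch = parse_version(version)[:2]
    target = FIXED_BY_BRANCH.get(branch, FIXED_BY_BRANCH[(8, 1)])
    return ".".join(str(n) for n in target)


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for ver in ["9.1.2", "9.1.3-h1", "9.0.8", "8.1.15", "8.0.20", "10.0.0"]:
        print(f"{ver:10} affected={is_affected(ver)!s:5} upgrade_to={fixed_version(ver)}")
```

Run it against an exported inventory of PAN-OS versions to get a first pass at which devices still need the 8.1.15 / 9.0.9 / 9.1.3 update; the tuple comparison is the whole trick, so the branch table is the only thing to keep in sync with the vendor advisory.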

Active Defense and EDR software to empower Blue Teams. Looks COOL.

IIS Raid is a native IIS module that abuses the extensibility of IIS to backdoor the web server and carry out custom actions defined by an attacker.

kube-bench is a Go application that checks whether Kubernetes is deployed securely by running the checks documented in the CIS Kubernetes Benchmark.


The University of California, San Francisco (UCSF) paid $1.14 million to the Netwalker ransomware operators.

Earlier, on June 1, the Netwalker operators broke into the internal network of the UCSF School of Medicine, stealing and encrypting information including personal data of students and staff, medical research data and information about financial transactions.

Netwalker is a ransomware family that appeared in the fall of 2019 and operates under the Ransomware as a Service (RaaS) model.


EvilQuest was discovered earlier this week by K7 Lab and analyzed by a team of researchers from Malwarebytes, Jamf and BleepingComputer. It encrypts files on a compromised system, but behind the ransomware façade it also collects information from the infected host, including keylogging and theft of cryptocurrency wallet data.

EvilQuest checks whether it is running in a virtual machine, and whether popular anti-virus products (Avast, Kaspersky, McAfee, etc.) are present on the attacked system. After encrypting the files, it demands a $50 payment to a static bitcoin wallet, but leaves no contact channel, which makes it impossible to link a payment to a specific victim.

After the victim has paid the ransom, the attacker still remains in the system and keeps collecting the data of interest, and the files stay encrypted. EvilQuest is the third identified ransomware strain for macOS, after KeRanger and Patcher.


Facebook reported an incident involving the privacy of the social network's users. According to the company, about 5,000 software developers continued to receive user data even after the period during which their applications were allowed to access that information had expired.

Facebook's privacy mechanism blocks applications from accessing user data if the user has not used the application for 90 days. According to Facebook, in some cases this mechanism was not triggered and allowed applications to continue accessing user data.

Vulnserver Exploit vs Windows Defender Exploit Guard. Great write-up, worth a thorough read:
Exploit Guard vs Process (DLL) Injection:

Red Team C2 over VirusTotal - SharpHungarian - C#
This is an unfinished console app for defeating EDR, defeating internal centralised logging, and using VirusTotal as an outbound command and control channel for C2.

Elastic Security opens public detection rules repo:

Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI - Securityinbits: