SAP, SIGred, procmon for Linux, Tsunami, Twitter and ZOOM?

Vulnerabilities: There were a couple of high-profile vulnerability stories this week: SAP and SIGred (Patch it please!)
Tools: A couple of cool tools appeared: procmon for Linux and the Tsunami scanner from Google
News: Over 100 high-profile Twitter accounts hacked via an internal tool that was leaked by a Twitter employee. ZOOM? Again?
And Research, because technical descriptions are always interesting to someone



In May, Onapsis discovered a vulnerability rated 10 on the criticality scale in several products from SAP, the German business solution provider.

SAP released updates to its software to address the vulnerability. The researchers named the vulnerability (CVE-2020-6287) RECON. It resides in a component of SAP NetWeaver AS and allows unauthorized attackers to create an account with maximum privileges and gain full control over the attacked SAP system.

SAP also fixed CVE-2020-6286, a directory traversal vulnerability that allows an unauthorized attacker to upload zip files to a specific directory. According to the Onapsis specialists who discovered the vulnerability, the problem currently affects 40,000 users of SAP products.


There is no information on the use of RECON in the wild. It is possible that hackers have already exploited the vulnerability.


Earlier, we posted about this vulnerability: Windows DNS vulnerability - CVSS 10

The US Cybersecurity and Infrastructure Security Agency (CISA) has asked federal executive authorities and US agencies to conduct an emergency update of all vulnerable systems across all information systems within 24 hours (by 14:00 EST July 17).

The message also contains recommendations to remove Windows Server-based systems from networks if they cannot be updated within 7 days. In addition, CISA recommends that all these measures be applied by both state and municipal governments.


Pandora is a network monitoring tool for IT infrastructure management. Remote code execution (CVE-2020-13851) affects Pandora FMS Events versions 7.0 NG 742, 7.0 NG 743, and 7.0 NG 744 and older.

Microweber is a drag-and-drop website builder (CMS) written in PHP. Vulnerability CVE-2020-13405 allows an unauthenticated user to disclose the users database via a POST request.


Process Monitor (Procmon) is a Linux reimagining of the classic Procmon tool from the Sysinternals suite of tools for Windows.

An open source malware analysis platform.

Universal network security scanner with an extensible plug-in system for detecting high-risk vulnerabilities with a high degree of confidence. (from Google)


Twitter reported this week that it detected a social engineering attack against some of its employees who had access to internal systems and tools.

More than 100 accounts of such famous people as Bill Gates, Elon Musk and Barack Obama were compromised. Using compromised accounts, the hackers tried to lure users into a fraudulent "crypto giveaway" scheme.

This isn't the first time popular accounts have been compromised to promote this kind of scam. In March, attackers hacked into Microsoft's official YouTube account, where they spent more than 13 hours playing a recording of one of Gates' talks with text about a "crypto giveaway".

According to ZDNet, the leak of personal data of MGM Resorts guests, which was first reported in February 2020, was much larger than previously thought.

Last week, a hacker put a stolen MGM Resorts database, which includes information about more than 142 million guests, up for sale on the darknet. The hacker claims he obtained the database as a result of a recent hack of Night Lion Security's DataViper service.

Check Point reported a vulnerability in the popular Zoom software. The Zoom vulnerability allows attackers to impersonate legitimate organizations by deceiving their employees or business partners in order to steal personal or other sensitive information through social engineering.

Due to incorrect account verification, any conference could have been started using the Vanity URL of any organization, even if the meeting was created with a separate account. In this way, an attacker could carry out phishing attacks by impersonating legitimate company employees.


New Attack Technique Uses Misconfigured Docker API:

Malware Wiki:

Hunting for advanced Tactics, Techniques and Procedures (TTPs):

Bypassing Symantec Endpoint Protection for Fun & Profit (Defense Evasion):