Threat Intel Week 27, 2020

F5 Traffic Management User Interface (TMUI) Remote Code Execution (CVE-2020-5902) & XSS (CVE-2020-5903)

A critical vulnerability (CVE-2020-5902) exists that can lead to remote code execution by an unauthenticated attacker with network access to the management interface. Good practice is to keep these interfaces on a private, restricted network; however, we know this is not always the case, as we can see from Shodan:


This vulnerability has a public proof-of-concept (POC) exploit in the wild, covering path traversal and file read through to remote code execution. Examples of both the Metasploit module and public intel on the HTTP requests involved are here:

We strongly recommend that management interfaces are not exposed to the internet. Consider:

  • Removing the interface from the internet
  • Using IP whitelisting to restrict traffic flows
  • Using a VPN and/or jump box solution to perform sensitive remote administration tasks
  • Restricting access to a dedicated management interface/route
  • Patching the vulnerable devices

Palo Alto Networks PAN-OS Authentication Bypass (CVE-2020-2021)

When Security Assertion Mark-up Language (SAML) authentication is enabled and the ‘Validate Identity Provider Certificate’ option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

This vulnerability requires specific conditions to exist (conditions which are not good practice from a Palo Alto deployment best-practice point of view), so whilst it is still critical, it is wise to conduct a configuration review and take appropriate action.


Phishing is a constant threat. During the COVID pandemic we have seen lures adapted to take advantage of a range of situations, as always leveraging fear, uncertainty and doubt (FUD) and high-pressure scenarios such as PPE, coronavirus testing equipment, etc.

From an internet-facing perspective we see the following general patterns:

  • Poor coverage of SPF, DMARC and DKIM deployment
  • Misconfiguration of mail protection records

Whilst we advocate security awareness with staff members, during a time of increased pressure it is just as important (potentially more so) to leverage technical controls alongside soft controls to reduce the likelihood of a phishing incident achieving impact.
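The two patterns above (missing SPF/DMARC/DKIM coverage and misconfigured mail protection records) can be checked mechanically. The following is an added example for this briefing, not code from the original post: it assesses SPF and DMARC TXT records against the published rules (RFC 7208's ten-lookup limit, the meaning of the `all` qualifier, DMARC's `p`, `pct` and `rua` tags) and reports weaknesses. The records for `good.example`, `monitor-only.example` and `open.example` are constructed and belong to no real domain; in practice you would feed it the TXT records returned by a DNS lookup of the domain and of `_dmarc.<domain>`.

```python
"""Assess published SPF and DMARC records for common weaknesses.

Added example for this briefing, not code from the original post. The
records below are constructed and belong to no real domain. The checks
follow the published specs: an SPF record should end in a hard ('-all')
or soft ('~all') fail, never '+all' or no 'all' term at all, and must
not need more than 10 DNS lookups (RFC 7208); a DMARC record should
exist, apply to 100% of mail (pct) and carry an enforcing policy
('quarantine' or 'reject') plus an aggregate-report address (rua) so the
domain owner sees spoofing attempts.
"""
import re

SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tag_value(record):
    """Parse DMARC 'k=v; k2=v2' syntax into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(spf):
    """Return a list of findings for an SPF TXT record (None = not published)."""
    if spf is None:
        return ["SPF: no record published; any host can send as this domain"]
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1 and will be ignored"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("SPF: '+all' authorises every host on the internet")
        elif qualifier == "?":
            findings.append("SPF: '?all' is neutral; receivers treat it like no policy")
    # Mechanisms that cost a DNS lookup; more than 10 yields a permerror
    # and the whole record stops protecting the domain.
    lookups = [t for t in terms[1:]
               if re.split(r"[:=/]", t.lstrip("+-~?").lower())[0] in SPF_LOOKUP_MECHANISMS]
    if len(lookups) > 10:
        findings.append(f"SPF: {len(lookups)} lookup terms exceed the limit of 10 (permerror)")
    return findings


def assess_dmarc(dmarc):
    """Return a list of findings for a _dmarc.<domain> TXT record (None = not published)."""
    if dmarc is None:
        return ["DMARC: no record at _dmarc.<domain>; spoofed mail is not policed"]
    tags = parse_tag_value(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1 and will be ignored"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid 'p' tag; record is invalid")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"DMARC: pct={pct} leaves part of the mail stream unpoliced")
    if "rua" not in tags:
        findings.append("DMARC: no 'rua' address; aggregate reports are never received")
    return findings


def assess_mail_auth(spf, dmarc):
    """Combined findings for one domain; an empty list means no weaknesses found."""
    return assess_spf(spf) + assess_dmarc(dmarc)


# Constructed records for three hypothetical domains (not real DNS data).
SAMPLE_DOMAINS = {
    "good.example": ("v=spf1 include:_spf.mailprovider.example -all",
                     "v=DMARC1; p=reject; rua=mailto:dmarc@good.example"),
    "monitor-only.example": ("v=spf1 ip4:192.0.2.0/24 ~all",
                             "v=DMARC1; p=none; pct=50"),
    "open.example": ("v=spf1 +all", None),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE_DOMAINS.items():
        print(domain)
        for finding in assess_mail_auth(spf, dmarc) or ["no findings"]:
            print("  -", finding)
```

DKIM is deliberately left out: its selector names are not discoverable from the domain alone, so it has to be checked from the `DKIM-Signature` header of real mail rather than from a single DNS query.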

Useful Resources

Phishing and Web Content Filtering

Our friends in the CTI League and Cyber Threat Coalition both publish independent block lists which can be leveraged by mail hygiene and perimeter security solutions (such as firewall and IPS/IDS systems).

NCSC Weekly Threat Report

This report includes links to the phishing reporting service recently stood up by NCSC:

Are contact-tracing apps the solution to Covid-19?

As lockdown continues and uncertainty grows around how and when we can return to normal, governments and companies believe they have found the solution in technology. Contact tracing apps are being hailed as the best solution both to tracking people diagnosed with Covid-19 and alerting others who may have been infected so they can self quarantine, allowing healthy people to move around freely and return to work. 

Governments around the globe have been rolling out these apps to varying degrees of success and compliance. From China to Iceland, citizens are being asked to download an app to their smartphone and input personal details and information about their health. The UK government recently released its app, built in collaboration with the NHS, and France is also launching a testing phase of its app, StopCovid, in the coming weeks. 

The idea behind these apps is to make contact tracing easier and faster. Mapping the spread of the infection currently involves manually tracking the number of people who could have come into contact with an infected person, so will an app make that easier?

How the apps work

In theory, yes. Downloading and registering with these apps will allow users to be informed if they have been close to someone diagnosed with Covid-19 or to inform others that they are infected with the disease.  

The app is able to do this because it is monitoring the users’ location and the location of other app users nearby. European governments are mostly using apps with Bluetooth technology as a way to track and inform people about their risk of contracting Covid-19. On a smartphone, Bluetooth works by exchanging an anonymous signal with other smartphone users – like a kind of virtual handshake. This exchange will either be recorded anonymously on the app, or stored in a central database, during which time, if a user tests positive for Covid-19 they can update the app with their health information, and an alert is sent out to those who have been in near contact with them. But it is not as simple as it sounds.

It’s all about reliability

For the app to work effectively a large number of users must sign up to use it. A small number of users means that it will be difficult to carry out the extensive contact tracing that is needed to contain the disease. This means governments are going to have to convince citizens that these apps are worth downloading and using. 

The fact that everyone needs to have a smartphone in order to use the app is another barrier. Not everyone can afford a smartphone or is able to use one. This risks isolating the elderly, the homeless, people living in poverty, and asylum seekers and refugees: groups that are at high risk of catching Covid-19 due to their age or inability to self isolate.

Experts are also concerned about the reliability of the app as a way of gathering data. The app will not be able to tell users whether the person who was infected was wearing a mask, or whether they were standing behind a window or door. This is likely to lead to people being told to self quarantine when they do not need to. Too many false alerts and they could abandon using the app. People who have Covid-19 may leave the house without their phone or leave it in their vehicle meaning that people who have come into contact with them would not be alerted to the risk of infection. 

What about privacy?

And there is also the issue of privacy. Experts are increasingly concerned about the amount of data these apps collect, where this data is stored, and who has access to it. Data, even anonymous data, relating to people’s health can be a valuable asset for businesses and governments alike. What information is collected and who can see this information will vary depending on government policy and practice as well as how the app is designed and built. 

Apps can either use a centralised database or a decentralised one. A centralised database, like the one the NHS app will use, means that data is stored on a central server and that the information can be accessed by others, both officially, by government, and unofficially, by criminals.  While a centralised database allows governments and companies access to a greater data pool, which would allow them to better understand the spread of Covid-19, this database, like all databases, is vulnerable to abuse. 

Apple and Google recently announced a partnership that would allow for a decentralised server. This would mean that anonymised contact tracing would be carried out by individual phones and not from a central server. This approach is currently being adopted by a number of governments around the world. The lack of a central server means that the authorities will not have access to user data which means that while there is less opportunity to investigate Covid-19, user information is more secure. 

Whichever method is being used to collect data, privacy experts are keen to stress that checks and balances are necessary to ensure that apps are not being used to surveil and track users long after Covid-19 is past. And none of these apps are the magic solution – we need testing, social distancing, and ultimately, a vaccine before we start to turn the tide on Covid-19.

This guest blog was kindly written by Ela Stapley

Our Vulnerability Disclosure Process

Vulnerability Disclosure

Friends, Romans, Awesome Volunteers, lend me your ears!

We constantly get approached from you beautiful people with regard to putting you directly in touch with the contacts we have at the Health Trusts and Providers.

Whilst we do not wish to offend or dampen your volunteering efforts, we must point out that unfortunately this is not something we are able to do.

This is for several reasons, but the primary one is due to GDPR and responsibility for sharing private information.

What we can do however is share the activity or information you wish to bring to the trusts via our Threat Briefings or indeed if it warrants it, with a direct outreach to specific Trusts/Providers.

We do have direct reporting capabilities for high/critical vulnerabilities, this is handled through the intel services relevant to a specific country.

We are always willing to give volunteers who assist a shout-out, or indeed attribution, moving forward.

Also, we are not stopping you contacting Trusts/Providers directly, but again ask that if you do, you do it in your own capacity and make it clear to the recipients that you are not acting on our behalf or with our blessing.

Please, please, please do not take this in any other way other than the team adhering to the agreements we currently have in place.

Thank you for your continued help and support during this time.

Ransomware and Remote Desktop Services

A major threat to healthcare organisations

Insecure, misconfigured and under-protected remote desktop services are a major vulnerability. This attack vector is simple to find, easy to access and operate, very simple to exploit and can be the initial entry to a chain of devastating actions by a threat actor to take down your systems.

This screenshot is of a single, exposed live system that our team of volunteers has obtained (amongst a range of others) from live vulnerable systems on the internet:

You can see here that not only are we able to enumerate valid usernames, but we are also able to enumerate and identify the operating system (in this case it’s an out-of-support Windows Server 2008 R2 Standard Edition Server).

It’s important to also recognise that it’s not just RDP (Remote Desktop Protocol) services: there are a ton of systems which have remote code execution or authentication bypass vulnerabilities which will enable threat actors (cybercriminals) to potentially own your systems and data! Examples of these include vulnerabilities in systems such as Pulse Secure VPN, Citrix NetScaler and RDP:

Common Ransomware Phases

Phase 1 – Recon

Threat actors identify exposed RDP services and check whether NLA (Network Level Authentication) is disabled (if it is, this gives them username enumeration, which increases their likelihood of success). It should be noted that threat actors also buy and sell access credentials on marketplaces, so in some cases they skip straight to initial access.

Phase 2 – Exploitation

Threat actors obtain breached credential data and leverage this amongst other techniques (such as brute force) to attack the exposed services. These methods include:

  • Valid credentials
  • Credential stuffing
  • RDP exploits (such as Bluekeep)
  • Brute force

Phase 3 – Initial Access

Once a valid connection is made, the threat actor now has an initial foothold. From here they will attempt to do the following:

  • Harvest local access and data sources to elevate privileges (often they will run mimikatz)
    • Check web browser password caches
    • Check for clear text credentials stored in files
    • Check saved credentials in RDP sessions (Windows Credential Manager)
  • Enumerate the network using legitimate network scanning tools
  • Prepare ransomware payloads
    • Some ransomware requires communication with a command and control (C2) server; however, some ransomware such as REvil can be executed with a custom binary which does not require server communication.

Phase 4 – Lateral Movement

The threat actors will attempt to move to other nodes on your network to strengthen their position. In some cases, they will also establish persistence and several backdoors in case one access method is discovered and removed. You will often see them drop legitimate network scanning tools onto compromised hosts in an attempt to evade detection.

Phase 5 – Actions on Target

Once the earlier phases have run their course, the threat actor executes (runs) the payloads to encrypt your data.

Phase 6 – Victim Contact and Payment

Once the servers and data have been encrypted, the ransomware operator will either wait for contact or will establish contact. This will usually be conducted using throwaway (burner) email accounts, etc. Most ransomware leaves a ransom note with details as to how to establish contact and how to arrange payment to the attacker.

Identify, Protect, Detect, Respond and Recover

There are a range of actions that can be taken not only to reduce the risk of an incident occurring but also to help mitigate the impact. The range of options is wide, so we’ve gone into the common ones:

  1. Ensure you have an ‘offline’ backup
    1. This may be in the form of a network-based backup that is NOT domain joined and is significantly isolated. Ideally, you want a copy of these backups shipped offsite as well.
  2. Ensure you have an incident response plan
    1. Ensure that it is tested (alongside restoration tests from backup services)
  3. Ensure you have NLA enabled. This will in some cases stop exploits (e.g. Bluekeep) or will significantly increase the complexity of the attack required.
  4. Use IP whitelists and/or “just in time” access
  5. Use VPNs and Secure Gateway services
  6. Ensure you have account lockout policies configured
  7. Implement proactive security monitoring
  8. Implement Multi-Factor Authentication (MFA)
  9. Use hardened configurations, jump boxes, limit standard user accounts
  10. Ensure systems are patched and maintained in line with vendor support
  11. Ensure logging configurations are set appropriately
  12. Deploy sysmon, if suitable
  13. Deploy EDR (Endpoint Detection and Response), if safe to do so

Alongside our guidance, please review the NCSC guidance on ransomware defence and response:

In short, practise good systems management. You can harden your attack surface with some very simple changes, and you can make it insanely stronger with a bit more effort!
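Items 6, 7 and 11 above (lockout policies, proactive monitoring and logging) are what let you see Phase 2 and Phase 3 happening. As an added example for this briefing, not code from the original post, the script below runs detection logic over Windows Security events: it groups failed logons (event 4625) for remote logon types by source address, finds the densest ten-minute burst per source, labels it as brute force against one account or as password spraying / credential stuffing across many accounts, and flags the most urgent case of all, a successful logon (event 4624) from the same source after the burst. The events, addresses and usernames are constructed; the thresholds are assumptions to tune per environment.

```python
"""Spot RDP brute force, password spraying and follow-on compromise in Security events.

Added example for this briefing, not code from the original post. The
events are constructed to resemble Windows Security log entries 4625
(logon failed) and 4624 (logon succeeded) as exported by a collector or
Get-WinEvent; no real hosts or users are represented. Logon type 10 is
RemoteInteractive (a classic RDP logon) and type 3 is Network, which is
how NLA-protected RDP logons are recorded before any session exists.
The thresholds are assumptions to tune per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REMOTE_LOGON_TYPES = {"3", "10"}
WINDOW = timedelta(minutes=10)
FAILURE_THRESHOLD = 8   # failures from one source inside WINDOW
SPRAY_ACCOUNTS = 5      # distinct accounts from one source = spraying / stuffing


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def analyse(events):
    """Return {source_ip: alert} for sources that exceed the thresholds.

    Each event is a dict with string fields EventID, TimeCreated,
    IpAddress, TargetUserName and LogonType, as found in the event XML.
    """
    remote = sorted((e for e in events if e["LogonType"] in REMOTE_LOGON_TYPES),
                    key=lambda e: parse_ts(e["TimeCreated"]))
    failures = defaultdict(list)   # ip -> [(time, user), ...]
    successes = defaultdict(list)
    for e in remote:
        bucket = failures if e["EventID"] == "4625" else successes
        bucket[e["IpAddress"]].append((parse_ts(e["TimeCreated"]), e["TargetUserName"]))

    alerts = {}
    for ip, fails in failures.items():
        # Sliding window over the time-ordered failures: densest WINDOW wins.
        best, best_start, start = 0, 0, 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, start
        if best < FAILURE_THRESHOLD:
            continue
        burst = fails[best_start:best_start + best]
        accounts = {user for _, user in burst}
        kind = ("password spray / credential stuffing" if len(accounts) >= SPRAY_ACCOUNTS
                else "brute force")
        # A success from the same source after the burst is the "valid
        # connection" of Phase 3 and the most urgent thing to act on.
        last_fail = burst[-1][0]
        later_logons = [user for t, user in successes.get(ip, []) if t >= last_fail]
        alerts[ip] = {"kind": kind, "failures": best, "accounts": len(accounts),
                      "success_after": later_logons[0] if later_logons else None}
    return alerts


def _event(event_id, ts, ip, user, logon_type="10"):
    return {"EventID": event_id, "TimeCreated": ts, "IpAddress": ip,
            "TargetUserName": user, "LogonType": logon_type}


def _burst(ip, users, count, start, step_seconds):
    """Constructed 4625 events from one source, cycling through `users`."""
    first = parse_ts(start)
    return [_event("4625",
                   (first + timedelta(seconds=i * step_seconds)).strftime("%Y-%m-%d %H:%M:%S"),
                   ip, users[i % len(users)])
            for i in range(count)]


# Constructed sample log (documentation/test-net addresses only).
SAMPLE_EVENTS = (
    _burst("203.0.113.10", ["administrator"], 12, "2020-07-01 02:00:00", 20)
    + [_event("4624", "2020-07-01 02:05:00", "203.0.113.10", "administrator")]
    + _burst("198.51.100.7", ["jsmith", "nurse1", "ward3", "backup", "helpdesk", "svc_sql"],
             9, "2020-07-01 03:10:00", 45)
    + _burst("192.0.2.44", ["jsmith"], 3, "2020-07-01 08:00:00", 600)   # slow typos: benign
    + [_event("4625", "2020-07-01 09:00:00", "-", "svc_batch", logon_type="4")]  # not remote
)

if __name__ == "__main__":
    for ip, alert in analyse(SAMPLE_EVENTS).items():
        print(ip, alert)
```

With NLA enabled and an account lockout policy in place, the brute-force source in the sample would have been locked out long before twelve attempts; the spray source is the case lockout policies miss, because each account only sees one or two failures, which is why the per-source view matters.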


The risks that exposed RDP services present are huge. It’s estimated that ~80-85% of ransomware incidents use this vector as an initial foothold. One of our founders (Daniel Card) has personal experience responding to ransomware and in the last ~6 months, 100% of his responses have been due to exposed RDP.

There are clearly requirements to enable remote administration, but what we are seeing is many servers being exposed with high risk configurations in the healthcare sector. It’s imperative during this time that healthcare providers and IT service providers ensure their internet-facing assets are not exposed to unnecessary risks. We hope this article is useful, but if you need further guidance or support, please get in touch.  We have a large group of volunteers who are experienced cyber security professionals and skilled in detection, protection and response services.

If you need support, please visit this URL:

and one of our team will be in contact to help!

Stay safe, stay secure!


Using a Pi-hole to fight phishing


Due to recent events related to COVID-19, some health centres in Europe have fallen victim to ransomware attacks. The first channel to spread ransomware is often phishing, so here are some suggestions to block web surfing to phishing sites if users have clicked on any emailed phishing links.

In my personal journey of learning about this technology, some time ago I installed Pi-hole ad blocking on my Raspberry Pi to avoid annoying commercials when surfing the net from home. Pi-hole can have more powerful applications as well, such as adding other types of blacklists to the Pi-hole – and a phishing site blacklist could be one of them.

The chain

The chain to follow to transform your Pi-hole into a DNS that blocks phishing links is pretty easy:

  1. Download and install Pi-hole; there are many guides on the Internet, depending on where you want to install it, and here’s one for the Raspberry Pi.
  2. Add the phishing list to the adlists.list file of your Pi-hole installation.
  3. Update your Gravity list.
  4. Report and vote for phishing sites.
  5. Check that Pi-hole blocks the right DNS queries.

As stated, the first step is pretty simple – yet it’s off topic here (ping the author if you have trouble with the installation), so let’s go straight to the second point.

Add phishing list

I recently found a very good project that updates a phishing blacklist every 6 hours. This list can be used in your own Pi-hole installation to block phishing sites. It is called Phishing Army and it builds its lists directly from 3 sources:

Add Phishing Army blacklist to your Pi-hole

To add the Phishing Army blacklist to your Pi-hole, simply add the list URL to the file /etc/pihole/adlists.list in your Pi-hole installation. Just connect to the Pi-hole via ssh and type this command:

# vim /etc/pihole/adlists.list

Paste the link at the bottom of your list file, write and quit.

Update your Gravity list

Now you have to update the Gravity black list by typing the command

# pihole -g

Report and vote for phishing sites

The first thing to do is to report and vote for phishing sites, and the easiest way is to follow the instructions written on the amazing blog of the CyberV19 volunteers about using the voting system on Phishtank. When a Phishtank-submitted link reaches a good number of votes, it is marked as phishing. At that stage it will be included in the next Phishing Army blacklist update and automatically pulled into your Pi-hole through the feed.


Now you can check if your Pi-hole is blocking malicious DNS requests. Search for a full or partial link in the Query Lists Search of the Pi-hole:

Try to surf to one of the links in the results and see the DNS query blocked by the Pi-hole:

Well done!


This is a home setup scenario. For a small company, or to test an enterprise-style solution, we would suggest installing Pi-hole in a Docker container and configuring the Domain Controller to point to the Pi-hole as your primary DNS.

To reiterate, we recommend this setup for HOME use only. Hospitals and healthcare providers should use business class solutions for DNS services and protective DNS.


Thanks to Luca Testoni for writing this blog and contributing to CV19! This is a slightly modified version of the post on

Helping the fight against phishing!

PhishTank is a collaborative clearing house for data and information about phishing on the Internet. We can use Phishtank to help take down and disrupt phishing operations.

We are also working on some custom tooling; however, in the meantime let’s make sure everyone knows how easy it is to help fight phishing!

Getting Started

To report and vote for sites on Phishtank, you first need to register on the Phishtank site at

Click on Register or use the following URL:

Enter your details:

Click I’m not a robot and complete the captcha:

Click Verify and then Create My Account:

You will now be sent an email with a validation link:

You are now good to go! Next, we need to sign in:

Reviewing and Voting

We are now ready to report and vote for phishing sites!

Click on the submission ID you want to review.

Review the site – this one is impersonating the World Health Organization (WHO):

Click it’s a PHISH (or another option, depending upon the result of your review):

We have now voted this as a phishing site! Simples! If the site gets validated enough it will be added to block lists.

Phishtank can be used to report both URLs and phishing emails. The process is fairly simple. If you want to check a URL, you can do this from the main page. If it is not in the database, follow the onscreen instructions and submit the phish. You can then share the URL with the group and we can help review and upvote sites once they’re submitted.

Every little bit we do to disrupt these networks helps, so get registered and make sure you remember to report and upvote!

Embedding safety culture and behaviour

In times of uncertainty we can see that demand for information security and risk management is increasing daily. How is our volatile, uncertain, complex and ambiguous (VUCA) world impacting healthcare services and companies that need to adapt to it?

The rush to use cloud services sometimes means organizations are not thinking fully about the risks. Thinking that “it’s in the cloud, therefore it’s safe” is wrong, though vendors may claim it is.

Therefore, it’s important to ensure that information risk is managed properly, and one way to do that is to embed safety culture when working with suppliers.

There is a risk to business activities if information becomes disclosed to those not authorized to see it, or if information or systems fail to be available or are corrupted.

It is therefore important that we take the appropriate security precautions to ensure that the third-party suppliers we work with have the right measures in place to protect the confidentiality, integrity and availability of information.

Based on this Ponemon Study, more than 56% of organizations claimed that they have had data breaches in the past two years that can be linked to third parties. On top of that, 6% were unsure if they had suffered a data breach at all.

What we can do to ensure that we have effective, preventive controls in place:

  1. Assess supplier networks
    1. Consider including your expectations for security controls and periodic auditing within vendor contracts to ensure that your selected suppliers meet the same level of scrutiny as your internal enterprise. 
  2. Know your risks
    1. Identify your most valuable assets, such as intellectual property, proprietary information, and customer and employee personal data.
  3. Include third parties in your remediation plan
    1. Don’t assume that suppliers will handle everything for you.

Once we understand what assets we need to protect, it is easier to assess the risks. We must also remember to form partnerships with providers to ensure that value from services will be maximized and at the same time, both parties will be accountable for protecting critical data.

But how should we mitigate the risks, as the question is not if but when a breach will happen?

  1. Contract
    1. Security and risk mitigation requirements must be included in an organization’s contractual agreements with third-party vendors and service providers.
  2. Incident Response
    1. Does the service provider have an enhanced and up-to-date incident response plan? Does the third party test the resiliency of the plan and go through simulated tabletop exercises?
  3. Assessment
    1. Accept standardized questionnaire content based on known best-practice security frameworks (e.g. ISO 27001, NIST)
  4. Penetration tests
    1. Look for vulnerabilities, such as unapplied patches and potential attack vectors, that could put your data at risk.
  5. Strong Access Controls
    1. Where possible, ensure vendors are using your systems and relevant controls to access your environment.
  6. Minimize risky providers
    1. Continuously monitor the cyber posture of the supplier and receive live alerts on any significant changes.

There’s too much at stake right now, so one of the things we can do is to raise awareness, build community and ensure that continuity of services will be maintained.

This post was authored by: Radoslaw Gnat

Protecting front-line healthcare services

Author: @SarahASmith75

As the situation with COVID-19 continues to develop, this is putting a strain on the availability and continuity of healthcare services.

Whilst it is generally accepted that social distancing can slow the velocity of infection, the number of cases is set to rise over the coming weeks and months. Those most at risk are the elderly and/or people with underlying medical conditions. Regular contact with suspected and actual cases also increases the likelihood of healthcare professionals becoming ill and needing to self-isolate.

This increased demand and shortage of resources can lead to secondary incidents and failures, particularly with the availability of buildings, facilities and IT services.

So what can healthcare services do to protect themselves from the potential impact of COVID-19?

From a business continuity perspective, we will consider 3 key scenarios:

  1. Availability of buildings and facilities
  2. Availability of key IT systems
  3. Availability of key people

1.     Availability of buildings and facilities

As the number of people requiring treatment and hospitalisation rises, so does the demand for specialist buildings and facilities.

Intensive care facilities and ventilators require round-the-clock availability of power, which increases the potential for failure.

In addition, people in hospital for other reasons may need to be segregated to reduce their likelihood of exposure.

Things to consider:

  • Resilience of buildings to utilities failure
  • Testing of on-site and mobile generators 
  • Diesel storage for generators
  • Turning off non-essential services to reduce load
  • Physical separation and zoning of areas 
  • Increased cleaning and waste disposal to reduce secondary infection vectors
  • Use of hotels for staff and non-critical patients
  • Use of portable cabins or marquees for triage
  • Use of mobile catering units 

2.     Availability of key IT services

Not only is access to IT systems and data required for managing patients, it is also needed for reporting and modelling.

In crisis situations, IT systems and data are at risk from cyberattacks and data breaches as criminals look to exploit the situation or cause further disruptions.

Things to consider:

  • Ability to flex capacity and performance to meet demand
  • Proactive monitoring and system checks
  • Regular backups of systems and data
  • Security and awareness training
  • Ability to failover IT services in the event of failure or corruption
  • Ability to shut down non-essential services
  • Manual workarounds if key IT services not available
  • Use of third parties to provide additional IT support 

3.     Availability of key people

This goes beyond medical and care professionals and extends to ancillary staff to support the buildings, facilities and IT services.

When managing a crisis, people tend to work longer hours to deal with demand, but this can often be counter-productive due to fatigue and susceptibility to illness. 

Things to consider:

  • Prioritise essential and critical services
  • Perform key skills gap analysis
  • Perform additional training and awareness
  • Enforce strict breaks and rotation of shifts
  • Assess transport needs for staff and patients
  • Request additional support from private sector:
    • First aiders
    • Health and safety professionals
    • Security guards
    • IT professionals
    • Catering
    • Laboratory technicians
    • Child carers and teachers
    • Drivers

Vast numbers of people are being affected by COVID-19, either directly or indirectly.  It is vital to protect front-line healthcare services from buildings, facilities and IT failures, to ensure people can get access to the care and support they need. 

By working together, we can enable the continuity and availability of these essential services.

Thanks to @SarahASmith75 for creating this great post! We will be working out a wider process for volunteer submissions in the near future; in the meantime, please contact @UK_Daniel_Card or @LisaForteUK.

Supporting the world in cyber space

An uncharted path

We are working away in the background and, as many of you can probably imagine, there is a huge range of logistical challenges in our path. Healthcare (and other sensitive/critical services) is not somewhere we can just rock up and start jumping on systems and networks; even just organisationally and from a comms point of view the challenges aren’t small. We want to make sure that as a group we can help no matter where we are.

A Force for Good

To this end we are formulating ideas for initiatives whereby we can support our healthcare services from an internet perspective.

Our thinking in this space is along these lines:

  • Phishing Reporting
  • Malware Analysis
  • OSINT/Threat Intelligence
  • Malicious Website Takedowns
  • COVID19 ‘Opportunity Abuse’
  • Social Media Amplification
  • Creation of helpful content around good cyber security guidance
  • Sharing of useful resources and trusted services

We are taking a cautious approach to how we enable this group. We are doing a huge amount of work talking with partners, volunteers and technical solution providers, but we also MUST ensure that the work we do is conducted in line with our mission to HELP (not hinder)! We’ve put together a code of conduct to help support this!

If anyone has any suggestions for other ways we can support, please get in touch with the team on the LinkedIn group.

Active Defences – Protective DNS


The NCSC provide a range of services for public organisations (such as the NHS). Part of these include active defence services. One of these is protective DNS!

Protective DNS

Protective DNS acts as a sinkholing mechanism to help prevent an unsuspecting web user from visiting a malicious site (such as a phishing site or one hosting malware). Well, what’s that?

DNS acts as an address book: you enter a URL e.g. and your device does a lookup against its name server; if the address exists, a valid response is returned. With protective DNS, rather than forwarding your requests to raw internet DNS servers, you use a managed service which keeps a constantly updated list of known malicious sites, etc. That way, if you try to visit a bad site, you are given a safe address and your device never gets there! My explanation here is very simple; it’s a bit more complex in reality. Luckily the team at NCSC have written up a far more in-depth view of this.

If you are a public organisation hopefully you’ve already got this and a load of other controls deployed, however I wanted to highlight this again, as if you are a public sector organisation you can request and leverage this as one of the ways to help prevent the impact of phishing and typos, etc. (I typo all the time!)

For those of you who are operating at a personal or business level, there are a range of commercial and free services available such as:

Another line of defence

So, no matter how big or small your organisation is, and if it is public or private you can implement protective DNS as one of the many controls required to keep you safe from cybercriminals. Remember, you need a layered approach to cyber security and protective DNS is just one of those that can be a great way to fight back!
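The sinkholing just described is the same mechanism the Pi-hole post above relies on when it tells you to check that Pi-hole blocks the right DNS queries. The following added example for this briefing (not code from either post or from the Pi-hole project) shows the decision in miniature: it loads a blocklist in the domain-per-line format feeds like Phishing Army publish, normalises a queried name the way a resolver sees it, answers a blocked name with a sinkhole address instead of forwarding it, and offers a partial-match search like the Pi-hole "Query Lists" page. Every domain in the feed is a constructed placeholder, `fake_upstream` stands in for a real forwarder, and, as an assumption, the example also blocks subdomains of a listed domain (Pi-hole's gravity list matches exact names; subdomain blocking there needs a regex or wildcard entry).

```python
"""A minimal protective-DNS decision in the style of Pi-hole's gravity list.

Added example for this briefing, not code from the original posts or from
the Pi-hole project. It loads a blocklist in the domain-per-line format
used by feeds such as Phishing Army (comments and blank lines allowed;
every entry here is a constructed placeholder, not a real phishing site),
normalises a queried name the way a resolver sees it, and returns a
sinkhole address for blocked names so the client never reaches the site.
As an assumption the example also blocks subdomains of a listed domain;
Pi-hole's gravity list matches exact names, and subdomain blocking there
needs a regex or wildcard entry.
"""

SINKHOLE = "0.0.0.0"   # Pi-hole's default blocking answer

CONSTRUCTED_FEED = """\
# Constructed phishing-style feed, one domain per line
# updated: 2020-07-01
login-nhs-verify.example
secure-who-covid.example   # inline comment after the entry
WWW.Covid-Relief-Payment.EXAMPLE.
0.0.0.0 ppe-supplies-order.example
"""


def normalise(name):
    """Lower-case, strip surrounding whitespace and the trailing dot of an FQDN."""
    return name.strip().lower().rstrip(".")


def load_blocklist(text):
    """Parse a domain-per-line (or hosts-file style) feed into a set of domains."""
    domains = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        domains.add(normalise(entry.split()[-1]))   # hosts lines: "0.0.0.0 domain"
    return domains


def is_blocked(qname, blocklist):
    """True if qname or any parent domain (never a bare TLD) is listed."""
    labels = normalise(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))


def search(blocklist, fragment):
    """Partial-match search, like the Pi-hole 'Query Lists' page."""
    fragment = fragment.lower()
    return sorted(d for d in blocklist if fragment in d)


def resolve(qname, blocklist, upstream):
    """Return (answer, reason): the sinkhole for blocked names, else the upstream answer."""
    if is_blocked(qname, blocklist):
        return SINKHOLE, "blocked"
    return upstream(qname), "forwarded"


def fake_upstream(qname):
    """Stand-in for a real forwarder; constructed answers only."""
    return {"nhs.uk": "203.0.113.5"}.get(normalise(qname), "198.51.100.1")


if __name__ == "__main__":
    blocklist = load_blocklist(CONSTRUCTED_FEED)
    for name in ("LOGIN-NHS-VERIFY.example.", "cdn.secure-who-covid.example", "nhs.uk"):
        print(name, "->", resolve(name, blocklist, fake_upstream))
    print("matches for 'covid':", search(blocklist, "covid"))
```

The normalisation step is the part that matters operationally: a feed entry with capital letters or a trailing dot would silently fail to match real queries otherwise, which is exactly the "check that it blocks the right queries" step in the Pi-hole chain.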