@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who hope to stay current with the offensive methods in use.
March 5, 2020
=============================================================
@RISK: The Consensus Security Vulnerability Alert
March 5, 2020 - Vol. 20, Num. 10
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Feb. 27 - March 5
============================================================
TOP VULNERABILITY THIS WEEK: Mozart backdoor uses DNS to communicate with attackers
******************** Sponsored By SANS *********************
Women in Cybersecurity Forum, April 24th in Washington, D.C. Join successful and empowering women including Lesley Carhart, Diana Kelley and Renee Guttmann as they share their experiences working in the cybersecurity industry. Learn about their valuable training experiences, advice on moving up the corporate ladder, and more! Free with discount code WICForum2020. http://www.sans.org/info/215715
============================================================
TRAINING UPDATE
-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020
-- SANS Security West 2020 | San Diego, CA | May 6-13 | https://www.sans.org/event/security-west-2020
-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020
-- SANS San Francisco Spring 2020 | March 16-27 | https://www.sans.org/event/san-francisco-spring-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020
-- SANS London April 2020 | April 20-25 | https://www.sans.org/event/london-april-2020
-- Cloud Security Summit & Training 2020 | Frisco, TX | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020
-- Rocky Mountain Hackfest Summit & Training 2020 | Denver, CO | June 1-8 | https://www.sans.org/event/rockymountainhackfest-summit-2020
-- SANS OnDemand and vLive Training
Get an iPad mini (64GB), HP Chromebook 14 G5, or Take $300 Off through March 18 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Webinar: How to Prioritize Security Controls for Situational Awareness in AWS. http://www.sans.org/info/215720
2) Webcast March 12th at 1PM ET: Innovative Application Security Testing Techniques for Modern Software Development. http://www.sans.org/info/215725
3) Learn best practices for implementing SD-WAN to ensure consistent security in this upcoming webcast. http://www.sans.org/info/215730
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Details of new Mozart malware family unveiled
Description: A new malware family known as "Mozart" uses DNS to communicate with a command and control (C2) server that appears to belong to its creators. It also evades detection by disguising itself and executing specialized JScript files. Once a machine is infected, Mozart can download other malware onto it, including ransomware and cryptocurrency miners. The malware is typically spread through spam campaigns carrying malicious PDF attachments: when a victim opens the PDF, it displays a message claiming that the PDF reader does not support a particular font and prompts the user to download that font, and the download link actually points to a malicious ZIP file.
Reference: https://www.pcrisk.com/removal-guides/17152-mozart-malware
Snort SIDs: 53364 - 53373
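The defining trait of the Mozart entry above is command and control carried over DNS, which is something a defender can hunt for in resolver logs even without a signature. The following Python script is an added example; it is not part of this newsletter and not Talos detection content. It scores each (client, registered domain) pair on query volume, the share of distinct subdomains, the share of TXT queries and the entropy of the leftmost label, which are generic indicators of DNS-based C2 or tunnelling. The log format, the `c2-placeholder.test` domain, the client addresses and the thresholds are all constructed for the demo.

```python
"""Flag hosts whose DNS traffic looks like command-and-control over DNS.

Added illustrative example, not part of the @RISK newsletter and not Talos
content. The heuristics are generic DNS-C2/tunnelling indicators; the log
lines, domains and thresholds below are constructed for the demo.
"""
from collections import defaultdict
import math
import re

# Constructed sample log: "<epoch> <client_ip> <qtype> <qname>".
# 10.0.0.7 issues a burst of TXT queries for random-looking subdomains of one
# domain, the shape DNS-based C2 tends to have; the other clients look normal.
SAMPLE_LOG = """\
1583366400 10.0.0.5 A www.example.com
1583366401 10.0.0.5 A cdn.example.com
1583366402 10.0.0.7 TXT a8f1c3e9b2d4.c2-placeholder.test
1583366403 10.0.0.7 TXT 7b22d0e4f19a.c2-placeholder.test
1583366404 10.0.0.7 TXT e3c9a77d1b05.c2-placeholder.test
1583366405 10.0.0.7 TXT 91fd4b2ac6e8.c2-placeholder.test
1583366406 10.0.0.7 TXT 5d0a6e3f8c21.c2-placeholder.test
1583366407 10.0.0.7 TXT b4e7f2a0d913.c2-placeholder.test
1583366408 10.0.0.9 A mail.example.com
1583366409 10.0.0.9 TXT _dmarc.example.com
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def registered_domain(qname: str) -> str:
    """Crude registered-domain extraction (last two labels).
    A production version would consult the public suffix list."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_dns_log(log_text: str, min_queries: int = 5,
                  min_unique_ratio: float = 0.8, min_entropy: float = 3.0) -> dict:
    """Aggregate per (client, registered domain) and return the pairs whose
    traffic is high-volume, almost entirely distinct subdomains and
    random-looking. Thresholds are constructed defaults; baseline them locally."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(),
                                 "txt": 0, "entropy_sum": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        _, client, qtype, qname = m.groups()
        s = stats[(client, registered_domain(qname))]
        s["queries"] += 1
        s["subdomains"].add(qname)
        s["txt"] += int(qtype.upper() == "TXT")
        s["entropy_sum"] += shannon_entropy(qname.split(".")[0])

    flagged = {}
    for key, s in stats.items():
        if s["queries"] < min_queries:
            continue
        unique_ratio = len(s["subdomains"]) / s["queries"]
        mean_entropy = s["entropy_sum"] / s["queries"]
        txt_share = s["txt"] / s["queries"]
        if unique_ratio >= min_unique_ratio and mean_entropy >= min_entropy:
            flagged[key] = {"queries": s["queries"],
                            "unique_ratio": round(unique_ratio, 2),
                            "txt_share": round(txt_share, 2),
                            "mean_entropy": round(mean_entropy, 2)}
    return flagged


if __name__ == "__main__":
    for (client, domain), info in score_dns_log(SAMPLE_LOG).items():
        print(f"{client} -> {domain}: {info}")
```

Treat the output as a hunting lead rather than a verdict: CDNs, antivirus cloud lookups and email authentication checks also produce many distinct subdomains, so an allow-list of known high-cardinality domains and a local baseline for the thresholds are needed before this runs unattended.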
Title: Ryuk ransomware strikes across the globe
Description: Several reports surfaced over the past week of the Ryuk ransomware being used in attacks over the course of the past year. Notable recent infections include an attack on a Fortune 500 company that specializes in mechanical and electrical construction, a local library system and a police department in Florida, and a school district in New Mexico. Ryuk primarily spreads through phishing emails and contains a number of capabilities, including credential theft and the downloading of a cryptocurrency miner.
Reference: https://www.infosecurity-magazine.com/blogs/ryuk-defending-ransomware/
Snort SIDs: 53333, 53334, 53336, 53337
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
A BuzzFeed News investigation found that the controversial Clearview AI facial recognition company is partnering with more than 2,200 government organizations and private companies across the U.S., including the U.S. Justice Department, Immigration and Customs Enforcement and even the NBA.
https://www.buzzfeednews.com/article/ryanmac/clearview-ai-fbi-ice-global-law-enforcement
An NSA program aimed at scraping metadata from Americans' phone calls only produced two leads over the course of its four years in existence, despite the program costing $100 million to run.
https://www.theatlantic.com/ideas/archive/2020/02/costs-spying/607177/
A new variant of the Cerberus trojan for Android devices can steal users' Google two-factor authentication passcodes to gain access to secured accounts.
https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/
A widely used Wi-Fi chip is open to an attack that could allow adversaries to break WPA2 Personal and Enterprise protocols.
https://threatpost.com/billions-of-devices-wifi-encryption-hack/153267/
Online prescription provider GoodRx announced it was stopping an information-sharing partnership with Google and Facebook after multiple reports made customers aware of the relationships.
The U.S.'s so-called "Super Tuesday" in the primary elections was shaping up to be the country's first major test of its cyber security preparedness for this year's election season.
American officials charged two Chinese nationals with laundering more than $100 million worth of cryptocurrency for a state-sponsored North Korean threat actor.
The U.S. Federal Communications Commission outlined a plan to fine wireless carriers up to $200 million for selling customers' location data.
MITRE released the newest version of its Common Weakness Enumeration list, adding new categories for security vulnerabilities that could arise in hardware design.
https://www.helpnetsecurity.com/2020/02/27/hardware-security-weaknesses/
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-0688
Title: Microsoft Windows Installer Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1938
Title: Apache Tomcat AJP File Inclusion Vulnerability ("Ghostcat")
Vendor: Apache
Description: The AJP connector (port 8009), which is enabled by default in Tomcat, has a file inclusion defect. An attacker who can reach the AJP port can craft a malicious AJP request that triggers a file inclusion and thereby read files from the web application directory of the affected Tomcat server.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
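Because Ghostcat requires a reachable AJP connector, the quickest mitigation check is an audit of each Tomcat instance's server.xml. The following Python script is an added example, not Tomcat's or Qualys's code. It relies on real Tomcat Connector attributes (`protocol="AJP/1.3"`, `port`, `address`, `secretRequired`, `secret`); the two server.xml fragments, one with the exposed default and one hardened, are constructed for the demo.

```python
"""Audit a Tomcat server.xml for AJP connectors exposed the way Ghostcat needs.

Added illustrative example, not Tomcat's or Qualys's code. The Connector
attribute names are real Tomcat attributes; the two server.xml fragments
are constructed for the demo.
"""
import xml.etree.ElementTree as ET

# Constructed: the stock pre-fix AJP connector. No address binding (so it
# listens on every interface) and no shared secret, which is the exposure
# CVE-2020-1938 ("Ghostcat") relies on.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# Constructed: hardened variant. AJP bound to loopback and a secret shared
# with the fronting reverse proxy. If nothing fronts Tomcat over AJP, remove
# the connector entirely instead.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="REPLACE-WITH-LONG-RANDOM-VALUE"/>
  </Service>
</Server>"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp(server_xml: str) -> list:
    """Return one finding string per AJP connector that is still exposed.
    An empty list means no AJP connector, or every AJP connector is bound to
    loopback and requires a non-empty secret."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port", "8009")
        # Older Tomcat releases default to all interfaces when address is absent.
        address = conn.get("address", "0.0.0.0")
        # Conservative: treat an absent secretRequired as unset, because
        # releases predating the fix ignore the attribute altogether.
        secret_required = conn.get("secretRequired", "false").lower() == "true"
        secret = conn.get("secret", "")

        problems = []
        if address not in LOOPBACK:
            problems.append(f"listens on {address}, not loopback")
        if not (secret_required and secret):
            problems.append("no AJP secret required")
        if problems:
            findings.append(f"AJP/{port}: " + "; ".join(problems))
    return findings


if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        print(label, audit_ajp(xml_text) or ["no exposed AJP connector"])
```

The fixed Tomcat releases (9.0.31, 8.5.51 and 7.0.100) changed the AJP defaults to bind to loopback and to require a secret, so the audit's pessimistic handling of missing attributes will over-report on a patched install with stock defaults; that is the safer direction for a fleet-wide check, and a finding on a patched host is cleared by making the binding and secret explicit in server.xml.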
ID: CVE-2019-9465
Title: Google's Titan M chip Information Disclosure Vulnerability
Vendor: Google
Description: In the Titan M handling of cryptographic operations, there is a possible information disclosure due to an unusual root cause. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android; Versions: Android-10; Android ID: A-133258003.
CVSS v3 Base Score: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
ID: CVE-2020-8794
Title: OpenBSD OpenSMTPD Local Privilege Escalation and Remote Code Execution Vulnerability
Vendor: OpenBSD
Description: An out-of-bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file, which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the privileges of the _smtpq group.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2019-15126
Title: WPA and WPA2 Disassociation Vulnerability ("Kr00k")
Vendor: Multi-Vendor
Description: An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic.
CVSS v3 Base Score: 3.1 (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
ID: CVE-2020-6418
Title: Google Chrome Heap Corruption Vulnerability
Vendor: Google
Description: Type confusion in V8 in Google Chrome allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser.
CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
=========================================================
MOST PREVALENT MALWARE FILES Feb. 27 - March 5:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94
MD5: 7c38a43d2ed9af80932749f6e80fea6f
VirusTotal: https://www.virustotal.com/gui/file/c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94/details
Typical Filename: wup.exe
Claimed Product: N/A
Detection Name: PUA.Win.File.Coinminer::1201
SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7
MD5: 88cbadec77cf90357f46a3629b6737e6
VirusTotal: https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.File.2144flashplayer::tpd
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743