@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
March 19, 2020
=============================================================
@RISK: The Consensus Security Vulnerability Alert
March 19, 2020 - Vol. 20, Num. 12
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES March 12 - 19
============================================================
TOP VULNERABILITY THIS WEEK: Microsoft patches more than 100 vulnerabilities in monthly update
*********** Sponsored By Fidelis Cybersecurity ************
Elevating Enterprise Security with Fidelis Cybersecurity: Network and Deception | This two-part webcast features Matt Bromiley providing feedback on the Fidelis Elevate platform, with respect to its ability to provide insight into network traffic, threats, deception and endpoint activity. Learn how this platform enables holistic visibility into network activity, focused investigations, and deception techniques. View here: http://www.sans.org/info/215865
============================================================
TRAINING UPDATE
In response to the global escalation of the COVID-19 outbreak, and to keep our community safe, SANS will not run any in-person training between now and June 1st. We are in the process of transitioning these live events to virtual formats when possible. Check https://www.sans.org/information-security-training/by-location/all for a schedule of courses you can complete online.
Any course you have or will purchase is protected by the SANS Training Guarantee. For more information, visit https://www.sans.org/training-guarantee or contact us: https://www.sans.org/about/contact/.
Travel-Free Training with SANS Online
SANS remains committed to providing you with:
-- The world's best cybersecurity training
-- Several battle-tested online platforms
-- The same Instructors, content, and learning results as live training
-- Hands-on labs and subject matter expert support
45 Courses are available now - no travel required. Learn More: sans.org/notravel
-- SANS 2020 - CyberCast | April 3-10 | https://www.sans.org/event/sans-2020
-- SANS Seattle Spring 2020 - CyberCast | March 23-28 | https://www.sans.org/event/seattle-spring-2020
-- SANS Philadelphia 2020 - CyberCast | March 30-April 4 | https://www.sans.org/event/philadelphia-2020
-- SANS Bethesda 2020 - CyberCast | April 14-19 | https://www.sans.org/event/bethesda-2020
-- SANS Minneapolis 2020 - CyberCast | April 14-19 | https://www.sans.org/event/minneapolis-2020
-- SANS Boston Spring 2020 - CyberCast | April 20-25 | https://www.sans.org/event/boston-spring-2020
-- SANS Pen Test Austin 2020 - CyberCast | April 27-May 2 | https://www.sans.org/event/pen-test-austin-2020
-- Cloud Security Summit & Training 2020 - CyberCast | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Cyber Threat Intelligence Solutions Forum | Join Robert M. Lee and guest speakers from ReversingLabs, Ixia, Recorded Future and DomainTools for this live simulcast. Register: http://www.sans.org/info/215870
2) Webcast | Knock, Knock: Is This Security Thing Working? Be among the first to receive the associated whitepaper written by Matt Bromiley. http://www.sans.org/info/215855
3) Webcast March 25th at 1 PM ET: Stopping Attacks in Their Tracks Through Behavioral Blocking and Containment. Register: http://www.sans.org/info/215860
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Parallax malware-for-sale increasingly spread through spam
Description: The Parallax remote access trojan has been seen increasingly in spam emails since it became publicly available on hacker forums. The malware-as-a-service costs roughly $65 a month. Attackers use the RAT to gain access to a victim's machine, then steal login credentials and files and execute code. Users should be wary of phony emails that may contain malicious links pointing to a Parallax download.
Snort SIDs: 53437 - 53440
Title: Zoho ManageEngine contains remote code execution vulnerability, being exploited in the wild
Description: Attackers are exploiting a remote code execution vulnerability in Zoho ManageEngine in the wild. The bug, identified as CVE-2020-10189, could allow an attacker to supply data that the application deserializes and then execute arbitrary code on the victim machine with SYSTEM or root privileges. One security researcher discovered 2,300 unprotected instances running ManageEngine.
Reference: https://www.helpnetsecurity.com/2020/03/10/cve-2020-10189/
Snort SIDs: 53433 - 53435
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The COVID-19 pandemic has attackers looking to capitalize on current events, specifically spreading a popular map app that claims to show where there are new virus cases.
More workers across the globe are also staying home as part of "social distancing," which leaves large organizations open to cyber attacks. Here are some tips for staying safe online while working remotely.
https://www.zdnet.com/article/working-from-home-cybersecurity-tips-for-remote-workers/
The US Department of Health and Human Services suffered a cyber attack earlier this week as the government scrambled to respond to COVID-19.
Microsoft released an out-of-band security update for a vulnerability in SMBv3 that could allow attackers to connect to remote systems while SMB is enabled.
https://www.zdnet.com/article/microsoft-patches-smbv3-wormable-bug-that-leaked-earlier-this-week/
The US Senate passed a 77-day extension of its surveillance powers, which allows agencies to carry out "roving" wiretaps and other actions, though leaders promise they will use that time to make changes to the policy.
US Congress is working on a bill that would essentially allow lawmakers to bypass end-to-end encryption, though it has largely gone unnoticed during the COVID-19 outbreak.
A new bill in the US Senate would ban the Chinese-developed app TikTok from federal workers' mobile devices.
A new strain of Android malware known as "Cookiethief" is stealing users' Facebook credentials.
https://www.darkreading.com/new-android-malware-strain-sneaks-cookies-from-facebook/d/d-id/1337304
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-0796
Title: Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-0787
Title: Microsoft Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-0688
Title: Microsoft Exchange Memory Corruption Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. Knowledge of the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2019-1019
Title: Microsoft Windows Security Feature Bypass Vulnerability
Vendor: Microsoft
Description: A security feature bypass vulnerability exists where a NETLOGON message is able to obtain the session key and sign messages. To exploit this vulnerability, an attacker could send a specially crafted authentication request. An attacker who successfully exploited this vulnerability could access another machine using the original user privileges.
CVSS v3 Base Score: 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2019-18683
Title: Linux Kernel Use-After-Free Vulnerability
Vendor: Multi-Vendor
Description: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.
CVSS v3 Base Score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1938
Title: Apache Tomcat AJP File Inclusion Vulnerability ("Ghostcat")
Vendor: Apache
Description: Due to a file inclusion defect in the AJP service (port 8009), which is enabled by default in Tomcat, an attacker can send a crafted AJP request that performs a file inclusion and reads files from the web application directory on the affected Tomcat server.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-8794
Title: OpenBSD OpenSMTPD Local Privilege Escalation and Remote Code Execution Vulnerability
Vendor: OpenBSD
Description: An out-of-bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file, which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES: March 12 - 19
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 8e0aea169927ae791dbafe063a567485d33154198cd539ee7efcd81a734ea325
MD5: 5fb477098fc975fd1b314c8fb0e4ec06
VirusTotal: https://www.virustotal.com/gui/file/8e0aea169927ae791dbafe063a567485d33154198cd539ee7efcd81a734ea325/details
Typical Filename: upxarch.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in07.talos
SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7
MD5: 88cbadec77cf90357f46a3629b6737e6
VirusTotal: https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.File.2144flashplayer::tpd
SHA 256: 1bbcd367a317af33aee72ae06f5f38067f27b27a0f321b54325cfb0f7431ebe7
MD5: 06fad4d91f0e79143d1270ad0b1fce3f
VirusTotal: https://www.virustotal.com/gui/file/1bbcd367a317af33aee72ae06f5f38067f27b27a0f321b54325cfb0f7431ebe7/details
Typical Filename: set-up.exe
Claimed Product: uTorrent
Detection Name: W32.1BBCD367A3-100.SBX.VIOC
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos
SHA 256: 64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b
MD5: 42143a53581e0304b08f61c2ef8032d7
VirusTotal: https://www.virustotal.com/gui/file/64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b/details
Typical Filename: myfile.exe
Claimed Product: N/A
Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos
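The hash list above is only useful if it is actually checked against files on hosts. The following Python script is an added example, not part of the newsletter or of Talos's tooling: it parses entries in the exact "Field: value" layout printed above, indexes them by both SHA-256 and MD5, and streams every file under a directory through both hashes to report matches. The three embedded entries are copied from this issue; the dictionary key names (`typical_filename`, `detection_name`, and so on) and the function names are this script's own.

```python
import hashlib
import re
from pathlib import Path

# Excerpt copied from this issue's "MOST PREVALENT MALWARE FILES" list (three entries),
# embedded so the script runs offline.
IOC_TEXT = """\
SHA 256: 8e0aea169927ae791dbafe063a567485d33154198cd539ee7efcd81a734ea325
MD5: 5fb477098fc975fd1b314c8fb0e4ec06
Typical Filename: upxarch.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in07.talos
SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7
MD5: 88cbadec77cf90357f46a3629b6737e6
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.File.2144flashplayer::tpd
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos
"""

# One "Field: value" line of the newsletter format; the labels are the newsletter's own.
FIELD_RE = re.compile(
    r"^(SHA 256|MD5|VirusTotal|Typical Filename|Claimed Product|Detection Name):\s*(.*)$"
)


def parse_ioc_block(text):
    """Split the newsletter section into one dict per sample; each 'SHA 256' line starts a record."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # separators, headings and blank lines
        key, value = m.groups()
        if key == "SHA 256":
            current = {"sha256": value.strip().lower()}
            records.append(current)
        elif current is not None:
            # Key names are this script's own: md5, virustotal, typical_filename, ...
            current[key.lower().replace(" ", "_")] = value.strip()
    return records


def build_index(records):
    """Index records by both digests so a lookup by either hash is a single dict access."""
    index = {}
    for rec in records:
        index[rec["sha256"]] = rec
        if "md5" in rec:
            index[rec["md5"].lower()] = rec
    return index


def digest_bytes(data):
    """Return (sha256, md5) hex digests of an in-memory blob."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def digest_file(path, chunk_size=1 << 20):
    """Stream a file through both hashes so large binaries are never read into memory whole."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(chunk)
            md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def match_digests(sha256, md5, index):
    """Return the IoC record matching either digest, or None.

    SHA-256 is the authoritative match; an MD5-only hit is still reported because many
    feeds carry only MD5, but it should be confirmed against the SHA-256 before acting.
    """
    return index.get(sha256.lower()) or index.get(md5.lower())


def scan_tree(root, index):
    """Walk a directory tree and return (path, record) for every file whose digest is indexed."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            sha256, md5 = digest_file(path)
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole scan
        rec = match_digests(sha256, md5, index)
        if rec is not None:
            hits.append((str(path), rec))
    return hits


if __name__ == "__main__":
    import sys

    iocs = build_index(parse_ioc_block(IOC_TEXT))
    for hit_path, rec in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".", iocs):
        print(f"{hit_path}: {rec['detection_name']} (typical filename {rec['typical_filename']})")
```

Run it as `python scan.py /path/to/check`; in practice the parser would be fed the full newsletter text rather than the embedded excerpt, and the hits forwarded to the SIEM or ticketing system. Hash matching is exact, so a repacked or recompiled sample will not match; treat the list as a cheap first pass, not as coverage.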
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743