@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. Because it is also valuable for security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who want to stay current with the offensive methods in use.
April 9, 2020
=============================================================
@RISK: The Consensus Security Vulnerability Alert
April 09, 2020 - Vol. 20, Num. 15
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES April 2 - 9
============================================================
TOP VULNERABILITY THIS WEEK: Mozilla Firefox patches two use-after-free vulnerabilities exploited in the wild
************** Sponsored By AWS Marketplace ****************
Architecting Least Privilege in the Cloud. SANS Analyst Dave Shackleford explains the importance of least privilege and micro-segmentation to reduce risk in cloud deployments. Learn how to deploy your architecture using the three pillars of least privilege and follow a use case for least privilege in the AWS cloud. Tuesday, April 14, 2 PM ET. http://www.sans.org/info/216050
============================================================
TRAINING UPDATE
Keep your skills sharp, train online with SANS OnDemand:
* 45 of the world's top cybersecurity courses
* Flexible self-paced format you can take anytime, anywhere
* A battle-tested training platform including 4 months of access
* Hands-on labs and GIAC-certified SME support
Test drive and purchase SANS OnDemand courses.
- https://www.sans.org/ondemand/
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee
********************** Sponsored Links: ********************
1) Webcast April 14th at 10:30 AM ET: Pre-Runtime vs. Runtime Protection: What's Best for Your IaaS Security? http://www.sans.org/info/216055
2) Did you miss this webcast? Shared Responsibility of Salesforce Security. View here: http://www.sans.org/info/216060
3) Virtual Forum April 24th | Women in Cybersecurity featuring Lesley Carhart, Diana Kelley, Katie Nickels and more. Register: http://www.sans.org/info/216065
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Mozilla releases fixes for two use-after-free vulnerabilities in Firefox
Description: Mozilla released patches for two use-after-free vulnerabilities in its Firefox web browser. The company said it had seen attackers actively exploiting the bugs in the wild, which prompted the emergency updates. In both cases, a race condition in the browser can lead to a use-after-free condition, though Mozilla has not provided details on how, exactly, these vulnerabilities were used in attacks.
Reference: https://duo.com/decipher/mozilla-fixes-two-firefox-flaws-under-active-attack
Snort SIDs: 53580, 53581
Title: Critical CODESYS vulnerability could allow attacker to crash server, execute remote code
Description: A critical bug in 3S' CODESYS automation software could allow an attacker to crash an affected server or execute remote code on the web server. 3S released a patch for the vulnerability, identified as CVE-2020-10245, which received a severity score of 10 out of 10. The bug is a heap-based buffer overflow in the software that could cause a denial of service.
Reference: https://threatpost.com/critical-codesys-bug-remote-code-execution/154213/
Snort SIDs: 53557, 53558
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Marriott disclosed that hackers used login credentials belonging to two employees of a franchise company to access customer data, compromising the information of more than 5 million customers.
https://www.cnet.com/news/marriott-discloses-new-data-breach-impacting-5-point-2-million-guests/
Researchers discovered potential security flaws in the encryption used by the video conferencing platform Zoom, including the routing of some encryption keys through servers in China.
After a wave of negative headlines concerning Zoom and its security features, the Taiwanese government informed employees they should not be using the conferencing app while they work from home during the COVID-19 crisis.
A critical vulnerability in a popular WordPress plugin could allow attackers to completely lock admins out of their sites, the latest in a string of bugs for plugins for the popular content management system.
https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/
A new COVID-19-themed malware family can completely wipe victims' computers and, in some cases, rewrite the MBR sectors.
Microsoft purchased controversial domain corp[.]com with the goal of keeping it out of bad actors' hands.
https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-guys-cant/
While the vast majority of individuals across the globe are staying home during the COVID-19 crisis, their internet usage has changed, including spending an increasing amount of time on streaming sites while seeing a reduction in mobile device usage.
https://www.nytimes.com/interactive/2020/04/07/technology/coronavirus-internet-use.html
With more college classes moving completely online for the remainder of the semester, some schools have started using online proctor services, which students and professors have said is an invasion of privacy.
https://www.washingtonpost.com/technology/2020/04/01/online-proctoring-college-exams-coronavirus/
NASA says it has seen an "exponential" increase in attempted cyber attacks as more of its employees began working remotely due to the COVID-19 pandemic.
A cyber attack on Italy's Social Security website took down its services, temporarily preventing individuals from receiving government stimulus checks connected to a COVID-19 relief package.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-0674
Title: Microsoft Scripting Engine Memory Corruption Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-0796
Title: Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-0041
Title: Google Android Privilege Escalation Vulnerability
Vendor: Android
Description: In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-10204
Title: Sonatype Nexus Repository Remote Code Execution Vulnerability
Vendor: Sonatype
Description: A Remote Code Execution vulnerability exists in Nexus Repository Manager. The vulnerability allows for an attacker with any type of account on NXRM to execute arbitrary code by crafting a malicious request to NXRM.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-3947
Title: VMware Workstation vmnetdhcp Denial of Service Vulnerability
Vendor: VMware
Description: VMware Workstation contains a use-after-free vulnerability in vmnetdhcp. Successful exploitation of this issue may lead to code execution on the host from the guest, or may allow attackers to create a denial of service condition in the vmnetdhcp service running on the host machine.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-3919
Title: Apple macOS Privilege Escalation Vulnerability
Vendor: Apple
Description: A memory initialization issue was addressed with improved memory handling. A malicious application may be able to execute arbitrary code with kernel privileges.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-7982
Title: OpenWrt's opkg Man In The Middle Attack Vulnerability
Vendor: OpenWrt
Description: A bug in the fork of the opkg package manager before 2020-01-25 prevents correct parsing of embedded checksums in the signed repository index, allowing a man-in-the-middle attacker to inject arbitrary package payloads (which are installed without verification).
CVSS v3 Base Score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-8515
Title: DrayTek pre-auth Remote Code Execution Vulnerability
Vendor: DrayTek
Description: DrayTek devices allow remote code execution as root (without authentication) via shell metacharacters to the cgi-bin/mainfunction.cgi URI.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES April 2 - 9:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776
MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea
VirusTotal: https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::in03.talos
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: f2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters), or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743