@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.
A key purpose of @RISK is to provide the data that ensures the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses against all known attack vectors. Because it is also valuable to security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who want to stay current with the offensive methods in use.
April 16, 2020
=============================================================
@RISK: The Consensus Security Vulnerability Alert
April 16, 2020 - Vol. 20, Num. 16
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES April 9 - 16
============================================================
TOP VULNERABILITY THIS WEEK: 18 critical vulnerabilities disclosed as part of Microsoft Patch Tuesday
****************** Sponsored By Eclypsium ******************
Assessing Enterprise Firmware Security Risk - Attacks in the wild are targeting firmware in order to achieve persistence, evade security controls, and further strategic attacks. With firmware vulnerabilities at an all-time high, this Eclypsium whitepaper outlines 5 questions to evaluate and improve your firmware security posture. http://www.sans.org/info/216110
============================================================
TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Test drive a course: https://www.sans.org/course-preview
______________________
Upcoming Live Online Events:
Pen Test Austin 2020 | April 27-May 2
- https://www.sans.org/event/pen-test-austin-2020
Security West 2020 | May 11-16
- https://www.sans.org/event/security-west-2020
SANSFIRE 2020 | June 13-20
- https://www.sans.org/event/sansfire-2020
2-Day Firehose Training | June 29-30
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
In Person Training:
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
______________________
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee
********************** Sponsored Links: ********************
1) Poll | If you're now working remotely, take the SANS 2020 Work from Home Poll: http://www.sans.org/info/216115
2) Learn the implications of securing cloud applications and recommendations to approaching cloud security. http://www.sans.org/info/216120
3) Upcoming Webcast | How to Ensure Security and Productivity for Employees Working Remotely through Zoom, Teams, WebEx and other Collaboration Applications. http://www.sans.org/info/216125
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft releases monthly security update
Description: Microsoft released its monthly security update this week, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 113 vulnerabilities. Eighteen of the flaws Microsoft disclosed are rated critical, one is rated "moderate," and the remainder are rated "important." This month's security update covers security issues in a variety of Microsoft services and software, including SharePoint, the Windows font library and the Windows kernel.
Reference: https://blog.talosintelligence.com/2020/04/microsoft-patch-tuesday-april-2020.html
Snort SIDs: 53489 - 53492, 53619 - 53630, 53652 - 53655
Title: DrayTek routers, switches open to attack
Description: Tech company DrayTek recently patched two zero-day vulnerabilities in some of its routers and switches that could allow malicious actors to monitor traffic and install backdoors on affected networks. DrayTek worked with security researchers, who discovered the vulnerabilities and active exploitation in December, and patches were made available in late March. Users are encouraged to patch their devices as soon as possible or to disable remote admin access.
Snort SIDs: 53591, 53592
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Apple and Google announced plans to jointly develop a service that will alert users if they've been near someone who's been diagnosed with COVID-19.
https://techcrunch.com/2020/04/10/apple-and-google-are-launching-a-joint-covid-19-tracing-tool/
This "contact tracing" service has raised some concerns over privacy, however, and potential inequalities over individuals' access to wireless networks.
https://www.cnet.com/news/how-youll-get-apple-and-googles-contact-tracing-update-for-your-phone/
Cisco Talos researchers discovered many devices' fingerprint scanners can be tricked using 3-D printed models and resin copies of users' fingerprints.
https://blog.talosintelligence.com/2020/04/fingerprint-research.html
Foreign currency exchange company Travelex paid a $2.3 million ransomware demand in January. (Please note that this story is behind a paywall.)
Teleconferencing platform Zoom has taken steps to address some of the privacy and security concerns raised by experts.
https://www.fastcompany.com/90488717/can-you-trust-zoom
Microsoft says every country in the world has now seen at least one COVID-19-themed cyber attack, many of them utilizing the Emotet and Trickbot families.
Individuals working from home are looking toward upgrading to mesh Wi-Fi networks to improve their wireless internet speed while more employees work from home during the pandemic.
https://arstechnica.com/gadgets/2020/04/remote-work-lagging-if-you-cant-plug-it-in-upgrade-to-mesh/
Scammers are attempting to capitalize on the COVID-19 pandemic by offering phony services and health products through "gig economy" apps like Fiverr.
https://www.vice.com/en_us/article/v74ay9/fiverr-coronavirus-healers-mask-sellers
Online casino magnate SBTech is setting aside $30 million to respond to a cyber attack from last month as part of an acquisition agreement.
https://www.zdnet.com/article/gambling-company-to-set-aside-30-million-to-deal-with-cyber-attack-fallout/
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-0760
Title: Microsoft Office Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
CVSS v3 Base Score: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
ID: CVE-2020-1027
Title: Microsoft Windows Kernel Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-1020
Title: Microsoft Adobe Font Manager Library Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially crafted multi-master font (Adobe Type 1 PostScript format).
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-0687
Title: Microsoft Graphics Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2019-1381
Title: Microsoft Windows Information Disclosure Vulnerability
Vendor: Microsoft
Description: An information disclosure vulnerability exists when the Windows Servicing Stack allows access to unprivileged file locations. An attacker who successfully exploited the vulnerability could potentially access unauthorized files.
CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-0968
Title: Microsoft Scripting Engine Memory Corruption Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.
CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-0939
Title: Microsoft Media Foundation Information Disclosure Vulnerability
Vendor: Microsoft
Description: An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES April 9 - 16:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776
MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea
VirusTotal: https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::in03.talos
SHA 256: 589d9977a5b0420d29acc0c1968a2ff48102ac3ddc0a1f3188be79d0a4949c82
MD5: bf1d79fad6471fcf50e38a9ea1f646a5
VirusTotal: https://www.virustotal.com/gui/file/589d9977a5b0420d29acc0c1968a2ff48102ac3ddc0a1f3188be79d0a4949c82/details
Typical Filename: wupxarch.exe
Claimed Product: N/A
Detection Name: W32.Auto:589d99.in03.Talos
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos
SHA 256: 518a8844dae953d7f2510d38ba916f1c4ccc01cfba58f69290938b6ddde8b472
MD5: 9b47b9f19455bf56138ddb81c93b6c0c
VirusTotal: https://www.virustotal.com/gui/file/518a8844dae953d7f2510d38ba916f1c4ccc01cfba58f69290938b6ddde8b472/details
Typical Filename: updateprofile.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::tpd
SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
MD5: c2406fc0fce67ae79e625013325e2a68
VirusTotal: https://www.virustotal.com/gui/file/1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871/details
Typical Filename: SegurazoIC.exe
Claimed Product: Segurazo IC
Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg
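The record layout above (one "Key: value" line per field, each record starting with a "SHA 256:" line) is regular enough to turn into a hash lookup for a defender's tooling. The following Python is an added example, not code from SANS or Talos; it parses the five records exactly as printed above into an index keyed by SHA-256 and MD5, then checks a constructed byte string against it. Field names are taken from the newsletter; the "sample bytes" and the helper names are assumptions of this example.

```python
import hashlib
import re
from typing import Dict, List, Optional

# The five records below are copied from this issue's "Most prevalent malware files" list.
NEWSLETTER_RECORDS = """\
SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776
MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea
VirusTotal: https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::in03.talos
SHA 256: 589d9977a5b0420d29acc0c1968a2ff48102ac3ddc0a1f3188be79d0a4949c82
MD5: bf1d79fad6471fcf50e38a9ea1f646a5
VirusTotal: https://www.virustotal.com/gui/file/589d9977a5b0420d29acc0c1968a2ff48102ac3ddc0a1f3188be79d0a4949c82/details
Typical Filename: wupxarch.exe
Claimed Product: N/A
Detection Name: W32.Auto:589d99.in03.Talos
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos
SHA 256: 518a8844dae953d7f2510d38ba916f1c4ccc01cfba58f69290938b6ddde8b472
MD5: 9b47b9f19455bf56138ddb81c93b6c0c
VirusTotal: https://www.virustotal.com/gui/file/518a8844dae953d7f2510d38ba916f1c4ccc01cfba58f69290938b6ddde8b472/details
Typical Filename: updateprofile.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Generic::tpd
SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871
MD5: c2406fc0fce67ae79e625013325e2a68
VirusTotal: https://www.virustotal.com/gui/file/1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871/details
Typical Filename: SegurazoIC.exe
Claimed Product: Segurazo IC
Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg
"""

# Newsletter field label -> key used in the parsed record.
FIELD_MAP = {
    "SHA 256": "sha256",
    "MD5": "md5",
    "VirusTotal": "virustotal",
    "Typical Filename": "filename",
    "Claimed Product": "product",
    "Detection Name": "detection",
}
HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")
HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse the newsletter block into one dict per record; a 'SHA 256:' line starts a record."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        # Split only at the first colon so URLs and 'A::B' detection names stay intact.
        key, sep, value = line.partition(":")
        if not sep or key not in FIELD_MAP:
            continue
        field = FIELD_MAP[key]
        if field == "sha256":
            current = {}
            records.append(current)
        if current is not None:
            current[field] = value.strip()
    return records


def build_index(records: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Index records by lowercase SHA-256 and MD5; malformed hashes are skipped rather than trusted."""
    index: Dict[str, Dict[str, str]] = {}
    for rec in records:
        for field, pattern in (("sha256", HEX_SHA256), ("md5", HEX_MD5)):
            digest = rec.get(field, "").lower()
            if pattern.match(digest):
                index[digest] = rec
    return index


def lookup(index: Dict[str, Dict[str, str]], digest: str) -> Optional[Dict[str, str]]:
    """Case-insensitive hash lookup; returns the record or None."""
    return index.get(digest.strip().lower())


def check_bytes(index: Dict[str, Dict[str, str]], data: bytes) -> Optional[Dict[str, str]]:
    """Hash a blob with both algorithms the list carries and return a matching record, if any."""
    return lookup(index, hashlib.sha256(data).hexdigest()) or lookup(index, hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    idx = build_index(parse_records(NEWSLETTER_RECORDS))
    print(f"{len(idx)} indicators loaded")
    hit = check_bytes(idx, b"constructed sample bytes, not a real file")
    print("match:", hit["filename"] if hit else "none")
```

Only the hashes are used as match keys; the "Typical Filename" field is kept as context for an analyst, not as an indicator, since a filename is trivially changed while the hash is what the detection name is tied to.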
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters), or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743