@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
=============================================================
@RISK: The Consensus Security Vulnerability Alert
April 23, 2020 - Vol. 20, Num. 17
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES April 16 - 23
============================================================
TOP VULNERABILITY THIS WEEK: PoetRAT uses COVID-19-themed lure documents to entice victims
******************** Sponsored By SANS *********************
Remote Worker Poll | With the COVID-19 pandemic, organizations have been forced to rethink how they will get their work done with their employees mandated to stay at home. How has your organization handled working from home? Take this Remote Worker Poll written by Heather Mahalik and tell us how your company has adjusted to this new landscape as a workforce. http://www.sans.org/info/216175
============================================================
TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Test drive a course: https://www.sans.org/course-preview
______________________
Upcoming Live Online Events:
Security West 2020 | May 11-16
- https://www.sans.org/event/security-west-2020
2-Day Firehose Training | May 26-29
- https://www.sans.org/event/2-day-firehose-training-may27-2020
Cloud Security Summit & Training 2020 | May 28-June 6
- https://www.sans.org/event/cloud-security-summit-2020
Rocky Mountain Hackfest Summit & Training 2020 | June 4-13
- https://www.sans.org/event/rockymountainhackfest-summit-2020
SANSFIRE 2020 | June 13-20
- https://www.sans.org/event/sansfire-2020
2-Day Firehose Training | June 29-30
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
In Person Training:
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
______________________
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee
********************** Sponsored Links: ********************
1) Webcast Today at 1PM ET | WhatWorks in High Security Alternatives for Remote Collaboration and Communications. http://www.sans.org/info/216180
2) Survey | Tell us how your organization is extending its DevSecOps security controls into public cloud networks. http://www.sans.org/info/216185
3) Webcast April 28th at 3:30 PM ET | How Operational Technology (OT) Security is Redefining the CISO Role. http://www.sans.org/info/216190
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: PoetRAT uses COVID-19-themed lure documents to entice victims
Description: A new remote access trojan known as "PoetRAT" uses coronavirus-themed documents and emails to lure victims in. This was a previously undiscovered RAT. It is split into two components so that no single component exposes the whole malware to detection. The dropper uses an old trick in a new way: it appends the RAT to a Word document. When the document is opened, a macro runs that extracts the appended malware and executes it. The operation appears to be run manually, but it is streamlined to deploy additional tools as needed and to avoid unnecessary steps.
Reference: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
Snort SIDs: 53689 - 53691
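The defender-side check implied by the PoetRAT description is straightforward: a .docx is a ZIP container, so anything appended after the ZIP end-of-central-directory record is data Word never reads but a macro can carve out. The script below is an added example written for this issue, not code from the Talos report or from SANS; it builds constructed sample documents in memory (placeholder XML and a zero-filled stand-in for vbaProject.bin, no real PoetRAT artefact) and flags a document that both carries a VBA project and has foreign bytes trailing the container. The EOCD lookup validates each candidate against the central-directory offset it advertises, so an appended payload that is itself a ZIP does not fool it.

```python
"""Flag OOXML documents that carry a VBA project and data appended after the ZIP.

Added example, not code from the Talos report or the newsletter. Sample
documents are constructed below; nothing here is a real PoetRAT artefact.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
CDFH_SIG = b"PK\x01\x02"   # central-directory file header signature
EOCD_FIXED_LEN = 22        # fixed part of the EOCD; a variable comment follows


def find_eocd(data: bytes) -> int:
    """Return the offset of the EOCD record that closes the outer ZIP.

    rfind() alone is unsafe: an appended payload may itself be a ZIP with its own
    EOCD. Each candidate is therefore checked against the central-directory size
    and offset it advertises; for an ordinary archive cd_offset + cd_size == eocd.
    """
    pos = data.find(EOCD_SIG)
    while pos != -1:
        if pos + EOCD_FIXED_LEN <= len(data):
            cd_size, cd_offset = struct.unpack_from("<II", data, pos + 12)
            if cd_offset + cd_size == pos and data[cd_offset:cd_offset + 4] == CDFH_SIG:
                return pos
        pos = data.find(EOCD_SIG, pos + 1)
    raise ValueError("no consistent ZIP end-of-central-directory record")


def container_end(data: bytes) -> int:
    """Offset one past the last byte that belongs to the ZIP container."""
    eocd = find_eocd(data)
    comment_len = struct.unpack_from("<H", data, eocd + 20)[0]
    return eocd + EOCD_FIXED_LEN + comment_len


def trailing_bytes_after_zip(data: bytes) -> int:
    """Number of foreign bytes appended after the container (0 for a clean file)."""
    return len(data) - container_end(data)


def inspect_office_container(data: bytes) -> dict:
    """Indicators a triage script would log for one document."""
    end = container_end(data)
    # zipfile wants a clean archive, so hand it only the container itself.
    with zipfile.ZipFile(io.BytesIO(data[:end])) as zf:
        names = zf.namelist()
    has_macros = any(n.lower().endswith("vbaproject.bin") for n in names)
    trailing = len(data) - end
    return {
        "has_macros": has_macros,
        "trailing_bytes": trailing,
        "suspicious": has_macros and trailing > 0,
    }


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal .docx-like container (placeholder parts, not real Word output)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # stand-in for a VBA project
    return buf.getvalue()


# Constructed samples: a clean document, and a macro document with a second ZIP
# appended after its container (the appended archive has its own EOCD record).
CLEAN_DOC = build_sample_docx(with_macro=False)
PAYLOAD = b"CONSTRUCTED-STUB" + build_sample_docx(with_macro=False)
STAGED_DOC = build_sample_docx(with_macro=True) + PAYLOAD

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_DOC), ("staged", STAGED_DOC)):
        print(label, inspect_office_container(doc))
```

Run over a mail gateway's quarantined attachments, the `suspicious` flag (macros present and trailing bytes greater than zero) is a cheap pre-filter; the trailing byte count and its hash are worth logging even when no macro is found, since the appended blob is the artefact an analyst will want.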
Title: Cisco discloses 17 critical vulnerabilities in UCS software
Description: Cisco patched 17 critical vulnerabilities last week in its Unified Computing System. The software allows users to build private cloud systems and optimize data-center resources. If successful, an adversary could use these flaws to remotely access systems or cause denial-of-service conditions. Most of the vulnerabilities lie in the UCS REST API.
Snort SIDs: 53667 - 53683
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Hackers are reportedly selling two zero-day vulnerabilities in the Zoom video conferencing service; one of the exploits affects Windows, and the other affects OS X.
https://www.vice.com/en_us/article/qjdqgv/hackers-selling-critical-zoom-zero-day-exploit-for-500000
A new report from Google says the company saw more than 18 million spam emails per day related to the COVID-19 pandemic during the week of April 5 - 12.
https://www.theverge.com/2020/4/16/21223800/google-malware-phishing-covid-19-coronavirus-scams
U.S. officials warned American financial institutions that they believe North Korean state-sponsored actors could soon launch cyberattacks that "pose a significant threat to the integrity and stability of the international financial system."
A new court ruling will prevent Twitter from reporting any of the surveillance requests it has received from the American government.
American government contractors have been under attack from Chinese state-sponsored actors, with counterintelligence officials saying in an internal report that they detected hundreds of unwanted inbound and outbound connections.
https://www.politico.com/news/2020/04/16/china-electric-panda-hackers-seek-us-targets-191220
Security researchers are pushing back against a new policy on the Pastebin website that prevents users from scanning new data.
https://www.cyberscoop.com/pastebin-research-cybercrime-osint-scraping/
Scammers claiming to sell codes to download the popular new online video game "Valorant" are actually infecting victims with a keylogger.
https://www.tomsguide.com/news/valorant-beta-keygen-malware
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-0760
Title: HAProxy hpack-tbl.c Out of Bounds Write Vulnerability
Vendor: Multi-Vendor
Description: A vulnerability exists in hpack-tbl.c in the HPACK decoder in HAProxy, wherein a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution. This vulnerability could be exploited to gain access to sensitive information or to change contents or configuration on the system. Additionally, it can be used to cause a denial of service in the form of interruptions in resource availability.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-0796
Title: Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-8835
Title: Linux Kernel Privilege Escalation Vulnerability
Vendor: Multi-Vendor
Description: It was discovered that the bpf verifier in the Linux kernel did not properly calculate register bounds for certain operations. A local attacker could use this to expose sensitive information (kernel memory) or gain administrative privileges.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1967
Title: OpenSSL Denial of Service Vulnerability
Vendor: Multi-Vendor
Description: Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognized signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.
CVSS v3 Base Score: 5.0 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
ID: CVE-2020-7066
Title: PHP Information Disclosure Vulnerability
Vendor: PHP
Description: In PHP, when get_headers() is used with a user-supplied URL, if the URL contains a zero (\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of get_headers() and possibly send information to the wrong server. A remote attacker can abuse this behavior to bypass security restrictions implemented within the application.
CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)
ID: CVE-2020-2555
Title: Oracle Coherence Remote Code Execution Vulnerability
Vendor: Oracle
Description: A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware. This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks on this vulnerability can result in takeover of Oracle Coherence.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-3952
Title: VMware vCenter vmdir Information Disclosure Vulnerability
Vendor: VMware
Description: Under certain conditions vmdir does not correctly implement access controls. A malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES April 16 - 23:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776
MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea
VirusTotal: https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::in03.talos
SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4
MD5: c6dc7326766f3769575caa3ccab71f63
VirusTotal: https://www.virustotal.com/gui/file/fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4/details
Typical Filename: wupxarch.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
SHA 256: 9cc2b845bdee4774e45143e00dc82c673bf940c764b687c976f8d27d9f48b704
MD5: 4202e589899ec68bc2d4fa6fb1218e2f
VirusTotal: https://www.virustotal.com/gui/file/9cc2b845bdee4774e45143e00dc82c673bf940c764b687c976f8d27d9f48b704/details
Typical Filename: app171.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::sbmt.talos
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743