@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.
A key purpose of @RISK is to provide the data that ensures the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses against all known attack vectors. Because the same data is valuable to security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who want to stay current with the offensive methods in use.
April 30, 2020
=============================================================
@RISK: The Consensus Security Vulnerability Alert
April 30, 2020 - Vol. 20, Num. 18
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES April 23 - 30
============================================================
TOP VULNERABILITY THIS WEEK: MedusaLocker adds more features, continues to encrypt victims' files
******************* Sponsored By Eclypsium *******************
Assessing Enterprise Firmware Security Risk - Attacks in the wild are targeting firmware in order to achieve persistence, evade security controls, and further strategic attacks. With firmware vulnerabilities at an all-time high, this Eclypsium whitepaper outlines 5 questions to evaluate and improve your firmware security posture. http://www.sans.org/info/216240
============================================================
TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Test drive a course: https://www.sans.org/course-preview
Get a 10.2" iPad (32GB), Samsung Galaxy Tab A, or Take $250 Off through May 13 with OnDemand or Live Online training.
https://www.sans.org/online-security-training/specials/
______________________
Upcoming Live Online Events:
Instructor-Led Training | May 4-9
- https://www.sans.org/event/live-online-may4-2020
Security West 2020 | May 11-16
- https://www.sans.org/event/security-west-2020
2-Day Firehose Training | May 26-29
- https://www.sans.org/event/2-day-firehose-training-may27-2020
Cloud Security Summit & Training 2020 | May 26-June 5
- https://www.sans.org/event/cloud-security-summit-2020
Rocky Mountain Hackfest Summit & Training 2020 | June 4-13
- https://www.sans.org/event/rockymountainhackfest-summit-2020
SANSFIRE 2020 | June 13-20
- https://www.sans.org/event/sansfire-2020
2-Day Firehose Training | June 29-30
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
In Person Training:
SANS Network Security 2020 | Las Vegas, NV | September 20-27
- https://www.sans.org/event/network-security-2020
______________________
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
Any course you have or will purchase is protected by the SANS Training Guarantee.
- https://www.sans.org/training-guarantee
********************** Sponsored Links: ********************
1) How to prevent remote users from being locked out due to old cached credentials. http://www.sans.org/info/216245
2) Webcast Thursday April 30th at 3:30PM ET | Unwind Your SIEM: Improved Threat Hunting and Detection with Chronicle. http://www.sans.org/info/216250
3) Upcoming Webcast | Learn what machine-learning is and how it can detect anomalous behavior. http://www.sans.org/info/216255
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: MedusaLocker ransomware continues to remap drives, encrypt victims' files
Description: MedusaLocker is a ransomware family that was first observed in 2019 and is still being deployed. Several variants have appeared since, but most of the functionality is consistent across them. The most notable differences are the file extension appended to encrypted files and the look and feel of the ransom note left on systems after encryption. Before encrypting, the malware also enumerates and maps network drives so that files on reachable shares are encrypted along with local ones, so remediation should cover shared storage and not only the host that displayed the note.
Reference: https://blog.talosintelligence.com/2020/04/medusalocker.html
Snort SIDs: 53662 - 53664
Title: Kwampirs malware goes after health care sector
Description: The FBI recently released a warning urging health care organizations to be on the lookout for the Kwampirs malware. The RAT infects systems and opens a backdoor into the victim's network. According to the FBI, adversaries using Kwampirs have already successfully infected health care networks across the globe, and the attackers are attempting to capitalize on the fear, uncertainty and heavy workload brought on by the COVID-19 pandemic.
Snort SIDs: 53738 - 53741
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The U.K. government plans to build its own coronavirus contact-tracing app, forgoing Apple's and Google's jointly created API.
https://www.zdnet.com/article/contact-tracing-apps-why-the-nhs-said-no-to-apple-and-googles-plan/
The World Health Organization says some of its top leadership has been targeted by cyberattacks in recent weeks, continuing a trend it's seen since mid-March.
Adversaries are stepping up the quality of their spear-phishing campaigns, recently targeting U.S.-based energy companies working in the oil industry.
Nintendo shut down an older form of logins for its users after more than 160,000 accounts were compromised.
Video streaming service Netflix upgraded to TLS 1.3, which it says will make streaming safer and quicker for users.
Israel's cyber defense ministry says it recently warded off multiple cyberattacks on its water control infrastructure.
Microsoft patched a vulnerability in its Teams application that could allow an adversary to scrape data from a victim's account by sending them a specially crafted GIF.
https://www.bbc.com/news/technology-52415773
Business leaders are raising concerns over cyberattacks that could slow down or interrupt mergers and acquisitions as economies around the world start to open up again.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
=========================================================
MOST PREVALENT MALWARE FILES April 23 - 30:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4
MD5: c6dc7326766f3769575caa3ccab71f63
VirusTotal: https://www.virustotal.com/gui/file/fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4/details
Typical Filename: wupxarch.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
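The hash list above is only useful if it is actually checked against files on disk. The following is an added example, not code from the newsletter or from Talos: it parses entries written in the newsletter's own "SHA 256: / MD5: / Typical Filename: / Detection Name:" layout, hashes every file under a directory in one pass, and reports matches. The IOC text embedded below is a constructed copy of two of the entries above; the files it sweeps are constructed in a temporary directory, since the real samples are not on the page. Matching is done on SHA-256 first; a file that matches only an MD5 is reported separately, because MD5 collisions are cheap to produce and an MD5-only hit deserves less confidence. Filenames are deliberately not used for matching, since attackers rename droppers freely.

```python
"""Sweep a directory tree for files whose hashes appear in a newsletter-style IOC list."""
import hashlib
import os
import re
import tempfile

# Constructed copy of two entries in the newsletter's own format. The full
# block from the newsletter can be pasted in verbatim; lines such as
# "VirusTotal:" and "Claimed Product:" are simply ignored by the parser.
IOC_TEXT = """\
SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4
MD5: c6dc7326766f3769575caa3ccab71f63
Typical Filename: wupxarch.exe
Detection Name: Win.Dropper.Ranumbot::in03.talos
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Detection Name: W32.85B936960F.5A5226262.auto.Talos
"""


def parse_iocs(text):
    """Return {sha256: {"md5", "filename", "detection"}} from newsletter-style entries.

    A "SHA 256:" line starts a new entry; following "MD5:", "Typical Filename:" and
    "Detection Name:" lines are attached to it. Malformed SHA-256 values are rejected
    so a typo in the list cannot silently produce an IOC that never matches.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "sha 256":
            if not re.fullmatch(r"[0-9a-fA-F]{64}", value):
                raise ValueError(f"malformed SHA-256 in IOC list: {value!r}")
            current = entries.setdefault(value.lower(), {})
        elif current is not None:
            if key == "md5":
                current["md5"] = value.lower()
            elif key == "typical filename":
                current["filename"] = value
            elif key == "detection name":
                current["detection"] = value
    return entries


def hash_file(path, chunk=1 << 20):
    """Compute SHA-256 and MD5 of a file in a single streaming pass."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def sweep(root, iocs):
    """Walk root and return [(path, kind, detection)] for files matching an IOC.

    kind is "sha256" for a full match or "md5-only" when just the weaker MD5 matched.
    Unreadable files (permissions, races with deletion) are skipped rather than aborting.
    """
    md5_index = {v["md5"]: k for k, v in iocs.items() if "md5" in v}
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha, md5 = hash_file(path)
            except OSError:
                continue
            if sha in iocs:
                hits.append((path, "sha256", iocs[sha].get("detection", "")))
            elif md5 in md5_index:
                hits.append((path, "md5-only", iocs[md5_index[md5]].get("detection", "")))
    return hits


def demo_sweep():
    """Self-contained run over constructed files and constructed IOC entries.

    The real hashes above would only match the actual malware samples, so two extra
    entries are added: one full match and one whose SHA-256 is a placeholder but whose
    MD5 matches, to exercise the weaker "md5-only" path.
    """
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    full, partial = b"constructed sample A", b"constructed sample B"
    for name, data in (("a.bin", full), ("b.bin", partial), ("clean.txt", b"nothing here")):
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    iocs = parse_iocs(IOC_TEXT)
    iocs[hashlib.sha256(full).hexdigest()] = {"md5": hashlib.md5(full).hexdigest(),
                                              "detection": "Test.FullMatch"}
    iocs["0" * 64] = {"md5": hashlib.md5(partial).hexdigest(), "detection": "Test.Md5Only"}
    return sorted(sweep(root, iocs), key=lambda h: h[1])


if __name__ == "__main__":
    for path, kind, detection in demo_sweep():
        print(f"{kind:9} {detection:20} {path}")
```

Point `sweep()` at a real path (for example a user's Downloads folder or a quarantine share) with `parse_iocs()` fed the full list from the newsletter to run it for real; the parser accepts the block as printed, and the last entry above, which has no Detection Name line, simply yields an empty detection string.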
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters), or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743