@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that ensures the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) remain the most effective defenses against all known attack vectors. Because it is also valuable to security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who want to stay current with the offensive methods in use.
June 4, 2020
=============================================================
@RISK: The Consensus Security Vulnerability Alert
June 04, 2020 - Vol. 20, Num. 23
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES: May 28 - June 4
============================================================
TOP VULNERABILITY THIS WEEK: Mokes malware hidden behind fake expired certificate alerts
******************** Sponsored By SANS *********************
Take the SANS 2020 Firewalls in the Modern Enterprise Survey | Share your perception of the use of firewalls inside the modern enterprise and how your organization is using firewalls! Survey closes June 24th | http://www.sans.org/info/216600
============================================================
TRAINING UPDATE
SANS Training is 100% Online, with two
convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
- The world's top cybersecurity courses
- Taught by real-world practitioners
- Ideal preparation for more than 30 GIAC Certifications
Take advantage of the current promotional offer
Featuring a Free iPad Air w/Smart Keyboard, Surface GO,
Or $300 Off through June 10
https://www.sans.org/online-security-training/specials/
______________________
Upcoming In Person and Live Online Events:
SANSFIRE 2020 | June 13-20 | Live Online
- https://www.sans.org/event/sansfire-2020
2-Day Firehose Training | June 29-30 | Live Online
- https://www.sans.org/event/2-day-firehose-training-jun29-2020
SANS Summer of Cyber: Week 1 | July 6-11 | Live Online
- https://www.sans.org/event/summer-of-cyber-jul-6
DFIR Summit & Training | July 16-25 | Live Online
- https://www.sans.org/event/digital-forensics-summit-2020
SANS Network Security 2020 | September 20-27 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/courses
- https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Webcast June 18th at 2PM EDT | How to Prioritize Security Controls for Sensitive AWS Assets | http://www.sans.org/info/216605
2) Webcast June 10th at 2PM EDT | Getting Engineering and Security Teams Building Together | http://www.sans.org/info/216610
3) Webcast June 11th at 12PM EDT | How to Eliminate Alert Fatigue by Turbo-Charging Splunk Phantom with Corelight NSM | http://www.sans.org/info/216615
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Fake certificate expiration notices used to plant Mokes malware
Description: Attackers are compromising websites and displaying fake notifications that the site's certificate has expired. The URL bar still shows the legitimate URL, but a fake image covering the entire window states that "Security Certificate is out of date." If the user clicks the button to download the "updated" certificate, they are infected with the Buerak downloader and the Mokes malware.
Snort SIDs: 54097 - 54106
Title: Variant of ZeuS malware available for sale online
Description: Attackers are selling a new fork of the infamous ZeuS banking trojan. Security researchers discovered the malware, known as "Silent Night," which appears to date back to November. Silent Night is currently for sale on a Russian dark web forum. It fetches the core malicious module and injects it into other running processes, using techniques and code very similar to ZeuS.
Reference: https://blog.malwarebytes.com/threat-analysis/2020/05/the-silent-night-zloader-zbot/
Snort SIDs: 54093, 54094
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Minneapolis's city computer systems and websites were hit with a distributed denial-of-service (DDoS) attack late last week; the majority of systems were operating as usual within a few hours.
https://www.govtech.com/security/Minneapolis-Hit-with-DDoS-Attack-amid-Social-Unrest.html
Hackers claimed that email addresses and passwords posted to the web were stolen from the Minneapolis police department; closer examination of the information suggests that it came from other, unrelated breaches.
https://www.troyhunt.com/analysing-the-alleged-minneapolis-police-department-hack/
A report from the World Economic Forum describes how lessons learned from the COVID-19 pandemic can inform preparations for a global cyberattack.
A bipartisan bill in the US Senate would prohibit any commercial use of data collected by COVID-19 tracing apps and would allow users to request that their data be deleted.
https://www.washingtonpost.com/technology/2020/06/01/contact-tracing-congress-privacy/
As employees start to return to physical offices, some companies are turning to monitoring apps to keep track of whether employees are sick or have been in contact with other sick people.
https://www.buzzfeednews.com/article/carolinehaskins1/coronavirus-private-contact-tracing
Older versions of Android are vulnerable to a security flaw that could allow an attacker to secretly steal private information off mobile devices.
A GitHub report details an open-source supply chain attack that affected at least 26 code repositories.
The American Civil Liberties Union is suing facial recognition startup Clearview AI for allegedly violating an Illinois privacy law.
Google patched dozens of vulnerabilities in its Android operating system, including two critical remote code execution vulnerabilities.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
=========================================================
MOST PREVALENT MALWARE FILES: May 28 - June 4
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188
MD5: a10a6d9dfc0328a391a3fdb1a9fb18db
VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters), or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743