Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

June 18, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            June 18, 2020 - Vol. 20, Num. 25


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES June 11 - 18

============================================================


TOP VULNERABILITY THIS WEEK: NetWire malware used to target human rights activists


******************** Sponsored By SANS *********************


Cyber Solutions Fest | This FREE action packed 2-day virtual event brings together an ensemble of security professionals, and experts ready to share the latest developments and innovative technologies in Cloud Security, DevSecOps, Threat Intel and Network Security. | Join our all-star cast including Jake Williams, Dave Shackleford, Ismael Valenzuela and Matt Bromiley on October 8-9, 2020 | http://www.sans.org/info/216730


============================================================

TRAINING UPDATE


SANS Training is 100% Online, with two

convenient ways to complete a course:


OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online


Keep your skills sharp with SANS Online Training:

.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications


Take advantage of the current promotional offer:

Get a Free GIAC Certification Attempt or Take $350 Off with OnDemand or Live Online Training through June 24

https://www.sans.org/online-security-training/specials/

 

Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling

SEC560: Network Penetration Testing and Ethical Hacking

- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking

______________________


Upcoming In Person and Live Online Events:

    

2-Day Firehose Training | June 29-30 | Live Online

- https://www.sans.org/event/2-day-firehose-training-jun29-2020


SANS Summer of Cyber | July 6-17 | Live Online

- https://www.sans.org/event/summer-of-cyber-jul-6


DFIR Summit & Training | July 16-25 | Live Online

- https://www.sans.org/event/digital-forensics-summit-2020


SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online

- https://www.sans.org/event/network-security-2020

______________________


Test drive a course: https://www.sans.org/course-preview


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/cyber-security-courses

- https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Webcast |  Join Prasidh Srikanth and Kenneth G. Hartman as they introduce "The Best of Both Worlds: Cloud + SASE" | June 23, 2020 @ 2:00pm EDT | http://www.sans.org/info/216735


2) Free Virtual Event | SANS Malware & Ransomware Solutions Forum | Join chairman Jake Williams on Friday, July 24th | http://www.sans.org/info/216740


3) Webcast | Join Andrey Yesyev and Michael Rezek as they dive deeper into "Detecting advanced persistent threats with behavior-based intrusion detection" | June 23, 2020 @ 3:30pm EDT | http://www.sans.org/info/216745


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Indian human rights advocates targeted by NetWire malware

Description: Attackers targeted several human rights activists in India between January and October of 2019 with the NetWire malware, attempting to intercept their communications. Researchers say the victims opened spear-phishing emails, which eventually led to the infection. NetWire can steal users' audio recordings, steal credentials and log keystrokes. All the targets are advocating for the release of protestors who were jailed after demonstrations in 2018.

Reference: https://www.cyberscoop.com/india-spyware-nso-group-amnesty-international-citizen-lab/

Snort SIDs: 54284, 54285


Title: Remote code execution vulnerability in Firefox's SharedWorkerService function

Description: The Mozilla Firefox web browser contains a vulnerability in its SharedWorkerService function that could allow an attacker to gain the ability to remotely execute code on a target's machine. This vulnerability can be triggered if the user visits a malicious web page. The attacker can design this page in a way that it would cause a race condition, eventually leading to a use-after-free vulnerability and remote code execution.

Reference: https://blog.talosintelligence.com/2020/06/vuln-spotlight-firefox-shared-service-june-2020.html

Snort SIDs: 53759, 53760


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Outages across several popular American wireless companies caused speculation that the U.S. was facing a massive distributed denial-of-service attack, though the executives of those companies quickly downplayed the concerns. It's widely believed that the company T-Mobile made some errors in a recent network update.

https://www.newsweek.com/cyberattack-ddos-anonymous-hacking-group-t-mobile-outage-websites-offline-explained-1511082


America's largest tech companies are pushing for a nationwide facial recognition law to regulate use of the technology.

https://www.cnn.com/2020/06/13/tech/facial-recognition-policy/index.html


Nintendo said even more Switch user accounts were breached in April than initially thought, now estimating the count to be more than 300,000.

https://www.businessinsider.com/nintendo-switch-account-hack-update-2020-6


Community activists in New York are building a network of surveillance cameras to track police violence against protestors.

https://www.vice.com/en_us/article/y3zp55/activists-are-using-traffic-cameras-to-track-police-brutality


The hacking group "Anonymous" took credit for taking down the Atlanta Police Department's website after local police officers shot and killed a black man in a restaurant parking lot.

https://www.ajc.com/news/breaking-news/hacker-group-claims-responsibility-after-apd-website-goes-offline/pYHBqHERBqPYqzPuC5tTxL/


Researchers discovered 12 malicious apps for Android devices that disguised themselves as COVID-19-tracing software, but instead downloaded malware on users' devices.

https://www.darkreading.com/vulnerabilities---threats/fake-covid-19-contact-tracing-apps-infect-android-phones/d/d-id/1338047


A large brewing company in New Zealand had to put production on hold after a ransomware attack on its Australian parent company, Lion.

https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=12339678


There has been a resurgence of activity from the Tor2Mine cryptocurrency mining group. The actors behind the malware have added a new IP address and two new domains to carry out their actions.

https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html


Google is already receiving pushback for a planned update to the Chrome web browser that would make it more difficult for users to see the full URL of the page they're visiting.

https://www.techradar.com/uk/news/this-strange-chrome-change-hides-full-web-addresses-from-view


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2020-1300

Title:  Microsoft Windows Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists when Microsoft Windows fails to properly handle cabinet files. To exploit the vulnerability, an attacker would have to convince a user to either open a specially crafted cabinet file or spoof a network printer and trick a user into installing a malicious cabinet file disguised as a printer driver.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1206

Title:  Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a target.

CVSS v3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)


ID:        CVE-2020-1054

Title:  Microsoft Win32k Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

CVSS v3 Base Score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-5410

Title:  Spring Cloud Config Directory Traversal Vulnerability

Vendor: VMWare

Description: Spring Cloud Config allows applications to serve arbitrary configuration files through the spring-cloud-config-server module. A malicious user, or attacker, can send a request using a specially crafted URL that can lead to a directory traversal attack.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


ID:        CVE-2020-1301

Title:  Microsoft Windows SMB Authenticated Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server. To exploit the vulnerability an authenticated attacker could send a specially crafted packet to a targeted SMBv1 server.

CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1181

Title:  Microsoft SharePoint Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.Net web controls. An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process. To exploit the vulnerability, an authenticated user must create and invoke a specially crafted page on an affected version of Microsoft SharePoint Server.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-0796

Title:  Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-13160

Title:  AnyDesk UDP Discovery Remote Code Execution Vulnerability

Vendor: AnyDesk

Description: A format string vulnerability exists in AnyDesk that can be exploited for remote code execution. By sending a single UDP packet to the target machine, an attacker can successfully exploit the discovered format string vulnerability to gain Remote Code Execution.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2018-13379

Title:  Fortinet FortiOS Directory Traversal Vulnerability

Vendor: Fortinet

Description: Fortinet FortiOS is exposed to a directory traversal vulnerability because it fails to properly sanitize user supplied input. A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES June 11 - 18:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAntivirusService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188

MD5: a10a6d9dfc0328a391a3fdb1a9fb18db

VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc


SHA 256: 32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7

MD5: 73d1de319c7d61e0333471c82f2fc104

VirusTotal: https://www.virustotal.com/gui/file/32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: Win.Dropper.Zudochka::in03.talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743