@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
June 25, 2020=============================================================
@RISK: The Consensus Security Vulnerability Alert
June, 25 2020 - Vol. 20, Num. 26
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES June 18 - 25
============================================================
TOP VULNERABILITY THIS WEEK: IndigoDrop campaign spreads Cobalt Strike beacons to government targets, contractors
************* Sponsored By Devo Technology Inc. *************
The Devo SOC Performance Report(TM)
How do integrated investments in people, process, and technology separate high- and low- performing security operations teams?
With research conducted by the Ponemon Institute, the 2020 Devo SOC Performance Report examines how the SOC is changing, and identifies the gaps in people, process, and technology between high- and low-performing SOCs.
| http://www.sans.org/info/216800
============================================================
TRAINING UPDATE
SANS Training is 100% Online, with two convenient ways to complete a course:
OnDemand | Live Online
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
OnDemand Training Special Offer
Flexible Offer with Flexible Training
Choose an iPad Air, an iPad with Smart Keyboard, a Surface Go, or Take $300 Off with OnDemand Training through July 8.
- https://www.sans.org/ondemand/specials
Live Online Training Special Offer
Get a Free GIAC Certification Attempt or Take $350 Off with Live Online Training through July 8.
- https://www.sans.org/live-online/specials
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In Person and Live Online Events:
DFIR Summit & Training (Free Summit) | July 16-25 | Live Online
- https://www.sans.org/event/digital-forensics-summit-2020
SANS Rocky Mountain Summer 2020 | Jul 20-25 | Live Online
- https://www.sans.org/event/rocky-mountain-summer-2020
SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online
- https://www.sans.org/event/reboot-nova-2020
SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
*********************** Sponsored Links: *********************
1) Webcast | Join SANS Senior Instructor, Dave Shackleford as he discusses "Securing Assets Using Micro-Segmentation: A SANS Review of Guardicore Central" | June 30, 2020 @ 1:00pm EDT
| http://www.sans.org/info/216820
2) Webcast | Tune in for this incredible webcast as SANS Director of Emerging Security Trends, John Pescatore hosts the "Insights on Remote Access Cybersecurity and Workplace Flexibility - A SANS Whitepaper" | July 8, 2020 @ 12:00pm EDT
| http://www.sans.org/info/216825
3) Malware & Ransomware Solutions Forum | The state of play in the malware and ransomware game continues to change at a rapid pace. Those who are still trying to defend against yesterdays threats will find themselves woefully unprepared to deal with the attacks of today. Join Jake Williams as he discusses innovating new classes of solutions that didn't exist a few short years ago. | July 24, 2020 @ 10:30am EDT
| http://www.sans.org/info/216830
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: IndigoDrop spreads via military-themed lures to deliver Cobalt Strike
Description: Cisco Talos has observed a malware campaign that utilizes military-themed malicious Microsoft Office documents (maldocs) to spread Cobalt Strike beacons containing full-fledged RAT capabilities. These maldocs use malicious macros to deliver a multistage and highly modular infection. This campaign appears to target military and government organizations in South Asia. Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.
Reference: https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html
Snort SIDs: 54373 - 54376
Title: Qbot reemerges, goes after American banks
Description: The ever-changing Qbot information-stealing malware is back again and going after U.S.-based banks. Researchers say the malware family has a six-hour cycle that is uses to adapt and avoid detection. Attackers are spreading the malware via phishing emails, publicly reported exploits or malicious file shares. Qbot waits quietly on the victim machine until they visit a bank's website, and then it activates to steal the users' login credentials.
Reference: https://threatpost.com/qbot-trojan-us-banking-customers/156624/
Snort SIDs: 54384 - 54387
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The Oracle software used to track users' web usage and serve them targeted ads left a server open on the internet, allowing anyone to see the software's insights.
https://techcrunch.com/2020/06/19/oracle-bluekai-web-tracking/
Threat actors are increasingly relying on CAPTCHAs to avoid automated detection.
The U.S. Internal Revenue Service used cell phone location data to try and track down criminal suspects. (Please note that this story is behind a paywall.)
https://www.wsj.com/articles/irs-used-cellphone-location-data-to-try-to-find-suspects-11592587815
The FBI used Instagram posts, LinkedIn, and an Etsy review to identify a person suspected of setting two police cars on fire during protests in Philadelphia on May 30.
An IBM survey found that 52 percent of Americans who are working from home during the COVID-19 pandemic are using their personal laptops for work, opening the door for many security exploits.
More than 1,000 Google employees wrote a letter to management asking that the company no longer sell technology to police departments.
https://www.vice.com/en_us/article/889x3a/1600-google-employees-demand-no-tech-for-police
Hackers have started enabling multi-factor authentication after compromising accounts to make it more difficult for users to eventually recover their credentials.
https://krebsonsecurity.com/2020/06/turn-on-mfa-before-crooks-do-it-for-you/
A new collection of records called "BlueLeaks" claims to contain thousands of documents stolen from US from law enforcement agency fusion centers.
https://www.wired.com/story/blueleaks-anonymous-law-enforcement-hack/
Foreign policy experts at the United States Studies Centre at the University of Sydney are urging Australia and the US to "name and shame" state-sponsored threat actors attempting to steal COVID-19-related research.
Microsoft is acquiring CyberX, a start-up focused on IoT and industrial control system security.
https://venturebeat.com/2020/06/22/microsoft-acquires-cybersecurity-startup-cyberx/
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-0022
Title: Google Android Bluetooth Remote Denial Of Service Vulnerability
Vendor: Google
Description: A remote denial of service vulnerability exists in Google Android. In reassemble_and_dispatch of packet_fragmenter.cc, there is possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed.
CVSS v3 Base Score: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-10189
Title: WPA and WPA2 Disassociation Vulnerability ("Kr00k")
Vendor: Multi-Vendor
Description: An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic.
CVSS v3 Base Score: 9.8 (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
ID: CVE-2020-1170
Title: Microsoft Windows Defender Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists in Windows Defender that leads arbitrary file deletion on the system. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1181
Title: Microsoft SharePoint Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.Net web controls. An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process. To exploit the vulnerability, an authenticated user must create and invoke a specially crafted page on an affected version of Microsoft SharePoint Server.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-12388
Title: Firefox Default Content Process DACL Sandbox Escape Vulnerability
Vendor: Mozilla
Description: The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. Multiple vulnerabilities have been discovered in Mozilla Firefox and Mozilla Firefox ESR. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the logged-on user.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-3347
Title: Cisco Webex Meetings Desktop App for Windows Shared Memory Information Disclosure Vulnerability
Vendor: Cisco
Description: A vulnerability in Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to gain access to sensitive information on an affected system. The vulnerability is due to unsafe usage of shared memory that is used by the affected software. A successful exploit could allow the attacker to retrieve sensitive information from the shared memory, including usernames, meeting information, or authentication tokens that could aid the attacker in future attacks.
CVSS v3 Base Score: 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
ID: CVE-2020-1054
Title: Microsoft Win32k Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
CVSS v3 Base Score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES June 18 - 25:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188
MD5: a10a6d9dfc0328a391a3fdb1a9fb18db
VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 8e03f05ecd08cb78f37ccd92c48cd9d357c438112b85bd154e8261c19e38a56e
MD5: 60ba2a4b8ea5982a3a671a9e84f9268c
VirusTotal: https://www.virustotal.com/gui/file/8e03f05ecd08cb78f37ccd92c48cd9d357c438112b85bd154e8261c19e38a56e/details
Typical Filename: Diagnostics.txt
Claimed Product: N/A
Detection Name: Win.Dropper.Shadowbrokers::222044.in02
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743
