@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
July 9, 2020
=============================================================
@RISK: The Consensus Security Vulnerability Alert
July 9, 2020 - Vol. 20, Num. 28
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES July 2 - 9
============================================================
TOP VULNERABILITY THIS WEEK: F5 vulnerability exposes large organizations to attacks
************** Sponsored By AWS Marketplace ****************
Join Dave Shackleford, SANS and Chris Chapman, AWS Marketplace, as they explore best practices and provide practical guidance on how you can secure all services and surfaces in the AWS cloud. These top industry experts will present real-world use cases and examples of tools you can leverage to protect your investments. | July 16 @ 11:00 AM EDT | http://www.sans.org/info/216890
============================================================
TRAINING UPDATE
Best Special Offers of the Year with OnDemand Cybersecurity Training
Get an 11" iPad Pro w/ Magic Keyboard, a Microsoft Surface Go 2 (256GB SSD), or Take $350 Off with your OnDemand registration through July 22.
- https://www.sans.org/ondemand/specials
SANS now offers THREE ways to complete a course:
OnDemand | Live Online | In-Person:
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
- https://www.sans.org/cyber-security-training-events/in-person/north-america
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
DFIR Summit & Training (Free Summit) | July 16-25 | Live Online
- https://www.sans.org/event/digital-forensics-summit-2020
SANS Rocky Mountain Summer 2020 | Jul 20-25 | Live Online
- https://www.sans.org/event/rocky-mountain-summer-2020
SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online
- https://www.sans.org/event/reboot-nova-2020
SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Take the SANS 2020 Vulnerability Management Survey and be entered for a chance to win a $150 Amazon Gift Card.
| http://www.sans.org/info/216945
2) Webcast | Thursday, July 16, 2020 at 3:30 PM EDT | Join SANS Senior Instructor, Chris Crowley as he presents "Force Multiplier: How we use SOAR to maximize our own SOC analyst efficiency while minimizing fatigue and burnout"
| http://www.sans.org/info/216950
3) SANS Oil & Gas Solutions Forum is Tomorrow | Free 1/2 Day Virtual Event | 4 CPE Credits | Join Chairman Jason Dely along with top experts from Swimlane, ThreatConnect, CyberInc, Siemplify, Tripwire and Dispel | Friday, July 10, 2020 starting at 9:30 AM EDT
| http://www.sans.org/info/216955
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Critical remote code execution vulnerability in F5 BIG-IP
Description: BIG-IP is one of the most popular networking products on the modern market. This product is used to shape web traffic, act as an access gateway, apply rate limits and much more. F5 disclosed a remote code execution vulnerability over the weekend that was assigned the maximum severity score of 10 out of 10. CVE-2020-5902 is a remote code execution vulnerability in BIG-IP's configuration interface (the Traffic Management User Interface). Users are urged to make these interfaces inaccessible from the internet and patch as soon as possible.
Reference: https://www.helpnetsecurity.com/2020/07/06/exploit-cve-2020-5902/
Snort SIDs: 54462
Title: Google Chrome PDFium memory corruption vulnerability
Description: The PDF renderer inside Google Chrome, known as PDFium, contains a memory corruption vulnerability that could be exploited by an adversary. PDFium is open-source software that is used in the Chrome browser and other applications. The software supports JavaScript embedded inside PDFs, and a specially crafted document could corrupt the memory of the application, allowing an adversary to achieve arbitrary code execution inside the browser.
Reference: https://blog.talosintelligence.com/2020/07/vuln-spotlight-chrome-pdfium-corruption-july-2020.html
Snort SIDs: 53599, 53600
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Law enforcement officials in Europe recently dismantled a network of encrypted messages and cell phones where criminals used code names to discuss drug deals and other illicit transactions.
https://www.vice.com/en_us/article/3aza95/how-police-took-over-encrochat-hacked
The US Senate Judiciary Committee approved a revamped version of the EARN IT bill, maintaining that the bill's primary focus is to protect children from exploitation online and not to weaken encryption.
Researchers say they have found a vulnerability in several popular cryptocurrency wallets that could cause them to display incorrect balances.
Iran blamed state-sponsored attackers for a cyber attack it says led to a fire at its Natanz uranium-enrichment facility and promised retaliation for any future attacks.
The years-old Android malware FakeSpy is back infecting users, this time disguising itself as official postal service apps.
https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world
A recent study from German researchers discovered that many home wireless routers had not received a security update in more than a year, and others contained still-unpatched bugs.
A new Mac ransomware called "ThiefQuest" steals users' credit card information and login credentials, and lurks in the background as a backdoor for other malware.
A state-sponsored threat actor known as "Cosmic Lynx" is targeting high-profile executives across the globe in business email compromise (BEC) campaigns.
https://www.wired.com/story/russian-hackers-email-scams/
The Lazarus Group APT has added card-skimming to its inventory of attack vectors.
https://threatpost.com/lazarus-group-adds-magecart/157167/
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-5902
Title: F5 BIG-IP Remote Code Execution Vulnerability
Vendor: F5
Description: F5 BIG-IP is exposed to a remote code execution vulnerability. The vulnerability, which has been actively exploited in the wild, allows attackers with network access to vulnerable systems to read files, execute code or take complete control of them.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2019-19781
Title: Citrix Application Delivery Controller and Gateway Directory Traversal Vulnerability
Vendor: Citrix
Description: A vulnerability exists in Citrix Application Delivery Controller (ADC), formerly known as NetScaler ADC, and Citrix Gateway, formerly known as NetScaler Gateway, that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. Exploitation uses a directory traversal to execute an arbitrary command payload.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-2021
Title: Palo Alto Networks PAN-OS Authentication Bypass in SAML Authentication Vulnerability
Vendor: Palo Alto Networks
Description: When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-12828
Title: AnchorFree OpenVPN SDK Privilege Escalation Vulnerability
Vendor: Pango
Description: An issue was discovered in AnchorFree VPN SDK. The VPN SDK service takes certain executable locations over a socket bound to localhost. Binding to the socket and providing a path where a malicious executable file resides leads to executing the malicious executable file with SYSTEM privileges.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-2012
Title: Palo Alto Networks PAN-OS XML External Entity Reference Vulnerability
Vendor: Palo Alto Networks
Description: Improper restriction of XML external entity reference ('XXE') vulnerability in Palo Alto Networks Panorama management service allows remote unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ID: CVE-2020-0796
Title: Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-9497
Title: Apache Guacamole Information Disclosure Vulnerability
Vendor: Apache
Description: Apache Guacamole does not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.
CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)
=========================================================
MOST PREVALENT MALWARE FILES July 2 - 9:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188
MD5: a10a6d9dfc0328a391a3fdb1a9fb18db
VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::95.sbx.tg
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743