
@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. Because it is also valuable for security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who want to stay current with the offensive methods in use.

July 23, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                July 23, 2020 - Vol. 20, Num. 30


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES July 16 - 23

============================================================


TOP VULNERABILITY THIS WEEK: CISA urges users to patch SAP to fix critical vulnerability


***************  Sponsored By Dragos, Inc.  *****************


Dragos White Paper: Map Cyber Threats to MITRE ATT&CK for ICS


MITRE ATT&CK for ICS is a framework to identify threat behaviors based on the tactics and techniques of ICS threats. Read this white paper to find out how to apply the MITRE ATT&CK for ICS framework to improve your threat detection and response.

- http://www.sans.org/info/217100


============================================================

TRAINING UPDATE


Best Special Offers of the Year are Available Now with OnDemand

Choose a MacBook Air, Surface Pro 7, or Take $350 Off through August 5.

- https://www.sans.org/ondemand/specials


SANS now offers THREE ways to complete a course:


OnDemand | Live Online | In-Person:

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online

- https://www.sans.org/cyber-security-training-events/in-person/north-america


Keep your skills sharp with SANS Online Training:

- The world's top cybersecurity courses

- Taught by real world practitioners

- Ideal preparation for more than 30 GIAC Certifications


Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling

SEC560: Network Penetration Testing and Ethical Hacking

- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking

______________________


Upcoming In-Person and Live Online Events:


Instructor-Led Training | August 3-8 | Live Online

- https://www.sans.org/event/live-online-aug3-2020-mdt


SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online

- https://www.sans.org/event/reboot-nova-2020


SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online

- https://www.sans.org/event/baltimore-fall-2020


SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online

- https://www.sans.org/event/network-security-2020

______________________


Test drive a course: https://www.sans.org/course-preview


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/cyber-security-courses

- https://www.sans.org/cyber-security-skills-roadmap



********************** Sponsored Links: ********************


1) Survey | It's as easy as 1, 2, 3...Take the SANS 2020 Risk Based Vulnerability Survey and be entered for a chance to win a $150 Amazon Gift Card!

http://www.sans.org/info/217105


2) Survey Results | Join John Pescatore as he presents the results for the SANS 2020 SOC Survey | June 29 @ 1:00 PM EDT

- http://www.sans.org/info/217110


3) Webcast | July 29 @ 10:30 AM EDT | We are only 8 days away from our informative webcast hosted by SANS Instructor Matt Bromiley: "Browser Isolation: A SANS Review of Cyberinc's Isla"

- http://www.sans.org/info/217115


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: SAP systems vulnerability could allow adversaries to create new user accounts, execute code

Description: The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released a warning last week urging SAP admins to update their systems as soon as possible to fix a critical vulnerability. CVE-2020-6287 affects the LM Configuration Wizard, a Java component of the SAP NetWeaver Application Server. An attacker could exploit this bug to obtain unrestricted access to SAP systems, allowing them to create their own user accounts and execute arbitrary system commands.

References: https://www.infosecurity-magazine.com/news/cisa-patch-critical-sap-recon-bug/

Snort SIDs: 54571 - 54574


Title: Cisco discloses 33 vulnerabilities in small business routers, firewalls

Description: Cisco disclosed 33 vulnerabilities in their RV series of routers and firewalls earlier this month. The products mainly service small business environments. One of the bugs, CVE-2020-3330, could allow an adversary to completely take over a device if the user hadn't reset the default admin credentials that came pre-installed on the device. There is also a critical privilege escalation vulnerability in Prime License Manager.

References: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv110w-static-cred-BMTWBWTy

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-rce-AQKREqp

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-code-exec-wH3BNFb

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-prime-priv-esc-HyhwdzBA

Snort SIDs: 54538 - 54567


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


More information is emerging about the massive Twitter hack last week that led to several high-profile accounts being taken over and used in a Bitcoin scam. A new report from the New York Times found that the group behind the hack does not have ties to state-sponsored actors.

https://www.nytimes.com/2020/07/17/technology/twitter-hackers-interview.html


A full breakdown of the intrusion from Twitter found that the hackers targeted 130 accounts, took control of 45 of those accounts, and downloaded information from eight of the compromised accounts.

https://www.reuters.com/article/us-twitter-cyber/twitter-says-attackers-downloaded-data-from-up-to-eight-non-verified-accounts-idUSKBN24J068


The Twitter incident also shows what attackers can do when humans come into the equation, proving once again that employees are sometimes an organization's biggest security weakness.

https://slate.com/technology/2020/07/twitter-hack-human-weakness.html


Israel says it fended off a state-sponsored attack on its water infrastructure for the second time this year.

https://www.timesofisrael.com/cyber-attacks-again-hit-israels-water-system-shutting-agricultural-pumps/


A new report from the British government urged parliament and the prime minister to take immediate action against Russia for its interference in national elections, saying the government "badly underestimated" the threat Russian actors posed.

https://www.bbc.com/news/uk-politics-53484344


As China and the U.S. continue to trade barbs over TikTok and other Chinese-created apps, security experts say TikTok's policies align with many other popular, American social media apps.

https://www.wired.com/story/tiktok-ban-us-national-security-risk/


American prosecutors charged two Chinese nationals for an alleged large-scale cyber campaign aimed at stealing information related to COVID-19 research.

https://www.cnn.com/2020/07/21/politics/china-hackers-coronavirus/index.html


Diebold Nixdorf says that hackers have managed to obtain proprietary software and are using it in ATM jackpotting attacks.

https://arstechnica.com/information-technology/2020/07/crooks-are-using-a-new-way-to-jackpot-atms-made-by-diebold/


A new Android trojan appears to be a variant of LokiBot and is going after popular apps like Tinder, Netflix and Instagram to steal users' information.

https://www.techradar.com/news/new-android-malware-targets-over-300-different-apps-with-a-focus-on-dating-and-social-media


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2020-8605

Title:  Trend Micro Web Security Virtual Appliance Remote Code Execution Vulnerability

Vendor: Trend Micro

Description: A vulnerability in Trend Micro InterScan Web Security Virtual Appliance may allow remote attackers to execute arbitrary code on affected installations. An attacker can leverage this vulnerability to disclose information in the context of the IWSS user. An authenticated remote attacker could exploit a command injection vulnerability in the product, leading to remote code execution.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1350

Title:  Microsoft Windows DNS Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-5902

Title:  F5 BIG-IP Remote Code Execution Vulnerability

Vendor: F5

Description: F5 BIG-IP is exposed to a remote code execution vulnerability. The vulnerability, which has been actively exploited in the wild, allows attackers with network access to read files, execute code or take complete control over vulnerable systems.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-6287

Title:  SAP NetWeaver Application Server JAVA Multiple Vulnerabilities

Vendor: SAP

Description: SAP NetWeaver AS JAVA (LM Configuration Wizard) does not perform an authentication check (a Missing Authentication Check weakness), which allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity and availability of the system. An unauthenticated attacker can exploit this vulnerability over the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-15363

Title:  WordPress Theme NexosReal Estate 'search_order' SQL Injection Vulnerability

Vendor: Nexos

Description: The NexosReal Estate Theme is exposed to a remote SQL injection vulnerability through the 'search_order' parameter of the side-map/ page (side-map/?search_order=).

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-13866

Title:  WinGate Privilege Escalation Vulnerability

Vendor: qbik

Description: WinGate has insecure permissions for the installation directory, which allows local users to gain privileges by replacing an executable file with a Trojan horse. The WinGate directory hands full control to authenticated users, who can then run arbitrary code as SYSTEM after a WinGate restart or system reboot.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-2021

Title:  Palo Alto Networks PAN-OS Authentication Bypass in SAML Authentication Vulnerability

Vendor: Palo Alto Networks

Description: When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-3952

Title:  VMware vCenter vmdir Information Disclosure Vulnerability

Vendor: VMware

Description: Under certain conditions vmdir does not correctly implement access controls. A malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES July 16 - 23:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8

MD5: 179c09b866c9063254083216b55693e6

VirusTotal: https://www.virustotal.com/gui/file/449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.File.Segurazo::95.sbx.tg


SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188

MD5: a10a6d9dfc0328a391a3fdb1a9fb18db

VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAntivirusService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


=============================================================


(c) 2020.  All rights reserved.  The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743