@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who hope to stay current with the offensive methods in use.
August 6, 2020
=============================================================
@RISK: The Consensus Security Vulnerability Alert
August 6, 2020 - Vol. 20, Num. 32
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES July 30 - Aug. 6
============================================================
TOP VULNERABILITY THIS WEEK: WastedLocker ransomware continues to gain notoriety
******************** Sponsored By SANS ********************
Survey | We invite you to complete our SANS 2020 Vulnerability Management Survey and enter for a chance to win a $150 Amazon Gift card! This survey will examine how organizations are using automated mechanisms to identify vulnerabilities and how they are managing these vulnerabilities across their enterprise infrastructure, applications, cloud services and business partners. | Survey results will be shared November 10 @ 1:00 PM ET
| http://www.sans.org/info/217235
============================================================
TRAINING UPDATE
Best Special Offers of the Year for OnDemand are Ending Soon: Choose an iPad Pro with Apple Pencil, Surface Go 2, or Take $300 Off through August 19.
- https://www.sans.org/ondemand/specials
SANS now offers THREE ways to complete a course:
OnDemand | Live Online | In-Person:
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
- https://www.sans.org/cyber-security-training-events/in-person/north-america
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online
- https://www.sans.org/event/baltimore-fall-2020
Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online
- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020
SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Reston, VA or Live Online
- https://www.sans.org/event/northern-va-reston-fall-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Webcast | Join Snyk's Alyssa Miller as she hosts "What's in your Financial Services Software?", a webcast that will discuss the hidden threats in the software supply chain and analyze some of the unique challenges of open source software in financial services, as well as real-world strategies | August 13 @ 1:00 PM EDT
| http://www.sans.org/info/217240
2) Webcast | We invite you to join SANS instructor Matt Bromiley as he hosts "Intuitive Endpoint Security: A SANS Review of Morphisec Shield". Bromiley will review Morphisec Shield, a tool that uses moving target defense to defeat threats such as zero-days, evasive malware, fileless attacks and exploits by morphing process memory. | August 18 @ 10:30 AM EDT
| http://www.sans.org/info/217245
3) Webcast | Tune in for our upcoming webcast "So Many Tools So Little Time: Optimizing Threat Intelligence Effectiveness for SOC Teams", hosted by cyber expert John Pescatore. | August 20 @ 1:00 PM EDT
| http://www.sans.org/info/217250
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: WastedLocker adding new techniques, makes headlines
Description: The WastedLocker ransomware is now using a Windows memory management feature to evade detection. This malware has made headlines recently for its expanded use, and has even potentially been linked to a recent cyber attack on GPS service provider Garmin. WastedLocker now has the ability to disguise its actions and bypass ransomware protections that are already deployed on a victim machine.
Snort SIDs: 54685 - 54692
Title: Microsoft fixes vulnerabilities in Azure Sphere
Description: Cisco Talos researchers recently discovered seven vulnerabilities in Microsoft's Azure Sphere, a cloud-connected SoC platform designed specifically with IoT application security in mind. The infrastructure around the Azure Sphere platform is Microsoft's Azure Sphere cloud, which takes care of secure updates, app deployment, and periodic verification of device integrity. Internally, the SoC is made up of several ARM cores that have different roles. The researchers discovered two chainable vulnerabilities within Azure Sphere that, assuming an attacker could flash a malicious application, would allow arbitrary writes anywhere in the /mnt/config partition, resulting in further privilege escalation.
References: https://blog.talosintelligence.com/2020/07/vuln-spotlight-azure-sphere-july-2020.html
Snort SIDs: 54501 - 53504
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Police arrested a 17-year-old on charges related to their alleged involvement in a recent massive Twitter hack.
https://www.vice.com/en_us/article/dyzwnw/cops-arrest-17-year-old-suspect-in-massive-twitter-hack
The European Union levied its first ever sanctions over a cyber attack, formally charging actors from China, Russia and North Korea, including those involved with the NotPetya attack in 2017.
A new vulnerability discovered in many physical devices could allow ransomware to remain on a victim machine even after a Secure Boot restart.
https://www.cyberscoop.com/secure-boot-flaw-grub-vulnerability-eclypsium/
Adversaries were able to break into Zoom meetings by brute-forcing meeting passwords until the company placed a limit on how many times a user could enter an incorrect password before being locked out.
https://www.tomanthony.co.uk/blog/zoom-security-exploit-crack-private-meeting-passwords/
Rite Aid reportedly started using facial recognition technology in stores in New York City and Los Angeles eight years ago, primarily targeting low-income neighborhoods.
https://www.reuters.com/investigates/special-report/usa-riteaid-software/
A new report suggests Garmin may have made a large extortion payment in exchange for a decryption code after a recent ransomware attack.
https://www.engadget.com/garmin-cyber-attack-ransomware-payment-180211805.html
Security researchers found a bevy of vulnerabilities in the automated robots many manufacturing companies are using in their production lines.
In the continuing TikTok saga, Microsoft expressed interest in buying the social media app's American operations so that it can continue operating after multiple threats of a ban from U.S. President Donald Trump.
https://www.cnn.com/2020/08/03/tech/tiktok-acquisition-trump-treasury/index.html
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-3382
Title: Cisco Data Center Network Manager Authentication Bypass Vulnerability
Vendor: Cisco
Description: The vulnerability is due to insufficient validation of user input on the web management interface. An attacker could exploit this vulnerability by submitting a malicious request to an affected system. An exploit could allow the attacker to gain administrative-level privileges on the system. The attacker needs a valid username to exploit this vulnerability.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-10713
Title: GRUB2 bootloader Buffer Overflow Vulnerability
Vendor: Multi-Vendor
Description: A flaw was found in grub2 where an attacker may use it to hijack and tamper with the GRUB verification process. This flaw also allows the bypass of Secure Boot protections. In order to load an untrusted or modified kernel, an attacker would first need to establish access to the system, such as gaining physical access, obtaining the ability to alter a PXE boot network, or having remote access to a networked system with root access. With this access, an attacker could then craft a string to cause a buffer overflow by injecting a malicious payload that leads to arbitrary code execution within GRUB. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-3187
Title: Cisco ASA Software and FTD Software Web Services Path Traversal Vulnerability
Vendor: Cisco
Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences.
CVSS v3 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
ID: CVE-2020-3452
Title: Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability
Vendor: Cisco
Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ID: CVE-2020-8163
Title: Ruby On Rails Remote Code Execution Vulnerability
Vendor: Ruby On Rails
Description: This is a code injection vulnerability that would allow an attacker who controls the "locals" argument of a "render" call to achieve remote code execution.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-4534
Title: IBM WebSphere Application Server Remote Code Execution Vulnerability
Vendor: IBM
Description: IBM WebSphere Application Server could allow a local authenticated attacker to gain elevated privileges on the system, caused by improper handling of UNC paths. By scheduling a task with a specially-crafted UNC path, an attacker could exploit this vulnerability to execute arbitrary code with higher privileges.
CVSS v3 Base Score: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-8607
Title: Trend Micro Rootkit Driver Input Validation Vulnerability
Vendor: Trend Micro
Description: An input validation vulnerability found in multiple Trend Micro products utilizing a particular version of a specific rootkit protection driver could allow an attacker in user-mode with administrator permissions to abuse the driver to modify a kernel address that may cause a system crash or potentially lead to code execution in kernel mode. An attacker must already have obtained administrator access on the target machine (either legitimately or via a separate unrelated attack) to exploit this vulnerability.
CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-3698
Title: Qualcomm Out-Of-Bounds Memory Corruption Vulnerability
Vendor: Qualcomm
Description: An out-of-bounds write occurs in the QoS DSCP mapping component due to improper input validation of data received in an association response frame, in Qualcomm Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music and Snapdragon Wearables (Chip Software).
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES July 30 - Aug. 6:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: e66d6d13096ec9a62f5c5489d73c0d1dd113ea4668502021075303495fd9ff82
MD5: f0fdc17674950a4eaa4bbaafce5007f6
VirusTotal: https://www.virustotal.com/gui/file/e66d6d13096ec9a62f5c5489d73c0d1dd113ea4668502021075303495fd9ff82/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Auto:e66d6d1309.in03.Talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7
MD5: 73d1de319c7d61e0333471c82f2fc104
VirusTotal: https://www.virustotal.com/gui/file/32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7/details
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name: Win.Dropper.Segurazo::tpd
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters), or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743