
@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who hope to stay current with the offensive methods in use.

August 13, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                    August 13, 2020 - Vol. 20, Num. 33


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Aug. 6 - 13

============================================================


TOP VULNERABILITY THIS WEEK: Vulnerabilities in Microsoft scripting engine, Media Foundation among Patch Tuesday fixes


******************** Sponsored By AWS Marketplace ********************


August 20th @ 2:00 pm EDT | Understanding adversary tactics is critical to building more effective threat detection and hunting capabilities. Join industry experts Dave Shackleford and Ross Warren as they present "How to improve threat detection and hunting in the AWS Cloud using the MITRE ATT&CK Matrix". During this webinar, they will discuss the exercise of applying MITRE's ATT&CK Matrix to the AWS Cloud. They will also explore how to enhance threat detection and hunting in an AWS environment to maintain a strong security posture.

| http://www.sans.org/info/217285


============================================================

TRAINING UPDATE


Best Special Offers of the Year for OnDemand are Ending Soon: Choose an iPad Pro with Apple Pencil, Surface Go 2, or Take $300 Off through August 19.


- https://www.sans.org/ondemand/specials



SANS now offers THREE ways to complete a course:



OnDemand | Live Online | In-Person:


- https://www.sans.org/ondemand/


- https://www.sans.org/live-online


- https://www.sans.org/cyber-security-training-events/in-person/north-america



Keep your skills sharp with SANS Online Training:


- The world's top cybersecurity courses


- Taught by real world practitioners


- Ideal preparation for more than 30 GIAC Certifications



Top OnDemand Courses


SEC401: Security Essentials Bootcamp Style


- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling


- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling


SEC560: Network Penetration Testing and Ethical Hacking


- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking


______________________



Upcoming In-Person and Live Online Events:



SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online


- https://www.sans.org/event/baltimore-fall-2020



Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online


- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020



SANS Network Security 2020 | September 20-25 | Live Online


- https://www.sans.org/event/network-security-2020



SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Reston, VA or Live Online


- https://www.sans.org/event/northern-va-reston-fall-2020


______________________


Test drive a course: https://www.sans.org/course-preview



View the full SANS course catalog and skills roadmap.


- https://www.sans.org/cyber-security-courses


- https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Free Virtual Event | Attend SANS Cyber Solutions Fest 2020, one of our marquee two-day events featuring 4 unique tracks, ongoing tech-talks, chat rooms where attendees can communicate with the speakers and each other, prize giveaways, and more. This is one event that you won't want to miss. Register now to reserve your place!

| http://www.sans.org/info/217290


2) Webcast | August 19th @ 12:00 PM EDT | Security analysts need to be putting their data to use instead of drowning in it.  Join SANS expert Matt Bromiley and Fred Wilmot as they explore techniques for bringing together disparate data sets for analyst consumption. | http://www.sans.org/info/217320


3) Virtual Forum | August 28 @ 10:30 AM EDT | Join SANS instructor Ismael Valenzuela, co-author of Security 530: Defensible Security Architecture and Engineering, as he chairs a one-day solutions forum of security professionals that will share their experience and provide specific advice on how to implement Zero Trust strategies.

| http://www.sans.org/info/217305


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft disclosed 16 critical vulnerabilities as part of Patch Tuesday

Description: Microsoft released its monthly security update Tuesday, disclosing 120 vulnerabilities across its array of products. Sixteen of the vulnerabilities are considered "critical," including one that Microsoft says is currently being exploited in the wild. Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs. Microsoft Media Foundation contains the largest number of these critical vulnerabilities. The bugs (CVE-2020-1379, CVE-2020-1477, CVE-2020-1492, CVE-2020-1525 and CVE-2020-1554) could all allow an adversary to corrupt memory in a way that would allow them to execute code remotely on the victim machine. Any of these vulnerabilities could be triggered if the target opens a specially crafted document or web page.

References: https://blog.talosintelligence.com/2020/08/microsoft-patch-tuesday-aug-2020.html

Snort SIDs: 54733 - 54746, 54753, 54754


Title: Cisco reports high-severity vulnerabilities in AnyConnect VPN, small business switches and routers

Description: Cisco warned users last week to update multiple lines of switches and routers, as well as the company's VPN client. Some of the affected products could be force-rebooted and knocked offline. The AnyConnect VPN client for Windows also has a bug that could allow an adversary to perform a dynamic link library (DLL) hijacking attack: a malicious user who had already obtained credentials for the targeted Windows system could use it to execute malicious code with SYSTEM-level privileges.

References: https://www.zdnet.com/article/cisco-alert-four-high-severity-flaws-in-routers-switches-and-anyconnect-vpn-for-windows/

Snort SIDs: 54698 - 59702


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Several speakers at DEF CON and Black Hat last week emphasized the unique challenges COVID-19 poses to securing the upcoming U.S. election while maintaining voter turnout.

https://www.cnet.com/news/coronavirus-creates-new-election-threats-experts-warn-at-black-hat/


Some states are still working to do away with paperless voting machines, which pose a significant security threat, but progress has been piecemeal.

https://www.politico.com/interactives/2019/election-security-americas-voting-machines/


A secret document shared within the White House suggested that Russia once again wants to influence the 2020 election in a way that helps current president Donald Trump get reelected.

https://www.nytimes.com/2020/08/08/magazine/us-russia-intelligence.html


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) finalized a directive requiring civilian federal agencies to adopt vulnerability disclosure policies, which will help researchers find and report security flaws in federal government websites.

https://www.nextgov.com/cybersecurity/2020/08/cisa-finalized-directive-vulnerability-disclosure-policies-congressman-says/167530/


A small company with connections to the US military and intelligence communities reportedly embeds its SDK in popular apps to track users' locations and then sell the data. (Please note that this story is behind a paywall.)

https://www.wsj.com/articles/u-s-government-contractor-embedded-software-in-apps-to-track-phones-11596808801


Some hospitals in California sent unencrypted COVID-19 patient information over their pager networks.

https://www.cnet.com/news/hospitals-leaked-personal-details-of-covid-19-patients-on-unencrypted-system/


A flaw in a Windows file dating back to 2000 could be used to halt the Print Spooler service, which handles communication between Windows machines and printers.

https://www.cyberscoop.com/windows-print-spooler-safebreach-black-hat/


In the latest in the developing TikTok saga, the social media app is reportedly planning to file a lawsuit over an executive order that would ban TikTok from US app stores.

https://www.theverge.com/2020/8/8/21360101/tiktok-lawsuit-trump-ban-executive-order


Some Qualcomm chips spanning multiple generations contain a combined 400-some vulnerabilities, the most severe of which could allow attackers to spy on users' personal information contained on smartphones made by the likes of Google and Samsung.

https://www.cyberscoop.com/400-vulnerabilities-qualcomm-snapdragon-chips-check-point-def-con-2020/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.





ID:        CVE-2020-1464

Title:  Microsoft Windows Spoofing Vulnerability

Vendor: Microsoft

Description: A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features intended to prevent improperly signed files from being loaded.

CVSS v3 Base Score: 5.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)


ID:        CVE-2020-3382

Title:  Pi-hole Remote Code Execution

Vendor: Pi-hole

Description: Pi-hole is a DNS server specialized in content filtering and is affected by a remote code execution vulnerability. An authenticated user of the web portal can execute arbitrary commands on the underlying server with the privileges of the local user running the service.

CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-3187

Title:  Cisco ASA Software and FTD Software Web Services Path Traversal Vulnerability

Vendor: Cisco

Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences.

CVSS v3 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)


ID:        CVE-2020-3452

Title:  Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability

Vendor: Cisco

Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
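The two ASA/FTD entries above describe the same attack primitive: a crafted HTTP request whose URL carries directory traversal sequences. The following is an added example, written for this issue and not taken from the newsletter, from Cisco or from Talos, of the log-side check a defender would run over web server access logs for that class of request. It is deliberately generic to the traversal class rather than specific to the ASA/FTD request format, which this newsletter does not reproduce. It normalises the request target before matching (lower-cases hex escapes, folds the classic overlong UTF-8 encodings of "." and "/", percent-decodes repeatedly to catch double encoding, and unifies backslashes), then only flags ".." where it forms a whole path component or parameter value, so a benign "v2..latest" segment does not fire. The log lines, addresses and paths are constructed for the example; the log format assumed is the common Apache/nginx "combined" layout.

```python
import re
from urllib.parse import unquote

# Overlong / non-standard encodings of "." "/" and "\" that plain percent-decoding
# does not reduce to ASCII (the classic IIS-era bypasses). Folded before decoding.
OVERLONG = {
    "%c0%ae": ".",
    "%c0%2e": ".",
    "%e0%80%ae": ".",
    "%c0%af": "/",
    "%c1%9c": "\\",
    "%c1%1c": "\\",
}

# ".." only matters when it is a whole path component or a whole parameter value:
# require start-of-string or one of "/", "=", "&", "?" before it, and "/", ";" or
# end-of-string after it. "v2..latest" does not match; "/..;/" (servlet-container
# trick) does.
DOTDOT = re.compile(r"(?<![^/=&?])\.\.(?=[/;]|$)")


def normalize_target(raw: str) -> str:
    """Canonicalise a request target: lower-case hex escapes, fold overlong
    encodings, percent-decode until stable (bounded), unify "\\" to "/"."""
    s = re.sub(r"%[0-9a-fA-F]{2}", lambda m: m.group(0).lower(), raw)
    for enc, plain in OVERLONG.items():
        s = s.replace(enc, plain)
    for _ in range(3):  # %25-chains deeper than two levels are not worth chasing here
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s.replace("\\", "/")


def is_traversal(raw_target: str) -> bool:
    """True if the request target contains a traversal sequence after normalisation."""
    return DOTDOT.search(normalize_target(raw_target)) is not None


# Apache/nginx combined-style line: client, ident, user, [timestamp], "METHOD target proto", status
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def scan_access_log(lines):
    """Return (client_ip, raw_target) for every request flagged as traversal.
    The status code is ignored on purpose: a 404 on one path says nothing about
    the same client's next attempt."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, _status = m.groups()
        if is_traversal(target):
            hits.append((ip, target))
    return hits


# Constructed sample log lines (not real traffic). First and last are benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2020:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024',
    '203.0.113.9 - - [10/Aug/2020:14:02:12 +0000] "GET /images/../../../etc/passwd HTTP/1.1" 404 0',
    '203.0.113.9 - - [10/Aug/2020:14:02:13 +0000] "GET /a/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0',
    '203.0.113.9 - - [10/Aug/2020:14:02:14 +0000] "GET /a/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 0',
    '203.0.113.9 - - [10/Aug/2020:14:02:15 +0000] "GET /a/..%5c..%5cwindows/win.ini HTTP/1.1" 404 0',
    '198.51.100.4 - - [10/Aug/2020:14:02:16 +0000] "GET /x?file=..%2f..%2fetc%2fhosts HTTP/1.1" 200 310',
    '203.0.113.12 - - [10/Aug/2020:14:02:17 +0000] "GET /docs/v2..latest/changes.html HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, target in scan_access_log(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target}")
```

Two design points worth noting. Matching is done on the decoded form rather than on a list of encoded signatures, because the attacker chooses the encoding and the server decodes it; a signature for "%2e%2e/" alone misses "%252e%252e/" and "..%5c". The ".." test is anchored to component boundaries so that version strings and file names containing two dots are not reported, which is the usual source of noise when this check is run across a large estate.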


ID:        CVE-2020-1380

Title:  Microsoft Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. An attacker could also embed an ActiveX control marked "safe for initialization" in an application or Microsoft Office document that hosts the IE rendering engine.

CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID:        CVE-2020-3698

Title:  Qualcomm Out-Of-Bounds Memory Corruption Vulnerability

Vendor: Qualcomm

Description: An out-of-bounds write occurs in the QoS DSCP mapping component because of improper input validation of data received in an association response frame, in Qualcomm Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music and Snapdragon Wearables (chip software). Because an association response is an 802.11 management frame sent by the access point, the attacker position is a malicious or spoofed access point within Wi-Fi range of the device.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1339

Title:  Microsoft Windows Media Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists when Windows Media Audio Codec improperly handles objects. An attacker who successfully exploited the vulnerability could take control of an affected system. There are multiple ways an attacker could exploit the vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit a malicious webpage.

CVSS v3 Base Score: 7.3 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N)




=========================================================


MOST PREVALENT MALWARE FILES Aug. 6 - 13:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743