@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
August 20, 2020=============================================================
@RISK: The Consensus Security Vulnerability Alert
August 20, 2020 - Vol. 20, Num. 34
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Aug. 13 - 20
============================================================
TOP VULNERABILITY THIS WEEK: Widespread Taidoor malware makes a comeback
******************** Sponsored By SANS *********************
Webcast | August 27th @ 2:00 pm EDT | Join SANS Instructor Dave Shackleford and AWS Solutions Architect, Chris Chapman, as they present "How to achieve security visibility at scale in the AWS Cloud". In this webinar, SANS and AWS Marketplace will explore how security teams can leverage solutions to create visibility at scale that will allow you to do more with your data and improve your security posture.
| http://www.sans.org/info/217370
============================================================
TRAINING UPDATE
SANS now offers THREE ways to complete a course:
OnDemand | Live Online | In-Person:
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
- https://www.sans.org/cyber-security-training-events/in-person/north-america
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
OnDemand Training Special Offer: Get a GIAC Certification Attempt Included or Take $350 Off through September 2.
- https://www.sans.org/ondemand/specials
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online
- https://www.sans.org/event/baltimore-fall-2020
Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online
- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020
SANS Network Security 2020 | September 20-25 | Live Online
- https://www.sans.org/event/network-security-2020
SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Live Online
- https://www.sans.org/event/northern-va-reston-fall-2020
- Oil & Gas Cybersecurity Summit | October 2-10 | Live Online
https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Webcast | We invite you to join cloud security expert, Dave Shackleford as he hosts, "Securing Lift-and-Shift Cloud Migrations", a webcast designed to help you better understand how to adapt your security strategy to address new security requirements for lift-and-shift migrations. | August 26 @ 1:00 PM EDT
| http://www.sans.org/info/217375
2) Webcast | Tune into our upcoming webcast, "Making the Digital Transformation: Re-evaluating your Security - How Automated Static Analysis Solves the Next Gen Security Challenges" | August 27 @ 10:30 AM EDT
| http://www.sans.org/info/217385
3) Webcast| Join NetEnrich and IBM for an outcome-driven look at the new approach regarding SOC-aaS in our upcoming webcast, "To build or not to build: Can SOC-aaS bridge your security skills gap?" | August 27 @ 1:00 PM EDT
| http://www.sans.org/info/217380
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: American intelligence agencies warn of uptick in Taidoor infections
Description: American intelligence agencies released a joint statement last week warning government agencies, contractors and think tanks of the Taidoor malware. Taidoor is believed to date back to 2008, having been spotted in the wild since 2012. The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, the Department of Defense's Cyber Command (CyberCom), and the FBI issued a joint statement outlining the new strain of malware, which masks its communication with a command and control (C2) server. The RAT carries out multiple espionage activities, including exfiltrating files.
Snort SIDs: 54801
Title: Linux malware used to infiltrate sensitive networks
Description: A new malware strain believed to originate from Russian state-sponsored actors is targeting networks that hold sensitive intelligence information. Known as Drovorub, CISA says the malware has gone undetected until recently, spying on networks and exfiltrating sensitive information. Drovorub is a fully functioning toolkit that includes the ability to infect Linux devices, a kernel to gain persistence and avoid detection, a server that reaches out to a C2 and an agent to act as an intermediary between infected machines and attacker-controlled servers. Linux users are urged to upgrade to version 3.7 or later.
Snort SIDs: 54793
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The American Election Assistance Commission is asking one of the country's largest polling machine production companies to remove a claim from its products that implies they are EAC-certified.
https://www.politico.com/news/2020/08/13/election-voting-machine-misleading-claims-394891
The Tor browser warned users that it detected some exit relays monitoring outbound traffic in May and July, HTTP connections to certain cryptocurrency websites and preventing them from accessing the HTTPS versions of the sites.
https://blog.torproject.org/bad-exit-relays-may-june-2020
An alleged killswitch for the Emotet botnet has reportedly been circulating for six months, and the creator says administrators could use it to discover the exact moment Emotet infects their networks.
Oracle has now entered the race to purchase TikTok's American operations as the popular social media app tries to avoid a ban from U.S. app stores.
https://www.cnbc.com/2020/08/17/oracle-is-in-talks-to-acquire-tiktoks-us-operations-source-says.html
The Canadian government had to shut down access to some online resources over the weekend, including some sites that provides information on COVID-19 relief, after a credential-stuffing attack.
https://www.cnn.com/2020/08/17/tech/cyberattack-canada-government-accounts/index.html
The Cybersecurity and Infrastructure Security Agency says it has seen a recent uptick in attacks delivering Microsoft Word documents containing the KONNI remote access trojan.
https://us-cert.cisa.gov/ncas/alerts/aa20-227a
An upcoming version of the Google Chrome web browser will warn users if there are any forms on HTTPS sites that are not secure.
https://9to5google.com/2020/08/17/chrome-insecure-forms-warning/
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-1147
Title: Microsoft Sharepoint Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-1464
Title: Microsoft Windows Spoofing Vulnerability
Vendor: Microsoft
Description: A spoofing vulnerability exists when Windows incorrectly validates file signatures. An attacker who successfully exploited this vulnerability could bypass security features and load improperly signed files. In an attack scenario, an attacker could bypass security features intended to prevent improperly signed files from being loaded
CVSS v3 Base Score: 5.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L)
ID: CVE-2020-9715
Title: Adobe Acrobat Reader User After Free Vulnerability
Vendor: Adobe
Description: A use-after-free vulnerability could allow remote attackers to execute arbitrary code on affected installations of Adobe Acrobat Reader DC. The specific flaw exists within the handling of ESObject data objects. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current process.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-3411
Title: Cisco DNA Center Information Disclosure Vulnerability
Vendor: Cisco
Description: A vulnerability in Cisco DNA Center software could allow an unauthenticated remote attacker access to sensitive information on an affected system. The vulnerability is due to improper handling of authentication tokens by the affected software. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exploit could allow the attacker access to sensitive device information, which includes configuration files.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ID: CVE-2020-3698
Title: Qualcomm Out-Of-Bounds Memory Corruption Vulnerability
Vendor: Qualcomm
Description: An Out of bound write happens in the component QoS DSCP when mapping due to improper input validation for data received from association response frame in Qualcomm Snapdragon Auto, Snapdragon Compute, Snapdragon Consumer Electronics Connectivity, Snapdragon Consumer IOT, Snapdragon Industrial IOT, Snapdragon Mobile, Snapdragon Voice & Music and Snapdragon Wearables (Chip Software).
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2019-16759
Title: vBulletin Remote Code Execution Vulnerability
Vendor: vBulletin
Description: vBulletin allows remote command execution via the widgetConfig[code] parameter in an ajax/render/widget_php routestring request. The vulnerability was disclosed through an 18-line exploit that was published on Monday by an unidentified person. The exploit allows unauthenticated attackers to remotely execute malicious code on just about any vBulletin server.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-3433
Title: Cisco AnyConnect Secure Mobility Client for Windows DLL Hijacking Vulnerability
Vendor: Cisco
Description: A vulnerability in the interprocess communication (IPC) channel of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated, local attacker to perform a DLL hijacking attack. The vulnerability is due to insufficient validation of resources that are loaded by the application at run time. A successful exploit could allow the attacker to execute arbitrary code on the affected machine with SYSTEM privileges.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES Aug. 13 - 20:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8
MD5: 179c09b866c9063254083216b55693e6
VirusTotal: https://www.virustotal.com/gui/file/449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.File.Segurazo::95.sbx.tg
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eter.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 9836cf123caa799eaf57a449ba6da0cdecf0445f58a8238fa0d98b19e93cdb22
MD5: 26b2996b69542d039c303e2fee6dac81
VirusTotal: https://www.virustotal.com/gui/file/9836cf123caa799eaf57a449ba6da0cdecf0445f58a8238fa0d98b19e93cdb22/details
Typical Filename: 226a60f6-4340-45e9-9b01-d95106369b83
Claimed Product: N/A
Detection Name: W32.9836CF123C-100.SBX.TG
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743