@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that ensures the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) remain the most effective defenses for all known attack vectors. Because it is also valuable for security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who want to stay current with the offensive methods in use.
August 27, 2020
=============================================================
@RISK: The Consensus Security Vulnerability Alert
August 27, 2020 - Vol. 20, Num. 35
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Aug. 20 - 27
============================================================
TOP VULNERABILITY THIS WEEK: Azure Sphere fixes privilege escalation, code execution vulnerabilities
******************** Sponsored By SANS *********************
SANS Survey | Take the SANS Cloud Security Survey for an opportunity to win a $150 Amazon gift card | This survey is designed to summarize data in three generalized areas including demographics, cloud architecture, and cloud security. The primary goal of this survey is to better understand if security professionals feel cloud-native security tooling is equivalent to industry-leading security tools, and the decisions behind adoption. | Results will be shared during a webcast on December 15 @ 1:00 PM EST
| http://www.sans.org/info/217430
============================================================
TRAINING UPDATE
OnDemand | Live Online | In-Person:
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
- https://www.sans.org/cyber-security-training-events/in-person/north-america
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
OnDemand Training Special Offer: Get a GIAC Certification Attempt Included or Take $350 Off through September 2 for qualified OnDemand, Live Online, or In-Person Courses.
- https://www.sans.org/ondemand/specials
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online
- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020
SANS Network Security 2020 | September 20-25 | Live Online
- https://www.sans.org/event/network-security-2020
SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Live Online
- https://www.sans.org/event/northern-va-reston-fall-2020
Oil & Gas Cybersecurity Summit | October 2-10 | Live Online
- https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/
SANS Cyber Defense Initiative(R) 2020 | Dec 14-19 | Washington, DC or Live Online
- https://www.sans.org/event/cyber-defense-initiative-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Free two-day virtual event | Mark your calendars to ensure that you're attending the SANS Cyber Solutions Fest 2020 which is the largest solutions focused virtual event of the year! This event features 4 tracks which will be chaired by top SANS experts. Talks will include case studies, demos, and discussions revolving around solutions in the marketplace. We'll see you there! Plus prize drawings, games and much more.| October 8-9, 2020
| http://www.sans.org/info/217435
2) Webcast | Make sure to tune in for, "Ask the IoT/OT Security Experts: Industrial Cyber Resilience Beyond Covid-19". In our upcoming webcast, hosted by CyberX we will discuss: What cybersecurity teams learned during the initial response to Covid-19, How they implemented IoT/OT cybersecurity best practices without disrupting business operations, and Recommendations for minimizing cyber attacks during this challenging time. | September 3 @ 10:30 AM EDT
| http://www.sans.org/info/217440
3) Webcast | Join SANS senior instructor, Jake Williams as he chairs our upcoming webcast, "Threat Hunting for Visibility" to discuss Threat Hunting and the proactive pursuit and elimination of adversaries before they cause damage and how loss can help analysts and security teams better understand where important assets reside. | September 10 @ 3:30 PM EDT
| http://www.sans.org/info/217445
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft issues security update fixing vulnerabilities in Azure Sphere
Description: Cisco Talos researchers recently discovered multiple vulnerabilities in Microsoft's Azure Sphere, a cloud-connected custom SoC platform designed specifically with IoT application security in mind. Internally, the SoC is made up of several ARM cores with different roles (e.g. running different types of applications, enforcing security, and managing encryption); externally, the Azure Sphere platform is supported by Microsoft's Azure Sphere cloud, which handles secure updates and app deployment and periodically verifies device integrity to decide whether the device should be allowed cloud access. Talos discovered four vulnerabilities in Azure Sphere: two could lead to unsigned code execution and the other two to privilege escalation.
References: https://blog.talosintelligence.com/2020/08/vuln-spotlight-microsoft-azure-aug-2020.html
Snort SIDs: 54645, 54646, 54729, 54730
Title: Cross-site scripting bug affects open-source CMS, used by many WordPress sites
Description: TinyMCE recently disclosed a vulnerability that could have allowed attackers to completely take over some websites. The open-source content management system and text editor fixed a high-severity cross-site scripting vulnerability. An attacker could input specific HTML code into a forum on an affected website to exploit this vulnerability, allowing them to take control of the websites. Security researchers suggest thousands of sites could be affected.
References: https://threatpost.com/high-severity-tinymce-cross-site-scripting-flaw-fixed/158306/
Snort SIDs: 54815, 54816
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The U.S. Department of Homeland Security recently discovered multiple fake websites that could be used to spread fake news prior to the November election.
Google patched a vulnerability in Gmail that could have allowed attackers to spoof emails from any sender, making them appear legitimate.
Companies are trying to figure out how best to protect their data and important documents as there's no end in sight for the work from home trend created by the COVID-19 pandemic. (Please note: this story is behind a paywall.)
A hacktivist group claims to have uncovered information belonging to three Chinese companies that spy on social media users' profiles; Twitter quickly banned the group for violating its hacked documents policy.
Credit reporting agency Experian recently exposed the data of 24 million South African users after attackers tricked company representatives into handing over the information.
https://www.cyberscoop.com/experian-south-africa-breach-sabric/
The U.S. District Court in San Francisco unveiled charges against Uber's former security chief for allegedly trying to cover up a massive data breach in 2016 that affected more than 50 million Uber drivers and passengers.
https://www.nytimes.com/2020/08/20/technology/joe-sullivan-uber-charged-hack.html
The FBI and U.S. CISA issued a joint warning alerting private companies and government agencies to a voice-phishing campaign that aims to steal VPN credentials and use them to steal data from company databases.
https://krebsonsecurity.com/2020/08/fbi-cisa-echo-warnings-on-vishing-threat/
A former Apple engineer alleges that the company secretly worked with the United States government to build a special version of the iPod that could have collected users' data.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-1147
Title: Microsoft SharePoint Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in .NET Framework, Microsoft SharePoint, and Visual Studio when the software fails to check the source markup of XML file input. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the process responsible for deserialization of the XML content.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-1530
Title: Microsoft Windows Remote Access Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when Windows Remote Access improperly handles memory. To exploit this vulnerability, an attacker would first have to gain execution on the victim system. An attacker could then run a specially crafted application to elevate privileges.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1380
Title: Microsoft Scripting Engine Memory Corruption Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-6519
Title: Google Chrome Arbitrary Code Execution Vulnerability
Vendor: Google
Description: Policy bypass in CSP in Google Chrome allowed a remote attacker to bypass content security policy via a crafted HTML page. It could allow attackers to bypass the Content Security Policy (CSP) on websites, in order to steal data and execute rogue code.
CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
ID: CVE-2020-3506
Title: Cisco IP Cameras Cisco Discovery Protocol Remote Code Execution and Denial of Service Vulnerabilities
Vendor: Cisco
Description: Multiple vulnerabilities in the Cisco Discovery Protocol implementation for Cisco Video Surveillance 8000 Series IP Cameras could allow an unauthenticated, adjacent attacker to execute code remotely or cause a reload of an affected IP camera. These vulnerabilities are due to missing checks when the IP cameras process a Cisco Discovery Protocol packet. An attacker could exploit these vulnerabilities by sending a malicious Cisco Discovery Protocol packet to the targeted IP camera.
CVSS v3 Base Score: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-15858
Title: Cinterion Java Modules Vulnerability
Vendor: Cinterion
Description: This security vulnerability could potentially allow attackers with physical access to the device to compromise certain assets stored in the Cinterion modules' flash file system, such as customer Java MIDlet byte code, TLS credentials or OTAP configuration data.
CVSS v3 Base Score: 6.2 (AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L)
ID: CVE-2020-3398
Title: Cisco NX-OS Software Border Gateway Protocol Multicast VPN Session Denial of Service Vulnerability
Vendor: Cisco
Description: A vulnerability in the Border Gateway Protocol (BGP) Multicast VPN (MVPN) implementation of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a BGP session to repeatedly reset, causing a partial denial of service condition due to the BGP session being down. The vulnerability is due to incorrect parsing of a specific type of BGP MVPN update message. An attacker could exploit this vulnerability by sending this BGP MVPN update message to a targeted device. A successful exploit could allow the attacker to cause the BGP peer connections to reset, which could lead to BGP route instability and impact traffic.
CVSS v3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
=========================================================
MOST PREVALENT MALWARE FILES Aug. 20 - 27:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eter.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
SHA 256: 7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36
MD5: adad179db8c67696ac24e9e11da2d075
VirusTotal: https://www.virustotal.com/gui/file/7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: W32.7F9446709F-100.SBX.VIOC
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters), or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743