@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
September 3, 2020
=============================================================
@RISK: The Consensus Security Vulnerability Alert
September 03, 2020 - Vol. 20, Num. 36
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Aug. 27 - Sept. 3
============================================================
TOP VULNERABILITY THIS WEEK: LockBit, other ransomware continue to dominate malware landscape
********************* Sponsored By SANS *********************
Free two-day virtual event | Mark your calendars for the largest two-day virtual event in SANS history!! The SANS Cyber Solutions Fest 2020 features 4 unique solutions tracks which will be chaired by top SANS experts. Talks will include case studies, demos, and discussions revolving around solutions in the marketplace. We'll see you there! | October 8-9, 2020
| http://www.sans.org/info/217500
============================================================
TRAINING UPDATE
SANS now offers THREE ways to complete a course:
OnDemand | Live Online | In-Person:
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
- https://www.sans.org/cyber-security-training-events/in-person/north-america
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
OnDemand Training Special Offer: Get a 10.2" iPad, or Galaxy Tab A, or take $250 off with qualified OnDemand courses through September 16.
- https://www.sans.org/ondemand/specials
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online
- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020
SANS Network Security 2020 | September 20-25 | Live Online
- https://www.sans.org/event/network-security-2020
Oil & Gas Cybersecurity Summit | October 2-10 | Live Online
- https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/
SANS Cyber Defense Initiative(R) 2020 | Dec 14-19 | Washington, DC or Live Online
- https://www.sans.org/event/cyber-defense-initiative-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) SANS 2021 CTI Survey | The SANS 2021 CTI Survey builds on the trends in CTI from previous CTI surveys to provide guidance on how organizations are expanding their use of CTI, leading into how an organization can get the most out of CTI. We invite you to complete the 2021 SANS CTI Survey to be entered into our drawing, one lucky winner will receive a $150 Amazon gift card! | Survey closes on October 7
| http://www.sans.org/info/217505
2) Webcast | We invite you to join our upcoming webcast titled "Securing Common Web-Framework Stacks". This webinar, hosted by Doug Britton, CTO of RunSafe Security, will show you ways of automatically immunizing popular web framework building blocks from memory corruption risks, which comprise 40% of the CVEs in this code base. | September 15 @ 2:00 PM EDT
| http://www.sans.org/info/217510
3) Webcast | Join StratoZen and SANS instructor Matt Bromiley as they present "SOAR Pitfall Avoidance" to learn from specific examples of where companies have gone wrong with SOAR, and from others where SOAR, done correctly, has brought companies great success. | September 17 @ 1:00 PM EDT
| http://www.sans.org/info/217520
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Ransomware families LockBit, Maze headline ransomware dominance
Description: Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape over the past quarter, according to a new report. Infections involved a wide variety of malware families including LockBit and Maze, among others. Sixty-six percent of all ransomware attacks this quarter involved the red-teaming framework Cobalt Strike, suggesting that ransomware actors are increasingly relying on the tool as they abandon commodity trojans. CTIR reports a rise in ransomware actors engaging in data exfiltration and even observed the new cartel formed by Maze and other ransomware operations in action.
References: https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html
Snort SIDs: 54910 - 54917 (Protect against the LockBit ransomware)
Title: Emotet starts using new Word lure document
Description: The Emotet botnet continues to evolve, and now uses a Microsoft Word template to spread its malware. Known as "Red Dawn," the new infection method involves the user downloading a Word file, and then the file prompts them to enable macros to read the document. If enabled, the macros then download Emotet onto the victim's machine. Emotet spam emails try to entice users with information on COVID-19, financial documents or package tracking.
References: https://www.bleepingcomputer.com/news/security/emotet-malwares-new-red-dawn-attachment-is-just-as-dangerous/
Snort SIDs: 54900, 54901
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Tesla CEO Elon Musk appeared to confirm on Twitter that his company was the alleged target of a Russian national who tried to recruit an employee to install malware on the company's network.
https://techcrunch.com/2020/08/27/elon-musk-confirms-tesla-was-target-of-foiled-ransomware-attack/
Several private investigators say loopholes in state Department of Motor Vehicles rules that allow the agencies to sell data are too broad and could be exploited by threat actors.
Canadian police are increasingly relying on controversial algorithms to try and predict where crimes might occur, which people are at high risk of disappearing and where officers should be patrolling, according to a new report.
Service problems with ISP CenturyLink over the weekend led many internet users to grow concerned that U.S. networks were hit with denial-of-service attacks; web infrastructure company Cloudflare and CenturyLink clarified the cause of the outages.
https://www.theverge.com/2020/8/30/21407429/cloudflare-down-websites-hulu-feedly-discord
Norwegian parliament was the victim of a cyber attack over the past week, according to the country's chief parliamentarian administrator, and several government officials had their emails hacked.
Following a tip from the FBI, Facebook removed another set of Groups that were spreading disinformation and fake news stories.
https://www.cnet.com/news/facebook-says-its-catching-russian-linked-fake-accounts-earlier/
The latest iOS update includes a full-fledged COVID-19 alert system that utilizes Bluetooth to track whether a user has come in contact with someone else who tests positive for the disease.
https://9to5mac.com/2020/09/01/covid-19-exposure-ios-13-7-built-in/
Private companies and government agencies in New Zealand are on high alert after the country's stock exchange was the target of a series of distributed denial-of-service (DDoS) attacks.
https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=12360876
Cisco disclosed two zero-day vulnerabilities in some carrier-grade routers that threat actors could use to cause a denial-of-service by sending code remotely.
The FBI says some Ring home security camera users can use their live video feeds to get early warnings of potential police raids, a change of pace for law enforcement agencies that are used to receiving crime-fighting information from Ring.
https://theintercept.com/2020/08/31/blueleaks-amazon-ring-doorbell-cameras-police/
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-1147
Title: Pulse Connect Secure Arbitrary Code Injection Vulnerability
Vendor: Pulse Secure
Description: A code injection vulnerability exists in Pulse Connect Secure that allows an attacker to craft a URI to perform arbitrary code execution via the admin web interface.
CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-3566
Title: Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities
Vendor: Cisco
Description: A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes.
CVSS v3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
ID: CVE-2019-17026
Title: Mozilla Firefox Type Confusion Vulnerability
Vendor: Mozilla
Description: Incorrect alias information in the IonMonkey JIT compiler for setting array elements could lead to a type confusion. Mozilla is aware of targeted attacks in the wild abusing this flaw. If a user were tricked into opening a specially crafted website in a browsing context, an attacker could potentially exploit this flaw to cause a denial of service, conduct cross-site scripting attacks, or execute arbitrary code.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-8913
Title: Google Android Play Core Library Arbitrary Code Execution Vulnerability
Vendor: Google
Description: A local, arbitrary code execution vulnerability exists in the SplitCompat.install endpoint in Android's Play Core Library. A malicious attacker could create an app which targets a specific application, and if a victim were to install this app, the attacker could perform a directory traversal, execute code as the targeted application and access the targeted application's data on the Android device.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-2674
Title: Oracle VM VirtualBox Arbitrary Code Execution Vulnerability
Vendor: Oracle
Description: Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle VM VirtualBox executes to compromise Oracle VM VirtualBox. While the vulnerability is in Oracle VM VirtualBox, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle VM VirtualBox.
CVSS v3 Base Score: 8.2 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-4589
Title: IBM WebSphere Application Server Remote Code Execution Vulnerability
Vendor: IBM
Description: IBM WebSphere Application Server could allow a remote attacker to execute arbitrary code on the system with a specially crafted sequence of serialized objects from untrusted sources.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-3398
Title: Cisco NX-OS Software Border Gateway Protocol Multicast VPN Session Denial of Service Vulnerability
Vendor: Cisco
Description: A vulnerability in the Border Gateway Protocol (BGP) Multicast VPN (MVPN) implementation of Cisco NX-OS Software could allow an unauthenticated, remote attacker to cause a BGP session to repeatedly reset, causing a partial denial of service condition due to the BGP session being down. The vulnerability is due to incorrect parsing of a specific type of BGP MVPN update message. An attacker could exploit this vulnerability by sending this BGP MVPN update message to a targeted device. A successful exploit could allow the attacker to cause the BGP peer connections to reset, which could lead to BGP route instability and impact traffic.
CVSS v3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
=========================================================
MOST PREVALENT MALWARE FILES Aug. 27 - Sept. 3:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743