@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
September 10, 2020=============================================================
@RISK: The Consensus Security Vulnerability Alert
September 10, 2020 - Vol. 20, Num. 37
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Sept. 3 - 10
============================================================
TOP VULNERABILITY THIS WEEK: Microsoft Patch Tuesday
*************** Sponsored By AWS Marketplace ******************
Want to learn "How to continuously monitor and assess your security posture in the AWS Cloud"? Join SANS Instructor, Dave Shackleford and AWS Solutions Architect, Nam Le as they present real-world examples that will help you secure your cloud control plane, identify misconfigurations, uncover security gaps, and enable you to better predict, prevent, and respond to events. | Free Webcast | Thursday, September 17th @ 2:00 EDT
| http://www.sans.org/info/217450
============================================================
TRAINING UPDATE
Popular OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Upcoming Interactive Training Events
Oil & Gas Cybersecurity Summit & Training - Live Online (Oct 2-10, CDT)
- https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/
SANS San Francisco Fall 2020 - Live Online (Oct 26-31, PDT)
- https://www.sans.org/event/san-francisco-fall-2020-live-online/
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
SANS OnDemand Special Offer
Get an iPad (32GB), Galaxy Tab A, or Take $250 Off with a qualifying OnDemand course.
- https://www.sans.org/ondemand/specials
********************** Sponsored Links: ********************
1) Earn 16 CPE Credits | October 8-9, 2020 | Cyber Solutions Fest 2020 features 4 tracks including Cloud / DevSecOps / Threat Intel / Network Security. Join our 4 of our most popular SANS instructors along with experts from the top solutions providers in the industry. Exciting 2 day event featuring great content, numerous prize drawings, peer-to-peer chat rooms and much more. Register Now!
| http://www.sans.org/info/217595
2) Webcast | Join StratoZen and SANS instructor, Matt Bromiley as they present, "SOAR Pitfall Avoidance" to learn specific examples of where companies have gone wrong with SOAR and other examples of where SOAR done correctly, can bring companies great success. | September 17 @ 1:00 PM EDT
| http://www.sans.org/info/217600
3) Webcast | September 23 @ 10:30 AM ET | Power! Unlimited Power! Understanding the Techniques of Malicious Kernel-Mode Code. Tune into our upcoming Webcast, hosted by SANS Senior Instructor Jacob Williams and VMRay's Tamas Boczan. Register today!
| http://www.sans.org/info/217590
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: More than 120 vulnerabilities patched as part of Microsoft monthly security update
Description: Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products. Twenty-three of the vulnerabilities are considered "critical" while the vast remainder are ranked as "important." Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs. The security updates cover several different products including the Microsoft Office suite of products, Windows Media Audo Decoder and the Hyper-V virtual machine software. One of the most sever vulnerabilities exists in Microsoft COM. CVE-2020-0922 received a CVSS severity score of 8.8 out of a possible 10. An adversary could exploit this bug to gain the ability to remotely execute code on the victim machine after a user opens an attacker-controlled web page that contains specially crafted JavaScript.
References: https://blog.talosintelligence.com/2020/09/microsoft-patch-tuesday-for-sept-2020.html
Snort SIDs: 55139 - 55146, 55161, 55162, 55187, 55188, 55206
Title: Salfram spam campaigns spread several malware families
Description: Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others.
Ongoing campaigns are distributing various malware families using the same crypter. While effective, this crypting mechanism contains an easy-to-detect flaw: The presence of a specific string value "Salfram" makes it easy to track over time. The obfuscated binaries used by Salfram are completely different, from both a binary and execution flow graph perspective. The techniques used by this crypter can confuse weak API behavior-based systems and static analysis tools and it appears to be undergoing active development and improvement over time.
References: https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html
Snort SIDs: 54920, 54921
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
E-Voting company Voatz has filed an amicus brief with the US Supreme Court arguing that security researchers who do not have permission to search for vulnerabilities should not be protected under the Computer Fraud and Abuse Act.
Apple delayed the rollout of its new anti-tracking measures for third-party apps, saying they want to allow developers more time to build around the new rules.
https://www.bbc.com/news/technology-54033321
WhatsApp does not know how to process messages containing certain unusual characters. The "scary messages" can cause the app to crash; if users reinstall the app, they may lose their chat histories.
https://www.tomsguide.com/news/whatsapp-is-crashing-and-its-completely-wiping-chat-histories
Facebook unveiled a new site where it will publish vulnerabilities its researchers discover in third-party software, as well as a tool for researchers to report bugs they discover in WhatsApp.
An open-source project aiming to bring standardization to home internet-of-things devices with the backing of Amazon, Google, Apple and other companies hope to launch in 2021.
A popular texting app used by many inmates to communicate with friends and family outside the prison system mistakenly leaked users' messages and their personal information, including their relationship status, prescriptions and religious affiliations.
https://gizmodo.com/prison-phone-app-exposes-millions-of-inmate-messages-an-1844957081?
A 16-year-old high school student has admitted to launching distributed denial-of-service (DDoS) attacks against the Miami-Dade School District remote learning platform.
https://gizmodo.com/teen-hacker-charged-with-paralyzing-miami-schools-in-em-1844968182
Cyber security companies say they're facing an even greater staffing shortage due to the COVID-19 pandemic as more users work remotely and threat actors increase the volume of their attacks.
https://www.cnbc.com/2020/09/05/cyber-security-workers-in-demand.html
Adobe patched 12 critical vulnerabilities this week in InDesign, Framemaker and Experience Manager, all of which could allow an adversary to run arbitrary code on a victim machine.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-3495
Title: Cisco Jabber for Windows Message Handling Arbitrary Code Execution Vulnerability
Vendor: Cisco
Description: A vulnerability in Cisco Jabber for Windows could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted Extensible Messaging and Presence Protocol messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-0986
Title: Microsoft Windows Kernel Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.
CVSS v3 Base Score: 7.8 (V:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-9715
Title: Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability
Vendor: Adobe
Description: Adobe Reader and Acrobat are applications for handling PDF files. Adobe Reader and Acrobat have an use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution. An attacker could exploit this vulnerability to compromise Confidentiality, Integrity and/or Availability.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-17496
Title: vBulletin Remote Code Execution Vulnerability
Vendor: vBulletin
Description: vBulletin allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. vBulletin is vulnerable to a remote code execution vulnerability caused by incomplete patching of the previous "CVE-2019-16759" remote code execution vulnerability.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-8218
Title: Pulse Connect Secure Arbitrary Code Execution Vulnerability
Vendor: PulseSecure
Description: A code injection vulnerability exists in Pulse Connect Secure that allows an attacker to crafted a URI to perform an arbitrary code execution via the admin web interface.
CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1247
Title: Microsoft Win32k Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
CVSS v3 Base Score: 7.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-2040
Title: PAN-OS Management Interface Command Injection Vulnerability
Vendor: PAN-OS
Description: An OS Command Injection vulnerability exists in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue affects some unknown processing of the component Management Interface. The manipulation with an unknown input leads to a privilege escalation vulnerability.
CVSS v3 Base Score: 7.2 (V:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES Sept. 3 - 10:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36
MD5: adad179db8c67696ac24e9e11da2d075
VirusTotal: https://www.virustotal.com/gui/file/7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: W32.7F9446709F-100.SBX.VIOC
SHA 256: 32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7
MD5: 73d1de319c7d61e0333471c82f2fc104
VirusTotal: https://www.virustotal.com/gui/file/32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: Win.Dropper.Segurazo::tpd
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743
