Newsletters: @RISK



@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

September 10, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                September 10, 2020 - Vol. 20, Num. 37


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Sept. 3 - 10

============================================================


TOP VULNERABILITY THIS WEEK: Microsoft Patch Tuesday


*************** Sponsored By AWS Marketplace ******************


Want to learn "How to continuously monitor and assess your security posture in the AWS Cloud"? Join SANS Instructor Dave Shackleford and AWS Solutions Architect Nam Le as they present real-world examples that will help you secure your cloud control plane, identify misconfigurations, uncover security gaps, and enable you to better predict, prevent, and respond to events. | Free Webcast | Thursday, September 17th @ 2:00 EDT

| http://www.sans.org/info/217450


============================================================

TRAINING UPDATE


Popular OnDemand Courses


SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling


View all courses

- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand


Upcoming Interactive Training Events


Oil & Gas Cybersecurity Summit & Training - Live Online (Oct 2-10, CDT)

- https://www.sans.org/event/oil-gas-cybersecurity-summit-2020/


SANS San Francisco Fall 2020 - Live Online (Oct 26-31, PDT)

- https://www.sans.org/event/san-francisco-fall-2020-live-online/


View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america

 

Free Resources

Tools, Posters, and more.

- https://www.sans.org/free

 

SANS OnDemand Special Offer

Get an iPad (32GB), Galaxy Tab A, or Take $250 Off with a qualifying OnDemand course.

- https://www.sans.org/ondemand/specials


********************** Sponsored Links: ********************


1) Earn 16 CPE Credits | October 8-9, 2020 | Cyber Solutions Fest 2020 features 4 tracks including Cloud / DevSecOps / Threat Intel / Network Security. Join 4 of our most popular SANS instructors along with experts from the top solutions providers in the industry. An exciting 2-day event featuring great content, numerous prize drawings, peer-to-peer chat rooms and much more. Register now!

| http://www.sans.org/info/217595


2) Webcast | Join StratoZen and SANS instructor Matt Bromiley as they present "SOAR Pitfall Avoidance," with specific examples of where companies have gone wrong with SOAR and others where SOAR, done correctly, has brought companies great success. | September 17 @ 1:00 PM EDT

| http://www.sans.org/info/217600


3) Webcast | September 23 @ 10:30 AM ET | Power! Unlimited Power! Understanding the Techniques of Malicious Kernel-Mode Code. Tune in to our upcoming webcast, hosted by SANS Senior Instructor Jacob Williams and VMRay's Tamas Boczan. Register today!

| http://www.sans.org/info/217590


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: More than 120 vulnerabilities patched as part of Microsoft monthly security update

Description: Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products. Twenty-three of the vulnerabilities are considered "critical" while the vast remainder are ranked as "important." Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs. The security updates cover several different products including the Microsoft Office suite of products, Windows Media Audio Decoder and the Hyper-V virtual machine software. One of the most severe vulnerabilities exists in Microsoft COM. CVE-2020-0922 received a CVSS severity score of 8.8 out of a possible 10. An adversary could exploit this bug to gain the ability to remotely execute code on the victim machine after a user opens an attacker-controlled web page that contains specially crafted JavaScript.

References: https://blog.talosintelligence.com/2020/09/microsoft-patch-tuesday-for-sept-2020.html

Snort SIDs: 55139 - 55146, 55161, 55162, 55187, 55188, 55206


Title: Salfram spam campaigns spread several malware families

Description: Cisco Talos recently uncovered a series of email campaigns utilizing links to malicious documents hosted on legitimate file-sharing platforms to spread malware. The campaigns distributed various malware payloads including Gozi ISFB, ZLoader, SmokeLoader and AveMaria, among others.

Ongoing campaigns are distributing various malware families using the same crypter. While effective, this crypting mechanism contains an easy-to-detect flaw: the presence of a specific string value, "Salfram", makes it easy to track over time. The obfuscated binaries used by Salfram are completely different, from both a binary and an execution-flow-graph perspective. The techniques used by this crypter can confuse weak API behavior-based systems and static analysis tools, and the crypter appears to be undergoing active development and improvement over time.

References: https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html

Snort SIDs: 54920, 54921
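The Talos write-up above says the one reliable handle on Salfram-packed binaries is the literal string "Salfram". As an added example (not code from Talos or from the original newsletter), the scanner below searches files for that marker and reports the SHA-256 of each match; the string's encoding inside the binary is not given on the page, so both ASCII and UTF-16LE forms are assumed and checked, and the sample files are constructed fixtures, not real malware.

```python
import hashlib
import os
import tempfile
from pathlib import Path

MARKER = "Salfram"
# The Talos write-up names only the string; how it is encoded inside the packed
# binary is an assumption here, so both ASCII and UTF-16LE forms are searched.
PATTERNS = {"ascii": MARKER.encode("ascii"), "utf-16le": MARKER.encode("utf-16-le")}

def find_marker(data: bytes) -> list:
    """Return (encoding, offset) for every occurrence of the marker in data."""
    hits = []
    for enc, pat in PATTERNS.items():
        pos = data.find(pat)
        while pos != -1:
            hits.append((enc, pos))
            pos = data.find(pat, pos + 1)
    return hits

def scan_tree(root: str) -> list:
    """Walk root; return (path, sha256, hits) for each file carrying the marker."""
    results = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            hits = find_marker(data)
            if hits:
                results.append((str(path), hashlib.sha256(data).hexdigest(), hits))
    return results

def build_sample_tree(root: str) -> None:
    """Constructed fixtures (not real samples): one clean file, two tagged ones."""
    Path(root, "clean.bin").write_bytes(b"MZ" + b"\x00" * 64)
    Path(root, "tagged_ascii.bin").write_bytes(b"MZ" + b"\x00" * 16 + b"Salfram\x00")
    Path(root, "tagged_wide.bin").write_bytes(b"MZ" + "Salfram".encode("utf-16-le"))

def scan_sample_tree() -> list:
    """Build the fixtures in a temp dir, scan them, return the matching file names."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return sorted(os.path.basename(p) for p, _, _ in scan_tree(d))

if __name__ == "__main__":
    print(scan_sample_tree())  # ['tagged_ascii.bin', 'tagged_wide.bin']
```

A string hit is a triage signal to hash and retro-hunt on, not a verdict; the post itself notes the crypter is under active development, so the marker should be expected to change.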


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


E-Voting company Voatz has filed an amicus brief with the US Supreme Court arguing that security researchers who do not have permission to search for vulnerabilities should not be protected under the Computer Fraud and Abuse Act.

https://www.cnet.com/news/online-voting-company-pushes-to-make-it-harder-for-researchers-to-find-security-flaws/


Apple delayed the rollout of its new anti-tracking measures for third-party apps, saying it wants to allow developers more time to build around the new rules.

https://www.bbc.com/news/technology-54033321


WhatsApp does not know how to process messages containing certain unusual characters. The "scary messages" can cause the app to crash; if users reinstall the app, they may lose their chat histories.

https://www.tomsguide.com/news/whatsapp-is-crashing-and-its-completely-wiping-chat-histories


Facebook unveiled a new site where it will publish vulnerabilities its researchers discover in third-party software, as well as a tool for researchers to report bugs they discover in WhatsApp.

https://www.darkreading.com/vulnerabilities---threats/facebook-announces-formal-vulnerability-disclosure-policy-for-third-party-bugs/d/d-id/1338844


An open-source project aiming to bring standardization to home internet-of-things devices, with the backing of Amazon, Google, Apple and other companies, hopes to launch in 2021.

https://www.theverge.com/2020/9/8/21427139/amazon-apple-google-zigbee-alliance-open-source-smart-home-standard-2021-launch


A popular texting app used by many inmates to communicate with friends and family outside the prison system mistakenly leaked users' messages and their personal information, including their relationship status, prescriptions and religious affiliations.

https://gizmodo.com/prison-phone-app-exposes-millions-of-inmate-messages-an-1844957081?


A 16-year-old high school student has admitted to launching distributed denial-of-service (DDoS) attacks against the Miami-Dade School District remote learning platform.

https://gizmodo.com/teen-hacker-charged-with-paralyzing-miami-schools-in-em-1844968182


Cyber security companies say they're facing an even greater staffing shortage due to the COVID-19 pandemic as more users work remotely and threat actors increase the volume of their attacks.

https://www.cnbc.com/2020/09/05/cyber-security-workers-in-demand.html


Adobe patched 12 critical vulnerabilities this week in InDesign, Framemaker and Experience Manager, all of which could allow an adversary to run arbitrary code on a victim machine.

https://www.bleepingcomputer.com/news/security/adobe-fixes-critical-vulnerabilities-in-indesign-and-framemaker/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2020-3495

Title:  Cisco Jabber for Windows Message Handling Arbitrary Code Execution Vulnerability

Vendor: Cisco

Description: A vulnerability in Cisco Jabber for Windows could allow an authenticated, remote attacker to execute arbitrary code. The vulnerability is due to improper validation of message contents. An attacker could exploit this vulnerability by sending specially crafted Extensible Messaging and Presence Protocol messages to the affected software. A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-0986

Title:  Microsoft Windows Kernel Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-9715

Title:  Adobe Reader and Acrobat Arbitrary Code Execution Vulnerability

Vendor: Adobe

Description: Adobe Reader and Acrobat are applications for handling PDF files. Adobe Reader and Acrobat have a use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution. An attacker could exploit this vulnerability to compromise Confidentiality, Integrity and/or Availability.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID:        CVE-2020-17496

Title:  vBulletin Remote Code Execution Vulnerability

Vendor: vBulletin

Description: vBulletin allows remote command execution via crafted subWidgets data in an ajax/render/widget_tabbedcontainer_tab_panel request. vBulletin is vulnerable to a remote code execution vulnerability caused by incomplete patching of the previous "CVE-2019-16759" remote code execution vulnerability.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-8218

Title:  Pulse Connect Secure Arbitrary Code Execution Vulnerability

Vendor: PulseSecure

Description: A code injection vulnerability exists in Pulse Connect Secure that allows an attacker to craft a URI that performs arbitrary code execution via the admin web interface.

CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1247

Title:  Microsoft Win32k Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

CVSS v3 Base Score: 7.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-2040

Title:  PAN-OS Management Interface Command Injection Vulnerability

Vendor: PAN-OS

Description: An OS command injection vulnerability exists in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. The affected processing within the Management Interface component and the triggering input have not been disclosed; the manipulation results in privilege escalation.

CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES Sept. 3 - 10:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36

MD5: adad179db8c67696ac24e9e11da2d075

VirusTotal: https://www.virustotal.com/gui/file/7f9446709fbd77a21a806d17cf163ba00ce1a70f8b6af197990aa9924356fd36/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: W32.7F9446709F-100.SBX.VIOC


SHA 256: 32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7

MD5: 73d1de319c7d61e0333471c82f2fc104

VirusTotal: https://www.virustotal.com/gui/file/32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: Win.Dropper.Segurazo::tpd


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


=============================================================


(c) 2020. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743