Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

September 17, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                September 17, 2020 - Vol. 20, Num. 38


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Sept. 10 - 17

============================================================


TOP VULNERABILITY THIS WEEK: Threat actors still targeting VPN vulnerabilities


******************** Sponsored By VMRay ********************


Dissecting GuLoader's Evasion Techniques | A new download, GuLoader (aka CloudEyE) has been actively distributed in 2020. The VMRay Labs Team has observed GuLoader using a combination of techniques that evade sandboxes and slow down (manual) analysis. Read the in-depth analysis:

| http://www.sans.org/info/217635


============================================================

TRAINING UPDATE


Popular OnDemand Courses

SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling


View all courses

- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand


Live Online Training Events and Summits


Cyber Defense Forum & Training - Live Online

Free Forum: Oct 9 | Training: Oct 12-17, CDT

- https://www.sans.org/event/cyber-defense-summit-2020


SANS Rocky Mountain Fall - Live Online Nov 2-7 MT

17 Interactive Courses | Virtual NetWars

- https://www.sans.org/event/rocky-mountain-fall-2020-live-online


View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america

 

Free Resources

Tools, Posters, and more.

- https://www.sans.org/free

 

OnDemand Training Special Offer: Get a iPad mini, Surface Go, or Take $300 Off with qualified OnDemand courses through September 30.

- https://www.sans.org/ondemand/specials


New OnDemand Courses


ICS456: Essentials for NERC Critical Infrastructure Protection *Available for Pre-Sale

- https://www.sans.org/ondemand/course/essentials-for-nerc-critical-infrastructure-protection


SEC510: Multicloud Security Assessment and Defense *Available for Pre-Sale

- https://www.sans.org/ondemand/course/multicloud-security-assessment-and-defense


SEC588: Cloud Penetration Testing

- https://www.sans.org/ondemand/course/cloud-penetration-testing


SEC760: Advanced Exploit Development for Penetration Testers

- https://www.sans.org/ondemand/course/advanced-exploit-development-penetration-testers


MGT516: Managing Security Vulnerabilities: Enterprise and Cloud

- https://www.sans.org/ondemand/course/managing-enterprise-cloud-security-vulnerabilities


MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep

- https://www.sans.org/ondemand/course/project-management-effective-communication-pmp-exam-prep


********************** Sponsored Links: ********************


1) Earn 16 CPE Credits |  October 8-9, 2020 | Cyber Solutions Fest 2020 features 4 tracks including Cloud / DevSecOps / Threat Intel / Network Security.  Join our 4 of our most popular SANS instructors along with experts from the top solutions providers in the industry.  Exciting 2 day event featuring great content, numerous prize drawings, peer-to-peer chat rooms and much more. Register Now!

| http://www.sans.org/info/217640


2) DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks| Get the whitepaper now!

| http://www.sans.org/info/217645


3) Webinar | Thursday, September 24th @ 3:30PM BST (10:30AM EDT) | SANS on Elastic Security: Discover the integration of endpoint security into the new Elastic Agent.  Featuring  John Pescatore, SANS Director of Emerging Trends, along with industry experts Mike Nichols & James Spiteri from Elastic Security.

| http://www.sans.org/info/217650


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: U.S. warns of exploitation of well-known vulnerabilities

Description: The U.S. Cybersecurity and Infrastructure Security Agency released a warning this week that state-sponsored actors are targeting several well-known vulnerabilities disclosed over the past year. Among them are vulnerabilities in the Pulse and Citrix VPN services that could allow an attacker to carry out directory-traversal attacks and infiltrate a victim's network via the VPN. These same actors are also spreading several malware families through spear-phishing campaigns. Users in the public and private sectors are asked to update these affected products as soon as possible, including F5 BIG-IP, Pulse Secure VPN, Citrix VPN and Microsoft Exchange servers.

References: https://www.zdnet.com/article/cisa-chinese-state-hackers-are-exploiting-f5-citrix-pulse-secure-and-exchange-bugs/

Snort SIDs: 55637 - 55640


Title: Google Chrome PDFium memory corruption to lead to code execution

Description: Google Chrome's PDFium feature could be exploited by an adversary to corrupt memory and potentially execute remote code. PDFium allows users to open PDFs inside Chrome. Cisco Talos researchers recently discovered a bug that would allow an adversary to send a malicious web page to a user, and then cause out-of-bounds memory access. To trigger this vulnerability, the victim must visit a malicious webpage or open a malicious PDF document.

References: https://blog.talosintelligence.com/2020/09/vuln-spotlight-google-pdfium-sept-2020.html

Snort SIDs: 54282, 54283


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Microsoft warned that state-sponsored threat actors are targeting members of the Biden and Trump campaigns in the leadup to the November election.

https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/


The city of Portland, Oregon passed the broadest facial recognition ban of any American city or state, preventing law enforcement agencies, private companies and government agencies from using the technology "in places of public accommodation."

https://www.popularmechanics.com/technology/security/a33982818/portland-facial-recognition-ban/


Oracle plans to acquire TikTok's American operations to avoid a full-on ban from the Trump administration, though this will prompt a closer look into Oracle's privacy policies and data collection.

https://www.politico.com/news/2020/09/15/oracle-tiktok-privacy-415043


Encrochat, a French encrypted network of Android phones, contains backdoors that could allow law enforcement to obtain users' locations, messages, passwords and more.

https://www.vice.com/en_us/article/k7qjkn/encrochat-hack-gps-messages-passwords-data


A vulnerability in Joe Biden's main campaign app could allow an attacker to steal information on registered voters by matching the user's contacts with the TargetSmart political marketing service.

https://techcrunch.com/2020/09/14/biden-app-voter-files/


Security researchers are pushing to have their voices heard in the Supreme Court as America's highest court considers a landmark case that could change the way researchers hunt for vulnerabilities.

https://www.cyberscoop.com/voatz-supreme-court-cfaa-security-research/


The U.S. Department of Veteran Affairs says a third-party actor compromised the personal information of 46,000 American military veterans through a vulnerability in an online application.

https://www.zdnet.com/article/department-of-veteran-affairs-discloses-breach-impacting-46000-veterans/


A US Federal Communications Commission filing includes photos of GrayKey, a tool commonly used by law enforcement agencies to unlock secured iPhones.

https://appleinsider.com/articles/20/09/15/grayshifts-graykey-iphone-forensics-tool-disassembled-in-fcc-photos


A memo written by a former Facebook data scientist states that the social media giant knew its platform was being used by world leaders to manipulate voters and declined to act.

https://www.buzzfeednews.com/article/craigsilverman/facebook-ignore-political-manipulation-whistleblower-memo


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2020-1472

Title:  Microsoft Netlogon Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-14386

Title:  Linux kernel "af_packet.c" Memory Corruption Vulnerability

Vendor: Multi-Vendor

Description: A Memory corruption vulnerability exists in the Linux kernel that can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.

CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-16875

Title:  Microsoft Exchange Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. Exploitation of the vulnerability requires an authenticated user in a certain Exchange role to be compromised.

CVSS v3 Base Score: 8.4 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)


ID:        CVE-2020-14356

Title:  Linux Kernel Denial of Service Vulnerability

Vendor: Multi-Vendor

Description: A flaw null pointer dereference in the Linux kernel cgroupv2 subsystem was found in the way when reboot the system. A local user could use this flaw to crash the system or escalate their privileges on the system. Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-15505

Title:  MobileIron Core and Connector Remote Code Execution Vulnerability

Vendor: MobileIron

Description: A remote code execution vulnerability exists in MobileIron Core and Connector, and Sentry, that allows remote attackers to execute arbitrary code via unspecified vectors. The manipulation with an unknown input leads to a privilege escalation vulnerability.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-2037

Title:    PAN-OS Management Interface Command Injection Vulnerability

Vendor: PAN-OS

Description: An OS Command Injection vulnerability exists in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue affects some unknown processing of the component Management Interface. The manipulation with an unknown input leads to a privilege escalation vulnerability.

CVSS v3 Base Score:    7.2 (V:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-0751

Title:  Microsoft Windows Hyper-V Denial of Service Vulnerability

Vendor: Microsoft

Description: A denial of service vulnerability exists when Microsoft Hyper-V on a host server fails to properly validate specific malicious data from a user on a guest operating system. To exploit the vulnerability, an attacker who already has a privileged account on a guest operating system, running as a virtual machine, could run a specially crafted application.

CVSS v3 Base Score: 6.0 (AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)


ID:        CVE-2020-1380

Title:  Microsoft Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

CVSS v3 Base Score: 7.5 (AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)


=========================================================


MOST PREVALENT MALWARE FILES Sept. 10 - 17:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eter.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7

MD5: 73d1de319c7d61e0333471c82f2fc104

VirusTotal: https://www.virustotal.com/gui/file/32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: Win.Dropper.Segurazo::tpd


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201


SHA 256: 7bd78114e61ae332e9e9d67b66cdab4a4db4e0c74dc43a0582ab1aecb13d7f0f

MD5: 6423f6d49466f739d4eaa2a30759c46a

VirusTotal: https://www.virustotal.com/gui/file/7bd78114e61ae332e9e9d67b66cdab4a4db4e0c74dc43a0582ab1aecb13d7f0f/details

Typical Filename: Xerox_Device_060214.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Upatre::1201


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743