@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
September 24, 2020=============================================================
@RISK: The Consensus Security Vulnerability Alert
September 24, 2020 - Vol. 20, Num. 39
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Sept. 17 - 24
============================================================
TOP VULNERABILITY THIS WEEK: U.S. government raises flags over Netlogon vulnerability
*************** Sponsored By Dtex Systems *****************
DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks| Get the whitepaper now!
| http://www.sans.org/info/217710
============================================================
TRAINING UPDATE
New OnDemand Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/ondemand/course/cloud-penetration-testing
SEC760: Advanced Exploit Development for Penetration Testers
- https://www.sans.org/ondemand/course/advanced-exploit-development-penetration-testers
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Live Online Training Events and Summits
Cyber Defense Forum & Training - Live Online
Free Forum: Oct 9 | Training: Oct 12-17, CDT
- https://www.sans.org/event/cyber-defense-summit-2020
SANS Rocky Mountain Fall - Live Online Nov 2-7 MT
17 Interactive Courses | Virtual NetWars
- https://www.sans.org/event/rocky-mountain-fall-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
- https://www.sans.org/free
OnDemand Training Special Offer: Get an iPad mini, Surface Go, or Take $300 Off with qualified OnDemand courses through September 30.
- https://www.sans.org/ondemand/specials
********************** Sponsored Links: ********************
1) 82% of respondents believe their organizations experienced at least one data breach as a result of digital transformation. Let's see how your organization stacks up.
| http://www.sans.org/info/217725
2) Free Virtual Event | SANS ICS Solutions Forum | 4 CPE credits | Join SANS Instructor Don Weber as he explores how organizations can prepare their IT and OT teams to be ready for security incidents. This event will dive into techniques and tools teams can use to improve the identification, containment, and eradication of suspicious or malicious activities to improve response times and reduce recovery efforts | Thursday October 1 @ 9:00am EDT
| http://www.sans.org/info/217715
3) Free Virtual Event | SANS Cyber Solutions Fest | 16 CPE credits | Two days, four tracks lead by SANS experts (Cloud & Cloud Native, DevSecOps, Threat Hunting & Intel, Network Security), 30+ solution providers, 3,000+ attendees, virtual networking space, ongoing Tech Talk sessions and multiple prize giveaways | October 8 & 9 @ 9:00am EDT
| http://www.sans.org/info/217720
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Exploit code for Microsoft Netlogon vulnerability goes public
Description: Security researchers and government agencies alerted users that exploit code for a critical vulnerability is circulating in the wild. Known as "Zerologon" the vulnerability could allow an adversary to run a specially crafted application on devices connected to the affected network. Microsoft disclosed the bug back in August as part of its Patch Tuesday update, when it received a CVSS score of a maximum 10.0 out of 10. Microsoft plans to release a second portion of a fix for the vulnerability, though proof of concepts have only just now started to surface on GitHub.
References: https://www.darkreading.com/vulnerabilities---threats/cisa-issues-alert-for-microsoft-netlogon-vulnerability/d/d-id/1338920
Snort SIDs: 55703, 55704
Title: Trickbot and Emotet team up for spam campaign
Description: After going quiet for a few months, the infamous Emotet botnet is back again with another surge. Security researchers recently found Emotet teaming up with Trickbot for a phishing campaign earlier this month. Attackers are using Microsoft Word lures, blurring out what is supposed to be important text and alerting the user that they can only read the text if they enable macros. If enabled, a malicious macro then downloads the Trickbot loader, and the attacker can carry out other malicious actions from there.
References: https://securityboulevard.com/2020/09/trickbot-emotet-delivery-through-word-macro/
Snort SIDs: 55787, 55788
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Apple's iOS 14 is out now, and it may be one of the most secure mobile operating systems ever. New security features include more granular control over stored photos and notifications when an app is accessing users' cameras and microphones.
https://arstechnica.com/tech-policy/2020/09/a-bevy-of-new-features-makes-ios-14-the-most-secure-mobile-os-ever/
Not to be outdone, the new release Android 11 also includes several new security features of its own, including more significant restrictions on app using users' locations in the background and quick app patches via the home screen.
https://thehackernews.com/2020/09/android-11-security-privacy.html
Police in Germany are launching a homicide investigation after a woman died after a ransomware attack on a hospital prompted doctors to transfer her to a different facility.
https://www.bbc.com/news/technology-54204356
Cisco Talos released a new wave of coverage for Cobalt Strike after a deep-dive into the functionality of the red-teaming tool.
https://blog.talosintelligence.com/2020/09/coverage-strikes-back-cobalt-strike-paper.html
American law makers are increasingly relying on tech companies to update them on election security, though they say that's not enough as the Trump administration has pulled back on information-sharing ahead of the November election.
https://abcnews.go.com/Politics/wireStory/trump-holds-back-tech-firms-step-election-security-73115687
Facebook threatened to end is operations in Europe if a new rule were to go into effect in Ireland that would prevent the country from sharing intelligence with the U.S.
https://www.theguardian.com/technology/2020/sep/22/facebook-says-it-may-quit-europe-over-ban-on-sharing-data-with-us
Operation Disruptor is one of the largest dark web takedowns in history, consisting of 179 arrests and the seizure of a large amount of illegal drugs, cash and cryptocurrency.
https://www.wired.com/story/operation-disruptor-179-arrested-global-dark-web-takedown/
The "BLESA" flaw in Bluetooth devices could allow attackers to spoof connections to mobile and internet-of-things devices.
https://threatpost.com/bluetooth-spoofing-bug-iot-devices/159291/
The Firefox web browser released a new version that fixes a vulnerability that could have allowed an attacker to remotely open any web page on a victim's Android device.
https://www.securityweek.com/firefox-flaw-allowed-hackers-remotely-open-malicious-sites-android-phones
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-1472
Title: Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-14386
Title: Linux kernel "af_packet.c" Memory Corruption Vulnerability
Vendor: Multi-Vendor
Description: A Memory corruption vulnerability exists in the Linux kernel that can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.
CVSS v3 Base Score: 6.7 (AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-4486
Title: IBM QRadar Arbitrary File Overwrite Vulnerability
Vendor: IBM
Description: IBM QRadar allows an authenticated user to overwrite or delete arbitrary files due to a flaw after WinCollect installation.
CVSS v3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
ID: CVE-2020-8437
Title: BitTorrent uTorrent Denial of Service Vulnerability
Vendor: bittorrent
Description: The bencoding parser in BitTorrent uTorrent misparses nested bencoded dictionaries, which allows a remote attacker to cause a denial of service.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
ID: CVE-2020-1350
Title: Microsoft Windows DNS Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-9496
Title: Apache OFBiz XML-RPC Cross-Site Scripting Vulnerability
Vendor: Apache
Description: Apache OFBiz XML-RPC request are vulnerable to unsafe deserialization and Cross-Site Scripting vulnerability.
CVSS v3 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
ID: CVE-2020-16875
Title: Microsoft Exchange Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. Exploitation of the vulnerability requires an authenticated user in a certain Exchange role to be compromised.
CVSS v3 Base Score: 8.4 (AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:H)
ID: CVE-2020-2037
Title: PAN-OS Management Interface Command Injection Vulnerability
Vendor: PAN-OS
Description: An OS Command Injection vulnerability exists in the PAN-OS management interface that allows authenticated administrators to execute arbitrary OS commands with root privileges. This issue affects some unknown processing of the component Management Interface. The manipulation with an unknown input leads to a privilege escalation vulnerability.
CVSS v3 Base Score: 7.2 (V:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1380
Title: Microsoft Scripting Engine Memory Corruption Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
CVSS v3 Base Score: 7.5 (AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:N/A:H)
=========================================================
MOST PREVALENT MALWARE FILES Sept. 17 - 24:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 52c8cff981e5d541e4b2930a4a5e0b0a495d62c8237e91538d94c03a048dd51d
MD5: bd4b03e6127a34ecab890f6eb1546634
VirusTotal: https://www.virustotal.com/gui/file/52c8cff981e5d541e4b2930a4a5e0b0a495d62c8237e91538d94c03a048dd51d/details
Typical Filename: wupxarch.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::95.sbx.tg
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eter.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7
MD5: 73d1de319c7d61e0333471c82f2fc104
VirusTotal: https://www.virustotal.com/gui/file/32155b070c7e1b9d6bdc021778c5129edfb9cf7e330b8f07bb140dedb5c9aae7/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: Win.Dropper.Segurazo::tpd
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
SHA 256: 60b6d7664598e6a988d9389e6359838be966dfa54859d5cb1453cbc9b126ed7d
MD5: bc26fd7a0b7fe005e116f5ff2227ea4d
VirusTotal: https://www.virustotal.com/gui/file/60b6d7664598e6a988d9389e6359838be966dfa54859d5cb1453cbc9b126ed7d/details
Typical Filename: svchost.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Python::1201
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
https://www.sans.org/account
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743
