@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
October 1, 2020=============================================================
@RISK: The Consensus Security Vulnerability Alert
October 1, 2020 - Vol. 20, Num. 40
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Sept. 24 - Oct. 1
============================================================
TOP VULNERABILITY THIS WEEK: Exploit for Netlogon vulnerability goes public
**************** Sponsored By Dtex Systems *****************
DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks| Get the whitepaper now!
| http://www.sans.org/info/217770
============================================================
TRAINING UPDATE
New OnDemand Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/ondemand/course/cloud-penetration-testing
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Live Online Training Events and Summits
SANS DFIRCON 2020 - Live Online
Nov 2-7 EST | 9 DFIR Courses | Virtual DFIR NetWars
- https://www.sans.org/event/dfircon-2020-live-online
Pen Test HackFest - Live Online
Nov 16-21 EST | 15 Courses | Summit @Night Bonus Sessions
- https://www.sans.org/event/pen-test-hackfest-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
OnDemand Training Special Offer: Get an iPad (32 G), Galaxy Tab S5e, or Take $250 Off with qualified OnDemand courses through October 14.
- https://www.sans.org/ondemand/specials
********************** Sponsored Links: ********************
1) Free Virtual Event | The SANS Cyber Solutions Fest 2020 is a free, two-day virtual event featuring 4 unique tracks, chaired by top SANS experts. Talks will feature demos, case studies, and discussions revolving around solutions that are currently available in the marketplace | October 8-9
| http://www.sans.org/info/217775
2) On-Demand Webcast | Join James Nixon as he explains how your feedback can positively influencing a software vendor's product roadmap
| http://www.sans.org/info/217780
3) Webcast | Tune in for our upcoming webcast, "5 Considerations for ICS Incident Response." A webinar that will outline 5 recommendations to ensure IR efforts are successful, timely, and efficient resulting in safe return to stable state | October 6 @ 3:30pm EDT
| http://www.sans.org/info/217785
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Attackers using Zerologon vulnerability at higher rate
Description: Cisco Talos researchers report seeing a spike in exploitation attempts against the Microsoft vulnerability CVE-2020-1472, an elevation of privilege bug in Netlogon, outlined in the August Microsoft Patch Tuesday report. The vulnerability stems from a flaw in a cryptographic authentication scheme used by the Netlogon Remote Protocol which -- among other things -- can be used to update computer passwords by forging an authentication token for specific Netlogon functionality. This flaw allows attackers to impersonate any computer, including the domain controller itself and gain access to domain admin credentials.
References: https://blog.talosintelligence.com/2020/09/netlogon-rises.html
Snort SIDs: 55703, 55704
Title: Cisco warns of vulnerabilities in IOS operating system
Description: Cisco patched several vulnerabilities -- many of them considered severe -- in its IOS operating system. The updates address denial-of-service, file overwrite and input validation attacks that affect many of Cisco's products. Two of the vulnerabilities -- CVE-2020-3421 and CVE-2020-3480 -- exist in Cisco's Zone-Based Firewall. An attacker could exploit these bugs to cause the affected device to reload or make it stop forwarding traffic through the firewall.
References: https://threatpost.com/cisco-patches-bugs/159537/
Snort SIDs: 55815 - 55819, 55830 - 55832
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
An Emotet outbreak brought down the email systems of Hamilton County, Texas' government, raising election security concerns just weeks before the American presidential election.
E-commerce provider Shopify says two rogue employees stole sensitive information belonging to some of its customers, affecting sites' customer databases.
A federal judge ruled Twitter cannot reveal how many surveillance requests its received, the latest chapter in a six-year legal battle.
A new tool will scan popular websites for users and inform them of any trackers installed on the sites that may be difficult or impossible to spot.
https://themarkup.org/blacklight
A top general in the U.K. said the country's military possesses offensive cyber capabilities that could be used in future conflicts -- confirming abilities that had long been assumed.
Google removed 17 apps from its Play store infected with the Joker (aka Bread) malware that silently signed users up for premium wireless services and charge payment methods on their phone.
Researchers discovered a years' long campaign by Iranian state-sponsored actors to use Windows and Android information-stealers to spy on users' Telegram messages.
Hospital chain Universal Health Services has been dealing with a cyber attack since the weekend, and the situation has since grown to be potentially the largest attack in U.S. history.
https://www.nbcnews.com/tech/security/cyberattack-hits-major-u-s-hospital-system-n1241254
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-1472
Title: Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-1895
Title: Instagram App Heap Buffer Overflow Vulnerability
Vendor: Facebook
Description: A large heap overflow could occur in Instagram for Android when attempting to upload an image with specially crafted dimensions.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-0688
Title: Microsoft Exchange Validation Key Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time. Knowledge of a the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1350
Title: Microsoft Windows DNS Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-4486
Title: IBM QRadar Arbitrary File Overwrite Vulnerability
Vendor: IBM
Description: IBM QRadar allows an authenticated user to overwrite or delete arbitrary files due to a flaw after WinCollect installation.
CVSS v3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
ID: CVE-2020-8437
Title: BitTorrent uTorrent Denial of Service Vulnerability
Vendor: bittorrent
Description: The bencoding parser in BitTorrent uTorrent misparses nested bencoded dictionaries, which allows a remote attacker to cause a denial of service.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
ID: CVE-2020-6506
Title: Google Chrome on Android Insufficient Bounds Check Vulnerability
Vendor: Google
Description: Insufficient policy enforcement in WebView in Google Chrome on Android allows a remote attacker to bypass site isolation via a crafted HTML page. An Android WebView instance with default configuration and JavaScript enabled allows an iframe on a different origin to bypass same-origin policies and execute arbitrary JavaScript in the top document.
CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
ID: CVE-2020-3566
Title: Cisco IOS XR Software DVMRP Memory Exhaustion Vulnerabilities
Vendor: Cisco
Description: A vulnerability in the Distance Vector Multicast Routing Protocol (DVMRP) feature of Cisco IOS XR Software could allow an unauthenticated, remote attacker to exhaust process memory of an affected device. The vulnerability is due to insufficient queue management for Internet Group Management Protocol (IGMP) packets. An attacker could exploit this vulnerability by sending crafted IGMP traffic to an affected device. A successful exploit could allow the attacker to cause memory exhaustion, resulting in instability of other processes.
CVSS v3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
=========================================================
MOST PREVALENT MALWARE FILES Sept. 24 - Oct. 1:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eter.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: be29d4902d72abbc293376b42005d954807b3e6794b13fe628faff9bc94f6063
MD5: 29f47c2f15d6421bdd813be27a2e3b25
VirusTotal: https://www.virustotal.com/gui/file/be29d4902d72abbc293376b42005d954807b3e6794b13fe628faff9bc94f6063/details
Typical Filename: FlashHelperServices.exe
Claimed Product: N/A
Detection Name: Flash Helper Service
SHA 256: 1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5
MD5: 01a607b4d69c549629e6f0dfd3983956
VirusTotal: https://www.virustotal.com/gui/file/1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5/details
Typical Filename: wupxarch.exe
Claimed Product: N/A
Detection Name: W32.Auto:1eef72aa56.in03.Talos
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743
