@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
October 15, 2020=============================================================
@RISK: The Consensus Security Vulnerability Alert
October 15, 2020 - Vol. 20, Num. 42
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Oct. 8 - 15
============================================================
TOP VULNERABILITY THIS WEEK: Microsoft discloses fewer than 100 vulnerabilities for first time in months
***************** Sponsored By Dtex Systems *****************
DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks| Get the whitepaper now!
| http://www.sans.org/info/217900
============================================================
TRAINING UPDATE
New OnDemand Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/ondemand/course/cloud-penetration-testing
MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep
- https://www.sans.org/ondemand/course/project-management-effective-communication-pmp-exam-prep
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Live Online Training Events and Summits
SANS San Francisco Winter 2020 - Live Online
Nov 30-Dec 5 PST | 11 Courses | Virtual Core NetWars
- https://www.sans.org/event/san-francisco-winter-2020-live-online
Pen Test HackFest - Live Online
Nov 16-21 EST | 15 Courses | Core NetWars + Coin-A-Palooza
- https://www.sans.org/event/pen-test-hackfest-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
OnDemand Training Special Offer: Get an iPad mini, Surface Go 2, or Take $300 Off with qualified OnDemand courses through October 28.
- www.sans.org/specials/north-america/
********************** Sponsored Links: ********************
1) Webcast | Email authentication (DMARC at enforcement) is the key to protecting your domains and your brand from being used to phish your customers, partners, and employees. Join us for this DMARC Ask the Expert roundtable and learn how to quickly and easily authenticate who is sending email for you and achieve DMARC enforcement with the confidence that no good email will be blocked | October 27 @ 10:30 AM EDT
| http://www.sans.org/info/217905
2) Webcast | In our upcoming webcast, "Immunizing Modern Application Frameworks", participants will be shown how to deploy open source code pre-hardened from dangerous attacks | October 27 @ 12:00 PM EDT
| http://www.sans.org/info/217910
3) Webcast | Small businesses face many of the same cybersecurity attacks as larger businesses. In our upcoming webcast, you'll learn more about small business cybersecurity and why DNS protection makes a difference. Join us for, "Small Businesses Deserve Big Protection." | October 29 @ 10:30 AM EDT
| http://www.sans.org/info/217915
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft Patch Tuesday for Oct. 2020
Description: Microsoft released its monthly security update Tuesday, disclosing just under 100 vulnerabilities across its array of products. Fourteen of the vulnerabilities are considered "critical" while the vast remainder are ranked as "important." Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of all these bugs. The security updates cover several different products including the SharePoint document management system, Azure Sphere and the Windows camera codec, which allows users to view a variety of video files on their machines.
References: https://blog.talosintelligence.com/2020/10/microsoft-patch-tuesday-for-oct-2020.html
Snort SIDs: 53689 - 53691
Title: Lemon Duck brings cryptocurrency miners back into the spotlight
Description: Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread. This threat, known as "Lemon Duck," has a cryptocurrency mining payload that steals computer resources to mine the Monero virtual currency. The actor employs various methods to spread across the network, like sending infected RTF files using email, psexec, WMI and SMB exploits, including the infamous Eternal Blue and SMBGhost threats that affect Windows 10 machines. Some variants also support RDP brute-forcing. In recent attacks we observed, this functionality was omitted. The adversary also uses tools such as Mimikatz, that help the botnet increase the amount of systems participating in its mining pool.
References: https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html
Snort SIDs: 55926 - 55928
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
U.S. Cyber Command took steps to disrupt the Trickbot botnet, hoping to prevent any disruption to the upcoming presidential election.
Microsoft, along with several security companies and the Financial Services Information Sharing and Analysis Center (FS-ISAC) also took steps to disrupt Trickbot, including a legal maneuver that will make it easier to take down botnets in the future.
Unsealed court documents show how Google sells some of its search data to law enforcement agencies.
https://www.cnet.com/news/google-is-giving-data-to-police-based-on-search-keywords-court-docs-show/
Some users of the Robinhood investment app have reported that hackers have stolen funds from their accounts. The company does not appear to have a customer service line.
A security breach of a Chowbus database exposed information belonging to hundreds of thousands of customers of the food delivery service.
https://www.cyberscoop.com/chowbus-breach-personal-data-customers-linxin-wen/
Facebook created a new bug bounty program that offers premiums for researchers who regularly discover vulnerabilities in the site and ranks them in a tier list.
https://threatpost.com/facebook-bug-bounty-loyalty-program/159993/
The U.S. Cybersecurity and Infrastructure Security Agency warned that several APTs are using a combination of older vulnerabilities along with the Windows Netlogon vulnerability to target state and local government networks.
https://us-cert.cisa.gov/ncas/alerts/aa20-283a
Norway's foreign minister said that Russian cyber actors are responsible for an attack against the Norwegian Parliament's email system earlier this year.
Video calling and meeting software Zoom says it is rolling out end-to-end encrypted calls to users starting next week.
https://www.zdnet.com/article/zoom-to-roll-out-end-to-end-encrypted-e2ee-calls/
Twitter and Facebook both said they will remove all Holocaust denial-related content from their sites.
https://www.theverge.com/2020/10/14/21516468/twitter-holocaust-denial-banned-facebook-policy
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-16898
Title: Microsoft Windows TCP/IP Stack Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1472
Title: Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-6927
Title: HP Device Manager Elevation of Privilege Vulnerability
Vendor: HP
Description: HP Device Manager is enterprise-class thin client management software that allows customers to view their thin client assets remotely and to manipulate those thin clients to meet the required business need. Successful exploitation of this vulnerability may allow a malicious actor to gain SYSTEM privileges.
CVSS v3 Base Score: 8.0 (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-3452
Title: Cisco ASA and FTD Path Traversal Vulnerability
Vendor: Cisco
Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ID: CVE-2020-13943
Title: Apache Tomcat Unexpected Resource Response Vulnerability
Vendor: Apache
Description: If an HTTP/2 client exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources.
CVSS v3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
ID: CVE-2020-9746
Title: Adobe Flash Player Arbitrary Code Execution Vulnerability
Vendor: Adobe
Description: Adobe Flash Player is affected by an exploitable NULL pointer dereference vulnerability that could result in a crash and arbitrary code execution. Exploitation of this issue requires an attacker to insert malicious strings in an HTTP response that is by default delivered over TLS/SSL.
CVSS v3 Base Score: 7.0 (AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-16951
Title: Microsoft SharePoint Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Microsoft SharePoint when the software fails to check the source markup of an application package. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the SharePoint application pool and the SharePoint server farm account. Exploitation of this vulnerability requires that a user uploads a specially crafted SharePoint application package to an affected version of SharePoint.
CVSS v3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
=========================================================
MOST PREVALENT MALWARE FILES Oct. 8 - 15:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: Eter.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
SHA 256: 1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5
MD5: 01a607b4d69c549629e6f0dfd3983956
VirusTotal: https://www.virustotal.com/gui/file/1eef72aa566ba6c76b33f9d430d7233e358392382bfb3db81ca4f28d74f415a5/details
Typical Filename: wupxarch.exe
Claimed Product: N/A
Detection Name: W32.Auto:1eef72aa56.in03.Talos
SHA 256: 1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f
MD5: 88781be104a4dcb13846189a2b1ea055
VirusTotal: https://www.virustotal.com/gui/file/1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f/details
Typical Filename: UltraSearchApp
Claimed Product: N/A
Detection Name: Win.Trojan.Generic::sso.talos
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743
