@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
October 22, 2020=============================================================
@RISK: The Consensus Security Vulnerability Alert
October 22, 2020 - Vol. 20, Num. 43
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Oct. 8 - 16
============================================================
TOP VULNERABILITY THIS WEEK: Emotet using new Windows update-related lures
******************** Sponsored By UPPERAD ********************
Virtual Forum | Be sure to join us for the Adversary Detection and Response Solutions Forum, chaired by security expert Jake Williams! This forum will present carefully curated technologies that can be used by practitioners to both detect intrusions and remediate issues quickly | October 30 @ 10:30 AM EDT
| http://www.sans.org/info/217960
============================================================
TRAINING UPDATE
New OnDemand Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/ondemand/course/cloud-penetration-testing
MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep
- https://www.sans.org/ondemand/course/project-management-effective-communication-pmp-exam-prep
View all courses
- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand
Live Online Training Events and Summits
SANS San Francisco Winter 2020 - Live Online
Nov 30-Dec 5 PST | 10 Courses | Virtual Core NetWars
- https://www.sans.org/event/san-francisco-winter-2020-live-online
Pen Test HackFest - Live Online
Nov 16-21 EST | 15 Courses | Core NetWars + Coin-A-Palooza
- https://www.sans.org/event/pen-test-hackfest-2020-live-online
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america
Free Resources
Tools, Posters, and more.
OnDemand Training Special Offer: Get an iPad mini, Surface Go 2, or Take $300 Off with qualified OnDemand courses through October 28.
- www.sans.org/specials/north-america/
********************** Sponsored Links: ********************
1) DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks| Get the whitepaper now!
| http://www.sans.org/info/217965
2) Webcast | In our upcoming webcast, "Immunizing Modern Application Frameworks", participants will be shown how to deploy open source code pre-hardened from dangerous attacks | October 27 @ 12:00 PM EDT
| http://www.sans.org/info/217970
3) Webcast | Tune in to our upcoming webcast titled, "Quick Wins for Securing your Cloud Workloads." This webcast will be chaired by SANS analyst Dave Shackleford and will cover examples of recent attacks against cloud workloads, what they have in common, and discuss quick wins to gain maximum coverage quickly | October 28 @ 10:30 AM EDT
| http://www.sans.org/info/217975
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Emotet employs Windows 10 update lures
Description: Popular malware Emotet now draws users to click with a fake Windows 10 Update. This social engineering tactic comes in emails with distracting body text such as current-events articles or bogus shipping information. Opening the email's attachments triggers the update notification. Enabling editing on the attachment will free up Emotet to infect the system.
Snort SIDs: 56046, 56047
Title: F2FS toolset contains multiple vulnerabilities
Description: F2FS is a filesystem toolset commonly found in embedded
devices that creates, verifies and/or fixes Flash-Friendly File System files. An attacker could provide a malicious file to the target to trigger these vulnerabilities, causing a variety of negative conditions for the target. The tool contains two code execution vulnerabilities for multiple devices, and information disclosure vulnerability in init_node_manager and dev_read.
References: https://blog.talosintelligence.com/2020/10/vuln-spotlight-f2fs-tools-.html
Snort SIDs: 53684, 53685, 53729 - 53732
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The US Department of Justice indicted six Russian nationals believed to be members of one of Russia's elite hacking and cyberwar units known as Sandworm.
Fancy Bear imposters are on a hacking extortion spree, sending ransom notes pretending to be from the North Korean government hackers Lazarus Group, or APT38, and Russian state-backed hackers Fancy Bear, or APT28.
Gartner lists 'internet of behaviors,' automation, AI, experiences as key 2021 strategic technologies for CIOs.
Thousands of infected IoT devices are being used in a for-profit anonymity botnet called Interplanetary Storm.
An investigation report on the Twitter hack points to social engineering techniques and calls for cybersecurity rules for social media giants, arguing that regulation and innovation can coexist.
Ryuk ransomware operators are using the Zerologon bug to move attacks from initial phish to domain-wide encryption in five hours.
https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-16898
Title: Microsoft Windows TCP/IP Stack Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1472
Title: Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-1034
Title: Microsoft Windows Kernel Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-13957
Title: Apache Solr ConfigSet Remote Code Execution Vulnerability
Vendor: Apache
Description: Apache Solr allows some features to be configured in ConfigSet that's uploaded via API without authentication/authorization, which could be used for remote code execution. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2019-1151
Title: Microsoft Font Subsetting DLL ReadAllocFormat12CharGlyphMapList Heap Corruption
Vendor: Microsoft
Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-14144
Title: Gitea Authenticated Remote Code Execution Vulnerability
Vendor: Gitea
Description: A vulnerability exists in Gitea, that allows an attacker with access to an administrative account or an account with special privileges to execute arbitrary code on the server.
CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-4280
Title: IBM QRadar RemoteJavaScript Deserialization Vulnerability
Vendor: IBM
Description: A Java deserialization vulnerability exists in the IBM QRadar RemoteJavaScript Servlet. An authenticated user can call one of the vulnerable methods and cause the Servlet to deserialize arbitrary objects. An attacker can exploit this vulnerability by creating a specially crafted (serialized) object, which amongst other things can result in a denial of service, change of system settings, or execution of arbitrary code.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES Oct. 8 - 16:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 15716598F456637A3BE3D6C5AC91266142266A9910F6F3F85CFD193EC1D6ED8B
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: Win.Downloader.Generic::1201
SHA 256: 7F16B5E291CCBA6411C95BAFC3FE7EEB5C4A57DF8BA32CFD173E75CC8826C921
MD5: 0b422df6c3d71d2147350d11c256724e
VirusTotal: https://www.virustotal.com/gui/file/7f16b5e291ccba6411c95bafc3fe7eeb5c4a57df8ba32cfd173e75cc8826c921/details
Typical Filename: wupxarch11.exe
Claimed Product: N/A
Detection Name: W32.Auto:7f16b5.in03.Talos
SHA 256: 432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD
MD5: dd726d5e223ca762dc2772f40cb921d3
Typical Filename: ww24.exe
Claimed Product: N/A
Detection Name: W32.TR:Attribute.23ln.1201
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743
