
@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

October 22, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                October 22, 2020 - Vol. 20, Num. 43


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Oct. 8 - 16

============================================================


TOP VULNERABILITY THIS WEEK: Emotet using new Windows update-related lures


******************** Sponsored By UPPERAD ********************


Virtual Forum | Be sure to join us for the Adversary Detection and Response Solutions Forum, chaired by security expert Jake Williams! This forum will present carefully curated technologies that can be used by practitioners to both detect intrusions and remediate issues quickly | October 30 @ 10:30 AM EDT

| http://www.sans.org/info/217960


============================================================

TRAINING UPDATE


New OnDemand Courses


SEC588: Cloud Penetration Testing

- https://www.sans.org/ondemand/course/cloud-penetration-testing


MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep

- https://www.sans.org/ondemand/course/project-management-effective-communication-pmp-exam-prep


View all courses

- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand


Live Online Training Events and Summits


SANS San Francisco Winter 2020 - Live Online

Nov 30-Dec 5 PST | 10 Courses | Virtual Core NetWars

- https://www.sans.org/event/san-francisco-winter-2020-live-online


Pen Test HackFest - Live Online

Nov 16-21 EST | 15 Courses | Core NetWars + Coin-A-Palooza

- https://www.sans.org/event/pen-test-hackfest-2020-live-online


View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america

 

Free Resources

Tools, Posters, and more.

- https://www.sans.org/free

 

OnDemand Training Special Offer: Get an iPad mini, Surface Go 2, or Take $300 Off with qualified OnDemand courses through October 28.

- www.sans.org/specials/north-america/


********************** Sponsored Links: ********************


1) DTEX Insider Threat Kill Chain: Learn the 5 Steps Present in Almost all Insider Attacks| Get the whitepaper now!

| http://www.sans.org/info/217965


2) Webcast | In our upcoming webcast, "Immunizing Modern Application Frameworks", participants will be shown how to deploy open source code pre-hardened from dangerous attacks | October 27 @ 12:00 PM EDT

| http://www.sans.org/info/217970


3) Webcast | Tune in to our upcoming webcast titled, "Quick Wins for Securing your Cloud Workloads." This webcast will be chaired by SANS analyst Dave Shackleford and will cover examples of recent attacks against cloud workloads, what they have in common, and discuss quick wins to gain maximum coverage quickly | October 28 @ 10:30 AM EDT

| http://www.sans.org/info/217975


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Emotet employs Windows 10 update lures


Description: The widespread Emotet malware now lures users into clicking with a fake Windows 10 update. The social engineering arrives in emails with distracting body text such as current-events articles or bogus shipping information. Opening the email's attachment triggers the fake update notification, and enabling editing on the attachment allows Emotet to infect the system.


References: https://www.forbes.com/sites/leemathews/2020/10/19/notorious-emotet-malware-starts-using-fake-windows-update-alerts-to-deceive-victims/#4ad66d5661ab


Snort SIDs: 56046, 56047


 

Title: F2FS toolset contains multiple vulnerabilities


Description: F2FS is a filesystem toolset commonly found in embedded devices that creates, verifies and/or fixes Flash-Friendly File System files. An attacker could provide a malicious file to the target to trigger these vulnerabilities, causing a variety of negative conditions for the target. The tool contains two code execution vulnerabilities for multiple devices, and an information disclosure vulnerability in init_node_manager and dev_read.


References: https://blog.talosintelligence.com/2020/10/vuln-spotlight-f2fs-tools-.html


Snort SIDs: 53684, 53685, 53729 - 53732


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY



The US Department of Justice indicted six Russian nationals believed to be members of one of Russia's elite hacking and cyberwar units known as Sandworm.


https://www.zdnet.com/article/us-charges-russian-hackers-behind-notpetya-killdisk-olympicdestroyer-attacks/



Fancy Bear imposters are on a hacking extortion spree, sending ransom notes pretending to be from the North Korean government hackers Lazarus Group, or APT38, and Russian state-backed hackers Fancy Bear, or APT28.


https://arstechnica.com/information-technology/2020/10/fancy-bear-imposters-are-on-a-hacking-extortion-spree/



Gartner lists 'internet of behaviors,' automation, AI, experiences as key 2021 strategic technologies for CIOs.


https://www.zdnet.com/article/gartner-sees-internet-of-behaviors-automation-ai-experiences-key-2021-technologies/


 

Thousands of infected IoT devices are being used in a for-profit anonymity botnet called Interplanetary Storm.  


https://arstechnica.com/information-technology/2020/10/thousands-of-infected-iot-devices-used-in-for-profit-anonymity-service/


 

An investigation report on the Twitter hack points to social engineering techniques and calls for cybersecurity rules for social media giants, arguing that regulation and innovation can coexist.  


https://techcrunch.com/2020/10/14/twitter-hack-probe-leads-to-call-for-cybersecurity-rules-for-social-media-giants/


 

Ryuk ransomware operators are using the Zerologon bug to move attacks from initial phish to domain-wide encryption in five hours.


https://threatpost.com/ryuk-ransomware-gang-zerologon-lightning-attack/160286/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:     CVE-2020-16898

Title:  Microsoft Windows TCP/IP Stack Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:     CVE-2020-1472

Title:  Microsoft Netlogon Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:     CVE-2020-1034

Title:  Microsoft Windows Kernel Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:     CVE-2020-13957

Title:  Apache Solr ConfigSet Remote Code Execution Vulnerability

Vendor: Apache

Description: Apache Solr allows some features to be configured in ConfigSet that's uploaded via API without authentication/authorization, which could be used for remote code execution. The checks in place to prevent such features can be circumvented by using a combination of UPLOAD/CREATE actions.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:     CVE-2019-1151

Title:  Microsoft Font Subsetting DLL ReadAllocFormat12CharGlyphMapList Heap Corruption

Vendor: Microsoft

Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID:     CVE-2020-14144

Title:  Gitea Authenticated Remote Code Execution Vulnerability

Vendor: Gitea

Description: A vulnerability exists in Gitea that allows an attacker with access to an administrative account or an account with special privileges to execute arbitrary code on the server.

CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


ID:     CVE-2020-4280

Title:  IBM QRadar RemoteJavaScript Deserialization Vulnerability

Vendor: IBM

Description: A Java deserialization vulnerability exists in the IBM QRadar RemoteJavaScript Servlet. An authenticated user can call one of the vulnerable methods and cause the Servlet to deserialize arbitrary objects. An attacker can exploit this vulnerability by creating a specially crafted (serialized) object, which amongst other things can result in a denial of service, change of system settings, or execution of arbitrary code.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES Oct. 8 - 16:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 15716598F456637A3BE3D6C5AC91266142266A9910F6F3F85CFD193EC1D6ED8B


MD5: 799b30f47060ca05d80ece53866e01cc


VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/detection


Typical Filename: mf2016341595.exe


Claimed Product: N/A


Detection Name: Win.Downloader.Generic::1201


 

SHA 256: 7F16B5E291CCBA6411C95BAFC3FE7EEB5C4A57DF8BA32CFD173E75CC8826C921


MD5: 0b422df6c3d71d2147350d11c256724e


VirusTotal: https://www.virustotal.com/gui/file/7f16b5e291ccba6411c95bafc3fe7eeb5c4a57df8ba32cfd173e75cc8826c921/details


Typical Filename: wupxarch11.exe


Claimed Product: N/A


Detection Name: W32.Auto:7f16b5.in03.Talos


 

SHA 256: 432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD


MD5: dd726d5e223ca762dc2772f40cb921d3


VirusTotal: https://www.virustotal.com/gui/file/432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd/detection


Typical Filename: ww24.exe


Claimed Product: N/A


Detection Name: W32.TR:Attribute.23ln.1201


 

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5


MD5: 8c80dd97c37525927c1e549cb59bcbf3


VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection


Typical Filename: Eternalblue-2.2.0.exe


Claimed Product: N/A


Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


 

SHA 256: C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F


MD5: e2ea315d9a83e7577053f52c974f6a5a


VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection


Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin


Claimed Product: N/A


Detection Name: Win.Dropper.Agentwdcr::1201
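The hash list above is only useful if it is actually matched against files on hosts or in mail quarantine. The scanner below is an added example written for this newsletter (not a Talos or SANS tool): it embeds the five SHA256/MD5 pairs and detection names listed in this issue, computes both digests of each file in a single chunked read, and reports any file whose digest appears in the list. The directory walked and the chunk size are the caller's choice.

```python
import hashlib
import os
from typing import Dict, List, Optional, Tuple

# IoCs from this issue's "Most prevalent malware files" section, keyed by
# lower-case digest so matching is case-insensitive.
IOC_SHA256: Dict[str, str] = {
    "15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b": "Win.Downloader.Generic::1201",
    "7f16b5e291ccba6411c95bafc3fe7eeb5c4a57df8ba32cfd173e75cc8826c921": "W32.Auto:7f16b5.in03.Talos",
    "432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd": "W32.TR:Attribute.23ln.1201",
    "85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5": "Win.Exploit.Shadowbrokers::5A5226262.auto.talos",
    "c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f": "Win.Dropper.Agentwdcr::1201",
}
IOC_MD5: Dict[str, str] = {
    "799b30f47060ca05d80ece53866e01cc": "Win.Downloader.Generic::1201",
    "0b422df6c3d71d2147350d11c256724e": "W32.Auto:7f16b5.in03.Talos",
    "dd726d5e223ca762dc2772f40cb921d3": "W32.TR:Attribute.23ln.1201",
    "8c80dd97c37525927c1e549cb59bcbf3": "Win.Exploit.Shadowbrokers::5A5226262.auto.talos",
    "e2ea315d9a83e7577053f52c974f6a5a": "Win.Dropper.Agentwdcr::1201",
}


def digest_bytes(data: bytes) -> Tuple[str, str]:
    """Return (sha256_hex, md5_hex) of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def digest_file(path: str, chunk_size: int = 1 << 20) -> Tuple[str, str]:
    """Hash a file with both algorithms in one pass, without loading it whole."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()


def match(sha256_hex: str, md5_hex: str,
          sha_iocs: Dict[str, str] = IOC_SHA256,
          md5_iocs: Dict[str, str] = IOC_MD5) -> Optional[str]:
    """Detection name if either digest is in the IoC set, else None.

    SHA256 is checked first; MD5 is kept only because some feeds still
    publish it, and an MD5-only hit should be confirmed by the SHA256.
    """
    hit = sha_iocs.get(sha256_hex.lower())
    if hit is None:
        hit = md5_iocs.get(md5_hex.lower())
    return hit


def scan_tree(root: str) -> List[Tuple[str, str]]:
    """Walk a directory and return (path, detection_name) for every IoC hit.

    Unreadable files (permissions, vanished during the walk) are skipped
    rather than aborting the whole scan.
    """
    hits: List[Tuple[str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                sha, md5 = digest_file(path)
            except OSError:
                continue
            detection = match(sha, md5)
            if detection is not None:
                hits.append((path, detection))
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, detection in scan_tree(target):
        print(f"{detection}\t{path}")
```

Run it against a quarantine or download directory; a hit prints the Talos detection name beside the path so the VirusTotal links above can be consulted directly. File-hash matching only catches byte-identical samples, so treat a clean result as absence of these specific files, not absence of Emotet or the other families named in this issue.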



=============================================================


(c) 2020.  All rights reserved.  The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743