@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

October 29, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                October 29, 2020 - Vol. 20, Num. 44


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Oct. 22 - 29

============================================================


TOP VULNERABILITY THIS WEEK: Code execution vulnerability in Google Chrome WebGL


******************** Sponsored By SANS *********************


Survey | Help your industry counterparts better defend & resource their environments by completing the 2020 Security Operations Center Survey. Your insights could greatly help with identifying trends in the Cyber Security industry | Survey closes on Oct 31st

| http://www.sans.org/info/218025


============================================================

TRAINING UPDATE


SEC588: Cloud Penetration Testing

- https://www.sans.org/ondemand/course/cloud-penetration-testing


MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep

- https://www.sans.org/ondemand/course/project-management-effective-communication


View all courses

- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand


Live Online Training Events and Summits


Pen Test HackFest + Summit @Night

Nov 16-21 EST | 15 Courses | Core NetWars + Coin-A-Palooza

- https://www.sans.org/event/pen-test-hackfest-2020-live-online


SANS Cyber Defense Initiative(R) 2020 - Dec 14-19 EST

35+ Courses | Core, Cyber Defense, and DFIR NetWars

- https://www.sans.org/event/cyber-defense-initiative-2020-live-online


View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america

 

Free Resources

Tools, Posters, and more.

- https://www.sans.org/free


OnDemand Training Special Offer

One Week Only! FREE Core Netwars Continuous with qualifying OnDemand Course purchases through November 4 - a $1,420 value!

- www.sans.org/specials/north-america/


********************** Sponsored Links: ********************


1) Webcast | Our upcoming webcast, "Are you protected from a resurgence of APT29?" will teach you how to operationalize MITRE ATT&CK framework and leverage it to validate your controls against threat groups | November 3 @ 1:00 PM EST

| http://www.sans.org/info/218030


2) Webcast | Join the incredibly knowledgeable Jake Williams as he chairs, "Doing More with Less: Detection and Response Planning for 2021" | November 3 @ 10:30 AM EST

| http://www.sans.org/info/218035


3) Virtual Forum Tomorrow | Be sure to join us for the Adversary Detection and Response Solutions Forum, chaired by security expert Jake Williams! This forum will present carefully curated technologies that can be used by practitioners to both detect intrusions and remediate issues quickly | October 30 @ 10:30 AM ET

| http://www.sans.org/info/218040


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Google Chrome WebGL Vulnerability provides code execution opportunity


Description: The Google Chrome web browser contains a vulnerability that could be exploited by an adversary to gain the ability to execute code on the victim machine. Chrome is one of the most popular web browsers currently available to users. Cisco Talos researchers recently discovered a bug in WebGL, which is a Chrome API responsible for displaying 3-D graphics. See the complete Talos vulnerability advisory in the reference below for additional information.


References: https://blog.talosintelligence.com/2020/10/vuln-spotlight-chrome-web-gl-.html


Snort SIDs: 54638, 54639


 

Title: Heap buffer overflow bug found in FreeType, a font-rendering engine used in Chrome and other platforms


Description: For users with the FreeType extension, malformed .ttf files with .png sbit glyphs can lead to heap buffer overflows. The bug affects versions 2.6 and on, but has been fixed in version 2.10.4. This bug has been exploited in the wild, though no details have been released.  


References: https://duo.com/decipher/google-patches-bug-used-in-active-attacks-against-chrome


Snort SIDs: 56130-56133


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Attackers target indie-game Among Us amidst its rise in popularity.


https://threatpost.com/among-us-mobile-game-attackers/160555/



Link previews from chat applications endanger accounts in Slack, LinkedIn and other platforms.  


https://threatpost.com/linkedin-instagram-preview-link-rce-security/160600/


 

The new "Digital Normal": the numbers on how COVID-19 fueled the transition, and fueled cyber attackers.


https://cisomag.eccouncil.org/the-digital-normal/


 

The major US political parties have different stances and implementation practices on privacy and security standards.  


https://www.politico.com/newsletters/weekly-cybersecurity


 

Neural networks use blocklists to help users create better passwords, without complex-password requirements.


https://www.darkreading.com/endpoint/authentication/neural-networks-help-users-pick-more-secure-passwords/d/d-id/1339283


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2020-14181

Title:  Atlassian Jira Server and Data Center User Enumeration Vulnerability

Vendor: Atlassian

Description: Atlassian Jira Server and Data Center allow an unauthenticated user to enumerate users via an Information Disclosure vulnerability in the /ViewUserHover.jspa endpoint.

CVSS v3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)


ID:        CVE-2020-16938

Title:  Microsoft Windows Kernel Information Disclosure Vulnerability

Vendor: Microsoft

Description: An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. To exploit this vulnerability, an attacker would have to log on to an affected system and run a specially crafted application. The vulnerability would not allow an attacker to execute code or to elevate user rights directly, but it could be used to obtain information that could be used to try to further compromise the affected system.

CVSS v3 Base Score: 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)


ID:     CVE-2020-3118

Title:  Cisco IOS XR Software Cisco Discovery Protocol Format String Vulnerability

Vendor: Cisco

Description: A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload on an affected device. The vulnerability is due to improper validation of string input from certain fields in Cisco Discovery Protocol messages. An attacker could exploit this vulnerability by sending a malicious Cisco Discovery Protocol packet to an affected device.

CVSS v3 Base Score: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1472

Title:  Microsoft Netlogon Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:     CVE-2020-14882

Title:  Oracle WebLogic Remote Code Execution Vulnerability

Vendor: Oracle

Description: A critical vulnerability exists in Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-16898

Title:  Microsoft Windows TCP/IP Stack Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists when the Windows TCP/IP stack improperly handles ICMPv6 Router Advertisement packets. An attacker who successfully exploited this vulnerability could gain the ability to execute code on the target server or client. To exploit this vulnerability, an attacker would have to send specially crafted ICMPv6 Router Advertisement packets to a remote Windows computer.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:     CVE-2020-1013

Title:  Microsoft Windows Group Policy Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when Microsoft Windows processes group policy updates. An attacker who successfully exploited this vulnerability could potentially escalate permissions or perform additional privileged actions on the target machine. To exploit this vulnerability, an attacker would need to launch a man-in-the-middle (MiTM) attack against the traffic passing between a domain controller and the target machine. An attacker could then create a group policy to grant administrator rights to a standard user.

CVSS v3 Base Score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES Oct. 22 - 29:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f


MD5: e2ea315d9a83e7577053f52c974f6a5a


VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details


Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin


Claimed Product: N/A


Detection Name: Win.Dropper.Agentwdcr::1201


 

SHA 256: 432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd


MD5: dd726d5e223ca762dc2772f40cb921d3


VirusTotal: https://www.virustotal.com/gui/file/432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd/detection


Typical Filename: ww24.exe


Claimed Product: N/A


Detection Name: W32.TR:Attribute.23ln.1201


 

SHA 256: 46b3ef7f9e824322e2dc741029cae4430f16cdac96fd8280f4278d368a97b3ed


MD5: 1d9b733c36a1725501de3f8ea0a60630


VirusTotal: https://www.virustotal.com/gui/file/46b3ef7f9e824322e2dc741029cae4430f16cdac96fd8280f4278d368a97b3ed/details


Typical Filename: wupxarch640.exe


Claimed Product: N/A


Detection Name: W32.Auto:46b3ef7f9e.in03.Talos


 

SHA 256: 7d46349108b039adbea9483ff010c7b8214878148dd93baacaf0d0b7fe8d1384


MD5: e987b83e2571e6adda4a0ebc368b81f4


VirusTotal: https://www.virustotal.com/gui/file/7d46349108b039adbea9483ff010c7b8214878148dd93baacaf0d0b7fe8d1384/detection


Typical Filename: 7d46349108b039adbea9483ff010c7b8214878148dd93baacaf0d0b7fe8d1384.bin


Claimed Product: N/A


Detection Name: W32.7D46349108-90.SBX.TG


 

SHA 256: d431b8c8cd87d7bd7d3f88aaf2dacadc1d8553c29b1b970657faba974eb9e148


MD5: c3e9e334ccffe94b48a7645455665d4d


VirusTotal: https://www.virustotal.com/gui/file/d431b8c8cd87d7bd7d3f88aaf2dacadc1d8553c29b1b970657faba974eb9e148/detection


Typical Filename: 517651925_20201026.xlsm


Claimed Product: N/A


Detection Name: W32.D431B8C8CD-95.SBX.TG
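The hashes above are meant to be checked against files, not just read. As an added example, not Talos or SANS tooling, the following Python parses these five entries from the newsletter text into an indicator index, hashes files against it, and shows why the "Typical Filename" is only a hint: a file that reuses one of the listed names but has different content does not match. The indicator text is copied from this issue (VirusTotal and Claimed Product lines omitted); the files it scans are constructed in a temporary directory and are not malware.

```python
"""Match local files against the Talos 'most prevalent malware files' entries above.

Added example for this page; not Talos or SANS code. The indicator text is copied from
this issue (VirusTotal and Claimed Product lines omitted); the files scanned are
constructed in a temporary directory and contain benign text.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

NEWSLETTER_EXCERPT = """
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Detection Name: Win.Dropper.Agentwdcr::1201
SHA 256: 432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd
MD5: dd726d5e223ca762dc2772f40cb921d3
Typical Filename: ww24.exe
Detection Name: W32.TR:Attribute.23ln.1201
SHA 256: 46b3ef7f9e824322e2dc741029cae4430f16cdac96fd8280f4278d368a97b3ed
MD5: 1d9b733c36a1725501de3f8ea0a60630
Typical Filename: wupxarch640.exe
Detection Name: W32.Auto:46b3ef7f9e.in03.Talos
SHA 256: 7d46349108b039adbea9483ff010c7b8214878148dd93baacaf0d0b7fe8d1384
MD5: e987b83e2571e6adda4a0ebc368b81f4
Typical Filename: 7d46349108b039adbea9483ff010c7b8214878148dd93baacaf0d0b7fe8d1384.bin
Detection Name: W32.7D46349108-90.SBX.TG
SHA 256: d431b8c8cd87d7bd7d3f88aaf2dacadc1d8553c29b1b970657faba974eb9e148
MD5: c3e9e334ccffe94b48a7645455665d4d
Typical Filename: 517651925_20201026.xlsm
Detection Name: W32.D431B8C8CD-95.SBX.TG
"""

FIELD_RE = re.compile(r"(SHA 256|MD5|Typical Filename|Detection Name):\s*(.+?)\s*$")


@dataclass(frozen=True)
class Indicator:
    sha256: str
    md5: str
    filename: str
    detection: str


def parse_indicators(text: str) -> dict:
    """Map lowercase SHA-256 -> Indicator. An entry starts at 'SHA 256:' and is
    complete at 'Detection Name:'; any other lines are ignored."""
    index, fields = {}, {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue
        key, value = m.groups()
        if key == "SHA 256":
            fields = {}
        fields[key] = value
        if key == "Detection Name" and "SHA 256" in fields:
            ind = Indicator(fields["SHA 256"].lower(), fields.get("MD5", "").lower(),
                            fields.get("Typical Filename", ""), value)
            index[ind.sha256] = ind
    return index


def file_digests(path: str) -> tuple:
    """SHA-256 and MD5 of a file, streamed so large files are not read into memory."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha.update(chunk)
            md5.update(chunk)
    return sha.hexdigest(), md5.hexdigest()


def scan(paths, index: dict) -> list:
    """(path, Indicator, md5_agrees) for every file whose SHA-256 is in the index.
    SHA-256 decides the match; the listed filename is only a hint, since the same
    sample is dropped under many names, and MD5 is reported as a cross-check."""
    hits = []
    for path in paths:
        sha, md5 = file_digests(path)
        ind = index.get(sha)
        if ind is not None:
            hits.append((path, ind, md5 == ind.md5))
    return hits


def demo() -> tuple:
    """Scan two constructed files. Returns (hits against the newsletter index,
    hits against an index seeded with one constructed file's own digests)."""
    newsletter = parse_indicators(NEWSLETTER_EXCERPT)
    with tempfile.TemporaryDirectory() as d:
        # 'ww24.exe' reuses a Typical Filename from the list but has benign content,
        # so it must NOT match: the hash, not the name, is the indicator.
        for name, data in (("ww24.exe", b"constructed benign content"), ("notes.txt", b"hello")):
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        paths = sorted(os.path.join(d, n) for n in os.listdir(d))
        sha, md5 = file_digests(paths[0])
        seeded = {sha: Indicator(sha, md5, os.path.basename(paths[0]), "Test.Constructed")}
        return len(scan(paths, newsletter)), len(scan(paths, seeded))


if __name__ == "__main__":
    print(demo())  # (0, 1)
```

To sweep a real directory, pass `os.walk`-collected paths to `scan()` with the index from `parse_indicators()`; hits carry the Talos detection name so they can be cross-referenced with the VirusTotal links above.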


=============================================================


(c) 2020.  All rights reserved.  The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743