
@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

November 5, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                November 5, 2020 - Vol. 20, Num. 45


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Oct 29 - Nov 5

============================================================


TOP VULNERABILITY THIS WEEK: US hospitals and healthcare seeing increasing attack rate from trojan and ransomware


********************  Sponsored By SANS  ********************


Survey | Calling all individuals working in the telecommunications, media, and technology industries who are involved in the budgeting process for security tools and services for their business. We invite you to take our survey to share insight into your security spending and help other organizations (and individuals) develop strategies for justifying their security spending! Take the survey to be entered to win a $100 Amazon gift card! | http://www.sans.org/info/218084


============================================================

TRAINING UPDATE


OnDemand and Live Online Training Special Offer

Best Offers of the Year! Get an 11" iPad Pro w/ Magic Keyboard, a Microsoft Surface Go 2 - 256 GB SSD, or Take $350 Off with ANY qualifying SANS Training Course through November 18.

- www.sans.org/specials/north-america/


New OnDemand Courses -- Available Now


SEC588: Cloud Penetration Testing

- https://www.sans.org/ondemand/course/cloud-penetration-testing


MGT525: IT Project Management, Effective Communication, and PMP(R) Exam Prep

- https://www.sans.org/ondemand/course/project-management-effective-communication


View all courses

- https://www.sans.org/cyber-security-courses/?focus-area=&training-format=ondemand


Live Online Training Events and Summits


Pen Test HackFest + Summit @Night

Nov 16-21 EST | 15 Courses | Core NetWars + Coin-A-Palooza

- https://www.sans.org/event/pen-test-hackfest-2020-live-online


SANS Cyber Defense Initiative(R) 2020 - Dec 14-19 EST

35+ Courses | Core, Cyber Defense, and DFIR NetWars

- https://www.sans.org/event/cyber-defense-initiative-2020-live-online


View complete event schedule

- https://www.sans.org/cyber-security-training-events/north-america

 

Free Resources

Tools, Posters, and more.

- https://www.sans.org/free


********************** Sponsored Links: ********************


1) Webcast | Our upcoming webinar features the Anomali security team and SANS Instructor John Hubbard as they discuss how the Anomali Match security analytics platform can complement your existing SIEM infrastructure, and improve your security team's ability to detect, investigate, and respond to threats in your network at scale | November 12 @ 1:00 PM EST

| http://www.sans.org/info/218089


2) Webcast | We invite you to join our upcoming Ask the Expert Session hosted by Axonius Director of Security, Daniel Trauner during our webcast titled, "What's This Thing? Solving Asset Management for Security Ops" | November 17 @ 2:00 PM EST

| http://www.sans.org/info/218094


3) Webcast | By using Swimlane's security orchestration, automation and response (SOAR) solution, you can automate the testing of your security controls and get a clear view of what you can detect versus what you cannot. To learn more about the SOAR solution, join cybersecurity expert Jake Williams as he chairs our upcoming webcast, "Using SOAR to Automate ATT&CK Testing" | November 18 @ 10:30 AM EST

| http://www.sans.org/info/218099


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Trickbot banking trojan and Ryuk ransomware targeting US hospitals and healthcare providers

Description: Cisco Talos has become aware that an adversary is leveraging Trickbot banking trojan and Ryuk ransomware to target U.S. hospitals and healthcare providers at an increasing rate. Security journalists reported on October 28, 2020 that the adversary was preparing to encrypt systems at "potentially hundreds" of medical centers and hospitals, based on a tip from a researcher who had been monitoring communications for the threat actor. On October 28 and 29, these claims were supported by the reports of six U.S. hospitals being compromised with Ryuk in the span of 24 hours.

References: https://blog.talosintelligence.com/2020/10/healthcare-advisory.html

Snort SIDs: rules are available covering Ryuk, Emotet, Trickbot, PowerShell Empire and Cobalt Strike.


Title: Talos discovers multiple remote vulnerabilities in Synology Router Manager

Description: Cisco Talos recently discovered multiple remote vulnerabilities in software that helps power Synology routers. The bugs exist in Synology Router Manager (SRM) -- a Linux-based operating system for Synology routers -- and QuickConnect, a feature inside SRM that allows users to remotely connect to their routers. An adversary could use these vulnerabilities to carry out a range of malicious actions, including remote code execution on the device, exposure of sensitive information about the victim's network, and communication with other devices connected to the same network.

References: https://blog.talosintelligence.com/2020/10/vulnerability-spotlight-multiple.html#more

Snort SIDs: 53755, 53756, 53839, 53840, 53959, 54009


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Windows 0-day vulnerability under active exploitation revealed by Google's Project Zero, patch not expected for 2 more weeks.

https://arstechnica.com/information-technology/2020/10/googles-project-zero-discloses-windows-0day-thats-been-under-active-exploit/


Iranian-backed hackers targeted high-profile attendees of two international security and policy conferences with phishing emails to steal passwords and other sensitive data.

https://techcrunch.com/2020/10/28/microsoft-iran-hackers/


A permanent working-from-home world is producing spikes in RDP servers exposed to the Internet, as the old assumption of controlling the internal network no longer applies.

https://arstechnica.com/features/2020/11/future-of-collaboration-03/


Bad actors are exploiting Google Drive's collaboration feature to send users to malicious sites.

https://www.wired.com/story/beware-a-new-google-drive-scam-landing-in-inboxes/


Election security dominates several news sites, as concern over attacks and disinformation campaigns takes off.

https://threatpost.com/cyberattacks-disinformation-top-concerns-election-day/160814/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2020-14882

Title:  Oracle WebLogic Server Remote Code Execution Vulnerability

Vendor: Oracle

Description: Oracle WebLogic Server is exposed to a critical vulnerability. The vulnerability could be exploited by an unauthenticated attacker with a single HTTP request. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks can result in takeover of Oracle WebLogic Server.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-14871

Title:  Oracle Solaris Remote Code Execution Vulnerability

Vendor: Oracle

Description: This easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks can result in takeover of Oracle Solaris.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:     CVE-2020-17087

Title:  Microsoft Windows Kernel Privilege Escalation Vulnerability

Vendor: Microsoft

Description: Security researchers from Google's Project Zero have disclosed a zero-day vulnerability in the Windows operating system which is currently being exploited in the wild. The Google Project Zero team notified Microsoft last week and gave the company seven days to patch the bug.

CVSS v3 Base Score: 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)


ID:        CVE-2020-15999

Title:  Google Chrome Freetype Heap Buffer Overflow Vulnerability

Vendor: Google

Description: Google Chrome issued an update announcement for the browser across all platforms. Google confirmed that the "stable channel" desktop Chrome browser is being updated across Windows, Mac, and Linux platforms. As per Google's official sources, this urgent update will start rolling out over the coming few days or weeks.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID:     CVE-2020-14750

Title:  Oracle WebLogic Server Unauthenticated Remote Code Execution Vulnerability

Vendor: Oracle

Description: Oracle released a critical update to patch CVE-2020-14882 earlier in October. It has since been observed that attackers can bypass this patch, exposing an unauthenticated remote code execution vulnerability. Unauthorized attackers can continue to bypass the WebLogic login restrictions and control the server even after WebLogic is patched for CVE-2020-14882.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-13935

Title:  Apache Tomcat WebSocket Denial of Service Vulnerability

Vendor: Apache

Description: The payload length in a WebSocket frame was not correctly validated in Apache Tomcat. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
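The defensive check this entry describes, as an added illustration (not Tomcat's own code): a minimal Python parser for the WebSocket frame header that enforces the RFC 6455 payload-length rules, so a frame with a non-minimal or sign-bit-set length is rejected up front instead of reaching a read loop that never terminates. The frames in the test are constructed samples.

```python
import struct
from typing import Tuple


class FrameError(ValueError):
    """Raised for a frame header that violates the RFC 6455 length rules."""


def parse_frame_header(data: bytes) -> Tuple[int, int, bool, int]:
    """Parse a WebSocket frame header from the start of `data`.

    Returns (opcode, payload_len, masked, header_len). Every length branch
    validates before returning, so callers never receive a length that a
    signed 64-bit reader would see as negative or that was encoded in more
    bytes than RFC 6455 section 5.2 allows.
    """
    if len(data) < 2:
        raise FrameError("truncated header")
    b0, b1 = data[0], data[1]
    opcode = b0 & 0x0F
    masked = bool(b1 & 0x80)
    length = b1 & 0x7F
    pos = 2
    if length == 126:
        if len(data) < pos + 2:
            raise FrameError("truncated 16-bit length")
        length = struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        if length < 126:  # minimal encoding required
            raise FrameError("non-minimal 16-bit length")
    elif length == 127:
        if len(data) < pos + 8:
            raise FrameError("truncated 64-bit length")
        length = struct.unpack("!Q", data[pos:pos + 8])[0]
        pos += 8
        if length >> 63:  # MSB must be 0: negative as a signed long
            raise FrameError("64-bit length with most significant bit set")
        if length < 65536:  # minimal encoding required
            raise FrameError("non-minimal 64-bit length")
    if masked:
        pos += 4  # 32-bit masking key follows the length
    return opcode, length, masked, pos


def header_is_valid(data: bytes) -> bool:
    """Convenience wrapper: True if the header passes all length checks."""
    try:
        parse_frame_header(data)
        return True
    except FrameError:
        return False
```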


ID:        CVE-2020-1472

Title:  Microsoft Netlogon Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2019-4563

Title:  IBM Security Directory Server Vulnerability

Vendor: IBM

Description: IBM Security Directory Server does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user visits. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

CVSS v3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)



=========================================================


MOST PREVALENT MALWARE FILES Oct 29 - Nov 5:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP



SHA 256: F059A5358C24CC362C2F74B362C75E02035FDF82F9FFAE8D553AFEE1A271AFD0

MD5: ce4395edbbf9869a5e276781af2e0fb5

VirusTotal: https://www.virustotal.com/gui/file/f059a5358c24cc362c2f74b362c75e02035fdf82f9ffae8d553afee1a271afd0/details

Typical Filename: wupxarch635.exe

Claimed Product: N/A

Detection Name: W32.Auto:f059a5358c.in03.Talos


SHA 256: 432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD

MD5: dd726d5e223ca762dc2772f40cb921d3

VirusTotal: https://www.virustotal.com/gui/file/432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd/detection

Typical Filename: ww24.exe

Claimed Product: N/A

Detection Name: W32.TR:Attribute.23ln.1201


SHA 256: C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


SHA 256: 15716598F456637A3BE3D6C5AC91266142266A9910F6F3F85CFD193EC1D6ED8B

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/detection

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


=============================================================


(c) 2020. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743