@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.
A key purpose of @RISK is to provide the data that ensures the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) remain the most effective defenses against all known attack vectors. Because the data is also valuable to practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training, and to others at their organizations who want to stay current with the offensive methods in use.
November 12, 2020
=============================================================
@RISK: The Consensus Security Vulnerability Alert
November 12, 2020 - Vol. 20, Num. 46
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Nov. 5 - 12
============================================================
TOP VULNERABILITY THIS WEEK: More than a dozen critical vulnerabilities disclosed as part of Patch Tuesday
**************** Sponsored By AWS Marketplace ****************
How to Enhance SOC Efficiency for the AWS Cloud | November 19 @ 2:00 PM ET | Traditional security operations center (SOC) practices are manual and plagued with lengthy alert triage and inefficient incident response processes which do not translate well to modern cloud methodologies that are built for scale and with automation. In this upcoming webinar, you will learn how to limit alert fatigue while enhancing SOC productivity through automating actionable insights and removing repetitive manual tasks.
| http://www.sans.org/info/218145
============================================================
TRAINING UPDATE
OnDemand and Live Online Training Special Offer
Best Offers of the Year! Get an 11" iPad Pro w/ Magic Keyboard, a Microsoft Surface Go 2 - 256 GB SSD, or Take $350 Off with ANY qualifying SANS Training Course through November 18.
- www.sans.org/specials/north-america/
New & Updated Courses
MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
- https://www.sans.org/cyber-security-courses/managing-enterprise-cloud-security-vulnerabilities/
SEC460: Enterprise and Cloud | Threat and Vulnerability Assessment
- https://www.sans.org/cyber-security-courses/enterprise-cloud-threat-vulnerability-assessment/
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/
View all courses
- https://www.sans.org/cyber-security-courses/
Live Online Training Events and Summits
SANS Cyber Defense Initiative(R) 2020 - Dec 14-19 EST
35+ Courses | Core, Cyber Defense, and DFIR NetWars
- https://www.sans.org/event/cyber-defense-initiative-2020-live-online/
Cyber Threat Intelligence Summit & Training
FREE Summit: Jan 21-22 | Courses: Jan 25-30
- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/
View complete event schedule
- https://www.sans.org/cyber-security-training-events/north-america/
Free Resources
Tools, Posters, and more.
********************** Sponsored Links: ********************
1) Webcast | Tune in to our upcoming webcast, "What Works in Maintaining Deep Security and Enabling Detection and Response Across Data Center and Cloud Apps" and gain insight into the business justification for advanced network detection and response (NDR) capabilities and the key evaluation factors that resulted in the selection and deployment of ExtraHop's Reveal(x) platform to increase visibility into network traffic to secure Grand Canyon's business and customer systems | November 24 @ 1:00 PM EST
| http://www.sans.org/info/218150
2) Survey | If you work in the telecommunications, media, and technology industries and are involved in the budgeting process for security tools and services for your business, this survey is for you! Take this survey to share insight into your security spending and help other organizations (and individuals) develop strategies for justifying their security spending. You'll be entered to win a $100 Amazon gift card!
| http://www.sans.org/info/218155
3) Webcast | We invite you to join our upcoming Ask the Expert Session hosted by Axonius Director of Security, Daniel Trauner during our webcast titled, "What's This Thing? Solving Asset Management for Security Ops" | November 17 @ 2:00 PM EST
| http://www.sans.org/info/218160
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft Patch Tuesday
Description: Microsoft released its monthly security update Tuesday, disclosing just over 110 vulnerabilities across its products, a slight jump from last month, when Microsoft disclosed one of its lowest vulnerability totals in months. Eighteen of the vulnerabilities are rated "critical," two are rated "low," and the remainder are rated "important." Users of all Microsoft and Windows products are urged to update as soon as possible to avoid exploitation of these bugs. The security updates cover several products and services, including the HEVC video file extension, the Azure Sphere platform and Microsoft Exchange Server.
References: https://blog.talosintelligence.com/2020/11/microsoft-patch-tuesday-for-nov-2020.html
Snort SIDs: 56161 - 56264, 56230, 56231, 56254, 56255, 56286 - 56289, 56295, 56296, 56309, 56301 - 56305, 56310 and 56312
Title: Adobe issues security updates for Acrobat Reader
Description: Adobe recently disclosed multiple vulnerabilities in Acrobat Reader, covering both the desktop and Android versions. Among them are a heap buffer overflow and a use-after-free vulnerability that Cisco Talos researchers discovered. Acrobat Reader integrates into web browsers as a plugin for rendering PDFs, so tricking a user into visiting a malicious web page, or sending a specially crafted email attachment, can be enough to trigger these vulnerabilities. There is also a bug rated "important" in all Android versions of Acrobat that could allow an adversary to disclose sensitive information on an affected device.
References: https://helpx.adobe.com/security/products/reader-mobile/apsb20-71.html
https://blog.talosintelligence.com/2020/11/vulnerability-spotlight-multiple.html
Snort SIDs: 53563, 53564, 55842, 55843
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
While election week in the U.S. seemed to drag on, the good news is that polls closed and counting finished in most states without any major signs of a cyber disruption.
The FBI released a warning that international threat actors are using misconfigured SonarQube applications to steal source code repositories from U.S. government agencies and private businesses.
Voters in Portland, Maine approved a ban on facial recognition technology and are now eligible for up to $1,000 in payments if they are scanned in violation of the new order.
Storied video game production company Capcom says it was the victim of a cyber attack last week, the latest in a string of targeted attacks on video game companies.
https://www.bbc.com/news/technology-54840768
Disinformation written in Spanish largely dodged efforts by social media platforms to remove fake or misleading posts, leading to an increase in fake news in the days leading up to the U.S. election.
It's believed that President-elect Joe Biden's future administration will come down tougher on Russia on cyber security and take greater steps to bolster American election security.
Google Chrome will join Safari and Firefox in blocking so-called "tab-nabbing" attacks in web browsers with an upcoming security release.
https://www.zdnet.com/article/chrome-to-block-tab-nabbing-attacks/
Several key details remain unknown regarding some serious vulnerabilities Google recently disclosed and patched in its Android operating system.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-14882
Title: Oracle WebLogic Server Remote Code Execution Vulnerability
Vendor: Oracle
Description: Oracle WebLogic Server is exposed to a critical, easily exploitable vulnerability that an unauthenticated attacker with network access via HTTP can trigger with a single request. Successful exploitation results in takeover of the WebLogic Server.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2019-5544
Title: VMware Horizon DaaS OpenSLP Remote Code Execution Vulnerability
Vendor: VMware
Description: OpenSLP as used in Horizon DaaS has a heap overwrite issue. A malicious actor with network access to port 427 on an ESXi host or Horizon DaaS appliance may be able to overwrite the heap of the OpenSLP service, resulting in remote code execution.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-14871
Title: Oracle Solaris Remote Code Execution Vulnerability
Vendor: Oracle
Description: This easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful exploitation can result in takeover of Oracle Solaris.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-27955
Title: Git for Windows Large File Storage Remote Code Execution Vulnerability
Vendor: Git
Description: On Windows, if Git LFS operates on a malicious repository whose working directory contains a file named git.bat or git.exe, that file is executed in place of the real Git binary, permitting the attacker to run arbitrary code on the system of anyone who works with the repository.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
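The bug above is a command-resolution problem, not a Git LFS parsing bug: on Windows a bare "git" is looked up in the current directory before PATH, so whatever the repository ships under that name wins. The Python below is an added example, not git-lfs project code, of the two checks a practitioner wants before running any Git tooling inside an untrusted checkout: scan the working tree for git look-alikes, and resolve "git" from absolute PATH entries only, never from the working directory. The directory names, file contents and PATH value inside demo_scenario() are constructed for the demonstration.

```python
"""
Pre-flight check for the pattern behind CVE-2020-27955: a hostile repository
that carries a file named git.exe, git.bat or git.cmd in its root so that a
tool run from inside that directory resolves a bare "git" to it.

Added example, not git-lfs project code. Directory names, file contents and
the PATH value in demo_scenario() are constructed for the demonstration.
"""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Names that Windows command resolution accepts for a bare "git" invocation.
# Listed explicitly so the check behaves the same on every platform instead
# of depending on the local PATHEXT.
SHADOW_NAMES = ("git", "git.exe", "git.bat", "git.cmd", "git.com")


def find_shadowing_executables(repo_root: str) -> List[str]:
    """Names in repo_root that would shadow the real git for a tool that
    searches the current directory first (Windows CreateProcess semantics).
    The comparison is case-insensitive because NTFS is."""
    hits = [p.name for p in Path(repo_root).iterdir()
            if p.is_file() and p.name.lower() in SHADOW_NAMES]
    return sorted(hits)


def resolve_git_safely(path_env: str, cwd: str) -> Optional[str]:
    """Resolve "git" from PATH only.

    Relative PATH entries ("", ".", "..\\bin") and any entry that points at
    the working directory are skipped, so a file inside the working tree can
    never win. shutil.which() is deliberately not used: on Windows it inserts
    the current directory ahead of PATH, which is exactly the trap."""
    cwd_real = os.path.realpath(cwd)
    for raw in path_env.split(os.pathsep):
        if not raw or not os.path.isabs(raw):
            continue
        if os.path.realpath(raw) == cwd_real:
            continue
        for name in SHADOW_NAMES:
            candidate = os.path.join(raw, name)
            if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
                return candidate
    return None


def preflight(repo_root: str, path_env: Optional[str] = None) -> Dict[str, object]:
    """Refuse to proceed when the repository carries a git look-alike, and
    report which binary a hardened resolver would actually run."""
    if path_env is None:
        path_env = os.environ.get("PATH", "")
    shadows = find_shadowing_executables(repo_root)
    return {
        "safe": not shadows,
        "shadowing_files": shadows,
        "git_binary": resolve_git_safely(path_env, repo_root),
    }


def demo_scenario() -> Dict[str, object]:
    """Constructed scenario: a malicious clone with git.bat in its root and a
    legitimate git under a separate bin/ directory. PATH deliberately starts
    with "." and the repository itself; both must be ignored."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp, "evil-repo")
        repo.mkdir()
        (repo / "git.bat").write_text("@echo off\r\necho pwned\r\n")
        (repo / "README.md").write_text("looks harmless\n")
        bindir = Path(tmp, "bin")
        bindir.mkdir()
        real_git = bindir / "git"
        real_git.write_text("#!/bin/sh\necho real git\n")
        real_git.chmod(real_git.stat().st_mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        path_env = os.pathsep.join([".", str(repo), str(bindir)])
        return preflight(str(repo), path_env)


if __name__ == "__main__":
    print(demo_scenario())
```

Run it as a script and the report shows `safe: False`, `git.bat` as the shadowing file, and `.../bin/git` as the binary that would be used. The same mistake is easy to reproduce in your own automation: any wrapper that calls `subprocess.run(["git", ...])` from inside an untrusted checkout on Windows has the same exposure, so pass the resolved absolute path instead.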
ID: CVE-2020-17087
Title: Microsoft Windows Kernel Privilege Escalation Vulnerability
Vendor: Microsoft
Description: Google's Project Zero disclosed a vulnerability in the Windows kernel that was being exploited in the wild at the time of disclosure. Because the bug was already under active attack, Project Zero gave Microsoft its seven-day deadline rather than the usual 90 days before publishing. Microsoft addressed it in this month's Patch Tuesday release.
CVSS v3 Base Score: 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-15999
Title: Google Chrome Freetype Heap Buffer Overflow Vulnerability
Vendor: Google
Description: Google issued an update for the Chrome stable channel on Windows, Mac and Linux to fix this heap buffer overflow in the FreeType font library, which Google says is being exploited in the wild. The update rolls out over the coming days and weeks; users should confirm that their browser has picked it up rather than wait for the automatic rollout.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-14750
Title: Oracle WebLogic Server Unauthenticated Remote Code Execution Vulnerability
Vendor: Oracle
Description: Oracle patched CVE-2020-14882 in its October Critical Patch Update. Shortly afterwards, attackers were observed bypassing that patch, exposing the same unauthenticated remote code execution: an unauthorized attacker can still bypass the WebLogic admin console login and take control of the server even after the CVE-2020-14882 fix is applied. Oracle released CVE-2020-14750 as an out-of-band security alert to address the bypass.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1472
Title: Microsoft Netlogon Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
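Once the August 2020 Netlogon update is installed, a domain controller writes new System-log events (IDs 5827 to 5831, documented in Microsoft's KB4557222) for every vulnerable secure channel it denies or still allows; those events are what tell you which clients remain exposed before enforcement mode is switched on. The Python below is an added example, not Microsoft tooling or anything from the original advisory: it triages a constructed batch of such records (simplified fields, not the real event XML) into accounts that must be fixed, accounts already being denied, and group-policy exceptions to review.

```python
"""
Triage of the Netlogon events that Microsoft's August 2020 update for
CVE-2020-1472 adds to the System log on domain controllers (KB4557222).

Added example; not Microsoft tooling. SAMPLE_RECORDS is constructed and
uses a simplified field layout (EventID, Computer, Account, TimeCreated),
not the exact schema that Get-WinEvent returns.
"""
from collections import defaultdict
from typing import Dict, List

DENIED, NONCOMPLIANT, EXCEPTION = "denied", "noncompliant", "policy_exception"

# Event ID -> (triage bucket, meaning), per KB4557222.
NETLOGON_EVENTS = {
    5827: (DENIED, "denied vulnerable secure channel, machine account"),
    5828: (DENIED, "denied vulnerable secure channel, trust account"),
    5829: (NONCOMPLIANT, "allowed vulnerable secure channel (deployment phase only)"),
    5830: (EXCEPTION, "allowed vulnerable secure channel by group policy, machine account"),
    5831: (EXCEPTION, "allowed vulnerable secure channel by group policy, trust account"),
}

ADVICE = {
    NONCOMPLIANT: "still exploitable and will be cut off once enforcement mode is on; fix now",
    DENIED: "cannot talk to a patched DC; patch or retire the device",
    EXCEPTION: ("reachable only through the 'Domain controller: Allow vulnerable Netlogon "
                "secure channel connections' policy; re-justify or remove the exception"),
}

# Constructed sample: the shape of a week of events from two DCs.
SAMPLE_RECORDS = [
    {"EventID": 5829, "Computer": "DC01", "Account": "PRINTSRV01$", "TimeCreated": "2020-11-06T09:01:12Z"},
    {"EventID": 5829, "Computer": "DC01", "Account": "PRINTSRV01$", "TimeCreated": "2020-11-06T09:31:44Z"},
    {"EventID": 5829, "Computer": "DC02", "Account": "PRINTSRV01$", "TimeCreated": "2020-11-07T02:10:05Z"},
    {"EventID": 5827, "Computer": "DC02", "Account": "LAB-W7-07$", "TimeCreated": "2020-11-09T14:02:03Z"},
    {"EventID": 5830, "Computer": "DC01", "Account": "NASBOX$", "TimeCreated": "2020-11-10T16:45:00Z"},
    {"EventID": 5828, "Computer": "DC02", "Account": "OLDFOREST$", "TimeCreated": "2020-11-11T08:00:41Z"},
    {"EventID": 4624, "Computer": "DC01", "Account": "jdoe", "TimeCreated": "2020-11-11T08:01:00Z"},  # ordinary logon, ignored
]


def triage(records: List[Dict]) -> Dict[str, object]:
    """Count Netlogon events per account inside each triage bucket.
    Event IDs that are not Netlogon secure-channel events are counted
    under "ignored" so a silent filter does not hide a bad query."""
    buckets = {DENIED: defaultdict(int), NONCOMPLIANT: defaultdict(int), EXCEPTION: defaultdict(int)}
    ignored = 0
    for rec in records:
        entry = NETLOGON_EVENTS.get(rec.get("EventID"))
        if entry is None:
            ignored += 1
            continue
        buckets[entry[0]][rec["Account"]] += 1
    report: Dict[str, object] = {name: dict(counts) for name, counts in buckets.items()}
    report["ignored"] = ignored
    return report


def findings(report: Dict[str, object]) -> List[str]:
    """One actionable line per account, worst first. Accounts that are
    still being let through (5829) lead, because they are both exploitable
    today and the ones that will break when enforcement mode arrives."""
    lines = []
    for bucket in (NONCOMPLIANT, DENIED, EXCEPTION):
        ranked = sorted(report[bucket].items(), key=lambda kv: (-kv[1], kv[0]))
        for account, count in ranked:
            lines.append(f"{account}: {count} {bucket} event(s); {ADVICE[bucket]}")
    return lines


if __name__ == "__main__":
    for line in findings(triage(SAMPLE_RECORDS)):
        print(line)
```

In production the record list comes from `Get-WinEvent -LogName System -FilterXPath "*[System[(EventID>=5827) and (EventID<=5831)]]"` on each DC (or from whatever SIEM already collects the System log); an empty result on a DC that has not received the August 2020 update means the DC itself is still vulnerable, not that the domain is clean.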
ID: CVE-2020-27930
Title: Apple iOS Memory Corruption Vulnerability
Vendor: Apple
Description: A memory corruption vulnerability exists in Apple iOS that may lead to arbitrary code execution when processing a maliciously crafted font. The vulnerability leads to memory corruption due to lack of proper input validation.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
=========================================================
MOST PREVALENT MALWARE FILES Nov. 5 - 12:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: F059A5358C24CC362C2F74B362C75E02035FDF82F9FFAE8D553AFEE1A271AFD0
MD5: ce4395edbbf9869a5e276781af2e0fb5
VirusTotal: https://www.virustotal.com/gui/file/f059a5358c24cc362c2f74b362c75e02035fdf82f9ffae8d553afee1a271afd0/details
Typical Filename: wupxarch635.exe
Claimed Product: N/A
Detection Name: W32.Auto:f059a5358c.in03.Talos
SHA 256: 432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD
MD5: dd726d5e223ca762dc2772f40cb921d3
Typical Filename: ww24.exe
Claimed Product: N/A
Detection Name: W32.TR:Attribute.23ln.1201
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 97511b671c29a6c04c9c80658428b4ce55010d9dfe6ee5d813595d37fbe5500a
MD5: 0cd267df5b55552a6589f4e67164fd3d
VirusTotal: https://www.virustotal.com/gui/file/97511b671c29a6c04c9c80658428b4ce55010d9dfe6ee5d813595d37fbe5500a/details
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: Auto.97511B.232354.in02
SHA 256: C3E530CC005583B47322B6649DDC0DAB1B64BCF22B124A492606763C52FB048F
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743