Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

November 26, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                November 26, 2020 - Vol. 20, Num. 48


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Nov. 19 - 26

============================================================


TOP VULNERABILITY THIS WEEK: Razy variants targeting video game players on Discord


******************** Sponsored By SANS ********************


Virtual Event | Looking for practical guidance on security in the AWS Cloud? Join SANS instructors and other cloud security leaders as they share tactics, techniques, and procedures for operating effectively and securely in the cloud. This virtual event is based on the recently released book Practical Guide for Security in the AWS Cloud. | December 11 @ 10:30 AM EST | http://www.sans.org/info/218265


============================================================

TRAINING UPDATE


OnDemand and Live Online Training Special Offer

Best offers of the year! Get the latest MacBook Air, a Microsoft Surface Pro 7, or take $350 Off with ANY qualifying SANS Training Course through December 9.

- www.sans.org/specials/north-america/

 

New & Updated Courses

 

SEC588: Cloud Penetration Testing

- https://www.sans.org/cyber-security-courses/cloud-penetration-testing/

 

MGT525:  IT Project Management, Effective Communication, and PMP Exam Prep

- https://www.sans.org/cyber-security-courses/project-management-effective-communication/

 

SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis

- https://preview.sans.org/cyber-security-courses/open-source-intelligence-gathering/

 

Upcoming Live Online Events

 

SANS Security East 2021Jan 11-16 CST

20 Courses | Core and GRID NetWars

- https://www.sans.org/event/security-east-2021-live-online/

 

SANS Stay Sharp: Blue Team Ops 2021Jan 18-22 MST

Targeted Short Courses | Cyber Defense NetWars

- https://www.sans.org/event/stay-sharp-blue-team-operations-jan-2021/

 

Cyber Threat Intelligence Summit & Training

FREE Summit: Jan 21-22 | Courses: Jan 25-30

- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/

 

Cloud Security Resources

Cheat Sheets, Papers, eBooks, and more. View & Download

- https://www.sans.org/cloud-security/


********************** Sponsored Links: ********************


Virtual Event | December 14th-19th | Discover the most effective steps to prevent cyber-attacks and detect adversaries with actionable techniques you can apply immediately. Join us for our exciting upcoming event, SANS Cyber Defense Initiative 2020 - Live Online (EST), and receive relevant cyber security training from real-world practitioners. Choose your course and register now! | http://www.sans.org/info/218270


Webcast | An upcoming webcast, "5 things you need to know to future-proof your data security today" chaired by cybersecurity expert, John Pescatore, is designed to teach you the steps to build an intelligent roadmap for protecting your business and reduce the risk of data breaches by gaining better control over your IT environment | December 3 @ 1:00 PM EST | http://www.sans.org/info/218275


Product Review Webcast | ExtraHops Reveal(x) security analytics product, provides security analysts with a platform that can rapidly analyze huge quantities of data without acquiring full network packets. Join us in this webcast to learn from Dave Shackleford and his review of the ExtraHop Reveal(x) product | December 8 @ 2:00 PM EST | http://www.sans.org/info/218280


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: TroubleGrabber malware spreads on Discord servers

Description: Variants of the Razy malware have recently been spotted on Discord servers attempting to steal user's login credentials. Discord is a popular app used to create communities of individuals centered around a singular topic, and is most popular around the video gaming computer. Known collectively as "TroubleGrabber," a recent wave of Razy variants have been spotted hidden in messages to Discord users. If the user clicks on the malicious link, the malware downloads a malicious payload from GitHub onto the victim's machine, which then steals the target's system information, IP address, web browser passwords and tokens. The attacker then receives all that information back via a webhook URL.

References: https://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord

Snort SIDs: 56490, 56491


Title: Cisco discloses more vulnerabilities in WebEx, controllers

Description: Cisco recently disclosed several vulnerabilities across its suite of products, one of which could allow an attacker to spy on some WebEx meetings. A remote attacker could act as a "ghost" in some WebEx meetings and remain on the call unseen using a specific exploit, though they must also have the link to the specific meeting and its password. There are also three critical vulnerabilities in the Cisco Integrated Management Controller, the Cisco DNA Spaces Connector and the REST API of Cisco IoT Field Network Director.

References: https://threatpost.com/cisco-webex-flaw-snooping/161355/

Snort SIDs: 56424, 56440 - 56451


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


U.S. President Donald Trump fired the leading American cyber security official, Chris Krebs, after Krebs and his agency denied voter fraud in the recent presidential election and called it the safest in history.

https://www.theguardian.com/us-news/2020/nov/17/chris-krebs-trump-fired-cybersecurity-voter-fraud-claims


Besides the Krebs firing, the state of American cyber security has also been placed in limbo by the fact that the Trump administration has yet to start fully cooperating with president-elect Joe Biden's transition team.

https://www.wsj.com/articles/biden-team-lacks-full-u-s-cybersecurity-support-in-transition-fracas-11605891470


Attackers defrauded some GoDaddy employees, convincing them to turn domains over to malicious users, which were eventually used as part of an attack on some crytptocurrency services.

https://krebsonsecurity.com/2020/11/godaddy-employees-used-in-attacks-on-multiple-cryptocurrency-services/


Apple says it plans to release a new feature for iOS in early 2021 that will prevent iOS apps from tracking users' usage of other apps on the same device.

https://www.cyberscoop.com/apple-apps-advertising-privacy-facebook/


A patched flaw in Facebook Messenger for Android could have allowed an attacker to listen in on targets' voice and video calls.

https://www.wired.com/story/facebook-messenger-bug-bounty/


Prominent English football team Manchester United was the target of a recent cyber attack, taking down some of the team's systems, though it was not serious enough to cause any game cancellations.

https://techxplore.com/news/2020-11-manchester-cyber.html


Google is rolling out end-to-end encryption for Rich Communication Service, the standard most Android devices use for sending and receiving text messages.

https://arstechnica.com/gadgets/2020/11/google-is-testing-end-to-end-encryption-in-android-messages/


The FBI warned that several web pages exist looking to be exact copies of the FBI's own site, which it believes could be used in future disinformation campaigns and cyber attacks.

https://www.zdnet.com/article/fbi-fake-versions-of-our-site-could-be-used-for-cyberattacks-so-watch-out/


A security research found a bug in some Tesla vehicles that could allow anyone to use Bluetooth to unlock and drive away with a target's car.

https://www.wired.com/story/tesla-model-x-hack-bluetooth/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2018-13379

Title:  Fortinet FortiOS Directory Traversal Vulnerability

Vendor: Fortinet

Description: Fortinet FortiOS is exposed to a directory traversal vulnerability because it fails to properly sanitize user supplied input. A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-13671

Title:  Drupal Core Remote Code Execution Vulnerability (SA-CORE-2020-012)

Vendor: Multi-Vendor

Description: Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. Successful exploitation of these vulnerabilities could affect Confidentiality, Integrity and Availability.

CVSS v3 Base Score: 7.9 (AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L)



ID:        CVE-2017-5638

Title:  Apache Struts Remote Code Execution Vulnerability (S2-045)

Vendor: Apache

Description: The Jakarta Multipart parser in Apache Struts has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

CVSS v3 Base Score: 10.0 AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H


ID:        CVE-2020-3470

Title:  Cisco Integrated Management Controller Multiple Remote Code Execution Vulnerabilities

Vendor: Cisco

Description: Multiple vulnerabilities in the API subsystem of Cisco Integrated Management Controller (IMC) could allow an unauthenticated, remote attacker to execute arbitrary code with root privileges. The vulnerabilities are due to improper boundary checks for certain user-supplied input. An attacker could exploit these vulnerabilities by sending a crafted HTTP request to the API subsystem of an affected system. When this request is processed, an exploitable buffer overflow condition may occur. A successful exploit could allow the attacker to execute arbitrary code with root privileges on the underlying operating system (OS).

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:     CVE-2020-1034

Title:  Microsoft Windows Kernel Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-15647

Title:  Mozilla Firefox Arbitrary Local File Access Vulnerability

Vendor: Mozilla

Description: A Content Provider in Firefox for Android allowed local files accessible by the browser to be read by a remote webpage, leading to sensitive data disclosure, including cookies for other origins.

CVSS v3 Base Score: 7.8 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N)


ID:        CVE-2020-1380

Title:  Microsoft Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES Nov. 19 - 26:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 432FC2E3580E818FD315583527AE43A729586AF5EE37F99F04B562D1EFF2A1FD

MD5: dd726d5e223ca762dc2772f40cb921d3

VirusTotal: https://www.virustotal.com/gui/file/432fc2e3580e818fd315583527ae43a729586af5ee37f99f04b562d1eff2a1fd/detection

Typical Filename: ww24.exe

Claimed Product: N/A

Detection Name: W32.TR:Attribute.23ln.1201


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584

MD5: 920823d1c5cb5ce57a7c69c42b60959c

VirusTotal: https://www.virustotal.com/gui/file/100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584/details

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Variant.23mj.1201


SHA 256: 7bd78114e61ae332e9e9d67b66cdab4a4db4e0c74dc43a0582ab1aecb13d7f0f

MD5: 6423f6d49466f739d4eaa2a30759c46a

VirusTotal: https://www.virustotal.com/gui/file/7bd78114e61ae332e9e9d67b66cdab4a4db4e0c74dc43a0582ab1aecb13d7f0f/details

Typical Filename: Xerox_Device_060214.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Upatre::1201


SHA 256: 23c9f0de513ce4632965291b8adbaa9d228b04d74ab695a412603a1e49dcff18

MD5: 5ca36dec01d06ab7ded640f7ecf74302

VirusTotal: https://www.virustotal.com/gui/file/23c9f0de513ce4632965291b8adbaa9d228b04d74ab695a412603a1e49dcff18/details

Typical Filename: Xerox_Device_060214.zip

Claimed Product: N/A

Detection Name: Win.Dropper.Upatre::tpd


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743