Newsletters: @RISK



@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses against all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who hope to stay current with the offensive methods in use.

December 3, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                December 3, 2020 - Vol. 20, Num. 49


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Nov. 26 - Dec. 3

============================================================


TOP VULNERABILITY THIS WEEK: Xanthe cryptocurrency miner goes after Monero


**************** Sponsored By AWS Marketplace  ****************


How to Enhance SOC Efficiency for the AWS Cloud | December 3rd @3:30 pm ET | We invite you to join SANS analyst Dave Shackleford and AWS Specialist Solutions Architect Nam Le for a webcast on limiting alert fatigue and improving SOC productivity by automating actionable insights and removing manual tasks. Through real-world examples and practical guidance, they aim to give you the visibility and efficiencies needed to scale.

| http://www.sans.org/info/218330


============================================================

TRAINING UPDATE


OnDemand and Live Online Training Special Offer

Best offers of the year! Get the latest MacBook Air, a Microsoft Surface Pro 7, or take $350 Off with ANY qualifying SANS Training Course through December 9.

- www.sans.org/specials/north-america/

 

New & Updated Courses

 

SEC588: Cloud Penetration Testing

- https://www.sans.org/cyber-security-courses/cloud-penetration-testing/

 

MGT525: IT Project Management, Effective Communication, and PMP Exam Prep

- https://www.sans.org/cyber-security-courses/project-management-effective-communication/

 

SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis

- https://preview.sans.org/cyber-security-courses/open-source-intelligence-gathering/

 

Upcoming Live Online Events

 

SANS Security East 2021 | Jan 11-16 CST

20 Courses | Core and GRID NetWars

- https://www.sans.org/event/security-east-2021-live-online/

 

SANS Stay Sharp: Blue Team Ops 2021 | Jan 18-22 MST

Targeted Short Courses | Cyber Defense NetWars

- https://www.sans.org/event/stay-sharp-blue-team-operations-jan-2021/

 

Cyber Threat Intelligence Summit & Training

FREE Summit: Jan 21-22 | Courses: Jan 25-30

- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/

 

Cloud Security Resources

Cheat Sheets, Papers, eBooks, and more. View & Download

- https://www.sans.org/cloud-security/


********************** Sponsored Links: ********************


1) Free Virtual Event | SANS Cloud Security Solutions Forum brings together SANS instructors and other cloud security leaders as they share tactics, techniques, and procedures for operating effectively and securely in the cloud. Register now to reserve your spot! | December 11 @ 10:30 AM EST

| http://www.sans.org/info/218335


2) Webcast | We invite you to join SANS Senior Instructor Jake Williams as he chairs our upcoming webcast, "Leverage AI to Protect Against Phishing and Fraud Scams." Viewers will learn how to protect their customers and employees from the rampant phishing and fraudulent sites that pop up every day. | December 10 @ 10:30 AM EST

| http://www.sans.org/info/218340


3) Webcast | In our upcoming webcast, "Smart Enterprise Visibility with DTEX InTERCEPT," SANS instructor Matt Bromiley reviews DTEX InTERCEPT, a platform that offers holistic visibility and provides unique insight into user behavior. | December 8 @ 3:30 PM EST

| http://www.sans.org/info/218345


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Xanthe miner goes after Docker-based targets

Description: Cisco Talos recently discovered a cryptocurrency-mining botnet attack we're calling "Xanthe," which attempted to compromise one of Cisco's security honeypots for tracking Docker-related threats. The infection starts with a downloader module, which fetches the main installer module; the installer is also tasked with spreading to other systems on local and remote networks. The main module attempts to spread to other known hosts by stealing client-side certificates and using them to connect without a password. Two additional bash scripts terminate security services, remove competitors' botnets, and ensure persistence by creating scheduled cron jobs and modifying one of the system startup scripts. The main payload is a variant of the XMRig Monero mining program, protected with a shared object developed to hide the miner's process from various process enumeration tools.

References: https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html

OSQueries: https://github.com/Cisco-Talos/osquery_queries/blob/master/packs/linux_malware.conf

ClamAV: Unix.Coinminer.Xanthe-9791859-0, Unix.Coinminer.Xanthe-9791860-0, Unix.Coinminer.Xanthe-9791861-0
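The process-hiding shared object mentioned above is the kind of thing a defender should be able to spot from the host. The script below is an added example, not Talos code and not from the Xanthe report; it assumes the common mechanism for such hiders, a preloaded library that filters /proc entries out of readdir() results, and flags PIDs the kernel answers for directly but that never show up in a directory listing.

```python
import os

PROC = "/proc"


def read_pid_max(proc=PROC):
    """Upper bound for PIDs on this host; falls back to the classic default."""
    try:
        with open(os.path.join(proc, "sys", "kernel", "pid_max")) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 32768


def listed_pids(proc=PROC):
    """PIDs as readdir()-based tools (ps, top, ls /proc) see them.
    A preloaded hider library typically hooks exactly this path."""
    return {int(name) for name in os.listdir(proc) if name.isdigit()}


def probed_pids(max_pid, proc=PROC):
    """PIDs found by asking the kernel about each /proc/<pid> directly.
    stat() on a known path does not go through readdir(), so a library
    that only filters directory listings cannot hide the entry here."""
    found = set()
    for pid in range(1, max_pid + 1):
        try:
            os.stat(os.path.join(proc, str(pid)))
            found.add(pid)
        except OSError:
            pass
    return found


def hidden_pids(probe_before, listed, probe_after):
    """PIDs alive at both probes but absent from the listing taken between them.
    Requiring presence in both probes drops short-lived processes that started
    or exited while the listing was taken, which would otherwise be false positives."""
    return (probe_before & probe_after) - listed


def find_hidden_processes(proc=PROC):
    max_pid = read_pid_max(proc)
    before = probed_pids(max_pid, proc)
    listed = listed_pids(proc)
    after = probed_pids(max_pid, proc)
    return sorted(hidden_pids(before, listed, after))


if __name__ == "__main__":
    for pid in find_hidden_processes():
        print(f"PID {pid} is reachable in /proc but missing from the directory listing")
```

A hider that also hooks stat() or open() defeats this check; the osquery pack referenced above and a comparison against a trusted static binary run from outside the container are the natural next steps.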


Title: WebKit fixes use-after-free, code execution vulnerabilities

Description: The WebKit browser engine contains multiple vulnerabilities in various functions of the software. Malicious web page code could trigger multiple use-after-free errors, which could lead to remote arbitrary code execution. An attacker could exploit these vulnerabilities by tricking the user into visiting a specially crafted, malicious web page in a browser that uses WebKit. WebKit is used mainly in Apple's Safari web browser, but it is also used by some PlayStation consoles and all iOS web browsers.

References: https://blog.talosintelligence.com/2020/11/vuln-spotlight-webkit-use-after-free-nov-2020.html

Snort SIDs: 55844, 55845, 56126, 56127, 56379 - 56382


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


At least three health care providers in America have been recently targeted by ransomware attacks.

https://www.infosecurity-magazine.com/news/cyberattacks-on-three-us/


A ransomware attack against systems at the University of Vermont Health Network has disrupted chemotherapy treatments and availability of critical records.

https://www.nytimes.com/2020/11/26/us/hospital-cyber-attack.html


Microsoft patched a bug in Xbox video game consoles that could have allowed anyone to expose the email address associated with any user's gamertag on the Xbox Live gaming service.

https://www.vice.com/en/article/m7ag44/bug-allowed-hackers-to-get-anyones-email-address-on-xbox-live


Some Australian intelligence agencies mistakenly collected data from the country's "COVIDSafe" contact-tracing app, though none of that information has been decrypted, accessed or used.

https://www.itnews.com.au/news/covidsafe-data-incidentally-collected-by-intelligence-agencies-in-first-six-months-558129


One of the largest fertility clinic networks in the U.S. says attackers stole patient information in a recent ransomware attack after malware sat on their network for more than a month.

https://techcrunch.com/2020/11/26/us-fertility-ransomware-attack/


Home Depot reached a $17.5 million settlement with 46 U.S. states and Washington, D.C. over a 2014 data breach, and also agreed to implement new security measures going forward.

https://duo.com/decipher/home-depot-settles-with-states-over-2014-data-breach


Schools in Baltimore County, Maryland had to cancel classes for several days after a ransomware attack, though officials say the incident does not affect students' school-issued Chromebooks.

https://www.baltimoresun.com/education/bs-md-baltimore-county-schools-ransomware-20201130-20201130-7cymrekdpfhyjccotvyzrn6amq-story.html


The FBI released a warning that email attackers are exploiting email forwarding rules to hide themselves inside legitimate email threads, hoping to trick victims.

https://www.zdnet.com/article/fbi-warns-of-email-forwarding-rules-being-abused-in-recent-hacks/



=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:     CVE-2018-13379

Title:  Fortinet FortiOS Directory Traversal Vulnerability

Vendor: Fortinet

Description: Fortinet FortiOS is exposed to a directory traversal vulnerability because it fails to properly sanitize user-supplied input. A path traversal vulnerability in the FortiOS SSL VPN web portal may allow an unauthenticated attacker to download FortiOS system files through specially crafted HTTP resource requests.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:     CVE-2020-14882

Title:  Oracle WebLogic Server Remote Code Execution Vulnerability

Vendor: Oracle

Description: Oracle WebLogic Server (formerly known as BEA WebLogic Server) is an application server for building and deploying enterprise applications and services. A remote code execution vulnerability exists in the Oracle WebLogic Server product of Oracle Fusion Middleware.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:     CVE-2020-15505

Title:  MobileIron Core and Connector Remote Code Execution Vulnerability

Vendor: MobileIron

Description: A remote code execution vulnerability exists in MobileIron Core and Connector, and in Sentry, that allows remote attackers to execute arbitrary code via unspecified vectors. Manipulation with an unknown input leads to privilege escalation. The UK's National Cyber Security Centre warns that APT nation-state groups and cybercriminals are exploiting the MobileIron RCE vulnerability to compromise networks.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:     CVE-2020-5902

Title:  F5 BIG-IP Remote Code Execution Vulnerability

Vendor: F5

Description: F5 BIG-IP is exposed to a remote code execution vulnerability. The vulnerability, which has been actively exploited in the wild, allows attackers with network access to read files, execute code, or take complete control of vulnerable systems.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:     CVE-2020-9844

Title:  macOS Catalina Memory Corruption Vulnerability

Vendor: Apple

Description: A double free issue was addressed with improved memory management. A remote attacker may be able to cause unexpected system termination or corrupt kernel memory.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


ID:     CVE-2018-12809

Title:  Adobe Experience Manager Server-Side Request Forgery Vulnerability

Vendor: Adobe

Description: Adobe Experience Manager is exposed to a server-side request forgery vulnerability. Successful exploitation could lead to sensitive information disclosure.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


ID:     CVE-2020-1472

Title:  Microsoft Netlogon Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a device on the network. To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to obtain domain administrator access.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES Nov. 26 - Dec. 3:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507

MD5: 2915b3f8b703eb744fc54c81f4a9c67f

VirusTotal: https://www.virustotal.com/gui/file/9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507/details

Typical Filename: vid001.exe

Claimed Product: N/A

Detection Name: Win.Worm.Coinminer::1201


SHA 256: 586d6b581a868f71c903097a3b7046f61a0797cda090a36687767189483e2360

MD5: 7e0bc1c01f44c7a663d82e4aff71ee6c

VirusTotal: https://www.virustotal.com/gui/file/586d6b581a868f71c903097a3b7046f61a0797cda090a36687767189483e2360/details

Typical Filename: dfsvc.exe

Claimed Product: N/A

Detection Name: Auto.586D6B.232349.in02


SHA 256: 100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584

MD5: 920823d1c5cb5ce57a7c69c42b60959c

VirusTotal: https://www.virustotal.com/gui/file/100318042c011363a98f82516b48c09bbcdd016aec557b009c3dd9c17eed0584/details

Typical Filename: FlashHelperService.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Variant.23mj.1201


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAntivirusService.exe

Claimed Product: A n t i v i r u s S e r v i c e

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos



=============================================================


(c) 2020. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743