
@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

December 17, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                December 17, 2020 - Vol. 20, Num. 51


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Dec. 10 - 17

============================================================


TOP VULNERABILITY THIS WEEK: SolarWinds supply chain attack hits government agencies, massive companies


******************  Sponsored By Dragos, Inc.  ******************


New Report: Manufacturing Cyber Risk Threat Perspective | Cyber risk across the manufacturing sector is increasing, led by disruptive cyberattacks targeting industrial processes. This report provides a current snapshot of the manufacturing threat landscape including the use of ransomware, the most dangerous threat activity groups, the potential impact on supply chain and over a dozen defensive recommendations.

Read this complimentary report. | http://www.sans.org/info/218470


============================================================

TRAINING UPDATE


New & Updated Courses

 

SEC588: Cloud Penetration Testing

- https://www.sans.org/cyber-security-courses/cloud-penetration-testing/

                

MGT516: Managing Security Vulnerabilities: Enterprise and Cloud

- https://www.sans.org/cyber-security-courses/managing-enterprise-cloud-security-vulnerabilities/

 

SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis

- https://preview.sans.org/cyber-security-courses/open-source-intelligence-gathering/

 

Upcoming Live Online Events

 

SANS Stay Sharp: Blue Team Ops 2021 - Jan 18-22 MST

Targeted Short Courses | Cyber Defense NetWars

- https://www.sans.org/event/stay-sharp-blue-team-operations-jan-2021/

 

Cyber Threat Intelligence Summit & Training EST

FREE Summit: Jan 21-22 | Courses: Jan 25-30

- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/

 

SANS Cyber Security West 2021 - Feb 1-6 PST

Cloud Security, Blue Team, DFIR, and More

- https://www.sans.org/event/cyber-security-west-feb-2021/

 

OnDemand and Live Online Training Special Offer

 

Get a free GIAC Certification Attempt or take $350 off with OnDemand or Live Online Training through December 30.

- www.sans.org/specials/north-america/

 

Cloud Security Resources

 

Cheat Sheets, Papers, eBooks, and more. View & Download

- https://www.sans.org/cloud-security/


********************** Sponsored Links: ********************


1) Free Virtual Event Happening Now! | December 14th-19th EST | Discover the most effective steps to prevent cyber-attacks and detect adversaries with actionable techniques you can apply immediately. Join us for our exciting upcoming event, SANS Cyber Defense Initiative 2020 - Live Online, and receive relevant cyber security training from real-world practitioners. You can still join us now!

| http://www.sans.org/info/218490


2) Panel Discussion Tomorrow | Join us for our upcoming webcast that digs more deeply into the results of the SANS 2020 Threat Hunting Survey. Survey authors Mathias Fuchs and Joshua Lemon will discuss key themes that emerged during their analysis of survey results, joined by a panel of sponsor representatives. | December 18 @ 3:30 PM ET

| http://www.sans.org/info/218480


3) Webcast | Zero trust has become one of the hottest topics in IT and cybersecurity, especially in light of the global pandemic and related work-from-home (WFH) momentum. Join us for our upcoming webcast, "Zero Trust must include the workforce, workloads, AND workplace." | January 7th @ 3:30 PM ET

| http://www.sans.org/info/218485


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: State-sponsored actors behind massive SolarWinds attacks, full breadth yet to be discovered

Description: In a sophisticated supply-chain attack, adversaries compromised updates to the widely used SolarWinds Orion IT monitoring and management software. The digitally signed updates were posted on the SolarWinds website from March to May 2020. The backdoor is loaded by the actual SolarWinds executable before the legitimate code, so as not to alert the victim that anything is amiss. Reports indicate that some of the largest companies in the world use this software, but it is still unclear whether the backdoor has led to any major cyber attacks or data breaches. At least two American government agencies are also affected: the Treasury and Commerce departments. The U.S. Department of Homeland Security (DHS) and CISA issued an emergency alert calling on all U.S. federal civilian agencies to review their networks for indicators of compromise (IOCs) and advising them to disconnect SolarWinds Orion products immediately.

References: https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html


https://krebsonsecurity.com/2020/12/u-s-treasury-commerce-depts-hacked-through-solarwinds-compromise/

Snort SIDs: 56660 - 56668


Title: Red-teaming security tools stolen as part of broad attack

Description: In an attack related to the vulnerabilities in SolarWinds products, security vendor FireEye had some red-teaming tools stolen by a state-sponsored actor. Some of these tools appear to be based on well-known offensive frameworks like Cobalt Strike. It has been reported that none of the tools target zero-day vulnerabilities. It's currently unknown why a state-sponsored actor would want to target these tools. Typically, these types of actors target high-value data possessed by victims. As part of this disclosure, FireEye also released a repository of signatures/rules designed to detect the use of these tools across a variety of detection technologies.

Reference: https://github.com/fireeye/red_team_tool_countermeasures


https://blog.talosintelligence.com/2020/12/fireeye-breach-guidance.html


https://www.fireeye.com/blog/products-and-services/2020/12/fireeye-shares-details-of-recent-cyber-attack-actions-to-protect-community.html

Snort SIDs: 8068, 8422, 38491, 38492, 48359, 49100, 49171, 49861, 50137, 50168 - 50170, 50275 - 50278, 51288 - 51289, 51368, 51370 - 51372, 51390, 51966, 52512, 52513, 52603, 52620, 53433, 53435, 53346 - 53351, 53380 - 53383, 55703, 55704, 55802, 55862, 56290, 56436, 56586

ClamAV signature: W32.FindstrSearchForKeyWords


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


The adversaries behind the SolarWinds attack have a history of using unique techniques to bypass multi-factor authentication based on multiple previous intrusions on a think tank's network.

https://arstechnica.com/information-technology/2020/12/solarwinds-hackers-have-a-clever-way-to-bypass-multi-factor-authentication/


SolarWinds is known for working with many high-profile companies, though it hid this marketing list on its website after news of the hack broke.

https://www.theverge.com/2020/12/15/22176053/solarwinds-hack-client-list-russia-orion-it-compromised


The SolarWinds incident put a spotlight on supply chain attacks, a lesser-known technique adversaries use that can be far quieter than users and victims realize.

https://www.cyberscoop.com/solarwinds-supply-chain-treasury-commerce-espionage/


Attackers reportedly accessed documents related to Moderna's COVID-19 vaccine in the European Union after a data breach at the European Medicines Agency.

https://thehill.com/policy/cybersecurity/530225-moderna-vaccine-data-accessed-in-cyberattack-on-eu-regulator


As COVID vaccines start to be distributed around the world, attackers could start using the vaccines' reliance on cold storage to carry out new types of attacks that seek to disrupt the release process.

https://www.cisa.gov/sites/default/files/publications/Insights_Cold_Storage_Cyber_Custodial%20Care_final_508.pdf


While U.S. President Donald Trump continues to try to discredit election results in states like Georgia and Michigan, there actually is a point to be made about antiquated voting technology used in many states that leaned toward Trump in the November election.

https://www.theatlantic.com/ideas/archive/2020/12/trump-looking-fraud-all-wrong-places/617366/


Ransomware known as "MountLocker" can steal users' sensitive information and share it with the malware's creators; it has added on new anti-detection functionality as of November.

https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates


Apps on the Mac and iOS stores must now carry unique labels showing what data and information the apps collect.

https://www.wired.com/story/apple-app-privacy-labels/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:     CVE-2020-17049

Title:  Microsoft Kerberos Security Feature Bypass Vulnerability

Vendor: Microsoft

Description: A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.

CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


ID:     CVE-2020-17530

Title:  Apache Struts OGNL Remote Code Execution Vulnerability

Vendor: Apache

Description: A vulnerability exists in the "forced OGNL evaluation on raw user input in tag attributes" feature of Apache Struts. Due to insufficient validation of user input in the OGNL evaluation functionality, an unauthenticated user can exploit this flaw to achieve remote code execution.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:     CVE-2020-17140

Title:  Microsoft Windows SMB Information Disclosure Vulnerability

Vendor: Microsoft

Description: Microsoft Windows is exposed to an SMB information disclosure vulnerability that allows an attacker to read the contents of kernel memory from a user-mode process. In a network-based attack, an authenticated attacker would need to open a specific file with a captured oplock lease, then perform repeated specific modifications to that file.

CVSS v3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)


ID:     CVE-2020-17143

Title:  Microsoft Exchange Information Disclosure Vulnerability

Vendor: Microsoft

Description: Microsoft Exchange Server is exposed to an information disclosure vulnerability; an attacker who successfully exploited it could obtain sensitive information.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:     CVE-2020-4006

Title:  VMware Workspace One Access Command Injection Vulnerability

Vendor: VMware

Description: VMware Workspace One Access is exposed to a command injection vulnerability in the administrative configurator that could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system.

CVSS v3 Base Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)


ID:     CVE-2020-8554

Title:  Kubernetes Man In The Middle Vulnerability

Vendor: Multi-Vendor

Description: A man-in-the-middle vulnerability exists in Kubernetes. It could be exploited by users with relatively low privileges, such as the ability to create services or to edit services and pods in a cluster.

CVSS v3 Base Score: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)


ID:     CVE-2020-15257

Title:  containerd Privilege Escalation Vulnerability

Vendor: Multi-Vendor

Description: The containerd-shim API is improperly exposed to host network containers. Access controls for the shim's API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges.

CVSS v3 Base Score: 5.2 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
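A defender-side check for the two Kubernetes-related entries above (an added example, not code from SANS, Talos, Qualys, Kubernetes or containerd): it walks kubectl JSON output and flags pods that share the host network namespace with a root-capable container, the precondition for CVE-2020-15257, and Services that set spec.externalIPs, the field CVE-2020-8554 turns on (the externalIPs detail comes from the upstream advisory, not this page). The object names and addresses are constructed; the field names are standard Kubernetes API fields.

```python
import json

# Constructed sample in the "kubectl get pods,services -o json" List format.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Pod", "metadata": {"name": "net-agent"},
     "spec": {"hostNetwork": True,
              "containers": [{"name": "agent", "image": "agent:1"}]}},
    {"kind": "Pod", "metadata": {"name": "metrics"},
     "spec": {"hostNetwork": True,
              "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
              "containers": [{"name": "exporter", "image": "exporter:1"}]}},
    {"kind": "Service", "metadata": {"name": "legacy-lb"},
     "spec": {"type": "ClusterIP", "externalIPs": ["203.0.113.10"]}},
    {"kind": "Service", "metadata": {"name": "web"}, "spec": {"type": "ClusterIP"}},
]})

def load_objects(text):
    """Accept a single object or the kind: List wrapper that kubectl emits."""
    doc = json.loads(text)
    return doc.get("items", []) if doc.get("kind") == "List" else [doc]

def pod_exposed_to_shim_socket(pod):
    """CVE-2020-15257 precondition: hostNetwork pod with a container that may run as UID 0."""
    spec = pod.get("spec", {})
    if not spec.get("hostNetwork", False):
        return False
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        # No runAsUser means the image decides, and most images default to root.
        if not non_root and (uid is None or uid == 0):
            return True
    return False

def service_sets_external_ips(svc):
    """CVE-2020-8554 lever: spec.externalIPs lets a Service claim traffic for
    arbitrary addresses, so clusters should reject or allow-list the field."""
    return bool(svc.get("spec", {}).get("externalIPs"))

def audit(objects):
    """Return (name, CVE) pairs for every object matching a precondition."""
    findings = []
    for obj in objects:
        name = obj.get("metadata", {}).get("name", "?")
        if obj.get("kind") == "Pod" and pod_exposed_to_shim_socket(obj):
            findings.append((name, "CVE-2020-15257"))
        elif obj.get("kind") == "Service" and service_sets_external_ips(obj):
            findings.append((name, "CVE-2020-8554"))
    return findings

if __name__ == "__main__":
    for name, cve in audit(load_objects(SAMPLE)):
        print(f"{name}: review for {cve}")
```

Flagged pods are candidates for the patched containerd releases or for dropping hostNetwork or root; flagged Services are candidates for an admission policy on externalIPs.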


ID:     CVE-2020-26258

Title:  XStream Server-Side Request Forgery Vulnerability

Vendor: Multi-Vendor

Description: A Server-Side Request Forgery vulnerability exists in XStream that can be triggered when unmarshalling. It may allow a remote attacker to request data from internal resources that are not publicly available merely by manipulating the processed input stream.

CVSS v3 Base Score: 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)


=========================================================


MOST PREVALENT MALWARE FILES Dec. 10 - 17:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/detection

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 2c36cb4e1771a04e728d75eb65b05f6875d4eb56df6eb5810af09d0d5e419cd5

MD5: eb20ca63dc3badc1a48072d33bd6428b

VirusTotal: https://www.virustotal.com/gui/file/2c36cb4e1771a04e728d75eb65b05f6875d4eb56df6eb5810af09d0d5e419cd5/details

Typical Filename: 1 Total New Invoices-Monday December 14 2020.xlsm

Claimed Product: N/A

Detection Name: W32.2C36CB4E17-90.SBX.TG


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 4b8aef15c75ab675acdd9588bbcbd45dcc11a270513badfb21cfdfd92f723b01

MD5: 7e36752d274e61b9f2b0ee43200fe36d

VirusTotal: https://www.virustotal.com/gui/file/4b8aef15c75ab675acdd9588bbcbd45dcc11a270513badfb21cfdfd92f723b01/details

Typical Filename: Click HERE to start the File Launcher by WebNavigator Installer_ryymehv3_.exe

Claimed Product: WebNavigator Browser

Detection Name: W32.48C6324412-95.SBX.TG


SHA 256: 763d0f405ca4a762ce5d27077f3092f295b6504a743f61b88a1de520bcdb3d8a

MD5: 552299482ffa389321df9b05740c1b92

VirusTotal: https://www.virustotal.com/gui/file/763d0f405ca4a762ce5d27077f3092f295b6504a743f61b88a1de520bcdb3d8a/details

Typical Filename: webnavigatorbrowser.exe

Claimed Product: WebNavigator Browser

Detection Name: W32.763D0F405C-100.SBX.VIOC


=============================================================


(c) 2020.  All rights reserved.  The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743