@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
December 17, 2020=============================================================
@RISK: The Consensus Security Vulnerability Alert
December 17, 2020 - Vol. 20, Num. 51
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Dec. 10 - 17
============================================================
TOP VULNERABILITY THIS WEEK: SolarWinds supply chain attack hits government agencies, massive companies
****************** Sponsored By Dragos, Inc. ******************
New Report: Manufacturing Cyber Risk Threat Perspective | Cyber risk across the manufacturing sector is increasing, led by disruptive cyberattacks targeting industrial processes. This report provides a current snapshot of the manufacturing threat landscape including the use of ransomware, the most dangerous threat activity groups, the potential impact on supply chain and over a dozen defensive recommendations.
Read this complimentary report. | http://www.sans.org/info/218470
============================================================
TRAINING UPDATE
New & Updated Courses
SEC588: Cloud Penetration Testing
- https://www.sans.org/cyber-security-courses/cloud-penetration-testing/
MGT516: Managing Security Vulnerabilities: Enterprise and Cloud
- https://www.sans.org/cyber-security-courses/managing-enterprise-cloud-security-vulnerabilities/
SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis
- https://preview.sans.org/cyber-security-courses/open-source-intelligence-gathering/
Upcoming Live Online Events
SANS Stay Sharp: Blue Team Ops 2021 - Jan 18-22 MST
Targeted Short Courses | Cyber Defense NetWars
- https://www.sans.org/event/stay-sharp-blue-team-operations-jan-2021/
Cyber Threat Intelligence Summit & Training EST
FREE Summit: Jan 21-22 | Courses: Jan 25-30
- https://www.sans.org/event/cyber-threat-intelligence-summit-2021/
SANS Cyber Security West 2021 - Feb 1-6 PST
Cloud Security, Blue Team, DFIR, and More
- https://www.sans.org/event/cyber-security-west-feb-2021/
OnDemand and Live Online Training Special Offer
Get a free GIAC Certification Attempt or take $350 off with OnDemand or Live Online Training through December 30.
- www.sans.org/specials/north-america/
Cloud Security Resources
Cheat Sheets, Papers, eBooks, and more. View & Download
- https://www.sans.org/cloud-security/
********************** Sponsored Links: ********************
1) Free Virtual Event Happening Now! | December 14th-19th EST | Discover the most effective steps to prevent cyber-attacks and detect adversaries with actionable techniques you can apply immediately. Join us for our exciting upcoming event, SANS Cyber Defense Initiative 2020 - Live Online, and receive relevant cyber security training from real-world practitioners. You can still join us now!
| http://www.sans.org/info/218490
2) Panel Discussion Tomorrow | Join us for our upcoming webcast that digs more deeply into the results of the SANS 2020 Threat Hunting Survey. Survey authors Mathias Fuchs and Joshua Lemon will discuss key themes that emerged during their analysis of survey results, joined by a panel of sponsor representatives. | December 18 @ 3:30 PM ET
| http://www.sans.org/info/218480
3) Webcast | Zero trust has become one of the hottest topics in IT and cybersecurity, especially in light of the global pandemic and related work-from-home (WFH) momentum. Join us for our upcoming webcast, "Zero Trust must include the workforce, workloads, AND workplace." | January 7th @ 3:30 PM ET
| http://www.sans.org/info/218485
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: State-sponsored actors behind massive SolarWinds attacks, full breadth yet to be discovered
Description: In a sophisticated supply-chain attack, adversaries compromised updates to the widely used SolarWinds Orion IT monitoring and management software. The digitally signed updates were posted on the SolarWinds website from March to May 2020. This backdoor is loaded by the actual SolarWinds executable before the legitimate code, as not to alert the victim that anything is amiss. Reports indicate that some of the largest companies in the world use this software, so it is still unclear if the backdoor has led to any major cyber attacks or data breaches. At least two American government agencies are also affected: the Treasury and Commerce departments. The U.S. Department of Homeland Security (DHS) and CISA issued an emergency alert calling on all U.S. federal civilian agencies to review their networks for indicators of compromise (IOCs) and advising them to disconnect SolarWinds Orion products immediately.
References: https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html
Snort SIDs: 56660 - 56668
Title: Red-teaming security tools stolen as part of broad attack
Description: In an attack related to the vulnerabilities in SolarWindws products, security vendor FireEye had some red-teaming tools stolen by a state-sponsored actor. Some of these tools appear to be based on well-known offensive frameworks like Cobalt Strike. It has been reported that none of the tools target zero-day vulnerabilities. It's currently unknown why a state-sponsored actor would want to target these tools. Typically, these types of actors target high-value data possessed by victims. As part of this disclosure, FireEye also released a repository of signatures/rules designed to detect the use of these tools across a variety of detection technologies.
Reference: https://github.com/fireeye/red_team_tool_countermeasures
https://blog.talosintelligence.com/2020/12/fireeye-breach-guidance.html
Snort SIDs: 8068, 8422, 38491, 38492, 48359, 49100, 49171, 49861, 50137, 50168 - 50170, 50275 - 50278, 51288 - 51289, 51368, 51370 - 51372, 51390, 51966, 52512, 52513, 52603, 52620, 53433, 53435, 53346 - 53351, 53380 - 53383, 55703, 55704, 55802, 55862, 56290, 56436, 56586
ClamAV signature: W32.FindstrSearchForKeyWords
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The adversaries behind the SolarWinds attack have a history of using unique techniques to bypass multi-factor authentication based on multiple previous intrusions on a think tank's network.
SolarWinds is known for working with many high-profile companies, though its hidden this marketing list on its website after news of the hack broke.
https://www.theverge.com/2020/12/15/22176053/solarwinds-hack-client-list-russia-orion-it-compromised
The SolarWinds incident put a spotlight on supply chain attacks, a lesser-known technique adversaries used that can be far more quiet than users and victims realize.
https://www.cyberscoop.com/solarwinds-supply-chain-treasury-commerce-espionage/
Attackers reportedly accessed documents related to Moderna's COVID-19 vaccine in the European Union after a data breach at the European Medicines Agency.
As COVID vaccines start to be distributed around the world, attackers could start using the vaccines' reliance on cold storage to carry out new types of attacks that seek to disrupt the release process.
While U.S. President Donald Trump continues to try to discredit election results in states like Georgia and Michigan, there actually is a point to be made about antiquated voting technology used in many states that leaned toward Trump in the November election.
https://www.theatlantic.com/ideas/archive/2020/12/trump-looking-fraud-all-wrong-places/617366/
Ransomware known as "MountLocker" can steal users' sensitive information and share it with the malware's creators; it has added on new anti-detection functionality as of November.
Apps on the Mac and iOS stores must now carry unique labels showing what data and information the apps collect.
https://www.wired.com/story/apple-app-privacy-labels/
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-17049
Title: Microsoft Kerberos Security Feature Bypass Vulnerability
Vendor: Microsoft
Description: A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.
CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-17530
Title: Apache Struts OGNL Remote Code Execution Vulnerability
Vendor: Apache
Description: A vulnerability exists in the "forced OGNL evaluation on raw user input in tag attributes" of Apache Struts. Due to insufficient validation of user input in OGNL evaluation functionality, an unauthenticated user can exploit this flaw leading it to remote code execution vulnerability.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-17140
Title: Microsoft Windows SMB Information Disclosure Vulnerability
Vendor: Microsoft
Description: Microsoft Windows is exposed to SMB information disclosure vulnerability where an attacker can successfully exploit this vulnerability to access contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process. In a network-based attack, an authenticated attacker would need to open a specific file with captured oplock lease, then perform repeated specific modifications to that file.
CVSS v3 Base Score: 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H)
ID: CVE-2020-17143
Title: Microsoft Exchange Information Disclosure Vulnerability
Vendor: Microsoft
Description: Microsoft Exchange Server is exposed to information disclosure vulnerability that could be disclosed if an attacker successfully exploited this vulnerability for sensitive information.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-4006
Title: VMware Workspace One Access Command Injection Vulnerability
Vendor: VMware
Description: VMware Workspace One Access is exposed to a command injection vulnerability in the administrative configurator that could allow a malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account to execute commands with unrestricted privileges on the underlying operating system.
CVSS v3 Base Score: 9.1 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-8554
Title: Kubernetes Man In The Middle Vulnerability
Vendor: Multi-Vendor
Description: A man in the middle vulnerability exists in Kubernetes. The vulnerability could be exploited by users with very less privileges like creating services or editing services and pods in a Kubernetes cluster.
CVSS v3 Base Score: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
ID: CVE-2020-15257
Title: containerd Privilege Escalation Vulnerability
Vendor: Multi-Vendor
Description: The containerd-shim API is improperly exposed to host network containers. Access controls for the shim's API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges.
CVSS v3 Base Score: 5.2 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N)
ID: CVE-2020-26258
Title: XStream Server-Side Forgery Request Vulnerability
Vendor: Multi-Vendor
Description: A Server-Side Forgery Request vulnerability exists in XStream that can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream.
CVSS v3 Base Score: 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
=========================================================
MOST PREVALENT MALWARE FILES Dec. 10 - 17:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 2c36cb4e1771a04e728d75eb65b05f6875d4eb56df6eb5810af09d0d5e419cd5
MD5: eb20ca63dc3badc1a48072d33bd6428b
VirusTotal: https://www.virustotal.com/gui/file/2c36cb4e1771a04e728d75eb65b05f6875d4eb56df6eb5810af09d0d5e419cd5/details
Typical Filename: 1 Total New Invoices-Monday December 14 2020.xlsm
Claimed Product: N/A
Detection Name: W32.2C36CB4E17-90.SBX.TG
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 4b8aef15c75ab675acdd9588bbcbd45dcc11a270513badfb21cfdfd92f723b01
MD5: 7e36752d274e61b9f2b0ee43200fe36d
VirusTotal: https://www.virustotal.com/gui/file/4b8aef15c75ab675acdd9588bbcbd45dcc11a270513badfb21cfdfd92f723b01/details
Typical Filename: Click HERE to start the File Launcher by WebNavigator Installer_ryymehv3_.exe
Claimed Product: WebNavigator Browser
Detection Name: W32.48C6324412-95.SBX.TG
SHA 256: 763d0f405ca4a762ce5d27077f3092f295b6504a743f61b88a1de520bcdb3d8a
MD5: 552299482ffa389321df9b05740c1b92
VirusTotal: https://www.virustotal.com/gui/file/763d0f405ca4a762ce5d27077f3092f295b6504a743f61b88a1de520bcdb3d8a/details
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigator Browser
Detection Name: W32.763D0F405C-100.SBX.VIOC
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743
