@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
February 13, 2020
=============================================================
@RISK: The Consensus Security Vulnerability Alert
February 13, 2020 - Vol. 20, Num. 07
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Feb. 6 - 13
============================================================
TOP VULNERABILITY THIS WEEK: Microsoft patches 98 vulnerabilities in monthly security update
**************** Sponsored By AWS Marketplace ***************
AWS Education Series: How to Leverage Endpoint Detection and Response (EDR) for Investigations in AWS Environments. Learn how to unpack and leverage the telemetry provided by endpoint security solutions using MITRE Cloud examples, such as Exploit Public-Facing Application (T1190) and Data Transfer to Cloud Account (T1537) by examining process trees. Webcast Thursday, February 20, 1 PM ET. http://www.sans.org/info/215520
============================================================
TRAINING UPDATE
-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020
-- SANS Training at RSA Conference 2020 | San Francisco, CA | February 23-24 | https://www.sans.org/event/rsa-conference-2020
-- SANS Munich March 2020 | March 2-7 | https://www.sans.org/event/munich-march-2020
-- SANS Northern VA - Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020
-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020
-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020
-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020
-- SANS San Francisco Spring 2020 | March 16-27 | https://www.sans.org/event/san-francisco-spring-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020
-- SANS OnDemand and vLive Training
Get a free GIAC Certification Attempt or Take $350 Off through February 19 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) See a real ICS range demo. Register for the ICS is Everywhere Dragos Webinar. http://www.sans.org/info/215525
2) Hear from the analysts tracking down adversaries everyday with the new SANS Threat Analysis Rundown (STAR) webcast series. http://www.sans.org/info/215540
3) Webcast February 19th at 1PM ET: Real-World Implementation of Deception Technologies. http://www.sans.org/info/215535
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: 12 critical vulnerabilities fixed in latest Microsoft Patch Tuesday
Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 98 vulnerabilities, 12 of which are rated critical and 84 important. Two further bugs were not assigned a severity. This month's patches include updates to the Windows kernel, the Windows scripting engine and Remote Desktop Protocol, among other software and features. Microsoft also provided a critical advisory covering updates to Adobe Flash Player.
Reference: https://blog.talosintelligence.com/2020/02/microsoft-patch-tuesday-feb-2020.html
Snort SIDs: 48701, 48702, 53050 - 53056, 53061, 53072, 53073, 53079 - 53089
Title: Adobe releases updates for Reader, Flash Player and more
Description: Adobe disclosed 42 new vulnerabilities this week as part of its monthly security update, 35 of which are considered critical. These updates include Acrobat Reader, Flash Player and other Adobe products. Most notable are two bugs in Flash Player and Adobe Framemaker that could allow an attacker to execute arbitrary code on the victim machine.
Reference: https://threatpost.com/adobe-security-update-critical-flash-framemaker-flaws/152782/
Snort SIDs: 52331, 52332
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The U.S. formally charged four members of the Chinese military for stealing millions of Americans' personal information during a hack on credit reporting agency Equifax, one of the largest data breaches in history.
https://apnews.com/05aa58325be0a85d44c637bd891e668f
Chinese officials immediately rebuffed the charges and denied any involvement in the attack.
Government officials and security researchers are still unpacking the failures of an election results-reporting app used during the Iowa caucus. The delay in results was likely due to many factors, including flaws in the app and understaffing.
It also appears members of an online forum may have attempted to disrupt the app, clogging a phone line used to report results in a distributed denial-of-service attack.
A new report from the U.S. Government Accountability Office states America's cyber security agency is not equipped to properly handle the threats posed to the upcoming presidential election.
https://www.cnn.com/2020/02/06/politics/election-security-department-of-homeland-security/index.html
Corp.com, a domain said to have connections to a large number of passwords, emails and other proprietary data belonging to major organizations around the globe, is up for sale, as the owner looks to downsize his estate.
https://krebsonsecurity.com/2020/02/dangerous-domain-corp-com-goes-up-for-sale/
India is close to implementing a new set of cyber security regulations, which could have wide-ranging consequences for future policies in other countries.
https://www.wired.com/story/opinion-indias-data-protection-bill-threatens-global-cybersecurity/
A cyber attack shut down roughly 25 percent of Iran's internet access last week for about an hour, though the country touted how quickly it fended off the attack.
https://netblocks.org/reports/internet-shutdown-in-iran-following-reported-cyber-attack-18lJVDBa
Cisco patched five critical vulnerabilities in its Discovery Protocol that could allow attackers to remotely execute code or deny service on thousands of devices.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-0665
Title: Microsoft Active Directory Privilege Escalation Vulnerability
Vendor: Microsoft
Description: The vulnerability exists in Active Directory forest trusts due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest. A remote user can exploit it to gain elevated privileges on the target system.
CVSS v2 Base Score: 9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)
ID: CVE-2020-0674
Title: Microsoft Scripting Engine Memory Corruption Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. An attacker could then install programs; view, change, or delete data or create new accounts with full user rights.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2020-0759
Title: Microsoft Excel Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. A
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: CVE-2020-8808
Title: CORSAIR iCUE Driver Local Privilege Escalation Vulnerability
Vendor: CORSAIR
Description: The CorsairLLAccess64.sys and CorsairLLAccess32.sys drivers in CORSAIR iCUE allow local non-privileged users to read and write arbitrary physical memory locations, and consequently gain NT AUTHORITY\SYSTEM privileges, via a function call such as MmMapIoSpace.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2019-8449
Title: Atlassian Jira Information Disclosure Vulnerability
Vendor: Atlassian
Description: The /rest/api/latest/groupuserpicker resource in Jira allows remote attackers to enumerate usernames through an information disclosure vulnerability.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
ID: CVE-2019-18634
Title: Sudo pwfeedback Buffer Overflow Vulnerability
Vendor: Multi-Vendor
Description: A security issue exists in sudo when the pwfeedback option is enabled in sudoers that can lead to a buffer overflow. If pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.
CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
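An added defender's check for the weak setting described above; it is not code from the newsletter or from the sudo project. It audits sudoers text (a constructed sample is embedded) for the pwfeedback Defaults option and rewrites every enable to the corrected !pwfeedback form. The handling of scoped Defaults lines (Defaults@host, Defaults:user) is an assumption based on the sudoers syntax, not something the advisory states.

```python
"""Audit sudoers text for the pwfeedback option (CVE-2019-18634)."""
import re

# Constructed sudoers excerpt, not from any real host.
# Line 2 enables pwfeedback globally (the weak setting); line 4 disables it
# only for one host alias, which leaves every other host exposed.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults    env_reset, pwfeedback
Defaults    mail_badpass
Defaults@WEBHOSTS !pwfeedback
Defaults:alice  pwfeedback, timestamp_timeout=5
root    ALL=(ALL:ALL) ALL
"""

# Matches "Defaults" optionally followed by a scope (@host, :user, !cmnd, >runas).
DEFAULTS_RE = re.compile(r"^\s*Defaults([@:!>][^\s]+)?\s+(.*)$")


def pwfeedback_findings(sudoers_text):
    """Return (line_no, scope, enabled) for each Defaults line that sets pwfeedback."""
    findings = []
    for n, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        m = DEFAULTS_RE.match(line)
        if not m:
            continue
        scope = m.group(1) or "global"
        for opt in (o.strip() for o in m.group(2).split(",")):
            if opt == "pwfeedback":
                findings.append((n, scope, True))
            elif opt == "!pwfeedback":
                findings.append((n, scope, False))
    return findings


def is_exposed(sudoers_text):
    """True if pwfeedback is enabled in any scope; a scoped disable does not clear a global enable."""
    return any(enabled for _, _, enabled in pwfeedback_findings(sudoers_text))


def harden(sudoers_text):
    """Return the text with every bare pwfeedback turned into !pwfeedback (the corrected setting)."""
    return re.sub(r"(?<![!\w])pwfeedback\b", "!pwfeedback", sudoers_text)
```

Run `pwfeedback_findings` over the real file (or `sudo -l` output on a test host) to locate each enable by line and scope before editing with visudo; disabling pwfeedback is a workaround, not a substitute for the sudo patch.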
ID: CVE-2019-19470
Title: Tinywall Controller Privilege Escalation Vulnerability
Vendor: Tinywall
Description: In Tinywall, unsafe use of .NET deserialization in Named Pipe message processing allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM. An attacker who has already compromised the local system could use TinyWall Controller to gain additional privileges by attaching a debugger to the running process and modifying the code in memory.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
=========================================================
MOST PREVALENT MALWARE FILES Feb. 6 - 13:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7
MD5: 88cbadec77cf90357f46a3629b6737e6
VirusTotal: https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.File.2144flashplayer::tpd
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos
SHA 256: 97d8ea6cee63296eaf0fa5d97a14898d7cec6fa49fee1bf77c015ca7117a2ba7
MD5: be52a2a3074a014b163096055df127a0
VirusTotal: https://www.virustotal.com/gui/file/97d8ea6cee63296eaf0fa5d97a14898d7cec6fa49fee1bf77c015ca7117a2ba7/details
Typical Filename: xme64-553.exe
Claimed Product: N/A
Detection Name: Win.Trojan.Coinminer::tpd
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743