@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
February 27, 2020=============================================================
@RISK: The Consensus Security Vulnerability Alert
February 27, 2020 - Vol. 20, Num. 09
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Feb. 20 - 27
============================================================
TOP VULNERABILITY THIS WEEK: New remote access tool shows connections to other RAT families
*************** Sponsored By Dragos, Inc. ******************
Join the Dragos 2019 ICS Year in Review webinar on March 5 for recommendations to improve your cybersecurity defenses. The report authors will summarize their conclusions from real-world threat hunts, incident response and vulnerability assessments. Hear what the state of the ICS cyberthreat landscape is and the public threat activity groups Dragos tracks. http://www.sans.org/info/215655
============================================================
TRAINING UPDATE
-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020
-- SANS Security West 2020 |San Diego, CA | May 6-13 | https://www.sans.org/event/security-west-2020
-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020
-- SANS San Francisco Spring 2020 | March 16-27 | https://www.sans.org/event/san-francisco-spring-2020
-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020
-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020
-- SANS London April 2020 | April 20-25 | https://www.sans.org/event/london-april-2020
-- Cloud Security Summit & Training 2020 | Frisco, TX | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020
-- Rocky Mountain Hackfest Summit & Training 2020 | Denver, CO | June 1-8 | https://www.sans.org/event/rockymountainhackfest-summit-2020
-- SANS OnDemand and vLive Training
Get an iPad (32G), a Samsung Galaxy Tab A, or Take $250 Off through March 4 with OnDemand or vLive training.
https://www.sans.org/online-security-training/specials/
-- Can't travel? SANS offers online instruction for maximum flexibility
-- Live Daytime training with Simulcast - https://www.sans.org/simulcast
-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive
-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/
-- Single Course Training
SANS Mentor | https://www.sans.org/mentor/about
Community SANS | https://www.sans.org/community/
-- View the full SANS course catalog and Cyber Security Skills Roadmap
https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) How effective is your threat hunting? Take this survey and enter to win a $400 Amazon gift card: http://www.sans.org/info/215660
2) Webcast March 12th at 1PM ET: Innovative Application Security Testing Techniques for Modern Software Development. Register: http://www.sans.org/info/215665
3) Did you miss this webcast? Pivotal Platform - Getting Started with Native Runtime Protection for PAS. View here: http://www.sans.org/info/215670
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: ObliqueRAT spreads via malicious documents
Description: Cisco Talos has observed a malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread a remote access trojan (RAT) we're calling "ObliqueRAT." These maldocs use malicious macros to deliver the second-stage RAT payload. Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security. According to Talos researchers, ObliqueRAT has connections to the adversaries behind the CrimsonRAT discovered last year.
Reference: https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html
Snort SIDs: 53152 - 53163
Title: Multiple vulnerabilities in Cisco Data Center Network Manager
Description: Cisco Data Center Network Manager contains a privilege escalation vulnerability and a cross-site request forgery vulnerability. Cisco disclosed the high-severity vulnerabilities late last week. In the case of the privilege escalation vulnerability, an attacker could exploit the Network Manager in a way that would allow them to interact with the API with administrator-level privileges. A successful exploit could allow the attacker to interact with the API with administrative privileges.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200219-dcnm-csrf
Snort SIDs: Snort Rule 53171 - 53176
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The KidsGuard surveillance app exfiltrated data from targeted devices to an unprotected cloud storage bucket.
https://techcrunch.com/2020/02/20/kidsguard-spyware-app-phones/
A vulnerability in Bluetooth software development kits leaves numerous medical devices and other internet-of-things devices open to attacks.
https://www.wired.com/story/bluetooth-flaws-ble-internet-of-things-pacemakers/
Mexico's economy ministry said it detected a cyber attack on its network over the weekend.
American and British government agencies teamed up to formally blame Russia for a massive cyber attack on the country of Georgia last year; the attacks targeted web hosting providers, broadcasters, and numerous government, NGO, and business websites.
https://www.cnn.com/2020/02/20/politics/russia-georgia-hacking/index.html
Dell sold its RSA security business, including the popular RSA conference, to a private equity firm for $2 billion.
https://rcpmag.com/articles/2020/02/21/consortium-buys-rsa-from-dell.aspx?m=1
This year's RSA Conference kicked off earlier this week. Here is a roundup of some of the major announcements made thus far.
French sporting goods chain Decathlon leaked the information of more than 123 million customers and employees on an unsecured Elasticsearch server.
https://www.infosecurity-magazine.com/news/sports-giant-decathlon-leaks-123/
Google released the latest version of its Chrome web browser, starting a rollback of third-party cookies. Chrome 80 also includes a new capability called ScrollToTextFragment, which security researchers worry could be exploited to expose sensitive information.
https://www.adweek.com/digital/new-deep-linking-feature-in-google-chrome-80-sparks-privacy-concerns/
The adversaries behind the DoppelPaymer ransomware launched a new site that they say will be used to publish the information and stolen data of victims who do not pay the requested extortion payment.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-1938
Title: Apache Tomcat AJP File Inclusion Vulnerability
Vendor: Apache
Description: Apache Tomcat AJP file inclusion vulnerability allows an attacker to read any webapps files. If the Tomcat instance supports file uploads, the vulnerability could also be leveraged to achieve remote code execution.
CVSS v2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2020-0618
Title: Microsoft SQL Server Reporting Services Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. To exploit the vulnerability, an authenticated attacker would need to submit a specially crafted page request to an affected Reporting Services instance.
CVSS v2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
ID: CVE-2020-8813
Title: Cacti authenticated Remote Code Execution Vulnerability
Vendor: Cacti
Description: graph_realtime.php in Cacti allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. This vulnerability could be exploited without authentication if Cacti is enabling "Guest Realtime Graphs" privilege.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2020-8794
Title: OpenBSD OpenSMTPD Local Privilege Escalation and Remote Code Execution Vulnerability
Vendor: OpenBSD
Description: An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.
CVSS v2 Base Score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
ID: CVE-2018-8611
Title: Microsoft Windows Kernel Elevation of Privilege Vulnerability
Vendor: Microsoft
Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker could then run a specially crafted application to take control of an affected system.
CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2020-3765
Title: Adobe After Effects Out-of-Bounds Write Vulnerability (APSB20-09)
Vendor: Adobe
Description: Adobe After Effects have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution.
CVSS v2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
=========================================================
MOST PREVALENT MALWARE FILES Feb. 20 - 27:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details
Typical Filename: eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201
SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7
MD5: 88cbadec77cf90357f46a3629b6737e6
VirusTotal: https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.File.2144flashplayer::tpd
SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743
