@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
January 14, 2021
=============================================================
@RISK: The Consensus Security Vulnerability Alert
January 14, 2021 - Vol. 21, Num. 01
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Jan. 7 - 14
============================================================
TOP VULNERABILITY THIS WEEK: First Patch Tuesday of 2021
************** Sponsored By Security Risk Advisors **************
Purple Team "Essentials" is an effective way to begin purple teaming, obtain benchmarks, and strengthen your defenses against the most used attacker TTPs. Security Risk Advisors will help you measure the effectiveness of your defensive tools and track performance over time. SRA is a thought-leader in purple team methodology, represented by the free VECTR(TM) platform.
| http://www.sans.org/info/218650
============================================================
TRAINING UPDATE
New & Updated Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
- https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/
Upcoming Live Online Events
SANS Stay Sharp - Feb 1-4 CST
1-3 Day Management & Cloud Courses
- https://www.sans.org/event/stay-sharp-management-and-cloud-feb-2021/
SANS Pen Test & Offensive Training - Feb 8-13 CST
14 Courses | Core NetWars | Coin-A-Palooza!
- https://www.sans.org/event/pen-test-and-offensive-training-2021/
Open-Source Intelligence (OSINT) Summit & Training
FREE Summit: Feb 11-12 | Courses: Feb 8-10 & 15-20 EST
- https://www.sans.org/event/osint-summit-2021/
OnDemand Training Special Offer
Get an iPad, a Galaxy Tab A, or Take $250 Off with OnDemand training through January 27.
- www.sans.org/specials/north-america/
Blue Team Operations Resources
Cheat Sheets, Papers, Podcasts, and more. View & Download
- https://www.sans.org/blue-team/
********************** Sponsored Links: ********************
1) Register Now! | January 22nd @ 9:00 AM EST | Join us for the 2021 Cyber Threat Intelligence Summit Solutions Track! Chaired by Robert M. Lee, this virtual event will explore various CTI topics through invited speakers while showcasing current capabilities available today! | 4 CPE Credits
| http://www.sans.org/info/218655
2) Webcast | Join us for our upcoming webcast, "Protect your public cloud resources and achieve cloud maturity" which will explore hot topics in cloud security and powerful Secure Cloud Analytics features that could mean the difference between you and the next public cloud compromise. | January 20th @ 3:30 PM EST
| http://www.sans.org/info/218660
3) Webcast | Attend our upcoming webinar, "The Top 10 UEBA Use Cases for Today's SOCs" to learn more about why behavior analytics is a must-have for a mature security framework, and more! | January 21st @ 3:30 PM EST
| http://www.sans.org/info/218665
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft disclosed 83 vulnerabilities, 10 critical, in monthly security update
Description: Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across its suite of products to kick off 2021. Only 10 of them are rated critical, two are rated moderate, and the remainder are considered "important." Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products and services, including the Microsoft Defender antivirus software, the Microsoft Remote Procedure Call tools and Bluetooth communication with Windows devices. One of the most serious vulnerabilities exists in Microsoft Defender. CVE-2021-1647 affects some versions of Windows dating back to Windows 2008. An attacker could exploit this vulnerability to execute arbitrary code on the victim machine. According to Microsoft, no action is required to install this update and protect against this vulnerability, as the fix is delivered through Microsoft's regular updates to its anti-malware products.
References: https://blog.talosintelligence.com/2021/01/microsoft-patch-tuesday-for-jan-2021.html
Snort SIDs: 56849 - 56860, 56865
Title: Lokibot adds new dropper to its arsenal
Description: Lokibot is one of the most well-known information stealers on the malware landscape. The actors behind Lokibot typically steal multiple types of credentials and other sensitive information. This new campaign uses a complex, multi-stage, multi-layered dropper to execute Lokibot on the victim machine. The attack starts with a malicious XLS attachment, sent in a phishing email, containing an obfuscated macro that downloads a heavily packed second-stage downloader. The second stage fetches the encrypted third stage, which contains the Lokibot payload wrapped in three layers of encryption. After a privilege escalation, the third stage deploys Lokibot. The image in the referenced post shows the infection chain.
Reference: https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html
Snort SIDs: 56577, 56578
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Several American intelligence agencies released a joint statement saying they believe the recent exploitation of SolarWinds products can be linked to Russia.
https://apnews.com/article/us-blames-russia-federal-hacking-3921096dfd9693a020420acc787132bd
Security researchers discovered a third malware strain used by the actors behind the SUNBURST campaign, deployed as far back as September 2019.
https://www.zdnet.com/article/third-malware-strain-discovered-in-solarwinds-supply-chain-attack/
SolarWinds, whose products were affected by the campaign, has hired former U.S. cybersecurity chief Chris Krebs as a consultant to investigate how attackers exploited its systems.
Social media platform Parler shut down this week after Amazon Web Services and other third parties dropped the app, leading to a massive data leak of users' information, including pictures of ID cards.
https://www.inputmag.com/culture/parlers-user-data-is-leaking-but-no-ones-really-sure-how
DDoSecrets, considered to be a successor to WikiLeaks, is sharing corporate information attackers stole as part of past ransomware attacks.
https://www.wired.com/story/ddosecrets-ransomware-leaks/
Attackers are transitioning more to SMS messages for their phishing attempts as local and national governments use text messages to provide COVID-19 information to citizens.
https://www.vice.com/en/article/m7appv/sms-phishing-is-getting-out-of-control
A new trojan known as "ElectroRAT" is infecting users' cryptocurrency wallets and stealing their contents.
https://www.infosecurity-magazine.com/news/electrorat-drains-crypto-wallets/
Officials in Hong Kong are using a new security law passed last year to ban certain sites inside the territory and track activists.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-17519
Title: Apache Flink Directory Traversal Vulnerability
Vendor: Apache
Description: Apache Flink allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ID: CVE-2020-3452
Title: Cisco ASA Remote File Disclosure Vulnerability
Vendor: Cisco
Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
ID: CVE-2020-17096
Title: Microsoft Windows NTFS Remote Code Execution Vulnerability
Vendor: Microsoft
Description: Microsoft Windows is exposed to an NTFS remote code execution vulnerability. A local attacker could run a specially crafted application that would elevate the attacker's privileges. A remote attacker with SMBv2 access to a vulnerable system could send specially crafted requests over a network to exploit this vulnerability and execute code on the target system.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-29583
Title: Zyxel Hardcoded Credential Vulnerability
Vendor: Zyxel
Description: Zyxel USG devices contain an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware. This account can be used by anyone to log in to the SSH server or web interface with admin privileges.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-16040
Title: Google Chrome Heap Corruption Vulnerability
Vendor: Google
Description: Insufficient data validation in V8 in Google Chrome allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. The exploitation doesn't require any form of authentication. However, successful exploitation requires user interaction by the victim.
CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
ID: CVE-2020-0646
Title: Microsoft .NET Framework Remote Code Execution Injection Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properly. An attacker who successfully exploited this vulnerability could take control of an affected system. To exploit the vulnerability, an attacker would need to pass specific input to an application that uses the susceptible .NET methods.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-11851
Title: Micro Focus ArcSight Logger Code Injection Vulnerability
Vendor: Micro Focus
Description: An arbitrary code execution vulnerability exists in the Micro Focus ArcSight Logger product. The vulnerability could be exploited remotely, resulting in the execution of arbitrary code.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-10148
Title: SolarWinds Orion API Authentication Bypass Vulnerability
Vendor: SolarWinds
Description: The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote attacker to execute API commands without authenticating, which may result in a compromise of the SolarWinds instance.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES Jan. 7 - 14:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 20f0ce6ae08d954767bdd8445017453475d53fe1e448c07da7a8a6a1194374c6
MD5: 6902aa6dd0fbd0d1b647e8d529c7ad3f
VirusTotal: https://www.virustotal.com/gui/file/20f0ce6ae08d954767bdd8445017453475d53fe1e448c07da7a8a6a1194374c6/details
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Variant.23nh.1201
SHA 256: a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0
MD5: 9b7c2b0abf5478ef9a23d9a9e87c7835
VirusTotal: https://www.virustotal.com/gui/file/a463f9a8842a5c947abaa2bff1b621835ff35f65f9d3272bf1fa5197df9f07d0/details
Typical Filename: INV1458863388-20210111852384.xlsm
Claimed Product: N/A
Detection Name: W32.A463F9A884-90.SBX.TG
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30
MD5: 0083bc511149ebc16109025b8b3714d7
VirusTotal: https://www.virustotal.com/gui/file/6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30/details
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: P W32.6FDFCD0510-100.SBX.VIOC
=============================================================
(c) 2021. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743