@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. Because it is also valuable for security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who want to stay current with the offensive methods in use.
January 21, 2021
=============================================================
@RISK: The Consensus Security Vulnerability Alert
January 21, 2021 - Vol. 21, Num. 02
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
TOP VULNERABILITY THIS WEEK: BumbleBee webshell opens Exchange servers to attack
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Jan. 14 - 21
============================================================
TOP VULNERABILITY THIS WEEK: BumbleBee webshell opens Exchange servers to attack
******************** Sponsored By UPPERAD ********************
Free Virtual Event Tomorrow! | January 22nd @ 9:00 AM EST | We invite you to join us for the 2021 Cyber Threat Intelligence Summit Solutions Track! Chaired by Robert M. Lee, this virtual event will consist of presentations that focus on case-studies and thought leadership using specific examples relevant to the industry as we know it today | 4 CPE Credits
| http://www.sans.org/info/218710
============================================================
TRAINING UPDATE
New & Updated Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
- https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/
Upcoming Live Online Events
SANS Stay Sharp - Mar 8-9 EST
2-Day Pen Test & Offensive Ops Courses
- https://www.sans.org/event/stay-sharp-pen-test-march-2021/
SANS 2021 - Mar 22-27 EDT
30+ Courses | Core, Cyber Defense, and DFIR NetWars
- https://www.sans.org/event/sans-2021-live-online/
ICS Security Summit & Training
FREE Summit: Mar 4-5 | Courses: Mar 8-13 EST
- https://www.sans.org/event/ics-security-summit-2021/
OnDemand Training Special Offer
Get an iPad, a Galaxy Tab A, or Take $250 Off with OnDemand training through January 27.
- www.sans.org/specials/north-america/
Offensive Operations Resources
New Cheat Sheets, Slingshot Linux Distro, Posters, and more. View & Download
- https://www.sans.org/offensive-operations/
********************** Sponsored Links: ********************
1) Webcast | Join our live webinar during which Anthony Moisant, CISO of Glassdoor and Doug Cahill, Vice President and Group Director, Cybersecurity at Enterprise Strategy Group, will share their perspectives on the challenges security organizations faced in 2020 and what lies ahead for 2021 and beyond. | January 29th @ 1:00 PM EST
| http://www.sans.org/info/218715
2) Webcast | Join us for our upcoming webcast, "Slacking on insider threats? Investigative and monitoring approaches to use within Slack to locate bad actors" | January 27th @ 10:30 AM EST
| http://www.sans.org/info/218720
3) Webcast | Join SANS senior instructor, Jake Williams, as he dives into how new generation anti-bot technology fundamentally changes the game in our upcoming webcast, "Bot Disruption: Beating Cybercriminals at their Own Game" | January 28th @ 1:00 PM EST
| http://www.sans.org/info/218725
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Adversaries use BumbleBee tool to target organizations in Kuwait
Description: Researchers recently discovered a webshell called "BumbleBee" being used in an espionage campaign against Microsoft Exchange servers. The affected organizations identified so far are located in Kuwait. BumbleBee was first observed in September being used to upload and download files on a targeted Exchange server. The operators behind this campaign, which researchers attribute to the xHunt group, used BumbleBee to execute commands and to upload and download files. It is the latest tool xHunt has added to its arsenal; the group dates back to at least 2018 and has previously targeted Kuwaiti organizations and government agencies, specifically in the shipping and trading sectors.
References: https://threatpost.com/bumblebee-exchange-servers-xhunt-spy/162973/
Snort SIDs: 56887 - 56890
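The Snort signatures above catch BumbleBee's own traffic; a webshell you have not seen before still leaves the same footprint in the web server's own logs: POST requests to an .aspx page the installation never shipped, usually from a handful of client addresses with scripted user agents. The script below is an added example for this issue, not tooling from the BumbleBee report or from Talos. It parses IIS W3C logs by their #Fields header and reports POSTs to .aspx pages that are not on a baseline allowlist; the log excerpt, the page names and the allowlist are constructed for the example.

```python
"""Hunt for webshell-style POSTs in IIS W3C logs from an Exchange front end.

Added example for this @RISK issue, not tooling from the BumbleBee report. A
webshell that executes commands and moves files is reached by POST requests to
a page the server never shipped, usually from few client IPs and scripted user
agents. The log lines, the page names and the allowlist below are constructed.
"""
from collections import defaultdict

# Constructed baseline of .aspx pages that legitimately receive POSTs on this
# server. Assumption for the example: build yours from a known-good install.
KNOWN_POST_STEMS = {
    "/owa/auth/logon.aspx",
    "/ecp/default.aspx",
}

# Constructed IIS W3C log excerpt; the #Fields header names the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2020-09-10 08:00:01 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.10 Mozilla/5.0 200
2020-09-10 08:00:02 10.0.0.5 GET /owa/ - 443 user1 192.0.2.10 Mozilla/5.0 200
2020-09-10 08:01:00 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 192.0.2.11 Mozilla/5.0 200
2020-09-10 08:02:17 10.0.0.5 POST /owa/auth/sync_check.aspx - 443 - 198.51.100.7 python-requests/2.24 200
2020-09-10 08:02:19 10.0.0.5 POST /owa/auth/sync_check.aspx - 443 - 198.51.100.7 python-requests/2.24 200
2020-09-10 08:03:40 10.0.0.5 POST /ews/exchange.asmx - 443 user2 192.0.2.12 Mozilla/5.0 200
"""


def parse_w3c(log_text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()          # IIS encodes spaces inside fields as '+'
        if fields is None or len(values) != len(fields):
            continue                   # malformed or header not seen yet: skip, don't guess
        yield dict(zip(fields, values))


def find_suspicious_posts(log_text, known_stems=KNOWN_POST_STEMS):
    """Return {uri-stem: {hits, ips, agents}} for POSTs to .aspx pages off the baseline."""
    findings = defaultdict(lambda: {"hits": 0, "ips": set(), "agents": set()})
    for rec in parse_w3c(log_text):
        stem = rec["cs-uri-stem"].lower()          # IIS paths are case-insensitive
        if rec["cs-method"] != "POST" or not stem.endswith(".aspx"):
            continue
        if stem in known_stems:
            continue
        entry = findings[stem]
        entry["hits"] += 1
        entry["ips"].add(rec["c-ip"])
        entry["agents"].add(rec["cs(User-Agent)"])
    return dict(findings)


if __name__ == "__main__":
    # Fewest distinct client IPs first: a shell is typically worked from one host.
    ranked = sorted(find_suspicious_posts(SAMPLE_LOG).items(), key=lambda kv: len(kv[1]["ips"]))
    for stem, entry in ranked:
        print(f"{stem}: {entry['hits']} POSTs from {sorted(entry['ips'])} agents={sorted(entry['agents'])}")
```

Run it against the real logs with the allowlist replaced by the .aspx pages present on a clean install of the same Exchange build; anything it reports should then be checked on disk for creation time and for who wrote it.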
Title: Cisco urges users to update to new routers after vulnerabilities disclosed
Description: Cisco disclosed 74 vulnerabilities in some of its RV series of wireless routers last week, urging users to purchase new hardware rather than expect patches, because all of the affected products have already reached end-of-life. The affected devices are the Cisco Small Business RV110W, RV130, RV130W and RV215W, which can be used as firewalls, VPN endpoints or standard routers. All of the vulnerabilities require the attacker to already hold valid login credentials for the targeted device, so they are not easily exploitable from the outside, which gives users a small runway to upgrade to new gear.
Snort SIDs: 56839 - 56845, 56866 - 56876, 56893, 56894
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Security researchers found a fourth malware strain used in the broad SolarWinds breach, though it was only deployed on a few targets' networks.
https://www.zdnet.com/article/fourth-malware-strain-discovered-in-solarwinds-incident/
Other threat actors are sure to copy many of the same tactics used in the SolarWinds incident and look to carry out supply chain attacks.
https://www.wired.com/story/solarwinds-hacker-methods-copycats/
The SolarWinds supply chain attack will likely influence cybersecurity legislation that U.S. President Joe Biden will look to pass in his first 100 days in office.
The FBI released a warning that Iranian cyber threat actors are threatening US election officials and trying to spread fear and disinformation online.
https://www.ic3.gov/Media/Y2021/PSA210115
A woman accused of stealing U.S. House Speaker Nancy Pelosi's laptop was arrested. The woman allegedly wanted to send the laptop to Russia's foreign intelligence service.
https://www.washingtonpost.com/2021/01/18/pelosi-laptop-riley-june-williams/
WhatsApp is delaying enforcement of its new privacy policies after users pushed back against a new rule that would have allowed WhatsApp to share its data directly with Facebook.
https://www.welivesecurity.com/2021/01/18/whatsapp-delays-privacy-policy-update/
A security flaw in Amazon's Ring home security service's Neighbors website exposed users' precise locations and home addresses.
https://techcrunch.com/2021/01/14/ring-neighbors-exposed-locations-addresses/
Supporters of a data breach notification bill in Congress hope the SolarWinds hack will push their colleagues to take up debate on the topic, though similar efforts stalled after the 2017 Equifax breach.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-29583
Title: Zyxel Firewalls And AP Controller Hardcoded Credential Vulnerability
Vendor: Zyxel
Description: The affected firmware for Zyxel USG devices contains an undocumented account (zyfwp) with an unchangeable password. The password for this account can be found in cleartext in the firmware, and the account can be used to log in to the SSH server or web interface with admin privileges.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-3007
Title: Zend Framework Remote Code Execution Vulnerability
Vendor: Zend
Description: Zend Framework has a deserialization vulnerability that can lead to remote code execution if the serialized content is attacker-controllable, related to the __destruct method of the Zend\Http\Response\Stream class in Stream.php.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
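Deserialization bugs of this kind are only reachable when attacker-controlled bytes reach unserialize(), so a quick triage step for a suspicious request body or cookie is to list which classes a PHP serialize() payload would instantiate and compare them with what the endpoint legitimately expects. The parser below is an added example, not Zend Framework code and not the exploit; the payloads are constructed, and the property name inside the suspicious one is illustrative rather than the real Stream property.

```python
"""List the classes a PHP serialize() payload instantiates.

Added example, not Zend Framework code. PHP's unserialize() builds an object
for every O:<len>:"<class>":<n>:{...} (and C:...) token, and __destruct or
__wakeup then run on those objects whether or not the endpoint wanted them.
Payloads below are constructed; property names are illustrative only.
"""


class PhpSerializeError(ValueError):
    """Raised on malformed input; treat that as suspicious too."""


def _read_class(data, pos, classes):
    """Consume <len>:"<class>": after an O or C tag; return the offset after it."""
    colon = data.index(":", pos + 2)
    length = int(data[pos + 2:colon])
    classes.append(data[colon + 2:colon + 2 + length])
    return colon + 2 + length + 2


def _close(data, pos):
    if pos >= len(data) or data[pos] != "}":
        raise PhpSerializeError("missing } at offset %d" % pos)
    return pos + 1


def _parse(data, pos, classes):
    """Parse one value at data[pos], collecting class names; return the next offset."""
    tag = data[pos]
    if tag == "N":                              # N;
        return pos + 2
    if tag in "bidrR":                          # b:1;  i:42;  d:1.5;  r:2;  R:2;
        return data.index(";", pos) + 1
    if tag == "s":                              # s:<len>:"<bytes>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2
        if data[start + length:start + length + 2] != '";':
            raise PhpSerializeError("string length mismatch at offset %d" % pos)
        return start + length + 2
    if tag == "a":                              # a:<n>:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                         # skip :{
        for _ in range(count):
            pos = _parse(data, pos, classes)    # key
            pos = _parse(data, pos, classes)    # value
        return _close(data, pos)
    if tag == "O":                              # O:<len>:"<class>":<n>:{prop;value;...}
        pos = _read_class(data, pos, classes)
        colon = data.index(":", pos)
        count = int(data[pos:colon])
        pos = colon + 2                         # skip :{
        for _ in range(count):
            pos = _parse(data, pos, classes)    # property name
            pos = _parse(data, pos, classes)    # property value
        return _close(data, pos)
    if tag == "C":                              # C:<len>:"<class>":<datalen>:{<opaque>}
        pos = _read_class(data, pos, classes)
        colon = data.index(":", pos)
        datalen = int(data[pos:colon])
        return _close(data, colon + 2 + datalen)
    raise PhpSerializeError("unsupported tag %r at offset %d" % (tag, pos))


def object_classes(payload):
    """Return the class names a payload would instantiate, in parse order."""
    if isinstance(payload, bytes):
        payload = payload.decode("latin-1")     # 1 char == 1 byte keeps s: lengths honest
    classes = []
    end = _parse(payload, 0, classes)
    if end != len(payload):
        raise PhpSerializeError("trailing data after value")
    return classes


def unexpected_classes(payload, allowed):
    """Classes the payload instantiates that the endpoint did not expect."""
    return [c for c in object_classes(payload) if c not in allowed]


# Constructed payloads: one the endpoint might expect, one that smuggles in the
# class named in the advisory (the property name is illustrative, not real).
BENIGN = r'O:8:"stdClass":2:{s:2:"id";i:7;s:4:"name";s:5:"alice";}'
SUSPICIOUS = r'a:1:{i:0;O:25:"Zend\Http\Response\Stream":1:{s:4:"prop";s:3:"val";}}'

if __name__ == "__main__":
    for label, payload in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, object_classes(payload), "unexpected:", unexpected_classes(payload, {"stdClass"}))
```

The parser refuses malformed input instead of guessing, which is the right default for triage: a length field that does not match its string is itself a sign that someone hand-built the payload. The durable fix on the application side is to stop feeding untrusted bytes to unserialize() at all (JSON, or unserialize with allowed_classes restricted), not to filter class names.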
ID: CVE-2020-25681
Title: DNS Forwarder dnsmasq multiple Vulnerabilities
Vendor: Multi-Vendor
Description: A heap-based buffer overflow was found in dnsmasq in the way RRSets are sorted before being validated against DNSSEC data. An attacker on the network who can forge DNS replies such that they are accepted as valid could use this flaw to overflow a heap buffer with arbitrary data, possibly executing code on the machine.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-29015
Title: FortiWeb Blind SQL Injection Vulnerability
Vendor: Fortinet
Description: A blind SQL injection in the user interface of FortiWeb that may allow an unauthenticated, remote attacker to execute arbitrary SQL queries or commands by sending a request with a crafted Authorization header containing a malicious SQL statement.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
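The injection above rides in the Authorization header, which on most appliances carries base64-encoded Basic credentials, so an inspection rule that only looks at the raw header text never sees the quotes and comment sequences. The script below is an added example, not Fortinet code and not the exploit: it decodes Basic credentials and runs a few blind-injection heuristics over the raw value, the user name and the password. The assumption that the targeted header is Basic is the example's, not the advisory's, and the sample headers are constructed.

```python
"""Spot SQL-injection probes hidden in the HTTP Authorization header.

Added example, not Fortinet code and not the exploit. Rules that look only at
the raw header miss payloads inside Basic credentials, which are base64. This
decodes them and runs injection heuristics over the raw value, the user name
and the password. Assumptions: the header is Basic (the advisory does not say)
and the sample headers below are constructed.
"""
import base64
import binascii
import re

# Heuristics for blind SQLi probes: quote-led tautologies, comment terminators,
# time-based functions, stacked statements, UNION. Tune before production use.
SQLI_PATTERNS = [
    re.compile(r"""['"]\s*(or|and)\s+['"\w]+\s*=\s*['"\w]+""", re.I),
    re.compile(r"--|/\*"),
    re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    re.compile(r";\s*(select|insert|update|delete|drop|exec)\b", re.I),
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
]


def decode_basic(header_value):
    """Return (user, password) from 'Basic <b64>', or None if not Basic or undecodable."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, _, password = raw.partition(":")
    return user, password


def check_authorization(header_value):
    """Return (field, pattern) hits over the raw header and the decoded credentials."""
    candidates = {"raw": header_value}
    creds = decode_basic(header_value)
    if creds:
        candidates["user"], candidates["password"] = creds
    hits = []
    for field, text in candidates.items():
        for pat in SQLI_PATTERNS:
            if pat.search(text):
                hits.append((field, pat.pattern))
    return hits


# Constructed headers: a probe in the password, an ordinary login, and a
# non-Basic scheme where only the raw value can be inspected.
PROBE_HEADER = "Basic " + base64.b64encode(b"admin:' OR 1=1--").decode()
BENIGN_HEADER = "Basic " + base64.b64encode(b"alice:Tr0ub4dor&3").decode()
RAW_PROBE = "Bearer x' OR '1'='1"

if __name__ == "__main__":
    for name, value in (("probe", PROBE_HEADER), ("benign", BENIGN_HEADER), ("raw", RAW_PROBE)):
        print(name, check_authorization(value) or "clean")
```

Run over the raw header alone, PROBE_HEADER is clean; only the decoded password trips the rules, which is the whole point. Expect false positives from passwords that legitimately contain "--" or "/*", so use this to prioritise review rather than to block.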
ID: CVE-2020-10148
Title: SolarWinds Orion API Authentication Bypass Vulnerability
Vendor: SolarWinds
Description: The SolarWinds Orion API is vulnerable to an authentication bypass that could allow a remote, unauthenticated attacker to execute API commands, which may result in a compromise of the SolarWinds instance.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-3452
Title: Cisco ASA Remote File Disclosure Vulnerability
Vendor: Cisco
Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
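The root cause named above is missing validation of traversal sequences in request URLs. As an added illustration of that bug class, not Cisco's code (which is not public) and not the fix (which is the vendor update), here is a naive path resolver beside a hardened one that percent-decodes until stable, normalises separators and dot segments, and then refuses anything that leaves the web root. The web root and the request paths are constructed.

```python
"""Path traversal: the naive resolver beside a hardened one.

Added example for the bug class in the ASA advisory; it is not Cisco's code and
the real fix is the vendor update. The hardened version percent-decodes until
the value stops changing, normalises separators and dot segments, then refuses
anything outside the web root. WEB_ROOT and the request paths are constructed.
"""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/static"   # assumption for the example


def resolve_unsafe(web_root, request_path):
    """The vulnerable pattern: trust the URL and join. '..' segments survive."""
    return posixpath.join(web_root, request_path.lstrip("/"))


def resolve_safe(web_root, request_path, max_decode_rounds=3):
    """Return the on-disk path for request_path, or None if it escapes web_root."""
    decoded = request_path
    for _ in range(max_decode_rounds):        # %252e%252e -> %2e%2e -> .. (double encoding)
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    else:
        return None                           # still changing after N rounds: reject
    if "\x00" in decoded:                     # NUL truncation tricks in C-level file APIs
        return None
    decoded = decoded.replace("\\", "/")      # treat backslash as a separator too
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # normpath is lexical only; on a live server follow up with os.path.realpath
    # so a symlink inside the root cannot point outside it.
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed requests: ordinary, in-root dot segments, and traversal attempts.
    for req in ("/css/site.css", "/img/%2e%2e/css/site.css", "/../../etc/passwd",
                "/%252e%252e/%252e%252e/etc/passwd", "/css/..\\..\\..\\etc/passwd",
                "/css/site.css%00.png"):
        print(f"{req:40} unsafe={resolve_unsafe(WEB_ROOT, req):45} safe={resolve_safe(WEB_ROOT, req)}")
```

The check is against root + "/" rather than a bare prefix so that a sibling directory such as /var/www/static2 does not pass, and decoding is bounded so that an attacker cannot make the loop spin on nested encodings.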
ID: CVE-2020-17096
Title: Microsoft Windows NTFS Remote Code Execution Vulnerability
Vendor: Microsoft
Description: Microsoft Windows is exposed to an NTFS remote code execution vulnerability. A local attacker could run a specially crafted application to elevate privileges, and a remote attacker with SMBv2 access to a vulnerable system could send specially crafted requests over the network to execute code on the target system.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-2109
Title: Oracle WebLogic Server Vulnerability
Vendor: Oracle
Description: A vulnerability exists in the Oracle WebLogic Server product of Oracle Fusion Middleware. It is easily exploitable and allows a high-privileged attacker with network access via HTTP to compromise Oracle WebLogic Server; successful attacks can result in takeover of the server.
CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES Jan. 14 - 21:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4
MD5: 176e303bd1072273689db542a7379ea9
VirusTotal: https://www.virustotal.com/gui/file/8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4/details
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Variant.24cl.1201
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30
MD5: 0083bc511149ebc16109025b8b3714d7
VirusTotal: https://www.virustotal.com/gui/file/6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30/details
Typical Filename: webnavigatorbrowser.exe
Claimed Product: WebNavigatorBrowser
Detection Name: P W32.6FDFCD0510-100.SBX.VIOC
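The list above is most useful as a set of indicators to sweep for. The script below is an added example, not Talos tooling: it hashes every file under a directory tree in streamed chunks and reports any whose SHA-256 or MD5 is on the list. The hashes are the ones printed in this issue, lowercased because one entry is published in upper case; the demo() directory layout is constructed so the block runs stand-alone without touching real malware.

```python
"""Sweep a directory tree for the file hashes listed in this issue.

Added example, not Talos tooling. Hashes are streamed so large binaries do not
need to fit in memory; unreadable files are skipped rather than aborting the
sweep. demo() builds a constructed tree so the block runs stand-alone.
"""
import hashlib
import os
import tempfile

# SHA-256 values from the list above, lowercased (one is published upper-case).
IOC_SHA256 = {
    "8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4",  # FlashHelperService.exe
    "8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9",  # SAntivirusService.exe
    "85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5",  # Eternalblue-2.2.0.exe
    "e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd",  # SAService.exe
    "6fdfcd051075383b28f5e7833fde1bb7371192f54e381c8bdfa8e68269e3dc30",  # webnavigatorbrowser.exe
}
IOC_MD5 = {
    "176e303bd1072273689db542a7379ea9",
    "34560233e751b7e95f155b6f61e7419a",
    "8c80dd97c37525927c1e549cb59bcbf3",
    "8193b63313019b614d5be721c538486b",
    "0083bc511149ebc16109025b8b3714d7",
}


def file_hashes(path, chunk=1 << 20):
    """Return (sha256, md5) hex digests of a file, read in chunks."""
    sha, md = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            sha.update(block)
            md.update(block)
    return sha.hexdigest(), md.hexdigest()


def sweep(root, sha256_iocs=IOC_SHA256, md5_iocs=IOC_MD5):
    """Walk root; return [(path, sha256)] for every file whose hash is on a list."""
    matches = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                sha, md = file_hashes(path)
            except OSError:
                continue            # locked or unreadable: skip, do not abort the sweep
            if sha in sha256_iocs or md.lower() in md5_iocs:
                matches.append((path, sha))
    return matches


def demo():
    """Constructed scenario: one benign file, one empty file and one planted
    'sample' whose hash is added to the IOC set just for the demonstration."""
    with tempfile.TemporaryDirectory() as root:
        benign = os.path.join(root, "notes.txt")
        empty = os.path.join(root, "empty.bin")
        planted = os.path.join(root, "bin", "sample.bin")
        os.makedirs(os.path.dirname(planted))
        with open(benign, "wb") as fh:
            fh.write(b"meeting notes\n")
        open(empty, "wb").close()
        with open(planted, "wb") as fh:
            fh.write(b"MZ constructed sample, not real malware\n")
        planted_sha = file_hashes(planted)[0]
        hits = sweep(root, IOC_SHA256 | {planted_sha}, IOC_MD5)
        return {
            "matches": sorted(os.path.basename(p) for p, _ in hits),
            "empty_sha256": file_hashes(empty)[0],
        }


if __name__ == "__main__":
    print(demo())
```

On a real host point sweep() at the paths where these families land (user profile and temp directories for the Segurazo and browser droppers); a hash match is exact evidence, but the absence of a match says nothing about recompiled variants, so treat it as one check among several.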
=============================================================
(c) 2021. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743