@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
January 28, 2021=============================================================
@RISK: The Consensus Security Vulnerability Alert
January 28, 2021 - Vol. 21, Num. 03
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Jan. 21 - 28
============================================================
TOP VULNERABILITY THIS WEEK: ElectroRAT malware tries to empty cryptocurrency wallets
*************** Sponsored By AWS Marketplace ****************
Webcast | Our upcoming webcast is designed to teach you how to improve your Cloud Threat Intelligence (CTI) program by gathering critical cloud-specific event data, relevant types of indicators of compromise (IoC), and adversarial tactics, techniques, and procedures (TTPs). SANS and AWS Marketplace will discuss CTI detection and prevention metrics, finding effective intelligence data feeds and sources, and determining how best to integrate them into security operations functions. Register today and be one of the first to receive the associated whitepaper written by SANS Senior Instructor, Dave Shackleford! | January 28th @ 2:00 PM ET
| http://www.sans.org/info/218770
============================================================
TRAINING UPDATE
New & Updated Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/cyber-security-courses/hacker-techniques-exploits-incident-handling/
FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics
- https://www.sans.org/cyber-security-courses/advanced-incident-response-threat-hunting-training/
Upcoming Live Online Events
Register early to save up to $300 on Live Online courses.
See event pages for specific offers.
ICS Security Summit & Training
FREE Summit: Mar 4-5 | Courses: Mar 8-13 EST
- https://www.sans.org/event/ics-security-summit-2021/
SANS Stay Sharp - Mar 8-9 EST
2-Day Pen Test & Offensive Ops Courses
- https://www.sans.org/event/stay-sharp-pen-test-march-2021/
SANS 2021 - Mar 22-27 EDT
30+ Courses | Core, Cyber Defense, and DFIR NetWars
- https://www.sans.org/event/sans-2021-live-online/
OnDemand Training Special Offer
Get an iPad mini, Galaxy Tab S5e, or Take $300 Off with OnDemand training through February 10.
- www.sans.org/specials/north-america/
Offensive Operations Resources
New Cheat Sheets, Slingshot Linux Distro, Posters, and more. View & Download
- https://www.sans.org/offensive-operations/
********************** Sponsored Links: ********************
1) Webcast | Join our live webinar during which Anthony Moisant, CISO of Glassdoor and Doug Cahill, Vice President and Group Director, Cybersecurity at Enterprise Strategy Group, will share their perspectives on the challenges security organizations faced in 2020 and what lies ahead for 2021 and beyond. | January 29th @ 1:00 PM EST
| http://www.sans.org/info/218775
2) Webcast | Join our upcoming webcast, "Best Practices for Securing Modern Cloud Native Application with ActiveCampaign CISO" where Chaim Mazal, ActiveCampaign CISO, shares his experience in the cloud native space and offers tips for others. | February 4th @ 10:30 AM EST
| http://www.sans.org/info/218780
3) Webcast | We invite your to join us tomorrow for an interactive and informative webinar on securing todays digital remote workforces! | January 29th @ 3:30 PM EST
| http://www.sans.org/info/218785
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: ElectroRAT trojan makes full push to infect cryptocurrency users
Description: A recently discovered trojan known as ElectroRAT is pulling out all the stops to try and infect cryptocurrency wallets. The actors behind this campaign have so far created three cryptocurrency-related apps that are disguised as legitimate. They've also invested in a full-fledged marketing campaign trying to encourage users to download the apps. If a victim downloads the trojanized apps, they are infected with the malware that then takes over their cryptocurrency wallet.
References: https://cyware.com/news/electrorat-yet-another-golang-multi-platform-malware-12406d32
Snort SIDs: 56991 - 56993
Title: Cisco SD-WAN vulnerabilities could allow for remote code execution
Description: Cisco disclosed multiple vulnerabilities last week that could allow attackers to execute malicious code remotely on affected devices. Three of these vulnerabilities collectively have a severity score of 9.9 out of 10. An adversary could cause a variety of conditions on the affected products that could eventually lead to remote code execution. These issues affect several Cisco products, including SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software.
Snort SIDs: 56942 - 56944, 56957 - 56963
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Google disclosed a wide-ranging campaign by North Korean state-sponsored actors looking to compromise cybersecurity researchers and organizations.
https://blog.google/threat-analysis-group/new-campaign-targeting-security-researchers/
President Joe Biden's administration is facing increasing pressure to disclose more information regarding the SolarWinds breach that's affected many private companies and government agencies.
https://www.cnn.com/2021/01/23/politics/solarwinds-hack-biden-pressure/index.html
During Biden's first full week in office, he's tapped many cybersecurity veterans to his cabinet and advisory teams and is still working to fill a cyber-focused office reporting to a new National Cyber Director.
A website uploaded screenshots from the now-shutdown Parler app to try and identify individuals who partook in riot on the U.S. Capitol earlier this month.
https://www.cnet.com/news/website-features-faces-from-parlers-capitol-riot-videos/
Vulnerabilities in Amazon's Kindle devices could have allowed adversaries to take over a device by tricking them into opening specially crafted eBooks.
As the COVID-19 vaccination effort ramps up across the globe, security experts are bracing for a new wave of attacks looking to cause economic or civil disruption.
The US Defense Intelligence Agency has circumvented warrant requirements for obtaining mobile phone location data by purchasing commercially available databases of information.
https://www.nytimes.com/2021/01/22/us/politics/dia-surveillance-data.html
President Biden's Peloton exercise bike could be a security risk, highlighting the dangers of having any internet-of-things devices connected to sensitive networks.
https://securityboulevard.com/2021/01/is-bidens-peloton-bike-an-iot-cybersecurity-risk/
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
D: CVE-2021-3129
Title: Laravel in debug mode susceptible to Remote code execution vulnerability
Vendor: Beyondco
Description: Ignition before 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents() and file_put_contents() methods. This is exploitable on sites using debug mode with Laravel before 8.4.2.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-3118
Title: ECSIMAGING PACS 6.21.5 - SQL injection Vulnerability
Vendor: Medicalexpo
Description: Unsupported versions of EVOLUCARE ECSIMAGING (aka ECS Imaging) products through 6.21.5 has multiple SQL Injection issues in the login form and the password-forgotten form. This allows an attacker to steal data in the database and obtain access to the application.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-11651
Title: Improper method call validation allows arbitrary code execution vulnerability
Vendor: Saltstack
Description: This vulnerability exists in SaltStack Salt before 2019.2.4 and 3000 before 3000.2. The salt-master process ClearFuncs class does not properly validate method calls. This allows a remote user to access some methods without authentication. These methods can be used to retrieve user tokens from the salt master and/or run arbitrary commands on salt minions.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-6207
Title: Missing Authentication Check in SAP Solution Manager
Vendor: SAP
Description: SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1337
Title: Windows Print Spooler Elevation of Privilege Vulnerability
Vendor: MicroSoft
Description: An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-17136
Title: Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability
Vendor: MicroSoft
Description: , Microsoft Windows could allow a local authenticated malicious user to gain elevated privileges on the system, caused by a flaw in the Cloud Files Mini Filter Driver. By executing a specially-crafted program, an authenticated attacker could exploit this vulnerability to execute arbitrary code with higher privileges.
CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-2109
Title: Oracle WebLogic Server 14.1.1.0 Remote Code Execution Vulnerability
Vendor: Oracle
Description: Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console). This vulnerability is easily exploitable and allows high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.
CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-1257
Title: Cisco DNA Center Cross-Site Request Forgery Vulnerability
Vendor: Cisco
Description: A vulnerability in the web-based management interface of Cisco DNA Center Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack to manipulate an authenticated user into executing malicious actions without their awareness or consent. The vulnerability is due to insufficient CSRF protections for the web-based management interface of an affected device. An attacker could exploit this vulnerability by persuading a web-based management user to follow a specially crafted link. A successful exploit could allow the attacker to perform arbitrary actions on the device with the privileges of the authenticated user. These actions include modifying the device configuration, disconnecting the user's session, and executing Command Runner commands.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2020-1472
Title: Netlogon Elevation of Privilege Vulnerability
Vendor: Multi-Vendor
Description: An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC), aka 'Netlogon Elevation of Privilege Vulnerability'.
CVSS v3 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES Jan. 21 - 28:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: b76fbd5ff8186d43364d4532243db1f16f3cca3138c1fab391f7000a73de2ea6
MD5: 6a7401614945f66f1c64c6c845a60325
VirusTotal: https://www.virustotal.com/gui/file/b76fbd5ff8186d43364d4532243db1f16f3cca3138c1fab391f7000a73de2ea6/details
Typical Filename: pmropn.exe
Claimed Product: PremierOpinion
Detection Name: PUA.Win.Adware.Relevantknowledge::231753.in02
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
=============================================================
(c) 2021. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743