@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
February 4, 2021
=============================================================
@RISK: The Consensus Security Vulnerability Alert
February 4, 2021 - Vol. 21, Num. 04
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Jan. 28 - Feb. 2
============================================================
TOP VULNERABILITY THIS WEEK: State-sponsored attack may stretch far beyond SolarWinds
******************** Sponsored By SANS *********************
Cyber Range | SANS+HBCU Cyber Ranges competition - Black History Month Edition is open for registration! Throughout this four-day event, HBCU students, alum, faculty, and staff will gain cybersecurity skills by competing in a self-paced, independent, hands-on challenge. The skills gained from our CTF are applicable to real-world jobs. The range will be open for competition on February 19th at 9 am ET and will remain open, around the clock, until it officially closes on February 22nd at 6 pm ET. Learn more: http://www.sans.org/info/218830
============================================================
TRAINING UPDATE
New & Updated Courses
SEC301: Introduction to Cybersecurity
- https://www.sans.org/cyber-security-courses/introduction-cyber-security/
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/
MGT512: Security Leadership Essentials for Managers
- https://www.sans.org/cyber-security-courses/security-leadership-essentials-managers/
Upcoming Live Online Events
Register early to save up to $300 on Live Online courses.
See event pages for specific offers.
ICS Security Summit & Training
FREE Summit: Mar 4-5 | Courses: Mar 8-13 EST
- https://www.sans.org/event/ics-security-summit-2021/
SANS Stay Sharp - Mar 8-9 EST
2-Day Pen Test & Offensive Ops Courses
- https://www.sans.org/event/stay-sharp-pen-test-march-2021/
SANS Cyber Security West 2021 - Mar 15-20 | PDT
10 Interactive Courses | Core NetWars Tournament
- https://www.sans.org/event/cyber-security-west-march-2021/
OnDemand Training Special Offer
Get an iPad mini, Galaxy Tab S5e, or Take $300 Off with OnDemand training through February 10.
- https://www.sans.org/specials/north-america/
Offensive Operations Resources
New Cheat Sheets, Slingshot Linux Distro, Posters, and more. View & Download
- https://www.sans.org/offensive-operations/
********************** Sponsored Links: ********************
1) Webcast | February 10th @ 3:30 PM EST: A step-by-step guide to implementing Moving Target Defense in OT Environments. Register Now: http://www.sans.org/info/218835
2) Upcoming Webcast: When Malware Source Code Leaks: Challenges & Solutions for Tracking New Variants. VMRay Labs Team will present their research and findings after tracking Ursnif/ISFB variants | February 11th @ 10:30 AM. http://www.sans.org/info/218840
3) In Case You Missed It | Securing Today's Digital Remote Workforces with Palo Alto Networks. View here: http://www.sans.org/info/218845
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Campaign involving SolarWinds could extend to other software
Description: U.S. officials say a suspected state-sponsored attack on U.S. government agencies and companies may have further-reaching consequences than just SolarWinds products. A new report states that the attackers linked to the SolarWinds breach may have exploited vulnerabilities other than the ones already disclosed in SolarWinds products to gain an initial foothold on victims' networks. The effects of this campaign are potentially staggering, and officials and security researchers are still unpacking the attack. Victims reportedly include government agencies and consulting, technology, telecom, and oil and gas companies in North America, Europe, Asia and the Middle East, according to FireEye. Several reports indicate that the U.S. Treasury and Commerce departments were also targeted in what is likely the same activity.
References: https://www.wsj.com/articles/suspected-russian-hack-extends-far-beyond-solarwinds-software-investigators-say-11611921601 (paywall)
Snort SIDs: 56660 - 56668
AMP: Trojan.Sunburst.[A-Z], Trojan.Teardrop.[A-Z]
ClamAV: Win.Countermeasure.Sunburst-9816012-0, Win.Countermeasure.Sunburst-9809153-0, Win.Countermeasure.Sunburst-9816013-0, Win.Countermeasure.Sunburst-9809152-0, Win.Dropper.Teardrop-9808996-3, PUA.Tool.Countermeasure.DropperRaw64TEARDROP-9808998-0
Title: LockBit ransomware operator provides insight into targets, vulnerabilities exploited
Description: Cisco Talos recently spent several weeks speaking to an operator associated with the LockBit ransomware. The TTPs the actor disclosed are yet another reminder for all organizations to remain vigilant about these seemingly unsophisticated, common cybercriminals who, despite their straightforward approach to targeting and operations, continue to be highly successful in compromising companies and wreaking havoc on unsuspecting victims. Other findings include that many cybercriminals rely almost exclusively on common open-source tools that are readily available on the internet and easy to use, and that they target only victims with unpatched environments.
Reference: https://blog.talosintelligence.com/2021/02/interview-with-lockbit-ransomware.html
Snort SIDs: 54910-54917
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
The U.S. government spent $2.2 million developing a cybersecurity tool years ago that, had it ever been implemented, might have blocked or significantly lessened the damage caused by the recent SolarWinds supply-chain attack.
https://www.propublica.org/article/solarwinds-cybersecurity-system
The FBI and other international law enforcement agencies jointly took down the Emotet botnet, disrupting infrastructure the operators used.
https://www.fbi.gov/news/stories/emotet-malware-disrupted-020121
In a separate campaign, international partners also took steps to shut down the NetWalker ransomware family, dismantling infrastructure, recovering ransom payments that victims paid, and charging one individual in connection with the operation.
Facebook has begun displaying a prompt on its mobile app for iPhone and iPad that aims to convince users that opting in to ad tracking will enhance their experience and help small businesses. Apple plans to introduce a privacy change that will require developers to obtain permission to track users across apps and websites.
Attackers are exploiting a critical zero-day vulnerability in network security company SonicWall's products.
The average ransomware payment dropped in the last quarter of 2020.
The ransom amounts attackers request are rising in value as fewer victims opt to pay extortion demands after having their files locked and/or stolen.
The WallStreetBets reddit forum is being inundated with messages posted by bots.
https://www.cbsnews.com/news/wallstreetbets-reddit-bot-activity/
A publicly available website allows anyone to conduct a reverse facial image search.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-16875
Title: Microsoft Exchange Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Microsoft Exchange server due to improper validation of cmdlet arguments. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user, aka 'Microsoft Exchange Server Remote Code Execution Vulnerability'. Recently, security researchers were able to demonstrate a bypass of the patch for this vulnerability. An updated patch is awaited from the vendor.
CVSS v3.1 Base Score: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-1144
Title: Cisco Connected Mobile Experiences Privilege Escalation Vulnerability
Vendor: Cisco
Description: A vulnerability in Cisco Connected Mobile Experiences (CMX) could allow a remote, authenticated attacker without administrative privileges to alter the password of any user on an affected system. The vulnerability is due to incorrect handling of authorization checks for changing a password. An authenticated attacker without administrative privileges could exploit this vulnerability by sending a modified HTTP request to an affected device. A successful exploit could allow the attacker to alter the passwords of any user on the system, including an administrative user, and then impersonate that user.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-25311
Title: HTCondor Directory Traversal Vulnerability
Vendor: HTCondor
Description: condor_credd in HTCondor before 8.9.11 allows Directory Traversal outside the SEC_CREDENTIAL_DIRECTORY_OAUTH directory, as demonstrated by creating a file under /etc that will later be executed by root.
CVSS v3.1 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2021-1647
Title: Microsoft Defender Remote Code Execution Vulnerability
Vendor: Microsoft
Description: This vulnerability exists in Microsoft's Defender antivirus software. Attackers can write specially crafted files that are run as soon as Microsoft Defender initiates a scan of them.
Attackers can use this vulnerability not only to bypass Microsoft anti-virus software but also to use Microsoft anti-virus software to run malicious software to launch an attack. This means that an attacker can launch a non-interactive attack, such as sending a specially crafted file as an email attachment, and the email client will trigger a scan after receiving it.
CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-21113
Title: Heap Buffer Overflow Vulnerability in Skia
Vendor: Multiple Vendors
Description: Heap buffer overflow in Skia in Google Chrome prior to 87.0.4280.141 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
ID: CVE-2021-1138, CVE-2021-1140, CVE-2021-1142
Title: Cisco Smart Software Manager Satellite Web UI Command Injection Vulnerabilities
Vendor: Cisco
Description: Multiple vulnerabilities in the web UI of Cisco Smart Software Manager Satellite could allow an unauthenticated, remote attacker to execute arbitrary commands on the underlying operating system.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-4958
Title: IBM Security Identity Governance and Intelligence Missing Authentication
Vendor: IBM
Description: IBM Security Identity Governance and Intelligence 5.2.6 does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-3190
Title: OS Command Injection Vulnerability in Async-Git
Vendor: Async-git_project
Description: The async-git package before 1.13.2 for Node.js allows OS Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-4888
Title: IBM QRadar SIEM Deserialization of Untrusted Data
Vendor: IBM
Description: IBM QRadar SIEM 7.4.0 to 7.4.2 Patch 1 and 7.3.0 to 7.3.3 Patch 7 could allow a remote attacker to execute arbitrary commands on the system, caused by insecure deserialization of user-supplied content by the Java deserialization function. By sending a malicious serialized Java object, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES Jan. 28 - Feb. 2:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4
MD5: 176e303bd1072273689db542a7379ea9
VirusTotal: https://www.virustotal.com/gui/file/8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4/details
Typical Filename: FlashHelperService.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Variant.24cl.1201
SHA 256: b76fbd5ff8186d43364d4532243db1f16f3cca3138c1fab391f7000a73de2ea6
MD5: 6a7401614945f66f1c64c6c845a60325
VirusTotal: https://www.virustotal.com/gui/file/b76fbd5ff8186d43364d4532243db1f16f3cca3138c1fab391f7000a73de2ea6/details
Typical Filename: pmropn.exe
Claimed Product: PremierOpinion
Detection Name: PUA.Win.Adware.Relevantknowledge::231753.in02
SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
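The hash pairs above are the indicators a defender would sweep an endpoint or file share for. The script below is an added example, not code from SANS or Talos: it embeds the five SHA256/MD5 pairs exactly as listed above, hashes each file under a directory in a single read pass, and reports any file whose digest matches. Digests are normalised to lower case on both sides before comparison, because indicator feeds (as in the Eternalblue entry above, which is printed in upper case) do not agree on hex case and a case-sensitive comparison silently misses hits. The benign content hashed in the usage block is constructed for the example.

```python
# Added example: sweep a directory for the prevalent-malware hashes listed
# above (not SANS or Talos code). The hash values are copied from the list.
import hashlib
import os

# (sha256, md5, typical filename, detection name) as printed in the list.
PREVALENT_FILES = [
    ("c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e",
     "9a4b7b0849a274f6f7ac13c7577daad8", "ww31.exe",
     "W32.GenericKD:Attribute.24ch.1201"),
    ("8cb8e8c9fafa230ecf2f9513117f7679409e6fd5a94de383a8bc49fb9cdd1ba4",
     "176e303bd1072273689db542a7379ea9", "FlashHelperService.exe",
     "W32.Variant.24cl.1201"),
    ("b76fbd5ff8186d43364d4532243db1f16f3cca3138c1fab391f7000a73de2ea6",
     "6a7401614945f66f1c64c6c845a60325", "pmropn.exe",
     "PUA.Win.Adware.Relevantknowledge::231753.in02"),
    ("85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5",
     "8c80dd97c37525927c1e549cb59bcbf3", "Eternalblue-2.2.0.exe",
     "Win.Exploit.Shadowbrokers::5A5226262.auto.talos"),
    ("8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9",
     "34560233e751b7e95f155b6f61e7419a", "SAntivirusService.exe",
     "PUA.Win.Dropper.Segurazo::tpd"),
]

# Index both digests of every entry, lower-cased, so a match on either hash
# algorithm resolves to the same record regardless of how the feed was cased.
INDEX = {}
for _sha256, _md5, _name, _detection in PREVALENT_FILES:
    _entry = {"sha256": _sha256.lower(), "md5": _md5.lower(),
              "filename": _name, "detection": _detection}
    INDEX[_entry["sha256"]] = _entry
    INDEX[_entry["md5"]] = _entry


def lookup(digest):
    """Return the indicator record for a SHA256 or MD5 hex digest, or None."""
    return INDEX.get(digest.strip().lower())


def hash_bytes(data):
    """SHA256 and MD5 hex digests of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest(), hashlib.md5(data).hexdigest()


def hash_file(path, chunk_size=1 << 20):
    """Both digests of a file, computed in one streaming pass (large files OK)."""
    sha256 = hashlib.sha256()
    md5 = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            sha256.update(block)
            md5.update(block)
    return sha256.hexdigest(), md5.hexdigest()


def scan(root):
    """Walk `root` and return (path, record) for every file matching an indicator.
    Unreadable files are skipped rather than aborting the sweep."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                sha256, md5 = hash_file(path)
            except OSError:
                continue
            record = lookup(sha256) or lookup(md5)
            if record:
                hits.append((path, record))
    return hits


if __name__ == "__main__":
    import sys
    for path, record in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s  %s  (%s)" % (path, record["detection"], record["filename"]))
    # Constructed content, not a real sample: demonstrates a clean lookup.
    print(lookup(hash_bytes(b"constructed benign content")[0]))
```

Matching on either digest is deliberate: some feeds publish only one of the two, and the MD5 keeps working for legacy tooling while the SHA256 is the one to trust. A match is a triage lead, not a verdict; the Typical Filename field above is informational and is intentionally not used for matching, since filenames are trivially changed.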
=============================================================
(c) 2021. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743