@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.
February 11, 2021
=============================================================
@RISK: The Consensus Security Vulnerability Alert
February 11, 2021 - Vol. 21, Num. 05
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES Feb. 4 - 11
============================================================
TOP VULNERABILITY THIS WEEK: Microsoft Patch Tuesday
*************** Sponsored By AWS Marketplace ****************
Webcast | February 25th @ 2:00 PM ET | Join SANS and AWS Marketplace as they discuss how to create a security-driven networking strategy for the AWS Cloud. Topics of discussion will include technologies, processes, and policies that can be used to enhance the security of your environment, traffic, and network-accessible assets. Register now and be among the first to receive the associated whitepaper written by SANS Senior Instructor and cloud security analyst Dave Shackleford.
| http://www.sans.org/info/218890
============================================================
TRAINING UPDATE
New & Updated Courses
SEC301: Introduction to Cybersecurity
- https://www.sans.org/cyber-security-courses/introduction-cyber-security/
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/cyber-security-courses/security-essentials-bootcamp-style/
MGT512: Security Leadership Essentials for Managers
- https://www.sans.org/cyber-security-courses/security-leadership-essentials-managers/
SANS Live Online Winter Special
Save $500 off standard 4-6 day courses during the events listed below.
Offer is valid thru February 24th. View event pages for details.
ICS Security Summit & Training
FREE Summit: Mar 4-5 | Courses: Mar 8-13 EST
- https://www.sans.org/event/ics-security-summit-2021/
SANS Cyber Security West 2021 - Mar 15-20 | PDT
10 Interactive Courses | Core NetWars Tournament
- https://www.sans.org/event/cyber-security-west-march-2021/
SANS 2021 - Mar 22-27 EDT
30+ Courses | Core, Cyber Defense, and DFIR NetWars
- https://www.sans.org/event/sans-2021-live-online
OnDemand Training Special Offer
Get a free GIAC certification attempt or take $350 Off with OnDemand or Live Online training through February 24.
- https://www.sans.org/specials/north-america/
Offensive Operations Resources
New Cheat Sheets, Slingshot Linux Distro, Posters, and more. View & Download
- https://www.sans.org/offensive-operations/
********************** Sponsored Links: ********************
1) Free Virtual Event | The Mobile Security Solutions Forum, chaired by SANS Senior Instructor, Heather Mahalik, is a free virtual event featuring invited mobile security experts who will explore various mobile security topics while showcasing current capabilities available today. Register and reserve your spot now for an incredible day! | February 19th @ 10:30 AM ET
| http://www.sans.org/info/218895
2) Webcast | We invite you to join us for our upcoming webcast, "Build and Automate an Effective Zero Trust Network with Cisco Secure Workload." This webcast and associated whitepaper reviews Secure Workload, Cisco's answer to micro-segmentation and cloud workload protection. | February 17th @ 3:30 PM EST
| http://www.sans.org/info/218900
3) Webcast | Are you overlooking the valuable role DNS can play in security detection and investigations? Join us for our upcoming webcast, "The Strategic Value of Passive DNS to Cyber Defenses and Risk Management." | February 23rd @ 3:30 PM EST
| http://www.sans.org/info/218905
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: Microsoft discloses fewest vulnerabilities in a month since Jan. 2020
Description: Microsoft released its monthly security update Tuesday, disclosing 56 vulnerabilities across its suite of products. This is the smallest number of vulnerabilities Microsoft has disclosed in a month since January 2020. Only 11 of these vulnerabilities are rated critical, three are rated moderate severity, and the remainder are considered "important." Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs. The security updates cover several different products and services, including the Microsoft Office suite of products, the Windows DNS server and the SharePoint file-sharing service.
References: https://blog.talosintelligence.com/2021/02/microsoft-patch-tuesday-for-feb-2021.html
Snort SIDs: 57103, 57104, 57106 - 57108, 57123, 57128
Title: Cisco VPN routers open to remote attacks
Description: Cisco disclosed multiple vulnerabilities in some of its RV series routers designed for use as small business VPNs. An adversary could exploit any of these flaws to view or manipulate data on the targeted device and perform other unauthorized actions. These routers have a VPN function built into them and are purpose-built for small and medium-sized businesses or as a way for users to access their office's network remotely. The vulnerabilities exist in the way the routers validate HTTP requests in their management interface. An attacker could exploit these vulnerabilities by sending a specially crafted HTTP request to the targeted device and then gain the ability to execute arbitrary code as the root user.
Snort SIDs: 57065, 57068 - 57070, 57072 - 57095
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Instagram is cracking down on a group of users known for using a variety of tactics to steal high-profile usernames on the social media app.
https://www.vice.com/en/article/g5b3y4/instagram-unmasks-ogusers-cease-and-desist
Canada's privacy commissioners say that Clearview AI facial recognition technology amounts to mass surveillance and has asked the company to remove all images of Canadians from its database.
Minneapolis police have obtained a warrant ordering Google to provide them with account data to identify individuals who were in the vicinity of vandalism and violence during May 2020 protests in that city.
https://techcrunch.com/2021/02/06/minneapolis-protests-geofence-warrant/
A threat actor published extensive patient data stolen from two major U.S. hospital chains.
Polish video game developer CD Projekt Red suffered a ransomware attack, with attackers stealing company data and the source code for two popular games, "Witcher 3" and "Cyberpunk 2077."
https://www.ign.com/articles/cd-project-red-hack-cyberpunk-2077-witcher-3-source-code-ransomware
Microsoft warned users that even though the Emotet botnet has been severely hampered by a recent international law enforcement campaign, they should keep protections in place to defend against the infamous threat.
Google blocked a popular tab-saving extension from its store after it was found to contain malware.
https://gizmodo.com/chrome-delisted-the-great-suspender-extension-but-dont-1846202554
French network security company Stormshield says it was recently the victim of a breach, which included the theft of some of the company's source code.
https://www.zdnet.com/article/security-firm-stormshield-discloses-data-breach-theft-of-source-code/
A United Nations panel says North Korea is still relying on cyber attacks to fund the development and updates of its nuclear and ballistic weapons programs.
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2021-3156
Title: Heap-Based Buffer Overflow in Sudo
Vendor: sudo_project and Multiple Vendors
Description: Sudo before 1.9.5p2 has a Heap-based Buffer Overflow, allowing privilege escalation to root via "sudoedit -s" and a command-line argument that ends with a single backslash character.
CVSS v3.1 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
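The entry above defines the affected range by the upstream release string ("before 1.9.5p2"), so a fleet check reduces to parsing sudo's version format correctly: the optional "pN" patch level sorts after the base release, and a version with no patch level is older than the same version with p1. The following is an added example, not code from SANS, Qualys or the sudo project; it parses the first line printed by `sudo --version` (for instance "Sudo version 1.9.5p1", a constructed sample) and compares it with the fixed version named in the entry. It assumes the upstream numbering only; a distribution that backported the fix under an older version string would need its own advisory consulted instead.

```python
import re

# Fixed upstream version as stated in the entry above ("Sudo before 1.9.5p2").
FIXED_VERSION = "1.9.5p2"

# major.minor[.patch][pLEVEL], e.g. "1.8.31", "1.9.5p1"
_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_sudo_version(text):
    """Return (major, minor, patch, plevel) from a bare version string or from
    the first line of `sudo --version` output. Missing patch/plevel count as 0,
    so "1.9.5" < "1.9.5p1" < "1.9.5p2" < "1.9.6" under plain tuple comparison."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError("no sudo version found in %r" % text)
    major, minor, patch, plevel = match.groups()
    return (int(major), int(minor), int(patch or 0), int(plevel or 0))


def is_before_fix(text, fixed=FIXED_VERSION):
    """True when the reported upstream version is older than the fixed release."""
    return parse_sudo_version(text) < parse_sudo_version(fixed)


def triage(version_lines):
    """Map host -> needs-update flag for a dict of {host: sudo --version line}."""
    return {host: is_before_fix(line) for host, line in version_lines.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "build01": "Sudo version 1.8.31",
        "web02": "Sudo version 1.9.5p1",
        "jump03": "Sudo version 1.9.5p2",
    }
    for host, flag in triage(sample).items():
        print(host, "UPDATE" if flag else "ok")
```

Run on a real inventory, feed it the first line of each host's `sudo --version` output; anything flagged is in the range the entry describes and goes to the top of the patch list.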
ID: CVE-2021-26843
Title: Denial of Service Vulnerability in sthttpd
Vendor: sthttpd_project
Description: This is an issue in sthttpd through 2.27.1. On systems where the strcpy function is implemented with memcpy, the de_dotdot function may cause a Denial-of-Service (daemon crash) due to overlapping memory ranges being passed to memcpy. This can be triggered with an HTTP GET request for a crafted filename.
CVSS v3.1 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
ID: CVE-2021-3378
Title: Arbitrary File Upload Vulnerability in Fortilogger
Vendor: Fortilogger
Description: FortiLogger 4.4.2.2 is affected by Arbitrary File Upload by sending a "Content-Type: image/png" header to Config/SaveUploadedHotspotLogoFile and then visiting Assets/temp/hotspot/img/logohotspot.asp.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-25274
Title: Remote Code Execution Vulnerability in SolarWinds
Vendor: Solarwinds
Description: The Collector Service in SolarWinds Orion Platform before 2020.2.4 uses MSMQ (Microsoft Message Queue) and doesn't set permissions on its private queues. As a result, remote unauthenticated clients can send messages to TCP port 1801 that the Collector Service will process. Additionally, upon processing of such messages, the service deserializes them in an insecure manner, allowing remote arbitrary code execution as LocalSystem.
CVSS v3.1 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-25646
Title: Remote Code Execution Vulnerability in Apache Druid
Vendor: Apache
Description: Apache Druid includes the ability to execute user-provided JavaScript code embedded in various types of requests. This functionality is intended for use in high-trust environments, and is disabled by default. However, in Druid 0.20.0 and earlier, it is possible for an authenticated user to send a specially-crafted request that forces Druid to run user-provided JavaScript code for that request, regardless of server configuration. This can be leveraged to execute code on the target machine with the privileges of the Druid server process.
CVSS v3.1 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2021-21261
Title: Arbitrary Code Execution Vulnerability in Flatpak
Vendor: Flatpak
Description: Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. This vulnerability in the `flatpak-portal` service can allow sandboxed applications to execute arbitrary code on the host system (a sandbox escape). This sandbox-escape bug is present in versions from 0.11.4 and before fixed versions 1.8.5 and 1.10.0. The Flatpak portal D-Bus service (`flatpak-portal`, also known by its D-Bus service name `org.freedesktop.portal.Flatpak`) allows apps in a Flatpak sandbox to launch their own subprocesses in a new sandbox instance, either with the same security settings as the caller or with more restrictive security settings. In vulnerable versions, the Flatpak portal service passes caller-specified environment variables to non-sandboxed processes on the host system, and in particular to the `flatpak run` command that is used to launch the new sandbox instance. A malicious or compromised Flatpak app could set environment variables that are trusted by the `flatpak run` command, and use them to execute arbitrary code that is not in a sandbox.
CVSS v3.1 Base Score: 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2021-23926
Title: XML Entity Expansion Vulnerability in Apache XMLBeans
Vendor: Apache
Description: This vulnerability exists in the XML parsers used by XMLBeans up to version 2.6.0. The XML parsers did not set the properties needed to protect the user from malicious XML input. As a result, applications using these parsers are exposed to XML Entity Expansion attacks.
CVSS v3.1 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H)
ID: CVE-2020-6779
Title: Weak Authentication Vulnerability in Bosch Products Database
Vendor: Bosch
Description: Use of Hard-coded Credentials in the database of Bosch FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows an unauthenticated remote attacker to log into the database with admin-privileges. This may result in complete compromise of the confidentiality and integrity of the stored data as well as a high availability impact on the database itself. In addition, an attacker may execute arbitrary commands on the underlying operating system.
CVSS v3.1 Base Score: 10 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES Feb. 4 - 11:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: 85B936960FBE5100C170B777E1647CE9F0F01E3AB9742DFC23F37CB0825B30B5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAntivirusService.exe
Claimed Product: A n t i v i r u s S e r v i c e
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e
MD5: 9a4b7b0849a274f6f7ac13c7577daad8
VirusTotal: https://www.virustotal.com/gui/file/c1d5a585fce188423d31df3ea806272f3daa5eb989e18e9ecf3d94b97b965f8e/details
Typical Filename: ww31.exe
Claimed Product: N/A
Detection Name: W32.GenericKD:Attribute.24ch.1201
SHA 256: 4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b
MD5: f37167c1e62e78b0a222b8cc18c20ba7
VirusTotal: https://www.virustotal.com/gui/file/4647f1a0850a961e341a863194e921c102578a9c4ef898fa5e4b54d9fb65e57b/details
Typical Filename: flashhelperservice.exe
Claimed Product: Flash Helper Service
Detection Name: W32.4647F1A085.in12.Talos
SHA 256: 1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f
MD5: 88781be104a4dcb13846189a2b1ea055
VirusTotal: https://www.virustotal.com/gui/file/1a8a17b615799f504d1e801b7b7f15476ee94d242affc103a4359c4eb5d9ad7f/details
Typical Filename: ActivityElement.dp
Claimed Product: N/A
Detection Name: Win.Trojan.Generic::sso.talos
=============================================================
(c) 2021. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743