SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.
Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.
Volume XX - Issue #31
July 30, 2020
=============================================================
@RISK: The Consensus Security Vulnerability Alert
July 30, 2020 - Vol. 20, Num. 31
Providing a reliable, weekly summary of newly discovered attack vectors,
vulnerabilities with active exploits, and explanations of how recent
attacks worked
Archived issues may be found at http://www.sans.org/newsletters/at-risk
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST PREVALENT MALWARE FILES July 23 - 30
============================================================
TOP VULNERABILITY THIS WEEK: Prometei botnet goes after computing power in the name of Monero
******************** Sponsored By SANS *********************
Free Virtual Event | The SANS Cyber Solutions Fest 2020 is a 2 day virtual event featuring 4 unique tracks chaired by top SANS experts. Talks will feature case studies, demos and discussions revolving around solutions available in the marketplace | October 8-9
| http://www.sans.org/info/217185
============================================================
TRAINING UPDATE
Best Special Offers of the Year are Available Now with OnDemand
Choose a MacBook Air, Surface Pro 7, or Take $350 Off through August 5.
- https://www.sans.org/ondemand/specials
SANS now offers THREE ways to complete a course:
OnDemand | Live Online | In-Person:
- https://www.sans.org/ondemand/
- https://www.sans.org/live-online
- https://www.sans.org/cyber-security-training-events/in-person/north-america
Keep your skills sharp with SANS Online Training:
. The world's top cybersecurity courses
. Taught by real world practitioners
. Ideal preparation for more than 30 GIAC Certifications
Top OnDemand Courses
SEC401: Security Essentials Bootcamp Style
- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling
- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling
SEC560: Network Penetration Testing and Ethical Hacking
- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking
______________________
Upcoming In-Person and Live Online Events:
SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online
- https://www.sans.org/event/baltimore-fall-2020
Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online
- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020
SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online
- https://www.sans.org/event/network-security-2020
SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Reston, VA or Live Online
- https://www.sans.org/event/northern-va-reston-fall-2020
______________________
Test drive a course: https://www.sans.org/course-preview
View the full SANS course catalog and skills roadmap.
- https://www.sans.org/cyber-security-courses
- https://www.sans.org/cyber-security-skills-roadmap
********************** Sponsored Links: ********************
1) Survey | This is your chance to be the lucky winner of a $150 Amazon Gift Card for completing the "SANS 2020 Threat Hunting Survey"
| http://www.sans.org/info/217170
2) Webcast | August 6 @ 1:00 PM EDT | Join SANS instructor, John Hubbard as he dives into our informative upcoming webcast titled "Understanding and Leveraging the MITRE ATT&CK Framework: A SANS Roundtable"
| http://www.sans.org/info/217175
3) Webcast | We invite you to join John Pescatore for our upcoming webcast as he presents "How to Show Business Benefit by Moving to Risk-Based Vulnerability Management" | August 11 @ 2:00 PM EDT
| http://www.sans.org/info/217190
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
Title: New botnet supports cryptocurrency mining for Monero
Description: Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefit for the attacker by mining the Monero cryptocurrency. Prometei employs various methods to spread across the network, such as SMB with stolen credentials, psexec, WMI and SMB exploits. The adversary also uses several crafted tools that help the botnet increase the number of systems participating in its Monero-mining pool. Apart from a large focus on spreading across the environment, Prometei also tries to recover administrator passwords. The discovered passwords are sent to the C2 and then reused by other modules that attempt to verify the validity of the passwords on other systems using the SMB and RDP protocols.
References: https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html
Snort SIDs: 54610 - 54612
Title: Attackers exploit high-severity vulnerability in Cisco Adaptive Security Appliance
Description: Cisco warned users that attackers are actively exploiting a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software that could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability exists due to improper input validation of URLs in HTTP requests. An adversary could use this flaw to carry out directory traversal attacks.
References: https://threatpost.com/attackers-exploiting-high-severity-network-security-flaw-cisco-warns/157756/
Snort SIDs: 54598 - 54601
============================================================
INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY
Many Garmin GPS services went dark for several days last week after a ransomware attack.
While many users complained of the Garmin outage affecting things like workout tracking, the attack was much more serious in that it shut down Garmin's flight-tracking technology used by amateur and training pilots.
https://www.wired.com/story/garmin-outage-ransomware-attack-workouts-aviation/
Top Democrats in Congress called on President Donald Trump's administration to go public with the top security threats facing the 2020 general election.
The manager of the Cerberus Android malware is selling what they say is the banking trojan's source code for $100,000, all while still offering services at yearly and monthly rates, too.
An unknown hacker breached the infamous Emotet botnet, replacing its malware payloads with humorous GIFs, defanging what is the origin of many spam emails.
Attackers are still exploiting a major vulnerability in F5's BIG-IP controller, weeks after the company first disclosed the bug. The U.S. government urged all users to patch as soon as possible.
A leading American think tank warned that companies need to take greater measures to protect supply chains from cyber attacks, outlining 115 examples of attacks that took place over the past 10 years.
The Fancy Bear APT hacking group carried out an espionage campaign from December 2018 until May 2020, looking to break into mail servers belonging to major U.S. government agencies and energy sector organizations.
https://www.wired.com/story/russia-fancy-bear-us-hacking-campaign-government-energy/
Grocery delivery app Instacart blamed reused passwords for a recent spike in compromised accounts.
https://techcrunch.com/2020/07/24/instacart-data-theft-two-factor/
=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM
This is a list of recent vulnerabilities for which exploits are
available. System administrators can use this list to help in
prioritization of their remediation activities. The Qualys Vulnerability
Research Team compiles this information based on various exploit
frameworks, exploit databases, exploit kits and monitoring of internet
activity.
ID: CVE-2020-3187
Title: Cisco ASA Software and FTD Software Web Services Path Traversal Vulnerability
Vendor: Cisco
Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences.
CVSS v3 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
ID: CVE-2020-3452
Title: Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability
Vendor: Cisco
Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.
CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
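Both Cisco entries above (CVE-2020-3187 and CVE-2020-3452, also covered in the Talos item earlier in this issue) come down to the same defect class: a URL path from an HTTP request mapped onto the filesystem without proper validation, so directory traversal sequences escape the intended directory. The following added example, written for this newsletter and unrelated to Cisco's code, shows the unsafe join-and-serve pattern next to a version that confines the result to a web root; the function names and the `/var/www/html` root are assumptions for illustration.

```python
"""Mapping a request path onto a web root without directory traversal.

Added example, not Cisco code. unsafe_map_path() is the vulnerable pattern;
safe_map_path() is the hardened one.
"""
import os
from urllib.parse import unquote


def unsafe_map_path(web_root: str, url_path: str) -> str:
    """Vulnerable: decode the URL and join it onto the root. A '../'
    sequence in the request walks straight out of web_root."""
    return os.path.normpath(os.path.join(web_root, unquote(url_path).lstrip("/")))


class TraversalRejected(ValueError):
    """Raised when a request path must not be served."""


def safe_map_path(web_root: str, url_path: str) -> str:
    """Hardened: decode exactly once, reject anything that still looks encoded
    (double-encoding such as %252e%252e), reject NUL, backslash and any '..'
    segment, then confirm the resolved path still lies under web_root."""
    decoded = unquote(url_path)
    if "%" in decoded:
        raise TraversalRejected("encoded characters survive one decode")
    if "\x00" in decoded or "\\" in decoded:
        raise TraversalRejected("NUL or backslash in request path")
    if any(segment == ".." for segment in decoded.split("/")):
        raise TraversalRejected("dot-dot segment in request path")

    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # realpath follows symlinks, so a link inside the root pointing outside
    # it is caught here as well; commonpath guards against '/var/www/html2'.
    if os.path.commonpath([root, candidate]) != root:
        raise TraversalRejected("resolved path escapes web root")
    return candidate


def is_rejected(web_root: str, url_path: str) -> bool:
    """True when safe_map_path() refuses the request (used by the demo)."""
    try:
        safe_map_path(web_root, url_path)
    except TraversalRejected:
        return True
    return False


if __name__ == "__main__":
    root = "/var/www/html"  # assumed web root for illustration
    for req in ["/index.html", "/../../../etc/passwd",
                "/%2e%2e/%2e%2e/%2e%2e/etc/passwd", "/%252e%252e/etc/passwd"]:
        print(f"{req:40} unsafe -> {unsafe_map_path(root, req)}  "
              f"safe -> {'REJECTED' if is_rejected(root, req) else 'served'}")
```

The explicit `..` check happens before any normalisation on purpose: `os.path.normpath("/../../etc/passwd")` silently collapses to `/etc/passwd`, so a check run only after normalisation would see a clean-looking path. The rule is deliberately strict (it also refuses `/img/../index.html`); a server that wants to allow such paths should canonicalise and then apply the `commonpath` check, never rely on string matching alone.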
ID: CVE-2020-8163
Title: Ruby On Rails Remote Code Execution Vulnerability
Vendor: Ruby On Rails
Description: This is a code injection vulnerability that would allow an attacker who controls the "locals" argument of a "render" call to achieve remote code execution.
CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-5902
Title: F5 BIG-IP Remote Code Execution Vulnerability
Vendor: F5
Description: F5 BIG-IP is exposed to a remote code execution vulnerability. The vulnerability, which has been actively exploited in the wild, allows attackers with network access to read files, execute code or take complete control of vulnerable systems.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-1350
Title: Microsoft Windows DNS Server Remote Code Execution Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
ID: CVE-2020-3140
Title: Cisco Prime License Manager Privilege Escalation Vulnerability
Vendor: Cisco
Description: A vulnerability in the web management interface of Cisco Prime License Manager (PLM) Software could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device. The vulnerability is due to insufficient validation of user input on the web management interface. An attacker could exploit this vulnerability by submitting a malicious request to an affected system. An exploit could allow the attacker to gain administrative-level privileges on the system.
CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
ID: CVE-2020-2021
Title: Palo Alto Networks PAN-OS Authentication Bypass in SAML Authentication Vulnerability
Vendor: Palo Alto Networks
Description: When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.
CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
=========================================================
MOST PREVALENT MALWARE FILES July 23 - 30:
COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP
SHA 256: e66d6d13096ec9a62f5c5489d73c0d1dd113ea4668502021075303495fd9ff82
MD5: f0fdc17674950a4eaa4bbaafce5007f6
VirusTotal: https://www.virustotal.com/gui/file/e66d6d13096ec9a62f5c5489d73c0d1dd113ea4668502021075303495fd9ff82/details
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Service
Detection Name: W32.Auto:e66d6d1309.in03.Talos
SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9
MD5: 34560233e751b7e95f155b6f61e7419a
VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details
Typical Filename: SAService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::tpd
SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd
MD5: 8193b63313019b614d5be721c538486b
VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details
Typical Filename: SAntivirusService.exe
Claimed Product: SAService
Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg
SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3
MD5: 47b97de62ae8b2b927542aa5d7f3c858
VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details
Typical Filename: qmreportupload.exe
Claimed Product: qmreportupload
Detection Name: Win.Trojan.Generic::in10.talos
SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details
Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin
Claimed Product: N/A
Detection Name: Win.Dropper.Agentwdcr::1201
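The SHA-256 values in the list above are the part worth automating: a content hash catches a sample even after it has been renamed from, say, `SAService.exe` to something innocuous. The following is an added example of a small hash sweep, written for this newsletter and not Talos tooling. It takes the five SHA-256 values exactly as printed in this issue, hashes every regular file under a directory in chunks, and reports matches; the `demo()` function builds its own temporary directory with constructed files so it runs offline.

```python
"""Sweep a directory for files whose SHA-256 matches this issue's malware list.

Added example, not Talos tooling. IOC_SHA256 holds the hashes printed in this
issue; everything written to disk by demo() is constructed test content.
"""
import hashlib
import io
import os
import tempfile

# SHA-256 values and typical filenames copied from the list above.
IOC_SHA256 = {
    "e66d6d13096ec9a62f5c5489d73c0d1dd113ea4668502021075303495fd9ff82": "FlashHelperServices.exe",
    "8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9": "SAService.exe",
    "e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd": "SAntivirusService.exe",
    "3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3": "qmreportupload.exe",
    "c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f":
        "c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin",
}


def hash_stream(fh, chunk_size=1 << 20):
    """Return (sha256_hex, md5_hex) for a binary stream, reading in chunks so
    large binaries never have to fit in memory."""
    sha256, md5 = hashlib.sha256(), hashlib.md5()
    for chunk in iter(lambda: fh.read(chunk_size), b""):
        sha256.update(chunk)
        md5.update(chunk)
    return sha256.hexdigest(), md5.hexdigest()


def hash_bytes(data: bytes):
    """Convenience wrapper for in-memory content."""
    return hash_stream(io.BytesIO(data))


def file_digests(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def scan_directory(root, iocs=IOC_SHA256):
    """Hash every regular file below root; return {path: ioc_label} for matches.
    Symlinks are skipped so a link cannot drag the sweep outside root."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            sha256, _ = file_digests(full)
            if sha256 in iocs:
                hits[full] = iocs[sha256]
    return hits


def demo():
    """Build a temp dir with two constructed files. The second file's hash is
    added to a copy of the IoC set so the match path is exercised without
    any real malware on disk."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "notes.txt"), "wb") as fh:
            fh.write(b"constructed benign content\n")
        stand_in = os.path.join(tmp, "renamed.dat")
        with open(stand_in, "wb") as fh:
            fh.write(b"constructed stand-in for a known-bad sample\n")

        iocs = dict(IOC_SHA256)
        iocs[file_digests(stand_in)[0]] = "constructed test indicator"
        return {
            "against_page_list": scan_directory(tmp),
            "with_test_indicator": {os.path.basename(p): label
                                    for p, label in scan_directory(tmp, iocs).items()},
        }


if __name__ == "__main__":
    print(demo())
```

Hash matching is exact, so it only finds byte-identical copies of the listed files; it is a cheap first pass for a fleet, not a substitute for the Talos detection names, which also cover variants.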
=============================================================
(c) 2020. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but
no posting is allowed on web sites. For a free subscription, (and for
free posters) or to update a current subscription, visit
SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743