Live, interactive cybersecurity training available through SANS Live Online. View upcoming events.

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

March 5, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            March 5, 2020 - Vol. 20, Num. 10


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Feb. 27 - March 5

============================================================


TOP VULNERABILITY THIS WEEK: Mozart backdoor uses DNS to communicate with attackers


******************** Sponsored By SANS *********************


Women in Cybersecurity Forum, April 24th in Washington, D.C. Join successful and empowering women including Lesley Carhart, Diana Kelley and Renee Guttmann as they share their experiences working in the cybersecurity industry. Learn about their valuable training experiences, advice on moving up the corporate ladder, and more! Free with discount code WICForum2020. http://www.sans.org/info/215715


============================================================

TRAINING UPDATE


-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020


-- SANS Security West 2020 |San Diego, CA | May 6-13 | https://www.sans.org/event/security-west-2020


-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020


-- SANS San Francisco Spring 2020 | March 16-27 | https://www.sans.org/event/san-francisco-spring-2020


-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020


-- SANS London April 2020 | April 20-25 | https://www.sans.org/event/london-april-2020


-- Cloud Security Summit & Training 2020 | Frisco, TX | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020


-- Rocky Mountain Hackfest Summit & Training 2020 | Denver, CO | June 1-8 | https://www.sans.org/event/rockymountainhackfest-summit-2020


-- SANS OnDemand and vLive Training

Get an iPad mini (64GB), HP Chromebook 14 G5, or Take $300 Off through March 18 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Webinar: How to Prioritize Security Controls for Situational Awareness in AWS. http://www.sans.org/info/215720


2) Webcast March 12th at 1PM ET: Innovative Application Security Testing Techniques for Modern Software Development. http://www.sans.org/info/215725


3) Learn best practices for implementing SD-WAN to ensure consistent security in this upcoming webcast. http://www.sans.org/info/215730



============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Details of new Mozart malware family unveiled

Description: A new malware family known as "Mozart" uses DNS to communicate with a command and control seemingly belonging to its creators. It also evades detection by disguising itself and executing specialized JSScript files. Once infected, Mozart can download other types of malware onto the victim machine, including ransomware and cryptocurrency miners. This malware is typically spread through spam campaigns with malicious PDF attachments. If a victim opens the PDF, it displays a message saying that the PDF reader doesn't support a specific font, and asks the user to download a font, which actually points to a malicious ZIP file.

Reference: https://www.pcrisk.com/removal-guides/17152-mozart-malware

Snort SIDs: 53364 - 53373


Title: Ryuk ransomware strikes across the globe

Description: Several reports surfaced over the past week of the Ryuk ransomware being used in attacks over the course of the past year. Notable recent infections include an attack on a Fortune 500 company that specializes in mechanical and electrical construction, a local library system and police department in Florida and a school district in New Mexico. Ryuk primarily spreads through phishing emails and contains a number of capabilities, including credential theft and the downloading of a cryptocurrency miner.

Reference: https://www.infosecurity-magazine.com/blogs/ryuk-defending-ransomware/

Snort SIDs: 53333, 53334, 53336, 53337


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


A BuzzFeed News investigation found that the controversial Clearview AI facial recognition company is partnering with more than 2,200 government organizations and private companies across the U.S., including the U.S. Justice Department, Immigration and Customs Enforcement and even the NBA.

https://www.buzzfeednews.com/article/ryanmac/clearview-ai-fbi-ice-global-law-enforcement


An NSA program aimed at scraping metadata from Americans' phone calls only produced two leads over the course of its four years in existence, despite the program costing $100 million to run.

https://www.theatlantic.com/ideas/archive/2020/02/costs-spying/607177/


A new variant of the Cerberus trojan for Android devices can steal user's Google two-factor authentication passcodes to gain access to secured accounts.

https://www.zdnet.com/article/android-malware-can-steal-google-authenticator-2fa-codes/


A widely used Wi-Fi chip is open to an attack that could allow adversaries to break WPA2 Personal and Enterprise protocols.

https://threatpost.com/billions-of-devices-wifi-encryption-hack/153267/


Online prescription provider GoodRx announced it was stopping an information-sharing partnership with Google and Facebook after multiple reports made customers aware of the relationships.

https://nakedsecurity.sophos.com/2020/03/03/goodrx-stops-sharing-personal-medical-data-with-google-facebook/


The U.S.'s so-called "Super Tuesday" in the primary elections was shaping up to be the country's first major test of its cyber security preparedness for this year's election season.

https://www.cnbc.com/2020/03/03/on-super-tuesday-us-voting-technology-will-be-under-intense-scrutiny.html


American officials charged two Chinese nationals with laundering more than $100 million worth of cryptocurrency for a state-sponsored North Korean threat actor.

https://www.washingtonpost.com/local/legal-issues/two-chinese-nationals-indicted-in-cryptocurrency-laundering-scheme-linked-to-north-korea/2020/03/02/b6a286c2-5c8d-11ea-9055-5fa12981bbbf_story.html


The U.S. Federal Communications Commission outlined a plan to fine wireless carriers up to $200 million for selling customers' location data.

https://krebsonsecurity.com/2020/02/fcc-proposes-to-fine-wireless-carriers-200m-for-selling-customer-location-data/


MITRE released the newest version of its Common Weakness Enumeration list, adding new categories for security vulnerabilities that could arise in hardware design.

https://www.helpnetsecurity.com/2020/02/27/hardware-security-weaknesses/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2020-0688

Title:  Microsoft Windows Installer Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1938

Title:  Apache Tomcat AJP File Inclusion Vulnerability ("Ghostcat")

Vendor: Apache

Description: Due to a file inclusion defect in the AJP service (port 8009) that is enabled by default in Tomcat, an attacker can construct a malicious request package for file inclusion operation, and then read the web directory file on the affected Tomcat server.

CVSS v3 Base Score: 9.8    (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2019-9465

Title:  Google's Titan M chip Information Disclosure Vulnerability

Vendor: Google

Description: In the Titan M handling of cryptographic operations, there is a possible information disclosure due to an unusual root cause. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Product: Android Versions: Android-10 Android ID: A-133258003.

CVSS v3 Base Score:    5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)


ID:        CVE-2020-8794

Title:  OpenBSD OpenSMTPD Local Privilege Escalation and Remote Code Execution Vulnerability

Vendor: OpenBSD

Description: An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

CVSS v3 Base Score: 9.8    (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2019-15126

Title:  WPA and WPA2 Disassociation Vulnerability ("Kr00k")

Vendor: Multi-Vendor

Description: An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic.

CVSS v3 Base Score:    3.1 (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)


ID:        CVE-2020-6418

Title:  Google Chrome Heap Corruption Vulnerability

Vendor: Google

Description: Type confusion in V8 in Google Chrome allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code in the context of the browser.

CVSS v3 Base Score:    6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)


=========================================================


MOST PREVALENT MALWARE FILES Feb. 27 - March 5:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94

MD5: 7c38a43d2ed9af80932749f6e80fea6f

VirusTotal: https://www.virustotal.com/gui/file/c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94/details

Typical Filename: wup.exe

Claimed Product: N/A

Detection Name: PUA.Win.File.Coinminer::1201


SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7

MD5: 88cbadec77cf90357f46a3629b6737e6

VirusTotal: https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.File.2144flashplayer::tpd


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743