Join us at the Rocky Mountain Hackfest, Live Online!! Virtual summit and courses take place June 4-13.

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

March 19, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            March 19, 2020 - Vol. 20, Num. 12


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES March 12 - 19

============================================================


TOP VULNERABILITY THIS WEEK: Microsoft patches more than 100 vulnerabilities in monthly update


*********** Sponsored By Fidelis Cybersecurity  ************


Elevating Enterprise Security with Fidelis Cybersecurity: Network and Deception | This two-part webcast features Matt Bromiley providing feedback on the Fidelis Elevate platform, with respect to its ability to provide insight into network traffic, threats, deception and endpoint activity. Learn how this platform enables holistic visibility into network activity, focused investigations, and deception techniques. View here: http://www.sans.org/info/215865


============================================================

TRAINING UPDATE


In response to the global escalation of the COVID-19 outbreak, and to keep our community safe, SANS will not run any in-person training between now and June 1st. We are in the process of transitioning these live events to virtual formats when possible. Check https://www.sans.org/information-security-training/by-location/all for a schedule of courses you can complete online.

Any course you have or will purchase is protected by the SANS Training Guarantee. For more information, visit https://www.sans.org/training-guarantee or contact us: https://www.sans.org/about/contact/.Travel-Free Training with SANS Online


SANS remains committed to providing you with:

-- The world's best cybersecurity training

-- Several battle-tested online platforms

-- The same Instructors, content, and learning results as live training

-- Hands-on labs and subject matter expert support

45 Courses are available now - no travel required. Learn More: sans.org/notravel

-- SANS 2020 - CyberCast | April 3-10 | https://www.sans.org/event/sans-2020-- SANS Seattle Spring 2020 - CyberCast | March 23-28 | https://www.sans.org/event/seattle-spring-2020


-- SANS Philadelphia 2020 - CyberCast | March 30-April 4 | https://www.sans.org/event/philadelphia-2020


-- SANS Bethesda 2020 - CyberCast | April 14-19 | https://www.sans.org/event/bethesda-2020


-- SANS Minneapolis 2020 - CyberCast | April 14-19 | https://www.sans.org/event/minneapolis-2020


-- SANS Boston Spring 2020 - CyberCast | April 20-25 | https://www.sans.org/event/boston-spring-2020


-- SANS Pen Test Austin 2020 - CyberCast | April 27-May 2 | https://www.sans.org/event/pen-test-austin-2020


-- Cloud Security Summit & Training 2020 - CyberCast | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Cyber Threat Intelligence Solutions Forum | Join Robert M. Lee and guest speakers from ReversingLabs, Ixia, Recorded Future and DomainTools for this live simulcast. Register: http://www.sans.org/info/215870


2) Webcast | Knock, Knock: Is This Security Thing Working? Be among the first to receive the associated whitepaper written by Matt Bromiley. http://www.sans.org/info/215855


3) Webcast March 25th at 1 PM ET: Stopping Attacks in Their Tracks Through Behavioral Blocking and Containment. Register: http://www.sans.org/info/215860


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Parallax malware-for-sale increasingly spread through spam

Description: The Parallax remote access trojan has been increasingly seen in spam emails as it becomes publicly available on hacker forums. The malware-as-a-service costs roughly $65 a month. Attackers attempt to use the RAT to gain access to a victim's machine, and then steal their login credentials and files and execute code. Users are recommended to be vigilant for phony emails that may contain malicious links pointing to a Parallax download.

Reference: https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/

Snort SIDs: 53437 - 53440


Title: Zoho ManageEngine contains remote code execution vulnerability, being exploited in the wild

Description: Attackers are exploiting a remote code execution vulnerability in Zoho ManageEngine in the wild. The bug, identified as CVE-2020-10189, could allow an attacker to deserialize data and then execute arbitrary code on the victim machine with SYSTEM or root privileges. One security researcher discovered 2,300 unprotected instances utilizing ManageEngine.

Reference: https://www.helpnetsecurity.com/2020/03/10/cve-2020-10189/

Snort SIDs: 53433 - 53435


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


The COVID-19 pandemic has attackers looking to capitalize on current events, specifically spreading a popular map app that claims to show where there are new virus cases.

https://arstechnica.com/information-technology/2020/03/the-internet-is-drowning-in-covid-19-related-malware-and-phishing-scams/


More workers across the globe are also staying home to as part of "social distancing," which leaves large organizations open to cyber attacks. Here are some tips for staying safe online while working remotely.

https://www.zdnet.com/article/working-from-home-cybersecurity-tips-for-remote-workers/


The US Department of Health and Human Services suffered a cyber attack earlier this week as the government scrambled to respond to COVID-19.

https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response


Microsoft released an out-of-band security update for a vulnerability in SMBv3 that could allow attackers to connect to remote systems while SMB is enabled.

https://www.zdnet.com/article/microsoft-patches-smbv3-wormable-bug-that-leaked-earlier-this-week/


The US Senate passed a 77-day extension of it surveillance powers, which allows them to carry out "roving" wiretaps and other actions, though leaders promise they will use that time to make changes to the policy.

https://thehill.com/policy/national-security/487910-senate-clears-77-day-extension-of-surveillance-powers


US Congress is working on a bill that would essentially allow lawmakers to bypass end-to-end encryption, though it has largely gone unnoticed during the COVID-19 outbreak.

https://www.theverge.com/interface/2020/3/12/21174815/earn-it-act-encryption-killer-lindsay-graham-match-group


A new bill in the US Senate would ban the Chinese-developed app TikTok from federal workers' mobile devices.

https://www.politico.com/news/2020/03/12/senate-bill-would-ban-tiktok-on-federal-employees-work-phones-126727


A new strain of Android malware known as "Cookiethief" is stealing users' Facebook credentials.

https://www.darkreading.com/new-android-malware-strain-sneaks-cookies-from-facebook/d/d-id/1337304


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2020-0796

Title:  Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-0787

Title:  Microsoft Windows Background Intelligent Transfer Service Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when the Windows Background Intelligent Transfer Service (BITS) improperly handles symbolic links. An attacker who successfully exploited this vulnerability could overwrite a targeted file leading to an elevated status.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-0688

Title:  Microsoft Exchange Memory Corruption Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. Knowledge of a the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2019-1019

Title:  Microsoft Windows Security Feature Bypass Vulnerability

Vendor: Microsoft

Description: A security feature bypass vulnerability exists where a NETLOGON message is able to obtain the session key and sign messages. To exploit this vulnerability, an attacker could send a specially crafted authentication request. An attacker who successfully exploited this vulnerability could access another machine using the original user privileges.

CVSS v3 Base Score: 8.5 (AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2019-18683

Title:  Linux Kernel User After Free Vulnerability

Vendor: Multi-Vendor

Description: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.

CVSS v3 Base Score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2019-18683

Title:  Linux Kernel User After Free Vulnerability

Vendor: Multi-Vendor

Description: An issue was discovered in drivers/media/platform/vivid in the Linux kernel. It is exploitable for privilege escalation on some Linux distributions where local users have /dev/video0 access, but only if the driver happens to be loaded. There are multiple race conditions during streaming stopping in this driver (part of the V4L2 subsystem). These issues are caused by wrong mutex locking in vivid_stop_generating_vid_cap(), vivid_stop_generating_vid_out(), sdr_cap_stop_streaming(), and the corresponding kthreads. At least one of these race conditions leads to a use-after-free.

CVSS v3 Base Score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1938

Title:  Apache Tomcat AJP File Inclusion Vulnerability ("Ghostcat")

Vendor: Apache

Description: Due to a file inclusion defect in the AJP service (port 8009) that is enabled by default in Tomcat, an attacker can construct a malicious request package for file inclusion operation, and then read the web directory file on the affected Tomcat server.

CVSS v3 Base Score: 9.8    (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-8794

Title:  OpenBSD OpenSMTPD Local Privilege Escalation and Remote Code Execution Vulnerability

Vendor: OpenBSD

Description: An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

CVSS v3 Base Score: 9.8    (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)



=========================================================


MOST PREVALENT MALWARE FILES: March 12 - 19

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 8e0aea169927ae791dbafe063a567485d33154198cd539ee7efcd81a734ea325

MD5: 5fb477098fc975fd1b314c8fb0e4ec06

VirusTotal: https://www.virustotal.com/gui/file/8e0aea169927ae791dbafe063a567485d33154198cd539ee7efcd81a734ea325/details

Typical Filename: upxarch.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in07.talos


SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7

MD5: 88cbadec77cf90357f46a3629b6737e6

VirusTotal: https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.File.2144flashplayer::tpd


SHA 256: 1bbcd367a317af33aee72ae06f5f38067f27b27a0f321b54325cfb0f7431ebe7

MD5: 06fad4d91f0e79143d1270ad0b1fce3f

VirusTotal: https://www.virustotal.com/gui/file/1bbcd367a317af33aee72ae06f5f38067f27b27a0f321b54325cfb0f7431ebe7/details

Typical Filename: set-up.exe

Claimed Product: uTorrent

Detection Name: W32.1BBCD367A3-100.SBX.VIOC


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


SHA 256: 64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b

MD5: 42143a53581e0304b08f61c2ef8032d7

VirusTotal: https://www.virustotal.com/gui/file/64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b/details

Typical Filename: myfile.exe

Claimed Product: N/A

Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743