
@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of @RISK is to provide the data that ensures the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) remain the most effective defenses against all known attack vectors. Because it is also valuable to security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training, and to others at their organizations who want to stay current with the offensive methods in use.

April 9, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            April 09, 2020 - Vol. 20, Num. 15


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES April 2 - 9

============================================================


TOP VULNERABILITY THIS WEEK: Mozilla Firefox patches two use-after-free vulnerabilities exploited in the wild


************** Sponsored By AWS Marketplace ****************


Architecting Least Privilege in the Cloud. SANS Analyst Dave Shackleford explains the importance of least privilege and micro-segmentation to reduce risk in cloud deployments. Learn how to deploy your architecture using the three pillars of least privilege and follow a use case for least privilege in the AWS cloud. Tuesday, April 14, 2 PM ET. http://www.sans.org/info/216050


============================================================

TRAINING UPDATE


Keep your skills sharp, train online with SANS OnDemand:


* 45 of the world's top cybersecurity courses

* Flexible self-paced format you can take anytime, anywhere

* A battle-tested training platform including 4 months of access

* Hands-on labs and GIAC-certified SME support


Test drive and purchase SANS OnDemand courses.

- https://www.sans.org/ondemand/


SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap


Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee.


********************** Sponsored Links: ********************


1) Webcast April 14th at 10:30 AM ET: Pre-Runtime vs. Runtime Protection: What's Best for Your IaaS Security? http://www.sans.org/info/216055


2) Did you miss this webcast? Shared Responsibility of Salesforce Security. View here: http://www.sans.org/info/216060


3) Virtual Forum April 24th | Women in Cybersecurity featuring Lesley Carhart, Diana Kelley, Katie Nickels and more. Register: http://www.sans.org/info/216065



============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Mozilla releases fixes for two use-after-free vulnerabilities in Firefox

Description: Mozilla released patches for two use-after-free vulnerabilities in its Firefox web browser (CVE-2020-6819 and CVE-2020-6820, fixed in Firefox 74.0.1 and Firefox ESR 68.6.1). Mozilla said it was aware of targeted attacks in the wild abusing the flaws, which prompted the out-of-band release. In both cases a race condition in the browser (one while running the nsDocShell destructor, the other while handling a ReadableStream) can lead to a use-after-free; Mozilla has not published details of how the bugs were used in the attacks.

Reference: https://duo.com/decipher/mozilla-fixes-two-firefox-flaws-under-active-attack

Snort SIDs: 53580, 53581


Title: Critical CODESYS vulnerability could allow attacker to crash server, execute remote code

Description: A critical bug in the web server component of 3S' CODESYS Control V3 runtime could allow an unauthenticated remote attacker to crash the web server or potentially execute arbitrary code on it. 3S released a patch for the vulnerability, identified as CVE-2020-10245, which received a CVSS severity score of 10 out of 10. The bug is a heap-based buffer overflow triggered by crafted web requests; at minimum it yields a denial of service of the web server, and code execution has not been ruled out. Because CODESYS runtimes are embedded in many vendors' PLCs, the patch must come from each device vendor, not only from 3S.

Reference: https://threatpost.com/critical-codesys-bug-remote-code-execution/154213/

Snort SIDs: 53557, 53558


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Marriott disclosed that attackers used the login credentials of two employees at a franchise property to access customer data, compromising information on roughly 5.2 million guests.

https://www.cnet.com/news/marriott-discloses-new-data-breach-impacting-5-point-2-million-guests/


Researchers at Citizen Lab found weaknesses in the encryption used by the video conferencing platform Zoom, including the use of a single AES-128 key in ECB mode per meeting and the delivery of some meeting keys through servers in China, even for meetings with no participants there.

https://citizenlab.ca/2020/04/move-fast-roll-your-own-crypto-a-quick-look-at-the-confidentiality-of-zoom-meetings/


After a wave of negative headlines about Zoom's security, the Taiwanese government told agencies not to use the conferencing app while employees work from home during the COVID-19 crisis.

https://www.bloomberg.com/news/articles/2020-04-07/taiwan-bans-government-use-of-zoom-over-cybersecurity-concerns


A critical vulnerability in a popular WordPress plugin could allow attackers to completely lock administrators out of their sites, the latest in a string of bugs in plugins for the widely used content management system.

https://threatpost.com/critical-wordpress-plugin-bug-lock-admins-out/154354/


A new COVID-19-themed malware family wipes files from victims' computers and, in some cases, overwrites the master boot record (MBR) so the machine no longer boots.

https://www.zdnet.com/article/theres-now-covid-19-malware-that-will-wipe-your-pc-and-rewrite-your-mbr/


Microsoft purchased the long-controversial domain corp[.]com to keep it out of malicious hands; Windows networks whose Active Directory domain is named "corp" can leak credentials and other internal traffic to whoever controls that domain when machines leave the corporate network.

https://krebsonsecurity.com/2020/04/microsoft-buys-corp-com-so-bad-guys-cant/


While most people around the globe are staying home during the COVID-19 crisis, their internet usage has changed: time spent on streaming sites is rising while mobile device usage is falling.

https://www.nytimes.com/interactive/2020/04/07/technology/coronavirus-internet-use.html


With more college classes moving entirely online for the remainder of the semester, some schools have started using online proctoring services, which students and professors have called an invasion of privacy.

https://www.washingtonpost.com/technology/2020/04/01/online-proctoring-college-exams-coronavirus/


NASA says it has seen an "exponential" increase in attempted cyber attacks as more of its employees began working remotely during the COVID-19 pandemic.

https://arstechnica.com/information-technology/2020/04/nasa-sees-an-exponential-jump-in-malware-attacks-as-personnel-work-from-home/


A cyber attack on Italy's Social Security website took down its services, temporarily preventing individuals from receiving government stimulus checks connected to a COVID-19 relief package.

https://www.forbes.com/sites/daveywinder/2020/04/02/covid-19-payouts-disrupted-as-heartless-hackers-attack-italian-crisis-benefits-site/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2020-0674

Title:  Microsoft Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID:        CVE-2020-0796

Title:  Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain compressed requests. An attacker who successfully exploited the vulnerability could execute code on the target server or client: against a server, by sending a crafted packet to an SMBv3 server without authenticating; against a client, by convincing a user to connect to a malicious SMBv3 server. Microsoft's advisory ADV200005 describes disabling SMBv3 compression on servers as a workaround, but that does not protect clients, so the out-of-band update (KB4551762) is the real fix.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
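The check below is an added example and is not Microsoft's code or the server's actual logic. It parses the SMB2 compression transform header defined in MS-SMB2 section 2.2.42 and validates the advertised sizes before they are used to size a buffer, the class of check relevant to CVE-2020-0796. The accepted algorithm list, the policy bound on segment size and the rejection of chained headers are assumptions of this example; the sample headers are constructed.

```python
"""Parse an SMB2 COMPRESSION_TRANSFORM_HEADER (MS-SMB2 2.2.42) and apply
the size checks a decompressor must make before trusting the advertised
values. Added example; not Microsoft's code and not the server's actual
logic. Sample headers are constructed."""
import struct

PROTOCOL_ID = b"\xfcSMB"
HEADER_LEN = 16                      # 4s + I + H + H + I
U32_MAX = 0xFFFFFFFF
# Algorithms defined for SMB 3.1.1 compression; assumption: only these are accepted here.
KNOWN_ALGORITHMS = {0x0001: "LZNT1", 0x0002: "LZ77", 0x0003: "LZ77+Huffman"}
FLAG_CHAINED = 0x0001
# Assumption: policy bound on one decompressed segment (the real server's limit differs).
MAX_SEGMENT = 8 * 1024 * 1024


class CompressionHeaderError(ValueError):
    """Raised when a header fails validation; the message is the reason."""


def build_header(orig_size: int, algo: int = 0x0001, flags: int = 0,
                 offset: int = 0, payload: bytes = b"") -> bytes:
    """Serialize a header followed by `payload` (used to construct samples)."""
    return struct.pack("<4sIHHI", PROTOCOL_ID, orig_size, algo, flags, offset) + payload


def parse_compression_header(packet: bytes, max_segment: int = MAX_SEGMENT) -> dict:
    """Validate and decode an unchained compression transform header."""
    if len(packet) < HEADER_LEN:
        raise CompressionHeaderError("truncated header")
    proto, orig_size, algo, flags, offset = struct.unpack_from("<4sIHHI", packet, 0)
    if proto != PROTOCOL_ID:
        raise CompressionHeaderError("not a compression transform header")
    if algo not in KNOWN_ALGORITHMS:
        raise CompressionHeaderError(f"unknown compression algorithm {algo:#06x}")
    if flags & FLAG_CHAINED:
        # In chained mode the last field is a Length, not an Offset; out of scope here.
        raise CompressionHeaderError("chained compression not handled")
    payload_len = len(packet) - HEADER_LEN
    # Offset: number of uncompressed bytes that precede the compressed data.
    if offset > payload_len:
        raise CompressionHeaderError("offset exceeds payload")
    # The output buffer must hold the uncompressed prefix plus the original
    # segment. Check the sum for 32-bit wrap-around and against policy
    # before any allocation is sized from it.
    total = orig_size + offset
    if total > U32_MAX:
        raise CompressionHeaderError("size computation overflows 32 bits")
    if orig_size > max_segment:
        raise CompressionHeaderError("original segment exceeds policy bound")
    return {
        "algorithm": KNOWN_ALGORITHMS[algo],
        "original_size": orig_size,
        "offset": offset,
        "compressed_len": payload_len - offset,
        "buffer_needed": total,
    }


def classify(packet: bytes) -> str:
    """Return 'ok' or the rejection reason; handy for scripted review of captures."""
    try:
        parse_compression_header(packet)
        return "ok"
    except CompressionHeaderError as exc:
        return str(exc)
```

The point is the order of operations: the sum of the two header-controlled sizes is checked for wrap-around and against an upper bound before anything is allocated from it. A header claiming an original size of 0xFFFFFFFF with a small non-zero offset is rejected outright rather than producing a tiny allocation that the decompressor then overruns.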


ID:        CVE-2020-0041

Title:  Google Android Privilege Escalation Vulnerability

Vendor: Android

Description: In binder_transaction of binder.c, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-10204

Title:  Sonatype Nexus Repository Remote Code Execution Vulnerability

Vendor: Sonatype

Description: A remote code execution vulnerability exists in Nexus Repository Manager 3 (versions before 3.21.2). The vulnerability allows an attacker with any type of account on NXRM to execute arbitrary code by crafting a malicious request to NXRM; because only a low-privileged account is needed, self-registration and shared developer credentials widen the exposure.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-3947

Title:  VMware Workstation vmnetdhcp Denial of Service Vulnerability

Vendor: VMware

Description: VMware Workstation contains a use-after-free vulnerability in the vmnetdhcp service. Successful exploitation may lead to code execution on the host from the guest, or may allow an attacker to cause a denial of service of the vmnetdhcp service running on the host machine.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-3919

Title:  Apple MacOS Privilege Escalation Vulnerability

Vendor: Apple

Description: A memory initialization issue was addressed with improved memory handling. A malicious application may be able to execute arbitrary code with kernel privileges.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID:        CVE-2020-7982

Title:  OpenWrt's opkg Man In The Middle Attack Vulnerability

Vendor: OpenWrt

Description: A bug in OpenWrt's fork of the opkg package manager (versions before 2020-01-25) prevents correct parsing of the SHA256sum checksums embedded in the signed repository index. Because the index signature protects only the index, the per-package checksum is what ties a downloaded .ipk to it; with the checksum unparsed, opkg installed packages without verification, allowing a man-in-the-middle attacker who can tamper with the package download to inject arbitrary package payloads.

CVSS v3 Base Score: 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
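The following is an added example, not OpenWrt's or opkg's own code, showing the verification step the vulnerable opkg effectively skipped: parse the SHA256sum field out of a Packages-style index and refuse to accept a package when the field is missing or malformed, rather than silently installing. The index text, package names and package bytes are constructed for illustration; checking the usign signature over the index itself is a separate step not shown here.

```python
"""Verify a downloaded opkg package against the SHA256sum carried in
the repository index, failing closed when the field is missing or
malformed. Added example; not OpenWrt's or opkg's own code. The index
text and package bytes are constructed for illustration."""
import hashlib
import hmac
from typing import Dict, Optional

# Constructed sample of an OpenWrt-style "Packages" index: one stanza
# per package, "Name: value" fields, stanzas separated by a blank line.
# The second stanza deliberately omits SHA256sum.
SAMPLE_INDEX_TEMPLATE = """\
Package: demo-good
Version: 1.0-1
Filename: demo-good_1.0-1_all.ipk
Size: 16
SHA256sum: {good_sum}

Package: demo-nosum
Version: 1.0-1
Filename: demo-nosum_1.0-1_all.ipk
Size: 16
"""

GOOD_PKG = b"demo package ok\n"      # constructed stand-in for an .ipk
TAMPERED_PKG = b"demo package XX\n"  # same length, altered contents


def build_sample_index() -> str:
    """Fill the template with the real digest of GOOD_PKG."""
    return SAMPLE_INDEX_TEMPLATE.format(good_sum=hashlib.sha256(GOOD_PKG).hexdigest())


def parse_index(text: str) -> Dict[str, Dict[str, str]]:
    """Parse index stanzas into {package_name: {field_lower: value}}."""
    packages: Dict[str, Dict[str, str]] = {}
    for stanza in text.strip().split("\n\n"):
        fields: Dict[str, str] = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if not sep:
                continue  # not a "Name: value" line; ignore
            fields[key.strip().lower()] = value.strip()
        name = fields.get("package")
        if name:
            packages[name] = fields
    return packages


def expected_sha256(index: Dict[str, Dict[str, str]], name: str) -> Optional[str]:
    """Return the well-formed SHA256sum for `name`, or None if absent or malformed."""
    entry = index.get(name)
    if entry is None:
        return None
    value = entry.get("sha256sum", "").lower()
    if len(value) != 64 or any(c not in "0123456789abcdef" for c in value):
        return None
    return value


def verify_package(index: Dict[str, Dict[str, str]], name: str, data: bytes) -> bool:
    """True only if the index has a usable checksum and `data` matches it.
    A missing or unparsable checksum is a failure, not a pass: that
    fail-closed behaviour is what the vulnerable opkg lacked."""
    want = expected_sha256(index, name)
    if want is None:
        return False
    got = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(got, want)
```

The design point is in verify_package: the absence of a checksum is treated exactly like a mismatch. A package manager that reaches "nothing to compare against, proceed" has turned a parsing bug into a supply-chain bypass.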


ID:        CVE-2020-8515

Title:  DrayTek pre-auth Remote Code Execution Vulnerability

Vendor: DrayTek

Description: DrayTek Vigor2960, Vigor3900 and Vigor300B devices on firmware before 1.5.1 allow remote code execution as root, without authentication, via shell metacharacters passed to the cgi-bin/mainfunction.cgi URI. Because the endpoint is reachable on the WAN-facing management interface when remote management is enabled, exposed devices should be assumed compromised until the firmware is updated and credentials are rotated.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
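As an added example (not DrayTek's code and not a vendor signature), the script below runs a review heuristic over web access log lines: it selects requests to the mainfunction.cgi path, percent-decodes each query parameter value repeatedly so double encoding cannot hide a payload, and reports any value containing shell metacharacters. The log lines, client addresses and parameter names are constructed for illustration.

```python
"""Flag requests to the DrayTek mainfunction.cgi endpoint whose query
parameters carry shell metacharacters, as a log-review heuristic for
probes against CVE-2020-8515. Added example; not DrayTek's code and
not a vendor signature. The access-log lines are constructed."""
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

TARGET_PATH = "/cgi-bin/mainfunction.cgi"
# Characters and sequences that change meaning once a value reaches a shell.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(|\$\{")
# Common log format: client, ident, user, [timestamp], "METHOD PATH PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

SAMPLE_LOG: List[str] = [
    # constructed: ordinary login request, benign
    '203.0.113.5 - - [02/Apr/2020:10:00:01 +0000] "POST /cgi-bin/mainfunction.cgi?action=login&keyPath=user HTTP/1.1" 200 512',
    # constructed: percent-encoded semicolon inside a parameter value
    '198.51.100.7 - - [02/Apr/2020:10:00:05 +0000] "GET /cgi-bin/mainfunction.cgi?action=login&keyPath=a%3Bid HTTP/1.1" 200 512',
    # constructed: backticks hidden by double percent-encoding
    '198.51.100.7 - - [02/Apr/2020:10:00:09 +0000] "GET /cgi-bin/mainfunction.cgi?keyPath=%2560uname%2560 HTTP/1.1" 200 512',
    # constructed: metacharacter, but a different endpoint; out of scope for this rule
    '192.0.2.9 - - [02/Apr/2020:10:01:00 +0000] "GET /cgi-bin/other.cgi?x=a%7Cb HTTP/1.1" 404 0',
]


def decode_fully(s: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double encoding cannot hide metacharacters."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def suspicious_values(raw_query: str):
    """Yield (parameter, decoded value) for values containing shell metacharacters.

    Split on '&' before decoding so that an encoded '%26' inside a value
    is seen as an injected '&' rather than as a parameter separator."""
    for param in raw_query.split("&"):
        name, _, raw_value = param.partition("=")
        value = decode_fully(raw_value)
        if SHELL_META.search(value):
            yield decode_fully(name), value


def suspicious_requests(lines) -> List[Tuple[str, str, str, str]]:
    """Return (client, timestamp, parameter, decoded value) per flagged parameter."""
    hits: List[Tuple[str, str, str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        raw_path, _, raw_query = m.group("path").partition("?")
        if not decode_fully(raw_path).endswith(TARGET_PATH):
            continue
        for name, value in suspicious_values(raw_query):
            hits.append((m.group("src"), m.group("ts"), name, value))
    return hits
```

Two caveats for real use: access logs usually record only the request line, so parameters sent in a POST body are invisible to this check and need an HTTP-inspecting sensor (the Snort rules referenced elsewhere in this issue are the better control there), and a hit only proves that a probe arrived, not that it succeeded; pair it with the device's firmware version and any unexpected outbound connections.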


=========================================================


MOST PREVALENT MALWARE FILES April 2 - 9:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776

MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea

VirusTotal: https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::in03.talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: f2016341595.exe

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


=============================================================


(c) 2020.  All rights reserved.  The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743