
@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of @RISK is to provide the data that ensures the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) remain the most effective defenses against all known attack vectors. Because it is also valuable to security practitioners, SANS makes it available to the 145,000 people who have completed SANS security training and to others at their organizations who want to stay current with the offensive methods in use.

April 16, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            April 16, 2020 - Vol. 20, Num. 16


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES April 9 - 16

============================================================


TOP VULNERABILITY THIS WEEK: 18 critical vulnerabilities disclosed as part of Microsoft Patch Tuesday


****************** Sponsored By Eclypsium ******************


Assessing Enterprise Firmware Security Risk - Attacks in the wild are targeting firmware in order to achieve persistence, evade security controls, and further strategic attacks. With firmware vulnerabilities at an all-time high, this Eclypsium whitepaper outlines 5 questions to evaluate and improve your firmware security posture. http://www.sans.org/info/216110


============================================================

TRAINING UPDATE


SANS Training is 100% Online, with two convenient ways to complete a course:


OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online


Keep your skills sharp with SANS Online Training:


- The world's top cybersecurity courses

- Taught by real world practitioners

- Ideal preparation for more than 30 GIAC Certifications


Test drive a course: https://www.sans.org/course-preview

______________________


Upcoming Live Online Events:


Pen Test Austin 2020 | April 27-May 2

- https://www.sans.org/event/pen-test-austin-2020


Security West 2020 | May 11-16

- https://www.sans.org/event/security-west-2020


SANSFIRE 2020 | June 13-20

- https://www.sans.org/event/sansfire-2020


2-Day Firehose Training | June 29-30

- https://www.sans.org/event/2-day-firehose-training-jun29-2020


In Person Training:


SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020

______________________


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap


Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee


********************** Sponsored Links: ********************


1) Poll | If you're now working remotely, take the SANS 2020 Work from Home Poll: http://www.sans.org/info/216115


2) Learn the implications of securing cloud applications and recommendations to approaching cloud security. http://www.sans.org/info/216120


3) Upcoming Webcast | How to Ensure Security and Productivity for Employees Working Remotely through Zoom, Teams, WebEx and other Collaboration Applications. http://www.sans.org/info/216125


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft releases monthly security update

Description: Microsoft released its monthly security update this week, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 113 vulnerabilities. Eighteen of the flaws are rated critical and one is rated "moderate"; the rest are rated "important." The update addresses issues in a variety of Microsoft services and software, including SharePoint, the Windows font library and the Windows kernel.

Reference: https://blog.talosintelligence.com/2020/04/microsoft-patch-tuesday-april-2020.html

Snort SIDs: 53489 - 53492, 53619 - 53630, 53652 - 53655


Title: DrayTek routers, switches open to attack

Description: Network equipment vendor DrayTek recently patched two zero-day vulnerabilities in some of its routers and switches that could allow attackers to monitor traffic and install backdoors on affected networks. Security researchers observed active exploitation in December and worked with DrayTek on the fix; patches were made available in late March. Users should update affected devices as soon as possible and, until they can, disable remote (WAN-side) administrative access.

Reference: https://www.scmagazine.com/home/security-news/vulnerabilities/zero-day-vulnerabilities-used-against-draytek-routers-and-switches/

Snort SIDs: 53591, 53592


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Apple and Google announced plans to jointly develop a service that will alert users if they've been near someone who's been diagnosed with COVID-19.

https://techcrunch.com/2020/04/10/apple-and-google-are-launching-a-joint-covid-19-tracing-tool/


This "contact tracing" service has raised concerns over privacy, however, and over unequal access to the phones and wireless networks it depends on.

https://www.cnet.com/news/how-youll-get-apple-and-googles-contact-tracing-update-for-your-phone/


Cisco Talos researchers found that many devices' fingerprint scanners can be fooled with 3D-printed molds and resin copies of a user's fingerprint.

https://blog.talosintelligence.com/2020/04/fingerprint-research.html


Foreign currency exchange company Travelex paid a $2.3 million ransomware demand in January. (Please note that this story is behind a paywall.)

https://www.wsj.com/articles/travelex-paid-hackers-multimillion-dollar-ransom-before-hitting-new-obstacles-11586440800


Teleconferencing platform Zoom has taken steps to address some of the privacy and security concerns raised by experts.

https://www.fastcompany.com/90488717/can-you-trust-zoom


Microsoft says every country in the world has now seen at least one COVID-19-themed cyber attack, many of them utilizing the Emotet and Trickbot families.

https://www.microsoft.com/security/blog/2020/04/08/microsoft-shares-new-threat-intelligence-security-guidance-during-global-crisis/


Employees working from home are upgrading to mesh Wi-Fi networks to improve wireless speeds while remote work continues during the pandemic.

https://arstechnica.com/gadgets/2020/04/remote-work-lagging-if-you-cant-plug-it-in-upgrade-to-mesh/


Scammers are attempting to capitalize on the COVID-19 pandemic by offering phony services and health products through "gig economy" apps like Fiverr.

https://www.vice.com/en_us/article/v74ay9/fiverr-coronavirus-healers-mask-sellers


Online gambling technology company SBTech is setting aside $30 million to cover the fallout from a cyber attack last month, as part of an acquisition agreement.

https://www.zdnet.com/article/gambling-company-to-set-aside-30-million-to-deal-with-cyber-attack-fallout/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2020-0760

Title:  Microsoft Office Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists when Microsoft Office improperly loads arbitrary type libraries. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

CVSS v3 Base Score: 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)


ID:        CVE-2020-1027

Title:  Microsoft Windows Kernel Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1020

Title:  Microsoft Adobe Font Manager Library Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font - Adobe Type 1 PostScript format.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID:        CVE-2020-0687

Title:  Microsoft Graphics Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts. An attacker who successfully exploited the vulnerability could take control of the affected system.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID:        CVE-2019-1381

Title:  Microsoft Windows Information Disclosure Vulnerability

Vendor: Microsoft

Description: An information disclosure vulnerability exists when the Windows Servicing Stack allows access to unprivileged file locations. An attacker who successfully exploited the vulnerability could read files they are not authorized to access. Note that the vector listed below assigns high integrity and availability impact with changed scope, which does not match an information-disclosure flaw; confirm the score against the vendor advisory before using it for prioritization.

CVSS v3 Base Score: 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-0968

Title:  Microsoft Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID:        CVE-2020-0939

Title:  Microsoft Media Foundation Information Disclosure Vulnerability

Vendor: Microsoft

Description: An information disclosure vulnerability exists when Media Foundation improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. Note that the vector listed below assigns high confidentiality, integrity and availability impact, which is more than an information-disclosure flaw implies; confirm the score against the vendor advisory before using it for prioritization.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES April 9 - 16:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776

MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea

VirusTotal: https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::in03.talos


SHA 256: 589d9977a5b0420d29acc0c1968a2ff48102ac3ddc0a1f3188be79d0a4949c82

MD5: bf1d79fad6471fcf50e38a9ea1f646a5

VirusTotal: https://www.virustotal.com/gui/file/589d9977a5b0420d29acc0c1968a2ff48102ac3ddc0a1f3188be79d0a4949c82/details

Typical Filename: wupxarch.exe

Claimed Product: N/A

Detection Name: W32.Auto:589d99.in03.Talos


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


SHA 256: 518a8844dae953d7f2510d38ba916f1c4ccc01cfba58f69290938b6ddde8b472

MD5: 9b47b9f19455bf56138ddb81c93b6c0c

VirusTotal: https://www.virustotal.com/gui/file/518a8844dae953d7f2510d38ba916f1c4ccc01cfba58f69290938b6ddde8b472/details

Typical Filename: updateprofile.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Generic::tpd


SHA 256: 1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871

MD5: c2406fc0fce67ae79e625013325e2a68

VirusTotal: https://www.virustotal.com/gui/file/1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871/details

Typical Filename: SegurazoIC.exe

Claimed Product: Segurazo IC

Detection Name: PUA.Win.Adware.Ursu::95.sbx.tg
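A hash list like the one above earns its keep only when it is swept across an estate quickly. As an added example (not part of the newsletter and not Talos tooling), the Python script below hashes every file under a directory once, checks both the SHA-256 and the MD5 digest against the indicators copied from this list (MD5 is kept because some inventory and EDR exports only record it), and reports hits. The files its demo creates are constructed and harmless, and the "constructed test indicator" it registers is an assumption for the demo, not a real sample hash; nothing here matches the live indicators.

```python
"""Sweep a directory tree for files whose SHA-256 or MD5 matches the
"Most prevalent malware files" list above.

Added example, not part of the @RISK newsletter. IOCS is copied from
this issue; demo() builds harmless scratch files so the script runs offline."""
import hashlib
import os
import tempfile
from pathlib import Path

# Indicators copied from this issue (hash -> typical filename / detection).
IOCS = {
    "a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776": "FlashHelperServices.exe / PUA.Win.Adware.Flashserv::in03.talos",
    "5d34464531ddbdc7b0a4dba5b4c1cfea": "FlashHelperServices.exe / PUA.Win.Adware.Flashserv::in03.talos",
    "589d9977a5b0420d29acc0c1968a2ff48102ac3ddc0a1f3188be79d0a4949c82": "wupxarch.exe / W32.Auto:589d99.in03.Talos",
    "bf1d79fad6471fcf50e38a9ea1f646a5": "wupxarch.exe / W32.Auto:589d99.in03.Talos",
    "85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5": "Eternalblue-2.2.0.exe / W32.85B936960F.5A5226262.auto.Talos",
    "8c80dd97c37525927c1e549cb59bcbf3": "Eternalblue-2.2.0.exe / W32.85B936960F.5A5226262.auto.Talos",
    "518a8844dae953d7f2510d38ba916f1c4ccc01cfba58f69290938b6ddde8b472": "updateprofile.exe / Win.Dropper.Generic::tpd",
    "9b47b9f19455bf56138ddb81c93b6c0c": "updateprofile.exe / Win.Dropper.Generic::tpd",
    "1c3ed460a7f78a43bab0ae575056d00c629f35cf7e72443b4e874ede0f305871": "SegurazoIC.exe / PUA.Win.Adware.Ursu::95.sbx.tg",
    "c2406fc0fce67ae79e625013325e2a68": "SegurazoIC.exe / PUA.Win.Adware.Ursu::95.sbx.tg",
}


def file_digests(path, chunk=1 << 20):
    """Read the file once in chunks and return (sha256, md5) hex digests."""
    sha, md5 = hashlib.sha256(), hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            sha.update(block)
            md5.update(block)
    return sha.hexdigest(), md5.hexdigest()


def sweep(root, iocs=IOCS):
    """Walk root and return [(path, matched_hash, label)] for every file whose
    SHA-256 or MD5 appears in iocs. Unreadable files are skipped, not fatal."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digests = file_digests(path)
            except OSError:
                continue  # locked or permission-denied file; report separately if needed
            for h in digests:
                if h in iocs:
                    hits.append((path, h, iocs[h]))
                    break
    return hits


def demo():
    """Build a scratch tree with a benign file and a constructed sample, then
    return (hits against the real list, hits once the sample's own SHA-256 is
    registered as a constructed indicator). File names only, for readability."""
    with tempfile.TemporaryDirectory() as d:
        benign = Path(d) / "readme.txt"
        benign.write_bytes(b"nothing to see here\n")
        sample = Path(d) / "sub" / "wupxarch.exe"  # constructed, harmless bytes
        sample.parent.mkdir()
        sample.write_bytes(b"MZ constructed sample for the sweep demo, not malware\n")
        real_hits = sweep(d)
        sha, _ = file_digests(sample)
        with_constructed = dict(IOCS, **{sha: "constructed test indicator"})
        test_hits = sweep(d, with_constructed)
        return ([(os.path.basename(p), label) for p, _, label in real_hits],
                [(os.path.basename(p), label) for p, _, label in test_hits])


if __name__ == "__main__":
    real, constructed = demo()
    print("hits against the live list:", real or "none")
    print("hits with the constructed indicator:", constructed)
```

Match on the digest, never on the "Typical Filename": the names in this list are what the samples happened to be called, and a renamed copy is still the same file. Hash matching only catches the exact bytes listed, so treat a clean sweep as "these specific files are absent", not as "this host is clean".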


=============================================================


(c) 2020.  All rights reserved.  The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743