Join us at the Rocky Mountain Hackfest, Live Online!! Virtual summit and courses take place June 4-13.

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

April 23, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            April 23, 2020 - Vol. 20, Num. 17


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES April 16 - 23

============================================================


TOP VULNERABILITY THIS WEEK: PoetRAT uses COVID-19-themed lure documents to entice victims


******************** Sponsored By SANS *********************


Remote Worker Poll | With the COVID-19 pandemic, organizations have been forced to rethink how they will get their work done with their employees mandated to stay at home. How has your organization handle working from home? Take this Remote Worker Poll written by Heather Mahalik and tell us how your company has adjusted to this new landscape as a workforce. http://www.sans.org/info/216175


============================================================

TRAINING UPDATE



SANS Training is 100% Online, with two convenient ways to complete a course:


OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online


Keep your skills sharp with SANS Online Training:


.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications


Test drive a course: https://www.sans.org/course-preview

______________________


Upcoming Live Online Events:


Security West 2020 | May 11-16

- https://www.sans.org/event/security-west-2020

 

2-Day Firehose Training | May 26-29

- https://www.sans.org/event/2-day-firehose-training-may27-2020

 

Cloud Security Summit & Training 2020 | May 28-June 6

- https://www.sans.org/event/cloud-security-summit-2020

 

Rocky Mountain Hackfest Summit & Training 2020 | June 4-13

- https://www.sans.org/event/rockymountainhackfest-summit-2020

 

SANSFIRE 2020 | June 13-20

- https://www.sans.org/event/sansfire-2020

 

2-Day Firehose Training | June 29-30

- https://www.sans.org/event/2-day-firehose-training-jun29-2020

 

In Person Training:

 

SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020

______________________

 

View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap

 

Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee.


********************** Sponsored Links: ********************


1) Webcast Today at 1PM ET | WhatWorks in High Security Alternatives for Remote Collaboration and Communications. http://www.sans.org/info/216180


2) Survey | Tell us how your organization is extending their DevSecOps security controls into the public cloud networks. http://www.sans.org/info/216185


3) Webcast April 28th at 3:30 PM ET | How Operational Technology (OT) Security is Redefining the CISO Role. http://www.sans.org/info/216190


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft releases monthly security update

Description: A new remote access trojan known as "PoetRAT" uses coronavirus-themed documents and emails to lure victims in. This was a previously undiscovered RAT. It uses two components to avoid detection by a single component. The dropper uses an old trick in a new way: It appends the RAT to a Word document. Upon opening the document, a macro is executed that will extract the malware and execute it. The operation seems to be manual, but it's streamlined to deploy additional tools as needed and to avoid unnecessary steps.

Reference: https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html

Snort SIDs: 53689 - 53691


Title: Cisco discloses 17 critical vulnerabilities in UCS software

Description: Cisco patched 17 critical vulnerabilities last week in its Unified Computing system. The software allows users to build private cloud systems and optimize data-center resources. If successful, and adversary could use these flaws to remotely access systems or cause denial-of-service conditions. The majority of the exploits lie in UCS' REST API.

 Reference: https://www.networkworld.com/article/3537992/cisco-says-to-patch-critical-ucs-security-holes-now.html

Snort SIDs: 53667 - 53683


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Hackers are reportedly selling two zero-day vulnerabilities in the Zoom video conferencing service; one of the exploits affects Windows, and the other affects OS X.

https://www.vice.com/en_us/article/qjdqgv/hackers-selling-critical-zoom-zero-day-exploit-for-500000


A new report from Google says the company saw more than 18 million spam emails per day related to the COVID-19 pandemic during the week of April 5 - 12.

https://www.theverge.com/2020/4/16/21223800/google-malware-phishing-covid-19-coronavirus-scams


U.S. officials warned American financial institutions that it believes North Korean state-sponsored actors could soon launch cyberattacks that "pose a significant threat to the integrity and stability of the international financial system."

https://www.voanews.com/east-asia-pacific/north-korea-hackers-pose-significant-threat-global-finances-us-warns


A new court ruling will prevent Twitter from reporting any of the surveillance requests it has received from the American government.

https://www.reuters.com/article/us-usa-twitter-lawsuit/u-s-judge-blocks-twitters-bid-to-reveal-government-surveillance-requests-idUSKBN2200CS


American government contractors have been under attack from Chinese state-sponsored actors, with counterintelligence officials saying in an internal report that it detected hundreds of unwanted inbound and outbound connections.

https://www.politico.com/news/2020/04/16/china-electric-panda-hackers-seek-us-targets-191220


Security researchers are pushing back against a new policy on the Pastebin website that prevents users from scanning new data.

https://www.cyberscoop.com/pastebin-research-cybercrime-osint-scraping/


Scammers claiming to sell codes to download the popular new online video game "Valorant" are actually infecting victims with a keylogger.

https://www.tomsguide.com/news/valorant-beta-keygen-malware


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2020-0760

Title:  HAPaproxy hpack-tbl.c Out of Bounds Write Vulnerability

Vendor: Multi-Vendor

Description: A vulnerability exists in hpack-tbl.c present in the HPACK decoder in HAProxy, wherein a remote attacker can write arbitrary bytes around a certain location on the heap via a crafted HTTP/2 request, possibly causing remote code execution. This vulnerability could be exploited to gain access to sensitive information also use this vulnerability to change contents or configuration on the system. Additionally, this vulnerability can also be used to cause a denial of service in the form of interruptions in resource availability.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-0796

Title:  Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-8835

Title:  Linux Kernel Privilege Escalation Vulnerability

Vendor: Multi-Vendor

Description: It was discovered that the bpf verifier in the Linux kernel did not properly calculate register bounds for certain operations. A local attacker could use this to expose sensitive information (kernel memory) or gain administrative privileges.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1967

Title:  OpenSSL Denial of service Vulnerability

Vendor: Multi-Vendor

Description: Server or client applications that call the SSL_check_chain() function during or after a TLS 1.3 handshake may crash due to a NULL pointer dereference as a

result of incorrect handling of the "signature_algorithms_cert" TLS extension. The crash occurs if an invalid or unrecognized signature algorithm is received from the peer. This could be exploited by a malicious peer in a Denial of Service attack.

CVSS v3 Base Score: 5.0 (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)


ID:        CVE-2020-7066

Title:  PHP Information Disclosure Vulnerability

Vendor: PHP

Description: In PHP, while using get_headers() with user-supplied URL, if the URL contains zero () character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server. A remote attacker can abuse this behavior to bypass implemented security restrictions within the application.

CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)


ID:        CVE-2020-2555

Title:  Oracle Coherence Remote Code Execution Vulnerability

Vendor: Oracle

Description: A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware. Easily exploitable vulnerability allows unauthenticated attacker with network access via T3 to compromise Oracle Coherence. Successful attacks of this vulnerability can result in takeover of Oracle Coherence.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-3952

Title:  VMware vCenter vmdir Information Disclosure Vulnerability

Vendor: VMware

Description: Under certain conditions vmdir does not correctly implement access controls. A malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES April 16 - 23:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776

MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea

VirusTotal: https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::in03.talos


SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4

MD5: c6dc7326766f3769575caa3ccab71f63

VirusTotal: https://www.virustotal.com/gui/file/fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4/details

Typical Filename: wupxarch.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos


SHA 256: 9cc2b845bdee4774e45143e00dc82c673bf940c764b687c976f8d27d9f48b704

MD5: 4202e589899ec68bc2d4fa6fb1218e2f

VirusTotal: https://www.virustotal.com/gui/file/9cc2b845bdee4774e45143e00dc82c673bf940c764b687c976f8d27d9f48b704/details

Typical Filename: app171.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::sbmt.talos


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743