Live, interactive cybersecurity training available through SANS Live Online. View upcoming events.

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

April 30, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            April 30, 2020 - Vol. 20, Num. 18


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES April 23 - 30

============================================================


TOP VULNERABILITY THIS WEEK: MedusaLocker adds more features, continues to encrypt victims' files


******************* Sponsored By Eclypsium *******************


Assessing Enterprise Firmware Security Risk - Attacks in the wild are targeting firmware in order to achieve persistence, evade security controls, and further strategic attacks. With firmware vulnerabilities at an all-time high, this Eclypsium whitepaper outlines 5 questions to evaluate and improve your firmware security posture. http://www.sans.org/info/216240


============================================================

TRAINING UPDATE


SANS Training is 100% Online, with two convenient ways to complete a course:


OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online


Keep your skills sharp with SANS Online Training:


.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications


Test drive a course: https://www.sans.org/course-preview


Get a 10.2" iPad (34GB), Samsung Galaxy Tab A, or Take $250 Off through May 13 with OnDemand or Live Online training.

https://www.sans.org/online-security-training/specials/

______________________


Upcoming Live Online Events:


Instructor-Led Training | May 4-9

- https://www.sans.org/event/live-online-may4-2020


Security West 2020 | May 11-16

- https://www.sans.org/event/security-west-2020


2-Day Firehose Training | May 26-29

- https://www.sans.org/event/2-day-firehose-training-may27-2020


Cloud Security Summit & Training 2020 | May 26-June 5

- https://www.sans.org/event/cloud-security-summit-2020


Rocky Mountain Hackfest Summit & Training 2020 | June 4-13

- https://www.sans.org/event/rockymountainhackfest-summit-2020


SANSFIRE 2020 | June 13-20

- https://www.sans.org/event/sansfire-2020


2-Day Firehose Training | June 29-30

- https://www.sans.org/event/2-day-firehose-training-jun29-2020


In Person Training:


SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020

______________________


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap


Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee.


********************** Sponsored Links: ********************


1) How to prevent remote users from being locked out due to old cached credentials. http://www.sans.org/info/216245


2) Webcast Thursday April 30th at 3:30PM ET | Unwind Your SIEM: Improved Threat Hunting and Detection with Chronicle. http://www.sans.org/info/216250


3) Upcoming Webcast | Learn what machine-learning is and how it can detect anomalous behavior. http://www.sans.org/info/216255


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: MedusaLocker ransomware continues to remap drives, encrypt victims' files

Description: MedusaLocker is a ransomware family that has been observed being deployed since its discovery in 2019. Since its introduction to the threat landscape, there have been several variants observed. However, most of the functionality remains consistent. The most notable differences are changes to the file extension used for encrypted files and the look and feel of the ransom note that is left on systems following the encryption process.

Reference: https://blog.talosintelligence.com/2020/04/medusalocker.html

Snort SIDs: 53662 - 53664


Title: Kwampirs malware goes after health care sector

Description: The FBI recently released a warning to health care organizations warning them to be on the lookout for the Kwampirs malware. The RAT infects systems and then opens a backdoor on the victims' network. Adversaries using Kwampirs have already been successful in infecting health care-related networks across the globe, according to the FBI's report. Attackers are attempting to capitalize on the fear, uncertainty and large amount of work that are coming with the COVID-19 pandemic.

 Reference: https://www.cpomagazine.com/cyber-security/fbi-warns-of-healthcare-sector-supply-chain-attacks-involving-kwampirs-malware/

Snort SIDs: 53738 - 53741


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


The U.K. government plans to build its own coronavirus contact-tracing app, forgoing Apple's and Google's jointly created API.

https://www.zdnet.com/article/contact-tracing-apps-why-the-nhs-said-no-to-apple-and-googles-plan/


The World Health Organization says some of its top leadership has been targeted by cyberattacks in recent weeks, continuing a trend it's seen since mid-March.

https://www.bloomberg.com/news/articles/2020-04-21/top-officials-at-world-health-organization-targeted-for-hacks


Adversaries are stepping up the quality of their spear-phishing campaigns, recently targeting U.S.-based energy companies working in the oil industry.

https://arstechnica.com/information-technology/2020/04/hackers-target-oil-producers-as-they-struggle-with-a-record-glut-of-crude/


Nintendo shut down an older form of logins for its users after more than 160,000 accounts were compromised.

https://techcrunch.com/2020/04/24/after-160000-accounts-are-compromised-nintendo-shuts-down-nnid-logins/


Video streaming service Netflix upgraded to TLS 1.3, which it says will make streaming safer and quicker for users.

https://netflixtechblog.com/how-netflix-brings-safer-and-faster-streaming-experience-to-the-living-room-on-crowded-networks-78b8de7f758c


Israeli's cyber defense ministry says it recently warded off multiple cyberattacks on its water control infrastructure.

https://www.scmagazine.com/home/security-news/cyberattack/israeli-cyber-defenders-warn-of-attacks-on-water-supply/


Microsoft patched a vulnerability in its Teams application that could allow an adversary to scrape data from a victim's account by sending them a specific GIF.

https://www.bbc.com/news/technology-52415773


Business leaders are raising concerns over cyberattacks that could slow down or interrupt mergers and acquisitions as economies around the world start to open up again.

https://www.wsj.com/articles/coronavirus-cybersecurity-concerns-could-add-hurdles-to-dealmaking-11587979802


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.



=========================================================


MOST PREVALENT MALWARE FILES April 23 - 30:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4

MD5: c6dc7326766f3769575caa3ccab71f63

VirusTotal: https://www.virustotal.com/gui/file/fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4/details

Typical Filename: wupxarch.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743