
@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

May 14, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            May 14, 2020 - Vol. 20, Num. 20


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES May 7 - 14

============================================================


TOP VULNERABILITY THIS WEEK: 15 critical vulnerabilities are a part of Microsoft Patch Tuesday


******************* Sponsored By Eclypsium *****************


Protecting Device Integrity in the Supply Chain - How can you secure laptops, servers, routers and other critical devices from cyberattacks targeting vulnerabilities in the global technology supply chain? Learn how to gain visibility, detect tampering and protect devices in a webinar with industry experts from TAG Cyber, NIST, Eclypsium and Johns Hopkins APL. http://www.sans.org/info/216375


============================================================

TRAINING UPDATE


SANS Training is 100% Online, with two convenient ways to complete a course:


OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online


Keep your skills sharp with SANS Online Training:


- The world's top cybersecurity courses

- Taught by real world practitioners

- Ideal preparation for more than 30 GIAC Certifications


Test drive a course: https://www.sans.org/course-preview


Choose a great promo offer* through May 27 with OnDemand or Live Online training:


*    Get a 10.2" iPad (32G) with Smart Keyboard

*    Train-From-Home Tech Package: Apple TV 4K (64G) with AirPods Pro

*    Take $300 Off


*Restrictions apply, see Terms & Conditions online

https://www.sans.org/online-security-training/specials/


Hot OnDemand Courses:


SEC401: Security Essentials Bootcamp Style | https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling | https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling


SEC560: Network Penetration Testing and Ethical Hacking | https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking


FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics | https://www.sans.org/ondemand/course/advanced-incident-response-threat-hunting-training

____________________


Upcoming Live Online Events:


2-Day Firehose Training | May 26-29

- https://www.sans.org/event/2-day-firehose-training-may27-2020


Cloud Security Summit & Training 2020 | May 26-June 5

- https://www.sans.org/event/cloud-security-summit-2020


Pen Test Hackfest & Cyber Ranges Summit 2020 | June 4-13

- https://www.sans.org/event/rockymountainhackfest-summit-2020


SANSFIRE 2020 | June 13-20

- https://www.sans.org/event/sansfire-2020


2-Day Firehose Training | June 29-30

- https://www.sans.org/event/2-day-firehose-training-jun29-2020


SANS Summer Surge: Wave 1 | July 6-11

- https://www.sans.org/event/sans-surge-summer-series-wave-1


In Person Training:


SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020

______________________


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap


Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee


********************** Sponsored Links: ********************


1) Survey | Share insights into the current state of your organization's cloud incident response capabilities! Survey closes June 15th. http://www.sans.org/info/216380


2) Pen Test HackFest & Cyber Ranges Summit | June 4-13. http://www.sans.org/info/216385


3) Free Virtual Forum | Join Jason Dely for the SANS Oil & Gas Solutions Forum July 10th! http://www.sans.org/info/216390


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft discloses 111 vulnerabilities as part of monthly security update

Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 111 vulnerabilities. Fifteen of the flaws Microsoft disclosed are considered critical. There are also 95 "important" vulnerabilities and six low- and moderate-severity vulnerabilities each. This month's security update also covers security issues in a variety of Microsoft services and software, including SharePoint, Media Foundation and the Chakra scripting engine.

Reference: https://blog.talosintelligence.com/2020/05/microsoft-patch-tuesday-may-2020.html

Snort SIDs: 53916 - 53919, 53924 - 53933, 53940, 53941, 53950, 53951


Title: Adobe releases fixes for 36 vulnerabilities, 12 of which are critical

Description: Adobe disclosed 36 vulnerabilities this week in Acrobat, Reader and DNG. Twelve of the bugs are considered critical. Specifically, in Acrobat, there are six different vulnerabilities that could allow an adversary to execute arbitrary code on the victim machine. The DNG Software Development Kit also contains four heap overflow issues (CVE-2020-9589, CVE-2020-9590, CVE-2020-9620, CVE-2020-9621) that can all lead to remote code execution attacks.

Reference: https://www.zdnet.com/article/adobe-issues-patches-for-36-vulnerabilities-in-dng-reader-acrobat/

Snort SIDs: 53563, 53564, 53485, 53486


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


A study conducted by researchers in the U.S. and U.K. found the COVID Symptom Study app was able to effectively track the spread of the virus and predict infections.

https://www.nytimes.com/2020/05/11/health/coronavirus-symptoms-app.html


Business analytics expert Kaiser Fung says that analysis of COVID-19 mobile app data is problematic because the analytical sample suffers from selection bias.

https://www.wired.com/story/beware-the-lofty-promises-of-covid-19-tracker-apps/


The U.S. Department of Homeland Security has released draft guidelines that strongly advise states not to use online voting during the remaining presidential primaries and the November general election.

https://www.theguardian.com/us-news/2020/may/08/us-government-internet-voting-department-of-homeland-security


Popular cyber security and hacking conferences DEFCON and Black Hat have both been moved entirely online.

https://www.zdnet.com/article/black-hat-and-def-con-security-conferences-to-take-place-in-a-virtual-format/


Video conferencing service Zoom acquired end-to-end encryption service Keybase as Zoom looks to beef up its security credentials.

https://techcrunch.com/2020/05/07/zoom-acquires-keybase-to-get-end-to-end-encryption-expertise/


The FBI and Department of Homeland Security are reportedly preparing a warning to Chinese state-sponsored threat actors after a series of cyberattacks on COVID-19 vaccine researchers.

https://www.nytimes.com/2020/05/10/us/politics/coronavirus-china-cyber-hacking.html


Package logistics company Pitney Bowes was hit with a ransomware attack for the second time in less than a year.

https://www.infosecurity-magazine.com/news/pitney-bowes-hit-by-ransomware-for/


American intelligence agencies unveiled three new malware families believed to be connected to North Korean state-sponsored actors.

https://www.darkreading.com/vulnerabilities---threats/dhs-fbi-and-dod-report-on-new-north-korean-malware/d/d-id/1337795


New information-stealing malware called "Astaroth" is going after Brazilian users with several types of malicious lure documents, most recently using COVID-19-related themes.

https://blog.talosintelligence.com/2020/05/astaroth-analysis.html


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2019-18935

Title:  Telerik Remote Code Execution Vulnerability

Vendor: Telerik

Description: Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability in the RadAsyncUpload function. This is exploitable when the encryption keys are known due to the presence of CVE-2017-11317 or CVE-2017-11357, or other means. Exploitation can result in remote code execution.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-0674

Title:  Microsoft Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID:        CVE-2020-2883

Title:  Oracle WebLogic Server T3 Protocol Deserialization of Untrusted Data Remote Code Execution Vulnerability

Vendor: Oracle

Description: The Oracle WebLogic Server product of Oracle Fusion Middleware (component: Core) contains an easily exploitable vulnerability that allows an unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in takeover of Oracle WebLogic Server.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-11108

Title:  Pi-hole Remote Code Execution Vulnerability

Vendor: Pi-hole

Description: The Gravity updater in Pi-hole allows an authenticated adversary to upload arbitrary files. This can be abused for Remote Code Execution by writing to a PHP file in the web directory. The code error is in gravity_DownloadBlocklistFromUrl in gravity.sh.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-0792

Title:  Microsoft Windows Graphics Component Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when the Windows Graphics Component improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. In a local attack scenario, an attacker could exploit this vulnerability by running a specially crafted application to take control over the affected system.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-12116

Title:  Zoho ManageEngine Arbitrary File Read Vulnerability

Vendor: Zoho

Description: Zoho ManageEngine OpManager allows an unauthenticated attacker to read arbitrary files on the server by sending a crafted request.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


ID:        CVE-2020-1054

Title:  Microsoft Win32k Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES May 7 - 14:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4

MD5: c6dc7326766f3769575caa3ccab71f63

VirusTotal: https://www.virustotal.com/gui/file/fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4/details

Typical Filename: wupxarch.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Ranumbot::in03.talos


SHA 256: dddbfa95401a3f2d9999055b976a0b4ae963e128f7f0d5b043efae29e4306c4a

MD5: 3409ff801cb177f6df26cfec8f4528ae

VirusTotal: https://www.virustotal.com/gui/file/dddbfa95401a3f2d9999055b976a0b4ae963e128f7f0d5b043efae29e4306c4a/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: Eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: Tempmf582901854.exe

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201
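
The hash list above is only useful if it can be turned into something a responder can run against a host. The following Python script is an added example, not code from SANS, Talos or the newsletter: it parses entries written in this section's own "Key: value" layout into records, then checks in-memory data or a directory tree against them by SHA-256. The excerpt embedded in the script is constructed from the five entries above (the VirusTotal lines are left out; the parser ignores any field it does not know). The matching policy is an assumption of this example: SHA-256 is the authoritative match, and MD5 is carried along only as a weaker cross-reference because it is collision-prone.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Constructed excerpt in the newsletter's layout (five entries from this issue).
NEWSLETTER_EXCERPT = """
SHA 256: fb022bbec694d9b38e8a0e80dd0bfdfe0a462ac0d180965d314651a7bc0614f4
MD5: c6dc7326766f3769575caa3ccab71f63
Typical Filename: wupxarch.exe
Claimed Product: N/A
Detection Name: Win.Dropper.Ranumbot::in03.talos

SHA 256: dddbfa95401a3f2d9999055b976a0b4ae963e128f7f0d5b043efae29e4306c4a
MD5: 3409ff801cb177f6df26cfec8f4528ae
Typical Filename: FlashHelperServices.exe
Claimed Product: Flash Helper Services
Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc

SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5
MD5: 8c80dd97c37525927c1e549cb59bcbf3
Typical Filename: Eternalblue-2.2.0.exe
Claimed Product: N/A
Detection Name: W32.85B936960F.5A5226262.auto.Talos

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f
MD5: e2ea315d9a83e7577053f52c974f6a5a
Typical Filename: Tempmf582901854.exe
Claimed Product: N/A
Detection Name: W32.AgentWDCR:Gen.21gn.1201

SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b
MD5: 799b30f47060ca05d80ece53866e01cc
Typical Filename: mf2016341595.exe
Claimed Product: N/A
Detection Name: W32.Generic:Gen.22fz.1201
"""

# Newsletter field labels mapped to record keys; unknown labels (e.g. VirusTotal) are dropped.
FIELD_MAP = {"sha 256": "sha256", "md5": "md5", "typical filename": "filename",
             "claimed product": "product", "detection name": "detection"}

LINE_RE = re.compile(r"^\s*([A-Za-z0-9 ]+?)\s*:\s*(.+?)\s*$")


def parse_iocs(text: str) -> List[Dict[str, str]]:
    """Split the text into blank-line separated entries and keep those with a full SHA-256."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec: Dict[str, str] = {}
        for line in block.splitlines():
            m = LINE_RE.match(line)
            if not m:
                continue
            key = FIELD_MAP.get(m.group(1).lower())
            if key is None:
                continue
            value = m.group(2)
            rec[key] = value.lower() if key in ("sha256", "md5") else value
        if len(rec.get("sha256", "")) == 64:
            records.append(rec)
    return records


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Both digests of an in-memory sample (MD5 kept only as a secondary cross-reference)."""
    return {"sha256": hashlib.sha256(data).hexdigest(), "md5": hashlib.md5(data).hexdigest()}


def match_sample(iocs: List[Dict[str, str]], data: bytes) -> Optional[Dict[str, str]]:
    """Return the record whose SHA-256 equals the sample's, or None (assumed policy: SHA-256 only)."""
    digest = hash_bytes(data)["sha256"]
    return next((rec for rec in iocs if rec["sha256"] == digest), None)


def sweep_directory(iocs: List[Dict[str, str]], root: Path) -> List[Tuple[Path, Dict[str, str]]]:
    """Hash every regular file under root in 1 MiB chunks and report SHA-256 hits."""
    index = {rec["sha256"]: rec for rec in iocs}
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        rec = index.get(h.hexdigest())
        if rec is not None:
            hits.append((path, rec))
    return hits


if __name__ == "__main__":
    iocs = parse_iocs(NEWSLETTER_EXCERPT)
    print(f"loaded {len(iocs)} IoC records")
    # Constructed, benign scratch tree: no hit is expected from this content.
    with tempfile.TemporaryDirectory() as scratch:
        (Path(scratch) / "wupxarch.exe").write_bytes(b"constructed benign placeholder")
        for path, rec in sweep_directory(iocs, Path(scratch)):
            print(f"HIT {path} -> {rec['detection']}")
        print("sweep finished")
```

The sweep matches on content, not on the "Typical Filename" field: a file named wupxarch.exe whose SHA-256 is not in the list is reported as clean, which is the intended behaviour since filenames are trivially changed. A run at scale would additionally log the hits into the SIEM and resolve the MD5 values against older tooling that still keys on them.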


=============================================================


(c) 2020.  All rights reserved.  The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743