

@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and (4) other valuable data.

A key purpose of @RISK is to provide the data that ensures the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) remain the most effective defenses against all known attack vectors. Because it is also valuable to security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who want to stay current with the offensive methods in use.

May 21, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            May 21, 2020 - Vol. 20, Num. 21


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES May 14 - 21

============================================================


TOP VULNERABILITY THIS WEEK: Gh0st RAT part of large-scale spying campaign in Asia


******************** Sponsored By SANS ******************


Exciting News: SANS Rocky Mountain HackFest is now Pen Test HackFest & Cyber Ranges Summit. The best part? This Summit is now FREE to attend. Whether you have red team, pen testing, forensics, or cyber defense experience, this Summit will broaden your knowledge and help you better protect your organization. Join us Live Online June 4-5 for Virtual Summit Talks & Panel Discussions, SANS Cyber Ranges: NetWars & Jupiter Rockets, and Networking Opportunities, via Virtual Chat Rooms. Learn more and register now. http://www.sans.org/info/216435


============================================================

TRAINING UPDATE


SANS Training is 100% Online, with two convenient ways to complete a course:


OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online


Keep your skills sharp with SANS Online Training:


- The world's top cybersecurity courses

- Taught by real world practitioners

- Ideal preparation for more than 30 GIAC Certifications


Test drive a course: https://www.sans.org/course-preview


Choose a great promo offer* through May 27 with OnDemand or Live Online training:


*    Get a 10.2" iPad (32G) with Smart Keyboard

*    Train-From-Home Tech Package: Apple TV 4K (64G) with AirPods Pro

*    Take $300 Off


*Restrictions apply, see Terms & Conditions online

https://www.sans.org/online-security-training/specials/


Hot OnDemand Courses:


SEC401: Security Essentials Bootcamp Style | https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling | https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling


SEC560: Network Penetration Testing and Ethical Hacking | https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking


FOR508: Advanced Incident Response, Threat Hunting, and Digital Forensics | https://www.sans.org/ondemand/course/advanced-incident-response-threat-hunting-training

____________________


Upcoming Live Online Events:


Pen Test Hackfest & Cyber Ranges Summit 2020 (Free Summit) | June 4-13

- https://www.sans.org/event/rockymountainhackfest-summit-2020


SANSFIRE 2020 | June 13-20

- https://www.sans.org/event/sansfire-2020


2-Day Firehose Training | June 29-30

- https://www.sans.org/event/2-day-firehose-training-jun29-2020


SANS Summer Surge: Wave 1 | July 6-11

- https://www.sans.org/event/sans-surge-summer-series-wave-1


In Person Training:


SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020


DFIR Summit & Training | July 16-25

- https://www.sans.org/event/digital-forensics-summit-2020

______________________


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap


Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee


********************** Sponsored Links: ********************


1) Oil & Gas Solutions Forum | Friday, July 10 | Free virtual event with Jason Dely and guest speakers! http://www.sans.org/info/216440


2) Survey | Share your perception of using firewalls inside the modern enterprise! http://www.sans.org/info/216445


3) Missed this webcast? SANS 2020 Automation and Integration Survey Results. View here: http://www.sans.org/info/216450


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Researchers believe Gh0st RAT played large role in Asian spying campaign

Description: A joint analysis from two security firms found that malicious actors are using the Gh0st RAT backdoor to conduct espionage campaigns across Asia. The targets allegedly include a government agency, a telecommunications company and a gas company. The RAT allows the adversaries to take screenshots, execute console commands and exfiltrate data to a command and control (C2) server.

Reference: https://www.cisomag.com/a-joint-analysis-reveals-apt-group-spying-activities/

Snort SIDs: 53961, 53962


Title: DenDroid variant goes after Android users in Thailand

Description: Android users in Thailand are being targeted by a modified version of DenDroid that researchers at Cisco Talos are calling "WolfRAT," which goes after messaging apps such as WhatsApp, Facebook Messenger and Line. Talos assesses with high confidence that this modified version is operated by the infamous Wolf Research. The actor has shown a surprising level of amateurism, including code overlaps, copy/paste from open-source projects, classes that are never instantiated, unstable packages and unsecured panels.

Reference: https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html

Snort SID: 54004


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Several so-called "malware testing services" are offering to fix flaws in adversaries' code, closing the weaknesses that researchers could otherwise use to detect or analyze the malware.

https://krebsonsecurity.com/2020/05/this-service-helps-malware-authors-fix-flaws-in-their-code/


Ukrainian officials arrested the alleged hacker behind a massive data dump that exposed more than 770 million email addresses last year.

https://www.pcmag.com/news/hacker-behind-last-years-collection1-data-dump-arrested-in-ukraine


Google Chrome will begin blocking online advertisements that use up too much of the user's memory and device power, using several metrics to determine if an ad is too resource-heavy.

https://venturebeat.com/2020/05/14/chrome-will-start-blocking-resource-heavy-ads-in-august/


The popular video game "Call of Duty" now requires two-factor authentication to access some online modes, in an effort to deter cheaters.

https://www.vice.com/en_us/article/3azzyn/call-of-duty-warzone-cheaters-2fa-cellphone-number


Three vulnerabilities in Adobe Acrobat Reader could be used in conjunction with one another to allow an adversary to gain root access to some macOS machines.

https://rekken.github.io/2020/05/14/Security-Flaws-in-Adobe-Acrobat-Reader-Allow-Malicious-Program-to-Gain-Root-on-macOS-Silently/


Microsoft announced plans last week to make all its COVID-19 threat intelligence open-source to help organizations protect against threats built to capitalize on the pandemic.

https://www.microsoft.com/security/blog/2020/05/14/open-sourcing-covid-threat-intelligence/


British budget airline easyJet was the victim of a data breach; the company says the attack compromised information belonging to about 9 million customers.

https://www.theguardian.com/business/2020/may/19/easyjet-hacking-attack-what-to-do-customers


Israeli state-sponsored actors appear to be behind a disruptive attack on an Iranian port.

https://www.washingtonpost.com/national-security/officials-israel-linked-to-a-disruptive-cyberattack-on-iranian-port-facility/2020/05/18/9d1da866-9942-11ea-89fd-28fb313d1886_story.html


Adversaries hoping to capitalize on the COVID-19 pandemic are overloading states' unemployment portals by submitting fraudulent claims using stolen data.

https://www.nytimes.com/2020/05/16/us/coronavirus-unemployment-fraud-secret-service-washington.html


The U.S. Department of Justice is blaming Apple's encryption for delaying the discovery of the terrorist group al-Qaida's connection to a mass shooting at a Naval base in December.

https://arstechnica.com/tech-policy/2020/05/feds-want-apple-to-weaken-crypto-after-al-qaida-ties-found-on-shooters-iphone/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2020-1048

Title:  Microsoft Windows Print Spooler Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-3153

Title:  Cisco AnyConnect Secure Mobility Client Vulnerability

Vendor: Cisco

Description: A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges.

CVSS v3 Base Score: 6.5 (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)


ID:        CVE-2020-0674

Title:  Microsoft Windows Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)


ID:        CVE-2019-0685

Title:  Microsoft Windows Win32k Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-11022

Title:  jQuery Cross Site Scripting Vulnerability

Vendor: Multi-Vendor

Description: In jQuery versions 1.2 and later but before 3.5.0, passing HTML from untrusted sources (even after sanitizing it) to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. Successful exploitation of this vulnerability could lead to disclosure of sensitive information or addition or modification of data. The issue is fixed in jQuery 3.5.0.

CVSS v3 Base Score: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
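The root cause, as an added example (this is not jQuery's code and not from the newsletter; the regex and replacement are reproduced from jQuery 3.4.1's htmlPrefilter, the tokenizer is a deliberately simplified stand-in for a browser's HTML parser, and the payload is constructed here): jQuery before 3.5.0 rewrote self-closing tags such as <style/> into <style></style> after the application had already sanitized the string, so markup a sanitizer saw as inert text inside a raw-text element became real elements when jQuery inserted it.

```javascript
// Added example, not jQuery's code and not from the newsletter. It reproduces
// the root cause of CVE-2020-11022: jQuery < 3.5.0 passed every HTML string
// given to .html(), .append(), etc. through htmlPrefilter, which expanded
// self-closing tags such as "<style/>" into "<style></style>". Because that
// rewrite ran AFTER the application's sanitizer, markup the sanitizer saw as
// inert text could become live elements at insertion time.

// Regex and replacement as in jQuery 3.4.1's htmlPrefilter.
const rxhtmlTag =
  /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([a-z][^\/\0>\x20\t\r\n\f]*)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(rxhtmlTag, "<$1></$2>");
}

// jQuery 3.5.0 fix: the prefilter no longer touches the string.
function patchedHtmlPrefilter(html) {
  return html;
}

// Deliberately simplified stand-in for a browser's HTML parser. The one rule
// that matters here: <style>, <script>, <textarea> and <title> are raw-text
// elements, so everything up to their end tag is text, not markup. Returns the
// tag names the parser would turn into actual elements.
const RAW_TEXT_ELEMENTS = new Set(["style", "script", "textarea", "title"]);

function elementTags(html) {
  const tags = [];
  const tagRe = /<\/?([a-zA-Z][^\s\/>]*)[^>]*>/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (m[0][1] === "/") continue;          // end tag, creates no element
    const name = m[1].toLowerCase();
    tags.push(name);
    if (RAW_TEXT_ELEMENTS.has(name)) {
      const closeRe = new RegExp("</" + name + "\\s*>", "ig");
      closeRe.lastIndex = tagRe.lastIndex;  // resume after the start tag
      const close = closeRe.exec(html);
      if (close === null) break;            // unterminated: rest is text
      tagRe.lastIndex = closeRe.lastIndex;  // skip the raw-text body
    }
  }
  return tags;
}

// Elements that exist only because the prefilter rewrote the sanitized string.
function elementsIntroducedBy(prefilter, sanitizedHtml) {
  const before = elementTags(sanitizedHtml);
  const after = elementTags(prefilter(sanitizedHtml));
  return after.filter((t) => !before.includes(t));
}

// Constructed payload for this example. A DOM-based sanitizer that permits
// <style> parses the "<style/><img ...>" part as text inside the style element
// and serializes it back unchanged, so the string survives sanitization.
const SANITIZED_PAYLOAD = "<style><style/><img src=x onerror=alert(1)></style>";

if (typeof require !== "undefined" && require.main === module) {
  console.log("elements before prefilter:", elementTags(SANITIZED_PAYLOAD));
  console.log("string after jQuery < 3.5.0 prefilter:", legacyHtmlPrefilter(SANITIZED_PAYLOAD));
  console.log("elements introduced (jQuery < 3.5.0):", elementsIntroducedBy(legacyHtmlPrefilter, SANITIZED_PAYLOAD));
  console.log("elements introduced (jQuery >= 3.5.0):", elementsIntroducedBy(patchedHtmlPrefilter, SANITIZED_PAYLOAD));
}
```

Upgrading to jQuery 3.5.0 or later removes the rewrite entirely. For applications that cannot upgrade yet, overriding jQuery.htmlPrefilter with an identity function (the same behaviour as patchedHtmlPrefilter above) mirrors the fix; either way, sanitization belongs on the server side, because a client-side library is not a trust boundary.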


ID:        CVE-2020-5837

Title:  Symantec Endpoint Protection Elevation of Privilege Vulnerability

Vendor: Symantec

Description: Symantec Endpoint Protection may not respect file permissions when writing to log files that have been replaced by symbolic links, which can lead to a potential elevation of privilege.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1015

Title:  Microsoft Windows Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in the way that the User-Mode Power Service (UMPS) handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2019-0887

Title:  Microsoft Remote Desktop Services Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Remote Desktop Services (formerly known as Terminal Services) when an authenticated attacker abuses clipboard redirection. An attacker who successfully exploited this vulnerability could execute arbitrary code on the victim system.

CVSS v3 Base Score: 7.2 (AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES May 14 - 21:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b

MD5: 42143a53581e0304b08f61c2ef8032d7

VirusTotal: https://www.virustotal.com/gui/file/64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b/details

Typical Filename: JPMorganChase Instructions SMG 82749206.pdf

Claimed Product: N/A

Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos


SHA 256: dddbfa95401a3f2d9999055b976a0b4ae963e128f7f0d5b043efae29e4306c4a

MD5: 3409ff801cb177f6df26cfec8f4528ae

VirusTotal: https://www.virustotal.com/gui/file/dddbfa95401a3f2d9999055b976a0b4ae963e128f7f0d5b043efae29e4306c4a/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc


SHA 256: 28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e

MD5: b065af93b5fd551526705b5968d0ca10

VirusTotal: https://www.virustotal.com/gui/file/28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e/details

Typical Filename: vscekgp.exe

Claimed Product: NTLM Shared Functionality

Detection Name: W32.28C33A9676-100.SBX.TG


SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776

MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea

VirusTotal: https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.Adware.Flashserv::in03.talos


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 11200 Rockville Pike, Suite 200 North Bethesda, MD 20852