@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

May 28, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            May 28, 2020 - Vol. 20, Num. 22


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES May 21 - 28

============================================================


TOP VULNERABILITY THIS WEEK: EVILNUM malware going after financial sector


******************* Sponsored By ExtraHop ******************


Factoring IoT Devices into Detection and Response: A SANS Whitepaper | Thursday, May 28, 2020 at 1:00 PM EDT | This paper explores the growth of enterprise IoT devices and the implications for incident detection and response. The enterprise device landscape is constantly changing; your information security team must adopt practices to easily adapt | http://www.sans.org/info/216495


============================================================

TRAINING UPDATE


SANS Training is 100% Online, with two convenient ways to complete a course:


OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online


Keep your skills sharp with SANS Online Training:


- The world's top cybersecurity courses

- Taught by real world practitioners

- Ideal preparation for more than 30 GIAC Certifications


Test drive a course: https://www.sans.org/course-preview


For a limited time, choose an iPad Air with Smart Keyboard, or Surface GO, or Take $300 Off with OnDemand or Live Online training. Special offer expires June 10.

https://www.sans.org/online-security-training/specials/


Hot OnDemand Courses:


SEC401: Security Essentials Bootcamp Style | https://www.sans.org/ondemand/course/security-essentials-bootcamp-style


SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling | https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling


SEC560: Network Penetration Testing and Ethical Hacking | https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking

____________________


Upcoming Live Online Events:


Pen Test Hackfest & Cyber Ranges Summit 2020  (Free Summit) | June 4-13

- https://www.sans.org/event/rockymountainhackfest-summit-2020


SANSFIRE 2020 | June 13-20

- https://www.sans.org/event/sansfire-2020


2-Day Firehose Training | June 29-30

- https://www.sans.org/event/2-day-firehose-training-jun29-2020


SANS Summer of Cyber: Week 1 | July 6-11

- https://www.sans.org/event/summer-of-cyber-jul-6


DFIR Summit & Training | July 16-25

- https://www.sans.org/event/digital-forensics-summit-2020


In Person Training:


SANS Network Security 2020 | Las Vegas, NV | September 20-27

- https://www.sans.org/event/network-security-2020

______________________


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap


Any course you have or will purchase is protected by the SANS Training Guarantee.

- https://www.sans.org/training-guarantee


********************** Sponsored Links: *********************


1) Take the SANS Cloud Incident Response Survey and share your knowledge with the SANS community | https://survey.sans.org/jfe/form/SV_5bFOAKda8p1dVit


2) Upcoming webcast May 28 at 10:30 AM EDT | How Dangerous File Uploads Disrupt Business-Critical Web & Mobile Apps | https://www.sans.org/webcasts/dangerous-file-uploads-disrupt-business-critical-web-mobile-apps-114940


3) SANS Oil & Gas Solutions Forum: Objective-based Security Drives Effective Solutions | Free virtual event Friday, July 10, 2020 at 9:30 AM EDT | https://www.sans.org/webcasts/112760


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Threat actors keep updating the EVILNUM malware to carry out various attacks across the financial sector

Description: The EVILNUM malware family is continuously adding anti-detection techniques as its owners target various organizations in the financial sector. The actors use EVILNUM in conjunction with Cardinal RAT to infect systems. In the past, the actors have targeted organizations in Israel, but researchers say there are no clues to where they may strike next. As of earlier this month, only eight anti-virus detection engines on VirusTotal were detecting this malware.

Reference: https://www.cyberscoop.com/evilnum-financial-malware-prevailion/

Snort SIDs: 54040 - 54045


Title: Adversaries use SaltStack vulnerabilities to go after data centers

Description: Attackers are using two recently disclosed vulnerabilities in the SaltStack automation software to target data centers. Adversaries quickly reverse-engineered the exploits after SaltStack disclosed the bugs. So far, victims have only been hit with cryptocurrency mining malware, but users are still urged to patch SaltStack, an open-source, Python-based software, as soon as possible.

Reference: https://www.datacenterknowledge.com/security/hackers-exploiting-saltstack-vulnerability-hit-data-centers

Snort SIDs: 54030 - 54033


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


A previously unknown tool from the Grayshift group can allow law enforcement agencies to secretly record users' iPhone passcodes when they enter them into the device.

https://9to5mac.com/2020/05/20/capture-an-iphone-passcode/


The new Unc0ver tool allows users to jailbreak iOS versions 11 to 13.5.

https://www.wired.com/story/apple-ios-unc0ver-jailbreak/


The infamous NSO Group reportedly used spoofed Facebook URLs to entice users into downloading spyware onto their mobile devices.

https://www.vice.com/en_us/article/qj4p3w/nso-group-hack-fake-facebook-domain


British security researchers say threat groups are increasingly targeting users who are working remotely during the COVID-19 pandemic.

https://www.theguardian.com/technology/2020/may/24/hacking-attacks-on-home-workers-see-huge-rise-during-lockdown


The Red Cross is urging national governments to pursue threat actors who target health care organizations and take more decisive action against them.

https://tech.newstatesman.com/security/red-cross-open-letter-healthcare-cyber-attacks-covid-19


At least four US states have warned individuals who applied for COVID-19 unemployment relief that their personal data may have been leaked.

https://www.nbcnews.com/tech/security/four-states-warn-unemployment-benefits-applicants-about-data-leaks-n1212431


Signal, an encrypted messaging app, is rolling out a new PIN feature for users to recover their data if they lose or need to replace their device.

https://signal.org/blog/signal-pins/


Security researchers uncovered ways to track military personnel using the popular Untappd beer-rating app.

https://www.bellingcat.com/news/2020/05/18/military-and-intelligence-personnel-can-be-tracked-with-the-untappd-beer-app/


Facial recognition algorithms are already adapting to more individuals wearing face coverings in public.

https://www.cnet.com/news/your-face-mask-selfies-could-be-training-the-next-facial-recognition-tool/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


ID:        CVE-2020-0096

Title:  Google Android Elevation of Privilege Vulnerability

Vendor: Google

Description: Android is a mobile operating system based on a modified version of the Linux kernel and other open source software, designed primarily for touchscreen mobile devices such as smartphones and tablets. In startActivities of ActivityStartController.java, there is a possible escalation of privilege due to a confused deputy. This could lead to local escalation of privilege with no additional execution privileges needed.  

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-9484

Title:  Apache Tomcat Remote Code Execution Vulnerability

Vendor: Apache

Description: When using affected versions of Apache Tomcat, if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker-provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
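Condition c) above is a configuration choice, so it can be checked and closed in the application's context.xml. The following is an added illustration, not text from the newsletter or from Apache: the first Manager block leaves the filter at its "null" default, the second restricts which attribute value classes may be written to and read back from the FileStore. The session directory name and the com.example.app.UserSession class are placeholders.

```xml
<!-- Added example (not from the newsletter or the Tomcat project): two alternative
     context.xml bodies for a web application using PersistentManager with FileStore.
     Condition c) of CVE-2020-9484 is met by the first, weak form. -->

<!-- WEAK: sessionAttributeValueClassNameFilter is not set, so the default "null"
     applies and any class on the server's classpath may be deserialized from a
     session file that FileStore loads. "sessions" is an assumed directory name. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
</Context>

<!-- HARDENED: the regular expression is matched against the fully qualified class
     name of every attribute value before it is persisted or loaded; only the listed
     JDK value types and the application's own session class (a placeholder here)
     pass. warnOnSessionAttributeFilterFailure logs rejected attributes so that an
     over-tight filter shows up in catalina.out instead of failing silently. -->
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)|com\.example\.app\.UserSession"
           warnOnSessionAttributeFilterFailure="true">
    <Store className="org.apache.catalina.session.FileStore"
           directory="sessions"/>
  </Manager>
</Context>
```

Tightening the filter removes one of the four required conditions; it complements, rather than replaces, moving to a fixed Tomcat release.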


ID:        CVE-2020-1048

Title:  Microsoft Windows Print Spooler Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-3153

Title:  Cisco AnyConnect Secure Mobility Client Vulnerability

Vendor: Cisco

Description: A vulnerability in the installer component of Cisco AnyConnect Secure Mobility Client for Windows could allow an authenticated local attacker to copy user-supplied files to system level directories with system level privileges. The vulnerability is due to the incorrect handling of directory paths. An attacker could exploit this vulnerability by creating a malicious file and copying the file to a system directory. An exploit could allow the attacker to copy malicious files to arbitrary locations with system level privileges.

CVSS v3 Base Score: 6.5 (AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)


ID:        CVE-2020-8617

Title:  ISC BIND Denial of Service Vulnerability

Vendor: Multi-Vendor

Description: Using a specially crafted message, an attacker may potentially cause a BIND server to reach an inconsistent state if the attacker knows (or successfully guesses) the name of a TSIG key used by the server. Since BIND, by default, configures a local session key even on servers whose configuration does not otherwise make use of it, almost all current BIND servers are vulnerable. A remote attacker could use this issue to cause BIND to crash, resulting in a denial of service, or possibly perform other attacks.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)


ID:        CVE-2019-7192

Title:  QNAP Pre-Auth Root Remote Code Execution Vulnerability

Vendor: Qnap

Description: QTS (QNAP Turbo NAS System) is a Turbo NAS operating system, providing file storage, backup, disaster recovery, security management and virtualization applications for businesses, as well as multimedia applications. This improper access control vulnerability allows remote attackers to gain unauthorized access to the system.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-12720

Title:  vBulletin Remote SQL Injection Vulnerability

Vendor: vBulletin

Description: A remote SQL injection vulnerability exists in vBulletin. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES May 21 - 28:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b

MD5: 42143a53581e0304b08f61c2ef8032d7

VirusTotal: https://www.virustotal.com/gui/file/64f3633e009650708c070751bd7c7c28cd127b7a65d4ab4907dbe8ddaa01ec8b/details

Typical Filename: JPMorganChase Instructions SMG 82749206.pdf

Claimed Product: N/A

Detection Name: Pdf.Phishing.Phishing::malicious.tht.talos


SHA 256: dddbfa95401a3f2d9999055b976a0b4ae963e128f7f0d5b043efae29e4306c4a

MD5: 3409ff801cb177f6df26cfec8f4528ae

VirusTotal: https://www.virustotal.com/gui/file/dddbfa95401a3f2d9999055b976a0b4ae963e128f7f0d5b043efae29e4306c4a/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc


SHA 256: 28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e

MD5: b065af93b5fd551526705b5968d0ca10

VirusTotal: https://www.virustotal.com/gui/file/28c33a9676f04274b2868c1a2c092503a57d38833f0f8b964d55458623b82b6e/details

Typical Filename: vscekgp.exe

Claimed Product: NTLM Shared Functionality

Detection Name: W32.28C33A9676-100.SBX.TG


SHA 256: a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776

MD5: 5d34464531ddbdc7b0a4dba5b4c1cfea

VirusTotal: https://www.virustotal.com/gui/file/a545df34334b39522b9cc8cc0c11a1591e016539b209ca1d4ab8626d70a54776/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.Adware.Flashserv::in03.talos


=============================================================


(c) 2020. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743