
@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

June 4, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            June 04, 2020 - Vol. 20, Num. 23


Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES: May 28 - June 4

============================================================


TOP VULNERABILITY THIS WEEK: Mokes malware hidden behind fake expired certificate alerts


******************** Sponsored By SANS *********************


Take the SANS 2020 Firewalls in the Modern Enterprise Survey | Share your perception of the use of firewalls inside the modern enterprise and how your organization is using firewalls! Survey closes June 24th | http://www.sans.org/info/216600


============================================================

TRAINING UPDATE


SANS Training is 100% Online, with two convenient ways to complete a course:


OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online


Keep your skills sharp with SANS Online Training:

- The world's top cybersecurity courses

- Taught by real world practitioners

- Ideal preparation for more than 30 GIAC Certifications


Take advantage of the current promotional offer

Featuring a Free iPad Air w/Smart Keyboard, Surface GO, or $300 Off through June 10

https://www.sans.org/online-security-training/specials/

 ______________________


Upcoming In Person and Live Online Events:

    

SANSFIRE 2020 | June 13-20 | Live Online

- https://www.sans.org/event/sansfire-2020


2-Day Firehose Training | June 29-30 | Live Online

- https://www.sans.org/event/2-day-firehose-training-jun29-2020


SANS Summer of Cyber: Week 1 | July 6-11 | Live Online

- https://www.sans.org/event/summer-of-cyber-jul-6


DFIR Summit & Training | July 16-25 | Live Online

- https://www.sans.org/event/digital-forensics-summit-2020


SANS Network Security 2020 | September 20-27 | Las Vegas, NV or Live Online

- https://www.sans.org/event/network-security-2020

______________________


Test drive a course: https://www.sans.org/course-preview


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Webcast June 18th at 2PM EDT | How to Prioritize Security Controls for Sensitive AWS Assets | http://www.sans.org/info/216605


2) Webcast June 10th at 2PM EDT | Getting Engineering and Security Teams Building Together | http://www.sans.org/info/216610


3) Webcast June 11th at 12PM EDT | How to Eliminate Alert Fatigue by Turbo-Charging Splunk Phantom with Corelight NSM | http://www.sans.org/info/216615


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Fake certificate expiration notices used to plant Mokes malware

Description: Attackers are compromising websites and displaying fake notifications that the site's certificate has expired. The URL bar still shows the legitimate URL, but a fake image covering the entire window states that "Security Certificate is out of date." If the user clicks the button to download the "updated" certificate, they are infected with the Buerak downloader and Mokes malware.

Reference: https://www.tripwire.com/state-of-security/security-data-protection/expired-certificates-used-as-disguise-to-spread-buerak-mokes-malware/

Snort SIDs: 54097 - 54106


Title: Variant of ZeuS malware available for sale online

Description: Attackers are selling a new fork of the infamous ZeuS banking trojan. Known as "Silent Night," the malware appears to date back to November, according to the security researchers who discovered it. Silent Night is currently for sale on a Russian dark web forum. It fetches the core malicious module and injects it into other running processes, showing techniques and code very similar to ZeuS.

Reference: https://blog.malwarebytes.com/threat-analysis/2020/05/the-silent-night-zloader-zbot/

Snort SIDs: 54093, 54094


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Minneapolis's city computer systems and websites were hit with a distributed denial-of-service (DDoS) attack late last week; the majority of systems were operating as usual within a few hours.

https://www.govtech.com/security/Minneapolis-Hit-with-DDoS-Attack-amid-Social-Unrest.html


Hackers claimed that email addresses and passwords posted to the web were stolen from the Minneapolis police department; closer examination of the information suggests that it came from other, unrelated breaches.

https://www.troyhunt.com/analysing-the-alleged-minneapolis-police-department-hack/


A report from the World Economic Forum describes how lessons learned from the COVID-19 pandemic can inform preparations for a global cyberattack.

https://www.weforum.org/agenda/2020/06/covid-19-pandemic-teaches-us-about-cybersecurity-cyberattack-cyber-pandemic-risk-virus/


A bipartisan bill in the US Senate would prohibit any commercial use of data collected by COVID-19 tracing apps and would allow users to request that their data be deleted.

https://www.washingtonpost.com/technology/2020/06/01/contact-tracing-congress-privacy/


As employees start to return to physical offices, some companies are turning to monitoring apps to keep track of whether employees are sick or have been in contact with other sick people.

https://www.buzzfeednews.com/article/carolinehaskins1/coronavirus-private-contact-tracing


Older versions of Android are vulnerable to a security flaw that could allow an attacker to secretly steal private information off mobile devices.

https://www.inc.com/minda-zetlin/security-flaw-means-malware-could-steal-data-from-android-devices.html


A GitHub report details an open-source supply chain attack that affected at least 26 code repositories.

https://www.zdnet.com/article/github-warns-java-developers-of-new-malware-poisoning-netbeans-projects/


The American Civil Liberties Union is suing facial recognition startup Clearview AI for allegedly violating an Illinois privacy law.

https://www.theverge.com/2020/5/28/21273388/aclu-clearview-ai-lawsuit-facial-recognition-database-illinois-biometric-laws


Google patched dozens of vulnerabilities in its Android operating system, including two critical remote code execution vulnerabilities.

https://arstechnica.com/information-technology/2020/06/google-fixes-android-flaws-that-allow-code-execution-with-high-system-rights/



=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.


=========================================================


MOST PREVALENT MALWARE FILES: May 28 - June 4

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188

MD5: a10a6d9dfc0328a391a3fdb1a9fb18db

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/detection

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201



=============================================================


(c) 2020.  All rights reserved.  The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters) or to update a current subscription, visit https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743