iPad Pro w/ Magic KB, Surface Go 2, or $350 Off with OnDemand Training - Register Now

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

June 11, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            June 11, 2020 - Vol. 20, Num. 24


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES June 4 - 11

============================================================


TOP VULNERABILITY THIS WEEK: Microsoft Patch Tuesday includes more than 100 vulnerabilities, some critical


******************** Sponsored By Netskope ********************


Join Netskope's Cloud Security Workshop. Are you really ready to provide safe access to cloud services and keep pace with new threats? Register for Netskope's complimentary cloud security workshop! Take control over your web services. Get 5 CPE credits and hands-on experience with Next Gen Secure Web Gateway (SWG) and Zero Trust Network Access (ZTNA) solutions built for the cloud. | http://www.sans.org/info/216680


============================================================

TRAINING UPDATE


SANS Training is 100% Online, with two

convenient ways to complete a course:


OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online


Keep your skills sharp with SANS Online Training:

.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications


Take advantage of the current promotional offer:

Get a Free GIAC Certification Attempt or Take $350 Off with OnDemand or Live Online Training through June 24

https://www.sans.org/online-security-training/specials/

 

Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling

SEC560: Network Penetration Testing and Ethical Hacking

- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking

______________________


Upcoming In Person and Live Online Events:

    

2-Day Firehose Training | June 29-30 | Live Online

- https://www.sans.org/event/2-day-firehose-training-jun29-2020


SANS Summer of Cyber: Week 1 | July 6-17 | Live Online

- https://www.sans.org/event/summer-of-cyber-jul-6


DFIR Summit & Training | July 16-25 | Live Online

- https://www.sans.org/event/digital-forensics-summit-2020


SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online

- https://www.sans.org/event/network-security-2020

______________________


Test drive a course: https://www.sans.org/course-preview


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/courses

- https://www.sans.org/cyber-security-skills-roadmap



********************** Sponsored Links: ********************


1) Get a quick free snapshot of your domain's password vulnerabilities in seconds. Enzoic's password auditor. | http://www.sans.org/info/216665


2) Webcast | A New World of Endpoint Security: Unifying user and endpoint protection | June 17, 2020 @ 1:00 EDT | http://www.sans.org/info/216670


3) SANS Cloud IR Survey | Last chance to participate and share your experiences with the cybersecurity community | Survey closes on June 15, 2020. | http://www.sans.org/info/216675


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Remote code execution bugs in Word, SMB disclosed as part of Patch Tuesday

Description: Microsoft released its monthly security update Tuesday, disclosing more than 120 vulnerabilities across its array of products. While none of the vulnerabilities disclosed have been exploited in the wild, users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation. The security updates cover several different products including the VBScript engine, SharePoint file-sharing service and GDI+.

Reference: https://blog.talosintelligence.com/2020/06/microsoft-patch-tuesday-for-june-2020.html

Snort SIDs: 52213 - 52217, 54191 - 54194, 54219, 54220, 54230 - 54240, 54245 - 54250, 54270 and 54271


Title: Cisco patches vulnerabilities in IOS XE, affecting some industrial routers

Description: Cisco disclosed three critical vulnerabilities in its IOS and IOS XE software and industrial router group. Many of the alerts concern a command injection vulnerability that would allow an adversary to execute arbitrary code on the affected operating system. One of the most severe bugs could allow a remote attacker to obtain an authorization token on the affected system and execute their choice of IOx API commands on the device.

Reference: https://tools.cisco.com/security/center/publicationListing.x

Snort SIDs: 53497 - 53504, 54155, 54159 - 54164


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


New exploit code published online could provide a blueprint to exploiting a wormable vulnerability in Windows.

https://arstechnica.com/information-technology/2020/06/exploiting-wormable-flaw-on-unpatched-windows-devices-is-about-to-get-easier/


Google warned that foreign state-sponsored hackers have targeted the Biden and Trump presidential campaigns.

https://www.reuters.com/article/us-usa-election-alphabet-cyberattack/chinese-and-iranian-hackers-targeted-biden-and-trump-campaigns-google-idUSKBN23B2T9


Car manufacturer Honda says a cyberattack on its global network is affecting production operations.

https://www.ft.com/content/da60f3da-9669-4d50-ac33-144adac28f4b


Researchers say there's been a spike in cyberattacks against organizations fighting racism.

https://blog.cloudflare.com/cyberattacks-since-the-murder-of-george-floyd/


The latest update to the Tor browser aims to make it easier for large corporations to make their .onion addresses more widely available to the public.

https://blog.torproject.org/new-release-tor-browser-95


Private messaging app Signal added a new feature that allows users to blur faces in pictures to protect people's privacy.

https://signal.org/blog/blur-tools/


A study revealed vulnerabilities in the OmniBallot online voting and ballot delivery system that will be used in several US states.

https://www.engadget.com/omniballot-online-voting-security-issues-163315509.html


Multiple federal agencies and local police departments are investing in a new surveillance device that tracks phones on 4G networks; the device is made by the same company that makes Stingray IMSI-catchers.

https://www.vice.com/en_us/article/jgxm3g/crossbow-imsi-catcher-new-stingray


The US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency is warning telecommunications providers to employ strong security measures around 5G cell towers as attacks against 5G infrastructure are increasing.

https://www.cyberscoop.com/5g-cell-towers-attacks-dhs-coronavirus/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2020-9484

Title:  Apache Tomcat Remote Code Execution Vulnerability

Vendor: Apache

Description: When using Apache Tomcat versions if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-0796

Title:  Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-3956

Title:  VMware Cloud Director Code Injection Vulnerability

Vendor: VMware

Description: VMware Cloud Director do not properly handle input leading to a code injection vulnerability. An authenticated actor may be able to send malicious traffic to VMware Cloud Director which may lead to arbitrary remote code execution. This vulnerability can be exploited through the HTML5- and Flex-based UIs, the API Explorer interface and API access.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-13401

Title:  Docker Engine IPv6 Address Spoofing Vulnerability

Vendor: Docker

Description: An issue exists in Docker Engine where an attacker in a container, with the CAP_NET_RAW capability, can craft IPv6 router advertisements, and consequently spoof external IPv6 hosts, obtain sensitive information, or cause a denial of service. A user is able to create containers with CAP_NET_RAW privileges on an affected cluster can intercept traffic from other containers on the host or from the host itself.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1301

Title:  Microsoft Windows SMB Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server.

CVSS v3 Base Score: 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1181

Title:  Microsoft SharePoint Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.Net web controls. An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1206

Title:  Microsoft Windows SMBv3 Client/Server Information Disclosure Vulnerability

Vendor: Microsoft

Description: An information disclosure vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server. To exploit the vulnerability against a client, an unauthenticated attacker would need to configure a malicious SMBv3 server and convince a user to connect to it.

CVSS v3 Base Score: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)


=========================================================


MOST PREVALENT MALWARE FILES June 4 - 11:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188

MD5: a10a6d9dfc0328a391a3fdb1a9fb18db

VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc


SHA 256: 8bf5d91950033ef6f40ffbd2340d8b0add0ffdcbbb4cfd309218d6d0810d85be

MD5: 4709a871ba0c0a3598eb78dadfe90aec

VirusTotal: https://www.virustotal.com/gui/file/8bf5d91950033ef6f40ffbd2340d8b0add0ffdcbbb4cfd309218d6d0810d85be/details

Typical Filename: tapout.exe

Claimed Product: N/A

Detection Name: Win.Dropper.Zudochka::in03.talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/detection

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: Win.Downloader.Generic::1201


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743