iPad Pro w/ Magic KB, Surface Go 2, or $350 Off with OnDemand Training - Register Now

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure

@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

June 25, 2020


     @RISK: The Consensus Security Vulnerability Alert

                June, 25 2020 - Vol. 20, Num. 26

Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked

Archived issues may be found at http://www.sans.org/newsletters/at-risk








TOP VULNERABILITY THIS WEEK: IndigoDrop campaign spreads Cobalt Strike beacons to government targets, contractors

************* Sponsored By Devo Technology Inc. *************

The Devo SOC Performance Report(TM)

How do integrated investments in people, process, and technology separate high- and low- performing security operations teams?

With research conducted by the Ponemon Institute, the 2020 Devo SOC Performance Report examines how the SOC is changing, and identifies the gaps in people, process, and technology between high- and low-performing SOCs.

| http://www.sans.org/info/216800



SANS Training is 100% Online, with two convenient ways to complete a course:

OnDemand  | Live Online

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online

Keep your skills sharp with SANS Online Training:

.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications

OnDemand Training Special Offer

Flexible Offer with Flexible Training

Choose an iPad Air, an iPad with Smart Keyboard, a Surface Go, or Take $300 Off with OnDemand Training through July 8.

- https://www.sans.org/ondemand/specials

Live Online Training Special Offer

Get a Free GIAC Certification Attempt or Take $350 Off with Live Online Training through July 8.

- https://www.sans.org/live-online/specials

Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling

SEC560: Network Penetration Testing and Ethical Hacking

- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking


Upcoming In Person and Live Online Events:


DFIR Summit & Training (Free Summit) | July 16-25 | Live Online

- https://www.sans.org/event/digital-forensics-summit-2020

SANS Rocky Mountain Summer 2020 | Jul 20-25 | Live Online

- https://www.sans.org/event/rocky-mountain-summer-2020

SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online

- https://www.sans.org/event/reboot-nova-2020

SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online

- https://www.sans.org/event/network-security-2020


Test drive a course: https://www.sans.org/course-preview

View the full SANS course catalog and skills roadmap.

- https://www.sans.org/cyber-security-courses

- https://www.sans.org/cyber-security-skills-roadmap

*********************** Sponsored Links: *********************

1) Webcast | Join SANS Senior Instructor, Dave Shackleford as he discusses "Securing Assets Using Micro-Segmentation: A SANS Review of Guardicore Central"  | June 30, 2020 @ 1:00pm EDT

| http://www.sans.org/info/216820

2) Webcast | Tune in for this incredible webcast as SANS Director of Emerging Security Trends, John Pescatore hosts the "Insights on Remote Access Cybersecurity and Workplace Flexibility - A SANS Whitepaper" | July 8, 2020 @ 12:00pm EDT

| http://www.sans.org/info/216825

3) Malware & Ransomware Solutions Forum | The state of play in the malware and ransomware game continues to change at a rapid pace. Those who are still trying to defend against yesterdays threats will find themselves woefully unprepared to deal with the attacks of today. Join Jake Williams as he discusses innovating new classes of solutions that didn't exist a few short years ago. | July 24, 2020 @ 10:30am EDT

| http://www.sans.org/info/216830




Title: IndigoDrop spreads via military-themed lures to deliver Cobalt Strike

Description: Cisco Talos has observed a malware campaign that utilizes military-themed malicious Microsoft Office documents (maldocs) to spread Cobalt Strike beacons containing full-fledged RAT capabilities. These maldocs use malicious macros to deliver a multistage and highly modular infection. This campaign appears to target military and government organizations in South Asia. Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security.

Reference: https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html

Snort SIDs: 54373 - 54376

Title: Qbot reemerges, goes after American banks

Description: The ever-changing Qbot information-stealing malware is back again and going after U.S.-based banks. Researchers say the malware family has a six-hour cycle that is uses to adapt and avoid detection. Attackers are spreading the malware via phishing emails, publicly reported exploits or malicious file shares. Qbot waits quietly on the victim machine until they visit a bank's website, and then it activates to steal the users' login credentials.

Reference: https://threatpost.com/qbot-trojan-us-banking-customers/156624/

Snort SIDs: 54384 - 54387



The Oracle software used to track users' web usage and serve them targeted ads left a server open on the internet, allowing anyone to see the software's insights.


Threat actors are increasingly relying on CAPTCHAs to avoid automated detection.


The U.S. Internal Revenue Service used cell phone location data to try and track down criminal suspects. (Please note that this story is behind a paywall.)


The FBI used Instagram posts, LinkedIn, and an Etsy review to identify a person suspected of setting two police cars on fire during protests in Philadelphia on May 30.


An IBM survey found that 52 percent of Americans who are working from home during the COVID-19 pandemic are using their personal laptops for work, opening the door for many security exploits.


More than 1,000 Google employees wrote a letter to management asking that the company no longer sell technology to police departments.


Hackers have started enabling multi-factor authentication after compromising accounts to make it more difficult for users to eventually recover their credentials.


A new collection of records called "BlueLeaks" claims to contain thousands of documents stolen from US from law enforcement agency fusion centers.


Foreign policy experts at the United States Studies Centre at the University of Sydney are urging Australia and the US to "name and shame" state-sponsored threat actors attempting to steal COVID-19-related research.


Microsoft is acquiring CyberX, a start-up focused on IoT and industrial control system security.





This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet


ID:        CVE-2020-0022

Title:  Google Android Bluetooth Remote Denial Of Service Vulnerability

Vendor: Google

Description: A remote denial of service vulnerability exists in Google Android. In reassemble_and_dispatch of packet_fragmenter.cc, there is possible out of bounds write due to an incorrect bounds calculation. This could lead to remote code execution over Bluetooth with no additional execution privileges needed.

CVSS v3 Base Score: 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

ID:        CVE-2020-10189

Title:  WPA and WPA2 Disassociation Vulnerability ("Kr00k")

Vendor: Multi-Vendor

Description: An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic.

CVSS v3 Base Score:    9.8 (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

ID:        CVE-2020-1170

Title:  Microsoft Windows Defender Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in Windows Defender that leads arbitrary file deletion on the system. To exploit the vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

CVSS v3 Base Score:    7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID:        CVE-2020-1181

Title:  Microsoft SharePoint Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft SharePoint Server when it fails to properly identify and filter unsafe ASP.Net web controls. An authenticated attacker who successfully exploited the vulnerability could use a specially crafted page to perform actions in the security context of the SharePoint application pool process. To exploit the vulnerability, an authenticated user must create and invoke a specially crafted page on an affected version of Microsoft SharePoint Server.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

ID:        CVE-2020-12388

Title:  Firefox Default Content Process DACL Sandbox Escape Vulnerability

Vendor: Mozilla

Description: The Firefox content processes did not sufficiently lockdown access control which could result in a sandbox escape. Multiple vulnerabilities have been discovered in Mozilla Firefox and Mozilla Firefox ESR. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the logged-on user.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

ID:        CVE-2020-3347

Title:  Cisco Webex Meetings Desktop App for Windows Shared Memory Information Disclosure Vulnerability

Vendor: Cisco

Description: A vulnerability in Cisco Webex Meetings Desktop App for Windows could allow an authenticated, local attacker to gain access to sensitive information on an affected system. The vulnerability is due to unsafe usage of shared memory that is used by the affected software. A successful exploit could allow the attacker to retrieve sensitive information from the shared memory, including usernames, meeting information, or authentication tokens that could aid the attacker in future attacks.

CVSS v3 Base Score: 5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

ID:        CVE-2020-1054

Title:  Microsoft Win32k Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

CVSS v3 Base Score: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)




SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos

SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188

MD5: a10a6d9dfc0328a391a3fdb1a9fb18db

VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc

SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201

SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAntivirusService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg

SHA 256: 8e03f05ecd08cb78f37ccd92c48cd9d357c438112b85bd154e8261c19e38a56e

MD5: 60ba2a4b8ea5982a3a671a9e84f9268c

VirusTotal: https://www.virustotal.com/gui/file/8e03f05ecd08cb78f37ccd92c48cd9d357c438112b85bd154e8261c19e38a56e/details

Typical Filename: Diagnostics.txt

Claimed Product: N/A

Detection Name: Win.Dropper.Shadowbrokers::222044.in02


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743