OnDemand Training - Best Special Offers of the Year Ending Soon - Learn More

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

July 9, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                July, 9 2020 - Vol. 20, Num. 28


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES July 2 - 9

============================================================


TOP VULNERABILITY THIS WEEK: F5 vulnerability exposes large organizations to attacks


************** Sponsored By AWS Marketplace ****************


Join Dave Shackleford, SANS and Chris Chapman, AWS Marketplace, as they  explore best practices and provide practical guidance on how you can secure all services and surfaces in the AWS cloud. These top industry experts will present real-world use cases and examples of tools you can leverage to protect your investments. | July 16 @ 11:00 AM EDT | http://www.sans.org/info/216890


============================================================

TRAINING UPDATE


Best Special Offers of the Year with OnDemand Cybersecurity Training

Get an 11" iPad Pro w/ Magic Keyboard, a Microsoft Surface Go 2 (256GB SSD), or Take $350 Off with your OnDemand registration through July 22.

- https://www.sans.org/ondemand/specials


SANS now offers THREE ways to complete a course:


OnDemand | Live Online | In-Person:


- https://www.sans.org/ondemand/

- https://www.sans.org/live-online

- https://www.sans.org/cyber-security-training-events/in-person/north-america


Keep your skills sharp with SANS Online Training:

.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications


Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling

SEC560: Network Penetration Testing and Ethical Hacking

- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking

______________________


Upcoming In-Person and Live Online Events:

    

DFIR Summit & Training (Free Summit) | July 16-25 | Live Online

- https://www.sans.org/event/digital-forensics-summit-2020


SANS Rocky Mountain Summer 2020 | Jul 20-25 | Live Online

- https://www.sans.org/event/rocky-mountain-summer-2020


SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online

- https://www.sans.org/event/reboot-nova-2020


SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online

- https://www.sans.org/event/network-security-2020

______________________


Test drive a course: https://www.sans.org/course-preview


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/cyber-security-courses

- https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Take the SANS 2020 Vulnerability Management Survey and be entered for a chance to win a $150 Amazon Gift Card.

| http://www.sans.org/info/216945


2) Webcast | Thursday, July 16, 2020 at 3:30 PM EDT | Join SANS Senior Instructor, Chris Crowley as he presents "Force Multiplier: How we use SOAR to maximize our own SOC analyst efficiency while minimizing fatigue and burnout"

http://www.sans.org/info/216950


3) SANS Oil & Gas Solutions Forum is Tomorrow | Free 1/2 Day Virtual Event | 4 CPE Credits | Join Chairman Jason Dely along with top experts from Swimlane, ThreatConnet, CyberInc, Siemplify, Tripwire and Dispel | Friday, July 10, 2020 starting at 9:30 AM EDT

| http://www.sans.org/info/216955


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Critical remote code execution vulnerability in F5 BIG-IP

Description: BIG-IP is one of the most popular networking products on the modern market. This product is used to shape web traffic, access gateways, limit rates and much more. F5 disclosed a remote code execution over the weekend that was assigned a maximum 10 out of 10 severity score. CVE-2020-5902 is a remote code execution vulnerability in BIG-IP's configuration interface. Users are urged to make their interfaces inaccessible to the internet and patch as soon as possible.

Reference: https://www.helpnetsecurity.com/2020/07/06/exploit-cve-2020-5902/

Snort SIDs: 54462


Title: Google Chrome PDFium memory corruption vulnerability

Description: The PDF renderer inside Google Chrome, known as PDFium, contains a memory corruption vulnerability that could be exploited by an adversary. PDFium is open-source software that is utilized in the Chrome browser and other applications. The software supports the use of JavaScript embedded inside PDFs and other specially crafted documents could corrupt the memory of the application, allowing an adversary to achieve arbitrary code execution inside the browser.

Reference: https://blog.talosintelligence.com/2020/07/vuln-spotlight-chrome-pdfium-corruption-july-2020.html

Snort SIDs: 53599, 53600


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Law enforcement officials in Europe recently dismantled a network of encrypted messages and cell phones where criminals used code names to discuss drug deals and other illicit transactions.

https://www.vice.com/en_us/article/3aza95/how-police-took-over-encrochat-hacked


The US Senate Judiciary Committee approved a revamped version of the EARN IT bill, maintaining that the bill's primary focus is to protect children from exploitation online and not to weaken encryption.

https://www.theverge.com/2020/7/2/21311464/earn-it-act-section-230-child-abuse-imagery-facebook-youtube-lindsey-graham


Researchers say they have found a vulnerability in several popular cryptocurrency wallets that could cause them to display incorrect balances.

https://techcrunch.com/2020/07/01/a-vulnerability-in-some-bitcoin-wallets-leads-to-double-spend-attacks-and-inflated-balance/


Iran blamed state-sponsored attackers for a cyber attack it says led to a fire at its Natanz uranium-enrichment facility and promised retaliation for any future attacks.

https://www.reuters.com/article/us-iran-nuclear-natanz/iran-threatens-retaliation-after-what-it-calls-possible-cyber-attack-on-nuclear-site-idUSKBN2441VY


The years-old Android malware FakeSpy is back infecting users, this time disguising itself as official postal service apps.

https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world


A recent study from German researchers discovered that many home wireless routers had not received a security update in more than a year, and others contained still-unpatched bugs.

https://www.zdnet.com/article/home-router-warning-theyre-riddled-with-known-flaws-and-run-ancient-unpatched-linux/


A new Mac ransomware called "ThiefQuest" steals users' credit card information and login credentials, and lurks in the background as a backdoor for other malware.

https://arstechnica.com/information-technology/2020/07/new-mac-ransomware-is-even-more-sinister-than-it-appears/


A state-sponsored threat actor known as "Cosmic Lynx" is targeting high-profile executives across the globe in business email compromise (BEC) campaigns.

https://www.wired.com/story/russian-hackers-email-scams/


The Lazarus Group APT has added card-skimming to its inventory of attack vectors.

https://threatpost.com/lazarus-group-adds-magecart/157167/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2020-5902

Title:  F5 BIG-IP Remote Code Execution Vulnerability

Vendor: F5

Description: F5 BIG-IP is exposed to remote code execution vulnerability. The vulnerability that has been actively exploited in the wild allows attackers to read files, execute code or take complete control over vulnerable systems having network access.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2019-19781

Title:  Citrix Application Delivery Controller and Gateway Directory Traversal Vulnerability

Vendor: Citrix

Description: A vulnerability exists in Citrix Application Delivery Controller (ADC) formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway that, if exploited, could allow an unauthenticated attacker to perform arbitrary code execution. This vulnerability exploits a directory traversal to execute an arbitrary command payload.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-2021

Title:  Palo Alto Networks PAN-OS Authentication Bypass in SAML Authentication Vulnerability

Vendor: Palo Alto Networks

Description: When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-12828

Title:  AnchorFree OpenVPN SDK Privilege Escalation Vulnerability

Vendor: Pango

Description: An issue was discovered in AnchorFree VPN SDK. The VPN SDK service takes certain executable locations over a socket bound to localhost. Binding to the socket and providing a path where a malicious executable file resides leads to executing the malicious executable file with SYSTEM privileges.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-2012

Title:  Palo Alto Networks PAN-OS XML External Entity Reference Vulnerability

Vendor: Palo Alto Networks

Description: Improper restriction of XML external entity reference ('XXE') vulnerability in Palo Alto Networks Panorama management service allows remote unauthenticated attackers with network access to the Panorama management interface to read arbitrary files on the system.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


ID:        CVE-2020-0796

Title:  Microsoft Windows SMBv3 Client/Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the Microsoft Server Message Block 3.1.1 (SMBv3) protocol handles certain requests. An attacker who successfully exploited the vulnerability could gain the ability to execute code on the target server or client. To exploit the vulnerability against a server, an unauthenticated attacker could send a specially crafted packet to a targeted SMBv3 server.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-9497

Title:  Apache Guacamole Information Disclosure Vulnerability

Vendor: Apache

Description: Apache Guacamole do not properly validate data received from RDP servers via static virtual channels. If a user connects to a malicious or compromised RDP server, specially-crafted PDUs could result in disclosure of information within the memory of the guacd process handling the connection.

CVSS v3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N)


=========================================================


MOST PREVALENT MALWARE FILES July 2 - 9:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188

MD5: a10a6d9dfc0328a391a3fdb1a9fb18db

VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: Win.Exploit.Shadowbrokers::5A5226262.auto.talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/detection

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAntivirusService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::95.sbx.tg


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743