OnDemand Training - Best Special Offers of the Year Ending Soon - Learn More

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

July 23, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                July, 23 2020 - Vol. 20, Num. 30


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES July 16 - 23

============================================================


TOP VULNERABILITY THIS WEEK: CISA urges users to patch SAP to fix critical vulnerability


***************  Sponsored By Dragos, Inc.  *****************


Dragos White Paper: Map Cyber Threats to MITRE ATT&CK for ICS


MITRE ATT&CK for ICS is a framework to identify threat behaviors based on the tactics and techniques of ICS threats. Read this white paper to find out how to apply the MITRE ATT&CK for ICS framework to improve your threat detection and response.

| http://www.sans.org/info/217100


============================================================

TRAINING UPDATE


Best Special Offers of the Year are Available Now with OnDemand

Choose a MacBook Air, Surface Pro 7, or Take $350 Off through August 5.

- https://www.sans.org/ondemand/specials


SANS now offers THREE ways to complete a course:


OnDemand | Live Online | In-Person:

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online

- https://www.sans.org/cyber-security-training-events/in-person/north-america


Keep your skills sharp with SANS Online Training:

.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications


Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling

SEC560: Network Penetration Testing and Ethical Hacking

- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking

______________________


Upcoming In-Person and Live Online Events:


Instructor-Led Training | August 3-8 | Live Online

- https://www.sans.org/event/live-online-aug3-2020-mdt

    

SANS Reboot - NOVA 2020 | August 10-15 | Arlington, VA or Live Online

- https://www.sans.org/event/reboot-nova-2020


SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online

- https://www.sans.org/event/baltimore-fall-2020


SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online

- https://www.sans.org/event/network-security-2020

______________________


Test drive a course: https://www.sans.org/course-preview


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/cyber-security-courses

- https://www.sans.org/cyber-security-skills-roadmap



********************** Sponsored Links: ********************


1) Survey | It's as easy as 1, 2, 3...Take the SANS 2020 Risk Based Vulnerability Survey and be entered for a chance to win a $150 Amazon Gift Card!

http://www.sans.org/info/217105


2) Survey Results | Join John Pescatore as he presents the results for the SANS 2020 SOC Survey| June 29 @ 1:00 PM EDT

| http://www.sans.org/info/217110


3) Webcast | July 29 @ 10:30 AM EDT | We are only 8 days away from our informative webcast hosted by SANS Instructor Matt Bromiley: "Browser Isolation: A SANS Review of Cyberinc's Isla"

| http://www.sans.org/info/217115


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: SAP systems vulnerability could allow adversaries to create new user accounts, execute code

Description: The U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) released a warning last week urging SAP admins to update their systems as soon as possible to fix a critical vulnerability. CVE-2020-6287 affects the SAP NetWeaver Application Server's Java component LM Configuration Wizard. An attacker could exploit this bug to obtain unrestricted access to SAP systems, allowing them to create their own user accounts and executing arbitrary system commands.

References: https://www.infosecurity-magazine.com/news/cisa-patch-critical-sap-recon-bug/

Snort SIDs: 54571 - 54574


Title: Cisco discloses 33 vulnerabilities in small business routers, firewalls

Description: Cisco disclosed 33 vulnerabilities in their RV series of routers and firewalls earlier this month. The products mainly service small business environments. One of the bugs, CVE-2020-3330, could allow an adversary to completely take over a device if the user hadn't reset the default admin credentials that came pre-installed on the device. There is also a critical privilege escalation vulnerability in Prime License Manager.

References: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv110w-static-cred-BMTWBWTy


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-rv-rce-AQKREqp


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-code-exec-wH3BNFb


https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-prime-priv-esc-HyhwdzBA

Snort SIDs: 54538 - 54567


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


More information is emerging about the massive Twitter hack last week that led to several high-profile accounts being taken over and used in a Bitcoin scam. A new report from the New York Times found that the group behind the hack does not have ties to state-sponsored actors.

https://www.nytimes.com/2020/07/17/technology/twitter-hackers-interview.html


A full breakdown of the intrusion from Twitter found that the hackers targeted 130 accounts, took control of 45 of those accounts, and downloaded information from eight of the compromised accounts.

https://www.reuters.com/article/us-twitter-cyber/twitter-says-attackers-downloaded-data-from-up-to-eight-non-verified-accounts-idUSKBN24J068


The Twitter incident also shows what attackers can do when humans come into the equation, proving once again that employees are sometimes an organization's biggest security weakness.

https://slate.com/technology/2020/07/twitter-hack-human-weakness.html


Israel says it fended off a state-sponsored attack on its water infrastructure for the second time this year.

https://www.timesofisrael.com/cyber-attacks-again-hit-israels-water-system-shutting-agricultural-pumps/


A new report from the British government urged parliament and the prime minister to take immediate action against Russia for its inference in national elections, saying the government "badly underestimated" the threat Russian actors posed.

https://www.bbc.com/news/uk-politics-53484344


As China and the U.S. continue to trade barbs over TikTok and other Chinese-created apps, security experts say TikTok's policies align with many other popular, American social media apps.

https://www.wired.com/story/tiktok-ban-us-national-security-risk/


American prosecutors charged two Chinese nationals for an alleged large-scale cyber campaign aimed at stealing information related to COVID-19 research.

https://www.cnn.com/2020/07/21/politics/china-hackers-coronavirus/index.html


Diebold Nixdorf says that hackers have managed to obtain proprietary software and are using it in ATM jackpotting attacks.

https://arstechnica.com/information-technology/2020/07/crooks-are-using-a-new-way-to-jackpot-atms-made-by-diebold/


A new Android trojan appears to be a variant of LokiBot and is going after popular apps like Tinder, Netflix and Instagram to steal users' information.

https://www.techradar.com/news/new-android-malware-targets-over-300-different-apps-with-a-focus-on-dating-and-social-media


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2020-8605

Title:  Trend Micro Web Security Virtual Appliance Remote Code Execution Vulnerability

Vendor: Trend Micro

Description: A vulnerability in Trend Micro InterScan Web Security Virtual Appliance may allow remote attackers to execute arbitrary code on affected installations. An attacker can leverage this vulnerability to disclose information in the context of the IWSS user. An authenticated remote attacker could exploit a command injection vulnerability in the product, leading to remote code execution vulnerability.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1350

Title:  Microsoft Windows DNS Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-5902

Title:  F5 BIG-IP Remote Code Execution Vulnerability

Vendor: F5

Description: F5 BIG-IP is exposed to remote code execution vulnerability. The vulnerability that has been actively exploited in the wild allows attackers to read files, execute code or take complete control over vulnerable systems having network access.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-6287

Title:  SAP NetWeaver Application Server JAVA Multiple Vulnerabilities

Vendor: SAP

Description: SAP NetWeaver AS JAVA (LM Configuration Wizard) does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check. An unauthenticated attacker can exploit this vulnerability through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-15363

Title:  WordPress Theme NexosReal Estate 'search_order' SQL Injection Vulnerability

Vendor: Nexos

Description: NexosReal Estate Theme is exposed to remote SQL injection vulnerability that allows side-map/?search_order= SQL Injection.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-13866

Title:  WinGate Privilege Escalation Vulnerability

Vendor: qbik

Description: WinGate has insecure permissions for the installation directory, which allows local users to gain privileges by replacing an executable file with a Trojan horse. The WinGate directory hands full control to authenticated users, who can then run arbitrary code as SYSTEM after a WinGate restart or system reboot.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-2021

Title:  Palo Alto Networks PAN-OS Authentication Bypass in SAML Authentication Vulnerability

Vendor: Palo Alto Networks

Description: When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-3952

Title:  VMware vCenter vmdir Information Disclosure Vulnerability

Vendor: VMware

Description: Under certain conditions vmdir does not correctly implement access controls. A malicious actor with network access to an affected vmdir deployment may be able to extract highly sensitive information which could be used to compromise vCenter Server or other services which are dependent upon vmdir for authentication.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES July 16 - 23:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: 449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8

MD5: 179c09b866c9063254083216b55693e6

VirusTotal: https://www.virustotal.com/gui/file/449f4a4524c06e798193c1d3ba21c2d9338936375227277898c583780392d4d8/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.File.Segurazo::95.sbx.tg


SHA 256: 094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188

MD5: a10a6d9dfc0328a391a3fdb1a9fb18db

VirusTotal: https://www.virustotal.com/gui/file/094d4da0ae3ded8b936428bb7393c77aaedd5efb5957116afd4263bd7edc2188/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: PUA.Win.Adware.Flashserv::100.sbx.vioc


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAntivirusService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743