NEW Managing Security Vulnerabilities: Enterprise and Cloud Course in Boston. Save $300 thru 2/26

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

February 13, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

          February 13, 2020 - Vol. 20, Num. 07


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Feb. 6 - 13

============================================================


TOP VULNERABILITY THIS WEEK: Microsoft patches 98 vulnerabilities in monthly security update


**************** Sponsored By AWS Marketplace ***************


AWS Education Series: How to Leverage Endpoint Detection and Response (EDR) for Investigations in AWS Environments. Learn how to unpack and leverage the telemetry provided by endpoint security solutions using MITRE Cloud examples, such as Exploit Public-Facing Application (T1190) and Data Transfer to Cloud Account (T1537) by examining process trees. Webcast Thursday, February 20, 1 PM ET. http://www.sans.org/info/215520


============================================================

TRAINING UPDATE


-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020


-- SANS Training at RSA Conference 2020 | San Francisco, CA | February 23-24 | https://www.sans.org/event/rsa-conference-2020


-- SANS Munich March 2020 | March 2-7 | https://www.sans.org/event/munich-march-2020


-- SANS Northern VA - Reston Spring 2020 | March 2-7 | https://www.sans.org/event/northern-va-spring-reston-2020


-- Blue Team Summit & Training 2020 | Louisville, KY | March 2-9 | https://www.sans.org/event/blue-team-summit-2020


-- ICS Security Summit & Training 2020 | Orlando, FL | March 2-9 | https://www.sans.org/event/ics-security-summit-2020


-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020


-- SANS San Francisco Spring 2020 | March 16-27 | https://www.sans.org/event/san-francisco-spring-2020


-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020


-- SANS OnDemand and vLive Training

Get a free GIAC Certification Attempt or Take $350 Off through February 19 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) See a real ICS range demo. Register for the ICS is Everywhere Dragos Webinar. http://www.sans.org/info/215525


2) Hear from the analysts tracking down adversaries everyday with the new SANS Threat Analysis Rundown (STAR) webcast series. http://www.sans.org/info/215540


3) Webcast February 19th at 1PM ET: Real-World Implementation of Deception Technologies. http://www.sans.org/info/215535


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: 12 critical vulnerabilities fixed in latest Microsoft Patch Tuesday

Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 98 vulnerabilities, 12 of which are considered critical and 84 that are considered important. There are also two bugs that were not assigned a severity. This month's patches include updates to the Windows kernel, the Windows scripting engine and Remote Desktop Protocol, among other software and features. Microsoft also provided a critical advisory covering updates to Adobe Flash Player.

Reference: https://blog.talosintelligence.com/2020/02/microsoft-patch-tuesday-feb-2020.html

Snort SIDs: 48701, 48702, 53050 - 53056, 53061, 53072, 53073, 53079 - 53089


Title: Adobe release updates for Reader, Flash Player and more

Description: Adobe disclosed 42 new vulnerabilities this week as part of its monthly security update, 35 of which are considered critical. These updates include Acrobat Reader, Flash Player and other Adobe products. Most notable are two bugs in Flash Player and Adobe Framemaker that could allow an attacker to execute arbitrary code on the victim machine.

Reference: https://threatpost.com/adobe-security-update-critical-flash-framemaker-flaws/152782/

Snort SIDs: 52331, 52332


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


The U.S. formally charged four members of the Chinese military for stealing millions of Americans' personal information during a hack on credit reporting agency Equifax, one of the largest data breaches in history.

https://apnews.com/05aa58325be0a85d44c637bd891e668f


Chinese officials immediately rebuffed the charges and denied any involvement in the attack.

https://www.cbsnews.com/news/china-denies-responsibility-in-equifax-breach-after-doj-charges-four-military-members/


Government officials and security researchers are still unpacking the failures of an election results-reporting app used during the Iowa caucus. A delay in results is likely the result of many factors, including flaws in the app and understaffing.

https://arstechnica.com/information-technology/2020/02/the-iowa-caucuses-were-a-comedy-of-tech-errors-and-poor-planning/


It also appears members of an online forum may have attempted to disrupt the app, clogging a phone line used to report results in a distributed denial-of-service attack.

https://www.nbcnews.com/tech/security/clog-lines-iowa-caucus-hotline-posted-online-encouragement-disrupt-results-n1131521


A new report from the U.S. Government Accountability Office states America's cyber security agency is not equipped to properly handle the threats posed to the upcoming presidential election.

https://www.cnn.com/2020/02/06/politics/election-security-department-of-homeland-security/index.html


Corp.com, a domain said to have connections to a large numb passwords, email and other proprietary data belonging to major organizations around the globe, is up for sale, as the owner looks to downsize his estate.

https://krebsonsecurity.com/2020/02/dangerous-domain-corp-com-goes-up-for-sale/


India is close to implementing a new set of cyber security regulations, which could have wide-ranging consequences for future policies in other countries.

https://www.wired.com/story/opinion-indias-data-protection-bill-threatens-global-cybersecurity/


A cyber attack shut down roughly 25 percent of Iran's internet access last week for roughly an hour, though the country touted how quickly it fended off the attack.

https://netblocks.org/reports/internet-shutdown-in-iran-following-reported-cyber-attack-18lJVDBa


Cisco patched five critical vulnerabilities in is Discovery Protocol that could allow attackers to remotely execute code or deny service on thousands of devices.

https://www.scmagazine.com/home/security-news/vulnerabilities/five-high-level-flaws-patched-in-cisco-discovery-protocol/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2020-0665

Title:    Microsoft Active Directory Privilege Escalation Vulnerability

Vendor: Microsoft

Description: The vulnerability exists in Active Directory Forest trust due to a default setting that lets an attacker in the trusting forest request delegation of a TGT for an identity from the trusted forest. The vulnerability allows a remote user to escalate privileges on the system. A remote user can gain elevated privileges on the target system.

CVSS v2 Base Score:    9.0 (AV:N/AC:L/Au:S/C:C/I:C/A:C)


ID:        CVE-2020-0674

Title:    Microsoft Scripting Engine Memory Corruption Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. An attacker could then install programs; view, change, or delete data or create new accounts with full user rights.

CVSS v2 Base Score:    7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2020-0759

Title:    Microsoft Excel Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft Excel software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. A

CVSS v2 Base Score:    6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:        CVE-2020-8808

Title:    CORSAIR iCUE Driver Local Privilege Escalation Vulnerability

Vendor: CORSAIR

Description: The CorsairLLAccess64.sys and CorsairLLAccess32.sys drivers in CORSAIR iCUE allows local non privileged users to read and write to arbitrary physical memory locations, and consequently gain NT AUTHORITYSYSTEM privileges, via a function call such as MmMapIoSpace.

CVSS v2 Base Score:    7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2019-8449

Title:    Atlassian Jira Information Disclosure Vulnerability

Vendor: Atlassian

Description: The /rest/api/latest/groupuserpicker resource in Jira allows remote attackers to enumerate usernames through an information disclosure vulnerability.

CVSS v2 Base Score:    5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)


ID:        CVE-2019-18634

Title:    Sudo pwfeedback Buffer Overflow Vulnerability

Vendor: Multi-Vendor

Description: A potential security issue exists in sudo when the pwfeedback option is enabled in sudoers that can lead to a buffer overflow. If pwfeedback is enabled in /etc/sudoers, users can trigger a stack-based buffer overflow in the privileged sudo process. The attacker needs to deliver a long string to the stdin of getln() in tgetpass.c.

CVSS v2 Base Score:    4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)


ID:        CVE-2019-19470

Title:    Tinywall Controller Privilege Escalation Vulnerability

Vendor: Tinywall

Description: In Tinywall, unsafe usage of .NET deserialization in Named Pipe message processing allows privilege escalation to NT AUTHORITYSYSTEM for a local attacker. An attacker who has already compromised the local system could use TinyWall Controller to gain additional privileges by attaching a debugger to the running process and modifying the code in memory.

CVSS v2 Base Score:    7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


=========================================================


MOST PREVALENT MALWARE FILES Feb. 6 - 13:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7

MD5: 88cbadec77cf90357f46a3629b6737e6

VirusTotal: https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.File.2144flashplayer::tpd


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


SHA 256: 97d8ea6cee63296eaf0fa5d97a14898d7cec6fa49fee1bf77c015ca7117a2ba7

MD5: be52a2a3074a014b163096055df127a0

VirusTotal: https://www.virustotal.com/gui/file/97d8ea6cee63296eaf0fa5d97a14898d7cec6fa49fee1bf77c015ca7117a2ba7/details

Typical Filename: xme64-553.exe

Claimed Product: N/A

Detection Name: Win.Trojan.Coinminer::tpd


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

Claimed Product:  N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743