Live, interactive cybersecurity training available through SANS Live Online. View upcoming events.

Newsletters: @RISK

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

February 27, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            February 27, 2020 - Vol. 20, Num. 09


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES Feb. 20 - 27

============================================================


TOP VULNERABILITY THIS WEEK: New remote access tool shows connections to other RAT families


*************** Sponsored By Dragos, Inc. ******************


Join the Dragos 2019 ICS Year in Review webinar on March 5 for recommendations to improve your cybersecurity defenses. The report authors will summarize their conclusions from real-world threat hunts, incident response and vulnerability assessments. Hear what the state of the ICS cyberthreat landscape is and the public threat activity groups Dragos tracks. http://www.sans.org/info/215655


============================================================

TRAINING UPDATE


-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020


-- SANS Security West 2020 |San Diego, CA | May 6-13 | https://www.sans.org/event/security-west-2020


-- SANS London March 2020 | March 16-21 | https://www.sans.org/event/london-march-2020


-- SANS San Francisco Spring 2020 | March 16-27 | https://www.sans.org/event/san-francisco-spring-2020


-- SANS Secure Singapore 2020 | 16-28 March | https://www.sans.org/event/secure-singapore-2020


-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020


-- SANS London April 2020 | April 20-25 | https://www.sans.org/event/london-april-2020


-- Cloud Security Summit & Training 2020 | Frisco, TX | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020


-- Rocky Mountain Hackfest Summit & Training 2020 | Denver, CO | June 1-8 | https://www.sans.org/event/rockymountainhackfest-summit-2020


-- SANS OnDemand and vLive Training

Get an iPad (32G), a Samsung Galaxy Tab A, or Take $250 Off through March 4 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap



********************** Sponsored Links: ********************


1) How effective is your threat hunting? Take this survey and enter to win a $400 Amazon gift card: http://www.sans.org/info/215660


2) Webcast March 12th at 1PM ET: Innovative Application Security Testing Techniques for Modern Software Development. Register: http://www.sans.org/info/215665


3) Did you miss this webcast? Pivotal Platform - Getting Started with Native Runtime Protection for PAS. View here: http://www.sans.org/info/215670


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: ObliqueRAT spreads via malicious documents

Description: Cisco Talos has observed a malware campaign that utilizes malicious Microsoft Office documents (maldocs) to spread a remote access trojan (RAT) we're calling "ObliqueRAT." These maldocs use malicious macros to deliver the second-stage RAT payload. Network-based detection, although important, should be combined with endpoint protections to combat this threat and provide multiple layers of security. According to Talos researchers, ObliqueRAT has connections to the adversaries behind the CrimsonRAT discovered last year.

Reference: https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html

Snort SIDs: 53152 - 53163


Title: Multiple vulnerabilities in Cisco Data Center Network Manager

Description: Cisco Data Center Network Manager contains a privilege escalation vulnerability and a cross-site request forgery vulnerability. Cisco disclosed the high-severity vulnerabilities late last week. In the case of the privilege escalation vulnerability, an attacker could exploit the Network Manager in a way that would allow them to interact with the API with administrator-level privileges. A successful exploit could allow the attacker to interact with the API with administrative privileges.

Reference: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200219-dcnm-priv-esc

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200219-dcnm-csrf

Snort SIDs: Snort Rule 53171 - 53176


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


The KidsGuard surveillance app exfiltrated data from targeted devices to an unprotected cloud storage bucket.

https://techcrunch.com/2020/02/20/kidsguard-spyware-app-phones/


A vulnerability in Bluetooth software development kits leaves numerous medical devices and other internet-of-things devices open to attacks.

https://www.wired.com/story/bluetooth-flaws-ble-internet-of-things-pacemakers/


Mexico's economy ministry said it detected a cyber attack on its network over the weekend.

https://in.reuters.com/article/mexico-economy-cyberattack/mexicos-economy-ministry-hit-by-cyber-attack-idINKCN20J0FQ


American and British government agencies teamed up to formally blame Russia for a massive cyber attack on the country of Georgia last year; the attacks targeted web hosting providers, broadcasters, and numerous government, NGO, and business websites.

https://www.cnn.com/2020/02/20/politics/russia-georgia-hacking/index.html


Dell sold its RSA security business, including the popular RSA conference, to a private equity firm for $2 billion.

https://rcpmag.com/articles/2020/02/21/consortium-buys-rsa-from-dell.aspx?m=1


This year's RSA Conference kicked off earlier this week. Here is a roundup of some of the major announcements made thus far.

https://www.csoonline.com/article/3527306/hottest-new-cybersecurity-products-at-rsa-conference-2020.html


French sporting goods chain Decathlon leaked the information of more than 123 million customers and employees on an unsecured Elasticsearch server.

https://www.infosecurity-magazine.com/news/sports-giant-decathlon-leaks-123/


Google released the latest version of its Chrome web browser, starting a rollback of third-party cookies. Chrome 80 also includes a new capability called ScrollToTextFragment, which security researchers worry could be exploited to expose sensitive information.

https://www.adweek.com/digital/new-deep-linking-feature-in-google-chrome-80-sparks-privacy-concerns/


The adversaries behind the DoppelPaymer ransomware launched a new site that they say will be used to publish the information and stolen data of victims who do not pay the requested extortion payment.

https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2020-1938

Title:  Apache Tomcat AJP File Inclusion Vulnerability

Vendor: Apache

Description: Apache Tomcat AJP file inclusion vulnerability allows an attacker to read any webapps files. If the Tomcat instance supports file uploads, the vulnerability could also be leveraged to achieve remote code execution.

CVSS v2 Base Score: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2020-0618

Title:  Microsoft SQL Server Reporting Services Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Microsoft SQL Server Reporting Services when it incorrectly handles page requests. To exploit the vulnerability, an authenticated attacker would need to submit a specially crafted page request to an affected Reporting Services instance.

CVSS v2 Base Score: 6.5    (AV:N/AC:L/Au:S/C:P/I:P/A:P)


ID:        CVE-2020-8813

Title:  Cacti authenticated Remote Code Execution Vulnerability

Vendor: Cacti

Description: graph_realtime.php in Cacti allows remote attackers to execute arbitrary OS commands via shell metacharacters in a cookie, if a guest user has the graph real-time privilege. This vulnerability could be exploited without authentication if Cacti is enabling "Guest Realtime Graphs" privilege.

CVSS v2 Base Score:    9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)


ID:        CVE-2020-8794

Title:  OpenBSD OpenSMTPD Local Privilege Escalation and Remote Code Execution Vulnerability

Vendor: OpenBSD

Description: An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

CVSS v2 Base Score: 6.8    (AV:N/AC:M/Au:N/C:P/I:P/A:P)


ID:        CVE-2018-8611

Title:  Microsoft Windows Kernel Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker could then run a specially crafted application to take control of an affected system.

CVSS v2 Base Score:    7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)


ID:        CVE-2020-3765

Title:  Adobe After Effects Out-of-Bounds Write Vulnerability (APSB20-09)

Vendor: Adobe

Description: Adobe After Effects have an out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution.

CVSS v2 Base Score:    10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)


=========================================================


MOST PREVALENT MALWARE FILES Feb. 20 - 27:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: W32.AgentWDCR:Gen.21gn.1201


SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7

MD5: 88cbadec77cf90357f46a3629b6737e6

VirusTotal: https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.File.2144flashplayer::tpd


SHA 256: 15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b

MD5: 799b30f47060ca05d80ece53866e01cc

VirusTotal: https://www.virustotal.com/gui/file/15716598f456637a3be3d6c5ac91266142266a9910f6f3f85cfd193ec1d6ed8b/details

Typical Filename: mf2016341595.exe

Claimed Product: N/A

Detection Name: W32.Generic:Gen.22fz.1201


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743