SANS Stay Sharp Training - Live Online: Quickly sharpen your skills with 2-day management courses. Register now.

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #11

March 12, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

            March 12, 2020 - Vol. 20, Num. 11


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES March 5 - 12

============================================================


TOP VULNERABILITY THIS WEEK: Microsoft patches more than 100 vulnerabilities in monthly update


******************** Sponsored By Eclypsium *****************


Perilous Peripherals - The Hidden Dangers Inside Windows & Linux Computers. Unsigned firmware in WiFi adapters, USB hubs, trackpads, laptop cameras and network interface cards provides pathways for malicious attackers to compromise laptops and servers. Get firmware security insights from the Eclypsium research team in this report and webinar. http://www.sans.org/info/215775


============================================================

TRAINING UPDATE


-- SANS 2020 | Orlando, FL | April 3-10 | https://www.sans.org/event/sans-2020


-- SANS Security West 2020 |San Diego, CA | May 6-13 | https://www.sans.org/event/security-west-2020


-- SANS Secure Canberra 2020 | March 23-28 | https://www.sans.org/event/secure-canberra-2020


-- SANS London April 2020 | April 20-25 | https://www.sans.org/event/london-april-2020


-- SANS Pen Test Austin 2020 | April 27-May 2 | https://www.sans.org/event/pen-test-austin-2020


-- SANS Amsterdam May 2020 | May 11-18 | https://www.sans.org/event/amsterdam-may-2020


-- Cloud Security Summit & Training 2020 | Frisco, TX | May 27-June 3 | https://www.sans.org/event/cloud-security-summit-2020


-- Rocky Mountain Hackfest Summit & Training 2020 | Denver, CO | June 1-8 | https://www.sans.org/event/rockymountainhackfest-summit-2020


-- SANS Cyber Defence Canberra 2020 | June 29-July 11 | https://www.sans.org/event/canberra-june-2020


-- SANS OnDemand and vLive Training

Get an iPad mini (64GB), HP Chromebook 14 G5, or Take $300 Off through March 18 with OnDemand or vLive training.

https://www.sans.org/online-security-training/specials/


-- Can't travel? SANS offers online instruction for maximum flexibility

-- Live Daytime training with Simulcast - https://www.sans.org/simulcast

-- Evening training 2x per week for 6 weeks with vLive | https://www.sans.org/vlive

-- Anywhere, Anytime access for 4 months with OnDemand format | https://www.sans.org/ondemand/


-- Single Course Training

SANS Mentor |  https://www.sans.org/mentor/about

Community SANS | https://www.sans.org/community/

 

-- View the full SANS course catalog and Cyber Security Skills Roadmap

https://www.sans.org/courses

https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Pwned passwords in Active Directory? Scan accounts for breached passwords (free tool)! http://www.sans.org/info/215780


2) Webcast March 18th at 1PM ET: Empower Your Security Team with Approachable Threat Intelligence. Register: http://www.sans.org/info/215785


3) Survey | Take the 2020 SANS SOC Skills Survey and enter to win a $400 Amazon gift card. http://www.sans.org/info/215790


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: Microsoft Patch Tuesday includes 25 critical vulnerabilities

Description: Microsoft released its monthly security update today, disclosing vulnerabilities across many of its products and releasing corresponding updates. This month's Patch Tuesday covers 117 vulnerabilities, 25 of which are considered critical. There is also one moderate vulnerability and 91 that are considered important. This month's patches include updates to Microsoft Media Foundation, the GDI+ API and Windows Defender, among others.

Reference: https://blog.talosintelligence.com/2020/03/microsoft-patch-tuesday-march-2020.html

Snort SIDs: 52213, 52214, 53402 - 53409, 53414 - 53419, 53420 - 53424


Title: State-sponsored groups exploit bug in Microsoft Exchange servers

Description: The U.S. Department of Defense warned that multiple state-sponsored actors are exploiting a vulnerability in Microsoft Exchange servers. The bug was disclosed and patched in February, but many users out there have not updated their software. Attackers can send malicious, specially crafted requests to the Exchange control panel. The vulnerability allows adversaries to change serialized data to be unserialized, which allows them to run malicious code on the server's backend at the system level.

Reference: https://www.zdnet.com/article/multiple-nation-state-groups-are-hacking-microsoft-exchange-servers/

Snort SIDs: 53380 - 53383


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Microsoft says it assisted in taking down the Necurs botnet, which has infected millions of machines over the past eight years.

https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/


The U.S., U.K. and Estonia formally condemned Russia's alleged involvement in cyber attacks against the country of Georgia's government in front of the U.N. Security Council, the first time a cyber attack has ever been brought up in front of the influential group of nations.

https://www.foxnews.com/world/us-uk-estonia-call-out-russia-cyber-attacks-against-georgia


Several security-related conferences are either postponing or canceling their events due to concerns over the COVID-19 disease, including Kaspersky's SAS and Black Hat Asia.

https://www.zdnet.com/article/a-list-of-security-conferences-canceled-or-postponed-due-to-coronavirus-concerns/


Newly released documents and reports paint a broader picture of why a deal between the U.S. government and an influential Swiss cyber security company fell apart in the 1950s.

https://www.washingtonpost.com/national-security/as-the-us-spied-on-the-world-the-cia-and-nsa-bickered/2020/03/06/630a4e72-5365-11ea-b119-4faabac6674f_story.html


Nearly all Intel CPUs and chipsets made over the past five years contain an unfixable security flaw that could allow attackers to execute malicious code on victim machines with the highest possible level of credentials.

https://arstechnica.com/information-technology/2020/03/5-years-of-intel-cpus-and-chipsets-have-a-concerning-flaw-thats-unfixable/


A vulnerability in Apple's iOS and MacOS' kernels could allow adversaries to use the AirDrop feature to remotely dump physical memory, without requiring any user interaction. The bug has been patched since it was disclosed by Google's Project Zero.

https://bugs.chromium.org/p/project-zero/issues/detail?id=1982


New research from an antivirus testing firm discovered that the detection software on the Google Play store is not at effective as defending against malicious apps as advertised.

https://news.softpedia.com/news/you-d-better-not-count-on-google-play-protect-to-block-android-malware-529404.shtml


Members of the U.S. Senate were scheduled to be briefed on election security Tuesday afternoon, though the acting director of national intelligence was not expected to be in attendance.

https://www.cbsnews.com/news/administration-officials-brief-members-of-congress-on-election-security/


The FBI arrested a man they believe is behind the website deer.io, a popular site for adversaries to buy and sell stolen user credentials for online stores and services.

https://krebsonsecurity.com/2020/03/fbi-arrests-alleged-owner-of-deer-io-a-top-broker-of-stolen-accounts/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2020-0688

Title:  Microsoft Windows Installer Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in the Windows Installer when MSI packages process symbolic links. An attacker who successfully exploited this vulnerability could bypass access restrictions to add or remove files.

CVSS v3 Base Score: 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-8597

Title:  pppd EAP Processing Buffer Overflow Vulnerability ("Ghostcat")

Vendor: Multi-Vendor

Description: pppd (Point to Point Protocol Daemon) is vulnerable to buffer overflow due to a flaw in Extensible Authentication Protocol (EAP) packet processing in eap_request and eap_response subroutines. The vulnerability is in the logic of the eap parsing code. By sending an unsolicited EAP packet to a vulnerable ppp client or server, an unauthenticated remote attacker could cause memory corruption in the pppd process, which may allow for arbitrary code execution.

CVSS v3 Base Score: 9.8    (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2019-0090

Title:  Intel CSME Privilige Escalation Vulnerability

Vendor: Intel

Description: Insufficient access control vulnerability exists in subsystem for Intel(R) CSME that may allow an unauthenticated user to potentially enable escalation of privilege via physical access.

CVSS v3 Base Score:    7.1 (AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-9334

Title:  WordPress Envira Photo Gallery plugin Stored XSS Vulnerability

Vendor: WordPress

Description: A stored cross site scripting vulnerability exists in the Envira Photo Gallery plugin for WordPress. Successful exploitation of this vulnerability would allow a authenticated low privileged user to inject arbitrary JavaScript code that is viewed by other users.

CVSS v3 Base Score: 5.4    (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)


ID:        CVE-2020-10189

Title:  WPA and WPA2 Disassociation Vulnerability ("Kr00k")

Vendor: Multi-Vendor

Description: An issue was discovered on Broadcom Wi-Fi client devices. Specifically timed and handcrafted traffic can cause internal errors (related to state transitions) in a WLAN device that lead to improper layer 2 Wi-Fi encryption with a consequent possibility of information disclosure over the air for a discrete set of traffic.

CVSS v3 Base Score:    3.1 (AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)


ID:        CVE-2019-1458

Title:  Microsoft Win32k Elevation of Privilege Vulnerability

Vendor: Microsoft

Description: An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.

CVSS v3 Base Score:    7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1938

Title:  Apache Tomcat AJP File Inclusion Vulnerability ("Ghostcat")

Vendor: Apache

Description: Due to a file inclusion defect in the AJP service (port 8009) that is enabled by default in Tomcat, an attacker can construct a malicious request package for file inclusion operation, and then read the web directory file on the affected Tomcat server.

CVSS v3 Base Score: 9.8    (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES March 5 - 12:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: 85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5

MD5: 8c80dd97c37525927c1e549cb59bcbf3

VirusTotal: https://www.virustotal.com/gui/file/85b936960fbe5100c170b777e1647ce9f0f01e3ab9742dfc23f37cb0825b30b5/details

Typical Filename: eternalblue-2.2.0.exe

Claimed Product: N/A

Detection Name: W32.85B936960F.5A5226262.auto.Talos


SHA 256: 537056acb77c9c65e1beb3518e158eb6cc8c49616687621f00942befaf012274

MD5: aa9bb66a406b5519e2063a65479dab90

VirusTotal: https://www.virustotal.com/gui/file/537056acb77c9c65e1beb3518e158eb6cc8c49616687621f00942befaf012274/details

Typical Filename: output.148937912.txt

Claimed Product: N/A

Detection Name: Win.Dropper.Generic::vv


SHA 256: c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94

MD5: 7c38a43d2ed9af80932749f6e80fea6f

VirusTotal: https://www.virustotal.com/gui/file/c0cdd2a671195915d9ffb5c9533337db935e0cc2f4d7563864ea75c21ead3f94/details

Typical Filename: wup.exe

Claimed Product: N/A

Detection Name: PUA.Win.File.Coinminer::1201


SHA 256: 1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7

MD5: 88cbadec77cf90357f46a3629b6737e6

VirusTotal: https://www.virustotal.com/gui/file/1460fd00cb6addf9806a341fee9c5ab0a793762d1d97dca05fa17467c8705af7/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Services

Detection Name: PUA.Win.File.2144flashplayer::tpd


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743