One More Day to get an iPad mini, Surface Go 2, or Take $300 Off with OnDemand Training

Newsletters: Newsbites

Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.





SANS NewsBites
@Risk: Security Alert
OUCH! Security Awareness
Case Leads DFIR Digest
Industrial Control Systems
Industrials & Infrastructure


SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume XX - Issue #31

July 30, 2020

=============================================================

     @RISK: The Consensus Security Vulnerability Alert

                July 30, 2020 - Vol. 20, Num. 31


Providing a reliable, weekly summary of newly discovered attack vectors,

vulnerabilities with active exploits, and explanations of how recent

attacks worked


Archived issues may be found at http://www.sans.org/newsletters/at-risk


=============================================================


CONTENTS:

NOTABLE RECENT SECURITY ISSUES

INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY

VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

MOST PREVALENT MALWARE FILES July 23 - 30

============================================================


TOP VULNERABILITY THIS WEEK: Prometei botnet goes after computing power in the name of Monero


******************** Sponsored By SANS *********************


Free Virtual Event | The SANS Cyber Solutions Fest 2020 is a 2 day virtual event featuring 4 unique tracks chaired by top SANS experts. Talks will feature case studies, demos and discussions revolving around solutions available in the marketplace | October 8-9

http://www.sans.org/info/217185


============================================================

TRAINING UPDATE


Best Special Offers of the Year are Available Now with OnDemand

Choose a MacBook Air, Surface Pro 7, or Take $350 Off through August 5.

- https://www.sans.org/ondemand/specials


SANS now offers THREE ways to complete a course:


OnDemand | Live Online | In-Person:

- https://www.sans.org/ondemand/

- https://www.sans.org/live-online

- https://www.sans.org/cyber-security-training-events/in-person/north-america


Keep your skills sharp with SANS Online Training:

.        The world's top cybersecurity courses

.        Taught by real world practitioners

.        Ideal preparation for more than 30 GIAC Certifications


Top OnDemand Courses

SEC401: Security Essentials Bootcamp Style

- https://www.sans.org/ondemand/course/security-essentials-bootcamp-style

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling

- https://www.sans.org/ondemand/course/hacker-techniques-exploits-incident-handling

SEC560: Network Penetration Testing and Ethical Hacking

- https://www.sans.org/ondemand/course/network-penetration-testing-ethical-hacking

______________________


Upcoming In-Person and Live Online Events:


SANS Baltimore Fall 2020 | September 8-13 | Baltimore, MD or Live Online

- https://www.sans.org/event/baltimore-fall-2020


Threat Hunting and Incident Response Summit & Training | September 10-19 | Live Online

- https://www.sans.org/event/threat-hunting-and-incident-response-summit-2020


SANS Network Security 2020 | September 20-25 | Las Vegas, NV or Live Online

- https://www.sans.org/event/network-security-2020


SANS Northern VA - Reston Fall 2020 | Sep 28-Oct 3 | Reston, VA or Live Online

- https://www.sans.org/event/northern-va-reston-fall-2020

______________________


Test drive a course: https://www.sans.org/course-preview


View the full SANS course catalog and skills roadmap.

- https://www.sans.org/cyber-security-courses

- https://www.sans.org/cyber-security-skills-roadmap


********************** Sponsored Links: ********************


1) Survey | This is your chance to be the lucky winner of a $150 Amazon Gift Card for completing the "SANS 2020 Threat Hunting Survey"

| http://www.sans.org/info/217170


2) Webcast | August 6 @ 1:00 PM EDT | Join SANS instructor, John Hubbard as he dives into our informative upcoming webcast titled "Understanding and Leveraging the MITRE ATT&CK Framework: A SANS Roundtable"

| http://www.sans.org/info/217175


3) Webcast | We invite you to join John Pescatore for our upcoming webcast as he presents "How to Show Business Benefit by Moving to Risk-Based Vulnerability Management" | August 11 @ 2:00 PM EDT

| http://www.sans.org/info/217190


============================================================


NOTABLE RECENT SECURITY ISSUES

SELECTED BY THE TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


Title: New botnet supports cryptocurrency mining for Monero

Description: Cisco Talos recently discovered a complex campaign employing a multi-modular botnet with multiple ways to spread and a payload focused on providing financial benefits for the attacker by mining the Monero online currency. Prometei employs various methods to spread across the network, like SMB with stolen credentials, psexec, WMI and SMB exploits. The adversary also uses several crafted tools that helps the botnet increase the amount of systems participating in its Monero-mining pool. Apart from a large focus on spreading across the environment, Prometei also tries to recover administrator passwords. The discovered passwords are sent to the C2 and then reused by other modules that attempt to verify the validity of the passwords on other systems using SMB and RDP protocols.

References: https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html

Snort SIDs: 54610 - 54612


Title: Attackers exploit high-severity vulnerability in Cisco Adaptive Security Appliance

Description: Cisco warned users that attackers are actively exploiting a vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability exists in the software due to improper input validation for URLs in HTTP requests. An adversary could use this exploit to carry out directory traversal attacks.

References: https://threatpost.com/attackers-exploiting-high-severity-network-security-flaw-cisco-warns/157756/

Snort SIDs: 54598 - 54601


============================================================


INTERESTING NEWS FROM AROUND THE SECURITY COMMUNITY


Many Garmin GPS services went dark for several days last week after a ransomware attack.

https://arstechnica.com/information-technology/2020/07/garmans-four-day-service-meltdown-was-caused-by-ransomware/


While many users complained of the Garmin outage affecting things like workout tracking, the attack was much more serious in that it shut down Garmin's flight-tracking technology used by amateur and training pilots.

https://www.wired.com/story/garmin-outage-ransomware-attack-workouts-aviation/


Top Democrats in Congress called on President Donald Trump's administration to go public with the top security threats facing the 2020 general election.

https://www.marketwatch.com/story/trump-needs-to-go-public-with-threats-to-election-security-top-democrats-say-2020-07-24


The manager of the Cerberus Android malware is selling what they say is the banking trojan's source code for $100,000, all while still offering services at yearly and monthly rates, too.

https://www.bleepingcomputer.com/news/security/cerberus-android-malware-source-code-offered-for-sale-for-100-000/


An unknown hacker breached the infamous Emotet botnet, replacing its malware payloads with humorous GIFs, defanging what is the origin of many spam emails.

https://www.zdnet.com/article/a-vigilante-is-sabotaging-the-emotet-botnet-by-replacing-malware-payloads-with-gifs/


Attackers are still exploiting a major vulnerability in F5's BIG-IP controller, weeks after the company first disclosed the bug. The U.S. government urged all users to patch as soon as possible.

https://arstechnica.com/information-technology/2020/07/hackers-actively-exploit-high-severity-networking-vulnerabilities/


A leading American think tank warned that companies need to take greater measures to protect supply chains from cyber attacks, outlining 115 examples of attacks that took place over the past 10 years.

https://www.atlanticcouncil.org/programs/scowcroft-center-for-strategy-and-security/cyber-statecraft-initiative/breaking-trust/


The Fancy Bear APT hacking group carried out an espionage campaign from December 2018 until May 2020, looking to break into mail servers belonging to major U.S. government agencies and energy sector organizations.

https://www.wired.com/story/russia-fancy-bear-us-hacking-campaign-government-energy/


Grocery delivery app Instacart blamed reused passwords for a recent spike in compromised accounts.

https://techcrunch.com/2020/07/24/instacart-data-theft-two-factor/


=========================================================


RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE

COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM


This is a list of recent vulnerabilities for which exploits are

available. System administrators can use this list to help in

prioritization of their remediation activities. The Qualys Vulnerability

Research Team compiles this information based on various exploit

frameworks, exploit databases, exploit kits and monitoring of internet

activity.


ID:        CVE-2020-3187

Title:  Cisco ASA Software and FTD Software Web Services Path Traversal Vulnerability

Vendor: Cisco

Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and obtain read and delete access to sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of the HTTP URL. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences.

CVSS v3 Base Score: 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)


ID:        CVE-2020-3452

Title:  Cisco ASA Software and FTD Software Web Services Read-Only Path Traversal Vulnerability

Vendor: Cisco

Description: A vulnerability in the web services interface of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct directory traversal attacks and read sensitive files on a targeted system. The vulnerability is due to a lack of proper input validation of URLs in HTTP requests processed by an affected device. An attacker could exploit this vulnerability by sending a crafted HTTP request containing directory traversal character sequences to an affected device.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)


ID:        CVE-2020-8163

Title:  Ruby On Rails Remote Code Execution Vulnerability

Vendor: Ruby On Rails

Description: The is a code injection vulnerability that would allow an attacker who controlled the "locals" argument of a "render" call to perform a remote code execution vulnerability.

CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

 

ID:        CVE-2020-5902

Title:  F5 BIG-IP Remote Code Execution Vulnerability

Vendor: F5

Description: F5 BIG-IP is exposed to remote code execution vulnerability. The vulnerability that has been actively exploited in the wild allows attackers to read files, execute code or take complete control over vulnerable systems having network access.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-1350

Title:  Microsoft Windows DNS Server Remote Code Execution Vulnerability

Vendor: Microsoft

Description: A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the Local System Account. Windows servers that are configured as DNS servers are at risk from this vulnerability.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


ID:        CVE-2020-3140

Title:  Cisco Prime License Manager Privilege Escalation Vulnerability

Vendor: Cisco

Description: A vulnerability in the web management interface of Cisco Prime License Manager (PLM) Software could allow an unauthenticated, remote attacker to gain unauthorized access to an affected device. The vulnerability is due to insufficient validation of user input on the web management interface. An attacker could exploit this vulnerability by submitting a malicious request to an affected system. An exploit could allow the attacker to gain administrative-level privileges on the system.

CVSS v3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)


ID:        CVE-2020-2021

Title:  Palo Alto Networks PAN-OS Authentication Bypass in SAML Authentication Vulnerability

Vendor: Palo Alto Networks

Description: When Security Assertion Markup Language (SAML) authentication is enabled and the 'Validate Identity Provider Certificate' option is disabled (unchecked), improper verification of signatures in PAN-OS SAML authentication enables an unauthenticated network-based attacker to access protected resources. The attacker must have network access to the vulnerable server to exploit this vulnerability.

CVSS v3 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)


=========================================================


MOST PREVALENT MALWARE FILES July 23 - 30:

COMPILED BY TALOS SECURITY INTELLIGENCE AND RESEARCH GROUP


SHA 256: e66d6d13096ec9a62f5c5489d73c0d1dd113ea4668502021075303495fd9ff82

MD5: f0fdc17674950a4eaa4bbaafce5007f6

VirusTotal: https://www.virustotal.com/gui/file/e66d6d13096ec9a62f5c5489d73c0d1dd113ea4668502021075303495fd9ff82/details

Typical Filename: FlashHelperServices.exe

Claimed Product: Flash Helper Service

Detection Name: W32.Auto:e66d6d1309.in03.Talos


SHA 256: 8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9

MD5: 34560233e751b7e95f155b6f61e7419a

VirusTotal: https://www.virustotal.com/gui/file/8b4216a7c50599b11241876ada8ae6f07b48f1abe6590c2440004ea4db5becc9/details

Typical Filename: SAService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::tpd


SHA 256: e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd

MD5: 8193b63313019b614d5be721c538486b

VirusTotal: https://www.virustotal.com/gui/file/e3eeaee0af4b549eae4447fa20cfe205e8d56beecf43cf14a11bf3e86ae6e8bd/details

Typical Filename: SAntivirusService.exe

Claimed Product: SAService

Detection Name: PUA.Win.Dropper.Segurazo::95.sbx.tg


SHA 256: 3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3

MD5: 47b97de62ae8b2b927542aa5d7f3c858

VirusTotal: https://www.virustotal.com/gui/file/3f6e3d8741da950451668c8333a4958330e96245be1d592fcaa485f4ee4eadb3/details

Typical Filename: qmreportupload.exe

Claimed Product: qmreportupload

Detection Name: Win.Trojan.Generic::in10.talos


SHA 256: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f

MD5: e2ea315d9a83e7577053f52c974f6a5a

VirusTotal: https://www.virustotal.com/gui/file/c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f/details

Typical Filename: c3e530cc005583b47322b6649ddc0dab1b64bcf22b124a492606763c52fb048f.bin

Claimed Product: N/A

Detection Name: Win.Dropper.Agentwdcr::1201


=============================================================


(c) 2020.  All rights reserved.  The information contained in this

newsletter, including any external links, is provided "AS IS," with no

express or implied warranty, for informational purposes only.


Please feel free to share this with interested parties via email, but

no posting is allowed on web sites. For a free subscription, (and for

free posters) or to update a current subscription, visit

https://www.sans.org/account


SANS Institute, 8120 Woodmont Ave., Suite 310, Bethesda, MD 20814-2743