@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses against all known attack vectors. Because it is also valuable to security practitioners, SANS makes it available to the 145,000 security practitioners who have completed SANS security training, and to others at their organizations who want to stay current with the offensive methods in use.
December 6, 2012
=============================================================
@RISK: The Consensus Security Vulnerability Alert
Vol. 12, Num. 49
Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 11/15/2012 - 11/21/2012
============================================================
TOP VULNERABILITY THIS WEEK: Multiple remotely exploitable 0-day attacks were released against MySQL this weekend, with proof of concept available for each issue. The bugs, which range from buffer overflows to user enumeration, are being actively exploited in the wild now, and no patches are available.
============================================================
TRAINING UPDATE
--SANS Cyber Defense Initiative ® 2012, Washington, DC, December 7-16, 2012
27 courses. Bonus evening presentations include Gamification: Hacking
Your Brain for Better Learning; Building a Portable Private Cloud; and
Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-defense-initiative-2012
11 courses. Bonus evening presentations include The Next Wave - Data
Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your
Friends and Neighbors for Fun. Special Event: NetWars Tournament of
Champions.
http://www.sans.org/event/security-east-2013
--North American SCADA and Process Control Summit 2013, Lake Buena Vista, FL, February 6-13, 2013
The Summit brings together the program managers, control systems
engineers, IT security professionals and critical infrastructure
protection specialists from asset owning and operating organizations
along with control systems and security vendors who have innovative
solutions for improving security. The Security Summit is an action
conference designed so that every attendee leaves with new tools and
techniques they can put to work immediately when they return to their
office. The Summit is the place to come and interact with top SCADA
experts, key government personnel, researchers and asset owners at the
multiple special networking events.
8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater
Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013
--SANS Secure Singapore 2013, Singapore, February 25-March 2, 2013
6 courses.
http://www.sans.org/event/singapore-2013
--Looking for training in your own community?
http://www.sans.org/community/
--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/onCyberdemand/discounts.php#current
Plus Barcelona, Cairo, Anaheim, New Delhi, and Brussels all in the next 90 days.
For a list of all upcoming events, on-line and live: www.sans.org
********************* Sponsored Links: *********************
1) Take the SANS Survey on the Security Practices of SCADA System Operators and register to win an iPad! http://www.sans.org/info/118965
2) Learn results of the SANS Survey on Application Security in the Enterprise with SANS instructor Frank Kim, Thur. Dec. 13, 1PM EDT: http://www.sans.org/info/118970
============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Multiple Remote 0-Day Attacks Against MySQL Databases
Description: A slew of remotely exploitable bugs in MySQL were released
by security researcher KingCope on the Full-Disclosure mailing list over
the weekend, with exploits including buffer overflows, user enumeration
techniques, and denial-of-service attacks. Because no patches are
currently available, some of the issues target default configurations,
and exploits are already circulating in the wild, system administrators
are urged to restrict access to their database systems to authorized
users only, wherever possible, as a mitigation until patches become
available.
Reference:
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089025.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089027.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089023.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089022.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089026.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089024.html
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089020.html
Snort SID: 24897
ClamAV: N/A
Title: Dump of Syrian Ministry of Foreign Affairs' Email Reveals Targeted Malware
Description: After Anonymous published a dump of email from the Syrian
Ministry of Foreign Affairs on the site "Par:AnoIA", researchers noted
that a message sent on December 5, 2011 contained targeted malware,
which entered the system via a PDF exploit using CVE-2010-0188. A
similar attack has been used in targeted campaigns over the course of
the last year, according to Kaspersky.
Reference:
http://vrt-blog.snort.org/2012/12/quarian.html
http://www.securelist.com/en/blog/774/A_Targeted_Attack_Against_The_Syrian_Ministry_of_Foreign_Affairs
http://par-anoia.net/releases.html#mofa
Snort SID: 24858, 24859
ClamAV: Win.Trojan.Quarian
Title: Windows AutoRun Malware Makes A Comeback
Description: Several security vendors have noted recently that malware
known alternately as W32/Autorun or W32/Changeup - which spreads via the
AutoRun feature on Windows when removable media is plugged into a system
- has been spreading again in the wild, after having been largely
dormant this year. System administrators should disable the AutoRun
feature wherever feasible, in addition to deploying AV and IDS
signatures as appropriate.
Reference:
http://isc.sans.edu/diary.html?storyid=14584&rss
Snort SID: 17042 - 17044, 19290, 24842 - 24856, 24500
ClamAV: WIN.Trojan.Changeup
Title: Exploit Kit Market Continues To Expand
Description: New exploit kits are continuing to emerge in the wild, as
that model of online criminal economics becomes more dominant by the
day. Kits such as Sweet Orange and the Cool Exploit Kit, released within
the last few months, are nowhere near as dominant as established players
like Blackhole or Phoenix, but are equally dangerous, and network
defenders need to be paying attention to them as well as the heavy
hitters of the industry.
Reference:
http://malware.dontneedcoffee.com/2012/11/cool-ek-hello-my-friend-cve-2012-5067.html
http://malware.dontneedcoffee.com/2012/08/cve-2012-4681-sweet-orange.html
Snort SID: 24837 - 24840, 24778 - 24784
ClamAV: N/A
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
Romanian hackers responsible for $30 million Australian credit card theft:
http://www.abc.net.au/news/2012-11-29/afp-uncovers-romanian-card-hacking-scheme/4397954
China Mafia-style hack drives California firm to brink:
http://www.bloomberg.com/news/2012-11-27/china-mafia-style-hack-attack-drives-california-firm-to-brink.html
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information from various exploit frameworks, exploit databases, exploit kits, and monitoring of internet activity.
ID: Not Available
Title: SSH Tectia Authentication Bypass Remote
Vendor: SSH Communications
Description: A remote authentication bypass vulnerability was disclosed
which affects the current Unix/Linux versions of Tectia SSH Server. The
vulnerability exploits a bug in the SSH USERAUTH CHANGE REQUEST
function.
CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
ID: CVE-2012-5615
Title: MySQL Remote User Enumeration
Vendor: Oracle
Description: MySQL 5.5.19 and possibly other versions, and MariaDB
5.5.28a, 5.3.11, 5.2.13, 5.1.66, and possibly other versions, generates
different error messages with different time delays depending on whether
a user name exists, which allows remote attackers to enumerate valid
usernames.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
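Because CVE-2012-5615 lets a client distinguish existing from non-existing usernames, an enumeration run shows up server-side as one client cycling through many usernames in a short time. The script below is an added example, not from the newsletter, Qualys or Oracle: it parses MySQL 5.5 error-log "Access denied" lines (written when `log_warnings` is greater than 1) and flags any client host that tried at least a configurable number of distinct usernames within a sliding time window. The log lines are constructed for the example; the threshold and window are assumptions to tune per environment.

```python
"""Flag username-enumeration runs against MySQL from its error log.

Added example, not from the newsletter or Oracle.  Parses the MySQL 5.5
error-log format for failed logins (requires log_warnings > 1) and reports
client hosts that cycled through many distinct usernames within a short
window, the server-side signature of an enumeration attempt.  The sample
log below is constructed, not captured from a real server.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one legitimate user mistyping a password from 10.0.5.21,
# and one client at 203.0.113.7 walking through six usernames in two seconds.
SAMPLE_LOG = """\
121206 10:15:01 [Warning] Access denied for user 'root'@'10.0.5.21' (using password: YES)
121206 10:15:30 [Warning] Access denied for user 'alice'@'203.0.113.7' (using password: NO)
121206 10:15:30 [Warning] Access denied for user 'bob'@'203.0.113.7' (using password: NO)
121206 10:15:31 [Warning] Access denied for user 'carol'@'203.0.113.7' (using password: NO)
121206 10:15:31 [Warning] Access denied for user 'dave'@'203.0.113.7' (using password: NO)
121206 10:15:32 [Warning] Access denied for user 'erin'@'203.0.113.7' (using password: NO)
121206 10:15:32 [Warning] Access denied for user 'frank'@'203.0.113.7' (using password: NO)
121206 10:20:00 [Warning] Access denied for user 'root'@'10.0.5.21' (using password: YES)
121206 10:40:00 [Note] /usr/sbin/mysqld: ready for connections.
"""

# MySQL 5.5 error-log timestamp is YYMMDD followed by a space-padded hour.
LINE_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_denials(text):
    """Yield (timestamp, user, host) for every access-denied line in text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # strptime treats whitespace in the format as "one or more", so the
            # space-padded hour MySQL writes for single-digit hours parses too.
            ts = datetime.strptime(m.group("ts"), "%y%m%d %H:%M:%S")
            yield ts, m.group("user"), m.group("host")


def find_enumerators(text, min_distinct_users=5, window=timedelta(seconds=60)):
    """Return {host: distinct_user_count} for client hosts that tried at least
    min_distinct_users different usernames within any span of length window.

    Thresholds are assumed defaults: a person mistyping a password reuses the
    same username, so distinct-username count separates the two behaviours
    better than a raw failure count does.
    """
    by_host = defaultdict(list)
    for ts, user, host in parse_denials(text):
        by_host[host].append((ts, user))

    flagged = {}
    for host, events in by_host.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window's left edge forward until it fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {u for _, u in events[start:end + 1]}
            if len(distinct) >= min_distinct_users:
                flagged[host] = max(flagged.get(host, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for host, count in find_enumerators(SAMPLE_LOG).items():
        print("%s tried %d distinct usernames within 60s" % (host, count))
```

The check is deliberately independent of the exact wording of the CVE-2012-5615 responses, so it also catches brute-force tooling that does not exploit the bug; on a busy server, whitelist the hosts of shared application tiers that legitimately present several usernames before alerting on the result.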
ID: CVE-2012-3752
Title: Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow
Vendor: Apple
Description: Multiple buffer overflows in Apple QuickTime before 7.7.3
allow remote attackers to execute arbitrary code or cause a denial of
service (application crash) via a crafted style element in a QuickTime
TeXML file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-4964
Title: Samsung Printer Firmware Contains A Backdoor Administrator Account
Vendor: Samsung
Description: Samsung printers contain a hardcoded account that could
allow a remote attacker to take control of an affected device.
CVSS v2 Base Score: 9.0 (AV:N/AC:M/Au:N/C:C/I:C/A:P)
ID: CVE-2012-4956
Title: Novell File Reporter Vulnerabilities
Vendor: Novell
Description: Heap-based buffer overflow in NFRAgent.exe in Novell File
Reporter 1.0.2 allows remote attackers to execute arbitrary code via a
large number of VOL elements in an SRS record.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
MOST PREVALENT MALWARE FILES 11/29/2012 - 12/5/2012:
COMPILED BY SOURCEFIRE
SHA256: 1dd140c8d5dd1c32294f31d1784ce3553af63a0d054a0bea9423b1978fcd693f
MD5: 9e180cdfa4869b8dd15b7b06771c5838
VirusTotal: https://www.virustotal.com/file/1DD140C8D5DD1C32294F31D1784CE3553AF63A0D054A0BEA9423B1978FCD693F/analysis/
Typical Filename: -
Claimed Product: -
Claimed Publisher: -
SHA256: 611a1be1c5637480b0b8decc45f959ade2d73aa26a28a0fc70c6de050ed8f5a7
MD5: a273babaefcff8f5fe61992a54e3ef1d
VirusTotal: https://www.virustotal.com/file/611A1BE1C5637480B0B8DECC45F959ADE2D73AA26A28A0FC70C6DE050ED8F5A7/analysis/
Typical Filename: -
Claimed Product: -
Claimed Publisher: -
SHA256: a3a7b80ce839360b3f50206b7381827e6257c851010328ca8043e38ee970afbd
MD5: 4852bc9f12a0d9d4125ca3f91d93647b
VirusTotal: https://www.virustotal.com/file/A3A7B80CE839360B3F50206B7381827E6257C851010328CA8043E38EE970AFBD/analysis/
Typical Filename: GOLAYA-RUSSAKAYA.exe
Claimed Product: -
Claimed Publisher: -
SHA256: b7b28e855b8c6225c605330760ff4dc407efc83f72f1a04e974a72189d0f1d96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal: https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/
Typical Filename: winkgts.exe
Claimed Product: winkgts.exe
Claimed Publisher: winkgts.exe
SHA256: 04005e3b053e8f8465cf45fddf5856cd6ed67cbcaf908bd5eeaddd76785ca574
MD5: 0265A6D07D7D03E657B694ECEE310FA5
VirusTotal: https://www.virustotal.com/file/04005E3B053E8F8465CF45FDDF5856CD6ED67CBCAF908BD5EEADDD76785CA574/analysis/
Typical Filename: -
Claimed Product: -
Claimed Publisher: -
(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account