@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.
A key purpose of @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and to others at their organizations who hope to stay current with the offensive methods in use.
March 7, 2013
=============================================================
@RISK: The Consensus Security Vulnerability Alert
Vol. 13, Num. 10
Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.
=============================================================
CONTENTS:
NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 2/26/2013 - 3/5/2013
============================================================
TOP VULNERABILITY THIS WEEK: Network administrators were given another reason to disable Java across their enterprises this week, as another new Java 0-day was publicly disclosed last Friday. While the vulnerability had been used for targeted attacks, and a patch was released on Monday, it is likely to become widely exploited, particularly in exploit kits, over the next few weeks.
============================================================
TRAINING UPDATE
-- SANS 2013, Orlando, FL, March 8-March 15, 2013
47 courses. Bonus evening sessions include Please Keep Your Brain Juice
Off My Enigma: A True Story; InfoSec in the Financial World: War Stories
and Lessons Learned; and Finding Unknown Malware.
http://www.sans.org/event/sans-2013
-- SANS Monterey 2013, Monterey, CA, March 22-March 27, 2013
8 courses. Bonus evening presentations include Base64 Can Get You
Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! -
The Recon-ng Framework.
http://www.sans.org/event/monterey-2013
-- SANS Northern Virginia 2013, Reston, VA, April 8-April 13, 2013
7 courses. Bonus evening presentations include Infosec Rock Star: How
to Be a More Effective Security Professional; Pentesting Web Apps with
Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013
-- SANS Cyber Guardian 2013, Baltimore, MD, April 15-April 20, 2013
9 courses. Bonus evening presentations include Windows Exploratory
Surgery with Process Hacker; Offensive Countermeasures, Active Defenses,
and Internet Tough Guys; and Tactical SecOps: A Guide to Precision
Security Operations.
http://www.sans.org/event/cyber-guardian-2013
-- SANS Security West 2013, San Diego, CA, May 7-May 16, 2013
32 courses. Bonus evening sessions include Gone in 60 Minutes; The
Ancient Art of Falconry; and You Can Panic Now. Host Protection is
(Mostly) Dead.
http://www.sans.org/event/security-west-2013
-- Secure Canberra 2013, Canberra, Australia, March 18-March 23, 2013
Featuring Network Penetration Testing and Ethical Hacking and Computer
Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013
-- Critical Security Controls International Summit, London, UK, April 26-May 2, 2013
Including SEC566: Implementing and Auditing the 20 Critical Security
Controls, led by Dr. Eric Cole.
http://www.sans.org/event/critical-security-controls-international-summit
-- SANS Pen Test Berlin 2013, Berlin, Germany, June 2-June 8, 2013
Europe's only specialist pen test training and networking event. Five
dedicated pen test courses and a summit day.
http://www.sans.org/event/pentest-berlin-2013
-- Looking for training in your own community?
http://www.sans.org/community/
-- Save on On-Demand training (30 full courses) - see samples at
http://www.sans.org/ondemand/specials
Plus Johannesburg, Abu Dhabi, Seoul, and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: www.sans.org
********************** Sponsored Link: *********************
1) Take the Mobile Application Security Survey! Enter to win an iPad!
http://www.sans.org/info/126537
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM
Title: Fresh Java 0-day hits, Oracle releases patch
Description: Described as "Yet another Java 0-day" by the organization
disclosing it, details emerged last Friday of a bug in the color
management portion of Java applets that Oracle said was "easily
exploitable" in the note it released on Monday to accompany its patches.
Attacks in the wild have been targeted to date, and initially
compromised sites were using C&C channels and malware samples associated
with the recent Bit9 breach, suggesting a coordinated campaign by those
using the exploit. Still, given the proliferation of exploit kits -
including a new one announced Monday that uses nothing but Java
vulnerabilities - it is only a matter of time before mass exploitation
occurs, and users are urged to patch immediately.
Reference:
http://blog.fireeye.com/research/2013/02/yaj0-yet-another-java-zero-day-2.html
https://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/
http://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/1915099.xml
http://blog.webroot.com/2013/03/05/cybercriminals-release-new-java-exploits-centered-exploit-kit/
Snort SID: 26025 26030
ClamAV: JAVA.Exploit.CVE_2013_1493, WIN.Trojan.McRat
Title: MiniDuke malware targeting European governments, agencies
Description: A newly discovered piece of targeted malware dubbed
"MiniDuke" has been using CVE-2013-0640 - a PDF vulnerability discovered
in February - to drop particularly sneaky malware on European
governments and their agencies at locations across the world. The
malware uses Twitter to spread information about C&C channels, and
authors left taunting clues inside their binaries, including a reference
to the number 666 just before the decryption routine.
Reference: http://www.securelist.com/en/blog/208194129/The_MiniDuke_Mystery_PDF_0_day_Government_Spy_Assembler_0x29A_Micro_Backdoor
Snort SID: -
ClamAV: PDF.Exploit.CVE_2013_0640
Title: 0-day exploit in the wild for Japanese word processor Ichitaro
Description: Trend Micro recently discovered an exploit in the wild for
the popular Japanese word processing software Ichitaro. Similar to
vulnerabilities in Microsoft Office discovered in 2011, the program used
an improper path selection criterion for loading DLLs, and could easily
be tricked into loading a malicious DLL and executing arbitrary code on
the system. Patches for some versions of the software were made
available on March 5, while fixes for other versions are scheduled for
release on March 28.
Reference:
http://blog.trendmicro.com/trendlabs-security-intelligence/modified-ichitaro-dll-file-leads-to-backdoor/
Snort SID: 26070 26071 26072
ClamAV: Win.Exploit.CVE_2013_0707, Win.Trojan.Locati, Win.Trojan.Locati-1
Title: SAP NetWeaver remote code execution
Description: The SAP NetWeaver service is vulnerable to remote code
execution via malformed messages taking advantage of the
MSJ2EE_AddStatistics() function. Exploit code is publicly available, and
attacks are presumed to be occurring in the wild. Users should patch
their systems immediately.
Reference: http://www.exploit-db.com/exploits/24511/
Snort SID: 26073, 26074
ClamAV: N/A
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
New heapspray technique for Metasploit browser exploitation:
https://community.rapid7.com/community/metasploit/blog/2013/03/04/new-heap-spray-technique-for-metasploit-browser-exploitation
Oracle Java exploits and 0-days since 2012 - interactive timeline:
http://eromang.zataz.com/2013/03/03/oracle-java-exploits-and-0days-since-2012-interactive-timeline/
How much does it cost to buy 10,000 US-based malware-infected hosts?
http://blog.webroot.com/2013/02/28/how-much-does-it-cost-to-buy-10000-u-s-based-malware-infected-hosts/
Bound to fail: why cybersecurity risk cannot be "managed" away:
http://www.brookings.edu/research/papers/2013/02/cyber-security-langner-pederson
Finding hidden vHosts:
http://blog.cyberis.co.uk/2013/02/finding-hidden-vhosts.html
Debugging a debugger to debug a dump:
http://blogs.msdn.com/b/ntdebugging/archive/2013/02/27/debugging-a-debugger-to-debug-a-dump.aspx
How mobile spammers verify the validity of harvested phone numbers:
http://blog.webroot.com/2013/02/27/how-mobile-spammers-verify-the-validity-of-harvested-phone-numbers/
Fixing XSS: A practical guide for developers:
https://communities.coverity.com/blogs/security/2013/02/26/fixing-xss-a-practical-guide-for-developers
Russian ransomware takes advantage of Windows Powershell:
http://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.
This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help prioritize their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.
ID: CVE-2013-1493
Title: Oracle Java SE JVM 2D Subcomponent Remote Code Execution Vulnerability (Oracle Security Alert for CVE-2013-1493)
Vendor: Oracle
Description: The color management (CMM) functionality in the 2D
component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and
earlier, and 5.0 Update 40 and earlier allows remote attackers to
execute arbitrary code or cause a denial of service (crash) via an image
with crafted raster parameters, which triggers (1) an out-of-bounds read
or (2) memory corruption in the JVM, as exploited in the wild in
February 2013.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
ID: CVE-2013-0431
Title: Java Applet JMX Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment
(JRE) component in Oracle Java SE 7 through Update 11 allows
user-assisted remote attackers to bypass the Java security sandbox via
unspecified vectors related to JMX, aka "Issue 52," a different
vulnerability than CVE-2013-1490.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
ID: CVE-2013-0640, CVE-2013-0641
Title: Adobe Reader and Acrobat Unspecified Code Execution Vulnerability (APSB13-07)
Vendor: Adobe
Description: Unspecified vulnerability in Adobe Reader and Acrobat 9.x
through 9.5.3, 10.x through 10.1.5, and 11.x through 11.0.1 allows
remote attackers to execute arbitrary code via a crafted PDF document,
as exploited in the wild in February 2013.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2013-0025
Title: Microsoft Internet Explorer SLayoutRun Use-After-Free (MS13-009)
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer
8 allows remote attackers to execute arbitrary code via a crafted web
site that triggers access to a deleted object, aka "Internet Explorer
SLayoutRun Use After Free Vulnerability."
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
ID: CVE-2012-3569
Title: VMware OVF Tool Format String Vulnerability
Vendor: VMware
Description: Format string vulnerability in VMware OVF Tool 2.1 on
Windows, as used in VMware Workstation 8.x before 8.0.5, VMware Player
4.x before 4.0.5, and other products, allows user-assisted remote
attackers to execute arbitrary code via a crafted OVF file.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
MOST POPULAR MALWARE FILES 2/26/2013 - 3/5/2013:
COMPILED BY SOURCEFIRE
SHA 256: 0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3
MD5: b3b9295385f4e74d023181e5a24f4d83
VirusTotal: https://www.virustotal.com/file/0585CDC0293EA6B8C86482608C08C583BF32E12CFA59D143F4A0411D2894C0F3/analysis/
Typical Filename: Keygen.exe
Claimed Product: Keygen.exe
Claimed Publisher: Keygen.exe
SHA 256: 9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F
MD5: 3ff52cee72b936c56b4fbb9f970ece74
VirusTotal: https://www.virustotal.com/file/9267AAD92DEA47A6A8B2F734037239AB3376E47F969F8B97B64192A820B2A86F/analysis/
Typical Filename: wintdiyx.exe
Claimed Product: wintdiyx.exe
Claimed Publisher: wintdiyx.exe
SHA 256: B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96
MD5: 573b6cc513e1b7cd9e35b491eacc38f3
VirusTotal: https://www.virustotal.com/file/B7B28E855B8C6225C605330760FF4DC407EFC83F72F1A04E974A72189D0F1D96/analysis/
Claimed Product: 573b6cc513e1b7cd9e35b491eacc38f3
Claimed Publisher: 573b6cc513e1b7cd9e35b491eacc38f3
=============================================================
(c) 2013. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.
Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account