@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and other valuable data.

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

March 14, 2013
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 13, Num. 11

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

=============================================================

CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 3/5/2013 - 3/12/2013
============================================================

TOP VULNERABILITY THIS WEEK: Last week's new Java 0-day, CVE-2013-1493, has been spotted in the wild in Cool Exploit Kit, and is likely to work its way into other kits in the near term. Users who have not or cannot patch should consider using their browser's "click to play" feature, if available, which requires the user to click on an applet before it is allowed to run. That turns attacks like these from ones that fire automatically as soon as a page loads into ones that need a further user action before exploitation can occur.

============================================================

TRAINING UPDATE

-- SANS 2013 Orlando, FL March 8-March 15, 2013
47 courses. Bonus evening sessions include Please keep Your Brain Juice Off My Enigma: A True Story; InfoSec in the Financial World: War Stories and Lessons Learned; and Finding Unknown Malware.
http://www.sans.org/event/sans-2013

-- SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
8 courses. Bonus evening presentations include Base64 Can Get You Pwned!; The 13 Absolute Truths of Security; and Look Ma, No Packets! - The Recon-ng Framework.
http://www.sans.org/event/monterey-2013

-- SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013
7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013

-- SANS Cyber Guardian 2013 Baltimore, MD April 15-April 20, 2013
9 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker; Offensive Countermeasures, Active Defenses, and Internet Tough Guys; and Tactical SecOps: A Guide to Precision Security Operations.
http://www.sans.org/event/cyber-guardian-2013

-- SANS Security West 2013 San Diego, CA May 7-May 16, 2013
32 courses. Bonus evening sessions include Gone in 60 Minutes; The Ancient Art of Falconry; and You Can Panic Now. Host Protection is (Mostly) Dead.
http://www.sans.org/event/security-west-2013

-- Secure Canberra 2013 Canberra, Australia March 18 - March 23, 2013
Featuring Network Penetration Testing and Ethical Hacking and Computer Forensic Investigations - Windows In-Depth.
https://www.sans.org/event/secure-canberra-2013

-- Critical Security Controls International Summit London, UK April 26 - May 2, 2013
Including SEC566: Implementing and Auditing the 20 Critical Security Controls led by Dr. Eric Cole.
http://www.sans.org/event/critical-security-controls-international-summit

-- SANS Pen Test Berlin 2013 Berlin, Germany June 2-June 8, 2013
Europe's only specialist pen test training and networking event. Five dedicated pen test training courses led by five SANS world-class instructors.
http://www.sans.org/event/pentest-berlin-2013

-- Looking for training in your own community?
http://www.sans.org/community/

-- Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/ondemand/specials

Plus Abu Dhabi, New Delhi, Seoul, Bangalore, and Johannesburg, all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org

============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Recent Java 0-day Added To Cool Exploit Kit
Description: Researchers have spotted last week's Java 0-day in the high-end Cool Exploit Kit, marking a shift from originally being a targeted attack to a mass-market one. The vulnerability is likely to appear in other exploit kits as details on exploitation become more widely available in the underground; users are urged to patch immediately if they have not already. Those who have not patched should also strongly consider Click-to-Play if available in their browser, which requires users to actually click on an applet to allow it to run, helping to minimize harm from drive-by exploit attempts.
Reference:
http://malware.dontneedcoffee.com/2013/03/cve-2013-1493-jre17u15-jre16u41.html
http://blog.mozilla.org/security/2013/01/29/putting-users-in-control-of-plugins/
http://www.ghacks.net/2010/08/13/google-chrome-gets-click-to-play/
Snort SID: 25952, 25953, 26025, 26030
ClamAV: JAVA.Exploit.CVE_2013_1493, WIN.Trojan.McRat

Title: Microsoft Releases Patches for 20 CVEs
Description: Microsoft dumped another large Patch Tuesday on the Internet this week, with 7 bulletins covering a total of 20 CVEs. While none of the bugs are currently being exploited in the wild, the slew of use-after-free bugs in Internet Explorer are likely to be targeted by attackers in the coming weeks, as reverse engineers have a chance to examine and break them apart. Users are urged to patch as soon as feasible.
Reference:
http://technet.microsoft.com/en-us/security/bulletin/ms13-mar
https://krebsonsecurity.com/2013/03/critical-updates-for-windows-adobe-flash-air/
Snort SID: Multiple
ClamAV: Multiple

Title: TP-Link Router HTTP Backdoor
Description: An advisory was released on Monday detailing how to gain a shell on certain TP-Link routers, popular in the SOHO market, simply by querying a specific URL on the device. While it was unclear at the time of publication whether this could be accessed only while on the internal network, this is the second remote shell problem with that type of router in the last year; users may wish to consider switching models at the next feasible opportunity.
Reference:
http://sekurak.pl/tp-link-httptftp-backdoor/
http://websec.ca/advisories/view/root-shell-tplink-wdr740
Snort SID:
ClamAV: N/A

Title: New Attack on TLS Disclosed
Description: Researchers at the Royal Holloway University of London released on Wednesday details of a new attack against TLS when the RC4 cipher is in use. While not as severe as previous attacks such as BEAST - this new attack can only recover 220 bytes of cleartext data from a packet, and then only after at least 2^24 sessions have been analyzed - this further flaw in the protocol pushes TLS/RC4 one step further towards obsolescence. Patches are currently under development by impacted vendors; users are urged to use different cipher suites wherever possible in TLS transactions.
Reference:
http://www.isg.rhul.ac.uk/tls/
Snort SID: N/A
ClamAV: N/A
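The RC4 attack above works because RC4's early keystream bytes are not uniform: the same plaintext encrypted under many different keys leaks through those biases once enough sessions are collected. The following is an added illustration, not code from the newsletter or from the RHUL researchers; it implements RC4 and measures the best-known single-byte bias (Mantin and Shamir's observation that the second keystream byte is 0 about twice as often as it should be), then shows that a byte of repeated plaintext is simply the most frequent ciphertext value at that position. The 16-byte random keys, the 20000-session count and the sample plaintext byte are constructed for the demonstration.

```python
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n keystream bytes RC4 produces for `key` (KSA then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def broadcast_second_byte(p2: int, num_keys: int, seed: int = 1):
    """Encrypt the same plaintext byte p2 at position 2 under num_keys random
    keys (one 'session' each) and recover it from ciphertext frequencies alone.

    Returns (recovered_byte, bias): the most frequent ciphertext value, and how
    many times more often Z_2 == 0 occurred than the 1/256 a uniform keystream
    would give (about 2.0 for RC4, per Mantin and Shamir).
    """
    rng = random.Random(seed)                 # seeded so the run is repeatable
    counts = [0] * 256                        # histogram of ciphertext byte 2
    for _ in range(num_keys):
        key = bytes(rng.getrandbits(8) for _ in range(16))   # constructed key
        z2 = rc4_keystream(key, 2)[1]
        counts[p2 ^ z2] += 1                  # C_2 = P_2 XOR Z_2
    # Because Z_2 is 0 far more often than any other value, C_2 == P_2 wins.
    recovered = max(range(256), key=counts.__getitem__)
    bias = counts[p2] * 256 / num_keys
    return recovered, bias


if __name__ == "__main__":
    byte, bias = broadcast_second_byte(0x41, 20000)
    print(f"recovered plaintext byte 0x{byte:02x}; P[Z_2 = 0] is {bias:.2f}x uniform")
```

Lengthening the keystream and repeating the histogram per position is the same idea the published attack applies across the first couple of hundred bytes, which is why the practical defence is to stop negotiating RC4 suites rather than to limit what is sent early in a connection.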

============================================================
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Kelihos is dead...No, wait...Long live Kelihos! Again!
http://blog.spiderlabs.com/2013/03/kelihos-is-dead-no-wait-long-live-kelihos-again.html

Stars aligners' how-to: kernel pool spraying and VMware CVE-2013-1406:
http://blog.ptsecurity.com/2013/03/stars-aligners-how-to-kernel-pool.html

New DIY hacked email account content grabbing tool facilitates cyber espionage on a massive scale:
http://blog.webroot.com/2013/03/07/new-diy-hacked-email-account-content-grabbing-tool-facilitates-cyber-espionage-on-a-mass-scale/

Frozen Android phones give up data secrets:
http://www.bbc.co.uk/news/technology-21697704

Hello Neutrino: one more exploit kit:
http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html

Breakdown of BitInstant compromise:
http://blog.bitinstant.com/blog/2013/3/4/events-of-friday-bitinstant-back-online.html

Sinkholing of Trojan Downloader Zortob.B reveals fast growing malware threat:
http://www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/

Intercepting system calls on x86_64 Windows:
http://jbremer.org/intercepting-system-calls-on-x86_64-windows/

=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2013-1288
Title: Microsoft Internet Explorer CTreeNode Use After Free Vulnerability (MS13-021)
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer allows remote attackers to execute arbitrary code via a crafted web site, aka "CTreeNode Use After Free Vulnerability."
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-1493
Title: Oracle Java SE JVM 2D Subcomponent Remote Code Execution Vulnerability (Oracle Security Alert for CVE-2013-1493)
Vendor: Oracle
Description: The color management (CMM) functionality in the 2D component in Oracle Java SE 7 Update 15 and earlier, 6 Update 41 and earlier, and 5.0 Update 40 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (crash) via an image with crafted raster parameters, which triggers (1) an out-of-bounds read or (2) memory corruption in the JVM, as exploited in the wild in February 2013.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2013-0431
Title: Java Applet JMX Remote Code Execution
Vendor: Oracle
Description: Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 through Update 11 allows user-assisted remote attackers to bypass the Java security sandbox via unspecified vectors related to JMX, aka "Issue 52," a different vulnerability than CVE-2013-1490.
CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)

ID: CVE-2013-0640, CVE-2013-0641
Title: Adobe Reader and Acrobat Unspecified Code Execution Vulnerability (APSB13-07)
Vendor: Adobe
Description: Unspecified vulnerability in Adobe Reader and Acrobat 9.x through 9.5.3, 10.x through 10.1.5, and 11.x through 11.0.1 allows remote attackers to execute arbitrary code via a crafted PDF document, as exploited in the wild in February 2013.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-0025
Title: Microsoft Internet Explorer SLayoutRun Use-After-Free (MS13-009)
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to a deleted object, aka "Internet Explorer SLayoutRun Use After Free Vulnerability."
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

=========================================================
MOST POPULAR MALWARE FILES 3/5/2013 - 3/12/2013:
COMPILED BY SOURCEFIRE

SHA 256: bcc6188203e7b42073209f9356aa15598f61151217eb25dbd869db0e5b99b0c9
MD5: efac97460bd2e8fad7f5118bc4020fdc
VirusTotal: https://www.virustotal.com/file/bcc6188203e7b42073209f9356aa15598f61151217eb25dbd869db0e5b99b0c9/analysis/
Typical Filename: D3D Damag CF v11.8.exe
Claimed Product: -
Claimed Publisher: -

SHA 256: fe1e4987cd97c1198da240aa490e94c4def8db61b95815d1379220fd7bed603a
MD5: 595f95f3b1f54d51a179d60804184ceb
VirusTotal: https://www.virustotal.com/file/fe1e4987cd97c1198da240aa490e94c4def8db61b95815d1379220fd7bed603a/analysis/
Typical Filename: jf_1hitcf.exe
Claimed Product: -
Claimed Publisher: www.crazyfrost.com

SHA 256: a316c76591ec14102164ef345cd2bd61a8a455724cfcd1591b1fe1d50543ad25
MD5: 7a402a1cf3be24a2eb97e79973df91e7
VirusTotal: https://www.virustotal.com/file/a316c76591ec14102164ef345cd2bd61a8a455724cfcd1591b1fe1d50543ad25/analysis/
Typical Filename: 9DF.exe
Claimed Product: -
Claimed Publisher: -

SHA 256: 213692eb100ee731c78852c50d3fd46d87e787e33ce15ce3d987b741eda8396e
MD5: 5f8323b86b648dae0aed2e93fe753ded
VirusTotal: https://www.virustotal.com/file/213692eb100ee731c78852c50d3fd46d87e787e33ce15ce3d987b741eda8396e/analysis/
Typical Filename: jf_cf_zm.exe
Claimed Product: -
Claimed Publisher: www.crazyfrost.com

SHA 256: 611a1be1c5637480b0b8decc45f959ade2d73aa26a28a0fc70c6de050ed8f5a7
MD5: a273babaefcff8f5fe61992a54e3ef1d
VirusTotal: https://www.virustotal.com/file/611a1be1c5637480b0b8decc45f959ade2d73aa26a28a0fc70c6de050ed8f5a7/analysis/
Typical Filename: jf_cf_bezpaleva.exe
Claimed Product: -
Claimed Publisher: www.crazyfrost.com

=============================================================

(c) 2013. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account