@RISK provides a reliable weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) insightful explanations of how recent attacks worked, and (4) other valuable data.

A key purpose of the @RISK is to provide the data that will ensure that the 20 Critical Controls (the US and UK benchmark for effective protection of networked systems) continue to be the most effective defenses for all known attack vectors. But since it is also valuable for security practitioners, SANS is making it available to the 145,000 security practitioners who have completed SANS security training and others at their organizations who hope to stay current with the offensive methods in use.

January 10, 2013
=============================================================

@RISK: The Consensus Security Vulnerability Alert

Vol. 13, Num. 02

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

=============================================================

CONTENTS:

NOTABLE RECENT SECURITY ISSUES
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK
VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
MOST POPULAR MALWARE FILES 1/3/2013 - 1/9/2013
============================================================

TOP VULNERABILITY THIS WEEK: A 0-day was discovered in Java by researchers who saw it being used in several distinct exploit kits. While Oracle has released a patch, which also changes the default security setting so that users must click to allow an applet to run, US-CERT has advised everyone who does not need Java to disable it in their browser immediately.

============================================================

TRAINING UPDATE

--SANS Security East 2013 New Orleans, LA January 16-23, 2013
11 courses. Bonus evening presentations include The Next Wave - Data Center Consolidation; Top Threats to Cloud for 2013; and Hacking Your Friends and Neighbors for Fun. Special Event: NetWars Tournament of Champions.
http://www.sans.org/event/security-east-2013

--North American Industrial Controls Systems and SCADA Summit 2013
Lake Buena Vista, FL February 6-13, 2013
The only technical security and training program in ICS security - for program managers, control systems engineers, IT security professionals and critical infrastructure protection specialists from asset owning and operating organizations along with control systems and security vendors who have innovative solutions for improving security. Every attendee leaves with new tools and techniques they can put to work immediately. 8 courses. Bonus evening presentation: The SANS SCADA Dinner Theater Players Present: From Exposure to Closure - Act III.
http://www.sans.org/event/north-american-scada-2013

--SANS Secure Singapore 2013 February 25-March 2, 2013
6 courses. Bonus evening presentation: Security of National eID (smartcard-based) Web Applications.
http://www.sans.org/event/singapore-2013

--SANS 2013 Orlando, FL March 8-March 15, 2013
46 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Human Nature and Information Security: Irrational and Extraneous Factors That Matter; and Over-Zealous Social Media Investigations: Beware the Privacy Monster.
http://www.sans.org/event/sans-2013

--SANS Monterey 2013 Monterey, CA March 22-March 27, 2013
7 courses. Bonus evening presentations include Base64 Can Get You Pwned!; and The 13 Absolute Truths of Security.
http://www.sans.org/event/monterey-2013

--SANS Northern Virginia 2013 Reston, VA April 8-April 13, 2013
7 courses. Bonus evening presentations include Infosec Rock Star: How to be a More Effective Security Professional; Pentesting Web Apps with Python; and Practical, Efficient Unix Auditing: With Scripts.
http://www.sans.org/event/northern-virginia-2013

--Looking for training in your own community?
http://www.sans.org/community

--Save on On-Demand training (30 full courses) - See samples at
http://www.sans.org/onCyberdemand/discounts.php#current

Plus Cairo, New Delhi, Scottsdale, Brussels, Johannesburg, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: www.sans.org

============================================================
NOTABLE RECENT SECURITY ISSUES
SELECTED BY THE SOURCEFIRE VULNERABILITY RESEARCH TEAM

Title: Java 0-day attack exploited in the wild
Description: Researchers last Thursday discovered a 0-day attack against the latest version of Java being exploited in the wild by a series of exploit kits, with owners of multiple kits claiming responsibility for having added the attack to their kit first. After US-CERT released an advisory recommending that anyone who does not use Java regularly disable it immediately, Oracle issued a patch on Sunday, which included a change to Java's security settings that would require users to click on an applet to allow it to run. While experts are praising that settings update as a proactive defensive mechanism, researchers from Immunity on Monday noted that the patch issued by Oracle - while effective against attacks currently in the wild - did not completely resolve one of the underlying issues with this bug, leaving the door open for further attacks in the future. The VRT strongly recommends following US-CERT's guidance on the issue and disabling Java if possible, while being vigilant on patches if it must be left enabled.
Reference:
http://www.oracle.com/technetwork/topics/security/alert-cve-2013-0422-1896849.html
http://vrt-blog.snort.org/2013/01/generic-exploit-kit-detection-first.html
http://malware.dontneedcoffee.com/2013/01/0-day-17u10-spotted-in-while-disable.html
http://labs.alienvault.com/labs/index.php/2013/new-year-new-java-zeroday/
http://krebsonsecurity.com/2013/01/zero-day-java-exploit-debuts-in-crimeware/
http://immunityproducts.blogspot.com.ar/2013/01/confirmed-java-only-fixed-one-of-two.html
Snort SID: 25041, 25042, 25301, 25302
ClamAV: Java.Exploit.Agent-14 - Java.Exploit.Agent-16

Title: Ruby on Rails vulnerability could be largest server-side web bug in years
Description: A pair of remotely exploitable vulnerabilities were discovered in the popular Ruby on Rails web programming framework last week, one of which allows for code execution in default installations with the permissions of the application running Rails code. While estimates on the number of vulnerable sites vary, experts agree that number could easily be north of 1 million systems, making this one of the most widespread server-side exploits in years. An official patch has been issued (including a patch for the popular Metasploit framework, which was itself vulnerable), and system administrators are urged to patch immediately, as exploits are known to be circulating in the wild.
Reference:
https://groups.google.com/forum/?fromgroups=#!topic/rubyonrails-security/61bkgvnSGTQ
http://vrt-blog.snort.org/2013/01/the-ruby-on-rails-vulnerability-that.html
http://blog.sourcefire.com/Post/2013/01/09/1357761360-therubyonrailsvulnerabilitiesofwhattheyareandwhatshouldwedo/
Snort SID: 28287, 25288
ClamAV: N/A

Title: Anonymous takes down MIT sites after suicide of Aaron Swartz
Description: Well-known activist Aaron Swartz, while awaiting trial on charges related to allegations that he had made publicly available the entire subscription-only section of the JSTOR database of scholarly journals and a large section of copyrighted documents at MIT, took his own life last Friday. Amid allegations that he was driven to suicide by overly zealous prosecution, Anonymous defaced several MIT sites in a show of support for Swartz and his crusade for online openness, and a petition has surfaced to remove the federal prosecutor handling the case for being overly zealous in his prosecution. The case raises questions about copyright prosecution in the 21st century, particularly in light of the fact that Swartz was facing a 35-year sentence even after JSTOR had asked the federal government to drop its prosecution and allow them to pursue civil action instead.
Reference:
http://www.washingtonpost.com/business/technology/anonymous-hacks-mit-sites-to-post-aaron-swartz-tribute-call-to-arms/2013/01/14/ff6f706c-5e44-11e2-9940-6fc488f3fecd_story.html
http://pastebin.com/PKm921c9
http://news.cnet.com/8301-1023_3-57563752-93/anonymous-hacks-mit-after-aaron-swartzs-suicide/
Snort SID: N/A
ClamAV: N/A

Title: Researchers discover "Red October" worldwide cyber espionage campaign
Description: Kaspersky Labs released a major report this week on a highly sophisticated, long-term malware campaign designed to infiltrate diplomatic circles and collect data valuable to both state and private actors. According to their analysis, which has held up well to scrutiny from independent researchers, the campaign has been running since at least 2007, and includes Chinese-created exploits and malware code from Russian-speaking engineers. The malware was delivered via highly targeted spear phish, and used a variety of exploits in MS Office and other file formats to break into victim machines. While the total number of infected hosts was low, this discovery helps to highlight the extreme danger high-profile organizations face from online espionage in the modern era.
Reference:
http://www.securelist.com/en/analysis/204792262/Red_October_Diplomatic_Cyber_Attacks_Investigation
Snort SID: 17597, 21902, 22101, 25392-25447
ClamAV: N/A

============================================================
USEFUL EXPLANATIONS OF HOW NEW ATTACKS WORK

Computer scientists find flaw in Cisco VoIP phones:
http://www.eurekalert.org/pub_releases/2013-01/cu-csf010713.php

Minion - automating security for developers:
https://air.mozilla.org/minion-automating-security-for-developers/

Snapshot of Virut botnet after interruption:
http://www.symantec.com/connect/blogs/snapshot-virut-botnet-after-interruption

Nokia: Yes, we decrypt your HTTPS data, but don't worry about it:
http://gigaom.com/2013/01/10/nokia-yes-we-decrypt-your-https-data-but-dont-worry-about-it/

GET-PEB: A tool to dump the Process Environment Block (PEB) of any process:
http://www.exploit-monday.com/2013/01/Get-PEB.html

I/O you own: Windows 8 update:
http://blog.crowdstrike.com/2013/01/io-you-own-windows-8-update.html

Yahoo DOM XSS:
http://www.offensive-security.com/offsec/yahoo-dom-xss-0day-prevails/

The future of protocol reversing and simulation applied on ZeroAccess botnet:
http://events.ccc.de/congress/2012/Fahrplan/events/5256.en.html

Black Hole Exploit Kit author's 'vertical market integration' fuels growth in malicious web activity:
http://blog.webroot.com/2013/01/08/black-hole-exploit-kit-authors-vertical-market-integration-fuels-growth-in-malicious-web-activity/

Private market growing for zero-day exploits and vulnerabilities:
http://searchsecurity.techtarget.com/feature/Private-market-growing-for-zero-day-exploits-and-vulnerabilities

=========================================================
RECENT VULNERABILITIES FOR WHICH EXPLOITS ARE AVAILABLE
COMPILED BY THE QUALYS VULNERABILITY RESEARCH TEAM.

This is a list of recent vulnerabilities for which exploits are available. System administrators can use this list to help in prioritization of their remediation activities. The Qualys Vulnerability Research Team compiles this information based on various exploit frameworks, exploit databases, exploit kits and monitoring of internet activity.

ID: CVE-2013-0422
Title: Oracle Java SE Security Bypass Vulnerability
Vendor: Oracle
Description: Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows remote attackers to execute arbitrary code via unknown vectors, possibly related to "permissions of certain Java classes," as exploited in the wild in January 2013, and as demonstrated by Blackhole and Nuclear Pack.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

ID: CVE-2012-4792
Title: Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability
Vendor: Microsoft
Description: Use-after-free vulnerability in Microsoft Internet Explorer 6 through 8 allows remote attackers to execute arbitrary code via a crafted web site that triggers access to an object that (1) was not properly allocated or (2) is deleted, as demonstrated by a CDwnBindInfo object, and exploited in the wild in December 2012.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2013-0156
Title: Ruby on Rails XML Processor YAML Deserialization Code Execution
Vendor: rubyonrails.org
Description: active_support/core_ext/hash/conversions.rb in Ruby on Rails before 2.3.15, 3.0.x before 3.0.19, 3.1.x before 3.1.10, and 3.2.x before 3.2.11 does not properly restrict casts of string values, which allows remote attackers to conduct object-injection attacks and execute arbitrary code, or cause a denial of service (memory and CPU consumption) involving nested XML entity references, by leveraging Action Pack support for (1) YAML type conversion or (2) Symbol type conversion.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
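As an added illustration of the CVE-2013-0156 type-conversion issue described above (and in the Ruby on Rails item under Notable Recent Security Issues), the following stand-alone Ruby re-creates the shape of the XML cast table Rails consults, applies the advisory's workaround of deleting the "yaml" and "symbol" entries, and adds a defender-side check that flags request bodies asking for those conversions. This is example code, not the newsletter's or the Rails project's own source; the function names and the sample body are assumptions.

```ruby
require "rexml/document"
require "yaml"

# Stand-alone model of the type-attribute cast table that Rails' XML
# parameter parser consults (ActiveSupport::XmlMini::PARSING in Rails 3.2).
# This is a re-creation for illustration, not the Rails source.
UNRESTRICTED_CASTS = {
  "string"  => ->(v) { v.to_s },
  "integer" => ->(v) { v.to_i },
  "boolean" => ->(v) { %w[1 true].include?(v.strip) },
  "symbol"  => ->(v) { v.to_sym },     # symbols were never garbage-collected before Ruby 2.2
  "yaml"    => ->(v) { YAML.load(v) }, # YAML.load can instantiate arbitrary Ruby objects
}.freeze

# Hardened table: the advisory's workaround is to drop the "yaml" and "symbol"
# entries (ActiveSupport::XmlMini::PARSING.delete("yaml") / .delete("symbol")
# in an initializer). Any type the table does not know falls back to string.
SAFE_CASTS = UNRESTRICTED_CASTS.reject { |k, _| %w[yaml symbol].include?(k) }.freeze

# Parse a flat XML parameter body such as <user><age type="integer">30</age></user>
# into a Hash, casting each leaf according to the supplied table.
def params_from_xml(body, casts)
  doc = REXML::Document.new(body)
  params = {}
  doc.root.elements.each do |el|
    caster = casts.fetch(el.attributes["type"], casts["string"])
    params[el.name] = caster.call(el.text.to_s)
  end
  params
end

# Defender-side check for logs or a request filter: list the leaves whose
# client-supplied type attribute asks for YAML or Symbol conversion.
def risky_type_attributes(body)
  doc = REXML::Document.new(body)
  doc.root.elements.to_a.select { |el| %w[yaml symbol].include?(el.attributes["type"]) }
     .map { |el| [el.name, el.attributes["type"]] }
end

# Constructed sample request body: the client controls the type attribute,
# so it can ask the server to treat a leaf as YAML.
SAMPLE_BODY = <<~XML
  <user>
    <name>alice</name>
    <age type="integer">30</age>
    <prefs type="yaml">--- {theme: dark}</prefs>
  </user>
XML
```

With the unrestricted table the `prefs` leaf comes back as a Hash built by the YAML parser; with the hardened table it stays the literal string, which is the behaviour the advisory's workaround restores.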

ID: CVE-2012-6066
Title: Freesshd Authentication Bypass
Vendor: freesshd.com
Description: freeSSHd.exe in freeSSHd through 1.2.6 allows remote attackers to bypass authentication via a crafted session, as demonstrated by an OpenSSH client with modified versions of ssh.c and sshconnect2.c.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID: CVE-2012-0202
Title: IBM Cognos TM1 Buffer Overflow Vulnerability
Vendor: IBM
Description: Multiple stack-based buffer overflows in tm1admsd.exe in the Admin Server in IBM Cognos TM1 9.4.x and 9.5.x before 9.5.2 FP2 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via crafted data.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

=========================================================
MOST POPULAR MALWARE FILES 1/3/2013 - 1/9/2013:
COMPILED BY SOURCEFIRE

SHA 256: E82A4FCAC5871ADF5516A2E3DE312EF135537A51EDC3F2E379B68C6AE90961DD
MD5: fe2eb24e6bd36b8be3869ece85aa72bc
VirusTotal: https://www.virustotal.com/file/E82A4FCAC5871ADF5516A2E3DE312EF135537A51EDC3F2E379B68C6AE90961DD/analysis/

Typical Filename: 00000004.@
Claimed Product: 00000004.@
Claimed Publisher: 00000004.@

SHA 256: E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B
MD5: bf31a8d79f704f488e3dbcb6eea3b3e3
VirusTotal: https://www.virustotal.com/file/E0B193D47609C9622AA018E81DA69C24B921F2BA682F3E18646A0D09EC63AC2B/analysis/

Typical Filename: mjomn.sys
Claimed Product: mjomn.sys
Claimed Publisher: mjomn.sys

SHA 256: E473A10CEE73DE92042E2ED8E2C12F0BB2B923A44A583E96A37FA9C4D2CFC21C
MD5: 80aebc81a5d1eb392bd7c615a779918c
VirusTotal: https://www.virustotal.com/file/E473A10CEE73DE92042E2ED8E2C12F0BB2B923A44A583E96A37FA9C4D2CFC21C/analysis/

Typical Filename: 00000008.@
Claimed Product: 00000008.@
Claimed Publisher: 00000008.@

SHA 256: 2FB8D429AD85AE810AB4605BFDE78CCA8053A512D6C85B179395725BAE96E199
MD5: 543b96731b80fc30a7583bd22cd0d567
VirusTotal: https://www.virustotal.com/file/2FB8D429AD85AE810AB4605BFDE78CCA8053A512D6C85B179395725BAE96E199/analysis/

Typical Filename: tchcsy.exe
Claimed Product: tchcsy.exe
Claimed Publisher: tchcsy.exe

SHA 256: B73E0A5620E689856ED7EE95387FDB7EBF6D66D1373664AC58B10094CD20318F
MD5: 54ed1955edb126599e3814b6e251bca6
VirusTotal: https://www.virustotal.com/file/B73E0A5620E689856ED7EE95387FDB7EBF6D66D1373664AC58B10094CD20318F/analysis/

Typical Filename: 80000000.@
Claimed Product: 80000000.@
Claimed Publisher: 80000000.@

=============================================================

(c) 2013. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account